• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 8965
  • Last Modified:

Lync 2013 mobile - IOS devices not working

I need some help with Lync 2013 mobile access. I can't connect with any IOS mobile device, while android devices are working fine. On IOS devices the connection never worked.
On Ipad i get "we can't connect to the server. ..."

It is Lync 2013 standard installation with IM, conference and Voice enabled.
Servers (all OSes are Windows server 2012):
Front end server, one NIC
Mediation server in DMZ for connectivity to ISP SIP trunk, two NICs
Edge server in DMZ, two NICs
http proxy server in DMZ, two NICs

Using 4 external IP adresses (access, webconf, av, proxy external DNS names).
I have mostly followed this posts for implementation:

All certificates are issued by internal CA. They are trusted on all servers/devices. (If I have not overlooked something.)
I ill be really grateful if someone would help me to troubleshoot or at least point me to some step-by-step troubleshooting article for Lync 2013 like http://blogs.technet.com/b/nexthop/archive/2012/02/21/troubleshooting-external-lync-mobility-connectivity-issues-step-by-step.aspx

You would probably need some additional info, like logs etc. Please don't hesitate to ask me.
Thank you!

p.s. attaching ipad log
  • 8
  • 3
3 Solutions
Cliff GaliherCommented:
At first glance, it appears that your reverse proxy setup is not properly proxying all of the URL requests. I'd check your ARR rules for starters.
davorinAuthor Commented:
Do you have any instructions how to test proxy setup.
I have tried to access https://lync.externaldomain.com/mcx/mcxservice.svc/mex from outside and I get an xml output.

If I start from beginning - I have next config.
for less typing I will use:
- int.com for internal domain
- ext. com for external domain
- int15 for internal IP address x.x.x.15
- ext15 for external, public IP x.x.x.15

dialin.int.com - phone access
meet.int.com, meet.ext.com - meeting
admin.int.com - admin access
lync.int.com - control mngt
lync.ext.com - external web services
access.ext.com - edge - EXT15 IP
webconf.ext.com - edge - EXT16 IP
av.ext.com - edge - EXT17 IP

INT.COM domain
All pointing to int20 IP - front end server
dialin, admin, lync, lyncdiscover, lyncdiscoverinternal, meet, sip, sipinternal,
SRV record _sipinternaltls._tcp.int.com ->lync.int.com

EXT.COM domain
access- EXT15 IP
av - EXT17 IP
lync - EXT18 IP
lyncdiscover - CNAME lync
lyncdiscoverinternal - INT20 IP (front end)
meet EXT18 IP
sip EXT18 IP
sipinternal INT20 (front end)
webconf - EXT16
_sip._tls SRV -> access.ext.com
_sipinternaltls._tcp SRV -> sip.ext.com

access- EXT15 IP
av - EXT17 IP
lync - EXT18 IP
lyncdiscover - EXT18 IP
meet EXT18 IP
sip EXT18 IP
webconf - EXT16
_sip._tls SRV -> access.ext.com

PROXY IIS SERVER FARMS accessible over EXT18 IP:

FE/proxy certificate is having following SANs:
lync.int.com, lync.ext.com
sip.int.com, sip.ext.com
meet.int.com, meet.ext.com
lyncdiscover.int.com, lyncdiscover.ext.com
lyncdiscoverinternal.int.com, lyncdiscoverinternal.ext.com

Do you see any errors?
Gajendra RathodSr. System AdministratorCommented:
Please try to login using Lync 2010 client on IOS mobile device.

Please using tool  Lync Connectivity Analyzer for troubleshooting.
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

davorinAuthor Commented:
Hi Gajendra_Rathod,

I will try that tomorrow. Will that help me closer to the solution? As I know lync 2013 mobile clients are using UCWA, while Lync 2010 mobile clients are using MCX service.
But as temporary workaround it would be fine.
If I recall correctly Lync connectivity analyzer reports, that the setup meets minimal requirements for mobile access. Everything is "green" except http access to mcx service. But https access to mcx service is fine. I will also double check this tomorrow. Thx for comment.
davorinAuthor Commented:
Here are results of Lync Connectivity analyzer (run from internal computer):
Starting Lync server autodiscovery
Server discovery succeeded for secure (HTTPS) internal channel against URL https://lyncdiscoverinternal.ext.com
Server discovery succeeded for unsecure (HTTP) internal channel against URL http://lyncdiscoverinternal.ext.com
Server discovery succeeded for secure (HTTPS) external channel against URL https://lyncdiscover.ext.com
Server discovery failed for unsecured external channel against http://lyncdiscover.ext.com

Starting the requirement tests for Lync mobile apps
Starting tests for Mobility (MCX) service
Completed tests for Mobility (MCX) service.
Your deployment meets the minimum requirements for Lync mobile apps.

Using Lync 2010 client same problem, Can't connect to the server. it might be unavailable....
davorinAuthor Commented:
In this post I have noticed that this SRV record (External DNS/SRV/5061 _sipfederationtls._tcp.contoso.com -> sip.contoso.com) is required for mobility and the push notification.
So I have created it and pointed to Access Edge service external interface and I would expect that Lync edge server would listen to port 5061 on that interface/IP address. But it does not. It is listening just on internal edge server interface. Any idea?
Gajendra RathodSr. System AdministratorCommented:
Please upload your internal CA root certificate and Lync server certificate in IOS device.
davorinAuthor Commented:
Internal CA root certificate and all other lync certificates are installed on IOS device with iphone configuration utility.
Gajendra RathodSr. System AdministratorCommented:
Lync External connectivity test. Please post the result.
davorinAuthor Commented:
The results are not in English, so I will post short version:
Autodiscover test on port 443:
- lyncdiscover DNS record - OK
- port 443 open and listening - OK
- SSL certificate check - OK
- https://lyncdiscover.extdomain.com/Autodiscover/AutodiscoverService.svc/root/user address was found and anonymous access is denied - OK

Error at access to McxService.svc at address https://lyncdiscover.extdomain.com/Autodiscover/AutodiscoverService.svc/root/domain
Sever replied with HTTP 200, but there were no mcxservice.svc


Remote connectivity test:
- access DNS record - OK
- port 443 open and listening - OK
- SSL certificate check - OK

Error at connectiovity test for lync user.
Error: The certificate chain was issued by an authority that is not trusted.
Vrsta napake: TlsFailureException.

All certificates are issued by internal CA. Internal CA certificate and all lync certificates are trusted by mobile devices.
davorinAuthor Commented:
The problem was resolved with installing Hotfix for Microsoft Application Request Routing Version 2.5 for IIS7 (KB 2732764) (x64).
Thanks for you help.
davorinAuthor Commented:
Finally I have managed to solve the problem. Thanks for your help.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 8
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now