Lync 2013 mobile - IOS devices not working

I need some help with Lync 2013 mobile access. I can't connect with any iOS mobile device, while Android devices are working fine. On iOS devices the connection never worked.
On iPad I get "we can't connect to the server. ..."

It is Lync 2013 standard installation with IM, conference and Voice enabled.
Servers (all OSes are Windows server 2012):
Front end server, one NIC
Mediation server in DMZ for connectivity to ISP SIP trunk, two NICs
Edge server in DMZ, two NICs
http proxy server in DMZ, two NICs

Using 4 external IP addresses (access, webconf, av, proxy external DNS names).
I have mostly followed these posts for implementation:
http://windowspbx.blogspot.com/2012/07/step-by-step-installing-lync-server.html
http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx

All certificates are issued by internal CA. They are trusted on all servers/devices. (If I have not overlooked something.)
I will be really grateful if someone would help me to troubleshoot or at least point me to some step-by-step troubleshooting article for Lync 2013 like http://blogs.technet.com/b/nexthop/archive/2012/02/21/troubleshooting-external-lync-mobility-connectivity-issues-step-by-step.aspx

You would probably need some additional info, like logs etc. Please don't hesitate to ask me.
Thank you!

p.s. attaching ipad log
ipad-log.txt
davorinAsked:

Cliff GaliherCommented:
At first glance, it appears that your reverse proxy setup is not properly proxying all of the URL requests. I'd check your ARR rules for starters.
davorinAuthor Commented:
Do you have any instructions on how to test the proxy setup?
I have tried to access https://lync.externaldomain.com/mcx/mcxservice.svc/mex from outside and I get an xml output.

If I start from the beginning, I have the following config.
For less typing I will use:
- int.com for internal domain
- ext.com for external domain
- int15 for internal IP address x.x.x.15
- ext15 for external, public IP x.x.x.15

TOPOLOGY:
dialin.int.com - phone access
meet.int.com, meet.ext.com - meeting
admin.int.com - admin access
lync.int.com - control mngt
lync.ext.com - external web services
access.ext.com - edge - EXT15 IP
webconf.ext.com - edge - EXT16 IP
av.ext.com - edge - EXT17 IP

INTERNAL DNS SERVER RECORDS:
INT.COM domain
All pointing to int20 IP - front end server
dialin, admin, lync, lyncdiscover, lyncdiscoverinternal, meet, sip, sipinternal,
SRV record _sipinternaltls._tcp.int.com ->lync.int.com

EXT.COM domain
access- EXT15 IP
av - EXT17 IP
lync - EXT18 IP
lyncdiscover - CNAME lync
lyncdiscoverinternal - INT20 IP (front end)
meet EXT18 IP
sip EXT18 IP
sipinternal INT20 (front end)
webconf - EXT16
_sip._tls SRV -> access.ext.com
_sipinternaltls._tcp SRV -> sip.ext.com

EXTERNAL DNS SERVER RECORDS:
access- EXT15 IP
av - EXT17 IP
lync - EXT18 IP
lyncdiscover - EXT18 IP
meet EXT18 IP
sip EXT18 IP
webconf - EXT16
_sip._tls SRV -> access.ext.com

PROXY IIS SERVER FARMS accessible over EXT18 IP:
dialin.ext.com
lync.ext.com
lyncdiscover.ext.com
meet.ext.com

The FE/proxy certificate has the following SANs:
lync.int.com, lync.ext.com
sip.int.com, sip.ext.com
dialin.int.com
meet.int.com, meet.ext.com
admin.int.com
lyncdiscover.int.com, lyncdiscover.ext.com
lyncdiscoverinternal.int.com, lyncdiscoverinternal.ext.com

Do you see any errors?
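
The name check implied by the farm and SAN lists above, as an added example that is not part of the original post: it compares the hostnames published through the reverse proxy with the certificate's SAN entries, using the poster's placeholder names (int.com, ext.com). The function names `san_matches` and `uncovered` are hypothetical.

```python
"""Added example: is every hostname published through the reverse proxy
covered by a SAN entry of the certificate bound to it?"""

# SAN entries and proxy farm names exactly as listed in the post
# (int.com / ext.com are the poster's own placeholders).
CERT_SANS = [
    "lync.int.com", "lync.ext.com",
    "sip.int.com", "sip.ext.com",
    "dialin.int.com",
    "meet.int.com", "meet.ext.com",
    "admin.int.com",
    "lyncdiscover.int.com", "lyncdiscover.ext.com",
    "lyncdiscoverinternal.int.com", "lyncdiscoverinternal.ext.com",
]
PROXY_FARMS = [
    "dialin.ext.com", "lync.ext.com", "lyncdiscover.ext.com", "meet.ext.com",
]


def san_matches(san: str, host: str) -> bool:
    """Match one SAN dNSName against a hostname the way TLS clients do:
    case-insensitive, and a wildcard only as the whole leftmost label,
    standing in for exactly one label."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # "*.ext.com" does not cover "a.meet.ext.com"
    if san_labels[0] == "*":
        # Require at least two literal labels after the wildcard,
        # so an entry such as "*.com" never matches anything.
        return len(san_labels) >= 3 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def uncovered(hosts, sans):
    """Return the hostnames that no SAN entry covers, in input order."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    for name in uncovered(PROXY_FARMS, CERT_SANS):
        print("no SAN entry covers:", name)
```

With the lists as posted, `uncovered(PROXY_FARMS, CERT_SANS)` returns `['dialin.ext.com']`.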
Gajendra RathodSr. System AdministratorCommented:
Please try to log in using the Lync 2010 client on the iOS mobile device.

Please use the Lync Connectivity Analyzer tool for troubleshooting.

davorinAuthor Commented:
Hi Gajendra_Rathod,

I will try that tomorrow. Will that get me closer to the solution? As far as I know, Lync 2013 mobile clients are using UCWA, while Lync 2010 mobile clients are using the MCX service.
But as a temporary workaround it would be fine.
If I recall correctly, Lync Connectivity Analyzer reports that the setup meets minimal requirements for mobile access. Everything is "green" except http access to the mcx service. But https access to the mcx service is fine. I will also double check this tomorrow. Thx for the comment.
davorinAuthor Commented:
Here are results of Lync Connectivity analyzer (run from internal computer):
Starting Lync server autodiscovery
Server discovery succeeded for secure (HTTPS) internal channel against URL https://lyncdiscoverinternal.ext.com
Server discovery succeeded for unsecure (HTTP) internal channel against URL http://lyncdiscoverinternal.ext.com
Server discovery succeeded for secure (HTTPS) external channel against URL https://lyncdiscover.ext.com
Server discovery failed for unsecured external channel against http://lyncdiscover.ext.com

Starting the requirement tests for Lync mobile apps
Starting tests for Mobility (MCX) service
Completed tests for Mobility (MCX) service.
Your deployment meets the minimum requirements for Lync mobile apps.

Using the Lync 2010 client, same problem: "Can't connect to the server. It might be unavailable...."
davorinAuthor Commented:
In this post I have noticed that this SRV record (External DNS/SRV/5061 _sipfederationtls._tcp.contoso.com -> sip.contoso.com) is required for mobility and the push notification.
So I have created it and pointed it to the Access Edge service external interface, and I would expect that the Lync edge server would listen on port 5061 on that interface/IP address. But it does not. It is listening just on the internal edge server interface. Any idea?
Gajendra RathodSr. System AdministratorCommented:
Please upload your internal CA root certificate and Lync server certificate to the iOS device.
davorinAuthor Commented:
The internal CA root certificate and all other Lync certificates are installed on the iOS device with iPhone Configuration Utility.
Gajendra RathodSr. System AdministratorCommented:
Lync External connectivity test. Please post the result.
davorinAuthor Commented:
The results are not in English, so I will post a short version:
Autodiscover test on port 443:
- lyncdiscover DNS record - OK
- port 443 open and listening - OK
- SSL certificate check - OK
- https://lyncdiscover.extdomain.com/Autodiscover/AutodiscoverService.svc/root/user address was found and anonymous access is denied - OK

Error at access to McxService.svc at address https://lyncdiscover.extdomain.com/Autodiscover/AutodiscoverService.svc/root/domain
Server replied with HTTP 200, but there was no mcxservice.svc

**************************************

Remote connectivity test:
- access DNS record - OK
- port 443 open and listening - OK
- SSL certificate check - OK

Error at connectivity test for Lync user.
Error: The certificate chain was issued by an authority that is not trusted.
Error type: TlsFailureException.

All certificates are issued by the internal CA. The internal CA certificate and all Lync certificates are trusted by mobile devices.
davorinAuthor Commented:
The problem was resolved by installing Hotfix for Microsoft Application Request Routing Version 2.5 for IIS7 (KB 2732764) (x64).
Thanks for your help.
davorinAuthor Commented:
Finally I have managed to solve the problem. Thanks for your help.