Lync 2013 Deployment DNS, Mobile Clients and Conferencing Issues

Posted on 2014-02-05
Last Modified: 2014-05-05
The deployment is:

1 F.E. Server 2008r2 Lync 2013 fully patched single nic internal network
1 Reverse proxy- 2008r2 with TMG 2010 fully patched two nics, one internal one on DMZ
1 Edge server 2008r2 fully patched 4 nics one internal, one for access, one for av and one for webconf
1 Webapp server 2008r2 fully patched single nic on internal network no external dns entries
2 mediation servers 2012 fully patch single internal nic (used for enterprise voice) they share a VIP for the mediation pool services
1 2012 server that has 2012 SQL Enterprise installed as I will be moving the central management store off the F.E. so I can deploy a front end enterprise pool for LB across multiple sites

I can test all urls from reverse proxy and the rules pass.

I think my issues with mobile phones not connecting, as this does not have anything to do with edge, is with the DNS records. Id like someone to verify the internal DNS entries that are needed maybe I have one pointing to the wrong server. Its possible.

Conferencing fails once more than two people are chatting or sharing their desktops. If a third person is invited or joins ID 504 event 239 is display in the chat box.

Eventually I will have four F.E. servers in a Enterprise pool as well as four edge servers. This started as a single server deployment just for internal IM purposes. Then they wanted external (edge) then external without the need for VPN (reverse proxy and edge) now finally Enterprise voice so they can have dial in conferencing. so its roll has expanded four times in less than a year.

Any help is greatly appreciated.
Question by:MXadmin
  • 5
  • 3
LVL 12

Expert Comment

ID: 39836279
It's hard to say without knowing your numbers but on the surface this looks a little over-scaled.  For example, 4 physical NICs in each Edge server is most likely overkill; 2 NICs would be the best approach.

The mobile clients do not use Edge for connections, only media relay you should look more closely at the reverse proxy configuration.

Author Comment

ID: 39836377
these are VMS. Its four IPS not Nics, my apologies, its two nices with the external nic on the DMZ having three seperate ips for services. What on the RP should be looked at? All the rules pass, I am forwarding the header and the authentication is set to client can auth direct.
LVL 12

Expert Comment

ID: 39836554
OK, that makes more sense.

Do the mobile clients sign-in but media fails, or do they not even sign-in in at all?  Could be Lyncdiscover related in the latter.

Author Comment

ID: 39836682
They actually cant sign in. They were working just fine when I had a FE with an Edge, I just put in a ton of direct routes and host file enteries and everything worked fine. Once they said put in the reverse proxy and the host files went away on the edge is when things started to break. The internal DNS records right now I have the lyncdiscover and lyncdiscoverinternal pointing to the external IP of the reverse proxy. One thing noticed is the RP with TMG is using the SSL cert on its listner, this should ideally be the domain cert from the FE server so im going to export out that cert install and reboot the RP and test. Im concerned about the internal DNS records not being correct as this was not part of my implementation and wanted to double check prior to changing the enteries.
Promote certifications in your email signature

Has your company recently won an award or achieved a certification? They'll no doubt want to show it off. Email signature images used to promote certifications & awards can instantly establish credibility with a recipient and provide you with numerous benefits.

LVL 12

Expert Comment

ID: 39836855
I shouldn't have both lyncdiscover and Lyncdiscoverinternal deployed in the internal DNS.  Also the fact that it worked prior to publishing tells me that the deployment was incorrect as Lync 2013 mobile clients are ONLY supported as external clients.

I recommend reading through these two articles as they address all your questions:

Author Comment

ID: 39845713
Ive read those blogs a few times. I have mobility working just fine. The issue was certificates which an ssl on all boxes resolved. My issue now is still confercing failing. Users get 504 event id 239 when doing a multi person chat.

Accepted Solution

MXadmin earned 0 total points
ID: 40032258
I was able to resolve the issues by changing the configuration of the reverse proxy and adjusting the firewall rules that I was not aware was in place....thanks to the network "Gurus" :)

Author Closing Comment

ID: 40041610
The network admins had NAT rules affecting the proxy services. Since the server should have been place outward facing, ie in the dmz, which I was given an associated IP block to use for that purpose. Once the VLAN was adjusted to place the proxy outside the internal network the translation rules on the reverse proxy were properly resolving and pointing to the front end pool and not the BE servers.

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

27 Experts available now in Live!

Get 1:1 Help Now