Solved

Lync 2013 with Edge Server

Posted on 2014-04-24
Last Modified: 2014-05-01
I have a Lync 2013 install (on 2012R2, on the domain) that works perfectly on the inside network. I added an Edge server, also on 2012R2 (not on the domain, and network discovery fixed), and it will not work outside the internal network. MS Connectivity Analyzer says my autodiscover works and the port is open, but there is something wrong with the cert. I have contacted GoDaddy and they insist it is a server config issue (that would be fine, but the outside traffic can tunnel through to say the cert isn't right), and everything suggests the Edge server is letting traffic through. I really need the help of someone who has set up a simple Lync configuration and has it working. The network is simple for the Lync: one FE server (Lync) and one Edge server pointing to the firewall, that's it. ANY help would be appreciated.
Question by:ZeroDogg
22 Comments
 

Expert Comment

by:Jakob Digranes
ID: 40021916
what error do the clients give you when trying to log in?
what Names have you put in certificate?
sip and webconf?

Author Comment

by:ZeroDogg
ID: 40022669
It either hangs at "trying to contact server" and does nothing or there is a cert verification error.
The names in the cert are company.org and sip.company.org

Expert Comment

by:Mohammed Hamada
ID: 40024497
The certificates have nothing to do with external connectivity as long as the services on the Edge server are starting. If there were only a certificate issue, it would connect and at least tell you that there's a certificate problem.

If you have properly assigned the public certificate to the DMZ NIC on the Edge server and added all the certificates for it (e.g. intermediate and CA root), then it should work properly. You also need to check the internal certificate for your domain; it should be added to the Edge's internal NIC and the certificate path should state OK.

Have you changed the FQDN of the Edge to something like Edge.domain.com? This needs to be done and the FQDN needs to be added manually to your local DNS server in order for Lync Front end to find it.

You also need to add the Lync Front End's FQDN and IP to your Edge server's hosts file and make sure that you can ping your Lync Front End's IP from the Edge server.

The traffic needs to be routed from the Lync Edge to the Lync Front End, through the DMZ to the local LAN to the Front End server.

Also have you configured all the required Public DNS records?

sip.domain.com --> ports 443 and 5061 TCP
webconf --> port 443 TCP
av.domain.com --> 443 tcp, 3478 tcp/udp , 50000-59999 tcp/udp

most important for initial connectivity is the SIP.
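The checks listed in the comment above (the public SRV and A records, the ports, and the certificate the Access Edge actually presents) can be run from any Windows machine outside the network. The PowerShell script below is an added example and is not from the thread, the asker or Microsoft. It assumes the SIP domain is company.org and the external Edge FQDNs are sip/webconf/av.company.org (change $Domain), queries a public resolver (8.8.8.8, an assumption) so the internal DNS cannot mask a missing public record, accepts the server certificate during the handshake and then builds the chain itself so the actual failure reason (missing intermediate, wrong SAN) is printed, and skips revocation checking.

```powershell
# Added example (not from the thread): external-side checks for a Lync 2013 Edge.
# Assumptions: SIP domain company.org; external Edge FQDNs sip/webconf/av.company.org;
# 8.8.8.8 as the public resolver. Run from a machine OUTSIDE the corporate network.
param(
    [string]$Domain = 'company.org',
    [string]$PublicResolver = '8.8.8.8'
)

# 1. SRV records the external client and federation partners look up.
$srvChecks = @{
    "_sip._tls.$Domain"              = 443    # external client sign-in
    "_sipfederationtls._tcp.$Domain" = 5061   # federation / Skype
}
foreach ($name in $srvChecks.Keys) {
    $srv = Resolve-DnsName -Name $name -Type SRV -Server $PublicResolver -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { Write-Warning "MISSING SRV $name (the client log shows 8007232b for this)"; continue }
    foreach ($r in $srv) {
        $ok = ($r.Port -eq $srvChecks[$name]) -and ($r.NameTarget -eq "sip.$Domain")
        "{0,-40} -> {1}:{2} {3}" -f $name, $r.NameTarget, $r.Port, $(if ($ok) { 'OK' } else { 'CHECK target/port' })
    }
}

# 2. A records: with three public IPs every role listens on 443, so two Edge FQDNs
#    on one IP collide unless the roles were deployed on distinct ports (5061/444/443).
$seen = @{}
foreach ($fqdn in "sip.$Domain", "webconf.$Domain", "av.$Domain") {
    $ip = (Resolve-DnsName -Name $fqdn -Type A -Server $PublicResolver -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
    if (-not $ip) { Write-Warning "No public A record for $fqdn"; continue }
    if ($seen.ContainsValue($ip)) { Write-Warning "$fqdn shares $ip with another Edge FQDN" }
    $seen[$fqdn] = $ip
    "{0,-40} -> {1}" -f $fqdn, $ip
}

# 3. What the Access Edge really presents on 443 and 5061. Validation is deferred to
#    X509Chain below so the failing reason (missing intermediate, name mismatch) is visible.
function Get-EdgeCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($HostName, $Port) }
    catch { Write-Warning "${HostName}:$Port unreachable: $($_.Exception.Message) (1:1 NAT / Edge services?)"; return }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { param($s, $c, $ch, $e) $true })
    try { $ssl.AuthenticateAsClient($HostName) }
    catch { Write-Warning "TLS handshake to ${HostName}:$Port failed: $($_.Exception.Message)"; $client.Close(); return }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $client.Close()
    return $cert
}

foreach ($port in 443, 5061) {
    $cert = Get-EdgeCertificate -HostName "sip.$Domain" -Port $port
    if (-not $cert) { continue }
    "`nsip.${Domain}:$port presented '$($cert.Subject)', expires $($cert.NotAfter.ToShortDateString())"
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $sans = if ($sanExt) { ($sanExt.Format($false) -split ', ') -replace '^DNS Name=', '' } else { @() }
    foreach ($needed in "sip.$Domain", "webconf.$Domain", $Domain) {        # the SANs named in the thread
        "  SAN {0,-30} {1}" -f $needed, $(if ($sans -contains $needed) { 'present' } else { 'MISSING' })
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: skip CRL/OCSP; enable for a full check
    if ($chain.Build($cert)) { "  chain: OK ($($chain.ChainElements.Count) certificates)" }
    else { Write-Warning ("  chain: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')) }
}
```

If step 3 reports "unreachable" on 443 while 5061 connects, the firewall NAT or the Edge services are the problem rather than the certificate; if it connects but the chain fails with an untrusted-root or partial-chain status, the intermediate certificate is missing from the Edge's store, which is what the sslshopper and Connectivity Analyzer results in this thread look like from the outside.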

Author Comment

by:ZeroDogg
ID: 40026222
This is more of what I needed. In my documentation, the FQDN for the Edge server was to add abcint.local for the DNS suffix. What you are saying is to make it edge.abcext.com? My other questions would be: does edge.abcext.com need to be in the SAN of the cert, and what other DNS settings need to be added if my internal network is abcint.local and my outside is abcext.com? Thanks for your input so far, it helps a lot.

Expert Comment

by:Mohammed Hamada
ID: 40026249
No, if your local DNS is not split-domain DNS then your Edge FQDN needs to match the DNS too. So if your DNS is domain.local then the Edge is going to be edge.domain.local, and the same for domain.com ("split domain").

As for certificates, there are two parts, internal and external. For the internal you will generate the CSR ("code signing request") using the Lync Deployment Tool, and it will automatically give you the required SANs for the internal certificate, which will be only one, the Edge's FQDN.

For the external there are 3 SANs required. The common name is going to be sip.domain.com and the subject alternative names are going to be:
webconf.domain.com
domain.com
sip.domain.com

Author Comment

by:ZeroDogg
ID: 40028662
I really thought I had this, but nothing is working still and I am guessing it's DNS. Lync still works perfectly inside, but there is a DNS error outside when autoconfig is on and "problem connecting to server" when manual settings are in place. SSL checks say it resolves the outside address and the type of IIS server, then say it can't resolve the cert and to check port 443. MS Connectivity Analyzer says it resolves autodiscover and the outside address and that it can go through port 443, but can't resolve lyncdiscover.abcext.com to an inside server. I am at a loss; I can't tell you how many times I have stripped the DNS settings from the external and internal DNS and started over with new DNS settings that I keep being told to make, with no progress.

Expert Comment

by:Mohammed Hamada
ID: 40028796
Have you checked what your client logs say? In the following path there's a log file called Lync-UccApi-0.UccApilog; try attaching it here so we can check for the error messages:

%userprofile%\appdata\Local\Microsoft\Office\15.0\lync\Tracing

Also, on your Lync Edge, download the Microsoft Lync 2013 debugging tools and install them there. Then navigate to the folder where they were installed, probably c:\program files\microsoft Lync 2013\debugging tools.

There you can find the OCSLogger tool and Snooper; put a shortcut for both on your desktop and run OCSLogger as an admin.

Make sure to tick the S4 and SIP flags and start tracing before you log in. Once you have logged in, browse the log file and attach it here too.

Author Comment

by:ZeroDogg
ID: 40030410
I'm not sure what you meant by "before I log in". What I could tell was to run the OCSLogger on the Edge server, so I have attached that. The ApiLog is from my machine at home, outside my work network. If I did something incorrect please let me know how to correct it.

It increasingly gets more bizarre. When doing an MS Connectivity Analyzer run using the remote server test and having it manually check 5061, it's good all the way to the point of an error that I could not be signed in. The same test for 443 is the same as all the other tests: it resolves the name and port but says it can't talk to the SSL cert, whereas with 5061 you can.
Lync-UccApi-0.txt
OCSLogger-2014-04-29-13-42.txt

Expert Comment

by:Mohammed Hamada
ID: 40030478
OK, the first thing I could tell from the logs is that you don't have the public DNS SRV values set at all.

04/28/2014|10:44:56.921 A28:13A8 ERROR :: QueryDNSSrv GetDnsResults query: _sip._tls.armaintl.org failed 8007232b

This value, _sip._tls.armaintl.org, should be configured on your public domain's DNS in the SRV part and should point to the sip.armaintl.org A record on port 443.

The other SRV record, for federation, is also not created. _sipfederationtls._tcp.armaintl.org should point to sip.armaintl.org on port 5061, or else you'll have issues federating with other Lync servers or Skype.

Second thing

Is sip.armaintl.org your Access Edge's FQDN? If so then I think you have 3 issues.

1- Lync Edge services are not starting and therefore the ports are not listening on external traffic.
2- Firewall is not configured properly with Static NAT 1:1 between the DMZ NIC and the DMZ on the firewall.
3- Certificate is not assigned properly which causes services to crash automatically.

First thing you need to do is to go to Lync Edge server and check if Lync services are started and working properly.

Then download this utility, run it as admin and check if the intermediate cert is configured properly; if not, let the tool fix it and restart your server when done.
https://www.digicert.com/util/

Try browsing the internet from your Edge server and see what public IP it's showing. Just go to Google, search "what's my IP" and make sure it shows the public SIP Access Edge's IP.

Make sure you create static routing on your Edge server. Open CMD and run the following commands; only change the LAN's name from "Internal" to what you have in your current configuration, and use the IP of the default gateway for the LAN network instead of 192.168.1.1.


netsh interface ipv4 add route 10.0.0.0/8 "internal" 192.168.1.1
netsh interface ipv4 add route 172.16.0.0/12 "internal" 192.168.1.1
netsh interface ipv4 add route 192.168.0.0/16 "internal" 192.168.1.1

where "Internal" is the name of the LAN NIC and 192.168.1.1 is the gateway of the LAN network.

By the way, what's the IP 200.100.50.240? I could see it many times in the log, but it doesn't relate to any of your FQDNs.

Another question I have: what made you assign the FQDN av.armaintl.org to the same public IP as sip.armaintl.org? That's certainly going to cause a conflict unless you use a different port, if you're going to assign them the same public IP.
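The log line quoted in the comment above carries a Windows HRESULT: 0x8007232b is FACILITY_WIN32 wrapping Win32 error 9003, DNS_ERROR_RCODE_NAME_ERROR ("DNS name does not exist"), so the client is telling you the SRV record is simply not published. The PowerShell below is an added example, not from the thread or from Microsoft: it parses Lync-UccApi-0 style lines, decodes any 0x8007xxxx code through Win32Exception so Windows supplies the text, and lists the SRV names and IP addresses the client complained about. The sample lines are constructed in the log's format; only the first mirrors the line quoted above, the second uses the federation SRV name the comment mentions, and the third reuses the 200.100.50.240 address the comment asks about with a constructed socket error (0x80072746, WSAECONNRESET).

```powershell
# Added example (not from the thread): decode the HRESULTs in a Lync 2013 client log
# and list the DNS names / IPs it complained about. Sample lines are constructed in the
# Lync-UccApi-0.UccApilog format; only the first mirrors the line quoted in the thread.
$sampleLog = @'
04/28/2014|10:44:56.921 A28:13A8 ERROR :: QueryDNSSrv GetDnsResults query: _sip._tls.armaintl.org failed 8007232b
04/28/2014|10:44:56.935 A28:13A8 ERROR :: QueryDNSSrv GetDnsResults query: _sipfederationtls._tcp.armaintl.org failed 8007232b
04/28/2014|10:44:57.102 A28:13A8 ERROR :: Send to 200.100.50.240:5061 failed 80072746
'@

function ConvertFrom-Hresult {
    param([string]$Hex)
    $code = [Convert]::ToUInt32(($Hex -replace '^0x', ''), 16)
    # 0x8007xxxx is FACILITY_WIN32: the low 16 bits are an ordinary Win32 error number,
    # so Windows itself can give us the text (9003 = DNS_ERROR_RCODE_NAME_ERROR).
    if (($code -band 0xFFFF0000) -eq 0x80070000) {
        $win32 = [int]($code -band 0xFFFF)
        $text  = (New-Object System.ComponentModel.Win32Exception -ArgumentList $win32).Message
        return ('0x{0} = Win32 {1}: {2}' -f $Hex, $win32, $text)
    }
    return ('0x{0} (not a FACILITY_WIN32 code)' -f $Hex)
}

function Get-LyncLogErrors {
    param([string]$Text)
    # <timestamp> <thread> ERROR :: <message> failed|error <8 hex digits>
    $pattern = '^(?<ts>\S+)\s+\S+\s+ERROR :: (?<msg>.*?)\s+(?:failed|error)\s+(?<hr>[0-9a-fA-F]{8})\s*$'
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time    = $Matches.ts
                Message = $Matches.msg
                Decoded = ConvertFrom-Hresult $Matches.hr
            }
        }
    }
}

$findings = Get-LyncLogErrors -Text $sampleLog
$findings | Format-Table -AutoSize -Wrap

# SRV names that failed to resolve are exactly the public records still to be created.
$missingSrv = $findings | ForEach-Object {
    if ($_.Message -match 'query: (?<srv>_\S+)') { $Matches.srv }
} | Sort-Object -Unique
"SRV records the client could not resolve: $($missingSrv -join ', ')"

# Every IP the client talked to should map back to a published Edge FQDN or a known NAT.
$ips = [regex]::Matches($sampleLog, '\b\d{1,3}(?:\.\d{1,3}){3}\b') | ForEach-Object Value | Sort-Object -Unique
"IP addresses seen in the log: $($ips -join ', ')"

# Against the real file, from the tracing path given earlier in the thread:
# Get-LyncLogErrors -Text (Get-Content "$env:LOCALAPPDATA\Microsoft\Office\15.0\Lync\Tracing\Lync-UccApi-0.UccApilog" -Raw)
```

The decoder is generic: any 0x8007xxxx value from a Lync, Exchange or Windows log can be fed to ConvertFrom-Hresult, and a code outside the Win32 facility is reported as such rather than guessed at.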

Expert Comment

by:Mohammed Hamada
ID: 40030538
After looking at the OCSLogger output, I can see you have many certificate TLS negotiation errors. Could you tell me how you configured your Lync Edge's NICs?

A Lync Edge should have 2 NICs, one internal and the other external. The internal should have only an internal/local IP and subnet mask, nothing else.

The external should have a DMZ IP with subnet mask, default gateway, DNS, etc., and should be able to browse the internet, meaning outbound should be totally open.

The internal NIC should have a separate certificate that's generated from your local CA, and the CA root certificate should be imported as well.

It would be helpful if you could share all this information,

and the same for the public/DMZ NIC too.

Author Comment

by:ZeroDogg
ID: 40030644
For your first thing, done.
For your second thing, my Edge's FQDN is edge2013.armaintl.local (per setup instructions), plus 4 additional letters before the word edge. I don't know where the sipinternal.armaintl.org is coming from.

Author Comment

by:ZeroDogg
ID: 40030658
The NICs are set up just the way you said. The internal is an inside address only, with a subnet mask and nothing else. The second is a NAT'd address through the Cisco ASA pointing (NAT'd) to an outside public IP. It has a subnet mask and gateway and the ISP's DNS servers. I can browse the internet, and when I check "what is my IP" it does resolve to the outside address it was assigned to. I hope this helps. Please let me know of any more information you need.

Expert Comment

by:Mohammed Hamada
ID: 40030667
Please check my latest comment regarding the certificates; it seems the problem is mostly related to them.

Author Comment

by:ZeroDogg
ID: 40030680
Just to be sure, because I know we have talked about the certs: check the 2 on the Lync or the 3 on the Edge?

Author Comment

by:ZeroDogg
ID: 40031126
I redid the Lync FE "inside" certs with no change. Do I need to redo the three certs on the Edge again, and if so, could old certs that haven't been removed (meaning I just keep doing the certs over and over) be causing an issue? Can I have your email address, moh10ly?

Accepted Solution

by:Mohammed Hamada (earned 500 total points)
ID: 40031145
While checking your Edge's FQDN, it seems you don't even have a certificate assigned on the DMZ NIC?

http://www.sslshopper.com/ssl-checker.html#hostname=sip.armaintl.org

Are you sure you assigned a certificate on the Public NIC?

I think you have probably missed some steps; could you please double-check your deployment step by step using the following link?

http://northernlync.wordpress.com/2013/02/17/complete-lync-2013-installation-guide-including-edge-server-installation-part-5-of-6/

Author Comment

by:ZeroDogg
ID: 40031163
I spoke way too soon. I redid the inside Lync server certs and I can connect now. The AD is pretty big and says it's still syncing, which is OK. I ran the SSL cert verification and MS Connectivity Analyzer and they still say the same thing, but I am connected, along with another user I am testing with. Can we pick up tomorrow? I am SO appreciating your help!

Author Comment

by:ZeroDogg
ID: 40033694
I am going to accept one of these as a solution, as all of them helped me get this project fixed. I don't know if I should open another question about why the SSL checker still states the same issue, as does the MS Connectivity Analyzer. They both say that nothing checks out, but Lync is working outside of the internal LAN. I even tested video and sound; it all works. The only thing that isn't is that it's taking a long time for anything to sync with the AD, as in nothing has synced yet outside of the network. Please let me know what you think so I can give the points and move on to the next issue of Lync. Thanks again.

ZeroDogg

Expert Comment

by:Mohammed Hamada
ID: 40033717
Normally the SSL checker should report nothing when your certificates are installed properly, even when your Lync connectivity is fine.

The SSL issue will mostly affect your federation with Skype or other Lync domains, so yes, I think you should open another question for this one.

Author Comment

by:ZeroDogg
ID: 40033755
Thank you sir and I hope to work with you again.

Author Closing Comment

by:ZeroDogg
ID: 40033757
This guy is tops, he really knows Lync!

Expert Comment

by:Mohammed Hamada
ID: 40034215
Glad your problem has been solved :)