External Access for Lync 2013 not working

I finished setting up my test bed for Lync 2013. Internal access is working fine, however I cannot get external access to work. I am trying to use Microsoft's Remote Connectivity Analyzer to figure out the problem.

- Lync Autodiscover Web Service Remote Connectivity Test: SUCCESSFUL
- Lync Server Remote Connectivity Test: FAILS when using Autodiscover to detect server settings
Testing remote connectivity for user <user> to the Microsoft Lync server.
  Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
  Additional Details
  Elapsed Time: 21508 ms.

  Test Steps
  Attempting to resolve the host name sip.mydomain in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: <external IP of accessedge>
    Elapsed Time: 139 ms.

  Testing TCP port 5061 on host sip.my.domain to ensure it's listening and open.
    The specified port is either blocked, not listening, or not producing the expected response.
    Additional Details
    A network error occurred while communicating with the remote host.
    Elapsed Time: 21064 ms.
 
This same test succeeds when I manually specify server settings to be accessedge.mydomain with the edge port being 443.

My setup is that I have one Standard FE server, one Edge server, and one RP server using IIS ARR 3.0. Where do I need to start troubleshooting this?
ejscnIT asked:

Jakob Digranes (Senior Consultant) commented:
the automatic discovery returns sip.mydomain.com and it fails,
but when you enter accessedge.mydomain.com it works?

I'd check the following

external DNS service record;
_sip._tls.mydomain.com - what host name and port does this point to?
_sipfederationtls._tcp.mydomain.com - what host name and port does this point to?

You can check using nslookup. From CMD type nslookup and click enter, then:
  server 8.8.8.8            (specify external DNS server (like google.com))
  set type=srv              (Specify Service Lookup)
  _sip._tls.mydomain.com    (Enter service record and hit enter)

Then check topology in Lync, go to Edge Server and see what FQDN you've used for Access Edge. Is it sip.mydomain.com or accessedge.mydomain.com?
Are the names present in certificate?
you can test that here:
www.digicert.com/help - enter either sip.mydomain.com or accessedge.mydomain.com
do both FQDN point to same address? do they present the same certificate?

Also - make sure TCP443 and TCP5061 are opened in firewall and MAPPED to Access Edge address on Lync Edge Server (You'll find address in Lync Topology Builder)
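The checklist above (external SRV records, port reachability, and whether the certificate on the Access Edge covers the SRV target) can be scripted so it is repeatable after each change. The following Python 3 script is an added example, not code from the thread or from Microsoft: it uses only the standard library, sends a hand-built DNS SRV query to 8.8.8.8 as the answer suggests, performs the TLS handshake to the SRV target and port, and reports whether the certificate's SAN/CN covers that target. `mydomain.com` and the host names are the thread's placeholders; the single-label wildcard handling is a simplification.

```python
import random
import socket
import ssl
import struct

def build_srv_query(name, txid=None):
    """Minimal DNS query packet (RD=1, one question) for the SRV record of `name`."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 33, 1)  # QTYPE 33 = SRV, QCLASS 1 = IN

def _read_name(msg, offset):
    """Decode a DNS name at `offset`, following compression pointers; returns (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer back into the message
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_srv_response(msg):
    """Return sorted [(priority, weight, port, target), ...]; [] when RCODE != 0 (e.g. NXDOMAIN)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 33:
            prio, weight, port = struct.unpack(">HHH", msg[offset:offset + 6])
            target, _ = _read_name(msg, offset + 6)
            answers.append((prio, weight, port, target))
        offset += rdlen
    return sorted(answers)

def srv_lookup(name, resolver="8.8.8.8", timeout=5):
    """Query an external resolver (8.8.8.8 as in the answer) so internal split-brain DNS is not consulted."""
    query = build_srv_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_response(data)

def cert_names(cert):
    """Host names covered by a certificate dict from SSLSocket.getpeercert(): SAN DNS entries plus CN."""
    names = {value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        names.update(value.lower() for kind, value in rdn if kind == "commonName")
    return names

def name_covered(host, names):
    """True if `host` is listed exactly or matched by a single-label wildcard (*.parent)."""
    host = host.lower()
    return host in names or "*." + host.partition(".")[2] in names

def fetch_cert(host, port, timeout=5):
    """TCP connect plus TLS handshake; chain validation stays on, so an untrusted cert fails loudly."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as tcp, \
            ctx.wrap_socket(tcp, server_hostname=host) as tls:
        return tls.getpeercert()

def check_edge(sip_domain, resolver="8.8.8.8"):
    """Run the checklist for _sip._tls and _sipfederationtls._tcp; returns a list of findings."""
    findings = []
    for service in ("_sip._tls.", "_sipfederationtls._tcp."):
        record = service + sip_domain
        rrs = srv_lookup(record, resolver)
        if not rrs:
            findings.append(f"{record}: no SRV record in external DNS")
            continue
        _, _, port, target = rrs[0]  # lowest priority/weight first
        try:
            names = cert_names(fetch_cert(target, port))
        except OSError as exc:  # timeouts, refused connections and TLS failures all land here
            findings.append(f"{target}:{port}: connect/TLS failed ({exc})")
            continue
        if not name_covered(target, names):
            findings.append(f"{target}:{port}: certificate does not cover {target}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_edge("mydomain.com")) or "all checks passed")  # placeholder domain
```

Run it from a machine outside the network, since the point is to see exactly what an external client sees: a missing `_sipfederationtls._tcp` record, a `_sip._tls` target that points at the wrong host or port, a closed port, or a certificate whose SAN does not list the SRV target each come back as a separate finding.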
ejscnIT (Author) commented:
Jakob,

I owe you for all the help you've provided me with this Lync deployment. This is the third question you've answered for me.

The remote connectivity analyzer test is working, and I can now access Lync externally using Lync 2013 on Windows. However, the mobile app on Android isn't working (I haven't tested with iOS or WP, but I'm assuming the same results). I used the Lync Connectivity Analyzer (from the edge server) and got this result: "Verification failed for Mobility (UCWA) service. The service could not be reached from an external network." The UCWA service is pointing to lyncserver.mydomain.com, which is not in DNS externally and would then be inaccessible. Do you have any thoughts on what I should try next?

external DNS service record;
_sip._tls.mydomain.com - what host name and port does this point to?
  -> Accessedge.mydomain.com
_sipfederationtls._tcp.mydomain.com - what host name and port does this point to?
  -> Accessedge.mydomain.com (this entry was missing)

You can check using nslookup (server 8.8.8.8, set type=srv, _sip._tls.mydomain.com)
  -> This wasn't working because I had entered it incorrectly. Now it points to accessedge.mydomain.com on port 443

Then check topology in Lync, go to Edge Server and see what FQDN you've used for Access Edge. Is it sip.mydomain.com or accessedge.mydomain.com?
  -> accessedge.mydomain.com
Are the names present in certificate?
  -> yes
you can test that here: www.digicert.com/help - enter either sip.mydomain.com or accessedge.mydomain.com
do both FQDN point to same address? do they present the same certificate?
  -> Yes and yes.

Also - make sure TCP443 and TCP5061 are opened in firewall and MAPPED to Access Edge address on Lync Edge Server (You'll find address in Lync Topology Builder)
  -> I have no firewall aside from Windows firewall for this test bed. According to the topology builder, TCP5061 is disabled because I'm not using federation.
Jakob Digranes (Senior Consultant) commented:
ejscnIT (Author) commented:
Hi Jakob,

Sorry it took so long to respond. I looked into the third link you sent, since we are running 2012R2 and do not have licensing for TMG. We also do not have ADFS set up, which was a hangup with the third option you sent. I have followed the steps in this article http://www.nojitter.com/post/240169216/technically-lync-reverse-proxy-alternatives to implement reverse proxy for Lync. I'm not sure if you've ever used ARR 3.0 for Lync Reverse Proxy.

Do you have any ideas what I may have misconfigured?  Or how I can test for what isn't working?  Again, thank you for all your help.