ejscn asked:

External Access for Lync 2013 not working

I finished setting up my test bed for Lync 2013.  Internal access is working fine, however I cannot get external access to work.  I am trying to use Microsoft's Remote Connectivity Analyzer to figure out the problem.

- Lync Autodiscover Web Service Remote Connectivity Test: SUCCESSFUL
- Lync Server Remote Connectivity Test: FAILS when using Autodiscover to detect server settings

Testing remote connectivity for user <user> to the Microsoft Lync server.
  Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
  Additional Details
    Elapsed Time: 21508 ms.

Test Steps

Attempting to resolve the host name sip.mydomain in DNS.
  The host name resolved successfully.
  Additional Details
    IP addresses returned: <external IP of accessedge>
    Elapsed Time: 139 ms.

Testing TCP port 5061 on host sip.my.domain to ensure it's listening and open.
  The specified port is either blocked, not listening, or not producing the expected response.
  Additional Details
    A network error occurred while communicating with the remote host.
    Elapsed Time: 21064 ms.
 
This same test succeeds when I manually specify server settings to be accessedge.mydomain with the edge port being 443.

My setup is that I have one Standard FE server, one Edge Server, and one RP server using IIS ARR 3.0.  Where do I need to start troubleshooting this?
Jakob Digranes

The automatic discovery returns sip.mydomain.com and it fails,
but when you enter accessedge.mydomain.com it works?

I'd check the following:

External DNS service records:
_sip._tls.mydomain.com - what host name and port does this point to?
_sipfederationtls._tcp.mydomain.com - what host name and port does this point to?

You can check using nslookup. From CMD, type nslookup and click Enter.
(Specify an external DNS server (like google.com))
server 8.8.8.8
(Specify service lookup)
set type=srv
(Enter the service record and hit Enter)
_sip._tls.mydomain.com

Then check the topology in Lync: go to Edge Server and see what FQDN you've used for Access Edge. Is it sip.mydomain.com or accessedge.mydomain.com?
Are the names present in the certificate?
You can test that here:
www.digicert.com/help - enter either sip.mydomain.com or accessedge.mydomain.com
Do both FQDNs point to the same address? Do they present the same certificate?

Also, make sure TCP443 and TCP5061 are opened in the firewall and MAPPED to the Access Edge address on the Lync Edge Server (you'll find the address in Lync Topology Builder).
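
The SRV checks suggested in the answer above can be scripted. The following is an added example, not part of the original thread: it parses nslookup SRV output (a constructed sample using the thread's placeholder names) and reports records whose target, port or certificate coverage does not match the Access Edge FQDN. The function names and the expected ports (443 for _sip._tls, 5061 for _sipfederationtls._tcp) are assumptions.

```python
import re

# Constructed sample: Windows nslookup output after "set type=srv".
# Names are the thread's placeholders; the first record is deliberately wrong.
SAMPLE = """\
_sip._tls.mydomain.com  SRV service location:
          priority       = 0
          weight         = 0
          port           = 5061
          svr hostname   = sip.mydomain.com
_sipfederationtls._tcp.mydomain.com     SRV service location:
          priority       = 0
          weight         = 0
          port           = 5061
          svr hostname   = accessedge.mydomain.com
"""

# One SRV answer: header line, then its "port" and "svr hostname" fields.
SRV = re.compile(
    r"^(_\S+)\s+SRV service location:.*?port\s*=\s*(\d+).*?svr hostname\s*=\s*(\S+)",
    re.I | re.S | re.M)

def parse_srv(text):
    """Map each SRV record name to its port and target host."""
    return {name.lower(): {"port": int(port), "target": host.lower().rstrip(".")}
            for name, port, host in SRV.findall(text)}

def check_srv(records, domain, access_edge, cert_names):
    """List mismatches between SRV records, Access Edge FQDN and certificate names."""
    # Assumed ports: 443 for client sign-in (as in the thread), 5061 for federation.
    expected = {f"_sip._tls.{domain}": 443, f"_sipfederationtls._tcp.{domain}": 5061}
    findings = []
    for name, port in expected.items():
        rec = records.get(name)
        if rec is None:
            findings.append(f"{name}: no SRV record returned")
            continue
        if rec["target"] != access_edge:
            findings.append(f"{name}: target {rec['target']} != {access_edge}")
        if rec["port"] != port:
            findings.append(f"{name}: port {rec['port']} != {port}")
        if rec["target"] not in cert_names:  # exact match only, no wildcard handling
            findings.append(f"{name}: {rec['target']} not in certificate names")
    return findings

if __name__ == "__main__":
    names = {"accessedge.mydomain.com", "sip.mydomain.com"}  # constructed SAN list
    for f in check_srv(parse_srv(SAMPLE), "mydomain.com", "accessedge.mydomain.com", names):
        print(f)
```
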
ejscn (ASKER)

Jakob,

I owe you for all the help you've provided me with this Lync deployment.  This is the third question you've answered for me.

The remote connectivity analyzer test is working, and I can now access Lync externally using Lync 2013 on Windows. However the mobile app on Android isn’t working (I haven’t tested with iOS or WP, but I’m assuming the same results).  I used the Lync Connectivity Analyzer (from the edge server) and got this result: “Verification failed for Mobility (UCWA) service. The service could not be reached from an external network.”  The UCWA service is pointing to lyncserver.mydomain.com, which is not in DNS externally and would then be inaccessible.  Do you have any thoughts on what I should try next?

external DNS service record;
_sip._tls.mydomain.com - what host name and port does this point to?   Accessedge.mydomain.com
_sipfederationtls._tcp.mydomain.com - what host name and port does this point to? Accessedge.mydomain.com (this entry was missing)

You can check using nslookup. From CMD type nslookup and click enter.
(specify external DNS server (like google.com))
server 8.8.8.8
(Specify Service Lookup)
set type=srv
(Enter service record and hit enter)
_sip._tls.mydomain.com
This wasn’t working because I had entered it incorrectly.  Now it points to accessedge.mydomain.com on port 443

Then check topology in Lync, go to Edge Server and see what FQDN you've used for Access Edge. Is it sip.mydomain.com or accessedge.mydomain.com? accessedge.mydomain.com
Are the names present in certificate? yes
you can test that here:
www.digicert.com/help - enter either sip.mydomain.com or accessedge.mydomain.com
do both FQDN point to same address? do they present the same certificate?   Yes and yes.

Also - make sure TCP443 and TCP5061 are opened in firewall and MAPPED to Access Edge address on Lync Edge Server (You'll find address in Lync Topology Builder)  
I have no firewall aside from Windows firewall for this test bed.  According to the topology builder, TCP5061 is disabled because I’m not using federation.
ASKER CERTIFIED SOLUTION
Jakob Digranes
This solution is only available to members.
ejscn (ASKER)

Hi Jakob,

Sorry so long to respond.  I looked into the third link you sent since we are running 2012R2 and do not have licensing for TMG.  We also do not have ADFS set up, which was a hangup with the third option you sent.  I have followed the steps in this article http://www.nojitter.com/post/240169216/technically-lync-reverse-proxy-alternatives to implement reverse proxy for Lync.  I'm not sure if you've ever used ARR 3.0 for Lync Reverse Proxy.

Do you have any ideas what I may have misconfigured?  Or how I can test for what isn't working?  Again, thank you for all your help.