Lync 2010 & Exchange Integration

Hoping someone can save me some time and point me in the right direction with this, please.

We have recently taken over support of an environment with Exchange 2010 and Lync 2010.
Lync is primarily (only) used for IM internally - there is no need for external access or voice at the moment.

We changed the A records in our external DNS zonefile to point to a new website with SSL and since then Lync prompts to accept the website certificate when signing in.

Lync signs in ok but then when trying to connect to Exchange it seems to browse to http://external.co.uk:443 via our proxy server - hence the website certificate being presented.
We have one SIP domain (internal.local) and users have SMTP address of "f.s@external.co.uk"
As part of looking into this I changed the CSAdministrator group (back) to Universal and can now publish topology.
We have split DNS so I have added A records for autodiscover into our Active Directory internal.local and external.co.uk zones, I also added an SRV record for _autodiscover and Lync client can now use EWS successfully.

The client is functioning (in fact with EWS we now have a little more functionality) but we still have it trying to browse externally and being presented with the website certificate. Users could probably just click to trust the server but I was hoping for more of an elegant & global solution.

Any Ideas?
Camy (Author) Asked:

Chris (Senior Technical Architect) Commented:
What URLs do you have defined in Exchange?
I think this DigiCert tool on the analyse step will list them out: https://www.digicert.com/internal-domain-name-tool.htm
or use the following PowerShell:

# *lur* is a wildcard for every *Url* property (InternalUrl, ExternalUrl, ...) on each object
Get-ActiveSyncVirtualDirectory   | ft server,*lur* -AutoSize
Get-AutodiscoverVirtualDirectory | ft server,*lur* -AutoSize
Get-ClientAccessServer           | ft name,  *lur* -AutoSize
Get-EcpVirtualDirectory          | ft server,*lur* -AutoSize
Get-OabVirtualDirectory          | ft server,*lur* -AutoSize
Get-OwaVirtualDirectory          | ft server,*lur* -AutoSize
Get-WebServicesVirtualDirectory  | ft server,*lur* -AutoSize

I would expect the following DNS records externally for it all to work:

an SRV for autodiscover.domain.com which points to an A record of your mail server
an A record which goes to the IP of your mail server, i.e. mail.domain.com
Camy (Author) Commented:
I have A records for autodiscover.internal.local and mail.external.co.uk in our AD DNS.
Output of those commands is attached (info.txt).
Camy (Author) Commented:
Reading the links below seems to indicate this is expected behaviour of the client:

http://blogs.technet.com/b/rmilne/archive/2013/04/02/busting-the-set-autodiscovervirtualdirectory-myth.aspx
http://blogs.technet.com/b/rmilne/archive/2011/10/21/exchange-amp-the-autodiscover-web-service.aspx
http://www.microsoft.com/en-us/download/confirmation.aspx?id=15668

Internal and External Networks

1. UC client will attempt to read any existing Autodiscover data with a valid Time-to-Live (TTL), which may have been previously retrieved by Outlook.
2. UC client or device will extract the SMTP domain from the user's presence document.
3. UC client or device will then use the user's SMTP domain to construct DNS queries for the following URLs:
   • https://<smtpdomain>/autodiscover/autodiscover.xml
   • https://autodiscover.<smtpdomain>/autodiscover/autodiscover.xml
   • http://autodiscover.<smtpdomain>/autodiscover/autodiscover.xml
   • Autodiscover SRV record
4. UC client or device will send unauthenticated GET to above Autodiscover URLs to determine whether server is running Exchange Server 2007 (X-SOAP-Enabled) or Exchange Server 2010 (X-WSSecurity-Enabled).
5. A new SOAP or XML request is sent to retrieve EWS information, which is then cached in the Registry with a default TTL value of 24 hours.
6. In the event of Autodiscover failure, retries will occur as follows:
   • If Autodiscover fails, retry on a three-minute interval over a period of two hours.
   • If Autodiscover fails after three successive attempts, use MAPI but continue to retry.
   • If Autodiscovery succeeds, refresh cached values on an hourly basis.

Given we want people to be able to browse to https://external.co.uk I'm not sure how to prevent the Lync client from doing this and presenting the website certificate with the request to trust. Might just need to advise users to choose to trust this box / certificate.
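The lookup order quoted above is easier to reason about when you can see which candidate is answered first on your own DNS. The PowerShell script below is an added example, not part of this thread or of Microsoft's document: it builds the four Autodiscover candidates for one SMTP domain in the order the document lists, resolves each with Resolve-DnsName, and for the HTTPS ones reads the subject of the certificate the host presents, which is the certificate the Lync client will be prompted about. It assumes Resolve-DnsName is available (DnsClient module, Windows 8 / Server 2012 or later), assumes the standard owner name _autodiscover._tcp.<domain> is the "Autodiscover SRV record" meant in step 3, and uses the thread's external.co.uk only as the default parameter value.

```powershell
param(
    [string]$SmtpDomain = 'external.co.uk'   # default only; pass your own SMTP domain
)

function Get-AutodiscoverCandidates {
    param([string]$Domain)
    # Same order as step 3 of the quoted document. The SRV owner name
    # _autodiscover._tcp.<domain> is the standard one (assumption, not from the thread).
    @(
        [pscustomobject]@{ Order = 1; Kind = 'A';   Name = $Domain;                      Url = "https://$Domain/autodiscover/autodiscover.xml" }
        [pscustomobject]@{ Order = 2; Kind = 'A';   Name = "autodiscover.$Domain";       Url = "https://autodiscover.$Domain/autodiscover/autodiscover.xml" }
        [pscustomobject]@{ Order = 3; Kind = 'A';   Name = "autodiscover.$Domain";       Url = "http://autodiscover.$Domain/autodiscover/autodiscover.xml" }
        [pscustomobject]@{ Order = 4; Kind = 'SRV'; Name = "_autodiscover._tcp.$Domain"; Url = 'https://<SRV target>/autodiscover/autodiscover.xml' }
    )
}

function Get-PresentedCertificateSubject {
    param([string]$HostName, [int]$Port = 443)
    # Reads the certificate a server presents on $Port. Validation is bypassed on
    # purpose: the goal is to see which certificate the client will be shown, not
    # to decide whether to trust it.
    try {
        $tcp     = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $noCheck = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl     = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
        $ssl.AuthenticateAsClient($HostName)
        $subject = $ssl.RemoteCertificate.Subject
        $ssl.Dispose(); $tcp.Close()
        return $subject
    } catch {
        return "no TLS answer ($($_.Exception.Message))"
    }
}

foreach ($c in Get-AutodiscoverCandidates -Domain $SmtpDomain) {
    # Keep only records of the requested type (Resolve-DnsName may also return CNAMEs).
    $hits = @(Resolve-DnsName -Name $c.Name -Type $c.Kind -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq $c.Kind })

    if ($hits.Count -eq 0) {
        "{0}. {1}`n   no {2} record for {3}" -f $c.Order, $c.Url, $c.Kind, $c.Name
        continue
    }

    if ($c.Kind -eq 'SRV') {
        # SRV gives host and port; the client then speaks HTTPS to that target.
        $target = $hits[0].NameTarget; $port = $hits[0].Port
        $where  = "${target}:${port}"
    } else {
        $target = $c.Name; $port = 443
        $where  = ($hits | ForEach-Object { $_.IPAddress }) -join ', '
    }

    $cert = if ($c.Url -like 'https://*') {
        Get-PresentedCertificateSubject -HostName $target -Port $port
    } else {
        'plain HTTP, no certificate'
    }

    "{0}. {1}`n   resolves to : {2}`n   certificate : {3}" -f $c.Order, $c.Url, $where, $cert
}
```

Run it from a workstation that uses the same split DNS as the Lync clients. In the situation described in the question, candidate 1 (https://external.co.uk/autodiscover/autodiscover.xml) resolves to the new website and reports the website's certificate subject, which is exactly the certificate the client asks users to trust; candidates 2 and 4 should report the Exchange CAS certificate once the internal autodiscover A and SRV records are in place.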
Chris (Senior Technical Architect) Commented:
If you are hosting the website and the Exchange infrastructure, the only real way to do this is with SNI (Server Name Indication), where you can separate out via the following path, i.e. /autodiscover.xml

but it's started to get complicated by having the website on the base-level domain.
Camy (Author) Commented:
Think I might have got to an acceptable place; as mentioned in https://support.microsoft.com/en-us/kb/2531068 I have pushed out an update to the key HKCU\Software\Microsoft\Communicator\TrustModelData so that it includes "external.co.uk".

Chris (Senior Technical Architect) Commented:
If you are looking to get around that prompt then that reg key works, as I have used that in our environment.
If you have a multi-SAN certificate Lync sometimes gets fussy about the order of the names and throws that error up.
Sorry, hadn't picked up that that was the exact error.

If you add that to HKLM it will apply to all users, which is how I have implemented it:

1. Start Registry Editor on the computer on which the Lync 2013 desktop client is installed.
2. Locate the following registry location on the computer:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\15.0\Lync

Note: If the Lync registry key does not exist, you must create the key.
3. Right-click the Lync key, click New, and then click String Value.
4. Type TrustModelData, and then press ENTER.
5. Right-click TrustModelData, and then click Modify.
6. In the Value data box, add the domain of the server that is displayed in the Trust Model dialog box.
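The six manual steps above, scripted so they can be pushed to many machines and re-run safely. This is an added example and not the answerer's own script: it creates the policy key if it is missing, reads any TrustModelData value already present, and appends the new domain only if it is not already listed, so an existing entry is never overwritten. It assumes the value is a comma-separated list of domains (the format documented in the KB article linked earlier in the thread), defaults to the Lync 2013 key path quoted above, and uses the thread's external.co.uk only as a default; for a different client version pass the matching key from KB2531068 via -KeyPath.

```powershell
param(
    [string]$Domain  = 'external.co.uk',                                       # default only
    [string]$KeyPath = 'HKLM:\Software\Policies\Microsoft\Office\15.0\Lync'    # Lync 2013 policy key from the steps above
)

function Add-TrustModelDomain {
    param([string]$Path, [string]$NewDomain)

    # Step 2 "Note": create the Lync policy key if it does not exist yet.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Read the existing TrustModelData (REG_SZ); $null when the value is absent.
    $current = (Get-ItemProperty -Path $Path -Name 'TrustModelData' -ErrorAction SilentlyContinue).TrustModelData

    # Assumption: the value holds a comma-separated list of trusted domains.
    $domains = @()
    if ($current) {
        $domains = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    # Idempotent: re-running the script must not duplicate the entry.
    # -contains compares case-insensitively, which matches DNS name semantics.
    if ($domains -contains $NewDomain) {
        return $current
    }

    # Steps 3-6: a String Value named TrustModelData holding the domain(s).
    $newValue = ($domains + $NewDomain) -join ','
    New-ItemProperty -Path $Path -Name 'TrustModelData' -PropertyType String -Value $newValue -Force | Out-Null
    return $newValue
}

$value = Add-TrustModelDomain -Path $KeyPath -NewDomain $Domain
"TrustModelData under $KeyPath is now: $value"
```

Writing under HKLM\Software\Policies needs local administrator rights, so deploy it through Group Policy (or a startup script) rather than per user. Keep in mind what the value does: every server whose name falls under a listed domain is treated as trusted and no longer triggers the Trust Model prompt, so the list should contain only domains you control, which for this thread is just the SMTP domain the Autodiscover lookup lands on.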
Camy (Author) Commented:
Resolved with further investigation and by implementing the registry edit as expanded on by irweazel after resolution.