5 Essential Tips for Deploying Lync2013 Mobility Service

5/30/2013

A good place to start understanding how the Mobility Service works is here: http://technet.microsoft.com/en-us/library/hh690030.aspx. Most of the steps are already provided in Technet but I find that many of the key essential must-do's are scattered in various pages rather than being consolidated in a single location. Hence, this article serves as a companion to the Technet documentation and is intended for anyone who is encountering difficulty in successfully getting the Mobility service to work. It will also be useful in case I ever need to deploy the Mobility Service again in a different environment and do not wish to spend time to troubleshoot the commonly encountered issues. The diagram below reproduced from Technet is very helpful to understand the how the mobility service works:

Tip#1: Lync Internal and External AutoDiscover DNS records

During Automatic Discovery, mobile devices will first use DNS lookup to the internal DNS record lyncdiscoverinternal.<internal domain>. If not found, it means that the client is on an external network and will then lookup the external DNS record lyncdiscover.<sipdomain>. A mobile device that is internal to the network connects to the internal Autodiscover Service URL, and a mobile device that is external to the network connects to the external Autodiscover Service URL. For split-brain DNS environment, the internal autodiscover DNS record should exist in the internal DNS and not in the external public DNS. Vice versa, the external autodiscover DNS record should exist in the external public DNS and not in the internal DNS.

Tip#2: Lync Web services FQDNs

The internal web services FQDN must be different from the external web services FQDN. This is a requirement as stated in Technet but not emphasized enough. This is particularly important when using a Standard Edition Front End, where the internal Web Services FQDN defaults to the Lync server FQDN and cannot be changed. If the same Lync server FQDN has also been used for the external web services FQDN for some reason, then it must be changed in order for the Mobility Service to work properly. Note that changing the external web services FQDN in Topology Builder requires a re-issuance of the default Lync server certificate.

Tip#3: Lync Web services DNS records

As mentioned in Technet: "The Lync Server 2013 Autodiscover Service returns all Web Services URLs for the user's home pool, including the Mobility Service (Mcx and UCWA) URLs. However, both the internal Mobility Service URL and the external Mobility Service URL are
associated with the external Web Services FQDN. Therefore, regardless of whether a mobile device is internal or external to the network, the device always connects to the Lync Server 2013 Mobility Service externally through the reverse proxy"

- The internal web FQDN must only resolve to and be accessible from inside the corporate network.
- The external web FQDN must only resolve to and be accessible from the Internet.
- For a user who is inside the corporate network, the Mobility Service URL must be addressed to the external web FQDN. This requirement is for the Mobility Service and applies only to this URL.

What is not obvious from the above statements are that for a DNS split-brain environment with mobile device clients connecting wirelessly, you need to configure the external web FQDN in the internal DNS with the public Reverse Proxy IP address. Otherwise, internal clients will not be able to reach the external web FQDN returned by the internal autodiscover service. Without this record, the mobile client will display an error "Can’t connect to the server. It may be busy or temporarily unavailable. Please try again" and you will likely encounter the error logs from the mobile client showing something like this:

"... The AppliesTo element of web ticket request points to a different web server or site... "

Tip#4: Reverse Proxy Web Listener

Although Forefront TMG is no longer available for sale, many sites are still using an existing TMG as a Reverse Proxy for Lync. If so, the existing Web Access rule can be modified to cater for the Mobility Service. Obvously the web listener for this rule must have a certificate from a public CA (I'm using GoDaddy) and the external public AutoDiscover FQDN must be added to the certificates SAN if https is desired for service requests. As per the Technet documentation, the following settings are worthy of mention:

On the Web Publising rule, in the To tab, ensure the following:

◦ Select Forward the original host header instead of the actual one.

◦ Select Requests appear to come from the Forefront TMG computer.

On the Bridging tab, ensure the following:

◦ Select Web server.

◦ Select Redirect requests to HTTP port, and type 8080 for the port number.

◦ Select Redirect requests to SSL port, and type 4443 for the port number.

Tip#5: Use the new Lync Connectivity Analyzer

The new Lync Connectivity Analyzer is a great tool for testing and verifying the Autodiscover and Mobility services. You can choose to test both internal and external Auto Discovery URLs. If your DNS records are not done properly, this tool will be a good place to start troubleshooting.

16 Comments

Stanislaw

7/18/2013 08:28:29 pm

Hello Brennon,
Could you please take a look at my problem?
My aim is to correctly set Lync 2013 Environment.
I have:
FrontEnd
ReverseProxy
Edge
OWAS (Web App Server)
I want to have mobility with autodiscover. I prefer to use certificates with following settings, is it correct and will work as expected?:
On the FrontEnd I would like to request (to internal CA) one certificate for ‘Server default’ and ‘Web services internal’:

With following
SN:
lyncpool.domain.local
SANs:
lyncpool.domain.local
FrontEnd.domain.local
sip.domain.local
lyncdiscoverinternal.domain.local
Additionally, for external user access my approach assumes that I will request for ‘Web services external’ such SANs:

SN:
webext.domain.com
SAN:
webext.domain.com
sip.domain.com
lyncdiscover.domain.com
owa-ext.domain.com

I would like to use second (external certificate) on FrontEnd and on the Reverse Proxy for two purposes: FrontEnd external services and OWAS.

Do you think this is possible and supportable?
Do I need to have separate IP address for OWAS external acces?

Brennon link

9/19/2013 06:03:16 pm

For the FE Pool, in additional to what you listed above, the certs should also contain the SAN entries:

lyncdiscover.domain.com
lyncwebservices.domain.com

Did you manage to get it working?

Shark

1/8/2014 09:31:53 am

Hi,

Tip#2: Do we really need 2 different urls for the internal and the external web services (not the discovery urls) in an enterprise pool deployment? Why? Let’s say it’s called lyncws.sipdomain.com which points internally to the Pool-VIP:443 and externally to the reverse-proxy-IP:443 which is redirected to the Pool-VIP:4443
Why this will be a problem?

Thank you

Brennon link

1/13/2014 04:05:40 pm

As stated in TechNet, the internal web services and external web services FQDNs must be different. I've tried using the same FQDN and the mobility service never works properly. The excerpt from http://technet.microsoft.com/en-us/library/hh690030.aspx :

Your topology must meet the following requirements to support the Mobility Service and the Autodiscover Service:

• The Front End pool internal web FQDN must be distinct from the Front End pool external web FQDN.

• The internal web FQDN must only resolve to and be accessible from inside the corporate network.

• The external web FQDN must only resolve to and be accessible from the Internet.

• For a user who is inside the corporate network, the Mobility Service URL must be addressed to the external web FQDN. This requirement is for the Mobility Service and applies only to this URL.

• For a user who is outside the corporate network, the request must go to the external web FQDN of the Front End pool or Director.

If you support automatic discovery, you need to create the following DNS records for each SIP domain:
• An internal DNS record to support mobile users who connect from within your organization's network.

• An external, or public, DNS record to support mobile users who connect from the Internet.

The internal automatic discovery URL should not be addressable from outside your network. The external automatic discovery URL should not be addressable from within your network. However, if you cannot meet this requirement for the external URL, mobile client functionally will probably not be affected, because the internal URL is always tried first.

Shawn

2/2/2014 01:27:45 pm

Regarding Step #3, does that not also require hair-pinning on the router? Directing a Mobile client on internal WiFi for example, back out to the Public IP of the Reverse Proxy won't work without the router hair-pinning that traffic back inside correct?

The other trick I've heard is to configure Internal DNS to point the External Web FQDN to the internal IP of the Reverse Proxy, and then configure the RP to listen for traffic from both external and internal connections.

Brennon link

2/6/2014 10:42:37 am

In a nutshell, yes hair pinning is happening. The difference between Lync2010 and Lync2013 clients is in that the former is directed to Mcx service while the latter uses the UCWA service. This is explained very well in Jeff's article http://blog.schertz.name/2013/07/understanding-lync-2013-mobility/

I haven't tried the trick you mentioned but logically it should work provided the RP is configured correctly. However it would not be an officially supported configuration by Microsoft.

Brian

7/7/2014 11:39:22 am

Brennon - question for you. This is regarding tip 3. Our FEs are using internally issued certain. Mobile client on internal wifi and it will not connect unless the root cert is imported on the iOS device. It is clear from the client logs that TLS will not occur. Since lyncdiscoverinternal can be resolved this sets the client to location = internal. After failing https it tries http auto discover service and receives an auto discover XML response containing various internal and external urls, but the client leverages the URL for the internal Web services and not the external URL. In fact, the mcx and ucwa urls are not in the response.

It makes sense why the client won't connect, but I can't understand why the iOS lync client is using the internal URL. Perhaps I'll check get-csmcxconfiguration to ensure someone hasn't set to use internal URL.

Any ideas?

PS - we have the external web services DNS entry pointing to public RP interface

Brennon link

7/8/2014 07:49:37 pm

MCX is not used by Lync2013 mobile clients but UCWA is. Internal Lync2013 mobile clients still need to talk to the internal Lync autodiscover service via https so it will need the root cert. If https fails yes it will try http but it will be unlikely to pass the remaining security checks so it's still https that is used in most cases.

The autodiscover service will always direct the client to the Lync external web services FQDN to get reach the mobility service. Do you have the Lync external web services FQDN record in your internal DNS?

Bashir Dashti

10/27/2014 09:52:17 pm

Hi, i have installed lync 2013 , 1. FE, 2. DC, 3.Edge
1. fe.mydomain.com 192.168.0.2
2. dc.mydomain.com 192.168.0.1
3. edge01.mydomain.com 192.168.0.3 with 3 live ip, <10.1.3.20 sip.mydomain.com> <10.1.3.18 webconfig.mydomain.com> <10.0.1.26 av.mydomain.com >

what DNS and SRV will be added on DC < domain controller>

Chris Harris link

2/26/2015 10:29:16 am

Is a reverse proxy required for internal wireless mobile devices running Lync 2013 client? Internal iOS client logs show: "The AppliesTo element of web ticket request points to a different web server or site".
All examples state that the Lync mobile service URL and LyncDiscovery need to point to the external IP and go out then come back in a reverse proxy. Is that absolutely necessary? It won't just work internally by hitting the server directly as Lync 2013 client on Windows does? Split-brain DNS has all host names pointing to internal IP of Lync standard ed server. Seems crazy to have to implement reverse proxy just to make internal device work. Thx!!!

Chris H link

3/3/2015 11:12:30 am

Brennon link

3/3/2015 11:26:17 pm

Hi Chris

Yes it is required for internal wireless mobile devices running Lync2013 mobile client. Both external and internal mobile clients use the external reverse proxy to get into Lync web services. This is just how it works - the 'hairpinning' is by design.

Chris H link

3/4/2015 06:09:24 am

Thanks Brennon. There is no way around this somewhat nonsensical requirement for internal mobile devices accessing Lync Standard? The silly part here is the Lync environment is not open to the outside world, and the Lync Desktop Client 2013 connects *directly* to Lync standard server. Internal Mobile devices also connecting directly to Lync standard server is no less secure. Why a basically external facing design is required to be built out for internal access doesn't make sense and is not cost effective. It seems like there would be some way around this, however the mobile device seems to know its not going through a reverse proxy and then refuses to work. In order to resolve this must I deploy the extinct TMG product or a Windows 2012 R2 server with the reverse proxy features I've read about? Will an Edge server also be required? Remember this environment is not externally accessible. Thx for your help.

Brennon link

3/4/2015 02:58:09 pm

Hi Chris

Yes you need a RP to publish the external Lync web services so that Lync mobile users can login. There's no way around this as far as I know. I personally have used TMG and Kemp as RP and both work fine.

Lync 2013 mobile clients are always treated as external clients regardless of the actual network location they connect from, hence the Edge server is required. However Lync mobile does not use the Access Edge or Webconf Edge. It only uses the AV Edge service. There's a very good article on Lync mobility media paths written by Jeff Schertz: http://blog.schertz.name/2013/11/lync-mobility-media-paths

Chris H link

3/4/2015 03:54:37 pm

Thanks so much Brennon, I really appreciate your insight. Between this blog post and your comments this is the clearest explanation I've found, thanks again. If you ever have a tough Exchange question (or an easy one) drop me a line I'll help you out.
Chris

shessumaru

4/1/2015 07:29:31 am

Hi, i have installed lync 2013 , 1. FE, 2. Edge, 3.Reverse proxy
1. fe.mydomain.com 192.168.0.2
2. edge01.mydomain.com 192.168.0.3 with 3 live ip, <10.1.3.20 sip.mydomain.com> <10.1.3.18 webconfig.mydomain.com> <10.0.1.26 av.mydomain.com >
3. revers proxy (on tmg)

i cant seem to get the ip the external web services url should point to. Should the external web service url point to the TMG or should it point back to the RP

Your comment will be posted after it is approved.