Lync Mobility Step by Step in Split Domain Name Part II

In the second part of this series we will talk about the publishing rule in TMG for Lync Mobility, and we will also go through some troubleshooting steps you may face while connecting the Lync Mobile client.

Let us publish Lync Mobility using TMG

In my scenario I already have one rule created for Lync services; in this TMG rule I have not enabled port 80 because all of my Lync simple URLs are published through 443. Keep in mind that for Lync discovery I have not added any SAN names to my external certificate; however, the DNS entry in external DNS is there, which is why I will publish Lync services over port 80. As per my understanding I can use the same Lync firewall rule to publish Lync Mobility; only three things need to be changed: allow port 80 from outside, allow port 8080 from TMG to the hardware load balancer, and add the lyncdiscover name under Public Name in the same rule. So let's go ahead and edit the existing Lync rule.

Go to TMG and double-click the existing Lync rule.

On the Lync 2010 Properties page click the Listener tab. On the Listener tab notice that the HTTP port is shown as disabled, and notice that the certificate CN is mail.khatri.com, which means we are using only one certificate for Exchange and Lync. On the Listener tab click Properties.

On the Listener Properties page click the Connections tab, then select Enable HTTP connections on port; make sure that port 80 is filled in automatically and, if not, type 80. Click OK and you will be returned to the Lync 2010 Properties page. On the Lync 2010 Properties page click the Bridging tab; on Bridging select Redirect requests to HTTP port and type 8080.

Once done, click the Public Name tab, add lyncdiscover.khatri.com, then click OK.

We are done with the publishing rule. Let's take a mobile phone (Windows Phone, Android or iPhone), install the Lync client on it and try to connect. First connect your mobile to the company Wi-Fi; once that is done, connect your mobile to 3G or GPRS and try to connect again.

I have connected my iPhone to my internal Wi-Fi and tried to connect the Lync Mobile client. It is not connecting but throws the error "Could not verify server, please contact your system administrator", which means it cannot find the automatic discovery of my Lync autodiscover site. Let's add server values instead of connecting using Auto-Detect. Open the Lync Mobile client, click More Details, find the Auto-Detect Server option and switch it off. Once this option is off you will have two entries, Internal Discovery Address and External Discovery Address; type lyncdiscoverinternal.khatri.com under Internal Discovery Address and lyncdiscover.khatri.com under External Discovery Address, then sign in again. This time the Lync client gets stuck on "Keep signing in"; I gave it 10 minutes but got no error, not even a time-out. So what is the problem, why is it not connecting internally? Let's try to connect from outside: switch to the GPRS connection and try again, but this time turn the Auto-Detect Server option on. This time it gave me the error "Cannot verify server certificate", but why? Am I publishing my Lync Mobility on port 443? Of course not, I am publishing on port 80, so why is it trying to get the certificate?

Let's go to the TMG logging option to see whether the request is reaching TMG or not, and if it is, what exactly the error on TMG is. Open the TMG console; in the left pane click Logs & Reports; in the middle pane under Tasks click Edit Filter; on the Filter page click the Filter By option and select Rule; in the condition box (which shows Contains) select Equals; under Value select the Lync 2010 rule, then click Update.

You will be returned to the Logs & Reports page. So now we have told TMG to show every request that hits this rule. Now let's try to connect again from outside and keep an eye on TMG. I got the same error on the Lync client and found something weird in the TMG results:

This means we are reaching TMG, but TMG is saying that the request should come over HTTPS, not HTTP. What have I done wrong here? I mean, how do I tell TMG or Lync that I don't want lyncdiscover over HTTPS? There is no way to do it here. This forced me to read the whole TechNet documentation related to Lync Mobility, because you cannot find a lot of info anywhere except TechNet. In TechNet I found out that whether you are creating an HTTP or an HTTPS autodiscover request, you have to create a new firewall rule. Well, that makes sense. Let's delete whatever additions we made to the existing Lync 2010 firewall rule and then create a new rule dedicated to Lync Mobility. You can find more info on this at http://technet.microsoft.com/en-us/library/hh690030.aspx

Open the TMG console, right-click Firewall Policy, then click New and then Web Site Publishing Rule.

On the Welcome page, under Web publishing rule name, type Lync Mobility and click Next.

On the Select Rule Action page click Allow, then click Next. On the Publishing Type page select Publish a single Web site or load balancer, then click Next.

On the Server Connection Security page click Use non-secured connections…… then click Next (if you are publishing over HTTPS you have to select the first option).

Under Internal site name type lyncweb-int.khatri.com, then click Next (this is the Lync URL used for address book downloads, which points to the HLB).

On the Internal Publishing Details page, under Path (optional), type /*; also make sure you have selected Forward the original host header…. then click Next.

On the Public Name Details page type lyncdiscover.khatri.com, then click Next.

On the Select Web Listener page click New (we cannot reuse the existing Lync web listener because that one is used for HTTPS). For the name type Lync Mobility Listener, then click Next.

On the Client Connection Security page select Do not require SSL secured connections, then click Next.

On the Web Listener IP Addresses page tick External and then select the IP address dedicated to Lync web services. This is the same IP used for dialin.khatri.com, meet.khatri.com and lyncweb-ext.khatri.com; as these are published on port 443, we can use the same IP for port 80. In my case I am not using the public IP directly; instead the public IP is NATed to an IP on the external interface of TMG. As we have TMG NLB, in which both the external and internal interfaces are load balanced, I have added the Lync NAT IP to the TMG external NLB IPs; you can add as many IPs as you want to the NLB so that specific requests can come to that IP.

On the Authentication Settings page select No Authentication, then click Next, Next again and then Finish; you will be taken back to the main firewall rule wizard.

On the Select Web Listener page click Next. On Authentication Delegation select No delegation, but client can authenticate directly, then click Next and Finish.

Double-click the created rule, then click Listener and then Properties.

Now click the Authentication tab, then click Advanced.

On the Advanced page tick Allow client authentication over HTTP, then click OK and OK again. We are done.
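As an added example (not part of the original post, and not a Microsoft or TMG tool), here is a PowerShell script you can run from a client outside the network to see what the rule actually answers. It resolves both discovery names, requests the Lync autodiscover root over HTTP on port 80 (what the new Lync Mobility rule publishes) and over HTTPS on 443 (what the old Lync 2010 rule answers), and for HTTPS reports the certificate subject and SAN list, so the two symptoms seen earlier in this post (TMG insisting on HTTPS, and lyncdiscover missing from the certificate) can be confirmed from the command line. The host names are the ones used in this post, the Autodiscover path is the standard Lync Server 2010 mobility discovery URL, and the function names are my own.

```powershell
# Added example, not from the original post: check what the Lync Mobility publishing
# rule answers. Host names are the ones used in this post; the Autodiscover path is the
# standard Lync Server 2010 mobility discovery URL. Run it from a machine outside the
# corporate network, then again from inside, and compare the results.
param(
    [string]$ExternalName = "lyncdiscover.khatri.com",          # published by the new rule
    [string]$InternalName = "lyncdiscoverinternal.khatri.com",  # should only resolve internally
    [int]$TimeoutSeconds  = 15
)

$AutodiscoverPath = "/Autodiscover/AutodiscoverService.svc/Root"

# Resolve a name and list the addresses returned by whichever DNS this client is using.
function Resolve-LyncName {
    param([Parameter(Mandatory = $true)][string]$Name)
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
        New-Object PSObject -Property @{ Name = $Name; Resolves = $true; Addresses = ($addresses -join ", ") }
    } catch {
        New-Object PSObject -Property @{ Name = $Name; Resolves = $false; Addresses = $_.Exception.Message }
    }
}

# Request one discovery URL without following redirects, so a TMG "use HTTPS" redirect
# or an error page is reported as-is instead of being hidden by an automatic hop.
function Test-LyncDiscoverUrl {
    param([Parameter(Mandatory = $true)][string]$Url)
    $result = @{ Url = $Url; Status = $null; Location = $null; Body = $null
                 CertSubject = $null; CertSan = $null; Error = $null }
    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method = "GET"
    $request.AllowAutoRedirect = $false
    $request.Timeout = $TimeoutSeconds * 1000
    $request.UserAgent = "LyncDiscoverCheck/1.0"
    $response = $null
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx responses and connection or TLS failures land here; 4xx/5xx still carry a response
        $result.Error = $_.Exception.Message
        $response = $_.Exception.Response
    }
    if ($response -ne $null) {
        $result.Status = [int]$response.StatusCode
        $result.Location = $response.Headers["Location"]
        $reader = New-Object System.IO.StreamReader -ArgumentList $response.GetResponseStream()
        $body = $reader.ReadToEnd()
        $reader.Close()
        $response.Close()
        if ($body.Length -gt 160) { $body = $body.Substring(0, 160) + "..." }
        $result.Body = $body
    }
    # For HTTPS, show which certificate was presented: if lyncdiscover is not in its SAN list
    # (as in this post), the mobile client's "cannot verify server certificate" error is expected.
    $cert = $request.ServicePoint.Certificate
    if ($Url.StartsWith("https://", [System.StringComparison]::OrdinalIgnoreCase) -and $cert -ne $null) {
        $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
        $result.CertSubject = $cert2.Subject
        $san = $cert2.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # subjectAltName
        if ($san -ne $null) { $result.CertSan = $san.Format($false) }
    }
    New-Object PSObject -Property $result | Select-Object Url, Status, Location, CertSubject, CertSan, Error, Body
}

Resolve-LyncName $ExternalName | Format-List
Resolve-LyncName $InternalName | Format-List     # expected not to resolve from outside

# HTTP on port 80 is what the Lync Mobility rule publishes; HTTPS on 443 hits the old
# Lync 2010 rule, which is what the first attempt in this post was landing on.
Test-LyncDiscoverUrl "http://$($ExternalName)$($AutodiscoverPath)"  | Format-List
Test-LyncDiscoverUrl "https://$($ExternalName)$($AutodiscoverPath)" | Format-List
```

Read the output from the outside first: the HTTP request should come back from the Lync web services with a 200 and a short autodiscover document, and the internal name should fail to resolve. If the HTTP request instead returns an error or a redirect to HTTPS, the request is still landing on the HTTPS-only Lync 2010 rule rather than the new Lync Mobility rule. The HTTPS line shows the CN and SAN names of the certificate TMG presents on 443; with no lyncdiscover entry in it, a client forced onto HTTPS cannot verify the server, which is exactly the error the mobile client reported.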

Let's go ahead and connect the Lync Mobile client over the internet, using GPRS, 3G, your home Wi-Fi or a company guest Wi-Fi that goes out to the internet but does not route into your internal company network. I connected my iPhone and voilà, it connected like a charm; it is working perfectly fine. Now the problem is: why is the Lync Mobile client not connecting from the internal network? Good question :). OK, let's try again, but this time let's enable logging on the Lync Mobile client, which will give us all the logs related to it. Now the question is how to enable Lync Mobile client logging.

Guys, I am tired; I think I will have to write Part III for Lync Mobile connectivity internally. Meanwhile, enjoy Lync Mobile client connectivity from outside.


One Response to “Lync Mobility Step by Step in Split Domain Name Part II”

  1. webdeveloper roma Says:

    Keep on working, great job!
