Lync 2013 - ARR reverse proxy - Troubleshooting Tips

This post may help you troubleshoot Lync mobility connectivity failures and Lync external autodiscover issues. I have divided the troubleshooting steps into four categories.

Network, Firewall and DNS

Resolve lyncdiscover.domain.com from an external network and make sure that it resolves to the correct (public) IP address.

Do you have NAT rules configured for the reverse proxy? If yes, cross-check the IP mapping in the NAT rule; it should map to the RP's external NIC.

Make sure that the required ports are open on the firewall. Telnet to the RP's external IP address or FQDN on 443 and on 80; both should connect.

Try to access the URLs below externally and make sure that they work. Replace the domain suffix with your own domain.

https://lyncdiscover.domain.com/autodiscover/autodiscoverservice.svc/root/ - You will be prompted to download a root file.

https://lyncdiscover.domain.com/WebTicket/WebTicketService.svc/mex - You will get an XML response from the Lync server.

https://lyncdiscover.domain.com/WebTicket/WebTicketService.svc - It should prompt for credentials.

If the URLs above do not work, download and install the Fiddler debugging tool on the client machine to capture the HTTPS traffic; the captured requests and responses may give you a hint about the failure.
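The DNS and URL checks above can be scripted so that each endpoint is tested against the response it is supposed to give (a 401 challenge is the healthy answer for the WebTicket service endpoint, while the mex endpoint should return 200 with XML). The following PowerShell is an added example written for this post, not code from the original author; the SIP domain and the expected public IP are constructed placeholders that you replace with your own values.

```powershell
# Added example (not from the original post). Run from a machine OUTSIDE the corporate
# network. Assumptions: $SipDomain is your SIP domain and $ExpectedIp is the public IP
# of the reverse proxy (placeholder from a documentation address range).

$SipDomain    = 'domain.com'
$ExpectedIp   = '203.0.113.10'
$DiscoverFqdn = "lyncdiscover.$SipDomain"

# 1. DNS: the public record must exist and point at the reverse proxy, not at an internal address.
$answers = Resolve-DnsName -Name $DiscoverFqdn -Type A -ErrorAction Stop
$ips = @($answers | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
if ($ips -contains $ExpectedIp) { "DNS OK      : $DiscoverFqdn -> $($ips -join ', ')" }
else { "DNS MISMATCH: $DiscoverFqdn -> $($ips -join ', ') (expected $ExpectedIp)" }

# 2. HTTP checks. Each URL has a different 'healthy' status code.
$checks = @(
    @{ Url = "https://$DiscoverFqdn/autodiscover/autodiscoverservice.svc/root/"; Expect = @(200); Note = 'autodiscover root document' },
    @{ Url = "https://$DiscoverFqdn/WebTicket/WebTicketService.svc/mex";         Expect = @(200); Note = 'WSDL/XML expected' },
    @{ Url = "https://$DiscoverFqdn/WebTicket/WebTicketService.svc";             Expect = @(401); Note = 'credential challenge expected' }
)

foreach ($c in $checks) {
    $status = 0; $body = ''
    try {
        $r = Invoke-WebRequest -Uri $c.Url -UseBasicParsing -TimeoutSec 15
        $status = [int]$r.StatusCode
        $body   = [string]$r.Content
    } catch {
        # Non-2xx responses throw; the real status code is on the exception's Response object.
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    }
    $tag  = if ($c.Expect -contains $status) { 'OK  ' } else { 'FAIL' }
    $hint = if ($body -like '*<*') { ' (body looks like XML)' } else { '' }
    "$tag $($c.Url) -> HTTP $status$hint; $($c.Note)"
}
```

A status of 0 means the TCP connection or TLS handshake itself failed, which points back at the firewall, NAT or certificate checks rather than at the Lync web services.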

Certificate

The certificate plays a key role in the reverse proxy configuration. Make sure that the external certificate is valid and that the necessary SAN entries are present. The following site may help with external certificate verification: open the URL, enter lyncdiscover.domain.com as the host name, and check the subject name (SN), the SAN entries and the certificate validity period. https://www.sslshopper.com/ssl-checker.html

Make sure that the internal root CA certificate is available on the RP. If the RP server is not a member of your internal domain, export the root CA certificate and import it into the Trusted Root Certification Authorities container using the Certificates MMC snap-in.
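The same checks the online SSL checker performs (subject, validity, SAN list) can be done locally, and running the script on the RP itself also tells you whether the internal root CA is trusted there, which covers both paragraphs above. This is an added PowerShell example, not code from the original post; the list of required SAN names is an assumption based on the names this post mentions, and the "DNS Name=" formatting of the SAN extension is the Windows .NET format.

```powershell
# Added example (not from the original post). Fetches the certificate presented for
# lyncdiscover.<domain> on 443, prints validity and SAN entries, and evaluates chain trust
# on the machine running the script. Assumption: TCP 443 to the host is reachable.

$SipDomain = 'domain.com'
$Fqdn      = "lyncdiscover.$SipDomain"
# Assumed required SAN names (the post only says "necessary SAN entries"); adjust to your design.
$Required  = @("lyncdiscover.$SipDomain", "meet.$SipDomain", "dialin.$SipDomain")

# Accept whatever the server sends so we can inspect it; trust is evaluated explicitly below.
$acceptAll = { param($sender, $certificate, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]

$tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($Fqdn)   # sends SNI for $Fqdn, which matters when the RP hosts several sites
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date)) { "FAIL    : certificate has expired" }
if ($cert.NotBefore -gt (Get-Date)) { "FAIL    : certificate is not yet valid (check RP clock)" }

# Subject Alternative Name extension is OID 2.5.29.17. Windows formats entries as "DNS Name=x",
# one per line; .NET on other platforms uses "DNS:x, DNS:y", so both forms are handled.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    $sans = @($sanExt.Format($true) -split '[\r\n,]+' |
        ForEach-Object { ($_ -replace '^\s*(DNS Name=|DNS:)\s*', '').Trim() } |
        Where-Object { $_ })
}
"SANs    : $($sans -join ', ')"
foreach ($name in $Required) {
    if ($sans -contains $name) { "OK      : SAN present $name" } else { "MISSING : SAN $name" }
}

# Chain trust as seen from this machine. On the RP this shows whether the issuing root CA
# (internal or public) is in the Trusted Root store; revocation is skipped to isolate trust from CRL reachability.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) { "Chain   : trusted" }
else { "Chain   : NOT trusted - " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ') }
```

Run it once from an external client against the public name and once on the RP against the internal pool or simple-URL names; the second run is the one that reveals a missing internal root CA on a non-domain-joined RP.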

Reverse proxy configuration

I would recommend changing the port configuration before adding the server to the server farm. Sometimes you may observe external clients trying to connect to the internal server FQDN or pool FQDN directly for the web ticket. This is mainly due to ARR port forwarding misconfiguration.

If you have ARR 2.5, install the ARR 2.5 hotfix for IIS 7 if applicable. Download the patch from the following location: https://www.microsoft.com/en-ca/download/details.aspx?id=27121

From the RP server, try to telnet to ports 4443 and 8080 on the pool FQDN and on the simple URLs such as meet.domain.com and dialin.domain.com.

Do you have an internal load balancer for web traffic? If yes, try bypassing the LB by adding a hosts-file entry on the RP and check whether the external connection then works.

Cross-check the static route requirements on the RP. You will have removed the IP gateway from the internal NIC, so make sure that a static route to the internal network is configured properly.
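The three checks above (internal ports 4443 and 8080, a hosts-file bypass of the load balancer, and the static route on the internal NIC) are all local to the RP, so they fit in one script run on that server. This is an added PowerShell example, not code from the original post; the pool FQDN, internal subnet and NIC alias are placeholders that you replace with your own values.

```powershell
# Added example (not from the original post). Run on the reverse proxy server.
# Assumptions (all placeholders): pool01.<domain> is the Front End pool FQDN, 10.10.0.0/16 is
# the internal subnet that must be reached via the internal NIC, and 'Internal' is that NIC's alias.

$SipDomain   = 'domain.com'
$Targets     = @("pool01.$SipDomain", "meet.$SipDomain", "dialin.$SipDomain")
$Ports       = @(4443, 8080)   # external web site HTTPS and HTTP ports on the Front End
$InternalNet = '10.10.0.0/16'
$InternalNic = 'Internal'

# 1. Port reachability from the RP (the scripted form of the telnet test).
foreach ($t in $Targets) {
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $t -Port $p -WarningAction SilentlyContinue
        $tag = if ($r.TcpTestSucceeded) { 'OK  ' } else { 'FAIL' }
        "$tag ${t}:$p (resolved to $($r.RemoteAddress))"
    }
}

# 2. Show any hosts-file overrides, so a load-balancer bypass left in place is visible.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$overrides = Get-Content $hostsFile | Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*#' }
if ($overrides) { "hosts-file overrides in use (bypassing DNS/LB):"; $overrides }
else { "no hosts-file overrides; pool traffic goes via DNS and the load balancer" }

# 3. Routing: the internal NIC must not carry a default gateway, and the internal subnet
#    must be reachable through a static route on that NIC.
$defaultOnInternal = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceAlias $InternalNic -ErrorAction SilentlyContinue
if ($defaultOnInternal) { "WARN default gateway present on $InternalNic; remove it and use a static route" }

$static = Get-NetRoute -DestinationPrefix $InternalNet -InterfaceAlias $InternalNic -ErrorAction SilentlyContinue
if ($static) { "OK   static route $InternalNet via $($static.NextHop) on $InternalNic" }
else {
    "FAIL no route for $InternalNet on $InternalNic"
    "     add one with: New-NetRoute -DestinationPrefix $InternalNet -InterfaceAlias $InternalNic -NextHop <internal-router-ip>"
}
```

If the port tests pass with a hosts-file entry but fail without it, the problem is on the load balancer (VIP, persistence or health probe), not on the RP or the Front End.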

Lync backend configuration

It is always recommended to update the Lync front-end server and the clients to the latest CU.

Ensure that the Exposed URL in the Mcx configuration is set to External. You can run the Get-CsMcxConfiguration cmdlet from the Lync Server Management Shell to verify this.

There are scenarios where you get an error code from the client device. You can enable Failed Request Tracing on the Lync front-end server by following the steps below.

Open IIS Manager, select the Default Web Site and open the Failed Request Tracing Rules feature.


Click Add, enter the error code to filter the logs, then click Next and Finish.

Then go back to the Default Web Site page, select Failed Request Tracing from the Actions pane and enable it. Reproduce the issue from the client or mobile device. The logs are written to C:\inetpub\logs\FailedReqLogFiles. Open the file and look for any failure related to the web services or the Lync autodiscover service; it may give a clue about the actual issue.
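The IIS Manager steps above (create a rule filtered on a status code, enable tracing for the site, then read the fr*.xml files) can also be done from an elevated PowerShell prompt, which is easier to repeat on several Front Ends. This is an added example written for this post, not code from the original author; the status codes 401 and 404 are constructed examples of a code a client might report, the appcmd arguments follow the documented traceFailedRequests configuration syntax, and the attribute names read from the log files (statusCode, verb, url, failureReason, userName) are assumed from the FREB log format.

```powershell
# Added example (not from the original post). Run elevated on the Lync Front End server.
# Assumptions: $StatusCodes holds the error code(s) reported by the client (constructed values),
# and the log directory is IIS's default C:\inetpub\logs\FailedReqLogFiles.

$Site        = 'Default Web Site'
$StatusCodes = '401,404'
$LogDir      = 'C:\inetpub\logs\FailedReqLogFiles'
$appcmd      = "$env:SystemRoot\System32\inetsrv\appcmd.exe"

# Rule for all URLs (path='*'): WWW Server provider, Verbose, triggered by the listed status codes.
& $appcmd set config "$Site" '-section:system.webServer/tracing/traceFailedRequests' "/+[path='*']" /commit:apphost
& $appcmd set config "$Site" '-section:system.webServer/tracing/traceFailedRequests' "/+[path='*'].traceAreas.[provider='WWW Server',areas='Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,Rewrite',verbosity='Verbose']" /commit:apphost
& $appcmd set config "$Site" '-section:system.webServer/tracing/traceFailedRequests' "/[path='*'].failureDefinitions.statusCodes:$StatusCodes" /commit:apphost

# Enable tracing for the site (the 'Failed Request Tracing...' action in the Actions pane) and set the log folder.
& $appcmd set config '-section:system.applicationHost/sites' "/[name='$Site'].traceFailedRequestsLogging.enabled:True" /commit:apphost
& $appcmd set config '-section:system.applicationHost/sites' "/[name='$Site'].traceFailedRequestsLogging.directory:$LogDir" /commit:apphost

# Reproduce the failure from the mobile client, then summarise what was captured.
# Each fr*.xml has a <failedRequest> root whose attributes describe the request (assumed FREB format).
function Get-FrebSummary {
    param([string]$Path = $LogDir)
    Get-ChildItem -Path $Path -Filter 'fr*.xml' -Recurse | ForEach-Object {
        $x  = [xml](Get-Content -Path $_.FullName -Raw)
        $fr = $x.failedRequest
        [pscustomobject]@{
            File   = $_.Name
            Status = $fr.statusCode
            Verb   = $fr.verb
            Url    = $fr.url
            Reason = $fr.failureReason
            User   = $fr.userName
        }
    }
}

# Only the Lync web-service paths matter here: autodiscover, WebTicket and the Mcx service.
Get-FrebSummary | Where-Object { $_.Url -match '(?i)autodiscover|webticket|mcx' } | Format-Table -AutoSize
```

Disable the rule again once you have the capture; verbose tracing on every URL of the Front End writes a file per failed request and fills the log folder quickly under normal client load.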

Conclusion

I hope the steps above help you troubleshoot, or at least narrow down, the issue.