Add SIP Domain to Lync 2013

Hello, I'm looking to add an additional SIP domain to Lync 2013 Standard.  We plan to give a group of users a login with the new SIP domain and add them to an existing front end pool. 
Aside from adding the SIP domain within Topology Builder, what are the other steps required (certificate, etc?).  Thanks.

Take a look at Shawn Kirkpatrick's blog: http://blog.lyncfreak.com/2011/10/04/adding-new-sip-domains-to-lync/
also: http://ucsip.wordpress.com/2013/03/06/lync-add-additional-sip-domains-to-an-already-deployed-environment/
Please mark posts as answers/helpful if it answers your question.

Similar Messages

  • Locking federation to specific domains in Lync 2013

    Hello,
    Once federation is enabled, is there a way to lock Lync 2013 federation to a number of selected domains, where only these domains are able to contact me and any other domains that I'm not federated to are not?
    Is this functionality supported out of the box?
    Thanks!

    Yes, this is possible out of the box. You just specify what domains are allowed (whitelisted).
    From within Lync Control Panel select "Federation & External Access", "SIP Federated Domains" and then create the domains you want to allow in there.
    From within Access Edge Configuration, uncheck "Enable Partner Domain Discovery" (which disables Open Federation)
    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer" | Blog www.lynced.com.au | Twitter @imlynced
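
The same lock-down done from the Lync Server Management Shell, as an added example that is not part of the original reply: it adds any approved partners missing from the allow list, reports entries nobody approved, and turns off partner discovery. The partner domain names are constructed placeholders, and the example assumes the Access Edge uses DNS SRV routing.

```powershell
# Added example: closed (allow-list) federation from the Lync Server Management Shell.
# The domain names are constructed placeholders; replace them with your real partners.
$approved = @('partner-a.example', 'partner-b.example')

# Domains currently on the allow list ("SIP Federated Domains" in the Control Panel).
$current = @(Get-CsAllowedDomain | Select-Object -ExpandProperty Domain)

# Add approved partners that are not on the list yet.
foreach ($domain in $approved) {
    if ($current -notcontains $domain) {
        New-CsAllowedDomain -Identity $domain -Comment 'Approved federation partner'
    }
}

# Report entries that are on the list but were never approved, rather than
# deleting them silently; review them and remove with Remove-CsAllowedDomain.
$unexpected = @($current | Where-Object { $approved -notcontains $_ })
foreach ($domain in $unexpected) {
    Write-Warning "Allowed domain '$domain' is not on the approved list."
}

# Turn off partner domain discovery (open federation). -EnablePartnerDiscovery is
# set together with -UseDnsSrvRouting; this assumes DNS SRV routing is already the
# routing method in use, so the switch does not change how the Edge routes.
Set-CsAccessEdgeConfiguration -UseDnsSrvRouting -EnablePartnerDiscovery $false

# Confirm the result: federation on, discovery off.
Get-CsAccessEdgeConfiguration |
    Select-Object AllowFederatedUsers, EnablePartnerDiscovery, RoutingMethod
```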

  • Configuring Level3 SIP trunk with Lync 2013

    Hi, I ran into some issues trying to configure SIP trunk from Level 3 and I was hoping someone here can help. We have our mediation server collocated with FE and SIP traffic goes from public IP, port 5060 via NAT, to local IP on FE, port 5060.
    Level 3 provided us with one signaling IP and two RTP IPs.
    I tried multiple trunk configuration settings and I can see that when I'm placing a call from Lync to an outside number I'm getting INVITE from Level 3 signaling IP, the session is established, phone rings, but there is no audio on either side. There's also a METHOD NOT ALLOWED message coming from them, which doesn't tell me much about what's happening.
    If I call to a Level 3 DID (assigned to my Lync user account) there's also INVITE from their side, but later I receive a CANCEL from them due to idle session. The phone never rings.
    Questions:
    1) Does anyone have Level 3 SIP trunks configured and can share their Get-TrunkConfiguration settings? What settings should I have for encryption, refer, sessionTimer / RTCP, and others? Level 3 refuses to provide any additional information besides IPs.
    2) Do I understand this correctly that when configuring PSTN gateways in topology, one of the RTP IPs should be entered in the  "alternate media IP" field? We have SIP trunks from another provider (which work fine), and they only use one IP
    for everything, so I don't have any experience configuring separate SIP and media IPs with Lync.
    Thanks, and let me know if I should provide additional info.

    Hi,
    On Lync topology PSTN gateways interface, please check if you enter gateway listening port 5060 and enable TCP option.
    Please also check if you enable refer support on Lync Server Control Panel, if you enable it please uncheck it.
    You can compare the trunk configuration for Level 3 in the part “Sample Trunk Configuration for Level 3” in the link below with yours. It is for Lync Server 2010 but similar for Lync Server 2013:
    http://blogs.technet.com/b/nexthop/archive/2013/04/10/configuring-lync-2010-server-to-work-with-level-3-sip-trunking-services.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Can I add a two way trusted but in different forest domain to My existing Lync 2013 Topology !

    Hi!
    We have an installed Lync 2013 Std Edt. setup and it's working perfectly for one domain. Our network infrastructure (LAN) is being shared with our sister company. They have their own forest and domain and a two-way trust relationship with our domain. I want to add them in our Lync 2013 topology, is it possible? If yes, then what are the requirements and which changes do I need to consider?
    Response from experts would be greatly appreciated.

    Yes, You must establish a two-way trust between the central forest and user forests to enable distribution group expansion when groups from user forests are synchronized as contacts to the central forest.
    Also you can refer below link
    http://technet.microsoft.com/en-us/library/gg670909%28v=ocs.14%29.aspx
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
    Mai Ali | My blog: Technical

  • Lync 2013 & Active Directory Intra Domain Migrations

    Hi all,
    Hopefully this is the correct forum to ask. Suppose the following scenario:
    Parent Domain containing Lync 2013 Servers
    Child domains consisting of user accounts
    It is intended that child domains containing Lync 2013 enabled users be migrated to the parent domain. 
    A few questions
    Is it possible to migrate user accounts to another domain and configure the migrated (technically new) account to link back to Lync so as to retain contact information?
    Or prior to migration have contacts exported so they can be imported into the new Lync 2013 accounts?
    Thanks,

    Within a single forest it is quite possible to have Lync installed in one domain and users a part of another domain.
    All we have to do during the Lync server install process is run the domain preparation wizard for all the domains where we shall have either Lync user objects or Lync server objects.
    Please refer http://technet.microsoft.com/en-us/library/gg398630.aspx
    I believe as long as the user SIP URI doesn't change you can export the user data information and after the migration you can import the user information.
    Please refer http://technet.microsoft.com/en-us/library/jj204897.aspx
    PLEASE REMEMBER, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answered"

  • Lync 2013 Hosting

    Hi, 
    I want to host a lync 2013 server for my external clients and users. What would be the considerations, and requirements and server roles to host a server?
    My requirement is Web scheduling, meetings. Sharing, Text chats only for external users.
    Now we have a local domain testdomain.local using Active Directory.
    One live domain which is mydomain.com
    Please suggest me the solution for Lync 2013 Hosting for external users.
    Thanks

    Yes, as Thamara said, you have to install the Edge role in order to log in externally.
    Check this for installing the Edge server:
    http://social.technet.microsoft.com/wiki/contents/articles/16931.installing-lync-2013-edge-server.aspx
    http://www.orcsweb.com/blog/cory-granata/installing-lync-2013-edge-server/
    For installing the reverse proxy:
    http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx
    http://jaapwesselius.com/2014/03/16/using-arr-for-reverse-proxy-with-lync-2013/
    SAN certificate requirements
    Check the SAN certificate requirements for external access:
    https://technet.microsoft.com/en-us/library/gg398094.aspx
    You require these names to be included in your SAN certificate:
    SN = sip.domain.com
    SAN = meet.domain.com
    SAN = admin.domain.com
    SAN = dialin.domain.com
    DNS records which need to be created
    Check this for creating external DNS records:
    https://technet.microsoft.com/en-us/library/gg398758.aspx
    Check this for adding a routable domain to Lync:
    http://blog.ucitsimple.com/2011/10/04/adding-new-sip-domains-to-lync/
    For a detailed explanation, check this great detailed blog on how DNS works for the internal domain and external domain, if your internal domain is different than your external domain:
    http://msunified.net/2013/08/07/lync-client-sign-in-and-dns-records-recommendations/
    Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.

  • Primary SIP domain Question

    Hi,
    We’re in strange situation where our AD domain is abc.net but we want primary sip domain to be lync.abc.com & smtp domain is abc.com so email addresses are [email protected]
    So my question is, if I publish the topology for primary sip domain as lync.abc.com then what could be our challenges in terms of client logon and lync access …? What do I have to have in place to make this work?
    Note:    Our Lync deployment will be two central sites and each will handle their own specific lync traffic.

    You won't hit anything that you won't be able to overcome.
    But what is the justification for knowingly making your SIP domain different from your SMTP name space? It's considered best practice to align the two in order to create a simplified user experience and minimise the amount of additional consideration (such
    as exchange integration).
    Fully appreciate you'll have your own circumstances though, and if this is a requirement - so be it =)
    Kind regards
    Ben
    Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems or queries.
    For Fun: Gecko-Studio | For Work: Nexus Open Systems

  • Lync 2013 Step 3 - Prepare Current Forest Error

    Hello All;
    We are trying to upgrade with a side by side migration but Both in Server 2012R2 and Server 2008R2 SP1 - I'm getting stuck at the same error.
    Our current environment;
    Domain.net
       company.domain.net
       farm.domain.net
    Lync 2010 installed & running with user interaction on farm.domain.net.  "Lync2010.farm.domain.net"
    Lync 2013 is trying to install on farm.domain.net as well "Lync2013.farm.domain.net"
    I get to Step 3 running the setup on "Lync2013.farm.domain.net" and get the error:
    Error: Computer is not a member of the root domain. For security reasons, this action must be run on a root domain computer.
    ▼ Details
    └ Type: DeploymentException
    └ ▼ Stack Trace
        └  
    at Microsoft.Rtc.Management.Deployment.LcForest.PrePrepCheck()
    at Microsoft.Rtc.Management.Deployment.LcForest.PrepareForest()
    Now I've tried the "Enable-CsAdForest -GroupDomain weblynx.net" in both admin powershell and admin lync powershell. 
    http://support.microsoft.com/kb/2549544/en-us 
    Googling is basically telling me the same thing but getting the same error. 
    Any Ideas? 

    Are you running this part of the deployment from the root domain (domain.net) or just farm?  You'll need to run this step separately in the root, even if you're not deploying Lync servers there. 
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    1. Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
       a. Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
       b. Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
    2. Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
       a. Friendly URL option 3 from this page: http://technet.microsoft.com/en-us/library/gg398287.aspx
       b. Client auto-configuration:
          i. Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
          ii. Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
          iii. Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domains is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    3. If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    4. How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    5. Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    “Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
    create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
    the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
    fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.
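
A way to check the per-SIP-domain names discussed in this thread against a certificate's SAN list and a provider's SAN limit, as an added example that is not part of the original posts. The function name, its parameters and the sample names are hypothetical; it goes slightly beyond the thread by also reporting wildcard entries, which it lists but does not count as covering a name.

```powershell
# Added example (not from the thread). Function and parameter names are hypothetical.
# Per-SIP-domain names follow the thread: sip.<domain> on the Access Edge certificate,
# lyncdiscover.<domain> on the reverse proxy certificate only when mobile
# autodiscover is published over HTTPS (HTTP-only CNAME publishing needs no SANs).
function Test-SipDomainSanCoverage {
    param(
        [Parameter(Mandatory = $true)] [string[]] $SipDomain,
        [Parameter(Mandatory = $true)] [ValidateSet('AccessEdge', 'ReverseProxy')] [string] $Role,
        [string[]] $CertificateSan = @(),
        [switch] $HttpsAutodiscover,   # only meaningful for the ReverseProxy role
        [int] $SanLimit = 0            # provider's SAN limit; 0 means "do not check"
    )

    # Compare names case-insensitively and without a trailing root dot.
    $present = @($CertificateSan | ForEach-Object { $_.Trim().TrimEnd('.').ToLowerInvariant() })

    $required = @()
    foreach ($d in $SipDomain) {
        $domain = $d.Trim().TrimEnd('.').ToLowerInvariant()
        if ($Role -eq 'AccessEdge') {
            $required += "sip.$domain"
        } elseif ($HttpsAutodiscover) {
            $required += "lyncdiscover.$domain"
        }
    }
    $required = @($required | Select-Object -Unique)

    # Exact matches only. Wildcard entries are listed for review but not treated
    # as covering a required name (an assumption of this example).
    $missing   = @($required | Where-Object { $present -notcontains $_ })
    $wildcards = @($present  | Where-Object { $_.StartsWith('*.') })
    $total     = @(($present + $missing) | Select-Object -Unique).Count

    [pscustomobject]@{
        Role             = $Role
        RequiredNames    = $required
        MissingNames     = $missing
        WildcardEntries  = $wildcards
        SanCountAfterFix = $total
        ExceedsSanLimit  = ($SanLimit -gt 0 -and $total -gt $SanLimit)
    }
}

# Constructed sample: 30 SIP domains, an Edge certificate that covers only the
# first one, and a provider limit of 25 SANs as quoted in the thread.
$domains = 1..30 | ForEach-Object { "sipdomain$($_).com" }
$edgeSan = 'sip.sipdomain1.com', 'webconf.sipdomain1.com'
Test-SipDomainSanCoverage -SipDomain $domains -Role AccessEdge -CertificateSan $edgeSan -SanLimit 25

# Reverse proxy with mobile autodiscover over HTTP only: no per-domain SANs required.
Test-SipDomainSanCoverage -SipDomain $domains -Role ReverseProxy -CertificateSan 'lyncdiscover.sipdomain1.com'

# Reverse proxy with autodiscover over HTTPS: one lyncdiscover SAN per SIP domain.
Test-SipDomainSanCoverage -SipDomain $domains -Role ReverseProxy -HttpsAutodiscover -SanLimit 100
```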

  • Lync 2013 mobile app does not work internally, SIP domain is Different than users UPN. not sure if that matters.

    Using the Lync client connectivity tester on a PC on the same LAN as my mobile client, everything is green and it says it's ready for use.
    Using my Android Galaxy S5 client on wifi on the same LAN I get a screen with "waiting to sign in" spinning and an error at the top: "we cant connect to the server check your network connection and server address, and try again."
    I have uploaded the full client log files here: client log file
    some errors that stand out from this log file are:
    1. ERROR HttpEngine: Certificate check fails: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    2. <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
      <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
    I am using the correct creds, the same creds I used on the analyzer tool.
    In the analyzer tool I did have to fill in the username field because my SIP domain is different than my users' UPN, which from what I've read requires using the username field.
    I also filled in the username field in the mobile app with domain\username.
    3. ERROR LYNC: ERROR TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/platform/networkapis/privateandroid/CHttpConnection.cpp/295:CHttpConnection exception: java.lang.NullPointerException
    Jan 14, 2015 8:40:49 AM INFO LYNC: INFO TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/requestprocessor/private/CHttpRequestProcessor.cpp/173:Received response of request(UcwaAutoDiscoveryRequest) with status = 0x22020001
    Jan 14, 2015 8:40:49 AM INFO LYNC: INFO TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/requestprocessor/private/CHttpRequestProcessor.cpp/201:Request UcwaAutoDiscoveryRequest resulted in E_ConnectionError (E2-2-1). The retry
    counter is: 0
    4. Jan 14, 2015 8:40:50 AM ERROR LYNC: ERROR TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/authenticationresolver/private/CAuthenticationResolver.cpp/431:Failing the original request as we weren't able to get the token
    This is the same type of error I was getting in the Lync connectivity analyzer until I filled in the username field, but it's filled in, in my client.
    Again, you can see the full log file is HERE
    Thank you in advance for any help. I'm trying to get internal working before I try external.

    Eric,
    I am trying to configure a reverseproxy on my netscaler which is in a 2 arm mode(dmz/internal) but I keep getting an error when configuring the monitor.
    i used this guide to configure it
    http://www.lynced.com.au/2014/04/configure-citrix-netscaler-vpx-as.html
    but continue to get this error in the netscaler monitor "Failure - TCP connection successful, but application timed out"
    so the virtual server is never up, thinking about just changing it to tcp as a monitor so it stays up and I can at least get the vip up.
    Also your link to the diagram shows it going to the reverse  proxy but the one im using has it going directly to the front end servers.
    http://www.lync-solutions.com/Documents/Lync_2013_protocol_poster_v6_7.pdf
    I'm guessing Microsoft's is the correct one but wonder why the config differential?
    I see that your diagram says "mobility url", what is the mobility url? I thought that was the lyncdiscoverinternal.internal.com
    current setup is
    2 fe servers on internal
    1 edge server on dmz
    1 almost done reverse proxy netscaler load balancer.
    also this ms link i used to configure dns entries, along with the pdf linked above.
    http://technet.microsoft.com/en-us/library/jj945644.aspx
    i currently have these external dns entries and they all point to the edge server on the dmz.
    dialin.external.com
    lync.external.com
    lyncweb.external.com
    lyncdiscover.external.com
    meet.external.com
    sip.external.com
    webconf.external.com
    av.external.com
    _autodiscover._tcp.external.com.
    the internal dns links point to 1 of the front end servers
    1. lyncdiscoverinternal.internal.com
    2. lyncdiscover.internal.com
    3. _sipinternaltls._tcp.internal.com
    4. _sipinternal._tcp.internal.com
    5. sipinternal.internal.com
    6. sip.internal.com
    thanks again for your help.

  • Lync 2013 credentials problems on domain computers

    Hi folks,
    We are having trouble with Lync 2013 and credentials on our domain computers. We have been using Office 365 and Outlook for our email for a couple years and it has worked well enough, so recently we decided we wanted to start using Lync as well. We deployed
    the Office 365 Pro Plus suite available to us through our Office 365 subscription and signed in. The first sign-in went as expected. It asked for a username and password, asks if it should remember those credentials for next sign-in (yes), then connects and
    everything with Lync itself functioned normally. Subsequent sign-ins have not been normal.
    When a user restarts their computer and launches Lync it remembers their user name but not their password. Once they type their password in it asks if it should remember those credentials for next sign-in again, then connects. If a user exits and re-launches
    Lync without restarting it remembers their credentials and signs in properly, but then immediately a popup box appears saying that "Credentials are required" in order for Lync to get calendar information from Outlook ( http://i.imgur.com/hqcK426.png ).
    We know the problem is only happening with computers on our domain, but we don't know why. I tested things out on my home desktop and network by installing Office 365 Pro Plus, setting up Outlook, and then Lync. Both Outlook and Lync auto-discovered everything
    normally after getting my credentials and Lync behaves as expected every time the program launches. I then brought my personal laptop in and tried the same thing on my work network to see if it is network related, but Lync behaves normally on that computer
    as well.
    I originally worked on the problem at the Office 365 Community Forums ( http://community.office365.com/en-us/f/166/t/246014.aspx ), but after we isolated the problem to something with the domain computers I was told that they could not help me any further
    and was referred here. Does anyone have any ideas as to what is keeping Lync from behaving properly on our domain computers? We have a mix of Windows 7 x64 and Windows 8.1 x64 computers, all joined to the same domain and with the same basic suite of software.
    Thanks,
    ~Misharum
    PS: How do I verify my account? The outlook.com email address has been verified, but I don't see anywhere to do verification in my TechNet profile here.

    Yeah, the clients are fully patched. I put a support ticket in through Office 365 and the rep there was able to help me. It ended up being two separate problems.
    1. Lync was not remembering my credentials to automatically log me in between restarts:
       Installed the latest version of the Microsoft Online Services Sign-In Assistant.
    2. After signing into Lync another popup appeared asking for credentials again to access calendar information (two steps to solve this one):
       a. In Active Directory Users and Computers, open up the properties of each affected user, go to the Attribute Editor tab, find and double click the proxyAddress attribute, and add in sip:[email protected] where the userid is the user's login name and domain.com is your domain. I'd imagine this is scriptable in PowerShell but I don't know enough to do it.
       b. Then on the computer that the users will be using, while the user is logged in, add a dword of NoDomainUser = 1 in the registry at HKCU\Software\Microsoft\Office\15.0\Common\Identity. The most sensible way to do this in my mind is with a group policy so it will get written to each user's registry under their profile when they log in.
    After doing all of this Lync remembered my credentials between restarts, signed me in automatically, and only gave that credentials popup on the first sign-in after applying both changes in step 2.
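
The two changes from step 2 of the post above scripted in PowerShell, as an added example that is not the poster's own code. The OU path and SIP domain are placeholders, the SIP address is assumed to be sip:<logon name>@<domain> as the post describes, and the directory attribute is written under its LDAP name proxyAddresses.

```powershell
# Added example; not from the original post.
# Part 1 runs once as an administrator and needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholders (assumptions): adjust the OU and the SIP domain to your environment.
$searchBase = 'OU=Staff,DC=example,DC=com'
$sipDomain  = 'example.com'

Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase -Properties proxyAddresses |
    ForEach-Object {
        $user = $_
        # Assumed format from the post: sip:<logon name>@<domain>
        $sip  = "sip:$($user.SamAccountName)@$sipDomain"

        # Existing SIP entries on this account (-like is case-insensitive).
        $existingSip = @($user.proxyAddresses | Where-Object { $_ -like 'sip:*' })

        if ($existingSip.Count -eq 0) {
            # -Add appends to the multi-valued attribute and leaves SMTP entries alone.
            # Remove -WhatIf after reviewing the proposed changes.
            Set-ADUser -Identity $user -Add @{ proxyAddresses = $sip } -WhatIf
        } elseif ($existingSip -notcontains $sip) {
            # Do not overwrite a different SIP address; flag it for manual review.
            Write-Warning "$($user.SamAccountName) already has $($existingSip -join ', ')"
        }
    }

# Part 2 runs in each user's own session (for example from a logon script or a
# Group Policy registry preference) because the value lives under HKCU.
$key = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}
New-ItemProperty -Path $key -Name NoDomainUser -PropertyType DWord -Value 1 -Force | Out-Null
```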

  • Enable new Child Domain in Lync Server 2013

    Hello All,
    We are running Lync Server 2013 in the root domain test.local. There are a number of child domains enabled for the Lync service, e.g. abc.test.local, xyz.test.local etc. Now I have a requirement to create a new child domain and enable it for the Lync service.
    So I created a new child domain (site1.test.local), then from the Lync shell I ran the command below to enable it.
    Enable-CsAdDomain -Domain site1.test.local -report c:\users\lyncadmin\Report1.html
    Then I added the new SIP domain in Topology Builder under SIP domain and Simple URLs and published the topology.
    In AD all users are created in an OU, so I ran the command below to give privileges on the OU:
    Grant-CsOUPermission -Domain site1.test.local -ObjectType "User" -OU "OU=SITEUsers,DC=Site1,DC=TEST,DC=LOCAL"
    After all the steps, when I try to log in the new users, the users are not logging in, and the Lync client logs give the error below:
    4005;reason="Destination URI either not enabled for SIP or does not exist";source="LYNCFE13-02.TEST.LOCAL"
    Please help to solve this issue .

    I can see my child domain accounts in Lync control panel (enable user section) and all accounts are enabled. If i run below command then it show result = failure. But my others account are working.
    PS C:\Users\administrator> Test-CSRegistration -UserSipAddress [email protected] -TargetFQDN xxxx.xxxx.local
    Target Fqdn   : xxx.xxx.local
    Result        : Failure
    Latency       : 00:00:00
    Error Message : 504, Server time-out
    Diagnosis     : ErrorCode=1045,Source=LYNCFE-00.xxxx.xxxx,Reason=Local edge server pool is out of service,port=5061,pool-size=2,pool=xxx-Edges.xxxx.local
                    Microsoft.Rtc.Signaling.DiagnosticHeader
    Other accounts are giving SUCCESS msg and running without any issue.

  • Lync 2013 Multi Tenant - SIP/2.0 401 Unauthorized

    New Lync 2013 Multi Tenant install. Can provision users in the Primary OU. Users in primary OU login without error.
    Users provisioned in a sub OU can not login to Lync. Provisioning process completes successfully.
    Client prompts for password. Attempts login and fails with:
    You didn't get signed in. It might be your sign-in address or logon credentials. (SIP address and UPN are identical)
    FE logging:
    SIP/2.0 401 Unauthorized
    TL_INFO(TF_PROTOCOL) [0]128C.2E1C::04/15/2014-22:28:42.421.00004ea3 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[212989229] $$begin_record
    Trace-Correlation-Id: 212989229
    Instance-Id: 3A4
    Direction: outgoing;source="local"
    Peer: edge1.domain.corp:56094
    Message-Type: response
    Start-Line: SIP/2.0 401 Unauthorized
    From: <sip:[email protected]>;tag=57e75cd85f;epid=f7a8f50c07
    To: <sip:[email protected]>;tag=10A7EC7396D5F1EDCEA8D35A0C49F3CB
    Call-ID: 8654248b0dd64d519f42617b862e75bc
    CSeq: 2 REGISTER
    Via: SIP/2.0/TLS 10.200.10.210:56094;branch=z9hG4bK4B6654F6.FADCC8B2E74B96BA;branched=FALSE;ms-received-port=56094;ms-received-cid=20C00
    Via: SIP/2.0/TLS 172.16.232.59:60361;received=10.200.250.206;ms-received-port=43233;ms-received-cid=1E9D00
    Content-Length: 0
    Failed to validate user credentials
    $$end_record
    TL_ERROR(TF_SECURITY) [0]128C.2E1C::04/15/2014-22:28:42.468.0000542a (SIPStack,SIPAdminLog::WriteSecurityEvent:SIPAdminLog.cpp(319))[212989229] $$begin_record
    Text: Failed to validate user credentials
    Result-Code: 0x8009030c SEC_E_LOGON_DENIED
    Source: edge1.domain.internal:56094
    SIP-Start-Line: REGISTER sip:domain.com SIP/2.0
    SIP-Call-ID: 8654248b0dd64d519f42617b862e75bc
    SIP-CSeq: 3 REGISTER
    $$end_record

    Hi,
    Please double check the port between FE server and Edge server.
    Please also check if you add the SAN of sub domain in the Edge external certificate with the help of the link below:
    http://technet.microsoft.com/en-us/library/gg398409.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Lync 2013 with SIP trunk with panasonic kx-tde200

    Hi
    My company has installed a panasonic ip-pbx kx-tde for multiline with 100 number range for telephone service.
    Now my company is going to replace multiline by sip trunk . It will still work with Panasonic pbx box just need to reprogramme to be able to connected to the sip proxy which is managed by internet service provider.
    For this scenario , would Lync 2013 voice work if I just add PSTN gateway which is the ip of panasonic pbx address to the frontend in topology ? Or I may need a mediation server as a must requirement  to make lync voice work?
    Thanks
    WenFei

    Media bypass allows a call to basically skip the mediation server once it's established and go directly between the gateway (in this case the PBX) and the endpoint (the telephone handset or Lync client). More information here: http://technet.microsoft.com/en-us/library/gg398719.aspx
    By having this (if your PBX supports it) you reduce the load on the mediation servers. Before you go too far down the road also make sure that your PBX supports SIP trunks that are SIP over TCP (as Lync doesn't work with SIP over UDP).
    Sort of, the easiest way is to add the .com as an additional SIP domain in Topology Builder, you will need to create DNS records for it (both internal and external) and you will need to reissue the certs with additional SANs to support the second domain.
    You will also need to update all the users to use the new suffix of xxx.com. So it's not a small task.
    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer" | Blog www.lynced.com.au | Twitter @imlynced

  • Lync 2013 /w Edge not working properly (internal/external same domain name and all "external" users"

    Hi,
    I've got some issues with a Lync 2013 setup.
    The config consists of 2 lync servers. One FE and one Edge. All seems to work except audio in meetings and Sip.
    The setup is like this (fake ip's used):
    Front End:
    Internal IP: 172.16.0.10
    External IP: x.x.185.10
    All ports open in Cisco ASA
    internal AD DNS: dialin/lync/meet/lyncdiscover to Front end internal ip. edge/lsedge/sip points to edge internal ip
    EDGE:
    Internal IP: 172.16.0.11 (no gateway configured)
    External IPS: x.x.185.11, x.x.185.12, x.x.185.13
    All external IP's are direct internet facing, no NAT (a firewall is in place).
    All external interfaces are using a wildcard certificate.
    All server are running in a remote data center, so basically no internal users. We all connect to the external interfaces. The Windows domain name (AD) is the same as our External DNS (companyname.com).
    Autodiscover works, we can log on, chat but there is no audio. The audio test fails. Also SIP is not working with a SIP trunk.
    External DNS: sip/webconf/av are pointing to their external IPs. sipexternal is a CNAME to sip. lyncdiscover/lync/dialin/meet all point to the Front End external IP.
    _sip._tls/_sipfederationtls.tcp/_xmpp-server.tcp all point to the sip.companyname.com ip.
    I just can't figure out what is wrong.

    @PSingh123 I'll try the logs in a minute and get back with the results.
    @PaulB_NZ Thanks for the input. In my opinion the FE does need an external IP. How else will you be able to connect if you are a remote worker?
    The Edge is (as far as I know) needed for Enterprise Voice and federation with other (external) SIP domains. It's not needed for basic (chat/video/whiteboard etc.) Lync functionality for both internal and external (remote) users.
    The Edge is to communicate with services/users outside the organisation.
    I do still think that the basic topology (FE with internal IP and Nat'ed external ip working with an Edge with internal IP and 1 external IP nat'ed to 3 DMZ ip's) is correct in this case.
    I can be wrong and in that case would like to be pointed to the correct configuration.