Lync 2013 EDGE replication is not working

Hi,
I need help, I think the problem occurred when I installed updates.
 From the Lync FE server I can access edge:4443/replicationwebservice, and the certificate is trusted.
 I added registry keys to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL,
but it did not make any sense.
Lync logging tools detected:
TL_WARN(TF_COMPONENT) [1]32CC.3050::01/31/2014-07:27:31.194.00000669 (XDS_File_Transfer_Agent,FileTransferTask.CopyFilesToReplicaUsingWcf:filetransfertask.cs(631))
(00000000030B7F44)Failed to copy files from temp directory. Exception: [System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme
'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403)
Forbidden.
TL_WARN(TF_COMPONENT) [1]32CC.3050::01/31/2014-07:27:31.194.0000066a (XDS_File_Transfer_Agent,FileTransferTask.IsUnhandledException:filetransfertask.cs(853))
(00000000030B7F44)Exception occured. Task execution will be retried. Exception: [System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme
'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403)
Forbidden.    at System.Net.HttpWebRequest.GetResponse()  
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)  
--- End of inner exception stack trace ---Server stack trace:   
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)  
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)  
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)  
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)  
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)  
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)  
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)Exception rethrown at [0]:   
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)  
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)  
at Microsoft.Rtc.Xds.Replication.Common.IReplicationWebService.UploadFiles(String senderFqdn, String path, ReplicaFileCollection files)  
at Microsoft.Rtc.Xds.Replication.FileTransfer.FileTransferTask.CopyFilesToReplicaUsingWcf(String fromDir, String toDir)]

I regenerated all local SSL certificates and I configured the CRL, because I found a warning on the EDGE server, without success...
And why do I see a different product version? Is this the version from the last replication?
UpToDate           : True
ReplicaFqdn        : lync1.domain.local
LastStatusReport   : 2014.02.25 18:00:29
LastUpdateCreation : 2014.02.25 18:00:27
ProductVersion     : 5.0.8308.556

UpToDate           : False
ReplicaFqdn        : lync-edge1.domain.local
LastStatusReport   : 2013.11.14 17:00:48
LastUpdateCreation : 2014.02.26 08:01:37
ProductVersion     : 5.0.8308.0

UpToDate           : True
ReplicaFqdn        : lync-chat1.domain.local
LastStatusReport   : 2014.02.25 18:00:30
LastUpdateCreation : 2014.02.25 18:00:27
ProductVersion     : 5.0.8308.556
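
A 403 returned with client authentication scheme 'Anonymous', as in the trace above, typically points at the client-certificate (mutual TLS) step of the replication call, which is governed by the SCHANNEL key named in the post and by the Trusted Root store on the Edge server. The following is an added example, not part of the original posts: `Get-ReplicaTlsAudit` is a hypothetical helper name, and it reports the `SendTrustedIssuerList` value plus any certificate in the machine Root store that is not self-signed, a documented cause of 403 responses to client-certificate requests on Windows Server 2012 and later.

```powershell
# Added example. Run in an elevated PowerShell session on the Edge server
# (and, for comparison, on the Front End server that pushes replication).
# Get-ReplicaTlsAudit is a hypothetical helper name, not a Lync Server cmdlet.
function Get-ReplicaTlsAudit {
    [CmdletBinding()]
    param(
        # Registry key quoted in the post above.
        [string]$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL',
        # Machine "Trusted Root Certification Authorities" store.
        [string]$RootStore = 'Cert:\LocalMachine\Root'
    )

    # SendTrustedIssuerList controls whether the server includes its list of
    # trusted issuers in the TLS client-certificate request (1 = send, 0 = omit).
    # $null in the output means the value is absent and the OS default applies.
    $key = Get-ItemProperty -Path $SchannelKey -ErrorAction Stop
    $prop = $key.PSObject.Properties['SendTrustedIssuerList']
    $sendList = if ($prop) { [int]$prop.Value } else { $null }

    $roots = @(Get-ChildItem -Path $RootStore)

    # A certificate in a root store should be self-signed (Subject equals Issuer).
    # Intermediate or leaf certificates dropped into this store by mistake are
    # the ones to move to the Intermediate store or remove.
    $notSelfSigned = @($roots |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter)

    # Total DER-encoded size of the root subject names. This is what the server
    # has to fit into its issuer list when SendTrustedIssuerList is 1, so a large
    # store is worth noting next to the certificate count.
    $issuerBytes = 0
    foreach ($cert in $roots) {
        $issuerBytes += $cert.SubjectName.RawData.Length
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SendTrustedIssuerList = $sendList
        RootCount             = $roots.Count
        IssuerNameBytes       = $issuerBytes
        NotSelfSigned         = $notSelfSigned
    }
}

$audit = Get-ReplicaTlsAudit
$audit | Format-List ComputerName, SendTrustedIssuerList, RootCount, IssuerNameBytes

if ($audit.NotSelfSigned.Count -gt 0) {
    Write-Warning ("{0} certificate(s) in the Root store are not self-signed:" -f $audit.NotSelfSigned.Count)
    $audit.NotSelfSigned | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'All certificates in the Root store are self-signed.'
}
```

The script only reads the registry and the certificate store; it changes nothing on the server.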

Similar Messages

  • Lync 2013 Edge replication not working

    hi, I have a Lync 2013 Edge replication issue - it is simply not working.
    UpToDate           : False
    ReplicaFqdn        : LyncEdge.contoso.com
    I have already checked the following:
    1) telnet from FEP servers to the Edge sever on port 4443 is working
    2) Certificates are installed correctly - Lync Federation, Voice/Video to Skype, Lync Mobile is all working fine.
    3) Replication traffic checking showing the following error in XDS logs:
    (000000000126DB35)[FileTransferTask(11, 9/03/2015 2:44:24 PM): {TASK_NOT_STARTED, fromReplica, [lyncedge.contoso.com, HttpsWebService, 4443], 0}] Failed to copy files from replica. Exception: [System.ServiceModel.Security.MessageSecurityException: The HTTP
    request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
       at System.Net.HttpWebRequest.GetResponse()
       at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       --- End of inner exception stack trace ---
    Server stack trace:
       at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory factory)
       at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory, WebException responseException, ChannelBinding channelBinding)
       at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.Rtc.Xds.Replication.Common.IReplicationWebService.DownloadFiles(String senderFqdn, String sourceDirPath, String tempDirPath)
       at Microsoft.Rtc.Xds.Replication.FileTransfer.FileTransferTask.CopyFilesFromReplicaUsingWcf(String fromDir, String tmpDir, String toDir)]
    I have checked certificate stores: there are only 34 certificates in the Root folder and the SendTrustedIssuerList reg. key has been configured, which did not solve the issue.
    Any idea how to troubleshoot this or possible root causes?

    Try Test-CsComputer on the Frontend Servers and the Edge Servers. This should check Windows Firewall exceptions are correct. Then check permissions on your Lync fileshare. You can also try to reinstall CMS Database with the following command (user must be
    member of CsAdministrator group and sysadmin group of SQL Server)
    Install-CsDatabase -CentralManagementDatabase -SqlServerFqdn CMS.FQDN -SqlInstanceName DBInstance -Verbose

  • Lync 2013 Mobility continues to not work

    Having issues getting mobility to work.
    Simple environment:
    Single server Edge pool
    Single server EE pool
    SQL clustered backend
    All Lync 2013 CU1 at this point in time.
    Potentially required reading:
    Deploying Mobility (Technet)
    Lync Mobility Deep dive
    (based on 2010, but nearly the same in 2013)
    http://masteringlync.com/2011/08/13/using-fiddler-to-troubleshoot-address-book-download-issues/
    http://blogs.technet.com/b/nexthop/archive/2012/11/09/understanding-lync-server-autodiscover-to-support-the-lync-windows-store-app.aspx
    Windows RT app uses the same method as IOS, and is more wiresharkable/tracable, so I am using that.
    Client end errors:
    Windows RT app (15.0.4481.1503) -  this client version cannot log in.
    iOS - Can't sign in.  Please check your account information and try again.
    I don't have a windows phone or android, so working with the clients I have.  (I understand these also do not work)
    Fiddler trace of Windows RT app session:
     From the W3svc logs:
    2013-03-20 03:53:17 1.2.3.4 GET /Autodiscover/AutodiscoverService.svc/root/user [email protected] 4443 - 75.122.79.199 LyncImm/15.0.4481.1503+(Microsoft+Lync) 401 0 0 35
    LyncImm is NOT a user agent listed in the CSCP - google "user agent" +lyncIMM turned up nothing.  Dead lead?
    Lync connectivity analyzer shows it repeats the same webticket 401 over and over with:
    Cookie  found in autodiscover response: StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
      X-Ms-diagnostics: 28032;source="LyncFE.company.local";reason="The web ticket is invalid.";faultcode="wsse:InvalidSecurityToken"
      X-MS-WebTicketURL: https://lyncweb.company.com/WebTicket/WebTicketService.svc
      X-MS-WebTicketSupported: cwt,saml
      X-MS-Server-Fqdn: LyncFE.company.local
      X-Content-Type-Options: nosniff
      Cache-Control: no-cache
      Date: Wed, 20 Mar 2013 04:12:20 GMT
      Server: Microsoft-IIS/7.5
      X-Powered-By: ASP.NET
      Content-Length: 1293
      Content-Type: text/html
    LCA:  from inside, choosing Windows App - success!
    LCA: from inside, choosing Lync Mobile Apps- fail:
    Failed to obtain the WS-Metadata Exchange (MEX) document using GET for https://lyncweb.company.com/Mcx/McxService.svc/mex.
    The service did not require authorization.
    LCA, from outside, choosing Windows App - hangs repeatedly on the HTTPS external channel.  (repeating 401's on webticket service)
    LCA, from outside, choosing Lync Mobile apps  - failed, same as from inside #2
    Here's what the LCA failure looked like:
    2013-03-20 04:59:12 1.2.3.4 POST /WebTicket/WebTicketService.svc/mex - 4443 - 75.122.79.199 - 200 0 0 134
    2013-03-20 04:59:12 1.2.3.4 POST /WebTicket/WebTicketService.svc/Auth - 4443 - 75.122.79.199 - 200 0 0 155
    2013-03-20 04:59:12 1.2.3.4 GET /Autodiscover/AutodiscoverService.svc/root/user [email protected] 4443 - 75.122.79.199 - 401 0 0 35
    2013-03-20 04:59:13 1.2.3.4 POST /WebTicket/WebTicketService.svc/mex - 4443 - 75.122.79.199 - 200 0 0 126
    2013-03-20 04:59:13 1.2.3.4 POST /WebTicket/WebTicketService.svc/Auth - 4443 - 75.122.79.199 - 200 0 0 158
    2013-03-20 04:59:13 1.2.3.4 GET /Autodiscover/AutodiscoverService.svc/root/user [email protected] 4443 - 75.122.79.199 - 401 0 0 31
    2013-03-20 04:59:13 1.2.3.4 POST /WebTicket/WebTicketService.svc/mex - 4443 - 75.122.79.199 - 200 0 0 126
    2013-03-20 04:59:13 1.2.3.4 POST /WebTicket/WebTicketService.svc/Auth - 4443 - 75.122.79.199 - 200 0 0 148
    2013-03-20 04:59:13 1.2.3.4 GET /Autodiscover/AutodiscoverService.svc/root/user [email protected] 4443 - 75.122.79.199 - 401 0 0 33
    2013-03-20 04:59:13 1.2.3.4 POST /WebTicket/WebTicketService.svc/mex - 4443 - 75.122.79.199 - 200 0 0 121
    2013-03-20 04:59:13 1.2.3.4 POST /WebTicket/WebTicketService.svc/Auth - 4443 - 75.122.79.199 - 200 0 0 155
    2013-03-20 04:59:13 1.2.3.4 GET /Autodiscover/AutodiscoverService.svc/root/user [email protected] 4443 - 75.122.79.199 - 401 0 0 31
    2013-03-20 04:59:15 1.2.3.4 POST /WebTicket/WebTicketService.svc/mex - 4443 - 75.122.79.199 - 200 0 0 125
    2013-03-20 04:59:15 1.2.3.4 POST /WebTicket/WebTicketService.svc/Auth - 4443 - 75.122.79.199 - 200 0 0 147
    2013-03-20 04:59:15 1.2.3.4 GET /Autodiscover/AutodiscoverService.svc/root/user [email protected] 4443 - 75.122.79.199 - 401 0 0 32
    2013-03-20 04:59:15 1.2.3.4 POST /WebTicket/WebTicketService.svc/mex - 4443 - 75.122.79.199 - 200 0 0 120
    2013-03-20 04:59:15 1.2.3.4 POST /WebTicket/WebTicketService.svc/Auth - 4443 - 75.122.79.199 - 200 0 0 151
    Similar thread:
    http://social.technet.microsoft.com/Forums/en-US/ocsmobility/thread/96c3fc3a-2f80-435a-8368-1a83dcd56e55/
    http://msdn.microsoft.com/en-us/library/ff595929%28v=office.12%29.aspx
    IOS attempt at sign on (version 4.3.8000.0000)
    IIS log files:
    2013-03-20 04:26:08 1.2.3.4 GET / sipuri=sip:[email protected] 4443 - 166.137.151.211 Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 200 0 0 138
    2013-03-20 04:26:08 1.2.3.4 POST /webticket/webticketservice.svc - 4443 - 166.137.151.211 Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 401 0 0 80
    2013-03-20 04:26:08 1.2.3.4 POST /webticket/webticketservice.svc - 4443 - 166.137.151.211 Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 401 1 2148074254 129
    2013-03-20 04:26:08 1.2.3.4 POST /webticket/webticketservice.svc - 4443 - 166.137.151.211 Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 401 1 2148074252 88
    2013-03-20 04:26:08 1.2.3.4 POST /webticket/webticketservice.svc - 4443 - 166.137.151.211 Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 401 1 2148074254 78
    2013-03-20 04:26:08 1.2.3.4 POST /webticket/webticketservice.svc - 4443 - 166.137.151.211 Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 401 1 2148074252 88
    2013-03-20 04:26:09 1.2.3.4 POST /webticket/webticketservice.svc - 4443 - 166.137.151.211 Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 401 1 2148074254 78
    2013-03-20 04:26:09 1.2.3.4 POST /webticket/webticketservice.svc - 4443 - 166.137.151.211 Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 401 1 2148074252 84
    IOS log file was too large to post in message.
    Running test-cmdlets:
    $passwd1 = ConvertTo-SecureString "supersecure" -AsPlainText -Force
    $passwd2 = ConvertTo-SecureString "notontheinternet" -AsPlainText -Force
    $tuc1 = New-Object Management.Automation.PSCredential("domain\user1", $passwd1)
    $tuc2 = New-Object Management.Automation.PSCredential("domain\user2", $passwd2)
    Test-CsMcxP2PIM -TargetFqdn lyncfe.company.local -Authentication Negotiate -SenderSipAddress sip:[email protected] -SenderCredential $tuc1 -ReceiverSipAddress sip:[email protected] -ReceiverCredential $tuc2 -v
    From <http://technet.microsoft.com/en-us/library/hh690024.aspx>
    Results:
    Target Fqdn   : lyncfe.company.com
    Target Uri    : https://lyncfe.company.com:443/mcx
    Result        : Failure
    Latency       : 00:00:00
    Error Message : No response received for Web-Ticket service.
                    Inner Exception:The HTTP request is unauthorized with client
                    authentication scheme 'Ntlm'. The authentication header
                    received from the server was 'Negotiate,NTLM'.
                    Inner Exception:The remote server returned an error: (401)
                    Unauthorized.
    Diagnosis     :
                    Inner Diagnosis:X-MS-Server-Fqdn : lyncfe.company.com
                    Cache-Control : private
                    Content-Type : text/html; charset=utf-8
                    Server : Microsoft-IIS/7.5
                    WWW-Authenticate : Negotiate,NTLM
                    X-Powered-By : ASP.NET
                    X-Content-Type-Options : nosniff
                    Date : Wed, 20 Mar 2013 04:39:44 GMT
                    Content-Length : 6639
    Verbose comments on it:
    Trying to get web ticket.
    Web Service Url : https://lyncfe.company.com:443/WebTicket/WebTicketService.svc
    Using NTLM\Kerberos authentication.
    Could not get a web ticket
    CHECK:
     - Web service Url is valid and the web services are functional
     - If using Phone Number\PIN to authenticate, make sure they match the user uri
     - If using NTLM\Kerberos authentication, make sure you provided valid credentials
    URLs and ports all look OK, all services started.
    Not using phone/PIN
    I provided valid creds - the virtual directories show anon/NTLM for the Webticket vdir.
    Any help is welcome - really want this issue put to bed!

    I know this is an old thread, but I was struggling with the same error for mobility, and I hope this may help others in the same situation. 
    In my scenario the issue was caused because the customer didn't use any reverse-proxy solution; instead the FE external website was directly published using a FortiGate box.
    Given that scenario, there were 2 different certs installed on the FE server: 1 (internal RootCA) certificate was applied to the internal website, and another one issued by Godaddy was assigned to the external website manually from the IIS console.
    ---I know this is far from a supported solution, but I was able to get it working after some investigation---
    To solve the issue I used this article:
    http://technet.microsoft.com/en-us/library/jj205253.aspx it explains how to check and assign the certificates for oAuth, and I used these cmdlets to assign the Godaddy cert to the "WebServiceExternal" & "OAuthTokenIssuer" websites.
    After that the mobility access for internal and external users started to work as expected, I've validated it with "Lync Connectivity Analyzer" and with different mobile clients on Android, IOS and Windows Store.
    Hope this information may be useful.
    Performance, Security & Design

  • Lync 2013 meeting invitation customizations not working for some users

    Hello Microsoft TechNet Forums,
    I have a strange problem that I am totally stumped on. I made some modifications to the Lync 2013 meeting configuration to add in my company's logo, a footer and set a custom help Lync URL. Now everything seemed to work except for myself and
    one other person I tested with. If I try creating a new Lync 2013 meeting via my Outlook 2013 the normal stock Lync meeting invite appears. Yet testing with any other user everything I have changed appears as expected and I am at a total loss as to why.
    I have so far from troubleshooting determined it must be something with my account that is causing it but I have just not been able to determine what. Signing into a different machine yields the same result, yet testing with another account that is
    known to work on the exact same machine works correctly with the different account. I have tried deleting and re-creating my Lync account just in case that had something to do with it but that didn't fix the problem. I have tried repairing Office 2013 and
    running windows update on Office 2013 which didn't help.
    The changes I made to the meeting configuration are global scoped. I have so far not found anything online from anyone ever reporting a similar issue to this. At this point I am stuck on what I should be looking for with regards to what is stopping
    the meeting invite updating for myself and the other person. Given I don't know what mechanism is involved with updating the Lync meeting invite on Outlook 2013 I am stumped. I am open to any suggestions someone might have as to what to do next or what might
    be the cause of this problem.
    Nicholas,

    Hi Nicholas,
    Can you compare your account with others' and check whether any special policy is applied to your account in Lync Control Panel?
    Best regards,
    Eric

  • Lync 2013 Web App Sharing not working.

    We are having a problem with Lync Web App 2013.  Our external customers can open the meeting link and join the meeting without a problem.  Once they are in the meeting an internal user begins the presentation by sharing his screen.  The Lync
    Web App just says "Loading..." for the external customer.  The internal presenter sees this external customer continually change from "in collaboration session" to "not in collaboration session".  The external customer
    is never actually shown the screen share.
    Other notes:
    -->We tried this from an external wireless hotspot and it worked fine, thus, it seems something in this customer's company firewall that is blocking it.
    -->We also tried sharing a powerpoint (we have a functional office web apps server), which produced the same results.
    -->When we used the Lync 2010 Web App (before we upgraded to 2013), everything seemed to work fine, thus I am concluding that the 2013 Lync Web App (since it has more capabilities) is somehow trying to use more ports or something.
    -->Internally, the Lync Web app works fine.
    So, I assume something in the customer's company's firewall is blocking some access to Lync 2013 Web App.  My question is:  what needs to be enabled both on-premise and at the customer's side to access Lync 2013 Web App screen sharing and if the
    company (for security reasons) doesn't want to open extra ports, is there some work around to force Lync Web App to use port 443 for screen sharing.
    Thanks,
    Adam

    The ports 1024-65535 * are used for application sharing.
    You can configure the port ranges for Lync clients.
    http://technet.microsoft.com/en-us/library/jj204760.aspx
    You can’t use 443 as port 443 is used for HTTPs.

  • Lync 2013 Multitenant - Sign-in not working

    Hello,
    I am working on deploying the Lync 2013 Multitenant hosting pack in a staging environment for testing with the eventual goal of putting this into a production environment. So far I am working with a single front-end server routed through an F5 load balancer
    using their iApp application template for Lync 2013. We are attempting to work with a very simple deployment that we scale out as additional features/capacity is needed.
    The issue I'm having is during the sign-in process. I have provisioned a tenant and a user within that tenant and I am able to use the Get-CsTenant and Get-CsUser commands to view the tenant and user. I have also established the following DNS entries for
    the tenant.
    A record: lync.<hosting domain> - Pointed to the public IP address for the Lync application through our F5.
    A record: lyncpool01.<hosting domain> - Pointed to the public IP address for the Lync application through our F5.
    SRV record: _sip._tls.<tenant domain> (priority 0, weight 0, port 443) - Pointed to lync.<hosting domain>
    SRV record: _sipfederationtls._tcp.<tenant domain> (priority 0, weight 0, port 5061) - Pointed to lync.<hosting domain>
    When I attempt to sign in to my test user externally using the Lync 2013 desktop client, I do get a certificate warning on the client that lync.<hosting domain> (cert is lyncpool01.<hosting domain>) is attempting to handle the request, but when
    I accept the cert, the client waits for about 30 seconds and then gives the error "Lync couldn't find a Lync Server for <tenant domain>. There might be an issue with the Domain Name System (DNS) configuration for your domain. Please contact your
    support team.". I can't figure out where this is falling apart or what name the Lync client is attempting to reach, and enabling event logging for Lync has revealed no helpful information.
    Is there any assistance you can give?

    Hi,
    Agree with PaulB_NZ.
    As Lync 2013 Multitenant only has external and federation users, you need to deploy Edge Server in the DMZ zone to support external and federation access.
    What's more, if you want to use Lync mobile clients you also need to deploy a Reverse Proxy in the DMZ zone.
    More details:
    https://technet.microsoft.com/en-us/library/gg398069.aspx?f=255&MSPPError=-2147217396
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Link to User's MySite on Lync 2013 Contact Card does not work

    Hello,
    we're running a sharepoint 2010 environment with a configured user profile service application and a mysite host. we're also running lync 2010 clients but are planning to upgrade to lync 2013. the it guys (including me) have already installed lync 2013 client.
    the lync server is also already on 2013.
    with the old 2010 lync client, it was possible to click on a name from a lync contact card and this directed to the users mysite, which was great. to achieve this, we updated the wwwHomepage attribute in AD with the corresponding link for each user to the
    mysite.
    now with lync 2013 it is no longer possible. 
    i couldn't find anything about this topic ...
    any help would be highly appreciated
    kind regards
    Marco

    I tested it in my lab.
    The same result as yours.
    It is by design.
    Lisa Zheng
    TechNet Community Support

  • Lync 2013 mobile app does not work internally, SIP domain is Different than users UPN. not sure if that matters.

    using the lync client connectivity tester on a pc on the same lan as my mobile client everything is green and it says its ready for use.
    using my android galaxy s5 client on wifi on the same lan i get a screen with waiting to sign in spinning and an error at the top "we cant connect to the server check your network connection and server address, and try again."
    i have uploaded the full client log files
    here: client log file
    some errors that stand out from this log file are:
    1. ERROR HttpEngine: Certificate check fails: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    2. <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
      <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
    i am using the correct creds, same creds i used on the analyzer tool.
    in the analyzer tool i did have to fill in the username field because my sip domain is different than my users UPN. which from what ive read its required to use the username field.
    i also filled in the username field in the mobile app with domain\username
    3. ERROR LYNC: ERROR TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/platform/networkapis/privateandroid/CHttpConnection.cpp/295:CHttpConnection exception: java.lang.NullPointerException
    Jan 14, 2015 8:40:49 AM INFO LYNC: INFO TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/requestprocessor/private/CHttpRequestProcessor.cpp/173:Received response of request(UcwaAutoDiscoveryRequest) with status = 0x22020001
    Jan 14, 2015 8:40:49 AM INFO LYNC: INFO TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/requestprocessor/private/CHttpRequestProcessor.cpp/201:Request UcwaAutoDiscoveryRequest resulted in E_ConnectionError (E2-2-1). The retry
    counter is: 0
    4. Jan 14, 2015 8:40:50 AM ERROR LYNC: ERROR TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/authenticationresolver/private/CAuthenticationResolver.cpp/431:Failing the original request as we weren't able to get the token
    this is the same type of error i was getting in the lync connectivity analyzer until i filled in the username field. but its filled in, in my client.
    again you can see the full log file is HERE
    thank you in advance for any help. im trying to get internal working before i try external.

    Eric,
    I am trying to configure a reverseproxy on my netscaler which is in a 2 arm mode(dmz/internal) but I keep getting an error when configuring the monitor.
    i used this guide to configure it
    http://www.lynced.com.au/2014/04/configure-citrix-netscaler-vpx-as.html
    but continue to get this error in the netscaler monitor "Failure - TCP connection successful, but application timed out"
    so the virtual server is never up, thinking about just changing it to tcp as a monitor so it stays up and i can at least get the vip up.
    Also your link to the diagram shows it going to the reverse  proxy but the one im using has it going directly to the front end servers.
    http://www.lync-solutions.com/Documents/Lync_2013_protocol_poster_v6_7.pdf
    I'm guessing Microsoft's is the correct one but wonder why the config differential?
    I see that your diagram says "mobility url", what is the mobility url? i thought that was the lyncdiscoverinternal.internal.com
    current setup is
    2 fe servers on internal
    1 edge server on dmz
    1 almost done reverse proxy netscaler load balancer.
    also this ms link i used to configure dns entries, along with the pdf linked above.
    http://technet.microsoft.com/en-us/library/jj945644.aspx
    i currently have these external dns entries and they all point to the edge server on the dmz.
    dialin .external.com
    lync .external.com
    lyncweb .external.com
    lyncdiscover.external.com
    meet .external.com
    sip .external.com
    webconf .external.com
    av .external.com
    _autodiscover._tcp.external.com.
    the internal dns links point to 1 of the front end servers
    1. lyncdiscoverinternal.internal.com
    2. lyncdiscover.internal.com
    3. _sipinternaltls._tcp.internal.com
    4. _sipinternal._tcp.internal.com
    5. sipinternal.internal.com
    6. sip.internal.com
    thanks again for your help.

  • Lync 2013 edge server won't work

    Hi folks!
    I'm trying to test an edge server to enable users public access. I think i've done almost everything because all services actually  are running  on the edge server.
    Since it's a test i didn't buy a public certificate (I know i can't test federation, but for the moment i would be very happy only to achieve public connection).
    First i tried with https://testconnectivity.microsoft.com but the test failed with an error on the certificate and it's quite strange because during the first step cert was accepted (i checked the box to skip if the cert was trustfully).
    During the step "connection to lync server" the test failed with a tlsfailure "Cert chain was provided by an untrusted CA". As i said it seems a bit strange to me, but i thought could be possible since the cert wasn't public.
    So i moved on and i tried to perform the connection with a client, but with no results.
    I thought it was possible that there was something wrong with nat'd ips. So  i changed my laptop vlan to match external interface nat'd ips. Then in my hosts file i added proper resolutions. After that i put lyncaccess.mypublicdomain.com in the
    manual client configuration as both internal and external server, but unfortunately i wasn't able to connect this way either.
    Any help will be appreciated.
    Cecco
     

    I have done a very similar configuration in my test lab. To test your Edge configuration, connect one of your clients to the Edge network. Yes, add SIP, Pool name and IP in the Hosts file.
    Additionally, export the internal CA root certificate and add it to the Edge side connection PC.
    Change the automatic login and enter the internal SIP/Pool name pool1.domain.com:5061 and try to log in.

  • Lync 2013 Edge server compatibility with Lync 2010 Front end Pool

    Hi All,
    Technet article (http://technet.microsoft.com/en-us/library/jj688121.aspx) says the following:
    If your legacy Lync Server 2010 Edge Server is configured to use the same FQDN for the Access Edge service, Web Conferencing Edge service, and the A/V Edge service, the procedures in this section are not supported. If the
    legacy Edge services are configured to use the same FQDN, you must first migrate all your users from Lync Server 2010 to Lync Server 2013, then decommission the Lync Server 2010 Edge Server before enabling federation on the Lync Server 2013 Edge Server.
    Can you tell me why it is you have to change the External Lync Web services URL during a migration to Lync 2013 from Lync 2010. What purpose does this serve?
    Also can you clarify this and explain why this is required, why would you have to migrate all of your users, would a Lync 2013 Edge not talk to a Lync 2010 front-end?
    Any help would be much appreciated. MANY THANKS.

    Thank you very much for all your inputs.
    We still have a few questions:
    Questions:
    Can you tell me if Lync 2010 users will be able to log in using mobility if we repoint the reverse proxy (TMG) web services publishing rule to the Lync 2013 server? Remember, both systems, Lync 2010 and 2013, are using the same web
    services URL, so they will both end up at the Lync 2013 server. Alternatively, if not, we will migrate all users to 2013; this is not a problem.
    In addition to this, I cannot find anything that states how Exchange UM will operate when you are running from a backup pool and the Exchange UM contacts are not available because they are homed on the server that is down. This
    configuration is 2 x Standard Edition servers, pool paired. How can we make sure Exchange voice mail works during a pool failover?
    Call Park is not clear to me. I read the following:
    Lync Server 2013 provides new disaster recovery mechanisms in the form of failover and failback processes. These failover and failback processes support recovery of Call Park functionality by allowing
    users who are homed in the primary pool to leverage the Call Park application of the backup pool when an outage occurs in the primary pool. Support for disaster recovery of the Call Park application is enabled as part of the configuration and deployment of
    paired Front End pools.
     Is this saying we need to deploy Call Park in the DR pool and use a different range of orbit numbers, or can we use the same range in the DR pool?
    Further, I can see that Common Area Phones will be fine as they will log into the DR pool automatically. Response Groups need to be exported and imported to the DR pool. Incidentally these did not migrate well at all and have
    caused us a big headache!
    Any inputs will be greatly appreciated. Thanks again for all of your time.

  • Lync 2013 Edge Server Issues

    Forgive me if this question sounds rather "entry level"; I have never worked with Lync, and this project was handed to me by my boss, who hasn't worked with Lync either.
    I have been reading various posts and forum messages until I went cross-eyed about setting up a Lync 2013 Edge server correctly. I am still running into some questions and issues with the Access, Web, and A/V services starting. Here is my main
    question, and below is my setup.
    Question:
    Is there a need for both an external and an internal NIC if all three external IPs for the external services are programmed at the firewall and router to go directly to 1 internal IP address?
    Setup:
    Currently I have 1 FE Standard server that also acts as the Mediation Server, and 1 Edge Server, both of which are virtual and running Server 2012. Originally I did have 2 network cards set up, as all other documentation suggested, 1 external and 1 internal.
    However, my boss, who set up the DNS/firewall entries, stated to remove the external card since the external address that was set up for the 3 services was routed to 1 internal address. The Access Services, Web Services, and A/V services are all running on three
    separate ports with their own unique FQDN: 443, 444, and 445. The cert that was deployed is a wildcard cert from GoDaddy; this has been used by other servers that point inside and outside without issues.
    Issues and Error Messages:
    I have run into a few different issues and error messages from the Event Viewer:
    System
      Provider [Name]: LS Protocol Stack
      EventID: 14352 [Qualifiers: 50153]
      Level: 2
      Task: 1001
      Keywords: 0x80000000000000
      TimeCreated [SystemTime]: 2013-09-09T15:44:51.000000000Z
      EventRecordID: 2885
      Channel: Lync Server
      Computer: edgesvr01
      Security:
    EventData
      0xC3E93C0A
      SIP_E_STACK_TRANSPORT_FAILED

    System
      Provider [Name]: LS Server
      EventID: 12303 [Qualifiers: 50152]
      Level: 2
      Task: 1000
      Keywords: 0x80000000000000
      TimeCreated [SystemTime]: 2013-09-09T15:44:51.000000000Z
      EventRecordID: 2884
      Channel: Lync Server
      Computer: edgesvr01
      Security:
    EventData
      80072741
      The requested address is not valid in its context.

    System
      Provider [Name]: LS Protocol Stack
      EventID: 14336 [Qualifiers: 50153]
      Level: 2
      Task: 1001
      Keywords: 0x80000000000000
      TimeCreated [SystemTime]: 2013-09-09T15:44:51.000000000Z
      EventRecordID: 2883
      Channel: Lync Server
      Computer: edgesvr01
      Security:
    EventData
      TLS
      external IP address that is now used now
      5061
    Please help, I am at a loss as to where to go from here.

    Thanks for the quick responses. 
    I have re-enabled the external NIC.  All services are running now.  When I ran the Remote Connectivity tester this was the outcome.
    Testing remote connectivity for user: username@domain... to the Microsoft Lync server.
     Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Test Steps
    Attempting to resolve the host name lync.metisconnect.com in DNS.
     The host name resolved successfully.
    Additional Details
     IP addresses returned: xxx.xxx.xxx.xxx (external address)
    Testing TCP port 443 on host: host fqdn to ensure it's listening and open.
     The port was opened successfully.
    Testing the SSL certificate to make sure it's valid.
     The certificate passed all validation requirements.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server host fqdn on port 443.
     The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
     Remote Certificate Subject: CN=*.ourdomain.com, OU=Domain Control Validated, Issuer: SERIALNUMBER=######, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
    Validating the certificate name.
     The certificate name was validated successfully.
    Additional Details
     The host name that was found, lync.metisconnect.com, is a wildcard certificate match for common name *.ourdomain.com.
    Certificate trust is being validated.
     The certificate is trusted and all certificates are present in the chain.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.ourdomain.com, OU=Domain Control Validated.
     One or more certificate chains were constructed successfully.
    Additional Details
     A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
    Analyzing the certificate chains for compatibility problems with versions of Windows.
     Potential compatibility problems were identified with some versions of Windows.
    Additional Details
     The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Testing the certificate date to confirm the certificate is valid.
     Date validation passed. The certificate hasn't expired.
    Additional Details
     The certificate is valid. NotBefore = 7/31/2013 4:02:03 PM, NotAfter = 7/31/2014 4:02:03 PM
    Testing remote connectivity for user username@domain to the Microsoft Lync server.
     Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Additional Details
     Couldn't sign in. Error: Error Message: Operation failed because the network connection was not available..
    Error Type: ConnectionFailureException.
    External calls from a 3G/4G data connection are not connecting when using the Lync call feature to an internal user's Lync client. Outcome is: Connecting Call and No Audio. Then the call ends.

  • Lync 2013 Edge Server

    I have a few questions on setting up a Lync 2013 Edge Server. Let me give a little background into what is going on. My company currently still has the old Communicator server (1 user left to migrate to Lync!) and a Lync 2013 that is all set up
    and functional. Our current Lync environment is only internal, since we do not have an Edge Server set up. That is what I am tasked to work on now. I have read a lot of guides on how to build this server, where it needs to be placed in the DMZ,
    and what is needed for it.
    First question - Is there a hardware spec needed for this server?
    Second question - I read that 3 public IPs are needed. What are they needed for? So I can explain to our network guys why I need this.
    Third question - Does it matter if the Edge server is on the domain or not? I read it shouldn't be. I don't think it will be an issue either way for me, but it's easier to manage if on the domain.
    Fourth question - Should I finish my Communicator server decom before worrying about the Edge server?
    Final question - Is there a guide on how to get rid of the Communicator Server connections to our Lync Server?
    Thanks in advance.

    First question - HW spec: https://technet.microsoft.com/en-us/library/gg398835.aspx
    For your reference, my edge servers happen to have 40 GB RAM and 2x'E5-2690 2.9GHz' ... they don't have to be physical ... they can be virtual, however.
    Second - 3 IPs are recommended ... it makes it easier because you can use standard ports as opposed to straying from 443 etc. ... and it makes troubleshooting easier. All three of the edge services include a 443 requirement - and, with SSL, you can't
    just share that socket on a single IP - so, lucky service gets 443. Also, you can segregate the traffic and see exactly what is happening. If you only had 1 IP - many scenarios in Lync would not work (e.g., I'm at a hotel and your AV port is not
    allowed through the firewall).
    Here is a wonderful reference - https://blogs.perficient.com/microsoft/2012/12/lync-scaled-consolidated-edge-public-ip-addresses/
    Third - it is recommended that it is NOT domain joined - however, it's OK that it is. Mine IS domain joined because I have a domain in my DMZ and it assists with management (etc.) and may be required for your security. Your call. IMO, if
    you have a domain, join it. Why not?
    RE: OCS - there is a migration path from OCS 2007 R2 to Lync 2013 as per https://technet.microsoft.com/en-us/library/gg425764.aspx and several documents on the Internet that show the process for those who need to do so. It's not trivial.
    Another interesting link: http://blogs.technet.com/b/saleesh_nv/archive/2014/04/24/lync-2013-tri-co-existance.aspx

  • Lync 2013 Edge Certificates

    We are planning to deploy 2 Lync 2013 Edge servers with an F5 HLB. Can we deploy internal certificates on the Lync 2013 Edge servers (SIP, WebConf, and AV) and deploy an external wildcard certificate (public CA) on the F5 external interface, so the external users
    can be validated on the F5 with the public certificate and the F5 can trust the Edge servers in the DMZ?
    Does this solution work, or do we need only public certificates on the Edge servers?
    Tek-Nerd

    Hi Tek-Nerd,
    Agree with others.
    I’m afraid that if you use a wildcard certificate on the F5, the external users might not be able to access the Lync Server.
    From https://technet.microsoft.com/en-us/library/gg398692.aspx:
    “Microsoft Lync Server 2013 uses certificates to mutually authenticate other servers and to encrypt data from server
    to server and server to client. Certificates require name matching of the domain name system (DNS) records associated with the servers and the subject name (SN) and subject alternative name (SAN) on the certificate. To successfully map servers, DNS records
    and certificate entries, you must carefully plan your intended server fully qualified domain names as registered in DNS and the SN and SAN entries on the certificate.”
    Best regards,
    Eric
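The name-matching requirement quoted from TechNet in the reply above, as an added example that is not part of the thread and not Microsoft's code: a Python check of which planned Edge FQDNs a certificate's SN and SAN entries cover. All FQDNs and certificate entries are constructed sample values, and the wildcard rule (one whole left-most label only) is an assumption about how the client matches names; names reported as `wildcard` are the ones relying on the kind of certificate the reply warns about.

```python
# Added example: map planned DNS names to certificate SN/SAN coverage.
# Every name below is a constructed sample value, not taken from the thread.

def _labels(name):
    """Normalise a DNS name to a list of lower-case labels."""
    return name.strip().rstrip(".").lower().split(".")

def entry_matches(entry, fqdn):
    """Return 'exact', 'wildcard' or None for one certificate name entry."""
    e, h = _labels(entry), _labels(fqdn)
    if e == h:
        return "exact"
    # Assumed rule: '*' must be the whole left-most label, stands for exactly
    # one label, and needs at least two labels after it ('*.com' is rejected).
    if e[0] == "*" and len(e) >= 3 and len(e) == len(h) and e[1:] == h[1:]:
        return "wildcard"
    return None

def coverage(planned_fqdns, subject_name, sans):
    """Map each planned FQDN to 'exact', 'wildcard' or 'missing'."""
    entries = [subject_name] + list(sans)
    result = {}
    for fqdn in planned_fqdns:
        kinds = {entry_matches(entry, fqdn) for entry in entries}
        if "exact" in kinds:
            result[fqdn] = "exact"
        elif "wildcard" in kinds:
            result[fqdn] = "wildcard"
        else:
            result[fqdn] = "missing"
    return result

# Constructed plan: three external Edge names plus one deeper internal name.
PLANNED = ["sip.example.com", "webconf.example.com",
           "av.example.com", "edge01.dmz.example.com"]
WILDCARD_CERT = ("*.example.com", ["*.example.com", "example.com"])
NAMED_CERT = ("sip.example.com", ["sip.example.com", "webconf.example.com"])

if __name__ == "__main__":
    for label, (sn, sans) in (("wildcard cert", WILDCARD_CERT),
                              ("named cert", NAMED_CERT)):
        print(label)
        for fqdn, kind in coverage(PLANNED, sn, sans).items():
            print(f"  {fqdn:28} {kind}")
```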

  • Lync 2013 Edge and Reverse proxy on same server with SNI

    Hello
    I cannot find information on whether it is possible to create a single Lync 2013 Edge server with a reverse proxy on the same server.
    Would it not be possible to share port 443 with SNI support? That way we could use only one public IP.
    Thanks!

    Sorry, it doesn't work.  Remember that 443 isn't HTTPS for the Edge.  If you went with the single IP model for the edge, 443 would be used for the A/V role which would be STUN/TURN. 
    The edge will always want to listen on 443, it just doesn't work to collocate a reverse proxy.

  • Lync 2013 Edge--Unable to Publish Topology due to port assignment issues aka sharing conflicts

    Hi all
    I am trying to set up the following: a single Lync Edge 2013, consolidated with a single external IP address, but I am having issues
    with the Topology Builder when I go to Publish.
    This Topology Builder setup for the Edge Server will not work:
      Access edge: Port 443
      Web conf: Port 444
      A/V edge: 5061
    Error within Topology Builder: “…topology contains one or more port sharing conflicts”.
    It seems to object to the A/V edge on port 5061…
    Is there another port that I should be using for the A/V edge that is the best practice?
    Suffice to say, other than port “444”, how does one choose the other two (2)
    unique ports to avoid conflicts?
    Many thanks in advance
    Magellan99

    5061 is used for federation, and as such implicitly tied to your Access Edge service. If you're using single IP for Edge services, leave them as default as Thamara has advised.
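The port sharing conflict explained in the reply above, as an added example that is not part of the thread and not Topology Builder's own logic: a Python check that expands a single-IP Edge plan into its listeners, including the federation listener on 5061 that the reply says is tied to Access Edge, and reports endpoints claimed by two different services. The service keys, the IP addresses and the `SINGLE_IP_DEFAULTS` plan are assumptions; the thread itself only confirms A/V on 443 and 5061 for federation.

```python
# Added example: find (IP, port) endpoints claimed by more than one Edge service.
from collections import defaultdict

FEDERATION_PORT = 5061  # per the reply: federation, implicitly tied to Access Edge

def listeners(plan):
    """Expand {service: (ip, port)} into (ip, port, service, purpose) rows."""
    rows = [(ip, port, svc, "client") for svc, (ip, port) in plan.items()]
    if "access" in plan:
        # Access Edge also listens for federation on its own IP.
        rows.append((plan["access"][0], FEDERATION_PORT, "access", "federation"))
    return rows

def port_conflicts(plan):
    """Return {(ip, port): [services]} where different services collide."""
    owners = defaultdict(set)
    for ip, port, svc, _purpose in listeners(plan):
        owners[(ip, port)].add(svc)
    return {ep: sorted(svcs) for ep, svcs in owners.items() if len(svcs) > 1}

IP = "203.0.113.10"  # constructed address (documentation range)

# The plan from the question: A/V edge placed on 5061.
POSTED_PLAN = {"access": (IP, 443), "webconf": (IP, 444), "av": (IP, 5061)}

# Assumed single-IP defaults: Access Edge on 5061, Web Conferencing on 444,
# A/V on 443 (only the last is stated in the threads on this page).
SINGLE_IP_DEFAULTS = {"access": (IP, 5061), "webconf": (IP, 444), "av": (IP, 443)}

# Three constructed public IPs: every service can keep 443.
THREE_IP_PLAN = {"access": ("203.0.113.10", 443),
                 "webconf": ("203.0.113.11", 443),
                 "av": ("203.0.113.12", 443)}

if __name__ == "__main__":
    for name, plan in (("posted", POSTED_PLAN),
                       ("single-IP defaults", SINGLE_IP_DEFAULTS),
                       ("three IPs", THREE_IP_PLAN)):
        found = port_conflicts(plan)
        print(name, "->", found if found else "no conflicts")
```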
