Lync 2013 Remote Powershell

Similar Messages

• Lync 2013 Remote Access on all Lync clients from the internet not login.

  Hi All,
  I have a Lync 2013 setup with and Edge server as well as TMG Server.
  All clients can login on the mobile devices (IPAD, Windows phone etc). However, when i try login on lync client, I get "we're having trouble connecting to the server. If this continues, please contact your support team".
  What could be casing this causing this?
  KimaniBob

  Hi Ben,
  Thansk for the reply.
  I have created  the DNS records on the external and tested all, all seem fine. My Edge server has 2IPs(Internal and External) a NAT has being to the External interface of the Edge and it has being done well.
  I have also ran the ecxhange connectivity, and the output is all green. (Passed)
  Just as an add on. The lync client seems to establish a connection because , I prompts me to enter my credentials. If i put in wrong credentials i get an authentication error. However, if I put in the correct credentials, I get server is temporary unavailable.
  Althou the the error has changed now'Lync couldn't find the server for domain.com....'
  I ran the ocslogging tool and i get the following logs:
  TL_INFO(TF_CONNECTION) [0]1274.0B08::12/09/2013-13:29:25.870.00000149 (SIPStack,SIPAdminLog::WriteConnectionEvent:1222.idx(446))[972797567] $$begin_record
  Severity: information
  Text: TLS negotiation started
  Local-IP: 192.168.168.3:5061
  Peer-IP: 212.49.88.99:11468
  Connection-ID: 0x60400
  Transport: TLS
  $$end_record
  TL_ERROR(TF_CONNECTION) [0]1274.0B08::12/09/2013-13:29:26.058.0000014c (SIPStack,SIPAdminLog::WriteConnectionEvent:1222.idx(452))[972797567] $$begin_record
  Severity: error
  Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?
  Local-IP: 192.168.168.3:5061
  Peer-IP: 212.49.88.99:11468
  Connection-ID: 0x60400
  Transport: TLS
  $$end_record
  I also check on the TMG and found it was dropping SIP protocal (port:5061), not sure if this is the cause, and if so how do I sort it.
  So far no solution.
  KimaniBob

• User migration from Lync 2010 to Lync 2013

  We have Lync 2013 pool co-existence with Lync 2010 pool. Need to move users based on their AD Group membership. In a particular AD group, only few of the users are enabled for LYNC 2010, not all users. How to get the list of only Lync enabled users in AD
  group and move them on to Lync 2013 by PowerShell script?
  Thanks in advance for your help
  Tek-Nerd

  When I ran the below command
  Get-ADGroupMember Mygroup | where {$_.msRTCSIP-UserEnabled -eq "true"}
  on my Lync 2013 server, got the below error message...
  At line:1 char:46
  + Get-ADGroupMember MyGroup | where {$_.msRTCSIP-UserEnabled -eq "true"}
  +                                             
  ~~~~~~~~~~~~
  Unexpected token '-UserEnabled' in expression or statement.
  At line:1 char:59
  + Get-ADGroupMember MyGroup | where {$_.msRTCSIP-UserEnabled -eq "true"}
  +                                                          
  ~~~
  Unexpected token '-eq' in expression or statement.
      + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordExcep
      + FullyQualifiedErrorId : UnexpectedToken
  Tek-Nerd

• Remote PowerShell Connection to Lync Server With Kerberos authentication Fails

  Hi everyone ,
  Remote PowerShell to Lync Server With Kerberos authentication Fails .. Is there any reason for not being able to connect when authentication specified as Kerberos . But exactly same code works when Authentication is specified as "Negotiate"
  E.g :
  Error -
  $session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Kerberos
  [serverName.lync.com] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. The authentication mechanism requested by the client is not supported by the server or unencrypted traffic is disabled in
  the service configuration. Verify the unencrypted traffic setting in the service configuration or specify one of the authentication mechanisms supported by the server.  To use Kerberos, specify the computer name as the remote destination. Also verify
  that the client computer and the destination computer are joined to a domain.To use Basic, specify the computer name as the remote destination, specify Basic authentication and provide user name and password. Possible authentication mechanisms reported by
  server:   Digest Negotiate For more information, see the about_Remote_Troubleshooting Help topic.
      + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportExc
     eption
      + FullyQualifiedErrorId : PSSessionOpenFailed
  Works  -
  $session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Negotiate

  Hi,
  Please double check if Windows Update is the latest version, if not, please update and then test again.
  Please also ensure that the workstation you are using has network access to the Certificate Authority that signed the certificate.
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• [Exchange 2013/Online][PS] How to retrieve existing remote PowerShell sessions

  I'm trying to figure out how to retrieve all existing remote PowerShell sessions (user-managed) between a client and an Exchange 2013 server.
  Running Get-PSSession only returns remote sessions created within the current PowerShell session (system-managed). I need to do this from within a
  different PowerShell session, possibly even from a different computer from where those remote sessions were established.
  Documentation for Get-PSSession states that this should be possible starting with PS 3.0 since user-managed sessions are now stored locally on the remote server (in my case, the Exchange 2013 server) and can later be retrieved from any system-managed session
  by using Get-PSSession with either the ComputerName or ConnectionUri parameter sets.
  Here's how those remote sessions are created:
  PS $> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://<exchange_server>/powershell/ -Credential $credential -Authentication Basic -AllowRedirection
  PS $> Import-PSSession $Session
  And how I try to retrieve those session afterward:
  PS $> Get-PSSession -ComputerName <exchange_server> -ApplicationName powershell -Authentication Basic -Credential $credential -UseSSL -Port 443
  PS $> Get-PSSession -ConnectionUri https://<exchange_server>/powershell/ -AllowRedirection -Authentication Basic -Credential $credential
  Both methods yield no results (nor errors), while running Get-PSSession (without any parameters) within the same user-managed session would successfully return the session. 
  The only explanation I could think of right now is that somehow, WinRM on the Exchange server is not running PS 3.0 even though:
  $PSVersionTable.PSVersion returns 3 0 -1 -1
  winrm id returns ProductVersion = OS: 6.2.9200 SP: 0.0
  Stack: 3.0
  But when I attempt to disconnect a remote session with this Exchange server using Disconnect-PSSession, I get the
  following error message: 
  Disconnect-PSSession : Disconnect-PSSession operation failed for runspace Id = XXXXX
  for the following reason: The disconnection operation is not supported on the remote computer. To support
  disconnecting, the remote computer must be running Windows PowerShell 3.0 or a later version of Windows PowerShell.
  So I guess I have a couple questions:
  Are remote PSSession even supposed to be maintained on
  an Exchange 2013 server? 
  If so, is it possible to retrieve them from a different session using GET-PSSession?
  Which version of PS 3.0 is used by WinRM on an Exchange 2013 server?
  thanks

  Thanks for your help. 
  1. I know that remote PS sessions are supported, I have no issue connecting to the Exchange server. The issue is with
  reconnecting to an existing PS session.
  2. As mentioned in my original post, PS & WinRM 3.0 are installed on the client:
  $PSVersionTable.PSVersion returns 3
  0 -1 -1
  winrm
  id returns ProductVersion = OS: 6.2.9200 SP: 0.0 Stack:
  3.0

• Lync 2013 Contacts - Remote users

  Hi,
  Almost ready to roll out Lync 2013 but...
  Most of our company is spread out across the Internet so we'll want to have the GalContacts files to download automatically to each user.
  Currently I find that that remote users are not getting the GalContacts files, is that an administrative setting in Lync?
  Thanks
  Mike
  Edit: When I monitor a connection in Fiddler on a remote computer I see no request for the address book like I see for those on the LAN.

  Hi,
  External Lync users download Address Book through Reverse Proxy.
  So please double check Reverse Proxy configuration. External Lync users will use the External Web Services FQDN to download address book, so please double check if you enter the correct External Services FQDN.
  Also, double check if all needed SAN added in Reverse Proxy certificate.
  You can troubleshooting with the help of the link below:
  http://technet.microsoft.com/en-us/library/gg398069.aspx
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Lync 2013 Server / Roles & Components

  Lync
  2013 Server / Roles & Components 
  Front End
  User authentication and registration
  Presence information and contact card exchange
  Address book services and distribution list expansion
  IM functionality, including multiparty IM conferences
  Web conferencing, PSTN Dial-in conferencing and A/V conferencing (if deployed)
  Application hosting, for both applications included with Lync Server (for example, Conferencing Attendant and Response Group application), and third-party applications
  Primary store for user and conference data.  Information about each user is replicated among Front End Servers in the pool
  Optionally, Monitoring, to collect usage information in the form of call detail records (CDRs) and call error records (CERs). This information provides metrics about the quality of the media (audio and video) traversing your network for both Enterprise
  Voice calls and A/V conferences.
  Web components to supported web-based tasks such as web scheduler and join launcher.
  One Front End pool runs the Central Management Server DB, which manages and deploys basic configuration data to all servers running Lync
  Optionally, Archiving, to archive IM communications and meeting content for compliance reasons.
  Optionally, if Persistent chat is enabled, Persistent Chat Web Services for Chat Room Management and Persistent Chat Web Services for File Upload/Download.
  Back End
  Database server running Microsoft SQL Server
  Provide the DB services for the Front End pool
  Acts as backup store for the pool’s user and conference data
  Primary stores for other DB’s like Response Group
  High Availability for the BE DB is provided via SQL Mirroring
  Optional Witness to enable automatic failover for BE
  SQL Sever 2008 R2 or higher required for SQL Mirroring
  Edge Server
  Enable users to communicate and collaborate with users outside the organization’s firewall
  Comprises four separate server roles
  Access Edge – Acts as a secure proxy for all remote Lync signaling traffic
  Remote Access
  Federation
  Public IM Connectivity (PIC)
  Web Conferencing Edge – Enable remote users to participate in Web conferences with internal or remote workers
  A/V Edge – Responsible for secure relay of A/V media among internal, external, and federated contacts
  XMPP Gateway – Allows IM/P with XMPP federated contacts
  Reverse Proxy
  Simple URL Publishing – Required for users to join Lync meetings
  Web Conferencing Content – Users download meeting content (PowerPoint, Whiteboard, and Poll data) via Lync Web Services when in meeting
  Address Book & Distribution List Expansion – Required for users to download Lync Address Book and perform DL expansion
  User Certificates – Provides client certificate authentication via Lync Web Services
  Device Updates – Provides software updates to Lync IP endpoints
  Mobility – Provides connectivity for mobile clients via Lync Web Services
  Mediation Server
  Translates signaling and media between Lync Server and PSTN, IP-PBX, or SIP Trunk
  Can be co-located on Front End or separated as stand-alone Server dependent on call volume
  Role facilitates dial-in conferencing
  Capacity
  Co-located = 150 Concurrent Calls
  Standalone =  1100 Concurrent Calls
  Persistent Chat
  Enable users to participate in multiparty, topic-based conversations that persist over time
  Pchat Front End server role runs persistent chat service
  Pchat Back End server stores chat content and compliance events
  Geographic DR is provided via stretched pool and SQL log shipping to replicate DB info
  150k provisioned users / 80k concurrent users
  Archiving
  Uses SQL Server 2008 R2 or SQL Server 2012 for DB
  Capable of archiving the following:   
  Peer-to-peer IM
  Multiparty IM
  Web Conferences, including uploaded content and events
  A/V for peer-to-peer IM and web conferences
  Web conferencing annotations and polls
  Monitoring
  Agent that runs on each Front End Server that collects and manages information from the Front End and Mediation Servers
  Stored on SQL Server DB
  Leverages SQL Server Reporting Services for creation of reports related to call quality and metrics
  Office Web Apps Server
  External server leveraged for rendering PowerPoint slides within the Lync client and Lync Web App
  Typically leveraged within SharePoint deployments to deliver browser-based versions of Microsoft Office applications
  System Center Ops Mgr
  Health configuration in Lync Server 2013 is built around System Center Operations Manager and the use of Lync Server Management Packs. These Management Packs include a number of new features and enhancements, including:
  Feature
  Description
  Synthetic Transactions
  Windows PowerShell cmdlets that can be run from various locations to ensure that end user scenarios such as sign-in, presence, IM, and conferencing are readily available to end users.
  Call Reliability Alerts
  Database queries for Call Detail Records (CDR). These records are written by Front End Servers to reflect whether end users were able to connect to a call or why a call was terminated. These queries result in alerts that indicate when a wide range of end
  users are experiencing connectivity issues for peer-to-peer calls or basic conferencing functionality.
  Media Quality Alerts
  Database queries that look at Quality of Experience (QoE) reports published by clients at the end of each call. These queries result in alerts that pinpoint scenarios where users are likely to be experiencing poor media quality during calls and conferences.
  The data is built upon key metrics such as packet latency and loss, metrics that are known to directly contribute to call quality.
  Component Health
  Individual server components raise alerts by using event logs and performance counters. These alerts indicate failure conditions that can severely impact one or more end user scenarios. These alerts can also indicate a variety of other failure conditions,
  including services not running, high failure rates, high message latency, or connectivity issues.
  Dependency Health
  Failures can occur for a variety of external reasons. The management packs now monitor and collect data for some of the critical external dependencies that might indicate severe issues, including IIS availability, CPU and memory usage of servers and processes,
  and disk metrics.
  Exchange UM
  http://www.contactcenterarchitects.com/lync-2013-server-roles-components/

  Hi,
  Thank you for sharing the information. It is useful for others who not understand Lync Server Roles and Components. You time and effort are appreciated.
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Lync 2013 Mirror Database fails to install - Error: DsRoleGetPrimaryDomainInformation failed with error "6BA".

  Database primary installs just fine for Lync 2013 - however fails instantly when trying to install mirror DB to mirror SQL Server.  The account has dull domain admin, Enterprise admins, and schema admins.  Full access to the share as well.  I
  get the following error:
   InstallMirrorDatabaseCmdlet.StartMirroring
  4/7/2014 10:38:56 AM
  Failed
       └ 
  Error: DsRoleGetPrimaryDomainInformation failed with error "6BA".
  ▼ Details
  └ Type: CannotGetDomainInfoException
  └ ► Stack Trace
      └  
  at Microsoft.Rtc.Management.ADConnect.NativeHelpers.NativeHelper.GetPrimaryDomainInformation(String server)
  at Microsoft.Rtc.Management.Deployment.MirrorUtils.GetSqlServerAccount(String server, String instanceName)
  at Microsoft.Rtc.Management.Deployment.TopologyParser.PopulateDatabasesForSqlInstance(ISqlInstance sqlInstance)
  at Microsoft.Rtc.Management.Deployment.TopologyParser.FindDatabasesForMachine(IMachine machine)
  at Microsoft.Rtc.Management.Deployment.TopologyParser.FindDatabasesForFqdn()
  at Microsoft.Rtc.Management.Deployment.TopologyParser.GetDbListToMirror()
  at Microsoft.Rtc.Management.Deployment.TopologyParser.get_DbInfoList()
  at Microsoft.Rtc.Management.Deployment.InstallMirrorDatabaseCmdlet.StartMirroring()
  at Microsoft.Rtc.Management.Internal.Utilities.LogWriter.InvokeAndLog(Action action)
  4/7/2014 10:38:58 AM
  Error
   └ 
  Error: An error occurred: "Microsoft.Rtc.Management.ADConnect.CannotGetDomainInfoException" "DsRoleGetPrimaryDomainInformation failed with error "6BA"."

  The issue could be a typo in the SQL server name or that the SQL server isn't allowing remote connections. If you run the Install-csmirrordatabase command from powershell you should see more details about the error.
  Take a look at Doug Deitterick's blog: http://blogs.technet.com/b/dodeitte/archive/2013/03/05/issue-configuring-sql-mirroring-for-lync-server-2013-when-sql-witness-is-defined-but-not-available.aspx
  Please mark posts as answers/helpful if it answers your question.
  Blog
  Lync Validator - Used to assist in the validation and documentation of Lync Server 2013.

• Office web Apps server Lync 2013 Certificate

  Hi,
   I'll be installing Office web app (OWA) server with Lync 2013 std edition. External users access is disabled but federation is enabled, mean OWA will be exposed to internet as wabweb.contoso.com, the interal host name of OWA server is owa.contoso.local
  Does the certificate on the on OWA server need to have owa.contoso.local and certificate principle name and wabweb.contoso.com as SAN? or only owa.contoso.local is enough?

  It really depends on how you publish the server to the internet. You have some options. If you are publishing this via a reverse proxy, internally you would have a private cert with .local on it and the public name on the reverse proxy.  If you are
  punching a firewall hole/NAT directly to the server your best option is to use a public cert on that server directly.
  That all said, personally I like to make both the internal and external farm URL the same, and use a public cert on the server (if no reverse proxy is in play).  So I would actually enter the OWAS Farm as wabweb.contoso.com in topology builder, than
  when creating the farm via PowerShell make that both the internal and external URL and get a certificate with a single name on it of wabweb.contoso.com.
  Richard
  Richard Brynteson, Lync MVP | http://masteringlync.com | http://lyncvalidator.com

• Iphone and ipad Lync Client Randomly cannot sign in to Lync 2013 Server

  I have a Lync 2013 environment that will allow all clients to connect from inside and outside of the network except for ios devices. iOS devices are sometimes able to connect and sometimes not. When they are not able to sign in they receive a message stating,
  "An Error Occurred in Lync. Please retry. If the problem persists, contact your support department"
  I have run tests using the Microsoft Remote Connectivity Analyzer and all tests come back green.  I have also used the Lync Connectivity Analyzer and get the results below:
  Starting Lync server autodiscovery
  Starting automatic discovery for secure (HTTPS) internal channel
  Server discovery failed for secured internal channel against
  https://lyncdiscoverinternal.earenfroe.com/
  Starting automatic discovery for unsecure (HTTP) internal channel
  Server discovery failed for unsecured internal channel against
  http://lyncdiscoverinternal.earenfroe.com/
  Starting automatic discovery for secure (HTTPS) external channel
  Server discovery succeeded for secure (HTTPS) external channel against URL
  https://lyncdiscover.earenfroe.com/
  Starting automatic discovery for unsecure (HTTP) external channel
  Server discovery failed for unsecured external channel against
  http://lyncdiscover.earenfroe.com/
  Starting the requirement tests for Lync Mobile 2013 App
  Starting tests for Mobility (UCWA) service
  Completed tests for Mobility (UCWA) service
  Your deployment meets the minimum requirements for Lync Mobile 2013 App.
  Anyone have any suggestions on where to go next?  Troubleshooting an intermittent connection issue that only affects one mobile platform is tough...especially when all the testing tools say everything is configured correctly :)
  Thanks in advance!
  Tom

  I have the same problem, and we have netscaller as revrse proxy solution and we have the required records created for mobility.
  with lync2010 mobility it is working fine, but with lync 2013 mobiltity we have intermittent issue with error e2-3-33 error
  raghu
  I had the same problem (e2-3-33 on mobile devices at random times) and it turns out it was McAfee antivirus causing the UCWA service to crash repeatedly. The workaround for it is outlined in the below blog entry I found as well as the below Microsoft document.
  Long story short you want to run  follow the steps outlined in the workaround section below (I copied it from the linked MSFT document)
  http://support.microsoft.com/kb/2997513
  http://lynclounge.blogspot.com/2014/07/lync-mobility-issues-event-ids-1309.html
  WORKAROUND
  he following procedures must be performed on all Lync Server 2013 FE server and Director Lync 2013 server roles. To
  perform these procedures, first open a command prompt as an administrator.
  Windows Server 2008 R2
  On the Start menu, type cmd.exe in the Windows search feature, and then press Enter.
  Right-click cmd.exe, and then click Run as administrator.
  Windows Server 2012
  Press the Windows key to access the Start page.
  Use the Windows search feature to locate cmd.exe.
  Right-click cmd.exe, and then click Run as administrator.
  In the Command Prompt window, follow these steps:
  Navigate to the %install drive%:\Windows\System32\inetsrv> directory prompt.
  Enter the following command, and then press Enter:
  appcmd set config /section:applicationPools /[name='LyncUcwa'].recycling.disallowOverlappingRotation:true
  Enter the following command, and then press Enter:
  appcmd set config /section:applicationPools /[name='LyncUcwa'].processModel.shutdownTimeLimit:0.00:00:30
  To confirm the changes from steps 2–3, enter the following command, and then press Enter:
  appcmd list apppools lyncucwa /config
  The following information should be returned to the console to confirm the update to the LyncUcwa application pool
  settings:
  <add name="LyncUcwa" autoStart="true" managedRuntimeVersion="v4.0" managedPipelneMode="Integrated" startMode="AlwaysRunning">
  <processModel identityType="NetworkService" idleTimeout="00:00:00" shutdownTieLimit="00:00:30" />
  <recycling disallowOverlappingRotation="true">
  <periodicRestart time="00:00:00">
  <schedule>
  </schedule>
  </periodicRestart>
  </recycling>
  <failure />
  <cpu />
  </add>
   

• Voice problems with Lync 2013 Mobile

  Hi
  I have a situation where Lync 2013 on both iPhone & Android has started giving problems with making and receiving voice calls. There are no problems with Windows, Mac or Phone Edition clients that I'm aware of. I have not tested anything over the VPN,
  but this should not be a factor.
  For receiving calls - If the user is connected to the LAN via Wi-Fi AND the call is from an internal user, all works fine. If the call is from an external user OR the user is connected via 3G, then the call just shows "Connecting" indefinitely.
  This includes transferred calls.
  For making calls - If the user is connected to the LAN via Wi-FI and calls either an internal or external users, all works fine. If the user is connected via 3G and calls either an internal or external user, the phone rings, but when it's answered it shows
  call ended.
  I have ran RUCT on a computer outside the network, with the following findings:
  DNS:
  Record
  Type
  Hostname
  IP Address
  Port
  Weight
  Priority
  _sip._tls.domain.com
  SRV
  sip.domain.com
  Edge External IP
  443
  100
  0
  sip.domain.com
  A
  sip.domain.com
  Edge External IP
  sipexternal.domain.com
  A
  sipexternal.domain.com
  Edge External IP
  meet.domain.com
  A
  meet.domain.com
  <null>
  _ntp._udp.domain.com
  SRV
  pool.ntp.org
  NTP Server IP
  123
  100
  0
  _sipfederationtls._tcp.domain.com
  SRV
  sip.domain.com
  Edge External IP
  5061
  100
  0
  lyncdiscover.domain.com
  A
  sip.domain.com
  Edge External IP
  lyncdiscover.domain.com
  CNAME
  sip.domain.com
  I have ran Test Port on each entry where there is a port with successful results. Ping works on all entries.
  If I query Certificate Information on sip.domain.com with port 5061 or 444, it succeeds and returns the certificate with subject sip.domain.com. If I query 443, it fails with error "An error occurred while retrieving the certificate. Unable to read
  data from the transport connection: An existing connection was forcibly closed by the remote host."
  On Microsoft Remote Connectivity Analyzer, all tests pass except for the certificate test:
  The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip.domain.com on port 443
  The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
  Running netstat on Lync Edge gives me the following with regards to port 443:
  TCP   <Internal IP>:443   Lync2:0   LISTENING
  TCP   <External IP>:443   Lync2:0   LISTENING
  Firewall allows connections on port 443 and I've tried disabling the firewall as well. Trying to open https://sip.domain.com in the browser on the Lync Edge fails also, telnet succeeds, but no data is returned.
  I've restarted the AV service and also rebooted the Lync Edge server, no change. In the topology builder, I can see that AV is configured to listen on port 443.
  Any ideas would be most welcome.
  Regards
  Lionel
  MCP Windows Server MCTS .NET

  I have ran a large amount of additional tests. On my latest round of testing, I have obtained the following results:
  Call received via PSTN gateway on user DID, answered by desktop client inside LAN - works.
  Call received via PSTN gateway on response group, answered by desktop client inside LAN - works.
  Call received via PSTN gateway on user DID, answered by desktop client outside LAN (behind NAT, DSL router) - works.
  Call received via PSTN gateway on response group, answered by desktop client outside LAN (behind NAT, DSL router) - works.
  Call received via PSTN gateway on user DID, answered by mobile client inside LAN - does not work.
  Call received via PSTN gateway on response group, answered by mobile client inside LAN - does not work.
  Call received via PSTN gateway on user DID, answered by mobile client outside LAN (behind NAT, DSL router) - works.
  Call received via PSTN gateway on response group, answered by mobile client outside LAN (behind NAT, DSL router) - works.
  Call received via PSTN gateway on user DID, answered by mobile client outside LAN (3G) - does not work.
  Call received via PSTN gateway on response group, answered by mobile client outside LAN (3G) - does not work.
  Call received via PSTN gateway on user DID, answered by desktop client inside LAN and transferred to mobile client inside LAN - does not work.
  Call received via PSTN gateway on response group, answered by desktop client inside LAN and transferred to mobile client inside LAN - does not work.
  Call received via PSTN gateway on user DID, answered by desktop client inside LAN and transferred to mobile client outside LAN (behind NAT, DSL router) - works.
  Call received via PSTN gateway on response group, answered by desktop client inside LAN and transferred to mobile client outside LAN (behind NAT, DSL router) - works.
  Call received via PSTN gateway on user DID, answered by desktop client inside LAN and transferred to mobile client outside LAN (3G) - does not work.
  Call received via PSTN gateway on response group, answered by desktop client inside LAN and transferred to mobile client outside LAN (3G) - does not work.
  Call made through PSTN gateway from desktop client inside LAN - works.
  Call made through PSTN gateway from desktop client outside LAN (behind NAT, DSL router) - works.
  Call made through PSTN gateway from mobile client inside LAN - does not work.
  Call made through PSTN gateway from mobile client outside LAN (behind NAT, DSL router) - works.
  Call made through PSTN gateway from mobile client outside LAN (3G) - does not work.
  Call from desktop client inside LAN to desktop or mobile client (regardless of location) - works.
  Call from desktop or mobile client (regardless of location) to desktop client inside LAN - works.
  Call from desktop or mobile client (regardless of location) to desktop or mobile client (regardless of location) - works.
  There is no difference in behaviour between normal calls and conference calls. Reproducing the problem seems to require the following:
  1. PSTN gateway needs to be involved
  2. One party needs to be on mobile client
  3. The mobile client needs to be inside the LAN or on a 3G connection, but not behind NAT on a DSL connection
  The only conclusion I can make is that somehow NAT makes the problem go away, but it does not affect desktop clients (on the LAN or Wi-Fi at least, I do not have a way to test them on 3G).
  The PSTN gateway (Cisco UCM) could also be the problem, but it works fine in all other cases. It has 4 trunks and makes all kinds of routing decisions, but once a call is routed to/from Lync, it should not make a difference on what type of device it is answered.
  I'm really baffled by this one. Perhaps the 3G thing is a service provider issue and the issue on the LAN has something to do with the internal DNS combined with the behaviour of the mobile client. Just not sure exactly what.
  MCP Windows Server MCTS .NET

• Issues with Hosted Exchange, UM and Lync 2013.

  Hello everyone!
  I am trying to deploy UM with Office 365 Hosted Exchange. We are using one Lync 2013 Standard Edition FE and have deployed one edge server. We have set up our firewall to host the Reverse Proxy.
  We do not use wildcard certs. External DNS resolves the _sipfederation and sip._tls SRV records to the external face of the edge server. The edge server functions as it should for remote users and mobility.
  I have tried to follow these instructions to the letter three times over to no avail.
  http://y0av.me/2014/01/07/lyncum365/
  Neither Snooper or Event Viewer show any particular issue, though when I try to dial out to voice mail I will get one to two rings and then 5 seconds of silence a fast busy, and finally "Call Unsuccessful".
  When checking the firewall logs I notice a seemingly random 10.x.x.x address being sent to the firewall by the external leg of the edge server. Wireshark captures it as STUN packets on port 3478 being sent to port 3478. These are being dropped by our firewall.
  I believe them to be RTP packets but I do not know if this is normal behavior. Has anyone any ideas?

  My mistake. Here is the snooper result.
  TL_INFO(TF_PROTOCOL) [edge\edge]0C4C.05E4::06/18/2014-15:43:34.153.0000000C (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265)) [3770767507]
  Trace-Correlation-Id: 3770767507
  Instance-Id: 2E5A
  Direction: incoming;source="external edge";destination="internal edge"
  Peer: exap.um.outlook.com:5061
  Message-Type: response
  Start-Line: SIP/2.0 488 Compression algorithm refused
  From: sip:sip.domain.net;tag=08FB9ED133BA396696FE6546EA6F3031
  To: sip:exap.um.outlook.com;tag=B8FFE4E9267ED6ECB78ADCC60126B53F
  Call-ID: 66602CE1F9980BFA94AD
  CSeq: 1 NEGOTIATE
  Via: SIP/2.0/TLS 10.11.11.23:50752;branch=z9hG4bK2132316E.5B3AF52DE2753A36;branched=FALSE;received=207.46.5.9;ms-received-port=50752;ms-received-cid=60172700
  Content-Length: 0
  Server: RTC/5.0
  TL_INFO(TF_NETWORK) [edge\edge]0C4C.05E4: :06/18/2014-15:43:34.153.0000000D (SIPStack,NegotiateLogic::SetCompressionType:NegotiateLogic.cpp(2701)) [559249495]( 00000079B1274FB8 ) Compression type is now CompOff
  TL_INFO(TF_NETWORK) [edge\edge]0C4C.05E4: :06/18/2014-15:43:34.153.0000000E (SIPStack,NegotiateLogic::ProcessCompressionResponse:NegotiateLogic.cpp(2217)) [559249495]( 00000079B1274FB8 ) Peer refused [488] our request for compression
  TL_INFO(TF_NETWORK) [edge\edge]0C4C.05E4: :06/18/2014-15:43:34.153.0000000F (SIPStack,NegotiateLogic::AdvanceOutboundNegotiation:NegotiateLogic.cpp(910)) [559249495]( 00000079B1274FB8 ) Outbound negotiation sequence is complete
  $$end_record
  And finally..
  TL_INFO(TF_PROTOCOL) [edge\edge0C4C.05E4::06/18/2014-15:43:49.379.0000002E (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265)) [962697980]
  Trace-Correlation-Id: 962697980
  Instance-Id: 2E61
  Direction: incoming;source="internal edge";destination="external edge"
  Peer: fe1.domain.net:61254
  Message-Type: request
  Start-Line: BYE sip:uminternal.um.prod.outlook.com:5066;transport=Tls;ms-fe=CO1PR02MB111.namprd02.prod.outlook.com SIP/2.0
  From: <sip:[email protected]>;tag=b736386270;epid=9bcee72318
  To: <sip:[email protected];opaque=app:voicemail>;tag=eced411395;epid=07C3F2A933
  Call-ID: 4266a095bdef8280d67c7e7df58446fc
  CSeq: 2 BYE
  Via: SIP/2.0/TLS 10.10.10.25:61254;branch=z9hG4bKC848F11A.A88BCA6858661A50;branched=FALSE
  Via: SIP/2.0/TLS 10.10.10.125:49156;ms-received-port=49156;ms-received-cid=401200
  Route: <sip:edge.domain.net:5061;transport=tls;opaque=state:Si;lr>
  Route: <sip:exap.um.outlook.com:5061;transport=tls;epid=07C3F2A933;lr;ms-key-info=AAEAARc45bIQE6UJAYvPAR8eV4QTvCH3EE2Kxtie7I2PMCSj-2aArKHP8dStYlJe-9jphIkz_mDEkCD_v8hY-mghQEHD6-F12E7E14YG-TJ2gEcQE0Bx2r_rDB3LrzRZzgQ0WVvxreLPWGI80elWF-xfbc_X3JE8mOR2OB9KQM8-e9WOjfq2kj6CnDGeL0yzgz4OB8zm-ao03Yo4gMZ-BpwaxC3BNuvvVDJo9wqrYftq_Z3MIVewWrqcDt5Td4vxCsMiXdwEqtEIRKVvQoqboleBJAyQl-C3qGgfEoSkUnApFuTSnQYRa4kbZ1iPaACpdKT-VTQGjc9HXfps48YJCsIXW0Ab_NSM2uvhUyw900men1ukXSmoZoWZbwqe5siuWVUcFoQl1h1Jcy4lCyZUfDZoqPzDioLqTk9iUmS8fa-PAJjsq72yGjVB_y1aJSxtHVsw7MiDqOGOPqT3dmF-sINkeyuokCy8UCf_cQHmEHwVzZLUJqaVccr3QNCLsBzhcWSypnC60ZZphOKuwl6RvUXWICPf0ubLTL2ppC3tWEgFdUUWOPVd84uGlMcqRLKGb1qrmpj8Nu6Lte7t5n2pMEBCfgAe79t4GO0C5KScdKT_XBM1iIBRXdNkPKHfSgC-wPQgRikdw7vRD-hOWlN5Lay7-zkQ4Ag6rauszFTAwbft99OieAOxKIsgYcxXxcG6;ms-route-sig=fiEMuzbN4_PyEz_I5gG3g8FtqNAonwgZCoRnOq-ByfYEtywTZp-Hk_eAAA>
  Max-Forwards: 69
  Content-Length: 0
  ms-client-diagnostics: 22; reason="Call failed to establish due to a media connectivity failure when both endpoints are internal";CallerMediaDebug="audio:ICEWarn=0x40003a0,LocalSite=10.10.10.125:6735,LocalMR=10.11.11.23:51430,RemoteSite=10.27.46.15:5286,RemoteMR=207.46.5.80:54106,PortRange=1025:65000,LocalMRTCPPort=51430,RemoteMRTCPPort=54106,LocalLocation=2,RemoteLocation=2,FederationType=0"
  $$end_record

• Lync 2013 /w Edge not working properly (internal/external same domain name and all "external" users"

  Hi,
  I've got some issues with a Lync 2013 setup.
  The config consists of 2 lync servers. One FE and one Edge. All seems to work except audio in meetings and Sip.
  The setup is like this (fake ip's used):
  Front End:
  Internal IP: 172.16.0.10
  External IP: x.x.185.10
  All ports open in Cisco ASA
  internal AD DNS: dialin/lync/meet/lyncdiscover to Front end internal ip. edge/lsedge/sip points to edge internal ip
  EDGE:
  Interal IP: 172.16.0.11 (no gateway configured)
  External IPS: x.x.185.11, x.x.185.12, x.x.185.13
  All external IP's are direct internet facing, no NAT (a firewall is in place).
  All external interfaces are using a wildcard certificate.
  All server are running in a remote data center, so basically no internal users. We all connect to the external interfaces. The Windows domain name (AD) is the same as our External DNS (companyname.com).
  Autodiscover works, we can logon, chat but there is no audio. The audio test failes. Also SIP is not working with a sip trunk.
  External DNS: sip/webconf/av are pointing to their external ip's. sipexternal is a cname to sip. lyncdiscover/lync/dialin/meet all point to the Frond end External ip.
  _sip._tls/_sipfederationtls.tcp/_xmpp-server.tcp all point to the sip.companyname.com ip.
  I just can't figure out what is wrong.

  @PSingh123 I'll try the logs in a minute and get back with the results.
  @PaulB_NZ Thanks for the input. In my opinion the FE does need an external IP. How else will you be able to connect if you are a remote worker?
  The Edge is (asfar as i know) needed for Enterprise voice and Federation with other (external) sip domains. It's not needed for basic (chat/video/whiteboard etc) Lync functionality for both internal and external (remote) users.
  The Edge is to communicate with services/users outside the origanisation.
  I do still think that the basic topology (FE with internal IP and Nat'ed external ip working with an Edge with internal IP and 1 external IP nat'ed to 3 DMZ ip's) is correct in this case.
  I can be wrong and in that case would like to be pointed to the correct configuration.
  75           
  Points
  Top 15
  PSingh123        
  Partner        
  Joined  Jun 2007        
  9
  PSingh123's threads
  Show activity

• Can't Log In with Lync 2013 Windows 8 App over VPN

  Howdy,
  I've downloaded the Lync 2013 App to Windows 8.1.  When I type in my work email, I can't sign in.  I get that the server isn't available or doesn't support Lync.
  The error is attached.
  I can't find a forum for the Lync App itself so I'm hoping to be redirected or since this has to be an easy question, someone might answer it here.
  I'm logged in on our VPN and I'm working around this issue right now with RDP to my desktop and signing in to Lync 2010 there.  This is for the purpose of doing my class this next week from home and showing Yep, I'm really available over Lync. 
  What is really desired is to get Lync on my remote machine working but there's no real Settings page on the App.
  Apparently it does pick up the VPN and tries to sign me in:
  However, there's not much of a way to configure anything.  I can't find a "Settings" page. Tried uninstall/reinstall to see if I didn't fat finger something.
  Lync 2010 is set up on company laptops to work over VPN correctly from home so I can't imagine it's this hard.  I think the "oversimplified" approach of just putting in the email address and (I'm theorizing) letting Lync detect VPN or not,
  can I log in, etc. or whatever it does, this isn't working.  And of course, it's Encapsulated. :)
  OK, I have a work around, it's not a do or die issue here.  I'll RDP to my desktop, sign in and Lync will show me available.  I'll set my location as Home during the hours of the class.
  But ... it's always REALLY annoying when you KNOW it's a simple setup procedure and if that's just found ...
  Thanks for any help.
  Michael Durthaler

  Check that you configure requirement for Lync windows store App as exist in below link
  http://technet.microsoft.com/en-us/library/jj823129.aspx
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Mai Ali | My blog: Technical | Twitter:
  Mai Ali

• Lync 2013 Mobility continues to not work

  Having issues getting mobility to work.
  Simple environment:
  Single server Edge pool
  Single server EE pool
  SQL clustered backend
  All Lync 2013 CU1 at this point in time.
  Potentially required reading:
  Deploying Mobility (Technet)
  Lync Mobility Deep dive
  (based on 2010, but nearly the same in 2013)
  http://masteringlync.com/2011/08/13/using-fiddler-to-troubleshoot-address-book-download-issues/
  http://blogs.technet.com/b/nexthop/archive/2012/11/09/understanding-lync-server-autodiscover-to-support-the-lync-windows-store-app.aspx
  Windows RT app uses the same method as IOS, and is more wiresharkable/tracable, so I am using that.
  Client end errors:
  Windows RT app (15.0.4481.1503) -  this client version cannot log in.
  iOS - Can't sign in.  Please check your account information and try again.
  I don't have a windows phone or android, so working with the clients I have.  (I understand these also do not work)
  Fiddler trace of Windows RT app session:
   From the W3svc logs:
  2013-03-20 03:53:17 1.2.3.4 GET /Autodiscover/AutodiscoverService.svc/root/user [email protected] 4443 - 75.122.79.199
  LyncImm/15.0.4481.1503+(Microsoft+Lync) 401 0 0 35
  LyncImm is
  NOT a user agent listed in the CSCP - google "user agent" +lyncIMM turned up nothing.  Dead lead?
  Lync connectivity analyzer shows it repeats the same webticket 401 over and over with:
  Cookie  found in autodiscover response: StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
    X-Ms-diagnostics: 28032;source="LyncFE.company.local";reason="The web ticket is invalid.";faultcode="wsse:InvalidSecurityToken"
    X-MS-WebTicketURL:
  https://lyncweb.company.com/WebTicket/WebTicketService.svc
    X-MS-WebTicketSupported: cwt,saml
    X-MS-Server-Fqdn: LyncFE.company.local
    X-Content-Type-Options: nosniff
    Cache-Control: no-cache
    Date: Wed, 20 Mar 2013 04:12:20 GMT
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Content-Length: 1293
    Content-Type: text/html
  LCA:  from inside, choosing Windows App - success!
  LCA: from inside, choosing Lync Mobile Apps- fail:
  Failed to obtain the WS-Metadata Exchange (MEX) document using GET for
  https://lyncweb.company.com/Mcx/McxService.svc/mex.
  The service did not require authorization.
  LCA, from outside, choosing Windows App - hangs repeatedly on the HTTPS external channel.  (repeating 401's on webticket service)
  LCA, from outside, choosing Choosing Lync Mobile apps  - failed, same as from inside #2
  Here's what the LCA failure looked like:
  2013-03-20 04:59:12
  1.2.3.4 POST /WebTicket/WebTicketService.svc/mex - 4443 - 75.122.79.199 - 200 0
  0 134
  2013-03-20 04:59:12
  1.2.3.4 POST /WebTicket/WebTicketService.svc/Auth - 4443 - 75.122.79.199 - 200
  0 0 155
  2013-03-20 04:59:12
  1.2.3.4 GET /Autodiscover/AutodiscoverService.svc/root/user
  [email protected] 4443 - 75.122.79.199 -
  401 0 0 35
  2013-03-20 04:59:13
  1.2.3.4 POST /WebTicket/WebTicketService.svc/mex - 4443 - 75.122.79.199 - 200 0
  0 126
  2013-03-20 04:59:13
  1.2.3.4 POST /WebTicket/WebTicketService.svc/Auth - 4443 - 75.122.79.199 - 200
  0 0 158
  2013-03-20 04:59:13
  1.2.3.4 GET /Autodiscover/AutodiscoverService.svc/root/user
  [email protected] 4443 - 75.122.79.199 -
  401 0 0 31
  2013-03-20 04:59:13
  1.2.3.4 POST /WebTicket/WebTicketService.svc/mex - 4443 - 75.122.79.199 - 200 0
  0 126
  2013-03-20 04:59:13
  1.2.3.4 POST /WebTicket/WebTicketService.svc/Auth - 4443 - 75.122.79.199 - 200
  0 0 148
  2013-03-20 04:59:13
  1.2.3.4 GET /Autodiscover/AutodiscoverService.svc/root/user
  [email protected] 4443 - 75.122.79.199 -
  401 0 0 33
  2013-03-20 04:59:13
  1.2.3.4 POST /WebTicket/WebTicketService.svc/mex - 4443 - 75.122.79.199 - 200 0
  0 121
  2013-03-20 04:59:13
  1.2.3.4 POST /WebTicket/WebTicketService.svc/Auth - 4443 - 75.122.79.199 - 200
  0 0 155
  2013-03-20 04:59:13
  1.2.3.4 GET /Autodiscover/AutodiscoverService.svc/root/user
  [email protected] 4443 - 75.122.79.199 -
  401 0 0 31
  2013-03-20 04:59:15
  1.2.3.4 POST /WebTicket/WebTicketService.svc/mex - 4443 - 75.122.79.199 - 200 0
  0 125
  2013-03-20 04:59:15
  1.2.3.4 POST /WebTicket/WebTicketService.svc/Auth - 4443 - 75.122.79.199 - 200
  0 0 147
  2013-03-20 04:59:15
  1.2.3.4 GET /Autodiscover/AutodiscoverService.svc/root/user
  [email protected] 4443 - 75.122.79.199 -
  401 0 0 32
  2013-03-20 04:59:15
  1.2.3.4 POST /WebTicket/WebTicketService.svc/mex - 4443 - 75.122.79.199 - 200 0
  0 120
  2013-03-20 04:59:15
  1.2.3.4 POST /WebTicket/WebTicketService.svc/Auth - 4443 - 75.122.79.199 - 200
  0 0 151
  Similar thread:
  http://social.technet.microsoft.com/Forums/en-US/ocsmobility/thread/96c3fc3a-2f80-435a-8368-1a83dcd56e55/
  http://msdn.microsoft.com/en-us/library/ff595929%28v=office.12%29.aspx
  IOS attempt at sign on (version 4.3.8000.0000)
  IIS log files:
  2013-03-20 04:26:08
  1.2.3.4 GET / sipuri=sip:[email protected] 4443 - 166.137.151.211
  Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 200 0 0 1382013-03-20 04:26:08
  1.2.3.4 POST /webticket/webticketservice.svc - 4443 - 166.137.151.211
  Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 401 0 0 802013-03-20 04:26:08
  1.2.3.4 POST /webticket/webticketservice.svc - 4443 - 166.137.151.211
  Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 401 1 2148074254 1292013-03-20 04:26:08
  1.2.3.4 POST /webticket/webticketservice.svc - 4443 - 166.137.151.211
  Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 401 1 2148074252 882013-03-20 04:26:08
  1.2.3.4 POST /webticket/webticketservice.svc - 4443 - 166.137.151.211
  Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 401 1 2148074254 782013-03-20 04:26:08
  1.2.3.4 POST /webticket/webticketservice.svc - 4443 - 166.137.151.211
  Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 401 1 2148074252 882013-03-20 04:26:09
  1.2.3.4 POST /webticket/webticketservice.svc - 4443 - 166.137.151.211
  Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 401 1 2148074254 782013-03-20 04:26:09
  1.2.3.4 POST /webticket/webticketservice.svc - 4443 - 166.137.151.211
  Lync%202010/1.6+CFNetwork/609.1.4+Darwin/13.0.0 401 1 2148074252 84
  IOS log file was too large to post in message.
  Running test-cmdlets:
  $passwd1 = ConvertTo-SecureString "supersecure" -AsPlainText -Force $passwd2 = ConvertTo-SecureString "notontheinternet" -AsPlainText -Force $tuc1 = New-Object Management.Automation.PSCredential("domain\user1",
  $passwd1) $tuc2 = New-Object Management.Automation.PSCredential("domain\user2", $passwd2) Test-CsMcxP2PIM -TargetFqdn lyncfe.company.local -Authentication Negotiate -SenderSipAddress sip:[email protected] -SenderCredential $tuc1 -ReceiverSipAddress
  sip:[email protected] -ReceiverCredential $tuc2 -v
  From <http://technet.microsoft.com/en-us/library/hh690024.aspx>
  Results:
  Target Fqdn   : lyncfe.company.com
  Target Uri    :
  https://lyncfe.company.com:443/mcx
  Result        : Failure
  Latency       : 00:00:00
  Error Message : No response received for Web-Ticket service.
                  Inner Exception:The HTTP request is unauthorized with client
                  authentication scheme 'Ntlm'. The authentication header
                  received from the server was 'Negotiate,NTLM'.
                  Inner Exception:The remote server returned an error: (401)
                  Unauthorized.
  Diagnosis     :
                  Inner Diagnosis:X-MS-Server-Fqdn : lyncfe.company.com
                  Cache-Control : private
                  Content-Type : text/html; charset=utf-8
                  Server : Microsoft-IIS/7.5
                  WWW-Authenticate : Negotiate,NTLM
                  X-Powered-By : ASP.NET
                  X-Content-Type-Options : nosniff
                  Date : Wed, 20 Mar 2013 04:39:44 GMT
                  Content-Length : 6639
  Verbose comments on it:
  Trying to get web ticket.
  Web Service Url :
  https://lyncfe.company.com:443/WebTicket/WebTicketService.svc
  Using NTLM\Kerberos authentication.
  Could not get a web ticket
  CHECK:
   - Web service Url is valid and the web services are functional
   - If using Phone Number\PIN to authenticate, make sure they match the user uri
   - If using NTLM\Kerberos authentication, make sure you provided valid
  credentials
  URLs and ports all look OK, all services started.
  Not using phone/PIN
  I provided valid creds - the virtual directories show anon/NTLM for the Webticket vdir.
  Any help is welcome - really want this issue put to bed!

  I know this is an old thread, but I was struggling with the same error for mobility, and I hope this may help others in the same situation. 
  On my scenario the issue was caused because the customer didn't use any reverse-proxy solution, instead the FE external website was directly published using a FortiGate box.
  Given that scenario, there were 2 different certs installed on the FE server, 1 (internal RootCA) certificate was applied to the internal website, and another one issued by Godaddy was assigned to the external website manually from IIS console.
  ---I know this is far from a supported solution, but I was able to get it working after some investigation---
  To solve the issue I use this article:
  http://technet.microsoft.com/en-us/library/jj205253.aspx it explains how to check and assign the certificates for oAuth and I used these cmdlets to specify the Godaddy cert to the "WebServiceExternal" & "OAuthTokenIssuer" websites.
  After that the mobility access for internal and external users started to work as expected, I've validated it with "Lync Connectivity Analyzer" and with different mobile clients on Android, IOS and Windows Store.
  Hope this information may be useful.
  Performance, Security & Design