Publish Lync Externally without Reverse Proxy

Hello All,
     Well let me start out by saying I'm well aware that publishing Lync externally without a reverse proxy is not suggested due to security measures. To get to the point, I have the following questions regarding setting this up. As of right now I have Lync fully working internally only.
Here is my current setup:
1 standard front end server with one NIC card that has two IP addresses assigned to it and is signed with our internal CA.
I also have an edge server that has two interfaces. One interface is facing external with three public IP addresses with the AV one set as the primary. This interface has a public UC cert applied to it. The other interface is using a private IP address that has a cert from our internal CA.
My questions are as follows:
1. I currently have a GoDaddy UCC cert that allows me to have 5 SANs. I'm trying to maximize this cert but am unsure of how to configure the SANs. Which SANs should be on the certificate so that I can use it for the edge server (av.domain.com/webconf.domain.com/access.domain.com) and Lync front end external cert (lync.domain.com and meet.domain.com)? I also have a wildcard cert from GoDaddy for *.domain.com, however I cannot attach SANs to it. I was wondering if this could be used for meet.domain.com or autodiscover.domain.com?
2. Regarding external DNS entries, so far I have the following:
webconf.domain.com -> to the IP for webconf on edge server public interface
av.domain.com -> to the IP for AV on edge server public interface
access.domain.com -> to the IP for the access on edge server public interface
lync.domain.com -> to the IP configured for external access on the Lync front end server (I have configured IIS on this site to listen to port 80 and 443 as stated in Ken Lasko's blog post)
meet.domain.com -> to the IP configured for external access on the Lync front end server
     Now my question is: do I need to add autodiscover.domain.com and if so where do I point this entry to? Also, how can I configure this setup to work with Lync mobile devices?

As for the Reverse proxy if going that route:
External DNS
lyncdiscover.domain.edu - Point to Reverse Proxy Public IP
lync.domain.edu (this is used as our external webservices url) - Point to Reverse Proxy Public IP
meeting.domain.edu (/meet and /dialin for the simple url's) - Point to Reverse Proxy Public IP
sip.domain.edu (this is currently pointing to our external edge server access ip) - Correct
av.domain.edu (this is currently pointing to our external edge server av ip) - Correct
webcon.domain.edu (this is currently pointing to our external edge server webconf ip) - Correct
Internal DNS
You should set up Split DNS or pinpoint zones as meet/Lyncdiscover/sip/dialin records should be created for the domain.edu: http://technet.microsoft.com/en-us/library/gg398758.aspx
Lyncdiscover.domain.edu - Not required internally but should point to the private IP (external interface) of the Reverse proxy to direct 443 to 4443.
lync.domain.edu - Point to the private IP (external interface) of the Reverse proxy to direct 443 to 4443
Lyncdiscoverinternal.edu - pointed to front end server ip
meeting.domain.edu - pointed to front end server ip
lgcclync2013.domain.cc (this is our FE server) - pointed to our front end server ip - correct
Cisco ASAs don't allow hair-pinning of the firewall; this is why the internal DNS needs to have lync.domain.edu pointing to an internal IP that can redirect 443 to 4443 (reverse proxy) instead of pointing to the Public IP of the reverse proxy: http://technet.microsoft.com/en-us/library/hh690030.aspx

Hi Michael,
     Thank you for all your help. I've set up and configured both the external DNS and the IIS ARR, but now I'm running into an error when I try to connect to any of the following sites: https://lyncdiscover.domain.edu, https://meeting.domain.com, https://lync.domain.edu. I get an Internal 500 error. When I check the Microsoft Remote Connectivity Analyzer under Lync Autodiscover Web Service Remote Connectivity Test I get the following error:
Testing HTTP authentication methods for URL https://lyncdiscover.domain.edu/Autodiscover/AutodiscoverService.svc/root/user.
HTTP authentication test failed.
Additional Details
An HTTP 500 response was returned from IIS7.
Headers received:
Content-Length: 1208
Content-Type: text/html
Date: Wed, 01 Jan 2014 14:56:12 GMT
Server: Microsoft-IIS/8.0
Elapsed Time: 286 ms.
I created 3 server farms on the IIS ARR server:
Lync.domain.edu which is being directed to lgcclync2013.domain.cc ports 8080 and 4443
LyncDiscover.domain.edu which is being directed to lgcclync2013.domain.cc ports 8080 and 4443
meeting.domain.edu which is being directed to lgcclync2013.domain.cc ports 8080 and 4443
When I ping lgcclync2013.domain.cc from the IIS server it resolved correctly to the right IP address.

Similar Messages

  • Lync 2010 Mobility without reverse Proxy

    Hi all
    I have the following scenario which I'm battling with:
    Due to budget and existing infrastructure setup, TMG is not an option.
    I have a working Lync 2010 setup, being used for full Enterprise functionality in the business.
    - I have one FE, one EDGE server running and working well
    - I have setup Mobility and internally it works fine for Audio, IM etc
    I am battling to get the external access working through my firewall
    - I have port forwarding from 443 to 4443
    - I have tried using a single External IP resolved to lyncdiscover.mydomain.com
    - I have tried using the NAT'd External IP on my FE (Edge Pool)
    I am using a Watchguard firewall and can see when I attempt to sign in on my iPhone from outside that it's getting to the firewall, it forwards to my FE server but times out after a while
    If I browse to my https://lyncdiscover.mydomain.com I get the download file option
    My problem here is it indicates my internal web services:
    {"AccessLocation":"Internal","Root":{"Links":[{"href":"https:\/\/my.domain.local\/Autodiscover\/AutodiscoverService.svc\/root\/domain","token":"Domain"},{"href":"https:\/\/my.domain.local\/Autodiscover\/AutodiscoverService.svc\/root\/user","token":"User"}]}}
    Can anyone suggest where I may change this to External as my topology is publishing External already
    Any help would be greatly appreciated
    Regards
    Dale
    Dale G

    If you want to use auto-discover, you should also forward 80 to 8080.
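
A check for the discovery document quoted in the question above, as an added example that is not part of the original thread: it parses the response and reports when a reply fetched from outside advertises the internal access location or links to hosts outside the public DNS namespace. The function names, the `mydomain.com` suffix (taken from the post's placeholder) and the second, constructed response are assumptions for illustration.

```python
import json
from urllib.parse import urlsplit

# Response body as quoted in the post above.
POSTED_RESPONSE = r'''{"AccessLocation":"Internal","Root":{"Links":[{"href":"https:\/\/my.domain.local\/Autodiscover\/AutodiscoverService.svc\/root\/domain","token":"Domain"},{"href":"https:\/\/my.domain.local\/Autodiscover\/AutodiscoverService.svc\/root\/user","token":"User"}]}}'''

# Constructed sample (not from the thread): the same document shape with the
# external location and a placeholder public host name.
CONSTRUCTED_EXTERNAL = r'''{"AccessLocation":"External","Root":{"Links":[{"href":"https:\/\/lync.mydomain.com\/Autodiscover\/AutodiscoverService.svc\/root\/domain","token":"Domain"},{"href":"https:\/\/lync.mydomain.com\/Autodiscover\/AutodiscoverService.svc\/root\/user","token":"User"}]}}'''


def link_hosts(node):
    """Collect the host name of every "href" found anywhere in the document."""
    hosts = set()
    if isinstance(node, dict):
        href = node.get("href")
        if isinstance(href, str):
            host = urlsplit(href).hostname
            if host:
                hosts.add(host.lower())
        for value in node.values():
            hosts |= link_hosts(value)
    elif isinstance(node, list):
        for item in node:
            hosts |= link_hosts(item)
    return hosts


def is_public(host, public_suffixes):
    """True if host equals, or is a subdomain of, one of the public suffixes."""
    return any(host == s or host.endswith("." + s) for s in public_suffixes)


def check_discovery(body, public_suffixes):
    """Inspect a discovery response that was fetched from OUTSIDE the network."""
    result = {"access_location": None, "hosts": [], "findings": []}
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        result["findings"].append(("not-a-discovery-document", "body is not a JSON object"))
        return result

    result["access_location"] = doc.get("AccessLocation")
    result["hosts"] = sorted(link_hosts(doc))

    if result["access_location"] != "External":
        result["findings"].append(
            ("internal-access-location",
             "outside request was answered with AccessLocation=%r" % result["access_location"]))
    for host in result["hosts"]:
        if not is_public(host, public_suffixes):
            result["findings"].append(
                ("non-public-host", "link points at %s, which is outside %s"
                 % (host, ", ".join(public_suffixes))))
    return result


if __name__ == "__main__":
    for label, body in (("posted", POSTED_RESPONSE), ("constructed", CONSTRUCTED_EXTERNAL)):
        report = check_discovery(body, ("mydomain.com",))
        print(label, report["access_location"], report["hosts"], report["findings"])
```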

  • Sophos Firewall\Reverse Proxy With Lync 2013

    We currently have Lync 2013 deployed internally and working like a champ for about 5 months now. We are in the process of trying to get this rolled out externally and running into issues.
    It seems we have the ports opened up properly but the MS remote connectivity analyzer comes back with certificate error "The certificate couldn't be validated because SSL negotiation wasn't successful."
    I'm pretty certain our certificates are correct for the external edge server and the external firewall\Reverse proxy. From the Lync planning tool we have been following it and so far successful until the certificates. The certificates tool shows we should
    have the following certs assigned: (keep in mind we have 2 separate certificates assigned)
    Edge Server External
    Subject name: lyncaccess.domain.com
    SAN:webcon.domain.com and sip.domain.com
    Reverse Proxy:
    rp0100.domain.com (reverse proxy FQDN does resolve)
    SAN: dialin.domain.com, meet.domain.com, and temwac.domain.com (office web apps server)
    We requested the certificates from Go daddy and have them installed and the SANs are in there correct. The connectivity analyzer is able to get to our server using autodiscover over port 443, we see the traffic come in through the firewall and nothing is
    blocked just the certificate could not be validated.
    Has anyone deployed Lync using the Sophos UTM as a reverse Proxy any other ideas as to what we are missing with these certificates?

    lyncdiscover.domain.com does not resolve. Discovery is working fine through the connectivity analyzer. We actually figured that part out about the SSL. It seems we had the firewall and Reverse proxy rules in place on the Sophos appliance but the firewall
    rules leaving the edge server were being blocked. It took us about 1.5 days to figure that part out.
    The connectivity analyzer now is able to authenticate the certificates successfully. Of course it wouldn't be a Lync roll out without the next issue coming up.
    The next issue we have is the connectivity analyzer reaching the AV service. Which we are going to assume is a routing issue as well and are currently troubleshooting it:
    Couldn't sign in. Error: Error Message: The endpoint was unable to register. See the ErrorCode for specific reason..
    Error Type: RegisterException.
    Deregister Reason: None.
    Response Code: 504.
    Response Text: Server time-out.
    http://social.technet.microsoft.com/Forums/lync/en-US/f95c47cc-f8eb-4646-bdac-6c7244b26ff1/couldnt-sign-in-error-error-message-the-endpoint-was-unable-to-register-new-deployment?forum=ocsplanningdeployment
    Wish me luck.

  • Only Federation: Reverse Proxy required?

    Hi,
    We are planning to deploy an Edge for Federation (only Federation) and we are wondering whether Reverse Proxy is actually required or not.
    From Setting up reverse proxy servers for Lync Server 2013 we get the features given by the Reverse Proxy. The one that could impact us and makes us doubt is:
    "Enabling external users to download meeting content for your meetings"
    It says "downloading content" not "joining".
    Without Reverse Proxy we're sure we couldn't schedule meetings through Outlook as they would contain a Meet URL that wouldn't be reachable for the federated user. In addition, we suppose that "Meet now" wouldn't work due to the same reason.
    But, if I have an IM or A/V conversation with another internal user or a federated user (peer-to-peer) and promote it to conference by inviting a federated user... Would we the three have a conference with IM and A/V? Or won't it be possible because federated
    user actually needs Meet URL in order to connect and there wouldn't be a Reverse Proxy?
    TechNet just says "downloading content" and the Lync 2013 workload posters don't show any communication between Lync Federation and Reverse Proxy. That's why we doubt whether it's needed or not.
    Thanks.
    Kind regards.

    I have never tested this scenario before and I'm completely basing this on the logic of how it works. Based on the Lync Server 2013 protocol Workload Poster, it does seem to use HTTPS traffic while on an A/V conference as well as app sharing. But I think you can still have an AV conference as long as you invite people to an ongoing conference.
    http://thamaraw.com

  • Apache Reverse Proxy

    Hi
    I have installed Apache Reverse Proxy to access my Portal and ECC6.
    In the httpd config file , i have done the following settings.
    <VirtualHost ipaddress:port>
    ProxyPreserveHost On
    ProxyPass /irj/ http://portalserver:50000/irj/
    ProxyPassReverse /irj/ http://portalserver:50000/irj/
    ProxyPass /eccdev/ http://eccserver:8000/eccdev/
    ProxyPassReverse /eccdev/ http://eccserver:8000/eccdev/
    </VirtualHost>
    eccdev is external alias for the path
    /sap/bc/gui/sap/its/webgui/
    With this setting, when a request is made for eccdev/
    it takes me to the ECC6 login page.
    When I enter the required information, it just clears the username password fields.
    I checked that the username password are correctly entered.
    What is the problem?
    Regards
    Rajendra

    Hi Darren ,
    Thanks for the reply.
    Our SSO between Portal and  ECC6 works fine without Reverse Proxy.
    If we access the Portal Through Reverse Proxy , when we navigate to any iViews say BSP iView , it asks for Username password. Once provided it works fine.
    Second Scenario is Using Reverse Proxy to Directly access
    SAP GUI . i.e without using Portal.
    If i do not use Reverse Proxy , i can access my ECC6 webgui
    through browser after providing the Login Details, but if i use Reverse Proxy then Even after providing the Login Details ,
    the LogOn Box does not go and keeps asking for login details.
    To summarize, I just want to access the SAP GUI from Browser
    using Reverse Proxy. I am able to do it without reverse Proxy.
    Can you help ?

  • TMG is dead, now which Reverse Proxy?

    Hi, now that Forefront TMG is discontinued, what is the Microsoft recommended reverse proxy to use for Lync 2010 and 2013?
    Is MS going to create a guide for this?

    Hi,
    There is no hard requirement to use TMG or ISA for Lync. Any reverse proxy that can meet the requirements for publishing the necessary resource locations can be used. TMG is just one of the possible options.
    Kent Huang
    TechNet Community Support

  • Printing Issue from ITS with a Reverse Proxy Configured

    Hi experts,
    We have an enterprise portal landscape which  can be accessed from the internet. The URLs are mapped using apache server as a reverse proxy. Also, we have configured the reverse proxy settings for accessing R/3 systems.
    When the users try to take the print out from the ITS Web GUI accessed through the enterprise portal, the page redirects itself to an only internally resolvable host name of the R/3 ITS.
    Due to this issue, users are not able to take prints from internet.
    I would like to know if there is any way by which i can change this to my externally resolvable reverse proxy host address, which in turn can be mapped internally to the original host name at the reverse proxy level.
    Can any one help me out in this?
    Thanks a lot
    Shobin

    Hi Shobin,
    SAP note 1145306 might provide some help about directives to be used.
    Regards,
    Dieter

  • OAM- Apache Reverse Proxy issue when Form Authentication is used

    Hi All,
    Customer is using Apache 2.0.65 as a reverse proxy server. OAM has been integrated with OAS. A WebGate has been installed on OHS in infra.
    When a protected resource (portal) is accessed, a login form appears. After entering the correct credentials, it does not go to the resource; instead it displays some Header Variables in the Browser, instead of the actual resource.
    This happens only when a resource is protected with Form Authentication Scheme and while using with reverse proxy. The same Form Authentication scheme works without reverse proxy. With Basic LDAP Authentication, the same resource perfectly works even when reverse proxy is used.
    Any suggestions?
    Thanks in advance.
    Regards,
    Amol

    Hi Amol,
    Check the passthrough parameter in your form scheme. If this is set to yes, what you are asking OAM to do is to pass through to the form action instead of the URL the user originally requested. I know this still does not explain why things work when the reverse proxy is not used - but it might make sense if you actually have 2 form schemes and when you access the resource via the reverse proxy, the policy domain/policy in question actually invokes the scheme which has passthrough enabled. You could ascertain this via the access tester by trying the reverse-proxied URL and direct URL.
    -Vinod

  • Reverse proxy settings crashing ML Server

    I have a few IP cameras I'm attempting to expose externally via reverse proxy. I've created a site on my Mini ML Server and password protected it under a subdomain. This allows me to drop my own custom UI on the camera controls so they work better with my iPhone etc. It's working great on my laptop's local virtual host. However, the reverse proxy settings seem to kill Apache on the ML server. If I remove the lines in blue below, it seems to work, but I get double authentication requests. Anyone have any experience with this? My Apache knowledge is minimal at best.
    ProxyRequests off
    ProxyPass /camera1/ http://192.168.0.1/
    ProxyPass /camera2/ http://192.168.0.2/
    ProxyPass /camera3/ http://192.168.0.3/
    ProxyHTMLURLMap http://192.168.0.1 /camera1
    ProxyHTMLURLMap http://192.168.0.2 /camera2
    ProxyHTMLURLMap http://192.168.0.3 /camera3
    <Location /camera1/>
    ProxyPassReverse /
    ProxyHTMLEnable On
    ProxyHTMLURLMap  /      /camera1/
    RequestHeader    unset  Accept-Encoding
    </Location>
    <Location /camera2/>
    ProxyPassReverse /
    ProxyHTMLEnable On
    ProxyHTMLURLMap  /      /camera2/
    RequestHeader    unset  Accept-Encoding
    </Location>
    <Location /camera3/>
    ProxyPassReverse /
    ProxyHTMLEnable On
    ProxyHTMLURLMap  /      /camera3/
    RequestHeader    unset  Accept-Encoding
    </Location>

    The following setup took care of my issue...
    ProxyRequests off
    ProxyPass /camera1/ http://192.168.0.30/
    ProxyPass /camera2/ http://192.168.0.32/
    ProxyPass /camera3/ http://192.168.0.34/
    ProxyPass /camera4/ http://192.168.0.36/
    ProxyPassReverse /camera1 http://192.168.0.30
    ProxyPassReverse /camera2 http://192.168.0.32
    ProxyPassReverse /camera3 http://192.168.0.34
    ProxyPassReverse /camera4 http://192.168.0.36

  • Issues using IIS 8.5 with ARR 3.0 as Reverse Proxy for Lync 2013

    Dear reader, after searching for a day without finding a solution to my problem I end up here ;-)
    Working Lync 2013 environment (gradually adding functionality) consisting of 2 FE servers, Persistent Chat Server, Web Apps server, Edge Server, Reverse Proxy Server (IIS 8.5/ARR 3.0), SQL Server.
    Set up a fresh Windows 2012 R2 with IIS 8.5, installed ARR 3.0 and followed along this TechNet article.
    So far so good, external clients (incl. mobile phone apps) can all connect.
    Now trying to add Web Apps to the reverse proxy, which is slightly different from the others by not forwarding 80/8080 and 443/4443, but just 80 and 443 to internal Web Apps server.
    After creating the server farm/URL rewrite, browsing to the webapps.FQDN/hosting/discovery ends up with a 404 error (instead of XML, which is shown when try from the LAN).
    After moving this rewrite rule to the top, it started working, but now my lyncdiscover.FQDN stops working.
    Of course moving the webapps rule down restores the lyncdiscover.
    Any ideas? (Everything set up as described in the above-mentioned TechNet article, so using wildcards. Tried fiddling around with webext.* and lyncdiscover.* and so on, but no luck. I'm completely new to ARR.)
    Thanks,
    Barry

    Can you confirm that for each URL Rewrite Rule, you have an {http_host} record that matches something like webext.* as you referenced above and as seen in step 15 here:
    http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx
    It might help if you posted a screenshot of your URL rewrite rules.
    SWC Unified Communications

  • Lync Reverse Proxy Alternatives

    When migrating from OCS 2007 to Lync 2010, we balked at Microsoft’s recommendation to deploy Forefront Threat Management Gateway (or ISA) just to get the reverse proxy services. 
    TMG is way too expensive and complex for such a limited, simple use case.
    I didn't find much information on what people are using as free alternatives to ISA/TMG, so I decided to post this discussion in case there are others out there who are interested.
    We decided to use Apache 2.2 on Windows Server 2008 R2. 
    Here's how we configured it:
    1. Read here to understand what features require a reverse proxy, and follow the steps to configure your FQDNs, Network Adapters and (maybe) obtain an SSL Certificate for the reverse proxy.
       http://technet.microsoft.com/en-us/library/gg398069.aspx
    2. Download and install the latest stable release of Apache with OpenSSL on your reverse proxy server.
       http://httpd.apache.org/download.cgi
    3. We're using the same certificate on the reverse proxy that we use on our front end server (it has the appropriate SANs), so we need to convert it to PEM format for use with Apache:
       - Use the Certificates MMC on your front end server to export the certificate and include the private key.
       - Transfer the resultant .pfx file to your reverse proxy server.
       - Use OpenSSL to convert your .pfx file to PEM:
         openssl pkcs12 -in c:\pathto\yourcert.pfx -out c:\pathto\yourcert.pem -nodes
    4. Separate the private key from the certificate using notepad:
       - Open the new .pem file and cut the text from the beginning of the file through the end of the "----END RSA PRIVATE KEY----" tag.
       - Save that text to a new file named yourcert.key.
       - Save yourcert.pem, which should now only include the certificate.
    5. Copy (or move) the certificate and private key to the Apache configuration directory. We like to use: C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl for storing the certificates.
    6. Edit httpd.conf (typically in C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf) to enable and configure the proxy and SSL features:
       (See http://httpd.apache.org/docs/2.2/mod/mod_proxy.html for more information on each directive)
       - Uncomment the following lines, which will enable proxy and SSL:
         LoadModule proxy_module modules/mod_proxy.so
         LoadModule proxy_http_module modules/mod_proxy_http.so
         LoadModule ssl_module modules/mod_ssl.so
         Include conf/extra/httpd-ssl.conf
       - Add the following lines to configure reverse proxy behavior:
         #Be a reverse proxy, not a forward proxy
         ProxyRequests Off
         #Accept requests from any client to any URL
         <Proxy *>
         Order Deny,Allow
         Allow from all
         </Proxy>
         #Set the network buffer to improve throughput
         ProxyReceiveBufferSize 4096
         #Configure the Reverse Proxy to forward all requests to your front end server on 4443
         ProxyPass / https://yourfrontend.domain.com:4443/
         ProxyPassReverse / https://yourfrontend.domain.com:4443/
         #Preserve Host Headers for Lync
         ProxyPreserveHost On
       - Optionally, configure logging directives, bindings and server name.
       - Save and close httpd.conf
    7. Edit httpd-ssl.conf (typically in conf\extra):
       - Configure the session cache:
         Uncomment:
         SSLSessionCache "dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache"
         Comment out:
         SSLSessionCache "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
       - Locate the <VirtualHost _default_:443> tag and configure the following:
         Add the following directive:
         SSLProxyEngine On
         Configure the path to your SSL Certificate saved in step 3-5 above:
         SSLCertificateFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.pem"
         Configure the path to your private key saved in step 3-5 above:
         SSLCertificateKeyFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.key"
         Optionally, configure the SSLCACertificateFile (you can download the appropriate bundle from your CA).
         Optionally, configure logging directives.
       - Save and close httpd-ssl.conf
    8. Restart the Apache2.2 service
    9. Configure public DNS records and appropriate firewall rules to allow public http/https traffic to the external interface of your reverse proxy, and to allow the internal interface of the reverse proxy to talk to the front end Lync server on 8080 and 4443.
    10. From an external connection, test connectivity through the reverse proxy:
       - Test https://dialin.company.com (friendly URL for getting dial-in information, if you’re using voice conferencing)
       - Test the Lync Web App by setting up an online meeting and following the URL to join the meeting.
         You can force the use of the web app by appending ?sl= to the end of the meet.company.com link.
         See this for more information http://blogs.technet.com/b/jenstr/archive/2010/11/30/launching-lync-web-app.aspx
    Hope this information is helpful and saves some of you some money and trouble.
    Please contact me if you need further clarification or see any mistakes in my notes.
    Best regards,
    Kenneth Walden
    Enterprise Systems Supervisor
    GSD&M
    Austin, TX

    I'd like to thank you for this article.  We were setting up Apache RP for Lync .... needless to say they weren't too excited to learn this new (and highly complex with lots of specific undocumented requirements) Microsoft product.  Anyways, your
    blog saved me a LOT of headache.  I owe you big time. 
    AWESOME JOB. 
    -Greg
    *****EDIT***
    Decided to come back in there and post good information.  We had issues with EXTERNAL and ANONYMOUS users being able to attend a meeting.  The "DIALUP" url was working fine but the "MEETING" url was broken.  On our WFE servers we were getting the event error as below.   Turns out that our reverse proxy was not set to "PROXYPRESERVEHOST ON".  Once we put that in there ALL was good.
    Notice that the MEET portion was the only thing that was really broken.  So, if you can get DIALUP to work, but MEET doesn't ... your RP is working to FW the 443 to the 4443 correctly but your RP is sending the wrong HEADER.  Look for http://10.x.x.x/meet/ or something in the event logs.
    Log Name:      Application
    Source:        ASP.NET 2.0.50727.0
    Date:          11/16/2011 1:26:35 PM
    Event ID:      1309
    Task Category: Web Event
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      OneofMyInternalWFEservers.local
    Description:
    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 11/16/2011 1:26:35 PM
    Event time (UTC): 11/16/2011 6:26:35 PM
    Event ID: b2039ecd0a62482284030f62e1e639d8
    Event sequence: 129
    Event occurrence: 28
    Event detail code: 0
    Application information:
        Application domain: /LM/W3SVC/34578/ROOT/meet-1-129658725547585993
        Trust level: Full
        Application Virtual Path: /meet
        Application Path: C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\
        Machine name: MYWFE.local
    Process information:
        Process ID: 14204
        Process name: w3wp.exe
        Account name: NT AUTHORITY\NETWORK SERVICE
    Exception information:
        Exception type: HttpException
        Exception message: Server cannot append header after HTTP headers have been sent. 
    Request information:
        Request URL:
    https://FQDN:4443/meet/MyName/456456
        User host address: gatewayIP
        User: 
        Is authenticated: False
        Authentication Type: 
        Thread account name: NT AUTHORITY\NETWORK SERVICE
    Thread information:
        Thread ID: 7
        Thread account name: NT AUTHORITY\NETWORK SERVICE
        Is impersonating: False
        Stack trace:    at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
       at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    Custom event details:
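
A configuration check covering the how-to and the follow-up reply in this thread, as an added example that is not the posters' code: it reads Apache directives and reports the settings those two posts depend on (`ProxyRequests Off`, `ProxyPreserveHost On`, `SSLProxyEngine On` for an https backend, a backend port of 4443 or 8080, and a matching `ProxyPassReverse`). The function names are hypothetical, both sample configurations are constructed from the directives quoted above, and `<VirtualHost>` scoping is ignored, so httpd.conf and httpd-ssl.conf are treated as one merged text.

```python
import re
from urllib.parse import urlsplit

# Backend ports the posts on this page forward to on the Lync front end:
# public 443 -> 4443 and public 80 -> 8080.
LYNC_EXTERNAL_PORTS = {4443, 8080}

# Constructed sample: the directives from the how-to above, merged into one text.
HOWTO_CONF = """
#Be a reverse proxy, not a forward proxy
ProxyRequests Off
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
ProxyPass / https://yourfrontend.domain.com:4443/
ProxyPassReverse / https://yourfrontend.domain.com:4443/
ProxyPreserveHost On
SSLProxyEngine On
"""

# Constructed sample: the same text with ProxyPreserveHost left out, the state
# described in the follow-up reply (dial-in works, the meet URL fails).
NO_PRESERVE_HOST_CONF = HOWTO_CONF.replace("ProxyPreserveHost On\n", "")


def parse_directives(conf_text):
    """Return [(lowercased name, [args])], skipping comments and <Section> tags."""
    directives = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        directives.append((tokens[0].lower(), tokens[1:]))
    return directives


def setting(directives, name, default):
    """Value of an On/Off style directive; the last occurrence wins."""
    value = default
    for d_name, args in directives:
        if d_name == name and args:
            value = args[0].lower()
    return value


def backend_port(url):
    """Explicit port of the backend URL, or None if absent or malformed."""
    try:
        return url.port
    except ValueError:
        return None


def audit_reverse_proxy(conf_text):
    """Return [(code, detail)] for settings that differ from the how-to."""
    d = parse_directives(conf_text)
    findings = []
    # Apache's default for each of the three switches below is Off.
    if setting(d, "proxyrequests", "off") != "off":
        findings.append(("forward-proxy-enabled", "ProxyRequests is not Off"))
    if setting(d, "proxypreservehost", "off") != "on":
        findings.append(("host-header-rewritten",
                         "ProxyPreserveHost is not On: the backend receives its own "
                         "name or IP in Host instead of the public FQDN"))
    ssl_proxy = setting(d, "sslproxyengine", "off") == "on"
    passes = [(a[0], a[1]) for n, a in d if n == "proxypass" and len(a) >= 2]
    reverses = {(a[0], a[1]) for n, a in d if n == "proxypassreverse" and len(a) >= 2}
    for path, backend in passes:
        if backend == "!":  # "ProxyPass /path !" excludes a path, nothing to check
            continue
        url = urlsplit(backend)
        if url.scheme == "https" and not ssl_proxy:
            findings.append(("ssl-proxy-engine-off",
                             "%s is https but SSLProxyEngine is not On" % backend))
        if backend_port(url) not in LYNC_EXTERNAL_PORTS:
            findings.append(("unexpected-backend-port",
                             "%s does not target 4443 or 8080" % backend))
        if (path, backend) not in reverses:
            findings.append(("no-proxypassreverse",
                             "no ProxyPassReverse %s %s" % (path, backend)))
    return findings


if __name__ == "__main__":
    for label, conf in (("how-to", HOWTO_CONF), ("no ProxyPreserveHost", NO_PRESERVE_HOST_CONF)):
        print(label, audit_reverse_proxy(conf) or "no findings")
```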

  • Lync 2013 edge-no reverse proxy question

    I deployed Lync 2013 edge server and no reverse proxy yet. I am trying to connect from my Windows 7 machine with no luck and I can see a TCP reset on the firewall. My question is: is reverse proxy required for the normal client to connect and do basic IM?
    Please confirm. Thanks.

    *****Update**********
    Now when I am trying to test connectivity using Microsoft Connectivity Analyzer I am getting an error related to the external certificate stating that "certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation." With UC troubleshooter I am getting the same. Any idea?
    PS: the certificate is from DigiCert and I have checked the installation with their tool and all was green.
    Regards

  • Lync mobility and HTTP authentication test failed. Is reverse proxy required?

    I currently have the following setup.
    1 x 2013 edge server, lync1.local.com
    has 3 DMZ IPs for external names
    has 1 internal IP
    2 x 2013 std front end servers, lync2 & lync3.local.com
    I've read that in 2013 the mobility service is installed automatically on the front end servers, and I do see it running on both.
    All my clients can connect from the Windows and Mac clients (internally and externally) but not from the phone or Windows app store client (internally or externally).
    Running the exchangeconnectivity test on the website, I get the following error:
    Testing HTTP authentication methods for URL https://lyncdiscover.external.com/Autodiscover/AutodiscoverService.svc/root/user.
      HTTP authentication test failed.
    Additional Details
    A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.
    HTTP Response Headers:
    X-MS-Server-Fqdn: lync1.local.com
    Connection: close
    Content-Length: 64
    Content-Type: text/plain
    Server: RTC/5.0
    Elapsed Time: 427 ms.
    After some reading I notice that many people refer to a reverse proxy when dealing with mobility.
    I do not have a reverse proxy server installed. Is this required for the mobility to work correctly? I can't just use the edge server?
    Thanks in advance for any help.

    Take a look at Georg Thomas' blog: http://www.lynced.com.au/2014/04/configure-citrix-netscaler-vpx-as.html also the Citrix official documentation: http://www.citrix.com/global-partners/microsoft/netscaler.html 
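
The response headers in the question already identify which server returned the 404. The following added example (not from the original posts) parses those headers and maps `X-MS-Server-Fqdn` to the role the poster gave for each host; the `ROLES` table and the function names are assumptions for illustration.

```python
# Response headers as reported in the question (status text kept as the first line).
RESPONSE = """\
HTTP 404 - NotFound
X-MS-Server-Fqdn: lync1.local.com
Connection: close
Content-Length: 64
Content-Type: text/plain
Server: RTC/5.0
"""

# Role inventory built from the poster's topology description (assumed layout).
ROLES = {
    "lync1.local.com": "edge",
    "lync2.local.com": "front-end",
    "lync3.local.com": "front-end",
}


def parse_headers(text):
    """Return a dict of lower-cased header names to values."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def responding_role(text, roles=ROLES):
    """Map the X-MS-Server-Fqdn header to (fqdn, role); role may be 'unknown'."""
    fqdn = parse_headers(text).get("x-ms-server-fqdn", "").lower().rstrip(".")
    return fqdn, roles.get(fqdn, "unknown")


def diagnose(text, roles=ROLES):
    fqdn, role = responding_role(text, roles)
    if role == "edge":
        return (f"{fqdn} (edge) answered the Autodiscover URL; the name "
                "resolves to the Edge, not to the Front End web services")
    if role == "front-end":
        return f"{fqdn} (front end) answered; check the web service itself"
    return "responder not in inventory; check DNS and any device in the path"


if __name__ == "__main__":
    print(diagnose(RESPONSE))
```

For the headers in the question the result names lync1.local.com, the Edge server, as the responder, while the mobility service the poster sees running is on the front end servers.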

  • SAN certificate for external access for edge server and reverse proxy

    Hello,
    I have a question related to certificate planning for a Lync 2013 Edge server.
    For external access and mobile users, I want to enable all the features for external users.
    I'm planning to purchase a SAN certificate.
    My first question: do I need only one SAN for both my Edge server and the reverse proxy?
    My second question is about the names that should be added to the certificate:
    sip.mydomain.com
    av.mydomain.com
    webconf.mydomain.com
    What else should I add? I want to add the names for all feature access.
    Kind Regards
    MK

    Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
    If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
    You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network. Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as an additional SAN on your cert.
    Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only.
    Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that
    can present the third party certificate.

  • Combining Lync Edge certificate of Reverse Proxy

    I wonder whether creating one certificate from the combined Lync Edge server and Reverse Proxy names will work?
    I want to create a certificate for Lync Edge with CN = sip.domain.com and add the names required for the Edge and Reverse Proxy as additional DNS names:
    sip.domain.com
    webconf.domain.com
    webext.domain.com
    meet.domain.com
    dialin.domain.com
    lyncdiscover.domain.com

    Hi,
    Yes, you can use the same certificate for both the Edge Server (external interface) and the Reverse Proxy, with SANs that include all the names the Edge Server and Reverse Proxy need (such as: webcon.contoso.com, sip.contoso.com, webext.contoso.com, meet.contoso.com, dialin.contoso.com, lyncdiscover.contoso.com, and so on).
    More details:
    https://technet.microsoft.com/en-us/library/gg398519.aspx?f=255&MSPPError=-2147217396
    https://technet.microsoft.com/en-us/library/gg429704.aspx
    There is no special SAN for federating with Skype. However, the certificate must be a public SAN certificate.
    Best Regards,
    Eason Huang
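
A check for the question raised in the two certificate threads above: does one SAN list cover every name the Edge and reverse proxy present, and does it carry any internal-only name. This is an added example, not code from the posters; the function names and both candidate SAN lists are constructed, with `admin.domain.com` standing in for an internal-only name.

```python
def san_matches(san, host):
    """True if one dNSName entry covers host.

    A wildcard is honoured only as the whole leftmost label and stands for
    exactly one label, so *.domain.com covers neither domain.com nor
    a.b.domain.com.
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == san[2:]


def audit(sans, required, internal_only=()):
    """Return (missing, exposed).

    missing: required names that no SAN entry covers.
    exposed: SAN entries that equal a name meant for internal use only.
    """
    missing = [h for h in required if not any(san_matches(s, h) for s in sans)]
    internal = {n.lower() for n in internal_only}
    exposed = [s for s in sans if s.lower() in internal]
    return missing, exposed


# Names listed in the question for a combined Edge + reverse proxy certificate.
REQUIRED = ["sip.domain.com", "webconf.domain.com", "webext.domain.com",
            "meet.domain.com", "dialin.domain.com", "lyncdiscover.domain.com"]

# Constructed candidate SAN lists (not taken from any real certificate).
CANDIDATE_A = ["sip.domain.com", "webconf.domain.com", "meet.domain.com",
               "dialin.domain.com", "admin.domain.com"]
CANDIDATE_B = ["sip.domain.com", "*.domain.com"]

if __name__ == "__main__":
    print(audit(CANDIDATE_A, REQUIRED, internal_only=["admin.domain.com"]))
    print(audit(CANDIDATE_B, REQUIRED))
```

Candidate B only shows how a wildcard entry is matched by name; whether a given Lync role accepts a wildcard entry is a separate question this check does not answer.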
