External Lync Web App resource sharing not working with 2010 Edge and 2013 FE Pool

    Question

  • hello,

    we are slowly migrating from a Lync 2010 environment (CU8) to a Lync 2013 environment (CU2). Right now we have a pilot Lync 2013 pool (with the necessary ports published through our reverse proxy) running with one user while everyone else is still on a Lync 2010 pool. Also, our Edge server has not been "upgraded" to Lync 2013 yet. Everything works just fine for all the Lync 2010 aspects (it has been rock solid and working for a year and a half) so the Edge server and reverse proxies (among other things) must be working well (if a meeting is started by a Lync 2010-homed user, the 2010 Lync Web App works beautifully from outside). But, now with the new pilot user if we start a meeting from that 2013-homed user's account (so that the "meet" URL has their name) anyone connecting with the Lync Web App from an external location (internal works fine) cannot get access to desktop sharing or whiteboards or PowerPoints etc (IM and presence and Audio and video all work fine). The full Lync clients (2010 or 2013) work perfectly from an external location (and internally) so it is just the Lync Web App client from outside (and only the resource sharing). We have the Office Web Apps server running fine and published through our reverse proxy and can access the URL for testing it from outside (plus the Lync 2013 client has no problems with PowerPoints from outside) so all seems just fine except this one thing.

    Any ideas on what I might be missing? Should I not worry about it until after I get the Edge server "upgraded" to see if it works then? Any additional firewall ports or certificates that I've not noticed for moving from 2010 to 2013? I've looked at IIS logs, done ocslogger snooping and run Wireshark but haven't found any odd traffic or errors anywhere. The client just keeps asking to rejoin that part of the meeting (even though the a\v and IM part continues to work).

    Any thoughts would be much appreciated

    Steve

    Tuesday, July 23, 2013 11:33 PM

Answers

  • well, it looks like it took the simplest fix it method in the book to solve my problem. A reboot. I was digging around with some of the errors I'd found and saw an old posting from Lync 2010 mobility with the same sort of issue that seemed to be resolved by rebooting the FE servers (not sure why). So, I installed some Windows updates while I was at it (this is a pilot so I had the luxury) and rebooted the servers. Sure enough, all is working beautifully now. Go figure. Maybe an IIS reset would've been enough but either way all is well. Thanks

    Steve

    • Marked as answer by scarr4 Wednesday, July 24, 2013 9:23 PM
    Wednesday, July 24, 2013 9:23 PM

All replies

  • Hi, Steve,

    Would you please make sure TCP 50000-59999, which is for application sharing, is not blocked by the reverse proxy or firewall, including incoming and outgoing traffic?

    Also please verify the conferencing policy for this user is set to allow data collaboration.

    Besides, you can enable Lync server and client logging to get more specific information for troubleshooting.

    Regards,

    Sharon



    Wednesday, July 24, 2013 9:43 AM
    Moderator
  • yep, 50000-59999 is open both ways for the Edge server. And yes, data collaboration is set to True in the Conferencing Policy.

    Also, I have been logging everything coming and going and I haven't seen any errors in the ocslogging logs or IIS logs. I will keep digging with Wireshark and see what else I can find

    Steve

    Wednesday, July 24, 2013 4:16 PM
  • okay, I did a little digging with Firebug and found the following (full log text at end of this message):

    Mainly the errors are:

    "No valid security token" followed by "401 - Unauthorized: Access is denied due to invalid credentials" followed by "You do not have permission to view this directory or page using the credentials that you supplied."

    This comes from the local\internal FQDN of one of our 2013 Front End Pool servers (not sure that matters although it is odd it didn't say it came from the external pool FQDN). The error message comes whether we log into the meeting as a guest or as a known user so it isn't due to user credential problems (plus the rest of the meeting (audio, video, etc) seems to work fine). Any ideas why we get those errors?

    Steve

    11:02:09.005] 11:2:9:4, TL_ERROR, , PSOM, TransportProvider : Response :
    Headers -> Content-Length: 1293
    Content-Type: text/html
    Server: Microsoft-IIS/7.5
    X-Ms-diagnostics: 28020;source="lync2013-FE-server.domain.local";reason="No valid security token."
    X-MS-Server-Fqdn: lync2013-FE-server.domain.local
    X-Powered-By: ASP.NET, ARR/2.5, ASP.NET
    X-Content-Type-Options: nosniff
    Date: Wed, 24 Jul 2013 18:02:06 GMT

    Data -> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml"> <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
    <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>

    <style type="text/css">[deleted junk]  </style> </head>

    <body>
    <div id="header"><h1>Server Error</h1></div>
    <div id="content">  <div><fieldset>
      <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>  
    <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>  </fieldset></div> </div>
    </body>
    </html> , 
    Lync_Client_Model_Conversation_Providers_LogProvider$onMessage, STACKTRACE::  Lync_Client_Model_Conversation_Providers_LogProvider$onMessage  Lync_Client_Common_PostMessage$$1E_0  onPostMessage

    Wednesday, July 24, 2013 6:30 PM
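
As an added example (not part of the original thread and not Microsoft tooling): a small Python parser for the `X-Ms-diagnostics` response header shown in the log above, which extracts the error ID, source and reason and notes whether the reporting server name looks internal. The sample headers are constructed from the log lines in the post; the function names and the `.local` suffix check are assumptions.

```python
import re

# Constructed sample: response headers copied from the log excerpt in the post,
# with the wrapped X-MS-Server-Fqdn value joined onto one line.
SAMPLE_HEADERS = """\
Content-Length: 1293
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Ms-diagnostics: 28020;source="lync2013-FE-server.domain.local";reason="No valid security token."
X-MS-Server-Fqdn: lync2013-FE-server.domain.local
X-Powered-By: ASP.NET, ARR/2.5, ASP.NET
"""

# ;key="value" pairs. A quoted value may itself contain ';', so match on quotes.
_PAIR = re.compile(r';\s*([A-Za-z][\w-]*)="((?:[^"\\]|\\.)*)"')


def parse_headers(text):
    """Return a dict of lower-cased header names to values."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_ms_diagnostics(value):
    """Split '28020;source="...";reason="..."' into its error ID and fields."""
    match = re.match(r"\s*(\d+)", value)
    if not match:
        raise ValueError("no numeric error ID in ms-diagnostics value")
    fields = {k.lower(): v for k, v in _PAIR.findall(value)}
    return {"error_id": int(match.group(1)), **fields}


def summarize(text, internal_suffixes=(".local",)):
    """Summarize the diagnostic header; the suffix list is an assumption."""
    headers = parse_headers(text)
    diag = parse_ms_diagnostics(headers["x-ms-diagnostics"])
    source = diag.get("source", "")
    diag["server_fqdn"] = headers.get("x-ms-server-fqdn", "")
    diag["source_is_internal"] = source.lower().endswith(internal_suffixes)
    return diag


if __name__ == "__main__":
    print(summarize(SAMPLE_HEADERS))
```

Run over a saved client log, the same functions make it easy to group failed requests by error ID and by the server that reported them.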