Ports not showing in netstat

    Question

  • Hi!

    I've got the problem that I can't connect via mobility services; it doesn't matter whether I try it from external or internal.

    As I read in previous posts, I checked 10 times via netstat whether the ports are open, and they aren't, even after several tries to publish, restart and set the ports again...

    When I run Test-CsMcxP2PIM, this is what happens:

    TargetUri  : https://srz02lyncfe01.mydomain.net:443/mcx
    TargetFqdn : srz02lyncfe01.mydomain.net
    Result     : Failure
    Latency    : 00:00:00
    Error      : ERROR - No response received for Web-Ticket service.
                 Inner Exception:The HTTP request is unauthorized with client authe
                 ntication scheme 'Ntlm'. The authentication header received from t
                 he server was 'Negotiate,NTLM'.
                 Inner Exception:The remote server returned an error: (401) Unautho
                 rized.

    Diagnosis  :

    VERBOSE: 'STActivity' activity started.
    Starting STS Uri Discovery...
    Found sts-uri :
    https://srz02lyncfe01.mydomain.net:443/CertProv/CertProvisioningService.svc
    .
    STS Uri Discovery activity completed successfully.
    'STActivity' activity completed in '0.0054293' secs.
    'STActivity' activity started.
    Starting STS Uri Discovery...
    Found sts-uri :
    https://srz02lyncfe01.lmydomain.net:443/CertProv/CertProvisioningService.svc
    .
    STS Uri Discovery activity completed successfully.
    'STActivity' activity completed in '0.0037951' secs.
    'STActivity' activity started.
    Trying to get web ticket.
    Web Service url :
    https://srz02lyncfe01.mydomain.net:443/WebTicket/WebTicketService.svc
    Using NTLM\Kerb auth.
    GetWebTicketActivity completed.
    'STActivity' activity completed in '0.0657297' secs.
    'STActivity' activity started.
    Trying to get web ticket.
    Web Service url :
    https://srz02lyncfe01.mydomain.net:443/WebTicket/WebTicketService.svc
    Using NTLM\Kerb auth.
    Could not get a web ticket
    CHECK:
     - Web service url is valid and the web services are functional
     - If using PhoneNo\PIN to authenticate, make sure they match the user uri
     - If using NTLM\Kerberos auth, make sure you provided valid credentials
    'McxInitiateSession' activity started.
    'McxInitiateSession' activity completed in '0.0758018' secs.
    An exception 'ERROR - No response received for Web-Ticket service.' occurred
    during Workflow
    Microsoft.Rtc.SyntheticTransactions.Workflows.STMcxP2PImWorkflow execution.
    Exception Call Stack:    at
    Microsoft.Rtc.SyntheticTransactions.WebServicesHelper.GetWebTicket()
       at
    Microsoft.Rtc.SyntheticTransactions.Activities.GetWebTicketActivity.InternalExe
    cute(ActivityExecutionContext executionContext)
       at
    Microsoft.Rtc.SyntheticTransactions.Activities.STActivity.Execute(ActivityExecu
    tionContext executionContext)
       at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity,
    ActivityExecutionContext executionContext)
       at System.Workflow.ComponentModel.CompositeActivityExecutor`1.Execute(T
    activity, ActivityExecutionContext executionContext)
       at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity
    activity, ActivityExecutionContext executionContext)
       at
    System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRunti
    me workflowCoreRuntime)
       at System.Workflow.Runtime.Scheduler.Run()

    Server stack trace:
       at
    System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWe
    bRequest request, HttpWebResponse response, WebException responseException,
    HttpChannelFactory factory)
       at
    System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(
    HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory,
    WebException responseException, ChannelBinding channelBinding)
       at
    System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelR
    equest.WaitForReply(TimeSpan timeout)
       at System.ServiceModel.Channels.RequestChannel.Request(Message message,
    TimeSpan timeout)
       at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message
    message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean
    oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan
    timeout)
       at
    System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessa
    ge methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage
    message)

    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage
    reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&
    msgData, Int32 type)
       at
    Microsoft.Rtc.Internal.WebTicketService.IWebTicketService.IssueToken(Message
    request)
       at Microsoft.Rtc.SyntheticTransactions.WebServicesHelper.GetWebTicket()
    'McxTermiateSession' activity started.
    'McxTermiateSession' activity completed in '2.5E-06' secs.
    VERBOSE: Workflow Instance Id b6469d4e-94cb-4f8f-a5ed-73249a95e2fe, completed.
    VERBOSE: Workflow Execution Time (sec): 0.21586

    My Get-CsService -WebServer says this:

    PrimaryHttpPort                 : 80
    PrimaryHttpsPort                : 443
    ExternalHttpPort                : 8080
    ExternalHttpsPort               : 4443
    PublishedPrimaryHttpPort        :
    PublishedPrimaryHttpsPort       :
    PublishedExternalHttpPort       : 80
    PublishedExternalHttpsPort      : 443
    ReachPrimaryPsomServerPort      : 8060
    ReachExternalPsomServerPort     : 8061
    AppSharingPortStart             : 49152
    AppSharingPortCount             : 16383
    McxSipPrimaryListeningPort      : 5086
    McxSipExternalListeningPort     : 5087

    I tried almost everything that helped people, and nothing has helped so far.

    I really hope you can help me!

    Regards,

    Dom

    Wednesday, March 07, 2012 7:12 AM

All replies

  • Can you open IIS Manager on the Lync server, then click on mcx, then Authentication, and check what is enabled? You can do the same thing with autodiscover. Post your results here.


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Thursday, March 08, 2012 9:27 AM
  • Hi, my problem is kinda solved now, but the external access port won't open again. The internal port is open and the test now runs smoothly w/o any problems.

    Regards.

    Thursday, March 08, 2012 10:47 AM
  • Hi,

    How did you manage to resolve the problem?

    Make sure that 443 is open from outside; you can check your TMG to see whether port 443 is allowed. I would suggest that if you are using one TMG rule for the Lync simple URLs along with Lync mobility, you set up TMG logging and then try to access from outside to see whether the request comes in or not and, if it does, what exactly is denied. You can also check your TMG configuration over here: http://salahuddinkhatr.wordpress.com

    Make sure that you have created CNAME records in external DNS for lyncdiscover.domain.com.


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Thursday, March 08, 2012 12:50 PM
  • OK - now after a restart the port is gone. Again.

    I'm seriously at the end of my knowledge now, and I've never had this before. My external DNS is lyncdiscover.censored.net and points to my TMG. My TMG rule should be working, since the ocsconnectivity test finishes fine and is working.

    Thursday, March 08, 2012 1:10 PM
  • What exactly have you done before, and what have you restarted? Where are the ports gone from: inside or outside?

    Can you please explain in more detail?


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Thursday, March 08, 2012 1:25 PM
  • Well,

    I just published the topology again and then restarted the FE. After that, netstat didn't show that the internal port (5086) was listening.

    Thursday, March 08, 2012 1:33 PM
  • Leave the netstat; it looks like those ports become active only when there is "mobile activity".

    Try to run the Test-CsMcxP2PIM command, then see whether it is successful or not. Here is another thread talking about the same: http://social.technet.microsoft.com/Forums/da-DK/ocsmobility/thread/6c03fa96-8a8b-4d69-ac65-c1405b58ab2c

    If you are able to connect from inside on mobile, that means it is fine.

    Hope the above makes sense.


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Thursday, March 08, 2012 1:43 PM
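
The port comparison discussed up to this point, as an added example that is not part of the original thread: it checks the port values from the Get-CsService -WebServer output in the question against the listeners that netstat reports. The netstat lines are constructed sample data, the function names are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample of 'netstat -ano' output (not taken from the thread).
# On the Front End itself, use instead:  $netstatText = netstat -ano | Out-String
$netstatText = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4443           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:443           10.0.0.77:51234        ESTABLISHED     4
  TCP    [::]:443               [::]:0                 LISTENING       4
'@

# Port values copied from the Get-CsService -WebServer output in the question.
$configured = [ordered]@{
    PrimaryHttpsPort            = 443
    ExternalHttpsPort           = 4443
    McxSipPrimaryListeningPort  = 5086
    McxSipExternalListeningPort = 5087
}

# Hypothetical helper: extract every listening TCP port and its owning process id.
function Get-ListeningTcpPort {
    param([Parameter(Mandatory = $true)][string]$NetstatText)
    # Matches "TCP <local>:<port> <foreign> LISTENING <pid>" for IPv4 and [IPv6] addresses.
    $pattern = '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$'
    foreach ($line in ($NetstatText -split "`r?`n")) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Port = [int]$Matches[1]; OwningPid = [int]$Matches[2] }
        }
    }
}

# Hypothetical helper: one result row per configured port.
function Test-ConfiguredPort {
    param(
        [Parameter(Mandatory = $true)]$Configured,
        [Parameter(Mandatory = $true)][string]$NetstatText
    )
    $listening = @(Get-ListeningTcpPort -NetstatText $NetstatText)
    foreach ($name in $Configured.Keys) {
        $port = [int]$Configured[$name]
        $hits = @($listening | Where-Object { $_.Port -eq $port })
        [pscustomobject]@{
            Setting   = $name
            Port      = $port
            Listening = ($hits.Count -gt 0)
            # Several listeners (IPv4 and IPv6) on one port collapse to a single pid list.
            OwningPid = ($hits | Select-Object -ExpandProperty OwningPid -Unique) -join ','
        }
    }
}

Test-ConfiguredPort -Configured $configured -NetstatText $netstatText | Format-Table -AutoSize
```

A row with Listening set to False only says that nothing was bound to that port when netstat ran; the reply above suggests confirming with Test-CsMcxP2PIM rather than relying on netstat alone.
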
  • Ah OK - I thought they should be listening all the time. :)

    When I run the test, this is what it tells me:

    Result     : Failure
    Latency    : 00:00:00
    Error      : The content type text/html; charset=utf-8 of the response message
                 does not match the content type of the binding (text/xml; charset=
                 utf-8). If using a custom encoder, be sure that the IsContentTypeS
                 upported method is implemented properly. The first 1024 bytes of t
                 he response were: '<html>
                     <head>
                         <title>The given key was not present in the dictionary.</t
                 itle>
                         <style>
                          body {font-family:"Verdana";font-weight:normal;font-size:
                  .7em;color:black;}
                          p {font-family:"Verdana";font-weight:normal;color:black;m
                 argin-top: -5px}
                          b {font-family:"Verdana";font-weight:bold;color:black;mar
                 gin-top: -5px}
                          H1 { font-family:"Verdana";font-weight:normal;font-size:1
                 8pt;color:red }
                          H2 { font-family:"Verdana";font-weight:normal;font-size:1
                 4pt;color:maroon }
                          pre {font-family:"Lucida Console";font-size: .9em}
                          .marker {font-weight: bold; color: black;text-decoration:
                  none;}
                          .version {color: gray;}
                          .error {margin-bottom: 10px;}
                          .expandable { text-decoration:underline; font-weight:bold
                 ; color:navy; cursor:hand; }
                         </style>
                     </head>
    
                     <body bgcolor="white">
    
                             <span><H1>Server Error in '/Mcx' Application.<hr width
                 =100% size=1 color=silver></H1>
    
                             <h2> <i>T'.
                 Inner Exception:The remote server returned an error: (500) Interna
                 l Server Error.
    
    Diagnosis  :
    And still, I'm not able to sign in, whether I try it internally or externally; it doesn't matter if it's a Win7 phone, an iOS device or an Android phone.

    Thursday, March 08, 2012 1:55 PM
  • No, the client does not matter. How did you manage to resolve it before?

    Anyhow, try the following:

    Have you created CNAME records internally for lyncdiscoverinternal.domain.com pointing to the Standard Edition server name or the Lync web service URL name?

    Have you created a new Lync certificate which has the Lync mobility names in it?

    Was your deployment successful?

    Are you seeing any errors in Lync?

    When you enter https://lyncdiscoverinternal.domain.com, does it give you something to download?

    Have you matched all the configuration for the Lync mobility installation with http://salahuddinkhatri.wordpress.com


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Thursday, March 08, 2012 2:03 PM
  • I don't know how I resolved it the last time; it was just showing up from one moment to another.

    I set the record pointing to my TMG's public IP.

    Yes I did; internally I created them with lyncdiscover and lyncdiscoverinternal.

    Yes it was, no error shown; I did it exactly like they say in the tutorials.

    No, I don't see any errors so far, except that my Edge server won't replicate, but that doesn't matter since users are still able to connect.

    No, after a certificate warning it just says: the page cannot be displayed.

    Yes I did.

    I'm hoping this helps you a little.

    Friday, March 09, 2012 6:24 AM
  • Hi,

    Did you add lyncdiscover.domain.com to your third-party certificate, and lyncdiscover.domain.com and lyncdiscoverinternal.domain.com to the internal certificate assigned to Lync?

    What if you open lyncdiscoverinternal.domain.com from the internal network: is it giving you something to download? If yes, then there is probably a TMG issue.

    Have a look at this about troubleshooting Lync mobility from outside: http://blogs.technet.com/b/nexthop/archive/2012/02/21/troubleshooting-external-lync-mobility-connectivity-issues-step-by-step.aspx

    If it shows a certificate warning while opening lyncdiscover.domain.com, then you have to either add the SAN name to the external certificate or create another TMG rule with port 80.

    Have you tried logging on to the Lync mobile client from inside and outside? If yes, what errors are you getting?


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Friday, March 09, 2012 7:56 AM
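
A way to check the certificate names asked about in this reply, as an added example that is not part of the original thread: it reads the DNS names from a server certificate's Subject Alternative Name extension and reports which required names are not covered. The function names and the sample SAN list are constructed for illustration, the host names reuse the thread's domain.com placeholders, and PowerShell 3.0 or later is assumed.

```powershell
# Hypothetical helper: fetch the certificate a server presents on a TLS port.
function Get-ServerCertificate {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is presented: it is being inspected, not trusted.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

# Hypothetical helper: list the DNS entries of the Subject Alternative Name extension.
function Get-SanDnsName {
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.17 is the OID of the Subject Alternative Name extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        Select-Object -First 1
    if (-not $ext) { return }
    # Windows formats entries as "DNS Name=host"; other platforms use "DNS:host".
    [regex]::Matches($ext.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

# Hypothetical helper: report, per required name, whether a SAN entry covers it.
function Test-NameCoverage {
    param([string[]]$SanName, [Parameter(Mandatory = $true)][string[]]$RequiredName)
    foreach ($name in $RequiredName) {
        $n = $name.ToLowerInvariant()
        $covered = $false
        foreach ($san in $SanName) {
            if ($san -eq $n) {
                $covered = $true
            } elseif ($san.StartsWith('*.') -and $n.IndexOf('.') -gt 0 -and
                      $n.Substring($n.IndexOf('.')) -eq $san.Substring(1)) {
                # A wildcard covers exactly one label: *.domain.com matches a.domain.com only.
                $covered = $true
            }
        }
        [pscustomobject]@{ Name = $name; Covered = $covered }
    }
}

# Constructed SAN lists standing in for a live lookup such as:
#   $san = Get-SanDnsName (Get-ServerCertificate -HostName 'lyncdiscover.domain.com')
$externalSan = @('sip.domain.com', 'lyncweb-ext.domain.com')
$internalSan = @('lyncdiscover.domain.com', 'lyncdiscoverinternal.domain.com')

Test-NameCoverage -SanName $externalSan -RequiredName 'lyncdiscover.domain.com'
Test-NameCoverage -SanName $internalSan -RequiredName 'lyncdiscover.domain.com',
                                                      'lyncdiscoverinternal.domain.com'
```
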
  • Yes I did.

    Nope, it's just opening a site saying: The page cannot be displayed

    I'm going to have a look at this... No, it doesn't say; if I'm opening the page, I get to download some file.

    Yes I tried; it's just simply not working. It says that the server is either not reachable or the credentials are wrong.

    Regards.

    Friday, March 09, 2012 10:10 AM
  • Hi Dom,

    If you have a Lync 2010 Enterprise Edition pool with several Front End Servers, your hardware load balancer must be able to load balance individual requests within a TCP session (in effect, you must be able to load balance an individual request based on the destination IP address).


    Noya Lau

    TechNet Community Support

    Saturday, March 10, 2012 8:53 AM
    Moderator
  • Hi!

    I don't have an enterprise farm with a load balancer. The only thing I have is a Standard Edition FE with a locally installed instance of SQL Server Express.

    Regards,

    Tuesday, March 13, 2012 8:32 AM
  • Hi,

    OK, let us go step by step.

    First, you have installed CU4, which was successful, correct?

    Then you have installed the mobility services with external and internal ports.

    You have copied McxStandalone.msi to the desired folder.

    Ran the bootstrap, which was successful, correct?

    You are able to see the Autodiscover and Mcx virtual directories in IIS on the Lync server.

    You have assigned a new internal certificate which includes the lyncdiscover and lyncdiscoverinternal names.

    Your third-party certificate contains lyncdiscover.domain.com.

    You have created A or CNAME records in your internal DNS and in your external DNS.

    TMG has lyncdiscover.domain.com in the public name.

    You are able to open https://lyncdiscover.domain.com from outside and you are getting something to download, correct? If not, what error are you receiving?

    Have you looked at the blog which I mentioned before for troubleshooting: http://blogs.technet.com/b/nexthop/archive/2012/02/21/troubleshooting-external-lync-mobility-connectivity-issues-step-by-step.aspx


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Tuesday, March 13, 2012 7:26 PM
  • Hi!

    OK, no problem:

    Yes

    Yes

    Yes

    Yes

    Yes

    Yes

    Yes, issued it with it as SAN.

    Yes

    Yes, this is working.

    Yes I did; because of this I'm finally able to log in internally, but still nothing from external.

    Thanks!

    Wednesday, March 14, 2012 1:50 PM
  • OK.

    So if you are not able to log in externally, tell us the error while connecting from outside using the Lync mobile client.

    Post here the screenshot when you run https://lyncdiscover.domain.com from outside.

    Also, if it is published through TMG, have you created a new rule or are you using the same Lync rule?

    Also, when you run https://lyncweb-ext.company.com/mcx/mcxservice.svc, what do you see? Please post it here.

    Make sure that in TMG the "Forward the original host header instead of the actual one" check box is checked.

    Let us know the output.


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Wednesday, March 14, 2012 2:31 PM
  • Hi!

    It just doesn't throw any exception; it just continues to roll the circle and try to connect.

    Yes, it is published through the TMG; I created a new rule for it.

    When I try to run mcxservice I just get a 403 - denied.

    I did check this, and it was correct.

    Regards

    Thursday, March 15, 2012 6:28 AM
  • Hi,

    What if you run https://lyncweb-int.company.com/mcx/mcxservice.svc from inside the company? What is it giving you?

    Enable logging in TMG for the mobility publishing rule, then try to sign in from a mobile from outside and check whether it gives you something.

    Also have a look at this: http://salahuddkhatri.wordpress.com

    I believe there is something in the TMG rule.


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Thursday, March 15, 2012 11:24 AM
  • Well, after some configuration changes in the web URL of the FE, it's now working externally.

    But now again I can't connect from internal.

    Thursday, March 15, 2012 11:43 AM
  • What exactly have you done to make it work from outside? Maybe if you go through those settings again you will remember that you changed something which is related to internal. Also share with us how you managed to make it work from outside.

    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Thursday, March 15, 2012 11:52 AM
  • Well, what I did was change the webapp URL in the Front End; therefore I had to redo my TMG configuration.

    After the first fail (where nothing worked) I came to the idea that I should try to set the Public Name of the TMG rule to "All requests".

    After that it worked like a charm, although now mobile services internally doesn't work (where I think that the problem is redirecting to the change of the webapp URL).

    And now I'm back at the start, with a now working external authentication, but with a not working internal.

    Thursday, March 15, 2012 1:31 PM
  • After changing the web app URL, have you created an A record in internal DNS? Have you changed the internal certificates to work with the web app URL?

    In the TMG configuration, if you changed to "All requests", that means something is wrong, which is why it is not able to read the specific name. I believe you should have checked on the TMG side; maybe the external name in DNS and the one defined in TMG as the public name were changed, which is why it was not working.

    Also, when you change the Front End URL, you have to run Enable-CsComputer on all Lync FE IIS servers to update all the properties.

    Yes, if you want to connect internally it should come through the TMG interface; have a look at this: http://technet.microsoft.com/en-us/library/hh690030.aspx


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Thursday, March 15, 2012 2:24 PM