Lync Web App - Not Authenticating Users externally

    Question

  • I have a client trying to use the Lync Web App for external users to join conferences.  They have single legged TMG deployed as reverse proxy for the Enterprise Edition pool that it points to.  Internally, the web app works fine.  Internally, pointing my browser to the external webcomponents (meet.company.com:4443) also works fine.  If I change my hosts file to point to the TMG for resolving meet.company.com and browse to the meeting link in that manner, it works fine internally.  Externally, the web app loads fine, but upon attempting to log in, it never connects.  If using a Guest account, it says that the meeting link is invalid (the same one that tested fine internally).  If using credentials, it says the user name or password is invalid (when it isn't).  Address books and Response Groups are working fine externally.  Lync Full Client and Lync Attendee client also work fine externally.  Digging into the IIS logs, I find one event that stands out, but cannot seem to figure out what it is.  I am getting a 500 error on a request to the /Reach/Sip.svc/SessionManager - 4443, but this only comes up when testing externally.  I never see this sip.svc mentioned in the logs for successful connections.  All certificates in play are GoDaddy certs, all the required SANs are there, and the intermediates are installed correctly.  Any ideas?

    Thanks,

    Andy

    • Moved by Noya Lau (Moderator) Tuesday, February 28, 2012 8:00 AM (From: Lync Clients and Devices)
    Thursday, February 23, 2012 8:03 PM
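
The IIS log comparison described in the question, as an added example that is not part of the original thread: it parses W3C-format IIS logs and lists URI stems that return 5xx on the external listener (port 4443) but on no other port. The sample log lines, IP addresses, `/Reach/example-page` and `/example/broken` paths, and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status time-taken
2012-02-23 19:41:02 10.0.0.10 GET /Reach/example-page 443 10.0.0.50 200 31
2012-02-23 19:52:10 10.0.0.10 GET /Reach/example-page 4443 10.0.0.20 200 46
2012-02-23 19:52:14 10.0.0.10 POST /Reach/Sip.svc/SessionManager 4443 10.0.0.20 500 124
2012-02-23 19:52:20 10.0.0.10 POST /Reach/Sip.svc/SessionManager 4443 10.0.0.20 500 118
2012-02-23 19:53:01 10.0.0.10 GET /example/broken 443 10.0.0.50 500 15
2012-02-23 19:53:02 10.0.0.10 GET /example/broken 4443 10.0.0.20 500 12
2012-02-23 19:53:05 10.0.0.10 GET /trunc
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def failures_by_listener(text, min_status=500):
    """Count responses with status >= min_status per (s-port, cs-uri-stem)."""
    counts = Counter()
    for row in parse_w3c(text):
        status, port = row.get("sc-status", ""), row.get("s-port", "")
        if status.isdigit() and port.isdigit() and int(status) >= min_status:
            counts[(int(port), row.get("cs-uri-stem", "-"))] += 1
    return counts


def external_only_failures(text, external_port=4443):
    """URI stems that fail on the external listener and on no other port."""
    counts = failures_by_listener(text)
    elsewhere = {stem for (port, stem) in counts if port != external_port}
    return sorted(stem for (port, stem) in counts
                  if port == external_port and stem not in elsewhere)


if __name__ == "__main__":
    for stem in external_only_failures(SAMPLE_LOG):
        print("fails only on the external listener:", stem)
```

A stem that fails on both listeners points at the application itself; one that fails only on 4443 narrows the search to whatever differs on the external path, such as the reverse proxy rule or the name the client resolved.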

Answers

  • Turns out, this was an issue that developed from the setup of Lync Mobility.  This had been previously deployed with the external and internal web services using the same FQDN.  When this was changed to use different names, the old public DNS record was not removed.  Removing the old external web services DNS record fixed the issue.
    • Marked as answer by andy.thompson Monday, April 09, 2012 3:50 PM
    Monday, April 09, 2012 3:50 PM

All replies

  • You probably have problems in your TMG rule publishing the Lync Web Services.

    Also, you might have a problem starting the SSL session from TMG to your Front-End; make sure it requests the correct name and that it is listed in the cert on the FE.


    - Belgian Unified Communications Community : http://www.pro-lync.be -

    Friday, February 24, 2012 12:11 AM
  • I checked the certs on both the front end and TMG; both have the requested SANs listed. While I would tend to agree that this seems to be a TMG issue, the only thing that leads me to believe otherwise is that if I route my request via TMG internally (since it is single-legged I can use the same interface), it works fine. The web app loads fine too, as well as address books, all traffic that passes via TMG. It just doesn't authenticate via the web app.
    Friday, February 24, 2012 2:56 PM
  • Hi Andy,

    Yes, it may be due to reverse proxy misconfiguration. Please check the port redirection. By default, the Lync Internet Information Services (IIS) server uses port 443 for internal clients and port 4443 for external clients.

    In addition, here is a step-by-step solution for configuring Microsoft Forefront Threat Management Gateway 2010 as a reverse proxy that provisions remote access for Lync Web App conferencing users. Have a check and hope it helps.


    Noya Lau

    TechNet Community Support

    Tuesday, February 28, 2012 7:58 AM