Lync External Clients cannot download address book - TMG Reverse Proxy

    Question

  • Hello,

    I've been over and over my configuration and cannot get Lync External Clients to download the address book.  My config is as follows;

     

    Windows 2008 SP1 

    TMG SP1  

    F5 Load Balancer configured as specified by F5 for Lync 2010

    Lync 2010 EE FE pool / 2010 Edge / (tried w/ and w/o 2010 Director)

     

    I have configured TMG as specified by this link : http://technet.microsoft.com/en-us/library/gg429712.aspx

    If I turn off TMG, I am able to get to the F5 VIP on port 4443 so I believe the issue is occurring from the VIP to the internal EE pool.  

    All external client functionality works except for address book/group expansion.  Of note, I am receiving the following error when testing my rule via TMG;

     

     

    Time reported by the Microsoft Forefront TMG Firewall Service: 120.089 seconds

    Testing https://lyncweb.domain.com:4443/

    Category: General error

    Error details: 1460 - This operation returned because the timeout period expired.

    Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965

     

    I also receive the following error when trying to access the external ABS URL directly, i.e. https://lyncweb.domain.com/abs/handler

    Log type: Web Proxy (Reverse) 

    Status: 1460 This operation returned because the timeout period expired.  

    Rule: LyncExt 

    Source: External (x.x.x.x:63848) 

    Destination: Local Host (lyncweb.domain.com 10.33.17.230:4443) 

    Request: GET http://lyncweb.domain.com/abs/handler/F-0ee5.lsabs 

    Filter information: Req ID: 1388e2c2; Compression: client=No, server=No, compress rate=0% decompress rate=0% 

    Protocol: https 

    User: anonymous 

    I also see these when hitting the URL directly and I never get prompted for authentication;
    Log type: Firewall service 
    Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer.  
    Rule: None - see Result Code 
    Source: External (x.x.x.x:63848) 
    Destination: Local Host (10.33.34.33:443) 

    I have the 3rd party external certificate loaded on the external FE sites as well as the TMG server, i.e. "lyncweb.domain.com".  Web listener has bridging enabled 443--> 4443 and no authentication.  I'm forwarding original header instead of original one. Auth delegation is set to "no delegation but client can auth directly".  I am unable to even browse the URL externally...it times out; https://lyncweb.domain.com/abs or https://lyncweb.domain.com/abs/handler.  Public name is set to "lyncweb.domain.com" and path is set to "/*".  Finally, I see NO denies occurring in my TMG logs.

     

    My question is what is the best way to further troubleshoot this issue?  What logging do I need to enable to actually see the group expansion and address book attempts?  I've tried SIP tracing and all I see is proper SIP communication occurring.  I'm at a loss and could really appreciate some help.  Thanks!

     

    • Edited by albogado Saturday, June 11, 2011 15:45 additional info
    Saturday, June 11, 2011 15:36
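
The two log records quoted in the question share one client endpoint (x.x.x.x:63848). The following added example, which is not part of the original post, parses records pasted in that "Key: value" layout and pairs each reverse-proxy 1460 timeout with any non-SYN drop from the same source. The function names are hypothetical and the sample is constructed from the lines quoted above.

```python
import re

# Constructed sample: the two records quoted in the question, pasted as text.
SAMPLE = """\
Log type: Web Proxy (Reverse)
Status: 1460 This operation returned because the timeout period expired.
Rule: LyncExt
Source: External (x.x.x.x:63848)
Destination: Local Host (lyncweb.domain.com 10.33.17.230:4443)
Request: GET http://lyncweb.domain.com/abs/handler/F-0ee5.lsabs
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer.
Rule: None - see Result Code
Source: External (x.x.x.x:63848)
Destination: Local Host (10.33.34.33:443)
"""

def parse_records(text):
    """One dict per record; a 'Log type' line starts a new record."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue                      # blank or non 'Key: value' line
        if key == "Log type":
            records.append({})
        if records:
            records[-1][key] = value
    return records

def endpoint(field):
    """Last 'addr:port' token inside the parentheses of a Source/Destination field."""
    m = re.search(r"\(([^)]+)\)", field or "")
    return m.group(1).split()[-1] if m else None

def correlate(records):
    """Pair each reverse-proxy 1460 timeout with non-SYN drops from the same client."""
    drops = [r for r in records if r.get("Log type") == "Firewall service"
             and "non-SYN packet" in r.get("Status", "")]
    timeouts = [r for r in records if r.get("Log type", "").startswith("Web Proxy")
                and r.get("Status", "").startswith("1460")]
    return [(endpoint(t.get("Source")), endpoint(t.get("Destination")), endpoint(d.get("Destination")))
            for t in timeouts for d in drops
            if endpoint(t.get("Source")) and endpoint(t.get("Source")) == endpoint(d.get("Source"))]

if __name__ == "__main__":
    for src, proxied_to, dropped_at in correlate(parse_records(SAMPLE)):
        print(f"{src}: 1460 timeout towards {proxied_to}; non-SYN drop at {dropped_at}")
```
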

Answers

  • Hi, albogado,

    Please verify that you have configured the connection timeout more than 120 seconds on your TMG server.

    Try to configure:

    Web listener properties
    1. Connections > Advanced... > Connection timeout (Seconds) to more than 120 seconds.
    2. Authentication > Authentication Preferences > disable SSL client certificate timeout.
    3. Authentication > Authentication Preferences > Client credential caching > Validate credentials for every HTTP request.

    For more details, please check:

    http://technet.microsoft.com/en-us/library/cc995192.aspx

    Regards,

    Sharon


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, June 14, 2011 10:33

All replies

  • Can you access the dialin and meet webpages from outside?

    You can test the access to the page from outside with IE https://lyncweb.domain.com/abs/handler and also internally https://lyncweb.domain.com:4443/abs/handler 

     


    regards Holger Technical Specialist UC
    Saturday, June 11, 2011 23:13
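
The outside/inside test suggested above can be staged so that a timeout is attributed to the TCP connect, the TLS handshake or the HTTP response. This is an added example, not part of the original thread; the function name `probe` and the 10-second timeout are assumptions, while the host name, ports and path are the ones quoted in the posts.

```python
import socket
import ssl
import time

def probe(host, port, path="/abs/handler", timeout=10.0, context=None):
    """Return (stage, seconds, detail): the first stage that failed, or 'ok'."""
    context = context or ssl.create_default_context()
    start = time.monotonic()

    def took():
        return round(time.monotonic() - start, 2)

    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:          # DNS failure, refused, unreachable or SYN timeout
        return ("tcp", took(), repr(exc))
    with raw:
        try:
            tls = context.wrap_socket(raw, server_hostname=host)
        except OSError as exc:      # certificate errors and handshake timeouts
            return ("tls", took(), repr(exc))
        with tls:
            try:
                request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
                tls.sendall(request.encode("ascii"))
                status_line = tls.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
            except OSError as exc:  # TLS completed but no response arrived in time
                return ("http", took(), repr(exc))
    if not status_line:
        return ("http", took(), "connection closed without a response")
    return ("ok", took(), status_line)

if __name__ == "__main__":
    # Host name and ports as used in the thread: 443 from outside, 4443 from inside.
    for port in (443, 4443):
        print(port, probe("lyncweb.domain.com", port))
```

Comparing the failing stage and elapsed time for the two ports, from an external and an internal host, shows which hop stops answering.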
  • Hi, albogado,

    Have you fixed your problem?

    If there is any progress, please kindly let us know. Thanks!

    Regards,

    Sharon


    Thursday, June 23, 2011 09:04
  • I am having the same exact issue here.

    With a Netstat -a I get nothing for 4443. Is that because it's a bridge redirect?

      TCP    10.16.4.202:80          test-tmg-d1:0          LISTENING
      TCP    10.16.4.202:443         test-tmg-d1:0          LISTENING

    Eric

    Wednesday, July 13, 2011 23:21
  • Hey,

    Did you solve this problem? Let me know, I got the same issue.

    Thanks,

    John

    Thursday, June 7, 2012 20:57