Problem with the external users connection

  • Question

  • Hi!

    I have a task to deploy Lync Server. FE server was deployed without problem and test users inside corp network can communicate with each other using mobile and desktop clients.

    Internal domain-corp.local

    External domain.com

    Then I deployed Edge server. 2 interfaces – external and internal (1 IP without NAT). Replication works between servers. Free external certificate from StartSSL (sip.domain.com). On Edge server I also deployed reverse proxy based on IIS. Certificate on 443 port is used from Edge. From Internet I can visit meet.domain.com, dialin.domain.com, sip.domain.com

    When clients connect from the external network as test@domain.com, they are asked for a password and user credentials. When I entered the credentials of the internal domain (domain-corp\test), I see an error “Sign-in didn't work. You didn't get signed in. It might be your sign-in address or logon credentials, so try again. If that doesn't work, contact your support team”

    With the Android client, when connecting through the Internet: "Can't sign in. Please verify your sign-in address and try again"

    On FE I have Security event ID 4625

    "This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request.     - Transited services indicate which intermediate services have participated in this logon request.     - Package name indicates which sub-protocol was used among the NTLM protocols.     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."

    On Edge, event ID 36888

    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.

    External records DNS

    _sip._tls.domain.com
    SRV service location:
        priority       = 100
        weight         = 0
        port           = 443
        svr hostname   = sip.domain.com

    _sipfederation._tcp.domain.com
    SRV service location:
        priority       = 100
        weight         = 0
        port           = 5061
        svr hostname   = sip.domain.com

    A-records

    sipexternal.domain.com  = 11.xxx.xxx.xxx
    sip.domain.com          = 11.xxx.xxx.xxx
    meet.domain.com         = 11.xxx.xxx.xxx
    dialin.domain.com       = 11.xxx.xxx.xxx
    lyncdiscover.domain.com = 11.xxx.xxx.xxx

    Access edge service
        FQDN           sip.domain.com
        IPv4 address   11.xxx.xxx.xxx
        Port           5061
        Protocol       TLS

    Web conferencing edge service
        FQDN           sip.domain.com
        IPv4 address   11.xxx.xxx.xxx
        Port           444
        Protocol       TLS

    A/V Edge Service
        FQDN           sip.domain.com
        IPv4 address   11.xxx.xxx.xxx
        Port           442

    How can this be solved? Any ideas?

    Wednesday, June 24, 2015 8:02 AM
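
An offline consistency check over the values posted in the question, as an added example that is not part of the original post: for each published SRV record it looks up which listener on the single external IP actually owns that port. The function name `Test-SrvAgainstListener` and the object layout are assumptions made for this example; the ports and names are copied from the post.

```powershell
# Constructed input: SRV records exactly as listed in the question.
$srvRecords = @(
    [pscustomobject]@{ Name = '_sip._tls.domain.com';           Port = 443 }
    [pscustomobject]@{ Name = '_sipfederation._tcp.domain.com'; Port = 5061 }
)

# Constructed input: everything the question says is bound on the one
# external IP (all A records point to the same 11.xxx.xxx.xxx address).
$listeners = @(
    [pscustomobject]@{ Service = 'Access Edge';           Port = 5061 }
    [pscustomobject]@{ Service = 'Web Conferencing Edge'; Port = 444 }
    [pscustomobject]@{ Service = 'A/V Edge';              Port = 442 }
    [pscustomobject]@{ Service = 'IIS reverse proxy';     Port = 443 }
)

# Both SRV records exist to lead SIP traffic (client sign-in and
# federation) to the Access Edge service.
$expectedService = @{
    '_sip._tls'           = 'Access Edge'
    '_sipfederation._tcp' = 'Access Edge'
}

function Test-SrvAgainstListener {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]]  $SrvRecords,
        [Parameter(Mandatory)] [object[]]  $Listeners,
        [Parameter(Mandatory)] [hashtable] $ExpectedService
    )
    foreach ($srv in $SrvRecords) {
        # '_sip._tls.domain.com' -> '_sip._tls'
        $prefix   = (($srv.Name -split '\.')[0..1]) -join '.'
        $expected = $ExpectedService[$prefix]
        $hit      = $Listeners | Where-Object { $_.Port -eq $srv.Port } |
                    Select-Object -First 1
        $reaches  = if ($hit) { $hit.Service } else { '(no listener)' }
        $status   = if (-not $hit) { 'NoListener' } elseif ($hit.Service -eq $expected) { 'OK' } else { 'WrongService' }
        [pscustomobject]@{
            Record   = $srv.Name
            Port     = $srv.Port
            Expected = $expected
            Reaches  = $reaches
            Status   = $status
        }
    }
}

Test-SrvAgainstListener -SrvRecords $srvRecords -Listeners $listeners `
    -ExpectedService $expectedService | Format-Table -AutoSize
```

With the posted values, `_sip._tls` (port 443) lands on the IIS reverse proxy instead of Access Edge on 5061, while `_sipfederation._tcp` matches the Access Edge port.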

Answers

  • Sorry, it is not supported to install a reverse proxy or any other additional software on the Edge server.

    regards Holger Technical Specialist UC

    • Proposed as answer by Eason Huang Thursday, June 25, 2015 3:07 AM
    • Marked as answer by Eason Huang Monday, July 6, 2015 9:35 AM
    Wednesday, June 24, 2015 11:59 AM
  • Hi,

    Please deploy the reverse proxy on another server in the DMZ; it is not supported to deploy the reverse proxy on the same server as the Edge Server. Then test the issue again.

    You can use IIS ARR to deploy Reverse Proxy:

    http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx

    Best Regards,
    Eason Huang



    Eason Huang
    TechNet Community Support

    • Marked as answer by Eason Huang Monday, July 6, 2015 9:35 AM
    Thursday, June 25, 2015 3:12 AM
