Reverse Proxy for corporate Mobile users via internal IP

Question
-
Hi,
here is the scenario.
Lync 2013 Standard is implemented and TMG is used as the reverse proxy. Non-mobile clients and clients from outside the corporate network work well, but like many others, I have a problem with mobile users inside the company.
Apparently, creating a DNS record lyncdiscoverinternal.domain.com and pointing it to the external public IP of TMG will do the job, but as there are routing problems and complexities, users inside cannot be routed to that IP, so I would like to do it using the LAN leg of TMG.
The reverse proxy rule in TMG is set to accept from Anywhere. Also, in the listener properties I have selected the External, Internal and Local Host networks (so as to accept mobile requests from inside).
And finally, lyncdiscoverinternal.domain.com is set to the LAN IP of TMG.
So I think everything is in place, but when trying to connect via the Android Skype client on a mobile connected to the internal Wi-Fi network, it stays in "signing in..." and finally says "Can't sign in. Please verify your sign-in address and try again."
Any help will be much appreciated.
- Edited by Mo.Gan Saturday, June 17, 2017 5:52 AM Lync is correct
Saturday, June 17, 2017 5:42 AM
All replies
-
Hi MohammadG,
For this issue, do all internal users have this problem?
Please try the following troubleshooting steps:
1. Please check if iOS has the same issue.
2. For Lync mobility, internal access is redirected to the FE server via the reverse proxy, so we suggest you check that you have the correct configuration for TMG; please refer to the blog below:
https://social.technet.microsoft.com/wiki/contents/articles/9807.how-to-configure-forefront-tmg-2010-as-reverse-proxy-for-lync-server-2010.aspx
3. If the configuration of the RP is correct, please check whether there are any event IDs in your SfB FE server.
Hope this reply is helpful to you.
Regards,
Alice Wang
Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Proposed as answer by Alice-Wang Monday, June 19, 2017 9:16 AM
Monday, June 19, 2017 6:50 AM -
It's not a lyncdiscoverinternal problem. Lyncdiscoverinternal can check the discovery and validate the mobility, and after that it will use the web services URL to access the mobility services. So the Wi-Fi network should resolve the external web services URLs and have access to them.
Jayakumar K
Monday, June 19, 2017 7:09 AM -
Hi,
I started using TMG and created a rule for publishing the Lync FE server.
All users, including mobile and desktop, can connect from outside without problem.
But there is still an error for mobile users inside.
I created another rule for this in TMG, the same as the rule for external access, but set the network (in the web listener) to Internal. Also, lyncdiscoverinternal.domain.com is pointing to TMG (CNAME).
The traffic comes to TMG and the reverse proxy rule is invoked:
Allowed Connection BIGVPN 6/19/2017 6:31:51 PM
Log type: Web Proxy (Reverse)
Status: 200 OK.
Rule: Lync Mobile 2013 Reverse
Source: Internal (192.168.41.174:38573)
Destination: Local Host (lync-fe.domain.com 192.168.128.148:4443)
Request: GET http://lyncdiscoverinternal.domain.com/?sipuri=sip:giovanni@domain.com
Filter information: Req ID: 08870225; Compression: client=Yes, server=No, compress rate=0% decompress rate=0%
Protocol: https
User: anonymous
Additional information
Client agent: AndroidLync
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x41040000 (Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. Response includes the EXPIRES header. Response should not be cached.)
But after that I get the error "We can't sign you in. Please check your account info and try again."
And in TMG:
Closed Connection BIGVPN 6/19/2017 6:32:51 PM
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Source: Internal (192.168.41.174:38569)
Destination: Local Host (192.168.32.84:443)
Result code : FWX_E_Gracefull_shutdown
As you can see: 192.168.41.74 is my mobile, lync-fe (192.168.128.148) is the FE server, and lyncdiscoverinternal.domain.com is a CNAME record pointing to tmg.domain.com (192.168.32.84).
By the way, because of network rules I cannot point lyncdiscoverinternal to the external IP of TMG, because the route is not available and packets going to the firewall will never come back to the firewall to complete the path.
- Edited by Mo.Gan Monday, June 19, 2017 2:15 PM Firewall
Monday, June 19, 2017 2:08 PM -
Solved.
Wrongly, I was sending the external FQDN to the FE server. Sending it to TMG instead, and I'm done.
- Marked as answer by Mo.Gan Tuesday, June 20, 2017 3:55 AM
Tuesday, June 20, 2017 3:55 AM -
Hi MohammadG,
Thanks for sharing; it will help others who have a similar issue.
Regards,
Alice Wang
Tuesday, June 20, 2017 4:21 AM -
Headache starts again :(
I tested these and all work:
Skype for Business on Android from internal and external
Lync 2010 on iOS 7 (iPhone 4) from internal and external
But Skype for Business and Lync 2010 on iPhone (iOS 10) do not work,
and it says (first for Skype and second for Lync, both errors on iOS 10):
- Edited by Mo.Gan Tuesday, June 20, 2017 12:20 PM ios ver
Tuesday, June 20, 2017 12:12 PM -
The very same implementation works flawlessly in another organization.
Only the certificate differs: theirs is SHA-2 and from GeoTrust, but mine is from an internal CA and SHA-1.
Could that be the problem?
And this is what the Microsoft Remote Connectivity Analyzer says:
Testing remote connectivity for user test-outside@domain.com to the Microsoft Lync server.
Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
Additional Details
Couldn't sign in. Error: Error Message: The certificate chain was issued by an authority that is not trusted.
Error Type: TlsFailureException.
Wednesday, June 21, 2017 6:24 PM -
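The two points raised in this thread, that the client must resolve and reach the web services URLs it is handed after lyncdiscover (Jayakumar's reply) and that the TLS chain presented to it must chain to a trusted root (the RCA "certificate chain was issued by an authority that is not trusted" error), can be checked from the network the phone is on before touching the device. The script below is an added example written for this thread, not code from the original posts or from Microsoft. It resolves the two discovery names, performs a verifying TLS handshake against each, and pulls the next-hop web service hostnames out of an autodiscover response. The hostnames domain.com, lync-fe.domain.com and lyncweb.domain.com and the JSON bodies are constructed samples modelled on the token/href link format the autodiscover service returns; pass your internal CA root as `cafile` to tell "root not installed on this client" apart from a genuinely bad chain.

```python
"""Check the Lync / Skype for Business mobility discovery path from the
client's network: DNS -> TLS trust -> autodiscover links -> web service hosts.

Added example for this thread (not from the original posts or Microsoft).
Hostnames and JSON bodies below are constructed samples.
"""
import json
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample: shape of a root autodiscover response.
SAMPLE_ROOT = json.dumps({
    "AccessLocation": "Internal",
    "Root": {"Links": [
        {"token": "Domain",
         "href": "https://lyncdiscoverinternal.domain.com/Autodiscover/AutodiscoverService.svc/root/domain"},
        {"token": "User",
         "href": "https://lyncdiscoverinternal.domain.com/Autodiscover/AutodiscoverService.svc/root/user"},
    ]},
})

# Constructed sample: shape of a user autodiscover response. Mobile clients
# use the External/* links even when on the internal network.
SAMPLE_USER = json.dumps({
    "AccessLocation": "Internal",
    "User": {"Links": [
        {"token": "Internal/AuthBroker", "href": "https://lync-fe.domain.com/Reach/sip.svc"},
        {"token": "Internal/Mcx", "href": "https://lync-fe.domain.com/Mcx/McxService.svc"},
        {"token": "Internal/Ucwa", "href": "https://lync-fe.domain.com/ucwa/v1/applications"},
        {"token": "External/AuthBroker", "href": "https://lyncweb.domain.com/Reach/sip.svc"},
        {"token": "External/Mcx", "href": "https://lyncweb.domain.com/Mcx/McxService.svc"},
        {"token": "External/Ucwa", "href": "https://lyncweb.domain.com/ucwa/v1/applications"},
    ]},
})


def discovery_hosts(sip_domain):
    """Autodiscover names a client tries for a SIP domain, in order."""
    return [f"lyncdiscoverinternal.{sip_domain}", f"lyncdiscover.{sip_domain}"]


def resolve(host):
    """Return the sorted set of addresses the local resolver gives, [] if none."""
    try:
        infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def links_from_autodiscover(body):
    """Map link token -> href for a root or user autodiscover JSON body."""
    doc = json.loads(body)
    section = doc.get("Root") or doc.get("User") or {}
    return {link["token"]: link["href"] for link in section.get("Links", [])}


def web_service_hosts(user_body, location="External"):
    """Hostnames the client contacts after discovery (External/* by default)."""
    hrefs = links_from_autodiscover(user_body)
    return sorted({urlsplit(h).hostname for t, h in hrefs.items()
                   if t.startswith(location + "/")})


def tls_check(host, port=443, cafile=None, timeout=5.0):
    """Verifying handshake. Returns 'ok', 'untrusted-chain',
    'hostname-mismatch' or 'unreachable'. cafile: PEM bundle to trust
    (e.g. the internal CA root) instead of the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as e:
        # OpenSSL verify code 62 is X509_V_ERR_HOSTNAME_MISMATCH; 19/20/21
        # are the "issuer not trusted / cannot build chain" family.
        return "hostname-mismatch" if e.verify_code == 62 else "untrusted-chain"
    except (OSError, ssl.SSLError):
        return "unreachable"


def report(sip_domain, extra_hosts=(), cafile=None):
    """One line per host: name, resolved addresses, TLS verdict."""
    lines = []
    for host in list(discovery_hosts(sip_domain)) + list(extra_hosts):
        addrs = resolve(host)
        verdict = tls_check(host, cafile=cafile) if addrs else "no-dns"
        lines.append(f"{host:45} {', '.join(addrs) or '-':22} {verdict}")
    return lines


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "domain.com"
    # The external web-service hosts come from a real user response in
    # practice; the constructed sample stands in for it here.
    for line in report(domain, web_service_hosts(SAMPLE_USER)):
        print(line)
```

Run it from a laptop on the same Wi-Fi as the phone: a `no-dns` or `unreachable` verdict on the External/* hosts reproduces the routing problem described earlier in the thread, while `untrusted-chain` with the system store but `ok` with `cafile` pointing at the internal root is exactly the situation an iOS client is in when the root has been imported but not yet given full trust.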
Problem Solved
In iOS 10.2+, user certificates are not trusted by default (even after you import them).
You should go to Settings > General > About > Certificate Trust Settings and enable full trust for the root certificate.
- Marked as answer by Mo.Gan Saturday, June 24, 2017 5:30 AM
Saturday, June 24, 2017 5:12 AM