Reverse Proxy for corporate Mobile users via internal IP

  • Question

  • Hi,

    here is the scenario.

    Lync 2013 Standard is implemented and TMG is used as the reverse proxy. Non-mobile clients and clients from outside the corporate network work well, but like many others, I have a problem with mobile users inside the company.

    Apparently, creating a DNS record lyncdiscoverinternal.domain.com and pointing it to the external public IP of TMG would do the job, but as there are routing problems and complexities, users inside cannot be routed to that IP, so I would like to do it using the LAN side of TMG.

    The reverse proxy rule in TMG is set to accept from Anywhere. Also, in the listener properties I have selected the External, Internal and Local Host networks (so as to accept mobile requests from inside).

    And finally, lyncdiscoverinternal.domain.com is set to the LAN IP of TMG.

    So I think everything is in place, but when trying to connect via the Android Skype client on a mobile connected to the internal Wi-Fi network, it stays at "signing in..." and finally says "Can't sign in. Please verify your sign-in address and try again."

    Any help will be much appreciated.


    • Edited by Mo.Gan Saturday, June 17, 2017 5:52 AM Lync is correct
    Saturday, June 17, 2017 5:42 AM

Answers

  • Problem Solved

    In iOS 10.2+, user certificates are not trusted by default (even after you import them).

    You should go to Settings > General > About > Certificate Trust Settings and enable Full Trust for the root certificate.

    • Marked as answer by Mo.Gan Saturday, June 24, 2017 5:30 AM
    Saturday, June 24, 2017 5:12 AM
  • Solved.

    Wrongly, I was sending the external FQDN to the FE server. Sending it to TMG and I'm done.
    • Marked as answer by Mo.Gan Tuesday, June 20, 2017 3:55 AM
    Tuesday, June 20, 2017 3:55 AM

All replies

  • Hi MohammadG,

    For this issue, did all internal users have this issue?

    Please try the following troubleshooting steps:
    1. Please check if iOS has the same issue.
    2. Because for Lync mobility, internal access is redirected to the FE server via the reverse proxy, we suggest you check whether you have the correct configuration for TMG; please refer to the blog below:
    https://social.technet.microsoft.com/wiki/contents/articles/9807.how-to-configure-forefront-tmg-2010-as-reverse-proxy-for-lync-server-2010.aspx
    3. If the configuration of the RP is correct, please check whether there are any event IDs in your SFB FE server.

    Hope this reply is helpful to you.


    Regards,

    Alice Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Alice-Wang Monday, June 19, 2017 9:16 AM
    Monday, June 19, 2017 6:50 AM
    It's not a Lyncdiscoverinternal problem. Lyncdiscoverinternal can check the discovery and validate the mobility, and further it will use the web services URL to access the mobility services. So the Wi-Fi network should resolve the web services external URLs and have access to them.

    Jayakumar K

    Monday, June 19, 2017 7:09 AM
  • Hi,
    I started using TMG and created a rule for publishing the Lync FE server.
    All users, including mobile and desktop, can connect from outside without problem.

    But there is still an error for mobile users inside.
    I created another rule for this in TMG, the same as the rule for external access but with the network (in the web listener) set to Internal. Also, lyncdiscoverinternal.domain.com is pointing to TMG (CNAME).
    The traffic comes to TMG. The reverse proxy rule is invoked:


    Allowed Connection BIGVPN 6/19/2017 6:31:51 PM
    Log type: Web Proxy (Reverse)
    Status: 200 OK.
    Rule: Lync Mobile 2013 Reverse  
    Source: Internal (192.168.41.174:38573)
    Destination: Local Host (lync-fe.domain.com 192.168.128.148:4443)
    Request: GET http://lyncdiscoverinternal.domain.com/?sipuri=sip:giovanni@domain.com
    Filter information: Req ID: 08870225; Compression: client=Yes, server=No, compress rate=0% decompress rate=0%
    Protocol: https
    User: anonymous
     Additional information
    Client agent: AndroidLync
    Object source: Internet (Source is the Internet. Object was added to the cache.)
    Cache info: 0x41040000 (Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. Response includes the EXPIRES header. Response should not be cached.)

    But after that I get the error "We can't sign you in. Please check your account info and try again."

    And in TMG:
    Closed Connection BIGVPN 6/19/2017 6:32:51 PM
    Log type: Firewall service
    Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
    Source: Internal (192.168.41.174:38569)
    Destination: Local Host (192.168.32.84:443
    Result code : FWX_E_Gracefull_shutdown


    As you can see, 192.168.41.74 is my mobile, lync-fe (192.168.128.148) is the FE server, and lyncdiscoverinternal.domain.com is a CNAME record pointing to tmg.domain.com (192.168.32.84).

    By the way, because of network rules I cannot set lyncdiscoverinternal to the external IP of TMG, because the route is not available and packets going to the firewall will never come back to the firewall to complete the path.

    • Edited by Mo.Gan Monday, June 19, 2017 2:15 PM Firewall
    Monday, June 19, 2017 2:08 PM
  • Hi MohammadG,

    Thanks for your sharing; it will help others who have a similar issue.


    Regards,

    Alice Wang



    Tuesday, June 20, 2017 4:21 AM
  • Headache starts again :(

    I tested these and all work:

    Skype for Business on Android from internal and external

    Lync 2010 on iOS 7 (iPhone 4) from internal and external

    But Skype for Business and Lync 2010 on iPhone (iOS 10) do not work,

    and it says: (first for Skype and second for Lync; both errors on iOS 10)

    • Edited by Mo.Gan Tuesday, June 20, 2017 12:20 PM ios ver
    Tuesday, June 20, 2017 12:12 PM
  • The very same implementation works flawlessly in another organization.

    Just the certificate they use is SHA-2 and from GeoTrust, but mine is from an internal CA and SHA-1.

    Could it be the problem?

    And this is what MS Remote Connectivity says:

    Testing remote connectivity for user test-outside@domain.com to the Microsoft Lync server.
         Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
        Additional Details
    Couldn't sign in. Error: Error Message: The certificate chain was issued by an authority that is not trusted.
    Error Type: TlsFailureException.

    Wednesday, June 21, 2017 6:24 PM
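    The two failure modes in this thread (mobility FQDNs resolving to the FE server instead of the reverse proxy, and a certificate chain the client does not trust) can both be checked from the internal Wi-Fi with a short script. This is an added example, not code from the thread; lyncdiscover.domain.com and lyncweb.domain.com are assumed names for the external discovery and web services FQDNs, and the TMG and FE addresses are the ones quoted in the thread.

    ```python
    """Check that Lync/SfB mobility hostnames resolve to the reverse proxy
    from the internal network, and that its TLS chain is trusted.
    Added example; hostnames other than lyncdiscoverinternal are assumptions."""
    import socket
    import ssl

    TMG_LAN_IP = "192.168.32.84"      # tmg.domain.com (from the thread)
    FE_IP = "192.168.128.148"         # lync-fe.domain.com (from the thread)

    # Every mobility FQDN used on the internal Wi-Fi should land on the TMG
    # listener, never straight on the Front End server.
    EXPECTED = {
        "lyncdiscoverinternal.domain.com": TMG_LAN_IP,
        "lyncdiscover.domain.com": TMG_LAN_IP,   # assumption: external discovery name
        "lyncweb.domain.com": TMG_LAN_IP,        # assumption: external web services FQDN
    }


    def check_resolution(expected, resolve=socket.gethostbyname):
        """Return (fqdn, resolved_ip_or_None, verdict) for each expected name.
        `resolve` is injectable so the check can run against a recorded
        answer set instead of live DNS."""
        results = []
        for fqdn, want in expected.items():
            try:
                got = resolve(fqdn)
            except OSError as exc:
                results.append((fqdn, None, f"lookup failed: {exc}"))
                continue
            if got == want:
                verdict = "ok"
            elif got == FE_IP:
                verdict = "points at the Front End directly; bypasses the reverse proxy"
            else:
                verdict = f"unexpected address, wanted {want}"
            results.append((fqdn, got, verdict))
        return results


    def probe_tls_trust(fqdn, port=443, timeout=5):
        """Open a verified TLS session the way a mobile client does.
        Returns 'trusted' or the verification error text (e.g. unknown issuer,
        the same condition the Remote Connectivity test reported above)."""
        ctx = ssl.create_default_context()   # validates against the OS trust store
        try:
            with socket.create_connection((fqdn, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=fqdn):
                    return "trusted"
        except ssl.SSLCertVerificationError as exc:
            return f"untrusted chain: {exc.verify_message}"
        except OSError as exc:
            return f"connection failed: {exc}"
    ```

    Run `check_resolution(EXPECTED)` from a device on the internal Wi-Fi; any row whose address is the FE server is the misrouting described in the thread, and `probe_tls_trust` on the TMG name reproduces the client's trust decision for the published certificate.
    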