Skype for Business Client not able to login from external network

  • Question

  • Hi Experts,

    We are stuck with an issue and have been trying to fix it for the last few days with no success. All of your expertise is needed here, please.

    Here is the issue description.

    We deployed a Skype for Business Server 2015 Enterprise Edition with 1 FE, 1 Edge server, 1 OWA server, and 1 backend server.

    Internal SFB clients can use all Skype functionality without any issue, but when we try to test connectivity from an external network, the test connectivity analyzer site shows the error "connection operation timed out".

    And when trying to log in with the desktop client, it continues trying to log in without showing any error.

    Here are the details of the edge server: 2 NIC interfaces, both interfaces having a DMZ IP assigned, one for internal communication and one for external communication (both DMZ IPs are in the same subnet, for example 172.15.2.30 and 172.15.2.42). All three edge external services reside on a single IP with different ports: 5061 SIP, 444 webconf, 443 AV.

    We have tested with a machine in the DMZ only, with one host record for sip.domain.com pointing to the edge server external interface, and the Skype client logged in successfully.

    The firewall ports which we have opened from external are 5061, 443, 444, 3478. Please advise if we need to open any other ports as well for Skype client login.

    Note: Public DNS records are already in place for srv, lyncdiscover and sip.domain; we have not configured a reverse proxy yet.

    Appreciating all of your help and support.

    Regards

    Vbhadauria1 

    Wednesday, August 31, 2016 10:40 AM

All replies

  • Are all services started on the edge?  Are you using bi-directional NAT for the external NIC?  

    I'd run the debug logger on the Edge and watch SIPStack to see what errors are generated when you try to log in.  I'd also triple check the firewall config to ensure it's passing traffic from the NAT'd IP back to the right IP on your edge.  

    I'd hardcode sip to point at your external edge and using tools->options->personal->advanced hardcode this as well to remove any other reverse proxy or DNS variables. 

    Check the event logs for any issues as well.

    My suspicion is your firewall may not be set up quite right.


    Please remember, if you see a post that helped you please click "Vote" on the left side of the response, and if it answered your question please click "Mark As Answer". SWC Unified Communications This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, SWC, their employees, or other MVPs.

    • Proposed as answer by Alice-Wang Thursday, September 1, 2016 2:53 AM
    Wednesday, August 31, 2016 3:16 PM
  • Hi,

    Thanks for your quick response. Yes, we have checked every hardcoded setting, like pointing the client directly at the access edge name, and also tried to trace logs, but they show nothing on the edge server.

    I can see only my client public IP with netstat -n in cmd, and it is showing a connection established on the edge external interface over port 5061 and nothing else.

    I have traced the SFB client logs as well, but they show only one message for the outbound connection from the client to the access edge on port 5061, and there is no response after that.

    Please confirm on which port the SFB client works for login over the edge server, without a reverse proxy.

    Regards

    Vbhadauria1


    • Edited by Vbhadauria1 Thursday, September 1, 2016 4:54 AM
    Thursday, September 1, 2016 4:53 AM
  • Hi Vbhadauria1,

    Yes, agree with Anthony.

    Would you please tell us whether all users in your environment cannot log in to the SFB client on the external network?

    Please make sure you can telnet to port 5061 from the public network.

    The following is about the ports for the Lync edge server, for your reference:

    https://technet.microsoft.com/en-us/library/gg425891(v=ocs.15).aspx

    Hope this is helpful to you.


    Alice Wang
    TechNet Community Support


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, September 1, 2016 5:19 AM
  • Hi Alice,

    Yes, we have tested telnet on port 5061 from the external network and it is working bidirectionally. There is no issue with the port; I can even see requests coming in on port 5061 over the external interface from the external client IP.

    After making changes in the topology, pointing the access edge to port 443, webconf to 444 and AV to 5062, it is working, which I have tested, but I am not able to find the exact cause of why it is not working over port 5061 for the access edge, which was the default chosen by the topology itself.

    Please provide your expertise to find out the problem. Is there any other setting which we need to change, like client connection port or authentication, by which the solution would work on port 5061 from external?

    Regards

    Vbhadauria

    Thursday, September 1, 2016 9:57 AM
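
A telnet test only shows that the TCP handshake completes, which is what the posts above already report for 5061. The following added example (not part of any post in this thread) goes one step further and reports, per edge port named in the thread, whether anything answers a TLS ClientHello; the host name `sip.domain.com` is the thread's own placeholder, and the `probe` function and stage labels are names chosen for this sketch.

```python
import socket
import ssl

# TCP edge ports named in the thread (UDP 3478 is not probed here).
EDGE_PORTS = {"access-edge-sip": 5061, "webconf": 444, "av": 443}


def probe(host, port, timeout=5.0):
    """Report how far a connection gets:
    tcp-failed, tls-no-response, tls-failed or tls-ok."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Refused, filtered or timed out before the TCP handshake finished.
        return {"stage": "tcp-failed", "detail": str(exc)}

    # Diagnostic only: certificate validation is switched off so that the
    # handshake outcome can be observed even with an untrusted chain.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return {"stage": "tls-ok", "version": tls.version(),
                    "cert_bytes": len(der or b"")}
    except socket.timeout:
        # TCP is up, the ClientHello was sent, and nothing came back:
        # the same picture as "connection established, no response".
        return {"stage": "tls-no-response",
                "detail": "ClientHello sent, no reply before timeout"}
    except (ssl.SSLError, OSError) as exc:
        # Something answered, but not with a usable TLS handshake.
        return {"stage": "tls-failed", "detail": str(exc)}
    finally:
        raw.close()


if __name__ == "__main__":
    # Run from a machine on the external network.
    for name, port in EDGE_PORTS.items():
        print(name, port, probe("sip.domain.com", port))
```
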
  • Hi,

    As you mentioned, you tested with a machine in the DMZ and it is working fine.

    What are the components involved from the internet to the DMZ?

    As Anthony suggested, you may need to check each packet from the firewall perspective. I would suggest filtering the firewall logs using source and destination IP. Your network team can probably do this better.

    Then, do you have any load balancer for external access? I would suggest checking the load balancer also.

    Whatever hops are involved between the internet and the DMZ have to be validated.



    - Muralidharan. Please mark as answer/useful if my contribution helps you.

    Thursday, September 1, 2016 11:58 AM
  • Hi Murali,

    Yes, checked TCP 5061, TCP 443, UDP 3478, TCP 444; all are passing through the firewall as per the logs.

    Regards

    Vikas Singh

    Friday, September 2, 2016 10:12 AM
  • Hi Vbhadauria1,

    Since you could log in from the internal network but not from the external network, from my point of view, there may be something wrong with your edge server configuration.

    Please double check the configuration of your edge server.

    Here is a similar case for your reference:

    https://social.technet.microsoft.com/Forums/lync/en-US/be4acdb2-3719-4d74-8b14-1722b09aff63/skype-for-business-client-cant-sign-in-outside-of-network?forum=lyncprofile

    Hope this is helpful to you.


    Alice Wang
    TechNet Community Support


    Tuesday, September 6, 2016 9:21 AM
  • If you change the ports to 443, 444, 5062 and it seems to work... if you run a netstat -an, do you still see the external interface listening on 5061?  When it's set to 5061, do you see errors in the Lync event log?

    Tuesday, September 6, 2016 2:22 PM
    Not sure if the below will solve your particular issue or not, but I would like to share my case.

    I have Skype for Business 2016 on my laptop and it works fine on the corporate network, whereas it used to give me the error "server temporarily unavailable" when I was on other networks (my mobile, WiFi at home, etc.). I tried so many things and wasted a lot of time, but nothing worked. Finally, a support person in my organization did the simple steps below and the problem was solved.

    1) Run the command prompt "cmd" as administrator

    2) Run command: netsh winhttp reset proxy

    It will be a pleasure to know if it solves the problem for someone like me.

    Thank you

    Tuesday, July 24, 2018 1:12 PM