Reverse Proxy Issue

  • Question

  • So SfB is working fine internally and fat clients can connect external through the edge server.  The mobile clients I am still hung up on with the RP server.

    I am using IIS and ARR for the proxy.  It all seems to be configured correctly with the SSL cert with SAN names. I see traffic coming in but my mobile client just spins and never connects.

    Reading through some threads I noticed something about publishing the FE web address so I went and checked the topology.  On my FE server the external web services address is servername.internaldomain.com.  I have done no publishing of this address.  Do I have to?  If so, can I easily change it to not show the server name and be a URL like lync.domain.com?

    Thanks in advance.  This is the last piece of my SfB puzzle.

    Tuesday, August 23, 2016 2:39 PM

Answers

  • Yes, you have to publish the external webservices from the FE.

    You can configure the external web service on the topology builder and have to publish this site through the reverse proxy. Also the lyncdiscover.sipdomain.com.

    The webservices should be forwarded from external 443 through the reverse proxy to the FE port 4443

    https://blog.kloud.com.au/2013/07/15/publish-lync-2013-with-2012-r2-preview-web-application-proxy/ 


    regards Holger Technical Specialist UC


    • Edited by Holger Bunkradt Tuesday, August 23, 2016 2:47 PM
    • Proposed as answer by Alice-Wang Wednesday, August 24, 2016 8:55 AM
    • Marked as answer by Alice-Wang Saturday, September 3, 2016 2:48 AM
    Tuesday, August 23, 2016 2:45 PM

All replies

  • Thanks for the reply.

    I changed the external web services URL in the topology builder to lync.domain.com then published the topology.

    I have the lync.domain.com URL on my RP server and it is a SAN name on the SSL cert.  8080 80 443 4443 all open.

    Still my mobile client just spins and does nothing.


    Thoughts?

    Tuesday, August 23, 2016 3:19 PM
  • What happens if you try https://lyncdiscover.sipdomain.com?

    Do you get the config file back?

    https://msunified.net/2011/12/23/lync-server-mobility-troubleshooting-tips/


    regards Holger Technical Specialist UC

    Tuesday, August 23, 2016 3:28 PM
  • Yes.  I get prompted for the JSON file when I connect via IE.
    Tuesday, August 23, 2016 4:41 PM
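
Added example, not part of the original thread: a PowerShell check of the autodiscover JSON that lyncdiscover returns, flagging links that still point at an internal server name instead of the published external web services FQDN. The `_links`/`href` layout of the sample and the function name `Test-LyncDiscoverLinks` are assumptions, and the sample document is constructed.

```powershell
# Added example: checks which hosts a lyncdiscover document hands to mobile clients.
# The "_links" layout and the sample below are constructed for illustration.

function Test-LyncDiscoverLinks {
    param(
        [Parameter(Mandatory)] [string] $Json,
        [Parameter(Mandatory)] [string] $ExpectedHost,   # external web services FQDN
        [int] $ExpectedPort = 443                        # port the reverse proxy listens on
    )

    $doc = $Json | ConvertFrom-Json
    if (-not $doc._links) {
        throw "No _links object in response; not an autodiscover document."
    }

    foreach ($prop in $doc._links.PSObject.Properties) {
        $href = $prop.Value.href
        if (-not $href) { continue }
        $uri = [uri]$href

        # Collect every reason a mobile client outside the network could not use this link.
        $problems = @()
        if ($uri.Scheme -ne 'https')     { $problems += 'not https' }
        if ($uri.Host -ne $ExpectedHost) { $problems += "host is $($uri.Host)" }
        if ($uri.Port -ne $ExpectedPort) { $problems += "port is $($uri.Port)" }

        [pscustomobject]@{
            Link     = $prop.Name
            Host     = $uri.Host
            Port     = $uri.Port
            Ok       = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Constructed sample: the topology still advertises the internal server name on two links.
$sample = @'
{"_links":{
  "self":{"href":"https://servername.internaldomain.com/Autodiscover/AutodiscoverService.svc/root"},
  "user":{"href":"https://servername.internaldomain.com/Autodiscover/AutodiscoverService.svc/root/user"},
  "xframe":{"href":"https://lync.domain.com/Autodiscover/XFrame/XFrame.html"}
}}
'@

Test-LyncDiscoverLinks -Json $sample -ExpectedHost 'lync.domain.com' | Format-Table -AutoSize
```

To check a real deployment, save the JSON file the browser offers from the lyncdiscover URL and pass its contents (`Get-Content -Raw`) as `-Json`.
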
  • Testing with the MS remote analyser this error is returned:

    Testing HTTP authentication methods for URL https://lyncdiscover.domain.com/Autodiscover/AutodiscoverService.svc/root/user.
         HTTP authentication test failed.
         
        Additional Details
         
    A Web exception occurred because an HTTP 400 - BadRequest response was received from Unknown.
    HTTP Response Headers:
    Content-Length: 3420
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Date: Tue, 23 Aug 2016 16:59:49 GMT
    Server: Microsoft-IIS/8.5
    X-Powered-By: ARR/3.0
    Elapsed Time: 723 ms.

    Tuesday, August 23, 2016 5:02 PM
  • Hi Kenneth Watts,

    According to your error message, it seems that there is an authentication issue with your reverse proxy.

    So I suggest you check the configuration of your reverse proxy.

    Here is a blog about how to configure reverse proxy with IIS ARR

    https://blogs.technet.microsoft.com/nexthop/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013/

    Hope this is helpful to you.

    Best Regards,

    Alice Wang
    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, August 24, 2016 8:54 AM
  • Have you inspected the logs from the mobile clients? They allow e-mail submissions of the logs in the application.

    On iOS it's Settings > Logging

    Wednesday, August 24, 2016 9:24 AM
  • Alright, today I decided to start over with the RP server.  Reinstalled IIS and ARR3.

    Imported the certs and all.  Created the first server farm for the first URL of dialin.domain.com

    Tested from the RP server and I receive the dreaded 403 access is forbidden error.  Do I need to set something on the web site on the FE server?

    Wednesday, August 24, 2016 2:39 PM
  • Hi Kenneth Watts,

    You could make sure the external web service FQDNs of FE server are in the external DNS records and Certificates, also make sure both of them are included in the publishing rule.

    Here is a similar case for your reference

    https://social.technet.microsoft.com/Forums/lync/en-US/4e1c095f-2024-40b7-805c-fa6447958bee/lync-mobility-getting-403-forbidden-access-is-denied?forum=ocsmobility

    Hope this is helpful to you.


    Alice Wang
    TechNet Community Support



    Friday, August 26, 2016 10:57 AM
  • No, the only thing on the FE is that you define the correct https://dialin.sipdomain.com with your topology builder and run the deployment wizard on the FE.

    You should be able to open the dialin with https://dialin.sipdomain.com:4443 from your IIS ARR.

    Please be sure, that your header rules are working on the IIS ARR.


    regards Holger Technical Specialist UC

    Friday, August 26, 2016 11:45 AM
  • So the dialin.domain.com:4443 page from my RP server just gives me a 403 access forbidden page.  The lyncdiscover from the same RP server gives me the JSON config file.  So I know there is communication between the RP and FE.

    From the RP I can resolve all the FQDNs (meet, dialin, lyncdiscover and lync) to the FE server.

    Friday, August 26, 2016 3:01 PM
  • Hi Kenneth Watts,

    Would you please tell us if the HTTP 400 bad request error persists?

    About error 403 access forbidden, please double check the configuration of reverse proxy.

    Moreover, here is a blog for your reference

    https://blogs.technet.microsoft.com/nexthop/2012/02/21/troubleshooting-external-lync-mobility-connectivity-issues-step-by-step/

    Hope this is helpful to you.


    Alice Wang
    TechNet Community Support



    Sunday, August 28, 2016 5:54 AM