Cannot connect from iPhone app from outside

  • Question

  • Let me start by stating that everything inside the firewall seems to work well.

    Here's the environment:

    Windows Server 2012 R2 with Skype for Business 2015 Standard with only an internal IP address.

    Windows Server 2012 R2 with Skype for Business 2015 Standard configured as Edge server with an internal IP address as well as a DMZ IP address.

    Firewall is running as reverse proxy and is handing off meetings from outside and they work.

    I believe this diagram is the best at showing my setup. https://technet.microsoft.com/en-us/library/jj204756.aspx

    I want to make sure I am configured properly.

    https://technet.microsoft.com/en-us/library/dn951397.aspx

    Here's the question, and I apologize if it seems dumb. This is the 1st Skype for Business server I have set up and also the 1st time I've used a reverse proxy.

    1. Should the reverse proxy for meet.domain.com and the lyncdiscover.domain.com point to the same IP? I think not since they both use port 443 according to the 1st link above.
    2. Does the external lyncdiscover.domain.com point to the edge server or the standard server? Inside the firewall, it points to the internal network address of the Edge server.

    Thanks for the help!

    Thursday, July 28, 2016 4:45 PM

Answers

  • 1) They can resolve to the same IP and both should proxy back to the front end servers, as long as they pass the host headers back you're fine.  Make sure you redirect requests received on port 443 to port 4443 on the front ends however, there's a separate website on the front ends for external use that listens on 4443 and returns different results.  (The clients will ask for port 443, your job to redirect to 4443).

    2) Standard server, should never point to the edge.  The webservices it needs are on the Front End server.


    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer". SWC Unified Communications This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Proposed as answer by Alice-Wang Friday, July 29, 2016 5:27 AM
    • Marked as answer by Niko.Cheng Friday, August 5, 2016 1:37 AM
    Thursday, July 28, 2016 7:04 PM
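
The publishing requirements in the answer above, expressed as an audit over reverse-proxy rules. This is an added example, not part of the thread; the rule schema, the server names and dialin.domain.com are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed names (assumptions, not taken from the thread).
FRONT_END = "sfbfe01.domain.local"    # Standard Edition (Front End) server
EDGE = "sfbedge01.domain.local"       # Edge server
EXTERNAL_WEB_PORT = 4443              # external web site on the Front End, per the answer

@dataclass
class Rule:
    public_host: str           # name the external client asks for
    listen_port: int           # port the reverse proxy listens on
    backend_host: str          # server the proxy forwards to
    backend_port: int          # port on that server
    forward_host_header: bool  # is the original Host header passed back?

def audit(rule: Rule) -> list[str]:
    """Return the problems found in one publishing rule (empty list means OK)."""
    problems = []
    if rule.listen_port != 443:
        problems.append(f"clients ask for 443, listener is on {rule.listen_port}")
    if rule.backend_host.lower() == EDGE.lower():
        problems.append("web traffic is sent to the Edge, not the Front End")
    elif rule.backend_host.lower() != FRONT_END.lower():
        problems.append(f"unexpected backend {rule.backend_host}")
    if rule.backend_port != EXTERNAL_WEB_PORT:
        problems.append(f"backend port {rule.backend_port} is not the "
                        f"external web site on {EXTERNAL_WEB_PORT}")
    if not rule.forward_host_header:
        problems.append("original Host header is not passed to the backend")
    return problems

def audit_all(rules):
    """Map each published host name to its list of problems."""
    return {r.public_host: audit(r) for r in rules}

# Constructed sample: one correct rule, one that targets the Edge,
# and one that keeps port 443 on the backend and rewrites the Host header.
SAMPLE = [
    Rule("meet.domain.com", 443, FRONT_END, 4443, True),
    Rule("lyncdiscover.domain.com", 443, EDGE, 4443, True),
    Rule("dialin.domain.com", 443, FRONT_END, 443, False),
]

if __name__ == "__main__":
    for host, problems in audit_all(SAMPLE).items():
        print(host, "OK" if not problems else "; ".join(problems))
```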

All replies

  • Hi Paul L Fisher,

    As a supplement, for Lync mobility external logon, it requires a reverse proxy and edge server.

    Please refer to the following article to configure reverse proxy and edge server.

    https://technet.microsoft.com/en-us/library/gg398069(v=ocs.15).aspx

    https://lyncdude.com/2013/08/28/deploy-configure-lync-edge-server-part2-installation/

    Here is a good article for troubleshooting Lync mobility for your reference

    https://blogs.technet.microsoft.com/nexthop/2012/02/21/troubleshooting-external-lync-mobility-connectivity-issues-step-by-step/

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    Best regards,

    Alice Wang


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Alice Wang
    TechNet Community Support

    Friday, July 29, 2016 5:42 AM
  • I guess I wasn't clear on my question. The links helped but do not answer my fundamental question:

    meet.domain.com and the other simple URLs point to external IP address 10.10.10.1 (not real address, just an example) which is my reverse proxy which takes traffic from ports 443 and 80 and proxies them to the correct ports (4443 and 8080) on the edge server.

    Does autodiscover.domain.com point to the same IP or do I have a different IP, 10.10.10.2 pointing to the firewall and it NATs to the edge server? Do all the other ports (443, 5061, 478 and 50,000-59,999) point to the edge server as well through the NAT?

    Reading https://blogs.technet.microsoft.com/nexthop/2012/02/21/troubleshooting-external-lync-mobility-connectivity-issues-step-by-step/ step 4 says:

    External DNS Records

    Record type | Host name | Resolves to
    CNAME | lyncdiscover.contoso.com | External Web Services FQDN for your Director pool, if you have one, or for your Front End pool if you do not have a Director
    A (host) | lyncdiscover.contoso.com | External or public or IP address of the reverse proxy

    How can that be? How can I have both an A record and CNAME record with the same name?

    In addition, I am using https://skypevalidator.com/ and it has a goofy response:


    It wants me to have the lync.domain.com pointed to 2 different IPs and the certificate failed and passed.
    Tuesday, August 2, 2016 7:14 PM
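
DNS does not allow a CNAME to share its owner name with any other record (RFC 1034, section 3.6.2), so only one of the two lyncdiscover rows quoted above can be published. The check below is an added example, not part of the thread, that flags such a conflict in a zone listing; the zone lines, webext.domain.com and the 203.0.113.10 documentation address are constructed.

```python
from collections import defaultdict

# Constructed external zone listing (assumed names and addresses).
ZONE = """\
; external zone for domain.com
meet.domain.com.          IN A      203.0.113.10
lyncdiscover.domain.com.  IN CNAME  webext.domain.com.
lyncdiscover.domain.com.  IN A      203.0.113.10
webext.domain.com.        IN A      203.0.113.10
"""

def parse_zone(text):
    """Parse 'name [ttl] [IN] type rdata' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        i = 1
        # Skip the optional TTL and class that precede the record type.
        while i < len(fields) and (fields[i].isdigit() or fields[i].upper() == "IN"):
            i += 1
        if len(fields) - i < 2:
            continue                              # malformed line: no type/rdata
        name = fields[0].lower().rstrip(".")
        records.append((name, fields[i].upper(), " ".join(fields[i + 1:])))
    return records

def cname_conflicts(records):
    """Return {owner name: sorted record types} where a CNAME is not alone."""
    by_name = defaultdict(list)
    for name, rtype, _ in records:
        by_name[name].append(rtype)
    return {name: sorted(types) for name, types in by_name.items()
            if "CNAME" in types and len(types) > 1}

if __name__ == "__main__":
    for name, types in cname_conflicts(parse_zone(ZONE)).items():
        print(f"{name}: CNAME cannot coexist with {types}")
```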