External mobility client doesn't have access to Skype for Business.

  • Question

  • Hello!
    I need help configuring Skype for Business for external mobility clients.
    Currently the internal client works fine on the PC, and the mobile client works fine in the internal network.
    I installed Edge and ADFS and configured the reverse proxy. Destination client works fine in the external network (not a domain PC), but the mobility client does not connect.

    I ran Lync Connectivity Analyzer and received an error:

    In the reverse proxy I have published only one rule: https://lyncdiscover.corp.com - https://lyncdiscover.corp.com:4443


    • Edited by Alexcd83 Tuesday, October 25, 2016 1:52 PM
    Tuesday, October 25, 2016 9:02 AM

Answers

  • Hello

    For the certificate you need to have the below.

    CN: should be your external web service FQDN, S4B.X.X

    SAN should be (the subject name must be present in the SAN):

    S4B.X.X (your external web service FQDN), as multiple devices may not care about the CN and check only the SAN

    lyncdiscover.domain (if you have multiple domains, add all domains)

    meet.domain (if you have multiple domains, add all domains)

    dialin.domain (dial-in simple URL)

    office.domain (Office Web Apps server)

    Please note that the certificate needs to be installed on the reverse proxy.

    For reference: https://technet.microsoft.com/en-us/library/gg429704(v=ocs.15).aspx

    If you are using the same certificate for Edge and the reverse proxy, please follow http://blog.schertz.name/2012/07/lync-edge-server-best-practices/

    • Proposed as answer by GUIz49 Friday, October 28, 2016 9:15 AM
    • Marked as answer by Alexcd83 Monday, October 31, 2016 9:01 AM
    Friday, October 28, 2016 9:15 AM
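
The SAN checklist in the answer above can be verified mechanically before a certificate is bound to the reverse proxy. The following is an added example, not code from the thread or from Microsoft: it audits a certificate dictionary in the shape returned by Python's `ssl.SSLSocket.getpeercert()` against the listed names. The `example.test` host names, both sample certificates, and taking `dialin` from the first domain only are assumptions.

```python
# Added example. All host names and both certificates are constructed placeholders.
ADFS_CERT = {  # shaped like ssl.SSLSocket.getpeercert() output
    "subject": ((("commonName", "adfs.example.test"),),),
    "subjectAltName": (("DNS", "adfs.example.test"),),
}
S4B_CERT = {
    "subject": ((("commonName", "s4b.example.test"),),),
    "subjectAltName": tuple(("DNS", n) for n in (
        "s4b.example.test", "lyncdiscover.example.test", "meet.example.test",
        "dialin.example.test", "office.example.test")),
}

def dns_sans(cert):
    """Lower-cased DNS entries of the subjectAltName extension."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_name(cert):
    """Subject CN, or None when the subject carries no commonName."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return None

def san_covers(san, host):
    """Exact match, or a '*.' entry covering exactly one leftmost label."""
    san, host = san.lower(), host.lower()
    if san == host:
        return True
    head, _, rest = host.partition(".")
    return san.startswith("*.") and bool(head) and rest == san[2:]

def required_names(ext_web_fqdn, sip_domains, office_fqdn=None):
    """Names the answer lists; dialin is taken from the first domain (assumption)."""
    names = [ext_web_fqdn]
    for domain in sip_domains:
        names += [f"lyncdiscover.{domain}", f"meet.{domain}"]
    names.append(f"dialin.{sip_domains[0]}")
    if office_fqdn:
        names.append(office_fqdn)
    return [n.lower() for n in names]

def audit(cert, required):
    """Return (required names no SAN covers, whether the CN is repeated in the SAN)."""
    sans = dns_sans(cert)
    missing = [n for n in required if not any(san_covers(s, n) for s in sans)]
    return missing, common_name(cert) in sans

if __name__ == "__main__":
    need = required_names("s4b.example.test", ["example.test"], "office.example.test")
    for label, cert in (("ADFS cert", ADFS_CERT), ("S4B cert", S4B_CERT)):
        print(label, audit(cert, need))
```

A certificate issued for another service, such as the constructed ADFS one here, fails every required name even though its own CN is in its SAN.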

All replies

  • You need to publish the external web services URL as well as the lyncdiscover URL.
    Tuesday, October 25, 2016 9:16 AM
  • My public URL is https://lyncdiscover.corp.com
    Tuesday, October 25, 2016 1:51 PM
  • Hi,

    Try running https://testconnectivity.microsoft.com (Skype/Lync) and paste the result.


    “Vote As Helpful” and/or “Mark As Answered” - Thiago Mendes da Silva - MCSE Communication - http://www.ucsteps.com/

    Tuesday, October 25, 2016 2:12 PM
  • You will need to publish the external web service also. Publishing lyncdiscover only will not work.
    Tuesday, October 25, 2016 6:26 PM
  • Hi Alexcd,

    Welcome to our forum.

    In addition to the above suggestions, I will add the DNS requirements for external mobility, as in the following link:

    https://technet.microsoft.com/en-us/library/hh690040%28v=ocs.15%29.aspx

    Note: this link also applies to Skype for Business.

    If there are any questions or issues, please feel free to let me know.


    Best regards,
    Jim Xu
    TechNet Community Support



    Wednesday, October 26, 2016 9:23 AM
  • Thanks for your answer!

    When I start the test (Skype for Business Autodiscover Web Service) at https://testconnectivity.microsoft.com, I receive this error.


    • Edited by Alexcd83 Thursday, October 27, 2016 6:39 AM
    Thursday, October 27, 2016 6:37 AM
  • Hi Alex,

    It seems like your certificate does not contain enough SAN names. Please open your Topology Builder and navigate to the following:

    Skype for Business Server - your site - Skype for Business Server 2015 - Enterprise/Standard Edition Front End pool. Right-click on your Front End pool and choose Properties.

    What is defined under internal and external web services?

    Check also the properties on your Edge pool. What is defined in the external settings?

    The names of these web services need to be in the SAN of your certificate. What do you use for the reverse proxy?


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    Thursday, October 27, 2016 6:48 AM
  • Agree with the others' suggestions, certainly regarding the certificate/SAN entries. You can verify the requirements here as well:

    https://technet.microsoft.com/en-us/library/jj205381%28v=ocs.15%29.aspx?f=255&MSPPError=-2147217396

     

    Linus || Please mark posts as answers/helpful if it answers your question.

    Thursday, October 27, 2016 9:12 AM
  • 1. Configuration in Topology - Standard Edition Front End:

    2. Configuration in Topology - Edge:

    3. I use ADFS, and on another machine I installed the server role Remote Access - Web Application Proxy. In the reverse proxy I added the next link:

    When I enter the link https://lyncdiscover.domain.com on the mobile in the external network, I receive this config:

    • Edited by Alexcd83 Thursday, October 27, 2016 9:35 AM
    Thursday, October 27, 2016 9:26 AM
  • Hi,

    I don't see S4B.domain.com in the list on your reverse proxy. This is the external web services name for your Front End server.

    I see you have S4b on the list; what is defined there? Have you checked that the certificate contains that name in the SAN?

    If you enter the server manually, it's sip.domain.com that should be used. This hits your Edge server. It will then redirect to use external web services. In your case it's s4b.domain.com.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    • Proposed as answer by Liinus Thursday, October 27, 2016 11:20 AM
    Thursday, October 27, 2016 9:54 AM
  • Thanks, I added s4b in RP.



    • Edited by Alexcd83 Thursday, October 27, 2016 1:32 PM
    Thursday, October 27, 2016 12:52 PM
  • That's not the correct certificate. The one you are showing is used for ADFS and not Skype.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    Thursday, October 27, 2016 7:04 PM
  • Thank you very much!!!
    I created a new certificate and reinstalled ADFS and RP.

    Now the mobility client connects!



    • Edited by Alexcd83 Friday, October 28, 2016 10:03 AM
    Friday, October 28, 2016 10:01 AM