locked
Skype for Business Mobile client won't login internally RRS feed

  • Question

  • I'm working on upgrading my organizations Lync 2013 system to Skype for Business 2015.  Currently, one of the challenges I'm facing is an issue where test accounts in the Skype pool are not able login using the Skype mobile client while on the internal corporate network.  On the other hand, while on an external network, authentication works just fine.  In addition, all user accounts still homed in the Lync 2013 pool are able to login whether internal or external (as they should).

    Note:  We're currently NOT using hair-pinning.  My DNS configuration is as follows

    External
    (CNAME) lyncdiscover.company.com >> (A) lyncweb-ext.company.com
    (A) lyncweb-ext.company.com >> Public IP that NATs to Internal IP of ARR server

    Internal
    (CNAME) lyncdiscoverinternal.company.com >> (A) lyncweb-int.company.com
    (A) lyncweb-int.company.com >> Internal IP of ARR Server

    Any insight is appreciated.

    Tuesday, June 20, 2017 9:02 PM

All replies

  • Hi Glenn,

    Please change “lyncweb-int.company.com >> Internal IP of ARR Server” into “lyncweb-int.company.com >> Internal IP of Skype for business FE Server”, then check if the issue persist. You could refer to the following link to learn more details about DNS requirement for Skype for business server 2015:

    https://technet.microsoft.com/en-us/library/dn951397.aspx


    Best Regards,
    Jim Xu
    TechNet Community Support


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 21, 2017 7:08 AM
  • Hi Jim,

    Thank you for the suggestion and luckily enough our maintenance cycle is coming up this weekend so I will be able to test then.  Although I do have a question.

    • How will this change affect users still homed in the Lync pool keeping in mind that we are only at the testing phase of the migration to Skype for Business?  We have not reached the point where we need to flip our DNS records to point to Skype just yet.

    Perhaps to give you more information on how my environment is set up.  We are currently using Lync 2013 Enterprise edition running 3 Front-Ends which I inherited.  As part of the migration process I have stood-up 3 Skype for Business Enterprise edition Front-Ends.  I have created separate Web Services DNS (A) records for my Skype servers.

    skypeweb-int.company.com >> Kemp internal DMZ IP
    skypeweb-ext.company.com >> Kemp internal DMZ IP

    As you may notice, I am moving away from the ARR servers in Skype and moving to a Kemp HLB.

    • Now to you point of pointing lyncweb-int.company.com directly to a Front-End; and let's assume this fixes the issue, I assume that since we have three Front-Ends I will need to use DNS load-balancing in this scenario for the other two Front-ends?  If so, I guess I'm confused as to why DNS configuration works for users in the Lync pool and not the Skype pool.

    • Edited by Glenn Gabay Wednesday, June 21, 2017 2:42 PM
    Wednesday, June 21, 2017 2:41 PM
  • Quick Update:  I've tested with the mobile client by doing the following:

    On the mobile client, I've configured the discovery URLs to point directly to the Lync internal and external URLs (lyncweb-int, lyncweb-ext) and tried logging in using an account in the Lync pool while on the internal network.  This works fine.  

    I then pointed the web services URLs to (skypeweb-int, skypeweb-ext) and again tried logging into the client using an account in the Lync pool.  This also works fine.

    I did the same with an account in the Skype pool and login fails while I'm on the internal network regardless if I'm point to lyncweb or skypeweb.

    Wednesday, June 21, 2017 3:47 PM
  • Hi Glenn,

    What is test result in this maintenance cycle after you follow my suggestions?

    If there are no any load balances for Skype for business server 2015 FE servers, we need to configure DNS load balance for Skype for business server 2015 FE servers in term of lyncweb-int.company.com.


    Best Regards,
    Jim Xu
    TechNet Community Support


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 27, 2017 7:18 AM
  • Hi Jim,

    Unfortunately our maintenance cycle was cancelled due to circumstances out of my control.  On the other hand I did conduct the following tests.

    While on the internal network I configured the mobile Skype client to point directly to the Lync internal web-services URL (lyncweb-int.company.com) then tried logging into the client using an account in the Lync pool.  This worked.  I then tried to log into the client using an account in the Skype pool.  This also worked.  Next I configured the mobile Skype client to point directly to the Skype web-services URL (skypeweb-int.company.com) then tried logging into the client using an account in the Lync pool.  This worked.  On the other hand when I try to log into the client with an account in the Skype pool, this fails.  

    As such this kind of tells me that this is not a DNS issue rather something may not be configured correctly in Skype for Business.

    Now, to your point about DNS load balancing, the Lync internal web-services URL is pointing to two load-balanced ARR Servers.  On the other hand the Skype internal web-services URL was pointing directly to a Kemp HLB.  I modified this to use DNS load-balancing to eliminate the Kemp as the cause of the issue so I currently have three entries for skypeweb-int.company.com and each point to one of our front-end servers.

    Tuesday, June 27, 2017 3:53 PM
  • you cant point internal dns straight at the skype server as it wont have the PAT 4443 -> 443
    Tuesday, June 27, 2017 5:09 PM