locked
Mobile Client Problem RRS feed

  • Question

  • I installed Skype for business for one of my clients  from following links

    https://blog.schertz.name/2016/03/skype-for-business-2015-edge-pool-deployment/ except the federation (Enable for federation which is used 5061 port)

    Also I install Edge and Reverse proxy

    Windows clients from lan and internet does not have problem but mobile client cant login 

    The username and password page appears but after entering them users stuck in signing page
    I use https://testconnectivity.microsoft.com for test connectivity and  Testing TCP port 5061 on host sip.doaminname.com to ensure it's listening and open

    The error is  The specified port is either blocked, not listening, or not producing the expected response

    I does not any port restriction in firewall (because it is in pilot)

    Is federation is mandatory (Port 5061) for mobile clients ?

    Regards,

    Sunday, May 5, 2019 9:29 AM

Answers

  • I check all of settings
    I missed a (n) in web external publishing in reverse proxy after correcting web external address now I can login via mobile

    Thanks all
    • Marked as answer by MajidNavvabi Saturday, July 25, 2020 6:21 AM
    Saturday, July 25, 2020 6:21 AM

All replies

  • Hi,

     

    Please check the ports settings that should be configured on reverse proxy firewall. Please check web publishing rule to ensure it's taking 443 and converting it to 4443, then sending it to your Front End server.

    As you may know, Reverse Proxy works for port address translation that translating from TCP port 80 facing external, to TCP port 8080 facing internal. External users get connected to the reverse proxy with https on port 443 and from there it'll get forwarded to 4443 on FE. 

     

    That is to say, the front end listens on ports 4443 and 8080 not on 443 and 80, which is what the mobility client will look at. When you hit the RP on 443 (or 80) it will publish back to the 4443 ports.

    Also please confirm the following points:

     

    1. Make sure you have added the following SANs entries on the public certificate (if you use SAN certificate) such as:

    lyncdiscover.sipdomain.com, extweb.sip.domain.com (extweb is the external web Service FQDN in topology), etc.


    2. On public DNS Server, add the DNS A record lyncdiscover, meet, dialin, extweb to the public IP of Reverse Proxy.


    Kind regards,

    Calvin Liu


    Please remember to mark the reply as an answer if you find it is helpful. It will assist others who has similar issue. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Monday, May 6, 2019 8:06 AM
  • Is port 80 (8080)  necessary ? I think only 443 (4443) is required !

    Tuesday, May 7, 2019 8:42 AM
  • 80/8080 is optional. 

    I think you could try to do an additional test with “Skype for Business Autodiscover Web Service” in https://testconnectivity.microsoft.com/ to see if there is any more error. This test is used for mobility.


    Regards,

    Shaw Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.


    • Edited by Shaw_Lu Thursday, May 9, 2019 9:07 AM
    • Proposed as answer by Shaw_Lu Monday, May 13, 2019 7:58 AM
    Thursday, May 9, 2019 9:07 AM
  • Hi,

    Is there any update?

    If the reply is helpful to you, please try to mark it as an answer, it will help others who have the similar issue.


    Best Regards,
    Shaw Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Wednesday, May 15, 2019 8:25 AM
  • I used test connectivity again The error shows port 5061 is not open (i dont need federation at all) I change topology and add federation and run setup again on edge server After this the error was changed ! The certificate couldn't be validated because SSL negotiation wasn't successful. I can login with pc but i cant login with mobile
    Wednesday, May 15, 2019 10:19 AM
  • Hi MajidNavvabi,

    Which type of certificate do you use? 

    In your topology, modify the external web service FQDN, ensure it is different from the internal web service FQDN. Make sure the public certificate contains the required SANs (externalwebservice.domain.com, lyncdiscover.domain.com, meet…).

    As only mobile client cannot login, I think you may first check the RP configuration. Here is a guide you could refer to. 

    https://blogs.technet.microsoft.com/nexthop/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013/comment-page-12/

    On RP server, ensure it is able to resolve the internal server FQDNs. In my lab, I also added an internal DNS record “lyncdiscover.domain.com” points to internal FE server on my internal DNS server.

    Then try to access the “https://lyncdiscover.domain.com/” on your mobile client or internet machine, normally it would return such page:

    In addition, on mobile device, check you could access the URL without certificate trusted issue, the root certificate should be trusted on the device. 

    Best Regards,
    Shaw Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.


    • Edited by Shaw_Lu Thursday, May 16, 2019 2:22 AM
    • Proposed as answer by Shaw_Lu Sunday, May 19, 2019 7:02 AM
    Thursday, May 16, 2019 2:20 AM
  • Hi,

    Is there any update on this case?

    Please feel free to drop us a note if there is any update.

    Meanwhile, if the reply is helpful to you, please try to mark it as an answer, it will help others who have the similar issue.

    Thank you for your understanding and patience!


    Best Regards,
    Shaw Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Thursday, May 23, 2019 8:06 AM
  • Do you have any further issue on this topic?
    If there is no issue, please remember to mark helpful reply as answer to close the thread. Your action would be helpful to other users who encounter the same issue and read this thread. Thanks for your understanding.


    Best Regards,
    Shaw Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.


    • Edited by Shaw_Lu Tuesday, May 28, 2019 9:22 AM
    • Proposed as answer by Shaw_Lu Thursday, June 6, 2019 8:50 AM
    Tuesday, May 28, 2019 9:22 AM
  • I deploy Skype for business 2019 (Windows 2016) and also Skype (Edge) and Reverse proxy (Windows 2012 R2 + ARR)
    I can login via Skype Client but I cant login via Mobile
    I check all links,forums and ... about Mobile connectivity
    I run network monitor on Front End Server (Standard) and Reverse proxy and I can see packets flow from mobile to FE
    I run microsoft connectivity tool and just i get warning about certificate
    "Analyzing the certificate chains for compatibility problems with versions of Windows.The test passed with some warnings encountered. Please expand the additional details."
    How can I turn the problem out ?

    Regards
    Wednesday, July 22, 2020 10:23 AM
  • Hi Shaw_Lu,


    I used https://testconnectivity.microsoft.com and only things which is warned is
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

    and there no other problem

    Regards

    Wednesday, July 22, 2020 10:32 AM
  • Hi MajidNavvabi, 

    Do you check the following two suggestions provided by Shaw?

    • On mobile device, check if you could access the URL without certificate trusted issue, the root certificate should be trusted on the device. 

    Best Regards,
    Sharon Zhao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Thursday, July 23, 2020 8:32 AM
  • I check all of settings
    I missed a (n) in web external publishing in reverse proxy after correcting web external address now I can login via mobile

    Thanks all
    • Marked as answer by MajidNavvabi Saturday, July 25, 2020 6:21 AM
    Saturday, July 25, 2020 6:21 AM