Skype for Business Mac client - external access

  • Question

  • Hi,

    We have a small Skype for Business 2015 environment consisting of 

    2 Front End servers

    2 Edge servers

    and the reverse proxy configured on the FortiGate firewall.

    We are able to login with the Skype for Business Windows client externally and internally. We can also access the server internally using the Skype for Business Mac client but we can't access it externally from macOS.

    Trying to access https://lyncdiscover.domain.com via browser doesn't work (ERR_EMPTY_RESPONSE)

    The Microsoft Skype for Business Autodiscover Web Service test tool comes back with the following error:

    Testing connectivity to the Lync Autodiscover Web Service server for a secure connection on port 443 to obtain the root token.
      Connectivity to the Lync Autodiscover Web Service test failed.

    Additional Details

    Elapsed Time: 100771 ms.

    Test Steps

    Attempting to test Autodiscover Web Service URL https://lyncdiscover.domain.com/Autodiscover/AutodiscoverService.svc/root.
      Autodiscover Web Service URL can't be contacted due to failure of the following tests:

    Additional Details

    Elapsed Time: 100771 ms.

    Test Steps

    Attempting to resolve the host name lyncdiscover.domain.com in DNS.
      The host name resolved successfully.

    Additional Details

    IP addresses returned: 11.22.33.44
    Elapsed Time: 387 ms.
    Testing TCP port 443 on host lyncdiscover.domain.com to ensure it's listening and open.
      The port was opened successfully.

    Additional Details

    Elapsed Time: 53 ms.
    Testing the SSL certificate to make sure it's valid.
      The certificate passed all validation requirements.

    Additional Details

    Elapsed Time: 114 ms.

    Test Steps

    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server lyncdiscover.domain.com on port 443.
      The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.

    Validating the certificate name.
      The certificate name was validated successfully.

    Additional Details

    The host name that was found, lyncdiscover.domain.com, is a wildcard certificate match for common name *.domain.com.
    Elapsed Time: 0 ms.
    Testing the certificate date to confirm the certificate is valid.
      Date validation passed. The certificate hasn't expired.

    Additional Details

    The certificate is valid. NotBefore = 8/18/2015 12:00:00 AM, NotAfter = 8/17/2018 11:59:59 PM
    Elapsed Time: 0 ms.
    Testing HTTP authentication methods for URL https://lyncdiscover.domain.com/Autodiscover/AutodiscoverService.svc/root/user.
      HTTP authentication test failed.

    Additional Details

    Exception details:
    Message: The operation has timed out
    Type: System.Net.WebException
    Stack trace:
    at System.Net.HttpWebRequest.GetResponse()
    at Microsoft.Exchange.Tools.ExRca.Extensions.RcaHttpRequest.GetResponse()
    Elapsed Time: 100214 ms.

    Any help would be appreciated

    Thanks


    • Edited by KSK9 Friday, March 3, 2017 12:06 AM
    Friday, March 3, 2017 12:05 AM

Answers

  • Hi,

    I believe that we've finally found the issue. This article helped a lot:

    https://three65.blog/2016/02/03/skype-for-business-mobility/

    Here are four important things to remember when configuring the reverse proxy:

    1. SSL decryption and re-encryption – Ability to install a public trusted certificate to the reverse proxy virtual IP service for the required URLs for decryption of packets on the public side, read and interpret the packet HTTP header to determine the correct back end service to send the request on to, and then re-encrypt the packet on the private side and send to the front end server.

    2. Symmetric routing must be configured. That means that the outgoing packet from the front end must traverse the same route the incoming packet arrived on, i.e. in through the reverse proxy and back out of the reverse proxy. This is more of a networking requirement than a reverse proxy requirement per se. The use of web proxy servers is not supported as it can cause asymmetric routing. If a web proxy server is in use, then all external URLs for the Skype for Business deployment from all machines must bypass the web proxy server.

    3. Any form of content caching on the reverse proxy must be disabled. Caching is not supported.

    4. The reverse proxy must support COOKIE based persistence rather than SOURCE based persistence. This is because the source address of the mobile device can change as it traverses 3G hotspots and Wi-Fi networks. Using COOKIE based persistence means the device can be identified regardless of network membership and will be trusted so authentication does not need to reoccur.

    After changing the reverse proxy to cookie based persistence we managed to log in from outside without any issues.

    Thanks everyone!

    • Proposed as answer by Akabe Friday, March 10, 2017 7:31 PM
    • Marked as answer by KSK9 Friday, March 10, 2017 9:16 PM
    Friday, March 10, 2017 4:38 PM
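To make point 4 concrete, here is an added simulation of the difference between source-based and cookie-based persistence. It is not code from this thread, from the linked article, or from FortiGate: the Front End names, the cookie name and the IP-to-backend hash are all constructed stand-ins for whatever a real proxy does. A client's session (its web ticket) lives on the Front End that authenticated it; with source persistence, a device whose public IP changes as it roams is hashed to a different Front End and has to sign in again, while with cookie persistence the proxy keeps sending it to the same Front End. The proxy also ignores a cookie naming a backend it does not know, so a client cannot steer itself to an arbitrary internal host.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical Front End pool behind the reverse proxy (constructed names).
BACKENDS = ["fe1.domain.lan", "fe2.domain.lan"]
# Hypothetical sticky-cookie name; real proxies use their own.
COOKIE_NAME = "RP_STICKY"


def pick_by_source(client_ip: str) -> str:
    """SOURCE-based persistence: the backend depends on the client IP only.
    A plain modulo of the address stands in for the proxy's real hash."""
    return BACKENDS[int(ipaddress.ip_address(client_ip)) % len(BACKENDS)]


def pick_by_cookie(cookies: Dict[str, str], client_ip: str) -> Tuple[str, Dict[str, str]]:
    """COOKIE-based persistence: honour a valid sticky cookie; otherwise choose
    a backend for this first request and hand the cookie back to the client.
    A cookie naming an unknown backend is ignored, so clients cannot steer the proxy."""
    wanted = cookies.get(COOKIE_NAME)
    if wanted in BACKENDS:
        return wanted, cookies
    backend = pick_by_source(client_ip)
    return backend, {**cookies, COOKIE_NAME: backend}


@dataclass
class Session:
    """Which Front End currently holds the client's authenticated web session."""
    authenticated_on: Optional[str] = None
    sign_ins: int = 0
    cookies: Dict[str, str] = field(default_factory=dict)


def simulate(client_ips: List[str], mode: str) -> Tuple[List[str], int]:
    """Replay one request per source IP (the device roaming between networks).
    Returns the backend that served each request and how many sign-ins the
    client had to perform because it landed on a Front End without its session."""
    session = Session()
    hits: List[str] = []
    for ip in client_ips:
        if mode == "source":
            backend = pick_by_source(ip)
        elif mode == "cookie":
            backend, session.cookies = pick_by_cookie(session.cookies, ip)
        else:
            raise ValueError(f"unknown persistence mode {mode!r}")
        if session.authenticated_on != backend:
            # The web ticket is only known to the Front End that issued it.
            session.sign_ins += 1
            session.authenticated_on = backend
        hits.append(backend)
    return hits, session.sign_ins


# Constructed example: a client moves from Wi-Fi to mobile data and back.
ROAMING_IPS = ["198.51.100.10", "203.0.113.7", "198.51.100.10"]

if __name__ == "__main__":
    for mode in ("source", "cookie"):
        hits, sign_ins = simulate(ROAMING_IPS, mode)
        print(f"{mode:6}: {hits} -> {sign_ins} sign-in(s)")
```

Running it shows three sign-ins for the roaming client under source persistence and one under cookie persistence. On a real proxy the sticky cookie should be an opaque value the proxy itself maps to a backend, rather than the backend's hostname as in this toy, so that internal names are not exposed to clients.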

All replies

  • Hi KSK9,

    In order to narrow down the issue, could you please tell us whether the issue appears only on a specific Mac client or on all Mac clients, and what your SfB Mac client version is?

    For this issue, please try the following troubleshooting steps:
    1. Try another MacBook to test whether the same issue occurs.
    2. Rebuild the user profile for the Mac client and test again.
    3. Make sure you have set port redirection for port 443 to 4443.

    Moreover, you could try to use the Microsoft Remote Connectivity Analyzer to check if there are any errors.
    https://testconnectivity.microsoft.com/


    Regards,

    Alice Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, March 3, 2017 5:32 AM
  • Hi,

    Could you also let us know details about the certificate that you have assigned to the reverse proxy? Are you using a wildcard certificate? Can you also check the SAN entries on it and see that they have the required entries as described in the article below?

    https://technet.microsoft.com/en-us/library/jj205381%28v=ocs.15%29.aspx?f=255&MSPPError=-2147217396


    Linus || Please mark posts as answers/helpful if it answers your question.

    Friday, March 3, 2017 5:48 AM
  • Hi,

    We tried four different Mac computers. Three of them have the latest Skype for Mac client installed (16.3.240). One of the Skype clients is on the latest beta.

    We tried different profiles and none of them worked.

    Our reverse proxy is configured to redirect port 443 to 4443 and port 80 to 8080.

    We are using a wildcard certificate installed on the reverse proxy, CN=*.domain.com.

    The Skype for Business Autodiscover Web Service is successful:


    Testing remote connectivity for user user@domain.com to the Microsoft Lync server.
      The specified user successfully signed in to Microsoft Lync server remotely through the Lync Access Edge Server.
     
    Additional Details
     
    Elapsed Time: 4724 ms.
     
    Test Steps
     
    Attempting to resolve the host name sip1.domain.com in DNS.
      The host name resolved successfully.
     
    Additional Details
     
    IP addresses returned: 11.22.33.44
    Elapsed Time: 491 ms.
    Testing TCP port 443 on host sip1.domain.com to ensure it's listening and open.
      The port was opened successfully.
     
    Additional Details
     
    Elapsed Time: 210 ms.
    Testing the SSL certificate to make sure it's valid.
      The certificate passed all validation requirements.
     
    Additional Details
     
    Elapsed Time: 649 ms.
     
    Test Steps
     
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip1.domain.com on port 443.
      The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
     
    Additional Details
     
    Remote Certificate Subject: CN=sip1.domain.com, OU=IT, O=domain, L=London, S=London, C=GB, Issuer: CN=GeoTrust SSL CA - G3, O=GeoTrust Inc., C=US.
    Elapsed Time: 585 ms.
    Validating the certificate name.
      The certificate name was validated successfully.
     
    Additional Details
     
    Host name sip1.domain.com was found in the Certificate Subject Common name.
    Elapsed Time: 0 ms.
    Certificate trust is being validated.
      The certificate is trusted and all certificates are present in the chain.
     
    Test Steps
     
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=sip1.domain.com, OU=IT, O=domain , L=London, S=London, C=GB.
      One or more certificate chains were constructed successfully.
     
    Additional Details
     
    A total of 1 chains were built. The highest quality chain ends in root certificate CN=GeoTrust Global CA, O=GeoTrust Inc., C=US.
    Elapsed Time: 16 ms.
    Analyzing the certificate chains for compatibility problems with versions of Windows.
      Potential compatibility problems were identified with some versions of Windows.
     
    Additional Details
     
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Elapsed Time: 3 ms.
    Testing the certificate date to confirm the certificate is valid.
      Date validation passed. The certificate hasn't expired.
     
    Additional Details
     
    The certificate is valid. NotBefore = 2/14/2017 12:00:00 AM, NotAfter = 2/14/2020 11:59:59 PM
    Elapsed Time: 0 ms.
    Testing remote connectivity for user user@domain.com to the Microsoft Lync server.
      The specified user successfully signed in to Microsoft Lync server remotely through the Lync Access Edge Server.
     
    Additional Details
     
    MRAS Server: sip:SVLONSFBEDGE1.DOMAIN.LAN@domain.COM;gruu;opaque=srvr:MRAS:TZ_2qqYD51-vpWCW4a4g6QAA
    Address Book Server External URL: https://WS2.domain.COM:443/abs/handler
    Distribution List Expansion URL: https://WS2.domain.COM:443/groupexpansion/service.svc
    A-V Edge Server Hostname: av2.domain.com, TCP Port: 443, UDP Port: 3478
    Elapsed Time: 2769 ms.
     
    Test Steps
     
    Attempting to contact Audio/Video Lync Edge server av2.domain.com at TCP port 443. The Audio/Video Lync Edge server name, the TCP port, and the UDP Port 3478 on which it listens for Media Port requests are obtained from the Microsoft Office Communications Server when the test user signs in. This test determines if the Audio/Video Lync Edge server is properly accepting STUN/TURN requests for Media TCP ports in order for external voice and video calls to be enabled.
      The Audio/Video Lync Edge server is accepting requests for TCP Media ports.
     
    Additional Details
     
    Elapsed Time: 891 ms.
     
    Test Steps
     
    Attempting to resolve the host name av2.domain.com in DNS.
      The host name resolved successfully.
     
    Additional Details
     
    IP addresses returned: 22.33.44.55
    Elapsed Time: 465 ms.
    Testing TCP port 443 on host av2.domain.com to ensure it's listening and open.
      The port was opened successfully.
     
    Additional Details
     
    Elapsed Time: 425 ms.

    Friday, March 3, 2017 10:01 AM
  • One more thing that I noticed is that when I try to access

    https://lyncdiscover.domain.com/Autodiscover/Autodiscover.svc/root it doesn't work,

    but when I try

    http://lyncdiscover.domain.com/Autodiscover/Autodiscover.svc/root it comes back with the XML file:

    <resource xmlns="http://schemas.microsoft.com/rtc/2012/03/ucwa" rel="root" href="https://ws2.domain.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=domain.com">
    <link rel="user" href="https://ws2.domain.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=domain.com"/>
    <link rel="xframe" href="https://ws2.domain.com/Autodiscover/XFrame/XFrame.html"/>
    </resource>

    Friday, March 3, 2017 5:59 PM
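The XML above is the UCWA autodiscover root document. The Mac client does not stop at lyncdiscover: it follows the hrefs in this document, so the external web services FQDN they point at (ws2.domain.com here) has to be published through the reverse proxy over https as well. The following parser is an added example, not code from this thread or from Microsoft; it takes the response body quoted above as embedded input, extracts the rel/href pairs with the UCWA namespace handled correctly, lists the hostnames that must be reachable externally, and flags any link that is not https or points outside the SIP domain. The second sample, with the user link downgraded to http, is constructed to show the check firing.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set
from urllib.parse import urlsplit

UCWA_NS = "http://schemas.microsoft.com/rtc/2012/03/ucwa"

# The response body quoted in the thread, embedded here as test input.
SAMPLE_XML = (
    '<resource xmlns="http://schemas.microsoft.com/rtc/2012/03/ucwa" rel="root" '
    'href="https://ws2.domain.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=domain.com">'
    '<link rel="user" href="https://ws2.domain.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=domain.com"/>'
    '<link rel="xframe" href="https://ws2.domain.com/Autodiscover/XFrame/XFrame.html"/>'
    '</resource>'
)

# Constructed variant: the user link served over plain http, which the checker must flag.
SAMPLE_XML_BAD = SAMPLE_XML.replace(
    'href="https://ws2.domain.com/Autodiscover/AutodiscoverService.svc/root/oauth/user',
    'href="http://ws2.domain.com/Autodiscover/AutodiscoverService.svc/root/oauth/user',
)


def parse_autodiscover(body: str) -> Dict[str, str]:
    """Map rel -> href for the root resource and each <link> it contains.
    Elements are namespaced, so they must be looked up as {UCWA_NS}name."""
    root = ET.fromstring(body)
    if root.tag != f"{{{UCWA_NS}}}resource":
        raise ValueError(f"unexpected root element {root.tag!r}")
    links = {root.get("rel", "root"): root.get("href", "")}
    for link in root.findall(f"{{{UCWA_NS}}}link"):
        links[link.get("rel", "")] = link.get("href", "")
    return links


def external_hosts(links: Dict[str, str]) -> Set[str]:
    """Hostnames the client will contact next; every one of them must be
    reachable through the reverse proxy, not only lyncdiscover itself."""
    return {urlsplit(href).hostname or "" for href in links.values()}


def check_links(links: Dict[str, str], sip_domain: str) -> List[str]:
    """Flag hrefs that are not https or whose host lies outside the SIP domain."""
    problems: List[str] = []
    for rel, href in links.items():
        parts = urlsplit(href)
        if parts.scheme != "https":
            problems.append(f"{rel}: scheme is {parts.scheme!r}, expected https")
        host = (parts.hostname or "").lower()
        if host != sip_domain and not host.endswith("." + sip_domain):
            problems.append(f"{rel}: host {host!r} is outside {sip_domain}")
    return problems


if __name__ == "__main__":
    links = parse_autodiscover(SAMPLE_XML)
    print("publish externally:", sorted(external_hosts(links)))
    print("problems:", check_links(links, "domain.com") or "none")
    print("problems (bad sample):", check_links(parse_autodiscover(SAMPLE_XML_BAD), "domain.com"))
```

For the quoted document the only host to publish is ws2.domain.com and no problems are reported; the constructed http variant reports the downgraded user link. Feeding it a body fetched from your own lyncdiscover URL is a quick way to confirm that every FQDN the client will be sent to is actually covered by the reverse proxy rules and the certificate.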
  • Hi,

    What do you see if you open https://lyncdiscover.domain.com in your browser? IIS?

    Friday, March 3, 2017 11:44 PM
  • Hi,

    Nothing happens; it doesn't get to the website.

    Thanks

    Monday, March 6, 2017 6:48 PM
  • Hi KSK9,

    Regarding this issue, please try to check if there are any error messages on your SFB FE server side.


    Regards,

    Alice Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Alice-Wang Friday, March 10, 2017 2:53 AM
    Thursday, March 9, 2017 8:26 AM
  • Hi KSK9,

    Thanks for sharing.

    It will help others who have a similar issue.


    Regards,

    Alice Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, March 13, 2017 1:48 AM