Cannot connect to the server from Lync Mobile App

  • Question

  • We are up and running with Lync 2013 as far as the desktop client.  I am able to login connected to the VPN as well as not connected to the VPN.  When I try to login from the mobile app (Android and Apple both) I get a Cannot connect to the server error.

    I've tried autodiscover as well as manually entered the server names.  Does anyone have an idea what the issue could be?  Certificate issue maybe?

    Tuesday, June 23, 2015 7:36 PM


All replies

  • Hi,

    Please try to deploy a Reverse Proxy in DMZ zone to support the login of mobile (no matter login Lync mobile from internal or external the corporation, you need a Reverse Proxy).

    More details:

    https://technet.microsoft.com/en-us/library/hh690055(v=ocs.15).aspx

    Best Regards,
    Eason Huang


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Eason Huang
    TechNet Community Support

    Thursday, June 25, 2015 9:44 AM
  • Hello IndyBeerGuy,

    Just like Eason said, you'll need a reverse proxy for the Lync 2013 mobile client to sign in. Lync 2013 mobile automatically queries Lyncdiscover.domain.com, which is a web service hosted on your Lync FE external website.

    Deploy a reverse proxy (like TMG or UAG) and assign the FE external website certificate to it, reverse proxy should route all requests incoming on ports 80 and 443 to 8080 and 4443.

    If you don't want to use a reverse proxy software, you can use your firewall if it supports port forwarding. From public DNS make lyncdiscover.domain.com point to your firewall. From firewall configure it to send it to the FE server mirroring the ports as mentioned before (80>8080 & 443>4443) and from the deployment wizard on the FE assign a public certificate to the External website.

    Hope this helps,

    Regards,

    Muhammad Hazem

    uchazem.wordpress.com

    Thursday, June 25, 2015 10:17 AM
  • We do have a RP setup, I can login to Lync externally from a computer just not the mobile application on any device; Apple, Windows, or Android.  When I look at the log file from my phone I do see it hitting my front end pool but it never lets me login.  I've installed the certs on my phone and still no luck.
    Thursday, June 25, 2015 11:10 AM
  • Lync desktop clients from external use Access Edge on the Edge server. The mobile clients' login process is completely different and uses a reverse proxy.

    Follow the below TechNet article to check your mobility configuration.

    https://technet.microsoft.com/en-us/library/hh690055.aspx?f=255&MSPPError=-2147217396

    Mobility Troubleshooting guide:

    http://blogs.technet.com/b/nexthop/archive/2012/02/21/troubleshooting-external-lync-mobility-connectivity-issues-step-by-step.aspx


    Tek-Nerd

    Thursday, June 25, 2015 11:31 AM
  • Gotcha...  I was just looking at that article last night, I'll go through it all today and report back an update. 
    Thursday, June 25, 2015 12:23 PM
  • Where does the cert come from when you go to https://lyncdiscover.contoso.com in your browser for testing?  I'm getting a cert authority invalid error, the subject and issuer are lync.contoso.com.  I removed lync.contoso.com from my internal certs and I still get the same error.
    Friday, June 26, 2015 1:59 PM
  • Are you trying to connect internally or externally? 

    There are a few tricks to get mobility working from the internal network.  Focus on getting it functional from the external network first.  As others have said, what you need to ensure is that lyncdiscover and your external web services FQDN for your front end pool (this is defined in your topology builder and should be different than your front end server or pool name, if it's not, change it so it is).  You also need to ensure that requests on port 443 redirect to port 4443 on your internal front end AND that the certificate used by the reverse proxy is trusted by your phones.  This requires a reverse proxy typically and you'd want a certificate from a third party such as Digicert or GoDaddy. 

    Try to connect from the outside to https://lyncdiscover.yourdomain.com and see if it prompts you to download a .json file.  Open that file and make sure you only see external FQDNs in there, and not your internal pool name or other internal names.


    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer". SWC Unified Communications

    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, June 26, 2015 2:16 PM
  • Trying Externally...  I'm not getting prompted to download the .json file but the cert is coming back correct now.  It's timing out on me giving me a 504... 
    Friday, June 26, 2015 5:15 PM
  • That's what you should focus on for now. See if you can get a json file by editing the hosts file on your machine to point lyncdiscover at an internal front end and navigating to https://lyncdiscover.yourdomain.com:4443

    If you get the JSON, then your ARR is the issue, otherwise the Front End is.  Don't forget to remove that entry from your hosts file when you're done.



    Friday, June 26, 2015 5:21 PM
  • Thanks for your help on this Anthony...

    I get an xml file not a json file but the links in it are correct.  We don't have ARR...

    <resource rel="root" href="https://lyncwebext.contoso.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=contoso.com"><link rel="user" href="https://lyncwebext.contoso.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=contoso.com"/><link rel="xframe" href="https://lyncwebext.contoso.com/Autodiscover/XFrame/XFrame.html"/></resource>

    Friday, June 26, 2015 5:33 PM
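
Added example (not part of the thread): a Python check for the advice above that the lyncdiscover document should list only external FQDNs. The function names, the JSON shape and the internal host `lyncfe01.contoso.local` are assumptions constructed for illustration; the XML is the body quoted in the post above.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# XML body quoted in the post above (returned by the front end on port 4443).
SAMPLE_XML = (
    '<resource rel="root" href="https://lyncwebext.contoso.com/Autodiscover/'
    'AutodiscoverService.svc/root?originalDomain=contoso.com">'
    '<link rel="user" href="https://lyncwebext.contoso.com/Autodiscover/'
    'AutodiscoverService.svc/root/oauth/user?originalDomain=contoso.com"/>'
    '<link rel="xframe" href="https://lyncwebext.contoso.com/Autodiscover/'
    'XFrame/XFrame.html"/></resource>'
)
# Constructed JSON body that leaks a made-up internal name (lyncfe01.contoso.local).
SAMPLE_JSON = json.dumps({"_links": {
    "self": {"href": "https://lyncwebext.contoso.com/Autodiscover/root"},
    "user": {"href": "https://lyncfe01.contoso.local/Autodiscover/user"},
}})

def extract_hrefs(body):
    """Collect every href from a lyncdiscover response, XML or JSON."""
    text = body.strip()
    if text.startswith("<"):
        if "<!DOCTYPE" in text.upper():  # no DTDs: avoids entity-expansion tricks
            raise ValueError("DTD in response; refusing to parse")
        return [e.attrib["href"] for e in ET.fromstring(text).iter()
                if "href" in e.attrib]
    found = []
    def hook(obj):  # called by json.loads for every decoded object, nested or not
        if isinstance(obj.get("href"), str):
            found.append(obj["href"])
        return obj
    json.loads(text, object_hook=hook)
    return found

def unexpected_hosts(body, allowed_hosts):
    """Return hosts in the response that are not approved external HTTPS names."""
    allowed = {h.lower() for h in allowed_hosts}
    bad = set()
    for href in extract_hrefs(body):
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or host not in allowed:
            bad.add(host or href)
    return sorted(bad)
```

An empty result for the externally fetched document means every link points at an approved external name over HTTPS; any host returned is one a phone on the Internet would be told to contact.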
  • Sorry, habit, by ARR I meant your Reverse Proxy.  Sounds like an issue with your RP configuration if you get 504s when passing through it. What are you using for that?


    Friday, June 26, 2015 5:34 PM
  • HA Proxy
    Friday, June 26, 2015 5:37 PM
  • I'm not too familiar with that one, is it working for other scenarios? 

    Can it access the front end server by FQDN, on port 4443? 



    Friday, June 26, 2015 5:46 PM
  • Yep, we run all of our secure traffic through it...  Here is what we have in HA Proxy

    frontend http-in
            bind *:80
            reqadd X-Forwarded-Proto:\ http
            default_backend application-backend


    frontend https-in
            bind *:443 ssl crt /etc/haproxy/lync2.contoso.com.pem
            reqadd X-Forwarded-Proto:\ https
            default_backend application-backendssl

    *********

    backend application-backend
          #redirect scheme https if !{ ssl_fc }

          appsession ASPSESSIONID len 64 timeout 3h prefix

          balance leastconn
          
          stats enable
          
          
          option httpclose        # disable keep-alive
          option forwardfor
                
          # health check.
          option httpchk HEAD /index.htm HTTP/1.0\r\nHost:\ _diagnostics
          
          server      Lync01 192.168.xx.xxx:8080    cookie Lync01           check inter 2000 rise 2 fall 5



    backend application-backendssl
          #redirect scheme https if !{ ssl_fc }

          # for ASP, it will bind session stickyness
          appsession ASPSESSIONID len 64 timeout 3h prefix

          balance leastconn
          
          stats enable
          
          option httpclose        # disable keep-alive
          option forwardfor       
          
          server      Lync01 192.168.xx.xxx:4443    cookie Lync01           check inter 2000 rise 2 fall 5     

    Friday, June 26, 2015 5:56 PM
  • In the best Victor Von Frankenstein voice...  It's alive!!!  Removed all http from ha proxy and made them tcp.  We can login via the mobile app now.  Thanks again for all of the help everybody!!
    • Marked as answer by Eason Huang Wednesday, July 1, 2015 9:05 AM
    Friday, June 26, 2015 7:42 PM
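
Added example (not part of the thread): a small Python audit of an HAProxy config that lists every hop where the frontend terminates TLS (`bind ... ssl`) but the `server` line has no `ssl` keyword, which means HAProxy talks cleartext to that server. `POSTED` is trimmed from the config quoted earlier in the thread; `PASSTHROUGH` is a constructed guess at what "made them tcp" looks like, and the function names are hypothetical.

```python
POSTED = """
frontend https-in
    bind *:443 ssl crt /etc/haproxy/lync2.contoso.com.pem
    default_backend application-backendssl

backend application-backendssl
    option httpclose        # disable keep-alive
    server Lync01 192.168.xx.xxx:4443 cookie Lync01 check inter 2000 rise 2 fall 5
"""
# Constructed assumption: TLS is not terminated, bytes are relayed to port 4443.
PASSTHROUGH = """
frontend https-in
    mode tcp
    bind *:443
    default_backend application-backendssl

backend application-backendssl
    mode tcp
    server Lync01 192.168.xx.xxx:4443 check inter 2000 rise 2 fall 5
"""
SECTION_KEYWORDS = ("frontend", "backend", "listen", "defaults", "global")

def parse_sections(cfg):
    """Split an HAProxy config into {(kind, name): [token lists]}."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tokens:
            continue
        if tokens[0] in SECTION_KEYWORDS:
            current = (tokens[0], tokens[1] if len(tokens) > 1 else "")
            sections[current] = []
        elif current is not None:
            sections[current].append(tokens)
    return sections

def cleartext_hops(cfg):
    """Return (frontend, backend, server, address) for each unencrypted hop
    behind a TLS-terminating frontend."""
    sections = parse_sections(cfg)
    findings = []
    for (kind, fe), lines in sections.items():
        if kind != "frontend" or not any(
                t[0] == "bind" and "ssl" in t[2:] for t in lines):
            continue
        for be in [t[1] for t in lines if t[0] == "default_backend" and len(t) > 1]:
            for t in sections.get(("backend", be), []):
                if t[0] == "server" and len(t) > 2 and "ssl" not in t[3:]:
                    findings.append((fe, be, t[1], t[2]))
    return findings
```

Run against `POSTED` it reports the `Lync01` server on port 4443, the port the thread describes as the front end's HTTPS listener; `PASSTHROUGH` reports nothing. In a passthrough setup the phones see the front end's own external web services certificate rather than the `.pem` on the proxy, so that is the certificate they have to trust.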
  • Great job!  Glad we could help!


    Friday, June 26, 2015 7:49 PM