Intranet Only Skype Server Issues with Android and iOS

  • Question

  • We have a client trialing Skype for Business Server 2015, and would like to set this up for internal use only. We've installed it, and desktops and laptops are working well both wired and wirelessly. But Android and iOS devices attached to the company wireless are not. When we try using the Skype app, it fails to connect.

    Speaking to Microsoft Support, they said that in order for Android and iPads to work, we need to set up a reverse proxy server, and attach one of the NICs to the DMZ. We do not want any external access to this Skype installation. They said this would not pose a security risk, but my client does not want to do this.

    Does anyone have this setup that could help instruct me whether a reverse proxy is necessary, and if not, what you had to do to get iPads and Android.

    Thank you,
    Tom Drought


    Tom Drought

    Friday, August 19, 2016 4:56 PM

Answers

  • Tom,

    Mobility Services hairpin off of the reverse proxy when connecting internally. Mobility services connect to external UCWA services on the front end through port 4443. You do not need to open this to the public sector if you choose not to.

    Jeff Schertz has a good article on mobility services Here.

    -Don


    • Edited by Don Deppe Friday, August 19, 2016 6:11 PM
    • Proposed as answer by Anthony Caragol (MVP) Friday, August 19, 2016 7:27 PM
    • Marked as answer by Tom Drought Friday, August 19, 2016 7:31 PM
    Friday, August 19, 2016 6:10 PM
  • If the reverse proxy you choose allows hairpinning the traffic back in, then it should work.  The DMZ thing is just a best practice, but may not be necessary from a functional or security perspective seeing as how this is only offered to internal users.

    Please remember, if you see a post that helped you please click "Vote" on the left side of the response, and if it answered your question please click "Mark As Answer". SWC Unified Communications This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, SWC, their employees, or other MVPs.

    • Marked as answer by Tom Drought Friday, August 19, 2016 7:43 PM
    Friday, August 19, 2016 7:39 PM
  • Don is right, I've even put the reverse proxy on the inside network, and never allowed access from the Internet because it was used internally only.  You'll want your lyncdiscover and external web services FQDN pointing at the reverse proxy, which should reply with a trusted third party certificate and redirect requests received on TCP/443 to port 4443 of the front end.

    • Marked as answer by Tom Drought Friday, August 19, 2016 7:43 PM
    Friday, August 19, 2016 7:29 PM
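
One way to check the layout described in the answers above from the internal network (an added example, not part of the original thread). The FQDNs, the proxy address and the RFC 1918 test are assumptions made for illustration; substitute your own lyncdiscover and external web services names.

```python
import ipaddress
import socket
import ssl

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_dns(fqdn, answers, proxy_ip):
    """Findings for one FQDN, given the A records an internal Wi-Fi client received."""
    if not answers:
        return [f"{fqdn}: no A record visible to internal clients"]
    findings = []
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in RFC1918):
            findings.append(f"{fqdn}: {addr} is not an internal address")
        elif addr != proxy_ip:
            findings.append(f"{fqdn}: {addr} is not the reverse proxy ({proxy_ip})")
    return findings

def resolve(fqdn):
    """Live A-record lookup; run it from a device on the internal wireless."""
    try:
        infos = socket.getaddrinfo(fqdn, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tls_trusted(host, port=443, timeout=5):
    """True if host:port presents a certificate that chains to the local trust
    store and matches the host name (the trusted certificate the answer calls for)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # includes ssl.SSLError and certificate verification failures
        return False

if __name__ == "__main__":
    # Constructed sample data: hypothetical names and addresses, not from the thread.
    proxy = "10.0.20.15"
    sample = {
        "lyncdiscover.example.com": ["10.0.20.15"],
        "webext.example.com": ["203.0.113.10"],
    }
    for name, answers in sample.items():
        for line in check_dns(name, answers, proxy) or [f"{name}: ok"]:
            print(line)
    # On the real network: check_dns(name, resolve(name), proxy) and tls_trusted(name)
```
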

All replies

  • The engineer stated I needed to have the reverse proxy set up on the DMZ. Can I simply add the reverse proxy to the local LAN?

    Tom Drought

    Friday, August 19, 2016 7:32 PM