SFB internal or external


  • Hello

    We are using SFB 2015 infrastructure with two front ends and 2 edges with a reverse proxy. Web services are using a hardware LB and everything else DNS load balancing. We also have split DNS.

    Our issue is that when a user is in the office and then goes home and logs in without VPN, they get an alert with "Exchange needs your credentials". In order to resolve this they have to log out, delete the cache and log in again, and then it's fine. The same thing happens if the user is on VPN and disconnects and becomes external. So I think the issue is that somehow the client cannot detect fast enough whether it is internal or external. I understand that it has all the required IPs via DNS when it first connects. So the client should detect automatically which DNS/IP to use, but somehow it's not happening. Any ideas?

    Friday, March 17, 2017 2:59 PM

All replies

  • Hi Mod,

    Did the issue only happen to a specific user in your environment?

    For external access, the DNS records are as follows:
    1. lyncdiscover.<domain>   A (host) record for the Autodiscover service on the external Web services
    2. _sip._tls.<domain>   SRV (service locator) record for external TLS connections
    3. sip.<domain>   A (host) record for the Front End pool or Director on the internal network, or the Access Edge service when the client is external
    4. sipexternal.<domain>   A (host) record for the Access Edge service when the client is external
    For details, please refer to

    Regarding this issue, please press Ctrl and right-click the SFB icon in the taskbar, then open Configuration Information. On the page that opens, check if EWS status and MAPI status are OK. The following document is for your reference


    Alice Wang


    • Proposed as answer by Akampa Monday, March 20, 2017 10:47 AM
    Monday, March 20, 2017 2:28 AM
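
An added example, not part of the original reply: this PowerShell script resolves the four records listed above from the client and reports whether each one currently answers with an internal or an external address, so it can be run before and after disconnecting the VPN in a split-DNS setup. `contoso.com` is a placeholder domain, and treating RFC 1918 addresses as the internal view is an assumption.

```powershell
# Added example (not from the thread). Placeholder SIP domain; replace with your own.
$SipDomain = 'contoso.com'

# Record names and types as listed in the reply above.
$records = @(
    @{ Name = "lyncdiscover.$SipDomain"; Type = 'A' }
    @{ Name = "_sip._tls.$SipDomain"; Type = 'SRV' }
    @{ Name = "sip.$SipDomain"; Type = 'A' }
    @{ Name = "sipexternal.$SipDomain"; Type = 'A' }
)

function Test-PrivateAddress {
    # Assumption: RFC 1918 IPv4 addresses mean the internal DNS view answered.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { return $false }
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-HostAddress {
    # IPv4 addresses for a host name; nothing if it does not resolve.
    param([string]$Name)
    Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $_.IPAddress }
}

foreach ($r in $records) {
    # For the SRV record, follow each target host; A records resolve directly.
    if ($r.Type -eq 'SRV') {
        $targets = @(Resolve-DnsName -Name $r.Name -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget })
    } else {
        $targets = @($r.Name)
    }
    $addresses = @($targets | ForEach-Object { Get-HostAddress $_ })

    if ($addresses.Count -eq 0) { $view = 'not resolved' }
    elseif ($addresses | Where-Object { Test-PrivateAddress $_ }) { $view = 'internal' }
    else { $view = 'external' }

    [pscustomobject]@{
        Record    = $r.Name
        Type      = $r.Type
        Addresses = $addresses -join ', '
        View      = $view
    }
}
```

If the `View` column still shows `internal` after the VPN is dropped, the client is working from cached internal answers rather than the external records.
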
  • Agree with Alice. Along with this, it is because the integration with Exchange is breaking. So when you're logging in from external it is unable to authenticate to EWS. So please verify the EWS. It may not be necessary to clear the cache and log in. Did you try supplying the password when prompted? Does it accept it?

    Jayakumar K

    Monday, March 20, 2017 10:48 AM
  • Hello:

    I did some further troubleshooting. Just to clarify, the issue is not the DNS. The client is autodiscovering (internal or external) the correct DNS information. The following are the scenarios:

    Scenario 1: The client is on VPN and disconnects. It gets the Exchange popup, the user enters the username/password, and then it works. I can see EWS is OK.

    Scenario 2: But if the user deletes the cache and logs in (without VPN), EWS is not deployed. We are routing EWS traffic through TMG, and we are using FBA on TMG for EWS.

    I understand that FBA is not supported with Skype, but why does it work in the first scenario, where traffic is still routing through TMG?

    Also, my question: what is the indicator that tells the client "okay, now you are disconnected from VPN, use external services"? Just to clarify, there is no issue discovering services.

    Monday, March 20, 2017 1:31 PM
  • Hi Mod,

    Thanks for your response.

    For this situation, there may be something wrong with the EWS external URL. Please refer to the following blog to deploy the EWS

    Moreover, you could use the Microsoft Remote Connectivity Analyzer to check if there are any issues.

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    Alice Wang


    Thursday, March 23, 2017 9:28 AM