lyncdiscover.domain.com reverse proxy and windows lync 2013 client

  • Question



  • Hi,

    We have a reverse proxy in a DMZ with NATing from the firewall for real IP to DMZ IP. We have a lyncdiscover.domain.com DNS record pointing to this real IP.

    And the reverse proxy is having IIS ARR with a rule for lyncdiscover for 443 to 4443 and 80 to 8080…

    Now we have a situation where the Windows Lync Client is connecting to this lyncdiscover and trying and trying to connect?

    We are expecting it should connect using the _tls pointer DNS, but we are observing that the Windows Client is connecting to the lyncdiscover?

    If we hard code sip.domain.com:443 we observe that it will connect. But in TCPView we are seeing that it keeps pounding the reverse proxy?

    Can you please advise from your experience why such a behaviour is coming from the Windows client?

    Due to this we cannot open up the reverse proxy for mobile users!

    -------------------

    Wednesday, October 1, 2014 5:40 PM

All replies

  • The Lync 2013 Client added lyncdiscoverinternal.domain.com and lyncdiscover.domain.com as the first records it will attempt to connect to during sign-in.  Just like when the Lync Mobile client connects to lyncdiscover.domain.com and is returned an XML file on how to sign-in, the full Windows Client now does the same behavior.

    So it's completely normal for the full client to be attempting that address.

    If you aren't able to login with the full client when it's reaching out to lyncdiscover.domain.com then there is most likely something wrong on the IIS/ARR configuration.

    Thanks,

    Richard


    Richard Brynteson, Lync MVP | http://masteringlync.com | http://lyncvalidator.com

    Wednesday, October 1, 2014 5:59 PM
  • As Richard says, providing your routing etc is all fine, this is most likely an IIS ARR issue.

    Check your IIS configuration off against this article; http://www.gecko-studio.co.uk/iis-arr-configuration-reverse-proxy-lync/

    Kind regards
    Ben



    Thursday, October 2, 2014 6:24 AM
  • Hi abm_v,

    As I know, the order of preference for the Lync 2013 client is as follows.

    1. lyncdiscoverinternal.domain.com (A record)

    2. lyncdiscover.domain.com (A record)

    3. _sipinternaltls._tcp.domain.com (SRV record)

    4. _sip._tls.domain.com (SRV record)

    5. sipinternal.domain.com (A record)

    6. sip.domain.com (A record)

    7. sipexternal.domain.com (A record)

    Best regards,

    Eric


    • Edited by Eric.YK Thursday, October 2, 2014 7:06 AM
    Thursday, October 2, 2014 7:05 AM
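
Added example, not part of the thread: the record order from the reply above applied to a constructed external DNS zone, showing why a published lyncdiscover A record is reached before the `_sip._tls` SRV record. The zone contents and the 203.0.113.x addresses are constructed sample data, and the model covers only the name ordering as listed in the reply, not what the client does after a failed request.

```python
# Order of preference for the Lync 2013 client, as listed in the reply above.
DISCOVERY_ORDER = [
    ("lyncdiscoverinternal.{d}", "A"),
    ("lyncdiscover.{d}", "A"),
    ("_sipinternaltls._tcp.{d}", "SRV"),
    ("_sip._tls.{d}", "SRV"),
    ("sipinternal.{d}", "A"),
    ("sip.{d}", "A"),
    ("sipexternal.{d}", "A"),
]

# Constructed external view of the zone (documentation addresses, not real data).
EXTERNAL_ZONE = {
    ("lyncdiscover.domain.com", "A"): "203.0.113.10",       # NATed reverse proxy
    ("_sip._tls.domain.com", "SRV"): "sip.domain.com:443",  # SIP sign-in target
    ("sip.domain.com", "A"): "203.0.113.20",
}


def resolvable_candidates(domain, zone):
    """Return (step, name, type, answer) for every record that exists, in client order."""
    hits = []
    for step, (template, rtype) in enumerate(DISCOVERY_ORDER, start=1):
        name = template.format(d=domain)
        answer = zone.get((name, rtype))
        if answer is not None:
            hits.append((step, name, rtype, answer))
    return hits


def first_attempt(domain, zone):
    """The record the client reaches first, or None if nothing is published."""
    hits = resolvable_candidates(domain, zone)
    return hits[0] if hits else None


def shadowed_by_lyncdiscover(domain, zone):
    """Published names that rank behind a lyncdiscover* A record (steps 1-2)."""
    hits = resolvable_candidates(domain, zone)
    if not hits or hits[0][0] > 2:
        return []
    return [name for step, name, _, _ in hits if step > 2]


if __name__ == "__main__":
    print("first attempt:", first_attempt("domain.com", EXTERNAL_ZONE))
    print("ranked behind it:", shadowed_by_lyncdiscover("domain.com", EXTERNAL_ZONE))
```

With the lyncdiscover A record published, the desktop client's first request lands on the reverse proxy, so the proxy has to handle desktop traffic correctly as well as mobile traffic.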
  • I have a lyncdiscover.domain.com (A record) externally, but my Windows Client (Lync 2013) is getting looped trying to connect and request something from the reverse proxy...? Even after I give sip.domain.com manually? I will check IIS ARR and update this post.... :-( The reverse proxy is in a way DoSed...


    -------------------

    Thursday, October 2, 2014 7:45 AM
  • If you explicitly set the external server address as sip.domain.com:443, it should not go through the auto discover process anymore. In that case, make sure that you have both the internal server name and the external server name configured.


    http://thamaraw.com

    Thursday, October 2, 2014 7:50 AM
  • Seems that there is some misconfiguration in the FE web services and the reverse proxy, either related to security or certificates and names.

    The iOS mobile client can connect but the Windows Lync 2013 client can't connect if the reverse proxy is live. If I shut down the reverse proxy then the Windows Lync 2013 client will work and the mobile client will not work... The Windows client gets stuck in some loop; a trace on the client gives:

    The server returned a security fault: 'An invalid security token was provided'.

    The fault reason was: 'An error occurred when processing the security tokens in the message.'.

    and a Fiddler trace with decrypt gives

    https://lyncwebservice.xxx.com.xxx/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=domain.com?sipuri=user@domain.com

    something like

    401 - Unauthorized: Access is denied due to invalid credential

    stuck just stuck !!!!


    -------------------


    • Edited by abm_v Friday, December 16, 2016 8:42 AM
    Friday, October 3, 2014 5:07 PM
  • check this link

    http://masteringlync.com/2014/02/17/quick-tip-lync-mobile-login-issues/



    Sunday, October 5, 2014 9:43 AM
  • We are frequently getting "server unavailable" while connecting to Lync from outside the organization. Are you sure this is happening due to the above task not being properly configured?
    Monday, October 10, 2016 8:40 AM