Lync CX600 Connect from outside network

  • Question

  • We have Lync 2010 installed and running.  Internal users have CX600 phones that are standalone and also USB connected to desktop PCs.

    The issue I have is that we have a few users that work remotely from home.  They VPN into the network from their laptops.  We want to deploy CX600 phones to them as well.  I cannot get the CX600s to connect to Lync externally, either standalone or connected to the laptops via USB (or with a network cable).

    The users can connect to Lync with the client with both vpn connected and not connected.  We use a Digicert certificate for external edge and FTMG.  External meeting connections do work as well.

    Can someone shed light and details on how to make this work please?

    Thanks.

    Jake

    Wednesday, January 12, 2011 11:39 PM

Answers

  • Sorry it took so long to respond. I was out on installations.

    This does work.  The Digicert tool showed that it needed to 'repair' how the certificates were acting.  I did the repair and it worked.   After rebooting the Lync Edge, the problem arose again.  I reran the utility and it showed the same issue.  I did a repair and it fixed it.  The utility also stated that I had already done a repair, but that the MS certificate update changed it back.  I did enable the policy it recommended and it is now working.

    Thanks for the help.

    On to why the AOL, Yahoo, and MSN people show as presence unknown...  it worked in OCS just fine.

    • Marked as answer by BiggJake Friday, February 4, 2011 4:02 PM
    Friday, January 28, 2011 3:48 PM

All replies

  • Have you tested if your external users can sign in via the Edge successfully without VPN? Keep in mind that while (after the VPN connection is established) the clients will receive internal IP and DNS server entries, and furthermore will use the _sipinternaltls SRV record, the phone itself gets “home” provisioning, i.e. it will be able to query only public DNS for the SRV records of your domain.

    In conclusion, make sure your DNS public records are properly configured.

    Drago


    http://ocsdude.blogspot.com | MVP Snom OCS Edition
    Thursday, January 13, 2011 12:37 AM
  • Clients can sign in from outside the network without the VPN connection so I am pretty sure it is using the Edge at that point.

    There is an external DNS record for _sip._tls.company.com that points to sip.company.com.  I also have the _sipfederationtls._tcp.company.com pointed there.

    Sip.company.com is pointed at the edge outside address.  Using a single DNS SIP.company.com for Access, AV, and Webconf.

    We do use a NAT'd addressing through our firewall.  i.e. real world to 10.10.10.x which is outside edge NIC.

    Can you give me more detail on the statement "the phone itself gets “home” provisioning i.e. will be able to query only public DNS for the SRV records of your domain." please?

    What exactly is it doing during that provisioning?

    Thursday, January 13, 2011 1:10 AM
  • Bad wording.

    What I meant is – when a user starts the computer, a typical home router would give 192.168.0.20 for example, and DNS 192.168.0.254. After the user connects to the VPN, another IP address will be assigned to the virtual adapter, say 10.7.0.20 and DNS 10.7.0.2, which now takes precedence. The user starts the Lync client, and a DNS query for _sipinternaltls is sent to 10.7.0.2 (the internal, AD integrated DNS server). If this is the first time ever the client signs in to Lync, additional information would be sent to the client’s computer – a user certificate signed by Lync and some other stuff.

    At the same time, when you connect the phone, the only IP and DNS the device will obtain/use is the “home” network’s, and so, even if the phone is connected with USB, Lync will not be able to provision the device with the user certificate, thus the first sign-in is not possible.

    If I remember correctly, it was stated by Microsoft back in August last year that the Aries devices MUST be provisioned initially on the internal network and can then be taken out on public. If you think about it – a user will not have to “change user” at home…

    I am not sure if this has changed and furthermore, what is the behavior when the topology is fully expanded i.e. 100% working reverse proxy etc. I hope MSFT would clarify this.

    Drago


    http://ocsdude.blogspot.com | MVP Snom OCS Edition
    Thursday, January 13, 2011 1:25 AM
  • I have connected the phone internally first.  Do they need to be USB connected internally as well beforehand?

    Perhaps they need to connect to an Update service internally first as well?

    How can one tell if the certificate and such are loaded?  How about getting logs from the phone?

    Thursday, January 13, 2011 4:06 AM
  • Out of the box, the unit does not have any user or Lync specific settings. When connected to the local network, the first thing it does is to get the UcUpdates-R2.domain.local A record, which is the update service. If the current firmware version does not match the one set on the server, the location and name of the new file are sent to the unit. The phone then downloads the new firmware, waits eight minutes for idle time, installs the update and reboots.

    If the domain DHCP server is provisioned according to the manual with the appropriate DHCP options AND a user account is provisioned with a PIN, the same can then sign in to the phone with “phone number and PIN”. The other option is for the phone to be connected with a USB cable to a PC where the Lync client is installed and signed in. At this point, a pop-up prompts the user to enter credentials. Those are used by the phone to authenticate for the first time. Once credentials are verified and accepted, two things happen – a domain certificate is downloaded and installed, as well as a user certificate, generated and signed by the Lync server. Then, all environmental settings are sent (in-band provisioning) and finally, the user contact list. Address book download is randomized the same way as for the client.

    If we do not enforce “lockout”, after a power cycle the phone uses the user certificate to authenticate and sign in automatically every subsequent time. If lock is enforced, the user must enter the phone PIN to use it.

    At this point, proper A records and SRV records in the public DNS should be sufficient to enable the phone to sign in from outside, since it would use the same records and mechanism the Lync client uses (this was my question “Are the clients able to sign in from outside without VPN?”).

    For the sake of experiment, I tested this scenario last night – one unit, which was already provisioned on the LAN network, was connected in a neighbor’s house to a home router and worked properly.

    Drago


    http://ocsdude.blogspot.com | MVP Snom OCS Edition
    Thursday, January 13, 2011 11:54 AM
  • Thank you for the information.  It is helpful.

    I see a 'send logs' button, but where do they go and how do I get them?  Perhaps they can tell me more as to what is wrong.

    Thursday, January 13, 2011 1:49 PM
  • Reading those logs is a pain (besides, there is no utility as far as I know). And… it will not tell you anything, believe me. In any case, when you “send logs”, you can find them in the Lync server share\site – WebService\DeviceUpdateLogs\Client\SELog

    Drago


    http://ocsdude.blogspot.com | MVP Snom OCS Edition
    Thursday, January 13, 2011 2:02 PM
  • You can fully provision any USB-equipped Phone Edition device (both Aries and Tanjay) externally by tethering it to a workstation with the Lync client.  The phone does NOT need to be provisioned internally first; I have taken CX600 and CX700 devices right out of the factory-sealed box and connected them to Lync Server via Edge from my home office, no VPN.  The certificate service and device update feature work fine externally.

    See this article for full details on this process.
    http://blog.schertz.name/2010/12/externally-provisioning-lync-phone-edition-3/

    Alternatively, the Common Area Phones (e.g. CX500) will not work at all externally, unless someone were to go through the highly unlikely scenario of adding the vendor-specific (MS-UC-Client) DHCP options to that network.  It is not a supported use case and these devices are intended solely for internal network usage.

    This article covers the LPE requirements in great detail as well.
    http://blog.schertz.name/2010/12/configuring-lync-server-for-phone-edition-devices/


    Jeff Schertz, Microsoft Solutions Architect - Polycom | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, January 13, 2011 2:31 PM
    Moderator
  • Excellent info. Thanks, Jeff!

    Drago


    http://ocsdude.blogspot.com | MVP Snom OCS Edition
    Thursday, January 13, 2011 2:40 PM
  • I went through these links and still can't get it to work as well as have some other questions.

    1)  If connecting a phone at a home network, the DHCP has to have option 43 and 120?  Confused, sorry.

    2)  I have option 43 and 120 in the DHCP scope at the office and I ran the emulator and confirmed the information as being sip.company.com for anything sip and weblink.

    Here is a scenario of what I have setup, maybe I am missing something.

    External DNS entries

    Sip.company.com  123.345.456.789  Ports 443, 444, 5061, 8001, 50000:59999, 3478 udp DNAT’d to same ports on 10.10.10.7 which is NIC on Edge Server.  (internal Nic is 172.16.24.151)

    OCSwebcom.company.com, Meet.company.com, dialin.company.com 123.345.456.788 ports 80, 443 DNAT’d to same on 10.10.10.8 which is NIC on FTMG server. (internal Nic is 172.16.24.152)

    There is an external DNS record for _sip._tls.company.com that points to sip.company.com.  I also have the _sipfederationtls._tcp.company.com pointed there.

    Certificates

    External from Digicert

    Subject: sip.company.com

    SANs:  sip.company.com, OCSwebcom.company.com, Meet.company.com, dialin.company.com, cwa.company.com

    Internal Certs are from internal CA.
    Thursday, January 13, 2011 11:16 PM
  • Does the external phone have to be USB connected on fresh start?

    When it is not USB connected it prompts me for extension or phone number and then password.  What format should this phone number be in?  I get "Certificate Web Service cannot be found."

    Thursday, January 13, 2011 11:21 PM
  • You just answered your previous question “If connecting a phone at home network, the DHCP has to have option 43 and 120?”

    Because users will not have those options on their home router, as Jeff pointed out, sign-in via phone number and PIN is ruled out for CX500/Aastra 6721ip. Common Area Phone after all…

    Aries phones do not have a way to enter username and password (as Tanjay does) and so, USB tethering for initial provisioning is mandatory (actually, the only option). Once provisioned, the USB cable can be omitted. However, if the “Switch user” option is selected, tethering is again necessary.

    Are you prompted to enter username and password at all on the computer screen when connected with USB?

    Drago


    http://ocsdude.blogspot.com | MVP Snom OCS Edition
    Thursday, January 13, 2011 11:35 PM
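To make concrete what the option 43 and 120 question above is about, and why a home router's lease rules out PIN sign-in as Drago explains, here is an added Python example written for this thread (not Microsoft's DHCPUtil or anything from the original posts). It encodes and decodes both options; the MS-UC-Client sub-option numbering is assumed from the Lync Server DHCP documentation and all hostnames are constructed.

```python
"""Encode/decode the DHCP options a Lync Phone Edition device looks for.
Added example for this thread, not Microsoft's DHCPUtil. Option 120 follows
RFC 3361 (SIP server FQDN as DNS labels); option 43 carries MS-UC-Client
vendor sub-options, whose numbering 1..5 is assumed from the Lync DHCP docs.
Hostnames used in tests and comments are constructed."""
VENDOR_CLASS = "MS-UC-Client"
SUBOPT = {1: "UCIdentifier", 2: "URLScheme", 3: "WebServerFqdn",
          4: "WebServerPort", 5: "CertProvRelPath"}

def encode_option_120(fqdn):
    """enc=0 (domain-name list) then the FQDN in RFC 1035 label form."""
    out = bytearray([0])
    for label in fqdn.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad DNS label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)

def decode_option_120(data):
    if not data or data[0] != 0:
        raise ValueError("only the enc=0 (domain name) form is handled")
    labels, pos = [], 1
    while pos < len(data) and data[pos] != 0:
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def encode_option_43(web_fqdn, port="443"):
    """Vendor sub-options as code/length/value triples."""
    fields = {1: VENDOR_CLASS, 2: "https", 3: web_fqdn, 4: port,
              5: "/CertProv/CertProvisioningService.svc"}
    out = bytearray()
    for code, value in fields.items():
        raw = value.encode("ascii")
        out += bytes([code, len(raw)]) + raw
    return bytes(out)

def decode_option_43(data):
    out, pos = {}, 0
    while pos + 2 <= len(data):
        code, n = data[pos], data[pos + 1]
        out[SUBOPT.get(code, str(code))] = data[pos + 2:pos + 2 + n].decode("ascii")
        pos += 2 + n
    return out

def pin_sign_in_possible(lease):
    """PIN sign-in needs both options in the lease (dict keyed by option number)."""
    opt43 = decode_option_43(lease.get(43, b""))
    return opt43.get("UCIdentifier") == VENDOR_CLASS and 120 in lease
```

A typical home router lease carries only options such as 6 (DNS servers), so pin_sign_in_possible() is false there and the phone is left with USB tethering for its first sign-in.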
  • Thanks for the answer.  I will test this next week as I am not able to until then.
    Friday, January 14, 2011 12:33 AM
  • I was able to test this today.

    I am signing in using:

    Account: username@company.com

    User Name: company\user  ( also tried username@company.com)

    Password

    on the CX600 I get:

    Sign-In error   "Cannot download certificate because domain is not accessible. If the problem continues, contact your support team."

    The client is signed in already successfully on the machine.  The CX600 is USB tethered to the machine.

    Tuesday, January 18, 2011 8:20 PM
  • Press and hold the Ctrl key and click the Lync icon next to the computer clock. Click "Configuration Information" on the menu. This will open "Lync Configuration Information". There you will see "Connected Lync Server". Is it the edge your client is connected to? Outside of an AD environment, the device should use the public certificate, not a domain one.

    Drago


    http://ocsdude.blogspot.com | MVP Snom OCS Edition
    Tuesday, January 18, 2011 9:14 PM
  • Here is what was listed:

    DG URL Internal;https://lyncpool.company.com:443/groupexpansion/service.svc;--;
    DG URL External;https://ocswebcom.company.com:443/groupexpansion/service.svc;--;
    Quality Metrics URI;sip:lyncpool.company.com@company.com;gruu;opaque=srvr:HomeServer:bIMR0X8WEV2QYM4VG6OkHwAA;--;
    URL Internal From Server;https://lyncpool.company.com:443/abs/handler;--;
    URL External From Server;https://ocswebcom.company.com:443/abs/handler;--;
    Voice mail URI;sip:jake@company.com;opaque=app:voicemail;--;
    Exum Enabled;TRUE;--;
    Exum URL;EUM:Jake@company.com;phone-context=Inhouse.company.com;--;
    MRAS Server;sip:lyncedge@company.com;gruu;opaque=srvr:MRAS:_8A04vDDHFiv2XkyqeZtoAAA;Enabled;
    GAL Status;https://lyncpool.company.com:443/abs/handler;--;
    Controlled Phones;TRUE;--;
    PC to PC AV Encryption;AV Encryption Enforced;--;
    Focus Factory;sip:jake@company.com;gruu;opaque=app:conf:focusfactory;--;
    Telephony Mode;Telephony Mode UC Enabled;--;
    Line;tel:+15555553511;--;
    Line Configured From;Auto Line Configuration;--;
    Location Profile;Inhouse.company.com;--;
    Call Park Server URI;sip:lyncpool.company.com@company.com;gruu;opaque=srvr:Microsoft.Rtc.Applications.Cps:NH_5Du9kcVejtTK86fjs6wAA;--;
    UCS Mode;Lync Server Mode;--;
    Configuration Mode;Auto Configuration;--;
    Server Address Internal;--;--;
    Server Address External;--;--;
    Server SIP URI;jake@company.com;--;
    GAL or Server Based Search;GAL search;--;
    Local Log Folder;C:\Users\Jake\tracing;--;
    MAPI Information;Your Outlook profile is not configured correctly. Contact your support team with this information.;MAPI unavailable;
    EWS Information;--;EWS not deployed;
    Inside User Status;FALSE;--;
    Auto Update Download Started;--;--;
    Auto Update Download Completed;--;--;
    Last Auto Update Request;--;--;
    Pairing State;Lync cannot connect to your desk phone because no one is signed in. Make sure that the desk phone is connected to the network, and enter your network logon information on the desk phone if necessary.;Enabled;
    Contact List Provider;Lync Server;--;
    UCS Connectivity State;Exchange connection Down;--;
    Connected Lync Server;sip.company.com;--;
    Skill Search URL;;--;
    SharePoint Search Center URL;;--;
    EWS Internal URL;;--;
    EWS External URL;;--;
    Server SIP URI - 1;sip.company.com:443;TLS Mode;

    sip.company.com  is the edge server DNS external

    ocswebcom.company.com is the FTMG server

    Tuesday, January 18, 2011 10:04 PM
  • Something is not right. To capture the behavior, I disconnected my home lab from work (site-to-site VPN), and reset the phone to factory default i.e. deleted all information previously downloaded.

    Signed in on the client (Configuration shows I am connected to my edge), got the prompt from the phone, entered credentials and the phone signed in immediately without downloading a certificate. This proves that when signing in from the public internet via edge, the Edge certificate is used and as long as it is in the phone’s trusted root CA, all good.

    Powered down the phone, signed off, activated the VPN (i.e. now my home subnet is fully routed and is part of the LAN), and started the phone. The unit connected to a Domain controller (because it now queried the internal DNS for _sipinternaltls), downloaded the internal Root CA and signed in successfully.

    Why does your phone, even if Lync shows you have connected via Edge, attempt to connect to a domain (which would never happen if the unit is on the public internet)?

     …"Cannot download certificate because domain is not accessible. If the problem continues, contact your support team."… indicates that the unit uses the _sipinternaltls record from somewhere. You don’t have this record in your public DNS, do you?

    Drago


    http://ocsdude.blogspot.com | MVP Snom OCS Edition
    Wednesday, January 19, 2011 1:49 AM
  • No that is not in the public DNS.  I even did an nslookup from the test machine for the _sipinternaltls.company.com

    I did a factory reset on the phone prior to the other test.

    This is why I am posting since I can't figure it out!

    Wednesday, January 19, 2011 3:47 PM
  • The only explanation is that the phone does not trust the Digicert certificate (and furthermore is looking for a domain to download the Root CA).

    Since you say Digicert… Visit this link: https://www.digicert.com/util/. Download the utility to your Edge and run it.

    Drago


    http://ocsdude.blogspot.com | MVP Snom OCS Edition
    Wednesday, January 19, 2011 7:04 PM