External DNS SRV record for Lync 2010 RRS feed

  • Question

  • Hello,

    I am currently trying to set up external access through an Edge server for our Lync 2010 environment. I'd like to use the SRV record in our external DNS for Lync autodiscovery. However, our provider doesn't support the _tls subdomain; only _tcp and _udp are available. This would leave us with either _sip._tls_._tcp.domain.nl or _sip._tcp.domain.nl. As far as I know, both these options are unsupported.

    Technically I could use sipexternal.domain.nl, but then I'd need to order a SAN certificate for my TMG server. I've currently published my Edge with a free StartSSL certificate for the domains uc.domain.nl and domain.nl.

    Is there any other option for me?

    Ruud van Strijp


    Ruud van Strijp - IT Engineer at Kreuze Telecom. Did NID in the Netherlands: MCSE2003, CCNA, CCDA, CCNP, CCDP.
    Monday, February 21, 2011 12:18 PM

Answers

  • Hi, after resolving _sip._tls.domain.com fails, the Communicator will try to resolve sipexternal.domain.com, but in this scenario, certificate validation will fail.

    "Communicator discovery varies based on configuration. After the client discovers the server to connect to, it tries to connect by using TCP or TLS over TCP. If TLS is used, the server provides a certificate to authenticate itself to the client. The client must validate the certificate before it continues. The client might negotiate compression (if using TLS over TCP), and then it initiates a SIP registration."

    So for your scenario, I would recommend you use _sip._tls.domain.com in your external DNS server.

    I would recommend you read this document; although it describes OCS 2007 R2, it also applies to Lync Server 2010.

    http://technet.microsoft.com/en-us/library/dd637152(office.13).aspx


    • Marked as answer by Ben-Shun Zhu Wednesday, March 2, 2011 10:06 AM
    Tuesday, February 22, 2011 9:34 AM

All replies

  • Hi,

    Thanks for your reply. Too bad, using _sip._tls.domain.com is not an option; our DNS provider doesn't support the _tls protocol identifier; only _tcp and _udp are available.

    So I think the only option we have would be to use sipexternal.domain.com as our Lync domain, instead of uc.domain.com. Or switch to a different DNS provider ;)

    Ruud van Strijp


    Ruud van Strijp - IT Engineer at Kreuze Telecom. Did NID in the Netherlands: MCSE2003, CCNA, CCDA, CCNP, CCDP.
    Tuesday, February 22, 2011 9:46 AM
  • Hi Ruud,

    You could use _sipexternaltls._tcp.domain.com. Thanks,

    Luke

    Saturday, February 26, 2011 11:18 PM
  • Hey guys,

    Can you please verify that the _sip._tls.domain.net SRV port should be set to 5061, not 443!!!


    Non-authoritative answer:
    _sip._tls.domain.net    SRV service location:
              priority       = 0
              weight         = 0
              port           = 5061
              svr hostname   = sip.domain.net

    Microsoft, please fix this documentation!!!

    http://technet.microsoft.com/en-us/library/gg412787.aspx


    Z-Hire -- Automate IT Account creation process
    Z-Term -- Automate IT account termination process
    Monday, September 12, 2011 11:35 PM
  • I have the same comment as Denny415.

    We had the _sip._tls.domain.com record pointing to hostname.domain.com port 443, which did not work! Once I changed this to hostname.domain.com port 5061, it worked!

    Can someone confirm that this is the way to go?
    I have to say that our edge server is using only 1 single public IP address for all 3 roles:

    A/V service on port 443
    WEB Conf on port 444
    SIP on port 5061

    thanks

    Monday, October 10, 2011 3:09 PM
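As an added example (not code from this thread, from Microsoft, or from any of the posters), the Python script below simulates the client-side lookup order quoted in the accepted answer (the _sip._tls SRV record first, then the sipexternal.<domain> host) against constructed zone data, and then runs the two checks this thread turns on: whether the discovered host name is covered by the Edge certificate's subject alternative names (the validation failure the answer warns about for sipexternal), and whether the SRV port lands on the Access Edge SIP listener rather than the A/V or web-conferencing role sharing the same public IP (the 5061-versus-443 question raised by Denny415 and Jeoffb). The zone contents, the 203.0.113.10 address and the port-to-role map are constructed assumptions; the SAN list is the one from the original question.

```python
"""Added example, not code from the TechNet thread.

Simulates Lync client autodiscovery (as described in the accepted answer)
over constructed DNS data and checks the result against the Edge
certificate's SANs and the Edge's port-to-role layout.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def discover(zone, sip_domain):
    """Follow the order the answer describes: the _sip._tls SRV record first,
    then the sipexternal.<domain> host. `zone` is a constructed dict mapping an
    owner name to a list of SrvRecord (SRV) or to an address string (A record).
    Returns (host, port, source) or None; an A-record fallback carries no port."""
    srv = zone.get(f"_sip._tls.{sip_domain}")
    if srv:
        # RFC 2782 selection: lowest priority wins; among equals prefer higher weight.
        best = min(srv, key=lambda r: (r.priority, -r.weight))
        return best.target, best.port, "srv"
    fallback = f"sipexternal.{sip_domain}"
    if fallback in zone:
        return fallback, None, "a-record"
    return None


def name_matches_cert(host, sans):
    """True if `host` is an exact SAN entry or matches a single-label wildcard SAN."""
    host = host.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san.startswith("*."):
            suffix = san[2:]
            # a wildcard covers exactly one extra label to the left of the suffix
            if host.endswith("." + suffix) and host.count(".") == suffix.count(".") + 1:
                return True
        elif host == san:
            return True
    return False


def evaluate(zone, sip_domain, cert_sans, edge_ports):
    """Run discovery and return a list of findings; an empty list means the
    sign-in path looks sound. `edge_ports` maps a listening port on the shared
    Edge IP to the role behind it (constructed from Jeoffb's layout)."""
    found = discover(zone, sip_domain)
    if found is None:
        return ["no _sip._tls SRV record and no sipexternal host: client cannot locate the Edge"]
    host, port, source = found
    findings = []
    if not name_matches_cert(host, cert_sans):
        findings.append(
            f"{host} is not covered by the Edge certificate SANs {sorted(cert_sans)}: "
            "TLS validation will fail"
        )
    if source == "srv" and edge_ports.get(port) != "sip":
        findings.append(
            f"SRV port {port} is served by {edge_ports.get(port, 'nothing')} on the shared "
            "Edge IP, not the Access Edge (SIP) listener"
        )
    return findings


# Constructed sample data (assumptions, not a live zone). The SAN set is the one
# from the original question; the port map is the single-IP layout Jeoffb posted.
EDGE_CERT_SANS = {"uc.domain.nl", "domain.nl"}
EDGE_PORTS = {5061: "sip", 443: "av", 444: "webconf"}

ZONE_GOOD = {
    "_sip._tls.domain.nl": [SrvRecord(0, 0, 5061, "uc.domain.nl")],
    "uc.domain.nl": "203.0.113.10",
}
ZONE_PORT_443 = {
    "_sip._tls.domain.nl": [SrvRecord(0, 0, 443, "uc.domain.nl")],
    "uc.domain.nl": "203.0.113.10",
}
# Provider allows only _tcp/_udp labels, so no _sip._tls record can exist.
ZONE_NO_TLS_LABEL = {
    "sipexternal.domain.nl": "203.0.113.10",
    "uc.domain.nl": "203.0.113.10",
}

if __name__ == "__main__":
    for label, zone in [("good", ZONE_GOOD), ("port 443", ZONE_PORT_443),
                        ("no _tls label", ZONE_NO_TLS_LABEL)]:
        print(f"{label}: {evaluate(zone, 'domain.nl', EDGE_CERT_SANS, EDGE_PORTS) or 'OK'}")
```

Running the script reports the three situations from the thread side by side: the SRV record on 5061 pointing at a name in the certificate passes; the same record on 443 is flagged because, on a single-IP Edge, 443 belongs to the A/V role; and the sipexternal fallback is flagged because that name is absent from the certificate, which is exactly why Ruud would have needed a new SAN certificate.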
  • Are you by any chance using a load balancer? I was having a similar issue and it ended up being that the F5 Lync Deployment Guide was wrong on page 7. I had to reconfigure the virtual server for 443 to be the same as the 5061 virtual server. Then I was able to get it working on 443.

    Hope that helps anyone that may be having this issue with an F5.

    Monday, October 17, 2011 2:34 AM
  • Hello

    I have configured my Edge and am using NAT ... 2 Edge servers. All records are created, including _sip._tls.abc.com pointing to 443 and the SIP address lync.abc.com.

    Now when I try to sign in, I am not able to. The SIP address I am using is lync.abc.com, but when I add port 443 (lync.abc.com:443) then I am able to log on. Can you please let me know why this is so ..

    Thursday, January 10, 2013 4:48 PM
  • I have the same situation as Jeoffb set up in our test environment. We're using a single public IP address and the following ports:

    SIP access: 5061

    A/V service: 443

    Web conferencing services: 444

    I'm unable to log in - all it does is ask for the password (does this mean it reached the Edge server?) and then it just says "Contacting server and signing in..." forever. I've tried both ports 443 and 5061 for the _sip._tls.domain.com SRV record.

    Does anyone know what the issue could be?

    EDIT: It turns out that our firewall wasn't allowing traffic through port 5061. Once the rule was re-enabled, I was able to sign in.

    • Edited by dkhouri Tuesday, February 19, 2013 8:26 AM
    Tuesday, February 19, 2013 7:35 AM