This article provides step-by-step troubleshooting for Microsoft Lync Server 2010 connectivity issues for external users with mobile devices. This article assumes that Lync Server 2010 Mobility Service and Lync Server 2010 Autodiscover Service are successfully deployed and internal users are able to connect using the Lync 2010 mobile client. It assumes that Lync Server clients can successfully connect to an external mobile device user without error messages or warnings for web services connectivity. This article does not include steps for troubleshooting push notifications for Windows Phone 7 and iOS devices.

Author: Edwin Joseph

Publication date: February 21, 2012

Product version: Microsoft Lync Server 2010 with Cumulative update for November 2012

Symptom

When a mobile device with a Lync 2010 client tries to connect to Lync Server 2010, the user receives the error message:

Can’t connect to the server. It might be unavailable. Also please check your network connection, sign-in address, and server addresses.

Troubleshooting

Note: The SIP domain used throughout this document is contoso.com; replace contoso.com with your actual SIP domain. Lyncexternal.contoso.com is the external web services URL of the pool.

Step 1. Autodiscover setup check

If you use Autodiscover Service to locate Lync Server 2010, the first step is to type the Autodiscover URL into the web browser. For example after typing https://lyncdiscover.contoso.com in the browser, you should receive a prompt to open or save the lyncdiscover_contoso.com file.

If you receive a warning or an error, check the browser settings. If you are prompted for authentication when browsing lyncdiscover.contoso.com, there is a configuration issue on the reverse proxy.

If you are unable to obtain the lyncdiscover_contoso.com file, perform a Nslookup for lyncdiscover.contoso.com. Verify that the A record is setup for lyncdiscover.contoso.com and that it points to the correct external IP address.

When you open the lyncdiscover_contoso.com file in notepad, you should see the following content.

{"AccessLocation":"External","Root":{"Links":[{"href":"https:\/\/lyncexternal.contoso.com\/Autodiscover\/AutodiscoverService.svc\/root\/domain","token":"Domain"},{"href":"https:\/\/lyncexternal.contoso.com\/Autodiscover\/AutodiscoverService.svc\/root\/user","token":"User"}]}}

The URL identified in the lyncdiscover_contoso.com file must be the external web services URL for the Lync Server 2010 Front End Server or Lync Server 2010 Director pool. If the internal web services URL is identified, the web publishing rule is incorrect and is bridging the connection to port 443 instead of port 4443 for the Lync external web services.

When you have verified that the A record for lyncdiscover.contoso.com is correct and that the URL returned in the lyncdiscover_contoso.com file is the external web services URL for the Lync Server Front End Server or Lync Server Director pool, you are ready to look at the Lync mobility setup.

Step 2. Check Web Services Internal URL

A prerequisite for the Lync mobility component is that the Front End pool internal web FQDN must be distinct from the Front End pool external web FQDN.

To configure internal web services

  1. Log on to the computer where Topology Builder is installed, as a member of the Domain Admins group and the RTCUniversalServerAdmins group.
  2. To start Topology Builder, click All Programs, click Microsoft Lync Server 2010, and then click Lync Server Topology Builder.
  3. In the Topology Builder console tree under Standard Edition Front End Servers, Enterprise Edition Front End pools, and Directory pools, select the pool name. Right-click the name, click Edit Properties, and click Web Services.
  4. Under Internal Web Services check the option Override FQDN.
  5. Add an Internal Web Services FQDN, and then click OK.
  6. Verify the listening and published ports are configured correctly for your environment.
  7. Repeat these steps for all Standard Edition Servers, Front End pools, and Director pools in your environment.
  8. In the console tree, click Lync Server 2010. In the Actions pane, click Publish Topology.

Step 3. MCX configuration check

Log on to the computer as a member of the CsAdministrator group. In the Lync Management Shell run the following cmdlet.

Get-CsMCXconfiguration |fl

Verify the ExposedWebUrl is set to External. If this value is set to the Internal, only your internal mobility client can connect to Lync Server. To set the value for ExposedWebUrl to external, use the following cmdlet.

Set-CsMcxConfiguration –ExposedWebUrl External

Step 4. DNS record check

Verify that the A record for Lyncdiscover is setup correctly in the internal DNS.

External DNS Records

Record type

Host name

Resolves to

CNAME

lyncdiscover.contoso.com

External Web Services FQDN for your Director pool, if you have one, or for your Front End pool if you do not have a Director

A (host)

lyncdiscover.contoso.com

External or public or IP address of the reverse proxy

Step 5. Certificate check

Refer to the certificate requirements in the Lync Server 2010 Mobility Guide.

If you are using a Director, verify the certificate.

Director Pool Certificate

Description

Subject alternative name entry

Internal Autodiscover Service URL

SAN=lyncdiscoverinternal.contoso.com

External Autodiscover Service URL

SAN=lyncdiscover.contoso.com

Note: Alternatively, you can use SAN= *.contoso.com.

Front End Pool Certificate

Description

Subject alternative name entry

Internal Autodiscover Service URL

SAN=lyncdiscoverinternal.contoso.com

External Autodiscover Service URL

SAN=lyncdiscover.contoso.com

Note: Alternatively, you can use SAN= *.contoso.com.

Reverse Proxy (Public CA) Certificate

Description

Subject alternative name entry

External Autodiscover Service URL

SAN=lyncdiscover.contoso.com

Note: Assign this certificate to the SSL Listener on the reverse proxy.

After completing the four steps outlined above, browse to the Autodiscover URL in web browser https://lyncdiscover.contoso.com.

You should receive a prompt to open or save the file Lyncdiscover_contoso.com.

If you still do not receive an option to open or save the file lyncdiscover_contoso.com, verify the reverse proxy setup. Refer to the Lync Server 2010 Mobility Guide.

Step 6. Domain file check

If you receive the option to open or save the lyncdiscover_contoso.com file in the web browser, proceed to step 5.

Try to browse to the following URL in your web browser. http://lyncdiscover.contoso.com/autodiscover/autodiscoverservice.svc/root/domain

You should receive a prompt to open or save the domain file.

When you open the domain file in notepad you should see the following content.

{"AccessLocation":"External","Domain":{"Links":[{"href":"https:\/\/lyncexternal.contoso.com\/Autodiscover\/AutodiscoverService.svc\/root","token":"External\/Autodiscover"},{"href":"https:\/\/lyncexternal.contoso.com\/Reach\/sip.svc","token":"External\/AuthBroker"},{"href":"https:\/\/lyncexternal.contoso.com\/Mcx\/McxService.svc","token":"External\/Mcx"}],"SipClientExternalAccess":{"fqdn":"edge.contoso.com","port":"5061"},"SipClientInternalAccess":null,"SipServerExternalAccess":{"fqdn":"edge.contoso.com","port":"5061"},"SipServerInternalAccess":null}}

The URL mentioned in the domain file must be the external web services URL for the Front End Server or Director pool. If the internal web services URL is returned, the web publishing rule is incorrect. This means that it is bridging the connection to port 443 instead of 4443 for Lync Server external web services.

If you are unable to download the Domain file, there is a problem with the reverse proxy configuration or authentication settings for web services in Lync Server 2010.

Step 7. Web Services authentication check

Try to browse the URL https://lyncexternal. contoso.com/mcx/mcxservice.svc/mex in your web browser.

Depending on your browser settings, you should see https://lyncexternal.contoso.com/Mcx/McxService.svc/WebTicket_Bearer in the browser or the XML SOAP information. This means the web services URL authentication setting is set to negotiate.

To quickly verify the web services URL authentication settings, use the Lync Management Shell to run the following cmdlet.

Get-CsWebServicesConfiguration |fl

Verify the value for the UseWindowsAuth parameter is set to Negotiate.

Step 8. Debug log from mobile device

Enable and collect debugging logs from a mobile device to verify the reverse proxy configuration.

Note: The logging information may contain personal information. To address privacy concerns, edit the log file in accordance with company guidelines before forwarding logging information.

To Enable logging on a Windows Phone

1. From any screen of the Lync for Windows Phone application, touch the ellipses, to bring up the menu, and then tap settings.

2. On the settings page, toggle Diagnostic Logging to the on position.

3. Close and exit Lync. Launch Lync and sign-in to reproduce the issue.

4. To send the logs, tap the ellipses to bring up the menu and tap about.

5. On the about page, tap send diagnostic logs. The logs are stored in your Saved Pictures folder. To send the logs, tap ok and attach the image to the email that opens automatically.

6. When the new email opens, tap the paperclip to attach the log file. Swipe the menu to change to date view and select the most recent Lync log identified by the Lync icon.

7. Type in the recipient’s name and tap send.

8. To review the log, open the received file in a text editor. The log has a .jpg extension. Change the file extension to .txt and open a text editor.

To Enable logging on an iPhone

1. To enable logging access the Logging option from My Info tab -> Options -> Logging.

2. Within the Send Feedback screen, you have the option to submit Bug.

3. After you have completed the feedback, click the Next button at the top of the screen. This brings up your iPhone email client. Use your corporate account to send the feedback.

Note: Logging on an iPad is similar to an iPhone.

To Enable logging on an Android device

1. After sign in, tap Options on the Signing in tab. On the Options page, tap Diagnostic logging to enable logging. Sign out and then sign in.

2. Recreate the issue. Return to the Options screen and tap About Lync.

3. Tap Send diagnostic logs and then choose a configured email account.

4. Enter the recipients and subject line information and tap Send. The logs are attached as a .zip file.

Sample error messages

Here are some errors you might see in the device logs from Windows Phone 7.

Error : 410674486 : HttpRequestPump : Got a failure response to request UnauthGethttps://lyncexternal.contoso.com/Autodiscover/AutodiscoverService.svc/root/user. Status: UnknownError. Code: 403.

Verbose : 410674486 : HttpRequestPump : Error status description for request UnauthGethttps://lyncexternal.contoso.com/Autodiscover/AutodiscoverService.svc/root/user is "Forbidden ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. )".

Error : 410674486 : MetadataManager : Web request to resolve failed. Error: HttpClientForbiddenError [Error, Transport, TransportFramework].

Here are some errors you might see in the device logs from an Android device.

ERROR TRANSPORT /mnt/hgfs/marvin_LyncRTM/dev/como/transport/metaDataManager/private/CMetaDataManager.cpp/511:Unable to get a response to an unauthenticated get to url https://Lyncexternal.contoso.com/autodiscover/autodiscoverservice.svc/root/user

ERROR TRANSPORT /mnt/hgfs/marvin_LyncRTM/dev/como/transport/authenticationResolver/private/CAuthenticationResolver.cpp/554:Unable to get the meta data for server url https://Lyncexternal.contoso.com/autodiscover/autodiscoverservice.svc/root/user

ERROR APPLICATION /mnt/hgfs/marvin_LyncRTM/dev/como/applicationLayer/infrastructure/private/CUcwaAutoDiscoveryServiceRetrialWrapper.cpp/348:Auto-discovery failed. Analysing the failure

ERROR APPLICATION /mnt/hgfs/marvin_LyncRTM/dev/como/applicationLayer/infrastructure/private/CLogonSession.cpp/1050:Auto-discovery failed, aborting sign-in!Error Samples

Here are some of the errors you might see in the device logs from an iPhone or iPad.

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

ERROR TRANSPORT /Users/comobuildadmin/se_wave1_idx/src/dev/CoMo/transport/_buildIos/../metaDataManager/private/CMetaDataManager.cpp/511:Unable to get a response to an unauthenticated get to url https://Lyncexternal.contoso.com/autodiscover/autodiscoverservice.svc/root/user

ERROR TRANSPORT /Users/comobuildadmin/se_wave1_idx/src/dev/CoMo/transport/_buildIos/../authenticationResolver/private/CAuthenticationResolver.cpp/562:Unable to get the meta data for server url https://Lyncexternal.contoso.com/autodiscover/autodiscoverservice.svc/root/user

ERROR APPLICATION /Users/comobuildadmin/se_wave1_idx/src/dev/CoMo/applicationLayer/_buildIos/../infrastructure/private/CUcwaAutoDiscoveryServiceRetrialWrapper.cpp/348:Auto-discovery failed. Analysing the failure

ERROR APPLICATION /Users/comobuildadmin/se_wave1_idx/src/dev/CoMo/applicationLayer/_buildIos/../infrastructure/private/CLogonSession.cpp/1050:Auto-discovery failed, aborting sign-in!

Note: Log information and verbosity varies as per device and platform.

These error messages indicate the client is having an issue authenticating with Lync Server 2010. First, verify that Authentication Delegation is verified on the reverse proxy publishing rule configuration. This must be set to No delegation, but client may authenticate directly. If the reverse proxy publishing rules are set to No delegate and client cannot authenticate directly, it fails to sign-in when it reaches the step to provide credentials to request a token after MEX retrieval.

Summary

This article describes a process to verify connectivity from an external Lync mobility client to Lync Server 2010.

  1. Browse to https://lyncdiscover.contoso.com. You will receive a prompt to open or save the lyncdiscover_contoso.com file.
  2. Browse to http://lyncdiscover.contoso.com/autodiscover/autodiscoverservice.svc/root/domain. You will receive a prompt you to open or save the Domain file.
  3. Browse to https://lyncexternal. contoso.com/mcx/mcxservice.svc/mex. Depending on your browser settings, you should see a banner for https://lyncexternal.contoso.com/Mcx/McxService.svc/WebTicket_Bearer or you should see XML SOAP information.

If are unable to connect, verifying the reverse proxy publishing rule configuration. If reverse proxy settings are correct, verify the Lync mobility settings as described in the Lync Server 2010 Mobility Guide. Verify that you have installed the latest updates for Lync Server 2010 Mobility Service. Service Here is the update for Lync Server 2010, Mobility Service: February 2012.

References

Lync Server Resources

We Want to Hear from You