Check out the most comprehensive, actively managed Lync blog roll in the known universe, your one-stop source for links to over 100 of the very best Lync blogs. Here you will also find weekly blog highlights and a feed for a dozen of the top blogs.
Lync Server Support Home
Top Lync Solutions RSS Feed
Microsoft Senior Support engineers walk you through real-life support cases, giving you an insider’s view into the systematic approach they use to troubleshoot Lync Server issues.
These short videos focus on specific tasks and show you how to accomplish them for Microsoft Lync Server 2010.
This article discusses a possible solution for a problem commonly called hair-pinning. Hair-pinning can occur when a request is made by an internal Lync mobile client -- in a Lync Server 2010 environments with Lync Mobility Service deployed and enabled for both internal and external users. The solution provided in this article applies to the fully updated Forefront Threat Management Gateway 2010 Server deployed as reverse proxy for publishing External Lync Web services.
Author: Edwin Joseph, Microsoft Senior Support Engineer
Publication date: November 19, 2012
Product version: Microsoft Lync Server 2010 with Cumulative update for November 2012
Lync Server 2010 Mobility Service was introduced as part of the cumulative update for Lync Server 2010: November 2011. The Lync Server Mobility Service enables Lync functionality on supported mobile devices. When deployed, Lync Server 2010 Mobility Service users can use supported Apple iOS, Android, Windows Phone, or Nokia mobile devices to perform such activities as sending and receiving instant messages, viewing contacts, and viewing presence. In addition, mobile devices support some Enterprise Voice features, such as click to join a conference, Call via Work, single number reach, voice mail, and missed calls.
Based on the requirements of their organization, Lync administrators can enable the Lync Mobility feature for internal users only or for both internal and external users. Lync mobile clients connect using HTTP or HTTPS protocol. When Lync Mobility Service is enabled for external users, you must use a reverse proxy to publish the Mobility Service to external and internal users.
When Lync Mobility Service is enabled for both internal and external users, connecting both internal and external Lync mobile clients to Lync Server 2010 through a reverse proxy to the external Lync Web services reduces the number of registered endpoints. See Figure 1 below.
Figure 1: Expected Lync Server 2010 Mobility Request Flow
In many environments, enabling the Lync Mobility Service introduces the possibility for hair-pinning. This article discusses why hair-pinning may present a problem and how to work around the problem to successfully enable Lync Mobility Service for both internal and external users.
Hair-pinning occurs when communication traffic exits and enters the same interface on a network device. For example, when a request is initiated by an internal user exits the internal TMG interface and immediately resolves to the external TMG interface, hair-pining has occurred. Why is hair-pinning problem? By default, interfaces on the same security level cannot communicate with each other. Packets cannot enter and exit the same interface. Therefore, hair-pinning creates a problem for most firewalls and routers. Using reverse proxies, however, alleviates the problem.
The solution is to let the internal interface of the reverse proxy handle requests for internal clients, instead of forwarding the request to the external interface of the reverse proxy. In other words, to implement this work around you must implement a split brain DNS. See Figure 2.
Figure 2: Recommended Lync Server 2010 Mobility Request Flow
To implement a split brain DNS.
To change the internal DNS A record for external Lync Web services.
To change TTL for external Lync Web services host records.
The time to live (TTL) value for the external Web services A or host record must be set to minimum value both in the internal and public DNS servers. This is important when users move between networks because it enables Lync Mobility clients to connect to external web services with minimal disruption in services. Our recommendation is to set the TTL value to 30 seconds so that the device doesn’t query DNS too often. However, this value can be set to match your infrastructure requirements.
To modify DNS TTL value for your Windows DNS servers please refer to HOW TO: Modify Time to Live on Domain Name System Records.
1. Launch the TMG Management Console.
2. Open the properties of the SSL Listener associated with external Lync Web services.
a. Enable the following networks for the SSL listener.
iii. Local Host
Note: If you have multiple external and internal interfaces, you may need to specify by IP address.
b. Click Apply, and then click OK.
Figure 3: TMG web listener properties
3. Open the properties of the TMG rule associated with external Lync Web services.
a. Select the From tab.
b. Locate the configuration of the Source network.
c. Verify that either anywhere is enabled, or verify that External, Internal, and Local Host are enabled.
d. Select the Bridging tab.
e. Verify that you are bridging HTTPS traffic from port 443 to port 4443.
f. Click Apply, and then click OK.
Figure 4 : TMG web publishing rule properties
Figure 5 : TMG web publishing rule properties
4. Apply the configuration changes.
When a user moves from an internal to external network or vice versa, their ability to send and receive IM message is disrupted for a short period of time. We have noticed that when the external Web services host record is set to 30 second TTL, on average it takes about five minutes after changing networks for the end user to be able to send and receive IM and view presence updates. This is due to the fact that mobile devices cache the DNS records information.
The solution to the hair-pining in TMG is to direct internal Lync mobile client requests to the internal interface of TMG, rather than allowing them to pass through the TMG and enter using the external interface of the TMG server.
h4>Lync Server Resources