This article discusses a possible solution for a problem commonly called hair-pinning. Hair-pinning can occur when a request is made by an internal Lync mobile client in a Lync Server 2010 environment with Lync Mobility Service deployed and enabled for both internal and external users. The solution provided in this article applies to a fully updated Forefront Threat Management Gateway 2010 Server deployed as the reverse proxy that publishes the external Lync Web services.

Author: Edwin Joseph, Microsoft Senior Support Engineer

Publication date: November 19, 2012

Product version: Microsoft Lync Server 2010 with Cumulative update for November 2012

Lync Server 2010 Mobility Service was introduced as part of the cumulative update for Lync Server 2010: November 2011. The Lync Server Mobility Service enables Lync functionality on supported mobile devices. When deployed, Lync Server 2010 Mobility Service users can use supported Apple iOS, Android, Windows Phone, or Nokia mobile devices to perform such activities as sending and receiving instant messages, viewing contacts, and viewing presence. In addition, mobile devices support some Enterprise Voice features, such as click to join a conference, Call via Work, single number reach, voice mail, and missed calls.

Based on the requirements of their organization, Lync administrators can enable the Lync Mobility feature for internal users only or for both internal and external users. Lync mobile clients connect using HTTP or HTTPS protocol. When Lync Mobility Service is enabled for external users, you must use a reverse proxy to publish the Mobility Service to external and internal users.

When Lync Mobility Service is enabled for both internal and external users, connecting both internal and external Lync mobile clients to Lync Server 2010 through a reverse proxy to the external Lync Web services reduces the number of registered endpoints. See Figure 1 below.

Figure 1: Expected Lync Server 2010 Mobility Request Flow

In many environments, enabling the Lync Mobility Service introduces the possibility for hair-pinning. This article discusses why hair-pinning may present a problem and how to work around the problem to successfully enable Lync Mobility Service for both internal and external users.

Hair-pinning in Threat Management Gateway

Hair-pinning occurs when communication traffic exits and enters the same interface on a network device. For example, when a request initiated by an internal user exits the internal TMG interface and immediately resolves to the external TMG interface, hair-pinning has occurred. Why is hair-pinning a problem? By default, interfaces on the same security level cannot communicate with each other, and packets cannot enter and exit the same interface. Therefore, hair-pinning creates a problem for most firewalls and routers. Using reverse proxies, however, alleviates the problem.

How to Fix Hair-Pinning in Threat Management Gateway

The solution is to let the internal interface of the reverse proxy handle requests from internal clients, instead of forwarding those requests to the external interface of the reverse proxy. In other words, to implement this workaround you must implement split-brain DNS. See Figure 2.

Figure 2: Recommended Lync Server 2010 Mobility Request Flow

To implement split-brain DNS.

  1. Change Internal DNS A record for external Lync Web services.
  2. Change the TTL value on the external Web services DNS records.
  3. Change setting of the web listener and publishing rule for external Lync Web services.

To change the internal DNS A record for external Lync Web services.

  1. Launch the DNS Management Console.
  2. Expand the domain.
  3. Open the properties of the A record for External Lync Web services.
  4. Change the IP address to the IP address of the internal interface of the reverse proxy.
  5. Click OK.

To change TTL for external Lync Web services host records.

The time to live (TTL) value for the external Web services A (host) record must be set to the minimum value on both the internal and the public DNS servers. This is important when users move between networks, because it enables Lync Mobility clients to connect to the external Web services with minimal disruption in service. Our recommendation is to set the TTL value to 30 seconds so that the device doesn't query DNS too often. However, this value can be set to match your infrastructure requirements.

To modify DNS TTL value for your Windows DNS servers please refer to HOW TO: Modify Time to Live on Domain Name System Records.
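The following PowerShell script is an added example, not part of the original article, that carries out the two DNS steps above (repointing the internal A record for the external Lync Web services FQDN at the internal TMG interface and lowering its TTL to 30 seconds) and then verifies the split-brain result by querying an internal and a public resolver. It uses the DnsServer module and Resolve-DnsName, which ship with Windows Server 2012 / Windows 8 and later; the zone name, host name, addresses and server names are assumptions and must be replaced with your own values.

```powershell
# Added example (not from the original article): repoint the internal A record for the
# external Lync Web services FQDN at the TMG internal interface, set a 30-second TTL,
# then verify that internal and public resolvers give the expected split-brain answers.
# Requires the DnsServer module and Resolve-DnsName (Windows Server 2012 / Windows 8+).
# All names and addresses below are assumptions: replace them with your own values.

$ZoneName       = 'contoso.com'        # assumed internal DNS zone
$RecordName     = 'lyncweb'            # assumed external Lync Web services host name
$InternalTmgIp  = '10.0.0.50'          # assumed IP of the TMG internal interface
$PublicTmgIp    = '203.0.113.50'       # assumed public IP on the TMG external interface
$InternalDnsSrv = 'dc01.contoso.com'   # assumed internal DNS server
$PublicDnsSrv   = '8.8.8.8'            # any public resolver, for the outside view
$TtlSeconds     = 30                   # TTL recommended by the article

# 1. Read the current A record from the internal zone (the article assumes one record).
$old = Get-DnsServerResourceRecord -ComputerName $InternalDnsSrv -ZoneName $ZoneName `
           -Name $RecordName -RRType A | Select-Object -First 1
if (-not $old) { throw "No A record '$RecordName' in zone '$ZoneName' on $InternalDnsSrv" }

# 2. Clone it, point it at the TMG internal interface and lower the TTL, then replace it.
$new = $old.Clone()
$new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($InternalTmgIp)
$new.TimeToLive = [System.TimeSpan]::FromSeconds($TtlSeconds)
Set-DnsServerResourceRecord -ComputerName $InternalDnsSrv -ZoneName $ZoneName `
    -OldInputObject $old -NewInputObject $new

# 3. Verify the split-brain view: the internal resolver must answer with the TMG
#    internal interface, the public resolver with the public address, both with a
#    TTL no longer than the recommended value.
$fqdn = "$RecordName.$ZoneName"
$internalAnswer = @(Resolve-DnsName -Name $fqdn -Type A -Server $InternalDnsSrv -DnsOnly)
$publicAnswer   = @(Resolve-DnsName -Name $fqdn -Type A -Server $PublicDnsSrv   -DnsOnly)

$problems = @()
if ($internalAnswer.IPAddress -notcontains $InternalTmgIp) {
    $problems += "internal view resolves $fqdn to $($internalAnswer.IPAddress -join ','), expected $InternalTmgIp"
}
if ($publicAnswer.IPAddress -notcontains $PublicTmgIp) {
    $problems += "public view resolves $fqdn to $($publicAnswer.IPAddress -join ','), expected $PublicTmgIp"
}
foreach ($answer in ($internalAnswer + $publicAnswer)) {
    if ($answer.TTL -gt $TtlSeconds) {
        $problems += "answer $($answer.IPAddress) for $fqdn has TTL $($answer.TTL)s, expected <= $TtlSeconds"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Split-brain DNS for $fqdn is in place with TTL <= $TtlSeconds seconds."
}
```

Run the script from a workstation that can reach both the internal DNS server and a public resolver. A warning about the internal view means an internal mobile client would still resolve the external Web services name to the public address and hair-pin through the TMG external interface; a warning about the TTL means roaming clients will hold the wrong address for longer than the article's recommendation.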

To change settings of the web listener and publishing rule for external Lync Web services.

  1. Launch the TMG Management Console.
  2. Open the properties of the SSL Listener associated with external Lync Web services.
     a. Enable the following networks for the SSL listener.
        i. External
        ii. Internal
        iii. Local Host
        Note: If you have multiple external and internal interfaces, you may need to specify by IP address.
     b. Click Apply, and then click OK.

Figure 3: TMG web listener properties

  3. Open the properties of the TMG rule associated with external Lync Web services.
     a. Select the From tab.
     b. Locate the configuration of the Source network.
     c. Verify that either Anywhere is enabled, or that External, Internal, and Local Host are enabled.
     d. Select the Bridging tab.
     e. Verify that you are bridging HTTPS traffic from port 443 to port 4443.
     f. Click Apply, and then click OK.

Figure 4: TMG web publishing rule properties

Figure 5: TMG web publishing rule properties

  4. Apply the configuration changes.

Limitations

When a user moves from the internal to the external network or vice versa, their ability to send and receive IM messages is disrupted for a short period of time. We have noticed that when the external Web services host record is set to a 30-second TTL, on average it takes about five minutes after changing networks for the end user to be able to send and receive IM and view presence updates. This is because mobile devices cache DNS record information.

Summary

The solution to hair-pinning in TMG is to direct internal Lync mobile client requests to the internal interface of TMG, rather than allowing them to pass through TMG and enter using the external interface of the TMG server.
