This article discusses a possible solution for a problem commonly called hair-pinning. Hair-pinning can occur when a request is made by an internal Lync mobile client in a Lync Server 2010 environment with Lync Mobility Service deployed and enabled for both internal and external users. The solution provided in this article applies to a fully updated Forefront Threat Management Gateway (TMG) 2010 server deployed as a reverse proxy for publishing external Lync Web services.
Author: Edwin Joseph, Microsoft Senior Support Engineer
Publication date: November 19, 2012
Product version: Microsoft Lync Server 2010 with Cumulative update for November 2012
Lync Server 2010 Mobility Service was introduced as part of the cumulative update for Lync Server 2010: November 2011. The Lync Server Mobility Service enables Lync functionality on supported mobile devices. When deployed, Lync Server 2010 Mobility Service users can use supported Apple iOS, Android, Windows Phone, or Nokia mobile devices to perform such activities as sending and receiving instant messages, viewing contacts, and viewing presence. In addition, mobile devices support some Enterprise Voice features, such as click to join a conference, Call via Work, single number reach, voice mail, and missed calls.
Based on the requirements of their organization, Lync administrators can enable the Lync Mobility feature for internal users only or for both internal and external users. Lync mobile clients connect using the HTTP or HTTPS protocol. When Lync Mobility Service is enabled for external users, you must use a reverse proxy to publish the Mobility Service to external and internal users.
When Lync Mobility Service is enabled for both internal and external users, connecting both internal and external Lync mobile clients to Lync Server 2010 through a reverse proxy to the external Lync Web services reduces the number of registered endpoints. See Figure 1 below.
Figure 1: Expected Lync Server 2010 Mobility Request Flow
In many environments, enabling the Lync Mobility Service introduces the possibility for hair-pinning. This article discusses why hair-pinning may present a problem and how to work around the problem to successfully enable Lync Mobility Service for both internal and external users.
Hair-pinning occurs when communication traffic exits and enters the same interface on a network device. For example, when a request initiated by an internal user exits the internal TMG interface and immediately resolves to the external TMG interface, hair-pinning has occurred. Why is hair-pinning a problem? By default, interfaces on the same security level cannot communicate with each other, and packets cannot enter and exit the same interface. Therefore, hair-pinning creates a problem for most firewalls and routers. Using reverse proxies, however, alleviates the problem.
The solution is to let the internal interface of the reverse proxy handle requests from internal clients, instead of forwarding the request to the external interface of the reverse proxy. In other words, to implement this workaround you must implement a split-brain DNS. See Figure 2.
Figure 2: Recommended Lync Server 2010 Mobility Request Flow
To implement a split-brain DNS
To change the internal DNS A record for external Lync Web services
To change the TTL for external Lync Web services host records
The time to live (TTL) value for the external Web services A (host) record must be set to a minimum value in both the internal and public DNS servers. This is important when users move between networks, because it enables Lync Mobility clients to connect to the external Web services with minimal service disruption. Our recommendation is to set the TTL value to 30 seconds so that the device doesn't query DNS too often. However, this value can be set to match your infrastructure requirements.
To modify the DNS TTL value on your Windows DNS servers, please refer to HOW TO: Modify Time to Live on Domain Name System Records.
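The split-brain DNS change above, as an added example that is not part of the original article: it sets the internal A record for the external Lync Web services FQDN to the TMG internal interface with a 30-second TTL, then checks that the internal and public views differ as intended. It assumes the Windows DnsServer module (Windows Server 2012 or later); the zone, host name, IP addresses and server names are placeholders, and the public-DNS TTL can only be verified here, not changed.

```powershell
# Added example, not from the original article. All names/addresses are placeholders.
$ZoneName       = 'contoso.com'        # internal copy of the public zone
$HostName       = 'lyncweb'            # external Lync Web services host record
$TmgInternalIp  = '10.0.0.50'          # TMG internal (LAN-facing) interface
$TmgExternalIp  = '203.0.113.10'       # public IP published in external DNS
$TtlSeconds     = 30                   # TTL recommended in the article
$InternalDns    = 'dc01.contoso.com'   # internal DNS server to update and query
$PublicResolver = '8.8.8.8'            # any resolver that sees the public zone
$Fqdn = "$HostName.$ZoneName"
$Ttl  = New-TimeSpan -Seconds $TtlSeconds

# 1. Point the INTERNAL A record at the TMG internal interface with a short TTL.
$existing = Get-DnsServerResourceRecord -ComputerName $InternalDns -ZoneName $ZoneName `
                -Name $HostName -RRType A -ErrorAction SilentlyContinue
foreach ($rec in $existing) {
    $new = $rec.Clone()
    $new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($TmgInternalIp)
    $new.TimeToLive = $Ttl
    Set-DnsServerResourceRecord -ComputerName $InternalDns -ZoneName $ZoneName `
        -OldInputObject $rec -NewInputObject $new
}
if (-not $existing) {
    Add-DnsServerResourceRecordA -ComputerName $InternalDns -ZoneName $ZoneName `
        -Name $HostName -IPv4Address $TmgInternalIp -TimeToLive $Ttl
}

# 2. Verify the split-brain view: inside the network the name must NOT resolve
#    to the public IP, otherwise internal clients will still hair-pin through TMG.
$internalA = @(Resolve-DnsName -Name $Fqdn -Type A -Server $InternalDns -DnsOnly |
               Where-Object Type -eq 'A')
$publicA   = @(Resolve-DnsName -Name $Fqdn -Type A -Server $PublicResolver -DnsOnly |
               Where-Object Type -eq 'A')
$internalIps = $internalA | ForEach-Object IPAddress

if ($internalIps -contains $TmgExternalIp) {
    Write-Warning "$Fqdn resolves to the TMG external IP from inside: hair-pinning is still possible."
} elseif ($internalIps -contains $TmgInternalIp) {
    Write-Host "OK: $Fqdn resolves internally to the TMG internal interface ($TmgInternalIp)."
} else {
    Write-Warning "$Fqdn resolves internally to [$($internalIps -join ', ')]; expected $TmgInternalIp."
}

# 3. Both views should carry the short TTL so roaming devices re-resolve quickly.
foreach ($view in @{ internal = $internalA; public = $publicA }.GetEnumerator()) {
    foreach ($a in $view.Value) {
        if ($a.TTL -gt $TtlSeconds) {
            Write-Warning "$($view.Key) DNS returns TTL $($a.TTL)s for $Fqdn; expected <= $TtlSeconds."
        }
    }
}
```

Run it on a machine that can reach both the internal DNS server and a public resolver; a TTL warning for the public view means the record at your public DNS provider still needs to be lowered.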
1. Launch the TMG Management Console.
2. Open the properties of the SSL Listener associated with external Lync Web services.
a. Enable the following networks for the SSL listener.
iii. Local Host
Note: If you have multiple external and internal interfaces, you may need to specify by IP address.
b. Click Apply, and then click OK.
Figure 3: TMG web listener properties
3. Open the properties of the TMG rule associated with external Lync Web services.
a. Select the From tab.
b. Locate the configuration of the Source network.
c. Verify that either Anywhere is enabled, or that External, Internal, and Local Host are enabled.
d. Select the Bridging tab.
e. Verify that you are bridging HTTPS traffic from port 443 to port 4443.
f. Click Apply, and then click OK.
Figure 4: TMG web publishing rule properties
Figure 5: TMG web publishing rule properties
4. Apply the configuration changes.
When a user moves from an internal to an external network or vice versa, their ability to send and receive IM messages is disrupted for a short period of time. We have noticed that when the external Web services host record is set to a 30-second TTL, on average it takes about five minutes after changing networks for the end user to be able to send and receive IM and view presence updates. This is because mobile devices cache the DNS record information.
The solution to the hair-pinning in TMG is to direct internal Lync mobile client requests to the internal interface of TMG, rather than allowing them to pass through the TMG and enter using the external interface of the TMG server.
Any early front runner to replace TMG in Lync deployments since it is no longer available for sale?
Thanks for the great article.
Great post, but disappointing knowing that Microsoft will discontinue TMG Server 2012 starting December this year.
F5 Networks has a reverse proxy solution for Microsoft applications such as Exchange, SharePoint and Lync. Check this out for more detail. www.f5.com/.../microsoft-lync-iapp-dg.pdf
FYI, I work for F5.
I think probably it would be UAG; this is my thought based upon the security or reverse proxy solution that we provide currently.