Troubleshooting External Lync Mobility

Connectivity Issues Step-by-Step

This article provides step-by-step troubleshooting for Microsoft Lync Server 2010 connectivity issues for
external users with mobile devices. This article assumes that Lync Server 2010 Mobility Service and Lync Server 2010
Autodiscover Service are successfully deployed and internal users are able to connect using the Lync 2010 mobile
client. It assumes that Lync Server clients can successfully connect to an external mobile device user without error
messages or warnings for web services connectivity. This article does not include steps for troubleshooting push
notifications for Windows Phone 7 and iOS devices.

Product version: Microsoft Lync Server 2010 with Cumulative update for November 2012

Symptom
When a mobile device with a Lync 2010 client tries to connect to Lync Server 2010, the user receives the error
message:

Can’t connect to the server. It might be unavailable. Also please check your network connection, sign-in
address, and server addresses.

Troubleshooting
Note: The SIP domain used throughout this document is contoso.com; replace contoso.com with your actual SIP
domain. Lyncexternal.contoso.com is the external web services URL of the pool.

Step 1. Autodiscover setup check

If you use Autodiscover Service to locate Lync Server 2010, the first step is to type the Autodiscover URL into the
web browser. For example after typing https://lyncdiscover.contoso.com in the browser, you should receive a
prompt to open or save the lyncdiscover_contoso.com file.

If you receive a warning or an error, check the browser settings. If you are prompted for authentication when
browsing lyncdiscover.contoso.com, there is a configuration issue on the reverse proxy.

If you are unable to obtain the lyncdiscover_contoso.com file, perform a Nslookup for lyncdiscover.contoso.com.
Verify that the A record is setup for lyncdiscover.contoso.com and that it points to the correct external IP address.

When you open the lyncdiscover_contoso.com file in notepad, you should see the following content.

{"AccessLocation":"External","Root":{"Links":[{"href":"https://lyncexternal.contoso.com/Autodiscover/Autodiscove
rService.svc/root/domain","token":"Domain"},{"href":"https://lyncexternal.contoso.com/Autodiscover/Autodiscover
Service.svc/root/user","token":"User"}]}}

The URL identified in the lyncdiscover_contoso.com file must be the external web services URL for the Lync Server
2010 Front End Server or Lync Server 2010 Director pool. If the internal web services URL is identified, the web
publishing rule is incorrect and is bridging the connection to port 443 instead of port 4443 for the Lync external
web services.

When you have verified that the A record for lyncdiscover.contoso.com is correct and that the URL returned in the
lyncdiscover_contoso.com file is the external web services URL for the Lync Server Front End Server or Lync Server
Director pool, you are ready to look at the Lync mobility setup.

Step 2. Check Web Services Internal URL

A prerequisite for the Lync mobility component is that the Front End pool internal web FQDN must be distinct
from the Front End pool external web FQDN.
To configure internal web services

1. Log on to the computer where Topology Builder is installed, as a member of the Domain Admins group
and the RTCUniversalServerAdmins group.
2. To start Topology Builder, click All Programs, click Microsoft Lync Server 2010, and then click Lync
Server Topology Builder.
3. In the Topology Builder console tree under Standard Edition Front End Servers, Enterprise Edition
Front End pools, and Directory pools, select the pool name. Right-click the name, click Edit Properties,
and click Web Services.
4. Under Internal Web Services check the option Override FQDN.
5. Add an Internal Web Services FQDN, and then click OK.
6. Verify the listening and published ports are configured correctly for your environment.
7. Repeat these steps for all Standard Edition Servers, Front End pools, and Director pools in your
environment.
8. In the console tree, click Lync Server 2010. In the Actions pane, click Publish Topology.

Step 3. MCX configuration check

Log on to the computer as a member of the CsAdministrator group. In the Lync Management Shell run the
following cmdlet.

Get-CsMCXconfiguration |fl

Verify the ExposedWebUrl is set to External. If this value is set to the Internal, only your internal mobility client
can connect to Lync Server. To set the value for ExposedWebUrl to external, use the following cmdlet.

Set-CsMcxConfiguration –ExposedWebUrl External

Step 4. DNS record check

Verify that the A record for Lyncdiscover is setup correctly in the internal DNS.

External DNS Records

Record type Host name Resolves to

CNAME lyncdiscover.contoso.com External Web Services FQDN for
your Director pool, if you have
one, or for your Front End pool if
you do not have a Director
A (host) lyncdiscover.contoso.com External or public or IP address of
the reverse proxy
Step 5. Certificate check

Refer to the certificate requirements in the Lync Server 2010 Mobility Guide.

If you are using a Director, verify the certificate.

Director Pool Certificate

Description Subject alternative name entry

Internal Autodiscover Service URL SAN=lyncdiscoverinternal.contoso.com
External Autodiscover Service URL SAN=lyncdiscover.contoso.com
Note: Alternatively, you can use SAN= *.contoso.com.

Front End Pool Certificate

Description Subject alternative name entry

Internal Autodiscover Service URL SAN=lyncdiscoverinternal.contoso.com
External Autodiscover Service URL SAN=lyncdiscover.contoso.com
Note: Alternatively, you can use SAN= *.contoso.com.

Reverse Proxy (Public CA) Certificate

Description Subject alternative name entry

External Autodiscover Service URL SAN=lyncdiscover.contoso.com
Note: Assign this certificate to the SSL Listener on the reverse proxy.

After completing the four steps outlined above, browse to the Autodiscover URL in web browser
https://lyncdiscover.contoso.com.

You should receive a prompt to open or save the file Lyncdiscover_contoso.com.

If you still do not receive an option to open or save the file lyncdiscover_contoso.com, verify the reverse proxy
setup. Refer to the Lync Server 2010 Mobility Guide.

Step 6. Domain file check

If you receive the option to open or save the lyncdiscover_contoso.com file in the web browser, proceed to step 5.

Try to browse to the following URL in your web

browser. http://lyncdiscover.contoso.com/autodiscover/autodiscoverservice.svc/root/domain

You should receive a prompt to open or save the domain file.

When you open the domain file in notepad you should see the following content.

{"AccessLocation":"External","Domain":{"Links":[{"href":"https://lyncexternal.contoso.com/Autodiscover/Autodiscove
rService.svc/root","token":"External/Autodiscover"},{"href":"https://lyncexternal.contoso.com/Reach/sip.svc","token":"E
xternal/AuthBroker"},{"href":"https://lyncexternal.contoso.com/Mcx/McxService.svc","token":"External/Mcx"}],"SipClien
tExternalAccess":{"fqdn":"edge.contoso.com","port":"5061"},"SipClientInternalAccess":null,"SipServerExternalAccess":{"f
qdn":"edge.contoso.com","port":"5061"},"SipServerInternalAccess":null}}

The URL mentioned in the domain file must be the external web services URL for the Front End Server or Director
pool. If the internal web services URL is returned, the web publishing rule is incorrect. This means that it is
bridging the connection to port 443 instead of 4443 for Lync Server external web services.

If you are unable to download the Domain file, there is a problem with the reverse proxy configuration or
authentication settings for web services in Lync Server 2010.

Step 7. Web Services authentication check

Try to browse the URL https://lyncexternal. contoso.com/mcx/mcxservice.svc/mex in your web browser.

Depending on your browser settings, you should

see https://lyncexternal.contoso.com/Mcx/McxService.svc/WebTicket_Bearer in the browser or the XML SOAP
information. This means the web services URL authentication setting is set to negotiate.

To quickly verify the web services URL authentication settings, use the Lync Management Shell to run the
following cmdlet.

Get-CsWebServicesConfiguration |fl

Verify the value for the UseWindowsAuth parameter is set to Negotiate.

Step 8. Debug log from mobile device

Enable and collect debugging logs from a mobile device to verify the reverse proxy configuration.
Note: The logging information may contain personal information. To address privacy concerns, edit the log file in
accordance with company guidelines before forwarding logging information.

To Enable logging on a Windows Phone

1. From any screen of the Lync for Windows Phone application, touch the ellipses, to bring up the menu, and then
tap settings.

2. On the settings page, toggle Diagnostic Logging to the on position.

3. Close and exit Lync. Launch Lync and sign-in to reproduce the issue.

4. To send the logs, tap the ellipses to bring up the menu and tap about.

5. On the about page, tap send diagnostic logs. The logs are stored in your Saved Pictures folder. To send the
logs, tap ok and attach the image to the email that opens automatically.

6. When the new email opens, tap the paperclip to attach the log file. Swipe the menu to change to date view and
select the most recent Lync log identified by the Lync icon.

7. Type in the recipient’s name and tap send.

8. To review the log, open the received file in a text editor. The log has a .jpg extension. Change the file extension
to .txt and open a text editor.

To Enable logging on an iPhone

1. To enable logging access the Logging option from My Info tab -> Options -> Logging.

2. Within the Send Feedback screen, you have the option to submit Bug.

3. After you have completed the feedback, click the Next button at the top of the screen. This brings up your
iPhone email client. Use your corporate account to send the feedback.

Note: Logging on an iPad is similar to an iPhone.

To Enable logging on an Android device

1. After sign in, tap Options on the Signing in tab. On the Options page, tap Diagnostic logging to enable
logging. Sign out and then sign in.

2. Recreate the issue. Return to the Options screen and tap About Lync.

3. Tap Send diagnostic logs and then choose a configured email account.

4. Enter the recipients and subject line information and tap Send. The logs are attached as a .zip file.

Sample error messages

Here are some errors you might see in the device logs from Windows Phone 7.

Error : 410674486 : HttpRequestPump : Got a failure response to request

UnauthGethttps://lyncexternal.contoso.com/Autodiscover/AutodiscoverService.svc/root/user. Status:
UnknownError. Code: 403.

Verbose : 410674486 : HttpRequestPump : Error status description for request

UnauthGethttps://lyncexternal.contoso.com/Autodiscover/AutodiscoverService.svc/root/user is "Forbidden ( The
server denied the specified Uniform Resource Locator (URL). Contact the server administrator. )".

Error : 410674486 : MetadataManager : Web request to resolve failed. Error: HttpClientForbiddenError [Error,
Transport, TransportFramework].

Here are some errors you might see in the device logs from an Android device.

ERROR TRANSPORT
/mnt/hgfs/marvin_LyncRTM/dev/como/transport/metaDataManager/private/CMetaDataManager.cpp/511:Unable
to get a response to an unauthenticated get to url
https://Lyncexternal.contoso.com/autodiscover/autodiscoverservice.svc/root/user

ERROR TRANSPORT
/mnt/hgfs/marvin_LyncRTM/dev/como/transport/authenticationResolver/private/CAuthenticationResolver.cpp/55
4:Unable to get the meta data for server url
https://Lyncexternal.contoso.com/autodiscover/autodiscoverservice.svc/root/user

ERROR APPLICATION
/mnt/hgfs/marvin_LyncRTM/dev/como/applicationLayer/infrastructure/private/CUcwaAutoDiscoveryServiceRetrial
Wrapper.cpp/348:Auto-discovery failed. Analysing the failure

ERROR APPLICATION
/mnt/hgfs/marvin_LyncRTM/dev/como/applicationLayer/infrastructure/private/CLogonSession.cpp/1050:Auto-
discovery failed, aborting sign-in!Error Samples

Here are some of the errors you might see in the device logs from an iPhone or iPad.

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server
administrator. (12202)

ERROR TRANSPORT
/Users/comobuildadmin/se_wave1_idx/src/dev/CoMo/transport/_buildIos/../metaDataManager/private/CMetaDat
aManager.cpp/511:Unable to get a response to an unauthenticated get to url
https://Lyncexternal.contoso.com/autodiscover/autodiscoverservice.svc/root/user

ERROR TRANSPORT
/Users/comobuildadmin/se_wave1_idx/src/dev/CoMo/transport/_buildIos/../authenticationResolver/private/CAuth
enticationResolver.cpp/562:Unable to get the meta data for server url
https://Lyncexternal.contoso.com/autodiscover/autodiscoverservice.svc/root/user

ERROR APPLICATION
/Users/comobuildadmin/se_wave1_idx/src/dev/CoMo/applicationLayer/_buildIos/../infrastructure/private/CUcwaA
utoDiscoveryServiceRetrialWrapper.cpp/348:Auto-discovery failed. Analysing the failure

ERROR APPLICATION
/Users/comobuildadmin/se_wave1_idx/src/dev/CoMo/applicationLayer/_buildIos/../infrastructure/private/CLogon
Session.cpp/1050:Auto-discovery failed, aborting sign-in!

Note: Log information and verbosity varies as per device and platform.

These error messages indicate the client is having an issue authenticating with Lync Server 2010. First, verify that
Authentication Delegation is verified on the reverse proxy publishing rule configuration. This must be set to No
delegation, but client may authenticate directly. If the reverse proxy publishing rules are set to No delegate and
client cannot authenticate directly, it fails to sign-in when it reaches the step to provide credentials to request a
token after MEX retrieval.

Summary
This article describes a process to verify connectivity from an external Lync mobility client to Lync Server 2010.

1. Browse to https://lyncdiscover.contoso.com. You will receive a prompt to open or save

the lyncdiscover_contoso.com file.
2. Browse to http://lyncdiscover.contoso.com/autodiscover/autodiscoverservice.svc/root/domain. You will
receive a prompt you to open or save the Domain file.
3. Browse to https://lyncexternal. contoso.com/mcx/mcxservice.svc/mex. Depending on your browser
settings, you should see a banner
for https://lyncexternal.contoso.com/Mcx/McxService.svc/WebTicket_Bearer or you should see XML SOAP
information.
Thanks for Edwin Joseph

If are unable to connect, verifying the reverse proxy publishing rule configuration. If reverse proxy settings are
correct, verify the Lync mobility settings as described in the Lync Server 2010 Mobility Guide. Verify that you have
installed the latest updates for Lync Server 2010 Mobility Service. Service Here is the update for Lync Server 2010,
Mobility Service: February 2012.