RSS Subscription 167 Posts and 2,643 Comments

Using Lync 2010 Mobility on your Corporate WIFI Networks

Lync 2010 Mobility has been out for a few months now.  Jeff Schertz has a great writeup on Lync Mobility on his blog here.  What I wanted to go into is some more detail on deploying Lync Mobility on your corporate wifi networks which I haven’t seen documented in very good detail on Technet or other blog articles.  Now keep in mind, this blog article is for deploying Lync Mobility on your corporate wifi networks, not your guest wifi networks.  Basically, any wifi network that can access your Front End Servers.

There are two considerations to take when deploying Lync 2010 Mobility on your Corporate WIFI Network that you need to be cognizant of after reading Jeff Schertz’s Mobility article and the official Mobility documentation:

  • Certificates
  • Talking to the External Mobility Services

Certificate Issues for Lync 2010 Mobile Clients Connecting over Corporate WIFI

If we take a look at Jeff’s article or the official Lync Mobility document, we can see that there is an FQDN we add to internal DNS:

  • lyncdiscoverinternal.domain.com

The basic process for how the Lync 2010 Mobile Client will connect to Mobility Services while on a corporate WIFI network is as follows:

As we can see by the above, the Lync 2010 Mobile client does a lookup for lyncdiscoverinternal.domain.com.  It is because of this, the Lync Mobile documentation has us replace the certificate on our Front End Servers.  Now with that said, that means that any request to Lyncdiscoverinternal.domain.com will eventually terminate (SSL termination) against our Front End Server.  Now in the majority of deployments, the Front End Servers and Internal Edge NIC will have certificates signed by your internal certificate authority.

Now with that said, that means that Mobile clients will have some issues with connectivity to Lync 2010 Mobile Services as lyncdiscoverinternal.domain.com would be signed by your internal certificate authority.  Domain-Joined machines will automatically have most likely have a copy of your Root Certificate Authority’s self-signed certificate.  If your Root Certificate Authority is an Enterprise Root CA, it automatically publishes its certificate to Active Directory.  When domain joined machines sign into AD, they will install these certificates.  For Standalone Root CA’s, you have probably used Group Policy to publish your Root/Intermediate certificates or used certutil -dspublish.  The issue here is that these Mobile Devices do not have a copy of your internal Certificate Authority’s certificate.  Thus, they will have certificate/connectivity problems when on the WIFI Network.

My experience at a previous client with the different mobile devices have shown the following results:

  • Windows Phone 7: Seemed to function even without the root certificate.  The WP7 seem to employ some kind of silent fallback mechanism to connect to the external network and attempt to find the external web services name.
  • IOS 5: Retrieved an error that we could not connect to the server without any certificate warning.  It just would not connect to the server. After importing the root certificate on the IOS device, we could connect without any issue.
  • Android: Retrieved a certificate warning.  We were presented with a connect button on the bottom left which allowed the user to connect regardless of the warning/error that they received about not trusting the server they were connecting to.

Now, these certificate warnings may be unacceptable to your organization.  If they are, you will want to replace your Front End/IIS Certificate(s) with a certificate from a Public Certificate Authority.  Keep in mind you will want to replace the internal Edge Server’s certificate with a Public Certificate as well.  I have seen issues where if the Front End and Internal Edge had certificates from different CAs, they would stop replicating with each other.  This bug may have been fixed as this happened several months ago when Lync 2010 was still relatively new.

However, other than having Public Certificates in the entire infrastructure, there is another method.

How to prevent certificate errors and still utilize internal certificates on your internal Lync 2010 infrastructure

There is a method you can use to get Lyncdiscoverinternal.domain.com to function without needing to configure your Lync 2100 Front End Servers and Lync 2010 Edge Server’s Internal NIC with a public certificate. Another method in which you can use to prevent certificate errors is by having all LyncDiscoverInternal.domain. requests go to your Reverse Proxy which will use a Public Certificate.  By taking a look at the Lync Mobility documentation, we can see that both 80 and 443 can be used to service Lync Autodiscover Mobile requests.  Because of this, we can have TMG also service LyncDiscoverInternal.domain.com requests.  A couple options here would be to:

  • On the Web Services rule for Lync 2010 which handles Simple URLs and the External Web Services FQDN, we can add all LyncDiscover.domain.com FQDNs (one for each SIP Domain) as well as all LyncDiscoverInternal.domain.com (one for each SIP Domain).
  • Create a new Web Listener and Web Services rule for Lync 2010 Mobile Autodiscover requests that handle Lync 2010 Autodiscover Only.  This Web Listener will listen on port 80.  The Web Listener will bridge to 8080 on the Front End Server or Hardware Load Balancer that services the Lync 2010 Pool.  The Mobile Client, as stated earlier, will attempt both HTTP and HTTPs for Autodiscover.  Because the Autodiscover FQDNs will point to the Reverse Proxy (ISA/TMG), HTTP will work for Autodiscover and the client will successfully connect.

In taking a look at the following diagram that is provided in the Lync 2010 Planning Documentation, the DNS record on the far right, lyncdiscoverinternal.contoso.net would point to the NIC on the Reverse Proxy Server.  This would require you to ensure that internal communications over either 80 or 443 (depending on which scenario above is used) so autodiscover requests from the Lync 2010 Mobile client on WIFI networks function properly.

To verify that LyncDiscoverInternal.domain.com functions properly while on the Internal WIFI Network, connect to the WIFI Network and use the following Autodiscover URL to test Autodiscover Connectivity:

https://lyncdiscoverinternal.domain.com/autodiscover/autodiscoverservice.svc/root/domain

The following Autodiscover results are provided back to Internet Explorer.  As you can see, it provides Redirect Information on where the client should now connect to make a successful Autodiscover Request:

{“AccessLocation”:”Internal”,”Root”:{“Links”:[{"href":"https:\/\/InternalWeb.domain.com\/Autodiscover\/AutodiscoverService.svc\/root\/domain","token":"Domain"},{"href":"https:\/\/InternalWeb.domain.com\/Autodiscover\/AutodiscoverService.svc\/root\/user","token":"User"},{"href":"https:\/\/InternalWeb\/Autodiscover\/AutodiscoverService.svc\/root\/oauth\/user","token":"OAuth"}]}}

We will use the following new URL to see the entire Autodiscover result:

https://InternalWeb.domain.com/Autodiscover/AutodiscoverService.svc/root/domain

This provides us with the new following results.  As you can see, the MCX URL we use is the External Web Services FQDN.  This means that even if we have a client on the internal corporate WIFI, they must connect to the external web services FQDN that is published through TMG.

{“AccessLocation”:”Internal”,”Domain”:{“Links”:[{"href":"https:\/\/InternalWeb.domain.com\/Autodiscover\/AutodiscoverService.svc\/root","token":"Internal\/Autodiscover"},{"href":"https:\/\/InternalWeb.domain.com\/Reach\/sip.svc","token":"Internal\/AuthBroker"},{"href":"InternalWeb.domain.com\/Ucwa\/Discovery","token":"Internal\/Ucwa"},{"href":"https:\/\/ExternalWeb.domain.com\/Mcx\/McxService.svc","token":"Internal\/Mcx"},{"href":"https:\/\/ExternalWeb.domain.com\/Autodiscover\/AutodiscoverService.svc\/root","token":"External\/Autodiscover"},{"href":"https:\/\/ExternalWeb.domain.com\/Reach\/sip.svc","token":"External\/AuthBroker"},{"href":"https:\/\/ExternalWeb.domain.com\/Ucwa\/Discovery","token":"External\/Ucwa"},{"href":"https:\/\/ExternalWeb.domain.com\/Mcx\/McxService.svc","token":"External\/Mcx"}],”SipClientExternalAccess”:{“fqdn”:”sip15.ms.cdw.com”,”port”:”443″},”SipClientInternalAccess”:{“fqdn”:”LyncPool.domain.com”,”port”:”5061″},”SipServerExternalAccess”:null,”SipServerInternalAccess”:{“fqdn”:”LyncPool.domain.com”,”port”:”5061″}}}

Another way to look at the Autodiscover response is by taking a look at the Lync client’s Mobility Diagnostic Log.  For information on how to view these diagnostic logs, please see Randy Wintle’s article here.  The following XML data will be seen which is formatted a bit differently than viewed above:

<?xml version=”1.0″ encoding=”utf-8″?><AutodiscoverResponse AccessLocation=”Internal” xmlns:xsd=”http://www.w3.org/2001/XMLSchema” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”><Domain><SipServerInternalAccess fqdn=”LyncPool.domain.com” port=”5061″/><SipClientInternalAccess fqdn=”LyncPool.domain.com” port=”5061″/><SipClientExternalAccess fqdn=”sip.domain.com” port=”443″/><Link token=”Internal/Autodiscover” href=”https://InternalWeb.domain.com/Autodiscover/AutodiscoverService.svc/root”/><Link token=”Internal/AuthBroker” href=”https://InternalWeb.domain.com/Reach/sip.svc”/><Link token=”Internal/Ucwa” href=”https://InternalWeb.domain.com/Ucwa/Discovery”/><Link token=”Internal/Mcx” href=”https://ExternalWeb.domain.com/Mcx/McxService.svc”/><Link token=”External/Autodiscover” href=”https://ExternalWeb.domain.com/Autodiscover/AutodiscoverService.svc/root”/><Link token=”External/AuthBroker” href=”https://ExternalWeb.domain.com/Reach/sip.svc”/><Link token=”External/Ucwa” href=”https://ExternalWeb.domain.com/Ucwa/Discovery”/><Link token=”External/Mcx” href=”https://ExternalWeb.domain.com/Mcx/McxService.svc”/></Domain></AutodiscoverResponse>

All Lync Mobile clients must connect through the external web services FQDN

So by now, we realize that a Mobile Client on the corporate network must connect through external web services.  This means we must do the following:

  • Create our external web services FQDN (ExternalWeb.domain.com) in our internal DNS infrastructure that mobile clients resolve against.  This FQDN will point to the Public IP of External Web Services.  Essentially, the DNS record created in External DNS and the DNS record created in Internal DNS will be identical.
  • Allow our mobile client connected to WIFI to connect to external web services.  This will be done by hairpinning.  Essentially, this means if the mobile client when connected to WIFI must connect out to the 131.x.x.50 (in this example, 131.x.x.50 will be our external web services IP pointed to the external interface of TMG) and then back into the NAT’d IP of TMG without completely going out to the internet.  Thus the traffic is hairpinned.

Now I’m sure the following question is going through your head: Why must we have all mobility services connect to the External Web Services FQDN and why aren’t we using the Pool and Edge Server just like the Lync 2010 client installed on Desktop Operating Systems?  There are a couple answers to this question:

  • SIP protocol by nature has long hold times.  HTTP protocol by nature has short hold times.  Mobile clients these days have the ability to switch between WIFI and cellular networks in a very fast if not seamless manner.  By having Lync 2010 Mobile clients use HTTP which have short hold times, Lync 2010 Mobile Clients can mantain connectivity during this WIFI to cellular (and vice versa) transition.
  • The reason why we always want to connect to external web services is because now that we understand why we are using HTTP based on the above bullet, we want to maintain connectivity to the same location to ensure a faster/smoother transition between WIFI and cellular (and vice versa) networks.  We must also maintain the same persistence while maintaining these connections.  Having the clients connect to the same place and maintaining affinity (if using HA and a certificate for cookie based affinity on the HLB) we can maintain affinity from your Mobile Client to the Reverse Proxy to the Hardware Load Balancer and then to the Front End Pool Servers.

An Alternative Way to connect to external web services without the use of hairpinning (Less Preferable than Hairpinning)

Let me start this by saying, this method is not reconnected due to extra traffic and burden on your bandwidth and DNS Servers.  If for whatever reason, you cannot hairpin the traffic so the internal WIFI network can communicate to the external web services public IP address, would be to point the external web services FQDN that is located in Internal DNS to the Internal IP address of your Reverse Proxy Server.  With this mechanism, when the Mobile Client while connected to WIFI gets the external Web Services FQDN while on Internal DNS, they will get a private IP response and connect to Reverse Proxy in that fashion.  When an internet connected mobile device gets the Autodiscover Response and does a DNS lookup, they will receive the Public IP address of External Web Services.

Now if you have read the bottom 2 bullets in the section entitled, “All Lync Mobile clients must connect through the external web services FQDN” you will understand that this method goes against the Mobility model.  One of the ways to alleviate issues when switching between WIFI and cellular networks (and vice versa) would be to change the External Web Services FQDN (in both internal and external DNS) to have a lower TTL value or even a TTL value of 0.  This way, when a mobile client switches from WIFI to cellular (or vice versa), they will do a new DNS lookup since the TTL value is 0 and find the new IP address and successfully connect.  This will obviously not be a seamless transition but it does provide a method of being able to reestablish a connection.  But, this also means that Mobile Clients and all other Lync 2010 Clients (Phone Edition, desktop client, etc.) will constantly have to do DNS lookups which will now cause more network utilization as well as DNS Server Utilization.  So if it is decided this is the roue that will be taken, be sure to be aware of the negative ramifications that this ensure.

 

Share

23 Responses to “Using Lync 2010 Mobility on your Corporate WIFI Networks”

  1. on 19 Mar 2012 at 4:24 pmChad

    Your diagram shows the LyncDiscoverInternal.contoso.net pointing to a 192.xxx address which seems misleading since you want that to point to TMG external IP, correct? Why not change it to read 131.xxx? Maybe I'm missing something however. Great article BTW for those of us who don't want to put public certs in our internal Lync servers.

  2. on 19 Mar 2012 at 8:29 pmElan Shudnow

    LyncDiscoverInternal typically points to internal FE for Autodiscover. The autodiscover result points you to the external web services FQDN whcih is the public IP of the Reverse Proxy.

  3. on 20 Mar 2012 at 11:36 amAaron S.

    Excellent article, well done.

  4. [...] Corporate WIFI Networks | Elan Shudnow’s Blog Posted on March 21, 2012 by johnacook http://www.shudnow.net/2012/03/12/using-lync-2010-mobility-on-your-corporate-&#8230; Share this:StumbleUponDiggRedditLike this:LikeBe the first to like this [...]

  5. [...] Corporate WIFI Networks | Elan Shudnow’s Blog Posted on March 21, 2012 by johnacook http://www.shudnow.net/2012/03/12/using-lync-2010-mobility-on-your-corporate-&#8230; Share this:StumbleUponDiggRedditLike this:LikeBe the first to like this [...]

  6. [...] Also see Elan Shudnow’s blog on Using Lync 2010 Mobility on your Corporate WIFI Networks: http://www.shudnow.net/2012/03/12/using-lync-2010-mobility-on-your-corporate-wifi-networks/ [...]

  7. on 22 Mar 2012 at 9:46 amAmit

    Hi,

    What about if we dont have reverse Proxy then how we can make login on Lync Mobile.

    Thanks
    Amit

  8. on 22 Mar 2012 at 10:09 amChad

    OK so if i'm following you, internal mobile client will contact LyncDiscoverInternal.contoso.net directly from the internal FE servers, which will direct them to externalwebfqdn (ie lyncwebext.contoso.com) which our internal DNS now has a record pointing that to external TMG IP, thus hairpin connection to external TMG IP and back in. If I have that correct, isnt the initial connection to LyncDiscoverInternal.contoso.net still going to use the internal cert before its referred to lyncwebext? Also you state in the blog

    "In taking a look at the following diagram that is provided in the Lync 2010 Planning Documentation, the DNS record on the far right, lyncdiscoverinternal.contoso.net would point to the NIC on the Reverse Proxy Server."

    This is where I get confused as it seems to infer I would need to change the DNS record for lyncdiscoverinternal.contoso.net to point to the RP NIC.

  9. on 22 Mar 2012 at 4:53 pmChad

    better yet, why not just avoid creating lyncdiscoverinternal and create lyncdiscover host record in internal DNS instead that points to TMG external IP. Then internal wifi mobile users fail on lyncdiscoverinternal and then resolve lyncdiscover (and lyncwebext) from internal DNS and get hairpinned.

  10. on 22 Mar 2012 at 5:01 pmElan Shudnow

    Reverse Proxy is required for Lync and not just for Mobility.

  11. on 23 Mar 2012 at 6:58 amElan Shudnow

    So the lyncdiscoverinternal would point to internal NIC on TMG and you would need to include the lyncdiscoverinternalon the public cert. On the listener, you would configure it to listen on the internal IP of the server and in the rules, you would need to make some modifications such as in Public Names adding lyncdiscoverinternal as well as the From Tab add Internal.

  12. on 23 Mar 2012 at 7:01 amElan Shudnow

    Then they would think they are external. Look at the Autodiscover response I posted above. The AccessLocation shows as internal. If you're connecting through lyncdiscover, your AccessLocation will be external. The autodiscover response has a bunch of other FQDNs. I would suspect (and this is purely speculation) that the mobile client may take advantage of other FQDNs in the Autodiscover response and if you start making internal clients think they are outside and vice versa, you may run into issues in the future when updates come out that allow mobile clients to leverage other functionality.

  13. [...] Veja os detalhes aqui: http://www.shudnow.net/2012/03/12/using-lync-2010-mobility-on-your-corporate-wifi-networks/ [...]

  14. on 04 May 2012 at 8:45 amAdam

    Excellent guide…worked like a charm! I've been fighting the inside/outside RP and certs with mobile for a week now…

    Thank you

  15. on 04 May 2012 at 10:01 amElan Shudnow

    Glad it worked for you. Thanks for posting.

  16. on 13 May 2012 at 9:37 amWho Calls Me

    I don’t even know how I ended up here, but I thought this post was good. I don’t know who you are but definitely you are going to a famous blogger if you aren’t already ;) Cheers!

  17. on 16 May 2012 at 8:23 amlaeufer983

    Is the Reverse Proxy required if you are doing Internal only on iOS devices that are VPNed into the corpnet?

  18. on 17 May 2012 at 10:18 amElan Shudnow

    Nope. You would just want to run the following command to make sure the Front End Pool FQDN is handed back to the mobile device:
    Set-CsMcxConfiguration –ExposedWebUrl Internal

  19. on 18 May 2012 at 1:14 pmEranCal

    Hi Elan,

    how can I email you?

    Eran

  20. on 31 May 2012 at 1:58 pmCyberGuyPR

    Correct me if I'm wrong but everything I read says reverse proxy is strongly RECOMMENDED, not required. We have a successful implementation without RP including mobility. The the only thing not working properly is mobility through wifi.

  21. [...] http://www.shudnow.net/2012/03/12/using-lync-2010-mobility-on-your-corporate-wifi-networks/ Share this:StumbleUponDiggRedditLike this:LikeBe the first to like this. [...]

  22. on 23 Dec 2012 at 8:04 pmESC

    When the internal mobile user access to Revese Proxy(TMG), TMG think the traffic is IP spoofing.
    So we may need to turn off the ip spoofing function on TMG.
    Why isn't this mentioned? I think this lead to one of the misconfig issue.

  23. [...] http://www.shudnow.net/2012/03/12/using-lync-2010-mobility-on-your-corporate-wifi-networks/ [...]

Trackback this post | Feed on Comments to this post

Leave a Reply