Lync 2010 Mobility has been out for a few months now. Jeff Schertz has a great writeup on Lync Mobility on his blog here. What I wanted to go into is some more detail on deploying Lync Mobility on your corporate wifi networks which I haven’t seen documented in very good detail on Technet or other blog articles. Now keep in mind, this blog article is for deploying Lync Mobility on your corporate wifi networks, not your guest wifi networks. Basically, any wifi network that can access your Front End Servers.
There are two considerations to take when deploying Lync 2010 Mobility on your Corporate WIFI Network that you need to be cognizant of after reading Jeff Schertz’s Mobility article and the official Mobility documentation:
- Talking to the External Mobility Services
Certificate Issues for Lync 2010 Mobile Clients Connecting over Corporate WIFI
If we take a look at Jeff’s article or the official Lync Mobility document, we can see that there is an FQDN we add to internal DNS:
The basic process for how the Lync 2010 Mobile Client will connect to Mobility Services while on a corporate WIFI network is as follows:
As we can see by the above, the Lync 2010 Mobile client does a lookup for lyncdiscoverinternal.domain.com. It is because of this, the Lync Mobile documentation has us replace the certificate on our Front End Servers. Now with that said, that means that any request to Lyncdiscoverinternal.domain.com will eventually terminate (SSL termination) against our Front End Server. Now in the majority of deployments, the Front End Servers and Internal Edge NIC will have certificates signed by your internal certificate authority.
Now with that said, that means that Mobile clients will have some issues with connectivity to Lync 2010 Mobile Services as lyncdiscoverinternal.domain.com would be signed by your internal certificate authority. Domain-Joined machines will automatically have most likely have a copy of your Root Certificate Authority’s self-signed certificate. If your Root Certificate Authority is an Enterprise Root CA, it automatically publishes its certificate to Active Directory. When domain joined machines sign into AD, they will install these certificates. For Standalone Root CA’s, you have probably used Group Policy to publish your Root/Intermediate certificates or used certutil -dspublish. The issue here is that these Mobile Devices do not have a copy of your internal Certificate Authority’s certificate. Thus, they will have certificate/connectivity problems when on the WIFI Network.
My experience at a previous client with the different mobile devices have shown the following results:
- Windows Phone 7: Seemed to function even without the root certificate. The WP7 seem to employ some kind of silent fallback mechanism to connect to the external network and attempt to find the external web services name.
- IOS 5: Retrieved an error that we could not connect to the server without any certificate warning. It just would not connect to the server. After importing the root certificate on the IOS device, we could connect without any issue.
- Android: Retrieved a certificate warning. We were presented with a connect button on the bottom left which allowed the user to connect regardless of the warning/error that they received about not trusting the server they were connecting to.
Now, these certificate warnings may be unacceptable to your organization. If they are, you will want to replace your Front End/IIS Certificate(s) with a certificate from a Public Certificate Authority. Keep in mind you will want to replace the internal Edge Server’s certificate with a Public Certificate as well. I have seen issues where if the Front End and Internal Edge had certificates from different CAs, they would stop replicating with each other. This bug may have been fixed as this happened several months ago when Lync 2010 was still relatively new.
However, other than having Public Certificates in the entire infrastructure, there is another method.
How to prevent certificate errors and still utilize internal certificates on your internal Lync 2010 infrastructure
There is a method you can use to get Lyncdiscoverinternal.domain.com to function without needing to configure your Lync 2100 Front End Servers and Lync 2010 Edge Server’s Internal NIC with a public certificate. Another method in which you can use to prevent certificate errors is by having all LyncDiscoverInternal.domain. requests go to your Reverse Proxy which will use a Public Certificate. By taking a look at the Lync Mobility documentation, we can see that both 80 and 443 can be used to service Lync Autodiscover Mobile requests. Because of this, we can have TMG also service LyncDiscoverInternal.domain.com requests. A couple options here would be to:
- On the Web Services rule for Lync 2010 which handles Simple URLs and the External Web Services FQDN, we can add all LyncDiscover.domain.com FQDNs (one for each SIP Domain) as well as all LyncDiscoverInternal.domain.com (one for each SIP Domain).
- Create a new Web Listener and Web Services rule for Lync 2010 Mobile Autodiscover requests that handle Lync 2010 Autodiscover Only. This Web Listener will listen on port 80. The Web Listener will bridge to 8080 on the Front End Server or Hardware Load Balancer that services the Lync 2010 Pool. The Mobile Client, as stated earlier, will attempt both HTTP and HTTPs for Autodiscover. Because the Autodiscover FQDNs will point to the Reverse Proxy (ISA/TMG), HTTP will work for Autodiscover and the client will successfully connect.
In taking a look at the following diagram that is provided in the Lync 2010 Planning Documentation, the DNS record on the far right, lyncdiscoverinternal.contoso.net would point to the NIC on the Reverse Proxy Server. This would require you to ensure that internal communications over either 80 or 443 (depending on which scenario above is used) so autodiscover requests from the Lync 2010 Mobile client on WIFI networks function properly.
To verify that LyncDiscoverInternal.domain.com functions properly while on the Internal WIFI Network, connect to the WIFI Network and use the following Autodiscover URL to test Autodiscover Connectivity:
The following Autodiscover results are provided back to Internet Explorer. As you can see, it provides Redirect Information on where the client should now connect to make a successful Autodiscover Request:
We will use the following new URL to see the entire Autodiscover result:
This provides us with the new following results. As you can see, the MCX URL we use is the External Web Services FQDN. This means that even if we have a client on the internal corporate WIFI, they must connect to the external web services FQDN that is published through TMG.
Another way to look at the Autodiscover response is by taking a look at the Lync client’s Mobility Diagnostic Log. For information on how to view these diagnostic logs, please see Randy Wintle’s article here. The following XML data will be seen which is formatted a bit differently than viewed above:
All Lync Mobile clients must connect through the external web services FQDN
So by now, we realize that a Mobile Client on the corporate network must connect through external web services. This means we must do the following:
- Create our external web services FQDN (ExternalWeb.domain.com) in our internal DNS infrastructure that mobile clients resolve against. This FQDN will point to the Public IP of External Web Services. Essentially, the DNS record created in External DNS and the DNS record created in Internal DNS will be identical.
- Allow our mobile client connected to WIFI to connect to external web services. This will be done by hairpinning. Essentially, this means if the mobile client when connected to WIFI must connect out to the 131.x.x.50 (in this example, 131.x.x.50 will be our external web services IP pointed to the external interface of TMG) and then back into the NAT’d IP of TMG without completely going out to the internet. Thus the traffic is hairpinned.
Now I’m sure the following question is going through your head: Why must we have all mobility services connect to the External Web Services FQDN and why aren’t we using the Pool and Edge Server just like the Lync 2010 client installed on Desktop Operating Systems? There are a couple answers to this question:
- SIP protocol by nature has long hold times. HTTP protocol by nature has short hold times. Mobile clients these days have the ability to switch between WIFI and cellular networks in a very fast if not seamless manner. By having Lync 2010 Mobile clients use HTTP which have short hold times, Lync 2010 Mobile Clients can mantain connectivity during this WIFI to cellular (and vice versa) transition.
- The reason why we always want to connect to external web services is because now that we understand why we are using HTTP based on the above bullet, we want to maintain connectivity to the same location to ensure a faster/smoother transition between WIFI and cellular (and vice versa) networks. We must also maintain the same persistence while maintaining these connections. Having the clients connect to the same place and maintaining affinity (if using HA and a certificate for cookie based affinity on the HLB) we can maintain affinity from your Mobile Client to the Reverse Proxy to the Hardware Load Balancer and then to the Front End Pool Servers.
An Alternative Way to connect to external web services without the use of hairpinning (Less Preferable than Hairpinning)
Let me start this by saying, this method is not reconnected due to extra traffic and burden on your bandwidth and DNS Servers. If for whatever reason, you cannot hairpin the traffic so the internal WIFI network can communicate to the external web services public IP address, would be to point the external web services FQDN that is located in Internal DNS to the Internal IP address of your Reverse Proxy Server. With this mechanism, when the Mobile Client while connected to WIFI gets the external Web Services FQDN while on Internal DNS, they will get a private IP response and connect to Reverse Proxy in that fashion. When an internet connected mobile device gets the Autodiscover Response and does a DNS lookup, they will receive the Public IP address of External Web Services.
Now if you have read the bottom 2 bullets in the section entitled, “All Lync Mobile clients must connect through the external web services FQDN” you will understand that this method goes against the Mobility model. One of the ways to alleviate issues when switching between WIFI and cellular networks (and vice versa) would be to change the External Web Services FQDN (in both internal and external DNS) to have a lower TTL value or even a TTL value of 0. This way, when a mobile client switches from WIFI to cellular (or vice versa), they will do a new DNS lookup since the TTL value is 0 and find the new IP address and successfully connect. This will obviously not be a seamless transition but it does provide a method of being able to reestablish a connection. But, this also means that Mobile Clients and all other Lync 2010 Clients (Phone Edition, desktop client, etc.) will constantly have to do DNS lookups which will now cause more network utilization as well as DNS Server Utilization. So if it is decided this is the roue that will be taken, be sure to be aware of the negative ramifications that this ensure.