Forum Discussion

jordjw_46323
Dec 19, 2012

Lync 2010 Mobility Sign-in not working from external

Hi All

Hoping someone out there can help me out with this issue...

I have a Lync 2010 deployment using the LTM to load balance traffic to the FE servers as per the Lync Server 2010 (2012_03_15) deployment guide. We haven't deployed Director Servers.

Using autodiscover, mobile clients coming in over 3G (or any external network) attempt to connect to https://lyncexternal.myDomain.com. I can see the traffic coming in via the F5's and hitting the FE servers as expected. However! The client can't log in - the user is presented with the message "Can't sign in. Check your account information and try again" - the account information is correct. Looking at the Diagnostic Log from the mobile app, I see a 401 response from my Front End Lync Server with "Access is denied due to invalid credentials" - again, the account information is correct.

I can successfully connect to the mobile app on our internal wifi network, using exactly the same creds and still using autodiscover - however this traffic doesn't go via the F5, it is direct to one of the FE servers (for testing - same results if the wifi traffic is passed via the F5).

Has anyone encountered this issue before? Any assistance would be greatly appreciated.

thanks!

Jordan

16 Replies

  • mikeshimkus_111
    Historic F5 Account
    This is a complicated issue, since the problem could be related to an F5, Juniper, or Microsoft configuration problem or bug. Please open a case with F5 support so we can track the issue, and include any information about support cases with the other 2 vendors. F5 support can walk you through capturing and troubleshooting Mobility traffic on both sides of BIG-IP.
  • I've now managed to resolve the issue, and we've got Mobility working 100%... During testing over 3G all clients were consistently getting the message regarding invalid credentials despite the RP showing successful authentication, so I tried using the mobile client with an incorrect AD password - the RP showed the invalid attempt, and subsequently the AD account became locked out. To cut a long story short, I moved the port 443->4443 forwarding to take place on the firewall rather than as part of the RP policy, and it all worked. It appears that allowing the RP (in my case a Juniper MAG) to do the forwarding was preventing the return traffic from reaching the client.
  • Hi Jordjw,

    I'm quite interested in your experience with iApp & Lync :)

    In your last feedback, does that mean that you had to use TCP/443 in the iApp setting on the RP, and perform some PAT on the firewall?

    I also assume that you have the following architecture:

    INTERNET => RP (with iApp for WebServices external) => Firewall (with PAT) => F5 (with iApp for WebServices internal) => Lync Pool

    Or something approaching that, correct?

    I do have some issues from the mobility client with address book download; does that feature work on your side?

    Thanks

    Jérôme
  • Hi Jérôme

    We have no issues with the address book. That feature is working for us on all tested platforms (iOS, Android, WinPhone8).

    The only change to our configuration was to move the 443->4443 PAT from our reverse proxy (a Juniper MAG) and do the PAT on our firewall instead. The F5 iApp configuration still uses port 4443 on the LTM -> Lync Pool virtual server.

    Doing the PAT on our firewall resolved the issue of signing in for mobility. What are you using as your RP?

    Jordan


  • Hi Jordan,

    Thanks for your answer! Our reverse proxy is also an F5, configured with iApp (latest version) and choosing External WebServices.

    Will keep your experience with PAT in mind and continue my testing...

    Thanks

    Jérôme
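A quick way to check Jordan's finding on your own deployment is to compare what an unauthenticated request gets back through the external 443 path (RP, firewall PAT, LTM) against what a Front End answers directly on 4443: if the two differ, the 443->4443 translation is not transparent and that is where to look before blaming credentials. This is an added example, not code from the thread or from F5/Microsoft; the Front End hostname and probe path are assumptions.

```python
import http.client
import ssl
from typing import NamedTuple

# Assumed names (not from the thread): the external FQDN mobile clients use
# and one Front End server reachable directly on the internal network.
EXTERNAL_HOST = "lyncexternal.myDomain.com"
FRONTEND_HOST = "fe01.corp.example"
PROBE_PATH = "/"  # assumed; any external web services URL works


class Probe(NamedTuple):
    status: int        # HTTP status of the unauthenticated GET
    challenge: str     # WWW-Authenticate header, "" if absent


def probe(host: str, port: int, path: str = PROBE_PATH, timeout: float = 5.0) -> Probe:
    """One unauthenticated HTTPS GET; only the auth challenge matters here.

    Certificate checks are off because the RP may present its own certificate
    rather than the FE's; only application-layer behaviour is compared.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path, headers={"Host": EXTERNAL_HOST})
        resp = conn.getresponse()
        return Probe(resp.status, resp.getheader("WWW-Authenticate") or "")
    finally:
        conn.close()


def compare(external: Probe, frontend: Probe) -> str:
    """Classify the external (443) path against the direct FE (4443) path."""
    if external.status in (502, 503, 504):
        return "external-path-not-reaching-fe"   # forwarding/translation broken
    if external.status != frontend.status:
        return "status-mismatch"                 # something in between answers differently
    if external.status == 401 and external.challenge != frontend.challenge:
        return "challenge-mismatch"              # RP/firewall altered or dropped the challenge
    return "same-behaviour"                      # port translation looks transparent


if __name__ == "__main__":
    ext = probe(EXTERNAL_HOST, 443)
    fe = probe(FRONTEND_HOST, 4443)
    print(f"external={ext} frontend={fe} -> {compare(ext, fe)}")
```

Run it from a host that can reach both the external FQDN and a Front End; "same-behaviour" with a 401 on both sides means the unauthenticated challenge survives the path and the problem is in the authenticated exchange, as it was in this thread.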