RomualPiecyk
MIS
I am unable to connect my Lync 2010 client from an external non-domain PC over the internet. The client works only if I VPN in to my network and manually configure my client to point to the internal FQDN of my pool, which is FEPOOL.CONSOLTECHLAB.COM; then it connects fine. Auto-config does not work. It will yield back the error "There was a problem verifying the certificate from the server." Then a peek in the event logs shows Errors 4 (application log) and 36884 (system log), which indicate the client PC was expecting to see sipexternal.consoltechlab.com and/or sipinternal.consoltechlab.com in the certificate.
When I try to connect over the internet (no VPN) with a manual config, setting my external server name/IP address to access.consoltechlab.com, I get the error "Cannot sign in because the server is temporarily available". I have also tried access.consoltechlab.com:443.
The certs on my Edge server were both generated by my internal domain CA. The internal is called edgepool.consoltechlab.com (server name is lab-lyncedge.consoltechlab.com), and has no SANs. The external is called access.consoltechlab.com, and has the SANs sip, access, and webconferencing. My Lync topology has access.consoltechlab.com as the FQDN of external web services.
I have installed the root CA from my internal domain on my test PCs.
Why is my client looking for sipexternal and sipinternal? Are these default names that the Lync client looks for when it can't find the name specified in the SRV record? My internal SRV record is _sipinternaltls._tcp.consoltechlab.com, and it points to port 5061 of sip.consoltechlab.com, which is an additional "A" record that points to the IP address of my front end pool (and the single server that is in that pool at the moment, lab-lyncfe.consoltechlab.com).
Some additional details:
- I have a public SRV record in place for _sip._tls.consoltechlab.com, that points to access.consoltechlab.com.
- There is an "A" record in place for access.consoltechlab.com. It is the IP address of the external interface of my Edge server.
- My Edge server's external interface is direct on the internet, with no firewall. Just the Windows Firewall, which has the necessary ports open.
- I have exported the root CA cert of my domain as well as the front end server's cert to my home PC.
Any thoughts and ideas will be most appreciated. Thanks!
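The certificate-name mismatch reported in the event logs above can be checked offline before touching the Edge server. The following Python is an added example, not code from the original post: it applies the name-matching rules a TLS client uses (SAN dNSNames only when any are present, the CN only as a fallback when the cert has no SANs, a wildcard only as the entire leftmost label) to the external Edge certificate described in the post and to the hostnames a Lync 2010 client may try during sign-in. The list of client-side names is an assumption based on the event-log messages quoted in the post.

```python
# Added example: which client-expected hostnames does a certificate actually cover?
# Matching rules follow RFC 6125 as commonly implemented by TLS clients:
#  - if the cert carries any dNSName SANs, only the SANs are consulted;
#  - the CN is consulted only when the cert has no SANs at all;
#  - a wildcard matches exactly one label and only as the whole leftmost label;
#  - comparison is case-insensitive and ignores a trailing dot.
from typing import Dict, List


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) matches hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the entire leftmost label, label counts must agree,
    # and a wildcard directly under a TLD (e.g. *.com) is rejected.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_identities(common_name: str, san_dns_names: List[str]) -> List[str]:
    """Names a TLS client will consider: the SANs if present, otherwise the CN only."""
    return list(san_dns_names) if san_dns_names else [common_name]


def coverage(common_name: str, san_dns_names: List[str],
             expected: List[str]) -> Dict[str, bool]:
    """Map each expected hostname to whether the certificate would satisfy it."""
    ids = cert_identities(common_name, san_dns_names)
    return {host: any(name_matches(p, host) for p in ids) for host in expected}


# Constructed sample taken from the scenario in the post: the external Edge cert
# has CN access.consoltechlab.com and SANs sip, access and webconferencing.
EDGE_CN = "access.consoltechlab.com"
EDGE_SANS = ["sip.consoltechlab.com", "access.consoltechlab.com",
             "webconferencing.consoltechlab.com"]
# Assumption: hostnames a Lync 2010 client may validate during sign-in (the SRV
# target plus the sipinternal/sipexternal fallbacks named in the event log).
CLIENT_NAMES = ["sip.consoltechlab.com", "sipinternal.consoltechlab.com",
                "sipexternal.consoltechlab.com", "access.consoltechlab.com"]

if __name__ == "__main__":
    for host, ok in coverage(EDGE_CN, EDGE_SANS, CLIENT_NAMES).items():
        print(f"{host:36} {'covered' if ok else 'MISSING'}")
```

Running it against the post's certificate shows sip and access covered while sipinternal and sipexternal are not, which is exactly what Errors 4 and 36884 complain about.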