Lync 2013 Client Behavior and Testing

Lync 2013 changed how the Lync client discovers and connects to Lync servers, both from an internal and from an external network.  One side effect is a misleading result from Microsoft's remote connectivity tester when you use it to validate your external (Edge) deployment.  The problem is one of ports, and of what the testing tool assumes; it comes down to a change in client behavior that I'll detail below.

When the Lync client is on the internal network, it connects to a node in the Lync Front End pool (or a Standard Edition server) on port 5061, the SIP-over-TLS port.  A packet capture on the client shows a DNS query for the pool name followed by a connection to port 5061; the connection negotiates TLS and everything after the handshake is encrypted.

On an external network things used to work much the same way.  The Lync 2010 client would run a DNS query for the Access Edge address (sip.contoso.com or something similar) and connect on port 5061; the session would then be handed off to port 443 on the Access Edge to complete the TLS handshake and the connection.  That behavior has changed: the Lync 2013 client connects directly to port 443 rather than 5061 for its initial connection.  This makes sense and removes an unnecessary connection, but it can confuse the error detection in Microsoft's testing tool.

I ran into this problem when testing a Lync server that had not been configured to allow external access in either the global policy or the access edge policy.  The testing tool should have come back and told me that, but because it tries to connect directly to port 5061 first instead of 443, Lync 2013 never serves up the error.  Instead it spits out:
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
If I manually select the access edge address and set the port to 5061, I get the same error.  If I instead set it to port 443, the error magically goes away and the remainder of the test passes.  So, long story short (too late!): if you are getting the above error from the Microsoft connectivity tester, all may be well.  Just try manually entering your access edge on port 443.
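As an added example (not code from the original post), the following Python script probes an access edge in the order the Lync 2013 client uses, 443 first and then 5061, and reports the TCP connect and the TLS handshake as separate findings, so that "nothing listening", "listening but not completing TLS" and "certificate rejected" can be told apart instead of all collapsing into the tester's "SSL negotiation wasn't successful" message.  `sip.contoso.com` is a placeholder host name; the probe takes the edge name as an argument rather than discovering it via DNS the way the client does, and the two loopback fixtures at the bottom are constructed purely so the probe can be self-tested offline.

```python
"""Probe a Lync access edge the way a Lync 2013 client does: TLS on 443, then 5061.

Added example, not code from the original post.  The edge host name is given
on the command line; the real client discovers it via DNS, which this does not do.
"""
import socket
import ssl
import sys
import threading

LYNC_2013_PORTS = (443, 5061)   # client order: 443 first, then the legacy SIP/TLS port
DEFAULT_TIMEOUT = 5.0


def probe_tls(host, port, timeout=DEFAULT_TIMEOUT, verify=True):
    """TCP connect to host:port, then attempt a TLS handshake with SNI=host.

    status: ok | refused | timeout | unreachable | cert_invalid | tls_failed
    detail: negotiated protocol on success, otherwise the error text
    subject: certificate subject as a dict on success, else None
    """
    result = {"host": host, "port": port, "status": None, "detail": "", "subject": None}

    # Phase 1: plain TCP connect.  A refusal means no listener (or a firewall reject).
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        result.update(status="refused", detail=str(exc))
        return result
    except socket.timeout:
        result.update(status="timeout", detail="TCP connect timed out")
        return result
    except OSError as exc:  # name resolution failure, no route, etc.
        result.update(status="unreachable", detail=str(exc))
        return result

    # Phase 2: TLS handshake on the established connection.
    ctx = ssl.create_default_context()
    if not verify:  # for a lab edge with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            result.update(status="ok", detail=tls.version())
            if cert:
                result["subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
    except ssl.SSLCertVerificationError as exc:
        result.update(status="cert_invalid", detail=str(exc))
    except socket.timeout:
        result.update(status="timeout", detail="TLS handshake timed out")
    except (ssl.SSLError, OSError) as exc:  # EOF, reset, or a responder that is not TLS
        result.update(status="tls_failed", detail=str(exc))
    finally:
        sock.close()
    return result


def probe_edge(host, ports=LYNC_2013_PORTS, timeout=DEFAULT_TIMEOUT, verify=True):
    """Probe each port in client order and return the per-port results."""
    return [probe_tls(host, port, timeout, verify) for port in ports]


def interpret(results):
    """One-line reading of the per-port results, following the post's point:
    a 5061 handshake failure alone is not proof of a bad edge or certificate
    when 443 negotiates TLS cleanly."""
    status = {r["port"]: r["status"] for r in results}
    ok_443, ok_5061 = status.get(443) == "ok", status.get(5061) == "ok"
    if ok_443 and ok_5061:
        return "TLS negotiates on both 443 and 5061"
    if ok_443:
        return "TLS negotiates on 443 only; retest the edge on port 443 before assuming a certificate problem"
    if ok_5061:
        return "TLS negotiates on 5061 only; a Lync 2013 client will not reach this edge on 443"
    return "TLS failed on every port probed; check listener, firewall and certificate"


def start_close_on_accept_listener():
    """Constructed fixture: accept TCP, then close at once, standing in for a port
    that completes the TCP handshake but never speaks TLS.  Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """Constructed fixture: a loopback port with nothing listening on it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    edge = sys.argv[1] if len(sys.argv) > 1 else "sip.contoso.com"  # placeholder name
    res = probe_edge(edge, verify="--no-verify" not in sys.argv)
    for r in res:
        print(f"{r['host']}:{r['port']} {r['status']} {r['detail']} subject={r['subject']}")
    print(interpret(res))
```

Run it as `python probe_edge.py sip.contoso.com`, adding `--no-verify` for a lab edge whose certificate your machine does not trust.  For the situation the post describes, expect 443 to come back `ok` with the certificate subject and 5061 to come back `tls_failed`, which is exactly the combination the connectivity tester misreports as a certificate problem when it starts on 5061.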
