Forum Discussion
Mobile Apps, internal use, certificate warnings
Mobile apps are using the DNS record lyncdiscover.domain.com for logging in.
Desktop clients are using lyncdiscoverinternal.domain.com in the first case.
The recommendation is to point the A record lyncdiscoverinternal.domain.com to the front end server/pool. The lyncdiscover.domain.com A record should point to the reverse proxy; in this case the external web services URL will be used (port translation 80, 443 to 8080, 4443).
There is documentation on TechNet about how mobility needs to be configured.
link: https://technet.microsoft.com/en-us/library/hh690030(v=ocs.15).aspx
Hi Erwin,
Currently I don't have a lyncdiscover.xxxx record on our internal DNS.
But it's not what I understand here:
When you use Automatic Discovery, mobile devices use DNS to locate resources. During the DNS lookup, a connection is first attempted to the FQDN that is associated with the internal DNS record (lyncdiscoverinternal.<internal domain name>). If a connection cannot be made by using the internal DNS record, a connection is attempted by using the external DNS record (lyncdiscover.<sipdomain>). A mobile device that is internal to the network connects to the internal Autodiscover Service URL, and a mobile device that is external to the network connects to the external Autodiscover Service URL. External Autodiscover requests go through the reverse proxy. The Lync Server 2013 Autodiscover Service returns all Web Services URLs for the user's home pool, including the Mobility Service (Mcx and UCWA) URLs. However, both the internal Mobility Service URL and the external Mobility Service URL are associated with the external Web Services FQDN. Therefore, regardless of whether a mobile device is internal or external to the network, the device always connects to the Lync Server 2013 Mobility Service externally through the reverse proxy.
For me, it tries lyncdiscoverinternal first, and as soon as it finds it, it will connect to it.
After that it should use the external web URL. But if it uses another URL, like meet.domain.com, etc., internal DNS will always send it to the front end server, and we will have a problem with certificates.
- Jun 21, 2017
Mobile devices don't connect to the internal Autodiscover Service (it will use the internal certificate). This is only used for the desktop client. Like Ivan mentioned, the UCWA request will land on the reverse proxy and will be forwarded to the Skype external web services URL (public certificate which the mobile phone can check); this one is using ports 8080 and 4443 (in the default configuration).
- Benoit Machiavello, Jun 21, 2017, Copper Contributor
Erwin Bierens wrote:
Mobile devices don't connect to the internal Autodiscover Service (it will use the internal certificate). This is only used for the desktop client. Like Ivan mentioned, the UCWA request will land on the reverse proxy and will be forwarded to the Skype external web services URL (public certificate which the mobile phone can check); this one is using ports 8080 and 4443 (in the default configuration).
If a mobile device uses the lyncdiscoverinternal DNS record, then it will connect internally first?
- Jun 21, 2017
Mobile devices are not checking lyncdiscoverinternal. The first check on mobile devices is lyncdiscover.
- ivanja, Jun 21, 2017, Microsoft
You won't; as described in the article, mobility is always hairpinned over the reverse proxy.
consult here
The UCWA request will land on your RP and redirect to the external web FQDN.
- Benoit Machiavello, Jun 21, 2017, Copper Contributor
If he did that, he would not show me any private certificates and I would not have a warning :D