Wednesday, June 19, 2013

Configure Fiddler for Lync Mobile sign-in troubleshooting

While we have the online utility ( to verify our Lync Mobility deployment’s functionality, sometimes the Lync administrator must deep dive into the sign-in process. Below I will describe a basic setup of both Fiddler and mobile devices for troubleshooting the process or… just plain fun, if you want to see what is happening under the hood.

Download and install Fiddler2 ( I always use the latest stable build… Do not start Fiddler after installation. There is one more executable we must install in order to enable tracing for iOS devices. Download and install the New Certificate Maker (

With both installed, start Fiddler and go to Tools -> Options

Go to the Connections tab and check “Allow remote computers to connect”. Click OK on the pop up note.

 The next step is to enable HTTPS Decryption. Go to the HTTPS tab and check “Decrypt HTTPS traffic".

Apparently Eric Lawrence has a good sense of humor – “Scary text ahead”, eh…

When set to decrypt HTTPS traffic, Fiddler works in (sort of) SSL Offload mode. Fiddler will make HTTPS requests from the local machine’s applications (or remote clients if it is configured to act as HTTP Proxy) re-encrypt with the “Fiddler Root Certificate” and then pass it to the application/client who made the request. This is because the Lync client for example, makes true HTTPS request and expects to receive answers via the established SSL channel. Without re-encryption, Fiddler would pass the answer from our reverse proxy as HTTP and the Lync client would say “Ughm, this is not what I expect”.

In a new window will you will be asked you to confirm the Fiddler root certificate installation. Click "Yes" to confirm on TrustCert confirmation screen.

At this point Fiddler is capable of decrypting local HTTPS traffic for further review. However, our goal is examine traffic between Lync and the mobile clients.

Right now, the newly generated Fiddler Root certificate is not present on the mobile device I'm going to test with. The first step is to export the certificate via the Fiddler Options screen.

The certificate can be now found on the desktop.

Because I will direct traffic from my phone to pass on TCP port 8888 (the default port Fiddler uses for HTTP proxy) via the machine Fiddler is installed. I will create a firewall exception from PowerShell. Note: You must run PowerShell as Administrator to create the rule.

Import-Module NetSecurity
New-NetFirewallRule -DisplayName "Fiddler Proxy Exception" -Description "Allow remote client to use Fiddler" -Protocol TCP -LocalPort 8888 -Enabled True -Profile Any -Action Allow -Verbose

Now I will email the certificate to myself, and then install it on my Windows 8 phone and iPad.

Once the email arrive on my WP8 device, I open it, click on the attachment and confirm the installation.

Next - configuration of the phone to use HTTP proxy for web requests. Select your Wi-Fi network...

...slide Proxy to ON, enter the IP Address of the workstation where Fiddler is installed and set the port (8888 if you used default).

To test the setup, I use Bing on the phone and search for “Lync 2013”. The expectation is Fiddler will show traffic coming from the phone.

Yup, it works! Now I will sign-in with my Lync 2013 Windows Mobile Client and watch the magic.

Oh joy. Clicking on a line will reveal the “under the hood” process.

Here are few screenshots of the iPad configuration steps.The steps are similar taken on WP8 device.

Install Fiddler Root Certificate:

Configure the Proxy:

Refer to your manufacturer's instructions how to setup other devices.

This setup can be used to trace and review sign-in process of both Lync Mobile 2010 and Lync Mobile 2013 clients. Fact is - I advice to do so and get familiar with the differences between MCX and UCWA services.

Oh, you can use Fiddler to troubleshoot Lync MX as well.

Install the EnableLoopback Utility (

If you have Lync MX already installed, when Loopback Utility screen opens, locate and check Lync app.

That's all, folks... Enjoy.