Monday, June 29, 2015

Lync/Skype4B Mobility dissected





Ah, Lync Mobility... My favorite topic.
According to a leading research center, the #1 cause of ulcers among Lync administrators is deploying Mobility.
Just kidding... about the research. The rest is true; just take a look at the TechNet forums.
Today I decided to take another look at the Mobility subject and attempt to clear up some of the major misconceptions surrounding this particular Lync/Skype4B server modality.


Core principles



Like any other SIP endpoint, Mobile apps use SIP signaling to sign in, send and receive IMs, and negotiate voice/video calls. However, unlike the rest of the family, this SIP signaling is encapsulated, for lack of a better word, within SSL (HTTPS) traffic. So, while the so-called "fat client" connects to the SIP server service directly, the Mobile client connects to the UCWA virtual web site, which then proxies to the SIP service on behalf of the endpoint.

When it comes to media, P2P or a meeting, the above still applies to the call setup, but media flows exactly as it would between two "normal" clients. That is, if the Mobile client is on internal Wi-Fi and the other endpoint (desktop or Mobile) is on the same internal network, the media flows peer-to-peer. If the Mobile endpoint is on the public Internet and the other endpoint is on the internal network, the Mobile endpoint uses the Edge server in the deployment. The same holds when the Mobile endpoint and the other endpoint are both on the Internet.

The net takeaway so far is:

  • Mobile devices use SIP encapsulated within HTTPS for signaling
  • HTTPS traffic flows through the Reverse Proxy
  • Media flows P2P or via the Edge server, depending on the endpoint's physical location.


DNS




Beginning with Lync 2010, a new service was introduced: lyncdiscoverinternal and lyncdiscover. These (DNS) records have become the preferred method to discover Lync registrar services across all clients. However, there is one very important difference between Desktop and Mobile clients: while desktop clients have a built-in DNS fallback mechanism, mobile clients work only with the auto discovery service and, if auto discovery is not available or not working correctly, mobile sign-in will fail.

This auto discovery service is provided by the Autodiscover virtual web site on the Director or Front End pool and is present in both the Internal and External web sites. For this reason, it is required to use "FQDN override" in the Topology so that the Internal and External web sites have different FQDNs, as shown below. For example, this is my Enterprise pool:





Note that while the pool FQDN is pool1.skypeuc.com, the Internal web site FQDN is webaint.skypeuc.com and the External web site FQDN is webaext.skypeuc.com.


If you have a Standard Edition pool, the Internal web site FQDN cannot be changed, but the External one still can and must be changed:





As discussed in the previous article, the infrastructure will respond according to which web site the client queries.

Service discovery process


Clients will first query DNS for lyncdiscoverinternal.contoso.com.
  • If the record is present, (all) clients will attempt to connect first using HTTP (non-encrypted). If the connection is successful (i.e. the target listens on port 80), the web site responds with a redirect to https://lyncdiscoverinternal.contoso.com, where the client receives XML containing the web URL where the client should go to authenticate and receive the web ticket.
  • If the client does not get a response from the HTTP call, it will attempt HTTPS directly. If both (HTTP and HTTPS) connection attempts fail, it gets interesting:

The desktop client will fall back and attempt to use SRV records (_sipinternaltls._tcp.contoso.com, etc.). If SRV records are not present, the client will attempt to resolve the host (A) record for sip.contoso.com. If this fails as well, the desktop client will not be able to sign in.

The mobile client has no fallback mechanism. If the Lync autodiscover service is not available (either because of DNS resolution or unavailability of the service), the mobile client will fail to sign in!
  • If lyncdiscoverinternal is not resolvable, clients will try to resolve lyncdiscover. The above still applies.
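The discovery order just described, modelled as an added example (this is not the client's or the product's code). DNS and HTTP are replaced by an injected fixture so the walk runs offline; the `/Autodiscover/AutodiscoverService.svc/root` path and the `_links` JSON shape of the responses are assumptions of this model, and the fixtures are constructed. It also carries the desktop-versus-mobile difference: the desktop walk falls back to SRV and then to `sip.<domain>`, the mobile walk stops when autodiscover fails.

```python
"""Model of the Lync/Skype4B client service-discovery walk.

Added example, not the product's code. DNS and HTTP are replaced by an
injected fixture so the walk runs offline; the autodiscover path and the
"_links" JSON shape are assumptions of this model.
"""
import json
from dataclasses import dataclass

AUTODISCOVER_PATH = "/Autodiscover/AutodiscoverService.svc/root"  # assumed path
REDIRECT = (301, 302)


@dataclass
class Fixture:
    """Constructed network state for one scenario."""
    a_records: dict    # fqdn -> IPv4 string
    srv_records: dict  # SRV name -> target host
    responses: dict    # url -> (status, body); a missing url means no answer


def walk_autodiscover(fx, sip_domain, log):
    """lyncdiscoverinternal first, then lyncdiscover; per host HTTP before HTTPS.
    Returns the authentication (web ticket) URL, or None if discovery fails."""
    for label in ("lyncdiscoverinternal", "lyncdiscover"):
        host = f"{label}.{sip_domain}"
        if host not in fx.a_records:
            log.append(f"dns {host}: no A record")
            continue
        for scheme in ("http", "https"):
            resp = fx.responses.get(f"{scheme}://{host}{AUTODISCOVER_PATH}")
            if resp is None:
                log.append(f"{scheme} {host}: no answer")
                continue
            status, body = resp
            if status in REDIRECT:            # the port-80 listener sends the client to HTTPS
                log.append(f"{scheme} {host}: redirect -> {body}")
                resp = fx.responses.get(body)
                if resp is None:
                    continue
                status, body = resp
            if status != 200:
                log.append(f"{scheme} {host}: status {status}")
                continue
            log.append(f"{scheme} {host}: autodiscover root received")
            return json.loads(body)["_links"]["user"]["href"]
    return None


def plan_sign_in(fx, sip_domain, client):
    """client is 'desktop' or 'mobile'. Desktop falls back to SRV, then A sip.<domain>;
    mobile has no fallback and fails when autodiscover is unavailable."""
    log = []
    auth_url = walk_autodiscover(fx, sip_domain, log)
    if auth_url:
        return {"ok": True, "via": "autodiscover", "target": auth_url, "log": log}
    if client == "mobile":
        log.append("mobile: no fallback, sign-in fails")
        return {"ok": False, "via": None, "target": None, "log": log}
    for srv in (f"_sipinternaltls._tcp.{sip_domain}", f"_sip._tls.{sip_domain}"):
        if srv in fx.srv_records:
            return {"ok": True, "via": "srv", "target": fx.srv_records[srv], "log": log}
    host = f"sip.{sip_domain}"
    if host in fx.a_records:
        return {"ok": True, "via": "a-record", "target": host, "log": log}
    log.append("desktop: autodiscover, SRV and sip.<domain> all failed")
    return {"ok": False, "via": None, "target": None, "log": log}


def select_web_link(user_resource_json, client, on_corp_network):
    """After authentication the user resource carries internal and external links.
    Mobile always takes the external link; desktop takes internal on the corporate
    network and external elsewhere."""
    links = json.loads(user_resource_json)["_links"]
    key = "internal" if (client == "desktop" and on_corp_network) else "external"
    return links[key]["href"]


# Constructed fixture: autodiscover answers on port 80 and redirects to HTTPS.
HEALTHY = Fixture(
    a_records={"lyncdiscoverinternal.contoso.com": "10.0.0.10"},
    srv_records={},
    responses={
        "http://lyncdiscoverinternal.contoso.com" + AUTODISCOVER_PATH:
            (302, "https://lyncdiscoverinternal.contoso.com" + AUTODISCOVER_PATH),
        "https://lyncdiscoverinternal.contoso.com" + AUTODISCOVER_PATH:
            (200, json.dumps({"_links": {"user": {"href":
                "https://webint.contoso.com" + AUTODISCOVER_PATH + "/oauth/user"}}})),
    },
)

# Constructed fixture: no autodiscover records at all, only the legacy SRV record.
LEGACY = Fixture(
    a_records={"sip.contoso.com": "10.0.0.11"},
    srv_records={"_sipinternaltls._tcp.contoso.com": "pool1.contoso.com"},
    responses={},
)

if __name__ == "__main__":
    for name, fx in (("healthy", HEALTHY), ("legacy", LEGACY)):
        for client in ("desktop", "mobile"):
            r = plan_sign_in(fx, "contoso.com", client)
            print(name, client, "->", r["via"] if r["ok"] else "FAIL", "|", "; ".join(r["log"]))
```

Running it prints the per-step log for each scenario; the "legacy" fixture is the one to study, since the desktop client signs in via SRV there while the mobile client fails, which is exactly the support-forum pattern the article describes.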

Mobile Device sign-in flow


The following conditions apply for this example:

  • Two SIP domains are supported: skypeuc.com (primary) and lynclog.com (additional)
  • Simple URL and autodiscover services are pointed to (and served by) Pool1.
  • The internal VIP terminates the SSL session with a wildcard certificate with SN=*.skypeuc.com and SAN=*.skypeuc.com
  • The account we use to sign in has a SIP URI @lynclog.com
  • The account is homed on Pool2
  • The device is on corporate Wi-Fi and it is BYOD (not managed)
  • Besides the skypeuc.com DNS zone, the administrator maintains a pinpoint DNS zone for lynclog.com as well
  • The enterprise does not allow hairpinning. Instead, internal VIPs were created to act as Reverse Proxy for client requests from corporate Wi-Fi to the external pool web services. The VIPs use the *.skypeuc.com (wildcard) certificate.
  • The FQDNs of the external web sites (served by the "internal" Reverse Proxy) are resolvable by the internal DNS

The Mobile client queries DNS and resolves lyncdiscoverinternal.lynclog.com to an internal IP address. The IP is a VIP of the hardware load balancer serving Pool1.

By design, the first attempt the endpoint makes is http://lyncdiscoverinternal.lynclog.com. Because the call is HTTP, no certificate trust is required, the connection succeeds and the autodiscover service returns JSON (JavaScript Object Notation) with a redirect to the authentication URL.


***Note that now HTTPS is required and the URL is webaint.skypeuc.com (the internal VIP of Pool1). The endpoint follows the instructions; the SSL connection is now terminated with the *.skypeuc.com certificate and trust is established.

The endpoint attempts to obtain a WebTicket and is challenged with the NTLM authentication mechanism.



After successful authentication, the endpoint receives XML with the service locations.
 


***XML points to the user's home pool resources.

The endpoint goes to the Pool2 external web service FQDN and presents the WebTicket.




Because this is the first time this endpoint signs in with this account, the endpoint also requests a certificate (since it is internal, it does so via the internal web service FQDN).



Receiving the certificate requires a new authentication



The certificate is received



Hallelujah, we have signed in


***The device then connects to Exchange, but this is out of the current scope.

The device receives the Mobile Policy via in-band provisioning



...the instruction set for allowed modalities...



...MRAS credentials (because media will flow via the Edge server)...



...and, at the end, presence information for the user's contacts.

The sign-in process from the public Internet is very similar, except that (because we are coming from the Internet) no calls to internal resources are made.


Hairpinning


Hairpinning is a method for hosts on the LAN to leave the perimeter via NAT (as they do to reach resources on the Internet) and make a U-turn to access enterprise resources exposed to the Internet.

For example:

Internal devices are on the 10.255.3.0 subnet
All devices go to the Internet via the NATed public IP address 71.14.14.42
The Reverse Proxy VIP for Pool1 has the public IP 71.14.14.46

To perform "hairpinning", the device with LAN IP 10.255.3.100 would leave the router with the NATed IP 71.14.14.42, make a U-turn (not actually leaving the infrastructure, i.e. not going out to the Internet) and visit 71.14.14.46. The response from the Reverse Proxy gets back to the device along the exact same path in the opposite direction.

We have already established that mobile devices always use the external pool web site for signaling. For this reason, a device on corporate Wi-Fi must be able to resolve the external web site FQDN in the internal DNS. The key word is "resolve", not "resolve to a public IP address"...

The example above shows a scenario where hairpinning is not allowed in the enterprise. Instead, a VIP was created to act as Reverse Proxy for clients on corporate Wi-Fi. The (internal, LAN) IP address of this VIP was entered in DNS as the external web site's IP address.

If hairpinning were allowed, the A record (in the LAN DNS) for webaext.skypeuc.com would have the IP address 71.14.14.46 (the public IP address of the Reverse Proxy).

There is a third method, one that bypasses the creation of an "internal" reverse proxy VIP. A typical reverse proxy is "two-legged": an interface on the LAN subnet (talking to the servers), and a DMZ interface NATed to a public IP. The FQDN of the public web site can be entered in the internal DNS with the DMZ IP address of the reverse proxy and, of course, the firewall configured accordingly. In this case, we "hairpin" to... the DMZ.

For example:

DMZ IP of the Reverse Proxy: 192.168.1.46 (NATed to 71.14.14.46)
In LAN DNS: the public web site FQDN resolves to 192.168.1.46
In public DNS: the public web site FQDN resolves to 71.14.14.46

In both cases, traffic flows via the reverse proxy and "lands" on the external web site.

In all three cases, the mobile device will do its signaling via the external web site.

Hairpinning is the preferred method because it avoids potential issues with caching the IP address of the external web site, and the transition between corporate Wi-Fi and the carrier network will be faster.
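A preflight check for the corporate Wi-Fi path, as an added example (not from the article or any vendor tool): for each name the mobile client contacts, it asks whether LAN DNS answers, which of the three configurations above the answer implies (hairpin to the public IP, hairpin to the reverse proxy's DMZ leg, or an internal reverse-proxy VIP), and whether the VIP's wildcard certificate covers the name. Subnets and records are constructed from the article's values; 192.168.1.0/24 is assumed as the reverse proxy's DMZ subnet, and the 10.255.3.20/21 VIP addresses are constructed. The certificate check also shows why the first autodiscover call is plain HTTP in the sign-in walkthrough: *.skypeuc.com does not cover lyncdiscoverinternal.lynclog.com.

```python
"""Preflight for the mobile client's corporate Wi-Fi path.

Added example, not from the article. Subnets and records are constructed from
the article's values; the DMZ subnet and the VIP addresses are assumptions.
"""
import ipaddress


def wildcard_matches(pattern, hostname):
    """Single-label wildcard in the leftmost position only (RFC 6125 style):
    *.skypeuc.com covers webaext.skypeuc.com but not skypeuc.com or a.b.skypeuc.com."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, hostname):
    return any(wildcard_matches(n, hostname) for n in cert_names)


def classify_landing(ip, lan, dmz, rp_public_ip, rp_dmz_ip):
    """Which of the article's three configurations a LAN DNS answer implies."""
    if ip == rp_public_ip:
        return "hairpin-public"       # LAN DNS hands out the public reverse-proxy IP
    if ip == rp_dmz_ip:
        return "hairpin-dmz"          # LAN DNS hands out the DMZ leg of the reverse proxy
    if ip in lan:
        return "internal-rp-vip"      # a separate VIP on the LAN fronting the external site
    if ip in dmz:
        return "dmz-other"
    return "unexpected"


def preflight(records, hosts, cert_names, lan, dmz, rp_public_ip, rp_dmz_ip):
    """records: LAN DNS A records (fqdn -> ip). Returns a per-host report; an
    unresolvable external web FQDN is the failure mode the article warns about."""
    report = {}
    for host in hosts:
        ip_str = records.get(host)
        if ip_str is None:
            report[host] = {"resolves": False, "path": "broken", "cert_ok": False}
            continue
        ip = ipaddress.ip_address(ip_str)
        report[host] = {
            "resolves": True,
            "path": classify_landing(ip, lan, dmz, rp_public_ip, rp_dmz_ip),
            "cert_ok": cert_covers(cert_names, host),
        }
    return report


# Constructed from the article: LAN subnet, public reverse-proxy IP, DMZ leg.
LAN = ipaddress.ip_network("10.255.3.0/24")
DMZ = ipaddress.ip_network("192.168.1.0/24")          # assumed DMZ subnet
RP_PUBLIC = ipaddress.ip_address("71.14.14.46")
RP_DMZ = ipaddress.ip_address("192.168.1.46")
VIP_CERT = ["*.skypeuc.com"]                          # wildcard on the internal VIPs
HOSTS = ["lyncdiscoverinternal.lynclog.com", "webaint.skypeuc.com", "webaext.skypeuc.com"]

# Scenario from the sign-in walkthrough: no hairpinning, internal RP VIP for webaext.
NO_HAIRPIN = {
    "lyncdiscoverinternal.lynclog.com": "10.255.3.20",   # constructed Pool1 VIP
    "webaint.skypeuc.com": "10.255.3.20",
    "webaext.skypeuc.com": "10.255.3.21",                # constructed internal RP VIP
}
# Hairpinning allowed: webaext resolves on the LAN to the public IP.
HAIRPIN = {**NO_HAIRPIN, "webaext.skypeuc.com": "71.14.14.46"}
# Third method: webaext resolves on the LAN to the reverse proxy's DMZ address.
DMZ_HAIRPIN = {**NO_HAIRPIN, "webaext.skypeuc.com": "192.168.1.46"}
# Misconfiguration: the external FQDN is absent from LAN DNS.
MISSING = {k: v for k, v in NO_HAIRPIN.items() if k != "webaext.skypeuc.com"}


def run(records):
    return preflight(records, HOSTS, VIP_CERT, LAN, DMZ, RP_PUBLIC, RP_DMZ)


if __name__ == "__main__":
    for name, recs in (("no-hairpin", NO_HAIRPIN), ("hairpin", HAIRPIN),
                       ("dmz-hairpin", DMZ_HAIRPIN), ("missing", MISSING)):
        for host, r in run(recs).items():
            print(f"{name:12} {host:36} path={r['path']:16} cert_ok={r['cert_ok']}")
```

Feed it the A records of your own LAN zone and the addresses of your reverse proxy to see which configuration you actually have; a "broken" line for the external web FQDN means mobile clients on Wi-Fi will fail at the very step where they switch to the external web site.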

lyncdiscoverinternal vs lyncdiscover


When hairpinning is allowed, the administrator might elect to use the lyncdiscover record in the internal DNS. As we see in the Fiddler trace, the XML response with service locations contains pointers to both the internal and the external means of connectivity. Clients will select the one that applies to them.

I have yet to see a good explanation of when to use one or the other.


Last words


In case you wonder where the traces come from: I used Fiddler as described in this article.

The next article will be about the KEMP LoadMaster (qualified Reverse Proxy).
