Monday, June 29, 2015

Lync/Skype4B Mobility dissected

Ah, Lync Mobility... My favorite topic.
According to a leading research center, the #1 cause of ulcers among Lync administrators is deploying Mobility.
Just kidding... about the research. The rest is true; just take a look at the TechNet forums.
Today I decided to take another look at the Mobility subject and attempt to clarify some of the major misconceptions surrounding this particular Lync/Skype4B server modality.

Core principles

Like any other SIP endpoint, Mobile apps use SIP signaling to sign in, send and receive IMs, and negotiate voice/video calls. However, unlike the rest of the family, this SIP signaling is encapsulated, for lack of a better word, within SSL (HTTPS) traffic. So, while the so-called "fat client" connects to the SIP server service directly, the Mobile client does so via the UCWA virtual web site, which then proxies to the SIP service on behalf of the endpoint.

When it comes to media, whether P2P or a meeting, the above still applies to the call setup, but media flows exactly as it would between two "normal" clients. That is, if the Mobile client is on internal Wi-Fi and the other endpoint (desktop or Mobile) is on the same internal network, the media flows peer-to-peer. If the Mobile endpoint is on the public Internet and the other endpoint is on the internal network, the Mobile endpoint uses the Edge server in the deployment. The same holds true if the Mobile endpoint and the other endpoint are both on the Internet.

The net takeaway so far is:

  • Mobile devices will use SIP encapsulated within HTTPS for signaling
  • HTTPS traffic will flow through the Reverse Proxy
  • Media will flow P2P or via the Edge server, depending on the endpoint's physical location.


Beginning with Lync 2010, a new service was introduced, advertised by the lyncdiscoverinternal and lyncdiscover DNS records. These records have become the preferred method to discover Lync registrar services across all clients. However, there is one very important difference between Desktop and Mobile clients: while desktop clients have a built-in DNS fallback mechanism, mobile clients work only with the auto discovery service and, if auto discovery is not available or not working correctly, mobile sign-in will fail.

This auto discovery service is provided by the Autodiscover virtual web site on the Director or Front End pool and is present in both the Internal and External web sites. For this reason, it is required to use "FQDN override" in the Topology so that the Internal and External web sites have different FQDNs, as shown below. For example, this is my Enterprise pool:

Note that while the pool FQDN is, the Internal web site is and the External web site FQDN -

If you have a Standard edition pool, the Internal web site FQDN cannot be changed, but the external still can and must be changed:

As discussed in the previous article, based on which web site the client queries, the infrastructure will respond accordingly.

Service discovery process 

Clients will first query DNS for
  • If the record is present, (all) clients will attempt to connect first using HTTP (non-encrypted). If the connection is successful (i.e. the target listens on port 80), the web site will respond with a redirect to where the client receives XML containing the web URL where the client should go to authenticate and receive the web ticket.

  • If the client does not get a response from the HTTP call, it will attempt HTTPS directly. If both (HTTP and HTTPS) connection attempts fail, it gets interesting:

The desktop client will fall back and attempt to use SRV records (, etc.). If SRV records are not present, the client will attempt to resolve the host (A) record for If this fails as well, the desktop client will not be able to sign in.

The Mobile client does not have a fallback mechanism. If the Lync autodiscover service is not available (either because of DNS resolution or unavailability of the service), the mobile client will fail to sign in!
  • If lyncdiscoverinternal is not resolvable, clients will try to resolve lyncdiscover. The above still applies.

Mobile Device sign-in flow

The following conditions apply for this example:

  • Two SIP domains are supported: (primary) and (additional)
  • Simple URLs and autodiscover services are pointed to (and served by) Pool1.
  • The internal VIP terminates the SSL session with a wildcard certificate with SN=* and SAN=*
  • The account we use to sign in has the SIP URI
  • The account is homed on Pool2
  • The device is on corporate Wi-Fi and it is BYOD (not managed)
  • Besides the DNS zone, the administrator maintains a pinpoint DNS zone for as well
  • The enterprise does not allow hairpinning. Instead, internal VIPs were created to act as Reverse Proxy for client requests to the external pool web services when on corporate Wi-Fi. The VIPs use a * (wildcard) certificate.
  • The FQDNs of the external web sites (served by the "internal" Reverse Proxy) are resolvable by the internal DNS

The Mobile client queries DNS and resolves to an internal IP address. The IP is a VIP of the hardware load balancer serving Pool1.

By design, the first attempt the endpoint makes is Because the call is HTTP, no certificate trust is required, the connection succeeds and the autodiscover service returns JSON (JavaScript Object Notation) with a redirect to the authentication URL.

***Note that now HTTPS is required and the URL is (the internal VIP of Pool1). The endpoint follows the instructions; the SSL connection is now terminated with the * certificate and trust is established.

The endpoint attempts to receive a WebTicket and is challenged with the NTLM authentication mechanism.

After successful authentication, the endpoint receives XML with the service location.

***The XML points to the user's home pool resources.

The endpoint goes to the Pool2 external web service FQDN and presents the WebTicket.

Because this is the first time this endpoint signs in with this account, the endpoint also requests a certificate (since it is internal, it will do so via the internal web service FQDN).

Receiving the certificate requires a new authentication.

The certificate is received.

Hallelujah, we have signed in.

***The device then connects to Exchange, but this is out of the current scope.

The device receives the Mobile Policy via in-band provisioning,

...instruction set for allowed modalities...

...MRAS credentials (because media will flow via the Edge server)...

...and, at the end, presence information of user's contacts.

The process of signing in from the public Internet is very similar, except that (because we are coming from the Internet) no calls to internal resources are made.


Hairpinning is a method for hosts on the LAN to leave the perimeter via NAT (as they do to reach resources on the Internet) and make a U-turn to access enterprise resources exposed to the Internet.

For example:

Internal devices are on subnet
All devices go to the Internet via the NATed public IP address
The Reverse Proxy VIP for Pool1 has public IP

To perform "hairpinning", a device with LAN IP would leave the router with the NATed IP of, make a U-turn (not actually leaving the infrastructure, i.e. not going out to the Internet) and visit The response from the Reverse Proxy would get back to the device using the exact same path in the opposite direction.

We have already established that mobile devices always use the external pool web site for signaling. For this reason, a device on corporate Wi-Fi must be able to resolve the external web site FQDN in the internal DNS. The key word is "resolve", not "resolve to a public IP address"...

The example above shows a scenario where hairpinning is not allowed in the enterprise. Instead, a VIP was created to act as Reverse Proxy for clients on corporate Wi-Fi. The (internal, LAN) IP address of this VIP was entered in DNS as the external web site IP address.

If hairpinning were allowed, the A record (in LAN DNS) for would have the IP address of (the public IP address of the Reverse Proxy).

There is a third method, one that bypasses the creation of an "internal" reverse proxy VIP. A typical reverse proxy is "two-legged": an interface on the LAN subnet (talking to the servers) and a DMZ interface NATed to a public IP. The FQDN of the public web site could be entered in internal DNS with the IP address of the DMZ interface and, of course, the firewall configured accordingly. In this case, we "hairpin" to... the DMZ.

For example:

DMZ IP of Reverse proxy - (NATed to
In LAN DNS - Public web site FQDN resolves to
In Public DNS - Public web site FQDN resolves to IP

In both cases, traffic flows via the reverse proxy and "lands" on the external web site.

In all three cases, the mobile device will do its signaling via the external web site.

Hairpinning is the preferred method because it resolves potential issues with caching the IP address of the external web site, and the transition between corporate Wi-Fi and the carrier network will be faster.
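The three placements above differ only in what LAN DNS answers for the external web FQDN, and the failure mode in every case is the same: a mobile client on corporate Wi-Fi that cannot resolve that name (or lyncdiscoverinternal/lyncdiscover) never gets to the sign-in step. The following is an added example, my own code rather than anything from the post, that runs that check from both sides of the firewall and reports which placement the LAN answer implies. Resolvers are injected so it runs offline; every host name, address and the DMZ subnet are constructed, and the "DMZ leg" is recognised only because the subnet is passed in, since a DMZ address is usually private and otherwise indistinguishable from an internal VIP.

```python
# Added example (not from the original post): a split-horizon DNS sanity check
# for the three ways of reaching the external web site from corporate Wi-Fi
# described above. Resolvers are injected, so constructed answers stand in for
# real DNS; every name, address and the DMZ subnet is hypothetical.
import ipaddress
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]   # name -> IPv4 address string or None


def classify_external_web(fqdn, lan_resolve, public_resolve, dmz_subnet):
    """Say which placement the LAN answer for the external web FQDN implies."""
    lan, pub = lan_resolve(fqdn), public_resolve(fqdn)
    if lan is None:
        return "unresolvable"       # mobile clients on corp Wi-Fi cannot sign in
    if pub is None:
        return "not-published"      # clients on the Internet cannot sign in
    lan_ip = ipaddress.ip_address(lan)
    if lan_ip == ipaddress.ip_address(pub):
        return "hairpin-public"     # LAN DNS hands out the reverse proxy's public IP
    if lan_ip in ipaddress.ip_network(dmz_subnet):
        return "hairpin-dmz"        # LAN DNS points at the reverse proxy's DMZ leg
    if lan_ip.is_private:
        return "internal-vip"       # an internal VIP acts as reverse proxy for Wi-Fi clients
    return "unexpected"             # a second public address: investigate before going live


def check_mobility_dns(sip_domain, ext_web_fqdn, lan_resolve, public_resolve, dmz_subnet):
    """The records a mobile client needs, checked from both sides of the firewall."""
    findings = {}
    internal_ad = lan_resolve(f"lyncdiscoverinternal.{sip_domain}")
    lan_ad = lan_resolve(f"lyncdiscover.{sip_domain}")
    findings["autodiscover-lan"] = "ok" if (internal_ad or lan_ad) else "missing"
    findings["autodiscover-public"] = "ok" if public_resolve(f"lyncdiscover.{sip_domain}") else "missing"
    findings["external-web"] = classify_external_web(ext_web_fqdn, lan_resolve, public_resolve, dmz_subnet)
    blocked = (findings["autodiscover-lan"] == "missing"
               or findings["external-web"] in ("unresolvable", "unexpected"))
    findings["mobile-wifi-signin"] = "blocked" if blocked else "possible"
    return findings


# Constructed zones. 203.0.113.5 plays the reverse proxy's public address,
# 192.168.50.0/24 its DMZ leg, 10.0.0.20 an internal VIP.
PUBLIC_DNS = {"lyncdiscover.example.com": "203.0.113.5", "lyncweb.example.com": "203.0.113.5"}
LAN_COMMON = {"lyncdiscoverinternal.example.com": "10.0.0.10"}
LAN_HAIRPIN = {**LAN_COMMON, "lyncweb.example.com": "203.0.113.5"}   # option 1
LAN_DMZ = {**LAN_COMMON, "lyncweb.example.com": "192.168.50.7"}      # option 3
LAN_VIP = {**LAN_COMMON, "lyncweb.example.com": "10.0.0.20"}         # option 2
LAN_BROKEN = dict(LAN_COMMON)              # external web FQDN forgotten in LAN DNS


def resolver(zone):
    return lambda name: zone.get(name)


def run_all():
    """Check each constructed LAN zone against the same public zone."""
    out = {}
    for label, zone in (("hairpin", LAN_HAIRPIN), ("dmz", LAN_DMZ),
                        ("vip", LAN_VIP), ("broken", LAN_BROKEN)):
        out[label] = check_mobility_dns("example.com", "lyncweb.example.com",
                                        resolver(zone), resolver(PUBLIC_DNS), "192.168.50.0/24")
    return out


if __name__ == "__main__":
    for label, findings in run_all().items():
        print(label, findings)
```

To use it against live DNS, replace the two `resolver(...)` lambdas with lookups against your internal resolver and a public one; the classification logic stays the same. The "broken" zone is the case the post warns about: everything else is right, but the external web FQDN simply does not resolve on the LAN, so Wi-Fi sign-in fails while the same device signs in fine on the carrier network.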

lyncdiscoverinternal vs lyncdiscover

When hairpinning is allowed, the administrator might elect to use the lyncdiscover record in internal DNS. As we see in the Fiddler trace, the XML response with service locations contains pointers to both internal and external means of connectivity. Clients will select the one that applies to them.

I have yet to see a good explanation of when to use one or the other.

Last words

In case you wonder where the traces come from: I used Fiddler as described in this article.

The next article will be about KEMP LoadMaster (a qualified Reverse Proxy).

