Thursday, April 21, 2011

Can't sign into Lync phone over the Edge server using PIN authentication

Well I'm back from Lync Masters in Redmond. I'll have more on that in another post coming very soon.

For those of you wondering if you can sign into a Lync "Aries" phone (untethered) from outside your network, the answer is... 'well, sort of'.

The phone does need to sign in on the LAN successfully at least once so that it 'learns' the path to the web ticket service and can obtain a client certificate. The client certificate permits authentication to Lync even if AD is down, and it plays into the branch survivability story quite well (with a few exceptions). Once the device has its valid client certificate, it will attempt to sign into a registrar by looking up the SRV record in DNS. It does this only once, provided it finds a suitable registrar pool to register against. This is an important fact to remember. I'll say it again another way... the phone will NEVER go back to the SRV lookup once it has successfully authenticated against a registrar and signed in.

The phones are designed to cache this information to reduce the burden on the network and to provide a survivable experience. This means that if your pool name is "pool01.contoso.com" and the phone signed in against a front-end server in that pool, it will try to find that pool by name when you connect it at home or at some other remote (outside the LAN) location. Again, the phone will NEVER go back to DNS for the SRV record. If you perform a trace of the traffic you'll see this happen. The phone also caches the web services FQDN and will attempt to connect to it (if you have it published through ISA/TMG).

So how do I make it work?
Well, it's simple really... use the name "sip.contoso.com" as the internal host name for your "_sipinternaltls._tcp.contoso.com" record. That name will then match your external Access Edge FQDN (and the IP it resolves to), so the cached pool name resolves externally and you should be able to sign in. Now, I wouldn't recommend this approach. Just because it can be done doesn't make it a good idea.

If the phone is signed in using a "common area phone" ID, then make sure you use the "Grant-CsExternalAccessPolicy" command to ensure the account can log in remotely.

Watch out!
Be aware of rogue devices leaking out of your network if you set it up to permit this activity. The certificate authentication mechanism will permit the phones to sign in EVEN IF THE AD ACCOUNT IS DISABLED. To be safe you must run "Revoke-CsClientCertificate", disable the account for Lync, and disable the AD account.
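The offboarding sequence above, in the order that matters, as an added example (not from the original post). It assumes the Lync Server Management Shell and the ActiveDirectory module are loaded; "sip:cap01@contoso.com" and "cap01" are placeholder identities.

```powershell
# Added example, not from the original post. Assumes the Lync Server Management
# Shell is loaded; the SIP address and SAM account name below are placeholders.
Import-Module ActiveDirectory

function Disable-LyncPhoneUser {
    param(
        [Parameter(Mandatory)] [string] $SipAddress,     # e.g. sip:cap01@contoso.com
        [Parameter(Mandatory)] [string] $SamAccountName  # the matching AD account
    )

    # 1. Revoke the client certificate FIRST. While it is still valid the phone
    #    can keep re-authenticating with the cached certificate, even though the
    #    AD account is disabled.
    $before = @(Get-CsClientCertificate -Identity $SipAddress).Count
    if ($before -gt 0) {
        Revoke-CsClientCertificate -Identity $SipAddress -Confirm:$false
    }
    # Verify while the identity still resolves as a Lync user.
    $after = @(Get-CsClientCertificate -Identity $SipAddress).Count

    # 2. Remove the account from Lync (no longer a valid SIP principal).
    Disable-CsUser -Identity $SipAddress -Confirm:$false

    # 3. Disable the AD account itself so password/PIN paths are closed too.
    Disable-ADAccount -Identity $SamAccountName -Confirm:$false
    $adEnabled = (Get-ADUser -Identity $SamAccountName).Enabled

    # Summary for the change record; CertificatesLeft should be 0 and
    # ADAccountEnabled should be False.
    [pscustomobject]@{
        SipAddress          = $SipAddress
        CertificatesRevoked = $before
        CertificatesLeft    = $after
        ADAccountEnabled    = $adEnabled
    }
}

Disable-LyncPhoneUser -SipAddress 'sip:cap01@contoso.com' -SamAccountName 'cap01'
```

If you also need to pull remote access from a device that stays in service, adjust its policy with Grant-CsExternalAccessPolicy instead of disabling the account.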

Cheers.