In part one of the article series, we installed CU4 for Lync servers, installed the pre-reqs and mobility service. In this part, we will publish Lync autodiscover through TMG 2010, configure mobility policies and verify Lync mobile settings.
Now that we have set up everything on the internal Lync servers (front-end and directors), let’s configure the TMG server to publish Lync autodiscover. The assumption is that you already have your simple URLs and Lync web services published through the reverse proxy and that the certificate contains the name lyncdiscover.domain.com. If you have an existing rule, you can simply add the Lync autodiscover URL on the Public Names tab and you will be fine. Here, however, I am creating a dedicated rule for Lync autodiscover.
Launch the TMG Management Console and click on Firewall Policy node. Click on Publish Web Sites option on the right hand side task bar. Give a name for the rule, say Lync Autodiscover and click Next.
Select Allow and click Next.
Select the first option Publish a single web site or load balancer and click Next.
Select Use SSL to connect to the published web server or farm and click Next.
Type in the internal site name. This is the name of your front end server. If you have a Standard Edition server, this is the FQDN of the Lync server. If you have an Enterprise pool with a number of front end servers, then this FQDN is the hardware load balancer VIP FQDN.
Make sure that TMG can resolve the internal name; the simplest way is to add the internal name to the HOSTS file on the TMG server with the corresponding internal IP address of the server.
Put /* in the path and click Next. Make sure the check box on this page (Forward the original host header instead of the actual one specified in the Internal site name field) is selected.
Type in the public name – this is your Lync autodiscover url, it’s lyncdiscover.exchangemaster.me in my case.
If you already have a web listener (for the other Lync publishing rule), select that. If not, create a new one with the settings below.
- Listener Name : Lync Listener
- Require SSL secured connections with clients
- Select External network and pick the external IP address.
- Select the certificate (you need to have imported a public cert to the Personal Store of the computer already).
- No authentication
- No SSO
Select No delegation, but clients may authenticate directly. This is an important setting, so make sure you select the right one (both options look similar); it is the second option.
Select All Users and click Next.
Click Finish to end the wizard. Click Apply button for the changes to take effect.
Double click on the rule and navigate to the To tab. Make sure the settings are as in the screenshot below.
On the Bridging tab, redirect the HTTP port to 8080 and the HTTPS port to 4443. This is because the external Lync web site on the internal Lync server listens on ports 8080 and 4443, while the internal web site uses ports 80 and 443. Hence, a 443 request from the outside world needs to be redirected to port 4443 on the internal Lync server.
On the Listener tab, click the Properties button to modify the properties of the Lync web listener. Navigate to Connections tab and configure the options as per the screenshot below.
Finally, click on the Test Rule button on the properties of the rule itself and make sure you get all green.
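The Test Rule button checks the rule from TMG's point of view. The script below is an added example (not part of the original post) for checking the same publishing chain from the outside and from the TMG server itself: that the lyncdiscover name resolves to the TMG external address, that the HTTPS listener answers on the autodiscover path with the expected certificate name, and that the internal front end (or load balancer VIP) is actually listening on the bridged ports 8080 and 4443. The IP address, internal FQDN and autodiscover path are assumptions; only lyncdiscover.exchangemaster.me comes from the post.

```powershell
# Added verification script (not from the original post). Replace the assumed
# values with your own; it uses only .NET classes so it runs on the PowerShell
# version shipped with Windows Server 2008 R2 as well as on newer versions.
$PublicName       = 'lyncdiscover.exchangemaster.me'               # from the post
$TmgExternalIp    = '203.0.113.10'                                 # assumption: TMG external listener IP
$InternalFqdn     = 'lyncfe01.corp.example'                        # assumption: front end FQDN or HLB VIP FQDN
$AutodiscoverPath = '/Autodiscover/AutodiscoverService.svc/root'   # assumed Lync 2010 mobility autodiscover root

# 1. Does the public name point at the TMG listener address?
function Test-LyncDiscoverDns {
    param([string]$Name, [string]$ExpectedIp)
    $addresses = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
    New-Object PSObject -Property @{
        Name        = $Name
        Resolved    = ($addresses -join ',')
        PointsToTmg = ($addresses -contains $ExpectedIp)
    }
}

# 2. Does the HTTPS listener forward the autodiscover path and present the right certificate?
function Test-LyncDiscoverHttps {
    param([string]$Name, [string]$Path)
    $uri = "https://$Name$Path"
    $request = [System.Net.HttpWebRequest]::Create($uri)
    $request.Method = 'GET'
    $request.Accept = 'application/vnd.microsoft.rtc.autodiscover+xml;v=1'   # assumed mobility client Accept header
    $request.AllowAutoRedirect = $false
    $request.Timeout = 10000
    $body = ''
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
        $body = $reader.ReadToEnd()
        $reader.Close(); $response.Close()
    } catch [System.Net.WebException] {
        # A 4xx/5xx still proves TMG forwarded the request; status 0 means the rule or DNS is wrong
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        else { $status = 0; $body = $_.Exception.Message }
    }
    # Certificate presented by the listener. Checking the Subject is enough for a dedicated
    # cert; for a SAN certificate inspect the Subject Alternative Name extension instead.
    $cert = $request.ServicePoint.Certificate
    $subject = if ($cert) { $cert.Subject } else { '' }
    New-Object PSObject -Property @{
        Uri                 = $uri
        HttpStatus          = $status
        CertSubject         = $subject
        SubjectContainsName = ($subject -match [regex]::Escape($Name))
        BodyPreview         = $body.Substring(0, [Math]::Min(200, $body.Length))
    }
}

# 3. Run this one on the TMG server: are the bridged ports open on the internal name?
function Test-InternalWebPort {
    param([string]$Fqdn, [int[]]$Ports = @(8080, 4443))
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try { $client.Connect($Fqdn, $port); $open = $client.Connected } catch { $open = $false }
        finally { $client.Close() }
        New-Object PSObject -Property @{ Fqdn = $Fqdn; Port = $port; Open = $open }
    }
}

Test-LyncDiscoverDns   -Name $PublicName -ExpectedIp $TmgExternalIp | Format-List
Test-LyncDiscoverHttps -Name $PublicName -Path $AutodiscoverPath     | Format-List
Test-InternalWebPort   -Fqdn $InternalFqdn                            | Format-Table -AutoSize
```

Run the first two functions from a machine outside the network (a mobile device on the carrier network sees the same path) and the third from the TMG server, since that is the host that must reach ports 8080 and 4443. An HTTP status of 0 on the second test points at DNS or the listener; a 4xx/5xx points at the bridging or the internal web site.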
That’s all. Download the Lync mobile app from the marketplace/store. Provided your lyncdiscover.domain.com record points to the TMG server and your simple and Lync web services URLs are configured, you should be able to log in on a mobile phone with a SIP address and password.
For non-Windows phones, you also need to type in your username (AD domain\username) along with the sign-in address and password. This is an important point, as these phones simply say to check the credentials and try again, whereas a Windows phone will prompt you for AD credentials.
As part of the setup, a Global mobility policy will be created. This policy will have mobility and external voice enabled by default. Run Get-CsMobilityPolicy to view the details.
You are free to create user level policies if you want to have different settings.
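As an added example (not part of the original post), the Lync Server Management Shell commands below review the Global mobility policy and create a user-level policy that keeps mobility enabled but turns off external voice, then assign it to a user and audit which users carry an explicit mobility policy. The policy name and the user SIP address are assumptions.

```powershell
# Added example (not from the original post). Run in the Lync Server Management Shell.
Import-Module Lync

# 1. What the CU4 setup created: both settings are enabled by default on Global
Get-CsMobilityPolicy -Identity Global |
    Select-Object Identity, EnableMobility, EnableOutsideVoice

# 2. A user-scoped policy: mobile sign-in allowed, external (outside) voice not allowed
$policyName = 'MobileNoOutsideVoice'   # assumption
if (-not (Get-CsMobilityPolicy -Identity "tag:$policyName" -ErrorAction SilentlyContinue)) {
    New-CsMobilityPolicy -Identity $policyName -EnableMobility $true -EnableOutsideVoice $false
}

# 3. Assign it to one user (assumed SIP address) and confirm the assignment took
$user = 'sip:jdoe@exchangemaster.me'   # assumption
Grant-CsMobilityPolicy -Identity $user -PolicyName $policyName
Get-CsUser -Identity $user | Select-Object SipAddress, MobilityPolicy

# 4. Audit: which users have an explicit (per-user) mobility policy and what it allows.
#    Users with no value inherit the site policy if one exists, otherwise Global.
Get-CsUser | Where-Object { $_.MobilityPolicy } | ForEach-Object {
    $p = Get-CsMobilityPolicy -Identity "tag:$($_.MobilityPolicy)"
    New-Object PSObject -Property @{
        User         = $_.SipAddress
        Policy       = $_.MobilityPolicy
        Mobility     = $p.EnableMobility
        OutsideVoice = $p.EnableOutsideVoice
    }
} | Format-Table User, Policy, Mobility, OutsideVoice -AutoSize
```

Removing a user's explicit policy (Grant-CsMobilityPolicy with -PolicyName $null) drops the user back to the site or Global policy, so step 4 is the quickest way to see who is actually being treated differently from the defaults.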
The only step remaining is to configure push notifications, which I will explain in the next part.
UC Architect, Blogger, Husband & Dad. I have been in IT for the last 14 years, with interests in Active Directory, Exchange, Office 365 & Windows Azure. I am active on Experts Exchange & TechNet forums and I am a technical author for SearchExchange.