Lync 2010 Mobility Service Deployment – Part 2

In part one of the article series, we installed CU4 for Lync servers, installed the prerequisites and the mobility service. In this part, we will publish Lync autodiscover through TMG 2010, configure mobility policies and verify Lync mobile settings.

Now that we have set up everything on the internal Lync servers (front-end and directors), let’s configure the TMG server to publish Lync autodiscover. The assumption is that you have your simple URLs and Lync web services published through the reverse proxy already and that the certificate has the URL of If you have an existing rule, you can just add the Lync autodiscover URL in the Public Names tab and you will be fine. But, I am creating a dedicated rule for Lync autodiscover.

Launch the TMG Management Console and click on Firewall Policy node. Click on Publish Web Sites option on the right hand side task bar. Give a name for the rule, say Lync Autodiscover and click Next.

Select Allow and click Next.

Select the first option Publish a single web site or load balancer and click Next.

Select Use SSL to connect to the published web server or farm and click Next.

Type in the internal site name. This is the name of your front end server. If you have a Standard Edition server, this is the FQDN of the Lync server. If you have an Enterprise pool with a number of front end servers, then this FQDN is the hardware load balancer VIP FQDN.

Make sure that TMG is able to resolve the internal name. To do that, put the internal name in the HOSTS file with the corresponding internal IP address of the server.

Put /* in the path and click Next. Make sure the check box is selected.

Type in the public name – this is your Lync autodiscover url, it’s in my case.

If you already have a web listener (for the other Lync publishing rule), select that. If not, create a new one with the settings below.

  • Listener Name : Lync Listener
  • Require SSL secured connections with clients
  • Select External network and pick the external IP address.
  • Select the certificate (you need to have imported a public cert to the Personal Store of the computer already).
  • No authentication
  • No SSO

Select No delegation, but clients may authenticate directly. This is an important setting, so make sure you select the right one (both look similar); it is the second option.


Select All Users and click Next.

Click Finish to end the wizard. Click Apply button for the changes to take effect.

Double click on the rule and navigate to the To tab. Make sure the settings are as in the screenshot below.

[Screenshot: To tab]

On the Bridging tab, redirect the HTTP port to 8080 and HTTPS to 4443. This is because the external Lync website on the internal Lync server uses ports 8080 and 4443, while the internal website uses ports 80 and 443. Hence, a 443 request from the outside world needs to be redirected to port 4443 of the internal Lync server.

[Screenshot: Bridging tab]

On the Listener tab, click the Properties button to modify the properties of the Lync web listener. Navigate to Connections tab and configure the options as per the screenshot below.

[Screenshot: Connections tab]

Finally, click on the Test Rule button on the properties of the rule itself and make sure you get all green.

That’s all. Download the Lync mobile app from the marketplace/store and, provided you have your record pointing to the TMG server and your simple and Lync web services URLs configured, you should be able to log in on a mobile phone with a SIP address and password.

For non-Windows phones, you also need to type in your username (AD domain\username), along with the sign-in address and password. This is an important point, as these phones simply say to check the credentials and try again, whereas a Windows phone will prompt you for AD credentials.
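Before handing out the mobile app, it is worth confirming from outside the network that the published listener presents a certificate that covers the autodiscover name. The script below is an added example, not part of the original article; `lyncdiscover.example.com` is a placeholder for your own public name, and the function names are made up for illustration.

```powershell
# Added example: inspect the certificate presented by the published listener.
function Get-ListenerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so it can be inspected; trust is checked later.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Test-CertificateCoversName {
    param($Certificate, [string]$Name)
    # 2.5.29.17 is the Subject Alternative Name extension.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $false }
    # Assumes English Windows, where the SAN formats as "DNS Name=a, DNS Name=b".
    $names = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($n in $names) {
        if ($n -eq $Name) { return $true }
        # A wildcard entry covers exactly one left-most label.
        if ($n.StartsWith('*.') -and $Name.IndexOf('.') -gt 0 -and
            $Name.Substring($Name.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

$name = 'lyncdiscover.example.com'   # placeholder public name
$cert = Get-ListenerCertificate -HostName $name
New-Object PSObject -Property @{
    Subject      = $cert.Subject
    Expires      = $cert.NotAfter
    CoversName   = Test-CertificateCoversName $cert $name
    ChainTrusted = $cert.Verify()    # chain builds to a root trusted by this machine
}
```

If `CoversName` or `ChainTrusted` comes back `False`, fix the certificate on the web listener before troubleshooting sign-in on the phones.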

Mobility Policies

As part of the setup, a Global mobility policy will be created. This policy will have mobility and external voice enabled by default. Run Get-CsMobilityPolicy to view the details.

You are free to create user level policies if you want to have different settings.
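One way to use user-level policies is to switch mobility off in the Global policy and grant it only to approved users. This is an added example, not from the original article, to be run in the Lync Server Management Shell; the policy name `PilotMobility` and the SIP address are placeholders.

```powershell
# Added example: restrict mobility to explicitly approved users.

# Review the current policies, including the Global one created by setup.
Get-CsMobilityPolicy |
    Format-Table Identity, EnableMobility, EnableOutsideVoice -AutoSize

# Turn mobility and external voice off by default.
Set-CsMobilityPolicy -Identity Global -EnableMobility $false -EnableOutsideVoice $false

# User-level policy: mobile sign-in allowed, external voice (Call via Work) not allowed.
New-CsMobilityPolicy -Identity PilotMobility -EnableMobility $true -EnableOutsideVoice $false

# Assign the policy to one user (placeholder address).
Grant-CsMobilityPolicy -Identity 'sip:user@example.com' -PolicyName PilotMobility

# Audit which users currently hold the policy.
Get-CsUser |
    Where-Object { "$($_.MobilityPolicy)" -eq 'PilotMobility' } |
    Select-Object DisplayName, SipAddress, MobilityPolicy
```

Users without an assigned user-level policy fall back to the Global policy, so after this change they cannot sign in from the mobile client.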

The only step remaining is to configure push notifications, which I will explain in the next part.

7 thoughts on “Lync 2010 Mobility Service Deployment – Part 2”

  1. Hi Rajith Jose,

    How are you?
    Thanks for the wonderful explanation. I just have a comment: I have a Fortigate firewall and my management will not accept buying FF TMG 2010. Kindly, do you have a solution to go through the Fortigate firewall to allow the mobility service to work?
    Please advise.
    Waiting for your reply as soon as possible.


    • Hi Ibrahim,

      You need some sort of a reverse proxy for this. TMG, UAG, some F5 can do reverse proxy. You can even look at Kemp hardware, they are cheap and efficient.

