step by step Deploy Lync 2010 Mobility Service

now and after I have my hands on a brand new Lync 2010 mobile client it’s time to install and test this service.

so let’s get started, in this scenario Lync 2010 enterprise edition pool is deployed, running on windows 2008 R2 sp1 operating system.

Before beginning the installation it is recommended to review the official deployment guide to understand the mobility service concept

A) Install Lync 2010 Cumulative update 4 December 2011

since the Mobility Service requires Lync 2010 Cumulative update 4 December 2011 to be installed, ( you can get it from here) we will start by installing it in order to apply the Lync 2010 Hotfix KB 2493736.

1-on each Lync server download from here and run LyncServerUpdateInstaller.exe, select install updates and verify that now you have latest updated version installed, if not press install updates and wait until the updates are finished.

installer0

installer00

updateinstaller1

updateinstaller2

after verifying that the updates are installed properly stop all Lync services by running the following command from the Lync management shell

Stop-CsWindowsService
 

Also Stop the world Wide Web Service using the following command

net Stop w3svc


2- Update SQL bank End Database Instance

this procedure should be performed once per pool and should be run from only one Front End server per pool for each instance of Back End databases.

use install-CsDatabase to update the SQL Back End, as follows :

From Lync management Shell run

Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFQDN db-1.unibox.me

If you have collocated Databases within the SQL instance for any additional Lync Server roles for example Monitoring or archiving servers you should use the –ExcludeCollectedStore parameter

Install-CsDatabase1

now we have applied the latest update to our Lync environment reboot the server or start all Lync service by running and the IIS world wide web service 

 
Start-CsWindowsService

net start w3svc



B
Configure DNS Records

Internal and External DNS records are required to be configured for each supported sip domain, the DNS  (A) or CNAME records types are supported. the use of CNAME records is advisable in cases where Lync enterprise pool with multiple front-End servers is deployed for simplicity of administration when new Front-End Servers are deployed.

why SRV Records are not supported by the mobile clients! ?  I mean they could do it the same way that outlook clients query for Exchange autodiscover service no ?

actually this was the first question that I asked myself the first time I read mobility service requirements, after having a clear idea about the whole setup and concept I realized that this was done in order to provide a seamless experience for the mobile clients. So queries for SRV autodiscover records are not supported.

in our scenario a single sip domain will be supported for autodiscover and mobility service and defined by unibox.me, and it is shared inside and outside the organization network, thus we will be creating both the internal and external auto discovery records in the same name space.

Open DNS server management Console expand the forward lookup zone corresponding to the sip domain right-click the forward lookup zone and the following:

1- Configure  Internal Autodiscover DNS Record

select new CNAME record and set “LyncDiscoverInternal” as alias name, and the Lync pool internal web services FQDN as target host

DNS

In case where a director exist the target host should point to the director internal web services  FQDN

2- Configure External Autodiscover DNS Record

select new CNAME record and set “LyncDiscover” as alias name, and the Lync pool External web services FQDN as target host

rev16rev17

it is important to note that the Lync external web services FQDN should point to the external IP address which is already assigned to the Reverse Proxy listener of Lync external web services FQDN. ( the reverse proxy configuration is discussed in details later )

the External Autodiscover record should be configured as an internal DNS record in order to provide mobile clients seamless connectivity experience when switching between locations and networks.

C) Deploy the Mobility Service

1 – Configure internal and external ports

since the mobility service is not a built-in part of the Lync server service ports should be configured explicitly in order for the service to operate properly, the mobility service covers internal and external requests, 2 ports should be configured  to listen to internal  and external requests respectively.

To configure the ports open Lync management shell and run the following

Set-CsWebServer –Identity ucpool01.unibox.me –McxSipPrimaryListeningPort 5086
Set-CsWebServer –Identity ucpool01.unibox.me –McxSipExternalListeningPort 5087
 
As you notice the first command sets the Internal port to TCP 5086 and second one sets it to 5087 where pool name is ucpool01.unibox.me where the mobility service will be installed in my case.
 
the Set-CsWebserver cmdlets runs the publish-CsTopology in order to publish the updated topology.thus we still need to enable the topology by running from the Lync management Shell
 
Enable-CsTopology -Verbose


2 – Install IIS Dynamic Content Compression features

The Mobility Service installation requires that the Internet Information Services (IIS) module for Dynamic Content Compression be installed. Most of the cases this module is not installed in your deployment by default, in this case you need to install it before running the McxStandalone.msi package.

If the Lync server machine is running windows 2008 R2 like in my case you can install the Dynamic content Module from Lync management shell as follows:

Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-Dyn-Compression

webDyn

 

After configuring all the above we can proceed by installing the mobility and autodisocver service binaries

 

3- Install the Mobility Service and autodiscover Service Binaries

You need to run the installer on each Front End Server and each Director in every Lync Server pool where you want to provide the mobility feature. The installer installs the Mobility Service on Front End Servers and installs the Autodiscover Service on Front End Servers and Directors.The latest installation package is available for download from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkID=230577.

Copy the downloaded McxStandAlone.msi package to “C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577.0\setup”

Or from either Lync management shell or windows PowerShell type the following

Import-Module BitsTransfer

$url="http://www.microsoft.com/downloads/info.aspx?na=41&srcfamilyid=919f20c9-6111-47f4-96bc-37d487552efe&srcdisplaylang=en&u=http%3a%2f%2fdownload.microsoft.com%2fdownload%2fB%2fE%2f8%2fBE8E5D68-5D26-4B36-9B86-B1DB6DDB27A7%2fMcxStandalone.msi"

Start-BitsTransfer $Url "C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577.0\setup\McxStandalone.msi"

download

The above code will download the msi package and save it in the proper location

after downloading the package run the bootstrapper.exe from the lync powershell at the following location

C:\Program Files\Microsoft Lync Server 2010\Deployment\Bootstrapper.exe

bootstrapp

so far we have prepared the environment and installed the mobility and autodiscover service, the next step that is still required is to modify the Lync server certificate to include the new autodiscover SAN entries.

To verify that the Mobility Service has been successfully installed

On the Lync Front-End Server where  you have installed the Mobility Service and Autodiscover Binaries , open Internet Information Services (IIS) Manager, expand the Sites node,  expand the Lync Server External website, and check that the autodisocver virtual directory is created, do the same for the Lync Server Internal Website

iisexIISIn

also open the application pools and locate the CSExtMcxAppPool and CSIntMcxAppPool and check that they are started

apppool

4- Modify Lync Internal Certificate

In most of the cases, the Certificate installed on the Lync server would be issued from an internal CA, thus renewing or updating this certificate is simple.

The certificate should be modified to include Lyncdiscover.unibox.me and Lyncdiscoverinternal.unibox.me entries as SAN entries.

in most of the cases a single certificate is installed  and assigned for multiple use, in order to double check this, from the Lync management Shell run:

Get-CsCertificate

Get-Certificate will return all installed certificates with each certificate details. look for the thumbprint and use fields.

GetCert

GetCert1

If the thumbprint Value is the same for all usage that means that a single certificate is assigned for multiple use. which means that we need to only submit one certificate request, to include the autodiscover entries.

From the Command line run following command

Request-CsCertificate -New -Type Default,WebServicesInternal,WebServicesExternal -AllSipDomainCA <DC\CANAME> -Verbose

the above command will generate a new certificate request and install the certificate to the Lync Server computer Store.

“AllSipDomain” parameter is used here since as stated earlier we have only one sip domain is supported. In case multiple sip domain are supported, you have to specify the entries explicitly by using the –”Domainname” parameter for example

Request-CsCertificate -New -Type Default,WebServicesInternal,WebServicesExternal -CA <DC\CANAME> -Domainname "LyncdiscoverInternal.sipdomain1, LyncdiscoverInternal.sipdomain2,Lyncdiscover.sipdomain1,
lyncdiscover.sipdomain2" -Verbose


after verifying the the certificate request has been successfully submitted assign the new certificate for multiple use.

NewCert

to assign the new Certificate, run the following command you need to use the new issued Thumbprint

Set-CsCertificate -Type Default,WebServicesExternal,WebServicesInternal  Thumbprint "1C9340C21CB6C479A704ABD2F64D018F67D5B9AD"

to verify that the new certificate have successfully assigned run Get-CsCertificate Command again and compare the old and new Thumbprint values.

D) Reverse proxy configuration for mobility

The Reverse proxy used in this environment is Microsoft TMG 2010.

at this point the mobility service should be up and running and available for mobile clients connecting from inside the organization network through WIFI.

but In order to support mobile clients connecting from outside the organization network, the new External autodiscover URL should be published on the reverse proxy, the same way that simple URL and Lync web services are already published, there’s no need to add an additional publishing rule, only modify the existing rule and add lyncdiscover.<sipdomain> to the public Names and of course make sure that a Host record for lyncdiscover.<sipdomain> has been configured to point to the external IP address which is already assigned to the Reverse Proxy listener of Lync external web services FQDN. This is true as long as you modify the Reverse proxy Certificate to include the autodiscover URL as SAN, since as we know the simple URL and web components are published through HTTPS protocol.

What if your implementation supports multiple SIP domains! that means you should get a public certificate which include multiple autodisover URLs, which is not a cost effective solution. Fortunately the autodisover can be published through HTTP instead of Https Smile, this is a good solution since we are only publishing the autodiscover Service and access everything else will remain using HTTPS.

In order to publish the autodiscover service using HTTP, we need to create and configure a new website publishing rule on the TMG Server.

Give the Publishing rule a meaningful name

rev1 

On the Select Rule Action page, select Allow.

rev2

On the Publishing Type page, select Publish a single Web site or load balancer.

rev3

On the Server Connection Security page, select Use non-secured connections to connect to the published Web server or server farm.

rev4

On the Internal Publishing Details page, in Internal Site name, type the internal Web Services FQDN for your Front End pool, in our case it is csweb.unibox.me

rev5

On the Internal Publishing Details page, in Path (optional) type /* as the path of the folder to be published, and then select Forward the original host header instead of the one specified in the Internal site name field.

rev6

On the Public Name Details page, do the following:

  • Under Accept Requests for, select This domain name.
  • In Public Name, type lyncdiscover.unibox.me (the external Autodiscover Service URL).
  • In Path, type /*.

rev7

On Select Web Listener page, in Web Listener, use the New Web Listener Definition Wizard to create a new one.

rev8

in the New Web listener definition wizard,in the Client Security page select Do not requires SSL Connections with clients.

rev9

in the New Web listener definition wizard,in the Web Listener IP addresses page select External Network, as the network to listen for incoming web requests.

rev10

if there are multiple IP addresses configured on the External Network of the reverse proxy select the appropriate IP address to which <lyncdiscover.sipdomain> is configured in the public DNS. ( we will create the public DNS later )

in the authentication settings, select no authentication

rev11

finish the wizard and select the new web listener as the listener of the new web publishing rule

rev12

On the Authentication Delegation page, select No delegation, and client cannot authenticate directly

rev13

On the User Set page, select All Users.

rev14

On the Completing the New Web Publishing Rule Wizard page, verify that the web publishing rule settings are correct, and then click Finish.

In the Forefront TMG list of web publishing rules, double-click the new rule you just added to open Properties.

On the Bridging tab, configure the following:

  • Select Web server.
  • Select Redirect requests to HTTP port, and type 8080 for the port number.
  • Verify that Redirect requests to SSL port is not selected.

rev15

Click OK

Click Apply in the details pane to save the changes and update the configuration.

Click Test Rule to verify that your new rule is set up correctly

Verify that the external Autodiscover Service URL is not defined on any other web publishing rule.

E) Verify Mobility Service Deployment

1- verify autodiscover External URL publishing

to verify that the autodiscover service has been successfully published, from a computer that is connected via an external internet connection open http://lyncautodisocver.<sipdomain> in our case http://lyncdisocver.unibox.me

down

you should receive a file download request, open the file in notepad, this file contains the redirection information to the Lync web Services external website, note that this is the only information sent clear text, since the mobile client will establish a secure connection later with the Lync Server web components

{"Root":{"Links":[{"href":"https:\\/webservices.unibox.me\/Autodiscover\/AutoDiscoverService.svc\/root?sipuri=","token":"Redirect"}]}}

2- To test person-to-person instant messaging using test-CsMcxP2PIM

After you deploy the Microsoft Lync Server 2010 Mobility Service and Microsoft Lync Server 2010 Autodiscover Service, run a test transaction to verify that your deployment works correctly. You can run Test-CsMcxP2PIM to test sending an instant message between two users. To use this test transaction, you need two actual or test users and their full credentials.

from the Lync management shell run the following command

$usr1 = Get-Credential

supply the username and password for the first user

usr1

then run

$usr2 = Get-Credential

supply the username and password for the second user

usr2

then run the following command

Test-CsMcxP2PIM -TargetFQDN Ucpool01.unibox.me -SenderSipAddress [email protected] -SenderCredential $usr1 -ReceiverSipAddress sip:[email protected] -ReceiverCredential $usr2

the receiver should receive an instant message from the sender in addition you can verify the successful web ticket creation from the shell by examining the cmdlet output

p2pim

F) Configure Mobility Policy

Cumulative update for Lync Server 2010: November 2011 introduces a new mobility policy that determines who can use mobility features and who can use the Call via Work feature. Call via Work allows a mobile user to make and receive calls on a mobile phone by using a work phone number instead of the mobile phone number. This feature prevents the called party from seeing the caller’s mobile phone number and allows a user to avoid outbound calling charges.

By default, after deploying the mobility service both mobility and Call via Work features are enabled, in order to check the mobility policy

Get-CsMobilityPolicy

Policy

if desired you can change the policy settings by running the set-MobilityPolicy Command for example the below command set a description for the global mobility policy

Get-CsMobilityPolicy  | Set-MobilityPolicy –Description ‘Default Mobility Policy’

The mobility policy give administrators controls over mobile users, it is quite important to use this policy carefully

Test the Client

now testing from a Lync mobile client for iphone, using only the sign-in name and password

photo 1photo 2photo 3photo 4

hope that you enjoy mobile Lyncing!

Experienced Consultant Team Lead with a demonstrated history of working in the information technology and services industry. Skilled in Azure, Skype for Business, SQL Server, Iaas, Saas, PaaS, ITIL, Microsoft Solutions, and Servers. Strong information technology professional, technology passionate.

Posted in Messaging & Collaboration
5 comments on “step by step Deploy Lync 2010 Mobility Service
  1. Suttonj says:

    After modifying the internal certificate, the original “Alternative Names” are gone.
    I tried reissue again listing all names, but again only the new names are listed.
    I’m worried that this is going to cause trouble

    • Charbel hanna says:

      if only the new names has appeared that means  you don’t need to include the old SANs, can you post more details about what was the old SANs related too ? maybe those SANs are not used anymore, since as you know the lync certificate wizard will automatically add the required SANs based on the published topology and configuration

      regards,

  2. Roger says:

    This is the first post that CLEARLY explains the DNS configs required, in particular needing the external web fqdn published in internal dns.  Thanks

  3. Roy says:

    hi there,
    it is such a very good article tracts about a lync mobility service,
    bot I have a little question, maybe not covering this discussion,because I haven’t in my organization TMG Reverse Proxy yet, I have only FE Lync Server, Lync Edge and AD,i’m wondering where should I put my TMG Server,My Edge server connects lync outside clients through DMZ, so Should I put in DMZ : TMG and next Lync Edge ? Bot what about public Net Access ? TMG as I know is not supporting NAT as so far ?It is required for me to go through with mobility services for external lync users,please advice 😉

  4. +961 😀 lebanese FTW
    very informative post, just what i needed 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

*