Lync Mobility – lyncdiscoverinternal vs lyncdiscover

Lync Server 2010 Mobility supports an internal and an external automatic discovery record. The mobile client signs in by trying them in this order:

  1. DNS query for lyncdiscoverinternal.<sipdomain> (the internal record).
  2. DNS query for lyncdiscover.<sipdomain> (the external record).

Got this great flow diagram from Brendan Carius…cheers 😉

Usually the Lync Web Services certificate assigned to the Front End pool is issued by an internal CA. That root CA is not present on mobile devices, so the certificate is not trusted. Because the client tries lyncdiscoverinternal first, a device on the internal network lands on that certificate before it ever gets to lyncdiscover, and the Lync mobile client cannot sign in unless the internal root certificate has been pre-installed on the device.

It's a lot more work to deploy the root CA to every mobile device, so it makes more sense NOT to have a lyncdiscoverinternal DNS record at all. Instead, create an internal lyncdiscover A record pointing to the public IP of your reverse proxy (RP), so internal devices take the same path as external ones.
You will need a reverse proxy rule that allows this traffic from the internal network, effectively hairpinning it.

Even after configuring this I still got "Can't verify certificate from the server. Please contact your support team".

It would appear that the devices don't trust the internal certificate, which makes sense. So how to fix this?

Two options here:
1. Install the root CA on the device (this defeats the point: with the root CA installed, the original lyncdiscoverinternal path works anyway).
2. The only way I could get around the cert issue was to create a new listener and assign it port 80 only, so the discovery step is plain HTTP and no certificate is presented. This did require an additional IP on the TMG internal interface. Note that the discovery step then carries no certificate check of its own; the sign-in itself still goes to the HTTPS web services URL that the discovery response hands back, and that listener still needs a certificate the device trusts.

Another error I got was "The server is either busy or did not respond, please try again later".

Running traces on my iPhone showed that the lyncdiscover response pointed the client at the External Web Services URL, whose FQDN did not exist in the DNS of my internal connection. Once I added a CNAME for it so the name resolved internally, we were sorted.
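To make the decision path concrete, here is a small model of the sign-in walk described above: the discovery order, the device trust check at each hop, and the second DNS hop to the web services FQDN. It is an added example, not code from this post or from Microsoft. The DNS records, listener certificates, device trust store and the one-field autodiscover answer are all constructed; contoso.com, 10.0.0.x and 203.0.113.10 are placeholders; and it assumes the internal lyncdiscover record ends up at the address of the port-80-only listener, which the post does not state. The intermediate cert error hit after the first hairpin attempt is not modelled, because the post does not say which listener that request reached.

```python
"""Model of the Lync 2010 mobile sign-in path: constructed DNS, listeners and
trust store (added example, not the post's or Microsoft's code). The
autodiscover answer is reduced to the web services FQDN the client uses next."""
from typing import Dict, Optional, Set, Tuple

SIP_DOMAIN = "contoso.com"  # placeholder SIP domain


class CertError(Exception):
    """Listener presented a certificate chaining to a CA the device does not trust."""


class NoResponse(Exception):
    """Name did not resolve; the client reports this as 'busy or did not respond'."""


class Listener:
    def __init__(self, cert_issuer: Optional[str], webservices_host: str):
        # None models a plain-HTTP listener (TMG listener bound to port 80 only):
        # no certificate is presented, so there is nothing for the device to distrust.
        self.cert_issuer = cert_issuer
        self.webservices_host = webservices_host  # simplified autodiscover answer


class Environment:
    def __init__(self, dns: Dict[str, str], listeners: Dict[str, Listener], device_trust: Set[str]):
        self.dns = dns                    # FQDN -> IP, as the device's resolver sees it
        self.listeners = listeners        # IP -> what answers at that address
        self.device_trust = device_trust  # CA names in the device's trust store


def discovery_order(sip_domain: str):
    # Order the Lync 2010 mobile client uses: internal record first, then external.
    return [f"lyncdiscoverinternal.{sip_domain}", f"lyncdiscover.{sip_domain}"]


def connect(env: Environment, fqdn: str) -> Listener:
    """Resolve fqdn and validate the listener's certificate against the device trust store."""
    ip = env.dns.get(fqdn)
    if ip is None:
        raise NoResponse(f"{fqdn} does not resolve on this network")
    listener = env.listeners[ip]
    if listener.cert_issuer is not None and listener.cert_issuer not in env.device_trust:
        raise CertError(f"Can't verify certificate from {fqdn} (issued by {listener.cert_issuer})")
    return listener


def sign_in(env: Environment, sip_domain: str = SIP_DOMAIN) -> Tuple[str, str]:
    """Walk the discovery order, then the web services hop. Returns (status, detail)."""
    for name in discovery_order(sip_domain):
        if name not in env.dns:
            continue                    # no such record: try the next discovery name
        try:
            disco = connect(env, name)  # an untrusted cert here ends sign-in; no fallback
            connect(env, disco.webservices_host)
        except CertError as e:
            return "cert_error", str(e)
        except NoResponse as e:
            return "no_response", str(e)
        return "ok", f"{name} -> {disco.webservices_host}"
    return "no_response", "no discovery record resolves"


def post_environment() -> Environment:
    """Starting point in the post: lyncdiscoverinternal points at the Front End pool,
    whose web services certificate comes from an internal CA the device lacks."""
    return Environment(
        dns={
            f"lyncdiscoverinternal.{SIP_DOMAIN}": "10.0.0.5",
            f"lyncweb.{SIP_DOMAIN}": "10.0.0.5",       # internal web services FQDN
            f"lyncdiscover.{SIP_DOMAIN}": "203.0.113.10",
        },
        listeners={
            "10.0.0.5": Listener("Contoso Internal CA", f"lyncweb.{SIP_DOMAIN}"),  # Front End pool
            "203.0.113.10": Listener("Public CA", f"lyncwebext.{SIP_DOMAIN}"),     # RP, public cert on 443
            "10.0.0.20": Listener(None, f"lyncwebext.{SIP_DOMAIN}"),               # extra TMG internal IP, port 80 only
        },
        device_trust={"Public CA"},
    )


def scenario_internal_record():
    """As shipped: the device hits the internal record and the internal CA cert."""
    return sign_in(post_environment())


def scenario_install_root_ca():
    """Option 1: trust the internal CA on the device; the internal path then works."""
    env = post_environment()
    env.device_trust.add("Contoso Internal CA")
    return sign_in(env)


def option2_environment() -> Environment:
    """Option 2: drop lyncdiscoverinternal and point the internal lyncdiscover record at the
    port-80-only listener (assumed address; the post does not say which record it used)."""
    env = post_environment()
    del env.dns[f"lyncdiscoverinternal.{SIP_DOMAIN}"]
    env.dns[f"lyncdiscover.{SIP_DOMAIN}"] = "10.0.0.20"
    return env


def scenario_http_listener_no_cname():
    """Discovery works, but the external web services FQDN it returns has no internal DNS entry."""
    return sign_in(option2_environment())


def scenario_with_cname():
    """Same, plus the CNAME so the external web services FQDN resolves to the RP internally."""
    env = option2_environment()
    env.dns[f"lyncwebext.{SIP_DOMAIN}"] = "203.0.113.10"  # CNAME modelled as a second name for the RP
    return sign_in(env)


if __name__ == "__main__":
    for fn in (scenario_internal_record, scenario_install_root_ca,
               scenario_http_listener_no_cname, scenario_with_cname):
        print(f"{fn.__name__:32s} {fn()}")
```

Run it and each stage prints its outcome. The two things worth noticing: a certificate the device cannot chain stops sign-in at whichever hop presents it, with no fallback to the next discovery record, and a web services FQDN that does not resolve internally surfaces as the generic "busy or did not respond" message rather than anything that names DNS.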


About Paul B

My name is Paul Bloem and I am employed at Lexel Systems in New Zealand as a Principal Consultant for Unified Communications. I have been working on enterprise voice solutions for over 20 years. My first 10 years were spent working for a Telco in South Africa (Telcom SA). This is where all the groundwork happened, as I was exposed to just about every aspect of telecommunication you could imagine. I developed an interest in PBX technologies and eventually became the go-to guy. Next, I had a 10 year run at Siemens South Africa; most of my time there was as a Technical Trainer. During this time VoIP hit the world stage, and I had the privilege of introducing VoIP, first as H.323 and later SIP, across the Siemens HiPath 4000 solution stack. In 2008 I immigrated to New Zealand with my newly attained MCSE, ready to go where no PBX Techie had gone before. I was employed to explore OCS 2007 and that was pretty much the beginning of the end for me. I have been working on OCS and Lync ever since. My current role focuses exclusively on Lync and associated technologies. That includes pre-sales, consulting, architecture and design, training and support. I even get to play in the development space from time to time - focus on play ;-) I was nominated as a Microsoft VTSP for Lync early in 2013 and also awarded Microsoft's MVP award for Lync in 2014.
This entry was posted in DNS, Lync Mobility, Lyncdiscover.