Lync Server 2010 Mobility supports an internal and an external automatic discovery record. The mobile client signs in as follows:
- DNS query for lyncdiscoverinternal.
- DNS query for lyncdiscover.
Got this great flow diagram from Brendan Carius…cheers 😉
Usually the Lync Web Services certificate assigned to the Front-end Pool is issued by an internal CA. Of course this Root CA isn’t present on mobile devices and so isn’t trusted. The Lync mobile client would not be able to sign in unless the internal root certificate was pre-installed on the device.
It’s a little more tricky to deploy the Root CA to all your mobile devices, so it makes more sense to NOT have a lyncdiscoverinternal DNS record. Instead, have a lyncdiscover A record (internally) pointing to the public IP of your reverse proxy (RP).
You will need an RP rule to allow this traffic from internal – effectively hairpinning the traffic.
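As an added example (not from the original post), the script below models the client’s discovery order described above and audits an internal DNS view against the recommended setup: no lyncdiscoverinternal record, and lyncdiscover resolving to the RP’s public IP. It also includes a live check of whether a host’s certificate chain validates against the local public root store, which is what a mobile device without the internal root would see. The SIP domain example.com and the IP addresses are constructed sample values.

```python
import socket
import ssl

# Discovery order the Lync mobile client follows (from the post):
# the internal record first, then the external one.
def discovery_candidates(sip_domain):
    return ["lyncdiscoverinternal." + sip_domain, "lyncdiscover." + sip_domain]

def pick_discovery_host(sip_domain, resolve):
    """Return (hostname, ip) for the first candidate that resolves, else None.
    `resolve` maps a hostname to an IP string or None (injectable for testing)."""
    for host in discovery_candidates(sip_domain):
        ip = resolve(host)
        if ip:
            return host, ip
    return None

def audit_internal_dns(sip_domain, resolve, rp_public_ip):
    """Check the internal DNS view against the post's recommendation:
    no lyncdiscoverinternal record, and lyncdiscover pointing at the
    reverse proxy's public IP so the traffic hairpins through the RP."""
    findings = []
    internal, external = discovery_candidates(sip_domain)
    if resolve(internal):
        findings.append(f"{internal} resolves: mobile clients will hit the Front-end "
                        "pool directly and see the internal-CA certificate")
    ext_ip = resolve(external)
    if not ext_ip:
        findings.append(f"{external} does not resolve internally")
    elif ext_ip != rp_public_ip:
        findings.append(f"{external} resolves to {ext_ip}, not the RP public IP {rp_public_ip}")
    return findings

def cert_chain_trusted(host, port=443, timeout=5):
    """Live check: does `host` present a chain that validates against the local
    public root store, as a mobile device without the internal root would see it?"""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False

if __name__ == "__main__":
    # Constructed sample: the internal DNS view of a fictitious SIP domain.
    sample = {"lyncdiscover.example.com": "203.0.113.10"}
    print(audit_internal_dns("example.com", sample.get, "203.0.113.10"))
```

Run `cert_chain_trusted("lyncdiscover.<your sip domain>")` from inside the network to confirm the hairpinned RP presents a publicly trusted chain rather than the internal-CA certificate.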
Even after configuring this I still got “Can’t verify certificate from the server. Please contact your support team”.