Lync Mobile iOS Certificate Errors

I ran into an issue (which I didn't with Android and WP7) where I was unable to log in to the iPad and iPhone iOS Lync client. It turned out this was two separate certificate errors. The first occurred immediately upon signing in internal to the domain (because my Apple devices did not trust my internal CA). The second (internal or external) was the intermediate certificate not being present on my KEMP Hardware Load Balancer.

Internal Root Certificate

The error I was seeing on my iPad was "Can't connect to the server. It might be unavailable. Also please check your network connection, sign-in address and server addresses". Again, the WP7 and Android devices were not experiencing this issue! (As an aside, the Android devices did realize there was an untrusted certificate, but I had the option of saying it was okay and moving on. Eventually I simply emailed myself the root and intermediate certificates, which installed with a simple click.)


My internal CA is comprised of a Root, an Intermediate, and an Issuing CA, yet the Apple devices only seem to care about the root. To add the certificate to the device, the Apple iPhone Configuration Tool is used. It is true that you could send yourself an email with the certificate, but I have found that the device does not fully trust that method. If you do not already have the Configuration Tool (it is not part of iTunes), download it from Apple here. There is a Mac version of the tool as well, but I will show the Windows version.

Once the application is installed, launch the tool and navigate on the right to Configuration Profiles.


In the upper-right click New to create a Configuration Profile. The Configuration Profile can be used to set and configure all types of settings; however, I am only interested in adding a trusted root certificate to the device. Start by naming the profile. In my example, I have named it BriComp Root Certificate and set my unique identifier to com.bricomp.cert.profile. Complete the General settings by entering your company name and optionally a description.


Next, navigate down the list to the certificate icon labeled Credentials and click Configure.


After clicking Configure, a list of certificates found on your local computer will be displayed. Assuming your computer trusts your internal LAN certificates, your root certificate will be shown here. Scroll to the correct certificate and click OK.


The certificate will be shown in the Credential window and all changes are immediate (i.e. there is no 'save' option). For small/single installs connect your device to your computer using the USB cable. The device will be displayed in the Configuration Tool under DEVICES. Select the device and then the Configuration Profile Tab.


You will notice there is an option to install the profile directly. Click Install to begin the process. On your device, an Install Profile window is shown where you must click Install followed by Install Now, confirming the installation of the Root Certificate. If you have a passcode you will need to enter it and then click Done.


For mass installs, you can export the configuration profile using the tool and email it to all that need it.

External Certificate Error

Once I got past my internal certificate issue I was then receiving the error "Can't verify the certificate from the server. Please contact your support team".


This error was the same inside and outside my network but again, only on my Apple iOS devices. Puzzled for days, I nearly gave up when I thought maybe...just maybe the Hardware Load Balancer needed the intermediate certificate loaded for DigiCert, the issuer of my web services external certificate. This is an easy process, and if you followed my past blog on configuring the KEMP HLB for Lync, this step may be required as well.

In the KEMP LB web configuration page navigate to Certificates | Intermediate Certs.


In this section you have the option of managing the intermediate certificates on your Load Balancer. Click Add New to display the New dialog. Here you need to paste the public certificate DigiCertHighAssuranceCA-3.cer into the text box and provide a name. The certificate can be downloaded from DigiCert's website at https://www.digicert.com/digicert-root-certificates.htm. Save the file to your local computer and open it with Notepad. The certificate will look like the text file that is created when you request a new certificate for yourself. Copy and paste the entire content unaltered into the KEMP website and name the certificate DigiCertHA3.

Click Add to complete the installation of the Intermediate Certificate. That's it - once the LB trusts the DigiCert Intermediate and your device trusts your internal CA your client will be able to login.
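Both errors above come down to the same chain rule: the device trusts only the root, so whatever terminates TLS must hand it the intermediate. This added example (not code from the original post) builds a throwaway Root, Intermediate and Leaf chain with openssl and shows that the leaf validates against the root only when the intermediate is supplied with it; the CA names and lyncweb.example.com are constructed.

```shell
# Added example, not from the original post: Root -> Intermediate -> Leaf chain built
# with openssl. A client that trusts only the root (the iOS profile case) can validate
# the leaf only if the server also serves the intermediate. All names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal req config; ca_ext marks a certificate as a CA when applied at signing time.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Root CA: self-signed; this is what the device's configuration profile trusts.
openssl req -x509 -config "$WORK/ca.cnf" -subj "/CN=Example Root CA" -days 30 \
  -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
# Intermediate CA signed by the root (the DigiCertHighAssuranceCA-3 role in the post).
openssl req -new -config "$WORK/ca.cnf" -subj "/CN=Example Intermediate CA" \
  -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ca.cnf" -extensions ca_ext \
  -out "$WORK/int.pem" 2>/dev/null
# Leaf: the external web services certificate, signed by the intermediate.
openssl req -new -config "$WORK/ca.cnf" -subj "/CN=lyncweb.example.com" \
  -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 30 -out "$WORK/leaf.pem" 2>/dev/null
# chain_ok TRUSTED_ROOT SERVED_EXTRAS LEAF: returns 0 when the leaf validates.
# SERVED_EXTRAS is the intermediate file the server or load balancer sends; "" = none.
chain_ok() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}
if chain_ok "$WORK/root.pem" "" "$WORK/leaf.pem"; then echo "leaf only: OK"
else echo "leaf only: FAIL (intermediate not served, the iOS error)"; fi
if chain_ok "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem"; then echo "leaf+intermediate: OK"
else echo "leaf+intermediate: FAIL"; fi
```

Against a live VIP, `openssl s_client -connect host:443 -servername host -showcerts` lists exactly the certificates the load balancer sends, so a missing intermediate shows up before an iOS device reports it.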

Lync Mobility on WiFi with a KEMP LB

Like many I was excited to see the mobility client finally released for Lync 2010 but needed to figure out what communication was going where - can't fix what you do not understand.

THE ISSUE

When using mobility, internally or externally, all communication flows from the mobile device to the External Web Services of your pool. The concept is that there is a single point of communication regardless of your network, allowing communication to seamlessly move from network to network. In order to achieve this, the external services URLs must be reachable internally when a client accesses port 443.

THE LOAD BALANCER

That requirement was not as daunting as one might think when using a Hardware Load Balancer, in this case my KEMP. The key on the KEMP was to have two VIPs created, one for internal communication and one for external communication. The configuration looked something like this:

Internal Web Services VIP
10.10.10.10:443 --> 10.10.10.50:443
10.10.10.10:80 --> 10.10.10.50:80

External Web Services VIP
10.10.10.20:443 --> 10.10.10.50:4443
10.10.10.20:80 --> 10.10.10.50:8080

With this configuration, the port address translation happens on the HLB so the Reverse Proxy or Firewall can send the external traffic unchanged. Internally, the communication is always bound for HTTP/HTTPS and then changed depending on the destination IP.

DATA FLOW

Looking at communication from a phone via cellular and WiFi then looks like so:

Cellular
Phone IP (12.5.5.23) --> Ext AutoDiscover (68.5.12.54:443) --> Ext Web Services URL (68.5.12.54:443) --> HLB (10.10.10.20:443) --> Lync Pool External Web Services (10.10.10.50:4443)

WiFi
Phone IP (10.10.10.100) --> Internal AutoDiscover (10.10.10.10:443) --> Int Web Services (10.10.10.10:443) --> Ext Web Services URL/HLB (10.10.10.20:443) --> Lync Pool External Web Services (10.10.10.50:4443)

As you can see, both methods end up going to the external web services, which are managed by the KEMP HLB. The only difference is that on the internal WiFi the device is able to resolve the internal pool, which passes back the Mobile URL information, i.e. the external web services URL. Because the external web services URL resolves internally to the VIP created for the external web services, it is redirected to port 4443.

That sets the data flow as we want; now the only thing left is the configuration of the KEMP HLB, which requires setup using cookies for persistence (again referencing Dave Howe's article here).

CONFIGURING THE HLB

The KEMP configuration for Lync is fairly easy with the settings below. You will need your external certificate so that it can be loaded into the HLB (public and private key), as it will need to decrypt and re-encrypt the communication. An example configuration would be:

Basic Properties
Service Type: HTTP/HTTPS
L7 Transparency: Disabled
Real Server Check Parameters: Optional but recommended
Service Nickname: Lync Web Servers -4443
Persistence Options
Mode: Active Cookie
Timeout: 3 Days (the length of an inactive Push Session before it times out)
Cookie Name: MS-WSMAN
Scheduling Method: resource based (adaptive)
Idle Connection Timeout: 0
Use Address for SNAT: Unchecked

SSL Properties
SSL Acceleration: Enabled and Reencrypt checked
Certificates: Load the external web services certificate here
Rewrite rules: None
Client Certificates: No Client Certificates required

Advanced Properties
Content Switching: Disabled
HTTP Header Modifications: None
Port Following: No Port Selected
Enable Caching: Unchecked
Enable Compression: Unchecked
Detect Malicious Requests: Unchecked
Add Header to Request:
Not Available Server:
Not Available Redirection Handling:
Default Gateway:

COMPLETE

Assuming there are physical servers that the VIP is pointing to (again redirecting to ports 4443 and 8080), communication should now flow. As a key reminder, make sure the external web services URL resolves internally to the external HLB VIP configured above and you are good.