Microsoft Lync Server 2010 – Mobility Services – LyncDiscover – External Configuration

Implementing Microsoft Lync Server 2010 Mobility Services for mobile devices is not that hard, but just to make it easy I have made this short checklist. The primary purpose of this article is to clarify how to use multiple SIP domains.

You only need domainB through domainD in this guide if you have multiple SIP domains for users in the Lync environment – typically when you use the same SIP address as the user's primary e-mail address (companyA, companyB and so on).

Steps:

  1. Download the Microsoft Lync Server 2010 Mobility Guide
  2. Read the complete document, and follow the instructions
  3. Plan your mobility implementation – and document it before implementing
  4. Verify that you have the correct DNS records set up (see note below)
  5. When publishing the LyncDiscover (page 28 in the Microsoft guide), remember to:
    • Add LyncDiscover.domainA.com, LyncDiscover.domainB.com, LyncDiscover.domainC.com on the Public Name tab of the Web Publishing rule
    • Use port 80/8080 for LyncDiscover

DNS Records:

If using more than one SIP domain, it is important that all external DNS domains contain the necessary SRV records. All SRV records should point to the “first” SIP domain (domainA.com); this reduces the number of DNS names in the SAN certificates.

DNS records for each additional SIP domain:

  • (SRV) _sip._tls.domainB.com -> sip.domainA.com (like port 443)
  • (SRV) _sip._tls.domainC.com -> sip.domainA.com (like port 443)
  • (SRV) _sip._tls.domainD.com -> sip.domainA.com (like port 443)
  • (SRV) _sipfederationtls._tcp.domainB.com -> sip.domainA.com (like port 5061)
  • (SRV) _sipfederationtls._tcp.domainC.com -> sip.domainA.com (like port 5061)
  • (SRV) _sipfederationtls._tcp.domainD.com -> sip.domainA.com (like port 5061)
  • (Alias/C-Name) LyncDiscover.domainB.com -> LyncDiscover.domainA.com
  • (Alias/C-Name) LyncDiscover.domainC.com -> LyncDiscover.domainA.com
  • (Alias/C-Name) LyncDiscover.domainD.com -> LyncDiscover.domainA.com

Verify that LyncDiscover.domainA.com is present in the SAN certificate for the TMG server (not in the certificate for the Edge server, which should contain SIP records).
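One way to check a DNS export and the TMG certificate's SAN list against the record plan above, as an added example that is not part of the original post or the Microsoft guide. The zone data, the SAN list and the function names are constructed for illustration; the ports are the ones listed in this post.

```python
# Added example: audit DNS data and the TMG SAN list against the plan in this post.
# All record data below is constructed sample input, not a real zone.

def norm(name):
    """DNS names compare case-insensitively; drop any trailing root dot."""
    return name.lower().rstrip(".")

def expected_records(primary, extra_domains):
    """Record plan from the post: every extra SIP domain points at the primary."""
    plan = {}
    for d in map(norm, extra_domains):
        plan[("SRV", f"_sip._tls.{d}")] = (f"sip.{norm(primary)}", 443)
        plan[("SRV", f"_sipfederationtls._tcp.{d}")] = (f"sip.{norm(primary)}", 5061)
        plan[("CNAME", f"lyncdiscover.{d}")] = (f"lyncdiscover.{norm(primary)}", None)
    return plan

def audit(primary, extra_domains, zone, tmg_san):
    """Return sorted findings; an empty list means the plan is fully met."""
    zone = {(rtype, norm(name)): val for (rtype, name), val in zone.items()}
    findings = []
    for (rtype, name), (target, port) in expected_records(primary, extra_domains).items():
        actual = zone.get((rtype, name))
        if actual is None:
            findings.append(f"missing {rtype} {name}")
        elif norm(actual[0]) != target:
            findings.append(f"{rtype} {name} -> {norm(actual[0])}, expected {target}")
        elif port is not None and actual[1] != port:
            findings.append(f"{rtype} {name} port {actual[1]}, expected {port}")
    if f"lyncdiscover.{norm(primary)}" not in {norm(s) for s in tmg_san}:
        findings.append(f"TMG certificate SAN lacks lyncdiscover.{norm(primary)}")
    return sorted(findings)

# Constructed sample: domainB is correct, domainC lacks the federation SRV,
# domainD has a wrong _sip._tls port and a CNAME that misses the primary domain.
SAMPLE_ZONE = {
    ("SRV", "_sip._tls.domainB.com"): ("sip.domainA.com", 443),
    ("SRV", "_sipfederationtls._tcp.domainB.com"): ("sip.domainA.com", 5061),
    ("CNAME", "LyncDiscover.domainB.com"): ("LyncDiscover.domainA.com", None),
    ("SRV", "_sip._tls.domainC.com"): ("sip.domainA.com", 443),
    ("CNAME", "LyncDiscover.domainC.com"): ("LyncDiscover.domainA.com", None),
    ("SRV", "_sip._tls.domainD.com"): ("sip.domainA.com", 5061),
    ("SRV", "_sipfederationtls._tcp.domainD.com"): ("sip.domainA.com", 5061),
    ("CNAME", "LyncDiscover.domainD.com"): ("LyncDiscover.domainD.com", None),
}
SAMPLE_SAN = ["LyncDiscover.domainA.com"]  # constructed TMG certificate SAN list

if __name__ == "__main__":
    extras = ["domainB.com", "domainC.com", "domainD.com"]
    for finding in audit("domainA.com", extras, SAMPLE_ZONE, SAMPLE_SAN):
        print(finding)
```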

If you have followed the Microsoft Lync Server 2010 Mobility Guide and the few pointers above you should be able to connect your mobile device using only:

  • SIP sign-in (user@sipdomainA.com, user@sipdomainB.com, user@sipdomainC.com)
  • UPN sign-in (if different from SIP address)
  • Password

You will be prompted to accept the certificate for LyncDiscover.domainA.com the very first time you sign in; just accept and you are ready to go. This is not a security prompt but a result of redirecting LyncDiscover.domainX.com to LyncDiscover.domainA.com.

You might want to read this too: http://blog.schertz.name/2011/12/deploying-the-lync-2010-mobility-service/

When working with SAN certificates I have found that GoDaddy.com is a cheap and easy way to get certificates.
Remember that you can sign certificates with the Starfield root instead of GoDaddy; it looks nicer to me.
