4. Network and Security Considerations for Mobility
Because all mobile users must be directed to the external web services through a reverse proxy, even when they are internal clients, a unique hairpin situation is created. In some environments, hairpinning is not allowed. This scenario arises when internal traffic egresses an interface and then attempts to immediately ingress on that same interface.
This functionality must be allowed for the Mobility Services to work. A potential workaround is to deploy the reverse proxy solution separately from the firewall (that is, do not allow reverse proxy traffic to traverse the corporate firewall, which avoids the hairpinning problem). In that configuration, the traffic egresses the reverse proxy interface and then ingresses that same reverse proxy interface rather than the firewall. If the traffic must still pass through the external firewall, work with the firewall administrators to provide an exception to the hairpin rule for this traffic.
Firewall Rules Required for Lync Mobile
Lync mobile clients connect through the external web services connection, which should be published on port 443 TCP. This requirement is fairly standard and should already be in place in any Lync deployment that supports external users. Apple iOS devices connected to the internal infrastructure require an additional firewall rule for push notification connectivity: when an Apple iOS device connects to the Apple Push Notification Service, it initiates an outbound connection on port 5223 TCP. Ensure that this connectivity is allowed outbound from the corporate network for these devices to function properly.
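The following PowerShell script is an added example, not taken from the book or from the Lync product, that checks the two TCP paths listed above from a client's point of view: the external web services name published through the reverse proxy on 443, and the outbound path to the push notification service on 5223. The host names are assumptions (the APNs entry in particular is a placeholder to be replaced with Apple's published hostname); the function itself relies only on Test-NetConnection, which ships with Windows 8.1 / Server 2012 R2 and later.

```powershell
# Added example: verify the TCP paths Lync Mobility depends on.
# Host names are placeholders/assumptions; substitute your own values.

$checks = @(
    # External web services published through the reverse proxy on TCP 443
    @{ Name = 'External web services (reverse proxy)'; Host = 'lyncweb.companyabc.com'; Port = 443 },
    # Apple Push Notification Service, outbound from the internal network on TCP 5223
    @{ Name = 'Apple Push Notification Service';        Host = 'apns.example.invalid';   Port = 5223 }
)

function Test-MobilityPath {
    param([Parameter(Mandatory)][hashtable[]]$Targets)

    foreach ($t in $Targets) {
        # Test-NetConnection attempts a full TCP handshake to the given port
        $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check     = $t.Name
            Endpoint  = "$($t.Host):$($t.Port)"
            Resolved  = ($null -ne $r.RemoteAddress)   # name lookup succeeded
            Reachable = $r.TcpTestSucceeded            # TCP handshake completed
        }
    }
}

Test-MobilityPath -Targets $checks | Format-Table -AutoSize
```

Run it once from an external network and once from an internal client: a failure on the 443 check from the inside, while the same check succeeds from the outside, is the signature of the hairpin restriction described in the previous section rather than a problem with the reverse proxy itself.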
5. Steps to Enable Mobility
Deploying Mobility Services in Lync Server 2013 is relatively simple. Using the guidance in the previous sections, complete the following high-level steps to enable Mobility in a Lync Server 2013 environment.
DNS Configuration for the LyncDiscover Service
DNS records are required for the LyncDiscover service for both internal and external users.
Create an internal DNS A record for LyncDiscoverInternal.<sipdomain> that points to the internal web services IP address, or to the virtual IP (VIP) of the hardware load balancer if one is deployed.
Create an external DNS A record for LyncDiscover.<sipdomain> that points to the external reverse proxy interface that publishes the external web services.
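As an added example (not from the book), the following PowerShell creates the internal record on a Windows DNS server with the DnsServer module and then resolves both names the way an internal and an external client would see them. The SIP domain, the VIP address and the external resolver address are assumed placeholder values; the external record itself is normally created at the public DNS provider, so only its verification is shown.

```powershell
# Added example: create and verify the LyncDiscover DNS records.
# Zone name, addresses and resolver are assumed placeholder values.

$SipDomain        = 'companyabc.com'
$InternalWebVip   = '10.10.10.50'      # internal web services IP or HLB VIP (assumed)
$ExternalResolver = '203.0.113.53'     # a resolver outside the corporate network (assumed)

# 1. Internal record: lyncdiscoverinternal.<sipdomain> -> internal web services VIP
#    (requires the DnsServer module, available on the DNS server or via RSAT)
Add-DnsServerResourceRecordA -ZoneName $SipDomain -Name 'lyncdiscoverinternal' -IPv4Address $InternalWebVip

# 2. Verify what internal and external clients will see
function Test-LyncDiscoverRecord {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [string]$Server                      # omit to use the local resolver
    )
    $query = @{ Name = $Fqdn; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $query.Server = $Server }

    # Keep only A answers; CNAME or SOA records in the response are ignored
    $answer = Resolve-DnsName @query | Where-Object { $_.QueryType -eq 'A' }
    [pscustomobject]@{
        Record   = $Fqdn
        Resolver = if ($Server) { $Server } else { 'local' }
        Address  = ($answer.IPAddress -join ', ')
        Found    = [bool]$answer
    }
}

# Internal name through the corporate resolver, external name through a public one
Test-LyncDiscoverRecord -Fqdn "lyncdiscoverinternal.$SipDomain"
Test-LyncDiscoverRecord -Fqdn "lyncdiscover.$SipDomain" -Server $ExternalResolver
```

Checking the external name against a resolver outside the corporate network matters in split-brain DNS deployments, where the internal zone may answer for lyncdiscover.<sipdomain> with an address that Internet clients can never reach.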
Configurations for Proper Certificate Configuration
If the LyncDiscover service is deployed over HTTPS, every web services certificate must carry a subject alternative name (SAN) entry for each LyncDiscover URL, that is, LyncDiscover.<sipdomain> and LyncDiscoverInternal.<sipdomain>.
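The following PowerShell is an added example (not from the book) that reads the SAN extension of a certificate in the local machine store and reports whether both LyncDiscover names are present. The SIP domain and the certificate thumbprint are assumed placeholders; the parsing relies on the standard formatting of the SAN extension (OID 2.5.29.17) on Windows, which renders one "DNS Name=host" entry per line.

```powershell
# Added example: confirm the web services certificate carries both LyncDiscover SAN entries.
# The SIP domain and thumbprint are assumed placeholder values.

$SipDomain  = 'companyabc.com'
$Thumbprint = 'REPLACE-WITH-WEB-SERVICES-CERT-THUMBPRINT'
$Required   = @("lyncdiscover.$SipDomain", "lyncdiscoverinternal.$SipDomain")

function Get-CertificateSan {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # The SAN extension has OID 2.5.29.17; Format($true) renders it as "DNS Name=host" lines
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }

    ($ext.Format($true) -split "`r?`n") |
        ForEach-Object { if ($_ -match '^\s*DNS Name=(.+?)\s*$') { $Matches[1].ToLower() } }
}

function Test-LyncDiscoverSan {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string[]]$RequiredNames
    )
    $san = Get-CertificateSan -Certificate $Certificate
    foreach ($name in $RequiredNames) {
        [pscustomobject]@{
            Name    = $name
            Present = ($san -contains $name.ToLower())
        }
    }
}

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
Test-LyncDiscoverSan -Certificate $cert -RequiredNames $Required | Format-Table -AutoSize
```

A name that appears only in the certificate's subject (CN) and not in the SAN list is reported as missing, which is the intended behaviour: mobile clients match the host name against the SAN extension, so a CN-only match is not sufficient.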
Configurations for Push Notifications
After the federation connection has been established, use the Set-CsPushNotificationConfiguration cmdlet to enable this functionality. An example is provided here:
Set-CsPushNotificationConfiguration -EnableApplePushNotificationService $True -EnableMicrosoftPushNotificationService $True
To test the push notification configuration, use the Test-CsMcxPushNotification cmdlet. An example is provided here:
Test-CsMcxPushNotification -AccessEdgeFqdn InternalEdgeName.Companyabc.com