Autodiscover Service Requirements
Topic Last Modified: 2011-11-23
The Microsoft Lync Server 2010 Autodiscover Service runs on Director and Front End pool servers, and when published in DNS, can be used by mobile devices running Microsoft Lync 2010 to locate mobility services. Before mobile devices running Lync 2010 can take advantage of automatic discovery, you need to modify certificate subject alternative name lists on any Director and Front End Server running the Autodiscover Service. In addition, it may be necessary to modify the subject alternative name lists on certificates used for external web service publishing rules on reverse proxies.
For details about the subject alternative name entries that are required for Directors, Front End Servers, and reverse proxies, see Technical Requirements for Mobility in Planning for Mobility.
The decision about using subject alternative name lists on reverse proxies is based on whether you publish the Autodiscover Service on port 80 or on port 443:
Published on port 80 No certificate changes are required if the initial query to the Autodiscover Service occurs over port 80. This is because mobile devices running Lync will access the reverse proxy on port 80 externally and then be redirected to a Director or Front End Server on port 8080 internally. For details, see the “Initial Autodiscover Process Using Port 80” section later in this topic.
Published on port 443 The subject alternative name list on certificates used by the external web services publishing rule must contain a lyncdiscover. entry for each SIP domain within your organization.
Reissuing certificates using an internal certificate authority is typically a simple process but for public certificates used on the web service publishing rule, adding multiple subject alternative name entries can become expensive. To work around this issue, we support the initial automatic discovery connection over port 80, which is then redirected to port 8080 on the Director or Front End pool.
For example, assume that a mobile client running Lync is configured to sign in to Lync using the automatic discovery feature using HTTP for the initial request.
Initial Autodiscover Process Using Port 80
Mobile device running Lync looks up lyncdiscover.contoso.com using DNS, where an A record exists.
External DNS returns the IP address for lsweb-ext.contoso.com (22.214.171.124) to the client.
Mobile device running Lync sends request http://lyncdiscover.contoso.com?sipuri=lyncUser1@contoso.com to 126.96.36.199.
The web publishing rule will bridge the request from port 80 externally to port 8080 internally, which will then route it to either a Director or Front End pool.
Since the request is HTTP and not HTTPS, no modifications are needed to the certificate on external web service publishing rule to support the Autodiscover Service.
The Autodiscover Service returns the external web service URLs (in HTTPS format).
The mobile device running Lync, can then reconnect to the reverse proxy on port 443 and get redirected over 4443 to the mobility service running on the user’s home pool.
Since the HTTPS query is to the external web services URL vs. the Autodiscover Service URL, it succeeds because the certificate should already contain subject alternative name entries for the external web services FQDNs.
In this scenario, there are no certificate changes required to support mobility.
If the target web server has a certificate that does not have a matching value for lyncdiscover.contoso.com as either a subject name or subject alternative name list value:
a. Web server responds with a “Server Hello” and no certificate.
b. Mobile device running Lync immediately terminates the session
If the target web server has a certificate that includes lyncdiscover.contoso.com as either a subject name or subject alternative name list value:
a. Web server responds with a “Server hello” and a certificate.
b. Mobile device running Lync validates the certificate and completes the handshake.
To support an initial connection to the Autodiscover Service using port 80 on your reverse proxy server, you can create an http publishing rule similar to this example for a Threat Management Gateway reverse proxy web publishing rule:
Create a new web publishing rule (for example, Lync Server Autodiscover (HTTP)).
In Public Name, enter lyncdiscover.contoso.com.
On the Bridging tab, select only the option to bridge requests from Port 80 to Port 8080.
On the Authentication tab, select No authentication, and Client cannot authenticate directly.
Commit changes, and move the rule to the top of the list of Lync rules (first in processing order).