I am getting an error while accessing the URLs lyncweb.domain.com, dialin.domain.com and meet.domain.com, which point to the RP server.
For this issue, you can refer to the link below
I tried to apply hotfix, but it shows it is not supported.
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation. Elapsed Time: 669 ms.
A Web exception occurred because an HTTP 502 - BadGateway response was received from IIS7.
HTTP Response Headers:
Content-Length: 1477
Content-Type: text/html
Date: Tue, 03 Jun 2014 07:24:27 GMT
Server: Microsoft-IIS/8.0
Elapsed Time: 42689 ms.
Sorry for the delay here, which hotfix did you attempt to load? The one I posted (http://www.microsoft.com/en-us/download/details.aspx?id=30333) definitely works on Windows 2012 (I've had to apply it a few times)
The second one that was posted applies to Windows 2008, so don't use that one.
I am getting an error while trying to install the above-mentioned hotfix.
My server configuration is :
Did you install IIS ARR2.5 or 3.0? If you installed 3, that would explain that.
Can I ask are you able to visit https://yourlyncfrontend.yourdomain.com:4443 from Internet Explorer on your Reverse proxy? Are you receiving any certificate errors? (if so, did you install the root certificate from your CA onto your Reverse Proxy)
When I try https://lyncfrontend.domain.local:4443 and https://lyncfrontend.domain.com:4443, both open, but when I open the external domain name I get certificate .
ARR version installed is 3.0
To throw more light on the configuration:
Lync 2013 implemented, internal domain name is : domain.local and external domain name is : domain.com
All servers are VMs with a 4-core processor, 24 GB RAM and a 1 TB drive.
Frontend : Windows 2012r2 with Lync 2012 Standard Edition - 1 No (192.168.10.100)
Edge : Windows 2012 with Lync 2012 Std - 1 No (192.168.11.101 DMZ) in workgroup
IIS ARR Reverse Proxy 3.0 : Windows 2012 with ARR and IIS configured. (192.168.11.102)
Certificate : Internal Domain root CA for internal and External (Digicert).
Internal Network : 192.168.10.x /24
External Network (DMZ) : 192.168.11.x /24
Public Firewall NAT to DMZ ip for firewall and RP server. So having two public IP facing external network.
Edge has : sip.domain.com, webconf.domain.com, av.domain.com
IIS ARR RP server has : lyncdiscover.domain.com, lyncweb.domain.com, meet.domain.com, dialin.domain.com
Have created SRV record in public : _sip.tls.domain.com >5061>sip.domain.com, _sipfederationtls._tcp.domain.com>5061>sip.domain.com, _xmpp-server._tcp.domain.com>5269>sip.domain.com
Installed frontend server using MS Lync server 2013 step by step for anyone by Matt Landis, Lync MVP.
Internal AD Integrated DNS pointing Front-end

Type of Record | FQDN | IP | Description
A | sip.domain.com | 192.168.10.100 | Address internal Front End or Director for internal network clients
A | admin.domain.com | 192.168.10.100 | URL Administration pool
A | DialIn.domain.com | 192.168.10.100 | URL Access to Dial In
A | meet.domain.com | 192.168.10.100 | URL of Web services meeting
A | lyncdiscoverinternal.domain.com | 192.168.10.100 | Register for Lync AutoDiscover service to internal users
A | lyncdiscover.domain.com | 192.168.10.100 | Register for Lync AutoDiscover service to external users
SRV | Service: _sipinternaltls Protocol: _tcp Port: 5061 | sip.domain.com | Record pointer services to internal customer connections using TLS

External DNS pointing Edge & Proxy

Type of Record | FQDN | IP | Endpoint
A | sip.domain.com | x.x.x.100 | Edge
A | webconf.domain.com | x.x.x.100 | Edge
A | av.domain.com | x.x.x.100 | Edge
SRV | _sip._tls.domain.com | sip.domain.com: 443 | Edge
SRV | _sipfederationtls._tcp.domain.com | sip.domain.com:5061 | Edge
A | Meet.domain.com | x.x.x.110 | Reverse Proxy
A | Dialin.domain.com | x.x.x.110 | Reverse Proxy
A | lyncdiscover.domain.com | x.x.x.110 | Reverse Proxy
A | lyncweb.domain.com | x.x.x.110 | Reverse Proxy

In the IIS ARR proxy server, the following server farms are added and configured as per the link http://y0av.me/2013/07/22/lync2013_iisarr/
In proxy server had set up only the following server farm : While running remote connectivity web service test : meet, dialin, lyncdiscover and lyncweb.
The client inside works fine internally and through VPN. Login with an external client is also working fine. But we are getting errors in MRCA as follows.
a) While testing remote connectivity for lync getting error : The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Certificate was installed properly.
b) For remote web test under Lync throws error : A Web exception occurred because an HTTP 502 - BadGateway response was received from IIS7.
HTTP Response Headers:
Content-Length: 1477
Content-Type: text/html
Date: Wed, 14 May 2014 10:03:40 GMT
Server: Microsoft-IIS/8.0
Elapsed Time: 1300 ms.
Hello, I'm new to the party but why would you be using both: https://lyncfrontend.domain.local:4443 and https://lyncfrontend.domain.com:4443?
If this is Standard edition https://lyncfrontend.domain.com would not be defined in the topology so will always give you certificate errors and should not be used. Looking at your first post lyncweb.aig.sa seems to be your defined External Web Services URL.
The Reverse Proxy should be receiving: lyncdiscovery.aig.sa, lyncweb.aig.sa, dialin.aig.sa and meet.aig.sa (which looks to be valid on the certificate) and then proxy to the Front End server on 4443. The Reverse Proxy will need host file entries to resolve any of the "Server Address" defined when creating the IIS/ARR farm to the Front End's IP (example meet.aig.sa 192.168.10.100).
Host file entries are already in place on the RP server. Yes standard edition.
My issue is this: when trying from the internet, the Lync client is not connecting to the server, but while using VPN it works fine. So when I tried browsing the lyncdiscover URL from the internet I am getting this error:
502 - Web server received an invalid response while acting as a gateway or proxy server.
There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.
In IIS ARR we have created the external domain name instead of creating domain.local. So is this the issue which is not allowing the routing request?
Now I have created ARR for internal domain.local and removed the old server farm in the ARR. After changing it, I rebooted the reverse proxy and checked. I get the same
Yes lyncweb.domain.com is my lync external web services url defined in the lync topology builder.
From Internet : When I tried to browse the web pages lyncdiscover.domain.com, lyncweb.domain.com, dialin.domain.com and meet.domain.com from the external internet, it throws the same error page.
From LAN network : lyncfrontend.domain.local opens properly. When I tried to open all the URLs from the same network, they open properly.
When I tried from the RP server for the following URLs :
https://meet.domain.com or https://meet.domain.local or https://meet.domain.local:4443 or https://meet.domain.com:4443
We're having trouble getting you into the meeting.
It's possible you're using a bad URL. Try calling into the meeting using the phone number on the invite, or ask the organizer to drag you into the meeting from the Contacts list.
https://dialin.domain.com or https://dialin.domain.local or https://dialin.domain.local:4443 or https://dialin.domain.com:4443
After accepting certificate it shows Blank page
https://lyncweb.domain.com or https://lyncweb.domain.local or https://lyncweb.domain.local:4443 or https://lyncweb.domain.com:4443
After accepting certificate it shows Blank page
Use logparser: http://www.microsoft.com/download/en/details.aspx?id=24659
And query the IIS logs:
SELECT Date, STRCAT(TO_STRING(sc-status), STRCAT('.', TO_STRING(sc-substatus))) As Status, COUNT(*) AS Hits FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log WHERE (sc-status = 502) GROUP BY Date, Status ORDER BY Date ASC
Have you run the Health Test in IIS/ARR ? : http://unifiedme.co.uk/2013/07/iis-arr-reverse-proxy-502-error/
Hi Michael,
My apologies for the delayed response. I have run the logparser, but couldn't succeed. It throws an error on select date.
C:\Program Files (x86)\Log Parser 2.2>logparser STRCAT(TO_STRING(sc-status), STRCAT('.', TO_STRING(sc-substatus))) As Status, COUNT(*) AS Hits FROM C:\inetpub\logs\LogFiles\W3SVC34578\*.log WHERE (sc-status = 502) GROUP BY Date, Status ORDER BY Date ASC
Error: detected extra argument "STRCAT('.'," after query
Also, I have gone through the http://unifiedme.co.uk/2013/07/iis-arr-reverse-proxy-502-error/ URL and checked all the configurations, and everything appears fine.
I couldn't get the error log; I am getting an error when I execute the command.
SELECT Date, STRCAT(TO_STRING(sc-status), STRCAT('.', TO_STRING(sc-substatus))) As Status, COUNT(*) AS Hits FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log WHERE (sc-status = 502) GROUP BY Date, Status ORDER BY Date ASC
Error: detected extra argument "STRCAT('.'," after query
Clear your IIS logs, access the site again externally, provide the logs here for review.
Also provide the details of the applicationhost.config file in %WINDIR%\system32\inetsrv\config
Have attached the link of applicationhost.config file https://www.hightail.com/download/ZUcwYUord0E0b0E4RmNUQw
IIS Log file
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2014-08-27 00:01:46
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2014-08-27 00:01:46 10.4.60.166 GET /WebTicket/Issuer/ purpose=cwt 443 - 10.4.60.166 - - 200 0 0 41
2014-08-27 00:06:57 10.4.60.166 POST /locationinformation/liservice.svc/WebTicket_Bearer - 443 - 10.62.0.196 OC/15.0.4420.1017+(Microsoft+Lync) - 200 0 0 246
2014-08-27 00:07:15 10.4.60.166 POST /WebTicket/WebTicketService.svc/cert - 443 - 10.62.0.28 OC/15.0.4420.1017+(Microsoft+Lync) - 200 0 0 88
2014-08-27 00:07:15 10.4.60.166 POST /locationinformation/liservice.svc/WebTicket_Bearer - 443 - 10.62.0.28 OC/15.0.4420.1017+(Microsoft+Lync) - 200 0 0 256
2014-08-27 00:12:56 10.4.60.166 POST /locationinformation/liservice.svc/WebTicket_Bearer - 443 - 10.62.1.4 OC/15.0.4420.1017+(Microsoft+Lync) - 200 0 0 228
2014-08-27 00:25:58 10.4.60.166 POST /WebTicket/WebTicketService.svc/cert - 443 - 10.62.0.243 OC/15.0.4420.1017+(Microsoft+Lync) - 200 0 0 291
2014-08-27 00:26:00 10.4.60.166 POST /locationinformation/liservice.svc/WebTicket_Bearer - 443 - 10.62.0.243 OC/15.0.4420.1017+(Microsoft+Lync) - 200 0 0 258
2014-08-27 00:39:43 10.4.60.166 POST /CertProv/CertProvisioningService.svc/WebTicket_Proof - 443 - 10.62.0.196 OC/15.0.4420.1017+(Microsoft+Lync) - 500 0 64 41
2014-08-27 00:40:56 10.4.60.166 GET /WebTicket/Issuer/ purpose=cwt 443 - 10.4.60.166 - - 200 0 0 50
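The grouping that the Log Parser query in this thread asks for (hits per date and status.substatus for 502 responses), written out as an added Python example; it is not code from any poster. The log lines are constructed in the same #Fields layout as the log posted above, with documentation-range IPs, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in the IIS W3C layout shown in the thread (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2014-08-27 00:01:46
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2014-08-27 00:01:46 192.0.2.10 GET /meet/ - 443 - 198.51.100.7 Mozilla/5.0 - 502 3 12175 1300
2014-08-27 00:02:10 192.0.2.10 GET /dialin/ - 443 - 198.51.100.7 Mozilla/5.0 - 502 3 12175 42689
2014-08-27 00:03:00 192.0.2.10 GET /WebTicket/Issuer/ purpose=cwt 443 - 198.51.100.8 - - 200 0 0 41
2014-08-28 09:15:02 192.0.2.10 GET /lyncdiscover/ - 443 - 198.51.100.9 Mozilla/5.0 - 502 4 0 215
2014-08-28 09:15:03 192.0.2.10 GET /truncated
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            # The field order is configurable in IIS, so never hard-code columns.
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        yield dict(zip(fields, values))


def status_hits(text, status="502"):
    """Return sorted (date, 'status.substatus', hits) rows for one HTTP status."""
    hits = Counter()
    for row in parse_w3c(text):
        if row["sc-status"] == status:
            hits[(row["date"], f'{row["sc-status"]}.{row["sc-substatus"]}')] += 1
    return sorted((d, s, n) for (d, s), n in hits.items())


if __name__ == "__main__":
    for date, status, count in status_hits(SAMPLE_LOG):
        print(date, status, count)
```

The substatus and sc-win32-status columns are what narrow a 502 down, so run this against the log of the site that actually returns the 502.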
We were able to resolve it by importing the internal CA's root certificate on the reverse proxy.
Hope this helps others.
I had already tried this one; we imported the internal CA root cert on the reverse proxy. There is nothing blocked, pinging works, and I am able to reach the Lync server. It's a weird one, I couldn't solve this issue.
a) The only thing that works is that Lync clients are able to connect from the internet.
b) Meeting url throws the same error which was mentioned in this thread.
c) Voice calls not working from external.
Hello,
Why do you say if you installed IIS ARR3 this would explain it? I have IIS ARR3 and am running into this issue....
Thanks
Hello,
I have the same issue for SharePoint, but when I do a page refresh, it works. I think it's some kind of timeout?
Regards