On a recent Skype for Business deployment, I ran into an issue where mobile clients were not able to connect to the Skype for Business server. We were using Windows Server 2012 R2 Web Application Proxy (WAP) as the reverse proxy, which is required for the mobile clients.
I had confirmed all the configuration settings and that traffic was being passed correctly. I was able to access other URLs being serviced by the reverse proxy (meet.domain.com, dialin.domain.com), as well as successfully retrieve information from the Lyncdiscover service, using a web browser on PC.
I was also able to do the same using a browser on a mobile device that was having issues. Everything looked good, but the mobile client still couldn’t connect.
I gathered logs from the mobile client and found:
WARN HttpEngine: Server does not support any TLS Protocol. Host:lyncdiscover.domain.com
This was probably our issue, but no other scenario was presenting an SSL problem.
It turns out this is an issue with Server Name Indication (SNI) on the mobile clients. Because the Lync mobile client doesn’t support SNI, WAP was not presenting an appropriate certificate causing the connection to fail.
The solution was to bind the certificate (assuming it has all your Lync hostnames) to the default IP:port combination. This would ensure that the certificate is presented correctly to clients that doesn’t support SNI.
From an elevated command prompt on the WAP server:
netsh http show sslcert
Note the Certificate Hash and Application ID, then add a new binding with that same information to 0.0.0.0:443:
netsh http add sslcert ipport=0.0.0.0:443 certhash=<Certificate Hash> appid=<Application ID>
And that should do it. Mobile clients should work now.
Shane Skriletz, PEI