We recently ran into a situation where our Polycom phones will no longer work with our Lync 2013 implementation. These phones worked for 6 months and then just stopped.
Lync 2013 Enterprise pool load balanced with Kemp Loadmaster
Lync 2013 Edge Server
ForeFront TMG for Reverse Proxy
SQL 2012 BE Database Server
Lync Persistent Chat Server
Phones USB tethered to desktop computers
Version 4.0.7577.4413 - Cycles back and forth between downloading certificate, installing certificate, and contacting Lync server (endless loop)
Version 4.0.7577.1000 - Right out of box returns "Sign-in Error". This is the same error another phone gives that was flashed to factory default
The only change that occurred in our Lync environment more or less prior to this problem occurring is that the Lync Edge external certificate was updated on 2/27/2014.
Last record of device update logs shows 1/28/2014.
We came in on Monday 3/1/2014 with the phones in the currently described condition.
Wireshark captures show the phone talking to NTP server, FE pool address (TLS etc., and cycling through the same communication twice), and then talking to Edge external IP doing the same exact TLS and certificate negotiating as the pool address (this also happens twice).
Been through all of Jeff Schertz's blogs, set up DHCP (although we had not used it before) and can successfully test configuration with test-csphonebootstrap.
Set SCHANNEL on FE servers to not send the list of trusted roots, rebooted them, still no effect.
It's as if the phones just quit communicating properly with the FE pool.
There are no real logs to review and we don't know exactly what logs we could use and how to read them.
Any help with this would be greatly appreciated
Yes. I saw a post elsewhere recently where a fellow ran into this with a Globalsign cert but he described it as the root certs expiring. Ours haven't. The Edge server cert expired "accidentally" so I scrambled to get that renewed. The workaround the other fellow did was to set SCHANNEL parameters in the registry and reboot but that didn't work.
I just stumbled on to your article at:
What do you suggest? Dump a cert from my domain root CA onto the FE servers or the Edge server or both to get past the issue. Then get the devices up to .4420? If that works dump the 3rd party certs back into service?
I tried to do a free Comodo cert on the Edge but it wouldn't install presumably because they don't allow SANs in the free certs so the edge server refused it due to improper name support.
That did it. Temporarily changing the cert to an internal cert allowed the devices to update. Switching back to the Globalsign cert after the update to 4420 the phones continue to work.
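The thread points at the certificate chain served by the pool and the Edge external interface as the thing that changed. The following PowerShell is an added example, not code from the original thread or from Polycom, that dumps the chain each endpoint actually presents during the TLS handshake so the two can be compared before and after a certificate swap; the host names are placeholders for your own pool and Edge FQDNs.

```powershell
# Added example (not from the original thread): dump the certificate chain a Lync
# endpoint presents in its TLS handshake, so the FE pool (5061) and the Edge external
# interface (443/5061) can be compared before and after a certificate change.
function Get-ServedCertChain {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 5061
    )
    $script:ServedChain = @()
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # The callback sees the chain as SChannel built it from what the server sent
        # (plus local store roots). Copy the certs out by RawData and accept the
        # handshake regardless: the goal is to see what is served, not to validate it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $script:ServedChain = @($chain.ChainElements | ForEach-Object {
                New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                    $_.Certificate.RawData)
            })
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        foreach ($c in $script:ServedChain) {
            [pscustomobject]@{
                Endpoint   = "$HostName`:$Port"
                Subject    = $c.Subject
                Issuer     = $c.Issuer
                NotAfter   = $c.NotAfter
                IsRoot     = ($c.Subject -eq $c.Issuer)   # self-signed = root of the chain
                Thumbprint = $c.Thumbprint
            }
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Placeholder FQDNs: the FE pool on 5061 and the Access Edge external name on 443.
Get-ServedCertChain -HostName 'lyncpool.example.com' -Port 5061
Get-ServedCertChain -HostName 'sip.example.com' -Port 443 |
    Format-Table Endpoint, Subject, Issuer, NotAfter, IsRoot -AutoSize
```

Run it once with the public certificate in place and once with the internal CA certificate; a different issuer, an extra intermediate, or a root the devices do not carry shows up as a difference in the Issuer and IsRoot columns.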