HP Recommended

We recently ran into a situation where our Polycom phones will no longer work with our Lync 2013 implementation. These phones worked for 6 months and then just stopped.

 

Scenario

Lync 2013 Enterprise pool load balanced with Kemp Loadmaster

Lync 2013 Edge Server

ForeFront TMG for Reverse Proxy

SQL 2012 BE Database Server

Lync Persistent Chat Server

Phones USB tethered to desktop computers

 

Version 4.0.7577.4413 - Cycles back and forth between downloading certificate, installing certificate, and contacting Lync server (endless loop)

Version 4.0.7577.1000 - Right out of box returns "Sign-in Error". This is the same error another phone gives that was flashed to factory default.

 

The only change that occurred in our Lync environment more or less prior to this problem occurring is that the Lync Edge external certificate was updated on 2/27/2014.

 

Last record of device update logs shows 1/28/2014.

 

We came in on Monday 3/1/2014 with the phones in the currently described condition.

 

Wireshark captures show the phone talking to the NTP server, then the FE pool address (TLS etc., cycling through the same communication twice), and then talking to the Edge external IP, doing the exact same TLS and certificate negotiation as with the pool address (this also happens twice).

 

Been through all of Jeff Schertz's blogs, set up DHCP (although we had not used it before) and can successfully test configuration with test-csphonebootstrap.

 

Set SCHANNEL on FE servers to not send the list of trusted roots, rebooted them, still no effect.

It's as if the phones just quit communicating properly with the FE pool.

There are no real logs to review and we don't know exactly what logs we could use and how to read them.

 

Any help with this would be greatly appreciated

HP Recommended
GlobalSign certificate?
HP Recommended

Yes. I saw a post elsewhere recently where a fellow ran into this with a Globalsign cert, but he described it as the root certs expiring. Ours haven't. The Edge server cert expired "accidentally" so I scrambled to get that renewed. The workaround the other fellow did was to set SCHANNEL parameters in the registry and reboot, but that didn't work.

 

I just stumbled on to your article at:

 

http://blog.strencom.net/author/james-waite-2/

 

What do you suggest? Dump a cert from my domain root CA onto the FE servers or the Edge server or both to get past the issue. Then get the devices up to .4420? If that works dump the 3rd party certs back into service?

 

I tried to do a free Comodo cert on the Edge but it wouldn't install presumably because they don't allow SANs in the free certs so the edge server refused it due to improper name support.

HP Recommended
We had active Lync Clients registered against the edge servers so an internal cert there wasn't an option for us. We had an internal / domain cert on the FE pool but the site with the issue accessed Lync via the Edge.

We were able to register the phones against the FE pool and update them. Once at 4420 they registered via the edge again.

If you've an enterprise FE pool and you change the cert, be sure to reboot the pool servers.

James
HP Recommended

That did it. Temporarily changing the cert to an internal cert allowed the devices to update. After switching back to the Globalsign cert following the update to 4420, the phones continue to work.

 

Thanks much
