Below are the logs from the MAG on a connection attempt from a mobile client:

We spent months trying to get Lync to work then gave up and got quotes for Microsoft TMG reverse proxy. Management saw the cost and told us to get it work via the the Juniper. We started again and it worked first time. Crazy!

I think one of the issue is I believe there are different way the backend Lync environment can be set up (never got a clear answer from the Lync experts on this). Originally we were told similar destinations to yours "meet.xxx.yyy" etc but the second time the Lync guys told us "join.xxx.yyy".

In the end our working config was very simple:

4 Auth only policies:

join.xxx.yyy to join.xxx.yyy:4443
dirpool.xxx.yyy to dirpool.xxx.yyy:4443
fepool.xxx.yyy to fepool.xxx.yyy:4443
lyncdiscover.xxx.yyy to lyncdiscover.xxx.yyy:4443

And role with associated resource policy allow the above desinations plus the backend servers actual names

One point to note is we a currently running 6.5R4.1

Can you elaborate any more on your configuration. Are your Mags external and internal nics both behind firewalls? What about your DNS, is your internal and external namespace the same or different?

It's a shame Juniper doesn't do a better job with communicating out supported configurations for well known apps. It makes us question our move from Cisco.

We're actually still on the old SA hardware but this shouldn't make a difference.

Yes both internal and external NICS are in DMZs behind firewalls. The DNS is split in the sense that externally the DNS points to VPN boxes and internally the same names are alisas pointing to the Lync boxes. We did try with different internal names but it didn't work. The Lync team told me it is the port (4443) that Lync uses to decide if the client is internal or external.

Using the authorization only URL for anything other than ActiveSync is not supported. With that said, some applications do work successfully. If something does not work, depending on the failure point, we will work on a case-by-case process to find a solution.

The user access log you posted showed that the failure is specifically tied to authentication; a 401 is being sent back. What do users see? Is this on a mobile device or full desktop? Does Lync require direct access from the server to the PC?

I also see you listed that you noted that you have a no rewriting policy configured; was that a typo? If you choose to not rewrite, the traffic will be redirected for direct access. If the server is internal only, this won't work; you must rewrite the traffic to send through the MAG (unless you have a rewrite policy listed above it that takes precedence).

Lync is not a supported application, meaning it is not something we have access to for testing in QA. I don't think there have been any requests to get this in any type of standard testing. If you would like to see this supported, please let your account team know. 

In the meantime, though, we can help out here or through JTAC.

zanyterp - thanks for the info. i would suggest that the web gui and documentaiton be updated since the current set does not indicate that signing-in pages with virtual hostnames are only for ActiveSync. Actually, they seem to indicate the later:

Either way, I hope we can get this working. Otherwise we will need to look at another reverse proxy solution.

To try and answer your questions, this is being set up for lync mobile (phones) clients. The client is making the connection and gettting the 401 from the server. Strangely, we've somehow gotten 1 and only 1 client working through a mix of internal and external testing.

The web resource profiles have Autopolicy enabled with no rewriting. By doing that it looks like a selective rewriting resource policy was created.

The automatically created selective rewriting policies defined have an action of "Don't rewrite (with Redirect)"

---

@jspanitz wrote:

zanyterp - thanks for the info. i would suggest that the web gui and documentaiton be updated since the current set does not indicate that signing-in pages with virtual hostnames are only for ActiveSync. Actually, they seem to indicate the later:

Required: Protocol, hostname and port of the server (example: http://www.domain.com:8080). Server paths are not supported.

Either way, I hope we can get this working. Otherwise we will need to look at another reverse proxy solution.

 

To try and answer your questions, this is being set up for lync mobile (phones) clients. The client is making the connection and gettting the 401 from the server. Strangely, we've somehow gotten 1 and only 1 client working through a mix of internal and external testing.

 

The web resource profiles have Autopolicy enabled with no rewriting. By doing that it looks like a selective rewriting resource policy was created.

 

The automatically created selective rewriting policies defined have an action of "Don't rewrite (with Redirect)"

 

---

Thank you for the information on what you are doing. I agree on the documentation.

OK; that resource profile needs to be fixed (unless you want the connection to go over a VPN tunnel). The don't rewrite policy renders the authorization only URL that you have configured moot; it is sending the client to the backend server directly. The authorization only policy is based on the rewriting engine; if you don't rewrite traffic, it will not be accessible. What happens when you remove that policy?

No; the auth only sign in page is fine. What you need to remove is the rule for "dont rewrite, redirect" and replace it with a "rewrite" policy so that the traffic is rewritten and sent through the IVE.