Lync Server 2010 Mobility supports an internal and an external automatic discovery record. As described in this post, the mobile client signs-in by performing a DNS query for lyncdiscoverinternal.<your sip domain>. If this record is not present (does not resolve), the client attempts lyncdiscover.<your sip domain>. This design approach aligns to the Lync 2010 client software for Windows. First an attempt for the SRV record _sipinternaltls._tcp.<your sip domain>, followed by _sipinternal.tcp, followed by _sip._tls, then the A record fallbacks. This approach is great for Windows PCs, and allows Split-DNS configurations to bounce client systems to either the Internal Front-end Pool or the External Access Edge on the Internet. The Windows PCs are managed and Group Policy can add trusted root certificates to the computer certificate store.

But thinking about Mobile clients specifically, they do not have this Group Policy deployment luxury. I’m trying to determine the advantage of ever defining lyncdiscoverinternal.<your sip domain> in the internal DNS namespace. Typically, the Lync Web Services certificate assigned to the Front-end Pool is issued by an internal certificate authority. This Root Certificate Authority certificate is not present on Mobile devices, therefore will be untrusted. The Lync mobile client would not be able to sign-in, unless the internal root certificate was pre-installed on the device.

As you are unable to simply deploy the root certificates to your fleet of mobile devices, bouncing all the devices to lyncdiscover.<your sip domain> looks to be the most appropriate approach. This will typically require routing and access rules to allow internal traffic a connection to the Reverse Proxy server.


Join the conversation! 14 Comments

  1. Great post, my thoughts are that this will become useful for devices on Wi-Fi that can traverse internal to external.

    – Adam

  2. Hi,

    I try to understand “Permit routing from the internal corporate network to the reverse proxy listener” mean.
    Is it to create access rule in TMG that allow my internal network 10.10.x.x to public ip x.x.14.21 (meet,dialin). If yes what ports (5087?)


    1. TMG
    EXT IP: x.x.14.21 x.x.14.22
    INT IP:
    2. LYNC FE
    3. LYNC EDGE
    EXT IP: x.x.14.22
    INT IP:

    DNS Config:
    1. domain.local
    lync-01 A
    admin A
    dialin A
    meet A
    lyncdiscoverinternal A
    lyncdiscover A x.x.14.21 (TMG public ip)
    lync-01 A
    admin A
    dialin A
    meet A
    lyncdiscoverinternal A
    lyncdiscover A x.x.14.21 (TMG public ip)

    im A x.x.14.22
    lyncdiscover A x.x.14.21
    meet A x.x.14.21

  3. I have configured Lync autodiscover for internal and external. I have both lyncdiscover and lyncdiscoverinternal in the internal DNS. lyncinternal is pointing to the external interface IP of the TMG server listener/rule and the lyncdiscoverinternal is a CNAME pointing to the internal FE pool DNS name. All devices work externally with this configuration. Although, in this configuration Android devices are working on internal Wifi but iPhones and iPads fail with “Can’t verify certificate from the server. Please contact your support team”. It would appear that the devices dont trust the internal certificate which makes sense. I removed lyncdiscoverinternal from the internal DNS. I restarted the Apple devices and still get the same issue. Android still works.

  4. Thanks for this, great post. Happy New Year!

  5. thanks bro. I agree. the lyncdiscoverinternal is getting the AX. I mean, like, in 2 seconds.

  6. Hey Mike,

    I had the same problem, I routed lyncdiscoverinternals to my “Internal” network to get around changing internal server certificates. the only way I could get around the cert issue was to create a new listner and assign it only 80. This did require an additional IP on the TMG internal.

  7. I’ve not used Lyncdiscoverinternal. We have split brain dns and so internally I am able to point my lyncdiscover and External Web services FQDNs to an internal VIP on the TMG reverse proxy.
    As TMG handles the request and has a public Cert we have no problems.

  8. Hi Mike, just send your certificate from email to your apple device then install it.

  9. Hi, thanks for this post. it maked it clear now for me the difference between two. Do you an article how to set the mobility step by step?

Comments are closed.