Channel: Lync Server 2013 - Management, Planning, and Deployment forum

Lync Mobility 2013, lyncdiscoverinternal and Internal Certificates.


Hi Everyone, 

The last few days I have been racking my brain over the deployment processes of Lync Mobility in a Lync 2013 environment.

What has got me confused is the process of lyncdiscoverinternal and the autodiscover certificate. 

As far as I am aware, all Lync 2013 clients require either lyncdiscover or lyncdiscoverinternal DNS records to determine whether they are internal or external to the corporate network.

That's understandable.

What I can't understand is the fact that the Lync 2013 mobile client, when obtaining lyncdiscoverinternal.domain.com (which points to the internal address of the front end pool), contacts the Lync front end services for the autodiscover record and is prompted for the certificate that's provided from the web services on the front end. This certificate is signed by my internal CA. Is that intended behavior? Because 100% that device is not going to trust it.

Because after the autodiscover service has succeeded, the Mobility client will then return the external UCWA services URL and then hairpin via the reverse proxy back in. This part here makes total sense. So now we have the mobile client connected to the front end services via the reverse proxy. Public certificate now.

But the autodiscover part is stumping me. 

I can understand if I were to push all trusted CA certificates onto devices then this wouldn't be a problem. But is that feasible? I mean, what about in BYOD scenarios, e.g. a college campus or school? Pushing certificates onto unmanaged devices is sometimes not an option.

Have other people found solutions in getting the lyncdiscoverinternal record to work for mobility without installing trusted root CAs on mobility devices?

Or is it a feasible option to create a new DNS for a guest Wi-Fi network and have only the lyncdiscover record exist, just like it was an external network?

Or am I doing something wrong and missed an important design or configuration factor?

Is it possible to tell the Lync Mobility client to push ALL requests via the reverse proxy when on the internal network, just like the old days when we issued "lyncdiscover" to the external reverse proxy address?

Thanks. 


