Skype for Business Mobile Authentication Issue with IIS ARR Reverse Proxy

I haven't worked much with IIS ARR. Most of my customers prefer either a F5 or Kemp for their load balancing solution. I recently worked with a customer who did not have a solution in place and did not want to spend money on a dedicated appliance.

Necessity is the mother of invention learning something new. 😀

A colleague of mine forwarded me this article he had used previously to setup IIS ARR for another customer. While the article is several years old, it's still an excellent resource and I would recommend bookmarking it. The guide in the website linked above walked me through most of what I needed for the setup.

I finished the configuration steps and signed in on my Android phone via a test account the customer provided me. I added the customer to my contacts list and sent him an IM. Everything was working alright until my account was logged off without warning and I received the error message below:

I wasn't sure what to make of this error. My mobile phone was connected via wifi, so I thought maybe there was an issue with my home wifi network. I shut off the wifi connection on my phone to connect via my mobile network and couldn't sign back in with the same credentials. My mobile client flashed the error below:

Switching from my wifi network to my mobile network didn't help at all. I couldn't login, so if anything, I made it worse. What the heck!?! 😡

The error I received this time was different. Could 'server address' be an issue with the external DNS entries? My intial impression was no, probably not. If the external DNS entries were incorrect/misconfigured then authentication would not have worked the first time. If it's not my mobile phone network or external DNS, could it be the reverse proxy?

I double checked the reverse proxy settings again. The server certificates and port bindings were correct. What was I missing? The answer was in the server farms I created. The customer had two standalone servers and each server had its own external web services address. Each external web services server farm should have only one server listed. I accidently listed both servers in each server farm. This was clearly an oversight and rookie mistake on my part! I removed the additional entry in each farm and the authentication issues disappeared. 

Below is the correction I made on the reverse proxy (skype1 in webext-se, skype2 in webext-se2):

I hope my 'learning experience' saves you from the same mistake I made in the future.

Automate Documentation via the Skype for Business Environment Report

Documentation is useful, but in my experience, it's one of the last things that gets done. At my last job, I was on a team of four people who supported over 20,000 Lync 2013 users. My day to day, tactical activities took precedence over writing wiki articles outlining server details, DNS entries, and other details. To be clear: I documented things, but it was often after hours. I spent most of my normal business hours keeping my users content and the environment stable.

If only there was a quick way to produce documentation about a Skype for Business environment...

Spoiler Alert: lucky for us, there is. 😏

A colleague of mine mentioned this super helpful tool. The Skype for Business Environment Report is a collection of PowerShell scripts that pull information from your Skype for Business topology and output the data into a Word Document, Visio Diagram, or both. 

Below is a list of steps to help run the scripts:

1. Download and unzip the file on a front end server in the Skype for Business environment.

2. Open PowerShell and run the 'Get-CsEnvironmentInfo.ps1' script. The script collects the initial information for the Skype for Business environment. Optional: you can supply credentials for your front end servers using the '-InternalCredentials' switch and for your edge servers using the '-EdgeCredentials' switch.

3. The script will run and collect information from your topology. When you are done, a .zip file is produced and resides in the script directory.

4. Note: the scripts to create the Word Document and Visio Diagram must be run on a machine with Word and Visio installed.

Run the 'New-CsEnvReport.ps1' script and use the .zip file you produced in the previous step. A window opens to allow you to select the .zip file from the previous step. Optional: you can supply the .zip file name via the 'envdatafile' switch. 

5. The Word Document is created in the script directory. Open the Word Docment and view all the data from your topology that is organized with a table of contents. Here is an example:

6. The steps to create the Visio Diagram are similar to Word Document creation steps above. You will run the 'New-CsEnvDiagram' script and supply the .zip file similar to Step 4.

Studying for Exam 70-333 (Deploying Enterprise Voice with Skype for Business 2015)?

Taking the 70-333 Exam soon? If so, you'll want to check out this book written by Michael Tressler (aka, flinchbot). I found this book super helpful when preparing for my exam (which I passed in April 2017, by the way, with a 975 😉) and it does a really good job of covering all aspects of Enterprise Voice. Hands on experience is the best teacher, in my opinion, but I would recommend using this book as a study/reference guide.

 Time to study for my Office 365 Exams. MCSE Productivity, here I come!