Enabling Lync Server 2010 for Lync Mobile Clients

The server-side setup notes have been released along with the Lync mobile clients. This article goes through the steps for setting up your environment and making it ready for the Lync mobile clients.

Note: This post will be updated as the Lync community gets more hands-on with the service. Last update 10.04.2012

Lync Mobile features

The Lync mobile client is released for Windows Phone 7, iPhone, iPad, Android and Nokia (Symbian). The feature set is about the same across the platforms. There is no ability to view meeting content, video or do voice over IP. The main features are therefore:

  • IM and presence
  • One Click join meetings
  • Call via work

For a detailed feature list see the TechNet article: http://technet.microsoft.com/en-us/library/hh691004.aspx

Planning for Lync Mobility

If you have a multi-homed Front End server the Mobility Service (Mcx) may sometimes fail

  • Reason: When calculating routing for a Mobility request the service makes a call to read DNS settings of the registered adapter. In some instances it is possible for the non-registered adapter to be returned.
  • This causes routing of the request to fail, regardless of the subnet configuration on the second NIC
  • There should be a forthcoming Release Note or KB Article on this topic
  • UPDATE: This issue was fixed in the February 2012 mobility update: http://support.microsoft.com/kb/2675221

If you use a Director it must be updated the same way as for a Front End

If you plan to support Lync Mobility and Push Notifications over a Wi-Fi you need to


This Lync Mobility guide requires that your Lync solution is deployed with Lync Edge server and Reverse Proxy. This guide will only talk about Lync Mobility specific configuration

Install CU4 (November release) or later in your Lync infrastructure: http://go.microsoft.com/fwlink/?LinkID=208564.

IIS 7.5 is recommended because of some high load request limitations

If you use Hardware Load Balancer

  • You must ensure that cookie-based persistence on a per port basis for external ports 4443 and 8080 on the hardware load balancer is configured
  • For Lync Server 2010 it is important to use cookie-based persistence so that multiple connections from a single client are sent to one server to maintain session state
  • For details on how to configure, see Load Balancing Requirements.

Install the IIS feature Dynamic Content Compression (Web-Dyn-Compression) on all involved Front End servers

  • Server 2008: ServerManagerCMD.exe -Install Web-Dyn-Compression
  • Server 2008 R2: Import-Module ServerManager; Add-WindowsFeature Web-Dyn-Compression

Enabling Lync Mobility

Configure Lync Mobility Autodiscover CNAME DNS records

  • Internal: lyncdiscoverinternal.sipdomain.com
    • Point it to your Front End pool FQDN CNAME
  • External: lyncdiscover.sipdomain.com
    • Point it to your Reverse Proxy FQDN if using SSL or a new publishing rule and IP if you are using port 80
    • To find your reverse proxy FQDN use this PowerShell one-liner on your Front End server
      • Get-CsService -WebServer | ft ABHandlerExternalUri

Configure listening ports for the Mobility Service (Mcx)

  • Verify that your server version is correct by running PowerShell cmdlet: Get-CsServerVersion
    • Version should be 4.0.7577.0 or newer
  • In PowerShell run the following cmdlet for internal and external listening port
    • Set-CsWebServer -Identity <internal FE Pool FQDN> -McxSipPrimaryListeningPort 5086 -McxSipExternalListeningPort 5087
  • Publish the updates to the CMS database
    • Enable-CsTopology -Verbose

Download and enable the Lync Mobility

  • Do not install, but download the McxStandalone.msi and place it in the following folder on all Front End servers and Directors
  • Run the Lync Server Deployment wizard, found under Administrative tools-> Lync Server
    • In the wizard click Install or update Lync Server System
    • Choose Step 2: Setup or Remove Lync Server components
    • This will reconfigure the Lync Services on the Front End with the new listening ports
  • Verify that the server is configured correctly: open IIS and check for the Autodiscover and Mcx virtual directories

Update certificates on Front End and Edge/TMG

  • Still in the Lync Server Deployment Wizard choose step 3: Request, Install or Assign Certificates
  • You need to request a new certificate with the new name, make sure you get all additional SAN entries from the old certificate
  • If you use the same certificate on all Front End services you can use this PowerShell one-liner to get a list of your certificate's SANs
    • On FE: Get-CsCertificate -Type default | Select-Object -ExpandProperty AlternativeNames
  • If you use the same certificate on Edge and TMG you can run the command below to get all SANs
    • On Edge: Get-CsCertificate -Type DataEdgeExternal | Select-Object -ExpandProperty AlternativeNames
  • To reissue the certificates using PowerShell see Ari Protheroe’s blog post: http://ariprotheroe.wordpress.com/2011/12/10/reissuing-certificates-for-lync-mobile/

Configuring Push Notification

  • Push Notification is used by the Mobility Service to send notifications to Apple and Microsoft phones that have the Lync application running in the background, to wake them up
  • To enable push notification run the following cmdlet:
    • Set-CsPushNotificationConfiguration -EnableApplePushNotificationService $True -EnableMicrosoftPushNotificationService $True
  • You need to enable federation with Office365 as a hosted provider if you have not already done so
    • New-CsHostingProvider -Identity "LyncOnline" -Enabled $True -ProxyFqdn "sipfed.online.lync.com" -VerificationLevel UseSourceVerification
  • You then need to set up a hosting provider between your organization and the Push Notification Service at Lync Online
    • New-CsAllowedDomain -Identity "push.lync.com"
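
A read-only check of the settings configured in the steps above, as an added example that is not part of the original post. It assumes the Lync Server Management Shell on a Front End server, the 5086/5087 ports from this guide, and that the Front End's Default certificate is the one that must carry lyncdiscoverinternal for each SIP domain; the function name Test-LyncMobilityConfig is hypothetical.

```powershell
# Added example: audits the Mobility settings from this guide without changing anything.
# Run in the Lync Server Management Shell on a Front End server.
function Test-LyncMobilityConfig {
    param(
        [int]$PrimaryPort  = 5086,   # values used in this guide
        [int]$ExternalPort = 5087
    )
    $findings = @()

    # IIS Dynamic Content Compression is a prerequisite on every Front End.
    Import-Module ServerManager
    if (-not (Get-WindowsFeature -Name Web-Dyn-Compression).Installed) {
        $findings += 'Web-Dyn-Compression is not installed on this server'
    }

    # Mcx listening ports as published in the topology.
    foreach ($web in Get-CsService -WebServer) {
        if ($web.McxSipPrimaryListeningPort -ne $PrimaryPort) {
            $findings += "$($web.Identity): McxSipPrimaryListeningPort is '$($web.McxSipPrimaryListeningPort)', expected $PrimaryPort"
        }
        if ($web.McxSipExternalListeningPort -ne $ExternalPort) {
            $findings += "$($web.Identity): McxSipExternalListeningPort is '$($web.McxSipExternalListeningPort)', expected $ExternalPort"
        }
    }

    # Internal autodiscover runs over HTTPS, so the Default certificate needs
    # a SAN for lyncdiscoverinternal.<sipdomain> for every SIP domain.
    $sans = @(Get-CsCertificate -Type Default |
              Select-Object -ExpandProperty AlternativeNames)
    foreach ($domain in Get-CsSipDomain) {
        $name = "lyncdiscoverinternal.$($domain.Name)"
        if ($sans -notcontains $name) {      # -notcontains ignores case
            $findings += "Default certificate has no SAN for $name"
        }
    }

    # Push notification switches (global scope only; site-level
    # configurations, if any, are not inspected here).
    $push = Get-CsPushNotificationConfiguration -Identity global
    if (-not $push.EnableApplePushNotificationService) {
        $findings += 'Apple push notification is disabled in the global configuration'
    }
    if (-not $push.EnableMicrosoftPushNotificationService) {
        $findings += 'Microsoft push notification is disabled in the global configuration'
    }

    # Federation objects the push service depends on.
    $provider = Get-CsHostingProvider |
        Where-Object { $_.ProxyFqdn -eq 'sipfed.online.lync.com' -and $_.Enabled }
    if (-not $provider) {
        $findings += 'No enabled hosting provider with ProxyFqdn sipfed.online.lync.com'
    }
    $allowed = Get-CsAllowedDomain | Where-Object { $_.Domain -eq 'push.lync.com' }
    if (-not $allowed) {
        $findings += 'push.lync.com is not in the allowed domain list'
    }

    $findings
}

$result = @(Test-LyncMobilityConfig)
if ($result.Count -eq 0) { 'All Mobility checks passed' } else { $result }
```

Run it on each Front End, since the Windows feature and the certificate are per server while the topology and push settings are shared.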

Publishing externally

There are two possibilities when publishing Lync Mobility through a reverse proxy

  • Publish through port 80 using the same IP as your existing Lync publishing rule
    • Pros: you don’t have to update your reverse proxy certificate with an extra SAN name
    • Cons: you need to open port 80->8080 on a new rule, and Microsoft does not recommend doing this
    • Cons: I have experienced problems using port 80 even though all config was correct. Everything worked fine when adding a certificate. So I don’t recommend it.
    • Result: your Lync mobile clients will receive the discovery information about the logon server unencrypted; the rest is encrypted the usual way
  • Publish through port 443 using the same IP as your existing Lync publishing rule
    • Pros: All traffic will be encrypted, you just need to add lyncdiscover.sipdomain.com to public name on the publishing rule
    • Cons: You need to add an extra SAN name for lyncdiscover.sipdomain.com on your reverse proxy certificate
    • Result: all traffic is encrypted
  • Take a look at Adam Jacobs blog post at the bottom for how to create a new rule
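
To confirm the port 443 option from a client's point of view, the following added example (not part of the original post) connects to lyncdiscover.<sipdomain> and lets .NET's default validation decide whether the reverse proxy certificate is trusted and carries the extra SAN. The function name Test-LyncDiscoverTls is hypothetical, sipdomain.com is the guide's placeholder, and trust is judged against the certificate store of the machine running the script, not the phone's.

```powershell
# Added example: checks the certificate presented on lyncdiscover.<sipdomain>:443.
function Test-LyncDiscoverTls {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$SipDomain          # one entry per SIP domain you publish
    )
    foreach ($domain in $SipDomain) {
        $name = "lyncdiscover.$domain"
        $report = New-Object PSObject -Property @{
            HostName = $name
            Trusted  = $false
            Subject  = $null
            Expires  = $null
            Error    = $null
        }
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($name, 443)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
            # Default validation: the chain must be trusted AND the certificate
            # subject or a SAN must match $name. A missing lyncdiscover SAN on
            # the reverse proxy certificate surfaces here as an exception.
            $ssl.AuthenticateAsClient($name)
            $report.Trusted = $true
            $report.Subject = $ssl.RemoteCertificate.Subject
            $report.Expires = $ssl.RemoteCertificate.GetExpirationDateString()
        }
        catch {
            # DNS failure, closed port, untrusted chain or name mismatch.
            $report.Error = $_.Exception.GetBaseException().Message
        }
        finally {
            $tcp.Close()
        }
        $report
    }
}

# sipdomain.com is the placeholder used throughout this guide.
Test-LyncDiscoverTls -SipDomain 'sipdomain.com' |
    Format-List HostName, Trusted, Subject, Expires, Error
```

Run it from a machine outside the corporate network so the name resolves to the reverse proxy rather than to an internal record.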

Validating and Troubleshooting

I have written a blogpost on how to validate and troubleshoot Lync Mobile and Mobility here: https://msunified.net/2011/12/23/lync-server-mobility-troubleshooting-tips/

Monitoring the Mobility Performance

There are several places you can monitor Mobility, here from TechNet:


MVP Adam Jacob’s blog: http://imaucblog.com/archive/2011/12/09/step-by-step-microsoft-lync-2010-lync-mobility-mcx-installation-guide/
Ben Lee’s blog: https://www.bibble-it.com/2011/12/10/configuring-lync-mobility-part-1
MVP Jeff Schertz’s blog: http://blog.schertz.name/2011/12/deploying-the-lync-2010-mobility-service/
Lync Server Mobility Troubleshooting Tips: https://msunified.net/2011/12/23/lync-server-mobility-troubleshooting-tips/
Microsoft Lync Server 2010 Mobility Guide: http://www.microsoft.com/download/en/details.aspx?id=28355
Planning for Mobility: http://go.microsoft.com/fwlink/?LinkId=235303
Deploying Mobility: http://go.microsoft.com/fwlink/?LinkId=235304
Monitoring Mobility for Performance: http://go.microsoft.com/fwlink/?LinkId=235305

60 thoughts on “Enabling Lync Server 2010 for Lync Mobile Clients”

  1. There is some incorrect information you are providing on the hardware load balancer. The internal web services should use source address persistence. It’s only the HLB Rule for the 4443 and 8080 that will be utilized for external web services that uses cookie based persistence. You mention a couple times that cookie based is used for internal web services which is incorrect.

  2. There is an incorrect info about the directory: C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577.0\setup …the correct one is C:\Program Files\ ….etc.etc..
    Plus, if there isn’t the directory structure mentioned above, you must create it to execute correctly the installation wizard


    • Hi and thanks for posting. The Official Lync Mobility documentation clearly states that the directory to copy McxStandalone.msi to is C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577.0\setup. The deployments my colleagues and I have done so far have used this directory with success, so I believe the documentation listed in the article is correct. Follow this link to see the original documentation on this: http://technet.microsoft.com/en-us/library/hh690016.aspx


  3. I have three SIP domains. Do I need the following to my external cert?


    • Hi Mike, and thanks for asking. If you want Lync Mobile to autodiscover Lync configuration for all domains and you want the discovery process to be encrypted you need to add lyncdiscover for each domain, yes. Both DNS CNAME and certificate SAN.

      It is however possible to do this over port 80, though it is not recommended by Microsoft


  4. Hi Ståle.
    Thanks for this guide. I’m currently working my way through it.
    You might want to change the text in this line to avoid misunderstandings for some people:

    •In PowerShell run the following cmdlet for internal and external listening port ◦Set-CsWebServer –Identity pool1.msunified.net -McxSipPrimaryListeningPort 5086 -McxSipExternalListeningPort 5087

    •In PowerShell run the following cmdlet for internal and external listening port ◦Set-CsWebServer –Identity pool.sipdomain.com -McxSipPrimaryListeningPort 5086 -McxSipExternalListeningPort 5087


  5. My AutodiscoverServiceExternalUri + internal seems to be misconfigured. How do I change the values?

    Set-CsWebServer : A parameter cannot be found that matches parameter name ‘AutodiscoverServiceExternalUri’.

    • I am not entirely sure if you can configure them manually since they seem to be based on topology information. I think you should rerun the installation wizard again if they are wrong.

      The URL I used as an example is wrong, it should return your web services internal and external URL and not lyncdiscover. Lyncdiscover is used to find the web services url. The web services URL is the one you find by running the command Get-CsService -WebServer | ft ABHandlerExternalUri

      Sorry for the misunderstanding and thanks for posting.

    • Sorry about that, it was a typo. It should be Get-CsService -WebServer | fl autodiscover*

      It is corrected in the blog, thanks for letting me know! :)

  6. Hi! When I run the command “Get-CsService -WebServer | ft ABHandlerExternalUri”, I get a URL which I can’t see anywhere in the topology builder, and it is wrong. I think I may have entered it once when I first installed the server, but after that I have made many changes to how things are set up. Does anyone know how to change this one? Also, if I do “Get-CsService -WebServer | fl” I see the same, wrong URL in several places, so there is obviously several things stuck from the first configuration I did.


    • Hello Christian.

      If you have done updates to this in the topology builder it is important that you run update-CsTopology and then Setup or Remove Lync Server components on the Front End in the deployment wizard to reconfigure the services on the FE.
      •Run the Lync Server Deployment wizard, found under Administrative tools->Lync Server
      ◦In the wizard click Install or update Lync Server System
      ◦Choose Step 2: Setup or Remove Lync Server components

      It should not be necessary to set this url manually

      Hope this helps
      Regards Ståle

      • Thanks, I tried this now, but no change to any of those URLs. Possibly it is still set somewhere that I can’t see, but where can that be? I see this URL on all the external URLs: ABHandlerExternalUri, CollabContentExternalUri, DeviceUpdateDownloadExternalUri, MeetExternalUri, DialinExternalUri, ReachExternalUri, WebTicketExternalUri and AutodiscoverServiceExternalUri.

        • Hi again, it seems my brain has gone off on christmas vacation before my body. I found the URL in the topology builder where it of course is supposed to be…

          But one thing I cannot find: When trying to connect externally to meetings, there is a redirect done when the client needs to install the meeting-plugin. This URL then points to the domain local name of the FE server. Do you know where that one is changed? Maybe off topic for the blog post…

        • Good that you found it. Actually I am not sure where that URL comes from. It should be based on your meet URL I guess, no use for external users to get the internal FE URL. I have not seen this problem elsewhere. In such cases an install or update lync server system is recommended to do from the deployment wizard. It’s amazing what that can fix :)

  7. When I try to install the McxStandalone.msi I get the following error:

    Installing McxStandalone.msi(Feature_WebComponent_Autodiscover)…failure code 1620

    I have done all the Prerequisites.

    Thanks for the help

    • Hi Jason, are you trying to install the msi directly? it is only supposed to be installed using the bootstrapper through PowerShell or gui as depicted in the blog article

  8. I’m receiving the exact same error message as Jason. I ran bootstrapper in an elevated powershell window as well. Any fix yet?

    • It was a bad download. I downloaded mcxstandalone.msi directly to the C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577.0\setup and we’re all good.

  9. Hi there I have followed through with all the instructions to install the mobility updates, created DNS records – our setup is a single FE server a single Edge Server and a ForeFront proxy. When I run the

    $passwd1 = ConvertTo-SecureString "#####" -AsPlainText -Force
    $tuc1 = New-Object Management.Automation.PSCredential("#####", $passwd1)
    $passwd2 = ConvertTo-SecureString "#####" -AsPlainText -Force
    $tuc2 = New-Object Management.Automation.PSCredential("#####", $passwd2)
    Test-CsMcxP2PIM -TargetFqdn ##### -SenderSipAddress sip:##### -SenderCredential $tuc1 -ReceiverSipAddress sip:##### -ReceiverCredential $tuc2 -v

    Test commands on the FE server I get the following error:

    Result: Failure
    Error: ERROR – No response received for Web-Ticket service. Inner Exception: The HTTP request is unauthorised with client authentication scheme ‘Ntlm’. The authentication header received from the server was ‘NTLM’. Inner Exception: The remote server returned an error: Unauthorized.

    Then there is a fairly long log trail with the most useful piece being after completing the STAActivity activity completed – then it goes to “Trying to get a web ticket”. Using NTLM\Kerb auth – could not get a web ticket.

    No response received for Web-Ticket service – occurred during workflow.

  10. What about if you have a directory server?
    Installing windows features, copy files to setup dir and then run wizard is that all?

      • When you run wizard and try to update certificates it does not add the autodiscover url to the request. Is that bug or intended?
        Also noticed in my installation that wizard just added autodiscover to web server and not mcx part is that correct?
        And my last question. why do you has to have the autodiscover url in the directors certificate. I don’t have any dns records of autodiscover url pointing to that server anyway?

        • At the moment the url thing is intended, so you need to add it manually. For the vdirs there is just autodiscover that is needed on the Director Server role, Mcx service resides on the FE’s. Why it is needed in the certificate? Honestly I’m not sure but I believe you need to point your internal autodiscover CNAME to the director since that is probably your sign in server, and therefore you need it on your certificate since it’s https.


  11. Hi. No matter how many times i follow the above steps to install McxStandalone through bootstrapper i can never get it to install.
    I have placed McxStandalone.msi under “c:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577.0\setup” and launched
    D:\Program Files\Microsoft Lync Server 2010\Deployment> .\Bootstrapper.exe
    with no luck. The bootstrapper doesn’t seem to see any changes?
    I did do “Set-CsWebServer -Identity FEpool.domain.com -McxSipPrimaryListeningPort 5086 -McxSipExternalListeningPort 5087” and “Enable-CsTopology -verbose”
    any ideas?


    • Just to make sure, are you performing these actions on your Front End server? If you try to install it on any other server, edge for example, it would just not install as you describe it.

      • Yes, this is a Front End server configuration, and Director, if you have one. No Edge server configuration is needed, assuming the Edge server is configured correct for remote access to begin with

  12. Hi, thanks for your good article.

    It would be nice to add “Get-CsService –WebServer” in the troubleshooting section. This command permits to easily see if services McxSipPrimaryListeningPort & McxSipExternalListeningPort are listening on ports 5086 & 5087.


  13. I have the reverse issue. I can connect iPhones just fine from outside the building or over 3g, but i’m getting a “can’t connect to the server” error when connected to my corporate wifi network, i’m pretty sure it’s all set up right….

    I’m using a Cisco ASA as reverse proxy that it all working fine, i even found something where MS said that even when you connect to the internal side it still ends up using the reverse proxy, but if i add rules for 8080 4333 on my corporate interface (on the ASA) i get not hit, if i add rules to the same interface for 80 and 443 i’m getting hits, but still can’t connect to the server, any ideas?


    • Hi.

      I recommend not enabling lyncdiscoverinternal and route all lync mobile traffic to external interface on the reverse proxy. You could add lyncdiscover CNAME to your internal DNS pointing to you external FQDN. So you need to open a route from your internal network to external interface on the reverse proxy and over port 443.


  14. Hi,
    When I execute the command “Set-CsWebServer –Identity -McxSipPrimaryListeningPort 5086” I get the following error :

    set-cswebserver : a parameter cannot be found that matches parameter name ‘McxSipPrimaryListeningPort’

    Do you have an idea ?
    Thank you very much

    • It seems you have forgotten the -identity value. You need to specify internal FE pool FQDN as identity like the below line

      Set-CsWebServer -Identity "Internal FE Pool FQDN" -McxSipPrimaryListeningPort 5086 -McxSipExternalListeningPort 5087

      Or it may be the comment field that has removed it. Try to write the command manually, and use tab completion in powershell, it may be something with the copy paste procedure

  15. Hi,
    When I test the mobility service using script I receive the error below:

    Creating WebTicket security token request
    Creating WebTicket security token request

    TargetUri : https://cpspsslync01.cpfl.com.br:443/mcx
    TargetFqdn : cpspsslync01.cpfl.com.br
    Result : Failure
    Latency : 00:00:00
    Error : Incorrect home pool

    Diagnosis :

    VERBOSE: ‘STActivity’ activity started.
    Starting STS Uri Discovery…
    Found sts-uri :
    STS Uri Discovery activity completed successfully.
    ‘STActivity’ activity completed in ‘0.0331416’ secs.
    ‘STActivity’ activity started.
    Starting STS Uri Discovery…
    Found sts-uri :
    STS Uri Discovery activity completed successfully.
    ‘STActivity’ activity completed in ‘0.0183783’ secs.
    ‘STActivity’ activity started.
    Trying to get web ticket.
    Web Service url :
    Using NTLM\Kerb auth.
    GetWebTicketActivity completed.
    ‘STActivity’ activity completed in ‘0.1389925’ secs.
    ‘STActivity’ activity started.
    Trying to get web ticket.
    Web Service url :
    Using NTLM\Kerb auth.
    GetWebTicketActivity completed.
    ‘STActivity’ activity completed in ‘0.075835’ secs.
    ‘McxInitiateSession’ activity started.
    ‘McxInitiateSession’ activity completed in ‘0.4681399’ secs.
    ‘McxInitiateSession’ activity started.
    Mobility Service exception:
    ntation.Mcx.McxFault]: Incorrect home pool (Fault Detail is equal to
    An exception ‘Incorrect home pool’ occurred during Workflow
    Microsoft.Rtc.SyntheticTransactions.Workflows.STMcxP2PImWorkflow execution.

    ‘McxTermiateSession’ activity started.
    ‘McxTermiateSession’ activity completed in ‘3.9E-06’ secs.
    VERBOSE: Workflow Instance Id 3eaf5300-46c1-4f55-abe5-ff5ec74c3e9e, completed.
    VERBOSE: Workflow Execution Time (sec): 0.8902944

  16. I was reading through your post, Thanks for your patience and prompt replies.
    In my case am only using Lync internally so I don’t have Edge services. I do have a reverse proxy in the DMZ, is it possible l can do without edge server ?

    • Hi Brian, interesting question. I had to re-read the technet documentation for this one.

      You can deploy the mobility service with only the reverse proxy, but you must remember to publish not only lyncautodiscover but also your webservices url, dialin and meet url. The Edge server is only used for push notification so that you get a popup for new chat messages on iOS and WP7, which is a core feature. Nokia and Android don’t use push notifications. To get call via work and be able to join meetings you need a mediation server connected to an IP-Trunk\PSTN.


  17. Hello and thank you very much for the guide. I am however unable to get it rolling.

    Ever since i made the changes that your guide suggests I am getting a lot of warnings in event viewer on FE with id 1309. Mobile clients don’t work, neither internal or external. The warnings in event viewer state HttpListenerException and Access is denied.

    Also trying to browse the site FQDN/autodiscover/autodiscover.svc/root for troubleshooting gives me a Server Error page and the same errors as shown in the event viewer ASP 2.0 warnings. I have googled around all day but I am unable to find anything. Any ideas will be most appreciated! :-)

    Best regards,

  18. Hi Guys,

    I am getting the following error:

    Error: An error occurred: “Microsoft.Rtc.Management.ADConnect.ADOperationException” “Active Directory operation failed on “DC.domain.com”. You cannot retry this operation: “Access is denied 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0″”

    Any help will be great :)

    Thank you in advance,

  19. Getting “Can’t connect to exchange web server” in Lync Mobile. We got the rest of Lync and Lync mobile working fine, but are having a bit of difficulties figuring out what to expose through the TMG and so on to get the Lync Mobile client to talk to exchange. Any help would be appreciated

    • Hi and thanks for asking on the blog. You need to publish autodiscover.domain.com for exchange and Exchange web services (EWS) through the same tmg rule or through the same owa.

      The reason for autodiscover.domain.com is that the Lync mobile and the lync full client will search for the ews url by looking up sipdomain with autodiscover in front.


  20. Very short and helpful article. By the help of it , I have setup lync mobility in a hour. Thank you
