I’m going out on a limb here…
You’re reading this blog post because, like me, you’re building your nice greenfield Lync 2013 or Skype4B implementation.
As part of the install you have spun up an edge server, checked all the port requirements and had the firewall team implement your changes, got your SSL certificates ready and assigned.
Everything looks good, so you head over to https://testconnectivity.microsoft.com/, punch in the details of your test account and get the most unhelpful error message ever:
The certificate couldn’t be validated because SSL negotiation wasn’t successful.
Now, I’m sure you have probably spent a little while checking for the obvious before jumping on Google and punching the error in.
- Edge certificate
- Intermediates if you need them
- Certificate between Edge and Front end pool
- Maybe you even checked the firewall to make sure it wasn’t it.
- A couple of articles out there will suggest looking at the TLS handshake
2 things I can recommend to make troubleshooting this a lot easier.
1.) Go grab the Remote UC Troubleshooting Tool (RUCT) by Curtis Johnstone.
It gives a much better technical view of what’s going on than the Microsoft Lync Connectivity Analyzer application and at least lets you verify what SSL certs are coming through.
You can grab it here http://www.insideocs.com/Tools/RUCT/RUCT.htm
Edit: Yes, I know James Cussen has built a similar tool to RUCT for checking DNS and the like, I still use RUCT for checking SSL certificates and chains.
You can grab James’ tool from here http://www.mylynclab.com/2014/03/lync-edge-testing-suite-part-2-lync-dns.html
2.) Check your remote access policy.
For some insane reason, if you haven’t defined your remote access policy, then instead of the port being shut or you getting an error message, the Lync server will abort the TLS handshake. WHAT?
To fix, head over to your Lync/Skype4B control panel and in the “Federation and External Access” section, ensure you have “Enabled communications with remote users” ticked.
I’ve seen this happen with Skype4B as well, so I’ve updated the article a wee bit to try and help others find it.
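To tell the cases above apart (port shut, handshake aborted by the server, certificate or chain rejected), here is a small probe added as an illustration; it is not part of RUCT or any Microsoft tool. The function names, the stage labels and the default port 443 are assumptions of this example.

```python
import socket
import ssl
import sys


def _handshake(host, port, timeout, verify):
    """Open a fresh TCP connection and run one TLS handshake over it."""
    ctx = ssl.create_default_context()
    if not verify:
        # Skip chain/name checks so a certificate problem cannot hide an abort.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def probe_edge_tls(host, port=443, timeout=5.0):
    """Return (stage, detail); the stage names are this example's own labels."""
    # Stage 1: is the port reachable at all? A firewall problem stops here.
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError as exc:
        return ("tcp_failed", str(exc))
    # Stage 2: does the server complete a handshake when we verify nothing?
    # An abort here is not a certificate problem: check the remote access policy.
    try:
        _handshake(host, port, timeout, verify=False)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return ("handshake_aborted", str(exc))
    # Stage 3: the handshake completes, so now judge the certificate and chain.
    try:
        return ("ok", _handshake(host, port, timeout, verify=True))
    except ssl.SSLCertVerificationError as exc:
        return ("cert_untrusted", exc.verify_message)
    except OSError as exc:
        return ("handshake_aborted", str(exc))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <access-edge-fqdn> [port]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe_edge_tls(sys.argv[1], port))
```

A result of `handshake_aborted` with the port open is the symptom described in point 2; `cert_untrusted` points back at the edge certificate and intermediates instead.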