Externally Provisioning Lync Phone Edition

December 22, 2010 by · 80 Comments 

I recently touched on this topic in the blog article Deploying Lync Phone Edition Devices and decided it warranted its own article, as it is a common misunderstanding that all Aries devices must first be provisioned from inside a corporate network, but that is not always the case.  Devices with a USB interface can be provisioned and fully utilized externally.

The process covered in this article is supported on the Polycom CX600 and CX3000 devices in the Aries family (and theoretically the Aastra 6725ip, but I have not personally tested it), as well as the CX700 Tanjay device.

Neither the CX500 nor the 6721ip device can be used externally, as they do not contain USB interfaces and thus are limited to the PIN authentication process to connect to a Lync Server.  As this method uses customized DHCP options to support PIN login, these devices will not work on a standard Internet connection in a home office or other unmanaged external sites.  These are common-area phones designed for internal-only applications and not for mass-deployment.

As long as the device receives a valid IP address via DHCP, along with a router option and at least one DNS server entry, then the device has everything it needs to later connect to the Edge Server on its own.

Be aware that there are some pre-release beta and early revision Aries devices out there in the wild which may not follow these exact steps, so if you have one of these evaluation devices then the software may need to be upgraded to a newer version before it behaves as detailed in this article.  Also note that CX700 devices must be on at least an OCS 2007 R2 firmware version, as older versions (e.g. 1.0.522.101) did not yet support USB tethering.

Connecting Aries Devices

I’ve tested this with both a CX600 and CX3000 (both Rev B devices running 4.0.7457.0 software) from my home office using basic Internet connectivity and no VPN or any other bridged connection.  This same process has also been used with other devices in various customer locations with just Internet access and a workstation with the Lync client installed, connected to an Edge Server.

  • Connect the Ethernet LAN interface to the network, and if not using Power over Ethernet (PoE)  then connect the 24V DC power supply.

If desired, an out-of-the-box experience can be emulated on a currently provisioned device, to truly test this process, by performing either a hard reset or a factory reset.  (This is not required; an existing device may simply need to have the current user signed out by using the Switch User menu selection.)

Although the phrase “factory reset” implies that the device will be returned to original factory default settings this process does not actually return the device to a factory-shipping state.  All Lync Phone Edition devices (both Tanjay and Aries families) contain two separate firmware partitions, an active partition and an inactive partition. Whenever the devices are upgraded to a new firmware they install the new version on the inactive partition and then reboot into that partition, effectively swapping the active/inactive partitions. The previous partition can be re-activated using this process to essentially roll back to the last firmware version installed.

  • To perform a hard reset on a Polycom Aries device (CX500, CX600, or CX3000) simply hold down both the * and # buttons while connecting the power.  Continue to hold the keys for approximately 10 seconds until the following screen appears, indicating that all user data and configuration settings will be erased.

image

  • Or, to perform a factory reset on a Polycom Aries device (CX500, CX600, or CX3000) simply hold down both the 4 and 6 buttons while connecting the power.  Continue to hold the keys for approximately 10 seconds until the following screen appears, indicating that the phone will be rolled back to the previously installed firmware version as well as erasing all settings.

image

  • Select Yes to begin the selected process, which should normally take about 2 to 3 minutes for a hard reset.

image

  • Once the reset process is completed (or if a brand new device was used instead) the following animated screen will appear, instructing the user to press the selection key on the phone.

image

  • After pressing the selection key the Welcome menu asks which method to use to provision the device.  As the device is not connected to the corporate internal network, Yes must be selected.

image

  • Make sure that the Lync client is signed in on a workstation and then connect the USB cable from the device to the computer. At this point the device will continue to display the animated screen below.

image

  • As soon as the USB cable is connected, though, the workstation should indicate that the device drivers were successfully installed (this is automatic, and if the device was previously connected to the same workstation then this balloon alert would not be seen).

image

  • Immediately afterwards the Lync client should present a new window asking for Login information for the device.  Sometimes this window will not appear on top of the desktop, so try looking at the Lync taskbar icon to see if the new window is hidden or minimized.

    Enter the Active Directory user credentials for the Lync account in either NetBIOS format (DOMAIN\username) or UPN format (username@domain.com) and click OK.

    Take note that the Lync client will often pre-populate these fields with data that is incorrect (like a local workstation hostname instead of a domain name) depending on the network and Windows client configuration.  The same credentials used to sign in to the Lync client are what should be entered here.

image

  • Back on the device screen messages should be displayed indicating that the device is locating a time server, contacting the Lync Server, and then attempting to download a certificate.  In practice I have seen this process typically fail on the first attempt, resulting in the error shown below:

image

  • If this happens, simply re-enter the password in the Logon Information Needed window on the workstation and re-submit.  The successful connection to the server will be verified by the device asking to set a phone-unlock PIN.  Enter any desired PIN (e.g. 123456) and select Next.  Confirm the new PIN and select Done.

At this point the Next button can be pressed to select a Time Zone, Date and Time Formats, and a customized Ring Tone.  After completing (or skipping) the setup the home screen will appear.

image

Enhanced Mode

At this point the device can be left tethered to the workstation, as all of the features will be available when in this enhanced, ‘better together’ mode.  The features only available when tethered include access to individual voice mails, detailed call logs, and calendar information.  This data is pulled directly from the user’s Exchange mailbox via Exchange Web Services connections which are not natively available on the device itself.

Basic Mode

If the USB cable is now disconnected, the basic mode features still available are the contact list, user photos, voice mail Message Waiting Indicator (MWI), and local call logs.  There will also be Conference leader options available when connected to a Lync conference.

Additionally the device can be powered off and rebooted and will still log in as the same user account without needing to re-tether via USB to a workstation.  This is because both the SIP Registrar FQDN (the Access Edge Server FQDN) and the Windows credentials supplied are cached in the phone, even after rebooting.  (If a factory reset is performed then all data is wiped and the process must be repeated.)  After a normal reboot (disconnect and reconnect the power source) the device will automatically log in as the cached user account and immediately lock, preventing unauthorized access to the phone by someone attempting to just restart it to gain access.

If the user is later manually signed out then the tethering process will again be required to download the certificate and cached credentials into the phone.

About Jeff Schertz
Site Administrator

Comments

80 Responses to “Externally Provisioning Lync Phone Edition”
  1. fcorfdir says:

    very useful

    thanks a lot

  2. Richard says:

    The sign-in failure may happen if you don't have a WINS server available (or not advertised via DHCP). In this case, the DOMAINFQDN\username format should be used and work even at the first try.

    If you remove the USB cable after the sign-in process finished, does this break the "enhanced" functionality? I don't believe so. This stupid limited functionality (not being able to access exchange-related stuff) happens only because there are no valid entered AD credentials available in the device's memory if you logged in via the PIN authentication. If you used the USB cable, the phone for sure HAS acquired this credentials data (as even you have said in the article), so as a result the device can live on its own with those saved credentials.

    What are your thoughts about that? Unfortunately I only have a beta Rev. device, which refuses to update to RTM FW, so I cannot confirm my idea in the real world scenario.

    • jeffschertz says:

      Richard, Yes the WINS/NetBIOS issue is referenced in my previous post (as a link to Rick Varvel's excellent Tanjay post). Also, after untethering the phone still operates in Enhanced Mode as the device caches the AD credentials entered during tether. Those credentials remain cached in the phone even after a reboot and only events like signing-out or the password changing would later break the enhanced features, requiring a re-tether. (This is also explained in my previous post on Lync Phone Edition).

  3. David says:

    This process doesn't work for me and I'm a bit stuck as to why. I have a few ideas but wanted to see if anyone knew.

    First of all we don't use DNS SRV for client auto-config. We have configured the .msi file for Lync to contain the settings. There are a number of reasons for this that I won't go into.

    Second of all we haven't exposed web services externally, again for various reasons. I suspect this is the primary reason but couldn't be sure.

    Last but not least. I sign in with a domain eg at fabikam.com. My edge server is sip.ap.fabikam-servers.com. The Cert is valid for the edge address, WC and AV. I do not however have sip.fabikam.com or anything similar in my SANs. We have around 200 possible SIP domains so this isn't practical. Is this a requirement when using this process? I would have thought that given the phone is getting Lync settings direct from the client auto-discovery wouldn't be an issue.

    Thanks for any points you might be able to offer

    • jeffschertz says:

      David, from some initial testing and clarification with Microsoft support it appears that the Phone Edition client still performs a register to SIP domain portion of the stored SIP URI. The Lync client does not pass the Manual Configuration information to the phone, thus DNS records would be required for each SIP domain a phone would need to login to. The lack of a reverse proxy would prevent the phone from performing device updates but not prevent signing-in.

      • David says:

        It's unfortunate because that means we would have to have sip.domain.com for every domain as SANs. Creates a real problem when we have 270 domains to deal with. Hopefully in the future Microsoft will support the use of SRV records as it is with the Lync Client and just throw a single certificate warning on first sign in.

        David

        • jeffschertz says:

          This is the way it has always been as TLS requires the name to match exactly. Maybe in the future wildcard entries will be fully supported but right now that is just not the case.

  4. Hello,
    How can I set a phone lock code for Polycom CX600? When I click "Lock Phone" in "Menu" nothing happens.

    Also when I sign in directly without a USB connection, it doesn't take the extension and PIN number.
    If I type the wrong PIN number it says "Invalid pin number". But when I enter the correct PIN number it says "Phone number or Extension not found"

    Please help…

    • jeffschertz says:

      The Phone Policy in your Lync environment may have the Phone Lock feature disabled. Also, when using USB, PIN Authentication is not used as the credentials are pulled directly from the computer's Lync client via the authentication prompt.

  5. Bastien BERTOUT says:

    Hello,

    Thanks a lot for this post and for your entire blog which helps me a lot!
    I'm deploying a POC for a customer. Lync is on premise but Exchange is in the cloud (Office 365).
    In enhanced mode, the CX600 can't access Exchange web services (so no calendar and no voice mail) ….

    My customer does not want to allow direct access to the internet from the LAN.

    So I have 3 questions
    - Is there a way to use some proxy settings on CX600 phones?
    - Does the CX600 verify the server certificate?
    - If yes, does the Aries store public root certificates (like verisign)? In Office 365, certificates seem to be signed by verisign so …

    Thanks a lot for your help,
    Regards,
    Bastien.

    • jeffschertz says:

      Bastien, there are no configuration options I am aware of to provide the Lync Phone Edition client with the ability to leverage a web proxy; only the DHCP-passed default route is used. And regarding certificates, yes the client does support a number of public CA root and issuing certificates by default. Here is the list of which are trusted by the phones: http://technet.microsoft.com/en-us/library/gg3982

  6. Brad says:

    I'm setting up a CX600, but when I tether it to my pc, and it asks for my login info, it will not accept my user name in the format 'domain\username'. Instead, I have to enter it as username@domain.com. Why is this?

    • jeffschertz says:

      This is usually an indication of NetBIOS name lookup failures as the DOMAIN\username format relies on NetBIOS broadcasts and WINS server lookups for proper name resolution. When externally connecting via the Internet it is best to utilize the DNS domain name in either the UPN format (username@domain.com) or the Legacy format (domain.com\username).

  7. Tim says:

    I have looked all over the technet library for how to configure the better together, but can not find a clear step by step method. Can anyone direct me?

    • jeffschertz says:

      There is no configuration of the 'Better Together' functionality as all you need to do is USB tether a device to a workstation running the Lync client and enter user credentials when prompted. To actually access those features (primarily Exchange UM features) you'll need to make sure that Exchange UM is properly deployed and configured and that you are following best practices (e.g. not using Wildcard or untrusted certs) so that the devices can successfully connect to and authenticate to Exchange.

  8. Dister says:

    Nice post there. That is helpful.
    I was wondering can I get a CX600 phone for OCS-R2 deployment? Would it interop with them as well?
    If not, which phones would you suggest for OCS-R2 deployments?
    Appreciate your response.

    - Thanks
    Dister

    • jeffschertz says:

      Dister, the Aries phones only work with Lync and do not function (nor are they supported) with OCS. The only IP-based Phone Edition device for OCS is the CX700 (the Tanjay). SNOM also has an IP phone that partially interoperates with OCS (the 300 series) and there are a number of USB only devices which work with OCS as well (Polycom CX100, CX200, CX300).

  9. TOA says:

    Is it possible to use a cx600 with office 365 E3 or E4? My new cx600 says it is connecting to Lync Server, but never connects.

    • jeffschertz says:

      No, none of the Lync Phone Edition devices are currently supported with O365 for a few reasons. Mainly the devices do not natively support the ADFS authentication method required to access O365; the Windows O365 sign-in client provides this for the Windows Lync client but since LPE must authenticate directly to the Lync server then this will not work. Secondly the user's Telephony Mode must be set to 'Enterprise Voice' in order to use any Lync Phone Edition devices, even via USB tethering; O365 does not yet include EV capabilities.

  10. This works perfect for me when running a Cisco 877 at home all is fine. The problem is I have one of my Directors who we are giving a phone to and he has a Belkin router and it will not work. Do you know what would be causing this? We have exhausted just about all possibilities within his network config?

    • jeffschertz says:

      Ryan, I'm not sure what you mean by 'it works' with the Cisco phone, but if you cannot get the LPE device to work in this environment it could be a number of things: DNS, Firewall SNAT capabilities, etc. Depends on what exactly is not working: sign-in, media, etc?

  11. Lance Megyesi says:

    Great Post – very helpful – I have a CX600 with a Rev of X5 (Assume this is a Beta version Device). I know that the hard reset is holding 4 # and Backspace while powering on. Do you happen to know what the Factory Reset key sequence is? I inadvertently approved the latest version 4 patch and it bricked the phone. I can get the hard reset to work but when I approve the erase of the user information it just goes back to the error. It doesn't reload the previous firmware.

    • jeffschertz says:

      Lance, you are correct that the hardware revision you have is a pre-production phone (denoted by the X) where production devices start with A,B,C,D,E etc. Unfortunately once CU2 or newer firmware is installed the phone is no longer functional and cannot be manually restored. You can try the Factory Reset procedure for beta devices which is to hold the * key, the 2 and the Home key but I have not gotten this to work once the device is disabled by the newer firmware. I suggest contacting your Polycom or partner rep to get a replacement device as those beta devices are not supported and were only intended to be used for early demos prior to the Lync 2010 release.

  12. Suzanne says:

    Is there any way to configure the Polycom CX600 to work with a SIP Server other than Lync? or is there a way to change the firmware to one that does not support Microsoft Lync?

    • jeffschertz says:

      No, these CX devices are specifically designed to only run the Lync Phone Edition firmware which is a Microsoft-only client.

  13. Zabulon says:

    If I login to the CX 600 "better together" and put in the NETBIOS (domain\username) it takes it but 5min later the phone shows the outlook integration error screen. However, if I use (domain.com\username) it works fine until the user changes the password or the account gets locked out.

    • jeffschertz says:

      That seems to point to an issue with the Exchange server handling NetBIOS name resolution, since the DNS domain name works during authentication.

  14. Samuel says:

    Hi, when users use a USB cable to log in to the CX phone, is it possible to configure the time zone, date format or language for them? By Lync server or by DHCP? We want to reduce the steps necessary for configuring a client.

    Thank you
    Sam

  15. jeffschertz says:

    No, that information is device-specific and must be selected during the initial device sign-in process.

  16. Jason says:

    I have this working with a CX600 and everything works but searching the GAL. It displays a message that “search results are limited” and only searches my preexisting Lync contacts. Is that your experience as well when running externally?

    • jeffschertz says:

      If the directory search is failing then you may not have published the internal web services properly on your Reverse Proxy. If this works for Windows Lync client then there could be something like an untrusted certificate on the reverse proxy or some other configuration issue.

  17. Aron says:

    "Back on the device screen messages should be displayed indicating that the device is locating a time server, contacting the Lync Server, and then attempting to download a certificate."
    After this point I get error:

    Network cable was not detected. Please check that your cable is connected to the network port and that you have a network connection.

    Desk phone is not able to sign in through usb cable. It only signs in with network cable.
    According to this post it should work with usb as well, shouldn't it?

    • jeffschertz says:

      I'm not sure what you are asking but if you are using the USB cable you still must have an Ethernet connection on the phone; it does not operate with only a USB connection.

  18. Martin Fox says:

    Is it possible to get the CX600 to logon with the credentials that the PC is logged on with so avoiding the need to logon twice?

  19. Vakhtang says:

    Hello Jeff
    You may have a problem with Lync IP Phone external connectivity through the Edge in case if your Edge External Certificate Root CA is not listed in the IP Phone trusted Root CA list. I will email you the problem details and how to fix it (too much formatting for the comment space :) )

    Regards,
    Vakhtang

    • jeffschertz says:

      Yes, a workaround for this issue has been covered on other blogs, like by Kevin Peters in this article.

      • 13lind says:

        I'm having this problem trying to provision a CX600 out of the box externally on a home network. The phone is USB-tethered to a domain-joined laptop, connected to the internal network via Cisco VPN client. I just spent a couple days with Microsoft Support and they've pointed at this article http://technet.microsoft.com/en-us/library/gg3982… where it indicates that phones MUST first be connected to the internal network before being provisioned externally. All my certs are legit so it could explain my certificate download issues. I am using a Trusted Public CA (Thawte) issued certificate which I thought was trusted by LPE. This article seemingly indicates I CAN provision a phone OOTB so – please let me know if you've found a workaround. I'd like to ship phones to new remote users without having to fiddle and ship them again. Cheers!

        • jeffschertz says:

          The phone does not need to be provisioned internally if a public certificate is installed on the Access Edge service. If your Lync environment is not properly configured to utilize an Edge server and you must use the Cisco VPN client on your workstations to connect to Lync then the phone has no access to the VPN over its own network connection in your home office. USB-tethering the phone to a workstation does not provide it any access to the VPN network established on the workstation.

          • 13lind says:

            I have a public certificate on my Edge server. I can connect to Lync externally with or without the VPN just fine. When attempting to provision a brand new CX600 (4.0.7577.4100) externally, it fails indicating "Cannot download certificate because domain is not accessible." Any ideas? Microsoft is telling me it's not possible.

          • jeffschertz says:

            The phone should not attempt to download a certificate when connecting to an Edge server with a public CA certificate. They are correct in that it is not possible to download certs externally, but the environment should be configured so that is not required. I can only guess that the public CA which signed your certificates is not trusted by Lync Phone Edition. As listed here LPE does trust the Verisign-issued Thawte CAs but you might be using a different, untrusted chain.

  20. Jason Fink says:

    Jeff,

    Your articles are always awesome, and I have had to reference them a lot during my first Lync implementations, so thank you for everything!

    Can you provide that workaround that you gave to Vakhtang, please? We have a DigiCert UC, and unfortunately when we were deploying Lync we didn't realize that it isn't supported for Lync Phone Edition. The link you provided to him just brings me back to here, unfortunately.

  21. Vakhtang says:

    You basically need to add the 3rd party root cert to the FE server so it publishes it when IP Phones request the list of root certificates.

    1* Add the 3rd party root cert to the FE trusted root certs
    2* Add the root cert for the FE to publish when IP Phones request the root certs, using Lync Management Shell

    # get the list of all certificates
    Get-CsCertificate

    # get the list of trusted CA certificates
    Get-CsWebServiceConfiguration

    # add the root cert to the list published to the phones
    $cert = New-CsWebTrustedCACertificate -Thumbprint "Thumbprint_Here" -CAStore TrustedRootCA
    Set-CsWebServiceConfiguration -TrustedCACerts @{Add=$cert}

    be aware that you may need to reset the existing client PIN

    # remove all associated certificates or remove line by line
    Set-CsWebServiceConfiguration -Identity site:Redmond -TrustedCACerts $Null

    Additional references: http://blogs.technet.com/b/csps/archive/2011/07/2
    OCSGuy http://ocsguy.com/2012/05/19/lync-phone-edition-c

  22. Aaree says:

    I didn't understand the external sign-in part. The phone needs to have a cert trusted by my edge server. Public certs have a lot of intermediate certs which the phone normally does not have by default. Then how will they sign in externally?

    Please help me to understand this.
    thanks

    • jeffschertz says:

      LPE already trusts a large number of public CA root certificate authorities, so when the device is connecting to an Edge Server there is no need to download the certificate chain like when connecting to an internal server which typically uses a private CA.

  23. Arnrkrk says:

    Hi Jeff,

    How can a device with a USB interface be provisioned and fully utilized externally without signing in even once from inside?
    How will the phone download the root and intermediate cert of the edge?

    Thank you
    Arnrkrk

  24. Scott says:

    Hi Jeff,

    We recently updated our external certificate on our edge servers and rebooted them. The next morning we came in and our cx600 devices that got rebooted can no longer login. We then rolled back our certs to the old certs thinking that was where the problem existed. Still cannot get them to login. All phones are external to our domain. Error we are receiving is: Cannot download certificate because the domain is not accessible. Any ideas you could suggest would be great. We have looked everywhere and also have Microsoft working on it as well.

    • jeffschertz says:

      Scott, unless you changed the certificate to one from a completely different certificate authority I can't see what the issue could be here. I can only assume that the configuration between the two is somehow different and a required name might be missing from the new certificate.

  25. Graham Brewer says:

    Hello Jeff,
    We have Lync 2013 installed and am using a combination of Snom 300 and Polycom CX700 from an earlier install of OCS 2007R2. My question: I am getting beaten up by users with the same old "I changed my password in Windows and now my phone does not work, I want to change my password in one place and expect my phone to update".
    So, looking at USB tethered phones, such as the CX600… do these allow for automatic update of password changes? And/or any other ideas would be appreciated.

    Regards,
    Graham Brewer

    • jeffschertz says:

      Graham, if the AD password is changed the CX phones will still continue to sign-in to Lync as they utilize a client certificate for Lync authentication which is generated after the first successful NTLM authentication. But Exchange integration will be unavailable as that must use the AD username/password for every connection attempt as Exchange does not support the client certificate authentication (TLS-DSK) that Lync provides. Once the password is changed it can only be changed on the phone by having the user sign out and back in again to refresh the credentials.

  26. Jody says:

    Hi Jeff,

    We have Lync 2013 with Edge and my CX600 phones are unable to sign in externally when using the "better together" USB connection. The phones just go back to the "Sign-in Error" screen. I just have a generic network setup externally with no DHCP options specified (other than gateway & DNS).

    The CX600s are running firmware version 4.0.7577.4066 which I know is a few versions old. I'm hoping this is the issue and I can update the phones by connecting them directly to the network with Lync. Other Lync clients are able to connect automatically (Lync client 2013, Mobility client, etc), it's just the phone that's not working. I thought about running a capture of the network traffic to see what's going on but was also wondering what logs I might review on the server itself. Your thoughts and suggestions are greatly appreciated.

    Thanks!
    Jody

    • jeffschertz says:

      Jody, are you using a DigiCert-issued certificate on your Edge external services by chance?

      • Craig Gauntlett says:

        Hi Jeff

        I have the same problem and yes to Digicert edge certificate that has recently been renewed. I have followed the instructions to add the thumbprint into the web service and made digicert root certificate is all both front ends and directors but still I get the "cannot download the certificate because domain is not accessible"

        Help!

        • jeffschertz says:

          That process is only applicable for internal devices as external devices do not automatically download any root certificates. The Edge server certificate must be trusted by the device beforehand. DigiCert has recently changed their signing CAs to use a different chain which utilizes a new DigiCert Root CA, as opposed to the older certificates which were actually signed by an Entrust Root CA. Lync Phone Edition trusts that Entrust server by default but not the new DigiCert server. Until Microsoft releases a Cumulative Update containing the new DigiCert root CA certificates you'll need to use a different certificate on your external services. Contact Digicert and they can re-issue your certificate from the old CA chain (the recommended method). An alternative (and not ideal) is to dig up the old DigiCert Tool and 'fix' the server. This is not recommended because you'll actually be reverting the server configuration to use an older, expiring chain which may impact other things, but will resolve the LPE issues (temporarily).

  27. Jarrah says:

    Hi, I have the same issue as Jody and am new to this post. I also am using Digicert certificates on my Edge and have been trying to fault find this with no progress….. What is this I hear about digicert not working? How long ago did this stop working? Is there a workaround?
    I am very much in need of getting the CX600 phones working externally…… cheers

  28. Mark Radcliffe says:

    Have you ever tried a Lync phone edition device with a contact based user? I.e. an external forest AD which uses contacts to describe how to use the external trust?

    I have a CX3000 device that is only able to login with users from the forest that the Lync server is part of. It mentions that it cannot locate the domain controller on the screen when attempting to login as the contact user. It is connected via the usb link and I have attempted to login using the upn name and [FQDN domain name]\USER

    Cheers

  29. Lars S says:

    Hi Jeff,

    The router option you describe in the beginning of this article which has to be set, can you tell which one that is?

    Regards
    Lars

    • jeffschertz says:

      That was just a reference to the Default Gateway IP address that any DHCP server should be passing out to clients.

  30. Manesh says:

    Can I configure my Polycom Cx600 and CX3000 Phones from external network by using extension and PIN ? I have a DHCP server in the external network. How should I create the DHCP options for supporting PIN authentication. I can configure the Phone from external network by using USB cable.

    • jeffschertz says:

      You cannot use PIN Authentication externally. Even if you attempted to set up DHCP Options 43 and 120 on a remote DHCP server in that external network you must have direct connectivity to the Front End pool; this does not work through an Edge Server. USB pairing is the only possible provisioning method for external Lync Phone Edition devices.

  31. M. Shoaib Irtaza says:

    Hi Jeff,

    I have been working with CX3000, CX600 and CX700 without any issue till I added a new sip domain. The phones work perfectly with the primary domain which is also the AD domain. The desktop client works well with the new sip domain but when USB tethering the phone gets stuck at "connecting to lync server". Your help is needed desperately.

    Thanks,
    Shoaib

    • jeffschertz says:

      Most likely you are either missing the proper SRV/A records for Automatic DNS Lookup for the new SIP domain or you have a domain name mismatch in the new records (e.g. pointing SRV record for newdomain.com to the A record of pool.olddomain.com). See this article for more details on the second scenario: http://blog.schertz.name/2013/08/lync-phone-editi

      • M. Shoaib Irtaza says:

        Thanks Jeff, It looks like in multi-tenant environment the SRV have to point to the primary SIP domain and not the new domain A record. That made my Polycom CX phone work.

        Once again thanks for the help.

        • jeffschertz says:

          The SRV record for the SIP domain must point to an A record in the same domain as the SRV record, as discussed in the article I linked. It doesn't matter which domain you use as long as they are the same between the SRV and A. This would mean that for multi-tenant environments you need to have a pair of SRV (…domain1.com) and A (sip.domain1.com) records for every supported SIP domain defined in DNS and the A record included in the certificate. This is one of the reasons that Microsoft does not officially support Lync Phone Edition devices with Lync Hosting Pack for any other multi-tenant environment (outside of Office 365).
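
The DNS and certificate rules from the replies in this thread (every SIP domain needs its own SRV record, the SRV target must be a host in that same domain, and that exact host name must be in the Edge certificate because wildcard entries are not supported) can be audited before phones are shipped to remote users. The following PowerShell is an added example, not code from the original post or its comments; the function name Test-LpeSipDomain and all domains, host names and SAN entries are constructed for illustration.

```powershell
# Added example: audits constructed DNS and certificate data; no network access.
# Every domain, host name and SAN entry below is a constructed sample value.

function Test-LpeSipDomain {
    param(
        [Parameter(Mandatory = $true)] [string]   $SipDomain,
        [string]                                  $SrvTarget,       # host the SIP domain's SRV record points to
        [Parameter(Mandatory = $true)] [string[]] $CertificateSans  # SAN entries on the Edge certificate
    )

    $domain = $SipDomain.Trim().TrimEnd('.').ToLowerInvariant()
    $issues = @()
    $target = $null

    if ([string]::IsNullOrWhiteSpace($SrvTarget)) {
        # The phone registers to the SIP domain of the user's SIP URI,
        # so each SIP domain needs its own records.
        $issues += 'no SRV record for this SIP domain'
    }
    else {
        $target = $SrvTarget.Trim().TrimEnd('.').ToLowerInvariant()

        # Rule 1: the SRV target must be a host in the same domain as the SRV record.
        if (-not $target.EndsWith(".$domain", [System.StringComparison]::Ordinal)) {
            $issues += "SRV target is outside $domain"
        }

        # Rule 2: the target's exact name must be a SAN on the Edge certificate.
        $sans = @($CertificateSans | ForEach-Object { $_.Trim().TrimEnd('.').ToLowerInvariant() })
        if ($sans -notcontains $target) {
            $parent = ($target -split '\.', 2)[1]
            if ($parent -and ($sans -contains "*.$parent")) {
                # Per the thread, wildcard entries are not supported by the phones.
                $issues += 'only a wildcard SAN covers the SRV target'
            }
            else {
                $issues += 'SRV target is not in the certificate SAN list'
            }
        }
    }

    [pscustomobject]@{
        SipDomain = $domain
        SrvTarget = $target
        Passed    = ($issues.Count -eq 0)
        Issues    = ($issues -join '; ')
    }
}

# Constructed inventory: four SIP domains, their SRV targets, and the Edge SAN list.
$sipDomains = 'contoso.example', 'fabrikam.example', 'tailspin.example', 'northwind.example'
$srvTargets = @{
    'contoso.example'  = 'sip.contoso.example'
    'fabrikam.example' = 'sip.contoso.example'    # SRV points into another domain
    'tailspin.example' = 'sip.tailspin.example'   # covered only by a wildcard SAN
}                                                 # northwind.example has no SRV record
$edgeSans = 'sip.contoso.example', 'webconf.contoso.example', '*.tailspin.example'

$report = foreach ($d in $sipDomains) {
    Test-LpeSipDomain -SipDomain $d -SrvTarget $srvTargets[$d] -CertificateSans $edgeSans
}
$report | Format-Table -AutoSize -Wrap
```

With this sample data only contoso.example passes; the other three rows each show one of the failure modes discussed in the comments.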

  32. N Khan says:

    Hi Jeff,

    Your blog is always very helpful. I really appreciate the efforts you are putting to help the community.

    Is it possible to disable the "Switch user" option on the CX3000 conf phone, as we are using them externally with ‘better together’?

    Thanks
