I recently touched on this topic in the blog article Deploying Lync Phone Edition Devices and decided it warranted its own article as it’s commonly misunderstood that all Aries devices must be first provisioned from inside a corporate network first, but that is not the always the case. Devices with a USB interface can be provisioned and fully-utilized externally.
The process covered in this article is supported on the Polycom CX600 and CX3000 (and theoretically the Aastra 6725ip but I have not personally tested it ) devices in the Aries family, as well as the CX700 Tanjay device.
Neither the CX500 nor the 6721ip device can be used externally as they do not contain USB interfaces and thus are limited to utilizing the PIN authentication process only to connect to a Lync Server. As this method uses customized DHCP options to support PIN login they will not work on a standard Internet connection in a home office or other unmanaged external sites. These are common-area phone designed for internal-only applications and not for mass-deployment.
As long as a valid IP address is handed out to the device via DHCP and a router option is included along with at least one DNS server entry than the device has everything it needs to later connect to the Edge Server on its own.
Be aware that there are some pre-release beta and early revision Aries devices out there in the wild which may not follow these exact steps, so if you have one of these evaluation devices then the software may need to be upgraded to a newer version before it behaves the same as detailed in this article. Also note that for CX700 devices they must be on at least an OCS 2007 R2 firmware version, as older versions (e.g. 1.0.522.101) did not yet support USB tethering.
Connecting Aries Devices
I’ve tested this with both a CX600 and CX3000 (both Rev B devices running 4.0.7457.0 software) from my home office using basic Internet connectivity and no VPN or any other bridged connection. This same process has also been used with other devices in various customer locations with just Internet access and a workstation with the Lync client installed, connected to a Edge Server.
- Connect the Ethernet LAN interface to the network, and if not using Power over Ethernet (PoE) then connect the 24V DC power supply.
If desired, an out-of-the-box experience can be emulated on a device currently provisioned to truly test this process by performing either a hard reset or factory reset. (This is not required and an existing device may simply just need to have the current user signed-out by using the Switch User menu selection.)
Although the phrase “factory reset” implies that the device will be returned to original factory default settings this process does not actually return the device to a factory-shipping state. All Lync Phone Edition devices (both Tanjay and Aries families) contain two separate firmware partitions, an active partition and an inactive partition. Whenever the devices are upgraded to a new firmware they install the new version on the inactive partition and then reboot into that partition, effectively swapping the active/inactive partitions. The previous partition can be re-activated using this process to essentially roll back to the last firmware version installed.
- To perform a hard reset on a Polycom Aries device (CX500, CX600, or CX3000) simply hold down both the * and # buttons while connecting the power. Continue to hold the keys for approximately 10 seconds until the following screen appears, indicating that all user data and configuration settings will be erased.
- Or, to perform a factory reset on a Polycom Aries device (CX500, CX600, or CX3000) simply hold down both the 4 and 6 buttons while connecting the power. Continue to hold the keys for approximately 10 seconds until the following screen appears, indicating that the phone will be rolled back to the previously installed firmware version as well as erasing all settings.
- Select Yes to begin the selected process, which should normally take about 2 to 3 minutes for a hard reset
- Once the reset process is completed (or if a brand new device was used instead) the following animated screen will appear, instructing the user to press the selection key on the phone.
- After pressing the selection key the Welcome menu asks for which method to use to provision the device. As the device is not connected to the corporate internal network then Yes must be selected.
- Make sure that the Lync client is signed on a workstation and then connect the USB cable from the device to the computer. At this point the device will continue to display the animated screen below.
- As soon as the USB cable is connected though the workstation should indicate that the device drivers were successfully installed (this is automatic, and if the device was already connected to the same workstation prior then this balloon alert would not be seen).
- Immediately after the Lync client should present a new window asking for Login information for the device. Sometimes this window will not always appear on the top of the desktop so try looking at the Lync taskbar icon to see if the new window is hidden or minimized.Enter the Active Directory user credentials for the Lync account in either NetBIOS format (DOMAIN\username) or UPN format (username@domain.com) and click OK.
Take note that often the Lync client will pre-populate these fields with data that is incorrect (like a local workstation hostname instead of a domain name) depending on the network and Windows client configuration. The same credentials used to sign-in to the Lync client are what should be entered here.
- Back on the device screen messages should be displayed indicating that the device is locating a time server, contacting the Lync Server, and then attempting to download a certificate. In practice I have seen this process typically fail on the first attempt, resulting in the error shown below:
- If this happens, simply re-enter the password in the Logon Information Needed window on the workstation again and re-submit. The successful connection to the server will be verify by the device asking to set a phone-unlock PIN. Enter any desired PIN (e.g. 123456) and select Next. Confirm the new PIN and select Done.
At this point either the Next button can be pressed to select a Time Zone, Date and Time Formats, and a customized Ring Tone. After completing (or skipping) the setup the home screen will appear.
Enhanced Mode
At this point the device can be left tethered to the workstation as all the feature will be available when in this enhanced, ‘better together’ mode. The features only available when tethered include access to individual voice mails, detailed call logs, and calendar information. This data is pulled directly from the user’s Exchange mailbox via Exchange Web Services connections which are not natively available on the device itself.
Basic Mode
So if the USB cable is now disconnected then the basic mode features still available would be the contact list, user photos, voice mail Message Waiting Indicator (MWI), and local call logs. There will also be Conference leader options available when connected to a Lync conference.
Additionally the device can be powered off and rebooted and will still login as the same user account with needing to re-tether via USB to a workstation. This is because both the SIP Registrar FQDN (the Access Edge Server FQDN) and the windows credentials currently supplied are both cached in the phone, even after rebooting. (If a factory-reset is performed than all data is wiped and the process must be repeated). After a normal reboot (disconnect and reconnect the power source) the device will automatically login as the cached user account and immediate lock, preventing unauthorized access to the phone be someone attempting to just restart it to gain access.
If the user is later manually signed-out then the tethering process will again be required to download the certificate and cached credentials into the phone again.
very usefull
thank's a lot
Hi Jeff,
Have you seen where the phone loses Calendar after a day or so? We have recently moved to Exchange in the cloud, Works well for most, but we have a couple of folks who after logging into the phone using the USB, they disconnect the USB and after a day or so lose connection to Calendar on their CX600. Seems the folks who stay connected via USB do not see this issue.
Micky
I have not seen that before, I assume you are using Exchange Online in O365?
The sign-in failure may happen if you dont have a WINS server available (or not advertised via DHCP). In this case, the DOMAINFQDNusername format should be used and work even at the first try.
If you remove the USB cable after the signin process finished, does this break the "enhanced" functionality? I dont believe so. This stupid limited functionality (not being able to access exchange-related stuff) happens only because there is no valid entered AD credentials available in the device's memory if you logged in via the PIN authentication. If you used the USB cable, the phone for sure HAS acquired this credentials data (as even you have said in the article),so as the result the device and can live on its own with that saved credentials.
What are your thoughts about that? Unfortunately I only have a beta Rev. device, which refuses to update to RTM FW, so I cannot confirm my idea in the real world scenario.
Richard, Yes the WINS/NetBIOS issue is referenced in my previous post (as a link to Rick Varvel's excellent Tanjay post). Also, after untethering the phone still operates in Enhanced Mode as the device caches the AD credentials entered during tether. Those credentials remain cached in the phone even after a reboot and only events like signing-out or the password changing would later break the enhanced features, require a re-tether. (This is also explained in my previous post on Lync Phone Edition).
Hi Jeff, I've not been able to track down the Rick Varvel post you speak of, please can you point me in the right direction?
Paul, I'm not sure which of Rick's articles you are referring to but these are what I'm aware of: http://blogs.technet.com/b/rickva
This process doesn't work for me and I'm a bit stuck as to why. I have a few ideas but wanted to see if anyone knew.
First of all we don't use DNS SRV for client auto-config. We have configured the .msi file for Lync to contain the settings. There are a number of reasons for this that I won't go into.
Second of all we haven't use exposed web services externally, again varies reasons. I suspect this is the primary reasons but couldn't be sure.
Last but not least. I sign in with a domain eg at fabikam.com. My edge server is sip.ap.fabikam-servers.com. The Cert is valid for the edge address, WC and AV. I do not however have sip.fabikam.com or anything similiar in my SANs. We have around 200 possible SIP domains so this isn't practical. Is this a requirement when using this process? I would have thought that given the phone is getting Lync settings direct from the client auto-discovery wouldn't be an issue.
Thanks for any points you might be able to offer
David, from some initial testing and clarification with Microsoft support it appears that the Phone Edition client still performs a register to SIP domain portion of the stored SIP URI. The Lync client does not pass the Manual Configuration information to the phone, thus DNS records would be required for each SIP domain a phone would need to login to. The lack of a reverse proxy would prevent the phone from performing device updates but not prevent signing-in.
It's unfortunate because that means we would have to have sip.domain.com for every domain as SANs. Creates a real problem when we have 270 domains to deal with. Hopefully in the future Microsoft will support the use of SRV records as it is with the Lync Client and just throw a single certificate warning on first sign in.
David
This is the way it has always been as TLS requires the name to patch exactly. Maybe in the future wildcard entries will be fully supported but right now that is just not the case.
Hello,
How can set a phone lock code for Polycom CX600. When click "Lock Phone" in "Menu" nothing happens.
Also when sign in directly without usb connection, it doesn't take extension and pin number.
If I type wrong pin number it says "Invalid pin number". But when I enter correct pin number it says "Phone number or Extension not found"
Please help…
The Phone Policy in your Lync environment may have the Phone Lock feature disabled. Also when using USB PIN Authentication is not used as the credentials are pulled directly from the computer's Lync client via the authentication prompt.
Hello,
Thanx a lot for this post and for your entire blog which helps me a lot !
I'm deploying a POC for a customer. Lync is on premise but exchange is in the cloud (Office 365).
In enhance mode, CX600 can't access exchange web services (so no calendar and no voice mail) ….
My customer does not want to allow direct access to the internet from the LAN.
So I have 3 questions
– Is there a way to use some proxy settings on CX600 phones ?
– Does the CX600 verify server certificate ?
– If yes, Does the Airies store public root certificates (like verisign) ? In office 365, certificates seem to be signed by verisign so …
Thanx a lot for your help,
Regards,
Bastien.
Bastien, there are no configuration options I am aware of to provide the Lync Phone Edition client with the ability to leverage a web proxy; only the DHCP-passed default route is used. And regarding certificates, yes the client does support a number of public CA root and issuing certificates by default. Here is the list of which are trusted by the phones: http://technet.microsoft.com/en-us/library/gg3982…
I'm setting up a CX600, but when I tether it to my pc, and it asks for my login info, it will not accept my user name in the format 'domainusername'. Instead, I have to enter it as username@domain.com. Why is this?
This is usually an indication of NetBIOS name lookup failures as the DOMAINusername format relies on NetBIOS broadcasts and WINS server lookups for proper name resolution. When externally connecting via the Internet it is best to utilize the DNS domain name in either the UPN format (username@domain.com) or the Legacy format (domain.comusername).
I have looked all over the technet library for how to configure the better together, but can not find a clear step by step method. Can anyone direct me?
There is no configuration of the 'Better Together' functionality as all you need to do is USB tether a device to a workstation running the Lync client and enter user credentials when prompted. To actually access those features (primarily Exchange UM features) you'll need to make sure that Exchange UM is properly deployed and configured and that you are following best practices (e.g. not using Wildcard or untrusted certs) so that the devices can successfully connected to and authenticate to Exchange.
Nice post there. That is helpful.
I was wondering can I get a CX600 phone for OCS-R2 deployment? Would it interop with them as well?
If not, which phones would you suggest for OCS-R2 deployments?
Appreciate your response.
– Thanks
Dister
Dister, the Aries phones only work with Lync and do not function (nor are they supported) with OCS. The only IP-based Phone Edition device for OCS is the CX700 (the Tanjay). SNOM also has an IP phone that partially interoperates with OCS (the 300 series) and there are a number of USB only devices which work with OCS as well (Polycom CX100, CX200, CX300).
[…] (quickly learned I cannot read Chinese). The easiest way to fix this is just perform a quick hard-reset on the phone to revert it back to the default […]
[…] them a Lync Phone Edition device that registers via Edge servers (see Jeff Schertz’ great bit here), and they have full functionality. Isolating these users is the hard […]
[…] a Lync Phone Edition device that registers via Edge servers (see Jeff Schertz’ great bit here), and they have full functionality. Isolating these users is the hard […]
Is it possible to use a cx600 with office 365 E3 or E4? My new cx600 says it is connecting to Lync Server, but never connects.
No, none of the Lync Phone Edition devices are currently supported with O365 for a few reasons. Mainly the devices do not natively support the ADFS authentication method required to access O365; the windows O365 sign-in client provides this for the Windows Lync client but since LPE must authenticate directly to the Lync server then this will not work. Secondly the user's Telephony Mode must be set to 'Enterprise Voice' in order to use any Lync Phone Edition devices, even via USB tethering; O365 does not yet have include EV capabilities.
This works perfect for me when running a Cisco 877 at home all is fine. The problem is I have one of my Directors who we are giving a phone to and he has a Belkin router and it will not work. Do you know what would be causing this? We have exhausted just about all possibilities within his network config?
Ryan, I'm not sure what you mean by 'it works' with the Cisco phone, but if you cannot get the LPE device to work in this environment it could be a number of things: DNS, Firewall SNAT capabilities, etc. Depends on what exactly is not working: sign-in, media, etc?
Great Post – very helpful – I was I have a CX600 with a Rev of X5 (Assume this is a Beta verison Device). I know that the hard reset is holding 4 # and Backspace while powering on. Do you happen to know what the Factory Reset key sequence is? I in advertantly approve the latest version 4 patch and it bricked the phone. I can get the hard reset to work but when I approve the erase of the user information it just goes back to the error. It doesn't reload the previous firmware.
Lance, you are correct that the hardware revision you have is a pre-production phone (denoted by the X) where production devices start with A,B,C,D,E etc. Unfortunately once CU2 or newer firmware is installed the phone is no longer functional and cannot be manually restored. You can try the Factory Reset procedure for beta devices which is to hold the * key, the 2 and the Home key but I have not gotten this to work once the device is disabled by the newer firmware. I suggest contacting your Polycom or partner rep to get a replacement device as those beta devices are not supported and where only intended to be used for early demos prior to the Lync 2010 release.
Is there any way to configure the Polycom CX600 to work with a SIP Server other than Lync? or is there a way to change the firmware to one that does not support Microsoft Lync?
No, these CX devices are specifically designed to only run the Lync Phone Edition firmware which is a Microsoft-only client.
if i login to the CX 600 "better together" and put in the NETBIOS (domainusername) it takes it but 5min later the phone shows the outlook integration error screen. However, if i use (domain.comusername) it works fine until the users changes the password or the account gets locked out.
That seems to point to an issue with the Exchange server handling NetBIOS name resolution, since the DNS domain name works during authentication.
[…] ability to provision a Lync Phone Edition device out-of-the-box is covered in detail in this previous blog article but this process only works on some devices, not all. Any of the Common Area Phone models […]
Hi, when users use USB cable for login to the CX phone, it's possible to configure the time zone, date format or language for them? By Lync server or by DHCP? We want to reduce the steps necessary for configuring a client
Thank you
Sam
No, that information is device-specific and must be selected during the initial device sign-in process.
I have this working with a CX600 and everything works but searching the GAL. It displays a message that “search results are limited” and only searches my preexisting Lync contacts. Is that your experience as well when running externally?
If the directory search is failing then you may not have published the internal web services properly on your Reverse Proxy. If this works for Windows Lync client then there could be something like an untrusted certificate on the reverse proxy or some other configuration issue.
"Back on the device screen messages should be displayed indicating that the device is locating a time server, contacting the Lync Server, and then attempting to download a certificate."
After this point I get error:
Network cable was not detected. Please check that your cable is connected to the network port and that you have a network connection.
Desk phone is not able to sign in through usb cable. It only signs in with network cable.
According to this post it should work with usb as well, shouldn't it?
I'm not sure what you are asking but if you are using the USB cable you still must have an Ethernet connection on the phone; it does not operate with only a USB connection.
Is it possible to get the CX600 to logon with the credentials that the PC is logged on with so avoiding the need to logon twice?
No, the credentials must be entered manually when prompted, they cannot be passed automatically to the device.
Hello Jeff
You may have a problem with Lync IP Phone external connectivity through the Edge in case if your Edge External Certificate Root CA is not listed in the IP Phone trusted Root CA list. I will email you the problem details and how to fix it (too much formatting for the comment space 🙂 )
Regards,
Vakhtang
Yes, a workaround for this issue has been covered on other blogs, like by Kevin Peters in this article.
I'm having this problem trying to provision a CX600 out of the box externally on a home network. The phone is USB-tethered to a domain-joined laptop, connected to the internal network via Cisco VPN client. I just spent a couple days with Microsoft Support and they've pointed at this article http://technet.microsoft.com/en-us/library/gg3982… where it indicates that phones MUST first be connected to the internal network before being provisioned externally. All my certs are legit so it could explain my certificate download issues. I am using a Trusted Public CA (Thawte) issued certificate which I thought was trusted by LPE. This article seemingly indicates I CAN provision a phone OOTB so – please let me know if you've found a workaround. I'd like to ship phones to new remote users without having to fiddle and ship them again. Cheers!
The phone does not need to be provisioning internally if a public certificate is installed on the Access Edge service. If your Lync environment is not properly configured to utilize an Edge server and you must use the Cisco VPN client on your workstations to connect to Lync then the phone cannot has no access to the VPN over its own network connection in your home office. USB-tethering the phone to a workstation does not provide it any access to the VPN network established on the workstation.
I have a public certificate on my Edge server. I can connect to Lync externally with our without the VPN just fine. When attempting to provision a brand new CX600 (4.0.7577.4100) externally, it fails indicating "Cannot download certificate because domain is not accessible." Any ideas? Microsoft is telling me it's not possible.
The phone should not attempt to download a certificate when connecting to an Edge server with a public CA certificate. They are correct in that it is not possible to download certs externally, but the environment should be configured so that is not required. I can only guess that the public CA which signed your certificates is not trusted by Lync Phone Edition. As listed here LPE does trust the Verisign-issued Thawte CAs but you might be using a different, untrusted chain.
[…] a soft-reset on the phone to wipe any cached client credentials or […]
Jeff,
Your articles are always awesome, and I have had to reference them a lot during my first Lync implementations, so thank you for everything!
Can you provide that workaround that you gave to Vakhtang, please? We have a DigiCert UC, and unfortunately when we were deploying Lync we didn't realize that it isn't supported for Lync Phone Edition. The link you provided to him just brings me back to here, unfortunately.
You can use the process shown in this article to import additional CA certificates into the phones: http://ocsguy.com/2012/05/19/lync-phone-edition-c…
You basically need to add the 3rd party root cert to FE server so it publishes when IP Phones request the list of root certificates.
1* Add the 3rd party root cert to the FE trusted root certs
2* add the root cert for FE to publish when IP Phones requesting the root certs, use Lync management shell
get-cscertificate
get the list of all certificates
get-csWebServiceConfiguration
get the list of trusted CA certificates
$cert = new-cswebtrustedCACertificate -thumbprint “?Thumbprint_Here” -castore TrustedRootCA
set-cswebserviceConfiguration -trustedCACerts @{Add=$cert}
be aware that you may need to reset existing client PIN
Set-CsWebServiceConfiguration -Identity site:Redmond -TrustedCACerts $Null
remove all associated certificates or remove line by line
Additional references: http://blogs.technet.com/b/csps/archive/2011/07/2…
OCSGuy http://ocsguy.com/2012/05/19/lync-phone-edition-c…
I didn't understand the external sign in part. Phone need to have a cert trusted by my edge server . Public cert have got lot of intermediate cert which normally phone do not have in it by default. then how will they sign in externally .
please help to understand this .
thanks
LPE already trusts a large number of public CA root certificate authorities, so when the device is connecting to an Edge Server there is no need to download the certificate chain like when connecting to an internal server which typically uses a private CA.
Hi Jeff,
How can a devices with a USB interface can be provisioned and fully-utilized externally without signing in even once from inside .
How phone will download the root and intermediate cert of the edge .
Thank you
Arnrkrk
External devices register to an Edge Server which is equipped with a trusted public certificate, so there is no need for the device to download a root certificate. This article lists all of the preloaded public certificates in LPE: http://technet.microsoft.com/en-us/library/gg3982…
Hi Jeff,
We recently updated our external certificate on our edge servers and rebooted them. The next morning we came in and our cx600 devices that got rebooted, can no longer login. We then rolled back our certs to the old certs thinking that was where the problem existed . Still cannot get them to login. All phones are external to our domain. Error we are receiving is: Cannot download certificate because the domain is not accessible. Any ideas you could suggest would be great. We have looked everywhere and also have Microsoft working on it as well.
Scott, unless you changed the certificate to one from a completely different certificate authority I can't see what the issue could be here. I can only assume that the configuration between the two is somehow different and a required name might be missing from the new certificate.
Hello Jeff,
We have Lync 2013 installed and am using a combination of Snom 300 and Polycom CX700 from an earlier install of OCS 2007R2. My question: I am getting beaten up by users with the same old "I changed my password in Windows and now my phone does not work, I want to change my password in one place nad expect my phone to update"
So, looking at USB tethered phones, such as the CX600…do these allow for automatic update of password changes??? and/or any other ideas would be appreciated??
Regards,
Graham Brewer
Graham, if the AD password is changed the CX phones will still continue to sign-in to Lync as they utilize a client certificate for Lync authentication which is generated after the first successful NTLM authentication. But Exchange integration will be unavailable as that must use the AD username/password for every connection attempt as Exchange does not support the client certificate authentication (TLS-DSK) that Lync provides. Once the password is changed it can only be changed on the phone by having the user sign out and back in again to refresh the credentials.
Thankyou for clearing this up.
Regards,
Graham
Hi Jeff,
We have Lync 2013 with Edge and my CX600 phones are unable to sign-in externally when using the "better together" USB connection. The phones just go back to the "Sign-in Error" screen" I just have a generic network setup externally with no DHCP options specified (other than gateway & DNS).
The CX600s are running firmware version 4.0.7577.4066 which I know is a few versions old. I'm hoping this is the issue and I can update the phones by connecting them directly to the network with Lync. Other Lync clients are able to connect automatically (Lync client 2013, Mobility client, etc), it's just the phone that's not working. I thought about running a capture of the network traffic to see what's going on but was also wondering what logs I might review on the server itself. Your thoughts and suggestions are greatly appreciated.
Thanks!
Jody
Jody, are you using a DigiCert-issued certificate on your Edge external services by chance?
Hi Jeff
I have the same problem and yes to Digicert edge certificate that has recently been renewed. I have followed the instructions to add the thumbprint into the web service and made digicert root certicate is all both front ends and directors but still i get the "cannot download the certificate because domain is not accessible"
Help!
That process is only applicable for internal devices as external device do not automatically download any root certificates. The Edge server certificate must be trusted by the device beforehand. DigiCert has recently changed their signing CAs to use a different chain which utilizes a new DigiCert Root CA, as opposed to the older certificates which were actually signed by an Entrust Root CA. Lync Phone Edition trusts that Entrust server by default but not the new DigiCert server. Until Microsoft releases a Cumulative Update containing the new DigiCert root CA certificates you'll need to use a different certificate on your external services. Contact Digicert and they can re-issue your certificate from the old CA chain (the recommended method). An alternative (and not ideal) is to dig up the old DigiCert Tool and 'fix' the server. This is not recommended because you'll actually be reverting the server configuration to use an older, expiring chain which may impact other things, but will resolve the LPE issues (temporarily).
Hi, i have the same issue as Jody and am new to this post, i also am using Digicert certificates on my Edge and have been trying to fault find this with no progress….. What is this i hear about digicert not working? how long ago did this stop working? is there a work around?
i am very much in need of getting the CX600 phones working externally…… cheers
I've already explained the two available workarounds in my previous reply to Jody.
Have you ever tried a Lync phone edition device with a contact based user? Ie an external Forrest AD which uses contacts to describe how to use the external trust?
I have a CX3000 device that is only able to login with users from the forrest that he lync server is part of. It mentions that it cannot locate the domain controller on the screen when attempting to login as the contact user. It is connected via the usb link and I have attempted to login using the upn name and [FQDN domain name]USER
Cheers
Hi Jeff,
The router option you describe in the beginning of this article which has to be set, can you tell which one that is?
Regards
Lars
That was just a reference to the Default Gateway IP address that any DHCP server should be passing out to clients.
Can I configure my Polycom Cx600 and CX3000 Phones from external network by using extension and PIN ? I have a DHCP server in the external network. How should I create the DHCP options for supporting PIN authentication. I can configure the Phone from external network by using USB cable.
You cannot use PIN Authentication externally. Even if you attempted to setup DHCP Options 43 and 120 on a remote DHCP server in that external network you must have direct connectivity to the Front End pool, this does not work through an Edge Server. USB pairing is the only possible provisioning method for external Lync Phone Edition devices..
Hi Jeff,
I have been working with CX3000, CX600 and CX700 without any issue till I added a new sip domain. The phones work perfectly with the primary domain which is also the AD domain. The desktop client works well with the new sip domain but when USB teethering the phone stucks at "connecting to lync server". Your help is needed desperately.
Thanks,
Shoaib
Most likely you are either missing the proper SRV/A records for Automatic DNS Lookup for the new SIP domain or you have a domain name mismatch in the new records (e.g. pointing SRV record for newdomain.com to the A record of pool.olddomain.com). See this article for more details on the second scenatio: http://blog.schertz.name/2013/08/lync-phone-editi…
Thanks Jeff, It looks like in multi-tenant environment the SRV have to point to the primary SIP domain and not the new domain A record. That made my Polycom CX phone work.
Once again thanks for the help.
The SRV record for the SIP domain must point to an A record in the same domain as the SRV record, as discussed in my article I linked it. It doesn't matter which domain you use as long as they are the same between the SRV and A. This would mean that for multi-tenant environments you need to have a a pair of SRV (…domain1.com) and A records (sip.domain1.com) record for every supported SIP domain defined in DNS and the A record included in the certificate. This is one of the reasons that Microsoft does not officially support Lync Phone Edition devices with Lync Holster Pack for any other multi-tenant environment (outside of Office 365).
Hi Jeff,
Your blog is always very helpful. I really appreciate the efforts you are putting to help the community.
is it possible to disable "Switch user" option on CX3000 conf phone as we are using them externally with ‘better together’.
Thanks
No, you cannot disable the sign-out menu option on LPE devices.
Thanks Jeff, i take it is not possible either in-band OR out-of-band Provisioning?
There is no 'out-of-band' provisioning model for LPE devices; they get their entire configuration from the Lync Server during registration.
Thanks you
Hi Jeff,
I’ve been using a VVX500 at home but want to trial the CX600 before potentially deploying one or the other to a bunch of homeworkers. (I’ve been doing this as a novice, and don’t work for my corporation’s IT Dept.)
I am using a Macbook and cannot get the USB setup menu to run on the CX600. Does this only work on a PC? Is there a workaround?
Also, should I expect calendar integration to be possible purely by using Exchange credentials or is it likely the phone will need a certificate? I have everything working on the VVX500 EXCEPT the calendar. It’s a nicer phone than the CX600 but I’d take the latter if I can dial into Lync Conferences directly from a reminder on the phone.
Thanks. Andy
Andy, the USB tethering feature of Lync Phone Edition devices like the CX600 is only supported on the Windows Lync clients. Microsoft does not support USB tethering of any Lync IP Phones with the Mac client (only the CX300 is supported but that is not an IP phone). I suggest you contact your Polycom sales representative for more details on the VVX500 before making a decision as I believe you will be happier with the VVX in the long-run.
I bought this to upgrade from my 300. I work from home. How do I get this phone to work?? If I plug it into my home router, it will never see the corp network. Why can’t ALL of this be done via USB?
External phones require the Lync Edge Server Lync was not designed for VPN-based connectivity for external clients. I suggest you contact your IT department to verify that they have deployed Lync to support external clients and IP phones.
this process is not working for me.. actually i m doing all as per the process, but after accepting the certificate by phone it goes to the lync server for sign in and revert back with the error :- can not sign in because user name and password is not corrert. i m using cx 600 polycom. and getting power from Ethernet. i thing somthing is blocking from enternet (Domain) or else. any port number is blocking.
immediate help would be appricated. plz help.
thanks
vijay
If there is an old firmware version on the phone it may be using an expired third party root certificate. Check my more recent articles on this topic.
We are having an issue with address book for aastra 6721ip and CX600. These are external users so when they try to search by name or externsion they receive “unable to access server please try again later” have you seen this before.
Rick, did you figure this out? I’m in a hosted environment, new Skype4B install and my phones are getting this intermittently.
Hi Jeff,
I am deploying CX phones from internet, tested some CX series in my home internet everything works fine, But when I tried from my internet based office, its ending with a Sign in error. While prompting for username password Tried DOMAINusername, domain.comusername, username@domain.com but nothing works. Please help with your suggestions.
Thanks,
Reji
Might be certificate related but I can’t say what might be causing you issues. I suggest you read through the troubleshooting article: http://blog.schertz.name/2012/03/troubleshooting-lync-phone-edition-issues/
Hi jeff
We have a Lync 2013 server deployment and use CX600 LPE. There is no internal network and users connect to wifi, or VPN when in the office, thus the phones are externally provisioned. I cannot get the firmware to update nor can we use address book look up on the phones – any ideas?
Both of those features are delivered by the Reverse Proxy server so make sure that you have one properly deployed for external clients. The phone will pickup updates externally via HTTPS connections through the reverse proxy.
Hi Jeff,
I am deploying the HP 4110 and HP 4120 phones internally.
We wanted 250 of the HP 4110, to setup using PIN code authentication, because AD passwords expire on a schedule and users complain.
We tried and could not get the 4110 anymore. HP and Snom had a falling out it would seem.
So we ended up having to get 107 of the 4120 phones.
The problem i have is we are not using USB tether to authenticate, so all the phones show the exclamation point where the Menu button usually is.
Is there a way to turn off the exclamation icon related to the notification about limited exchange integration?
Or
Is there a location to download a previous version of the HP 4120 firmware?
4.0.7577.4633 the December 2012 CU does not show the exclamation.
All other CU do.
Lastly, that exclamation icon covers up the menu button, which is where the in call options are.
Correction
4.0.7577.4366 is the version that does not show the exclamation icon.
Tested all releases after 4420 and they show the icon.
Hoping someone has a copy of the UCupdates file from December 2012 CU for HP 4120.
Thanks,
Shane
Can I plug an external speaker in order to use it for conference room to the usb port?
No.