Lync Desktop Sharing Issue and the Web Security/Proxy Service
Having troubleshot numerous Lync media-related issues, I can testify that the culprit is usually the firewall blocking the required ports used by Lync media. However, I recently helped one of my customers troubleshoot a Lync desktop sharing issue that was found to be caused by something other than the firewall, a Web Security/Proxy service. The issue was reported by a number of users complaining that they weren't able to join Lync meetings hosted by other organizations and even when they were able to join the meetings, they weren't able to view the presenter's desktop being shared in the meeting. I was able to consistently reproduce the issue by joining a Microsoft-hosted Lync meeting from the customer location. The following error message pops up when the presenter shares his or her desktop:
When the users are participating in a Lync meeting hosted by external contacts, they are unable to view shared desktop. All other features including AV, PowerPoint presentation, IM and white boarding appear to be working.
In the testing scenario, I tried to join a Lync meeting hosted by Microsoft from the customer location. The following is a screenshot from the network capture performed on one of the client machines having the desktop sharing issue:
From the network capture, we saw the client successfully completing the TCP handshake with the AV Edge server. Once the TCP connection was made, the client tried to initiate a SSL/TLS handshake and the server responded with two separate packets.
Looking closely at the server's response, it was missing the server certificate (public key) and the server hello done message. Oddly there was a separate response from the server containing the certificate and the server hello done message. As referenced in this TechNet article, the response from the server should have included Server Hello, Server Certificate and Server Hello Done in the same packet.
The following network capture demonstrates what the server response should contain: Server Hello, Certificate and Server Hello Done.
When I examined the certificate that was included in the server's second response, it was not the certificate of Microsoft AV Edge server. Instead, the certificate passed to the client was issued by the Web Security/Proxy server. This proved that the TLS connection between the client and the AV Edge server was being examined and proxied by the Web Security/Proxy service. The Web Security/Proxy service (in this case, it was Websense) was intercepting the SSL/TLS connection from the client. For web browsing, this will not be a problem, but relaying Lync media traffic through the proxied connection caused the issue with viewing shared desktop.
Another way to test this theory is to enter the IP address of the AV Edge on a browser. Instead of getting page not found error, I got an error message from Websense indicating that the SSL/TLS connection could not be completed.
Once we added the IP addresses of the AV Edge servers in the Websense's SSL bypass list, the desktop sharing feature started to work immediately. When my customer contacted Websense support, they were well-aware of the issue and advised the customer to upgrade to Websense version 7.8.
Note: Most Web Security/Proxy products allow you to add the domain name (instead of IP address) to the bypass list.
The lesson learned from working on this issue was that even if you have all the necessary ports opened at the firewall, some of the Lync features may be affected by Web Security/Proxy products.