We seem to see to encounter a specific connectivity error a lot across a variety of Lync environments. In some instances, users will complain about slow connectivity or no connectivity. The primary symptom is the following event log entry (repeated every 20 minutes or so):
No connectivity with the Lync Web App. Affected Web browser clients cannot use Web Conferencing modality.
Server Machine FQDN: lyncfrontend.yourdomain.com, Port:8061
Server Type: External-WebApp-Edge [HTTP side error:The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]
If the problem persists this event will be logged again after 20 minutes
Cause: Service may be unavailable or Network connectivity may have been compromised.
Never fear, this one is easy to fix!
The Root Issue
The application pool registered to the Lync Server External Web Site\Reach application is set to activate On Demand. This results in an IIS application pool that is not spun up when an external reach request is received resulting in a connectivity fault.
The Solution
Important: The UI based solution only works in IIS8. If you are running IIS7.5, See the “Manually Fix This Issue” below
- Launch Internet Information Services (IIS) Manager on your front-end pool server
- Navigate to Sites –> Lync Server External Web Site –> Reach
- Right click on Reach and select Manage Application –> Advanced Settings
- Note the Application Pool in the advanced settings pop-up
This will be set to LyncExtReach in normal environments - Click on Application Pools and locate the application pool noted in step#4 above
- Right click on the Application Pool and select Advanced Settings
- Change the Start Mode to AlwaysRunning
- Restart IIS
Told you it was easy!
UPDATED 09/2014: How to Manually Fix This Issue
Running IIS7.5? Don’t see the Start Mode in IIS, here is the manual method!
- Edit the following file in the editor of your choice
%windir%\system32\inetsrv\config\applicationHost.config
Important: Make sure you are running your editor as an Administrator! - Search for name=”LyncExtFeature”
Important: You are looking for the <add name=”LyncExtReach” within the <system.applicationHost><applicationPools> section! - Edit the entry to include the startMode attribute (see bold text below)
<add name=”LyncExtReach” autoStart=”true” managedRuntimeVersion=”v4.0″ managedPipelineMode=”Integrated” startMode=”AlwaysRunning”> - Save the file and restart IIS
I have followed your steps but I dont see the start mode option at all.
I am using WS2008 so what would the option be ?
Verify the following:
1) You are on the Lync Front End server
2) You are running an install of Lync 2010 or better
3) You are an administrator on the server
I couldn’t find a value for “start mode” either. Under general options, I see that we have only 6-options and the last one mentioned in your screen shot is missing. Is this screen shot from an enterprise edition FE?
What CU Level?
Felix
The original write-up was targeted for IIS8 / Server 2012 users. Unfortunately, we did a poor job of calling out the IIS8 requirement. We have updated the write-up to include instructions for those users running IIS7.5.
Enjoy!
Just thought I would search for this error again and found this site with the added information on how to manually solve it. SO far It is holding up. Thanks.
Hello,
The error came back on Friday. So after 24hours it re-occurred. I tend to agree that the error is based on the certificate used not being a SAN cert. I have both internal & external URL & and I am using a CA and the certificate used is one I created using the Internal certificate from the ( Internal Web URL ) I added the new servers to it webapps.local and webapps.domain.com to it) everything works but for the annonying error.
Great write up exactly what i was looking for. One note you may want to include is Recycling the app pool. I followed the instructions above and it wouldn’t work after an iis reset until i recycled the app pool. Keep up the good work.
i cant find the option through GUI and Manual edit also, am using windows 2012, but i cant find the option can help.
below is the is the config.
Anantha, I have got the same problem, but you have to find out first what is exact name of your reach application, go on first to IIS manager and you will find it there, when you open advance settings of reach app and the very first row is the name of your reach app.