Troubleshooting Lync phone edition is one of the harder aspects of Lync deployment engineering. One significant hurdle to overcome is the inability to directly capture network traffic on a Lync phone edition device.
Remember, you can always ask the closest network engineer to SPAN the traffic for you, but in some situations that individual may not be available, or the process may take an extended amount of time. This process gives an alternative way to directly capture network traffic.
What you’ll need:
* a Network TAP device. This provides the SPAN functionality to any network device. In this scenarios I’m using the Dualcomm DCSW-1005PT. I prefer this device as it’s cheap (under $100) and provides POE passthrough, perfect for Lync Phone Edition devices. It’s also usb powered so no power adapter is needed.
* Network sniffing software (Network Monitor 3.4 or Wireshark are popular)
* An Ethernet card (yes, seems obvious but just in case you have a laptop or tablet without an Ethernet NIC, you’ll need an adapter)
* Network Monitor Lync Parsers, for parsing Lync application-specific traffic
* Certificates of Lync servers (with private keys) – these allow for decryption of TLS and SSL traffic, aiding in the troubleshooting process
Let’s get started.
1. First, you’ll need to plug the devices into the right places. I’m using the dualcomm TAP, which is pretty straightforward.
A. Plug port 1 into the network uplink or POE injector (the port the phone was originally plugged into.
B. Plug port 2 into the phone (labeled “LAN” on the phone port)
C. Plug this into the PC used to monitor the traffic
2. Configure the Network card
A. Deselect all protocols except the “Microsoft Network Monitor 3 Driver” on the NIC used for capturing traffic.
This is necessary for the Dualcomm TAP as it acts as a port mirror AND a switch. The captures can be messy to analyze without disabling the additional protocols.
2. Configure network monitoring software
A. Start Network Monitor and select the appropriate network adapter.
NOTE: If no network cards are available, make sure you run Network Monitor “As Administrator.”
B. Select “P-Mode” for the adapter. This enables promiscuous mode, which is necessary because all protocols were disabled on the network card.
C. Start a “New Capture.” Click “Start.”
At this point all network traffic to and from the phone will be captured. If the phone is getting an IP address, add a filter to only show traffic to an from the phone using the “ipv4.Address==X.X.X.X” display filter in Network Monitor.
In the case above, we see the phone communicating with Exchange Web Services (EWS) and the Lync AV Edge server. In the next section I’ll cover analyzing Lync traffic with Network Monitor Parsers, as well as decrypting the SSL and TLS traffic being sent.