UCWA - Fiddler and Firefox

Using Fiddler2 to decrypt HTTPS traffic helps in determining what responses are received from various requests. One thing I have noticed while debugging in Firefox with Fiddler2 active is that the initial Autodiscovery fails (trace) rather rapidly, and all I can see in the trace is a CONNECT request to http://lyncdiscover.domain.com:443.

First off, it is good to verify that Fiddler2 is set up to decrypt HTTPS traffic, but not to "Ignore server certificate errors", as seen below:

Fiddler2 acts as a man in the middle of the HTTPS conversation and presents the decrypted response; it achieves this by installing a root certificate. I've noticed most browsers do not have a security problem with Fiddler2's root certificate, with the exception of Firefox.

To fix up Autodiscovery, it is possible that two security exceptions will need to be added, depending on the Lync Server configuration. To achieve this in Firefox, navigate to Tools -> Options -> Advanced -> Encryption tab -> View Certificates -> Servers tab and choose Add Exception.

Depending on the Lync Server configuration, Autodiscovery may expose an internal location (lyncdiscoverinternal.domain.com) and/or an external location (lyncdiscover.domain.com). Test both addresses to see which exist and add the appropriate exception. Each exception will be stored under DO_NOT_TRUST (the Fiddler2 certificate) as shown below for gotuc.net:

At this point it is possible to re-test Autodiscovery and track how far Firefox can get before the next hurdle. The hurdle (trace) in the case of gotuc.net is that Autodiscovery changes domain from lyncdiscover.gotuc.net to ocsrp.gotuc.net. This can be seen by viewing a Fiddler2 trace after Autodiscovery and finding the CONNECT request against http://ocsrp.gotuc.net:443. Adding another exception for this domain should enable Firefox and Fiddler2 to play nice while debugging network traffic.

This process can be repeated for any domains where you plan on testing UCWA with Firefox and Fiddler2. It should be noted that the Autodiscovery process should be similar on each Lync Server 2013 system (with CU1), but the domain returned by Autodiscovery can vary due to Lync Server configurations. In the case of gotuc.net it is http://ocsrp.gotuc.net, whereas a few other domains I have poked at have varied from http://lync.domain.com to http://lync2k13.domain.com (so no hard-coding links...).
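Because the host that Autodiscovery hands off to varies per deployment, the exception list can be derived from the Autodiscovery response instead of guessed. The following is an added example, not code from the original post: it assumes the response is JSON with a `_links` object whose entries carry an `href`, and the function names, sample body and URL paths are constructed for illustration.

```javascript
// Added example: work out which hosts need a Firefox certificate exception
// for one Autodiscovery run, so exceptions stay limited to those hosts.
// Assumption: the response body is JSON with "_links": { name: { href } }.

// The two discovery names the post says to try for a domain.
function discoveryCandidates(domain) {
  return [`lyncdiscoverinternal.${domain}`, `lyncdiscover.${domain}`];
}

// Collect the distinct HTTPS hosts referenced by the response's links.
function hostsFromAutodiscover(body) {
  const doc = typeof body === "string" ? JSON.parse(body) : body;
  const hosts = new Set();
  for (const link of Object.values(doc._links || {})) {
    if (!link || typeof link.href !== "string") continue;
    let url;
    try { url = new URL(link.href); } catch { continue; } // skip relative or garbled hrefs
    if (url.protocol === "https:") hosts.add(url.hostname.toLowerCase());
  }
  return [...hosts];
}

// Hosts still lacking an exception, given the ones already added in Firefox.
function missingExceptions(discoveryHost, body, alreadyAdded = []) {
  const added = new Set(alreadyAdded.map((h) => h.toLowerCase()));
  const needed = new Set([discoveryHost.toLowerCase(), ...hostsFromAutodiscover(body)]);
  return [...needed].filter((h) => !added.has(h)).sort();
}

// Constructed sample modelled on the gotuc.net hand-off described above.
const sampleResponse = JSON.stringify({
  _links: {
    self: { href: "https://ocsrp.gotuc.net/Autodiscover/AutodiscoverService.svc/root" },
    user: { href: "https://ocsrp.gotuc.net/Autodiscover/AutodiscoverService.svc/root/oauth/user" },
    xframe: { href: "https://ocsrp.gotuc.net/Autodiscover/XFrame/XFrame.html" },
    broken: { href: "/relative/path" }, // ignored: no host to trust
  },
});

console.log(discoveryCandidates("gotuc.net"));
console.log(missingExceptions("lyncdiscover.gotuc.net", sampleResponse,
  ["lyncdiscover.gotuc.net"]));
```

Any host the function reports is one whose CONNECT request will fail in Firefox until its exception is added.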

Happy Debugging...