Sunday, August 16, 2015

Configuring Reverse Proxy for Lync 2010 Server


A reverse proxy is a requirement for external access to Lync 2010 Server. Using a reverse proxy has several benefits: Lync 2010 users can access the Lync Web App, meeting content, the address book, and so on.
Security is the main reason for setting up a reverse proxy rule for external access in a Lync 2010 environment.

Lync 2010 has two sets of URLs: the simple URLs (the meeting URL and the dial-in conferencing URL) and the external web service URL (address book and meeting content download). Let's take a look at those URLs.

Simple URLs

meet.uc-tech.com - Used for accessing the Lync Web App for web conferencing.
dialin.uc-tech.com - Used for accessing the portal that lists the dial-in conferencing numbers and lets individual users reset their PIN.

External web service URLs

feext.uc-tech.com - Used by Lync clients for downloading meeting content and the address book.

DNS requirements

The DNS requirement is very simple. We need to create a host 'A' record for each of the URLs above, resolving to the public IP address of the following 


All of the above URLs resolve to the same public IP address.

Certificate requirements

The certificate should be a public certificate or one issued by a Windows Enterprise Certificate Authority. The new certificate should have SAN entries for all the URLs mentioned above.
If the certificate is issued by a Windows Enterprise CA, then we must install the CA's root certificate on all the servers and clients.

Network Configuration

To configure the reverse proxy on TMG, we need two network adapters. They are configured with the following settings.

Internal NIC configuration

IP Address:   
Subnet Mask:
Default gateway:     None

External NIC configuration

IP Address:    
Subnet mask: 
Default gateway:

Reverse Proxy Configuration

To configure the reverse proxy for Lync 2010 Server we need a Microsoft Forefront TMG 2010 server. Installation of Forefront TMG is not in the scope of this article; I will cover that in a different post.

After installing Microsoft Forefront TMG 2010 for Lync 2010 Server, create a new Firewall Policy > Web Site Publishing Rule.

Select "Web Site Publishing Rule"

Give a name to the new rule and click Next.

New Web Publishing Rule wizard

Select 'Allow' for "Select a Rule Action". Then click 'Next'.

Select a Rule action

The next option is to select the 'Publishing Type'. In this example, we will select the 'publish a single web site or load balancer' option.

Choose a 'Publishing Type' 

The reverse proxy connects to the web server over HTTPS (SSL) with the help of a certificate. Select 'Use SSL to connect to Web server or server farm'. The connection will use port 443 for SSL.

Server Connectivity Security options

The next window is 'Internal publishing details', where we enter the next hop of Microsoft Forefront TMG, which is the Lync 2010 Front End pool name. In my lab setup, I have deployed a Lync 2010 Standard Edition server. Hence, the pool name is the same as my Front End server FQDN.

Under 'Computer name or IP address', enter the IP address or name of the Front End server.

Internal publishing details

Under 'Path (optional)', enter /*, which means that any virtual directory under the specified web site can be reached through the rule.
Also, select the 'Forward the original host header....' option and click 'Next'.

Path (optional) and forward host header value

Under 'Public Name', type meet.uc-tech.com. This is just one of the public names; the others are added later.
Click 'Next' to create a new 'Listener' for the web publishing rule.

Enter the public name for the rule

Create a new Web Listener

Add a new web listener

Give a name to the web listener. For client connectivity, select 'Require SSL secured connections with clients', which means the listener accepts connections on port 443.

Client connectivity security

The listening IP address of the web listener is the address assigned to the external network adapter of the Microsoft Forefront TMG server. The internal network adapter is configured for the internal network, which should be the same network as the Front End server, so that TMG can communicate with the Front End server.

Listening IP address

On the next window, select the certificate that you created for the TMG server. The certificate should have the required SAN entries. Then click 'Next'.

SAN Certificate Selection 

Change the authentication settings to 'No Authentication', because in most cases the Lync listener on the TMG server does not need any authentication.

Select 'No Authentication'

Similarly, authentication delegation is set to 'No Delegation, client cannot authenticate directly' by default. This option should be changed to "No Delegation, Client may authenticate directly".

Authentication Delegation settings

Open the properties of the web publishing rule and verify that the entries are correct. The 'To' tab shows the Front End server name.

Web publishing rule property

The 'Listener' tab shows the information related to 'Listener'.

Listener Property

The 'Public Name' tab of the web publishing rule shows only one entry initially. Enter all the other URLs for the reverse proxy here. Any name that is not in the certificate should not be included in this tab.

Public Names of the Web publishing rule

Select the 'Bridging' tab and make sure that 'Redirect requests to SSL port' is selected and port 4443 is configured.
Now, when a client connects to the listener on port 443, the reverse proxy bridges the request to port 4443 on the Front End and also rewrites the request URL from the external name to the internal Front End name.
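As an added illustration (not from the original post, and not TMG's own code), here is a small Python model of the web publishing rule built above. It serves two passages: the certificate requirement (every URL needs a SAN entry, and a missing one is the common mistake noted at the end of the post) and the 'Public Name' and 'Bridging' settings. It checks that each public name in the rule is covered by a SAN entry in the listener certificate, handling wildcard entries correctly, and shows how a client request on port 443 is bridged to port 4443 on the Front End with the original Host header forwarded. The Front End FQDN fe01.uc-tech.com and the SAN lists are constructed sample values.

```python
"""Model of a TMG web publishing rule for Lync 2010 (constructed example).

Two checks a practitioner wants before trusting the rule: that every
public name is covered by a SAN entry in the listener certificate, and
that a client request on port 443 is bridged to port 4443 on the Front
End with the original Host header preserved.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def san_matches(san: str, name: str) -> bool:
    """Return True if one SAN entry covers a host name.

    Matching is case-insensitive. A wildcard entry such as *.uc-tech.com
    covers exactly one label (meet.uc-tech.com) but not the bare domain
    (uc-tech.com) or a deeper name (a.meet.uc-tech.com).
    """
    san, name = san.lower(), name.lower()
    if not san.startswith("*."):
        return san == name
    suffix = san[1:]                      # ".uc-tech.com"
    if not name.endswith(suffix):
        return False
    leading = name[: -len(suffix)]        # the label the '*' stands for
    return leading != "" and "." not in leading


def uncovered_public_names(public_names: List[str], san_entries: List[str]) -> List[str]:
    """Public names that no SAN entry covers (the mistake called out at the end of the post)."""
    return [n for n in public_names
            if not any(san_matches(s, n) for s in san_entries)]


@dataclass
class WebPublishingRule:
    """The wizard settings that matter for routing a request."""
    public_names: List[str]               # 'Public Name' tab
    internal_server: str                  # 'To' tab: Front End pool / server FQDN
    listener_port: int = 443              # 'Require SSL secured connections with clients'
    bridge_port: int = 4443               # Bridging tab: 'Redirect requests to SSL port'
    forward_original_host: bool = True    # 'Forward the original host header'
    path: str = "/*"                      # 'Path (optional)'

    def path_allowed(self, request_path: str) -> bool:
        """'/*' publishes every virtual directory; anything else is an exact match."""
        if self.path.endswith("/*"):
            return request_path.startswith(self.path[:-1])
        return request_path == self.path

    def forward(self, host: str, port: int, request_path: str) -> Optional[Dict[str, object]]:
        """Translate a client request into the request TMG sends to the Front End.

        Returns None when the rule does not match (wrong port, unpublished
        name, or a path outside the published one), i.e. a denied request.
        """
        if port != self.listener_port:
            return None
        if host.lower() not in (n.lower() for n in self.public_names):
            return None
        if not self.path_allowed(request_path):
            return None
        return {
            "scheme": "https",
            "server": self.internal_server,
            "port": self.bridge_port,
            "path": request_path,
            # With the host header forwarded, the Front End still sees the
            # external name, which is what the simple URLs rely on.
            "host_header": host if self.forward_original_host else self.internal_server,
        }


def validate_rule(rule: WebPublishingRule, san_entries: List[str]) -> List[str]:
    """Return human-readable problems with the rule; empty when it is consistent."""
    problems = []
    for name in uncovered_public_names(rule.public_names, san_entries):
        problems.append(f"public name {name} has no SAN entry in the listener certificate")
    if rule.listener_port != 443 or rule.bridge_port != 4443:
        problems.append("listener/bridging ports should be 443 externally and 4443 to the Front End")
    if not rule.forward_original_host:
        problems.append("'Forward the original host header' is not selected")
    return problems


# Constructed sample data: the names from this post plus a hypothetical
# Front End FQDN; the second certificate is missing the dial-in name.
PUBLIC_NAMES = ["meet.uc-tech.com", "dialin.uc-tech.com", "feext.uc-tech.com"]
FRONT_END = "fe01.uc-tech.com"   # hypothetical
GOOD_CERT_SANS = ["feext.uc-tech.com", "meet.uc-tech.com", "dialin.uc-tech.com"]
BAD_CERT_SANS = ["feext.uc-tech.com", "meet.uc-tech.com"]

RULE = WebPublishingRule(public_names=PUBLIC_NAMES, internal_server=FRONT_END)

if __name__ == "__main__":
    print("good cert:", validate_rule(RULE, GOOD_CERT_SANS) or "ok")
    print("bad cert: ", validate_rule(RULE, BAD_CERT_SANS))
    print("forwarded:", RULE.forward("meet.uc-tech.com", 443, "/join"))
    print("unknown:  ", RULE.forward("other.uc-tech.com", 443, "/"))
```

Running it with the second certificate reports that dialin.uc-tech.com has no SAN entry, which is exactly the configuration error that produces certificate warnings for external users. The wildcard handling matters in practice: a single-label wildcard certificate covers the three names used in this post, but it would not cover a name with an extra label.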


Reverse proxy is supported by many firewalls other than Microsoft Forefront TMG 2010. It is a more secure way of protecting Lync 2010 Front End connectivity than port forwarding. The main difficulty with a reverse proxy is getting the certificate right: a very common configuration mistake is a missing certificate entry for one of the external URLs listed in the web publishing rule.

My next post will be about changing the MusicOnHoldAudioFile in the Lync 2010 client.
