Tuesday, February 12, 2013

Lync 2013 Reverse Proxy Configuration using IIS/ARR


In previous versions of Lync, Forefront Threat Management Gateway (TMG) was the Microsoft recommended and documented way of implementing the reverse proxy for Lync. Starting with Lync 2013, TMG can no longer be licensed for use. The alternative appears to be IIS with Application Request Routing (ARR) to handle the reverse proxy.

The following directions outline how to configure and enable IIS/ARR on a Windows Server 2012 (GUI) Standard Edition server. *Please note that we currently had to use the GUI installation because the Web Platform Installer is required, and it is not supported on a Server 2012 (Core) configuration. We tried to install the components manually, but something in the Web Farm Framework 1.1 does not get added correctly.

The reverse proxy is required for mobile device connectivity, meeting presentations to external contacts, and dial-in users.

Machine and Environment Specifications/Settings

  • Server 2012 Standard (GUI)
  • 2 NICs: 1 external DMZ, 1 internal DMZ
    • The default gateway should be on the external NIC. If you use Office Web Apps servers to present PowerPoint slides, the external NIC needs 2 IP addresses in the external subnet. In our example we use the following:
      • x.x.36.84/32 will redirect to the Lync Front End Pool
      • x.x.36.88/32 will redirect to the Office Web Apps Server
    • The internal DMZ NIC needs a single address with no default gateway. Instead, manually add persistent routes to every internal network it must reach, using a command similar to the following:
      • route -p ADD 192.168.0.0 MASK 255.255.0.0 (internal DMZ gateway IP) IF (interface number)
  • Add the following example DNS entries to external DNS (if using split-brain DNS), based on the naming convention you chose and purchased certificates for:
    • dialin.company.com A record = x.x.36.84
    • meet.company.com A record = x.x.36.84
    • lyncdiscover.company.com A record = x.x.36.84
    • lyncwebext.company.com A record = x.x.36.84
    • lyncwebapps.company.com A record = x.x.36.88
  • Add all the same DNS records from above to internal DNS as follows:
    • If the record pointed to x.x.36.84, point it instead to a CNAME of the FQDN of your Lync Front End pool. For example, dialin.company.com CNAME record = lyncfepool1.local.company.com
    • lyncwebapps.company.com A record = (Lync Web Apps server FQDN) lyncwebapps.local.company.com
  • Install certificates that include all used DNS Subject Alternative Names. To save on costs we used the same certificate as on the Lync Edge server and included all SANs in it.
  • Configure firewall rules according to Diagram 1.
  Diagram 1 (firewall rules; image not included)

Installation and Configuration

  1. Open Server Manager > Dashboard.
  2. Choose Add roles and features > select your server > add the Web Server (IIS) role.
  3. Open IIS Manager from the search box or the Tools dropdown.
  4. Open the Microsoft Web Platform Installer, or install it first if needed. (You may have to temporarily turn off the enhanced security configuration and change the trust zone of *.microsoft.com.)
  5. Search for ARR.
  6. Choose "Application Request Routing 2.5 with KB2589179."
  7. This also installs several dependent items, shown in the list of items to be installed, including the following:
    1. IIS URL Rewrite Module 2
    2. Microsoft Application Request Routing 2.5
    3. Microsoft External Cache Version 1 for IIS 7
    4. Microsoft Web Farm Framework
  8. After installation, re-open IIS Manager. You should now see a "Server Farms" node under the server connection, as shown in Image 2.
    Image 2 (Server Farms node in IIS Manager; image not included)
    1. Create one empty folder to use as the physical path for the new websites, for example "C:\inetpub\wwwroot\lync".
    2. Create 2 new websites: one for Front End Pool services and one for Web Apps. Choose the folder created in the previous step as the physical path. Bind both sites to HTTPS using the certificate containing the SANs. Change the IP address from "All Unassigned" to the address the site will proxy, per the configuration above. For example, the LyncWebExt site is mapped to x.x.36.84. Leave the host name blank.
    3. Go to Server Farms and choose Create Server Farm.
    4. Create the LyncWebApps farm by giving it a name.
    5. At the Add Server screen, add the full DNS name of the Office Web Apps server. *Note: this should match what you have in Lync Topology Builder. In Topology Builder we used lyncwebapps.company.com instead of the FQDN (lyncwebapps.private.domain.com); ensure internal DNS is configured to reflect that.
      1. After you add the address you can expand Advanced Settings and then applicationRequestRouting. Leave these settings at the defaults of 80 and 443 here.
      2. Click Finish.
      3. Choose Yes to create the URL Rewrite rule.
    6. Open the Routing Rules feature under the farm you just created.
      1. Ensure both "Use URL Rewrite to inspect incoming requests" and "Enable SSL offloading" are checked.
      2. On the right, under Advanced Routing, choose URL Rewrite.
      3. Modify the pattern of the rule to match m/*.
      4. Change the scheme to https://.
      5. Check "Stop processing of subsequent rules".
      6. Create a new rule and repeat the options above, except have it match the pattern p/*. This allows PowerPoint presentations to work.
    7. Create a new LyncWebExt farm and point it to your Lync Front End pool FQDN.
      1. After you add the address you can expand Advanced Settings and then applicationRequestRouting. Change port 80 to 8080 and port 443 to 4443.
      2. Click Finish.
      3. Choose Yes to have the rule created.
      4. Go to Routing Rules > Advanced Routing > URL Rewrite.
      5. Change the scheme to https://.
      6. When finished, your URL Rewrite rule should look like Image 3.
      Image 3 (finished URL Rewrite rule; image not included)
      7. Optional: for some additional security you can add a blank default HTML page to the default website.
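The site, farm and rewrite steps above, scripted as an added example (this is not code from the original post). It assumes the WebAdministration module on the ARR server and ARR's applicationHost.config schema (webFarms and system.webServer/rewrite/globalRules); the folder, addresses, names and certificate thumbprint are placeholders taken from the post's naming convention.

```powershell
# Added example (not from the original post): scripts steps 8.1-8.7 with
# the WebAdministration module. Run elevated on the ARR server; all
# names, addresses and the thumbprint are placeholders from the post.
Import-Module WebAdministration
$root      = 'C:\inetpub\wwwroot\lync'        # empty folder, step 8.1
$thumb     = 'THUMBPRINT_OF_SAN_CERT'         # placeholder, cert in LocalMachine\My
$extIp     = 'x.x.36.84'                      # proxied to the Front End pool
$webAppsIp = 'x.x.36.88'                      # proxied to Office Web Apps
$fePool    = 'lyncfepool1.local.company.com'  # Front End pool FQDN
$owas      = 'lyncwebapps.company.com'        # must match Topology Builder
$apphost   = 'MACHINE/WEBROOT/APPHOST'        # applicationHost.config

New-Item -ItemType Directory -Path $root -Force | Out-Null
$cert = Get-Item "Cert:\LocalMachine\My\$thumb"

# Step 8.2: one HTTPS-only site per external address, no host header,
# with the SAN certificate attached to the IP:443 binding.
foreach ($s in @(@{Name='LyncWebExt'; Ip=$extIp}, @{Name='LyncWebApps'; Ip=$webAppsIp})) {
    New-Website -Name $s.Name -PhysicalPath $root -IPAddress $s.Ip -Port 443 -Ssl | Out-Null
    New-Item -Path "IIS:\SslBindings\$($s.Ip)!443" -Value $cert | Out-Null
}

# Steps 8.3-8.5 and 8.7: a farm with one member and its back-end ports
# (ARR schema: webFarms/webFarm/server/applicationRequestRouting).
function New-ArrFarm($Name, $Address, $HttpPort, $HttpsPort) {
    Add-WebConfigurationProperty -PSPath $apphost -Filter 'webFarms' -Name '.' -Value @{ name = $Name }
    $farm = "webFarms/webFarm[@name='$Name']"
    Add-WebConfigurationProperty -PSPath $apphost -Filter $farm -Name '.' -Value @{ address = $Address; enabled = 'true' }
    $arr = "$farm/server[@address='$Address']/applicationRequestRouting"
    Set-WebConfigurationProperty -PSPath $apphost -Filter $arr -Name httpPort  -Value $HttpPort
    Set-WebConfigurationProperty -PSPath $apphost -Filter $arr -Name httpsPort -Value $HttpsPort
}
New-ArrFarm -Name 'LyncWebApps' -Address $owas   -HttpPort 80   -HttpsPort 443   # 8.5.1 defaults
New-ArrFarm -Name 'LyncWebExt'  -Address $fePool -HttpPort 8080 -HttpsPort 4443  # 8.7.1

# Steps 8.6 and 8.7.4-8.7.5: global rewrite rules that send a wildcard pattern
# to a farm over HTTPS and stop further rules. Rules run top-down: catch-all last.
function New-ArrRule($Name, $Pattern, $Farm) {
    $rules = 'system.webServer/rewrite/globalRules'
    Add-WebConfigurationProperty -PSPath $apphost -Filter $rules -Name '.' `
        -Value @{ name = $Name; patternSyntax = 'Wildcard'; stopProcessing = 'true' }
    $rule = "$rules/rule[@name='$Name']"
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$rule/match"  -Name url  -Value $Pattern
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$rule/action" -Name type -Value 'Rewrite'
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$rule/action" -Name url  -Value "https://$Farm/{R:0}"
}
New-ArrRule -Name 'ARR_LyncWebApps_m' -Pattern 'm/*' -Farm 'LyncWebApps'   # mobile
New-ArrRule -Name 'ARR_LyncWebApps_p' -Pattern 'p/*' -Farm 'LyncWebApps'   # PowerPoint
New-ArrRule -Name 'ARR_LyncWebExt'    -Pattern '*'   -Farm 'LyncWebExt'    # everything else
```

Review the result in IIS Manager (Server Farms and the site-level URL Rewrite view) against Image 3 before opening the firewall rules.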

Troubleshooting/Testing

To troubleshoot the Office Web Apps configuration, try visiting https://lyncwebapps.company.com/hosting/discovery. If successful, you should see XML output. If you are on an internal network, either change your test machine's DNS servers or its hosts file to point to the external interfaces.
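The same check scripted from the test machine, as an added example that is not part of the original post. It assumes the post's placeholder names and addresses (replace them with yours) and that the test machine already resolves those names to the external interfaces.

```powershell
# Added example (not from the original post): run on the test machine after
# pointing its DNS or hosts file at the external interfaces. The names and
# addresses below are the post's placeholders; replace them before running.
$external = @{
    'lyncwebapps.company.com'  = 'x.x.36.88'
    'lyncwebext.company.com'   = 'x.x.36.84'
    'lyncdiscover.company.com' = 'x.x.36.84'
    'meet.company.com'         = 'x.x.36.84'
    'dialin.company.com'       = 'x.x.36.84'
}

# 1. Every published name must resolve to the reverse proxy address. An
#    answer from the internal CNAME means the test is bypassing ARR entirely.
foreach ($name in $external.Keys) {
    $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object IPAddressToString
    if ($ips -contains $external[$name]) { "OK   $name -> $($ips -join ',')" }
    else { Write-Warning "$name -> $($ips -join ',') (expected $($external[$name]); fix DNS/hosts first)" }
}

# 2. Office Web Apps discovery through the proxy must come back as XML.
#    Invoke-WebRequest validates the server certificate, so a name that is
#    missing from the SAN certificate fails here as well.
$url = 'https://lyncwebapps.company.com/hosting/discovery'
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    $xml  = [xml]$resp.Content          # throws if the body is not well-formed XML
    "OK   $url returned <$($xml.DocumentElement.Name)> (HTTP $($resp.StatusCode))"
} catch {
    Write-Warning "$url failed: $($_.Exception.Message)"
}
```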
