End of Life Products and Features - Configuring the Reverse Proxy Server for Express for Lync 2.0
Overview
A reverse proxy server is a required component of Express for Lync if you plan to deploy external access to the Lync environment. It provides access to the following Lync components:
Lync Server mobility
Lync meetings
Lync Dial-in conferencing information
Office web apps
Without a reverse proxy server, Lync mobility WILL NOT function, and all other components will only function from within the LAN. It is important to note that, like the Lync Edge Server, the reverse proxy server MUST NOT be a domain-joined computer. This protects the Active Directory (AD) domain from any unwanted activity or access.
You require two SSL certificates for the operation of the Reverse Proxy Server:
An internal Active Directory generated certificate, which was covered while setting up Active Directory Certificate Services
An external SSL Unified Communications certificate, which can be purchased online from various certificate authorities
The external certificate authenticates the reverse proxy server to requests arriving from the Internet, and the internal certificate is used for the request the reverse proxy server forwards to the internal web services after it modifies the initial web request.
The reverse proxy role is configured using Internet Information Services Application Request Routing (IIS ARR). Several methods exist for creating a reverse proxy server. The most prominent was Microsoft Forefront Threat Management Gateway (TMG); however, Microsoft has since discontinued that product.
The Reverse Proxy server MUST sit in a Demilitarized Zone (DMZ) of the network, with a persistent static route to the internal network.
Activate the Reverse Proxy Server
In order to begin using the Reverse Proxy role you must turn on the Reverse Proxy virtual machine. Follow the steps below to gain access to the server.
Launch the Hyper-V Manager from the Windows Start Screen.
In the Windows Hyper-V Manager window, select the Virtual Machine labelled "LyncReverseProxy". Right click on it, and select "Settings...".
In the settings window, you will notice the configuration options on the left-hand side. Scroll down to "Automatic Start Action" and select "Always start this virtual machine automatically". This will always start the virtual machine when the Express for Lync appliance boots up. Click OK to accept the changes.
Double click on the virtual machine labelled "LyncReverseProxy" to launch the Remote Terminal Window. Click on the start button to start the virtual machine. The start button is the Green icon at the top of the virtual machine connection window.
Setup Networking for the Lync Reverse Proxy Server
At the virtual machine welcome screen, go to the Action menu and click on the menu item "Ctrl+Alt+Delete" to bring up the login screen. Enter the following credentials to log in:
username: administrator
password: sangoma1!
Configure the Internal and External Network Interfaces
The internal and external network interfaces have to be configured with static IP addresses. Follow the instructions below to set up the static IP addresses for both interfaces.
From the Windows Start Screen, click on the "Control Panel" icon.
In the control panel, select "Network and Sharing Center".
In the Network and Sharing Center, you will notice two network interfaces. "Ethernet" is the EXTERNAL interface and "Ethernet 2" is the INTERNAL interface. The first thing we will do is set up the external interface. Click on "Ethernet" to bring up the Ethernet Status window.
From the Ethernet Status window, click on the "Properties" button to bring up the Ethernet Properties.
From the Ethernet Properties window, select "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties".
In the IPv4 properties, enter the DMZ static IP or the external un-NATed IP being used for the Reverse Proxy Server. It is common practice to place this server in a DMZ; however, for smaller installs you may use a direct external IP address. If using an external IP, make sure that the Windows Firewall is left on, as the server will otherwise have no protection from malicious activity.
Once the IP information is entered, click "OK" to close the window, and click "OK" to close the Ethernet Properties window. Click "Close" on the Ethernet Status window to close that window as well. Return to the Network and Sharing Center to set up the internal NIC.
From the Network and Sharing Center, click on "Ethernet 2" to bring up the Ethernet Status window. Repeat steps 4 and 5 to bring up the IPv4 properties window. For the internal NIC, all we need to enter is the IP address and Subnet Mask. Do not enter a Default Gateway or a DNS Server: we will set up a permanent static route so that the reverse proxy server can communicate with the internal LAN.
Once the IP information is entered, close all the windows again and close the Control Panel, as the IP configuration is now complete.
Setup a Permanent Static Route to the Internal Network
We need to set up a permanent static route to the internal network so the reverse proxy server can communicate with the Lync Front End pool. Follow the instructions below to set up the route.
Launch the "Command Prompt" by going to the Windows Start Screen and searching for the app "Command Prompt".
In order to set up the static route, you must first find the interface index number of the internal network interface. This can be done with the "ROUTE PRINT" command. On this system, my internal interface is "Microsoft Hyper-V Network Adapter #2" and its interface ID number is "13".
In the command prompt, enter the following command. Adjust the network, mask, gateway and interface ID to match the internal LAN addressing scheme.
route add -p 10.10.0.0 mask 255.255.248.0 10.10.2.56 metric 2 if 13
You can confirm that the route was added by pinging an IP address on your internal network. If you are unable to ping, delete the route with the "ROUTE DELETE" command and re-enter it.
If the ping was successful, then you have successfully set up the static route and can proceed with your configuration.
Configure the Lync Reverse Proxy Server
NOTE: The first thing that should be done on your Reverse Proxy Server is to run Windows Update. There are critical updates to the IIS ARR modules that must be applied; without them ARR will not function as expected. To run Windows Update, go to Control Panel -> Windows Update, click "Check for Updates" and, once the updates are listed, click "Install". Reboot the system after the updates are installed.
After the LAN interfaces have been configured, you must add the edge server FQDN (Fully Qualified Domain Name) to the internal and external DNS servers.
For the internal DNS server, you must add the machine FQDN. For example, if your machine name is lyncexpressproxy.lynctest.local, then you must add this name to the internal DNS server together with the internal IP address of the server.
For the external DNS server, you must add the FQDN that is published within the Lync topology. If you published lync-rproxy.lynctest.com, then you must add this name to the external DNS server together with the external IP address of the Lync reverse proxy server, as documented within the topology.
In order to configure the Lync reverse proxy server, we must first configure the SSL certificates and then configure IIS (Internet Information Services). Follow the steps below to configure the Reverse Proxy role.
Install the Internal and External SSL Certificates
Follow the instructions below to install the individual certificates in the Certificate Store:
Install the Internal Active Directory Certificate
The steps for installing the internal Active Directory certificate are identical to those used when we installed it on the Lync Front End Pool. For instructions on how to install the certificate, please see the link below:
End of Life Products and Features - Configuring the Microsoft Lync 2013 Front End Pool for Express for Lync 2.0
Install the External Trusted Root Certificate
The external certificate MUST be a Unified Communications (UC) Subject Alternative Name (SAN) SSL certificate. These certificates are generally sold online by various certificate authorities. You may visit some of the websites below in order to purchase a UC SAN certificate:
You require at least 5 DNS names within your SSL certificate. By default, we use the names below:
lyncdiscover.<domain> - Autodiscover for Lync Mobility
meet.<domain> - For meetings
dialin.<domain> - For dial-in conferencing
webapps.<domain> - for Office Web Apps
rproxy.<domain> - Server name (this should be the certificate's subject name, not just a SAN entry)
In order to install the external certificate, a certificate request (CSR) must be created and sent to a certificate authority. Please follow the instructions below to create the request.
Launch Internet Information Services from the Windows Start Screen.
When IIS launches, select the server name from under the "Connections" list and then double click on "Server Certificates".
From under the actions menu, click on "Create Certificate Request".
The Request Certificate wizard will now open. Fill out the Distinguished Name Properties as per your organization and click "Next".
For the Cryptographic Service Provider Properties, make sure the Bit Length is set to "2048". Click "Next" to proceed.
The next window will ask you to specify a filename for the certificate request. Enter the path and filename you wish and click "Finish" to end the wizard.
Once the CSR file is created, it needs to be sent to the certificate authority. Please see your certificate authority for more information about placing your SAN names into your UC certificate. Once the SSL certificate is ready, they will send you the file and instructions on how to install it.
To install the completed certificate, you must first copy it into your certificate store. Every SSL certificate authority provides instructions on how to import it into the Windows Server Certificates MMC; please see your particular certificate authority for those instructions. Once imported, you must complete the certificate request so IIS can use the certificate. Follow the instructions below to complete the request.
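The IIS wizard above cannot place SAN entries in the request, which is why the SANs are added at the certificate authority. As an added example (not part of the original page), the same request can be generated with certreq.exe so that all five names are embedded in the CSR itself; the domain lynctest.com, the organization fields and the C:\certs paths are assumed placeholders.

```powershell
# Added example (not from the original page): build the external UC SAN certificate
# request with certreq.exe. rproxy.<domain> is the subject (CN); all five names,
# including the CN, go into the SAN extension since browsers and clients match on SANs.
# Assumed values: the domain, the organization fields and the C:\certs paths.
$domain = "lynctest.com"
$sans = @("rproxy.$domain", "lyncdiscover.$domain", "meet.$domain", "dialin.$domain", "webapps.$domain")

# certreq INF syntax for the SAN extension (OID 2.5.29.17): one "_continue_" line per name.
$sanLines = ($sans | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=rproxy.$domain, O=Example Org, L=City, S=State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

$infPath = "C:\certs\rproxy.inf"
$csrPath = "C:\certs\rproxy.req"
New-Item -ItemType Directory -Force -Path (Split-Path $infPath) | Out-Null
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the 2048-bit key pair in the local machine store and writes the CSR for the CA.
certreq.exe -new $infPath $csrPath

# Once the CA returns the signed certificate (for example rproxy.cer), bind it to the key
# in the machine store so IIS can select it; this replaces "Complete Certificate Request":
# certreq.exe -accept C:\certs\rproxy.cer
```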
Go to the Server Certificates section in the IIS MMC console and click on "Complete Certificate Request".
When the "Complete Certificate Request" wizard opens, fill out the form. Make sure you put in the Friendly Name specified in the certificate and select "Web Hosting" from the drop down. Click Ok to proceed.
Once installed, the Server Certificate will show up within IIS's Certificate Store.
Configure IIS ARR
Now that the server certificates have been installed, you can configure IIS ARR. Follow the instructions below.
Within IIS, right click on "Server Farms" and select "Create Server Farm".
Provide a name for the Server farm and click "Next".
In the next screen, enter the address of the Lync Front End server and click Add. You will then have the option of entering advanced settings. Change the httpPort to 8080 and the httpsPort to 4443 (the Lync external web services ports). Click "Finish" to close the wizard.
You will then get a popup asking if you would like to create a URL Rewrite Rule. Click "Yes" to proceed.
Once done, click on the new server farm created. This will display a list of options for this particular server farm. Double click on "Proxy" to open the proxy options.
Within the Proxy options, change the timeout to 3600 s. This helps with Lync mobility, as lower timeout values cause the Lync Mobile client to disconnect; adjust this value if you find users are being disconnected from their mobile clients. Click "Apply" to accept the changes and return to the Server Farm options.
Double click on the "Routing Rules" option in the server farm options. De-select the "Enable SSL Offloading" option and click "Apply". Then click on "URL Rewrite" to modify the rules within the rewrite module in IIS.
Double click on the first Rewrite rule in order to modify its contents.
Within the rule make the following changes:
In the "Match URL" section, change the "Using" dropdown to "Regular Expressions" and change the pattern to (.*).
In the "Conditions" section, change the logical grouping to "Match Any" and then add a new condition as per the screenshot below. The condition input is {HTTP_HOST} and the pattern to enter is "lyncdiscover.<domain>|webapps.<domain>|rproxy.<domain>|meet.<domain>|dialin.<domain>". Click OK to continue.
Click "Apply" to accept the changes.
When returned to the "URL Rewrite" options, select the second rule and click "Disable Rule" from the actions menu as it is not used.
Now that you have followed all the steps above, the reverse proxy server is set up.
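The same URL Rewrite changes applied from PowerShell with the WebAdministration module, as an added example that is not part of the original page, so the rule can be reviewed and reproduced. It assumes the farm was named "LyncFarm", that ARR named its rules "ARR_LyncFarm_loadbalance_SSL" and "ARR_LyncFarm_loadbalance" (verify with the listing step before running the rest), and the domain lynctest.com.

```powershell
# Added example (not from the original page): apply the URL Rewrite rule edits above
# with the WebAdministration module. Assumed: farm name "LyncFarm", the ARR rule names
# below (ARR's "ARR_<farm>_loadbalance[_SSL]" convention) and the domain lynctest.com.
Import-Module WebAdministration
$apphost = 'MACHINE/WEBROOT/APPHOST'
$rules   = 'system.webServer/rewrite/globalRules'
$domain  = 'lynctest.com'

# Step 0: list the global rules ARR generated for the farm and confirm the names used below.
Get-WebConfiguration -PSPath $apphost -Filter "$rules/rule" | Select-Object name, enabled

$sslRule  = "$rules/rule[@name='ARR_LyncFarm_loadbalance_SSL']"   # first rule: keep and edit
$httpRule = "$rules/rule[@name='ARR_LyncFarm_loadbalance']"       # second rule: not used

# Match URL: switch from the wildcard default to the regular expression (.*).
Set-WebConfigurationProperty -PSPath $apphost -Filter $sslRule -Name patternSyntax -Value 'ECMAScript'
Set-WebConfigurationProperty -PSPath $apphost -Filter "$sslRule/match" -Name url -Value '(.*)'

# Host condition: one alternation pattern for the five published names. Dots are escaped
# and the pattern anchored so only exactly these hosts are forwarded to the Front End.
$pattern = (@('lyncdiscover', 'webapps', 'rproxy', 'meet', 'dialin') |
    ForEach-Object { "^$_\." + [regex]::Escape($domain) + '$' }) -join '|'

# Grouping: with a single host condition, "Match Any" and "Match All" behave the same.
# If the ARR-generated rule already carries another condition (for example {HTTPS} = on),
# "Match Any" would let that condition alone admit any HTTPS host, so MatchAll is used here
# to keep the host filter effective in both cases.
Set-WebConfigurationProperty -PSPath $apphost -Filter "$sslRule/conditions" -Name logicalGrouping -Value 'MatchAll'
Add-WebConfigurationProperty -PSPath $apphost -Filter "$sslRule/conditions" -Name '.' `
    -Value @{ input = '{HTTP_HOST}'; pattern = $pattern }

# Disable the unused second rule instead of deleting it, so it can be inspected later.
Set-WebConfigurationProperty -PSPath $apphost -Filter $httpRule -Name enabled -Value $false

# Check: show the finished rule's conditions and action as IIS will evaluate them.
Get-WebConfiguration -PSPath $apphost -Filter "$sslRule/conditions/add" | Select-Object input, pattern
Get-WebConfiguration -PSPath $apphost -Filter "$sslRule/action" | Select-Object type, url
```

Run from an elevated PowerShell on the reverse proxy server; changes to applicationHost.config take effect immediately, and the final two commands show the host filter and the https://LyncFarm/{R:0} routing action to confirm the edit landed.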