Saturday, 20 July 2013

IIS ARR and Lync Server 2013 Reverse Proxy Setup

During a conversation about TMG now being discontinued, I was pointed in the direction of using IIS ARR (Application Request Routing) as a reverse proxy for Lync 2013. After some quick digging, I found that IIS ARR is a supported method, as per the Microsoft TechNet article http://technet.microsoft.com/en-us/library/gg398069.aspx.

NOTE: I have also been told by other consultants that they have configured and used IIS ARR with Lync 2010 and that it is fully supported; this is mentioned in the "Information" section of the same article, http://technet.microsoft.com/en-us/library/gg398069.aspx.

The configuration of IIS ARR for Lync 2013 was very straightforward.

IIS ARR is supported on Windows Server 2008, 2008 R2 and Server 2012. For this post I will be using Server 2012.

As with TMG, you will need to configure two network adapters. One will be for external communication, with a default gateway, to accept requests from the Internet; the second adapter will be for communication with your Lync 2013 environment.

Also, do not join your IIS ARR server to your domain.

After your networking is configured, and you have confirmed that you can browse the Internet and still ping your internal Lync 2013 environment, install IIS (Web Server) on your ARR server. This can be done either with PowerShell or using Server Manager.

Next, export your public Lync 2013 certificate and import it into your IIS ARR server.

Next we will bind the imported certificate to port 443 in IIS.
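The three steps above (install IIS, import the certificate, bind it to port 443) can be scripted rather than clicked through. The following PowerShell is an added example, not code from the original post: it assumes the certificate was exported as a PFX that includes its private key to C:\certs\lyncweb.pfx (a placeholder path), that the binding goes on the Default Web Site, and that the hostnames in $ExpectedSans are placeholders for your own external web services names. The SAN check is an extra sanity check so that a certificate which does not cover the external names is caught before clients hit the reverse proxy.

```powershell
# Added example (not from the original post): install IIS, import the exported
# Lync public certificate and bind it to HTTPS on port 443 on the ARR server.
# Assumptions: the PFX was exported *with its private key* to the path below,
# and the hostnames in $ExpectedSans are placeholders for your own names.
$PfxPath      = 'C:\certs\lyncweb.pfx'                      # assumed export location
$ExpectedSans = @('lyncweb.contoso.com', 'meet.contoso.com',
                  'dialin.contoso.com', 'lyncdiscover.contoso.com')  # placeholders

# 1. Install the Web Server role together with IIS Manager (Server 2012).
Install-WindowsFeature -Name Web-Server -IncludeManagementTools

# 2. Import the PFX into the machine's Personal store.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# Sanity checks: without a private key the HTTPS binding cannot work, and a
# certificate that does not list the external names will fail in every client.
if (-not $cert.HasPrivateKey) { throw 'The PFX did not include a private key' }
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
$missing = $ExpectedSans | Where-Object { $sanText -notmatch [regex]::Escape($_) }
if ($missing) { Write-Warning "Certificate does not list: $($missing -join ', ')" }

# 3. Create the HTTPS binding on port 443 (if absent) and attach the certificate.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# 4. Show the resulting SSL binding so it can be compared with IIS Manager.
Get-ChildItem IIS:\SslBindings
```

Run this in an elevated PowerShell session on the ARR server; the PKI cmdlets (Import-PfxCertificate) and the WebAdministration module are both present on Server 2012.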

Next we will install the Web Platform Installer, which we will use to download and install IIS ARR.

Internet Explorer will open; click the green button on the right that says "Free Download".

Download and install the Web Platform Installer 4.5.

Once installed, you will be presented with the WebPI 4.5 application window. Here you can search for "KB2589179", which will display Application Request Routing 2.5. Select it, click Add, then Install.

After installation we can start the configuration of IIS to support Lync 2013. First close and reopen IIS Manager; you will now see a "Server Farms" node under Sites.

Right-click Server Farms and select Create Server Farm...

Name your Server Farm (I used the external FQDN of my Lync web services).

Next, specify the FQDN of your Enterprise Pool or Standard Edition Lync Server. Also expand "Advanced Settings..." and change the default ports to 8080 and 4443 (our external web services ports), then click Finish.

After clicking Finish you will be prompted to create the rewrite rules; click Yes.

Now your server farm is created with either your Enterprise Pool or Standard Edition Server defined. Next we will make some configuration changes to the Server Farm.

Under Caching, disable the disk cache.

Specifically for Lync external web services, under Proxy, change the time-out to 200 seconds. This prevents the Lync Web App from disconnecting and reconnecting unexpectedly.

Under Routing Rules, disable the SSL offloading option.

Now we are going to configure the URL Rewrite rules. This is similar to what TMG did in rewriting the external meet/dialin/ext URLs internally to your Lync Front End Servers.

Click the root node (server name) in IIS Manager, and under the IIS settings click "URL Rewrite".

You will see two rewrite rules already created; double-click the ARR_Name_loadbalance_SSL rule.

The following changes need to be made: change the Pattern to (.*), change "Using:" to Regular Expressions, and in Action Properties change http:// to https://.
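Before applying the rule and testing, it is worth verifying that all of the above actually landed in applicationHost.config, since the GUI does not always persist the alternate ports (a pitfall the first comment on this post describes). The PowerShell below is an added example, not code from the original post: it parses %WINDIR%\System32\inetsrv\config\applicationHost.config directly and checks the server ports (8080/4443), the 200-second proxy time-out and the SSL rewrite rule. $FarmName and $PoolFqdn are placeholders, and the farm-level applicationRequestRouting/protocol element used for the time-out is an assumption about where ARR stores that setting; adjust the XPath if your file differs.

```powershell
# Added example (not from the original post): read the ARR settings back from
# applicationHost.config and compare them with the checklist in the post.
# Assumptions: $FarmName/$PoolFqdn are placeholders for your own values, and the
# proxy time-out lives in webFarm/applicationRequestRouting/protocol@timeout.
$FarmName   = 'lyncweb.contoso.com'     # placeholder: name given to the server farm
$PoolFqdn   = 'lyncpool.contoso.local'  # placeholder: Enterprise Pool / SE server FQDN
$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"

[xml]$config = Get-Content -Path $ConfigPath -Raw
$problems = New-Object System.Collections.Generic.List[string]

# 1. Server ports: the farm member must be routed to 8080/4443, not 80/443.
$server = $config.SelectSingleNode(
    "/configuration/webFarms/webFarm[@name='$FarmName']/server[@address='$PoolFqdn']")
if (-not $server) {
    $problems.Add("farm '$FarmName' with server '$PoolFqdn' not found")
} else {
    $arr = $server.SelectSingleNode('applicationRequestRouting')
    if (-not $arr -or $arr.httpPort -ne '8080' -or $arr.httpsPort -ne '4443') {
        $problems.Add('server ports are not 8080/4443 (the GUI may not have saved them)')
    }
}

# 2. Proxy time-out: 200 seconds is stored as hh:mm:ss (assumed element path).
$protocol = $config.SelectSingleNode(
    "/configuration/webFarms/webFarm[@name='$FarmName']/applicationRequestRouting/protocol")
if (-not $protocol -or $protocol.timeout -ne '00:03:20') {
    $problems.Add("proxy time-out is '$($protocol.timeout)', expected 00:03:20 (200 s)")
}

# 3. SSL rewrite rule: regular-expression pattern (.*) and an https:// action,
#    i.e. no SSL offloading between the reverse proxy and the Front End.
$rule = $config.SelectSingleNode(
    "/configuration/system.webServer/rewrite/globalRules/rule[@name='ARR_${FarmName}_loadbalance_SSL']")
if (-not $rule) {
    $problems.Add("rule ARR_${FarmName}_loadbalance_SSL not found")
} else {
    # When the attribute is omitted, IIS uses its default of ECMAScript (regular expressions).
    $syntax = if ($rule.HasAttribute('patternSyntax')) { $rule.patternSyntax } else { 'ECMAScript' }
    if ($syntax -ne 'ECMAScript')             { $problems.Add("rule pattern syntax is '$syntax', expected regular expressions") }
    if ($rule.match.url -ne '(.*)')           { $problems.Add("rule pattern is '$($rule.match.url)', expected (.*)") }
    if ($rule.action.url -notlike 'https://*') { $problems.Add("rule action '$($rule.action.url)' does not use https://") }
}

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "ARR configuration for $FarmName matches the checklist"
```

The script needs an elevated session to read applicationHost.config, and a non-zero exit code on any mismatch makes it easy to rerun after each change in IIS Manager until everything lines up.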

Apply your rewrite rule changes and test. Now you should be able to open https://meet.domain.com externally (or, by adding HOSTS entries that point meet/dialin/ext at the external IP of the IIS server) and reach your Lync 2013 external web services.

Notice the ping to the external IP address (10.180.213.200) shown above, and that I cannot even ping the Standard Edition Front End Server.

Thank you for reading.

7 comments:

  1. Hopefully someone finds this comment helpful. I have been struggling getting this to work with Server 2012 R2 as the reverse proxy. Turns out under 2012 R2 the alternate port settings you define when configuring your server farms are not saved to applicationhost.config! For those of you not familiar with applicationhost.config, it's an XML configuration file located at %WINDIR%\system32\inetsrv\config. You can either edit applicationhost.config directly, or use appcmd (in %WINDIR%\system32\inetsrv\) to add them. To add manually, edit the webfarm; this is what's created by IIS Manager:

    <webFarm name="testServerFarm" enabled="true">
    <server address="testServer" enabled="true" />
    </webFarm>

    Modify like so:

    <webFarm name="testServerFarm" enabled="true">
    <server address="testServer" enabled="true" >
    <applicationRequestRouting httpsPort="4443" httpPort="8080" />
    </server>
    </webFarm>

    You can also use appcmd.exe to do the same thing (although it takes as much typing as editing the config manually, though I guess there is some validation and that could keep you out of trouble!):

    %windir%\System32\inetsrv\appcmd.exe set config -section:webFarms -[name='testServerFarm'].[address='testServer'].applicationRequestRouting.httpsPort:4443


    %windir%\System32\inetsrv\appcmd.exe set config -section:webFarms -[name='testServerFarm'].[address='testServer'].applicationRequestRouting.httpPort:8080

    Took me about 3 weeks to figure this out, but at least my Lync Server 2013 environment can now be considered "supported" ... a couple of NAT rules seemed so much simpler!
  6. I have an Enterprise setup with pool name pool.xxx.com with 2 front end servers; internal web is pool.xxx.com and external web is lyncweb.xxx.com. I can't sign in with the Lync client; I get an error of pool.xxx.com web ticket internal server error. What could be the issue?