
How to Configure ForeFront TMG 2010 as Reverse Proxy for Lync Server 2010

Overview

To publish the services of Lync Server to Internet users you need to configure two separate server roles, the Edge Server and the Reverse Proxy server. In this article I show the steps for configuring Forefront Threat Management Gateway 2010 as a Reverse Proxy publishing the Front End Web Services.

For this configuration I have a Domain Controller, a Lync Server Front End and a TMG server configured with the following IP addresses:

Role                Server Name           IP
Domain Controller   hm01.home.intranet    192.168.1.200
Front End           hm02.home.intranet    192.168.1.201
TMG 2010            hm06.home.intranet    Internal Network: 192.168.1.205 / External Network: xxx.xxx.235.40

With the Reverse Proxy publishing the Lync Server web services, the following services become available to remote users:

  • Downloading meeting content
  • Distribution group expansion
  • Address Book Service download
  • Lync Web App client
  • Dial-in conferencing web page
  • Access to the Location Information Service
  • Connection to the device update service
  • Mobility Services

During the installation of Lync Server, two sites are created in IIS:

  1. Lync Server Internal Web Site: configured on ports 80 and 443, responsible for serving internal clients
  2. Lync Server External Web Site: configured on ports 8080 and 4443; this is the site that should be published by the Reverse Proxy

http://4.bp.blogspot.com/-qyy_CS9EuWY/TqIMXCsHi_I/AAAAAAAABtM/wQb8-yiDd4o/s320/rev01.png

TMG's role in this scenario is to forward Internet traffic arriving on ports 80 (HTTP) and 443 (HTTPS) to ports 8080 (HTTP) and 4443 (HTTPS) on the Lync Server Front End.

URL configuration

For publishing the Web Services we will use three different URLs set in the Front End.

Two URLs are configured by default during installation of the Front End: the addresses meet.home.com.br and dialin.home.com.br. To check this setting, run the Topology Builder and click Lync Server 2010.

http://3.bp.blogspot.com/-qgK6IX1gF78/TqIiQl0RI4I/AAAAAAAABtU/rt0Pd11DADY/s320/rev02.png

The third URL must be configured in the properties of the Front End pool. Open the properties of the Front End and, under Web Services, set the URL of the External Web Services.

http://3.bp.blogspot.com/-2su7cQvirMg/TqIiRpYKkHI/AAAAAAAABtc/MybOMOCkI24/s320/rev03.png

In the external DNS, host records were created resolving all of these URLs to the IP of the TMG's external network interface.

Host                                                      IP
LyncPortal.home.com.br                                    xxx.xxx.235.40
dialin.home.com.br                                        xxx.xxx.235.40
meet.home.com.br                                          xxx.xxx.235.40
LyncDiscover.home.com.br (new URL for Mobility Service)   xxx.xxx.235.40

For more information on configuring the Mobility Service, see the article Configuring Lync Server 2010 Mobility Service.

Configuring the Digital Certificate

For publishing, you must install a server certificate in the TMG computer's certificate store; it will be bound to the HTTPS listener in TMG. The certificate was issued by the same certification authority that issued the Front End certificates.

http://4.bp.blogspot.com/-Ecw_KD8zJB8/TqMLuNP7KrI/AAAAAAAABtk/GAgUum9UErc/s320/rev04.png

The certificate must be configured with a Common Name matching the FQDN configured in the External Web Services, in this scenario LyncPortal.home.com.br. The certificate's SAN must contain all the URLs created in the Front End.

For the new Mobility Service, the external URL of the Discovery Service, LyncDiscover.<SIP domain>, should also be added to the certificate SAN. The figure below shows the configuration of the certificate:

http://4.bp.blogspot.com/-jb7fspBVsFk/TqMLu7xyY4I/AAAAAAAABts/LsNdXBfbsfk/s320/rev05.png

http://4.bp.blogspot.com/-igxNpmlYvGA/TqMLvUbRu9I/AAAAAAAABt0/_lU1wvkr3Pw/s320/rev06.png

If you need help configuring the digital certificate, see the article [[Create a Certificate Request using Microsoft Management Console (MMC)]]

Publishing Rule

With the certificate in place, start the TMG management console, right-click Firewall Policy, select New, and start the Web Site Publishing Rule... wizard.

http://4.bp.blogspot.com/-EOE5LbS9pyM/TqMXURGcJEI/AAAAAAAABt8/2p-3WVJLXdk/s320/rev07.png

Set the name of the publishing rule.

http://4.bp.blogspot.com/-rLemdnkHwdM/TqNBuvOYKFI/AAAAAAAABuE/y2yrge2CAQU/s320/rev08.png

Create a rule with the action Allow.

http://3.bp.blogspot.com/-d-2BPMQuMLg/TqNBu8xXXTI/AAAAAAAABuM/e_LAzGYIZSA/s320/rev09.png

In Publishing Type select Publish a single Web site or load balancer.

http://3.bp.blogspot.com/-wY49LNyooZk/TqNBvvP6kKI/AAAAAAAABuU/j2ml7SBS1u0/s320/rev10.png

In Server Connection Security select the option Use SSL to connect to the published Web server or server farm.

http://2.bp.blogspot.com/-vVOrcLYvERI/TqNBwK_TWZI/AAAAAAAABuc/DFeLOr3JzOs/s320/rev11.png

In Internal Publishing Details, set the Internal site name to the FQDN of your Front End server. Verify that TMG can correctly resolve the FQDN and successfully ping the Front End server.

http://1.bp.blogspot.com/-8gO3_lK8li0/TqNBwmNE0AI/AAAAAAAABuk/xUCRZJWsxbI/s320/rev12.png

In Internal Publishing Details, set the Path to /*

http://3.bp.blogspot.com/-MgBpHq31kgM/TqNBxMsITTI/AAAAAAAABus/hrNE86MTIWk/s320/rev13.png

In Public Name Details select This domain name (type below) and set the Public Name to LyncPortal.home.com.br, the URL that was set as the External Web Services site.

http://1.bp.blogspot.com/-BbvZUN7wEdw/TqNBx5IBIXI/AAAAAAAABu0/p-T1Y6U9QB8/s320/rev14.png

In Select Web Listener, create a new listener.

http://4.bp.blogspot.com/-zPD0G6JwJ6A/TqNByJoeKGI/AAAAAAAABu8/Fw7ByyejhrQ/s320/rev15.png

Set a name for the new listener

http://4.bp.blogspot.com/-JJbGTrYbclc/TqNByrcgJRI/AAAAAAAABvE/YqByLG3D_t8/s320/rev16.png

In the Client Connection Security select Require SSL secured connections with clients

http://4.bp.blogspot.com/-AGM2si8562E/TqNBzV81paI/AAAAAAAABvM/hEnZ5AdIUEE/s320/rev17.png

In Web Listener IP Addresses select the External network, then click Select IP Addresses.

http://3.bp.blogspot.com/-Tg19G8bMXc8/TqNB0P_96TI/AAAAAAAABvU/mpKEEgektl8/s320/rev18.png

Select the IP address that the URLs were set to in DNS.

http://1.bp.blogspot.com/-WQyihZS89N0/TqNB00CZJ5I/AAAAAAAABvc/piMGm1lgIME/s320/rev19.png

With the IP address configured, click Next.

http://2.bp.blogspot.com/-CyMpCp65NKg/TqNB1TeMmtI/AAAAAAAABvk/geIDEYUclQ4/s320/rev20.png

In the Listener SSL Certificate select Use single certificate for the Web Listener and click Select Certificate ...

http://2.bp.blogspot.com/-wFszJFkFxrY/TqNB16dbcCI/AAAAAAAABvs/NT7YkTwVQDw/s320/rev21.png

Select the certificate configured with the Lync Server URLs.

http://3.bp.blogspot.com/-vow7vRK-cNk/TqNB2RmpEKI/AAAAAAAABv0/HwkFauTolzI/s320/rev22.png

Proceed with the configured certificate.

http://4.bp.blogspot.com/-cmSLmi6-mts/TqNM4C9RkkI/AAAAAAAABxU/fSj5pYRB6n0/s320/rev23.png

In Authentication Settings select No Authentication.

http://1.bp.blogspot.com/-RCOk9O3VpHA/TqNB3W8yEdI/AAAAAAAABwE/CmkTs8Lm7v4/s320/rev24.png

In Single Sign On Settings, do not change any setting and click Next.

http://4.bp.blogspot.com/-WO7ruuxkQRk/TqNB347MOlI/AAAAAAAABwM/qwWPHfTKeYM/s320/rev25.png

Finalize the creation of the Web Listener

http://3.bp.blogspot.com/-md3G37zKv_o/TqNB4RVVJGI/AAAAAAAABwU/ffBgzNj4fyQ/s320/rev26.png

Continue creating the rule.

http://3.bp.blogspot.com/-FgnOcgdqRiQ/TqNB4y_7x3I/AAAAAAAABwc/rPnn6gBXOcU/s320/rev27.png

In Authentication Delegation select No delegation, but client may authenticate directly.

http://2.bp.blogspot.com/-CRxWXpmx584/TqNB5ZyFEQI/AAAAAAAABwk/FxbjI_VXthM/s320/rev28.png

Do not change the security settings of the rule.

http://2.bp.blogspot.com/-7s8E3eHgOaE/TqNB59RL7KI/AAAAAAAABws/KyIFcgN-Tdg/s320/rev29.png

Complete the setup wizard.

http://1.bp.blogspot.com/-9VgIGdSMYXY/TqNB6eG_sqI/AAAAAAAABw0/MS_Ff7j-FYs/s320/rev30.png

Return to the management console and open the rule properties.

http://3.bp.blogspot.com/-oc3znojqPEs/TqNU6kEEObI/AAAAAAAABxc/j2jo_AobDj0/s320/rev34.png

On the To tab, check Forward the original host header instead of the current one.

http://4.bp.blogspot.com/-7kMB0ZWMdFc/TqNB65ougYI/AAAAAAAABw8/LpNxfAGw6JY/s320/rev31.png

On the Bridging tab set Redirect requests to HTTP port: 8080 and Redirect requests to SSL port: 4443.

http://4.bp.blogspot.com/-OE1gU7c2Hio/TqNB7VHiVjI/AAAAAAAABxE/ftT34QR4DhQ/s320/rev32.png

On the Public Name tab add the configured URLs. Also add the URL of the Discovery Service: LyncDiscover.home.com.br

http://3.bp.blogspot.com/-3sBR57ZTstM/TqNB719NjwI/AAAAAAAABxM/ezpmMKFl1gA/s320/rev33.png

Test Your Configuration

To test the settings, access the following URLs:

  • https://ExternalWebServices/abs, the Address Book Server folder. The page should prompt for a username and password. If you get a different result, review your publishing configuration.

http://4.bp.blogspot.com/-PHZ8rXX9fwM/TrPZO_MtnsI/AAAAAAAAB-c/5aF3rjJFNFE/s320/revTMG01.png

  • https://ExternalWebServices/meet, the meeting page. It should display a page with a code for troubleshooting.

http://1.bp.blogspot.com/-hc4ItyuiCMc/TrPZQEtjYhI/AAAAAAAAB-k/pHqpXk_1KD4/s320/revTMG02.png

  • https://ExternalWebServices/GroupExpansion/service.svc, the group expansion folder. The page must ask for authentication.

http://3.bp.blogspot.com/-PgB0vAEiANg/TrPZQkWqpJI/AAAAAAAAB-s/BoqoTjru3jA/s320/revTMG03.png

  • https://DialIn.dominio.com.br, the Dial-in page.

http://4.bp.blogspot.com/-v2vCZucCYKY/TrPZRYKXPWI/AAAAAAAAB-0/zl8odfvXoQ0/s320/revTMG04.png
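As an added check for the DNS records, the certificate SAN and the test URLs described in this article (a script of my own, not from the original article or from Microsoft), the following PowerShell script, run from an Internet client, verifies all three at once. It assumes the article's hostnames and the placeholder external IP, which you replace with your own values.

```powershell
# Added validation script; not part of the original article. Run it from an Internet
# client after publishing. Hostnames and IP are the article's examples: replace them.
$ExternalIp  = 'xxx.xxx.235.40'   # TMG external interface; placeholder copied from the article
$PublicNames = 'LyncPortal.home.com.br', 'meet.home.com.br', 'dialin.home.com.br', 'LyncDiscover.home.com.br'
# Folders the article says must prompt for credentials when reached through TMG
$ExpectAuth  = 'https://LyncPortal.home.com.br/abs', 'https://LyncPortal.home.com.br/GroupExpansion/service.svc'

# 1. Every public name in the external DNS must resolve to the TMG external IP
foreach ($name in $PublicNames) {
    $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
    if ($ips -contains $ExternalIp) { "DNS  OK    $name -> $ExternalIp" }
    else { "DNS  FAIL  $name -> $($ips -join ',') (expected $ExternalIp)" }
}

# 2. The listener certificate must list every public name in its SAN (OID 2.5.29.17).
#    Chain validation is bypassed here only so the certificate can be read and inspected.
$tcp = New-Object System.Net.Sockets.TcpClient($PublicNames[0], 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($PublicNames[0])
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$tcp.Close()
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
"Listener certificate subject: $($cert.Subject)"
foreach ($name in $PublicNames) {
    if ($sanText -match [regex]::Escape($name)) { "SAN  OK    $name" }   # -match is case-insensitive
    else { "SAN  FAIL  $name is not in the SAN: $sanText" }
}

# 3. Protected folders must answer 401 through TMG: the listener uses No Authentication,
#    so the challenge has to come from the Front End's External Web Site (port 4443).
foreach ($url in $ExpectAuth) {
    try {
        $resp = [System.Net.WebRequest]::Create($url).GetResponse()
        "HTTP FAIL  $url returned $([int]$resp.StatusCode) without a credential prompt"
        $resp.Close()
    } catch [System.Net.WebException] {
        $r = $_.Exception.Response
        if ($r -and [int]$r.StatusCode -eq 401) { "HTTP OK    $url prompts for credentials (401)" }
        elseif ($r) { "HTTP FAIL  $url returned $([int]$r.StatusCode) (expected 401)" }
        else { "HTTP FAIL  $url unreachable: $($_.Exception.Message)" }
    }
}
```

A SAN FAIL for LyncDiscover.home.com.br is the most common finding, since that name is added to the certificate after the default Front End URLs.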

Reference

http://technet.microsoft.com/en-us/library/gg398069.aspx

Configuring Lync Server 2010 Mobility Service

This article was originally written by:

Fernando Lugão Veltem

blog: http://flugaoveltem.blogspot.com/

twitter: @flugaoveltem