Lync publishing on UAG

Following SP1 Update 1, UAG now supports publishing of Lync. There are, however, some important considerations regarding the trunk configuration and the certificates.

Even though the Lync application can be added to any trunk, a common scenario is the need to invite guests to a meeting. Few organizations can provision a login for each guest, so in that case it may be beneficial to create an unauthenticated trunk for the Lync application. Since you would typically have other applications (such as SharePoint or Exchange) intended only for corporate users, you would want those on a regular, authenticated trunk, and publish the Lync application on a separate trunk that has been set to be unauthenticated:

[Screenshot: the Lync application published on a separate, unauthenticated trunk]

If you do proceed with an unauthenticated trunk, keep in mind that you need to set two registry keys to enable pass-through authentication:

HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\FullAuthPassthru

HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\KeepClientAuthHeader

Set both keys to 1, then activate your configuration and perform an IISRESET.
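As an added example (not part of the original post), the following PowerShell script sets both values idempotently and reports what it changed, so the step can be repeated safely on every UAG array member. It assumes that FullAuthPassthru and KeepClientAuthHeader are REG_DWORD values under the UrlFilter key (the post calls them "keys"); activation is still done in the UAG Management console.

```powershell
# Added example, not from the original post. Assumption: the two names are
# REG_DWORD values under the UrlFilter key named in the post.
$UrlFilterKey = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter'
$Required = @{ FullAuthPassthru = 1; KeepClientAuthHeader = 1 }

if (-not (Test-Path $UrlFilterKey)) {
    throw "UAG URL filter key not found: $UrlFilterKey (is UAG installed on this host?)"
}

$changed = $false
foreach ($name in $Required.Keys) {
    $want = $Required[$name]
    $have = (Get-ItemProperty -Path $UrlFilterKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($have -eq $want) {
        Write-Host "$name already set to $want"
        continue
    }
    # -Force overwrites an existing value of any type with a DWORD of the wanted value
    New-ItemProperty -Path $UrlFilterKey -Name $name -Value $want -PropertyType DWord -Force | Out-Null
    $before = if ($null -eq $have) { '<absent>' } else { $have }
    Write-Host ("{0}: {1} -> {2}" -f $name, $before, $want)
    $changed = $true
}

if ($changed) {
    Write-Host 'Values updated. Activate the UAG configuration in the console, then run: iisreset'
} else {
    Write-Host 'No change needed; both values were already 1.'
}
```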

Another consideration is the certificate. Most organizations prefer to use wildcard certificates, as they are a more economical solution when multiple public hostnames are needed. However, Lync publishing has some limitations regarding wildcard certificates. To publish Lync to the Internet, the organization requires a SAN certificate (a single certificate with multiple hostnames embedded in it). The SAN certificate has to accommodate the following four URLs:

1. The UAG’s trunk URL

2. The Lync’s primary publishing URL

3. The Lync’s meet URL

4. The Lync’s dialin URL

You may also want to include additional names if the UAG will be used for other applications such as SharePoint. However, when purchasing the certificate, it is important to make sure that the primary name, which appears in the certificate's Subject field, is the Lync URL (2 above) and not one of the other names. For example, here is a certificate that has been configured correctly:

[Screenshot: a correctly configured SAN certificate, with the Lync primary URL in the Subject field and the remaining hostnames as Subject Alternative Names]

Above, “blrext.future.in” is the primary public URL for Lync (left) and “uagtest.future.in”, “meet.future.in” and “dialin.future.in” are the UAG public hostname and the secondary URLs for Lync (right). Here they are in the UAG configuration:

[Screenshot: the same hostnames as entered in the UAG configuration]

Naturally, if you use two trunks on the UAG, you can keep a regular wildcard certificate for the authenticated trunk and use the specially created SAN certificate for the Lync trunk.
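To check a certificate against the layout described above before binding it to the Lync trunk, here is an added PowerShell script (not from the original post). It uses the post's sample hostnames as defaults; the thumbprint is a placeholder, and parsing the SAN extension via Format() assumes an English-locale Windows host that prints entries as "DNS Name=".

```powershell
# Added example, not from the original post. Verifies Subject CN and SAN entries
# of a certificate in the local machine store against the post's requirements.
param(
    [string]$Thumbprint = 'REPLACE-WITH-THUMBPRINT',             # placeholder
    [string]$PrimaryLyncUrl = 'blrext.future.in',                # must be the Subject CN
    [string[]]$OtherNames = @('uagtest.future.in',               # UAG trunk public hostname
                              'meet.future.in',                  # Lync meet URL
                              'dialin.future.in')                # Lync dial-in URL
)

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Subject CN: the name the post says must be the Lync primary publishing URL
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } |
       Select-Object -First 1) -replace '^CN='

# Subject Alternative Name extension (OID 2.5.29.17); Format($true) prints one
# "DNS Name=host" entry per line on an English-locale Windows host (assumption)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) {
    $sanNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

$problems = @()
if ($cn -ne $PrimaryLyncUrl) {
    $problems += "Subject CN is '$cn', expected the Lync primary URL '$PrimaryLyncUrl'"
}
if ($sanNames -notcontains $PrimaryLyncUrl.ToLowerInvariant()) {
    $problems += "SAN list lacks the primary URL '$PrimaryLyncUrl'"
}
foreach ($n in $OtherNames) {
    if ($sanNames -notcontains $n.ToLowerInvariant()) { $problems += "SAN list lacks '$n'" }
}
if ($sanNames | Where-Object { $_ -match '\*' }) {
    $problems += 'SAN list contains a wildcard entry; the post calls for explicit names for Lync'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Certificate expires on $($cert.NotAfter)"
}

if ($problems.Count -eq 0) {
    Write-Host "OK: CN=$cn; SAN=$($sanNames -join ', ')"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```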

For more information, the following link discusses the certificate fields for Lync publishing: https://technet.microsoft.com/en-us/library/gg429704.aspx

Props to Yan Mintz and Robby C. for their help with this guide!

Comments

  • Anonymous
    January 01, 2003
    Where does the public host name "clrext" come into play here?  In your last screenshot you have 3 unique names highlighted, uagtest, blrext, and clrext, but I don't see clr mentioned at all in the article or in your SAN list.

  • Anonymous
    January 01, 2003
    To Bill and others, the blog comments are not the appropriate platform for asking technical questions, esp. outside the scope of the article. Please post your questions on the UAG support forum at social.technet.microsoft.com/.../forefrontedgeiag or contact me directly via the Email Blog Author link on the top right of the page.

  • Anonymous
    January 01, 2003
    Answer to RenhsrakJ: This was a typo in the image, and I've replaced it with the correct one. Thank you for bringing this to my attention! Erez

  • Anonymous
    February 13, 2012
    Fascinating

  • Anonymous
    February 13, 2012
    Awesome....

  • Anonymous
    May 21, 2012
    I am new to TMG and UAG, so excuse me if I'm not even close on this, but you're including the public host name in the SAN certificate due to you wanting to go through the portal address instead of the primary publishing URL. Can you not use the primary publishing FQDN of Lync (i.e. lyncweb.domain.com) as the public host name and wouldn't need to have yet another name in the certificate?

  • Anonymous
    May 21, 2012
    UAG needs its own, separate public hostname, that's different than the names used by the application. This allows UAG to identify requests that pertain to UAG's administrative website (InternalSite). You can access Lync by using its public hostname, but the UAG needs the hostname as well.

  • Anonymous
    May 22, 2012
    I have this resolved thanks to your reply with the exception of when I go to the site now from the Internet, I am having to append the url with the /dialin to get to the page even though the application url clearly has that in there. Any ideas?

  • Anonymous
    May 23, 2012
    I'm afraid UAG does not have the ability to do this when connecting to the URL directly.

  • Anonymous
    September 13, 2012
    Is the requirement for a non-wildcard cert for Lync specific to UAG? Because we are publishing Lync via TMG with a wildcard certificate just fine. That would be disappointing.

  • Anonymous
    December 10, 2012
    Matt B, I am running this configuration with a wildcard cert and it works fine for Lync 2010 and Lync mobile clients (I do have a SAN cert for the Lync edge server though).  I have not tested other devices (such as Lync phones).  Hope this helps.

  • Anonymous
    May 08, 2013
    You recommend publishing Lync into a separate trunk. How do you address the issue of the Lync trunk going on the same IP and port as the other trunks (exchange)?

  • Anonymous
    February 25, 2014
    The issue we had is that the Lync iPhone client will not be able to access EWS via UAG to retrieve calendar info. Even with passthrough enabled, it will not work and is unsupported.

    We had to use a third-party reverse proxy solution for EWS to function correctly.

  • Anonymous
    May 16, 2014
    We’ve gathered the top Microsoft Support solutions for the most common issues experienced when
