This section outlines tasks for configuring a reverse proxy solution for Lync Server 2013.
Create DNS Records for Lync Server Reverse Proxy
To enable clients on the Internet to find Lync Server services, add an Address (A) record to an external DNS that is authoritative for the DNS domain that services Lync Server externally.
Note
The procedure for creating records depends on the DNS server used. In the case of an externally hosted DNS, it might be as simple as calling your service provider and requesting the records.
Keep in mind that it might take several minutes to as much as a few hours for the new records to propagate to an external DNS server and become available to clients.
On most reverse proxy solutions, it is possible to have all external Lync Web Services DNS records point to the same IP Address.
Verifying Access to the Lync Web Services
Before making Lync Server available externally, the administrator should verify that the environment is working correctly through the reverse proxy. Assuming that the firewall rules are in place and that the necessary DNS records are available externally, the following procedure helps administrators determine whether their environment is configured correctly:
1. From an externally connected computer, open a web browser and type https://externalwebfarmFQDN/abs/, where externalwebfarmFQDN is the external FQDN of the web farm that hosts the Address Book Service. If the URL returns an HTTP challenge, the site is configured correctly. You receive this challenge because the Address Book Server folder is configured to use Microsoft Windows Integrated Authentication.
2. From an externally connected computer, open a web browser and type https://externalwebfarmFQDN/conf/Tshoot.html, where externalwebfarmFQDN is the external FQDN of the web farm that hosts meeting content. This URL should display the troubleshooting page for web conferencing if it is configured correctly.
3. From an externally connected computer, open a web browser and type https://externalwebfarmFQDN/GroupExpansion/ext/service.asmx, where externalwebfarmFQDN is the external FQDN of the web farm that hosts Group Expansion. If the URL returns an HTTP challenge, the site is configured correctly. You receive this challenge because the Address Book Server folder is configured to use Microsoft Windows Integrated Authentication.
4. From an externally connected computer, open a web browser and type https://lyncdiscover.<sipdomain>, where <sipdomain> is the external SIP domain defined for the users. This URL should prompt your web browser to download a file; if you open this file with Notepad, it should contain the external web farm FQDN URL.
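As an added example (not code from the book), the following PowerShell script runs the four checks above from an externally connected Windows computer and reports the HTTP status each published URL returns; the web farm FQDN and SIP domain values are placeholders to replace with your own.

```powershell
# Added example: external verification of the Lync Web Services reverse proxy URLs.
# Both parameter defaults are placeholders, not values from the book.
param(
    [string]$ExternalWebFarmFqdn = "webext.contoso.example",   # placeholder
    [string]$SipDomain           = "contoso.example"           # placeholder
)

# Each check: the URL, the HTTP status a correctly published site answers with,
# and (for lyncdiscover) a string the downloaded file must contain.
$checks = @(
    @{ Url = "https://$ExternalWebFarmFqdn/abs/";                            Expect = 401 }
    @{ Url = "https://$ExternalWebFarmFqdn/conf/Tshoot.html";                Expect = 200 }
    @{ Url = "https://$ExternalWebFarmFqdn/GroupExpansion/ext/service.asmx"; Expect = 401 }
    @{ Url = "https://lyncdiscover.$SipDomain/";                              Expect = 200; BodyContains = $ExternalWebFarmFqdn }
)

function Get-HttpStatus {
    param([string]$Url)
    try {
        # Anonymous request: folders using Windows Integrated Authentication
        # answer with a 401 challenge, which Invoke-WebRequest raises as an error.
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        return @{ Status = [int]$r.StatusCode; Body = [string]$r.Content }
    } catch {
        $resp = $_.Exception.Response
        if ($resp) { return @{ Status = [int]$resp.StatusCode; Body = "" } }
        # No response at all: DNS, TLS or connectivity failure (firewall/DNS not ready).
        return @{ Status = 0; Body = $_.Exception.Message }
    }
}

$allOk = $true
foreach ($c in $checks) {
    $res = Get-HttpStatus -Url $c.Url
    $ok  = ($res.Status -eq $c.Expect)
    if ($ok -and $c.BodyContains) {
        # The lyncdiscover document must reference the external web farm FQDN.
        $ok = $res.Body -match [regex]::Escape($c.BodyContains)
    }
    if (-not $ok) { $allOk = $false }
    "{0,-4} {1,3}  {2}" -f $(if ($ok) { "PASS" } else { "FAIL" }), $res.Status, $c.Url
}
if ($allOk) { "All reverse proxy checks passed." }
else        { "One or more checks failed; review firewall rules, external DNS and publishing rules." }
```

A status of 0 means no HTTP response was received at all, which usually points at DNS propagation, the firewall, or a certificate the client does not trust rather than at the publishing rule itself.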
Configuring Microsoft Threat Management Gateway (TMG) for Lync Server
Forefront TMG is the logical successor of ISA 2006 SP1 and a common choice for use as a reverse proxy with Lync Server.
Assuming that TMG 2010 is already installed and network cards are already configured, the following steps outline how to publish the Lync Web Services through TMG:
1. Configure a web farm FQDN.
2. Request and configure SSL certificates.
3. Create a web server publishing rule.
4. Configure authentication and certification on IIS virtual directories.
5. Create an external DNS entry.
6. Verify access.
Configure Web Farm FQDN
During the setup of Enterprise pools and Standard Edition servers, there is an option to configure an external web farm fully qualified domain name (FQDN) on the web farm FQDN’s page during the Create Pool Wizard (or the Deploy Server Wizard). If a URL was not chosen during this process, it is necessary to configure the settings using the following procedure:
1. Open the Lync Server Topology Builder.
2. Choose Download Topology from Existing Deployment and click OK.
3. In Topology Builder, in the console tree, navigate to your Enterprise or Standard pool, and right-click the name of the pool.
4. Click Edit Properties.
5. In the middle of the Edit Properties screen, there is a field under external web services titled FQDN. Enter the FQDN to be used for Web Services and click OK.
6. In the left pane right-click Lync Server, and then click Publish topology.
7. Click Next.
8. Select the database where the topology will live, and click Next.
9. Click Finish.
Request and Configure SSL Certificates
Before configuring your Web Publishing Rules in TMG 2010, the certificate that will be used on your Lync Server rules must be installed correctly with the private key. Instructions for installing this certificate can typically be obtained from the provider of the certificate.
Tip
If your Public Certificate Authority provides a package of certificates, it is recommended to install all certificates they provide. This can include root and intermediate certificates. If these certificates are not installed on your servers, it can often cause issues with external clients.