Reverse Proxy Requirements
Reverse proxies, such as ISA 2006 SP1 or Forefront Threat Management Gateway (TMG), are excellent ways to securely publish applications, such as Lync Server, to users on the Internet. By controlling which ports pass traffic and limiting destination URLs to only the desired paths, you can safely pass traffic from the Internet to Lync Server roles. The following sections discuss how to configure reverse proxies to work with Lync Server.
Why a Reverse Proxy Is Required
It is important to understand why a reverse proxy solution is required for Lync Server 2013. In Lync Server 2013, a reverse proxy is required to publish Lync Web Services to external users. These services are responsible for the following:
• Simple URL Publishing—This is required for users to join a Lync Online Meeting.
• Web Conferencing Content—Users will download PowerPoint, Whiteboard, and Poll data through the Lync Web Services when in a meeting.
• Address Book and Distribution List (DL) Expansion—This is required for users to download the Lync Address Book and perform DL expansion.
• User Certificates—Lync Server utilizes client certificate authentication for many purposes; external users must connect to the Lync Web Services to obtain certificates.
• Device Updates—Lync Phone Edition devices require access to the Lync Web Services to obtain software updates.
• Mobility—Lync Mobile clients on Windows Phone, Android, and Apple iOS connect through the Lync Web Services.
Deploying a reverse proxy solution with Lync Server 2013 is absolutely critical in order to enable external user access. This book provides a configuration guide for Microsoft Forefront Threat Management Gateway 2010; many other solutions are available to securely publish these services. To deploy Lync Web Services, the reverse proxy solution must meet the following requirements:
• HTTP and HTTPS Publishing—Devices must be capable of securely publishing application content. Devices that support this functionality will specifically call this out as a feature.
• SSL Bridging—Lync Server 2013 requires the reverse proxy server to listen for connections on TCP port 443, but to bridge these connections to the Front End Server pool on TCP port 4443. This is required because the Lync Web Services contain separate virtual web directories for security purposes. The external Lync Web Services directory listens on port 4443 and should be used when publishing to the Internet.
• Authentication Bypass—The proxy solution should allow for authentication to occur at the Lync Servers, not at the proxy itself.
Caution
It is not supported by Microsoft, and it is not recommended, to deploy external web services without a reverse proxy solution. Do not use NAT as a replacement for a reverse proxy solution.
Certificate Requirements
In general, the reverse proxy certificate must be a public certificate with the following entries:
• Lync Web Services External FQDN—This is defined in the topology and should be configured as the Subject Name of your certificate.
• Simple URL Entries—There should be a certificate entry in the SAN field for every meeting and dial-in simple URL. There is typically a single dial-in FQDN, and there will be a meeting FQDN for each SIP domain in the environment.
• LyncDiscover—Lync Mobile devices are hard-coded to look for the DNS entry lyncdiscover.<sipdomain>. This name should terminate at the reverse proxy, so a certificate entry is required for it in each SIP domain in your environment.
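The certificate rules above are easy to get wrong in multi-SIP-domain deployments, so the following added example (not from the book or from any Microsoft tool) derives the full name list a reverse proxy certificate needs from a small topology description and audits an issued certificate against it. The topology values (example.com, contoso.com and their FQDNs) are constructed placeholders; treating the subject name as also required in the SAN list is an assumption beyond the book's text.

```python
# Added example: derive and audit the reverse proxy certificate names for Lync Server 2013.
from dataclasses import dataclass


@dataclass
class Topology:
    external_web_fqdn: str      # Lync Web Services external FQDN (certificate Subject Name)
    meet_fqdn_by_sip_domain: dict  # SIP domain -> meeting simple URL FQDN (one per SIP domain)
    dialin_fqdn: str            # the single dial-in simple URL FQDN


def required_names(topo):
    """Return (subject, sans): the Subject Name and the set of SAN entries the
    reverse proxy certificate must carry for this topology."""
    subject = topo.external_web_fqdn.lower()
    # Assumption: the subject is listed in the SAN field too (clients match on SAN).
    sans = {subject, topo.dialin_fqdn.lower()}
    for sip_domain, meet_fqdn in topo.meet_fqdn_by_sip_domain.items():
        sans.add(meet_fqdn.lower())
        # Lync Mobile clients are hard-coded to resolve lyncdiscover.<sipdomain>.
        sans.add(f"lyncdiscover.{sip_domain.lower()}")
    return subject, sans


def audit_certificate(topo, cert_subject, cert_sans):
    """Compare an issued certificate (subject CN plus SAN list) with the topology.
    An empty 'missing' list means every required name is covered."""
    subject, needed = required_names(topo)
    present = {n.lower() for n in cert_sans} | {cert_subject.lower()}
    return {
        "subject_ok": cert_subject.lower() == subject,
        "missing": sorted(needed - present),   # names clients will fail to validate
        "extra": sorted(present - needed),     # names the proxy does not publish
    }


if __name__ == "__main__":
    # Constructed sample: two SIP domains, so two meeting URLs and two lyncdiscover names.
    topo = Topology(
        external_web_fqdn="lyncweb.example.com",
        meet_fqdn_by_sip_domain={"example.com": "meet.example.com",
                                 "contoso.com": "meet.contoso.com"},
        dialin_fqdn="dialin.example.com",
    )
    issued_sans = ["lyncweb.example.com", "dialin.example.com",
                   "meet.example.com", "lyncdiscover.example.com"]
    print(audit_certificate(topo, "lyncweb.example.com", issued_sans))
```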