Lync 2010 – Reverse Proxy – Part 3

I think we'll wrap up the setup/config of the Lync 2010 Reverse Proxy today.

We started in Part 1 with Installation & some initial Setup

Then, in Part 2 we continued setup and got to the TMG Control Panel

Today we'll pick up (and finish) with the Web Publishing & Web Listener configuration.

51

Firewall Policy -> New -> Web Site Publishing Rule

52

Give your rule a useful name.  Click Next.

53

We are creating an "Allow" Publishing Rule.  Click Next.

54

We are choosing the top option.  Click Next.

55

SSL.  Next.

56

This is the destination – in our case, the Consolidated Front End. Next.

57

We want all traffic involved. Click Next.

58

The Public Name is the "External Web Services" entry from our topology. Click Next.

59

Now we create a new Web Listener.  Click New.

60

Give your Web Listener a useful name.  Click Next.

61

We're requiring SSL here.  Click Next.

62

Where does the Web Listener – "listen" – on?  This is a single NIC – so – the Internal Network is the choice here.  Check that and click "Select IP Addresses" option.

63

We only have one IP on our one NIC.  Choose that and click move it to the Selected IP Addresses part of this screen.  Click OK.

64

So, this is a good place to remind you of something.  You need to import the Public SSL certificate to your Reverse Proxy.  I should have probably said something earlier.  You've already exported and imported SSL certificates through our Lync process – so – go get the SSL certificate that's from a Public CA – this is the same SSL you assigned to the "External Web Services" option on your Front End box.  Choose that certificate here – sip.mirazon.com is ours.  Click Select.

65

Assign that SSL to the right IP Address.  Click Next.

66

No authentication necessary here.  This is done on the Front End External IIS instance.  Click Next.

67

Click Next.

68

Web Listener configured.  Click Finish.

69

Now that the Web Listener is done, we can continue with our Web Publishing Rule setup.  Click Next.

70

Choose appropriate option.  Click Next.

71

All Users.  Click Next.

72

Verify & Finish.  Now, Apply settings as you've already learned.

76

Almost done.  We need to finish the final setup of the Web Access Policy.  Click Properties on the rle we just created.

77

Double Check the "To" Tab.

78

Now on the Listener Tab, Click Properties.

79

Double Check the Connections Tab. Click OK.

80

Back to the Bridging Tab.  Make sure we redirect to 8080/4443 as appropriate.  These ports were the ports chosen in your Topology for the External Web Services.

81

Finally, go to the Public Name Tab.  We want to Add more websites here for this Lync Rule.

82

Add our Simple URLs – meet and dialin – and now you're done.  Click OK until you're back at the TMG Control Panel.

73

Apply your new settings.  And once the new settings are committed to TMG 2010, we're ready to completely test.  You did it!  You've now setup your TMG 2010 Reverse Proxy for all of the associated/appropriate External Web Access needs for Lync 2010.

11 thoughts on “Lync 2010 – Reverse Proxy – Part 3

  1. Hi Daryl,thank you for this great post.I have a similar setup with you(single NIC TMG) but I’ve encounter some problem here.

    My TMG server is currently act as a reverse proxy for Exchange server too, so when I create a new web listener for Lync, an error “A web server specifying the same port and similar IP address is alreay used by “My_exchange_rule”.The port and IP addresses specified in a web listener cannot overlap with IP address and port in another web listener.

    Do you have any idea with this?

    Merry Christmas and hope to hear from you soon.

    regards,
    Joe

  2. You’ve already got a port 443 for exchange so you cannot an additional 443 for Lync. Only one since you’ve got a single NIC/IP.

    However.

    You can add an additional IP address on your NIC if you’d like.

    But you’d have to adjust your various rules… somehow identifying traffic meant for Lync (currently set to /*) and traffic meant for Exchange (how did you identify the traffic?)

  3. Daryl,many thanks for your valuable time to reply my question above,I truly appreciate it.

    Regarding how I identify the traffic, currently I NAT the 443 traffic to TMG server from firewall.

    Could you hint me some requirement how to adjust the various rules please?

    Thanks.

    regards,
    Joe

  4. Joe, I’ve never setup Exchange via TMG/ISA so I’m not sure how to help you.

    I think the part you are missing here is you need to have unique “public names” and “IP Addresses” here.

    For example, in this post, we’re doing “public names” like “meeting.mirazon.com” and “meet.mirazon.com” and “dialin.mirazon.com” right?

    Your Exchange OWA would be “mail.domain.com” or something similar. So, you’ll need an additional web publishing rule / web listener combination listening to your OWA “public name” which matches a certificate on your exchange server.

    Likewise, since you’re using port 443 for Exchange OWA on an IP address bound to your single NIC… you cannot use that same IP address & port 443 for Lync. You’ll have to add a secondary IP address on your NIC (Windows Control Panel) adn then you can utilize that secondary IP when you create your new Lync Web Listener.

    Does that give you better help?

  5. Hi Daryl,

    Thanks so much for this valuable article in setting up TMG for Lync. I need some help. Every time I try to access a meeting request from outside I get an error:

    “The policy rules do not allow the user request

    Rule: Default rule ”

    Here is my set up:

    Two interfaces. One facing internal and the other external. Public ip has been NATed to the external interface. Certificate from godaddy is in place and has been applied on the external interface. Traffice from port 443 is forwarded to 4443. I see the request come to TMG on the logs but I see the Default rule at this point blocking it. On the browser I get Error 403, server not found.

    Do I need to create any outbound rule allowing traffic leaving from inside the network to Internet? Not sure.

    Any help will be appreciated.

    Thanks, Pankaj.

  6. Hi, thanks for the walk through!

    I was wondering…how do I get certificates on my TMG server? I see nothing in my list of available certs when I am trying to set up my Web Listener.

    I have a lync deployment with a FE/Mediation, Edge, and Conferencing server. I do not use a Public Cert (like you said to use in this article) for anything but the Edge server’s external cert. I have installed both my main Lync cert and the external public cert on my TMG server and they are both imported into ‘Trusted Root Certification Authority’. But I still see nothing in the list.

    What am I doing wrong? Certs have always been a weak point for me.

  7. From a certificate assignment stand point, my configure sounds similar to that of S. Edson and I too am experiencing the same issue he has reported.

    Sam were you able to resolve this problem?

  8. Hi sam, you should install those certificates in the personal store. Better use MMC and add the certificate snap-in. Then import the certificate to the personal store. It will show the certificate then.

  9. Darryl, many thanks for this

    My setup is as below:
    1 x FE / Mediation server – was setup with local domain name initially for internal and external web services
    1 x Edge server – have deployed topology and got services running
    I have a Hardware firewall doing NAT from my public DNS to my internal private range

    I have been told i should do the reverse proxy option for security purposes.

    I setup TMG and imported my public cert and internal FE cert to my TMG server

    However i when trying to connect from my mobile device, i get certificate error

    Any suggestions???

  10. I see there are several supported scenarios. Do we need to join the TMG to the domain or leave it workgroup only?

  11. Hi… i am also working on the same infra and my TMG is with single NIC and it is already used for publishing share point rule. but when i am trying to publish the lync through this TMG by assigning another IP on the same IP and trying to telnet my Front end on 4443 and 8080 traffic goes through my share point IP not bye my second IP which i want to use for lync server.but ports are open for my second ip so i am unable to telnet my front end server please suggest thanks in advance

Comments are closed.