

Hi Daryl, thank you for this great post. I have a similar setup to you (single NIC TMG) but I've encountered some problems here.

My TMG server currently acts as a reverse proxy for Exchange server too, so when I create a new web listener for Lync, I get an error: "A web server specifying the same port and similar IP address is already used by "My_exchange_rule". The port and IP addresses specified in a web listener cannot overlap with IP address and port in another web listener."

Do you have any idea with this?

Merry Christmas and hope to hear from you soon.


DW Hunter

You've already got a port 443 for Exchange so you cannot add an additional 443 for Lync. Only one since you've got a single NIC/IP.


You can add an additional IP address on your NIC if you'd like.

But you'd have to adjust your various rules... somehow identifying traffic meant for Lync (currently set to /*) and traffic meant for Exchange (how did you identify the traffic?)


Daryl, many thanks for your valuable time to reply to my question above, I truly appreciate it.

Regarding how I identify the traffic, currently I NAT the 443 traffic to TMG server from firewall.

Could you give me some hints on how to adjust the various rules, please?



DW Hunter

Joe, I've never set up Exchange via TMG/ISA so I'm not sure how to help you.

I think the part you are missing here is you need to have unique "public names" and "IP Addresses" here.

For example, in this post, we're doing "public names" like "meeting.mirazon.com" and "meet.mirazon.com" and "dialin.mirazon.com" right?

Your Exchange OWA would be "mail.domain.com" or something similar. So, you'll need an additional web publishing rule / web listener combination listening to your OWA "public name" which matches a certificate on your exchange server.

Likewise, since you're using port 443 for Exchange OWA on an IP address bound to your single NIC... you cannot use that same IP address & port 443 for Lync. You'll have to add a secondary IP address on your NIC (Windows Control Panel) and then you can utilize that secondary IP when you create your new Lync Web Listener.

Does that give you better help?
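The steps DW Hunter describes above (add a second address to the single NIC, then give Lync its own 443 listener and its own public names) as an added PowerShell example; this is not code from the blog post or from any commenter. The interface name, the new address and mask are placeholders, and the public names are the ones mentioned in the thread. It also does the two checks a practitioner wants before opening the TMG wizard: that nothing already owns 443 on the new address, and what each public name currently resolves to.

```powershell
# Added example, not from the original post: prepare a secondary IP on a single-NIC
# TMG server so a separate Lync web listener can use 443 without overlapping the
# Exchange listener. Values below are placeholders; adjust for your environment.
$InterfaceName  = 'Local Area Connection'   # placeholder: the TMG NIC name
$LyncListenerIP = '192.168.1.51'            # placeholder: new secondary address
$SubnetMask     = '255.255.255.0'           # placeholder
$PublicNames    = @('meet.mirazon.com', 'dialin.mirazon.com', 'mail.domain.com')  # names from the thread

# 1. Add the secondary address. netsh works on Windows Server 2008 R2 (where TMG runs)
#    and needs an elevated prompt; this is the command-line equivalent of the
#    Control Panel step described above.
netsh interface ipv4 add address name="$InterfaceName" address=$LyncListenerIP mask=$SubnetMask
Start-Sleep -Seconds 2

# 2. A listener is only possible if nothing else is bound to the IP/port pair.
#    Binding a throwaway TcpListener and releasing it proves the pair is free;
#    an exception means another listener (e.g. the Exchange one) already owns it
#    or the address is not yet configured on this host.
function Test-PortFree {
    param([string]$Address, [int]$Port)
    $ep = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse($Address)), $Port
    $l  = New-Object System.Net.Sockets.TcpListener $ep
    try   { $l.Start(); $l.Stop(); return $true }
    catch { return $false }
}

"{0}:443 free for a new web listener: {1}" -f $LyncListenerIP, (Test-PortFree $LyncListenerIP 443)

# 3. Each listener/rule pair is told apart by its public name, so every name must
#    be unique and must resolve to the public address the firewall NATs to the
#    matching TMG IP. Show what DNS answers today so mismatches are visible.
foreach ($name in $PublicNames) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        "{0} -> {1}" -f $name, ($addrs -join ', ')
    } catch {
        "{0} -> no DNS answer" -f $name
    }
}
```

The DNS answers are the public (pre-NAT) addresses, so the thing to confirm is that the hardware firewall forwards each public address to the TMG IP whose listener carries that name; two names that resolve to the same public address will land on the same listener regardless of how the rules are written.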

Pankaj Ghsoh

Hi Daryl,

Thanks so much for this valuable article in setting up TMG for Lync. I need some help. Every time I try to access a meeting request from outside I get an error:

"The policy rules do not allow the user request. Rule: Default rule"

Here is my set up:

Two interfaces. One facing internal and the other external. The public IP has been NATed to the external interface. The certificate from GoDaddy is in place and has been applied on the external interface. Traffic from port 443 is forwarded to 4443. I see the request come to TMG in the logs but I see the Default rule at this point blocking it. In the browser I get Error 403, server not found.

Do I need to create any outbound rule allowing traffic leaving from inside the network to Internet? Not sure.

Any help will be appreciated.

Thanks, Pankaj.

Sam Edson

Hi, thanks for the walk through!

I was wondering...how do I get certificates on my TMG server? I see nothing in my list of available certs when I am trying to set up my Web Listener.

I have a lync deployment with a FE/Mediation, Edge, and Conferencing server. I do not use a Public Cert (like you said to use in this article) for anything but the Edge server's external cert. I have installed both my main Lync cert and the external public cert on my TMG server and they are both imported into 'Trusted Root Certification Authority'. But I still see nothing in the list.

What am I doing wrong? Certs have always been a weak point for me.


From a certificate assignment standpoint, my configuration sounds similar to that of S. Edson and I too am experiencing the same issue he has reported.

Sam were you able to resolve this problem?

Vineet Chawla

Hi Sam, you should install those certificates in the Personal store. Better use MMC and add the certificate snap-in. Then import the certificate to the Personal store. It will show the certificate then.
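The fix Vineet describes, as an added PowerShell example rather than code from the post or the commenters: import the PFX into the computer's Personal store with its private key, then list exactly the certificates the TMG web listener wizard can offer, and flag certificates that were dropped into Trusted Root by mistake (the situation Sam describes). The PFX path and password are placeholders; the script assumes it is run elevated on the TMG server itself.

```powershell
# Added example, not from the original post: install a certificate where TMG's
# web listener looks for it (LocalMachine\My, i.e. the Personal store) and
# verify what the listener wizard will be able to show.
$PfxPath     = 'C:\certs\lync-external.pfx'   # placeholder
$PfxPassword = 'PLACEHOLDER-PFX-PASSWORD'      # placeholder

# Import with MachineKeySet so the private key belongs to the computer, not the
# user running the script; TMG's service account must be able to reach it.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet,Exportable'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

function Get-ListenerCandidates {
    # The listener picker only offers Personal-store certificates that carry a
    # private key, so this list is what the wizard will show.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $c   = $_
        $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
        $sanText = '(none)'
        if ($san) { $sanText = $san.Format($false) }
        New-Object PSObject -Property @{
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            SAN        = $sanText
        }
    }
}

function Get-MisplacedCertificates {
    # A certificate with a private key sitting in Trusted Root is a sign it was
    # imported into the wrong store; TMG will never list it from there.
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.HasPrivateKey } |
        Select-Object Subject, Thumbprint
}

"Certificates the web listener can use:"
Get-ListenerCandidates | Format-Table Subject, SAN, NotAfter, Thumbprint -AutoSize

"Certificates with a private key in Trusted Root (imported into the wrong store):"
Get-MisplacedCertificates | Format-Table -AutoSize
```

The public name you type into the web publishing rule has to appear in the certificate's Subject or SAN column above; if it is missing, the listener may be created but external clients will see a name-mismatch certificate error, which is the symptom reported further down this thread for mobile clients.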


Darryl, many thanks for this

My setup is as below:
1 x FE / Mediation server - was setup with local domain name initially for internal and external web services
1 x Edge server - have deployed topology and got services running
I have a Hardware firewall doing NAT from my public DNS to my internal private range

I have been told I should do the reverse proxy option for security purposes.

I set up TMG and imported my public cert and internal FE cert to my TMG server.

However, when trying to connect from my mobile device, I get a certificate error.

Any suggestions???


I see there are several supported scenarios. Do we need to join the TMG to the domain or leave it workgroup only?


Hi... I am also working on the same infra and my TMG has a single NIC and is already used for publishing a SharePoint rule. But when I try to publish Lync through this TMG by assigning another IP on the same NIC and try to telnet my Front End on 4443 and 8080, the traffic goes through my SharePoint IP, not my second IP which I want to use for the Lync server. The ports are open for my second IP, so I am unable to telnet my Front End server. Please suggest, thanks in advance.
