Installing and configuring IIS ARR Reverse Proxy on Windows Server 2012 for Lync Server 2013 \ Skype for Business External access

As Forefront TMG 2010 is reaching end of life, Microsoft’s official, and at the moment only supported, Reverse Proxy solution for Lync Server 2013 is IIS ARR.
For Skype for Business Server the only supported solution is Server 2012 WAP, but IIS ARR 3.0 will also work for you.

Doing this is rather simple, and this post will demonstrate the steps to publish Lync 2013 External Web Services using IIS ARR on Windows Server 2012.

First things first, an installation and two downloads:

– OR –

  • Install IIS on Windows Server 2012 with all defaults, nothing too smart.
  • Download Hotfix for Microsoft Application Request Routing Version 2.5 for IIS7 (KB 2732764) (x64), we’ll use that later.
  • Use Microsoft Web Platform Installer to install IIS ARR 2.5.

Whichever platform you choose (ARR 2.5 or ARR 3.0), it’s an identical installation and configuration process:

You’ll get the first installation screen, telling you it will install 2 features:

first installation screen

Hitting “Install” will show you the features you’re about to install. That’s 4 components all together:

Installation list

Click “I Accept” and enjoy the commercial content from Microsoft whilst the installation is taking place:

Installation in progress

When the installation is finished, you’ll see it has installed four components:

Installation OK

If your server can’t access the internet for some reason, you’re up for a real treat:

Checking Windows 2012’s Programs and features will show you these exact 4 items. This is all you need for IIS ARR to work:

Installed components

Open IIS Manager, and you’ll see you have two new features:

  • “Server Farms” under the server node.
  • “Web Platform Installer” in the management node.

New IIS features

Configuring the website:

Import your Lync 2013 external certificate to the server:

Certificate list

Navigate to your default website in IIS Manager and click “Bindings”:

Website Bindings

You’ll see it has only the HTTP binding. Click “Add” to add the HTTPS binding:

Add Bindings

In the next window, choose “HTTPS” from the drop down menu, then choose your Lync external certificate, and press “OK”:

Choose Certificate

This completes the configuration of the web site.

Create Server Farms:

Guidelines:

  • We need to create a server farm for each name we’re publishing.
  • The Internal root CA (The one that’s used for signing the internal Lync certificates) must be placed in the “Trusted Root Certification Authorities” container in your IIS ARR machine.
  • The Internal names of your Lync servers and WAC servers must be resolvable from this server, so don’t forget to add them to your hosts file.

To build the first Server Farm, right click “Server Farms” and choose “Create Server Farm”:

Create server farm

In “Server Farm Name” enter the external FQDN of the service you want to publish.

This can be “Meet.MyDomain.com”, “DialIn.MyDomain.com”, etc. After you enter the name of the server farm, click “Next”:

Meet Farm

On the “Add Server” window, type the name of the server you want to publish and then click “Advanced settings”:

Add Server and advanced settings

Remember to click “Advanced settings” BEFORE you click “Add”. You need to add the server to the farm only after you set the advanced settings for the server.

“Advanced settings” is where we set the port bridging rules from 443 to 4443, just like we used to do with TMG 2010.

Set the HTTP port to 8080 and the HTTPS port to 4443, then click “Add”:

*** For the Office Web Apps farm leave the ports 443 and 80, as these are redirected directly to the server’s website.

Advanced Settings

Now you can see the server in the server farm:

Server ok

Once you click “Finish”, you’ll get a prompt asking if you would like to create a URL rewrite rule:

Rewrite prompt

Choose “Yes”. This will come in very handy in just a few more moments.

Do the same steps for every external address you want to publish.

Eventually, you’ll end up with enough farms to publish all your external addresses:

All Farms

Now, a few adjustments to make this work right with Lync. For each server farm, do the following steps:

Step 1:

Click each server farm and choose “Caching”:

Meet Caching

In “Caching”, uncheck the “Enable disk cache” box:

Disable Caching

Step 2:

Click each server farm and choose “Proxy”:

Meet Proxy

In “Proxy”, change the Time-out to 200:

Time-out

Step 3:

Click each server farm and choose “Routing Rules”:

Meet Routing

In “Routing Rules”, uncheck the “Enable SSL offloading” box, so that ARR forwards requests to the internal servers over HTTPS rather than plain HTTP:

Disable SSL offloading

After completing these three steps for all server farms, go to the IIS Server Home and click “URL Rewrite”:

URL Rewrite button

The next window will show you all the Server farms with the url rewrite rules that were created earlier (Remember that button?):

URL Rewrite main window

Clicking the ‘+’ sign on the left of each of the server farms will show you the existing URL Rewrite options. One of them is for HTTP, the other for HTTPS:

URL rewrite with HTTP

Since we are not using HTTP, you can remove the HTTP rule (the one that does NOT have the “_SSL” suffix). This will leave you with only the HTTPS rewrite rule.

Click “Add” to add a condition to the HTTPS rule:

URL rewrite only HTTPS

Start typing ‘{HTTP_’ and choose the {HTTP_HOST} option from the drop-down menu. In the pattern field, type the beginning of the FQDN followed by a star, e.g.: “Meet.*”, or “DialIn.*”:

HTTP_HOST add

The result should be like this:

URL Rewrite completed

Repeat these steps for each server farm on your list.
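The settings from the steps above (port bridging to 4443, disk cache off, a 200-second time-out, SSL offloading off, and an HTTPS-only rewrite rule with an {HTTP_HOST} condition) can be checked in one pass. This is an added example, not part of the original post: the XML is a constructed sample in the shape ARR writes to applicationHost.config, and the function name Test-ArrLyncFarm, its -WacFarm parameter and all host names are hypothetical.

```powershell
# Added example, not from the original post. $sample is a constructed config in the
# shape ARR writes to applicationHost.config; every host name is a placeholder.
[xml]$sample = @'
<configuration>
  <webFarms>
    <webFarm name="meet.mydomain.com">
      <server address="lyncfe01.mydomain.local">
        <applicationRequestRouting httpPort="8080" httpsPort="4443" />
      </server>
      <applicationRequestRouting>
        <protocol timeout="00:03:20"><cache enabled="false" /></protocol>
      </applicationRequestRouting>
    </webFarm>
    <webFarm name="dialin.mydomain.com">
      <server address="lyncfe01.mydomain.local">
        <applicationRequestRouting httpPort="80" httpsPort="443" />
      </server>
    </webFarm>
  </webFarms>
  <rewrite><globalRules>
    <rule name="ARR_meet.mydomain.com_loadbalance_SSL" patternSyntax="Wildcard">
      <match url="*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" />
        <add input="{HTTP_HOST}" pattern="meet.*" />
      </conditions>
      <action type="Rewrite" url="https://meet.mydomain.com/{R:0}" />
    </rule>
    <rule name="ARR_dialin.mydomain.com_loadbalance" patternSyntax="Wildcard">
      <match url="*" />
      <action type="Rewrite" url="http://dialin.mydomain.com/{R:0}" />
    </rule>
  </globalRules></rewrite>
</configuration>
'@

function Test-ArrLyncFarm {
    # $WacFarm: farm names that keep ports 443/80 (the Office Web Apps farm).
    param([xml]$Config, [string[]]$WacFarm = @())
    foreach ($farm in $Config.SelectNodes('//webFarms/webFarm')) {
        $name = $farm.GetAttribute('name'); $issues = @()
        $wantPort = if ($WacFarm -contains $name) { '443' } else { '4443' }
        $proto = $farm.SelectSingleNode('applicationRequestRouting/protocol')
        $cache = $farm.SelectSingleNode('applicationRequestRouting/protocol/cache')
        if ($null -eq $cache -or $cache.GetAttribute('enabled') -ne 'false') { $issues += 'disk cache not disabled' }
        $timeout = if ($null -ne $proto) { $proto.GetAttribute('timeout') }
        if (-not $timeout -or [TimeSpan]::Parse($timeout).TotalSeconds -ne 200) { $issues += 'time-out is not 200 s' }
        foreach ($srv in $farm.SelectNodes('server/applicationRequestRouting')) {
            if ($srv.GetAttribute('httpsPort') -ne $wantPort) { $issues += "HTTPS port is not $wantPort" }
        }
        # ARR names its rules ARR_<farm>_loadbalance (HTTP) and ARR_<farm>_loadbalance_SSL.
        $rules = @($Config.SelectNodes("//globalRules/rule[starts-with(@name, 'ARR_${name}_')]"))
        $ssl = @($rules | Where-Object { $_.GetAttribute('name') -like '*_SSL' })
        if ($rules.Count -gt $ssl.Count) { $issues += 'HTTP rewrite rule still present' }
        if ($ssl.Count -eq 0) { $issues += 'no HTTPS rewrite rule' }
        foreach ($rule in $ssl) {
            if ($null -eq $rule.SelectSingleNode("conditions/add[@input='{HTTP_HOST}']")) { $issues += 'no {HTTP_HOST} condition' }
            if ($rule.SelectSingleNode('action').GetAttribute('url') -notlike 'https://*') { $issues += 'SSL offloading is on' }
        }
        [pscustomobject]@{ Farm = $name; Compliant = ($issues.Count -eq 0); Issues = $issues -join '; ' }
    }
}

Test-ArrLyncFarm -Config $sample | Format-List
```

To audit a live server, load `$env:windir\System32\inetsrv\config\applicationHost.config` with `[xml](Get-Content <path> -Raw)` instead of the sample, and pass the Office Web Apps farm name in -WacFarm.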

Important note regarding WAC:

One option is to publish it as a server farm as described above.

Another option is described in Koen Wagenveld’s great article on TechNet, to use a regular expression. Please refer to the article if you would like to use this option.

That’s about it! IIS ARR is now publishing your Lync 2013 services.

Download: Microsoft Lync Server 2013 Multitenant Hosting Pack Deployment Guide

Microsoft has announced the release of the Lync Server 2013 Multitenant Hosting Pack Deployment Guide.
The Lync Server 2013 Multitenant Hosting Pack enables service providers to sell value-added, Lync-based solutions to small and midsized customers. The hosting pack topology, based on Lync Online, enables partners to offer a more cost-effective topology to manage a large number of tenants with fewer users, which makes the offering compelling to small-to-midsized customers.

What’s Available in the Lync Server 2013 Multitenant Hosting Pack?

The features that integrate with other components and applications include the following:

  • Presence   A collection of attributes that provides an indication of a person’s status, activity, location, willingness to communicate, and contact information.
  • Instant messaging (IM)   A form of real-time text-based communication.
  • Data and desktop sharing   A feature that allows users to share files, use whiteboard, and display their desktop to a meeting or to conversation participants.
  • Conferencing   Two-way video and audio transmissions between users in multiple locations.
  • Unified Messaging   This feature is available only in combination with Microsoft Exchange Server. An application that consolidates a user’s voice mail, fax, and email into one mailbox, so that the user only needs to check a single location for messages, regardless of type. The email server is the platform for all types of messages, making it unnecessary to maintain separate voice mail and email infrastructures.
  • Private branch exchange (PBX) replacement   UC integration with Voice over Internet Protocol (VoIP) systems can replace traditional phone exchange systems.

Lync Server Multitenant Hosting Pack partner feature set includes:

  • Appliances   Hand and head set I/O devices.
  • Conferencing server gateway video   Real-time IP video, voice, and data services.
  • Audio conferencing provider   Integration with hosted conferencing systems.
  • Short Message Service (SMS)   Text messaging systems used by phones and mobile communication systems.

 

Lync Server 2013 WAC (Office Web Apps Server) – Part 2: Publishing

In part 1 of this post, we learned how to install and configure the Lync Server 2013 WAC Server.

In this part, we’ll publish it to enable external users access to our conference resources.

Add External Access url:

In part 1, we used the following command:

New-OfficeWebAppsFarm -InternalURL "https://LyncWAC.YourDomain.Local" -CertificateName "My WAC Server"

For external access, use the same command, but add -ExternalURL “<WAC server external FQDN>”. So if you want to run it all together, the command would be:

New-OfficeWebAppsFarm -InternalURL "https://LyncWAC.YourDomain.Local" -ExternalURL "https://WACsrv.domain.com" -CertificateName "My WAC Server"

That’s all the configuration needed on the Lync side.

The next step is to configure a publishing rule in TMG 2010. Unfortunately, you cannot use your External web URL, since Lync traffic is bridged to port TCP 4443, and Office Web Apps Server works over HTTPS, meaning TCP 443.

Update:

Since TMG is end of life, you can now use IIS ARR to publish Lync Server 2013.

Refer to this post if you want to use IIS ARR.

Publish your server with Forefront TMG 2010:

From your TMG console, select “New Web Publishing Rule”. Give your rule a name and click “Next”:

In the “Select Rule Action” window, choose “Allow” and click “Next”:

In the “Publishing Type” window choose “Publish a single Web site or load balancer”:

Then choose “Use SSL”:

In the next window, enter your Internal site name. That’s the one entered earlier in the command. If your TMG cannot resolve this name to an IP, you can enter the IP in the field below:

In the Internal Publishing Details window, Enter /* in the path field, and remember to check the “Forward the original host header…” checkbox:

In “Public Name Details” enter the external FQDN of your WAC server. This is the name you entered earlier in the -ExternalURL command:

In the “Select Web Listener” window select “New”:

Name your listener and click next:

Choose “Require SSL” in the Client Connection Security window:

Choose your listener IP:

Choose your listener’s certificate:

(Must contain your external FQDN)

In the “Authentication Settings” window select “No Authentication”:

Click “Next” on the SSO settings page, review your listener’s settings and click Finish:

The new listener is now selected for your rule:

In the next window, choose “No delegation, but client may authenticate directly”:

Leave the user sets with “All Users”:

In the last window, review your settings and click Finish:

Locate your rule in the TMG console and right click to edit it:

Navigate to the “Traffic” tab, click “Filtering” and “Configure HTTP”:

Uncheck the “Verify normalization” box and click OK:

Verify_Normalization

Apply the changes to your Forefront TMG 2010 Server.

To test your WAC publishing, open a web browser and type: https://<ExternalFQDN.Domain.Com>/hosting/discovery

You should get an XML output similar to this:

<?xml version="1.0" encoding="UTF-8"?>
-<wopi-discovery>-<net-zone name="internal-https">-<app name="Excel" checkLicense="true" favIconUrl="https://lyncwac.mydomain.local/x/_layouts/images/FavIcon_Excel.ico"><action name="view" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" default="true" ext="ods"/><action name="view" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" default="true" ext="xls"/><action name="view" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" default="true" ext="xlsb"/><action name="view" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" default="true" ext="xlsm"/><action name="view" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" default="true" ext="xlsx"/><action name="edit" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?edit=1&<ui=UI_LLCC&><rs=DC_LLCC&>" ext="ods" requires="update"/><action name="edit" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?edit=1&<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsb" requires="update"/><action name="edit" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?edit=1&<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsm" requires="update"/><action name="edit" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?edit=1&<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsx" requires="update"/><action name="editnew" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?edit=1&<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsx" requires="update"/><action name="interactivepreview" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlpreview.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" default="true" ext="xlsb"/><action name="interactivepreview" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlpreview.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" default="true" 
ext="xlsm"/><action name="interactivepreview" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlpreview.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" default="true" ext="xlsx"/><action name="mobileView" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xls"/><action name="mobileView" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsb"/><action name="mobileView" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsm"/><action name="mobileView" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsx"/><action name="embedview" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlembed.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsb"/><action name="embedview" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlembed.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsm"/><action name="embedview" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlembed.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsx"/><action name="formsubmit" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlform.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsb"/><action name="formsubmit" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlform.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsm"/><action name="formsubmit" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlform.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>"

Note you will have two “net zones”: “internal-https” and “external-https”, each with the following applications offered:

  • Excel
  • OneNote
  • PowerPoint
  • Word

Your Lync 2013 WAC Server is ready.

Lync Server 2013 and Skype for Business Server 2015 – WAC (Office Web Apps Server) – Part 1: Installing and configuring

27.03.2013: Updated to the latest version of Office Web Apps Server.

Lync Server 2013 WAC is a new requirement in the Lync Server 2013 deployment. You’ll have to have this server if you want to be able to share PowerPoint presentations.

The installation and configuration of this server is quite easy, let’s take a look:

Prerequisites:

First, download the Microsoft Office Web Apps Server from here and the update from here. While it downloads, we can configure the other prerequisites.

If you’re using Windows Server 2008R2, please download Microsoft’s .Net Framework 4.5, download Windows Management Framework 3.0, and download KB2592525, which will allow you to run the applications in a Server 2008R2 environment.

Install all of the above. Then run this from an elevated PowerShell:

Import-Module ServerManager
Add-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Security,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Ink-Handwriting,IH-Ink-Support

Restart the server if you’re prompted to do so.

If you’re using Windows Server 2012, it’s even easier; just run the following from an elevated PowerShell (Server 2012 imports the relevant PS modules automatically, so you don’t have to use the “Import-Module” command):

Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices

Restart the server if you’re prompted to do so.

Install the Microsoft Office Web Apps Server:

For Server 2012, double-click the .img file and run “Setup.exe”.

For Server 2008R2, open the .img file with any software of your choice and run “Setup.exe”.

Restart the server if you’re prompted to do so and install the update.

Create a certificate:

Like most Lync services, you’re required to assign a certificate to this service as well.

We’ll use the IIS Manager to do that:

Launch the IIS Manager and scroll down to “Server Certificates”:

In the “Server Certificates” window, click on “Create Domain Certificate” in the Action pane:

In the “Create Certificate” window, fill the details of your server and organization. Note that the “Common Name” must be in the “Server.Domain.Local” format:

In the next window, choose your CA, and give your certificate a friendly display name. We’ll use that name later:

When you click “Finish”, you’ll see you have a new certificate:

Configure the WAC Server:

From an elevated PowerShell, run the following command:

New-OfficeWebAppsFarm -InternalURL "https://LyncWAC.YourDomain.Local" -CertificateName "My WAC Server"

In -CertificateName, enter the friendly name you gave your certificate earlier.

The result should look like this:

To check that, open a web browser and go to https://LyncWAC.YourDomain.Local/hosting/discovery. You should get this result:

If you get an error, try fixing your .Net Framework 3.5 components with this command:

%systemroot%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -iru

Then, run iisreset /restart /noforce.

Your WAC Server is ready!

Add the Server to Lync Topology:

Open the Lync Server Topology Builder, expand “Shared Components”, right click “Office Web Apps Servers”, and choose “New Office Web Apps Server…”:

In the new window, type your server’s FQDN. The wizard will fill in the discovery address:

Press OK, and the server is in your topology:

Associate your Front-End pools with your Office Web Apps Server, publish the topology, and you’re done!

See how to publish your WAC server in Part 2 of this post

Install Lync Server 2013 prerequisites on Windows Server 2008R2, Windows Server 2012 and Windows Server 2012R2

Updated: Dec 16, 2012

Lync 2013 is out, along with a new set of demands to install it right on your Windows Server.

Here’s how to get it done:

Windows Server 2008R2:

First, install the roles and features required:

Import-Module ServerManager
Add-WindowsFeature Web-Dyn-Compression,desktop-experience,RSAT-ADDS,Web-Server,Web-Scripting-Tools,Web-Windows-Auth,Web-Asp-Net,Web-Log-Libraries,Web-Http-Tracing,Web-Stat-Compression,Web-Default-Doc,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Http-Errors,Web-Http-Logging,Web-Net-Ext,Web-Client-Auth,Web-Filtering,Web-Mgmt-Console,Msmq-Server,Msmq-Directory

Then install .Net 4.5 Framework (Download).

Next, install Windows Identity Foundation (Download) and Windows Management Framework 3.0 (Download) that contains PowerShell 3.0.

You might also have to download and install KB2646886.

Windows Server 2012 and Windows Server 2012R2:

Make sure you have the Windows Server installation CD or source. It’s required to install .Net 3.5 Framework.

Then, from an elevated PowerShell, run the following command:

Note: You don’t need to run “Import-Module ServerManager”, Windows 2012 loads the modules automatically

Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Windows-Identity-Foundation, Telnet-Client, BITS -Source D:\sources\sxs

If your Windows Server 2012 installation source is not your D drive, change it to your desired location.

On Windows Server 2012R2 you should install Lync Server 2013 with at least CU3 (Download the latest here).

To avoid Event IDs 32402, 61045 on Lync 2013 Front End Servers (See KB2901554), run the following from an elevated command prompt:

Reg Add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel" /V "EnableSessionTicket" /D 2 /T REG_DWORD /F

Now you’re all ready to install Lync Server 2013.