Installing and configuring IIS ARR Reverse Proxy on Windows Server 2012 for Lync Server 2013 \ Skype for Business External access

As Forefront TMG 2010 is becoming end of life, Microsoft’s official and at the moment only supported Reverse Proxy solution for Lync Server 2013 is IIS ARR.
For Skype for Business Server the only supported solution is Server 2012 WAP, but IIS ARR 3.0 will also work for you.

Doing this is rather simple, and this post will demonstrate the steps to publish Lync 2013 External Web Services using IIS ARR on Windows Server 2012.

First things first, an installation and two downloads:

– OR –

  • Install IIS on Windows Server 2012 with all defaults, nothing too smart.
  • Download Hotfix for Microsoft Application Request Routing Version 2.5 for IIS7 (KB 2732764) (x64), we’ll use that later.
  • Use Microsoft Web Platform Installer to install IIS ARR 2.5.

Whichever platform you choose (ARR 2.5 or ARR 3.0), it’s an identical installation and configuration process:

You’ll get the first installation screen, telling you it will install 2 features:

first installation screen

Hitting “Install” will show you the features you’re about to install. That’s 4 components all together:

Installation list

Click “I Accept” and enjoy the commercial content from Microsoft whilst the installation is taking place:

Installation in progress

When the installation is finished, You’ll see it has installed four components:

Installation OK

If your server can’t access the internet for some reason, you’re up for a real treat:

Checking Windows 2012’s Programs and features will show you these exact 4 items. This is all you need for IIS ARR to work:

Installed components

Open IIS Manager, and you’ll see you have two new features:

  • “Server Farms” under the server node.
  • “Web Platform Installer” in the management node.

New IIS features

Configuring the website:

Import your Lync 2013 external certificate to the server:

Certificate list

Navigate to your default website in IIS Manager and click “Bindings”:

Website Bindings

You’ll see it has only the HTTP binding. Click “Add” to edit the HTTPS binding:

Add Bindings

In the next window, choose “HTTPS” from the drop down menu, then choose your Lync external certificate, and press “OK”:

Choose Certificate

This completes the configuration of the web site.

Create Server Farms:


  • We need to create a server farm for each name we’re publishing.
  • The Internal root CA (The one that’s used for signing the internal Lync certificates) must be placed in the “Trusted Root Certification Authorities” container in your IIS ARR machine.
  • The Internal names of your Lync servers and WAC servers must be resolvable from this server, so don’t forget to add them to your hosts file.

To build the first Server Farm, right click “Server Farms” and choose “Create Server Farm”:

Create server farm

In “Server Farm Name” enter the external FQDN of the service you want to publish.

This can be “”, “”. etc. After you enter the name of the server farm, click “Next”:

Meet Farm

On the “Add Server” window, type the name of the server you want to publish and then click “Advanced settings”:

Add Server and advanced settings

Remember to click “Advanced settings” BEFORE you click “Add”. You need to add the server to the farm only after you set the advanced settings for the server.

“Advanced settings” is where we set the port bridging rules from 443 to 4443, just like we used to do with TMG 2010.

Set the HTTP port to 8080 and the HTTPS port to 4443, then click “Add”:

*** For the Office Web Apps farm leave the ports 443 and 80, as these are redirected directly to the server’s website.

Advanced Settings

Now you can see the server in the server farm:

Server ok

Once you click “Finish”, you’ll get a prompt asking if you would like to create a URL rewrite rule:

Rewrite prompt

Choose “Yes”. This will come in very handy in just a few more moments.

Do the same steps for every external address you want to publish.

Eventually, you’ll end up with enough farms to publish all your external addresses:

All Farms

Now, a few adjustments to make this work right with Lync. For each server farm, do the following steps:

Step 1:

Click each server farm and choose “Caching”:

Meet Caching

In “Caching”, uncheck the “Enable disk cache” box:

Disable Caching

Step 2:

Click each server farm and choose “Proxy”:

Meet Proxy

In “Proxy”, change the Time-out to 200:


Step 3:

Click each server farm and choose “Routing Rules”:

Meet Routing

In “Routing Rules”, uncheck the “Enable SSL offloading” box:

Disable SSL offloading

After completing these three steps for all server farms, go to the IIS Server Home and click “URL Rewrite”:

URL Rewrite button

The next window will show you all the Server farms with the url rewrite rules that were created earlier (Remember that button?):

URL Rewrite main window

Clicking the ‘+’ sign on the left of each of the server farms will show you the existing URL Rewrite options. One of them is for HTTP, the other for HTTPS:

URL rewrite with HTTP

Since we are not using HTTP, you can remove the HTTP rule (the one that does NOT have the “_SSL” suffix). This will leave you with only the HTTPS rewrite rule.

Click “Add” to add a condition to the HTTPS rule:

URL rewrite only HTTPS

Start typing ‘{HTTP_‘ and choose the {HTTP_HOST} option from the drop-down menu. at the pattern, type the beginning of the FQDN followed by a star, e.g.: “Meet.*”, or “DialIn.*”:


The result should be like this:

URL Rewrite completed

Repeat these steps for each server farm on your list.

Important note regarding WAC:

One option is to publish it as a server farm as described above.

Another option is described in Koen Wagenveld’s great article on TechNet, to use a regular expression. Please refer to the article if you would like to use this option.

That’s about it! IIS ARR is now publishing your Lync 2013 services.