As Forefront TMG 2010 is reaching end of life, Microsoft’s official and, at the moment, only supported reverse proxy solution for Lync Server 2013 is IIS ARR.
For Skype for Business Server the only supported solution is Server 2012 Web Application Proxy (WAP), but IIS ARR 3.0 will also work for you.
Doing this is rather simple, and this post will demonstrate the steps to publish Lync 2013 External Web Services using IIS ARR on Windows Server 2012.
First things first, an installation and two downloads:
- Install IIS on Windows Server 2012R2 with all defaults, nothing too smart.
- Use Microsoft Web Platform Installer to install IIS ARR 3.0.
– OR –
- Install IIS on Windows Server 2012 with all defaults, nothing too smart.
- Download Hotfix for Microsoft Application Request Routing Version 2.5 for IIS7 (KB 2732764) (x64), we’ll use that later.
- Use Microsoft Web Platform Installer to install IIS ARR 2.5.
Whichever platform you choose (ARR 2.5 or ARR 3.0), it’s an identical installation and configuration process:
You’ll get the first installation screen, telling you it will install two features:
Hitting “Install” will show you the features you’re about to install. That’s four components altogether:
Click “I Accept” and enjoy the commercial content from Microsoft whilst the installation is taking place:
When the installation is finished, you’ll see it has installed four components:
If your server can’t access the internet for some reason, you’re up for a real treat:
- Download Web Platform Installer 3.0.
- Download Web Deploy v2.0.
- Download Web Farm Framework 2.2 (Scroll to bottom of page).
- Download ARR 3.0.
- Install IIS on Windows Server 2012R2 with all defaults, nothing too smart.
- Install all of the above in the order listed.
Checking Windows 2012’s Programs and Features will show you exactly these four items. This is all you need for IIS ARR to work:
Open IIS Manager, and you’ll see you have two new features:
- “Server Farms” under the server node.
- “Web Platform Installer” in the management node.
Configuring the website:
Import your Lync 2013 external certificate to the server:
Navigate to your default website in IIS Manager and click “Bindings”:
You’ll see it has only the HTTP binding. Click “Add” to add the HTTPS binding:
In the next window, choose “HTTPS” from the drop-down menu, then choose your Lync external certificate, and press “OK”:
This completes the configuration of the web site.
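The same certificate import and HTTPS binding can be done from PowerShell. The script below is an added example, not part of the original post: it uses the WebAdministration and PKI modules that ship with Windows Server 2012, and the PFX path and site name are assumptions you replace with your own.

```powershell
# Added example (not from the original post): import the Lync external
# certificate and add the HTTPS binding to the default website.
# Run in an elevated 64-bit PowerShell on the IIS ARR server.
Import-Module WebAdministration

$PfxPath  = 'C:\certs\lync-external.pfx'   # assumed path to the exported external certificate
$SiteName = 'Default Web Site'             # the default website created by the IIS install

# Prompt for the PFX password instead of embedding it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into the machine's Personal store, where IIS looks for server certificates.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Refuse to bind a certificate that is not yet valid or has already expired.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate $($cert.Subject) is not valid at $now (valid $($cert.NotBefore) to $($cert.NotAfter))"
}

# Add the HTTPS binding on 443 for all addresses with no host header,
# so every name you publish through ARR is answered by this one binding.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate to the 0.0.0.0:443 SSL binding (replace any existing one).
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
$cert | New-Item $sslBinding | Out-Null

# Show the resulting bindings for a final visual check.
Get-WebBinding -Name $SiteName
```

Because the binding carries no host header, this single certificate answers for every farm you create later, so it has to contain all the external names you publish (meet, dialin, external web services and so on) as subject alternative names.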
Create Server Farms:
Guidelines:
- We need to create a server farm for each name we’re publishing.
- The internal root CA (the one used for signing the internal Lync certificates) must be placed in the “Trusted Root Certification Authorities” container on your IIS ARR machine; otherwise ARR cannot validate the certificates your Lync servers present when it forwards traffic to them over HTTPS.
- The internal names of your Lync servers and WAC servers must be resolvable from this server, so don’t forget to add them to your hosts file if DNS can’t resolve them.
To build the first Server Farm, right click “Server Farms” and choose “Create Server Farm”:
In “Server Farm Name” enter the external FQDN of the service you want to publish.
This can be “Meet.MyDomain.com”, “DialIn.MyDomain.com”, etc. After you enter the name of the server farm, click “Next”:
On the “Add Server” window, type the name of the server you want to publish and then click “Advanced settings”:
Remember to click “Advanced settings” BEFORE you click “Add”. You need to add the server to the farm only after you set the advanced settings for the server.
“Advanced settings” is where we set the port bridging rules from 443 to 4443, just like we used to do with TMG 2010.
Set the HTTP port to 8080 and the HTTPS port to 4443, then click “Add”:
*** For the Office Web Apps farm leave the ports at 443 and 80, as these requests are forwarded directly to the server’s own website.
Now you can see the server in the server farm:
Once you click “Finish”, you’ll get a prompt asking if you would like to create a URL rewrite rule:
Choose “Yes”. This will come in very handy in just a few more moments.
Do the same steps for every external address you want to publish.
Eventually, you’ll end up with enough farms to publish all your external addresses:
Now, a few adjustments to make this work right with Lync. For each server farm, do the following steps:
Step 1:
Click each server farm and choose “Caching”:
In “Caching”, uncheck the “Enable disk cache” box:
Step 2:
Click each server farm and choose “Proxy”:
In “Proxy”, change the Time-out (seconds) to 200:
Step 3:
Click each server farm and choose “Routing Rules”:
In “Routing Rules”, uncheck the “Enable SSL offloading” box, so that ARR forwards requests to the Lync servers over HTTPS instead of plain HTTP:
After completing these three steps for all server farms, go to the IIS Server Home and click “URL Rewrite”:
The next window will show you all the server farms with the URL Rewrite rules that were created earlier (remember that button?):
Clicking the ‘+’ sign on the left of each of the server farms will show you the existing URL Rewrite options. One of them is for HTTP, the other for HTTPS:
Since we are not publishing HTTP, you can remove the HTTP rule (the one that does NOT have the “_SSL” suffix). This will leave you with only the HTTPS rewrite rule, so plain-HTTP requests are no longer proxied to the Lync servers.
Click “Add” to add a condition to the HTTPS rule:
Start typing ‘{HTTP_‘ and choose the {HTTP_HOST} option from the drop-down menu. In the pattern field, type the beginning of the FQDN followed by a star, e.g. “Meet.*” or “DialIn.*”:
The result should be like this:
Repeat these steps for each server farm on your list.
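With several farms it is easy to miss one of the three adjustments or the host condition on a rule. The script below is an added check, not part of the original post: it reads the ARR settings straight from applicationHost.config and reports every farm or rewrite rule that does not match the guidelines and steps above. The root CA subject and the WAC farm name are assumptions to replace with your own; the element and attribute names follow the ARR configuration schema as IIS Manager writes it.

```powershell
# Added check script (not from the original post). Run in an elevated 64-bit
# PowerShell on the IIS ARR server after creating and adjusting the farms.
$InternalCaSubject = 'CN=Contoso Internal Root CA'      # assumed: your internal root CA subject
$WacFarms          = @('officewebapps.contoso.com')     # assumed: farms that keep ports 80/443
$ExpectedTimeout   = [TimeSpan]::FromSeconds(200)       # Step 2: proxy time-out of 200 seconds

$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$cfg   = Get-Content -Path $configPath -Raw
$problems   = New-Object System.Collections.Generic.List[string]

# Guideline: the internal root CA must be trusted, or ARR cannot validate the
# certificates the Lync servers present on port 4443.
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $InternalCaSubject })) {
    $problems.Add("Internal root CA '$InternalCaSubject' is not in Cert:\LocalMachine\Root")
}

$farms = @($cfg.configuration.webFarms.webFarm | Where-Object { $_ })
$rules = @($cfg.configuration.'system.webServer'.rewrite.globalRules.rule | Where-Object { $_ })
if ($farms.Count -eq 0) { $problems.Add('No server farms found in applicationHost.config') }

foreach ($farm in $farms) {
    $name  = $farm.name
    $isWac = $WacFarms -contains $name
    $arr   = $farm.applicationRequestRouting        # farm-level ARR settings (Caching, Proxy)

    # Step 1: disk cache off. ARR's default is enabled, so a missing attribute counts as on.
    $cacheEnabled = if ($arr.protocol.cache.enabled) { $arr.protocol.cache.enabled } else { 'true' }
    if ($cacheEnabled -eq 'true') { $problems.Add("${name}: disk cache is still enabled") }

    # Step 2: time-out of 200 seconds, stored as hh:mm:ss (ARR default is 00:00:30).
    $timeoutText = if ($arr.protocol.timeout) { $arr.protocol.timeout } else { '00:00:30' }
    $timeout = [TimeSpan]::Parse($timeoutText)
    if ($timeout -ne $ExpectedTimeout) { $problems.Add("${name}: proxy time-out is $timeout, expected $ExpectedTimeout") }

    foreach ($server in @($farm.server | Where-Object { $_ })) {
        $addr  = $server.address
        $ports = $server.applicationRequestRouting
        # Port bridging: Lync farms go 80->8080 and 443->4443; the WAC farm keeps 80/443.
        $httpPort  = if ($ports.httpPort)  { $ports.httpPort }  else { '80' }
        $httpsPort = if ($ports.httpsPort) { $ports.httpsPort } else { '443' }
        $wantHttp  = if ($isWac) { '80' }  else { '8080' }
        $wantHttps = if ($isWac) { '443' } else { '4443' }
        if ($httpPort -ne $wantHttp -or $httpsPort -ne $wantHttps) {
            $problems.Add("${name}/${addr}: ports http=$httpPort https=$httpsPort, expected http=$wantHttp https=$wantHttps")
        }
        # Guideline: the internal server name must resolve here (DNS or hosts file).
        try   { [void][System.Net.Dns]::GetHostAddresses($addr) }
        catch { $problems.Add("${name}/${addr}: name does not resolve on this server") }
    }

    # URL Rewrite: only the *_SSL rule should remain, rewriting to https:// (SSL
    # offloading off, Step 3) and limited to this farm's name by a {HTTP_HOST} condition.
    $httpRule = $rules | Where-Object { $_.name -like "*${name}*" -and $_.name -notlike '*_SSL' }
    $sslRule  = $rules | Where-Object { $_.name -like "*${name}*_SSL" }
    if ($httpRule) { $problems.Add("${name}: plain-HTTP rewrite rule '$($httpRule.name)' still present") }
    if (-not $sslRule) { $problems.Add("${name}: no *_SSL rewrite rule found"); continue }
    if ($sslRule.action.url -notlike 'https://*') {
        $problems.Add("${name}: rule rewrites to '$($sslRule.action.url)'; is SSL offloading still enabled?")
    }
    $hostConditions = @($sslRule.conditions.add | Where-Object { $_.input -eq '{HTTP_HOST}' })
    if ($hostConditions.Count -eq 0) { $problems.Add("${name}: HTTPS rule has no {HTTP_HOST} condition") }
}

if ($problems.Count -eq 0) { Write-Host 'All IIS ARR checks passed.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

The {HTTP_HOST} check matters beyond tidiness: without it, the first *_SSL rule in the list matches every HTTPS request regardless of the name the client asked for, so all published names would be routed to a single farm. The script reads the configuration file directly rather than going through the UI, so it is also a convenient thing to run again after any later change in IIS Manager.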
Important note regarding WAC:
One option is to publish it as a server farm as described above.
Another option is described in Koen Wagenveld’s great article on TechNet, to use a regular expression. Please refer to the article if you would like to use this option.
That’s about it! IIS ARR is now publishing your Lync 2013 services.