[Tutorial] Microsoft Lync Edge Server without Reverse Proxy

A reverse proxy server such as Microsoft Forefront Threat Management Gateway 2010 or ISA Server 2006 is recommended to publish the External Web Services on the Lync Front End Server to the Internet while protecting the server from attack. However, it is possible to use a firewall to pass the traffic straight through to the Front End Server.
Using Lync without a reverse proxy is possible, but it is not a deployment method supported by Microsoft.
Purpose of the reverse proxy:
  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book service.
  • Accessing the Microsoft Lync Web App client.
  • Accessing the Dial-in Conferencing Settings webpage.
  • Accessing the Location Information service.
  • Enabling external devices to connect to Device Update web service and obtain updates.

In my case I am using the URLs below:
meet.mytricks.in    -> Simple URL
dialin.mytricks.in  -> Simple URL
lyncweb.mytricks.in -> External Web Services URL
I am using a Cisco ASA 5510 firewall.
I am able to connect to my Lync Front End Server from the Internet via the Edge Server. Everything is in place now; I just need to expose the Simple URLs and External Web Services.
Lync setup creates two web sites in IIS, “Lync Server Internal Web Site” and “Lync Server External Web Site”, each configured for either internal or external access. The internal site is published on ports 80 and 443 and the external site on 8080 and 4443.
As per Microsoft’s documentation you have to use a reverse proxy server to publish the external Simple URLs and External Web Services.
So let's get started:
1. Assign an additional IP address to your Lync Front End Server as shown below,

2. Open Internet Information Services (IIS) Manager (Start -> Run -> type inetmgr and press Enter).
3. Click on “Lync Server Internal Web Site” and click Stop under “Manage Web Site” in the right pane, as shown below,
4. Now click on “Lync Server External Web Site” and click on Bindings, as shown below,

5. Change the HTTP port from 8080 to 80 and the HTTPS port from 4443 to 443, and change the IP address from * to the IP address added in step 1 (i.e. the second IP address of the Front End Server).

6. Please follow [Guide] Installing trusted Certificate on Microsoft Lync External Web Services & Simple URLs
7. Now we need to configure our Cisco ASA 5510 firewall.
Open Cisco ASA 5510 ASDM and go to Firewall -> NAT Rules -> Add -> Add Static NAT Rule, as shown below

8. Now we need to allow HTTPS from all outside users so they can reach the Simple URLs and External Web Services.
Open Cisco ASA 5510 ASDM and go to Firewall -> Access Rules -> Add -> Add Access Rule,

9. Now log in to Lync from the Internet via the Lync Client and try to access dialin.mytricks.in, meet.mytricks.in and lyncweb.mytricks.in.
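As an added example (not from the original post), the following PowerShell script does the IIS side of steps 3 to 6 on the Front End Server and then verifies that the external site answers only on the second IP address and that the public certificate carries a SAN for each external hostname. The second IP address, the certificate thumbprint placeholder and the three hostnames are assumptions chosen to match this post.

```powershell
# Added example: rebind "Lync Server External Web Site" from 8080/4443 to 80/443 on the
# second IP added in step 1 and verify the result. IP, thumbprint and hostnames are assumed.
Import-Module WebAdministration

$externalIp   = '10.10.1.77'                      # second IP of the Front End Server (assumed)
$internalSite = 'Lync Server Internal Web Site'
$externalSite = 'Lync Server External Web Site'
$thumbprint   = '<THUMBPRINT-OF-PUBLIC-SAN-CERT>'   # placeholder: thumbprint of the step 6 certificate
$hostnames    = 'lyncweb.mytricks.in', 'meet.mytricks.in', 'dialin.mytricks.in'

# Step 3: stop the internal site so it cannot answer on the same ports.
if ((Get-Website -Name $internalSite).State -ne 'Stopped') { Stop-Website -Name $internalSite }

# Steps 4-5: remove the wildcard 8080/4443 bindings, then bind 80/443 to the second IP only,
# so the external site is never reachable on the server's primary (internal) address.
Get-WebBinding -Name $externalSite | ForEach-Object {
    Remove-WebBinding -Name $externalSite -Protocol $_.protocol -BindingInformation $_.bindingInformation
}
New-WebBinding -Name $externalSite -Protocol http  -IPAddress $externalIp -Port 80
New-WebBinding -Name $externalSite -Protocol https -IPAddress $externalIp -Port 443

# Step 6: attach the public certificate to the new HTTPS endpoint.
$cert    = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$sslPath = "IIS:\SslBindings\$externalIp!443"
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $cert | Out-Null

# Check 1: every external hostname must appear in the certificate's Subject Alternative Name
# extension, otherwise clients (including mobile ones) fail TLS validation.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
foreach ($h in $hostnames) {
    if ($sanText -notmatch [regex]::Escape($h)) { Write-Warning "Certificate has no SAN entry for $h" }
}

# Check 2: no binding may remain on an address other than the second IP, and the internal
# site must still be stopped; either condition would expose more than intended.
$bindings = Get-WebBinding -Name $externalSite
$stray    = $bindings | Where-Object { $_.bindingInformation -notlike "${externalIp}:*" }
if ($stray) { throw "External site still bound elsewhere: $($stray.bindingInformation -join ', ')" }
if ((Get-Website -Name $internalSite).State -ne 'Stopped') { throw "Internal site is still running" }

$bindings | Format-Table protocol, bindingInformation -AutoSize
```

Run it from an elevated PowerShell on the Front End Server after the step 6 certificate is in the machine store; the ASA NAT and access rules from steps 7 and 8 still have to be created separately.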

14 Comments

  1. Amit says:

    Hi,
    Thanks for this KT. We have set up the same thing as per your deployment tricks, but there is some problem with the Lync Mobile client; it is still not working. We don't have any reverse proxy installed in our office.

    Please suggest how I can get it done.

    Thanks,
    Amit Sharma

  2. Santosh says:

    Hi Amit,

    A reverse proxy is not mandatory for Lync mobile & Edge Server, but for security reasons it is recommended by Microsoft. In my case I have used my Cisco ASA Firewall to publish my Lyncdiscover URL. I have one question for you: are you able to access your Lyncdiscover URL over the Internet, i.e. from outside your network?
    Check my guide below on Lync mobility; it covers all the Lync mobility steps:
    http://mytricks.in/2012/01/guide-step-by-step-microsoft-lync/

  3. Tforie says:

    Hi, thanks for the tutorial. I’ve been searching on this one for a few days now. I have a Lync Front End server and an Edge server, using a Cisco ASA 5510 without reverse proxy. But it won’t work on mobile devices (iPhone). Can you help me with this?

    Thanks!

  4. Santosh says:

    Tforie,

    One question for you: are you able to access your Lyncdiscover URL (example https://lyncdiscover.mytricks.in) over the Internet, i.e. from outside your network?
    Have you installed a public SSL certificate for your Lyncdiscover in IIS?

    Do you have a SAN certificate for Lync?

  5. Jason Snook says:

    I’m curious if it would be possible to re-key the UCC cert I used on my Lync Edge server to add ‘lyncdiscover.domain.com’. I have actually tried this but the cert does not show up as an assignable cert for the Lync FE server’s external site.

    Is this even possible or will I have to purchase a 2nd UCC cert for the FE External site?

    Thanks,
    Jason

    • admin says:

      Hey Jason,

      You can re-key the existing certificate to add or remove subject alternative names (SANs) in a UCC SSL certificate.
      After the re-key you need to download the new certificate and assign it.

      Check the info below for more details:

      http://support.godaddy.com/help/4976

      Thanks
      Santosh

      • Jason Snook says:

        Hi Santosh, thanks for certificate tip. I feel like I am 95% complete with a full Lync + mobility + federation deployment. Before I describe the final pending issue I’d like to update my lessons learned where DNS is concerned.

        When deploying a Lync Edge server withOUT a reverse proxy you must create an A record for the hostname that points to the 2nd NIC on your pool server. Secondly, you must create a CNAME of ‘lyncdiscover’ that points to this A record. Here is my example:

        Internal Pool Server:
        10.10.1.73 FQDN lyncpool.domain.com
        10.10.1.77 (this is acting as the reverse proxy) FQDN lyncweb.domain.com
        HOST A = lyncpool.domain.com – 10.10.1.73
        HOST A = lyncweb.domain.com – 10.10.1.77
        CNAME = lyncdiscover.domain.com – lyncweb.domain.com

        This rule also applies to external DNS. My external DNS looks like this:

        HOST A = lyncweb.domain.com – 173.226.x.x
        CNAME = lyncdiscover.domain.com – lyncweb.domain.com

        I hope this helps future users when deploying Lync Edge services withOUT a reverse proxy.

        My next comment will describe the final missing piece to this deployment in hopes of resolving the issue.

        Many thanks to Santosh for updating this post with his helpful comments.

        -Jason

  6. Jason Snook says:

    My final issue with deploying Lync Edge services is with Lync Sharing with Federated users.

    First off let me describe what is currently working:

    Internal and External users of my domain can chat, share, and video call between one another without being on our LAN/WAN. External client connectivity works without issue.

    We can chat and gather presence data with Federated users.

    Now the final piece…

    We are unable to share or launch video chats with Federated users. The error reported from the client is “Lync Sharing failed due to network connectivity issues”.

    Does anyone have thoughts on how I can actively debug this issue?

    Also, is anyone out there willing to federate with my domain in an effort to troubleshoot this?

    Thanks,
    Jason

    • admin says:

      Hello Jason,

      You need to take a look at a network trace during the call. Check the network trace on the Edge server during the call, using Microsoft Network Monitor or Wireshark.

      I think there might be an issue on your firewall side; you might need to recheck the ports required to be open for Microsoft Lync.

      By checking the traces you will get a better idea.

      Thanks.
      Santosh

  7. Sergey says:

    So we’re forwarding web and HTTPS traffic to ports 8080 and 4443 on the Front End server. It works. The question is, what if we have 2 Front End servers in a pool? If the Front End server that the ASA is forwarding traffic to goes down, we’re not going to have Lync mobility and application sharing features. Is there a way to implement redundancy?

    Thanks!
