Thursday, December 2, 2010

Lync reverse proxy using IIS ARR

Disclaimer: this is part of my Lab install series of posts; it works for me in my lab with a small number of users, but it is neither a recommended nor a supported topology (AFAIK).
I have a Lync Standard Edition server with mediation on the front end running in media bypass mode, a Lync Edge server, and Exchange Server 2010 running on a single server with all roles.
I have decided to use IIS ARR + URL Rewrite as my reverse proxy for Exchange OWA, web services, etc. and for the Lync Reach client and web services, all on my Lync Edge server. I did this because it's already internet facing (and therefore 'at risk') and I figured it's better to keep machines like this to a minimum. It is also the only machine not domain joined and has very few permissions on my network. Of course I could have set up ISA / TMG / whatever, but I want to focus on building software, not maintaining infrastructure.
  1. Ensure IIS and .NET are installed.
  2. Download and install ARR (it includes URL Rewrite).
  3. Add a binding for your certificate (as this is on my edge server and I use the same certificate for both SIP and HTTPS, I already have it installed on the machine).
  4. Set up server farms for Exchange and Lync:
    1. [screenshot]
    2. [screenshot] (select advanced settings and choose ports 8080 and 4443, which point to the external bindings on the front end server)
    3. [screenshot] (choose Yes if you see this)
    4. [screenshot] (double click routing rules)
    5. [screenshot] (ensure URL Rewrite is checked and optionally SSL offloading; depending on your bindings on the target server you may need this checked)
    6. Repeat from step 4 for Exchange
    7. Go to the URL Rewrite configuration, either by clicking the link on the right pane of the routing rules screen in step 5, or via the main URL Rewrite icon under IIS on the Features page for your server. [screenshot]
    8. Modify the Lync rule as follows:
      [screenshot]
      Choose Using Regular Expressions and enter this expression :
      ((?:^dialin|^meet|^Fonts|^Abs|^CertProv|^ColabContent|^GroupExpansion|^LMStaticData|^MeetingContent|^MeetingFiles|^Reach|^RequestHandlerExt|^RgsClients|^WebTicket).*)

    9. Same for Exchange with this expression:
      ((?:^owa|^OAB|^Microsoft-Server-ActiveSync|^EWS|^ecp|^Autodiscover).*)
      Also select the https protocol (depending on your bindings for Exchange).
    10. For completeness I have an OCS R2 CWA server in my Lync farm and have added a similar proxy for that too.
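The two expressions above decide which request paths the proxy forwards at all: anything that does not match is never sent to the internal servers, so they act as an allow-list of virtual directories. The following Python is an added example (not code from the post, and not IIS's own matching engine) that applies those same two patterns the way URL Rewrite does, against the path with the leading slash removed and case-insensitively, which is the URL Rewrite default. The farm addresses `lync-fe.example.internal:4443` and `exchange.example.internal` are placeholders. It also goes one step beyond the post with a `strict` option: because each alternative is a bare prefix such as `^Abs`, the original patterns also match paths like `/Abstract/...`; the tightened variant requires a `/` or end-of-path after the directory name.

```python
import re

# The two patterns exactly as given in the post (Lync first, then Exchange).
LYNC_PATTERN = (
    r"((?:^dialin|^meet|^Fonts|^Abs|^CertProv|^ColabContent|^GroupExpansion"
    r"|^LMStaticData|^MeetingContent|^MeetingFiles|^Reach|^RequestHandlerExt"
    r"|^RgsClients|^WebTicket).*)"
)
EXCHANGE_PATTERN = r"((?:^owa|^OAB|^Microsoft-Server-ActiveSync|^EWS|^ecp|^Autodiscover).*)"

# Placeholder farm targets (assumed names; the post uses ports 8080/4443 on the front end).
LYNC_FARM = "https://lync-fe.example.internal:4443"
EXCHANGE_FARM = "https://exchange.example.internal"


def tighten(pattern):
    """Add a lookahead so a directory name must be followed by '/' or end-of-path.

    '^Abs' then matches 'Abs' and 'Abs/x' but no longer 'Abstract/x'.
    This relies on the post's layout, where every alternation closes with ').*)'.
    """
    return pattern.replace(").*)", ")(?=/|$).*)")


def build_rules(strict=False):
    """Ordered rule list: (farm name, compiled pattern, farm base URL)."""
    lync, exch = LYNC_PATTERN, EXCHANGE_PATTERN
    if strict:
        lync, exch = tighten(lync), tighten(exch)
    # URL Rewrite patterns are case-insensitive unless ignoreCase is switched off.
    return [
        ("lync", re.compile(lync, re.IGNORECASE), LYNC_FARM),
        ("exchange", re.compile(exch, re.IGNORECASE), EXCHANGE_FARM),
    ]


def route(request_path, strict=False):
    """Return (farm, rewritten URL) for the first rule that matches, else None.

    None means ARR forwards nothing for this path; the request stays on the
    proxy's own site. The captured group is what a farm routing rule appends
    to the farm name via its {R:n} back-reference.
    """
    path = request_path.lstrip("/")  # URL Rewrite sees the path without the leading slash
    for farm, pattern, backend in build_rules(strict):
        match = pattern.match(path)
        if match:
            return farm, f"{backend}/{match.group(1)}"
    return None


if __name__ == "__main__":
    # Constructed sample request paths, including ones that should NOT be proxied.
    samples = ["/owa/auth/logon.aspx", "/Meet/alice/ABC123", "/remote/", "/", "/abstract/readme"]
    for sample in samples:
        print(f"{sample:28} loose={route(sample)}  strict={route(sample, strict=True)}")
```

Running the block prints, for each constructed path, the farm chosen by the post's patterns and by the tightened ones; the only path where they disagree is `/abstract/readme`, which the loose Lync pattern forwards and the strict one rejects.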


Now let's test:

  1. Go to https://yourdomain/owa
    [screenshot]
  2. You should also run the tests here https://www.testexchangeconnectivity.com/
  3. Go to https://yourdomain/meet
    [screenshot] (you can also create and join a meeting in Outlook)
  4. Go to https://yourdomain/reach/client/webpages/reachclient.aspx
    [screenshot]

5 comments:

  1. Thanks for the detailed steps

    I configured ARR on edge server a.

    I have multiple SIP domains and I need to publish simple urls for only one sip domain
    my simple urls are meet.mydomain.com and dialin.mydomain.com. Edge server ext FQDN is sip.mydomain.com
    After configuration I am able to access https://meet.mydomain.com/meet from external n/w but the meetnow url https://meet.mydomain.com/username/meetingid is not accessible
    Do I need to change the simpleurls or regular expressions

  2. I changed my simpleurls to all be on the same domain - if you want different domains then you need a separate rule in ARR per domain.

  3. I'm having difficulties implementing this. Some settings that seem to be missing?
    Do you really not add any servers in step 2 when you put 8080 and 4443 in?
    Do you select https as the scheme in the url rewrite in step 8 & 9? What about the path?

  4. @Aaron, you need to enter the fqdn of the lync / exchange server in step 1 to continue.
    I updated the screenshot to show the scheme and path.
    You may note the new screenshot has slightly different farms than described - I had issues with the certificate issuing services for OWA IM integration and split out the web services into a separate farm - this didn't fix my problem. I haven't gone back to it in a while, so once I get back to solving that I will do a new post to cover it.
