Publishing Lync Server 2010 (RC) Simple URLs and Web Components with Forefront TMG 2010

In my first blog post around TMG 2010, I outlined the setup of TMG and the configuration for publishing OCS 2007 R2 web components, and then CWA services, through that same server. Please refer to that post for the basics of the network configuration for this TMG server; in this post I will cover configuring publishing rules for your Lync Server simple URLs and web components.

Intro Information

First, I assume you have configured simple URLs and web services when deploying your topology, and now need to publish them externally.

My URL information is as follows:

| Component | URL | Internal IP | External IP | Port on Front End | Port on External/ISA |
|---|---|---|---|---|---|
| Web Services | lyncweb.winxnet.com | 10.117.117.9 | 24.39.27.152 | 8080 and 4443 | 80 and 443 |
| Dialin Simple URL | dialin.winxnet.com | 10.117.117.9 | 24.39.27.152 | 8080 and 4443 | 443 |
| Meet Simple URL | meet.winxnet.com | 10.117.117.9 | 24.39.27.152 | 8080 and 4443 | 443 |

First off, you can use a single external IP address for all three of these URLs, as they all go to the same place. Also, if you open IIS Manager on your Front End server, you will notice there are two sites, an internal and an external one: the internal site listens on 80 and 443, and the external site on 8080 and 4443. When proxying requests through TMG, you will be sending external clients to the external site, listening on 8080 and 4443.


Also, one not so commonly known fact is that the Meet simple URL is required to provide external access to meetings. You will notice that clicking the Join Online Meeting link in Outlook directs you to your Meet simple URL.

As far as certificates go, you must also have a certificate with the following names:

Common Name: the external web services FQDN, lyncwebservicesexternalurl.domain.com (lyncweb.winxnet.com)

Subject Alternative Name(s): the simple URLs, meetsimpleurl.domain.com and dialinsimpleurl.domain.com (meet.winxnet.com, dialin.winxnet.com)

Import this certificate to the TMG server, and you can proceed with the following steps for configuration.
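As an added check (example code, not part of the original post), the script below pulls the certificate the TMG listener actually presents for each public name and confirms that the Common Name or a Subject Alternative Name covers every published name. It uses the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`; the winxnet.com host names are the post's and stand in for your own.

```python
"""Check that the TMG listener certificate covers every published public name.

Added example, not from the original post. Host names are the post's
(lyncweb/meet/dialin.winxnet.com) and are placeholders for your own deployment.
"""
import socket
import ssl

# Names the listener must vouch for: the external web services FQDN (Common
# Name) plus the two simple URLs (Subject Alternative Names).
PUBLIC_NAMES = ["lyncweb.winxnet.com", "meet.winxnet.com", "dialin.winxnet.com"]


def cert_names(cert):
    """Return the DNS names a getpeercert()-style dict vouches for (CN + DNS SANs)."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(pattern, host):
    """Match a certificate name against a host: exact, or one leading wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        # "*.winxnet.com" covers "meet.winxnet.com" but not "a.b.winxnet.com"
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def missing_names(cert, required):
    """Public names that no CN/SAN entry in the certificate matches."""
    present = cert_names(cert)
    return [h for h in required if not any(name_matches(p, h) for p in present)]


def fetch_listener_cert(host, port=443):
    """Fetch the certificate the TMG web listener serves for `host` (sent as SNI).

    Verification stays on: getpeercert() only returns the parsed certificate
    for a verified handshake, and a chain the client cannot validate (for
    example an internal CA the client does not trust) fails here, which is
    itself the finding.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host in PUBLIC_NAMES:
        cert = fetch_listener_cert(host)
        gaps = missing_names(cert, PUBLIC_NAMES)
        print(host, "OK" if not gaps else "missing: " + ", ".join(gaps))
```

Run it from outside the network (or any host whose resolver returns the listener's external IP) so the connection lands on TMG rather than directly on the Front End's internal site.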

Another important thing regarding DNS:

If you have a separate internal domain name, you will need split-brain DNS to get this working. You should already have split-brain DNS configured to get your internal clients to work with automatic sign-in.

For example, if your internal domain name is winxnet.local and your external one is winxnet.com, your simple URLs should be in the winxnet.com namespace; however, from the inside you will need to resolve the winxnet.com simple URLs to the correct internal address.

At winxnet we actually have a single namespace, winxnet.com, so it was an oversight not to point out that these DNS entries need to be resolvable both internally and externally for this to work.

Thanks to Adam in the comments for pointing this out and working through the issue with me. Check out this link for a great review of how this DNS configuration works for the rest of the services:

http://blogs.technet.com/b/drrez/archive/2010/08/17/split-brain-domain-name-services-for-communications-server.aspx

Steps to Create Publishing Rule

In the TMG or ISA management console, right-click Firewall Policy and choose New -> Web Site Publishing Rule.


Enter a name for the rule, like Lync Web.

Follow the wizard with the following options:

Select Rule Action: Allow

Publishing Type: Publish a single web site or load balancer

Server Connectivity Security: Use SSL to connect to the published Web server or server farm

Internal publishing details:

Internal Site Name: FQDN of the Front End server (winx-lyncrc1.winxnet.com)

If your internal server is a Standard Edition server, this FQDN is the Standard Edition server FQDN. If your internal server is an Enterprise pool, this FQDN is a hardware load balancer VIP that load balances the internal web farm servers. The TMG server must be able to resolve the FQDN to the IP address of the internal web server. If the TMG server is not able to resolve the FQDN to the proper IP address, you can select "Use a computer name or IP address to connect to the published server", and then in the "Computer name or IP address" box type the IP address of the internal web server. If you do this, you must ensure that port 53 is open on the TMG server and that it can reach an internal DNS server or a DNS server that resides in the perimeter network.

Path (optional): /*

Public Name Details:

Public Name: FQDN of the external web services (lyncweb.winxnet.com)

Select Web Listener: select New (this opens the New Web Listener wizard)

Web Listener Name: anything you want, something like Lync Web Listener

Client Connection Security: Require SSL secured connections with clients

Web Listener IP Address: select External, then click Select IP Address, choose the appropriate IP address and add it to the listener

Listener SSL Certificates: select Assign a Certificate for Each IP Address, select the IP address chosen before, and choose your valid certificate.

Authentication Setting: No Authentication

Single Sign On Setting: Ignore, click Next

Complete the web listener wizard and choose Finish

Authentication Delegation: No Delegation, but client may authenticate directly

User Set: Ignore, click Next

Complete the rule configuration wizard and choose Finish. Then, at the top, hit Apply to save the configuration.

Once the rule is created, there are a couple of important settings that need to be changed; this is really the only thing that makes the Lync setup different from OCS R2.

Open the newly created rule and modify the following settings.

On the To tab, ensure that the "Forward the original host header instead of the actual one" check box is checked.

On the Listener tab, click to modify the properties of the web listener.

Navigate to the Connections tab and enable port 80.

On the Bridging tab, select both Redirect requests to HTTP port and Redirect requests to SSL port, and enter 8080 for the HTTP port and 4443 for the SSL port (the ports of the external site in IIS).

On the Public Name tab, add the simple URLs to the list of allowed public names. In my example: meet.winxnet.com and dialin.winxnet.com.

Once these changes have been made, Apply the configuration and you are done. To verify access, you can test the following URLs in Internet Explorer from outside.

For the Address Book Server: https://externalwebservicesfqdn/abs (https://lyncweb.winxnet.com/abs). You should receive an HTTP authentication challenge, because directory security on the ABS folder is configured for Windows Authentication by default.

For Web conferencing: generate an online meeting request in Outlook, or a Meet Now request in Lync 2010, and try joining the URL provided from outside; it should be similar to this: https://meet.winxnet.com/rwintle/KG2K4HDM

For Group Expansion: https://externalwebservicesfqdn/GroupExpansion/service.asmx (https://lyncweb.winxnet.com/groupexpansion/service.asmx)

For Dial-in: https://dialinsimpleurl.domain.com (https://dialin.winxnet.com)
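To make the verification above repeatable, the script below (an added example, not code from the original post) requests each published URL without following redirects and judges the reply: /abs must answer with a 401 Windows authentication challenge as described, nothing may return 403 (the symptom reported in the comments when the listener or public names are wrong), and no reply may redirect to, or embed, a host that is not one of the published public names, which is the symptom of an external web services URL in the topology that still points at the internal pool. The winxnet.com names and the Front End FQDN winx-lyncrc1.winxnet.com are the post's values and stand in for your own.

```python
"""Probe the published Lync URLs and judge each reply the way the walkthrough says to.

Added example, not from the original post. URLs reuse the post's winxnet.com
names as placeholders; INTERNAL_FQDN is the post's Front End name. Expectations:
/abs answers with a Windows auth challenge (401 + WWW-Authenticate); no published
page may 403; no reply may send the browser to an unpublished host.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

PUBLIC_HOSTS = {"lyncweb.winxnet.com", "meet.winxnet.com", "dialin.winxnet.com"}
INTERNAL_FQDN = "winx-lyncrc1.winxnet.com"   # must never be handed to external clients

# (url, kind): kind selects the expectation applied in evaluate()
CHECKS = [
    ("https://lyncweb.winxnet.com/abs", "abs"),
    ("https://lyncweb.winxnet.com/groupexpansion/service.asmx", "web"),
    ("https://dialin.winxnet.com/", "web"),
    ("https://meet.winxnet.com/", "web"),
]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def evaluate(kind, status, headers, body=""):
    """Judge one reply. headers: dict with lower-case keys. Returns (ok, reason)."""
    if status == 403:
        return False, ("403 Forbidden: the request reached TMG/IIS but was denied; "
                       "re-check bridging ports 8080/4443 and the listener's public names")
    if kind == "abs":
        if status == 401 and "www-authenticate" in headers:
            return True, "Windows authentication challenge received, as expected"
        return False, f"expected a 401 challenge on /abs, got HTTP {status}"
    if status in REDIRECT_CODES:
        target = (urlsplit(headers.get("location", "")).hostname or "").lower()
        if target not in PUBLIC_HOSTS:
            return False, (f"redirected to {target!r}, which is not a published name; "
                           "check the pool's external web services URL in Topology Builder")
        return True, f"redirect stays on published name {target}"
    if INTERNAL_FQDN.lower() in body.lower():
        return False, (f"page content references the internal FQDN {INTERNAL_FQDN}; "
                       "external users would be sent to a host they cannot reach")
    if 200 <= status < 400:
        return True, f"HTTP {status}"
    return False, f"unexpected HTTP {status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx replies back to the caller (as HTTPError) instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=10):
    """GET `url` once; return (status, lower-case headers, body text)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return (resp.status,
                    {k.lower(): v for k, v in resp.headers.items()},
                    resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx are delivered here
        return (err.code,
                {k.lower(): v for k, v in err.headers.items()},
                err.read().decode("utf-8", "replace"))


def run_checks(checks=CHECKS):
    """Probe every URL and map it to its (ok, reason) verdict."""
    return {url: evaluate(kind, *probe(url)) for url, kind in checks}


if __name__ == "__main__":
    for url, (ok, reason) in run_checks().items():
        print("PASS" if ok else "FAIL", url, "-", reason)
```

The body scan for the internal FQDN is there because the Reach join page sends the browser onward with a script variable rather than an HTTP redirect, so a 200 from the meet URL alone does not prove external users will end up on a published name.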

You should now have functioning simple URLs and web services which provide the following functionality:

  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book Service.
  • Accessing the Reach client.
  • Accessing the dial-in Web page.
  • Accessing the Location Information Service.
  • Enabling external devices to connect to the Device Update Service and obtain updates.

About Randy Wintle

Unified Communications Architect

Posted on September 24, 2010, in Communications Server 2010, Forefront TMG 2010, Lync, Lync RC, Reach Client, Simple URL, Threat Management Gateway, TMG, TMG 2010. 42 Comments.

  1. This is the exact setup I have at the moment. I'm unable to get to the services, as I always receive a 403 error. I followed your TMG directions to the T. What would really be awesome is if you had a write-up from start to finish on a simple one-server Lync and TMG! I'm pulling my hair out trying to figure out where I've gone wrong, though my Lync services work flawlessly inside.

  2. Yep... all simple URLs work fine from the inside with no problems. I get the below from the outside following your directions.

    403 – Forbidden: Access is denied.
    You do not have permission to view this directory or page using the credentials that you supplied.

    • What are you trying to do when you get the 403? Are you actually going to the dialin url, or are you trying to join a meeting generated in outlook? As much info as you can provide about what you are doing would be great, thanks.

  3. I can promise you that if you wrote a write-up from the install of Lync, and then a write-up of TMG, you would get TONS of hits. There are tons of searches right now about how to set up a one-server Lync and allow inside/outside through TMG.

  4. I'm trying to access the external URL. Everything works inside with no problems. I have TMG set up and followed your directions to get outside working. It forwards properly, as shown in the logs, but I get the 403 error only when attempting from the outside world.

    All servers are 2008R2

    DC = Windows SBS 7
    Member Server = Lync
    Member Server = TMG

    • Okay, can you send me the URL you are trying to access by chance?

      If you want, you can email me rwintle at winxnet dot com

      That will be the best way for me to see what is happening as well and potentially help you.

      Thanks.

  5. Still no luck getting past the 403 from the outside. Hopefully I can figure it out soon... when I do I will post an update.

    • Post has been updated to include information on the fix for Adam’s issue, and hopefully the fix for everyone.

      I will try to get time to write up an end-to-end blog post including some split DNS config, but that will take some time 🙂

  6. Can I use the TMG/ISA Server instead of an HW load balancer for publishing the Lync web services? I could publish the 2 Lync Enterprise servers as a web farm on my TMG Enterprise farm. With this solution there shouldn't be any need for an HW load balancer. Is this correct?

    • I know this setup is not supported. However, that doesn't mean it won't function properly, but only for web traffic. I don't think you could get any PSOM traffic to work for conferences; I've never tried though.

  7. Hi Randy,

    Great post, thank you.

    I have one small problem: after an amount of time my external Lync clients report that they cannot synchronize with the corporate address book. Everything else seems to work OK (meet, dialin etc.).

    I have an Enterprise setup with a Front End and an Edge Server so that external Lync clients can sign in, and I use PICS and Federation.

    Any advice you can give would be great.

    Thanks

  8. I have followed these instructions, though I am having an issue with external users without Lync installed connecting to meetings. When they click the meet.domain.com link in the meeting, it redirects them to lync.domain.com. Lync.domain.com is the internal URL of my Lync server; this is not exposed to the internet. I have published using webext.domain.com, meet.domain.com and dialin.domain.com. Obviously there is a redirection issue here. Do you have any insight into this?

  9. Hi.
    I deployed my Lync configuration: SFE + Edge.
    Edge is ip1, ip2, ip3 (lyncsip.dom, lyncweb.dom and lyncav.dom). All IPs go out directly to the internet.
    On my ISA server is ip4 with meet.dom.
    Inside everything is working great.
    Outside I have a little problem. After the external user uses my link, the attendant is showing and everything is OK up to the moment when I'm admitting him. When I click admit, the external client shows the message 'The conferencing service did not respond'.
    Where should I look for a solution?

  10. I'm also struggling with this. I've set up split DNS and everything works fine except the web conferencing. When I hit the URL https://meet..com//…. I initially see a Lync web page. This web page, however, tries to redirect me to the internal Lync server...
    This is apparently where it sends me to:
    var reachURL = "https://.loc/Reach/Client/WebPages/ReachJoin.aspx?xml=";

    Anyone seen this?

    • That URL is pulled from your pool settings for external web services.

      If you open Topology Builder, right-click on the Front End pool and choose Properties.

      You will see an internal URL and an external URL. Make sure that the external URL is set to the public address.

      • Thank you for your quick reply 😉
        I cannot put the public address into that configuration, as the deployment tool complains that the address is in use as a simple URL, which it is indeed.

    • Just to add to Randy's answer: you need to enter the external URL of the reverse proxy and not one of the simple URL values.

  11. I’m having an issue with TMG blocking the request. My setup is as follows:

    Standard Edition Front End pool
    Edge server for external user access
    TMG with a NIC in the DMZ (public IP is NATed to this DMZ IP), and an internal NIC

    I've set up the firewall policy (TMG) to allow HTTP and HTTPS to meet, dialin and lync, and point to the IP of the Lync Front End server.

    When attempting to access the meet.domain.com page, TMG reports:
    Denied Connection
    Log type: firewall service
    Status: the policy rules do not allow the user request
    Rule: default rule
    Source: External (32.168.203.xxx:55595)
    Destination: Local Host 192.168.50.12:8080
    Protocol: http proxy

    If I try to go to https://meet.domain.com, I still get denied, but the Protocol says: Unidentified IP traffic (TCP:4443)

    Any suggestions?

    Thanks,
    Jason

  12. Hi!

    Is it really necessary to publish HTTP for the Lync web services? I dislike publishing unencrypted traffic to the Internet and would prefer publishing only the HTTPS port.

    Thanks!

  13. Thanks for the post, very useful. It seems that all is working fine, but external anonymous users cannot download or even view PowerPoint presentations uploaded by internal users. They receive an error: Name couldn't be resolved. Internal users are OK. I have Lync Edge and TMG.

  14. Thanks Randy for your article!

    I am trying to get TMG 2010 to work with Lync in a lab setting using internal certs. I have an internal root CA set up. The TMG is in a workgroup and not connected to the domain. I have imported the root CA certs (via the MMC) and they are "invalid" according to the TMG.

    Can you point me in the right direction?

    Thank you,

    BK

  15. This is a very good blog, Randy... thank you. I can't seem to find more information about publishing for many SIP domains. I have about 6 SIP domains (and growing) that work internally. I would like to set up simple URLs to be

    https://lync.domain.com/domain1/meet
    https://lync.domain.com/domain2/meet
    https://lync.domain.com/domain3/meet
    etc…

    In an Edge certificate, I know I would require lync.domain.com, but what about the SIP entry for each domain? What would my certificate require for SAN entries?

    dialin.domain.com
    lync.domain.com
    sip.domain.com
    sip.domain1.com
    sip.domain2.com

    • So, when you publish in that format, you basically will only need to include lync.domain.com in your certificate, and you should also have the SIP entry for each domain for the Access Edge service on your Edge.

  16. Excellent! I appreciate it, thank you.

  17. Late post here: we also have a single namespace. I am struggling with how I can get internal clients to resolve meet.domain.com, which points to the hardware load balancer, and not resolve to the external interface of the reverse proxy server. You must have gone through this. How did you solve this issue?
    Also, I am thinking of hardware load balancing for the reverse proxy server; do I need a VIP for the internal interfaces of the reverse proxy servers for the outgoing traffic?

    Thanks in advance.
    -Henry

  18. Randy:

    Did you forget to add a graphic for the "Listener tab"?

    See U in Dallas later in the month!

    BK
