Tuesday, August 26, 2014

Lync 2013 Reverse Proxy Solution with IIS ARR (Application Request Routing) - Installation and Consulting Guide

Before we start with the Lync 2013 reverse proxy solution design and setup guide, keep the following supportability statement in mind.

As of the date of writing this blog, Microsoft has two supported reverse proxy solutions for Lync 2013:
1. Microsoft Forefront TMG (Threat Management Gateway) - only if TMG was purchased before its end-of-life date.
2. Microsoft IIS ARR (Internet Information Services Application Request Routing)

A third solution, the Web Application Proxy (WAP) role introduced with Windows Server 2012 R2, is not yet supported. The reason is that WAP has a problem with multiple SIP domains: it cannot handle requests for anything other than the primary SIP domain, in particular the MEET simple URLs of the additional domains.

The configuration guide here runs through the entire process, from the IIS ARR installation to the farm and rule setup, and concentrates on Windows Server 2012 R2. We therefore need to understand the installation process for IIS ARR first. ARR cannot simply be installed by downloading and running the standalone MSI package, because the MSI does not pull in its prerequisites (URL Rewrite and the Web Farm Framework); the Web Platform Installer does. If you want to use the standalone installer anyway, you have to distribute and install the prerequisites yourself first.

(Typical Lync Reverse Proxy Design with IIS ARR)

Since we are focusing on Windows Server 2012 R2, the IIS ARR version described here is version 3.0.

Download Links:
Web Platform Installer: http://www.microsoft.com/web/gallery/install.aspx?appid=ARRv3_0
Installer Package: http://www.microsoft.com/en-us/download/details.aspx?id=39715

Install Application Request Routing 3.0:

Before we install ARR, we need to have the following IIS prerequisites installed.

On Windows Server 2012 and 2012 R2 we install them with this command:

Import-Module ServerManager
Add-WindowsFeature Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Net-Ext,Web-Http-Logging,Web-Request-Monitor,Web-Http-Tracing,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Console,NET-Framework-Core,AS-Web-Support,NET-Non-HTTP-Activ,NET-HTTP-Activation,Web-Server


Comment:
In an older version of this instruction you might have found the RSAT-Web-Server and NET-Win-CFAC (Windows Communication Foundation Activation Components) features in the list. Those are the feature names of a Windows Server 2008 setup with .NET 3.5.1; they do not exist on Windows Server 2012 R2 and must be left out there.


Fully automated installation:
If you want an installation without all this manual feature setup, simply use the Microsoft Web Platform Installer (PI), see the download links above. The PI installs the required IIS role services and the ARR prerequisites for you.

If you have downloaded the standalone ARR installer and run it, you might run into this error: "Web Farm Framework is a requisite for installing Application Request Routing." The standalone installer does not pull in the Web Farm Framework; the PI installs it automatically.

In that case use the PI and start over again. The PI offers several ARR versions, so make sure you select ARR version 3.0.

Once the installation has finished, restart the server and ensure the Windows Server 2012 R2 system is fully patched and updated.

Next we configure ARR according to our needs.
In our case we have multiple SIP domains. As recommended for Lync, you will have one MEET simple URL per SIP domain, a single DIALIN simple URL, the external Lync Web Services FQDN and one LYNCDISCOVER URL per SIP domain. Regarding the Lync Mobility Service, your internal deployment must allow internal mobile devices to reach the mobility service via the IIS ARR as well, because the mobility service URL is tied to the external Web Services FQDN.
That mobility setup is not part of this article, but keep this dependency in mind.

Configuration of IIS ARR (Application Request Routing):

The first step is creating a server farm. This is not related to a farm of IIS servers which you might create for HA/redundancy.
Here a farm is tied to the URL you are going to publish: one farm per published FQDN, with the Lync Front End (or Director) as the only server in it.

ARR is a layer-7 proxy and terminates the TLS connection coming from the Internet. Therefore the public certificate covering all published names (the simple URLs, the external web services FQDN and the lyncdiscover names) must be bound to the HTTPS site on the IIS ARR server, regardless of which certificate the Lync external web site uses.
ARR then re-encrypts the traffic towards the Lync external web site on port 4443, where the Front End most likely presents a certificate from your internal certificate authority.
Be aware of two points here:
1. Terminating and re-encrypting (SSL bridging) costs some extra CPU on your server. Do not enable the "SSL offloading" option in the ARR farm: that would send plain HTTP to the Front End, which the Lync external web site does not accept on 4443.
2. The IIS ARR server must not be domain joined, therefore it does not receive the internal CA root automatically: import the root (and any intermediate) certificates of your internal certificate authority into the Trusted Root store of the ARR server so that it trusts the Front End certificate!

Also be aware of the TCP port redirection:
for HTTP requests redirect 80 -> 8080
for HTTPS requests redirect 443 -> 4443

The IIS on the Lync Front End hosts two web sites, the Lync internal and the Lync external web services. They are bound to different ports; the external web site listens on 8080 and 4443, and that is where the reverse proxy has to send the traffic.

You have to repeat all the following steps for each simple URL!


Identify the simple URL (the farm name is the published FQDN) and add the Front End as the server:


Ensure you have set the internal TCP ports (8080 and 4443) on the server entry:
Remember, you must specify the HTTP port too. If you do not want to expose HTTP to the Internet, you have to restrict that on your fronting firewall.


Set MEMORY CACHE DURATION to 60 seconds:

HTTP version is PASS THROUGH and the time-out is set to 200 seconds:

Routing is defined as "use URL Rewrite to inspect incoming requests", and SSL offloading stays disabled:

Choose your public certificate for this service:

Repeat these steps for all simple URLs.


Finally, make sure all URLs are defined and have the correct settings:
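The farm and rewrite settings of the previous steps can also be applied from PowerShell instead of clicking through the GUI for every simple URL. The following script is an added example and not part of the original post or of any Microsoft documentation; the SIP domains contoso.com and fabrikam.com, the Front End FQDN lyncfe01.corp.contoso.com, the external web services FQDN lyncweb.contoso.com, the root CA file name and the certificate subject are assumptions and must be replaced with your own values. It builds one farm per published name, sets the 8080/4443 ports, the 200 second time-out and the HTTPS host-header rewrite rule, and binds the public certificate to port 443.

```powershell
# Added example (not from the original post): configure IIS ARR 3.0 farms and
# URL Rewrite rules for Lync simple URLs via the WebAdministration module.
# All host names, file names and the certificate subject below are assumptions.
Import-Module WebAdministration

$appHost   = 'MACHINE/WEBROOT/APPHOST'
$frontEnd  = 'lyncfe01.corp.contoso.com'          # assumed internal Front End / Director FQDN
$published = @(                                   # assumed published names, one farm each
    'meet.contoso.com', 'meet.fabrikam.com',      # one MEET URL per SIP domain
    'dialin.contoso.com',                         # single DIALIN URL
    'lyncweb.contoso.com',                        # external web services FQDN (mobility too)
    'lyncdiscover.contoso.com', 'lyncdiscover.fabrikam.com'
)

# The ARR box is not domain joined: trust the internal CA that issued the
# Front End certificate (assumed file exported from the internal CA).
Import-Certificate -FilePath '.\corp-root-ca.cer' -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Enable the ARR proxy at server level and keep the original Host header so the
# Front End can select the right web site / simple URL. "PassThrough" is the
# HTTP version setting shown as "pass through" in the GUI.
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/proxy' -Name 'enabled'            -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/proxy' -Name 'preserveHostHeader' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/proxy' -Name 'httpVersion'        -Value 'PassThrough'

foreach ($name in $published) {
    $farm = "webFarms/webFarm[@name='$name']"

    # One farm per published URL with the Front End as its only server.
    if (-not (Get-WebConfiguration -PSPath $appHost -Filter $farm)) {
        Add-WebConfigurationProperty -PSPath $appHost -Filter 'webFarms' -Name '.' -Value @{ name = $name }
        Add-WebConfigurationProperty -PSPath $appHost -Filter $farm      -Name '.' -Value @{ address = $frontEnd }
    }

    # 80 -> 8080 and 443 -> 4443: the ports of the Lync external web site.
    $srv = "$farm/server[@address='$frontEnd']/applicationRequestRouting"
    Set-WebConfigurationProperty -PSPath $appHost -Filter $srv -Name 'httpPort'  -Value 8080
    Set-WebConfigurationProperty -PSPath $appHost -Filter $srv -Name 'httpsPort' -Value 4443

    # Proxy time-out 200 s and memory cache duration 60 s. The cache attribute
    # name is taken from the ARR schema and is an assumption here; verify with
    # Get-WebConfiguration if your ARR build names it differently.
    $arr = "$farm/applicationRequestRouting"
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/protocol"       -Name 'timeout'            -Value ([TimeSpan]::FromSeconds(200))
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/protocol/cache" -Name 'validationInterval' -Value ([TimeSpan]::FromSeconds(60))

    # Routing rule: only HTTPS requests whose Host header equals the published
    # name are sent to this farm (ARR re-encrypts to 4443, no SSL offloading).
    $ruleName = "ARR_${name}_loadbalance_SSL"
    $rule     = "system.webServer/rewrite/globalRules/rule[@name='$ruleName']"
    if (-not (Get-WebConfiguration -PSPath $appHost -Filter $rule)) {
        Add-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/rewrite/globalRules' -Name '.' `
            -Value @{ name = $ruleName; patternSyntax = 'Wildcard'; stopProcessing = 'True' }
        Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/match"      -Name 'url'  -Value '*'
        Add-WebConfigurationProperty -PSPath $appHost -Filter "$rule/conditions" -Name '.'    -Value @{ input = '{HTTPS}';     pattern = 'on'  }
        Add-WebConfigurationProperty -PSPath $appHost -Filter "$rule/conditions" -Name '.'    -Value @{ input = '{HTTP_HOST}'; pattern = $name }
        Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/action"     -Name 'type' -Value 'Rewrite'
        Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/action"     -Name 'url'  -Value "https://$name/{R:0}"
    }
}

# Bind the public certificate (assumed subject/SAN covering all published names)
# to port 443 of the Default Web Site on the ARR server.
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
        Where-Object { $_.Subject -like '*lyncweb.contoso.com*' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Public certificate for the published names not found in LocalMachine\My' }
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol 'https' -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol 'https' -Port 443
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}
```

Run it elevated on the ARR server after ARR 3.0 is installed; it is idempotent for farms and rules that already exist, so you can re-run it after adding a SIP domain to the $published list. Note that the rule only matches HTTPS; if you also publish port 80 (needed for the HTTP side of lyncdiscover), add a second rule per name with the {HTTPS} condition set to "off" and the action URL pointing at http://$name/{R:0}, which ARR sends to port 8080.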


The next step should be a test. I prefer the dial-in web page, since it does not require an immediate login. If you can see this page, also try to log in. This ensures that the Web Ticket Service in Lync is working correctly through the reverse proxy too.


Last but not least, you can validate all URL rewrite rules by clicking the IIS server root node and then "URL Rewrite":
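The dial-in test and the rule review above can be scripted so that you get the same answer after every change. The following check is an added example, not code from the original post: it reads the farms and rewrite rules back from the ARR configuration, checks that every farm really points at 8080/4443 and that every published name has a matching HTTPS rule, tests TCP reachability of the Front End on 4443 from the ARR box, and then requests the dial-in and lyncdiscover pages the way an external client would. The host names are assumptions; the web requests only make sense when run from a host that resolves the public names to the ARR server.

```powershell
# Added example (not from the original post): verify the ARR configuration and
# the published Lync URLs. Host names below are assumptions.
Import-Module WebAdministration

$appHost  = 'MACHINE/WEBROOT/APPHOST'
$frontEnd = 'lyncfe01.corp.contoso.com'                       # assumed Front End / Director FQDN
$expected = @('meet.contoso.com', 'meet.fabrikam.com', 'dialin.contoso.com',
              'lyncweb.contoso.com', 'lyncdiscover.contoso.com', 'lyncdiscover.fabrikam.com')
$problems = @()

# 1. Farms: one per published name, Front End as server, external web site ports.
$farms = @(Get-WebConfiguration -PSPath $appHost -Filter 'webFarms/webFarm')
foreach ($name in $expected) {
    if (-not ($farms | Where-Object { $_.name -eq $name })) { $problems += "no farm for $name"; continue }
    $ports = Get-WebConfiguration -PSPath $appHost -Filter "webFarms/webFarm[@name='$name']/server[@address='$frontEnd']/applicationRequestRouting"
    if (-not $ports)                 { $problems += "$name : server $frontEnd missing in farm" }
    elseif ($ports.httpPort -ne 8080 -or $ports.httpsPort -ne 4443) {
        $problems += "$name : ports $($ports.httpPort)/$($ports.httpsPort), expected 8080/4443"
    }
}

# 2. Rewrite rules: every name needs an HTTPS rule whose action targets its farm.
$rules = @(Get-WebConfiguration -PSPath $appHost -Filter 'system.webServer/rewrite/globalRules/rule')
foreach ($name in $expected) {
    $hit = $rules | Where-Object {
        $r = "system.webServer/rewrite/globalRules/rule[@name='$($_.name)']"
        $hostCond = Get-WebConfiguration -PSPath $appHost -Filter "$r/conditions/add[@input='{HTTP_HOST}']"
        $action   = Get-WebConfiguration -PSPath $appHost -Filter "$r/action"
        $hostCond.pattern -eq $name -and $action.url -like "https://$name/*"
    }
    if (-not $hit) { $problems += "$name : no HTTPS rewrite rule routing to its farm" }
}

# 3. The ARR box must reach the Lync external web site on 4443 (firewall/DMZ check).
if (-not (Test-NetConnection -ComputerName $frontEnd -Port 4443 -InformationLevel Quiet)) {
    $problems += "$frontEnd : TCP 4443 not reachable from the ARR server"
}

# 4. End-to-end: dial-in page (no login needed) and lyncdiscover (JSON with _links).
foreach ($url in @('https://dialin.contoso.com/dialin', 'https://lyncdiscover.contoso.com/')) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 30
        if ($resp.StatusCode -ne 200)                                   { $problems += "$url : HTTP $($resp.StatusCode)" }
        elseif ($url -like '*lyncdiscover*' -and $resp.Content -notmatch '_links') { $problems += "$url : no autodiscover document in response" }
    } catch {
        # A 403 here with the page fine internally points at the farm ports:
        # 443 -> 443 hits the internal web site on the Front End, 443 -> 4443 is correct.
        $problems += "$url : $($_.Exception.Message)"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'ARR configuration and published Lync URLs look good.'
```

Steps 1 to 3 run on the ARR server itself; step 4 is only meaningful from a client that resolves the public names to the reverse proxy, so on the ARR box itself add the published names to the hosts file pointing at its own external IP, or run that part from an Internet-side test machine.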


So far this is the entire configuration, and it applies to Lync 2013 and Lync 2010 alike. If you need to publish other services, e.g. Exchange, you can choose similar settings. For Exchange you might want to use pre-authentication, which Lync 2013 does not require.

Happy IIS ARR setup ;)




4 comments:

1. NET-Win-CFAC and RSAT-Web-Server are not available features in Windows 2012 R2. Please update your instruction.

   Reply: Hi Erik, you are right, thanks for highlighting the typo!!

2. When we perform the dial-in test from outside (public internet) we receive:

   Server Error
   403 - Forbidden: Access is denied.
   You do not have permission to view this directory or page using the credentials that you supplied.

   When using the Skype for Business 2015 client from outside there are no contacts in the distribution groups and another error:

   Cannot use the distribution group service because the address is incorrect, although the service is available. Contact your support team with this information

   Inside it is OK.

   Reply: Hi, it seems you have an authentication issue.
   1. Did you modify the internal IIS (external web)? Maybe reinstall if you did.
   2. Did you really use 443->4443 and therefore hit the external web on IIS?
   3. The distribution groups are also expanded via the Web Service.

   Also start logging on the IIS external web site.

   You can contact me via the contact form, you will reach me personally and I can reply in private. So don't post logs here for safety reasons.
   Looking forward to helping you.