Lync 2013 Reverse Proxy Solution with IIS ARR (Application Request Routing) - Installation and Consulting guide
As of today, the date of writing this blog, Microsoft has two supported solutions.
1. Microsoft TMG (Threat Management Gateway) - if the TMG was purchased before the EOL date.
2. Microsoft IIS ARR (Internet Information Server Application Request Routing)
A third solution, the Microsoft Web Application Proxy (WAP) introduced with Windows Server 2012 R2, is not yet supported. The reason is that WAP has a problem with multiple SIP domains: it cannot handle requests other than for the primary SIP domain, especially the MEET simple URL.
This configuration guide runs through the entire process, starting with the IIS ARR installation and setup. The guide concentrates on Windows Server 2012 R2. Therefore we need to understand the installation process for IIS ARR first. ARR cannot simply be installed by downloading the MSI package; use the Web Installer instead. If you are going to use the standalone installer, you need to distribute it.
(Typical Lync Reverse Proxy Design with IIS ARR)
Since we are focusing on Windows Server 2012 R2, the IIS ARR version described here is version 3.0.
Web Platform Installer: http://www.microsoft.com/web/gallery/install.aspx?appid=ARRv3_0
Installer Package: http://www.microsoft.com/en-us/download/details.aspx?id=39715
Install Application Request Routing 3.0:
Before we install ARR, we need to have the following prerequisites installed for IIS.
Therefore we install with this command (WIN 2012 + 2012 R2)
You might find the RSAT-Web-Server and the NET-Win-CFAC features added; this applies to a setup on Windows Server 2008 with .NET 3.5.1.
|Windows Communication Foundation Activation Components||Windows Communication Foundation Activation Components||NET-Win-CFAC|
Fully automated Installation:
If you want an installation without all this manual feature setup, simply download the Microsoft Web Platform Installer (PI): download here
If you have the ARR installer, it looks like this.
If you try using the installer, you might run into an error: Web Farm Framework is a requisite for installing Application Request Routing. (The PI installs Web Farm Framework automatically.)
Use the PI and start over again:
The PI provides several options; make sure you select ARR version 3.0:
Once the installation has ended, you might restart the server, and please ensure the Windows 2012 R2 server is fully patched/updated.
Next we start configuring ARR according to our needs.
In our case here, we have multiple SIP domains. As recommended for Lync, you will have multiple MEET pages, a single DIALIN page and the Lync Web Service, as well as the LYNCDISCOVER URLs. For the Lync Mobility Service, it is necessary that your internal deployment allows internal mobile devices to connect to the mobility service via the IIS ARR.
This is not part of this article, but keep in mind the mobility service URL is related to the external Web Service FQDN.
Configuration of IIS ARR (Application Request Routing):
The first step is creating the server farm. This is not related to an IIS farm of servers, e.g. one you might create for HA/redundancy.
A Farm is related to the URL you are going to publish.
Since Lync simple URL publishing does not require any SSL Offloading if you have the External Web Site in Lync assigned with a Public Certificate, you do not need a certificate installed on the IIS.
Most likely you have assigned a private certificate from your internal Certificate Authority; in that case you have to assign the IIS ARR a public certificate and re-encrypt the traffic for internal use.
Be aware of two points here:
1. This is called SSL Offloading and requires some extra CPU load on your server.
2. IIS must not be "domain joined"; therefore you need to have the internal Certificate Authority root certificates assigned as TRUSTED!
Also you must be aware of the TCP port redirection:
for HTTP requests, redirect 80 -> 8080
for HTTPS requests, redirect 443 -> 4443
The Lync internal IIS has two web sites, the Lync internal and external Web Services. The web sites are assigned different ports; the external service interacts with 8080 and 4443.
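A check for the two points above, run from the IIS ARR server, as an added example that is not part of the original post: it connects to the internal Lync server on the external web site port 4443 and reports whether the presented certificate chains to a root this non-domain-joined machine trusts and whether it covers the server address. The function name and `lyncweb.contoso.com` are placeholders.

```powershell
# Added example (not from the original post). Run on the IIS ARR server.
function Test-ArrBackendCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ServerAddress,  # address entered in the server farm
        [int]$Port = 4443                                      # Lync external web site, HTTPS
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ServerAddress, $Port)
        # Accept any certificate during the handshake so that it can be inspected;
        # trust and names are evaluated explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $protocols = [System.Security.Authentication.SslProtocols]'Tls, Tls11, Tls12'
        $ssl.AuthenticateAsClient($ServerAddress, $null, $protocols, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain with this machine's certificate stores. Revocation is not
        # checked, since internal CRLs are often unreachable from a perimeter network.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($cert)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        # Subject alternative names (extension OID 2.5.29.17), one "type=value" per line.
        $sans = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            $sans = @([regex]::Matches($sanExt.Format($true), '=([^\s,]+)') |
                      ForEach-Object { $_.Groups[1].Value })
        }
        # A wildcard entry covers exactly one label, so the label counts must be equal.
        $nameOk = [bool]($sans | Where-Object {
            ($ServerAddress -like $_) -and ($ServerAddress.Split('.').Count -eq $_.Split('.').Count)
        })
        [pscustomobject]@{
            Subject      = $cert.Subject
            NotAfter     = $cert.NotAfter
            ChainTrusted = $trusted
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            TopOfChain   = $top.Subject
            NameCovered  = $nameOk
        }
    }
    finally { $tcp.Close() }
}

# Placeholder host name; use the server address configured in your server farm.
Test-ArrBackendCertificate -ServerAddress 'lyncweb.contoso.com'
```

`ChainTrusted` set to `False` with a status of `UntrustedRoot` or `PartialChain` means the internal CA certificates still have to be imported into the machine's trusted stores.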
You have to repeat all the following steps for each simple URL!
Identify the simple URL here:
Ensure you have set the internal TCP Ports (8080 and 4443):
Remember, you must specify the HTTP port too. If you don't want to expose HTTP to the Internet, you have to restrict this on your fronting firewall.
Set MEMORY CACHE DURATION to: 60 seconds:
HTTP version is: PASS THROUGH and Time-Out is set to 200 seconds:
Routing: is defined as use URL Rewrite to inspect incoming requests:
Choose your public certificate for this service:
Repeat these steps for all simple URLs.
Finally, make sure all URLs are defined and have the correct settings:
The next step should be a test. I prefer the Dialin web page, since it doesn't require an immediate login. If you can see this page, also try whether you can log in. This will assure you that the Web Ticket Service in Lync is working correctly too.
Last but not least, you can validate all URL Rewrites if you click on the IIS root and click Rewrite:
So far this is the entire configuration for Lync 2013 and Lync 2010 too. If you need to publish other services, e.g. Exchange, you might choose similar settings. In Exchange you might want to use pre-authentication, which Lync 2013 does not require.
Happy IIS ARR setup ;)