In my first blog post around TMG 2010, I outlined the setup of TMG and configuration for publishing OCS 2007 R2 web components and then CWA services through that same server. Please reference that post for the basics around the network configuration for this TMG server, and I will cover configuring publishing rules for your Lync Server Simple URLs and web components in this post.
Intro Information
First, I assume you have configured simple URLs and web services when deploying your topology, and now need to publish them externally.
My URL information is as follows:
| Component | URL | IP Internal | IP External | Port on Front End | Port on External/ISA |
| --- | --- | --- | --- | --- | --- |
| Web Services | lyncweb.winxnet.com | 10.117.117.9 | 24.39.27.152 | 8080 and 4443 | 80 and 443 |
| Dialin Simple URL | dialin.winxnet.com | 10.117.117.9 | 24.39.27.152 | 8080 and 4443 | 443 |
| Meet Simple URL | meet.winxnet.com | 10.117.117.9 | 24.39.27.152 | 8080 and 4443 | 443 |
First off, note that you can use a single external IP address for all three of these URLs, as they go to the same place. Also, if you open IIS Manager on your front end server, you will notice there is an internal and an external site: the internal listens on 80 and 443, and the external on 8080 and 4443. When proxying requests through TMG, you will be sending external clients to the external site, listening on 8080 and 4443.
Also, one not-so-commonly-known fact is that the Meet simple URL is required to provide external access to meetings. You will notice that when you click the Join Online Meeting link in Outlook, it directs you to your Meet simple URL.
As far as certificates go, you must also have a certificate with the following names:
Common Name: lyncwebservicesexternalurl.domain.com (lyncweb.winxnet.com)
Subject Alt Name(s): meetsimpleurl.domain.com, dialinsimpleurl.domain.com (meet.winxnet.com, dialin.winxnet.com)
Import this certificate to the TMG server, and you can proceed with the following steps for configuration.
Another important thing regarding DNS:
If you have a separate internal domain name, you will need split brain DNS to get this working. You should already have split brain DNS configured to get your internal clients to work with auto signin.
For example, if your internal domain name is winxnet.local and your external is winxnet.com, your simple URLs should be in the winxnet.com namespace; however, you will need to resolve the winxnet.com simple URLs to the correct internal address.
At winxnet, we actually have a single namespace, winxnet.com, so it was an oversight not to point out that you would need these DNS entries resolvable internally and externally for this to work.
Thanks to Adam in the comments for pointing this out and working through the issue with me. Check out this link for a great review on how this DNS configuration works for the rest of the services:
Steps to Create Publishing Rule
While in the TMG or ISA management console, right click on Firewall Policy and choose New -> Web Site Publishing Rule.
Enter a name for the rule like Lync Web
Follow the wizard with the following options:
Select Rule Action : Allow
Publishing Type: Publish a single web site or load balancer
Server Connectivity Security: Use SSL to connect to the published Web server or server farm
Internal publishing details:
Internal Site Name: FQDN of front end server (winx-lyncrc1.winxnet.com)
If your internal server is a Standard Edition server, this FQDN is the Standard Edition server FQDN. If your internal server is an Enterprise pool, this FQDN is a hardware load balancer VIP that load balances the internal Web farm servers. The TMG Server must be able to resolve the FQDN to the IP address of the internal Web server. If the TMG Server is not able to resolve the FQDN to the proper IP address, you can select Use a computer name or IP address to connect to the published server, and then in the Computer name or IP address box, type the IP address of the internal Web server. If you do this, you must ensure that port 53 is open on the TMG Server and that it can reach an internal DNS server or a DNS server that resides in the perimeter network.
Path (optional): /*
Public Name Details:
Public Name: FQDN of external web services (lyncweb.winxnet.com)
Select Web Listener: Select New (this will open the new web listener wizard)
Web Listener Name: Anything you want, something like Lync Web Listener
Client Connection Security: Require SSL secured connections with clients
Web Listener IP Address: Select External, then Select IP Address, choose the appropriate IP address and add it to the listener
Listener SSL Certificates: Select Assign Certificate for Each IP Address, select the IP associated before, and choose your valid certificate.
Authentication Setting: No Authentication
Single Sign On Setting: Ignore, click Next
Complete the web listener wizard and choose Finish
Authentication Delegation: No Delegation, but client may authenticate directly
User Set: Ignore, click Next
Complete the rule configuration wizard and choose Finish. Then at the top hit Apply to save the configuration.
Once the rule is created, there are a couple of important settings that need to be changed; this is really the only thing that makes the Lync setup different from OCS R2.
Open the newly created rule and modify the following settings.
On the To tab, ensure that the Forward the original host header instead of the actual one check box is checked.
On the Listener tab, click to modify the properties of the web listener.
Navigate to the Connections tab and enable port 80.
On the Bridging tab, select to Redirect requests to SSL port and Redirect requests to HTTP port, enter 8080 and 4443 for your ports.
On the Public Name tab, add the Simple URLS to the list of allowed public names. In my example: meet.winxnet.com and dialin.winxnet.com.
Once these changes have been made, Apply the configuration and you are done. To verify access, you can test the following URLs in Internet Explorer.
For address book server: https://externalwebservicesfqdn/abs (https://lyncweb.winxnet.com/abs). You should receive an HTTP challenge, because directory security on the ABS folder is configured for Windows Authentication by default.
For Web conferencing: Generate an online meeting request in Outlook, or a meet now request in Lync 2010, try joining the URL provided from external, it should be similar to this: https://meet.winxnet.com/rwintle/KG2K4HDM
For Group expansion: https://externalwebservicesfqdn/GroupExpansion/service.asmx (https://lyncweb.winxnet.com/groupexpansion/service.asmx)
For Dialin: https://dialinsimpleurl.domain.com (https://dialin.winxnet.com)
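To make the post-wizard settings above checkable before you hit Apply, here is a small offline lint written for this post (added example, not from the original article or from TMG itself). It models the rule as the post describes it and flags the mistakes discussed here and in the comments: a simple URL missing from the listener's public names, bridging to 80/443 instead of 8080/4443, the host header not being forwarded, a To-tab FQDN that does not match the front end's external site certificate, and internal DNS that does not resolve the simple URLs to the front end. All names, IPs and certificate values are constructed to mirror the winxnet.com example.

```python
"""Offline lint for a TMG 2010 web publishing rule for Lync 2010 simple URLs.

Added example, not from the original post. The rule, certificate and DNS
values below are constructed to mirror the post's winxnet.com example.
"""
from dataclasses import dataclass


@dataclass
class PublishingRule:
    to_fqdn: str                    # "To" tab: internal site name TMG connects to
    public_names: list              # listener "Public Name" tab
    bridge_http: int                # Bridging tab: "Redirect requests to HTTP port"
    bridge_https: int               # Bridging tab: "Redirect requests to SSL port"
    forward_original_host_header: bool
    listener_cert_names: list       # CN plus SANs on the cert bound to the listener
    frontend_ext_cert_cn: str       # "Issued To" on the front end external (4443) site


@dataclass
class Topology:
    web_services_external: str      # external web services FQDN from Topology Builder
    simple_urls: list               # meet and dialin simple URLs
    internal_ip: str                # front end (or HLB VIP) address
    internal_dns: dict              # name -> IP as answered by the internal DNS


def lint(rule: PublishingRule, topo: Topology) -> list:
    """Return a list of misconfigurations; an empty list means the rule looks right."""
    problems = []
    for name in [topo.web_services_external] + topo.simple_urls:
        if name.lower().endswith(".local"):
            problems.append(f"{name}: simple URLs must live in the public namespace, not .local")
        if name not in rule.public_names:
            problems.append(f"{name}: missing from the listener's Public Names")
        if name not in rule.listener_cert_names:
            problems.append(f"{name}: not covered by the listener certificate")
        # Split-brain DNS: internal clients must reach the front end, not the proxy.
        if topo.internal_dns.get(name) != topo.internal_ip:
            problems.append(f"{name}: internal DNS does not resolve to {topo.internal_ip}")
    if (rule.bridge_http, rule.bridge_https) != (8080, 4443):
        problems.append(f"bridging to {rule.bridge_http}/{rule.bridge_https}: "
                        "external clients must land on the external IIS site (8080/4443)")
    if not rule.forward_original_host_header:
        problems.append("'Forward the original host header' is unchecked")
    if rule.to_fqdn.lower() != rule.frontend_ext_cert_cn.lower():
        problems.append(f"To tab '{rule.to_fqdn}' does not match the front end external site "
                        f"certificate '{rule.frontend_ext_cert_cn}' (TMG reports 0x80090322)")
    if topo.internal_dns.get(rule.to_fqdn) != topo.internal_ip:
        problems.append(f"TMG cannot resolve {rule.to_fqdn} to {topo.internal_ip}")
    return problems


# Constructed sample mirroring the post's example values.
WINXNET = Topology(
    web_services_external="lyncweb.winxnet.com",
    simple_urls=["meet.winxnet.com", "dialin.winxnet.com"],
    internal_ip="10.117.117.9",
    internal_dns={"lyncweb.winxnet.com": "10.117.117.9", "meet.winxnet.com": "10.117.117.9",
                  "dialin.winxnet.com": "10.117.117.9", "winx-lyncrc1.winxnet.com": "10.117.117.9"},
)

GOOD_RULE = PublishingRule(
    to_fqdn="winx-lyncrc1.winxnet.com",
    public_names=["lyncweb.winxnet.com", "meet.winxnet.com", "dialin.winxnet.com"],
    bridge_http=8080, bridge_https=4443, forward_original_host_header=True,
    listener_cert_names=["lyncweb.winxnet.com", "meet.winxnet.com", "dialin.winxnet.com"],
    frontend_ext_cert_cn="winx-lyncrc1.winxnet.com",
)

# Constructed: the same rule with the post-wizard edits from the post skipped.
UNEDITED_RULE = PublishingRule(
    to_fqdn="winx-lyncrc1.winxnet.com", public_names=["lyncweb.winxnet.com"],
    bridge_http=80, bridge_https=443, forward_original_host_header=False,
    listener_cert_names=["lyncweb.winxnet.com", "meet.winxnet.com", "dialin.winxnet.com"],
    frontend_ext_cert_cn="winx-lyncrc1.winxnet.com",
)

if __name__ == "__main__":
    for label, rule in (("edited rule", GOOD_RULE), ("unedited rule", UNEDITED_RULE)):
        print(label, lint(rule, WINXNET) or "OK")
```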
You should now have functioning simple URLs and web services which provide the following functionality:
- Enabling external users to download meeting content for your meetings.
- Enabling external users to expand distribution groups.
- Enabling remote users to download files from the Address Book Service.
- Accessing the Reach client
- Accessing the dial-in Web page
- Accessing the Location Information Service
- Enabling external devices to connect to Device Update Service and obtain updates.
This is the exact setup I have at the moment. I'm unable to get to the services as I always receive a 403 error. I followed your TMG directions to the T. What would really be awesome is if you have a write-up from start to finish on a simple one-server Lync and TMG! I'm pulling my hair out trying to figure out where I've gone wrong, though my Lync services work flawlessly inside.
I’m having the same problem..
Could you work around the problem?
And, you have specified your Simple URLs in the topology builder?
I will review the instructions and make sure they are correct, and look at what I can do to bring in the earlier steps
People getting 403 Forbidden errors should verify that they have a certificate installed on the lync (front end/ standard edition) server with the “Issued To” domain in the certificate MATCH EXACTLY what you have in the TO tab in your published rule.
I.e., following the example in the article, on the winx-lyncrc1.winxnet.com computer itself (which should be your Lync Standard Edition/Front End server), ensure that, in IIS Manager, the certificate associated with the external site (4443) is issued to winx-lyncrc1.winxnet.com.
If it is issued to lync.yourdomain.local, for instance, instead of replacing the certificate just change winx-lyncrc1.winxnet.com to lync.yourdomain.local in the To tab in the published rule, and ensure it can be DNS resolved from the TMG computer.
Yep…all simple URLs work fine from the inside with no problems. I get the below from the outside following your directions.
403 – Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
What are you trying to do when you get the 403? Are you actually going to the dialin url, or are you trying to join a meeting generated in outlook? As much info as you can provide about what you are doing would be great, thanks.
I can promise you that if you wrote a write up from install of LYNC. And then a write up of TMG, you will get TONS of hits. There are tons of searches right now about how to setup a one server LYNC and allow inside/outside through TMG.
I'm trying to access the external URL. Everything works inside with no problems. I have TMG set up and followed your directions to get outside working. It forwards properly as shown in the logs, but I get the 403 error only when attempting from the outside world.
All servers are 2008R2
DC = Windows SBS 7
Member Server = Lync
Member Server = TMG
Okay, can you send me the URL you are trying to access by chance?
If you want, you can email me rwintle at winxnet dot com
That will be the best way for me to see what is happening as well and potentially help you.
Thanks.
Still no luck getting past the 403 from the outside. Hopefully I can figure it out soon; when I do I will post an update.
Post has been updated to include information on the fix for Adam’s issue, and hopefully the fix for everyone.
I will try to get time to write up an end-to-end blog post including some split DNS config, but that will take some time.
Thank you for all of your help Randy. Lync Server 2010 has REAL potential.
Can I use the TMG/ISA Server instead of a HW load balancer for publishing the Lync web services? I could publish the 2 Lync Enterprise servers as a web farm on my TMG enterprise farm. With this solution there shouldn't be any need for a HW load balancer. Is this correct?
I know this setup is not supported. However that doesn’t mean it won’t function properly, but only for web traffic. I don’t think you could get any psom traffic to work for conferences, I’ve never tried though.
Thanks for your reply; I will soon test this scenario.
Hi Randy,
Great post, thank you.
I have one small problem: after an amount of time my external Lync clients report that they cannot synchronize with the corporate address book. Everything else seems to work OK (meet, dialin etc).
I have an Enterprise set up with a Front End and an Edge Server so that external Lync clients can sign in and I use PICS and Federation.
Any advice you can give would be great.
Thanks
I have followed these instructions though I am having an issue with external users without lync installed connecting to meetings. When they click the meet.domain.com link in the meeting it redirects them to lync.domain.com. Lync.domain.com is the internal url of my Lync server this is not exposed to the internet. I have published using webext.domain.com, meet.domain.com and dialin.domain.com. Obviously there is a redirection issue here. Do you have any insight to this?
Hi.
I deployed my lync configuration. SFE+edge.
Edge is ip1, ip2, ip3 (lyncsip.dom, lyncweb.dom and lyncav.dom). All IPs are coming out directly to the internet.
On my ISA server is ip4 with meet.dom.
Inside everything is working great.
Outside I have a little problem. After an external user uses my link, the attendant is showing and everything is OK up to the moment when I'm admitting him. When I click admit, the external client shows the 'The conferencing service did not respond' message.
Where should I look for a solution?
I'm also struggling with this. I've set up split DNS and everything works fine except the web conferencing. When I hit the URL https://meet..com//…. I initially see a Lync web page. This web page, however, tries to redirect me to the internal Lync server…
This is apparently where it sends me to:
var reachURL = “https://.loc/Reach/Client/WebPages/ReachJoin.aspx?xml=”;
Anyone seen this?
That URL is pulled from your pool settings for external web services.
If you open topology builder, right click on the front end pool and choose properties.
You will see an internal URL, and external URL. Make sure that external URL is set to the public address
Thank you for your quick reply
I cannot put the public address into that configuration as the deployment tools complains about the fact, that the address is in use as a simple url, which it is indeed.
Just to add to Randy’s answer, you need to enter the external url of the reverse proxy and not one of the simple url values.
I’m having an issue with TMG blocking the request. My setup is as follows:
Standard Edition Front end Pool
Edge server for external user access
TMG with a nic in DMZ (Public IP is NAT to this dmz ip), and an internal nic
I’ve setup the firewall policy (TMG) to allow http and https to meet, dialin, lync and point to the IP of the Lync Front End server.
When attempting to access the meet.domain.com page, TMG reports:
Denied Connection
Log type: firewall service
Status: the policy rules do not allow the user request
Rule: default rule
Source: External (32.168.203.xxx:55595)
Destination: Local Host 192.168.50.12:8080
Protocol: http proxy
If I try to go to https://meet.domain.com, I still get denied, but the Protocol says: Unidentified IP traffic (TCP:4443)
Any suggestions?
Thanks,
Jason
Randy,
Any comment to this issue? A year later and I’m revisiting this to try and get TMG working properly.
Can you confirm your TMG rule is allowing 4443 to the front end server? The bridging will be directing that traffic to 4443 or 8080. Thanks.
I can confirm that I am doing this, but running into the same issue. I am getting error code 408 – operation timeout when going to my various external sites. I can see it hitting the TMG and am getting the unidentified IP traffic messages.
Any ideas? Thanks!
Hi!
Is it really necessary to publish HTTP for Lync web services? I dislike publishing unencrypted traffic to Internet and would prefer publishing only the HTTPS port.
Thanks!
Thanks for the post, very useful. It seems that everything is working fine, but external anonymous users cannot download or even view PowerPoint presentations uploaded by internal users. They receive an error: Name couldn't be resolved. Internal users are OK. I have Lync Edge and TMG.
Thanks Randy for your article!
I am trying to get the 2010 TMG to work with Lync in a lab setting using internal certs. I have an internal root CA setup. The TMG is in a workgroup and not connected to the domain. I have imported root CA certs (via the MMC) and they are “invalid” according to the TMG.
Can you point me in the right direction?
Thank you,
BK
This is a very good Blog Randy…thank you. I can’t seem to find more information about publishing for many SIP domains. I have about 6 SIP domains (and growing) that work internally. I would like to setup simpleurls to be
https://lync.domain.com/domain1/meet
https://lync.domain.com/domain2/meet
https://lync.domain.com/domain3/meet
etc…
In an edge certificate, I know I would require lync.domain.com but what about the sip entry for each domain. What would my certificate require for SAN entries?
dialin.domain.com
lync.domain.com
sip.domain.com
sip.domain1.com
sip.domain2.com
…
So, when you publish in that format.
You basically will only need to include lync.domain.com in your certificate, and you should also have the SIP entry for each domain for the access edge service on your edge.
Excellent! I appreciate it, thank you.
Late post here: We also have a single namespace. I am struggling with how I can get internal clients to resolve meet.domain.com, which points to the hardware load balancer, and not resolve to the external interface of the reverse proxy server. You must have gone through this. How did you solve this issue?
Also, I am thinking of hardware load balancing for reverse proxy server, do I need a VIP for internal interfaces of reverse proxy servers for the out going traffic?
Thanks in advance.
-Henry
Randy:
Did you forget to add a graphic for the “Listener Tab” ?
See U in Dallas later in the month!
BK
Hi,
I have a question related to web conferencing. Is it possible to start Meet Now conferencing when all my test scenario is in the local network, my domain is a local domain, I'm not using an Edge server, and I'm not using TMG?
Whenever I start a https://meet… conference the user can't connect to this conference and after a timeout the conference drops me. When I start a conference through https://dialin… or I dial my conference number everything works fine.
In other words, do I need Edge or external access to make it up and running?
BR
Tom
You do not need edge or reverse proxy for any type of internal meeting scenarios.
Your internal users should resolve meet.domain.com to the front end pool in your environment.
Everything should work fine as long as that is in place.
Thank you sir, for the excellent walk-through; however, I am having issues. What do you do when your public web services URL is, say, lyncweb.winxnet.com, but your meet and dialin URLs are meet.winxnet.local and dialin.winxnet.local? Obviously NOT in public DNS. I am getting 404 – File or directory not found. When a user tries to invite by email the link provided is https://meet.winxnet.LOCAL/username… I am assuming that an external user would substitute the web services URL https://lyncweb.winxnet.COM/username…? Doing this generates the 404 for the external user.
You need to specify .com as your meet and dialin URLs, not .local.
Hey Randy. Great write up. I have our TMG in a perimeter (dmz) network. Would I have to add an additional IP if there is already a listener setup for our exchange on that IP?
Thanks much!!
You can get away with a single IP and single listener only if you have a certificate with all of the names.
That is not common, so we usually do two ips and two listeners, with two certs.
Now, if it makes more sense for you to buy a cert with your exchange and lync names on it, and then use a single IP/listener, you can do that no problem.
TMG will look at the host header in the rule and send based on that.
I took off the External Networks and just left the perimeter network and it lets me get through.
Thanks for the quick reply. I added another IP to the DMZ NIC and changed it to a different IP in the Lync web listener, but it still gives the "specifying the same port and similar IP addresses is already used by rule Exchange, etc., etc." error.
I have newly installed TMG reverse proxy for Lync.
I did everything, but when I click the test rule an error occurs;
testing https://lync.domain.com:4443/
Destination server certificate error.
Error details: 0x80090322 – The target principal name is incorrect.
But the certificate has a lync.domain.com SAN.
When I try this:
on the Bridging tab, redirect 80 and 443 (not 8080 and 4443), the test is successful.
What the problem is I don't know. Do you have any idea?
Thank you.
Hi,
Hoping you can help. I have a virtualised setup, with TMG, using a single external IP. The FQDNs are the same internally and externally [domain.com] and I chose to have the simple URLs as lync.domain.com/meet and lync.domain.com/dialin using an internal certificate. The consolidated Lync server has a FQDN of venus.limbada.com both internal and external.
My problem is, internally mobile clients can log in, and URLs seem to work. Externally, workstation clients and OWA clients can connect, but can't access the simple URLs; also mobile access doesn't work externally.
I've been playing around with this for weeks, created from scratch a number of times. Any suggestions or pointers please…?
Hi, Randy.
First of all, that's such a very nice and very helpful post,
but I'm wondering about something with the Lync external topology.
In my actual topology I have one Edge server, which has two NICs – one for the public net and another one a local NIC connected directly to my Lync FE and AD servers,
and I have a question for you: should I have two public IP addresses – one for the Edge server and another for the TMG server, or maybe after a TMG server I should put an Edge server and in the TMG server I should define an Edge policy that forwards port 5061 and 443 to the Edge server?
What should be a proper network topology?
I also have a strange case about using the Attendee Lync client: when I'm trying to use domain credentials it's not working (maybe I should do some LDAP route on port 389 from internal to external, and is it safe for my company?)
Please advise, or maybe you or others know some good post about configuring a Lync environment to cooperate with the Attendee client for external users?
Randy,
I have been working on my Lync implementation for a while now and have found your documentation to be some of the best. I am still struggling with a couple of things though. I have a single Standard Edition server and a single-legged TMG box for my reverse proxy. Most of my internal clients are good with autoconfiguration, with the exception of my Apple and Android devices. Externally however, my PC clients get the infamous 403 error when browsing to my simple URL. My question is this: should I have an Edge server, and can it be on the same box as my Standard/FE box? This is a small implementation (250 users), or should I build a separate box for Edge if I need one. Any thoughts you have are greatly appreciated.
Let me try to help you out here.
1. For any external users, you must have an Edge server. This server cannot be collocated with any other role, and it should live in a DMZ for security purposes. The Edge server will securely proxy users through to the internal front end servers. The Edge server is also a secure media relay, so it opens up your internal users to audio/video/sharing with external users, securely.
2. What simple URL are you saying is giving a 403 error to your external PC clients?
Thanks, that clears things up for me a little bit, but adds questions too. I am using the URL https://lyncdiscover.domain.com/abs from my external test PC and Mac with the same result – the 403. The additional question is this: with the implementation of the Edge box, everything I see about setting up my reverse proxy says to point my publishing rules to the internal server, so how does the Edge box proxy the communications? Or is that just how Lync gets the valid data back out to the external network? Thank you so much for taking the time to help me with these questions.
Great post!
But I'm wondering, since TMG 2010 is now abandoned by Microsoft, what are the alternatives for publishing those securely? Especially with Lync 2013 now, what does Microsoft suggest?
There are many solutions available to publish these web services. UAG is a Microsoft product that is somewhat capable of doing it, however it does not work for all scenarios and I would not recommend it.
However, you can work with various HLB providers such as Kemp, F5 or A10 to perform the same steps. Also, the product group will be publishing documentation shortly on common configurations for third party solutions, so look out for that.
Hi Randy,
As UAG is not the best option, can we use F5 to publish web services, or are any other good options available for Lync 2010?
-Rao
Hi Rao! Yes, many of my customers these days actually use F5 instead of TMG or UAG.
Any HLB solution that allows reverse proxy publishing will work. I know F5 works very well!