Publishing Lync Server 2010 (RC) Simple URLs and Web Components with Forefront TMG 2010

In my first blog post around TMG 2010, I outlined the setup of TMG and configuration for publishing OCS 2007 R2 web components and then CWA services through that same server. Please reference that post for the basics around the network configuration for this TMG server, and I will cover configuring publishing rules for your Lync Server Simple URLs and web components in this post.

Intro Information

First, I assume you have already configured the simple URLs and web services when deploying your topology, and now need to publish them externally.

My URL information is as follows:

Component         | URL                | Internal IP  | External IP   | Port on Front End | Port on External/ISA
Web Services      | lyncweb.domain.com | 10.117.117.9 | xxx.39.27.152 | 8080 and 4443     | 80 and 443
Dialin Simple URL | dialin.domain.com  | 10.117.117.9 | xxx.39.27.152 | 8080 and 4443     | 443
Meet Simple URL   | meet.domain.com    | 10.117.117.9 | xxx.39.27.152 | 8080 and 4443     | 443

First off, you can use a single external IP address for all three of these URLs, as they all go to the same place. Also, if you open IIS Manager on your front end server, you will notice there is an internal and an external site: the internal site listens on 80 and 443, and the external site on 8080 and 4443. When proxying requests through TMG, you will be sending external clients to the external site, listening on 8080 and 4443.


Also, one not so commonly known fact is that the Meet simple URL is required to provide external access to meetings. When you click the Join Online Meeting link in Outlook, you will notice it directs you to your meet simple URL.

As far as certificates go, you must also have a certificate with the following names:

Common Name: lyncwebservicesexternalurl.domain.com

Subject Alt Name(s): meetsimpleurl.domain.com,dialinsimpleurl.domain.com

Import this certificate to the TMG server, and you can proceed with the following steps for configuration.

Another important thing regarding DNS:

If you have a separate internal domain name, you will need split brain DNS to get this working. You should already have split brain DNS configured to get your internal clients to work with auto signin.

For example, if your internal domain name is domain.local and your external is domain.com, your simple urls should be for the domain.com namespace, however you will need to resolve the domain.com simple URLs to the correct internal address.

Thanks to Adam in the comments for pointing this out and working through the issue with me. Check out this link for a great review of how this DNS configuration works for the rest of the services:

http://blogs.technet.com/b/drrez/archive/2010/08/17/split-brain-domain-name-services-for-communications-server.aspx
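As an added example (not part of the original post), here is the internal half of the split-brain setup scripted against a Windows DNS server with dnscmd.exe, which ships with the DNS Server role. It creates an internal copy of the public zone, adds the three records pointing at the front end's internal IP from the table above, and then checks what an internal host actually resolves. The DNS server name is an assumption; the zone, record names and IP are the post's sample values.

```powershell
# Added example, not from the original post: create the internal copy of the
# public namespace on a Windows DNS server so internal clients resolve the simple
# URLs to the front end, while public DNS keeps sending external clients to the
# TMG listener. IPs and names are the post's sample values; $DnsServer is an
# assumed name. dnscmd.exe ships with the DNS Server role (2008 R2 era tooling).

$DnsServer  = 'dc01.domain.local'          # assumed: your internal DNS server
$PublicZone = 'domain.com'                 # external namespace the simple URLs live in
$FrontEndIP = '10.117.117.9'               # internal IP of the front end (post's table)
$Records    = 'lyncweb', 'meet', 'dialin'  # web services FQDN plus the two simple URLs

# Create the internal zone only if this server does not already host it.
$zoneList = & dnscmd $DnsServer /EnumZones
$zoneLine = $zoneList -match ('^\s*' + [regex]::Escape($PublicZone) + '\s')
if (-not $zoneLine) {
    & dnscmd $DnsServer /ZoneAdd $PublicZone /DsPrimary
}

# One A record per published name, all pointing at the front end (internal site,
# ports 80/443), never at the TMG listener's public address.
foreach ($name in $Records) {
    & dnscmd $DnsServer /RecordAdd $PublicZone $name A $FrontEndIP
}

# Verify from an internal host (plain resolver call, so it works on PowerShell 2.0).
foreach ($name in $Records) {
    $fqdn    = "$name.$PublicZone"
    $answers = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    if ($answers -contains $FrontEndIP) {
        Write-Host ("OK   {0} -> {1}" -f $fqdn, ($answers -join ', '))
    } else {
        Write-Warning ("{0} resolves to {1}, expected {2}; record missing or stale cache (ipconfig /flushdns)" -f $fqdn, ($answers -join ', '), $FrontEndIP)
    }
}
```

One caveat worth checking before running this: once domain.com exists as an internal zone, internal clients resolve every domain.com name from it, so any other public records they need (www, mail, autodiscover and so on) must be copied into the internal zone too, or they stop resolving. The record names must also match the simple URLs entered in Topology Builder exactly.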

Steps to Create Publishing Rule

In the TMG or ISA management console, right-click Firewall Policy and choose New -> Web Site Publishing Rule.


Enter a name for the rule like Lync Web

Follow the wizard with the following options:

Select Rule Action : Allow

Publishing Type: Publish a single web site or load balancer

Server Connectivity Security: Use SSL to connect to the published Web server or server farm

Internal publishing details:

Internal Site Name: FQDN of front end server 

If your internal server is a Standard Edition server, this FQDN is the Standard Edition server FQDN. If your internal server is an Enterprise pool, this FQDN is a hardware load balancer VIP that load balances the internal Web farm servers. The TMG Server must be able to resolve the FQDN to the IP address of the internal Web server. If the TMG Server is not able to resolve the FQDN to the proper IP address, you can select Use a computer name or IP address to connect to the published server, and then in the Computer name or IP address box, type the IP address of the internal Web server. If you do this, you must ensure that port 53 is open on the TMG Server and that it can reach an internal DNS server or a DNS server that resides in the perimeter network.

Path (optional): /*

Public Name Details:

Public Name: FQDN of external web services

Select Web Listener: Select New (this opens the New Web Listener wizard)

Web Listener Name: Anything you want, something like Lync Web Listener

Client Connection Security: Require SSL secured connections with clients

Web Listener IP Address: Select External and then Select IP Address choose the appropriate IP address and add it to the listener

Listener SSL Certificates: Select Assign Certificate for Each IP Address, select the IP associated before, and choose your valid certificate.

Authentication Setting: No Authentication

Single Sign On Setting: Ignore, click Next

Complete the web listener wizard and choose Finish

Authentication Delegation: No Delegation, but client may authenticate directly

User Set: Ignore, click Next

Complete the rule configuration wizard and choose Finish. Then at the top hit Apply to save the configuration.

 

Once the rule is created, there are a couple of important settings that need to be changed; this is really the only thing that makes the Lync setup different from OCS R2.

Open the newly created rule and modify the following settings.

On the To tab, ensure that the Forward the original host header instead of the actual one check box is checked.



On the Listener Tab, click to modify the properties of the web listener

Navigate to the Connections tab and enable port 80


On the Bridging tab, select Redirect requests to SSL port and Redirect requests to HTTP port, and enter 4443 for the SSL port and 8080 for the HTTP port (the ports of the external IIS site on the front end).


On the Public Name tab, add the simple URLs to the list of allowed public names.


Once these changes have been made, Apply the configuration and you are done. To verify access, you can test the following URLs in Internet Explorer.

For address book server: https://externalwebservicesfqdn/abs

You should receive an HTTP challenge, because directory security on the ABS folder is configured for Windows Authentication by default.

For Web conferencing: Generate an online meeting request in Outlook, or a meet now request in Lync 2010, try joining the URL provided from external, it should be similar to this: https://meet.domain.com/rwintle/KG2K4HDM

For Group expansion: https://externalwebservicesfqdn/GroupExpansion/service.asmx 

For Dialin: https://dialinsimpleurl.domain.com
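As an added example (not part of the original post), the verification above can be run from an external machine as a script rather than by hand in Internet Explorer. For each published name it checks public DNS, makes an HTTPS request with normal certificate validation left on, confirms the listener certificate carries the hostname in its CN or SAN as required above, and compares the status code against what the post says to expect (401 for /abs, 200 elsewhere). The hostnames are the post's sample values; the expected status per URL and the interpretation of 403 and redirects are taken from the post and its comment thread.

```powershell
# Added example, not from the original post: run from an external machine to
# check the published names end to end. Hostnames and paths are the post's
# sample values; replace them with yours. Expected statuses follow the post:
# /abs answers 401 (Windows authentication challenge); the other pages 200.

$Checks = @(
    @{ Url = 'https://lyncweb.domain.com/abs';                         Expect = 401 },
    @{ Url = 'https://lyncweb.domain.com/GroupExpansion/service.asmx'; Expect = 200 },
    @{ Url = 'https://dialin.domain.com/';                             Expect = 200 },
    @{ Url = 'https://meet.domain.com/';                               Expect = 200 }
)

function Get-CertificateNames($cert) {
    # Collect the CN and every DNS Subject Alternative Name on the listener cert.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -match 'DNS Name=(.+)') { $names += $matches[1].Trim() }
        }
    }
    return $names
}

function Test-PublishedUrl([string]$Url, [int]$Expect) {
    $uri = [Uri]$Url
    $r = New-Object PSObject -Property @{ Url = $Url; Dns = ''; CertOk = $null; Status = $null; Note = '' }

    # 1. Public DNS must point the name at the TMG listener's external address.
    try {
        $r.Dns = ([System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.IPAddressToString }) -join ', '
    } catch {
        $r.Note = "DNS lookup failed: $($_.Exception.Message)"
        return $r
    }

    # 2. HTTPS request with default certificate validation left on, so a
    #    listener certificate that lacks this name fails here as TrustFailure.
    $req = [System.Net.HttpWebRequest]::Create($uri)
    $req.Method = 'GET'
    $req.Timeout = 15000
    $req.AllowAutoRedirect = $false        # show where meet/dialin try to send us
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response      # set for 401/403/404, null for TLS or connect failures
        if ($resp -eq $null) {
            $r.Note = "connection failed: $($_.Exception.Status) - $($_.Exception.Message)"
            return $r
        }
    }
    $r.Status  = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()

    # 3. The certificate presented on this connection must carry the hostname
    #    (CN or SAN), as the post's certificate requirements describe.
    if ($req.ServicePoint.Certificate) {
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $req.ServicePoint.Certificate
        $names = Get-CertificateNames $cert
        $r.CertOk = [bool]($names -contains $uri.Host)
        if (-not $r.CertOk) { $r.Note = "cert names: $($names -join ', '); " }
    }

    # 4. Interpret the status against what the post says to expect.
    if ($r.Status -eq $Expect) {
        $r.Note += 'as expected'
    } elseif ($r.Status -eq 403) {
        $r.Note += '403: a commenter traces this to the front end certificate name not matching the rule To tab'
    } elseif ($r.Status -ge 300 -and $r.Status -lt 400) {
        $r.Note += "redirects to $location; an internal name here means the pool external web services URL is wrong"
    } else {
        $r.Note += "unexpected status $($r.Status)"
    }
    return $r
}

$Checks | ForEach-Object { Test-PublishedUrl -Url $_.Url -Expect $_.Expect } |
    Format-Table Url, Dns, CertOk, Status, Note -AutoSize
```

Redirects are deliberately not followed so that a meet or dial-in page that bounces to an internal name shows up in the Note column instead of silently failing, and certificate validation is left at the .NET default so a listener certificate missing one of the three names is reported as a connection failure rather than masked.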

You should now have functioning simple URLs and web services which provide the following functionality:

  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book Service.
  • Accessing the Reach client
  • Accessing the dial-in Web page
  • Accessing the Location Information Service
  • Enabling external devices to connect to Device Update Service and obtain updates.



    Posted on by Randy Wintle in Communications Server 2010, Forefront TMG 2010, Lync, Lync RC, Reach Client, Simple URL, Threat Management Gateway, TMG, TMG 2010 67 Comments

    67 Responses to Publishing Lync Server 2010 (RC) Simple URLs and Web Components with Forefront TMG 2010

    1. Pingback: Publishing Lync Server 2010 (RC) Simple URLs and Web Components with Forefront TMG 2010 « Microsoft UC Made Easy « JC’s Blog-O-Gibberish

    2. Adam

      This is the exact setup I have at the moment. I'm unable to get to the services as I always receive a 403 error. I followed your TMG directions to the T. What would really be awesome is if you have a write up from start to finish on a simple one server LYNC and TMG! I'm pulling my hair out trying to figure out where I've gone wrong. Though my LYNC services work flawlessly inside.

       
      • Linn

        I’m having the same problem..

         
        • cenk

          could you work around the problem ??

           
      • Randy Wintle

        And, you have specified your Simple URLs in the topology builder?

        I will review the instructions and make sure they are correct, and look at what I can do to bring in the earlier steps 🙂

         
      • DerekJ

        People getting 403 Forbidden errors should verify that they have a certificate installed on the lync (front end/ standard edition) server with the “Issued To” domain in the certificate MATCH EXACTLY what you have in the TO tab in your published rule.

        I.E. following the example in the article, on the winx-lyncrc1-winxnet.com computer itself (which should be your lync standard edition/Front End server) insure that -in IIS manager- the certificate associated with the external site (4443 ) is issued to (winx-lyncrc1-winxnet.com).

        If it is issued to lync.yourdomain.local for instance, instead of replacing the certificate just change the winx-lyncrc1-winxnet.com to lync.yourdomain.local in the TO tab in the published rule, and insure it can be DNS resolved from the TMG computer.

         
    3. Adam

      Yep…all simple URLs work fine from the inside with no problems. I get the below from the outside following your directions.

      403 – Forbidden: Access is denied.
      You do not have permission to view this directory or page using the credentials that you supplied.

       
      • Randy Wintle

        What are you trying to do when you get the 403? Are you actually going to the dialin url, or are you trying to join a meeting generated in outlook? As much info as you can provide about what you are doing would be great, thanks.

         
    4. Adam

      I can promise you that if you wrote a write up from install of LYNC. And then a write up of TMG, you will get TONS of hits. There are tons of searches right now about how to setup a one server LYNC and allow inside/outside through TMG.

       
    5. Adam

      I'm trying to access the external URL. Everything works inside with no problems. I have TMG setup and followed your directions to get outside working. It forwards properly as shown in the logs. But I get the 403 error only when attempting from the outside world.

      All servers are 2008R2

      DC = Windows SBS 7
      Member Server = Lync
      Member Server = TMG

       
      • Randy Wintle

        Okay, can you send me the URL you are trying to access by chance?

        If you want, you can email me rwintle at winxnet dot com

        That will be the best way for me to see what is happening as well and potentially help you.

        Thanks.

         
    6. Adam

      Still no luck getting past the 403 from the outside. Hopefully I can figure it out soon…when I do I will post an update.

       
      • Randy Wintle

        Post has been updated to include information on the fix for Adam’s issue, and hopefully the fix for everyone.

        I will try to get time to write up an end-to-end blog post including some split DNS config, but that will take some time 🙂

         
        • Adam

          Thank you for all of your help Randy. Lync Server 2010 has REAL potential.

           
    7. bueschu

      Can I use the TMG/ISA Server instead of an HW loadbalancer for publishing the lync web services? I could publish the 2 lync enterprise servers as a webfarm on my TMG enterprise farm. With this solution there shouldn't be any need for a HW loadbalancer. Is this correct?

       
      • Randy Wintle

        I know this setup is not supported. However that doesn’t mean it won’t function properly, but only for web traffic. I don’t think you could get any psom traffic to work for conferences, I’ve never tried though.

         
        • bueschu

          Thank’s for your reply – I will soon test this scenario.

           
    8. Pingback: Publishing Lync Server 2010 (RC) Simple URLs and Web Components with Forefront TMG 2010 « Microsoft UC Made Easy « JC’s Blog-O-Gibberish

    9. Pingback: Publishing Lync Server 2010 Simple URLs and Web Components with Forefront TMG 2010 « Mino – The UC Guy

    10. Pingback: Publicação do Lync 2010 com TMG « Rodrigo Rodrigues .:. www.andersonpatricio.org

    11. Pingback: Publishing Lync Server 2010 (RC) Simple URLs and Web Components with Forefront TMG 2010 | Volta82's Blog

    12. David

      Hi Randy,

      Great post, thank you.

      I have one small problem: after an amount of time my external Lync clients report that they cannot synchronize with the corporate address book. Everything else seems to work OK (meet, dialin etc).

      I have an Enterprise set up with a Front End and an Edge Server so that external Lync clients can sign in and I use PICS and Federation.

      Any advice you can give would be great.

      Thanks

       
    13. Pingback: Deploying an Edge Server with Lync « The OCS Guy's Blog

    14. Pingback: Lync Server 2010 features and how to configure them « msunified.net

    15. Joe

      I have followed these instructions though I am having an issue with external users without lync installed connecting to meetings. When they click the meet.domain.com link in the meeting it redirects them to lync.domain.com. Lync.domain.com is the internal url of my Lync server this is not exposed to the internet. I have published using webext.domain.com, meet.domain.com and dialin.domain.com. Obviously there is a redirection issue here. Do you have any insight to this?

       
    16. Marcin

      Hi.
      I deployed my lync configuration. SFE+edge.
      Edge is ip1,ip2,ip3 (lyncsip.dom lyncweb.dom and lyncav.dom). All IPs are coming out directly to internet.
      On my isa server is ip4 with meet.dom.
      Inside everything is working great.
      Outside I have a little problem. After external user uses my link, attendant is showing and everything is ok to the moment when I'm admitting him. When I click Admit, external client is showing 'The conferencing service did not respond' message.
      Where should i look for a solution?

       
    17. Pingback: Publishing Lync Server 2010 Simple URLs and Web Components with Forefront TMG 2010 « People Communicate

    18. Pingback: Set Up Reverse Proxy Servers for Lync « haydarkaplan

    19. hlob

      I’m also struggling with this. I’ve setup split dns and everything works fine except the web conferencing. When I hit the URL https://meet..com//…. I initially see a lync web page. This webpage, however, tries to redirect me to the internal lync server…
      This is apparently where it sends me to:
      var reachURL = “https://.loc/Reach/Client/WebPages/ReachJoin.aspx?xml=”;

      Anyone seen this?

       
      • Randy Wintle

        That URL is pulled from your pool settings for external web services.

        If you open topology builder, right click on the front end pool and choose properties.

        You will see an internal URL, and external URL. Make sure that external URL is set to the public address

         
        • hlob

          Thank you for your quick reply 😉
          I cannot put the public address into that configuration as the deployment tools complains about the fact, that the address is in use as a simple url, which it is indeed.

           
      • Jetze Mellema

        Just to add to Randy’s answer, you need to enter the external url of the reverse proxy and not one of the simple url values.

         
    20. Jason

      I’m having an issue with TMG blocking the request. My setup is as follows:

      Standard Edition Front end Pool
      Edge server for external user access
      TMG with a nic in DMZ (Public IP is NAT to this dmz ip), and an internal nic

      I’ve setup the firewall policy (TMG) to allow http and https to meet, dialin, lync and point to the IP of the Lync Front End server.

      When attempting to access the meet.domain.com page, TMG reports:
      Denied Connection
      Log type: firewall service
      Status: the policy rules do not allow the user request
      Rule: default rule
      Source: External (32.168.203.xxx:55595)
      Destination: Local Host 192.168.50.12:8080
      Protocol: http proxy

      If I try to go to https://meet.domain.com, I still get denied, but the Protocol says: Unidentified IP traffic (TCP:4443)

      Any suggestions?

      Thanks,
      Jason

       
      • Jason

        Randy,
        Any comment to this issue? A year later and I’m revisiting this to try and get TMG working properly.

         
        • Randy Wintle

          Can you confirm your TMG rule is allowing 4443 to the front end server? The bridging will be directing that traffic to 4443 or 8080. Thanks.

           
          • Ryan

            I can confirm that I am doing this, but running into the same issue. I am getting error code 408 – operation timeout when going to my various external sites. I can see it hitting the TMG and am getting the unidentified IP traffic messages.

            Any ideas? Thanks!

             
    21. German

      Hi!

      Is it really necessary to publish HTTP for Lync web services? I dislike publishing unencrypted traffic to Internet and would prefer publishing only the HTTPS port.

      Thanks!

       
    22. Max

      Thanks for post, very useful. Seems that all working fine, but external anonymous users cannot download or even view PowerPoint presentations uploaded by internal users. They receive an error: Name couldn’t be resolved. Internal users – OK. I have Lync Edge and TMG.

       
    23. Pingback: Deploying an Edge Server with Lync 2010 « People Communicate

    24. bob-K

      Thanks Randy for your article!

      I am trying to get the 2010 TMG to work with Lync in a lab setting using internal certs. I have an internal root CA setup. The TMG is in a workgroup and not connected to the domain. I have imported root CA certs (via the MMC) and they are “invalid” according to the TMG.

      Can you point me in the right direction?

      Thank you,

      BK

       
    25. Dan

      This is a very good Blog Randy…thank you. I can’t seem to find more information about publishing for many SIP domains. I have about 6 SIP domains (and growing) that work internally. I would like to setup simpleurls to be

      https://lync.domain.com/domain1/meet
      https://lync.domain.com/domain2/meet
      https://lync.domain.com/domain3/meet
      etc…

      In an edge certificate, I know I would require lync.domain.com but what about the sip entry for each domain. What would my certificate require for SAN entries?

      dialin.domain.com
      lync.domain.com
      sip.domain.com
      sip.domain1.com
      sip.domain2.com

       
      • Randy Wintle

        So, when you publish in that format.

        You basically will only need to include lync.domain.com in your certificate, and you should also have the SIP entry for each domain for the access edge service on your edge.

         
    26. Dan

      Excellent! I appreciate it, thank you.

       
    27. Henry

      Late post here: We also have a single name space. I am struggling how I can get internal client to resolve meet.domain.com which is point to hardware load balancer and not resolve external interface of reverse proxy server. You must have gone through this. How did you solve this issue?
      Also, I am thinking of hardware load balancing for reverse proxy server, do I need a VIP for internal interfaces of reverse proxy servers for the out going traffic?

      Thanks in advance.
      -Henry

       
    28. Bob Krangle

      Randy:

      Did you forget to add a graphic for the “Listener Tab” ?

      See U in Dallas later in the month!

      BK

       
    29. Pingback: Publishing Lync Web Services with Forefront UAG SP1- Beta Guide « Microsoft UC Made Easy

    30. Pingback: Deploying an Edge Server with Lync | The Lync Guy's Blog (Formerly OCSGuy)

    31. Tom

      Hi,

      I have a question related to web conferencing. Is it possible to start meet now conferencing when all my test scenario is in local network, my domain is local domain, I'm not using edge server, and I'm not using TMG?
      Whenever I start https://meet… conference user can't connect to this conference and after timeout conference drops me. When I start conference through https://dialin… or I dial my conference number everything works fine?
      In other words, do I need edge or external access to make it up and running?
      BR
      Tom

       
      • Randy Wintle

        You do not need edge or reverse proxy for any type of internal meeting scenarios.

        Your internal users should resolve meet.domain.com to the front end pool in your environment.

        Everything should work fine as long as that is in place.

         
    32. Robert

      Thank you sir, for the excellent walkthrough – however, I am having issues. What do you do when your public webservices url is say lyncweb.winxnet.com, but your meet and dialin URLs are meet.winxnet.local and dialin.winxnet.local? Obviously NOT in public DNS. I am getting 404 – File or directory not found. When a user tries invite by email the link provided is https://meet.winxnet.LOCAL/username… I am assuming that an external user would substitute the web services URL https://lyncweb.winxnet.COM/username…? Doing this generates the 404 for the external user.

       
      • Randy Wintle

        You need to specify .com as your meet and dialin urls, not .local

         
    33. Dave

      Hey Randy. Great write up. I have our TMG in a perimeter (dmz) network. Would I have to add an additional IP if there is already a listener setup for our exchange on that IP?

      Thanks much!!

       
      • Randy Wintle

        You can get away with a single IP and single listener only if you have a certificate with all of the names.

        That is not common, so we usually do two ips and two listeners, with two certs.

        Now, if it makes more sense for you to buy a cert with your exchange and lync names on it, and then use a single IP/listener, you can do that no problem.

        TMG will look at the host header in the rule and send based on that.

         
        • Dave

          I took off the External Networks and just left the perimeter network and it lets me get through.

           
    34. Dave

      Thanks for the quick reply. I added another IP to the DMZ nic and changed it to a different IP in the Lync web listener, but it still gives the “specifying the same port and similar IP addresses is already used by rule Exchange, etc., etc.

       
    35. oguzhan

      I have new installed TMG reverse proxy for lync.
      I did everything but when I click the test rule an error occurs;
      testing https://lync.domain.com:4443/
      Destination server certificate error.
      Error details: 0x80090322 – The target principal name is incorrect.
      But certificate has lync.domain.com san.

      when I try this;
      on the bridging tab, redirect 80 and 443 (not 8080 and 4443), test is successful.
      What is the problem I don't know. Do you have any idea?

      Thank you.

       
    36. H Limbada

      Hi,

      Hoping you can help. I have a virtualised setup, with TMG, using a single external IP. The FQDNs are the same internally and externally [domain.com] and I chose to have the simple URL as lync.domain.com/meet and lync.domain.com/dialin using internal certificate. The consolidated Lync server has a FQDN of venus.limbada.com both internal and external.

      My problem is, internally mobile clients can login, and urls seem to work. Externally, work station clients and OWA clients can connect, but can't access the simple urls; also mobile access doesn't work externally.

      I’ve been playing around with this for weeks, created from scratch a number of times. Any suggestions or pointers please…?

       
    37. Pingback: Lync 2010 Setup | Adventures of an IT Ninja

    38. DOOMinik

      Hi, Randy.

      First at all, that’s such a very nice and very helpful post,
      but I'm wondering about something with lync external topology.
      In my actual topology I have an one edge server, which has two NICs – one for public net and another one to local NIC connected directly to my Lync FE and AD servers,
      and I have question for You, should I have two public ip addresses – one for edge server and another for TMG server, on maybe after a TMG server I should put an Edge server and in TMG server I should define an edge policy that forwards a 5061 and 443 port to edge server ?
      What should be a proper network topology ?
      I have also a strange case about to using an Attendee Lync client ? when I’m trying to use an domain credentials – it’s not working (maybe I should to do some ldap route on port 389? from internal to external and is it safe to my company ?)
      please advise for help or maybe you or others know some good post about how to configure lync environment to cooperate with attendee client for external users ?

       
    39. Rberger0013

      Randy,

      I have been working on my Lync implementation for a while now and have found your documentation to be some of the best. I am still struggling with a couple things though. I have a single standard edition server and a single legged TMG box for my reverse proxy. Most of my internal clients are good with autoconfiguration with the exception of my apple and android devices. From externally however, my PC clients get the infamous 403 error when browsing to my simple URL. My question is this, should I have an edge server, and can it be on the same box as my standard/FE box? This is a small implementation (250 users) or should I build a separate box for edge if I need one. Any thoughts you have are greatly appreciated…….

       
      • Randy Wintle

        Let me try to help you out here.

        1. For any external users, you must have an edge server. This server cannot be collocated with any other role, and it should live in a DMZ for security purposes. The edge server will securely proxy users through to the internal front end servers. The edge server also is a secure media relay, so it opens up your internal users to audio/video/sharing with external users, securely.
        2. What simple URL are you saying is giving a 403 error to your external PC clients?

         
        • Rberger0013

          Thanks, that clears things up for me a little bit, but adds questions too. I am using the URL https://lyncdiscover.domain.com/abs from my external test PC and Mac with the same result – the 403. The additional question is this, with the implementation of the edge box, everything I see about setting up my reverse proxy says to point my publishing rules to the internal server, so how does the Edge box proxy the communications? Or is that just how Lync gets the valid data back out to the external network……..Thank you so much for taking the time to help me with these questions.

           
    40. Mohammad Rahim

      great post !
      but I'm wondering, since TMG 2010 is now abandoned by Microsoft, what are the alternatives for publishing those securely ?? especially with lync 2013 now, what did Microsoft suggest ?

       
      • Randy Wintle

        There are many solutions available to publish these web services. UAG is a Microsoft product that is somewhat capable of doing it, however it does not work for all scenarios and I would not recommend it.

        However, you can work with various HLB providers such as Kemp, F5 or A10 to perform the same steps. Also, the product group will be publishing documentation shortly on common configurations for third party solutions, so look out for that.

         
    41. Rao

      Hi Randy,

      As UAG is not an best option, can we use F5 to publish web services or any other good options available for LYNC 2010?

      -Rao

       
      • Randy Wintle

        Hi Rao! Yes, many of my customers these days actually use F5 instead of TMG or UAG.

        Any HLB solution that allows reverse proxy publishing will work. I know F5 works very well!

         
    42. Pingback: Lync 2013 Server – Mobile Setup Tips | ScriptdEEZ
