Wednesday, July 13, 2011

Lync FE External Web Services without Reverse Proxy

A Lync Server 2010 Front End installation creates two IIS web sites on the FE server: the Internal Web Services site and the External Web Services site.

The internal web site listens on ports 80/443, while the external web site listens on 8080/4443. Microsoft recommends publishing the external site through a reverse proxy such as TMG 2010, which accepts 80/443 from the Internet and forwards the traffic to the FE server on 8080/4443.

In a small Lync environment there is often no reverse proxy (it would normally sit in the DMZ). Without one, external Lync users cannot reach the web services, such as the Address Book, the conferencing (meeting) URLs, and so on. Here is how to provide the external web services to external Lync users without a reverse proxy.

  1. Assign an additional IP address to the FE server.

  2. In IIS Manager, change the external web site's bindings to use the additional IP address on ports 80/443.

  3. Assign a third-party certificate to the external web site using the Lync Server Deployment Wizard.

  4. Change the firewall to NAT the public IP to the additional IP on the FE server (not to the server's original address) and allow inbound 80/443.

You will not be able to change the port settings for the external web services from Topology Builder, so leave them as they are there; the change is made only in IIS.


External Lync users should now be able to access all external web services.
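The four steps above scripted on the Front End itself, followed by a check that the new address really serves the external site with the third-party certificate. This is an added example, not code from the original post. It assumes Windows Server 2008 R2 with IIS 7.5 (so the WebAdministration module and netsh are available; New-NetIPAddress needs Server 2012 or later), that the placeholder values for the additional IP, adapter, subnet mask and certificate thumbprint are replaced with yours, and that the IIS site names are the defaults Lync Server 2010 setup creates. Confirm the site names in IIS Manager before running it. The NAT itself is still configured on the perimeter firewall; the script only adds the host-side rule, scoped to the published address.

```powershell
# Added example, not code from the original post. Run elevated on the FE.
# Assumptions (edit for your environment):
#   - $ExternalIp is the additional address the perimeter firewall will NAT
#     the public IP to; $Adapter / $SubnetMask say where it is added.
#   - $Thumbprint is the third-party certificate already installed in
#     LocalMachine\My (the one the Deployment Wizard would assign to the
#     "Web services external" usage).
#   - Site name is the one Lync Server 2010 setup creates; verify in IIS Manager.
$ExternalIp   = '172.16.1.50'          # placeholder
$SubnetMask   = '255.255.255.0'        # placeholder
$Adapter      = 'Local Area Connection' # placeholder
$Thumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder
$ExternalSite = 'Lync Server External Web Site'

Import-Module WebAdministration

# Step 1: add the additional IP address to the FE (netsh works on 2008 R2).
netsh interface ipv4 add address name="$Adapter" address=$ExternalIp mask=$SubnetMask

# Step 2: move the external site from 8080/4443 on all addresses to 80/443 on
# the new address only. Binding to the specific IP rather than '*' keeps it
# separate from the internal site, which stays on 80/443 on the original
# address; http.sys routes each request to the most specific binding.
Remove-WebBinding -Name $ExternalSite -Protocol http  -Port 8080
Remove-WebBinding -Name $ExternalSite -Protocol https -Port 4443
New-WebBinding    -Name $ExternalSite -Protocol http  -IPAddress $ExternalIp -Port 80
New-WebBinding    -Name $ExternalSite -Protocol https -IPAddress $ExternalIp -Port 443

# Step 3: attach the third-party certificate to the new https binding (this is
# what the Deployment Wizard does in the GUI). Without it the https binding
# has no certificate and the site will not answer on 443.
$cert    = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$sslPath = "IIS:\SslBindings\$ExternalIp!443"
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $cert | Out-Null

# Step 4 (host side): allow inbound 80/443 on the published address only, so
# the original address carrying the internal web site is not opened as well.
netsh advfirewall firewall add rule name="Lync external web services" dir=in action=allow protocol=TCP localip=$ExternalIp localport=80,443

# Verification: the new address must complete a TLS handshake on 443 and
# present the expected certificate. The callback accepts any chain because
# the point is to see which certificate is served, not whether this host
# trusts it.
function Get-ServedThumbprint([string]$ip, [int]$port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($ip, $port)
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($ip)
        return $ssl.RemoteCertificate.GetCertHashString()
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

Get-WebBinding -Name $ExternalSite | Format-Table protocol, bindingInformation -AutoSize
$served = Get-ServedThumbprint $ExternalIp 443
if ($served -eq $Thumbprint) {
    "OK: ${ExternalIp}:443 serves certificate $served"
} else {
    "WARNING: ${ExternalIp}:443 serves $served, expected $Thumbprint"
}
```

After the script, test from outside the firewall as well: browsing to the public name on 443 should show the third-party certificate, and the FE server's original address must not answer from the Internet at all.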

Notes: This is a workaround to bypass the reverse proxy, suitable for a small environment where security is not a major concern or for a test/lab environment. It exposes a domain-joined Front End server directly to the Internet instead of a proxy in the DMZ, so at minimum restrict the firewall rule to TCP 80/443 to the additional IP only and leave the original address, which carries the internal web site, unpublished. You should always consider deploying a reverse proxy to publish FE servers whenever possible.

12 comments:

  1. You are the man!!!!!@@#@#!!!!

    I've been looking for a post like this forever. Thank you so much. I'm going to repost this for sure!!

  2. Great! I do have an Edge server, but not a TMG. Will changing the external web site's ports get me into trouble with the Edge server?

  3. Actually, web services\reverse proxy are for the FE server, not the Edge server. So you don't need to change any port on the Edge server, just the external ports (8080\4443) on the FE server. I just did a deployment where I didn't even have to change the ports on the FE server. The firewall (SonicWall) actually did the trick by NATing 80/443 to 9090/4443. Hope that helps answer your question.

  4. Oops, should be 8080/4443, not 9090/4443.

  5. Hi,

    I have a single-server setup of Lync 2010 in an SBS 2011 environment. Internally all is well. I've tried to follow your setup to not use an Edge server, but the 8080/4443 ports are already used.. The router actually forwards those ports to the SBS server for RWW/OWA/Companyweb.. not sure which one exactly..

    Is there a way to get the SBS server to forward Lync 8080/4443 requests to the Lync server? If so, how? Or an alternative way to set it up, please?

    Any help will be appreciated..

  6. Is the FE server installed on the SBS? I am not quite sure how that works. If 8080/4443 are already used by SBS components, should the installation automatically choose different ports? If you have an extra IP to use, you can assign an additional IP to the Lync internal web service. Or you can change Lync to use different ports, e.g. 8081/4444, then NAT the firewall to those ports.

  7. Hi, great work. I have a Lync FE and internal meetings are working fine. I have an internal IP range 192.168.X.X, a DMZ range 172.16.X.X and a public IP 201.218.XXX.XXX.

    Sadly I don't have ISA or TMG. What IP should I use?

    Best regards,

    DvS

  8. You would use the public IP. The DMZ will not be in play.

  9. Dear Alan,

    First of all, I would like to say "Thank you" before I give you some questions. You almost saved my life.. almost.. ^^
    In my case, referring to your article and Ken Lasko, I deployed Front End and Edge Server except for TMG, and then I could confirm that the Lync client and Lync mobility service performed normally.
    But unfortunately Lync mobility connecting through the internal Wi-Fi network didn't..
    What part should I check for the above problem?

    Replies
    1. not "except for TMG", but "without TMG".. sorry..

  10. It could be related to the certificate if the internal web site on the Front End server doesn't have a third-party certificate. This blog post will help you better understand how autodiscover works for Lync Mobility:
    http://www.shudnow.net/2012/03/12/using-lync-2010-mobility-on-your-corporate-wifi-networks/

  11. Hello all,
    I must admit I'm getting to the Lync party late and just need someone to clear up some tech jargon for me with regards to this.
    I am going to add an additional IP address to my Lync server so that:
    Internal web site: 172.16.1.35, port 80/443 (which handles internal meeting requests)
    External web site: 172.16.1.50 (new IP), port 80/443 (changed from 8080/4443), to handle external meeting requests
    Now on the SonicWall I have to NAT the new IP address (172.16.1.50) to a public one, 69.70.21.44, and also do a port forwarding of 80/443 to 8080/4443?
    Does that sum it up?
