Monday, January 24, 2011

Lync External Web Services without Reverse Proxy

PLEASE NOTE: While the procedure below has worked in a Lync 2010 environment, it may not work in Lync 2013 or Skype for Business. It is HIGHLY recommended to employ a reverse-proxy solution. Opening up an internal domain-joined computer to the Internet can be a recipe for disaster. I myself have only done this procedure once, and have since made a reverse proxy mandatory for customers looking for help from me. Not only that, but I've heard from some that the mobility features do not work using the alternate-IP method. If you find yourself in that situation, please be aware that Microsoft (and any consulting company worth their salt) WILL NOT support this method. Also, this is not a substitute for deploying an edge server. If you want external connectivity to work, you MUST deploy an edge server. There is no other way, supported or not. Caveat emptor.

And now on with the show....

While working on a Lync deployment for a small customer, it came up during the planning stages that they didn't have a reverse proxy server (like ISA/TMG) to publish the Meet/Dialin simple URLs and web components URL, nor were they planning to. In the past, I had tried to make OCS work without a reverse proxy, but some things just didn't work right. After advising them about the risks involved with opening up an internal domain-joined computer to the Internet, I told them I would try to make Lync work without a reverse proxy, but cautioned that it may not work.


Lync installation creates two web sites: Lync Server Internal Web Site and Lync Server External Web Site. As the names suggest, each website is configured for either internal or external access. The internal site is published on ports 80/443, while the external site is published on 8080/4443. Microsoft's documentation says you should use a reverse proxy server to publish the external simple URLs and web components URL, accepting 80/443 from the Internet and forwarding to the internal Lync server over 8080/4443.

After a few unsuccessful tries at making their firewall proxy 80/443 to 8080/4443, I thought I would try to configure their front-end server with an additional IP address, and set up the Lync Server External Web Site with 80/443 on the new IP address. We updated the firewall rules to redirect 80/443 from the simple URL and web components URL external IP addresses to the new internal IP address over 80/443. We tested external client address book downloading, meeting/dialin URL access, and meeting content downloading. All worked without issue.

Before going the route of adding a new IP address, try to make your firewall redirect 80/443 to 8080/4443. If it works, then you don't have to create the new IP.  Please note, if you add any additional components, like the Lync Mobility Service, you may have to reset the ports because it seems that the setup process resets the ports back to 8080/4443.  Thanks to Coupon Flea Market for mentioning this in the comments.

One other thing to consider with this method is certificates. Since external users will be connecting directly to your front-end, you will need a 3rd party trusted certificate installed for the External Web Services. Start the Certificate Wizard from the Lync Deployment Wizard, and check ONLY Web services external (as shown below). Go through the wizard, making sure you have the right names selected for Meet/Dialin (it should pick them up from the topology). Obtain the cert and install it. Everything should work fine after that.

So, while a reverse proxy solution is still highly recommended for its ability to block malicious attacks, you can make Lync work for external access by adding a new IP address to your internal Lync server and setting the bindings of the Lync Server External Web Site to use the new IP address over 80/443. 
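As an added verification script (not from the original post), the PowerShell below checks the three things this method depends on, plus the external DNS records that come up repeatedly in the comments: the names in the topology (External Web Services FQDN and the Meet/Dialin hosts), whether the certificate assigned to Web services external covers them, and what the Lync Server External Web Site is actually bound to in IIS. It assumes you run it in the Lync Server Management Shell on the front-end, that the IIS WebAdministration module is installed, that the external site keeps its default name, and that Get-CsService, Get-CsSimpleUrlConfiguration and Get-CsCertificate expose the properties used here (ExternalFqdn, SimpleUrl/ActiveUrl, Subject, AlternativeNames, Thumbprint).

```powershell
# Added verification script for the configuration described in this post.
# Not from the original post. Run in the Lync Server Management Shell on the
# front-end as an administrator. Assumptions: IIS WebAdministration module is
# present, the external IIS site keeps its default name, and the Get-Cs*
# cmdlets expose ExternalFqdn, SimpleUrl/ActiveUrl, Subject, AlternativeNames.
Import-Module WebAdministration -ErrorAction Stop

$externalSite = 'Lync Server External Web Site'

# --- 1. Names external clients will present to the front-end -----------------
$webServer   = Get-CsService -WebServer | Select-Object -First 1
$simpleHosts = (Get-CsSimpleUrlConfiguration).SimpleUrl |
    Where-Object { @('Meet', 'Dialin') -contains $_.Component } |
    ForEach-Object { ([Uri]$_.ActiveUrl).Host }
$requiredNames = @($webServer.ExternalFqdn) + @($simpleHosts) | Sort-Object -Unique

"External web services FQDN : $($webServer.ExternalFqdn)"
"Simple URL hosts           : $($simpleHosts -join ', ')"

# --- 2. The cert assigned to Web services external must cover all of them ----
$cert = Get-CsCertificate -Type WebServicesExternal
$certNames = @()
if ($cert.Subject -match 'CN=([^,]+)') { $certNames += $Matches[1] }
$certNames += @($cert.AlternativeNames)          # SAN entries (assumed property)
$missing = $requiredNames | Where-Object { $certNames -notcontains $_ }

"External cert subject      : $($cert.Subject)"
"External cert expires      : $($cert.NotAfter)"
if ($missing) {
    "WARNING: certificate lacks names: $($missing -join ', ')"
} else {
    "OK: certificate covers every external name"
}

# --- 3. IIS bindings on the external site ------------------------------------
# Default is 8080/4443 on all addresses (firewall does the 80/443 redirect);
# the post's alternative is 80/443 bound to a dedicated second IP so it does
# not collide with the internal site, which already owns 80/443.
$bindings = Get-WebBinding -Name $externalSite | ForEach-Object {
    $parts = $_.bindingInformation -split ':'    # "IP:port:hostheader"
    New-Object PSObject -Property @{
        Protocol = $_.protocol
        IP       = $parts[0]
        Port     = [int]$parts[1]
    }
}
"Bindings on '$externalSite':"
$bindings | Format-Table Protocol, IP, Port -AutoSize | Out-String

foreach ($b in ($bindings | Where-Object { $_.Protocol -eq 'https' })) {
    # Setup is known to reset these to 8080/4443 (see the Mobility Service note above).
    if ($b.Port -eq 443 -and $b.IP -eq '*') {
        "WARNING: https 443 is bound to all addresses; bind it to the second IP only"
    }
    # The SSL binding must carry the external cert, not the internal one.
    $ssl = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $b.Port }
    foreach ($s in $ssl) {
        if ($s.Thumbprint -ne $cert.Thumbprint) {
            "WARNING: $($s.IPAddress):$($s.Port) uses thumbprint $($s.Thumbprint), expected $($cert.Thumbprint)"
        }
    }
}

# --- 4. Every external name needs a public DNS A record -----------------------
# From inside the network this only proves the record exists (split DNS will
# return internal addresses); confirm from the Internet that each name returns
# the public IP your firewall forwards to the front-end.
foreach ($name in $requiredNames) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        "DNS $name -> $($addrs -join ', ')"
    } catch {
        "WARNING: $name does not resolve from this host"
    }
}
```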

For a more general overview on how to configure Lync for external connectivity, see this post.

168 comments:

  1. I would be very curious about the actual product that you used in the DMZ to publish the Lync IIS, especially because I had ugly authentication and URL rewriting issues with 3rd party / Free / Linux based solutions. Thanks in advance!

  2. I have had success redirecting 80/443 to 8080/4443 through a NAT firewall. Depending on the firewall solution, it may not be necessary to add the second address for the External Web Site without a Reverse Proxy.

  3. I did the same thing with OCS before; I had to add another IP on the front end server on a separate NIC card and make sure to uncheck the Register DNS option so that it would create another record for the machine name.
    It worked fine for me too; my client was using a Cisco ASA firewall for publishing and NATing.

  4. Anonymous,
    The client was using a Fortigate firewall.

    Ken

  5. Ken,

    I was actually using a Fortigate 60 when I had this working. This was back in Lync RC days this past Summer in my lab. I would be curious to know why it would not work for you since theoretically it *should* work. All that should be happening is the NAT translation and the port redirection...

  6. Hi Ken,
    I have a question for you regarding skipping the reverse proxy. I keep doing it on OCS R2 by using separate REAL IP addresses (that redirect/NAT from the router to separate DMZ IP addresses that OCS Edge uses for separate services). Works fine (yes, with my preferred routers/firewalls too) and I was planning on doing the same on Lync.
    Until I saw the Topology Builder asking for a single public IP for the NAT. Does this mean I can no longer use my method? (I have no idea what the new Lync Edge console looks like.) Or is it just for Topology Builder use?

    Thanks.

  7. The NAT address the Topology builder is looking for is ONLY for the AV edge service. The topology builder isn't very clear on that, unfortunately. Lync needs to know the external IP for the AV edge so media can traverse the edge. It's pretty much the same as in OCS R2. So, your method should still work fine, I would imagine.

    BTW, there isn't an edge console at all. All is managed through the Topology builder. Any changes to the topology are replicated to the edge via port 4443.

    Replies
    1. Good point here; doesn't the Edge server download/replicate the topology using port 4443? What happens if we are changing this port to 443?

    2. Hey Anonymous,
      Yes the edge gets topology updates via 4443. The edge doesn't have to talk to the front-end over that same port. All replication is triggered by the front-end. So, any changes to the web services port won't affect edge communication.

      Ken

  8. Hi Ken,

    does this mean there is no edge server in this environment at all? I'm looking for a solution with just one Lync box for internal and external use.
    Thanks
    Chris

  9. No Chris,
    An edge server is still required for external access.

    Ken

  10. Hi guys, I am in the same situation and have been for two days flat now! So I'd really appreciate any help. I have a single Lync box that works fine internally (by entering the manual internal server name) within the datacentre, but what I want is external. I have tried both an additional IP on the same box and via a firewall with NATting 4443 -> 443 & 8080 -> 80. In both situations the SSL (GoDaddy) returns fine in a browser. But when I connect using Lync: "there was a problem verifying the certificate from the server". I have tried on multiple external computers, no luck. I have not set up any DNS, but I'm not sure if this is necessary as I will only be using external access.

    If it helps, my topology is: Default SIP domain – my.local; Simple URLs – dialin.my.local, meet.my.local; administrative URL – admin.server.my.local. I have a single site1.

    Any ideas ?

  11. Hi Botta,
    From what you describe, you don't have an edge server. An edge server is absolutely required for external access. What this post describes is how to get away without using a reverse proxy server. If you do have an edge server and you haven't set any DNS records, then I suspect you're trying to connect to Lync via IP address. You have to connect via FQDN for certificates to work. If you don't want to set DNS entries, then you can use a HOSTS file instead.

  12. Hi Ken

    Thanks a lot for the quick reply. Yes I only have the basic lync server without an edge (!), is there anyway I can install Edge onto the same server as lync server.

    I am connecting via FQDN not IP and internal DNS works fine (I did add the SRV record). For external, I am not sure if I need 3 certificates for dialin and meet as well.

    thanks a lot !

  13. Hi Botta,
    There is no way to install the edge server on the same server as your Lync front-end. You would be blocked from even trying to set that up in the topology builder.

    One thing I should update this post with is certificate requirements. For this scenario to work, you do need to have a certificate with the external names installed on your front-end (ie meet/dialin). To minimize costs, you can change your topology to use something like lync.contoso.com/Meet and lync.contoso.com/dialin, so your cert will only need to have the lync name instead of both meet and dialin.

    Hope this helps!

  14. Hi Ken

    Great, thanks for the certificate tip.

    I have been wondering over the weekend if I simply re-create a new Lync server and build it with a public FQDN (lync.me.com) and then publish a full certificate on the "internal web services site" this should give me the same result (technically?) without an edge, right ?

    My requirement is for 5 users (max; two servers is a bit of an overkill). I will never have true “internal” clients, only external, so no need to ever use the external this way.

    Any ideas ?

    Ta
    Mal

  15. Hi Botta,
    Sorry for the delay in getting back to you. I just got back from vacation.

    Unfortunately, there's no getting around the edge server requirement, unless you force your users to use a VPN (but that would mean federation won't work). Without an edge, you'll run into issues with audio/video.

    You shouldn't have to rebuild the server. Just regenerate a new cert with the names you require. Plus, if you do go the rebuild route, you'll probably run into more difficulties if you don't uninstall properly.

  16. Thanks for this post, I use a Fortigate 80CM and this method works really well. I don't think the security is at MS standard doing it this way, but it sure beats getting another server to do RP on!

    Thanks!

  17. Also I would like to add to my post right above: all I did was create 2 services on the Fortigate, 1 for incoming 80 -> outgoing 8080 and 1 for incoming 443 -> outgoing 4443, and added those 2 services to a firewall policy that points to my front end!

    Again works great!

  18. Hi - I have this working but audio is not available via the web client (even if I try it from within the network).

    How does the web client find the AV server?

    Thanks
    craig

  19. Hey Craig,
    The web client doesn't support audio/video at this time. If you have Enterprise Voice configured, the web client will offer users an option for the Lync server to call them at a number they provide.

    Ken

  20. I'm confused a bit. Shouldn't the extra IP addresses be added to the Edge Server and the firewall pointing to the Edge? I'm reading from the original article that the traffic flow is bypassing the Edge and going straight to the Front End servers on a new IP instead of through the firewall to the Edge Server.

    I'm struggling with this setup right now. Our internal meetings work fine but I can't even get the Meet URL to pull up from outside, but I have the traffic ported 443 -> 443 on the edge server by NAT.

    Chris

  21. Hi Chris,
    HTTP/HTTPS traffic does not use the edge server at all. Your Meet/Dialin URLs should be directed to your front end server, preferably via ISA/TMG or some other reverse proxy. If you don't have a reverse proxy solution, then you should be able to make it work by either using your firewall to redirect 80/443 to 8080/4443 on your Lync front-end, or by creating a new IP and assigning it to the external Lync website on the Lync front-end.

    Make sense?

    Replies
    1. Hi Ken,

      I have tried so many attempts and am not able to install a 3rd party certificate in Lync External Web Services.

      Please advise me how I can install a 3rd party certificate in Lync.

      Thanks
      Amit

  22. Ken,
    Thanks for the super-quick response. I can make the firewall changes, but if the Meet/Dial-In URLs don't hit the edge then I'm completely misunderstanding why we have a separate server for the Edge. What role does it play in the traffic flow if the packets never go to it? I'm unsure now why we even have to have an edge.

    Please forgive my elementary questions. I'm new to Lync.

    Chris

  23. Hey Chris,
    Only HTTP/HTTPS traffic for address book downloads, meet/dialin URLs and meeting content bypass the edge. That's a pretty small fraction of what's going on. Everything else - external logon, IMs between onsite and offsite users, audio/video between onsite and offsite users, federation with other companies - they all require the edge server.

    Let's put it this way. If you can't get HTTP/HTTPS working from external, your external users might notice an error about being unable to download the address book. Meetings with external users can't start, because they need the URLs. But by and large, users can still function as long as the edge is working. They can use IM/audio/video and make phone calls.

    If the edge were to go away, then nothing will work externally. The edge is the main thing for external access.

    Hope that makes sense!
    Ken

  24. Thank you VERY much. Your guidance is very appreciated.
    I'll post any updates after we make the needed changes.

    Thanks Again,
    Chris

  25. I really understand all this concept and I'm planning on going the same way for the time being.

    My real question is related with External DNS records.

    Can I ask to create external DNS records for both meet..pt and dialin..pt pointing at the same public IP of my organization?

    Or must I have an external IP for each record?

    cheers

  26. You can have the meet and dialin URLs pointing to the same IP. They're both ending up at the same place anyways (your front-end).

  27. Ken, can you use a load balancer in this setup or does it have to be a static NAT from the external firewall? Thanks Jamie

  28. Hey Jamie,
    You can use a load balancer in this setup. You're just dealing with HTTPS traffic so you shouldn't have any issues. Just make sure your connections are "sticky" (ie. if a connection is initiated on one server, use the same server for the duration of the connection).

    Ken

  29. This is Jamie again. I just wanted to add some information to my previous question. We have our system setup as follows:
    2 front end servers in a front end pool
    2 edge servers in an edge pool
    1 Hardware load balancer for external incoming traffic
    DNS Load Balancing for internal traffic
    Only an external firewall
    and our hardware load balancer acts as a reverse proxy, but does not support SSL offloading so we are unable to use it... any suggestions for gaining access to external meetings? Everything else works perfectly!

  30. Jamie again:
    I believe it is "sticky" connections. However, when external users try to join an online meeting, they receive the initial Lync pop-up like it is trying to access the Web App, then it just cancels out and gives the error "Navigation to this page has been canceled" and the only suggestion it gives is to refresh the page.

  31. Do you get the same thing when you go to the dialin URL?

  32. Hey Jamie,
    Send me an email with your Meet/dialin URLs and I'll take a look. ken.lasko at gmail

  33. We got it figured out... we forgot to add the external DNS record for our External Web Service address. Working perfectly now :) thanks for the post it really helped us with the deployment :) -Jamie

  34. Hello Ken,
    How will this work if I have both the FE and Edge servers load balanced using a hardware load balancer?

    Cheers,
    Adham

  35. Yes Adham,
    You can use this in a load-balanced scenario. You're just dealing with HTTPS traffic so you shouldn't have any issues. Just make sure your connections are "sticky" (ie. if a connection is initiated on one server, use the same server for the duration of the connection).

  36. Hi how can I update the edge pool topology as the gui interface does not allow me to import the topology from the builder after the install i.e. when I want to update it??

    Steve

  37. Hey Steve,
    When you update the topology on your internal network, the edge should pick up the changes via port 4443. There shouldn't be any need to do anything on the edge itself. If it's not working, check that you can reach the edge from the front-end via 4443 (use telnet). Also, look at the event logs on both the front-end and edge for any clues.

    Ken

  38. I currently have a standard lync server deployed with UM integration and all that good stuff. I will be configuring an Edge server but I am still trying to figure out external web services access before then.

    Please correct me if I am misunderstanding this. Not having an edge server should not stop me from configuring the meet and dial in URLs. So if I have my simple URLs as lync.webdomain.com/meet and lync.webdomain.com/dialin and my external and internal web services FQDN set as lync.domain.local, I should be able to still make web meetings work right?

    I'm losing my mind trying to grasp where to turn next. Should the external web services FQDN be an external IP address or just a different internal address? At one point I was changing simple URLs from lync.domain.local to lync.webdomain.com and it wouldn't work because I had lync.webdomain.com as the external web services FQDN.

    I'd appreciate any help because I am lost.

  39. This was very helpful Ken. Thanks so much.

  40. The External Web Services FQDN should be an external IP address/FQDN. In your situation, you already have lync.webdomain.com pointing to your meet and dialin URLs. I usually setup lyncweb.webdomain.com as the external web services FQDN. It can point to the same IP address as lync.webdomain.com. So, this should be your setup:
    Simple URLs: lync.webdomain.com/meet and dialin pointing to external IP address X.
    External web services: lyncweb.webdomain.com also pointing to external IP address X
    Internal web services: lyncweb.domain.local pointing to your front-end pool IP

    All the FQDNs will eventually make it to your front-end server.

    Make sense?

    Ken

  41. Thank you so much, that makes much more sense.

    Now I'm dealing with an error when trying to join a meeting.

    Server Error in '/' Application.
    The resource cannot be found.
    Description: HTTP 404 ....
    RequestedURL: /reach/Client/WebPages/ReachJoin.aspx

    I'll google this some more but I was wondering if you've come across this before.

    Thanks for your help.

  42. Just offhand, make sure you updated your ISA/TMG rules to accept the lyncweb.webdomain.com URL.

  43. I'm not using one, I used your guide and configured my firewall and before I did that I got nothing so I think its right. The flow diagram shows:
    internal ip<-8080/4443->Firewall<-80/443->external ip

    Our domain is through Network Solutions and lync.webdomain.com points to our external IP. Should lyncweb.webdomain.com also be pointed there? Would it be easier to just make the external web services the external IP?

    Thanks for your help so far.

  44. Yes, Lyncweb.webdomain.com should point to the same IP as lync.webdomain.com. Make sure your cert you have for Web Services External has both names on it.

  45. Thank you Ken! It's working great now.

  46. Does Desktop and Application sharing rely on the edge server or the FE server?

    I can share from an internal user to an external user but not from an external user to an internal user??? Whiteboard sharing works but not application and desktop sharing. It acts like it will work on the external web app user and says sharing, but after a few seconds closes.

    Thanks,
    Daniel

  47. Daniel,
    Desktop/Application sharing depends on the edge AND the FE in an internal/external scenario. The most likely culprit for failures like yours are firewall rules. Make sure everything matches up properly. If you're using a single IP for Access/WebConf/AV, make sure you open port 444 (typically) from the internet into the edge. This is omitted from the standard firewall port docs that Microsoft has out.

  48. Ken, thanks for this post (and excuse at this second attempt to make sure I have my details correct). I've just finished setting up my own private Lync lab at home and using some of these concepts have been able to get external access working without a hitch. Plus, what’s even better is that it’s on a single IP address without TMG/ISA 

    For my environment I setup my Edge server on the same subnet as my LAN. For example my FE is 10.0.0.5, while the “internal IP” of my EDGE is 10.0.0.6 and “external IP” as 10.0.0.7. In my firewall I redirected my TCP/UDP ports (and noted in this article: http://ocsguy.com/2010/11/21/deploying-an-edge-server-with-lync/) to 10.0.0.7. Now while I have yet to venture into SIP/phone calls (which is my next challenge), I have been able to get IM, meetings, and sharing working!

    Originally I had tried the redirection of 80/443 to 8080/4443 (which my Watchguard x1000 allows me to do easily and without the need for a second IP) on my FE (ie, 10.0.0.5) and while this worked for connectivity and chat externally, when I tried to establish desktop/application sharing it failed. I went back into the firewall and redirected 80/443 to the Edge server (ie, 10.0.0.7) without redirecting, along with the other AV ports that were already pointed to it, then it worked.

    I know Microsoft would scoff at this (as I've read throughout their forums) but not every environment has the luxury of dropping 5-6 digits on licensing and hardware.

  49. Hi Ken,

    I just wonder why there even is an option to fill out information about the "Web Conferencing Edge Service" during the deployment of an Edge Server in topology builder, if it's not used by the edge server.

    You mentioned that web services always by-pass the edge server straight to FE or via a reverse proxy depending on your company setup.

    What should certificates be like? If using reverse proxy public cert should be on the reverse proxy? And if going straight to FE, extra IP on FE and add public cert to that interface/IP.

    Thanks for a great blog!
    /Jonas, Sweden.

  50. Hey Jonas,
    I think you're confusing the "web conferencing edge services" FQDN (which is part of the edge) and the "web services" FQDN which is part of the front-end (which the reverse proxy server points to).

    Yes, your public cert should be on the reverse proxy and should have the name defined in your site's External Web Services FQDN.

    If going straight to the front-end, then either redirect 80/443 to 8080/4443 or do the new IP thing. You'll want to assign your public cert to the External Web Services on the front-end.

  51. Hi Ken,

    For a quick summary, if I will not use a reverse proxy solution and have the following configuration:

    my external web services URL: pool1.domain.com
    I will use only one single IP and name, lync.domain.com, for (access, A/V etc.)

    On my firewall I will redirect 80/443 to 8080/4443 on the front end server, right? So I have to NAT my front end server on my firewall?

    Then which public DNS A records will point to the edge server?
    Should the edge server need a NATted IP too?

    lync.domain.com will point to the front end NATted IP
    sip.domain.com will point to front end or edge?
    meet, dialin simple URLs will point to front end or edge?

  52. In your case, you should set your external web services URL to lyncweb.domain.com. From the outside, HTTP/HTTPS bound for lyncweb.domain.com will be NATted and redirected to your front-end server via 8080/4443. To keep the certificates simple, set your meet/dialin URLs to lync.domain.com/meet and lync.domain.com/dialin. These will point to your front-end as well.

    Your edge should be set to use sip.domain.com (access/webconf/AV). Whether you use NAT or not is up to you. Just make sure you put a checkbox in the right place in the topology. sip.domain.com will point to the edge.

  53. Thanks for the clarification.

    I will not redirect 80/443 to 8080/4443 for the edge server, right? Just for the front end public IP?

    And if I didn't understand wrong, my web services URL will be lyncweb.domain.com and the external DNS record will be lync.domain.com? Or both of them will be lync.domain.com?

  54. Yes, redirect 80/443 for just the front-end public IP. And yes, web services will be lyncweb.domain.com and external DNS will be lync.domain.com. You need to have an external DNS A record for both, pointing to the same IP that gets redirected to the front-end.

    When I get a chance, I will update this post to clarify this, because it seems to come up a lot.

    Ken

  55. Ken,

    I'm planning to add the Edge server and had some questions you may be able to guide me on.
    1. In your article you refer to "front-end"; you mean the Edge Pool server, correct?
    2. I currently have a Lync server working 100% with internal chat service. On this server can you use the same certificate for the new Edge Server? Thanks in advance.
    Jerry

  56. Thanks again,
    Last question,
    Could I use only one commercial certificate which includes lyncweb.domain.com, lync.domain.com, sip.domain.com...
    I will import this same certificate for front-end external and edge external?
    Or should I separate the names and buy two certificates for edge and front end?

  57. Hey Jerry,
    In answer to your questions:
    1. The "front-end" refers to the main server you deploy in your internal environment (assuming you're doing a single standard-edition deployment)

    2. You likely won't be able to use the certificate you installed on the front-end on the edge, unless you were thinking ahead and added the names required for the edge to the internal cert. You need at least 2 certificates for the edge, one for the internal network interface and one for the external.

    Ken

  58. Hey "Anonymous",
    Yes, you could use a single cert for the front-end external web services and the edge external services. I would put sip.domain.com as the CN and lync.domain.com and lyncweb.domain.com as SANs. Putting the sip.domain.com name first will work better when federating with older versions of OCS.

    Ken

  59. Thanks a lot, this is great information.
    And for the SRV records;

    _sip._tls.domain.com SRV record
    _Sipfederationtls._tcp.domain.com

    will they point to lync.domain.com or lyncweb.domain.com or sip.domain.com?

  60. The SRV records will point to sip.domain.com.

  61. Ken,

    Can you please explain how the certificates work with Lync/Edge server (already in production)? I currently have a SAN certificate installed on my front end Lync server with IM working internally and meetings working internally/externally.
    As per instructions, the Edge server requires one certificate. Could you explain exactly how that certificate works and what kind it needs to be? Could I use an SSL certificate or do I need to re-use my SAN certificate? If I re-use my SAN certificate for Edge, my front end certificates become invalid. Please advise.

  62. The edge requires at least two certificates: one for the internal interface that only has the internal FQDN of the edge (ideally generated from your internal CA), and at least 1 certificate on your external interface (3rd party cert). If you're using only 1 IP for your external interface, then you'll only need 1 regular single-name cert with something like sip.company.com. If you're using multiple IPs then you'll either need a single SAN cert or multiple single-name certs.

    Make sense?

  63. I just built my first Lync server, upon going through the deployment Setup I am stuck at the certificate portion. Why does Lync require me to use certificates for internal use only. We have no need for external use. The customer does not have an internal Certificate server so I have either build one, which wouldn't be hard to do or purchase an external UCC SSL cert that will never be used outside of the location.

    Any advice would be greatly appreciated. I am fairly new to Lync so I am still learning here.

  64. Lync is built to be secure by default. This means that certificates are a requirement. If you're just going to be doing an internal deployment, it's not that difficult to install an Enterprise CA. I would go that route.

    Ken

  65. Great article Ken, just wondering how a Director might fit into to this configuration. Would the NAT'd address point to Director instead of FE?
    Cheers
    T.

  66. If you use a director in your deployment, you'll need to publish the director's external web services URL IN ADDITION to the front-end. So, Lyncweb.contoso.com would point to the front-end and LyncDirWeb.contoso.com (or whatever) would point to the director.

    Your meet/dialin URLs can point to either the front-end or the director. MS doesn't say which is better.

  67. Ken,

    When setting up the NAT on my firewall to redirect 80/443 -> 8080/4443 I can only use public IP to internal IP. That being said, can I assign internal IPs on the EDGE EXTERNAL network card for my NAT to work?

    Jerry

  68. Hey Jerry,
    I'm not quite sure what you're trying to accomplish. The http/https redirect for web services doesn't have anything to do with the edge server.

  69. Ken,

    When I get to the Edge setup screen to enter the "External FQDNs" entries, under "define conference", is this entry a setting name used in the original Lync deployment or is it a new website? If this is a settings name used in the original Lync deployment, do I use the FQDN name from the general settings of the front end server?

    Please advise.

    JG

  70. JG,
    Web conferencing doesn't have anything to do with a website. For a good explanation, take a look at this post: http://ucken.blogspot.com/2011/07/configuring-lync-for-external-access.html

    Ken

  71. Hello Ken,

    I have redirected ports 80, 443 to 8080, 4443 in my SonicWALL 4060 to my front-end server and also imported the public CA certificate (made sure my web services and meet URLs are populated in the certificate) to the external site on the FE. If I try logging into the meeting URL link, internally it works fine, but when I try it from external, Lync Web comes up for a second and then goes to "page cannot be displayed".
    Can you please guide me on this if I am doing something wrong? Appreciate your help.

  72. Hello Ken,

    I have redirected ports 80, 443 to 8080, 4443 in my SonicWALL 4060 to my front-end server and also imported the public CA certificate (made sure my web services and meet URLs are populated in the certificate) to the external site on the FE. If I try logging into the meeting URL link, internally it works fine, but when I try it from external, Lync Web comes up for a second and then goes to "page cannot be displayed".
    We also have an Edge server which has the same certificate as the External Site on the FE, with all the URLs.
    Can you please guide me on this if I am doing something wrong? Appreciate your help.

  73. Hi Ken,
    Great post. I like being able to do without the additional cost.
    Our setup is a single SE server with no edge or reverse proxy currently, and we have the firewall redirect 80/443 to 8080/4443 to our SE. We use the same "A" record for our SE for internal use as well as external use, with the IPs being the obvious differentiator. Our simple URLs use the server.domain.com/meet style and overall, things work pretty well. We have a 3rd party cert installed on the SE server that contains the A record we use for the server for internal and external access and the FQDN of the actual server name on our network. Internal users have no issues at all, but from external we can't do the address book download, whiteboard, polls, etc., and trying to fix that is how I found this post of yours.

    I am wondering if your described fix above is possible with the setup I currently have, without having to update our cert. If so, how exactly? My apologies, I'm brand new to OCS altogether.

    Thanks!

  74. Hi Vanu,
    Hard to say what the issue is, based on what you've told me. I would see what happens when you go to the Dialin URL from external. Check that you've got all the right cert names and DNS A records published externally, and that it matches what you've got in the topology.

    Ken

  75. Hi Anonymous (Aug 11),
    You can't get away without an edge server, unfortunately. I'm surprised you can even log in, unless you've opened your front-end entirely to the internet (Bad Idea Jeans). Put in an edge, and you'll have better luck.

    Ken

  76. Hi Ken,
    My name is Adam. Do you have a walkthrough written somewhere on how to do this? Possibly with pictures? Your article is great, but I'm looking for more detail. Could you provide the specifics?

  77. Hi everybody,

    Is there any way, or a step-by-step configuration, to configure Lync 2010 web conferencing with Gmail?

    K.

  78. Hi Adam,
    What kind of specifics are you looking for?

    Ken

  79. All right guys, I'm completely confused on this external edge setup. I have hundreds of papers lying around with different topologies and setups, and I'm just fried trying to get this thing ironed out and need a little help PLEASE!!! We have an internal setup and it's working great. We are a school and, as you can imagine, now they want to be able to email out a meeting link and have a parent webconf in with a teacher. I have the edge server set up, the public IP (one only, it's all we have) pointed in, and the external GoDaddy cert. I'm just so confused as to how our router/firewall needs to be set up. Does it need to be pointed to the FE? Or the Edge??? Could someone email me and maybe we could go through our setup over the phone and RDP and make sure it's right? My email is: smueller@rivertonschools.org. I'm willing to throw a little money your way if need be. We are a very small school so I'll do what I can!

    Steve

  80. Steve,
    In your scenario, you need 2 external IP addresses for everything to work. One IP will point to your edge server for access/webconf/AV. The other will point to either a reverse proxy server (recommended) or directly to your Lync front-end. To clarify, see this post: http://ucken.blogspot.com/2011/07/configuring-lync-for-external-access.html.

    Read it carefully, and then come back to this post. If you're still having trouble, contact me at ken.lasko at gmail.

    Ken

  81. Hello Ken,

    I am a bit lost here between the Edge IPs and the FE public IPs.
    I was under the impression that the Edge server would handle all the external connections, and the front end would communicate only with the edge when it comes to external users.
    From the discussion above it seems Microsoft chose to leave some of the traffic to be handled by other means than the Edge server!
    I have the following setup:
    edge server with 1 public IP
    A/V on port 443
    Web conferencing edge on port 444
    SIP on 5061
    the FQDN is ABClync.ABC.com

    the FE setup is:

    FE server: lyncserver.abc.local
    default sip domain: abc.com
    additional supported sip domains: abc.local
    dialin address: abcdialin.abc.com
    meet address: abcmeet.abc.com
    The external web services: lyncserver.abc.local (it seems this address is wrong after I read your article)

    now when I create a new conference the URL that I got is https://abcmeet.abc.com/user/meetingID

    so from what I understood, to make it work externally I need to:
    - change the external web services to something like lyncweb.abc.com
    - obtain a new public IP and direct it to the FE after mapping the name lyncweb.abc.com??

    but lyncweb.abc.com is not the link showing in my meeting invitations!

    sorry for the long question, but i am really confused here.

    have a nice day,

    Shady

  82. Shady, you've got it exactly right. Don't worry about the lyncweb.abc.com not showing up in your meeting requests. External Web Services has nothing to do with Meet/Dialin URLs. It's a behind-the-scenes URL for address book and meeting content downloads. Nobody will ever see Lyncweb.abc.com.

    Ken

  83. Ken, we're a small shop with pretty large tastes as well. We don't really plan on using the PBX side of Lync since we're pretty happy with our Mitel system, even though I know it has some very interesting features with Exchange integration. But that's neither here nor there.

    We have a local Lync box set up right now, no Edge server yet. I just wanted to make sure the purpose of the reverse proxy in this case is just for security plus forwarding port 80 to 8080 and port 443 to 4443?

    Security wise I'm not overly concerned as we use Cisco ASAs for our firewall. I'm not sure if it can be used as a reverse proxy, but I would assume the malicious attacks would be negated by the ASA.

  84. Julez,
    Yes, the purpose of the reverse proxy is for security and forwarding 80/443 to 8080/4443. I don't think the ASA will function as a reverse proxy.

    Just as an FYI, if you're going to be doing external access for your users, you're going to need a separate Lync edge server. There's no way around that requirement.

    Ken

  85. Hi Ken,

    Thanks for putting work to educate the world with Lync.

    With that said, I'm one of those newbies that are a bit confused with the Lync external setup. Just for clarification purposes, our setup is relatively small, so we're running Lync 2010 SE without Edge/Director roles and everything collocated on one VM, with a GoDaddy SAN cert available plus a Cisco ASA firewall. Our domain is split DNS, i.e. company.local and company.com. So my grand question is, with the aforementioned setup, can we publish Lync external web services, i.e. AV conferencing? Or do we need to have an Edge server installed/configured?

  86. Hey Ethan,
    You definitely need a separate edge server. This procedure is only for getting around the web publishing requirements. An edge server is still required for all signalling, IM, audio/video and desktop/app sharing.

    Ken

  87. Thanks for the clarification.

    I'm curious though, when testing internally, we're able to do IM and whiteboard with lync web app.

  88. Hey Ethan,
    Lync Web App has nothing to do with the edge server actually. It's all web-based, so it's going through the reverse proxy to your front-end. Audio/video, which requires the full Lync client or Lync Attendee, needs an edge.

    Ken

  89. So that's where I'm stuck. Internally, I can connect to Lync Web App no problem. When I try externally, it seems to bomb out when it tries to redirect. So externally, I go to https://meet.company.com/user/meetingID; the address resolves and it looks like it tries to redirect to lync.company.local. Any clue on this?

  90. Read my post on Configuring Lync for External Access (http://ucken.blogspot.com/2011/07/configuring-lync-for-external-access.html). You've got the Meet and Dialin URLs or External Web Services URL specified incorrectly in the topology. Your Meet/Dialin and External Web Services URLs should be public names (not company.local).

    Ken

  91. Hey Ken,

    Thanks for this great article. Below is my setup,
    Currently Lync is in place and I am able to log in to Lync via the Edge server from the Internet. But I am not able to open my meeting and dialin URLs. Below is my scenario.

    1. Lync std edition Server.
    2. IP address-
    Internal IPs
    Lync Front End server – 192.168.1.6
    Edge Server Internal – 192.168.1.10
    DMZ – 10.10.10.2

    Public DNS Entries
    sip.abc.com 122.x.1.221
    lync.abc.com 122.x.1.221
    meet.abc.com 122.x.1.221
    dialin.abc.com 122.x.1.221

    2. Edge server with single IP address implementation
    External Web Services
    FQDN – lync.abc.com listing ports 8080 & 4443 (I have created public DNS record for lync.abc.com)
    3. Edge Server External Settings..
    SIP access
    FQDN sip.abc.com -> 122.x.1.221 Port 5061 TCP
    Web Conferencing edge service sip.abc.com -> 122.x.1.221 Port 444 (TLS)
    A/V Service sip.abc.com -> 122.x.x.221 Port 443 TCP

    4. I have created PAT on my cisco asa 5510..as below
    Original
    Interface – Outside
    Source – 122.x.1.221
    translated
    Interface – Inside
    User Ip Address – 192.168.1.6
    PAT
    Protocol TCP
    original port 80 & 443
    Translated to 443 & 4443

    But nothing is working in my case. I am not able to access the meeting/dialin URL. What would be the meeting and dialin URL in my case? I think I have missed something, maybe the DNS configuration.

    Thanks in advance

  92. Hi Santosh,
    Two questions, you're using the same external IP to route to both the edge and the front-end. Can your firewall distinguish between data sent to sip.abc.com and lync.abc.com? Also, in #4, you should be translating 80 to 8080, not 443 or was it just a typo?

    Ken

  93. Hi Ken,

    I am using two public IPs to route to the Edge and Front End.
    Yes, the firewall distinguishes between data sent to sip.abc.com and lync.abc.com. It was a typo: port 80 traffic is redirected to 8080 and port 443 traffic is redirected to 4443.

    My edge server is working fine I am able to login to edge. I can make calls, IM,desktop sharing,conference calls..
    After couple of tries now I was able to access http://lync.abc.com/meet & http://lync.abc.com/dialin...
    but for http://lync.abc.com/dialin I am getting below error,
    The server at lyncweb.abc.com can't be found, because the DNS lookup failed. DNS is the network service that translates a website's name to its Internet address. This error is most often caused by having no connection to the Internet or a misconfigured network. It can also be caused by an unresponsive DNS server or a firewall preventing Google Chrome from accessing the network.

    Thanks in advance..

  94. Hey Santosh,
    Do you have lyncweb.abc.com published externally? It should also point to your front-end and map 80/443 to 8080/4443.

    Ken

  95. A Linux/Apache setup to do the reverse proxy worked for me. Easy to set up and no license costs. Stable too!

  96. Ken,
    This is Adam again. Do I need to have a separate NIC on my FE server or can I just attach another IP address to my single NIC? Can you make a write-up with screenshots on how this setup looks? There are lots of people who are interested in this topic, but there is no full-featured walkthrough out there on how to do it. Heck, if you can help me get it going, I will make a video on it and share it with the world.

  97. Hey Adam,
    You can just attach another IP to the existing NIC on your FE, but only do this if you're having issues translating 80/443 to 8080/4443 at the firewall. And I'll consider doing a more detailed walkthrough for everyone.

    Ken

  98. Your guide is great. It worked perfectly. Thank you very much.

  99. Hey Ken,

    Here is my question... I have a lync STD 2010 server and an edge server. I have added the "additional" IP to the lync box and set the bindings to 80 and 443. I then created a NAT on my ASA from public ip to internal "additional" IP on lync box and opened 80 and 443 to it. I also have my external SRV records and a GoDaddy cert on the Edge box. I am able to log in externally, but do not get the GAL, and cannot join meetings from the outside. What am I missing?

  100. Hey Brian,
    First check that you can access the external Meet and Dialin URLs internally. Use the local HOSTS file on your PC to set the meet/dialin URLs to point to the new IP you assigned. If that works, then double-check your firewall rules.

    Ken

  101. Ken Thanks for your help…

    PAT didn't work for me, but the trick below works for me.

    1. On the Lync Front End server, from IIS Manager, I stopped the Lync Server Internal Web Site and changed the binding ports for "Lync Server External Web Site" from 4443 to 443 and 8080 to 80.

    2. Assigned one more IP address to the Lync Front End server for the Lync simple URLs and Lync web services.

    3. NATed the Front End server's additional internal IP to a public IP (e.g. 1.2.3.4). Created three DNS entries for my public IP, i.e. meet.abc.com, dialin.abc.com and lyncweb.abc.com, all pointed to the same public IP (e.g. 1.2.3.4).

    4. Opened port 443 for meet.abc.com, dialin.abc.com and lyncweb.abc.com, which is NATed to the public IP (e.g. 1.2.3.4).

    5. Installed the GoDaddy UCC certificate on "Lync Server External Web Site".

    Now I am able to access the simple URLs and web services internally and externally, no issues so far.

    Jacob, is it required to open additional ports on the firewall for address book download and other stuff?

    Thanks for your help!!!!

  102. Hey Santosh,
    Address book download and other stuff are all done through HTTP/HTTPS.

    Ken

  103. This comment has been removed by the author.

  104. Hello Ken. I followed your guide and I got most of it working, thanks a lot. The issue I am having is that my Lync Web App is not working from outside. When I check from inside, it shows the internal server FQDN in the web app when opened. If I use the Lync client it works from outside and inside; the web app only works inside. Can you please give me some idea on what's going on? I'm a bit new to Lync. I am using a Fortigate firewall also.

  105. I've got the same issue. I fixed it by configuring the front-end external website to listen only on the external address (not all addresses, only the IP configured to listen on ports 8080 and 4443), and with the hostname set to the Internet FQDN.

    Hope it helps.

  106. Thank you Lillo. You mean to say I need to change the IP address in IIS of the FE external website to my external real IP address, right?

  107. That's right. You need to change the IP address of the external website to listen on the external (real NIC) address. In addition, you must set the hostname to the Internet FQDN published for web services.

  108. I tried it but still have the same problem. Do I need to publish my Lync server FE website to outside using a real IP also?

  109. I'm not using my real IP on the Internet. Have you configured the internal web site to listen only on the internal IP? Have you confirmed that the edge server resolves the "external" (real) IP of the pool if you ping the Internet name from the edge server?

  110. Have you restarted IIS after the change?

  111. Yes, restarted already. Basically my simple meeting URL is working fine. I have configured my Lync FE external website on port 80 to listen on my real IP and changed the FQDN, but the issue is I can't change the external site on port 443. Is there anything I am missing? Do you have any guide with screenshots?

  112. Ken,

    Question regarding front end server URLs and SSL certs.

    Should the FE FQDN be my internal (.local) address or an external (.com) address? Does it make a difference? And what about the FE External Web Service FQDN? I assume that should be external.

    Do I need a cert from a certified public CA on my FE server? Can I use a local CA for certain portions? I see three different components that have certificates assigned, Server Default, Web Services Internal, and Web Services External. Could I use a Public cert for the External only and sign the rest internally? Thank you in advance. Rob.

  113. Hey Rob,
    The FE FQDN can be either a .local or .com address. If you're using Enterprise Edition, I normally recommend that the pool FQDN is a .com, while the server names would still be .local.

    And yes, the FE External Web Service FQDN has to be external. Check the link at the bottom of the original post for more information.

    And finally, yes, you can use an internal CA for the Server Default and web services internal, and an external cert for the external web services.

    Ken

  114. Thanks for the help! That link spelled things out beautifully.

  115. Hi there Ken..
    After reading your blog (including comments and questions) my head went into a perpetual spin. I have decided the best method for an answer is to ask the questions which best suit the environment I am running here.
    We have a TMG 2010 server which is also hosting Exchange Edge with AutoDiscover, ActiveSync and Webmail. We also have LDAP and RADIUS running on the TMG (say internal 10.0.0.1). I have configured and built an FE Lync Server (say 10.0.0.10) and a Lync Edge with certs for the internal network (10.0.0.7) and external network (10.0.0.8), though the Lync Edge is sitting on the inside of the network. Now here's the big question: when I assign a translation of 443 and 80 to 4443 and 8080 for the Lync Edge, I end up with an error on the TMG referring to the name already being in use on the network. One can only assume this is referring to port 443 already being in use with Exchange? Anyway, how can I get around this issue? (if indeed it is an issue at all) I would be very keen to know what I can do to get my Lync servers up and running on the outside world. Everything inside is working perfectly. Also, I only have one static IP available for use and it is being used for Exchange. Cheers in advance.

  116. Yes, you are likely to run into issues with the way you've got it set up. You could try to use the same listener you're using for Exchange, and add all the Lync names to the cert. Then you can redirect based on the incoming FQDN. I doubt it will work right though.

    Ken

  117. Hi Ken,

    Thanks for the response, I think you are right. Either a certificate with the Lync names added or a wildcard certificate may work. I guess I will need to do some more homework on this, as I am not 100% sure, when it comes to creating the web listener, whether this would work or not. The issue I have here is the limited static IP addresses (one only) and the number of services appointed to it for port 443. If there is anything you could suggest other than the certificate option, please let me know. =0) Thanks... Regards Adrian.

  118. Hey Adrian,
    Yes, you are definitely limited if you only have a single external IP address. One thing you can try is to avoid 443 altogether and use another port. By default, when you set up the Lync edge to use a single IP, it will suggest ports 5061 (access), 444 (webconf) and 443 (A/V). There's nothing stopping you from changing the A/V port to something else, like 445.

    Now as for the certificate on the listener, you'll experience some issues with some devices if you use a wildcard certificate, but that's something you'll have to live with.

    Ken

  119. For anyone enabling Lync mobility: after you complete the installation of the mobility service, you must go back into IIS and reset your external website to use ports 80/443, because during the setup process they will be set back to the default 8080/4443 (took me 2 days to figure that out).

  120. Hi Ken:

    In my environment I'm using TMG to publish Exchange services (OWA etc.). When I create a new web listener for Lync, there is an error saying port 443 is already in use by another rule. May I know how I should overcome this?

    Thanks.

  121. Hi Ken,

    I'd like to ask if you know some bug in Lync.

    Because in our set up whenever we have an internal and external connection (1:1), when we try to share a program or desktop, we are having a network-issue error message but if we start the sharing with a whiteboard first, it does not show any error. Then, we can start sharing other things like programs and desktop.

    On the other hand, when we start a conference (3 users composed of 2 internal users and 1 external), we do not experience any error when sharing a program or doing desktop sharing even during our first try.

  122. Hello Ken or anyone,

    Is there a way that we can develop a Lync server dummy which can be used to intercept the messages and store them in a copy of the DB?

    Any clue?

  123. Hey "Unknown",
    I suspect you have the internal firewall between your edge server and internal network configured incorrectly. Review your settings against the MS list. Some ports are meant to be open to just the internal Lync servers, and others are meant to be open to the entire internal network. I think you've got some ports locked down to the internal Lync servers instead of the entire network.

    Ken

  124. Anonymous,
    I'm not exactly clear on what you want to do, but it sounds like you need the archiving server role, which archives every IM conversation in a DB.

    Ken

  125. Hi Ken

    How does this work in a co-existence scenario with simple URLs? We have our OCS 2007 doing reverse proxy through ISA, and this needs to remain for some time as we are doing a phased migration and at this point are using the OCS edge server for edge server functionality for both Lync and OCS. We need to have meet.domain.com work externally. Do I NAT from an external DNS address assigned to meet.domain.com to my Lync FE server, or do I have to go through the OCS Edge?

  126. Ken,

    VERY informative site! However, like others my head is spinning trying to figure out how to make external users able to access our lync environment w/o use of a proxy. So, here's what I have:

    1 FE Server (Standard)
    External Web Services
    FQDN: lync.CONTOSO.com
    ports: 8080 and 4443

    1 Edge Server using single IP
    (Server is not joined to domain and has two IPs, one internal and one external - external is NAT'd to a public IP)
    SIP Access/WebConf/Audio/Video - meet.CONTOSO.com

    I have ports 443, 444, and 5061 from the public IP open to the edge server. I'm at a standstill of what I do not have set up correctly. I have two certs installed on the edge (one for internal and external).

    Any guidance you'd give would be GREATLY appreciated!

  127. Hi Marc,

    Do you have a service record set on the public DNS for your Lync edge external interface?

  128. Pankaj,

    I am not doing auto-discover externally yet but I do have a public DNS record for my edge public IP.

  129. James,
    Your meet/dialin URLs can reverse proxy through the ISA server along with your OCS URLs. The ISA server should redirect users directly to the Lync front-ends. It's just HTTP stuff, so the edge servers are not involved.

    Ken

    Replies
    1. So to clarify, I can NAT meet.domain.com to my Lync 2010 FE servers via my firewall as discussed in the article, and meet and dialin have no requirements for an edge server?

    2. Hey James,
      Technically, you won't be NATting meet/dialin URLs through TMG. You'll be reverse proxying via web publishing rules. As for edge, you absolutely require one of those. You will use the firewall features of the TMG to lock down access to the ports required. See my post on External Access (there's a link to it in this post).

      Ken

  130. Hey Marc,
    What exactly isn't working for you right now? Can users sign in? Can they do A/V? Can they get the updated address book/meeting content? I can try to help, but I need a bit more detail as to what's wrong.

    Ken

    Replies
    1. Internal is just fine. External, I can use the testocsconnectivity site and everything works until the end when testing port 5061. It says "Subscription for provisioning data did not return a valid MRAS URI."

      In other words, no user access from the outside. Trying to do this w/o proxy server. Thanks!

    2. I guess the first thing to check is that you can telnet to your edge server via port 5061. The TestOCSConnectivity site relies on your DNS being setup properly, so make sure you've got the appropriate SRV records configured. If you tell me your SIP domain, I can check it from here.

      Ken

    3. Ken,

      I can successfully telnet to my edge server's public IP via port 5061. I also have the SRV _sip._tls.mccsc.edu on my DNS server set to port 443. Still, I cannot get an external connection with lync (using iPhone to test, also have Android tablet that won't connect either)

    4. Hey Marc,
      I did a nslookup against _sip._tls.mccsc.edu and it points to meet.mccsc.edu. Your meet/dialin URLs should be pointing to your front-end server (via reverse proxy if available). Your edge server external IP should have a DNS name something like sip.mccsc.edu. That's what the SRV record should be pointing to. What name is on the external certificate for the edge server?

      Now, if you're using an iPhone or Android to test, you won't be hitting the edge server. You'll be directed through the reverse proxy to your front-end. That server needs to have a cert that includes lyncdiscover.mccsc.edu. Before you worry about mobile clients, I would straighten out your edge config using a full Lync client to test.

      Ken

    5. I need to do this w/o reverse proxy. So, if you are saying I shouldn't be using the server that resolves to meet.mccsc.edu (my edge server in this case) and instead it should be pointing to my lync FE server, then how do i get my client's traffic from internet-edge-FE?

    6. Marc,
      You should have a look at my post on Configuring Lync for External Access. There's a picture that might clear things up. In essence, your URLs for meet/dialin/external web services will go directly to your front-end server. Everything else will go through your edge.

      Ken

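The recurring fixes in Ken's replies (comments 90, 92 and 94: Meet/Dialin and External Web Services names must be public rather than .local, each needs a public DNS record NATed to the front-end with 80/443 mapped to 8080/4443, and the names must be on the external web site certificate) and the SRV problem in the replies to comment 130 (the _sip._tls record should target the Edge access name, not the Meet URL) can be turned into one offline consistency check. The Python below is an added example and is not code from the post or any commenter; it assumes the post's 8080/4443 approach (not the alternative of rebinding the external site to 80/443 described in comment 101), and every name and address in it is a constructed placeholder.

```python
"""Offline consistency check for a Lync 2010 'no reverse proxy' publishing plan.

Added example, not code from the post or its comments. All names and
addresses are constructed placeholders (example.com, 192.0.2.x, 203.0.113.x).
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional
from urllib.parse import urlparse

INTERNAL_SUFFIXES = (".local", ".lan", ".internal")
EXPECTED_TRANSLATION = {80: 8080, 443: 4443}  # external port -> front-end port


@dataclass
class PublishingPlan:
    meet_url: str                  # Meet simple URL from Topology Builder
    dialin_url: str                # Dial-in simple URL
    ext_web_fqdn: str              # External Web Services FQDN of the front-end
    frontend_ip: str               # internal IP the firewall forwards web traffic to
    public_dns: dict               # public A records: hostname -> public IP
    cert_sans: set                 # SANs on the cert bound to the external web site
    nat_rules: list                # (public_ip, public_port, internal_ip, internal_port)
    srv_sip_tls: Optional[tuple]   # (target, port) of _sip._tls.<sipdomain>, or None
    edge_access_fqdn: str          # Access Edge external name, e.g. sip.example.com


def host_of(url: str) -> str:
    """Lower-case host part of a simple URL such as https://meet.example.com/meet."""
    return (urlparse(url).hostname or "").lower()


def check_plan(p: PublishingPlan) -> list:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings = []
    sans = {s.lower() for s in p.cert_sans}
    edge_ip = p.public_dns.get(p.edge_access_fqdn.lower())
    web_names = {
        "Meet URL": host_of(p.meet_url),
        "Dialin URL": host_of(p.dialin_url),
        "External Web Services FQDN": p.ext_web_fqdn.lower(),
    }
    # Every web name must be public, resolvable, NATed to the front-end and on the cert.
    for label, name in web_names.items():
        if name.endswith(INTERNAL_SUFFIXES):
            findings.append(f"{label} {name} is an internal-only name; it must be a public FQDN")
        if name not in p.public_dns:
            findings.append(f"{label} {name} has no public DNS A record")
        else:
            ip = p.public_dns[name]
            if not any(r[0] == ip and r[2] == p.frontend_ip for r in p.nat_rules):
                findings.append(f"{label} {name} resolves to {ip}, which is not NATed to front-end {p.frontend_ip}")
            if edge_ip is not None and ip == edge_ip:
                findings.append(f"{label} {name} shares the Edge public IP {ip}; web publishing needs its own public IP")
        if name not in sans:
            findings.append(f"{label} {name} is missing from the external web site certificate")
    # External 80/443 must land on 8080/4443, the ports the external web site listens on.
    fe_rules = [r for r in p.nat_rules if r[2] == p.frontend_ip]
    for pub_ip, pub_port, int_ip, int_port in fe_rules:
        want = EXPECTED_TRANSLATION.get(pub_port)
        if want is not None and int_port != want:
            findings.append(f"NAT {pub_ip}:{pub_port} -> {int_ip}:{int_port}: external {pub_port} must translate to {want}")
    for pub_port in EXPECTED_TRANSLATION:
        if pub_port not in {r[1] for r in fe_rules}:
            findings.append(f"no NAT rule publishes external port {pub_port} to the front-end")
    # Client sign-in finds the Edge through _sip._tls; it must not point at a simple URL.
    if p.srv_sip_tls is None:
        findings.append("_sip._tls SRV record is missing; external clients cannot locate the Edge")
    elif p.srv_sip_tls[0].lower() != p.edge_access_fqdn.lower():
        findings.append(f"_sip._tls SRV targets {p.srv_sip_tls[0]}; it should target the Edge access FQDN {p.edge_access_fqdn}")
    return findings


# Constructed "before" plan that reproduces the mistakes reported in the thread.
BROKEN_PLAN = PublishingPlan(
    meet_url="https://abcmeet.example.com/meet",
    dialin_url="https://abcdialin.example.com/dialin",
    ext_web_fqdn="lyncserver.example.local",          # internal name left in the topology
    frontend_ip="192.0.2.6",
    public_dns={"sip.example.com": "203.0.113.5",      # no record for the web services name
                "abcmeet.example.com": "203.0.113.6",
                "abcdialin.example.com": "203.0.113.6"},
    cert_sans={"abcmeet.example.com", "abcdialin.example.com"},
    nat_rules=[("203.0.113.6", 80, "192.0.2.6", 8080),
               ("203.0.113.6", 443, "192.0.2.6", 443)],  # the 443 -> 443 typo
    srv_sip_tls=("abcmeet.example.com", 443),          # SRV pointed at the Meet URL
    edge_access_fqdn="sip.example.com",
)

# The same plan after the fixes recommended in the thread; expect no findings.
FIXED_PLAN = replace(
    BROKEN_PLAN,
    ext_web_fqdn="lyncweb.example.com",
    public_dns={**BROKEN_PLAN.public_dns, "lyncweb.example.com": "203.0.113.6"},
    cert_sans=BROKEN_PLAN.cert_sans | {"lyncweb.example.com"},
    nat_rules=[("203.0.113.6", 80, "192.0.2.6", 8080), ("203.0.113.6", 443, "192.0.2.6", 4443)],
    srv_sip_tls=("sip.example.com", 443),
)
```

Running `check_plan(BROKEN_PLAN)` reports five findings (three against the .local External Web Services FQDN, the 443 to 443 translation, and the SRV target), and `check_plan(FIXED_PLAN)` reports none. The checker deliberately looks only at the HTTP publishing side; as Ken repeats throughout the thread, sign-in, A/V and sharing still need an Edge server, which this check takes as given.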
  131. Hi, Ken! It's Manny again. I have a quick question, but I first want to give you a huge thanks because I managed to successfully set up Lync Edge and have external access due to your insights into certain key parts of this deployment.

    With that said, everything's working, but when I test getting on the Lync Web App, the certificate seems to be from the internal local CA (which isn't trusted externally of course), even though I have the third-party cert for lync.domain.com.

    Is this due to going straight to the FE and not having a Reverse Proxy? That would still confuse me though. Again, all works, it's just I thought I wouldn't get any certificate validation complaints since I do have (and installed) the cert. When I view the details, the cert is not the 3rd-party cert but the local CA. Any thoughts?

    Thanks a gazillion!! You should write a book on Lync because I'm sure it would be a lot clearer than the one I'm using right now.

    Manny

    Replies
    1. Hey Manny,
      Glad that I was able to help with your deployment. It can be hard to get all the bits working together the first time.

      As for your issue, I'm assuming you've assigned the 3rd party cert to the external web services on your front-end as described. Double-check that to make sure. Also, make sure your firewall is sending external requests from 80/443 to 8080/4443, which are the ports the external web services site is listening on (unless you changed them).

      Ken

    2. Thanks for replying, Ken. I have double-checked what you suggested and they are all in place. I even went to IIS7 to check the Lync Server External Web Site and made sure it had the 3rd party cert bound to it as well (aside from checking in the Deployment Wizard Certificate Wizard).

      Everything is working, including application sharing. What happens is that I would click the meeting link (https://lync.domain.com/meet/user/T5SRB78J) in an email so browser opens to that page as normal, then the Lync Web App opens on a separate window and HERE is where the issue comes up.

      The URL is now changed to something along the lines of https://lyncFEserver.domain.local/Reach/Client/WebPages/ReachClient.aspx.../. So naturally that domain isn't trusted outside as it's internal. How come the URL got switched? I guess I don't know where to go from here and hoped that you did, you being a Jedi and all. :-)

      Thanks,
      Manny

    3. Hey Manny,
      I suspect that the cause might be that your external web services FQDN is set incorrectly. Use the Topology Builder to check what it says. You'll see it in the properties of the front-end server. The External Web Services FQDN should be an externally accessible FQDN. I suspect you'll see that it's pointing to your front-end's internal FQDN.

      Ken

    4. Hey Ken,

      Just checked the Ext Web Serv FQDN and it's pointing to LyncWeb.domain.com and listening on ports 8080/4443; forwarded on the firewall as stated before.

      I did notice that I don't have an external DNS record for it. Could that be it? Sounds like it should; some IT guy I am, huh?!?

    5. Ugh!! I feel stupid! Sure enough, that's what it was. Also, realized that my tests may not have actually been from the outside, though I thought I was connected externally. Thanks for your help again. You at least got me thinking.

  132. Hi Ken, hi people!
    I have a problem with our Lync configuration and external user access.
    External user access is all OK, except desktop sharing.
    Desktop sharing is OK if I go online over a USB Internet stick connection, so I get a public IP directly on my laptop.
    But if I go online over a LAN connection (e.g. at home or Wi-Fi tethering over my mobile) and I get an internal IP from my private LAN, desktop sharing does not function anymore.
    If I try to establish a desktop sharing session from my private LAN, I get the notification on my laptop inside our company LAN. I confirm the request, but after a few seconds I get an error: failed to connect due to network issues, try again later.
    Does anyone have a hint for me?
    Thanks!
    zep

  133. Hello Ken,
    I want to set up the Lync mobility feature in my environment, which is as follows.
    Hello Friends,

    First, here is a little information about the environment I have.

    A: I have 1 Front End Lync server with 1 NIC

    B: I have 1 Edge server with 2 NICs configured

    I plan to set up Lync Mobility and have checked all the prerequisites in the documentation, but I am a little confused about the DNS Autodiscover record. I know I need to create 2 new DNS records, internal and external, for Autodiscover.

    My main questions are here:

    1- The internal Autodiscover record should point to the internal IP of the Lync server.

    2- There are 3 IPs mapped publicly for the Edge server (webconf, av and sip), so which A record/public IP of the Edge server should the external Autodiscover record for mobility point to in order to work fine??

    3- Since I am using a public CA and a local CA for both the Lync and Edge servers, do I need to edit any public CA, either for Lync or Edge?

    Do you THINK I can set up Lync mobility without configuring any reverse proxy???
    Your cooperation will be appreciated.

    Thanks

    Greenman

  134. Hi Ken,
    Can you tell me why the Edge server is a requirement for external conferencing? We have firewall rules for NAT and port access and all the necessary ports are open. The server should end up seeing the external clients as internal, correct? I know it's not recommended, but it seems that it should be possible to do a Standard single server deployment with a single server and get internal/external access. Our certificates are set up for all names. IM works externally but desktop sharing does not.

    Thanks,
    Robert

    1. Lync Mobility is working with our current setup as well.

    2. Hi Robert,
      Yes, setting it up the way you describe will work.....for IM. However, all other modes (desktop sharing/audio/video) won't work, and that's why you need an edge server. There are lots of good reasons for this (mostly around networking and NAT), but there isn't any way of getting Lync working properly externally without an edge.

      Also, Mobility works because it doesn't actually use the edge for anything. It's all http/https and goes either via a reverse proxy or direct to the front-end.

      Ken

    3. Ken, regarding your statement about Mobility. I am in the design phase and have a single FE standard with a single IP and port forwarding on the firewall. It seems from the MS docs that the mobility URL always resolves to the external web services, presumably because our phones are not domain joined and most internal services utilize the domain CA. My question is how do I ensure that I get my mobile devices to resolve to the external domain without hairpinning through the firewall? It seems like it may be necessary to set up the external services on a second IP, since they are hosted on 8080 and 4443 by default. Without going through the firewall I don't see a way of translating those.

  135. For anyone who might be interested, here's an example of how I've setup Lync Web Services through a Cisco ASA without a reverse proxy server, using the default 8080 & 4443 ports on a Lync Standard Edition Front-End server.

    In this example we will use the following IP addresses:

    Lync Standard Edition Front-End: 192.168.1.100
    External Public IP address to be translated to the Front End Server: 66.77.88.100

    The commands would look like this:

    static (inside,outside) tcp 66.77.88.100 www 192.168.1.100 8080 netmask 255.255.255.255

    static (inside,outside) tcp 66.77.88.100 https 192.168.1.100 4443 netmask 255.255.255.255

    access-list outside_acl extended permit tcp any host 66.77.88.100 eq https

    access-list outside_acl extended permit tcp any host 66.77.88.100 eq www

    access-group outside_acl in interface outside

    This configuration seems to work fine, and allows the Web Services (including the address book) to be pulled directly from the Front-End server; however, it is suggested that you use a Reverse Proxy like TMG. Also, be sure to have the Web Services URL in the SAN list on your Front-End certificate.

    Hope this helps.
    Brent
    Penton Media

  136. Brent,

    Keep in mind your configuration is ASA version dependent. 8.3 and beyond have a different NAT command set and reference the real IP in ACLs. Using your information, the config would look something like this.

    ! Real (inside) host, one object per translated service
    object network obj-192.168.1.100-HTTP
      host 192.168.1.100
    object network obj-192.168.1.100-SSL
      host 192.168.1.100

    ! Static port translation: public 80 -> real 8080, public 443 -> real 4443
    object network obj-192.168.1.100-HTTP
      nat (inside,outside) static 66.77.88.100 service tcp 8080 www
    object network obj-192.168.1.100-SSL
      nat (inside,outside) static 66.77.88.100 service tcp 4443 https

    ! Post-8.3 ACLs match the real (untranslated) IP and port
    access-list acl-outside extended permit tcp any host 192.168.1.100 eq 8080
    access-list acl-outside extended permit tcp any host 192.168.1.100 eq 4443

    ! The access-group must reference the same ACL name as defined above
    access-group acl-outside in interface outside

    1. Robert, you are correct the example that I provided was for the ASA pre-8.3

      Thanks for providing the 8.3 example!
      Brent

  137. Hi Ken.

    I've followed your article to work around the reverse proxy issue, and so now have one NIC with two IPs, for the internal and external IIS websites on 80/443. However, the only way that I can successfully create an "external" meeting is when I forward port 443 from the router direct to my Lync front end server. Unfortunately this is not a long term solution for me, as our DC needs port 443 going to it for OWA etc...

    I've briefly messed about with URL rewrites on the IIS of our DC, but I kinda feel that I'm barking up the wrong tree. Could you point me in the right direction? Do I need/should I have 443 going directly to the front end server for external meetings to work? Do I need a router that can port forward to multiple LAN IPs?

    thanks in advance,

    dug.

    1. Hi Dug,
      It sounds like you're trying to use a single external IP address to route to multiple servers/services. Sorry, but that's not going to work very well without a reverse proxy solution. A reverse proxy solution like TMG will be able to route 443 requests to different servers based on the target host name. Most firewalls won't be able to do that.

      Ken

    2. Hey Ken, thanks for your quick response. I think I might be a little confused, as I thought that I was trying to achieve what you were referencing in your article.

      From my interpretation the lync front end and my DC are naturally behind the same external IP, as they belong to the same domain. My Lync edge has a different external IP, and is internally connected to the domain. An external meeting request on 443 (say meet.domain.com) will reach my hosts DNS panel and find that meet.domain.com goes to the external IP for my domain (let's say 82.10.234.5), then my external facing router will have to forward any 443 requests to either my DC (let's say 192.168.0.1) OR my Lync Front End's iis external site IP (let's say 192.168.0.9).

      When my router sends 443 requests to my DC the meeting fails, but when the router sends 443 requests to the Lync Front End's, the meeting succeeds.

      Would this not be the same config/principle as the one you reference in your article? Would this company not also need 443 going to their Exchange server for OWA etc.. as well as the Lync Front End?

      Thanks in advance for any more input, otherwise it's gonna be back to the drawing board... I certainly don't fancy a TMG install!

      dug.

    3. Hi Dug,
      Yes, you've got the config/principle idea down regarding routing directly to the front-end. However, in your situation you're trying to share the same IP address with multiple internal servers. A router isn't going to be able to route incoming traffic from 1 external IP to more than one internal server. I assume that you've got a dedicated external IP address mapped to meet/dialin. In your situation, if external IPs are not available, I would recommend installing TMG, which is the supported way of doing this anyway.

      Ken

    4. Hey Ken,
      Yes, I do have a dedicated external IP for my meet and dialin, and it points to one of our routers in which our main LAN/Domain sits behind (containing our DC & Lync FE). Both the internal and external meet IIS sites on the Lync FE are internal IPs (192.168.0.*).

      I do have more external IPs at my disposal. Are you saying that the external meet IIS site on the Lync FE should be on an external facing IP to receive 443 meet requests, and that the internal meet IIS site should be on the internal facing IP? Wouldn't this basically be the same network config as the Lync Edge? It certainly isn't advisable to expose an internal domain joined server directly out to the internet, is it?

      Many thanks again,
      dug.

  138. Hi everybody,

    I am new to Lync communication. Is it possible to log in with the Lync client without a Lync Edge? My server is lyncfe.contosto.com, where I have created a user. Can I log in directly to this end?

    1. You can log into Lync internally without an edge server. However, if you want to log onto Lync from the Internet, an edge server is a requirement.

      Ken

  139. Hi Ken,

    Thanks for this blog! We've configured our environment without the reverse proxy as you have documented, but we've initially used internally published certificates. We are now about to purchase public certs - my question is do I need to include all simple URLs when replacing the web services external certificate or just the dialin and meetnow? Also if I purchase a certificate for the edge including all these SANs, would I be able to use this on both edge and front end?

    I hope that isn't a dumb question!

    Many thanks in advance.

    Matt

    1. Hey Matt,
      You will need a cert with your simple URLs (dialin/meet) as well as the external web services FQDN (as defined in your topology). If you want, you can combine all the certs for the edge and the front-end into one, but I find that it's easier to keep them separate.

      Ken

    2. I've set this up today with separate certificates and it works great.

      Thanks a lot for the advice!

      Matt

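Two of the problems in this thread only show up when you test from the Internet side: Manny's external web services FQDN had no public DNS record, and Matt's question (together with Brent's reminder to put the web services URL in the SAN list) is about whether the certificate served by the directly published front-end carries every name it answers to. The script below is an added example, not code from this post or from any of the commenters. It performs that outside-in check for a front-end published straight through a firewall as in the ASA examples above: resolve each name, complete a TLS handshake against the public IP with that name as SNI, require the chain to validate (public CA, or a `cafile` you supply), and then report whether the served certificate has an exact SAN entry for the name. The host names, the public IP and the sample certificate dictionary are constructed placeholders; the pure functions run offline against the sample, the live check needs an Internet vantage point.

```python
"""
Added example (not from the original post or any commenter): an outside-in
checker for a Lync external web site published directly through a firewall.

It looks for the two failures seen in this comment thread:
  * no public DNS record for a published name (Manny's case), and
  * a front-end certificate with no SAN entry for a published name
    (Matt's question, Brent's SAN reminder).

Run the live check from a host on the Internet: from inside the LAN, split
DNS and internal CA trust hide both problems. All names, the IP address and
the sample certificate below are constructed for the example.
"""
import socket
import ssl
from typing import Dict, Iterable, List, Optional

# Names the external site must answer to, per Ken's reply to Matt: the
# External Web Services FQDN from the topology plus the simple URLs.
# Placeholder values; substitute your own.
REQUIRED_NAMES = ["lyncweb.example.com", "meet.example.com", "dialin.example.com"]

# Constructed stand-in for what ssl.SSLSocket.getpeercert() returns, with the
# dialin simple URL deliberately missing so the offline demo has a finding.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "lyncweb.example.com"),),),
    "subjectAltName": (
        ("DNS", "LyncWeb.example.com"),
        ("DNS", "meet.example.com"),
        ("IP Address", "66.77.88.100"),
    ),
}


def san_dns_names(peercert: Dict) -> List[str]:
    """DNS entries of the subjectAltName, lower-cased. The CN is ignored on
    purpose: clients match on the SAN, so a CN-only certificate fails for them."""
    return [v.lower() for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def missing_names(required: Iterable[str], present: Iterable[str]) -> List[str]:
    """Required names with no exact SAN match. Wildcards are not accepted here:
    each simple URL and the web services FQDN should be listed explicitly."""
    present_set = {p.lower() for p in present}
    return [n for n in required if n.lower() not in present_set]


def evaluate_cert(name: str, peercert: Dict, ip: str = "?") -> str:
    """Pure part of the check, usable offline against a getpeercert() dict."""
    gaps = missing_names([name], san_dns_names(peercert))
    return "ok" if not gaps else f"cert served at {ip} has no SAN for {name}"


def resolve_from_here(name: str) -> Optional[str]:
    """Resolve with this host's resolver; None means no record from this vantage point."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def fetch_peercert(ip: str, sni: str, port: int = 443, cafile: Optional[str] = None) -> Dict:
    """TLS handshake to ip:port presenting sni; returns the parsed server cert.
    The chain must validate (default store, or cafile) or ssl raises; hostname
    matching is disabled so that SAN gaps are reported by evaluate_cert()."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=5.0) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


def check_published_names(required: Iterable[str], port: int = 443,
                          cafile: Optional[str] = None) -> Dict[str, str]:
    """Per name: DNS, then TLS trust, then SAN. Returns {name: 'ok' or reason}."""
    findings: Dict[str, str] = {}
    for name in required:
        ip = resolve_from_here(name)
        if ip is None:
            findings[name] = "no DNS record from this vantage point"
            continue
        try:
            cert = fetch_peercert(ip, name, port, cafile)
        except ssl.SSLCertVerificationError as exc:
            findings[name] = f"chain from {ip} not trusted here: {exc.verify_message}"
            continue
        except OSError as exc:  # refused, timed out, TLS failure
            findings[name] = f"{ip}:{port} did not complete TLS: {exc}"
            continue
        findings[name] = evaluate_cert(name, cert, ip)
    return findings


def offline_demo() -> Dict[str, str]:
    """Evaluate every required name against the constructed sample certificate."""
    return {n: evaluate_cert(n, SAMPLE_PEERCERT, "66.77.88.100") for n in REQUIRED_NAMES}


if __name__ == "__main__":
    for name, finding in offline_demo().items():
        print(f"{name:28} {finding}")
    # Live run (Internet vantage point and your real names in REQUIRED_NAMES):
    # for name, finding in check_published_names(REQUIRED_NAMES).items():
    #     print(f"{name:28} {finding}")
```

The live check deliberately keeps chain validation on: a front-end certificate from the internal CA will pass from a domain-joined laptop and fail from an external client, which is exactly the difference Matt's move to a public CA is meant to remove. Port 443 is what an external client sees after the firewall's port translation, so the check exercises the 443 to 4443 mapping from the ASA examples as well as the certificate.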