Since there are already countless Lync 2013 setup guides online, I only wanted to write about a few caveats with the configuration that I found during my recent deployment of the Mobility features.
In terms of Mobility, Lync 2013 relies on a reverse proxy to broker inside and outside connections to the Lync Front End (or Lync Standard Edition) server. This is in order to mitigate issues with users who roam between the inside and the outside of the corporate network. Whether a user is within the network’s perimeter or not, their mobile client will always connect to the reverse proxy, thus helping to prevent timeouts and disconnects when switching between the two.
I decided to go with Microsoft’s recommended TMG (Threat Management Gateway) 2010 server for the reverse proxy solution. I had not worked with TMG before this point, but found it kind of similar to most firewalls that I’ve worked with in the past, such as Fortinet or Juniper devices. The configuration requirements for this deployment were very simple; open ports 80 and 443 and translate internally to ports 8080 and 4443 going to the Lync FE server. The execution, however, was slightly problematic.
Check out my latest article for a more comprehensive rundown of Lync 2013 and External Services. I’ll describe, in detail, what’s necessary and why in order to help prepare for the daunting task of Lync Topology Planning!
One of the first issues I faced was with certificate matching. Lync utilizes two different certificates, or can be set to use just one if you want to include your internal SANs on your public CA cert. We used an Enterprise CA to issue the certificate that is applied to the Lync Server Internal Web Site, and a certificate issued by a public CA was applied to the Lync Server External Web Site.
When requesting the public cert, be sure that it includes a SAN for the FQDN of your “External web address”. The reverse proxy will use this certificate and web address header to forward packets to the Lync Front End. The same happens with the Simple URLs (Meet and Dial-in). If your external web FQDN is lyncweb.domain.com, add this SAN to the public cert.
Be sure to also add your Lyncdiscover public URL to ensure discovery for your remote clients.
The public cert applied to the reverse proxy and Lync FE server (External Web Site) should include at least the following CN and Subject Alternative Names:
lyncweb.domain.com (External FQDN)
lyncdiscover.domain.com (Lync Autodiscover URL)
meet.domain.com (Meeting Simple URL)
dialin.domain.com (Dial-in Simple URL for phone dial-in)
(Note: SANs such as Dial-in, Meet, and the Edge service URLs are only necessary if these features are deployed but are not required for basic mobility to work.)
If you’re setting up a Lync Edge Server you may want to also include all of the Edge service SANs in order to use a single certificate. The Edge services are A/V, Web Conferencing, and Access service for federation. The entries listed above are only the bare requirements for simple Lync mobility (phone and external clients).
Another catch here is that you must run the Lync Server Deployment wizard in order to correctly apply the certificate to the External Web Site on the Lync Standard Server IIS. You are able to open IIS and change the bindings for this site manually, but this does not fully register the cert within Lync. Don’t be confused by other guides that tell you to just change bindings in IIS, this does not fully commit! Be sure to run the Lync Server Deployment Wizard for the certificate configuration as outlined in the steps below to correctly apply the certificate.
- Log into the Lync FE (or Lync Standard Edition) server
- Make sure the public cert with private key is added to the Computer’s Personal store
- Run the Lync Server Deployment Wizard
- Select Install or Update Lync Server System
- On Step 3 of the deployment wizard, select Run or Run Again
- Click the drop down next to Default certificate and uncheck all boxes except “Web services external”
- Click Assign to select your public CA cert and click Next all the way through
- Verify that the friendly name for “Web services external” is the name of your public cert
This ensures that the external web site in IIS uses the right certificate as well as having it registered within the Lync topology.
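As an added check (example code, not from the original post), the following PowerShell verifies the outcome of the SAN list and the wizard steps above: it reads the certificate Lync registered for “Web services external”, confirms it has a private key and the required SANs, and compares its thumbprint with the IIS binding on port 4443. It assumes the Lync Server Management Shell and the WebAdministration module are available on the FE server, an English Windows locale for the SAN text, and the domain.com names used in this post.

```powershell
# Added example: confirm the "Web services external" certificate is complete and registered.
# Assumptions: Lync Server Management Shell loaded, WebAdministration module present,
# English locale (SAN extension text is localized), names below replaced with yours.
$RequiredSans = @(
    'lyncweb.domain.com',        # External web services FQDN
    'lyncdiscover.domain.com',   # Lync Autodiscover URL
    'meet.domain.com',           # Meeting Simple URL (only if deployed)
    'dialin.domain.com'          # Dial-in Simple URL (only if deployed)
)

# 1. What Lync itself has registered; this is what the Deployment Wizard commits.
$assigned = Get-CsCertificate -Type WebServicesExternal
if (-not $assigned) { throw 'Nothing registered for Web services external; run the Deployment Wizard.' }

# 2. Load the same certificate from the computer's Personal store by thumbprint.
$cert = Get-Item ("Cert:\LocalMachine\My\" + $assigned.Thumbprint)
if (-not $cert.HasPrivateKey) { throw 'Certificate in the Personal store has no private key.' }

# 3. Collect DNS names from the Subject Alternative Name extension (OID 2.5.29.17) plus the CN.
$sanNames = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $sanNames = ($sanExt.Format($false) -split ',\s*') |
        ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() } |
        Where-Object { $_ }
}
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
$covered = @($sanNames) + $cn

# 4. Report each required name.
foreach ($name in $RequiredSans) {
    $status = if ($covered -contains $name) { 'OK' } else { 'MISSING' }
    '{0,-28} {1}' -f $name, $status
}

# 5. Changing the IIS binding alone does not register the cert with Lync; check both agree.
Import-Module WebAdministration
$binding = Get-WebBinding -Protocol https | Where-Object { $_.bindingInformation -like '*:4443:*' }
if (-not $binding) {
    'No HTTPS binding on port 4443 found in IIS.'
} elseif ($binding.certificateHash -ne $cert.Thumbprint) {
    "IIS 4443 binding uses $($binding.certificateHash), Lync registered $($cert.Thumbprint): re-run the wizard."
} else {
    "IIS binding and Lync registration agree on thumbprint $($cert.Thumbprint) (expires $($cert.NotAfter))."
}
```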
One issue I found with DNS was the way that the lyncdiscover record was created. In some Lync setup guides, the steps are to create a CNAME record for lyncdiscover pointing to whatever external Lync address you choose to use. I found that the lyncdiscover site would not show up properly in this situation, and that changing the lyncdiscover record to an A record pointing directly to the public IP address resolved issues with automatic discovery.
Another recommendation is to set the internal A record for lyncdiscoverinternal.domain.com to point to the external interface of the reverse proxy. This helps users who roam from external to internal networks while connected to Lync on mobile devices, a situation that might otherwise cause traffic to be directed somewhere else based on DNS.
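To check both DNS recommendations from any Windows 8 / Server 2012 or later admin box, here is an added PowerShell example (not part of the original post). It flags a CNAME on the public lyncdiscover name, confirms both names resolve to A records, and compares the answers with the reverse proxy’s external IP; the IP, the domain.com names and the public resolver used for the external view are assumptions you replace with your own.

```powershell
# Added example: verify the lyncdiscover / lyncdiscoverinternal records match the post's advice.
# Assumptions: Resolve-DnsName available (Windows 8 / Server 2012+); values below are placeholders.
$PublicName             = 'lyncdiscover.domain.com'
$InternalName           = 'lyncdiscoverinternal.domain.com'
$ReverseProxyExternalIp = '203.0.113.10'   # constructed placeholder (RFC 5737 documentation range)
$ExternalResolver       = '8.8.8.8'        # any public resolver, to see what remote clients see

function Test-LyncDiscoverRecord {
    param([string]$Name, [string]$ExpectedIp, [string]$Server)
    $params = @{ Name = $Name; DnsOnly = $true; ErrorAction = 'Stop' }   # skip hosts file / LLMNR
    if ($Server) { $params['Server'] = $Server }
    try { $answers = Resolve-DnsName @params } catch { return "$Name : does not resolve ($_)" }

    $types = ($answers | ForEach-Object { $_.Type }) -join ','
    # A CNAME answer is what the post found breaks autodiscover for mobile clients.
    if ($answers | Where-Object { $_.Type -eq 'CNAME' }) {
        return "$Name : resolves via CNAME ($types); use a direct A record instead"
    }
    $aRecords = $answers | Where-Object { $_.Type -eq 'A' }
    if (-not $aRecords) { return "$Name : no A record in answer ($types)" }

    $ips = $aRecords | ForEach-Object { $_.IPAddress }
    if ($ExpectedIp -and ($ips -notcontains $ExpectedIp)) {
        return "$Name : A -> $($ips -join ',') but expected reverse proxy $ExpectedIp"
    }
    return "$Name : OK (A -> $($ips -join ','))"
}

# External view: ask a public resolver so split-brain internal DNS does not mask the answer.
Test-LyncDiscoverRecord -Name $PublicName -ExpectedIp $ReverseProxyExternalIp -Server $ExternalResolver
# Internal view: per the post, this should also land on the reverse proxy's external interface.
Test-LyncDiscoverRecord -Name $InternalName -ExpectedIp $ReverseProxyExternalIp
```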
TMG Setup Issues
Again, TMG was not so complicated to set up, and most of the guides are very easy and accurate to follow. One thing that I did have issues with was setting the correct “To” address in the Web Publishing rule. Most of the guides were pretty unclear as to what to put here. Some said to put the internal FQDN (i.e. lyncprod.domain.local) and others showed a public address (i.e. lyncprod.domain.com). It turns out the To: address on the TMG should be the “External web services” URL that was selected in the Lync Topology Builder.
This maintains the chain of trust when forwarding from the reverse proxy to the FE server and back to the client. Also, to ensure proper forwarding, you should include the Lync FE server’s internal IP address for name resolution when setting up the Web Publishing Rule.
There you have it. I hope this guide helps anyone who finds themselves in a jam and can’t locate any information other than the standard guides that are out there. Please feel free to post any comments if you have any questions!
Is Mobility still an issue? Are you having trouble with Edge services? Desktop Sharing? Check out my latest blog for in-depth explanation of all Lync 2013 Edge and Mobility Requirements!
Reverse Proxy TMG Setup – http://www.darylhunter.me/blog/2011/11/lync-2010-reverse-proxy-part-3.html
Lync External Access Deployment Checklist – http://technet.microsoft.com/en-us/library/gg425910.aspx
Lync Mobility Deployment Process – http://technet.microsoft.com/en-us/library/hh690023.aspx
TMG Publishing Rules for Lync – http://blog.ucmadeeasy.com/2010/09/24/publishing-lync-server-2010-rc-simple-urls-and-web-components-with-forefront-tmg-2010/