Tag Archives: Lync External Connectivity

IIS ARR on Windows 8.1 for Lync 2013


A reverse proxy is a key part of the infrastructure topology: it lets users reach internal applications from the internet. Microsoft has no future road-map for TMG/UAG, and other products that provide the same kind of functionality can be expensive. Therefore, Microsoft came up with an inexpensive reverse proxy solution that works on IIS 7 onwards. It is very simple to configure and can be set up on a Windows Server operating system as well as on a client operating system.

Let's start the step-by-step procedure to configure Internet Information Services Application Request Routing (IIS ARR) on Windows 8.1. The basic requirements for IIS ARR are two NICs and IIS 7 or above.

(Note: If IIS ARR sits behind the internal firewall, don't forget to add the route so that inbound traffic can reach the internal network, and don't specify any gateway on the internal NIC.)

The system should not be a member of the domain. One NIC connects to your internal network and the other connects to the internet.

Install Windows 8.1 Enterprise.

 

Add the DNS suffix.

 

Configure both NICs. In my setup, "Edge" talks to the internal network and "External" talks to the internet. Don't configure a gateway or DNS on the internal NIC.

 

Install IIS with default features.

 

There are two ways to install the IIS ARR components.

  1. Automatic (if your IIS ARR server has an internet connection, you can use this option.)
  2. Manual (if you don't have internet connectivity.)

For automatic installation, just download the Web Platform Installer and run wpilauncher.exe.

 

Type ARR in the search box and press Enter. Application Request Routing 3.0 appears; click Add and then Install.

 

You will get the list of dependencies, including ARR 3.0. Click I Accept to install.

 

If your IIS ARR server has no internet connection, follow the same steps up to this point on any machine that does have internet access, and download all the dependencies by clicking "Direct Download Link".

Now you can install everything manually, including the IIS features that are not installed by default, cross-checking against the list in the window above.

Once the installation is done, assign a certificate to IIS; it should have the following SANs:

  1. Lyncdiscover.domain.com
  2. Dialin.domain.com
  3. Meet.domain.com
  4. LyncExternalWebService.domain.com (FQDN of the external Lync Web Services)
  5. WACExt.domain.com (FQDN of the external WAC service) – only if you are publishing the WAC URL.

Open IIS Manager and cross-verify the assigned certificate.
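Cross-verifying by eye is easy to get wrong, so here is an added check (not part of the original post) that reads the certificate actually bound to port 443 and compares its SANs with the list above. The domain.com names are placeholders for your own FQDNs, and parsing relies on the English "DNS Name=" rendering of the SAN extension.

```powershell
# Added example, not from the original post: compare the SANs on the certificate
# bound to 443 with the names the post requires. "domain.com" is a placeholder.
Import-Module WebAdministration
$requiredSans = @(
    'lyncdiscover.domain.com',
    'dialin.domain.com',
    'meet.domain.com',
    'lyncexternalwebservice.domain.com',   # external Lync Web Services FQDN
    'wacext.domain.com'                    # only if you publish the WAC URL
)

function Get-CertificateSans {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.17 is the Subject Alternative Name extension. Format($true)
    # renders one entry per line ("DNS Name=meet.domain.com" on English Windows).
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    $san.Format($true) -split '\r?\n' | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim().ToLowerInvariant() }
    }
}

# Pick the certificate IIS actually serves on 443, not just any one in the store.
$binding = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Select-Object -First 1
if (-not $binding) { throw 'No HTTPS binding on port 443 found in IIS.' }
$cert = Get-Item "Cert:\LocalMachine\My\$($binding.Thumbprint)"

$present = @(Get-CertificateSans -Certificate $cert)
$missing = $requiredSans | Where-Object { $present -notcontains $_ }

"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"
"SANs    : $($present -join ', ')"
if ($missing) { Write-Warning "Missing SANs: $($missing -join ', ')" }
else { 'All required SANs are present.' }
```

Drop the WAC entry from $requiredSans if you are not publishing Office Web Apps.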

 

Right-click Server Farms and create a new server farm.

 

Define the server farm name and click Next.

 

Define the IP address of your FE pool, or the FQDN* of your FE pool.

(*Note: If you use the FQDN, you should make an entry for it in the hosts file.)

 

Make the server entry and change the port in Advanced Settings as below.

 

Now you can see your server farm.

 

Follow the same steps to add all the server farms you require.

 

Now go to your website and click Bindings.

 

Add the necessary bindings on port 443 for HTTPS.

Now go into each farm and change the configuration under Caching, Proxy and Routing Rules.

 

Uncheck "Enable disk cache".

 

Click Apply.

 

Now change Time-out (seconds) to 180-200.

 

Click Apply.

 

Uncheck “Enable SSL offloading” in Routing Rules.

 

Click Apply.

 

Now it is time to configure the URL Rewrite settings.

 

Keep only the _SSL rule for each farm.

 

Click each rule and add the condition on HTTP_HOST.

Follow the same steps for all server farms.

Now we are done with the configuration.
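Because every setting above is applied by hand in several farms, it is worth reading the result back from applicationHost.config. The following audit script is an added example, not part of the original post; it assumes ARR's default rule names (ARR_<farm>_loadbalance and ..._SSL), the default config path, and an elevated prompt.

```powershell
# Added example, not from the original post: read applicationHost.config and
# flag anything that deviates from the settings the post asks for.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$cfg = Get-Content -Path $configPath -Raw
$findings = @()

# Caching page: "Enable disk cache" must be unchecked.
$diskCache = $cfg.configuration.'system.webServer'.diskCache
if ($diskCache -and $diskCache.enabled -eq 'true') {
    $findings += 'ARR disk cache is still enabled'
}

# Proxy page: time-out should be 180-200 s (ARR's default is 30 s).
foreach ($farm in @($cfg.configuration.webFarms.webFarm)) {
    if (-not $farm) { continue }
    $name    = $farm.GetAttribute('name')
    $timeout = $farm.applicationRequestRouting.protocol.timeout
    if (-not $timeout) {
        $findings += "$name : time-out not set (default 30 s)"
    } elseif ([TimeSpan]::Parse($timeout).TotalSeconds -lt 180) {
        $findings += "$name : time-out $timeout is below 180 s"
    }
}

# URL Rewrite: only the _SSL rule stays, SSL offloading is off, HTTP_HOST is set.
foreach ($rule in @($cfg.configuration.'system.webServer'.rewrite.globalRules.rule)) {
    if (-not $rule) { continue }
    $ruleName = $rule.GetAttribute('name')
    if ($ruleName -notlike 'ARR_*_loadbalance*') { continue }
    if ($ruleName -notlike '*_SSL') {
        $findings += "$ruleName : plain-HTTP rule should be removed"
        continue
    }
    # With "Enable SSL offloading" unchecked, ARR rewrites to https://<farm>/...
    if ($rule.action.url -notlike 'https://*') {
        $findings += "$ruleName : SSL offloading still on (target $($rule.action.url))"
    }
    $hostCond = @($rule.conditions.add) | Where-Object { $_ -and $_.input -eq '{HTTP_HOST}' }
    if (-not $hostCond) {
        $findings += "$ruleName : no {HTTP_HOST} condition, so this rule matches every host name"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'ARR configuration matches the post.' }
```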


Step by Step Lync 2013 Edge Server


Lync Server consists of multiple roles, and the Edge Server role is one of them. The Lync Server 2013 Edge Server role takes care of external connectivity for Lync users: it provides connectivity for remote, PIC, mobile, federated and anonymous users. An Edge Server deployment gives external access to the different communication modalities: IM & Presence, Web Conferencing and Audio/Video Conferencing.

Edge Server deployment is not as simple as the other Lync Server roles and requires careful preparation before jumping into the installation. Let's start the preparation for deploying a standalone Edge Server role.

IP Address Planning:

I am using 192.168.x.x/16 addressing for the internal network, 172.25.x.x/16 for the perimeter network and 10.x.x.x/8 for the external network. The IP address on the internal firewall is 172.25.33.100, which acts as the gateway for communication between the perimeter network and the internal network; the IP address on the external firewall is 10.1.1.100.

The internal NIC of the Edge Server (172.25.33.10) sits behind the internal firewall and has no gateway configured, so we will have to route traffic from 172.25.33.10 to the internal network via 172.25.33.100.

Follow the steps below to add the route.

Open a command prompt with administrative rights on the Edge Server.

Run "ipconfig /all" and note down the physical address and Ethernet adapter description of the internal NIC.

 

Now run "route print" and note the Interface List ID of the internal NIC.

 

Now add the persistent route for internal traffic.
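The three steps above, done from PowerShell with the post's lab addresses (Edge internal NIC 172.25.33.10, internal firewall 172.25.33.100, internal network 192.168.0.0/16), as an added example that is not part of the original post. The interface is located by its address rather than by matching the MAC against "route print", and the FE address is a placeholder.

```powershell
# Added example, not from the original post. Addresses are the post's lab values;
# $frontEndIp is a placeholder for a host in your internal network (e.g. the FE pool).
$edgeInternalIp  = '172.25.33.10'
$internalGateway = '172.25.33.100'
$internalNet     = '192.168.0.0'
$internalMask    = '255.255.0.0'
$frontEndIp      = '192.168.1.10'   # placeholder

# Steps 1-2 of the post: find the interface index of the internal NIC by its address.
$ip = Get-NetIPAddress -IPAddress $edgeInternalIp -AddressFamily IPv4 -ErrorAction Stop
$ifIndex = $ip.InterfaceIndex
"Internal NIC: $((Get-NetAdapter -InterfaceIndex $ifIndex).Name) (ifIndex $ifIndex)"

# The post says the internal NIC must not have a default gateway; check before routing.
if (Get-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue) {
    Write-Warning 'Internal NIC has a default gateway; remove it before adding the route.'
}

# Step 3: persistent route (-p survives reboot) pinned to the internal interface.
route.exe add -p $internalNet mask $internalMask $internalGateway metric 1 if $ifIndex

# Verify it landed in the persistent store and that the internal network is reachable
# on 5061/TCP, the SIP/MTLS port the Edge internal interface uses towards the pool.
Get-NetRoute -DestinationPrefix "$internalNet/16" -PolicyStore PersistentStore |
    Format-Table DestinationPrefix, NextHop, InterfaceIndex -AutoSize
Test-NetConnection -ComputerName $frontEndIp -Port 5061
```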

 

Open Lync Server Topology Builder on the Lync Front End / Standard Edition server.

Right-click Edge Pool and select New Edge Pool.

 

Click Next.

 

Enter the Edge Server FQDN.

 

Select appropriate features as per your requirements.

 

Select the IP versions and NAT option according to your requirements.

 

Specify the external FQDNs and associated port numbers. (Note: If you selected "Use a single FQDN and IP address", you will have to use different port numbers for all three services.)

 

Specify the IP address of the Edge Server internal NIC.

 

Now specify the external IP addresses for all services.

 

Specify the public IP address that will be NATed to the A/V Edge service. (In my case the deployment is in a lab and has no public IP address, so I am using a different IP address.)

 

Define the next hop server. The next hop is your Lync pool if you don't have a Director; otherwise it is your Director pool.

 

Select the pool and click Finish.

 

Now publish your topology.

Open the Lync Server Management Shell with administrative privileges on the Lync FE server and export the configuration.

 

Log in to the Edge Server with administrative privileges, run the Microsoft Lync Server 2013 setup and follow the steps.

After installing the Lync 2013 core components, open the Lync Server 2013 Deployment Wizard.

 

Click "Install or Update Lync Server System".

 

Run "Install Local Configuration Store".

 

Browse to the Edge configuration file you exported on the Lync FE server.

 

Click Next.

Cross-verify the installation in the log file.

 

Now run "Setup or Remove Lync Server Components".

Now it's time to request and assign certificates.

 

Follow the steps to request the Edge internal certificate.

Fill in the appropriate information.

Now request the Edge external certificate.

(Note: If you want to use the same public certificate for the reverse proxy as well, add the additional SANs for the reverse proxy: lyncdiscover.domain.com, lyncwebservicesexternalname.domain.com, dialin.domain.com, meet.domain.com.)

Once you have generated the certificate requests, send them to your certification authority to issue the certificates. As we are doing this setup in our lab, we will use our internal AD CA.

Once the certificates have been issued, open mmc and add the Certificates (Local Computer) snap-in via Add/Remove Snap-in to import them.

 

Import the root CA certificate into Trusted Root Certification Authorities.

 

Import the generated certificates into the Personal store.

Follow the same steps to import the Edge public certificate as well.

 

Now it's time to assign the certificates to the Edge services.

Once certificate assignment is done, open the Lync Server Control Panel on the Lync FE server and go to Federation and External Access.

 

Change the External Access Policy as shown below.

 

Change the Access Edge Configuration as shown below.

 

Now that everything is done, it's time for the last step: add the Front End pool / FE server entry to the Edge Server hosts file.

 

Finally, your external Lync clients will be able to log in and use the Edge services for external connectivity.

But you still cannot use the services that require a reverse proxy. Therefore, configure your reverse proxy as well so that everything works seamlessly.