Set Up Reverse Proxy Servers
Topic Last Modified: 2012-07-22
For Microsoft Lync Server 2010 Edge Server deployments, an HTTPS reverse proxy in the perimeter network is required for external clients to access the Lync Server 2010 Web Services (called Web Components in Office Communications Server) on the Director and the user’s home pool. Some of the features that require external access through a reverse proxy include the following:
- Enabling external users to download meeting content for your meetings.
- Enabling external users to expand distribution groups.
- Enabling remote users to download files from the Address Book service.
- Accessing the Microsoft Lync Web App client.
- Accessing the Dial-in Conferencing Settings webpage.
- Accessing the Location Information service.
- Enabling external devices to connect to Device Update web service and obtain updates.
- Enabling mobile applications to automatically discover mobility URLs from the Internet.
We recommend that you configure your HTTP reverse proxy to publish all Web Services in all pools. Publishing https://ExternalFQDN/* publishes all IIS virtual directories for a pool. You need one publishing rule for each Standard Edition server, Front End pool, or Director or Director pool in your organization.
In addition, you need to publish the simple URLs. If the organization has a Director or Director pool, the HTTP reverse proxy listens for HTTP/HTTPS requests to the simple URLs and proxies them to the external Web Services virtual directory on the Director or Director pool. If you have not deployed a Director, you need to designate one pool to handle requests to the simple URLs. (If this is not the user’s home pool, it will redirect them onward to the Web Services on the user’s home pool.) The simple URLs can be handled by a dedicated web publishing rule, or you can add them to the public names of the web publishing rule for the Director.
If you are deploying mobile applications and plan to use automatic discovery, you also need to publish the external Autodiscover Service URL.
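The publishing requirements above can be checked against an exported rule list. The following is an added example, not part of the original topic or of any Microsoft tooling: the rule format (`public_names`, `path`, `target`), the function name, and all host and pool names are assumptions constructed for illustration.

```python
def _names(rule):
    """Lower-cased public names of a rule (host names are case-insensitive)."""
    return {n.lower() for n in rule["public_names"]}

def audit_publishing(rules, pools, simple_urls, director=None,
                     designated_pool=None, autodiscover=None):
    """Return a list of gaps between the exported rules and the guidance.

    rules: dicts with public_names, path, target (hypothetical export format).
    pools: internal server/pool name -> external Web Services FQDN.
    """
    findings = []
    # One rule per Standard Edition server, Front End pool, Director or
    # Director pool, publishing /* so every IIS virtual directory is covered.
    for target, fqdn in pools.items():
        if not any(r["target"] == target and r["path"] == "/*"
                   and fqdn.lower() in _names(r) for r in rules):
            findings.append(f"missing /* rule: {fqdn} -> {target}")
    # Simple URLs go to the Director if there is one, else to a designated pool.
    handler = director or designated_pool
    if handler is None:
        findings.append("no Director and no pool designated for simple URLs")
    for host in simple_urls:
        targets = {r["target"] for r in rules if host.lower() in _names(r)}
        if not targets:
            findings.append(f"simple URL not published: {host}")
        elif handler and targets != {handler}:
            findings.append(
                f"simple URL {host} goes to {sorted(targets)}, expected {handler}")
    # Mobility with automatic discovery: the Autodiscover URL must be published.
    if autodiscover and not any(autodiscover.lower() in _names(r) for r in rules):
        findings.append(f"Autodiscover URL not published: {autodiscover}")
    return findings

# Constructed sample: one Front End pool plus a Director; all names are made up.
SAMPLE_POOLS = {"pool01": "webext.example.test", "dir01": "webdir.example.test"}
SAMPLE_RULES = [
    {"public_names": ["webext.example.test"], "path": "/*", "target": "pool01"},
    # Simple URL added to the Director rule's public names, as the text allows.
    {"public_names": ["WebDir.example.test", "meet.example.test"],
     "path": "/*", "target": "dir01"},
    # Misrouted: dial-in simple URL sent to the Front End pool, not the Director.
    {"public_names": ["dialin.example.test"], "path": "/*", "target": "pool01"},
]

if __name__ == "__main__":
    for line in audit_publishing(SAMPLE_RULES, SAMPLE_POOLS,
                                 ["meet.example.test", "dialin.example.test"],
                                 director="dir01",
                                 autodiscover="discover.example.test"):
        print(line)
```
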
You can use Microsoft Forefront Threat Management Gateway 2010 or Microsoft Internet Security and Acceleration (ISA) Server 2006 SP1 as a reverse proxy. The detailed steps in this section describe how to configure Forefront Threat Management Gateway (TMG) 2010, and the steps for configuring ISA Server 2006 are almost identical. If you are using a different reverse proxy, consult the documentation for that product.
If two or more reverse proxies are configured in a farm, configure source address persistence for the published resources for Lync Server. Mobility services use cookie persistence. Configure cookie persistence at the load balancer serving the Director pools or Front End pool; it does not need to be configured at the load balancer you might use for a farm of reverse proxies.
To set up a TMG 2010 reverse proxy, complete the following procedures in this section:
- Configure Web Farm FQDNs
- Configure Network Adapters
- Request and Configure a Certificate for Your Reverse HTTP Proxy
- Configure Web Publishing Rules for a Single Internal Pool
- Verify or Configure Authentication and Certification on IIS Virtual Directories
- Create DNS Records for Reverse Proxy Servers
- Verify Access through Your Reverse Proxy
Before you continue with the reverse proxy configuration, set up the computer and reverse proxy software that you will use, or configure the device or appliance that will perform the reverse proxy function. You can use a reverse proxy that is already deployed in your infrastructure.