Configuring the Reverse Proxy for Mobility


Topic Last Modified: 2012-05-11

If you want to use automatic discovery for mobile device clients, you need to create a new web publishing rule for the reverse proxy whether or not you update the subject alternative name lists on the reverse proxy certificates.

If you decide to use HTTPS for initial Microsoft Lync Server 2010 Autodiscover Service requests, you will request and assign an updated public certificate with the new subject alternative name for lyncdiscover.<domain name> to the Secure Sockets Layer (SSL) Listener on your reverse proxy. For details about the required subject alternative name entries, see Technical Requirements for Mobility. Then you need to create a new web publishing rule for the external Autodiscover Service URL. If you do not already have a web publishing rule for the external Lync Server Web Services URL for your Front End pool, you also create a publishing rule for that URL.

If you decide to use HTTP for the initial Autodiscover Service requests, you will create a new web publishing rule for port 80. By using HTTP to make the initial connection and request, you do not need to update subject alternative names on the certificate for the reverse proxy listener.

The procedures in this section describe how to create the new web publishing rules in Microsoft Forefront Threat Management Gateway 2010 for automatic discovery.

Important

If you have a Director or a Director pool deployed, you must also configure a listener for the Director. Some traffic will go to the Director before being directed to the Front End Server or Front End pool. In the following scenario, assume that Front End Server is synonymous with a Standard Edition server if you have a Standard Edition server instead of a Front End Server or Front End pool.

Note

These procedures assume that you have installed the Standard Edition of Forefront Threat Management Gateway (TMG) 2010.

To create a web publishing rule for the external Autodiscover URL

  1. Click Start, point to Programs, point to Microsoft Forefront TMG, and then click Forefront TMG Management.

  2. In the left pane, expand ServerName, right-click Firewall Policy, point to New, and then click Web Site Publishing Rule.

  3. On the Welcome to the New Web Publishing Rule page, type a display name for the new publishing rule (for example, LyncDiscoveryURL).

  4. On the Select Rule Action page, select Allow.

  5. On the Publishing Type page, select Publish a single Web site or load balancer.

  6. On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm.

  7. On the Internal Publishing Details page, in Internal Site name, type the fully qualified domain name (FQDN) of your Director pool external web services (for example, dir-pool.contoso.net). If you are creating a rule for the external web services URL on the Front End pool, type the FQDN of the Front End pool external web services (for example, web-pool.contoso.com).

  8. On the Internal Publishing Details page, in Path (optional), type /* as the path of the folder to be published, and then select Forward the original host header.

  9. On the Public Name Details page, do the following:

    • Under Accept Requests for, select This domain name.

    • In Public Name, type lyncdiscover.<sipdomain> (the external Autodiscover Service URL). If you are creating a rule for the external web services URL on the Front End pool, type the FQDN for the external Web Services on your Front End pool (for example, web-pool.contoso.com).

    • In Path, type /*.

  10. On the Select Web Listener page, in Web Listener, select your existing SSL Listener with the updated public certificate.

  11. On the Authentication Delegation page, select No delegation, but client may authenticate directly.

  12. On the User Set page, select All Users.

  13. On the Completing the New Web Publishing Rule Wizard page, verify that the web publishing rule settings are correct, and then click Finish.

  14. In the Forefront TMG list of web publishing rules, double-click the new rule you just added to open Properties.

  15. On the To tab, do the following:

    • Select Forward the original host header instead of the actual one.

    • Select Requests appear to come from the Forefront TMG computer.

  16. On the Bridging tab, configure the following:

    • Select Web server.

    • Select Redirect requests to SSL port, and type 4443 for the port number.

  17. Click OK.

  18. Click Apply in the details pane to save the changes and update the configuration.

  19. Click Test Rule to verify that your new rule is set up correctly.

To create a web publishing rule for port 80

  1. Click Start, point to Programs, point to Microsoft Forefront TMG, and then click Forefront TMG Management.

  2. In the left pane, expand ServerName, right-click Firewall Policy, point to New, and then click Web Site Publishing Rule.

  3. On the Welcome to the New Web Publishing Rule page, type a display name for the new publishing rule (for example, Lync Autodiscover (HTTP)).

  4. On the Select Rule Action page, select Allow.

  5. On the Publishing Type page, select Publish a single Web site or load balancer.

  6. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server or server farm.

  7. On the Internal Publishing Details page, in Internal Site name, type the external web services FQDN for your Front End pool (for example, web-pool.contoso.com).

  8. On the Internal Publishing Details page, in Path (optional), type /* as the path of the folder to be published, and then select Forward the original host header instead of the one specified in the Internal site name field.

  9. On the Public Name Details page, do the following:

    • Under Accept Requests for, select This domain name.

    • In Public Name, type lyncdiscover.<sipdomain> (the external Autodiscover Service URL).

    • In Path, type /*.

  10. On the Select Web Listener page, in Web Listener, select a Web Listener or use the New Web Listener Definition Wizard to create a new one.

  11. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly.

  12. On the User Set page, select All Users.

  13. On the Completing the New Web Publishing Rule Wizard page, verify that the web publishing rule settings are correct, and then click Finish.

  14. In the Forefront TMG list of web publishing rules, double-click the new rule you just added to open Properties.

  15. On the Bridging tab, configure the following:

    • Select Web server.

    • Select Redirect requests to HTTP port, and type 8080 for the port number.

    • Verify that Redirect requests to SSL port is not selected.

  16. Click OK.

  17. Click Apply in the details pane to save the changes and update the configuration.

  18. Click Test Rule to verify that your new rule is set up correctly.

  19. Verify that the external Autodiscover Service URL is not defined on any other web publishing rule.
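The following script is an added pre-flight check for both procedures above; it is not part of this article or of Forefront TMG. It verifies that the listener certificate carries the lyncdiscover.<sipdomain> and Front End external web services names the HTTPS rule depends on, and implements the step 19 check that a public name appears on only one rule per listener (the two rules in this article share a public name but use different listeners). The SIP domains contoso.com and fabrikam.com, the FQDN web-pool.contoso.com, the sample certificate and the rule table are all constructed for the example.

```python
import ssl
import socket
from collections import Counter


def required_listener_names(sip_domains, external_web_fqdn):
    """Names the SSL listener certificate must carry as subject alternative
    names: lyncdiscover.<sipdomain> for every SIP domain, plus the external
    web services FQDN of the Front End pool."""
    names = {"lyncdiscover." + d.lower() for d in sip_domains}
    names.add(external_web_fqdn.lower())
    return names


def missing_sans(peercert, required_names):
    """Return the required names absent from a certificate given in the dict
    form that ssl.SSLSocket.getpeercert() returns. Only DNS entries count; a
    wildcard entry such as *.contoso.com covers one label to its left."""
    sans = {v.lower() for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"}
    missing = set()
    for name in required_names:
        parent = name.split(".", 1)[1] if "." in name else ""
        if name not in sans and "*." + parent not in sans:
            missing.add(name)
    return sorted(missing)


def fetch_peercert(host, port=443, timeout=5):
    """Fetch the certificate the reverse proxy listener presents for host
    (live check; feed the result to missing_sans)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def duplicate_public_names(rules):
    """Step 19 check: a (listener, public name) pair may appear on only one
    web publishing rule. rules is a list of (rule_name, listener, public_name)."""
    counts = Counter((listener, public.lower()) for _, listener, public in rules)
    return sorted(key for key, n in counts.items() if n > 1)


# Constructed sample data standing in for a real listener certificate and rule list.
SAMPLE_CERT = {"subjectAltName": (("DNS", "web-pool.contoso.com"), ("DNS", "lyncdiscover.contoso.com"))}
SAMPLE_RULES = [
    ("LyncDiscoveryURL", "SSL listener", "lyncdiscover.contoso.com"),
    ("Lync Autodiscover (HTTP)", "Port 80 listener", "lyncdiscover.contoso.com"),
    ("Old mobility rule", "Port 80 listener", "LyncDiscover.contoso.com"),
]

if __name__ == "__main__":
    required = required_listener_names(["contoso.com", "fabrikam.com"], "web-pool.contoso.com")
    print("missing SANs:", missing_sans(SAMPLE_CERT, required))
    print("duplicate public names:", duplicate_public_names(SAMPLE_RULES))
```

Against a live deployment, replace SAMPLE_CERT with fetch_peercert("lyncdiscover.<sipdomain>") and the rule table with the names, listeners and public names read from the Forefront TMG rule list.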