Using a Reverse Proxy to Enable Remote User Access

Topic Last Modified: 2009-01-25

External users (that is, users outside the organization firewall) log on to Communicator Web Access (2007 R2 release) by pointing their Web browser toward a virtual server created especially for them. External users could connect directly to the Communicator Web Access server, but this is discouraged for security reasons. Instead, it is highly recommended that external users first go through a reverse proxy server.

A reverse proxy server is a computer running proxy server software such as Microsoft Internet Security and Acceleration (ISA) Server. The reverse proxy server is located within the perimeter network (also known as the DMZ or demilitarized zone), a network that exists between the internal corporate network and the Internet. When an external user tries to connect to a Communicator Web Access virtual server the Domain Name System (DNS) service automatically routes the request to the reverse proxy server. The reverse proxy server then forwards the request for service to the Communicator Web Access server. For end users, the process is completely transparent. As far as they know, the reverse proxy server is the Communicator Web Access server.

Having a single point of access makes it easy for administrators to determine who can and cannot connect to your servers, and to control the content that users are allowed to access. By “hiding” server names behind the reverse proxy, you can also swap hardware or make host name changes without affecting your clients. Users will continue to use the same URL regardless of which computers might be stationed behind the proxy server.
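The following minimal reverse proxy is an added illustration of the flow described above (external name resolves to the proxy, proxy forwards to the internal server, internal names stay hidden); it is not code from this documentation or from ISA Server. The host names (cwa.example.com, cwa-internal.corp.example), the published path prefix /cwa/, and the port are assumed values chosen for the example. It shows the two controls the text mentions: only published hosts and paths are forwarded, and response headers that would reveal the internal server (the Server header, and redirects that carry the internal host name) are scrubbed or rewritten so the client keeps using the public URL.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib.request
import urllib.error

# Hypothetical names (not from the page): the external DNS name that users type,
# and the internal Communicator Web Access virtual server it is forwarded to.
PUBLIC_HOST = "cwa.example.com"
INTERNAL_ORIGIN = "https://cwa-internal.corp.example"
# Only the published paths are reachable through the proxy; everything else is
# refused here, so the internal server never sees it.
PUBLISHED_PREFIXES = ("/cwa/",)
# Hop-by-hop headers and headers that would reveal the internal server.
STRIPPED_RESPONSE_HEADERS = {"server", "connection", "keep-alive", "transfer-encoding"}


def resolve_target(host_header, path):
    """Map an external request (Host header + path) to the internal URL.

    Returns None when the host is not one we publish or the path is not
    published; the handler turns that into a 404 without contacting the backend.
    """
    host = (host_header or "").split(":", 1)[0].strip().lower()
    if host != PUBLIC_HOST:
        return None
    if not path.startswith(PUBLISHED_PREFIXES):
        return None
    return INTERNAL_ORIGIN + path


def rewrite_location(location, public_origin):
    """Rewrite a redirect that points at the internal server so the client keeps
    using the public name; otherwise the internal host name leaks to the client,
    which would then try to reach a server it cannot see."""
    if location.startswith(INTERNAL_ORIGIN):
        return public_origin + location[len(INTERNAL_ORIGIN):]
    return location


def filter_response_headers(headers, public_origin):
    """Return the (name, value) pairs to relay, with leaky and hop-by-hop ones removed."""
    relayed = []
    for name, value in headers:
        lname = name.lower()
        if lname in STRIPPED_RESPONSE_HEADERS:
            continue
        if lname == "location":
            value = rewrite_location(value, public_origin)
        relayed.append((name, value))
    return relayed


class ReverseProxyHandler(BaseHTTPRequestHandler):
    """Forwards published requests to the internal server and relays the reply.
    A real deployment terminates TLS on the proxy; this listener is plain HTTP
    purely for illustration."""

    def do_GET(self):
        self.forward()

    def do_POST(self):
        self.forward()

    def forward(self):
        target = resolve_target(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(404, "Not published")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = urllib.request.Request(target, data=body, method=self.command)
        for name, value in self.headers.items():
            if name.lower() in ("host", "connection", "content-length"):
                continue
            req.add_header(name, value)
        req.add_header("X-Forwarded-For", self.client_address[0])
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                status, hdrs, payload = resp.status, resp.getheaders(), resp.read()
        except urllib.error.HTTPError as e:
            status, hdrs, payload = e.code, list(e.headers.items()), e.read()
        except urllib.error.URLError:
            self.send_error(502, "Backend unreachable")
            return
        public_origin = "https://" + PUBLIC_HOST
        self.send_response(status)
        for name, value in filter_response_headers(hdrs, public_origin):
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Listens on an assumed port; run it from a host in the perimeter network.
    HTTPServer(("0.0.0.0", 8080), ReverseProxyHandler).serve_forever()
```

The routing and header decisions live in small pure functions (resolve_target, rewrite_location, filter_response_headers) so they can be checked without a running backend; the handler only wires them to the socket.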

Communicator Web Access is compatible with most of the reverse proxy servers on the market. That means you can use almost any reverse proxy software, with one exception. If you use single sign-on authentication, then you must use Microsoft Internet Security and Acceleration (ISA) Server 2006 with single sign-on (SSO) enabled on the Web listener.

Regardless of which reverse proxy server you choose to use, it is recommended that the server be a workgroup member and not a member server of the internal, trusted domain. This provides an additional level of security. If the reverse proxy server should be compromised, the attackers will have access only to that server and not to the internal network.

For performance reasons, it is recommended that no other software be installed on the reverse proxy. However, the same computer that acts as a reverse proxy server for Communicator Web Access can also be used as a reverse proxy server for other applications (for example, Outlook Web Access).

Because different reverse proxy servers are configured in different ways, this document will not discuss the detailed steps for setting up a reverse proxy server. For details, see the documentation for your reverse proxy server.