Thursday, June 11, 2015

Windows 2012 R2 IIS 8.5 and ARR 3.0 as reverse proxy for Skype for business or Lync

To start out I must point out that this is not actually a supported configuration, if I understand the documentation right, but it works fine!

On the Infrastructure qualified for Microsoft Lync page, ARR 2.5 is listed as a supported reverse proxy. And the documentation to configure it is found here: Using IIS ARR as a Reverse Proxy for Lync Server 2013

On the Skype for Business Certification Program page, under reverse proxies you can find that the Web Application Proxy running on Windows Server 2012 R2 is supported. And the documentation to configure is found here: Configuring the Windows Server 2012 Web Application Proxy as a Reverse Proxy for Lync Server (Well the documentation is for Lync, but you'll get the picture...)

Anyhow, let's get down to using ARR 3.0 instead.

Start with a Windows 2012 R2 server with two network cards. Set the default gateway to point out towards the Internet and also use a public DNS server. Next, use "route add" to add a persistent route into the internal server network holding the Skype for Business or Lync server(s) and the internal CA. For example:

route add 192.168.1.0 MASK 255.255.255.0 192.168.1.1 IF 12 -p

To verify, try to ping the internal Lync server(s) using the IP-address.

Hosts

Open Notepad as Administrator and edit the local hosts file, normally found under C:\Windows\system32\drivers\etc. Add the following lines to the hosts file. (Note: this is an example; your external web services URL can be named differently, check in Topology Builder.)
dialin.domain.com     -     ip of the standard server (or loadbalancer)
meet.domain.com     -     ip of the standard server (or loadbalancer)
lyncexternalweb.domain.com     -     ip of the standard server (or loadbalancer)
lyncdiscover.domain.com     -     ip of the standard server (or loadbalancer)
certificateauthority.domain.com     -     ip of the CA server
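As an added example that is not part of the original post, the PowerShell below writes the entries above in the order the hosts file actually expects (IP first, then name), confirms that each name now resolves locally, and checks that the ports the server farms will use later (8080 and 4443) are reachable through the static route. The 192.168.1.x addresses are constructed placeholders; replace them with your own standard server / load balancer and CA addresses.

```powershell
# Added example, not from the original post. Placeholder IPs: replace with your own.
$Entries = [ordered]@{
    'dialin.domain.com'               = '192.168.1.10'   # standard server or load balancer
    'meet.domain.com'                 = '192.168.1.10'
    'lyncexternalweb.domain.com'      = '192.168.1.10'
    'lyncdiscover.domain.com'         = '192.168.1.10'
    'certificateauthority.domain.com' = '192.168.1.20'   # internal CA
}
$HostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'

# 1. Append any entry that is not already present. Hosts file lines are "<ip> <name>",
#    the reverse of the order used in the post's table. Commented lines are ignored.
$existing = Get-Content -Path $HostsPath -ErrorAction SilentlyContinue
foreach ($name in $Entries.Keys) {
    $pattern = '^\s*[^#\s]\S*\s+' + [regex]::Escape($name) + '(\s|$)'
    if (-not ($existing | Where-Object { $_ -match $pattern })) {
        Add-Content -Path $HostsPath -Value ("{0}`t{1}" -f $Entries[$name], $name)
        Write-Host "Added $name -> $($Entries[$name])"
    }
}

# 2. Verify each name resolves to the intended address. The .NET resolver honours the
#    hosts file; Resolve-DnsName queries DNS directly and would bypass it, so it is not used.
foreach ($name in $Entries.Keys) {
    $resolved = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
    $state = if ($resolved -contains $Entries[$name]) { 'OK  ' } else { 'FAIL' }
    Write-Host ("{0} {1,-34} -> {2}" -f $state, $name, ($resolved -join ', '))
}

# 3. Check the farm ports (8080 and 4443, as in the post) against the Lync/Skype server.
#    A failure here points at the static route or the internal firewall, not at ARR.
foreach ($port in 8080, 4443) {
    $r = Test-NetConnection -ComputerName $Entries['lyncexternalweb.domain.com'] -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'blocked' }
    Write-Host ("TCP {0} to {1}: {2}" -f $port, $r.ComputerName, $state)
}
```

Run it from an elevated PowerShell window, since writing the hosts file requires Administrator rights.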

Also, the Internal and External DNS should be configured like:

Internal DNS

dialin.domain.com     -     ip of the standard server (or loadbalancer)
meet.domain.com     -     ip of the standard server (or loadbalancer)
lyncexternalweb.domain.com     -     ip of the reverse proxy
lyncdiscover.domain.com     -     ip of the reverse proxy

External DNS

dialin.domain.com     -     ip of the reverse proxy
meet.domain.com     -     ip of the reverse proxy
lyncexternalweb.domain.com     -     ip of the reverse proxy
lyncdiscover.domain.com     -     ip of the reverse proxy

Server preparation

The reverse proxy server must not be domain joined; therefore you need to have the internal Certificate Authority root certificate installed in the certificate store under Local Computer \ Trusted Root Certification Authorities. (This is not applicable if your internal Skype for Business / Lync server is using a public certificate.) Use the CA's /certsrv web page if it is available from the internal CA.

Start PowerShell as Administrator and run the following commands to install IIS, which is a prerequisite for Application Request Routing.

Import-Module ServerManager
Add-WindowsFeature Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Net-Ext,Web-Http-Logging,Web-Request-Monitor,Web-Http-Tracing,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Console,NET-Framework-Core,NET-Non-HTTP-Activ,NET-HTTP-Activation


Internet Information Server Configuration

Start the Internet Information Server (IIS) Manager tool and click the IIS server node; you will be prompted to get the latest Microsoft Web Platform components.

Answer yes and you will arrive at a webpage where you can download and install the Microsoft Web Platform Installer 5.0. After the Web Platform is installed, search for "arr" and add Application Request Routing 3.0 (not 2.5 or 2.5 with KB.)


Click Install, Finish, and restart the Internet Information Server (IIS) Manager tool. Now there should be a "Server Farms" node in the IIS management tool, and this is where one server farm per external URL needs to be created.

Create a server farm called dialin.domain.com that points to the server address dialin.domain.com (that we have pointed to the standard server or loadbalancer in the host file); set the httpPort to 8080 and the httpsPort to 4443. Also make sure the internal firewall is letting traffic through these ports.


If you need to verify that you really did set these values, you cannot do it from the IIS interface. However, you can check out my previous IIS ARR blog post "Using IIS ARR as a Reverse Proxy for Lync Server 2013" for information on how to verify this.

Next, configure the Caching, Routing and Proxy Rules of the server farm.


Disable the disk cache, raise the Proxy time-out (I like 600 seconds), and disable SSL offloading under Routing Rules.

The Proxy time-out is a value you need to configure according to your environment. This is especially important for the lyncexternalweb.domain.com URL, where the value should be more than 180 or even as much as 600. Raise the value until your mobile client stops displaying the message "Your server configuration has changed. Please restart Lync." all the time.

Amazing - a blog with both Microsoft server config and iOS screen shots...

Now you will find two URL Rewrite rules per server farm under root\IIS\URL Rewrite. Keep all the rules ending with _SSL and delete the rules that do not. In all the rules ending with _SSL, add a {HTTP_HOST} condition matching the name of the server farm, e.g. lyncexternalweb.*; without it, every _SSL rule matches every host name and the first rule in the list catches traffic meant for the other farms.
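Since the IIS interface does not show the farm values and the rewrite conditions are easy to miss, the added example below (not part of the original post, and not IIS or ARR code) reads applicationHost.config and reports each server farm's ports, proxy time-out and disk cache setting, and each ARR global rewrite rule's {HTTP_HOST} condition, against the values the post asks for. The element and attribute names (webFarms/webFarm/server/applicationRequestRouting, protocol timeout, cache enabled, rewrite/globalRules/rule) are assumed from ARR's configuration schema; the default time-out of 30 s is likewise an assumption. When the config file is not present (running off-box), a constructed sample is used instead.

```powershell
# Added example, not from the original post or from ARR. Schema names are assumptions.
param(
    [string]$AppHostConfig = (Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'),
    [int]$ExpectedHttpPort  = 8080,
    [int]$ExpectedHttpsPort = 4443,
    [int]$MinTimeoutSeconds = 180
)

function Test-ArrFarm([xml]$AppHost) {
    foreach ($farm in $AppHost.configuration.webFarms.webFarm) {
        $proto = $farm.applicationRequestRouting.protocol
        # Assumed ARR default of 30 s when no timeout attribute is set
        $timeout = if ($proto.timeout) { [TimeSpan]::Parse($proto.timeout).TotalSeconds } else { 30 }
        foreach ($srv in $farm.server) {
            $ports = $srv.applicationRequestRouting
            $findings = @(
                if ([int]$ports.httpPort  -ne $ExpectedHttpPort)  { "httpPort=$($ports.httpPort), expected $ExpectedHttpPort" }
                if ([int]$ports.httpsPort -ne $ExpectedHttpsPort) { "httpsPort=$($ports.httpsPort), expected $ExpectedHttpsPort" }
                if ($timeout -lt $MinTimeoutSeconds)              { "time-out ${timeout}s is below ${MinTimeoutSeconds}s" }
                if ($proto.cache.enabled -ne 'false')             { 'disk cache not disabled' }
            )
            $summary = if ($findings) { $findings -join '; ' } else { 'OK' }
            [pscustomobject]@{ Farm = $farm.GetAttribute('name'); Server = $srv.address; TimeoutSec = $timeout; Findings = $summary }
        }
    }
}

function Test-ArrRewriteRule([xml]$AppHost) {
    foreach ($rule in $AppHost.configuration.'system.webServer'.rewrite.globalRules.rule) {
        $name     = $rule.GetAttribute('name')
        $hostCond = @($rule.conditions.add | Where-Object { $_.input -eq '{HTTP_HOST}' })
        $finding  = if ($name -notlike '*_SSL') { 'plain HTTP rule still present; the post says to delete it' }
                    elseif (-not $hostCond)     { 'no {HTTP_HOST} condition: rule would catch every farm''s traffic' }
                    else                        { "OK, host pattern '$($hostCond[0].pattern)'" }
        [pscustomobject]@{ Rule = $name; Finding = $finding }
    }
}

if (Test-Path $AppHostConfig) {
    [xml]$appHost = Get-Content -Path $AppHostConfig -Raw
} else {
    # Constructed sample (not a real config): one farm set up as the post describes, one left at defaults.
    [xml]$appHost = @'
<configuration>
 <webFarms>
  <webFarm name="lyncexternalweb.domain.com" enabled="true">
   <server address="lyncexternalweb.domain.com" enabled="true"><applicationRequestRouting httpPort="8080" httpsPort="4443" /></server>
   <applicationRequestRouting><protocol timeout="00:10:00"><cache enabled="false" /></protocol></applicationRequestRouting>
  </webFarm>
  <webFarm name="dialin.domain.com" enabled="true">
   <server address="dialin.domain.com" enabled="true"><applicationRequestRouting httpPort="80" httpsPort="443" /></server>
  </webFarm>
 </webFarms>
 <system.webServer><rewrite><globalRules>
  <rule name="ARR_lyncexternalweb.domain.com_loadbalance_SSL" patternSyntax="Wildcard" stopProcessing="true">
   <match url="*" />
   <conditions><add input="{HTTPS}" pattern="on" /><add input="{HTTP_HOST}" pattern="lyncexternalweb.*" /></conditions>
   <action type="Rewrite" url="https://lyncexternalweb.domain.com/{R:0}" />
  </rule>
  <rule name="ARR_dialin.domain.com_loadbalance_SSL" patternSyntax="Wildcard" stopProcessing="true">
   <match url="*" /><conditions><add input="{HTTPS}" pattern="on" /></conditions>
   <action type="Rewrite" url="https://dialin.domain.com/{R:0}" />
  </rule>
  <rule name="ARR_dialin.domain.com_loadbalance" patternSyntax="Wildcard" stopProcessing="true">
   <match url="*" /><action type="Rewrite" url="http://dialin.domain.com/{R:0}" />
  </rule>
 </globalRules></rewrite></system.webServer>
</configuration>
'@
}

Test-ArrFarm $appHost        | Format-Table -AutoSize
Test-ArrRewriteRule $appHost | Format-Table -AutoSize
```

On the sample, the lyncexternalweb farm and its _SSL rule come back OK, while the dialin farm is flagged for the default ports, the 30 s time-out and the enabled cache, its _SSL rule for the missing {HTTP_HOST} condition, and its plain HTTP rule for still being present. Run it on the reverse proxy after each change to the farms to confirm the values actually landed in the configuration.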


Testing

1. Test the meet URL from Internet explorer on the reverse proxy server. https://meet.domain.com:4443/
Here you should receive the meeting join page and you should not get a certificate error.

2. Test the meet URL from an external computer on the Internet.
https://meet.domain.com
Here you should receive the meeting join page and you should not get a certificate error.

3. Test the dialin URL from an external computer on the Internet.
https://dialin.domain.com
Here you should receive the dialin conferencing settings page and you should not get a certificate error.

4. Download and install the Microsoft Lync Connectivity Analyzer.
This tool helps Lync administrators find out if the deployment and configuration of their Lync Server environment meets the requirements to support connections from Lync mobile apps. If this works both the lyncdiscover and lyncexternalweb URLs are fine.

5. Log in with your mobile device and - happy Lyncing / Skyping!
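The browser tests above can be repeated from a script. The added example below (not part of the original post) requests each test URL with certificate validation left on, so a missing root CA or a name mismatch fails here exactly as it would in the browser, and it names the likely cause for the common failure classes. Host names are the post's placeholders; the expected content for lyncdiscover (a JSON autodiscover response) is an assumption about what that URL normally returns. Note which checks the post says to run on the reverse proxy and which from the Internet.

```powershell
# Added example, not from the original post. Placeholder host names: replace with your own.
$Checks = @(
    @{ Url = 'https://meet.domain.com:4443/';    Where = 'on the reverse proxy'; Expect = 'meeting join page' }
    @{ Url = 'https://meet.domain.com/';         Where = 'from the Internet';    Expect = 'meeting join page' }
    @{ Url = 'https://dialin.domain.com/';       Where = 'from the Internet';    Expect = 'dial-in settings page' }
    @{ Url = 'https://lyncdiscover.domain.com/'; Where = 'from the Internet';    Expect = 'JSON autodiscover response (assumed)' }
)

function Test-LyncUrl([string]$Url) {
    try {
        # Certificate validation is deliberately left on: a certificate error is a finding, not noise.
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 20 -MaximumRedirection 5
        [pscustomobject]@{ Url = $Url; Result = 'OK'; Detail = "HTTP $([int]$r.StatusCode) $($r.Headers['Content-Type'])" }
    } catch [System.Net.WebException] {
        $e = $_.Exception
        $why = switch ($e.Status) {
            'TrustFailure'          { 'certificate not trusted or name mismatch: check the root CA in Trusted Root Certification Authorities' }
            'ProtocolError'         { "HTTP $([int]$e.Response.StatusCode) $($e.Response.StatusDescription) returned by the proxy or the Lync server" }
            'NameResolutionFailure' { 'name does not resolve: check hosts file / DNS' }
            'ConnectFailure'        { 'TCP connect failed: route, firewall or IIS binding' }
            default                 { "$($e.Status): $($e.Message)" }
        }
        [pscustomobject]@{ Url = $Url; Result = 'FAIL'; Detail = $why }
    } catch {
        [pscustomobject]@{ Url = $Url; Result = 'FAIL'; Detail = $_.Exception.Message }
    }
}

foreach ($c in $Checks) {
    $t = Test-LyncUrl $c.Url
    Write-Host ("[{0,-4}] {1,-36} ({2}; expect {3}) {4}" -f $t.Result, $c.Url, $c.Where, $c.Expect, $t.Detail)
}
```

A 403 on the dial-in URL, for example, shows up as "HTTP 403 Forbidden" under ProtocolError, which tells you the request reached a web server and was refused rather than being dropped on the way.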

7 comments:

  1. Excellent write-up, and very helpful for getting Skype for Business up and running on IIS ARR 3.0! Only thing I would add, is that before you configure Caching, Timeout, and SSL Offloading, you are prompted to automatically create the URL Rewrite rules. If you are not paying attention and click "Cancel", the URL Rewrite rules that you mention afterward will not be present. I only mention for the sake of thoroughness, but it really should be common sense at that point, if the tech is paying attention.

    Thanks again!

  2. does it work for WS 2012 R2 + IIS + ARR 3.0 with exchange and skype4business in the same server?

  3. Hello Thiago, Unfortunately not on the same server, the reverse proxy must be separate from the Skype 4B Standard or Enterprise Edition server.

  4. Followed this article and I receive 403 error when trying to hit the dialin page from the RP server. Any suggestions?

  5. Great write up. Only issue I have is I get a 403 forbidden error when going to the dialin page from the RP server. When I try lyncdiscover I do get the json config file so it appears ports are passing through.

  6. Hi Kressmark,
    I have configured ARR as my lync 2013. But browsing to meet.domain.com and Dialin.domain.com during a meeting externally resolves back to the FE server which has a .local suffix and it is not routable. You then get a DNS error cannot resolve fe.domain.local

    Replies
    1. Did you try to put fe.domain.local in the hosts file on the Reverse Proxy?
