On the Infrastructure qualified for Microsoft Lync page, ARR 2.5 is listed as a supported reverse proxy. And the documentation to configure it is found here: Using IIS ARR as a Reverse Proxy for Lync Server 2013
On the Skype for Business Certification Program page, under reverse proxies you can find that the Web Application Proxy running on Windows Server 2012 R2 is supported. And the documentation to configure is found here: Configuring the Windows Server 2012 Web Application Proxy as a Reverse Proxy for Lync Server (Well the documentation is for Lync, but you'll get the picture...)
Anyhow, let's get down to using ARR 3.0 instead.
Start with a Windows 2012 R2 server with two network cards. Set the default gateway to point out towards the Internet and also use a public DNS server. Next, use "route add" to find your way in to the internal server network holding the Skype for Business or Lync server(s), and also the internal CA. For example:
route add 192.168.1.0 MASK 255.255.255.0 192.168.1.1 IF 12 -p
To verify, try to ping the internal Lync server(s) using the IP-address.
Hosts
Open Notepad as Administrator and edit the local hosts file, normally found under C:\Windows\system32\drivers\etc. Add the following lines to the hosts file. (Note: this is an example; your external web services URL can be named differently, check in the Topology Builder.)
dialin.domain.com - ip of the standard server (or loadbalancer)
meet.domain.com - ip of the standard server (or loadbalancer)
lyncexternalweb.domain.com - ip of the standard server (or loadbalancer)
lyncdiscover.domain.com - ip of the standard server (or loadbalancer)
certificateauthority.domain.com - ip of the CA server
Also, the Internal and External DNS should be configured like:
Internal DNS
dialin.domain.com - ip of the standard server (or loadbalancer)
meet.domain.com - ip of the standard server (or loadbalancer)
lyncexternalweb.domain.com - ip of the reverse proxy
lyncdiscover.domain.com - ip of the reverse proxy
External DNS
dialin.domain.com - ip of the reverse proxy
meet.domain.com - ip of the reverse proxy
lyncexternalweb.domain.com - ip of the reverse proxy
lyncdiscover.domain.com - ip of the reverse proxy
Server preparation
The reverse proxy server must not be "domain joined"; therefore you need to have the internal Certificate Authority Root Certificate installed in the certificate store under Local Computer \ Trusted Root Certification Authorities. (This is not applicable if your internal Skype for Business / Lync server is using a Public Certificate.) Use the CA/certsrv webpage if available from the internal CA.
Start PowerShell as Administrator and run the following commands to install IIS, which is a prerequisite for Application Request Routing.
Import-Module ServerManager
Add-WindowsFeature Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Net-Ext,Web-Http-Logging,Web-Request-Monitor,Web-Http-Tracing,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Console,NET-Framework-Core,NET-Non-HTTP-Activ,NET-HTTP-Activation
Internet Information Server Configuration
Start the Internet Information Server (IIS) Manager tool, click the IIS server in the tool, and now you get the following question.
Answer yes and you will arrive at a webpage where you can download and install the Microsoft Web Platform Installer 5.0. After the Web Platform is installed, search for "arr" and add Application Request Routing 3.0 (not 2.5 or 2.5 with KB.)
Click Install, Finish, and restart the Internet Information Server (IIS) Manager tool. Now there should be a "Server farms" hive in the IIS management tool, and this is where one Server farm per external URL needs to be created.
If you need to verify that you really did set these values, you cannot do it from the IIS interface. However, you can check out my previous IIS ARR blog post "Using IIS ARR as a Reverse Proxy for Lync Server 2013" for information on how to verify this.
Next, configure the Caching, Routing and Proxy Rules of the server farm.
Disable the disk cache, change the Proxy time-out to more seconds (I like 600), and disable the SSL offloading under Routing Rules.
The Proxy time-out is a value you need to configure according to your environment. This is especially important for the lyncexternalweb.domain.com URL, the value should be more than 180 or even as much as 600. Just try to raise the value to where your mobile client does not display the message "Your server configuration has changed. Please restart Lync." all the time.
Amazing - a blog with both Microsoft server config and iOS screen shots...
Now you will find two URL rewrite rules per server farm under root\IIS\URL rewrite. Keep all the rules ending with _SSL and delete the rules that do not. In all the rules ending with _SSL, add a {HTTP_HOST} condition matching the name of the server farm, e.g. lyncexternalweb.*
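A read-only check for the rule clean-up described above, as an added example that is not part of the original post: it walks the global URL Rewrite rules in applicationHost.config XML and reports any rule that lacks the _SSL suffix or the {HTTP_HOST} condition. The sample XML, rule names and function name are constructed for illustration, and the rewrite/globalRules layout is assumed from a default IIS install.

```powershell
# Constructed sample of the global rewrite rules; names are illustrative only.
$sample = [xml]@'
<configuration><system.webServer><rewrite><globalRules>
  <rule name="ARR_meet.domain.com_loadbalance" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*" />
    <action type="Rewrite" url="http://meet.domain.com/{R:0}" />
  </rule>
  <rule name="ARR_meet.domain.com_loadbalance_SSL" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*" />
    <conditions>
      <add input="{HTTPS}" pattern="On" />
    </conditions>
    <action type="Rewrite" url="https://meet.domain.com/{R:0}" />
  </rule>
  <rule name="ARR_lyncexternalweb.domain.com_loadbalance_SSL" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*" />
    <conditions>
      <add input="{HTTPS}" pattern="On" />
      <add input="{HTTP_HOST}" pattern="lyncexternalweb.*" />
    </conditions>
    <action type="Rewrite" url="https://lyncexternalweb.domain.com/{R:0}" />
  </rule>
</globalRules></rewrite></system.webServer></configuration>
'@

# Hypothetical helper: one result object per rule, nothing is modified.
function Test-ArrRewriteRule {
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($rule in $Config.SelectNodes('//rewrite/globalRules/rule')) {
        $name = $rule.GetAttribute('name')
        # XPath is case-sensitive: the condition input must be written {HTTP_HOST}
        $hostCond = $rule.SelectSingleNode("conditions/add[@input='{HTTP_HOST}']")
        $finding = if ($name -notlike '*_SSL') {
            'DELETE: rule name does not end with _SSL'
        } elseif (-not $hostCond) {
            'FIX: no {HTTP_HOST} condition, rule matches every host name'
        } else {
            'OK: host pattern ' + $hostCond.GetAttribute('pattern')
        }
        [pscustomobject]@{ Rule = $name; Finding = $finding }
    }
}

Test-ArrRewriteRule -Config $sample | Format-Table -AutoSize
```

To check the reverse proxy itself, pass `[xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config")` as `-Config` from an elevated PowerShell session.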
Testing
1. Test the meet URL from Internet Explorer on the reverse proxy server. https://meet.domain.com:4443/
Here you should receive the meeting join page and you should not get a certificate error.
2. Test the meet URL from an external computer on the Internet.
https://meet.domain.com
Here you should receive the meeting join page and you should not get a certificate error.
3. Test the dialin URL from an external computer on the Internet.
https://dialin.domain.com
Here you should receive the dialin conferencing settings page and you should not get a certificate error.
4. Download and install the Microsoft Lync Connectivity Analyzer.
This tool helps Lync administrators find out if the deployment and configuration of their Lync Server environment meets the requirements to support connections from Lync mobile apps. If this works both the lyncdiscover and lyncexternalweb URLs are fine.
5. Login with your mobile unit and - happy Lyncing / Skyping!
Excellent write-up, and very helpful for getting Skype for Business up and running on IIS ARR 3.0! Only thing I would add, is that before you configure Caching, Timeout, and SSL Offloading, you are prompted to automatically create the URL Rewrite rules. If you are not paying attention and click "Cancel", the URL Rewrite rules that you mention afterward will not be present. I only mention for the sake of thoroughness, but it really should be common sense at that point, if the tech is paying attention.
Thanks again!
does it work for WS 2012 R2 + IIS + ARR 3.0 with exchange and skype4business in the same server?
Hello Thiago, Unfortunately not on the same server, the reverse proxy must be separate from the Skype 4B Standard or enterprise Edition server.
Followed this article and I receive 403 error when trying to hit the dialin page from the RP server. Any suggestions?
Great write up. Only issues I have is I get 403 forbidden error when going to the dialin page from the RP server. When I try lyncdiscover I do get the json config file so it appears ports are passing through.
Hi Kressmark,
I have configured ARR as my lync 2013. But browsing to meet.domain.com and Dialin.domain.com during a meeting externally resolves back to the FE server which has a .local suffix and it is not routable. You then get a DNS error cannot resolve fe.domain.local
Did you try to put fe.domain.local in the hosts file on the Reverse Proxy?