To start out I must point out that this is not actually a supported configuration if I understand the documentation right, but it works fine!
On the Infrastructure qualified for Microsoft Lync page, ARR 2.5 is listed as a supported reverse proxy, and the documentation to configure it is found here:
Using IIS ARR as a Reverse Proxy for Lync Server 2013
On the Skype for Business Certification Program page, under reverse proxies, you can find that the Web Application Proxy running on Windows Server 2012 R2 is supported, and the documentation to configure it is found here:
Configuring the Windows Server 2012 Web Application Proxy as a Reverse Proxy for Lync Server (Well, the documentation is for Lync, but you'll get the picture...)
Anyhow, let's get down to using ARR 3.0 instead.
Start with a Windows 2012 R2 server with two network cards. Set the default gateway to point out towards the Internet and also use a public DNS server. Next, use "route add" to add a persistent route into the internal server network holding the Skype for Business or Lync server(s) and the internal CA (the number after IF is the interface index of the internal network card). For example:
route add 192.168.1.0 MASK 255.255.255.0 192.168.1.1 IF 12 -p
To verify, try to ping the internal Lync server(s) by IP address.
Hosts file
Open Notepad as Administrator and edit the local hosts file, normally found under C:\Windows\system32\drivers\etc. Add the following lines to the hosts file. (Note: this is an example; your external web services URL can be named differently, so check in Topology Builder.)
dialin.domain.com - ip of the standard server (or loadbalancer)
meet.domain.com - ip of the standard server (or loadbalancer)
lyncexternalweb.domain.com - ip of the standard server (or loadbalancer)
lyncdiscover.domain.com - ip of the standard server (or loadbalancer)
certificateauthority.domain.com - ip of the CA server
Also, the internal and external DNS should be configured like this:
Internal DNS
dialin.domain.com - ip of the standard server (or loadbalancer)
meet.domain.com - ip of the standard server (or loadbalancer)
lyncexternalweb.domain.com - ip of the reverse proxy
lyncdiscover.domain.com - ip of the reverse proxy
External DNS
dialin.domain.com - ip of the reverse proxy
meet.domain.com - ip of the reverse proxy
lyncexternalweb.domain.com - ip of the reverse proxy
lyncdiscover.domain.com - ip of the reverse proxy
Server preparation
The reverse proxy server must not be domain joined, so it will not receive the internal Certificate Authority's root certificate automatically; you therefore need to install it yourself in the certificate store under Local Computer \ Trusted Root Certification Authorities. (This is not applicable if your internal Skype for Business / Lync server is using a public certificate.) Use the CA's /certsrv web page, if available on the internal CA, to download it.
Start PowerShell as Administrator and run the following commands to install IIS, which is of course a prerequisite for Application Request Routing:
Import-Module ServerManager
Add-WindowsFeature Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Net-Ext,Web-Http-Logging,Web-Request-Monitor,Web-Http-Tracing,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Console,NET-Framework-Core,NET-Non-HTTP-Activ,NET-HTTP-Activation
Internet Information Server Configuration
Start the Internet Information Services (IIS) Manager tool and click the server node in the tree; you are then asked whether you want to get started with the Microsoft Web Platform. Answer Yes and you will arrive at a web page where you can download and install the Microsoft Web Platform Installer 5.0. After the Web Platform Installer is installed, search for "arr" and add Application Request Routing 3.0 (not 2.5, or 2.5 with KB).
Click Install, then Finish, and restart the Internet Information Services (IIS) Manager tool. There should now be a "Server Farms" node in the IIS management tool, and this is where one server farm per external URL needs to be created.
Create a server farm called dialin.domain.com that points to the server address dialin.domain.com (which we pointed to the standard server or load balancer in the hosts file); set the httpPort to 8080 and the httpsPort to 4443. Also make sure the internal firewall lets traffic through these ports.
If you need to verify that you really did set these values, you cannot do it from the IIS interface. However, you can check out my previous IIS ARR blog post "Using IIS ARR as a Reverse Proxy for Lync Server 2013" for information on how to verify this.
Next, configure the Caching, Routing and Proxy Rules of the server farm.
Disable the disk cache, raise the Proxy time-out to more seconds (I like 600), and disable SSL offloading under Routing Rules.
The Proxy time-out is a value you need to tune to your environment. This is especially important for the lyncexternalweb.domain.com URL, where the value should be more than 180 or even as much as 600. Raise the value until your mobile client stops constantly displaying the message "Your server configuration has changed. Please restart Lync."
Amazing - a blog with both Microsoft server config and iOS screen shots...
Now you will find two URL rewrite rules per server farm under root\IIS\URL Rewrite. Keep all the rules ending with _SSL and delete the rules that do not. In every rule ending with _SSL, add a {HTTP_HOST} condition matching the name of the server farm, e.g. lyncexternalweb.*
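As an added example (not part of the original post or of ARR itself), the following PowerShell applies the farm settings described above and reads back the ones the IIS Manager UI hides (the server ports). It assumes the WebAdministration module on the reverse proxy, the four farm names used in this post, that each farm's single server address equals the farm name, and that ARR named the rewrite rules ARR_<farm>_loadbalance and ARR_<farm>_loadbalance_SSL.

```powershell
# Added example, not from the original post: apply and read back the ARR farm settings
# described above. Assumptions: the WebAdministration module is present, the farms already
# exist, and each farm's single server address equals the farm name (as in this post).
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'
$Farms   = 'dialin.domain.com', 'meet.domain.com',
           'lyncexternalweb.domain.com', 'lyncdiscover.domain.com'

function Set-LyncFarm {
    param([string]$Name, [int]$HttpPort = 8080, [int]$HttpsPort = 4443,
          [string]$Timeout = '00:10:00')            # 600 seconds as a TimeSpan
    $farm   = "webFarms/webFarm[@name='$Name']"
    $server = "$farm/server[@address='$Name']/applicationRequestRouting"
    $proto  = "$farm/applicationRequestRouting/protocol"

    # The Lync external web services listen on 8080/4443, not 80/443.
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $server -Name httpPort  -Value $HttpPort
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $server -Name httpsPort -Value $HttpsPort
    # Long-lived mobile client requests need far more than the 30 s default.
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $proto -Name timeout -Value $Timeout
    # Do not cache proxied Lync responses on disk.
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$proto/cache" -Name enabled -Value $false

    # Keep only the _SSL rewrite rule and pin it to this farm's host name, e.g. "dialin.*"
    # (assumed rule naming: ARR_<farm>_loadbalance and ARR_<farm>_loadbalance_SSL).
    $rules = 'system.webServer/rewrite/globalRules'
    Remove-WebConfigurationProperty -PSPath $AppHost -Filter $rules -Name '.' `
        -AtElement @{ name = "ARR_${Name}_loadbalance" } -ErrorAction SilentlyContinue
    Add-WebConfiguration -PSPath $AppHost -Filter "$rules/rule[@name='ARR_${Name}_loadbalance_SSL']/conditions" `
        -Value @{ input = '{HTTP_HOST}'; pattern = $Name.Split('.')[0] + '.*' }
}

function Get-LyncFarm {
    param([string]$Name)
    $farm   = "webFarms/webFarm[@name='$Name']"
    $server = Get-WebConfiguration -PSPath $AppHost -Filter "$farm/server[@address='$Name']/applicationRequestRouting"
    $proto  = Get-WebConfiguration -PSPath $AppHost -Filter "$farm/applicationRequestRouting/protocol"
    [pscustomobject]@{
        Farm      = $Name
        HttpPort  = $server.httpPort
        HttpsPort = $server.httpsPort
        Timeout   = $proto.timeout
        DiskCache = $proto.cache.enabled
    }
}

foreach ($f in $Farms) { Set-LyncFarm -Name $f }
$Farms | ForEach-Object { Get-LyncFarm -Name $_ } | Format-Table -AutoSize
```

Run it once in an elevated PowerShell on the reverse proxy after the farms have been created; the final table is the check the IIS UI cannot give you for the 8080/4443 ports.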
Testing
1. Test the meet URL from Internet Explorer on the reverse proxy server itself: https://meet.domain.com:4443/
Here you should receive the meeting join page and you should not get a certificate error.
2. Test the meet URL from an external computer on the Internet.
https://meet.domain.com
Here you should receive the meeting join page and you should not get a certificate error.
3. Test the dialin URL from an external computer on the Internet.
https://dialin.domain.com
Here you should receive the dialin conferencing settings page and you should not get a certificate error.
4. Download and install the Microsoft Lync Connectivity Analyzer.
This tool helps Lync administrators find out whether the deployment and configuration of their Lync Server environment meets the requirements to support connections from Lync mobile apps. If this works, both the lyncdiscover and lyncexternalweb URLs are fine.
5. Log in with your mobile device and - happy Lyncing / Skyping!