Solved

Lync 2013 reverse proxy server setup

Posted on 2014-09-12 | 260 Views | Last Modified: 2015-02-12
To make this easy, so I won't run into the snags I have, I'll instead just ask if anyone has, from scratch, the steps to add a reverse proxy server to my existing Lync setup. All I am finding is bits and pieces and going in circles. A step-by-step from the server (installed) to possibly network settings, certificates and DNS entries (if needed). Here is my setup:

DC = 2008 R2 Standard, Physical machine. domain
Lync Server = 2012 Standard R2, virtual machine, Lync 2013. domain
Edge Server = 2012 Standard R2, Physical machine, Lync 2013. not on domain
Rev Prox Server = 2012 Standard, physical machine, nothing configured except the 2 NIC cards. not on domain

Everything works at this moment. Inside the network all features work. Outside, most features work with other domain users, but it does not see AD when searching in the users field. Lync meetings with outside users do not work.

My purpose for the Reverse Proxy using IIS is to gain more features outside of the building: Mobile Lync, of course, to work; outside users in Lync meetings; basically any features that can be added by adding a Rev Prox server.
Question by ZeroDogg
56 Comments
 
Expert Comment by Cliff Galiher (LVL 56)
Windows doesn't have a built-in reverse proxy package. You *might* be able to beat IIS into doing reverse proxy duties. But that'd be little better than just doing NAT with port translation. The reason Lync implements this as it does is that a reverse proxy adds a security boundary, so a good reverse proxy really should be used to achieve that goal.
0
 
Expert Comment by Steve Whitcher (LVL 6)
Cliff - Server 2012 R2 includes a Web Application Proxy role which serves this purpose.
0
 
Expert Comment by Cliff Galiher (LVL 56)
No, it doesn't. It serves a different purpose. Most notably, it is built on (and requires) ADFS. Which is great for applications that can understand ADFS or web pages for pre-authentication. But try that with a remote Lync client and see how well it works...
0
 
Accepted Solution by Steve Whitcher (LVL 6, earned 500 total points)
It does require ADFS, but it's not limited to use for ADFS based applications.  It works beautifully for Lync.  Here is one of the articles I followed when setting it up recently in our environment:

http://blogs.technet.com/b/dodeitte/archive/2013/10/29/how-to-publish-lync-server-2013-web-services-with-windows-server-2012-r2-web-application-proxy.aspx
0
 

Author Comment by ZeroDogg
Steve,
" It does require ADFS". Meaning it needs to be joined to the domain?
0
 
Expert Comment by Steve Whitcher (LVL 6)
The WAP server does not have to be domain joined, but you would need to install the ADFS role on a server that is a part of the domain.  You can just add the role to an existing domain controller, if you have one running Server 2012R2.  

http://technet.microsoft.com/en-us/library/dn383648.aspx
0
 

Author Comment by ZeroDogg
Unfortunately the only servers with 2012 R2 at this time are the 3 (2 right now) servers in a Lync Role (Lync, Edge and RevProx).
0
 

Author Comment by ZeroDogg
Can I not put AD FS on a 2008 R2 server? Or will the version of that on a 2008 not work with the 2012 R2 servers?
0
 

Author Comment by ZeroDogg
Anyone?
0
 
Expert Comment by Steve Whitcher (LVL 6)
I believe that the Web Application Proxy in 2012R2 requires the 2012R2 version of ADFS.  ADFS doesn't necessarily have to be installed on a domain controller though, so in theory you should be able to install it on the Lync 2013 server*.  ADFS isn't going to tax the server much, especially considering that you're only installing it because it's required by the WAP.  

* I don't see any reason why this wouldn't work, but I haven't tried it myself.
0
 

Author Comment by ZeroDogg
Just to clarify the WAP server would take the place of a Reverse Proxy server, correct? I would still only have three servers in the Lync role (Lync, Edge & WAP)?
0
 
Expert Comment by Steve Whitcher (LVL 6)
Correct, the "Web Application Proxy" is the reverse proxy.
0
 

Author Comment by ZeroDogg
I will start working on this and let you know.
0
 

Author Comment by ZeroDogg
I am looking at this setup. AD FS should not be put on the WAP(x) server, is that correct?
0
 
Expert Comment by Steve Whitcher (LVL 6)
Correct, the ADFS role should be on a server on the internal network, where the server running WAP should be in the perimeter network, where it will proxy traffic from the external network to the internal network.
0
 

Author Comment by ZeroDogg
I am migrating the domain controller to 2012 before I move on.
0
 

Author Comment by ZeroDogg
I haven't forgot about this but I am running into a few small issues as I always do. I now have a 2012 R2 DC, 2012 R2 AD FS and the 2012 R2 WAPX (web application proxy server). First issue is the cert (SSL) that the WAPX server asks for when configuring the web application proxy wizard. The only thing that shows is the localhost even though I created one in the AD FS server. That also is an issue because that cert is the FQDN of that server and not a wildcard. What did I miss here?

Also the WAPX server pings the AD FS server but not the other way around. WAPX is not on the domain but has the DNS suffix added to it (advanced system properties). AD FS is on the domain and pings other servers. I have not yet configured the Cisco ASA to let traffic to the WAPX. Help?
0
 
Expert Comment by Steve Whitcher (LVL 6)
The certificate must be installed in the server's certificate store before the cert will be listed in the wizard.  Export it from the ADFS server, copy the exported file to the wapx server, and double click the file to install the cert.

You will also need a wildcard cert or individual certs for the names you'll be publishing through the wapx server, but those will come in later.

As for not being able to ping WAPX from ADFS server, there are a few simple things it might be.   The first thing I'd check is name resolution... Are you pinging by name or by IP?  Since the WAPX server isn't on the domain, I wonder if it isn't registering in DNS.    If you can't ping by IP either, then check the firewall on the WAPX server, is it enabled and possibly blocking inbound ICMP?
0
 

Author Comment by ZeroDogg
Certs are my nemesis. I created a cert while configuring the ADFS using this link ( https://www.youtube.com/watch?v=iKpi8UomRDo ) so now I have a cert ( rootca type ) called adfsserver.mydomain.com. Is this what I export to WAPX? My CA server is on a 2008 R2 DC. From the sounds of it I will have 3 certs by the time this is over, or 2 for these last steps of setting up and publishing for the WAPX. When I started to export this cert that is by the FQDN of the ADFS I had all kinds of options and so I have stopped everything for now. I really can't find a complete guide from start to finish when adding the ADFS, WAPX and adding a 2012 R2 DC to the mostly 2008 R2 domain.
0
 

Author Comment by ZeroDogg
This is where I have to stop when on the WAPX server:
wapx.png
0
 
Expert Comment by Steve Whitcher (LVL 6)
I'm not sure what you mean, "rootca type".  Did you put active directory certificate services on the adfs server? Or did you already have ADCS elsewhere in your environment?  

The youtube video you linked to says to create a certificate for the ADFS server using the "Computer" template (certificate type).  If you did that, then you would export that "Computer" certificate for ADFS and then install it on the WAPX server.  (Or, you could use a wildcard cert on the WAPX server, as they did in the video.)

If you go with the wildcard cert on the WAPX server, then it should serve for the ADFS part as well as the application part when you get there.

FYI, I'll be on vacation for the next 10 days or so, and may not respond to comments during that time.
0
 
Expert Comment by Steve Whitcher (LVL 6)
Re: your screenshot - that dropdown will only show certificates installed on the WAPX server.  Until you install a wildcard cert or the exported cert from the adfs server, you won't be able to move forward with that configuration.
0
 

Author Comment by ZeroDogg
I inherited this 2008 R2 network. This Lync project is the first time it is seeing 2012 R2 servers. There is a 2008 R2 domain controller with AD CS already installed on it (eventually, as migration starts, this server will be gone) and it holds certs for Exchange and Lync (plus others). In the video it shows setting up a cert on AD FS but as you noticed she already had a wildcard established. I just need to know how to do it correctly and what steps. If this were a straight 2008 or 2012 fresh network it would be easy because I would be creating from scratch and I would not be looking for consulting. Instead I have to be careful because this network is "delicate" to say the least. Remember I have Lync working inside and somewhat outside ( I have the basic outside services working ). My goal is to have Lync working on mobile devices and pretty much everything short of integrating it into the phone system. I do miss vacations :)
0
 

Author Comment by ZeroDogg
Should I install ADCS on the ADFS?
0
 
Expert Comment by Steve Whitcher (LVL 6)
NO,  if you already have ADCS running, don't install it elsewhere.  

When you created the certificate for the ADFS server, did you use the "Computer" template?  

Your easiest option is going to be to get the wildcard certificate from a Public CA, and import that on the WAPX server.  It will then serve as the cert for the FS service as well as the cert for the publishing applications.  

I'm not sure if you've looked at the technet pages on this.  I know they can sometimes be quite confusing, but there is usually good information in there if you can follow it.  
http://technet.microsoft.com/en-us/library/dn383662.aspx#ConfigCAs
0
 

Author Comment by ZeroDogg
I did as in the link I shared (Computer Template). You're saying I need to go to the 2008 R2 server and pull its cert for what I have already created for the Lync, or create a new one (public CA)? I'm here because the technet pages are confusing; you click on a few links, then you wonder why you are looking at how to configure a Rubik's Cube.
0
 
Expert Comment by Steve Whitcher (LVL 6)
I understand, I just thought I'd offer it up as a reference if you hadn't seen it yet.  

Do you already have a wildcard certificate from a public CA that you've used for Lync or something else?  

If you have, or get, a wildcard certificate from a public CA and install it on the WAPX server, then re-run the wapx configuration wizard, the wildcard cert should appear in the drop down you posted the screenshot of earlier.  Select the wildcard cert, and then you'll be able to finish the WAPX config wizard.

Once you've gotten that done, you'll need to publish the lync web services through wapx so that they're accessible from the outside.   Then you'll configure entries in your external DNS for the lync services pointing to the external IP of the WAPX server.  (i.e. lyncdiscover.domain.com, meet.domain.com, dialin.domain.com)  Then, allow outside traffic to get to the WAPX server, and it should proxy traffic through to the internal lync server.
0
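The publishing and DNS steps Steve describes, as an added example that is not part of the thread or of Microsoft's documentation: the Add-WebApplicationProxyApplication calls that do what the Remote Access console does for the Lync simple URLs, plus a resolution check from both sides. The names domain.com, lyncweb and 203.0.113.10 are placeholders, and the backend-on-port-4443 layout with the WAP server resolving the external names to the internal Front End is an assumption about the standard Lync reverse-proxy design.

```powershell
# Added example, not from the thread. Run on the WAP server after the configuration wizard
# has completed. Publishes the Lync 2013 web services with pass-through pre-authentication
# (Lync clients authenticate against the Front End themselves) and checks name resolution.
$ExternalDomain = 'domain.com'          # placeholder: the domain used in your Lync simple URLs
$WapPublicIp    = '203.0.113.10'        # placeholder: the WAP server's external (ASA NAT) address

# The wildcard cert must already be in LocalMachine\My WITH its private key (imported as .pfx).
$Wildcard = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=*.$ExternalDomain*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Wildcard) { throw "No *.$ExternalDomain certificate with a private key in LocalMachine\My" }

# External names the reverse proxy must answer for. The backend URL keeps the SAME host name
# on port 4443 (the Front End's external web site), so the WAP server itself must resolve
# these names to the Front End's internal IP (hosts file or split DNS), not back to itself.
$Names = @(
    @{ Name = 'Lync Discover';     Host = "lyncdiscover.$ExternalDomain" },
    @{ Name = 'Lync Meet';         Host = "meet.$ExternalDomain" },
    @{ Name = 'Lync Dialin';       Host = "dialin.$ExternalDomain" },
    @{ Name = 'Lync External Web'; Host = "lyncweb.$ExternalDomain" }   # external web services FQDN (assumed)
)

foreach ($n in $Names) {
    if (Get-WebApplicationProxyApplication -Name $n.Name -ErrorAction SilentlyContinue) {
        "Already published: $($n.Name)"; continue
    }
    Add-WebApplicationProxyApplication `
        -Name $n.Name `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl "https://$($n.Host)/" `
        -BackendServerUrl "https://$($n.Host):4443/" `
        -ExternalCertificateThumbprint $Wildcard.Thumbprint
    "Published $($n.Host) -> port 4443 on the Front End"
}

# The WAP server must resolve each name to the INTERNAL Front End (hosts file is honoured by
# Resolve-DnsName unless -DnsOnly is given), while public DNS must resolve it to the WAP
# external address. If either is wrong, clients loop back to the proxy or never reach it.
foreach ($n in $Names) {
    $inside  = (Resolve-DnsName $n.Host -Type A -ErrorAction SilentlyContinue).IPAddress
    $outside = (Resolve-DnsName $n.Host -Type A -Server 8.8.8.8 -ErrorAction SilentlyContinue).IPAddress
    $extOk   = $outside -contains $WapPublicIp
    "{0,-30} inside->{1,-15} public->{2,-15} {3}" -f $n.Host, ($inside -join ','), ($outside -join ','),
        $(if ($extOk) { 'OK' } else { 'public record missing or not the WAP address' })
}
```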
 

Author Comment by ZeroDogg
I do have a wildcard for Lync. This is what I needed. I will get to work first thing in the morning. Check in when you can but overall have a great vacation and thanks.
0
 

Author Comment by ZeroDogg
0
 
Expert Comment by Steve Whitcher (LVL 6)
When the WAPX config wizard asks for credentials to establish the trust, try entering an Enterprise Administrator account.
0
 

Author Comment by ZeroDogg
Still doesn't work.
0
 

Author Comment by ZeroDogg
Well, I am stuck and frustrated. I can't pull in any certs. I keep getting the same error as above no matter what I do. Has anyone successfully implemented Lync for inside and outside use with a 2012 R2 setup?
0
 
Expert Comment by Steve Whitcher (LVL 6)
Sorry for not getting back to you sooner.  I got back to the office yesterday, but will be playing catchup for at least another day or two.  

Just to confirm the current state of things, I understand that you're still failing to configure the Web Application Proxy server.  You're going through the steps described below, from the section "To configure Web Application Proxy" on this technet page:

1. On the Web Application Proxy server, open the Remote Access Management console: On the Start screen, click the Apps arrow. On the Apps screen, type RAMgmtUI.exe, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
2. In the navigation pane, click Web Application Proxy.
3. In the Remote Access Management console, in the middle pane, click Run the Web Application Proxy Configuration Wizard.
4. On the Web Application Proxy Configuration Wizard, on the Welcome dialog, click Next.
5. On the Federation Server dialog, do the following, and then click Next:
   In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.contoso.com.
   In the User name and Password boxes, enter the credentials of a local administrator account on the AD FS servers.
6. On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, and then click Next.
7. On the Confirmation dialog, review the settings. If required, you can copy the PowerShell cmdlet to automate additional installations. Click Configure.
8. On the Results dialog, verify that the configuration was successful, and then click Close.

For Step 5, you are entering the fqdn of the adfs server, and credentials for an account that is a member of the Enterprise Administrators group in the forest that contains the ADFS server.

For Step 6, you select your wildcard certificate, issued by a public CA.  

When you get to the end of the wizard, the Results screen shows the following error:
ADFS proxy could not be configured.  
An error occurred when attempting to establish a trust relationship with the federation service.  Error: The underlying connection was closed: Could not establish a trust relationship for the SSL/TLS secure channel.

Does that pretty much sum up the situation as it stands currently?

Earlier you mentioned some possible connectivity issues between the WAPX and adfs servers (only being able to ping one way), have those issues been resolved?  Can the WAPX server contact the ADFS server by FQDN?  (This should be occurring over the internal interface of the WAPX server.)
0
 
Expert Comment by Steve Whitcher (LVL 6)
ZeroDogg - Just following up, are you still having trouble with this?
0
 

Author Comment by ZeroDogg
Yes, I have not worked on this since my last post. My company is going to a convention and I have a vendor that has dropped the ball on our anti-virus. I am working all day today to fix that before everyone leaves then I will have the time without interruptions starting tomorrow.
0
 

Author Comment by ZeroDogg
I get to step 7 and then I get the error: An error occurred when attempting to establish a trust relationship with the federation service. Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

I have turned off all firewalls. They both can "see" each other. I have used the local admin account on the ADFS server and the enterprise domain admin user. I have tried all the certs it pulls up and it all ends up with the same error.
0
 

Author Comment by ZeroDogg
I am obviously doing something wrong with the certs, whether it be where I am putting them or if they are the right ones or configured correctly. I can't seem to figure out the cert thing so I can stop getting this error even with all the research I have done.
0
 
Expert Comment by Steve Whitcher (LVL 6)
It seems like there's a missing piece here somewhere.  Other than the error text I quoted previously, and you posted again on the 24th, there is no additional text to the error, or perhaps a "more details" button?  What about the event logs, on both the WAP and the ADFS servers, from around the time that you tried to run the wizard and got the error?

Is the WAP server a domain member?
0
 

Author Comment by ZeroDogg
I will look up the event logs but to answer the question about the WAP, no it is not on the domain. I did put the DNS suffix of the domain of the computer in the Computer Name/ Domain Changes under the System Properties.
0
 

Author Comment by ZeroDogg
ID 393/ Severity= Error/ Source= AD FS/ Log= ADFS/Admin. This is on the WAP server when I try running the WAP Wizard.
0
 
Expert Comment by Steve Whitcher (LVL 6)
Ok, if the wap server isn't on the domain, then I believe you will need to import your Certificate Authority's cert into the Trusted Root Certificates store on the WAP server.   Export the cert from your CA (just the public key, not the private), copy the file over to the WAP server and import it.  When you do, be sure you choose which folder/store the key is to be imported into, don't let it just assign it to the default.  It would need to be in the trusted root certificates store.
0
 

Author Comment by ZeroDogg
I wish I had better news but I am at a standstill. Your above comment made sense so I was looking forward to getting this done. I took the cert created on the ADFS Server (hopefully this is the right one), exported that cert to the WAP Server and stored it in the trusted root certs. So far so good. Then I ran the WAP Wizard; the cert doesn't show up. So I decided to import it into the personal cert store. Still doesn't show up during the wizard. The closest thing I got was, instead of the last error, now I get "An error occurred when attempting to save the proxy configuration." And this error is not on the cert I created. I just picked one to see what happened.
0
 
Expert Comment by Steve Whitcher (LVL 6)
For the Cert being imported into the trusted root store, it would not be expected to show up in the list in the wizard.  It's just being added so that the WAP server will trust certs from your domain.

On your server running AD Certificate Services, open the "Certification Authority" console.  In the left pane, right click on the name of your CA and choose Properties.  On the "General" tab under "CA certificates"  select "Certificate #0".  (If there is more than one certificate here, choose the higher number.)  Click "View Certificate".  On the Details tab of the Certificate window, click "Copy to File".  Follow through the Export Certificate wizard to save a copy of the server's public certificate to a file.  Copy that file over to the wap server and import it into the Trusted Root Certificates store.  

Now, the WAP server should trust any certificates that were issued by your internal certificate authority.  That includes the ADFS server's cert, assuming the cert is signed by the internal CA.

Next, I would suggest rebooting at least the WAP server, and possibly the ADFS server as well if nothing production would be affected by it.  After rebooting, try running the WAP configuration wizard again.  When you are prompted to select a certificate, choose the wildcard cert.
0
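The trust checks Steve walks through, as an added diagnostic script that is not part of the thread: run on the WAP server, it confirms name resolution of the federation service, shows which certificate the AD FS server actually presents, builds that certificate's chain against this machine's own stores (the missing-root condition behind the "Could not establish trust relationship" error), and lists which local certificates carry a private key. adfs.domain.local and the account name are placeholders.

```powershell
# Added example, not from the thread. Run on the WAP server (not domain-joined) before
# re-running the wizard. Placeholder: the AD FS federation service FQDN.
$FsFqdn = 'adfs.domain.local'

# 1. Name resolution over the internal interface (the DNS-suffix / hosts setup discussed above).
$a = Resolve-DnsName -Name $FsFqdn -Type A -ErrorAction SilentlyContinue
if (-not $a) { throw "WAP cannot resolve $FsFqdn; fix the DNS suffix or hosts entry first" }
"$FsFqdn resolves to $($a.IPAddress -join ', ')"

# 2. Open a TLS session to 443 and capture the certificate the AD FS server really presents.
#    The callback accepts anything so the cert can be inspected; it is NOT used for trust decisions.
$tcp = New-Object System.Net.Sockets.TcpClient($FsFqdn, 443)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
try {
    $ssl.AuthenticateAsClient($FsFqdn)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $ssl.Dispose(); $tcp.Close() }
"AD FS presented: $($remote.Subject)"
"        issuer: $($remote.Issuer)"
"       expires: $($remote.NotAfter)"

# 3. Build the chain with THIS machine's stores. A chain that ends at an untrusted root is the
#    condition behind "Could not establish trust relationship for the SSL/TLS secure channel".
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($remote)) {
    "Chain OK, anchored at: $($chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject)"
} else {
    "Chain FAILED:"
    $chain.ChainStatus | ForEach-Object { "  $($_.Status) - $($_.StatusInformation.Trim())" }
    $rootPresent = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $remote.Issuer }
    if (-not $rootPresent) {
        "  Direct issuer '$($remote.Issuer)' is not in Cert:\LocalMachine\Root on this server."
        "  Export the CA certificate (public part only) and import it into Trusted Root Certification"
        "  Authorities; with a two-tier CA the intermediate also goes into Cert:\LocalMachine\CA."
    }
}

# 4. The wizard lists only LocalMachine\My and rejects entries without a private key
#    (a .cer import instead of the .pfx is what produces 'does not have a private key').
"Certificates the wizard can offer:"
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Thumbprint, HasPrivateKey, NotAfter, Subject | Format-Table -AutoSize

# 5. Scripted equivalent of the wizard, to run once step 3 reports Chain OK:
#    Install-WebApplicationProxy -FederationServiceName $FsFqdn `
#        -FederationServiceTrustCredential (Get-Credential 'DOMAIN\EnterpriseAdmin') `
#        -CertificateThumbprint '<thumbprint of the wildcard cert from step 4>'
```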
 

Author Comment by ZeroDogg
I do believe the CA Authority is sitting on a different server (an old DC); does this process change?
0
 
Expert Comment by Steve Whitcher (LVL 6)
No change.  You'll want to get the certificate from the CA, regardless of where it is located.  If you put it in the Trusted Root Certificates store, then the WAP server should trust any certificate that is signed by the CA.  

I assume your ADFS server's cert is signed by the CA.  You can double check, open the ADFS server certificate and check the "Certification Path" tab.  It should show the certificate of your CA.
0
 

Author Comment by ZeroDogg
Baby steps... ugh. OK. Now I have "The certificate that is represented by thumbprint xxxxxxxxxx does not have a private key. Specify a certificate with a private key."
0
 

Author Comment by ZeroDogg
Here is what happens when I try to redo it with a key:
Key.PNG
0
 

Author Comment by ZeroDogg
I got it to work (I think). The certs were being created as X.509 (.CER) which the key can't export. When I exported as a PKCS#12 (.PFX) it took the cert and completed the WAP Wizard. I have stopped there just to clarify that is correct.
0
 
Expert Comment by Steve Whitcher (LVL 6)
I'm not clear on which cert you exported with the private key.  If I recall correctly, we have at least 3 different certificates involved at this point:

1) Wildcard certificate
2) Root certificate from your CA
3) ADFS server's certificate

Which one of those did you import the private key for?  And which did you choose when you ran the wizard again?
0
 

Author Comment by ZeroDogg
Well, at least it's a step in the right direction. I believe it is the Root Cert from the CA.
0
 
Expert Comment by Steve Whitcher (LVL 6)
Ok, the CA root cert is not what I would have recommended, but if it works for you, then I guess you can go with it.
0
 

Author Comment by ZeroDogg
I need best practices. Which one should I have imported? I went by the instructions above for the certificate from the CA; did I read that wrong and import the wrong one? I don't want to do anything half axx. I am willing to start over if need be. Should we swap emails for this cert issue? Obviously it's not my strong point (certs).
0
 

Author Comment by ZeroDogg
My bad, I've been working late a lot; the cert I pulled in was from the ADFS server.
0
 
Expert Comment by Steve Whitcher (LVL 6)
Ok, that sounds better.  It's probably not a bad idea to take this discussion private at this point though.  I was just writing a message to you when I saw your post come through.  Watch for a PM shortly.
0
 

Author Comment by ZeroDogg
Ok Thanks. :)
0
 

Author Closing Comment by ZeroDogg
Thanks Steve for all your help! I would say anyone taking on this project should really study it. It gets more complicated when your inside domain does not match the outside, and there are a ton of variables when building your own Lync on a network you didn't build. It's worth it though.
0