How can I get IIS ARR accepting internal servernames with underscore

I am working in a Project were we plan to replace the existing ISA server with IIS ARR, for Lync and Exchange. But when testing reverse proxy for Lync and Exchange with IIS ARR in my test lab I just realized that it turns out that IIS ARR is not that happy about configuring reverse proxy to internal servernames with underscore in the servername (e.g.: lync_frontend.mydomain.local). I get an error message when trying to configure the Server Farms' server address. Maybe somebody else have experienced the same problem and maybe has a workaround for this?
Børge SkåtevikAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dan McFaddenSystems EngineerCommented:
Technically, an underscore is not a valid DNS character.  See RFC 952:   **Note the ASSUMPTIONS section, first point.

   1. A "name" (Net, Host, Gateway, or Domain name) is a text string up
   to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus
   sign (-), and period (.).  Note that periods are only allowed when
   they serve to delimit components of "domain style names". (See
   RFC-921, "Domain Name System Implementation Schedule", for
   background).  No blank or space characters are permitted as part of a
   name. No distinction is made between upper and lower case.  The first
   character must be an alpha character.  The last character must not be
   a minus sign or period...

So it is not surprising that a proxy service is complaining about underscores.

My suggestion is to create a CNAME in DNS for the servers in question.  In the CNAME, use the actual name but replace the underscores with the dash (minus) character.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dan McFaddenSystems EngineerCommented:
And from Microsoft's support site.


Børge SkåtevikAuthor Commented:

Thank you for Your reply. Yes, it turns out that the Lync installation for this Company was done without following standards and good practice. It is the only server in the Company with an underscore in the hostname. In nearest future will migrate to a new solution, but at the moment we are trying to get the existing system to work and become stable. On the Proxy server (IIS ARR) I am planning to use host file in stead of DNS so I think that will be ok. I am more worried about the certficiate chain that need to be accepted throughout the solution. Do you think the Front End server will work fine even the Proxy server forwards the request to a different hostname (but tweaked so that same IP and Frontend Server will be contacted)?

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Dan McFaddenSystems EngineerCommented:
Will the setup be used to allow external access to the servers in question?

If yes, then the cert needs to correspond to the publicly visible DNS name of the Lync server.  If it is only for internal access, then the cert must reference whatever users use to connect the server.

I recommend using DNS to control the CNAME especially if there are SSL certificates involved.  And pointing the cert at the CNAME and not the name with the underscore.

Børge SkåtevikAuthor Commented:
Yes, external mail and lync web services will be routed through this web proxy server. It is the internal lync server that is the issue, all other servers are using valid hostnames. Example of the present design:

external server/Client -> | -> proxysrv ->|-> lync_edge
external server/Client -> | -> proxysrv ->|-> exchsrv

The plan is to use IIS ARR reverse Proxy (proxysrv) to service both Lync and Exchange. The pipe symbols firewalls as the proxysrv is located in a DMZ. Exchange is tested and fully working, since all the servers for external webmail services are all using valid hostnames. So the issue is only for Lync where the internal Front End server has a hostname with a "_"...

By using your input and also find a way to give the lync_edge server a SAN or wildcard certificate (split DNS with domain.local name internal) I think this should work.

I will try it out as soon as possible and post a new comment aftwards.

Thanks for you input.

Børge SkåtevikAuthor Commented:
Finally, after waiting for firewall reconfigurations, I have now tested the IIS ARR reverse Proxy. And it Works fine With Your solution. I only needed to add the new name (without the underscore) to the SAN certificate for the internal server, and add this servername to the hostfile on the reverseproxy server (I am not using DNS on the IIS ARR reverseproxy server). And of course the IIS ARR configuration always references the Lync Frontend server with the 'new' name (without underscore).  


Best regards,
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.