Configuring the Windows Server 2012 Web Application Proxy as a Reverse Proxy for Lync Server

Lync Server 2013

Published: November 2014

Author: Dave Howe, Eric Curtis

Abstract: This whitepaper describes how to configure the Windows Server 2012 R2 Web Application Proxy as a reverse proxy for Lync Server. The service allows internal applications such as Microsoft Lync and Exchange to be published for external access. The Web Application Proxy service functions as both a reverse proxy and an Active Directory Federation Services (AD FS) proxy.

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Copyright © 2014 Microsoft Corporation. All rights reserved.

Contents

1 Introduction

2 Requirements

2.1 Hardware requirements

2.2 Software requirements

3 Planning

3.1 Architectural Components

3.2 Firewall Considerations

3.3 Load Balancing

3.4 Name resolution

3.5 Certificates

3.6 Authentication

4 Installation and Configuration

4.1 Networking configuration

4.2 DNS Suffix

4.3 Internal Name Resolution

4.4 Importing Certificates

4.5 Installing the Web Application Proxy feature

4.6 Configure the Web Application Proxy feature

4.7 Launch the Remote Access Management Console

4.8 Create a Publishing Rule for Lync Autodiscover

4.9 Create Publishing Rules for Lync Simple URLs

4.10 Create Publishing Rules for External Lync Web Services

4.11 Create Publishing Rule for Office Web Apps

4.12 Summary List of Publishing Rules

5 Lync Phone Edition Devices

5.1 Configure a Fallback Certificate

1  Introduction

Windows Server 2012 R2 includes a new service called the Web Application Proxy as part of the Remote Access role. The service allows internal applications such as Microsoft Lync and Exchange to be published for external access. The Web Application Proxy service functions as both a reverse proxy and an Active Directory Federation Services (AD FS) proxy.

Note: The Web Application Proxy service does not provide firewall capabilities, nor does it function as an authenticating proxy for outbound internet connections.

2  Requirements

The following table lists the roles and features that are required for Web Application Proxy and describes how they support it.

Services required to support the Web Application proxy

Role / feature: Active Directory Domain Services (AD DS)
How it supports this scenario: Active Directory Domain Services is required as a prerequisite before you can deploy AD FS. It is also required for Web Application Proxy deployments that use Kerberos constrained delegation.

Role / feature: Active Directory Federation Services (AD FS)
How it supports this scenario: AD FS is required to provide authentication and authorization services to Web Application Proxy and to store the Web Application Proxy configuration.

Role / feature: Remote Access (DirectAccess, Routing and Remote Access)
How it supports this scenario: Remote Access is the role containing the Web Application Proxy role service.

2.1  Hardware requirements

Hardware requirements for this scenario include the following:

·  A computer that meets the hardware requirements for Windows Server 2012 R2 running one of the following server editions: Essentials, Standard, or Datacenter.

·  The server must have at least one network adapter installed, enabled, and connected to the internal network either directly, or through a firewall or NAT device. When two adapters are used, there should be one adapter connected to the internal corporate network, and one connected to the external network (Internet, or private network).

2.2  Software requirements

Software requirements for this scenario include the following:

·  The Web Application Proxy server is located behind an edge firewall or NAT device, typically in the DMZ; that edge device must be configured to allow traffic to and from the Web Application Proxy server.

·  Deploying Web Application Proxy on the server requires local administrator permissions on the server. In addition, when you connect the Web Application Proxy server to the AD FS server, you require the credentials of the local administrator on the AD FS servers.

·  You must deploy AD FS on a server running Windows Server 2012 R2 in your organization before you can deploy Web Application Proxy.

·  If you want to remotely manage Web Application Proxy servers, you must enable remote PowerShell management on the Web Application Proxy servers. See Running Remote Commands.

3  Planning

Deploying Web Application Proxy as a reverse proxy for Lync Server 2013 requires detailed planning. This section describes several of the deployment considerations that are associated with using Web Application Proxy as a reverse proxy for Lync Server 2013. The following image shows a high-level network diagram including the Web Application proxy.

High Level Diagram of Web Application Proxy Deployment

3.1  Architectural Components

The following is a list of architectural components that are required for deploying Web Application Proxy as a reverse proxy for Lync Server 2013.

·  Active Directory Domain Services

·  Active Directory Federation Proxy Server

·  Active Directory Federation Server

·  Microsoft Internal Certificate server

·  Web Application Proxy Server

·  Public Key Infrastructure

·  Back End Application server (Exchange/ Lync)

3.2  Firewall Considerations

Web Application Proxy can be deployed behind a front end firewall to separate it from the Internet, or between two firewalls; a front end firewall to separate it from the Internet, and a backend firewall to separate it from the corporate network.

Deploying Web Application Proxy behind a firewall adds network level protection and reduces the attack surface of the Web Application Proxy servers. If the Web Application Proxy server is located in front of a firewall that separates it from the corporate network, you must make sure that the firewall does not block traffic to URLs configured for the backend servers. This could be over HTTP or HTTPS and on any specified port.

3.3  Load Balancing

Web Application Proxy does not include integrated load-balancing functionality. If you plan to deploy multiple Web Application Proxy servers, you should consider deploying a load-balancer to ensure that the external traffic is distributed evenly between Web Application Proxy servers. You can use any hardware or software load-balancer that supports HTTP and HTTPS, including Windows Network Load Balancing.

You can also configure a load-balancer for published web applications. That is, you can deploy a load-balancer between the Web Application Proxy servers and the published web application. You can use any hardware or software load-balancer that supports HTTP and HTTPS, including Windows Network Load Balancing.

3.4  Name resolution

DNS planning requirements for Web Application Proxy include the following:

·  Web Application Proxy requires internal name resolution through your internal DNS infrastructure to resolve the names of backend servers, and of infrastructure servers such as the AD FS server. Using hosts file entries to provide name resolution of internal servers is also possible, although it is not recommended from a manageability perspective.

·  When publishing web applications via Web Application Proxy, every web application you publish requires an external URL. For clients to reach these web applications, a public DNS server must be able to resolve each external URL that you configure. Note that the external URL must resolve to the external IP address of the Web Application Proxy server, or the external IP address of a firewall or load-balancer placed in front of the Web Application Proxy server.

3.5  Certificates

To successfully publish AD FS services and establish SSL connectivity with Active Directory Federation Services, the Web Application Proxy must be configured with a public certificate that contains the FQDN of the AD FS service. If you plan to publish web service URLs for other applications such as Lync and Exchange, the Web Application Proxy must be configured with a public certificate that contains the web service FQDNs of those applications.

It is possible to use a single certificate to publish all web services via the Web Application Proxy. However, for the purposes of this document, the Web Application Proxy server will be configured with two public certificates. One certificate will be used for the ADFS Proxy service certificate, while the other certificate will be used to publish web services for Lync, Exchange, and Office Web Apps. For more information, see Planning to Publish Applications Using Web Application Proxy.

To successfully publish Lync Web Services URLs for external access, a public web server certificate must be installed on the Web Application Proxy server. This certificate should be configured with the published external web service fully qualified domain names (FQDNs) of each pool that is home to users that are enabled for remote access. The subject alternative name value from this certificate must also contain the meeting simple URL, the dial-in simple URL, the web scheduler simple URL, and external Autodiscover Service URL.

The root certification authority certificate and any intermediate certification authority certificates from the CA that issued the public certificate must be installed on the Web Application Proxy server. Likewise, certificates from internal Enterprise or Standalone certificate authorities should be installed on the Web Application Proxy server.

The following table describes how the public certificate should be configured for publishing the various web services that are consumed by the Lync 2013 client:

Certificate values required for this scenario

Web Application Proxy Certificate

Subject Name (CN):
  meet.fabrikam.com             Meet Simple URL

Subject Alternative Name (SAN):
  meet.fabrikam.com             Meet Simple URL
  dial-in.fabrikam.com          Dial-In Simple URL
  scheduler.fabrikam.com        Web Scheduler Simple URL
  lyncdiscover.fabrikam.com     External Lync Autodiscover URL
  lyncweb01.fabrikam.com        External Lync Web Services FQDN
  wacweb01.fabrikam.com         External Office Web Apps URL
  autodiscover.fabrikam.com     Exchange Autodiscover URL
  mail.fabrikam.com             External Exchange Web Services FQDN
  *.fabrikam.com                Wildcard for fabrikam.com URLs (optional)

For more details on Lync Server 2013 specific certificate requirements for reverse proxy servers, please see Request and configure a certificate for your reverse HTTP proxy in Lync Server 2013.

Note: It is not supported to use a certificate with a wildcard entry as the subject name (also referred to as the common name or CN) in Lync Server 2013. If you need to use wildcard values on your reverse proxy certificate, the wildcard values must appear in the list of subject alternative names on the certificate assigned to the Web Application Proxy server.

For more information about using wildcard certificates in Lync Server 2013, please see Wildcard certificate support in Lync Server 2013.

3.6  Authentication

Although Web Application Proxy supports several authentication methods, pass-through authentication should be used for publishing any web service URL that is used by the Lync client. In environments where both Lync Server and Exchange Server are deployed, Web Application Proxy should be configured to use pass-through authentication for both Lync and Exchange web services URLs.

4  Installation and Configuration

The following section describes how to install and configure the Web Application Proxy feature.

4.1  Networking configuration

The Web Application Proxy server should be configured with two network adapters:

·  External (Internet facing network adapter)

·  Internal (Corporate Network facing network adapter)

Note: The external network adapter should be configured with a default gateway value and external DNS server values. The internal network adapter should be configured only with an internal DNS server. The internal network adapter should not be configured with a default gateway value; connectivity to internal subnets should instead be provided through the use of persistent routes.

4.2  DNS Suffix

The DNS suffix value on the Web Application Proxy server should be configured to match the internal DNS name from Active Directory, as shown in the following image.

DNS Suffix and NetBIOS Computer Name dialog

4.3  Internal Name Resolution

To provide name resolution for internal servers, the internal network adapter on the Web Application Proxy should be configured with the IP address of an internal DNS server. Alternatively, the Web Application Proxy server can be configured with a hosts file that contains the fully qualified domain name (FQDN) of all Lync simple URLs, the Lync autodiscover FQDN, and the internal Lync Web Services FQDN of each pool that will be published for external access.

An example Hosts file
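The following PowerShell script is an added example, not part of the whitepaper, that carries out sections 4.1 to 4.3 on a Web Application Proxy server: it gives the external adapter a default gateway and external DNS servers, gives the internal adapter internal DNS only with persistent routes instead of a gateway, sets the primary DNS suffix, seeds a hosts file for the published Lync names, and then checks that the internal adapter carries no default route and that each internal name resolves. The adapter aliases, IP addresses, routes, DNS suffix and FQDNs are all assumed values for illustration.

```powershell
# Added example (not from the whitepaper): two-adapter networking for a Web
# Application Proxy server as sections 4.1 to 4.3 describe. Every adapter alias,
# address, prefix and FQDN below is an assumption; replace it with your own.
# Run in an elevated PowerShell session on the Web Application Proxy server.

$External = 'External'   # assumed adapter aliases (set with Rename-NetAdapter)
$Internal = 'Internal'

# --- External adapter: address, default gateway and external DNS servers ---
New-NetIPAddress -InterfaceAlias $External -IPAddress '203.0.113.10' `
    -PrefixLength 24 -DefaultGateway '203.0.113.1' | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $External -ServerAddresses '198.51.100.53'

# --- Internal adapter: address and internal DNS only, deliberately NO gateway ---
New-NetIPAddress -InterfaceAlias $Internal -IPAddress '192.0.2.10' -PrefixLength 24 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Internal -ServerAddresses '10.0.0.53'

# Reach the internal subnets through persistent routes via the internal router
# (assumed next hop). New-NetRoute writes to the persistent store as well, so the
# routes survive a reboot.
foreach ($Prefix in '10.0.0.0/8', '172.16.0.0/12') {
    New-NetRoute -DestinationPrefix $Prefix -InterfaceAlias $Internal -NextHop '192.0.2.1' | Out-Null
}

# --- Primary DNS suffix (section 4.2): must match the internal AD DNS name ---
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $TcpipParams -Name 'NV Domain' -Value 'corp.fabrikam.com'
Set-ItemProperty -Path $TcpipParams -Name 'Domain'    -Value 'corp.fabrikam.com'
# A reboot is required before the new suffix takes effect.

# --- Optional hosts file (section 4.3) for the published Lync names ---
# Assumed internal addresses of the Front End pool; only add lines not already present.
$HostsPath   = "$env:SystemRoot\System32\drivers\etc\hosts"
$LyncEntries = @(
    '10.0.0.20  lyncdiscover.fabrikam.com'
    '10.0.0.20  meet.fabrikam.com'
    '10.0.0.20  dial-in.fabrikam.com'
    '10.0.0.20  scheduler.fabrikam.com'
    '10.0.0.21  lyncweb01.fabrikam.com'   # Lync Web Services FQDN of the pool
)
$Existing = @(Get-Content -Path $HostsPath)
$LyncEntries | Where-Object { $Existing -notcontains $_ } | Add-Content -Path $HostsPath

# --- Checks worth running before publishing anything ---
# 1. The internal adapter must not carry a default route.
$InternalDefault = Get-NetRoute -InterfaceAlias $Internal -DestinationPrefix '0.0.0.0/0' `
    -ErrorAction SilentlyContinue
if ($InternalDefault) {
    Write-Warning 'Internal adapter has a default gateway; remove it and rely on persistent routes.'
}
# 2. Every published internal name must resolve through the hosts file or internal DNS.
#    [System.Net.Dns] honours the hosts file, whereas Resolve-DnsName queries DNS directly.
foreach ($Name in 'lyncdiscover.fabrikam.com', 'meet.fabrikam.com', 'lyncweb01.fabrikam.com') {
    try   { "$Name -> $([System.Net.Dns]::GetHostAddresses($Name)[0])" }
    catch { Write-Warning "$Name does not resolve on this server" }
}
```

The two checks at the end are the ones that catch the common mistakes in this setup: a default gateway left on the internal adapter (which sends Internet-bound replies out the wrong interface) and a published name that resolves externally but not from the proxy itself.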

4.4  Importing Certificates

The public certificate that will be used for the ADFS Proxy service must be imported with the private key to the Personal Store on the Web Application Proxy server. Import the issuing root CA certificate into the Trusted Root Certification Authorities container and any intermediate CA certificates into the Intermediate Certification Authorities container.

The public certificate that will be used to publish Lync Web Services must be imported with the private key to the Personal Store on the Web Application Proxy server. Import the issuing root CA certificate into the Trusted Root Certification Authorities container and any intermediate CA certificates into the Intermediate Certification Authorities container.

Lastly, import the internal Enterprise or Standalone CA certificates into the Trusted Root Certification Authorities container and any internal intermediate CA certificates into the Intermediate Certification Authorities container.
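The following PowerShell script is an added example, not part of the whitepaper, that performs the imports described in section 4.4 and then validates the Lync publishing certificate against the requirements in section 3.5: private key present, no wildcard subject name, every required FQDN covered by the SAN list (directly or by an optional wildcard SAN entry), and a chain that builds from the imported CA certificates. The file paths and the PFX password prompt are assumptions; the FQDN list mirrors the section 3.5 table.

```powershell
# Added example (not from the whitepaper): import the two public certificates and
# the CA chain (section 4.4), then check the Lync publishing certificate against
# the section 3.5 name requirements. File paths are assumptions.
# Run in an elevated PowerShell session on the Web Application Proxy server.

$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Certificates with private keys belong in the computer's Personal (My) store.
$AdfsCert = Import-PfxCertificate -FilePath 'C:\certs\adfs-proxy.pfx' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword |
    Where-Object { $_.HasPrivateKey } | Select-Object -First 1
$LyncCert = Import-PfxCertificate -FilePath 'C:\certs\lync-publishing.pfx' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword |
    Where-Object { $_.HasPrivateKey } | Select-Object -First 1

# Public and internal root CAs -> Trusted Root; intermediate CAs -> Intermediate CAs.
Import-Certificate -FilePath 'C:\certs\public-root.cer'         -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath 'C:\certs\public-intermediate.cer' -CertStoreLocation 'Cert:\LocalMachine\CA'   | Out-Null
Import-Certificate -FilePath 'C:\certs\internal-root.cer'       -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Names the Lync publishing certificate must carry (from the section 3.5 table).
$RequiredNames = @(
    'meet.fabrikam.com', 'dial-in.fabrikam.com', 'scheduler.fabrikam.com',
    'lyncdiscover.fabrikam.com', 'lyncweb01.fabrikam.com', 'wacweb01.fabrikam.com'
)

function Test-LyncPublishingCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$RequiredDnsNames
    )
    $problems = @()
    # DnsNameList is filled from the SAN extension by the PowerShell certificate provider.
    $sans = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() })
    $cn   = ($Certificate.Subject -split ',' | Where-Object { $_.Trim() -like 'CN=*' } | Select-Object -First 1)
    $cn   = if ($cn) { ($cn.Trim() -replace '^CN=', '').ToLowerInvariant() } else { '' }

    if (-not $Certificate.HasPrivateKey) { $problems += 'private key is missing' }
    if ($cn.StartsWith('*'))             { $problems += "wildcard subject name '$cn' is not supported for Lync Server 2013" }
    if ($Certificate.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "certificate expires $($Certificate.NotAfter)" }

    foreach ($name in $RequiredDnsNames) {
        $lower = $name.ToLowerInvariant()
        $wild  = '*.' + ($lower -replace '^[^.]+\.', '')   # e.g. *.fabrikam.com
        if (($sans -notcontains $lower) -and ($sans -notcontains $wild)) {
            $problems += "SAN does not cover $name"
        }
    }
    # The chain must build from the root and intermediate CA certificates imported above.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build: $status"
    }
    return $problems
}

$issues = @(Test-LyncPublishingCertificate -Certificate $LyncCert -RequiredDnsNames $RequiredNames)
if ($issues.Count -eq 0) {
    "Lync publishing certificate $($LyncCert.Thumbprint) meets the section 3.5 requirements"
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Run the same function against $AdfsCert with the AD FS service FQDN as the only required name to confirm the second certificate before continuing to section 4.6.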

4.5  Installing the Web Application Proxy feature

To install the Web Application Proxy feature, open a Windows PowerShell console, and then run the following cmdlet:

Install-WindowsFeature Web-Application-Proxy, RSAT-RemoteAccess-Mgmt, RSAT-RemoteAccess-PowerShell, GPMC, CMAK

4.6  Configure the Web Application Proxy feature

After the cmdlet to install the feature finishes, perform the following steps to complete the configuration of the Web Application Proxy feature.