Comments on Ken's Unified Communications Blog: Lync External Web Services without Reverse Proxy
Blog author: Ken Lasko. Comment feed last updated 2024-03-20. Comments are listed newest first.

----------------------------------------------------------------------
Matt (2012-03-23 11:55 -04:00):

I've set this up today with separate certificates and it works great.

Thanks a lot for the advice!

Matt

----------------------------------------------------------------------
Ken Lasko (2012-03-23 09:35 -04:00):

Hey Matt,
You will need a cert with your simple URLs (dialin/meet) as well as the external web services FQDN (as defined in your topology). If you want, you can combine all the certs for the edge and the front-end into one, but I find that it's easier to keep them separate.

Ken
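As an added, offline check of Ken's answer above (this is example code, not from the thread, from Ken or from Microsoft): given the External Web Services FQDN from Topology Builder and the simple URLs, it lists which required names a certificate's SAN list does not cover, so a cert that only carries the front-end's internal FQDN is caught before it is assigned. The contoso.com names are made up; wildcard SANs are accepted under RFC 6125 rules (one leftmost label), which is an assumption about what your clients will accept, not something the thread states.

```python
"""Check that a certificate's Subject Alternative Names cover every name the
Lync external web services present: the External Web Services FQDN from the
topology plus the host part of each simple URL (meet, dialin).

Added example, not part of the original thread. The contoso.com names are
constructed; paste your own topology values and the SAN list from the cert.
"""
from urllib.parse import urlsplit


def _canon(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons follow DNS rules."""
    return name.strip().lower().rstrip(".")


def required_names(external_web_fqdn: str, simple_urls) -> set:
    """DNS names that must be covered by the external web services certificate."""
    names = {_canon(external_web_fqdn)}
    for url in simple_urls:
        host = urlsplit(url).hostname          # simple URLs are full URLs
        if not host:
            raise ValueError(f"simple URL has no host name: {url!r}")
        names.add(_canon(host))
    return names


def san_matches(san: str, host: str) -> bool:
    """Exact match, or a leftmost '*' label standing for exactly one label
    (RFC 6125): '*.contoso.com' covers meet.contoso.com but covers neither
    contoso.com nor a.b.contoso.com."""
    san, host = _canon(san), _canon(host)
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]                       # ".contoso.com"
        head = host[: -len(suffix)] if host.endswith(suffix) else None
        return bool(head) and "." not in head
    return False


def missing_names(cert_sans, external_web_fqdn: str, simple_urls) -> list:
    """Required names the certificate does not cover; empty means it will do."""
    needed = required_names(external_web_fqdn, simple_urls)
    return sorted(n for n in needed
                  if not any(san_matches(s, n) for s in cert_sans))


if __name__ == "__main__":
    # Constructed topology values and SAN lists as they might be pasted from
    # the certificate details; the internal FE name alone is the classic mistake.
    EXT_WEB = "lyncweb.contoso.com"
    SIMPLE_URLS = ["https://meet.contoso.com", "https://dialin.contoso.com"]
    for sans in (["lyncfe01.contoso.local"],
                 ["lyncweb.contoso.com", "meet.contoso.com"],
                 ["*.contoso.com"]):
        print(sans, "-> missing:", missing_names(sans, EXT_WEB, SIMPLE_URLS) or "none")
```

Run it with the SAN list copied from the certificate you are about to assign; any name it reports is one the Lync Web App or a mobile client will fail to validate when it is redirected to that host.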
----------------------------------------------------------------------
Matt (2012-03-22 12:32 -04:00):

Hi Ken,

Thanks for this blog! We've configured our environment without the reverse proxy as you have documented, but we've initially used internally published certificates. We are now about to purchase public certs. My question is: do I need to include all simple URLs when replacing the web services external certificate, or just the dialin and meetnow? Also, if I purchase a certificate for the edge including all these SANs, would I be able to use this on both edge and front end?

I hope that isn't a dumb question!

Many thanks in advance.

Matt

----------------------------------------------------------------------
Ken Lasko (2012-03-14 12:41 -04:00):

You can log into Lync internally without an edge server. However, if you want to log onto Lync from the Internet, an edge server is a requirement.

Ken

----------------------------------------------------------------------
Anime Series (2012-03-12 07:38 -04:00):

Hi everybody,

I am new to Lync communication. Is it possible to log in with the Lync client without a Lync Edge? My server is lyncfe.contosto.com, where I have created a user. Can I log in directly to this end?

----------------------------------------------------------------------
Anonymous (signed dug) (2012-03-01 05:12 -05:00):

Hey Ken,
Yes, I do have a dedicated external IP for my meet and dialin, and it points to one of our routers, behind which our main LAN/domain sits (containing our DC & Lync FE). Both the internal and external meet IIS sites on the Lync FE are on internal IPs (192.168.0.*).

I do have more external IPs at my disposal. Are you saying that the external meet IIS site on the Lync FE should be on an external-facing IP to receive 443 meet requests, and that the internal meet IIS site should be on the internal-facing IP? Wouldn't this basically be the same network config as the Lync Edge? It certainly isn't advisable to expose an internal domain-joined server directly out to the internet, is it?

Many thanks again,
dug.

----------------------------------------------------------------------
Ken Lasko (2012-02-29 12:14 -05:00):

Hi Dug,
Yes, you've got the config/principle idea down regarding routing directly to the front-end. However, in your situation you're trying to share the same IP address with multiple internal servers. A router isn't going to be able to route incoming traffic from one external IP to more than one internal server. I assume that you've got a dedicated external IP address mapped to meet/dialin. In your situation, if external IPs are not available, I would recommend installing TMG, which is the supported way of doing this anyway.

Ken

----------------------------------------------------------------------
Anonymous (signed dug) (2012-02-29 10:32 -05:00):

Hey Ken, thanks for your quick response. I think I might be a little confused, as I thought that I was trying to achieve what you were referencing in your article.

From my interpretation the Lync front end and my DC are naturally behind the same external IP, as they belong to the same domain. My Lync edge has a different external IP, and is internally connected to the domain. An external meeting request on 443 (say meet.domain.com) will reach my host's DNS panel and find that meet.domain.com goes to the external IP for my domain (let's say 82.10.234.5); then my external-facing router will have to forward any 443 requests to either my DC (let's say 192.168.0.1) OR my Lync Front End's IIS external site IP (let's say 192.168.0.9).

When my router sends 443 requests to my DC the meeting fails, but when the router sends 443 requests to the Lync Front End, the meeting succeeds.

Would this not be the same config/principle as the one you reference in your article? Would this company not also need 443 going to their Exchange server for OWA etc., as well as the Lync Front End?

Thanks in advance for any more input; otherwise it's going to be back to the drawing board... I certainly don't fancy a TMG install!

dug.

----------------------------------------------------------------------
Ken Lasko (2012-02-28 12:37 -05:00):

Hi Dug,
It sounds like you're trying to use a single external IP address to route to multiple servers/services. Sorry, but that's not going to work very well without a reverse proxy solution. A reverse proxy solution like TMG will be able to route 443 requests to different servers based on the target host name. Most firewalls won't be able to do that.

Ken

----------------------------------------------------------------------
Anonymous (signed dug) (2012-02-28 09:46 -05:00):

Hi Ken.

I've followed your article to work around the reverse proxy issue, and so now have one NIC with two IPs, for the internal and external IIS websites on 80/443. However, the only way that I can successfully create an "external" meeting is when I forward port 443 from the router direct to my Lync front end server. Unfortunately this is not a long-term solution for me, as our DC needs port 443 going to it for OWA etc.

I've briefly messed about with URL rewrites on the IIS of our DC, but I kind of feel that I'm barking up the wrong tree. Could you point me in the right direction? Do I need/should I have 443 going directly to the front end server for external meetings to work? Do I need a router that can port-forward to multiple LAN IPs?

Thanks in advance,

dug.
----------------------------------------------------------------------
Anonymous (signed Amit) (2012-02-10 02:30 -05:00):

Hi Ken,

I have tried so many attempts and am not able to install a 3rd-party certificate for Lync External Web Services.

Please advise me how I can install a 3rd-party certificate in Lync.

Thanks
Amit

----------------------------------------------------------------------
Brent Mammen (2012-02-08 17:21 -05:00):

Robert, you are correct, the example that I provided was for the ASA pre-8.3.

Thanks for providing the 8.3 example!
Brent

----------------------------------------------------------------------
Anonymous (2012-02-06 16:07 -05:00):

Ken, regarding your statement about Mobility: I am in the design phase and have a single FE Standard with a single IP and port forwarding on the firewall. It seems from the MS docs that the mobility URL always resolves to the external web services, presumably because our phones are not domain-joined and most internal services utilize the domain CA. My question is, how do I ensure that I get my mobile devices to resolve to the external domain without hairpinning through the firewall? It seems like it may be necessary to set up the external services on a second IP, since they are hosted on 8080 and 4443 by default. Without going through the firewall I don't see a way of translating those.

----------------------------------------------------------------------
Anonymous (2012-02-06 13:56 -05:00):

Brent,

Keep in mind your configuration is ASA version dependent. 8.3 and beyond have a different NAT command set and reference the real IP in ACLs. Using your information the config would look something like this.

    object network obj-192.168.1.100-HTTP
     host 192.168.1.100
    object network obj-192.168.1.100-SSL
     host 192.168.1.100

    object network obj-192.168.1.100-HTTP
     nat (inside,outside) static 66.77.88.100 service tcp 8080 www
    object network obj-192.168.1.100-SSL
     nat (inside,outside) static 66.77.88.100 service tcp 4443 https

    ! 8.3+: the ACL is written against the real (inside) address and port
    access-list acl-outside extended permit tcp any host 192.168.1.100 eq 8080
    access-list acl-outside extended permit tcp any host 192.168.1.100 eq 4443

    ! bind the ACL by the name defined above (the post bound outside_acl, which is not defined here)
    access-group acl-outside in interface outside

----------------------------------------------------------------------
Brent Mammen (2012-02-06 11:17 -05:00):

For anyone who might be interested, here's an example of how I've set up Lync Web Services through a Cisco ASA without a reverse proxy server, using the default 8080 & 4443 ports on a Lync Standard Edition Front-End server.

In this example we will use the following IP addresses:

    Lync Standard Edition Front-End: 192.168.1.100
    External Public IP address to be translated to the Front End Server: 66.77.88.100

The commands would look like this:

    ! pre-8.3: static PAT maps public 80/443 to the Front-End's 8080/4443
    static (inside,outside) tcp 66.77.88.100 www 192.168.1.100 8080 netmask 255.255.255.255
    static (inside,outside) tcp 66.77.88.100 https 192.168.1.100 4443 netmask 255.255.255.255

    ! pre-8.3: the ACL is written against the mapped (public) address and port
    access-list outside_acl extended permit tcp any host 66.77.88.100 eq https
    access-list outside_acl extended permit tcp any host 66.77.88.100 eq www

    access-group outside_acl in interface outside

This configuration seems to work fine, and allows the Web Services (including the address book) to be pulled directly from the Front-End server; however, it is suggested that you use a Reverse Proxy like TMG. Also, be sure to have the Web Services URL in the SAN list on your Front-End certificate.

Hope this helps.
Brent
Penton Media
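An added example covering the two ASA configurations above (it is not configuration from Brent, Robert or Cisco): from one port map it emits the pre-8.3 and the 8.3+ form of the publishing rules, applying the rule Robert pointed out, that pre-8.3 ACLs name the mapped (public) address and port while 8.3+ ACLs name the real (inside) address and port, and it lints the result for an access-group that binds an ACL name no access-list ever defined, the easiest mistake to make when copying between the two syntaxes. The addresses are the ones Brent used; the object and ACL names are my own choice.

```python
"""Generate the Cisco ASA lines that publish a Lync Front-End's external web
site (8080/4443) as 80/443 on a public address, in pre-8.3 and 8.3+ syntax,
and check that every access-group binds an ACL that was actually defined.

Added example, not configuration from the thread or from Cisco. Addresses
follow Brent's post; object and ACL names are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Names the ASA CLI uses for these well-known ports.
PORT_NAMES = {80: "www", 443: "https"}


@dataclass(frozen=True)
class PortMap:
    mapped_port: int  # port clients hit on the public address
    real_port: int    # port the Lync external web site listens on


def port_name(port: int) -> str:
    return PORT_NAMES.get(port, str(port))


def asa_pre83(real_ip, mapped_ip, maps, acl="outside_acl"):
    """Pre-8.3: 'static' PAT; the ACL is written against the *mapped* IP/port."""
    lines = [
        f"static (inside,outside) tcp {mapped_ip} {port_name(m.mapped_port)} "
        f"{real_ip} {port_name(m.real_port)} netmask 255.255.255.255"
        for m in maps
    ]
    lines += [
        f"access-list {acl} extended permit tcp any host {mapped_ip} "
        f"eq {port_name(m.mapped_port)}"
        for m in maps
    ]
    lines.append(f"access-group {acl} in interface outside")
    return lines


def asa_83plus(real_ip, mapped_ip, maps, acl="outside_acl"):
    """8.3+: object NAT; the ACL is written against the *real* IP/port."""
    lines = []
    for m in maps:
        obj = f"obj-{real_ip}-{m.real_port}"   # one object per static service NAT
        lines += [
            f"object network {obj}",
            f" host {real_ip}",
            # 'service tcp <real_port> <mapped_port>': real port comes first
            f" nat (inside,outside) static {mapped_ip} "
            f"service tcp {port_name(m.real_port)} {port_name(m.mapped_port)}",
        ]
    lines += [
        f"access-list {acl} extended permit tcp any host {real_ip} "
        f"eq {port_name(m.real_port)}"
        for m in maps
    ]
    lines.append(f"access-group {acl} in interface outside")
    return lines


_ACL_DEF = re.compile(r"^\s*access-list\s+(\S+)\s")
_ACL_BIND = re.compile(r"^\s*access-group\s+(\S+)\s")


def unbound_acls(lines):
    """ACL names referenced by access-group but never defined by access-list."""
    defined, bound = set(), set()
    for line in lines:
        if m := _ACL_DEF.match(line):
            defined.add(m.group(1))
        if m := _ACL_BIND.match(line):
            bound.add(m.group(1))
    return sorted(bound - defined)


# Lync external web site defaults: public 80 -> 8080, public 443 -> 4443.
LYNC_WEB = [PortMap(mapped_port=80, real_port=8080),
            PortMap(mapped_port=443, real_port=4443)]

if __name__ == "__main__":
    for title, fn in (("pre-8.3", asa_pre83), ("8.3+", asa_83plus)):
        cfg = fn("192.168.1.100", "66.77.88.100", LYNC_WEB)
        print(f"! ASA {title}")
        print("\n".join(cfg))
        print("! unbound ACLs:", unbound_acls(cfg) or "none", "\n")
```

The generator only covers the publishing rules themselves; as Brent notes, the Front-End certificate still has to carry the external web services name, and this does not replace a reverse proxy's host-name based routing, which is the limitation Ken describes for a single public IP.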
----------------------------------------------------------------------
Ken Lasko (2012-02-06 09:29 -05:00):

Hi Robert,
Yes, setting it up the way you describe will work... for IM. However, all other modes (desktop sharing/audio/video) won't work, and that's why you need an edge server. There are lots of good reasons for this (mostly around networking and NAT), but there isn't any way of getting Lync working properly externally without an edge.

Also, Mobility works because it doesn't actually use the edge for anything. It's all HTTP/HTTPS and goes either via a reverse proxy or direct to the front-end.

Ken

----------------------------------------------------------------------
Robert (2012-02-03 16:22 -05:00):

Lync Mobility is working with our current setup as well.

----------------------------------------------------------------------
Robert (2012-02-03 15:25 -05:00):

Hi Ken,
Can you tell me why the Edge server is a requirement for external conferencing? We have firewall rules for NAT and port access, and all the necessary ports are open. The server should end up seeing the external clients as internal, correct? I know it's not recommended, but it seems that it should be possible to do a Standard single-server deployment and get internal/external access. Our certificates are set up for all names. IM works externally but desktop sharing does not.

Thanks,
Robert

----------------------------------------------------------------------
Anonymous (2012-02-02 14:23 -05:00):

Ugh!! I feel stupid! Sure enough, that's what it was. Also, I realized that my tests may not have actually been from the outside, though I thought I was connected externally. Thanks for your help again. You at least got me thinking.

----------------------------------------------------------------------
Anonymous (2012-02-02 14:14 -05:00):

Hey Ken,

Just checked the Ext Web Serv FQDN and it's pointing to LyncWeb.domain.com and listening on ports 8080/4443, forwarded on the firewall as stated before.

I did notice that I don't have an external DNS record for it. Could that be it? Sounds like it should; some IT guy I am, huh?!?

----------------------------------------------------------------------
Ken Lasko (2012-02-02 12:28 -05:00):

Hey Manny,
I suspect that the cause might be that your external web services FQDN is set incorrectly. Use the Topology Builder to check what it says. You'll see it in the properties of the front-end server. The External Web Services FQDN should be an externally accessible FQDN. I suspect you'll see that it's pointing to your front-end's internal FQDN.

Ken

----------------------------------------------------------------------
K Hamid (signed Greenman) (2012-02-02 10:03 -05:00):

Hello Ken,
I want to set up the Lync mobility feature in my environment, which is as follows.
Hello Friends,

First, here is a little information about the environment I have.

A: I have 1 Front End Lync server with 1 NIC.

B: I have 1 Edge server with 2 NICs configured.

I plan to set up Lync Mobility and I have checked all the prerequisites in the documentation, but I am a little confused about the DNS Autodiscover record. I know I need to create 2 new DNS records, internal and external, for Autodiscover.

My main questions are:

1. The internal Autodiscover record should point to the internal IP of the Lync server.

2. There are 3 IPs mapped publicly for the Edge server (webconf, av and sip), so to which A record/public IP of the Edge server should the external Autodiscover record for mobility point in order to work fine?

3. Since I am using a public CA and a local CA for both the Lync and Edge servers, do I need to edit any public CA, either for Lync or Edge?

Do you THINK I can set up Lync mobility without configuring any reverse proxy?
Your cooperation will be appreciated.

Thanks,

Greenman

----------------------------------------------------------------------
Anonymous (signed Manny) (2012-02-01 15:17 -05:00):

Thanks for replying, Ken. I have double-checked what you suggested and they are all in place. I even went to IIS7 to check the Lync Server External Web Site and made sure it had the 3rd-party cert bound to it as well (aside from checking in the Deployment Wizard Certificate Wizard).

Everything is working, including application sharing. What happens is that I click the meeting link (https://lync.domain.com/meet/user/T5SRB78J) in an email, so the browser opens to that page as normal; then the Lync Web App opens in a separate window, and HERE is where the issue comes up.

The URL is now changed to something along the lines of https://lyncFEserver.domain.local/Reach/Client/WebPages/ReachClient.aspx.../. So naturally that domain isn't trusted outside, as it's internal. How come the URL got switched? I guess I don't know where to go from here and hoped that you did, you being a Jedi and all. :-)

Thanks,
Manny

----------------------------------------------------------------------
zep (2012-02-01 01:15 -05:00):

Hi Ken, hi people!
I have a problem with our Lync configuration and external user access.
External user access is all OK, except desktop sharing.
Desktop sharing is OK if I go online over a USB internet stick connection, so I get a public IP directly on my laptop.
But if I go online over a LAN connection (e.g. at home, or Wi-Fi tethering over my mobile) and I get an internal IP from my private LAN, desktop sharing does not function anymore.
If I try to establish a desktop sharing session from my private LAN, I get the notification on my laptop inside our company LAN. I confirm the request, but after a few seconds I get an error: "Failed to connect due to network issues. Try again later."
Does anyone have a hint for me?
Thanks!
zep

----------------------------------------------------------------------
Ken Lasko (2012-01-31 13:30 -05:00):

Hey Anonymous,
Yes, the edge gets topology updates via 4443. The edge doesn't have to talk to the front-end over that same port. All replication is triggered by the front-end. So, any changes to the web services port won't affect edge communication.

Ken