Monday, January 24, 2011

Lync External Web Services without Reverse Proxy

PLEASE NOTE:  While the procedures below have worked in a Lync 2010 environment, they may not work in Lync 2013 or Skype for Business.  It is HIGHLY recommended to employ a reverse-proxy solution.  Opening up an internal domain-joined computer to the Internet can be a recipe for disaster. I myself have only done this procedure once, and have since made a reverse proxy mandatory for customers looking for help from me. Not only that, but I've heard from some that the mobility features do not work using the alternate IP method.  If you find yourself in that situation, please be aware that Microsoft (and any consulting company worth their salt) WILL NOT support this method.  Also, this is not a substitute for deploying an edge server.  If you want external connectivity to work, you MUST deploy an edge server.  There is no other way, supported or not.  Caveat emptor.

And now on with the show....

While working on a Lync deployment for a small customer, it came up during the planning stages that they didn't have a reverse proxy server (like ISA/TMG) to publish the Meet/Dialin simple URLs and web components URL, nor were they planning to. In the past, I had tried to make OCS work without a reverse proxy, but some things just didn't work right. After advising them about the risks involved with opening up an internal domain-joined computer to the Internet, I told them I would try to make Lync work without a reverse proxy, but cautioned that it may not work.

Lync installation creates two IIS web sites on the front-end server: Lync Server Internal Web Site and Lync Server External Web Site. As the names suggest, each site is configured for either internal or external access. The internal site is bound to ports 80/443, while the external site is bound to 8080/4443. Microsoft's documentation says you should use a reverse proxy server to publish the external simple URLs and web components URL, forwarding ports 80/443 from the Internet to the front-end server on 8080/4443.

After a few unsuccessful tries at making their firewall proxy 80/443 to 8080/4443, I thought I would try to configure their front-end server with an additional IP address, and set up the Lync Server External Web Site with 80/443 on the new IP address. We updated the firewall rules to redirect 80/443 from the simple URL and web components URL external IP addresses to the new internal IP address over 80/443. We tested external client address book downloading, meeting/dialin URL access, and meeting content downloading. All worked without issue.

Before going the route of adding a new IP address, try to make your firewall redirect 80/443 to 8080/4443. If that works, you don't have to create the new IP. Please note that if you later add components such as the Lync Mobility Service, you may have to set the ports again, because the setup process appears to reset them to 8080/4443. Thanks to Coupon Flea Market for mentioning this in the comments.

One other thing to consider with this method is certificates. Since external users will be connecting directly to your front-end, you will need a certificate from a third-party trusted CA installed for the External Web Services. Start the Certificate Wizard from the Lync Deployment Wizard, and check ONLY Web services external (as shown below). Go through the wizard, making sure you have the right names selected for Meet/Dialin (it should pick them up from the topology). Obtain the certificate and install it. Everything should work fine after that.
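The binding change and the port-reset caveat above, as an added PowerShell example that is not from the original post. It assumes the IIS WebAdministration module (IIS 7 or later), the default Lync site names, and the placeholder address 192.0.2.10 standing in for the new internal IP on the front-end.

```powershell
Import-Module WebAdministration

$ExternalSite = 'Lync Server External Web Site'
$InternalSite = 'Lync Server Internal Web Site'
$ExternalIP   = '192.0.2.10'   # placeholder (documentation range); replace with the new IP on the front-end

function Get-SiteBindingInfo {
    param([string]$SiteName)
    # bindingInformation is "IP:Port:HostHeader"; "*" means all unassigned addresses
    Get-WebBinding -Name $SiteName | ForEach-Object {
        $ip, $port, $hostHeader = $_.bindingInformation -split ':'
        New-Object PSObject -Property @{ Protocol = $_.protocol; IP = $ip; Port = [int]$port; Host = $hostHeader }
    }
}

function Test-ExternalWebBindings {
    # Returns $true when the external site listens only on $ExternalIP over 80/443 and the
    # internal site does not also claim that address; writes a warning per problem found.
    $ok = $true
    $ext = @(Get-SiteBindingInfo $ExternalSite)
    foreach ($b in $ext) {
        if (@(8080, 4443) -contains $b.Port) { Write-Warning "$ExternalSite still on port $($b.Port); setup may have reset it"; $ok = $false }
        if ($b.IP -ne $ExternalIP) { Write-Warning "$ExternalSite binding $($b.IP):$($b.Port) is not on $ExternalIP"; $ok = $false }
    }
    if (-not ($ext | Where-Object { $_.Protocol -eq 'https' -and $_.Port -eq 443 })) {
        Write-Warning "$ExternalSite has no https binding on 443"; $ok = $false
    }
    foreach ($b in Get-SiteBindingInfo $InternalSite) {
        if ($b.IP -eq $ExternalIP) { Write-Warning "$InternalSite is also bound to ${ExternalIP}:$($b.Port); the internal site would be reachable from the Internet"; $ok = $false }
    }
    return $ok
}

function Set-ExternalWebBindings {
    # Replace the default 8080/4443 bindings with 80/443 on the dedicated IP. The certificate
    # for the new https binding is assigned afterwards with the Lync Certificate Wizard
    # (Web services external only), as the post describes.
    New-WebBinding -Name $ExternalSite -Protocol http  -IPAddress $ExternalIP -Port 80
    New-WebBinding -Name $ExternalSite -Protocol https -IPAddress $ExternalIP -Port 443
    Get-WebBinding -Name $ExternalSite | Where-Object { $_.bindingInformation -match ':(8080|4443):' } |
        ForEach-Object { Remove-WebBinding -Name $ExternalSite -Protocol $_.protocol -BindingInformation $_.bindingInformation }
}

if (-not (Test-ExternalWebBindings)) {
    Write-Host "Bindings do not match; run Set-ExternalWebBindings, then re-run the Lync Certificate Wizard."
}
```

Running Test-ExternalWebBindings on a schedule catches the case where a later setup pass has silently moved the external site back to 8080/4443.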

So, while a reverse proxy solution is still highly recommended for its ability to block malicious traffic before it reaches the front-end, you can make Lync work for external access by adding a new IP address to your internal Lync server and setting the bindings of the Lync Server External Web Site to use the new IP address over 80/443.

For a more general overview on how to configure Lync for external connectivity, see this post.