How to deploy a reverse proxy in a Skype for Business environment



Introduction

A reverse proxy (RP) server has no Skype for Business Server role, but it is an essential component of an Edge Server deployment. It lets you publish internal web services to the internet to enable the following features for external users:

  • Meeting join & PIN reset
  • Address book download
  • Share PowerPoint presentation in a meeting
  • Download meeting content
  • Expand distribution groups
  • Get user-based certificates for client certificate based authentication
  • Obtain updates to client and device software
  • Enable login for mobile devices

You can use any device (software or hardware based) to publish these internal web services. In this article, I explain some of the fundamentals of using Microsoft Application Request Routing (ARR) to configure a reverse proxy for Skype for Business\Microsoft Lync.

Reference Diagram

Firewall & Network Requirement of Reverse Proxy Servers

Servers\clients on the internal network must not be able to reach the IP addresses configured on the external interfaces of the reverse proxy servers, and vice versa.

Use static routes to enable communication from the internal interfaces of the reverse proxy servers to the internal servers\clients.

The internal interfaces of the reverse proxy servers must not have a gateway configured on them.

Reverse proxy servers communicate with the Office Web Apps server on TCP port 443 instead of 4443.

Add the following static routes on the reverse proxy servers.

Make sure that the internal network is unable to reach the IP addresses configured on the external interface. The external interface should have the gateway and DNS configured on it. You need to add persistent routes to allow traffic between the internal interface and the internal network.

route add -p x.x.x.0 mask 255.255.255.0 a.a.a.a

route add -p y.y.y.0 mask 255.255.255.0 a.a.a.a

Flow of Installation & Configuration

Installation of IIS

You can install IIS using either PowerShell or the GUI. In this example, we use Windows PowerShell to install IIS.

Launch PowerShell in elevated mode.

Run the following command in PowerShell.

Install-WindowsFeature -Name Web-Server, Web-Mgmt-Tools

As you can see in the output, a restart is not required.

Install URL Rewrite

Download URL Rewrite from this location and install it.

https://www.iis.net/downloads/microsoft/url-rewrite

Guidance on using IIS ARR as a reverse proxy for Lync Server\Skype for Business can be found at

https://blogs.technet.microsoft.com/nexthop/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013/

Host File on Reverse Proxy Server

Edit the hosts file on each reverse proxy server to contain a record for the Director, Standard Edition server, or Front End pool. If you are using DNS load balancing, include a line for each member of the next hop pool.

Test the External Web Services URL

Accessing https://externalwebfarmFQDN/abs should throw an HTTP challenge.

Accessing https://externalwebfarmFQDN/meet should display the troubleshooting page for conferencing.

Accessing https://externalwebfarmFQDN/GroupExpansion/service.svc should throw an HTTP challenge.

Accessing https://externalwebfarmFQDN/dialin should be directed to the dial-in page.

Accessing https://lyncdiscover.domain.com should prompt you to open a file.

Accessing https://officewebapps/hosting/discovery should display the XML page.
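
The checks above can be scripted so they are repeatable after every rule change. The following is an added example, not part of the original article: the host names are the article's placeholders, and mapping "HTTP challenge" to status 401 and a displayed page or file to status 200 is an assumption of this example.

```powershell
# Added example, not from the original article. Host names are the article's
# placeholders; replace them with your published FQDNs before running.
param(
    [string]$WebFarm       = 'externalwebfarmFQDN',
    [string]$LyncDiscover  = 'lyncdiscover.domain.com',
    [string]$OfficeWebApps = 'officewebapps'
)

# Windows PowerShell 5.1 may not negotiate TLS 1.2 by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Expected status per URL, following the article's test list (assumed mapping:
# "HTTP challenge" = 401, a displayed page or offered file = 200).
$checks = @(
    @{ Url = "https://$WebFarm/abs";                        Expect = 401 }
    @{ Url = "https://$WebFarm/meet";                       Expect = 200 }
    @{ Url = "https://$WebFarm/GroupExpansion/service.svc"; Expect = 401 }
    @{ Url = "https://$WebFarm/dialin";                     Expect = 200 }
    @{ Url = "https://$LyncDiscover";                       Expect = 200 }
    @{ Url = "https://$OfficeWebApps/hosting/discovery";    Expect = 200 }
)

function Get-HttpStatus([string]$Url) {
    try {
        # Redirects are followed, so /dialin reports the final page's status.
        [int](Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15).StatusCode
    } catch {
        # 4xx/5xx arrive as exceptions; the attached response carries the code.
        # With no response (DNS, TLS or certificate failure) return the message.
        $resp = $_.Exception.Response
        if ($resp) { [int]$resp.StatusCode } else { $_.Exception.Message }
    }
}

$results = foreach ($c in $checks) {
    $actual = Get-HttpStatus $c.Url
    [pscustomobject]@{
        Url      = $c.Url
        Expected = $c.Expect
        Actual   = $actual
        Pass     = ($actual -eq $c.Expect)
    }
}
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

Run it from a host outside the internal network, since internal clients are not supposed to reach the external interface of the reverse proxy.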


