Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 6: Forefront UAG Patching Order
The following features are available for external access through a UAG reverse proxy:
- Enabling external users to download meeting content for your meetings.
- Enabling external users to expand distribution groups.
- Enabling remote users to download files from the Address Book service.
- Accessing the Microsoft Lync Web App client.
- Accessing the Dial-in Conferencing Settings webpage.
- Accessing the Location Information service.
- Enabling external devices to connect to Device Update web service and obtain updates.
- Enabling mobile applications to automatically discover mobility URLs from the Internet.
Prerequisites:
- Lync Front End, Lync Director and Lync Edge are configured and operational for internal users
- Lync External Access Topology is published using Topology Builder
- Lync Server is configured for External User Access
- UAG server is installed and initial configuration is complete
- All service packs and hotfixes are installed on UAG and Lync Server.
Network Configuration:
Forefront UAG and Lync Edge must each have two NICs: an external network adapter and an internal network adapter.
DNS Configuration
The reverse proxy must be able to resolve the internal Director and next hop pool FQDNs used in the web publishing rules to IP addresses. As with the Edge Servers, for security reasons, we recommend that you do not have the reverse proxy or the Edge Servers query a DNS server located in the internal network. This means you either need DNS servers in the perimeter, or you need HOSTS file entries on the reverse proxy that resolve each of these FQDNs to the internal IP address of the servers.
DNS Name | Record Type | IP address | Purpose |
sip.xman.com.au | HOST (A) | Internal IP | Sip domain |
_sip_tls.xman.com.au | SRV record Port 5061 | Internal IP | used for Edge deployment separate to UAG |
meet.xman.com.au | HOST (A) | Internal IP | Meeting |
dialin.xman.com.au | HOST (A) | Internal IP | Dial-in |
discover.xman.com.au | HOST (A) | Internal IP | Discover |
webext.xman.com.au | HOST (A) | Internal IP | Common external Lync access |
UAGSRV.xman.com.au | HOST (A) | Internal IP | UAG server internal DNS |
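If you take the HOSTS file route, the following script, added here and not part of the original post, appends the web publishing FQDNs from the table above to the UAG server's HOSTS file and then checks that each name resolves to the internal address. The address 10.0.0.20 is a constructed placeholder for the internal Director or next hop pool IP; run it in an elevated PowerShell prompt on the UAG server.

```powershell
# Added example (not from the original post): populate the UAG server's HOSTS file
# with the internal FQDNs used by the web publishing rules and verify resolution.
$hostsFile  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$internalIp = '10.0.0.20'   # constructed placeholder: internal Director / next hop pool IP

# Web names from the internal DNS table; SRV records cannot live in a HOSTS file
$names = 'webext.xman.com.au', 'meet.xman.com.au', 'dialin.xman.com.au', 'discover.xman.com.au'

# Keep a timestamped backup before touching the file
Copy-Item $hostsFile "${hostsFile}.bak-$(Get-Date -Format yyyyMMddHHmmss)"

$existing = Get-Content $hostsFile
foreach ($name in $names) {
    # Skip names that already have an uncommented entry (any IP) so we never duplicate lines
    if ($existing -match "^\s*[^#\s]+\s+$([regex]::Escape($name))(\s|$)") {
        Write-Host "Entry already present for $name, skipping"
        continue
    }
    Add-Content -Path $hostsFile -Value "$internalIp`t$name`t# Lync publishing via UAG"
}

# Verify with System.Net.Dns, which honours the HOSTS file (nslookup queries DNS directly
# and would not show these entries)
foreach ($name in $names) {
    $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
    $state = if ($addrs -contains $internalIp) { 'OK' } else { 'MISMATCH' }
    '{0,-25} -> {1,-20} {2}' -f $name, ($addrs -join ','), $state
}
```

A MISMATCH line means the UAG server is resolving that name elsewhere (for example through a perimeter DNS server that returns the public address), which would make the publishing rule loop back out to the Internet.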
To create the public DNS records, have your ISP or public DNS provider point these public FQDNs at your premises: at the external NIC of the UAG server if there is no frontend firewall, or at your external router if UAG is behind a frontend firewall and placed in the perimeter network.
DNS Name | Record Type | IP address | Purpose |
webext.xman.com.au | HOST (A) | Publicly routable UAG External NIC IP (this name should resolve to the Front End or Director internally) | Lync external access |
meet.xman.com.au | CNAME | webext.xman.com.au | Lync meeting |
dialin.xman.com.au | CNAME | webext.xman.com.au | Lync Dial-in |
discover.xman.com.au | CNAME | webext.xman.com.au | Lync discover |
LyncUAG.xman.com.au | HOST (A) | Publicly routable UAG External IP Address | UAG external FQDN |
sip.xman.com.au | HOST (A) | Publicly routable Lync Edge External NIC IP (separate to UAG) | Lync External SIP domain |
Sipexternal.xman.com.au | CNAME | sip.xman.com.au (used for Lync Edge deployment separate to UAG) | CNAME of external SIP domain |
Common Name | Subject alternative name | Purpose | Issuer |
webext.xman.com.au | webext.xman.com.au | Pool FQDN | Public CA |
| meet.xman.com.au | Meeting simple URL | |
| dialin.xman.com.au | Dial-in simple URL | |
| discover.xman.com.au | External Autodiscover Service URL | |
NAT Requirements:
This section describes the NAT rules required when the UAG server is placed behind a frontend firewall.
NAT Rule | Source IP | Public IP | NATed Destination | Port |
1 | Any | Public IP of Lync web | UAG External NIC IP | 4443, 3478 |
2 | Edge External NIC | – | Internet/Extranet | 3478 |
3 | Internal Network | – | UAG Internal NIC IP | 4443,3478 |
Create a Lync Trunk
1. Start Forefront UAG.
2. Right-click HTTPS Connections and select New Trunk.
3. Name the trunk and enter the public hostname and IP address (this should match the DNS record created, i.e. LyncUAG.xman.com.au; this name must be different from the external name of the Lync Front End Pool). Click Next.
4. Select the Authentication Server for your domain by clicking Add. Click Next.
5. Select the Public Certificate you have obtained. Click Next.
6. Select the default option of Use Forefront UAG access policies. Click Next.
7. Select the Default Endpoint Policies. Click Next.
8. Click Finish.
Create Lync Web Services Application
1. Select the trunk created above.
2. Click Add under Applications.
3. Click Next.
4. Select Microsoft Lync Web App 2010 under Web. Click Next.
5. Enter a name for the application (i.e. LyncWeb). Click Next.
6. Leave the Endpoint Policies as default. Click Next.
7. Click Next.
8. Enter webext.xman.com.au under Addresses. This should resolve to the Front End (or Director) server from the UAG server, and it should also match the External Access URL set in the Lync Topology. Enter the same public host name. Click Next.
9. Uncheck Use SSO. Click Next.
10. Remove “dialin” from Application URL. Click Next.
11. Click Finish.
Create LyncDiscovery Application
1. In the same Trunk click Add under Applications.
2. Select Microsoft Lync Web App 2010. Click Next.
3. Enter a name for the application (i.e. LyncDiscovery). Click Next.
4. Click Next.
5. Enter webext.xman.com.au as the IP/Host and Discover as the public hostname. Click Next.
6. Uncheck Use SSO. Click Next.
7. Remove “dialin” from the application URL and click Next.
8. Click Next.
9. Click Finish.
The wizard will create two additional entries for meet and dialin in the LyncDiscovery application. Remove them by selecting each one and clicking Remove.
Additional Trunk Configuration
1. Click Configure under Trunk Configuration.
2. Select the Authentication tab. Uncheck Require users to authenticate at session logon.
3. Select the Session tab and check Disable component installation and activation and Disable scripting for portal applications.
4. Click OK.
Additional Registry Entry
Important! Modify the registry at your own risk.
1. Open Registry Editor
2. Navigate to HKLM\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter
3. Right-click and add two DWORD (32-bit) values, KeepClientAuthHeader and FullAuthPassthru, and set each value to 1.
4. Close the registry editor.
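The same change scripted in PowerShell, added here and not part of the original post: it refuses to run if the UAG key is absent, exports the key first so the change can be reverted, sets both values idempotently and reads them back. Run it from an elevated prompt on the UAG server.

```powershell
# Added example (not from the original post): set the two UrlFilter DWORD values
# described above and confirm them, keeping a .reg backup of the key first.
$key    = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter'
$values = 'KeepClientAuthHeader', 'FullAuthPassthru'

if (-not (Test-Path $key)) {
    throw "UAG registry key $key not found. Is Forefront UAG installed on this server?"
}

# Export the key before changing it so the previous state can be restored with reg import
$backup = Join-Path $env:TEMP ("UrlFilter-{0}.reg" -f (Get-Date -Format yyyyMMddHHmmss))
& reg.exe export 'HKLM\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter' $backup /y | Out-Null
Write-Host "Backup written to $backup"

foreach ($name in $values) {
    # -Force overwrites an existing value of the same name, so re-running is harmless
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

# Read back and flag anything that is not 1
$item = Get-ItemProperty -Path $key
foreach ($name in $values) {
    $v = $item.$name
    $state = if ($v -eq 1) { 'OK' } else { 'UNEXPECTED' }
    '{0,-22} = {1} {2}' -f $name, $v, $state
}
```

The values take effect only after the configuration is activated and IIS is reset, as described in the next section.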
Save and Activate the Configuration
1. Click the Save button in the UAG console.
2. Click Activate.
3. Once the activation has completed, click Finish.
4. Start a Command Prompt (cmd) as an Administrator.
5. Perform an IISRESET.
Verify Website Access through the Internet
Open a web browser and enter the URLs that clients use to access the Address Book files and the conferencing website, as follows:
- For Address Book Server, type a URL similar to the following: https://webext.xman.com.au/abs
- For conferencing, type a URL similar to the following: https://webext.xman.com.au/meet
- For distribution group expansion, type a URL similar to the following: https://webext.xman.com.au/GroupExpansion/service.svc
- For dial-in, type the simple URL for dial-in conferencing, for example https://webext.xman.com.au/dialin. The user should be directed to the dial-in page.
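The browser checks above can be scripted from an external client. The script below, added here and not part of the original post, requests each published URL, records the HTTP status the proxy returns, and checks that the certificate presented carries the names listed in the certificate table. It uses only .NET classes so it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example (not from the original post): probe the published Lync URLs from outside
# and validate the certificate's Subject Alternative Names against the required list.
$urls = 'https://webext.xman.com.au/abs',
        'https://webext.xman.com.au/meet',
        'https://webext.xman.com.au/GroupExpansion/service.svc',
        'https://webext.xman.com.au/dialin'
# Common Name plus SANs from the certificate table
$requiredNames = 'webext.xman.com.au', 'meet.xman.com.au', 'dialin.xman.com.au', 'discover.xman.com.au'

function Get-SanNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    # OID 2.5.29.17 is the Subject Alternative Name extension
    $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if (-not $ext) { return @() }
    # Format() yields text such as "DNS Name=webext.xman.com.au, DNS Name=meet.xman.com.au"
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

foreach ($url in $urls) {
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.AllowAutoRedirect = $false   # report the first response the proxy returns
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse(); $status = [int]$resp.StatusCode; $resp.Close()
    } catch [System.Net.WebException] {
        # An HTTP error (e.g. 401 on /abs, which requires authentication) still proves the
        # publishing rule is reachable; no Response object means the connection itself failed
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        else { $status = "FAILED ($($_.Exception.Status))" }
    }
    $line = '{0,-55} HTTP {1}' -f $url, $status
    $raw = $req.ServicePoint.Certificate          # populated once the TLS handshake completed
    if ($raw) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $raw
        $present = @(Get-SanNames $cert)
        $missing = @($requiredNames | Where-Object { $present -notcontains $_ })
        $line += "  cert: $($cert.Subject) issued by $($cert.Issuer), expires $($cert.NotAfter)"
        if ($missing) { $line += "  MISSING SAN: $($missing -join ', ')" } else { $line += '  SANs OK' }
    }
    $line
}
```

A status of 401 on /abs is expected because the Address Book service requires client authentication; a FAILED entry or a MISSING SAN line points at the NAT rules or the certificate request rather than at the Lync publishing rules.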