Publish Lync Server 2013 using Forefront UAG 2010 Step by Step

The following features are available for external access through a UAG reverse proxy:

Enabling external users to download meeting content for your meetings.
Enabling external users to expand distribution groups.
Enabling remote users to download files from the Address Book service.
Accessing the Microsoft Lync Web App client.
Accessing the Dial-in Conferencing Settings webpage.
Accessing the Location Information service.
Enabling external devices to connect to Device Update web service and obtain updates.
Enabling mobile applications to automatically discover mobility URLs from the Internet.

Prerequisites:

Lync Frontend, Lync Director and Lync Edge are configured and optional for internal users
Lync External Access Topology is published using Topology Builder
Lync Server is configured for External user Access
UAG server installed and initial configuration is completed
All Service pack and hot fixes installed in UAG and Lync Server.

Network Configuration:

Forefront UAG and Lync Edge must be assigned two NICs with external network adapter and the internal network adapter.

DNS Configuration

The reverse proxy must be able to resolve the internal Director and next hop pool FQDNs used in the web publishing rules to IP addresses. As with the Edge Servers, for security reasons, we recommend that you do not have Edge Servers access a DNS server located in the internal network. This means you either need DNS servers in the perimeter, or you need HOST file entries on the reverse proxy that resolves each of these FQDNs to the internal IP address of the servers.

DNS Name	Record Type	IP address	Purpose
sip.xman.com.au	HOST (A)	Internal IP	Sip domain
_sip_tls.xman.com.au	SRV record Port 5061	Internal IP	used for Edge deployment separate to UAG
meet.xman.com.au	HOST (A)	Internal IP	Meeting
dialin.xman.com.au	HOST (A)	Internal IP	Dial-in
discover.xman.com.au	HOST (A)	Internal IP	Discover
webext.xman.com.au	HOST (A)	Internal IP	Common external Lync access
UAGSRV.xman.com.au	HOST (A)	Internal IP	UAG server internal DNS

To create Public DNS record, request your ISP to route these public FQDN to your premises i.e. to the external NIC of UAG server if there is no frontend firewall or route to your external router if UAG is behind frontend router and placed in perimeter.

DNS Name	Record Type	IP address	Purpose
webext.xman.com.au	HOST (A)	Publicly routable UAG External NIC IP IP should resolve Front Edge or Director	Lync external access
meet.xman.com.au	CNAME	webext.xman.com.au	Lync meeting
dialin.xman.com.au	CNAME	webext.xman.com.au	Lync Dial-in
discover.xman.com.au	CNAME	webext.xman.com.au	Lync discover
LyncUAG. xman.com.au	HOST (A)	Publicly routable UAG External IP Address	UAG external FQDN
sip.xman.com.au	HOST (A)	Publicly routable Lync Edge External NIC IP separate to UAG	Lync External SIP domain
Sipexternal.xman.com.au	CNAME	sip.xman.com.au used for Lync Edge deployment separate to UAG	CNAME of external SIP domain

Certificates Requirements

Common Name	Subject alternative name	Purpose	Issuer
webext.xman.com.au	webext.xman.com.au	Pool FQDN	Public CA
meet.xman.com.au	Meeting simple URL
dialin.xman.com.au	Dial-in simple URL
discover.xman.com.au	External Autodiscover Service URL

NAT Requirements:

This topic describes the required NAT behaviour of UAG deployment if UAG server is placed after frontend firewall.

NAT Rule	Source IP	Public IP	NATed Destination	Port
1	Any	Public IP of Lync web	UAG External NIC IP	4443, 3478
2	Edge External NIC	–	Internet/Extranet	3478
3	Internal Network	–	UAG Internal NIC IP	4443,3478

Create a Lync Trunk

1. Start ForeFront UAG.
2. Right-Click HTTPS Connection and select New Trunk
3. Name the Trunk and enter the public hostname and IP address (this should match the DNS record created i.e LyncUAG.xman.com.au – this name should be different to the external name of the Lync Front End Pool. Click Next
4. Select the Authentication Server for your domain by clicking Add. Click Next.
5. Select the Public Certificate you have obtained. Click Next.
6. Select the default option of Use Forefront UAG access policies. Click Next.
7. Select the Default Endpoint Policies. Click Next.
8. Click Finish.

Create Lync Web Services Application

1. Select the trunk created above.
2. Click Add under Applications.
3. Click Next
4. Select Microsoft Lync Web App 2010 under Web. Click Next.
5. Enter a name for the application (i.e. LyncWeb). Click Next.
6. Leave the Endpoint Policies as default. Click Next.
7. Click Next.
8. Enter webext.xman.com.au under Addresses. This should resolve to the Front Edge (or Director) Server from the UAG server. This should also match the name that External Access URL is set in the Lync Topology. Enter the same public host name. Click Next.
9. Uncheck Use SSO. Click Next.
10. Remove “dialin” from Application URL. Click Next.
11. Click Finish.

Create LyncDiscovery Application

1. In the same Trunk click Add under Applications.
2. Select Microsoft Lync Web App 2010. Click Next.
3. Enter a name for the application (i.e. LyncDiscovery). Click Next.
4. Click Next.
5. Enter webext.xman.com.au as the IP/Host and Discover as the public hostname. Click Next.
6. Uncheck Use SSO. Click Next.
7. Remove “dialin” from the application URL and click Next.
8. Click Next
9. Click Finish.
The wizard will create two additional entries for meet and dialin for the LyncDiscover application. Remove them by selecting each one and click Remove.

Additional Trunk Configuration

1. Click Configure under Trunk Configure.
2. Select the Authentication tab. Uncheck Require users to authenticate at session logon.
3. Select the Session tab and check Disable component installation and activation and Disable scripting for portal applications.
4. Click OK.

Additional Registry Entry

Important! Modify the registry at your own risk.
1. Open Registry Editor
2. Navigate to HKLMSoftwareWhaleCome-GapvonUrlFilter
3. Right-Click and add a DWORD 32-bit registry KeepClientAuthHeader and FullAuthPassthru, set the value to 1.
4. Close the registry editor.

Save and Activate the Configuration

1. Click the Save button in the UAG console.
2. Click Activate
3. Once the configuration has completed, click Finish
4. Start a Command Prompt (cmd) as an Administrator.
5. Perform an IISRESET.

Verify Website Access through the Internet

Open a web browser, type the URLs in the Address bar that clients use to access the Address Book files and the website for conferencing as follows:

For Address Book Server, type a URL similar to the following: https://webext.xman.com.au/abs
For conferencing, type a URL similar to the following: https://webext.xman.com.au /meet
For distribution group expansion, type a URL similar to the following:
https://webext.xman.com.au/GroupExpansion/service.svc.
For dial-in, type the simple URL for dial-in conferencing. The user should be directed to the dial-in page. https://webext.xman.com.au/dialin

References:

Publish Lync 2010 with ForeFront Unified Access Gateway 2010 (UAG)

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.

View all posts by Raihan Al-Beruni →