Publish Lync Server 2013 using Forefront UAG 2010 Step by Step

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

The following features are available for external access through a UAG reverse proxy:

  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book service.
  • Accessing the Microsoft Lync Web App client.
  • Accessing the Dial-in Conferencing Settings webpage.
  • Accessing the Location Information service.
  • Enabling external devices to connect to Device Update web service and obtain updates.
  • Enabling mobile applications to automatically discover mobility URLs from the Internet.


Prerequisites:

  • Lync Front End, Lync Director and Lync Edge are configured and operational for internal users
  • The Lync external access topology is published using Topology Builder
  • Lync Server is configured for external user access
  • The UAG server is installed and its initial configuration is completed
  • All service packs and hotfixes are installed on UAG and Lync Server

Network Configuration:

Forefront UAG and Lync Edge must each have two NICs: an external network adapter and an internal network adapter.

DNS Configuration

The reverse proxy must be able to resolve the internal Director and next-hop pool FQDNs used in the web publishing rules to IP addresses. As with the Edge Servers, for security reasons we recommend that you do not let Edge Servers query a DNS server located in the internal network. This means you either need DNS servers in the perimeter, or you need HOSTS file entries on the reverse proxy that resolve each of these FQDNs to the internal IP address of the servers.

DNS Name | Record Type | IP address | Purpose
(FQDN not shown) | HOST (A) | Internal IP |
SIP domain | SRV record, port 5061 | Internal IP | Used for Edge deployment separate to UAG
(FQDN not shown) | HOST (A) | Internal IP | Meeting
(FQDN not shown) | HOST (A) | Internal IP | Dial-in
(FQDN not shown) | HOST (A) | Internal IP | Discover
(FQDN not shown) | HOST (A) | Internal IP | Common external Lync access
(FQDN not shown) | HOST (A) | Internal IP | UAG server internal DNS
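The HOSTS file approach described above can be scripted and, more importantly, checked. The following PowerShell is an added example written for this page, not code from the original post or from Microsoft; it must be run in an elevated session on the UAG server, and every FQDN and IP address in it is a placeholder to replace with your own. It uses [System.Net.Dns] for the verification step because that honours the HOSTS file and is available on Windows Server 2008 R2, where Resolve-DnsName does not exist.

```powershell
# Added example (not from the original post): populate the UAG server's HOSTS file with the
# internal Director / next-hop pool FQDNs used in the publishing rules, then confirm that each
# name resolves locally to the expected internal IP without querying an internal DNS server.
# All FQDNs and IP addresses below are placeholders (assumed values).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Assumed mapping of internal FQDN -> internal IP address (placeholders).
$entries = @{
    'pool01.corp.example.com'     = '10.0.1.10'   # next-hop Front End pool
    'director01.corp.example.com' = '10.0.1.20'   # Director (if deployed)
    'meet.example.com'            = '10.0.1.10'   # meeting simple URL
    'dialin.example.com'          = '10.0.1.10'   # dial-in simple URL
    'lyncdiscover.example.com'    = '10.0.1.10'   # mobility autodiscover
}

# Back up the HOSTS file before touching it.
Copy-Item $hostsPath "$hostsPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"

$existing = Get-Content $hostsPath
foreach ($fqdn in $entries.Keys) {
    $line = "{0}`t{1}" -f $entries[$fqdn], $fqdn
    # Skip names that are already present (case-insensitive, whole-name match on the name column).
    if ($existing -match "^\s*\S+\s+$([regex]::Escape($fqdn))(\s|$)") {
        Write-Host "Already present: $fqdn"
        continue
    }
    Add-Content -Path $hostsPath -Value $line -Encoding ASCII
    Write-Host "Added: $line"
}

# Verify: [System.Net.Dns] consults the HOSTS file first, so a mismatch here means the
# entry is missing or a stale DNS cache entry is still winning (run 'ipconfig /flushdns').
foreach ($fqdn in $entries.Keys) {
    $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    if ($resolved -contains $entries[$fqdn]) {
        Write-Host ("OK       {0} -> {1}" -f $fqdn, ($resolved -join ','))
    } else {
        Write-Warning ("MISMATCH {0} resolved to {1}, expected {2}" -f $fqdn, ($resolved -join ','), $entries[$fqdn])
    }
}
```

Because the script only appends names that are absent and writes a timestamped backup first, it is safe to re-run after topology changes; the verification loop is the part worth keeping in a deployment checklist, since a publishing rule that silently resolves to the wrong internal address is the usual cause of a trunk that activates cleanly but never reaches the pool.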

To create the public DNS records, ask your ISP to point these public FQDNs at your premises: at the external NIC of the UAG server if there is no front-end firewall, or at your external router if UAG is behind a front-end firewall and placed in the perimeter.

DNS Name | Record Type | IP address | Purpose
(FQDN not shown) | HOST (A) | Publicly routable UAG external NIC IP | Should resolve to the Front End or Director via UAG; Lync external access
(FQDN not shown) | CNAME | | Lync meeting
(FQDN not shown) | CNAME | | Lync Dial-in
(FQDN not shown) | CNAME | | Lync discover
LyncUAG.(domain not shown) | HOST (A) | Publicly routable UAG external IP address | UAG external FQDN
(FQDN not shown) | HOST (A) | Publicly routable Lync Edge external NIC IP, separate to UAG | Lync external SIP domain
(FQDN not shown) | CNAME | CNAME of external SIP domain | Used for Lync Edge deployment separate to UAG

Certificates Requirements

Common Name | Subject alternative name | Purpose | Issuer
Pool FQDN | Meeting simple URL, Dial-in simple URL, External Autodiscover Service URL | | Public CA

NAT Requirements:

This section describes the NAT behaviour required for a UAG deployment when the UAG server is placed behind a front-end firewall.

NAT Rule | Source IP | Public IP | NATed Destination | Port
1 | Any | Public IP of Lync web | UAG External NIC IP | 4443, 3478
2 | Edge External NIC | | Internet/Extranet | 3478
3 | Internal Network | | UAG Internal NIC IP | 4443, 3478

Create a Lync Trunk

1. Start ForeFront UAG.
2. Right-Click HTTPS Connection and select New Trunk
3. Name the Trunk and enter the public hostname and IP address (this should match the DNS record created earlier; this name should be different from the external name of the Lync Front End Pool). Click Next.
4. Select the Authentication Server for your domain by clicking Add. Click Next.
5. Select the Public Certificate you have obtained. Click Next.
6. Select the default option of Use Forefront UAG access policies. Click Next.
7. Select the Default Endpoint Policies. Click Next.
8. Click Finish.

Create Lync Web Services Application

1. Select the trunk created above.
2. Click Add under Applications.
3. Click Next
4. Select Microsoft Lync Web App 2010 under Web. Click Next.
5. Enter a name for the application (i.e. LyncWeb). Click Next.
6. Leave the Endpoint Policies as default. Click Next.
7. Click Next.
8. Enter the address under Addresses. This should resolve to the Front End (or Director) server from the UAG server, and should also match the name set as the External Access URL in the Lync topology. Enter the same public host name. Click Next.
9. Uncheck Use SSO. Click Next.
10. Remove “dialin” from Application URL. Click Next.
11. Click Finish.

Create LyncDiscovery Application

1. In the same Trunk click Add under Applications.
2. Select Microsoft Lync Web App 2010. Click Next.
3. Enter a name for the application (i.e. LyncDiscovery). Click Next.
4. Click Next.
5. Enter the IP/Host, and the Discover name as the public hostname. Click Next.
6. Uncheck Use SSO. Click Next.
7. Remove “dialin” from the application URL and click Next.
8. Click Next
9. Click Finish.
The wizard will create two additional entries, for meet and dialin, under the LyncDiscover application. Remove them by selecting each one and clicking Remove.


Additional Trunk Configuration

1. Click Configure under Trunk Configure.
2. Select the Authentication tab. Uncheck Require users to authenticate at session logon.
3. Select the Session tab and check Disable component installation and activation and Disable scripting for portal applications.
4. Click OK.

Additional Registry Entry

Important! Modify the registry at your own risk.
1. Open Registry Editor
2. Navigate to HKLM\Software\WhaleCom\e-Gap\von\UrlFilter
3. Right-click and add two DWORD (32-bit) values, KeepClientAuthHeader and FullAuthPassthru, and set each value to 1.
4. Close the registry editor.
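The same registry change can be made and, more usefully, verified from PowerShell. The following is an added example written for this page, not code from the original post or from Microsoft; it assumes an elevated PowerShell session on the UAG server and uses the UrlFilter key path given in the steps above. It records the current values before changing them so the change can be reverted, and reads both values back as REG_DWORD afterwards.

```powershell
# Added example (not from the original post): create the two UrlFilter DWORD values described
# in the steps above and read them back, so the change is confirmed before the UAG
# configuration is saved and activated.
$key    = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter'
$values = 'KeepClientAuthHeader', 'FullAuthPassthru'

if (-not (Test-Path $key)) {
    throw "Registry key $key not found - is Forefront UAG installed on this host?"
}

# Record the current state so the change can be reverted if needed.
$before = Get-ItemProperty -Path $key
foreach ($name in $values) {
    $current = $before.$name
    $shown = if ($null -eq $current) { '<absent>' } else { $current }
    Write-Host ("{0}: before = {1}" -f $name, $shown)
    # New-ItemProperty with -Force creates the value, or overwrites an existing one, as REG_DWORD.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verify that both values now exist, are REG_DWORD, and equal 1.
$after = Get-ItemProperty -Path $key
$regKey = Get-Item -Path $key
foreach ($name in $values) {
    $kind = $regKey.GetValueKind($name)
    if ($after.$name -eq 1 -and $kind -eq 'DWord') {
        Write-Host ("OK   {0} = 1 ({1})" -f $name, $kind)
    } else {
        Write-Warning ("{0} is {1} ({2}); expected DWORD 1" -f $name, $after.$name, $kind)
    }
}
```

The type check matters: a value created by hand as REG_SZ "1" has the right name and the right visible value but is not read as a DWORD, and the trunk behaves as if the setting were absent.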

Save and Activate the Configuration

1. Click the Save button in the UAG console.
2. Click Activate
3. Once the configuration has completed, click Finish
4. Start a Command Prompt (cmd) as an Administrator.
5. Perform an IISRESET.

Verify Website Access through the Internet

Open a web browser and type into the Address bar the URLs that clients use to access the Address Book files and the conferencing website, as follows:


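Beyond opening each URL in a browser, the check is worth scripting so that it can be repeated after every certificate renewal or topology change. The following PowerShell is an added example written for this page, not code from the original post or from Microsoft. It is meant to be run from a machine on the Internet side of UAG; the hostnames, the Address Book path and the issuer name are placeholders for your own values. Certificate validation is deliberately left enabled, so a certificate that the client does not trust shows up as a failed probe rather than being hidden.

```powershell
# Added example (not from the original post): probe each published URL over HTTPS from the
# Internet side and report the HTTP status and the server certificate that UAG presented.
# Hostnames, paths and the expected issuer below are placeholders (assumed values).
function Test-UagPublishedUrl {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [string]$ExpectedIssuerFragment   # substring that must appear in the certificate issuer
    )
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false      # report the redirect itself instead of following it
    $req.Timeout = 10000
    $req.UserAgent = 'UAG-publish-check'
    $status = -1
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        # A 401/403 from the Lync web services still proves the request reached them;
        # DNS, TCP or TLS-trust failures leave Response empty and the status at -1.
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    }
    $issuer = '<no certificate>'; $subject = '<no certificate>'; $expires = $null
    $cert = $req.ServicePoint.Certificate   # populated once a TLS handshake has completed
    if ($cert) {
        $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
        $issuer = $x509.Issuer; $subject = $x509.Subject; $expires = $x509.NotAfter
    }
    $ok = ($status -ge 200 -and $status -lt 500)
    if ($ExpectedIssuerFragment) { $ok = $ok -and ($issuer -like "*$ExpectedIssuerFragment*") }
    New-Object PSObject -Property @{
        Url = $Url; Status = $status; OK = $ok; Subject = $subject; Issuer = $issuer; Expires = $expires
    }
}

# Placeholder simple URLs plus the Address Book service path on the external web services FQDN.
$urls = 'https://meet.example.com/',
        'https://dialin.example.com/',
        'https://lyncdiscover.example.com/',
        'https://lyncweb.example.com/Abs/Handler/'

$urls | ForEach-Object { Test-UagPublishedUrl -Url $_ -ExpectedIssuerFragment 'Example Public CA' } |
    Format-Table Url, Status, OK, Subject, Issuer, Expires -AutoSize
```

A status of -1 with no certificate means the name did not resolve, nothing answered on 443, or the chain was not trusted by the probing machine; a status of -1 with a certificate listed means the TLS handshake completed but the HTTP exchange failed, which usually points at the trunk or application configuration rather than DNS or the certificate.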

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Windows Server.
