IIS ARR Reverse Proxy on Edge server supported? I don't think so.


  • Wednesday, February 27, 2013 3:43 PM

    I'm trying to use IIS with ARR as a reverse proxy co-hosted on the Edge server.

    The first issue I ran into was that after I set up IIS, the Edge server service (configured to use its own public IP with port 443) wasn't able to start anymore. Event ID 14346 "Unable to bind for socket."

    IIS will by default listen on 0.0.0.0:443 regardless of what you set as the binding in your website settings.

    You could fix this by using

    netsh http add iplisten ipaddress=<externalipofreverseproxy>

    But you will get into another issue.

    The File Transfer Agent service on your Front End server, which transfers files for the replica, cannot connect to the Edge server on <internalip> port 4443 anymore (Event ID 1017, "File transfer failed for some replica machines").
    After you change something in the Central Management Store (Topology Builder, Publish Topology) and wait some time, you can see this in the Lync Control Panel under Topology: the replication status on the Edge server gets red. And "Get-CSManagementStoreReplicationStatus" will show an old "LastStatusReport" value for your Edge server, and "UpToDate" is "False".

    That service on the Edge uses the HTTP service in netsh, and the fix broke this.

    If you now try to add the internal IP with netsh, your A/V Edge service will not start anymore because it has to listen on <internalip> port 443 for audio/video transfer.

    I don't know if you need this when you did not change anything.

    If you just don't want that trouble, use another server for your reverse proxy with IIS (or don't use IIS :( ).
    You could try to forward 80/443 in your router/firewall to 8080/4443 on the Front End, but this isn't best practice and could lead to security holes.

    If anyone has a solution for this replica issue while still running the reverse proxy on the Edge, please tell...


    • Edited by brotbuexe Wednesday, February 27, 2013 3:43 PM

All Replies

  • Wednesday, February 27, 2013 4:46 PM
    Thanks for sharing your test-info.
  • Tuesday, March 05, 2013 9:42 AM

    As I don't have the time to move the reverse proxy from the Edge server, here is a little workaround.

    As far as I understand, the problem is only with replication of the Central Management Store, which for me means these are only settings I make in Topology Builder or global changes.

    Another thing I found is that when you run "Get-CSManagementStoreReplicationStatus" there are two date values per server, one for "LastStatusReport" and one for "LastUpdateCreation". Only the "LastStatusReport" value isn't updated anymore after removing the IP address from the HTTP listener.

    It could be that the replication is still working and that this connection is only for status reporting.

    I've decided to use a workaround to manually update the value, or replicate the settings:

    On the Edge Server:

    netsh http add iplisten ipaddress=<yourinternaledgeinterfaceip>
    net stop RTCMEDIARELAY
    Get-CsManagementStoreReplicationStatus
      check the LastStatusReport of the edge server
    Invoke-CsManagementStoreReplication
      wait 5 minutes
    Get-CsManagementStoreReplicationStatus
      check the LastStatusReport of the edge server (should be updated, and "UpToDate" should be true for all servers, if not, wait again for 5-10 minutes)
    netsh http delete iplisten ipaddress=<yourinternaledgeinterfaceip>
    net start RTCMEDIARELAY

    Keep in mind that stopping the media relay would kill the external audio/video sessions.
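An added example, not part of any post in this thread: a PowerShell script that runs the workaround above as one unit, polls the replica status instead of waiting a fixed 5 minutes, and restores the HTTP listener and media relay in a finally block even if a step fails. It assumes, like the post, that it runs in a Lync Server Management Shell on the Edge server; $EdgeFqdn, $InternalIp and $TimeoutMinutes are placeholders you set yourself.

```powershell
# Added example (not from the thread): automates the workaround above with a
# bounded polling loop and guaranteed cleanup of the listener / media relay.
# Assumptions: Lync Server Management Shell cmdlets are available in this
# session; $EdgeFqdn and $InternalIp are placeholders for your environment.
param(
    [Parameter(Mandatory)][string]$EdgeFqdn,    # placeholder: Edge server FQDN
    [Parameter(Mandatory)][string]$InternalIp,  # placeholder: internal Edge interface IP
    [int]$TimeoutMinutes = 15                   # upper bound for the wait
)

$ErrorActionPreference = 'Stop'

function Get-EdgeReplicaStatus {
    # Returns only this Edge server's row from the replication status list.
    Get-CsManagementStoreReplicationStatus -ReplicaFqdn $EdgeFqdn
}

$before = Get-EdgeReplicaStatus
Write-Host "Before: LastStatusReport=$($before.LastStatusReport) UpToDate=$($before.UpToDate)"

try {
    # Step 1: let http.sys listen on the internal IP again so the replica
    # status channel on port 4443 works (this blocks the media relay's 443 bind).
    netsh http add iplisten ipaddress=$InternalIp | Out-Null
    # Step 2: stop the media relay (drops external A/V sessions, as noted above).
    net stop RTCMEDIARELAY | Out-Null

    # Step 3: trigger replication, then poll until the report timestamp moves
    # and UpToDate is true, or the timeout is reached.
    Invoke-CsManagementStoreReplication -ReplicaFqdn $EdgeFqdn
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $status = Get-EdgeReplicaStatus
        Write-Host "Polling: LastStatusReport=$($status.LastStatusReport) UpToDate=$($status.UpToDate)"
        $done = $status.UpToDate -and ($status.LastStatusReport -gt $before.LastStatusReport)
    } while (-not $done -and (Get-Date) -lt $deadline)

    if (-not $done) {
        Write-Warning "Replica status for $EdgeFqdn did not update within $TimeoutMinutes minutes."
    }
}
finally {
    # Steps 4-5: always remove the listener and restart A/V, even after an error,
    # otherwise the Edge is left without audio/video until someone notices.
    netsh http delete iplisten ipaddress=$InternalIp | Out-Null
    net start RTCMEDIARELAY | Out-Null
}
```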

  • Tuesday, March 26, 2013 2:22 PM

    So with this fix you think ARR CAN be collocated with Edge or we run into other issues?


    NLS

  • Tuesday, March 26, 2013 4:10 PM

    It's only a workaround.

    You at least have to run this workaround every time you change something in the Control Panel that affects the Edge server.

    For example, if you use federation and only add a new federation partner domain, you have to go through the workaround. And when you run "net stop RTCMEDIARELAY" you kill all A/V connections that go through the Edge server.

    I'm considering moving my reverse proxy off the Edge because of this issue...

  • Tuesday, March 26, 2013 5:05 PM

    clear, thanks


    NLS