Use Microsoft TMG Weblistener on av.domain.com ip?

    Question

  • 1 DC server
    1 TMG server
    1 Lync Front End server
    1 Lync Edge server (3 IP in DMZ and 1 IP in Internal)
    4 external IP (1 for TMG, 1 for sip.domain.com, 1 for webconf.domain.com and 1 for av.domain.com)

    We have an Exchange OWA web listener on our primary IP, and cannot have multiple web listeners on the same IP address.
    Since we have 3 external IPs for sip, webconf and av for our Edge server, can I use my external IP for av.domain.com to set up a web listener for meet.domain.com?

    Can we have any security risk or network issues if we do this?

    Can we get problems with 443 traffic to av.domain.com?

    Friday, May 25, 2012 9:04 AM

Answers

  • Hi,

    You can't use the AV external IP address to proxy the meet URL. AV traffic has to route via the AV Edge server role.

    There are two options available:

    1. Buy a new public IP for the reverse proxy server (meet/dialin/mobility services).
    2. Change the existing Edge topology and use a single public IP for all Edge services. In this scenario, you can use the remaining IP address for the reverse proxy.

    Thanks

    Saleesh


    If answer is helpful, please hit the green arrow on the left, or mark as answer.

    Friday, May 25, 2012 9:33 AM
  • Hi,

    Saleesh is right. You cannot use the public IP address for av.domain.com to set up a web listener for meet.domain.com. You cannot assign the same IP address to two servers. It will cause an IP conflict, and the network flow will be transferred to the wrong destination if their A records use the same IP address.

    A new public IP address is required for the TMG web listener of meet.domain.com.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


    Sunday, May 27, 2012 7:45 AM
    Moderator

All replies

  • But doesn't the web listener just route traffic on port 443 with header meet.domain.com and lyncdiscover.domain.com to the Lync Front End server?

    All other traffic should just follow the normal route to the AV Edge on port 443?

    I have got the web listener to work on the av.domain.com external IP, but only with Lync-to-Lync clients. When I use 3 or more clients it does not work (I am kicked out from the Lync conference and need to rejoin), probably because all traffic is going to the Lync site.

    Friday, May 25, 2012 10:24 AM
  • If you look at your Lync topology, you would have associated the av.domain.com FQDN/IP address with the AV Edge server configuration. So Lync clients would get this information via in-band provisioning. At the same time you are pointing the av.domain.com IP address to the reverse proxy server.

    The TMG web listener can route the traffic based on the request. TMG can't proxy AV media/signaling to the pool as it doesn't have the AV Edge component/DLL to understand the requests/protocol. So you should point the av.domain.com record to the AV Edge, otherwise you will face issues with external audio/video.

    Thanks

    Saleesh


    If answer is helpful, please hit the green arrow on the left, or mark as answer.

    Friday, May 25, 2012 10:42 AM
  • My external DNS records point

    meet.domain.com to x.x.x.213
    lyncdiscover.domain.com to x.x.x.213
    av.domain.com to x.x.x.213
    lyncfe.domain.com to x.x.x.213
    webconf.domain.com to x.x.x.212
    sip.domain.com to x.x.x.211

    All rules and policies are set up on the TMG server for Access Edge, Webconf Edge and A/V Edge.

    I'm new to TMG, and I thought it was possible to split TCP/HTTPS packets for meet.domain.com and LyncDiscover off, and let everything else (TCP/HTTPS) go to the A/V Edge in the DMZ zone.

    If it cannot be done to use the reverse proxy on one of the three external IP addresses for the Edge server, we need to get a 5th IP address.

    Friday, May 25, 2012 1:57 PM
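The record list above is exactly the layout the replies warn about: an Edge service name (av.domain.com) sharing a public IP with names that the TMG web listener publishes (meet.domain.com, lyncdiscover.domain.com). The following script is an added example, not code from the thread or from Microsoft; it groups a set of external A records by IP and reports any IP that is used by both an Edge service FQDN and a reverse-proxy-published FQDN, and it counts how many public IPs the published names need. The service-name lists, the `domain.com` zone and the 203.0.113.x addresses are constructed for the example; the thread's real addresses are not shown on the page.

```python
"""Added example (not from the thread): check external DNS A records for the
clash the replies describe, i.e. an Edge service FQDN (sip/webconf/av) sharing
a public IP with names published through the TMG reverse proxy
(meet/dialin/lyncdiscover). All records and addresses below are constructed
(TEST-NET-3 addresses)."""

from collections import defaultdict

# Edge service hostnames: media/signaling must reach the Edge server directly.
EDGE_SERVICES = {"sip", "webconf", "av"}
# Hostnames published through the reverse proxy web listener.
REVERSE_PROXY_SERVICES = {"meet", "dialin", "lyncdiscover"}


def service_of(fqdn, domain):
    """Return the host label of fqdn under domain ('av' for av.domain.com),
    or None if fqdn is not a single label directly under domain."""
    suffix = "." + domain.lower()
    name = fqdn.lower()
    if not name.endswith(suffix):
        return None
    host = name[: -len(suffix)]
    return host if host and "." not in host else None


def find_conflicts(records, domain):
    """records maps FQDN -> public IP. Returns a sorted list of
    (ip, edge_fqdns, reverse_proxy_fqdns) tuples, one per IP that is used by
    both an Edge service name and a reverse-proxy-published name."""
    names_by_ip = defaultdict(list)
    for fqdn, ip in records.items():
        names_by_ip[ip].append(fqdn.lower())
    conflicts = []
    for ip in sorted(names_by_ip):
        names = names_by_ip[ip]
        edge = sorted(n for n in names if service_of(n, domain) in EDGE_SERVICES)
        proxy = sorted(n for n in names if service_of(n, domain) in REVERSE_PROXY_SERVICES)
        if edge and proxy:
            conflicts.append((ip, edge, proxy))
    return conflicts


def public_ips_needed(records, domain):
    """Distinct public IPs the Edge services occupy, plus one for the reverse
    proxy, which (per the replies) cannot share an IP with an Edge service.
    Three Edge IPs -> 4 needed; a consolidated single-IP Edge -> 2 needed."""
    edge_ips = {ip for n, ip in records.items() if service_of(n, domain) in EDGE_SERVICES}
    return len(edge_ips) + 1


# Constructed records mirroring the layout described in the thread
# (av.domain.com sharing the reverse proxy's address).
SHARED_AV_RECORDS = {
    "meet.domain.com": "203.0.113.213",
    "lyncdiscover.domain.com": "203.0.113.213",
    "av.domain.com": "203.0.113.213",
    "lyncfe.domain.com": "203.0.113.213",
    "webconf.domain.com": "203.0.113.212",
    "sip.domain.com": "203.0.113.211",
}

# Corrected layout: av.domain.com on its own Edge address, reverse proxy on .213.
SEPARATED_RECORDS = dict(SHARED_AV_RECORDS, **{"av.domain.com": "203.0.113.214"})

if __name__ == "__main__":
    for label, recs in (("shared", SHARED_AV_RECORDS), ("separated", SEPARATED_RECORDS)):
        for ip, edge, proxy in find_conflicts(recs, "domain.com"):
            print(f"{label}: {ip} serves Edge {edge} and reverse proxy {proxy}")
        print(f"{label}: public IPs required = {public_ips_needed(recs, 'domain.com')}")
```

Run it as a script to see the shared layout flagged on 203.0.113.213 and the separated layout pass; `lyncfe.domain.com` is deliberately left unclassified because the thread does not say which role publishes it.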
  • You are right.

    av.domain.com requires a new public IP address and it can't be routed via TMG.

    Thanks

    Saleesh


    If answer is helpful, please hit the green arrow on the left, or mark as answer.

    Friday, May 25, 2012 2:04 PM