This is a step-by-step on configuring ForeFront UAG to work with Lync Server 2010.  This does not include the configuration of the Edge server or other Lync components. These steps were used in my test environment, they may not necessary be right for your right environment (i.e. security policies and naming conventions, but the steps should provide a good overview for getting it working). Hopefully it helps you out if you are having issues.

Overview

  • Get Certificate
  • Create DNS entries
  • Create UAG Trunk
  • Create UAG Application for Lync Web Services
  • Create UAG Application for LyncDiscovery

This has been tested with

  • Lync 2010 Client
  • Lync 2010 Client for iPhone/iPad
  • Lync 2010 Client for Windows Mobile

Certificate Requirements (Public Certificate for UAG)

Primary Name: lync.<your domain FQDN>
Subject Alternate Name(s) SAN
lyncuag.<your domain FQDN>
lync.<your domain FQDN>
dialin.<your domain FQDN>
meet.<your domain FQDN>
lyncdiscover.<your domain FQDN>
lyncweb.<your domain FQDN>

External DNS Requirements (including Edge entries)
lyncuag.<your domain FQDN> (A record) – UAG External IP
lyncweb.<your domain FQDN> (A record) – UAG External IP
lyncdiscover.<your domain FQDN> (CNAME) – (lyncweb.<your domain FQDN>)
sip.<your domain FQDN> (A record) – Edge External IP (used for Edge deployment separate to UAG)
sipexternal.<your domain FQDN> (CNAME) – (sip.<your domain FQDN>) (used for Edge deployment separate to UAG)
_sip_tls.<your domain FQDN> (SRV) record Port 5061 (used for Edge deployment separate to UAG)

Software Requirements

Microsoft® ForeFront Unified Access Gateway 2010 SP2 (TMG SP2)
Windows Server 2008 R2 Standard Edition
Lync Server 2010 with CU4
Lync Server Mobility installed

Configuration Steps

Create Lync Web Services Trunk

1. Start ForeFront UAG.
2. Right-Click HTTPS Connection and select New Trunk
3. Name the Trunk and enter the public hostname and IP address (this should match the DNS record created i.e. lyncuag.<your domain FQDN>) – this name should be different to the external name of the Lync Front End Pool. Click Next
4. Select the Authentication Server for your domain by clicking Add. Click Next.
5. Select the Public Certificate you have obtained. Click Next.
6. Select the default option of Use ForeFront UAG access policies. Click Next.
7. Select the Default Endpoint Policies. Click Next.
8. Click Finish.

Click Lync Web Services Application 

1. Select the trunk created above.
2. Click Add under Applications.
3. Click Next
4. Select Microsoft Lync Web App 2010 under Web. Click Next.
5. Enter a name for the application (i.e. LyncWeb). Click Next.
6. Leave the Endpoint Policies as default. Click Next.
7. Click Next.
8. Enter lyncweb.<your domain FQDN> under Addresses. This should resolve to the Front Edge (or Director) Server from the UAG server. This should also match the name that External Access URL is set in the Lync Topology. Enter the same public host name. Click Next.
9. Uncheck Use SSO. Click Next.
10. Remove “dialin” from Application URL. Click Next.
11. Click Finish.

Create LyncDiscovery Application


1. In the same Trunk click Add under Applications.
2. Select Microsoft Lync Web App 2010. Click Next.
3. Enter a name for the application (i.e. LyncDiscovery). Click Next.
4. Click Next.
5. Enter lyncweb.<your domain FQDN> as the IP/Host and lyncdiscover as the public hostname. Click Next.
6. Uncheck Use SSO. Click Next.
7. Remove “dialin” from the application URL and click Next.
8. Click Next
9. Click Finish.

The wizard will create two additional entries for meet and dialin for the LyncDiscover application. Remove them by selecting each one and click Remove.

Additional Trunk Configuration

1. Click Configure under Trunk Configure.
2. Select the Authentication tab. Uncheck Require users to authenticate at session logon.
3. Select the Session tab and check Disable component installation and activation and Disable scripting for portal applications.
4. Click OK.

Additional Registry Entry

(Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.)

1. Open Registry Editor
2. Navigate to HKLM\Software\WhaleCom\e-Gap\von\UrlFilter
3. Right-Click and add a DWORD 32-bit registry  KeepClientAuthHeader and set the value to 1.
4. Close the registry editor.

Save and Activate the Configuration

1. Click the Save button in the UAG console.
2. Click Activate
3. Once the configuration has completed, click Finish
4. Start a Command Prompt (cmd) as Administrator.
5. Perform an IISRESET.

Lync Client for iPhone

In order for the Lync iPhone Login to work the following change may also need to occur within the Lync configuration using the Lync Powershell:

Set-CsWebServiceConfiguration –UseWindowsAuth Negotiate

I've also blogged these instructions with screenshot at http://blog.georgt.com/2012/10/publishing-lync-server-with-forefront.html