Reverse Proxy Changes (TMG) for changing FE pool RRS feed

  • Question

  • In transition from Lync 2013 Enterprise to SFB SE. Old env: 1 back-end SQL, 2 FE servers (I know, not supported), 1 Forefront TMG. New env: 1 SFB SE and the same TMG. Status: all users migrated onto the SFB server. Mobile phone access from outside the network is a no-go, but fine on the network Wi-Fi. SFB client access outside the network is fine. I updated the web publishing rule on the TMG server to point to the FQDN of the new SFB server. The rule 'tests' OK from the test button inside the GUI config, but no mobile access. There are two DNS records for meet (internal): one for the old pool, one for the new 'pool' (for SE the pool IS the FQDN). Thinking it might be a NAT rule on the external firewall, but I need to exhaust other possibilities before I can get authorized to get that checked.

    Wednesday, August 17, 2016 12:12 PM

Answers

  • Edge is the protector, but so is your reverse proxy. Web services such as the scheduler, meet URL, dial-in URL, and address book pulls are all hosted on the front end and do not travel through the Edge. It is expected the reverse proxy will protect this. So https://new_skype_fe_external_web_fqdn will need to work through your reverse proxy for mobile to work externally. It's also necessary for web conferencing and other items to work.


    Please remember, if you see a post that helped you please click "Vote" on the left side of the response, and if it answered your question please click "Mark As Answer". SWC Unified Communications This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, SWC, their employees, or other MVPs.

    Wednesday, August 17, 2016 5:00 PM
  • It turns out that the reverse proxy was configured fine, and that the idea to configure the second site the same as the first was correct, but I missed a critical detail: external DNS did not have an entry to match the configuration of the second site. I added a name with the same information as the second site (i.e. secondsitepool.domain.com), BUT I pointed it to the same IP as the external IP for the first site's pool. This effectively routes traffic in to where Skype knows how to proxy the connections. Users homed on the second site's FE now function with their iPhones.

    still mulling another task... to pool or not to pool my edge servers (across sites)...

    Monday, August 22, 2016 2:17 PM
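The two accepted answers above describe the external path a mobile client takes (public DNS, port 443 on the reverse proxy, lyncdiscover, then the pool's external web services FQDN for /scheduler, /dialin and /meet) and the fix that finally worked (an external DNS record for the second site's pool). The script below is an added example, not code from the thread or from Microsoft: it runs from a machine outside the network and checks each of those steps in order. The SIP domain, the two external web FQDNs, the reverse proxy's public IP and the public resolver are all placeholders that must be replaced.

```powershell
# Added example (not from the thread): probe the mobility path from OUTSIDE the network the
# way a mobile client does: public DNS -> TCP 443 on the reverse proxy -> lyncdiscover ->
# the pool's external web services FQDN. Every name and IP below is a placeholder.
param(
    [string]   $SipDomain        = 'domain.com',                                              # assumption
    [string[]] $ExternalWebFqdns = @('pool1-webext.domain.com', 'pool2-webext.domain.com'),   # assumption
    [string]   $ReverseProxyIp   = '203.0.113.10',   # public IP NATed to the TMG listener (assumption)
    [string]   $PublicResolver   = '8.8.8.8'         # ask a public resolver, never internal DNS
)

$failures = 0
$names = @("lyncdiscover.$SipDomain") + $ExternalWebFqdns

foreach ($name in $names) {
    # 1. Every published name must exist in EXTERNAL DNS and point at the reverse proxy.
    #    A name that only exists in internal DNS is exactly the gap the poster found.
    try {
        $a = Resolve-DnsName -Name $name -Type A -Server $PublicResolver -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
    } catch {
        Write-Warning "$name : no external A record - $($_.Exception.Message)"; $failures++; continue
    }
    $ips = @($a.IPAddress)
    if ($ips -contains $ReverseProxyIp) {
        Write-Host ("{0,-40} -> {1}  OK" -f $name, ($ips -join ','))
    } else {
        Write-Warning "$name resolves to $($ips -join ',') not $ReverseProxyIp"; $failures++
    }

    # 2. TCP 443 must be open on that name (external firewall NAT + TMG web listener).
    $tcp = Test-NetConnection -ComputerName $name -Port 443 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { Write-Warning "$name : TCP 443 unreachable"; $failures++ }
}

# 3. Autodiscover: the client starts at lyncdiscover and follows the hrefs it gets back.
#    Each href host must itself be published (step 1); otherwise the client is sent to a
#    name that only resolves internally and fails the way the thread describes.
$root = "https://lyncdiscover.$SipDomain/Autodiscover/AutodiscoverService.svc/root"
try {
    $body = (Invoke-WebRequest -Uri $root -UseBasicParsing -Headers @{ Accept = 'application/json' }).Content
    $body = $body -replace '\\/', '/'          # the WCF JSON serializer escapes slashes as \/
    $hosts = [regex]::Matches($body, 'https://([^/"]+)') |
             ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
    foreach ($h in $hosts) {
        $published = ($names -contains $h)
        Write-Host ("autodiscover href host {0,-40} {1}" -f $h, $(if ($published) { 'published' } else { 'NOT PUBLISHED' }))
        if (-not $published) { $failures++ }
    }
} catch {
    Write-Warning "lyncdiscover request failed: $($_.Exception.Message)"; $failures++
}

# 4. Scheduler, dial-in and meet are served by the Front End through the reverse proxy,
#    not the Edge, so each must answer on every pool's external web FQDN.
foreach ($fqdn in $ExternalWebFqdns) {
    foreach ($path in '/scheduler', '/dialin', '/meet') {
        try {
            $r = Invoke-WebRequest -Uri "https://$fqdn$path" -UseBasicParsing -ErrorAction Stop
            Write-Host ("{0,-60} HTTP {1}" -f "https://$fqdn$path", $r.StatusCode)
        } catch {
            Write-Warning "https://$fqdn$path failed: $($_.Exception.Message)"; $failures++
        }
    }
}

if ($failures) { Write-Warning "$failures check(s) failed" } else { Write-Host 'all external mobility checks passed' }
```

Run it from a host on the Internet, not on the corporate LAN, or the DNS and routing results will not reflect what the phones see; the certificate on the reverse proxy must be trusted by that host, or the Invoke-WebRequest steps will fail on the TLS handshake rather than on the publishing rule. A name that passes step 1 but fails step 2 points at the external firewall NAT the original poster suspected; a lyncdiscover href whose host is "NOT PUBLISHED" is the second-site problem from the accepted answer.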

All replies

  • The mobile will get the configuration information through the https://lyncdiscover.yousipdomain.com

    The mobile client will also connect through the Edge server. You should check the Edge ports for external and internal connection.

    Are desktop sharing and audio/video working from internal to external clients?


    Regards, Holger, Technical Specialist UC

    Wednesday, August 17, 2016 1:16 PM
  • Adding that the mobile app will do a large portion of its work directly with the external web services FQDN of the new pool. Make sure that it's published properly and that 443 redirects to 4443 on the front end server.


    Wednesday, August 17, 2016 3:43 PM
  • Laptop clients connect from outside the network and work fine; shouldn't they be using the Edge server also?

    I do find that two services are stopped: SFB A/V Authentication and SFB A/V Edge. They won't start.

    Wednesday, August 17, 2016 3:47 PM
  • No, the mobile client is pretty much just a web front end. A/V traffic flows through the Edge for mobile, however.

    Can you reach https://new_skype_fe_external_web_fqdn/scheduler from the outside without any errors?




    Wednesday, August 17, 2016 3:51 PM
  • https://new_skype_fe_external_web_fqdn/scheduler -- no

    https://old_skype_fe_external_web_fqdn/scheduler -- yes

    So then this bypasses the Edge and should be NATed to the FE? I thought the Edge was supposed to be a protector of sorts (?). I appreciate your patience with me. Things would go faster if I could log into the ASA and check out the existing config myself.

    Wednesday, August 17, 2016 4:55 PM
  • An earlier comment about mobile connecting through the Edge server threw me. Checking stuff now.
    Wednesday, August 17, 2016 5:23 PM
  • Hi Daniel Kemper TFE,

    Would you please tell us if all mobile clients accessing from outside the network have the issue?

    Are there any error messages?

    If only a specific user has the issue, it may be something wrong with the client, so you could try to reinstall the client with the latest update and test again.

    If all the users have the issue, it may be something wrong on the server side; you could use the Microsoft Lync Connectivity Analyzer to find where the issue is.

    Edge server is the required component for external access.

    For details, please refer to

    https://technet.microsoft.com/en-us/library/gg425779(v=ocs.15).aspx

    For Lync mobility, as Anthony said, you need a reverse proxy.

    Please check the configuration for TMG

    https://social.technet.microsoft.com/wiki/contents/articles/9807.how-to-configure-forefront-tmg-2010-as-reverse-proxy-for-lync-server-2010.aspx

    Moreover, here is a good blog about troubleshooting Lync mobility for your reference

    https://blogs.technet.microsoft.com/nexthop/2012/02/21/troubleshooting-external-lync-mobility-connectivity-issues-step-by-step/

    Hope the information is helpful to you.

    Best regards,

    Alice Wang


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Alice Wang
    TechNet Community Support

    Thursday, August 18, 2016 7:26 AM
  • OK, two days to check. Sheesh!

    In brief: I found that the external web URL on my first site's FE was not right. Given the existing, but hopefully soon-to-be-decommissioned, Lync servers, I chose to correct it by entering the URL that they used, change internal DNS so that the pool name (to which the link referred) pointed to the new SE FE, and adjust the hosts files on my reverse proxy and Edge server accordingly.

    1/2 success: mobile users homed in the main site now work. Mobile users in the second site do not.

    I tried setting up the second site in similar fashion. The old site was configured with a different pool name etc. Changing it in parallel fashion to the first did not work. I think what I need to do is actually set the identical settings as the first site and add a DNS record for the second FE server to the pool in internal DNS.

    I'm mulling that while I'm mulling the Edge servers: setting the two (in 2 different sites) into a single Edge pool. (Connectivity is fast and reliable.)

    Thursday, August 18, 2016 9:27 PM
  • The primary issue continues to be that users in the second site rely on the first site's connection for external DNS settings, e.g. dialin.domain.com can only point to one IP, which sends traffic in through the first site. The two sites are connected over a high-speed, very reliable link and the second site has its own Internet connection; however, DNS can only point to one IP, and the NAT rule forwards traffic to the first site's Edge server and has no way to know to go to the second Edge server for accounts on the Skype FE server in the second site.

    The thing I can't figure out is why this only impacts mobile; that is, accounts on the second site's FE server work fine externally for the "normal" Skype client. Just not mobile.

    Note: Our Exchange has a similar issue.

    Friday, August 19, 2016 12:27 PM
  • Hi Daniel Kemper TFE,

    Would you please tell us if there is any error message ?

    In addition to making sure port 443 redirects to 4443, please check that port 80 redirects to 8080.

    Moreover, make sure the Autodiscover service is available in IIS on the FE server.

    Best regards,

    Alice Wang



    Sunday, August 21, 2016 8:05 AM
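The checks in the reply above (443 to 4443 and 80 to 8080 on the external web site, an Autodiscover application in IIS) are things to verify on the Front End itself, which separates "the pool is wrong" from "the reverse proxy is wrong". The script below is an added example, not code from the thread or from Microsoft; it is meant to be run in the Skype for Business Management Shell on the Front End. It relies on the default IIS site naming (a site whose name contains "External Web Site") and on Get-CsService -WebServer exposing an ExternalFqdn property; anything beyond that is selected by wildcard rather than assumed.

```powershell
# Added example (not from the thread): verify on the Front End that the web services the
# reverse proxy publishes are really there with the expected port mapping (public 443 ->
# 4443 and 80 -> 8080 on the external web site) and an Autodiscover application.
# Run in the Skype for Business Management Shell on the FE. The IIS site name pattern
# matches the Lync 2013 / SfB 2015 defaults; change it if the site was renamed.
Import-Module WebAdministration -ErrorAction Stop

# 1. Topology view. The external FQDN here is what Autodiscover hands to mobile clients,
#    so it must equal the name published on the reverse proxy and in external DNS.
#    Wildcards are used so the output shows whatever port/URI properties this version has.
$webServers = Get-CsService -WebServer
$webServers | Select-Object Identity, *Fqdn*, *Http*Port*, *Autodiscover*Uri* | Format-List

# 2. IIS bindings: the external site must listen on 4443 (HTTPS) and 8080 (HTTP). The
#    reverse proxy forwards to these, never to the internal site on 443/80.
$ext = Get-Website | Where-Object { $_.Name -like '*External Web Site*' } | Select-Object -First 1
if (-not $ext) { Write-Warning 'no *External Web Site* found in IIS'; return }
$bindings = Get-WebBinding -Name $ext.Name
foreach ($port in 4443, 8080) {
    $b = $bindings | Where-Object { $_.bindingInformation -match ":${port}:" }
    if ($b) { Write-Host ("{0} binds {1} ({2})" -f $ext.Name, $port, ($b.protocol -join ',')) }
    else    { Write-Warning "$($ext.Name) has no binding on $port" }
}

# 3. The Autodiscover application must exist under the external site, and the FE must
#    actually be listening on the two external ports (a stopped site binds but does not listen).
$auto = Get-WebApplication -Site $ext.Name | Where-Object { $_.path -eq '/Autodiscover' }
if ($auto) { Write-Host "Autodiscover app present: $($auto.PhysicalPath)" }
else       { Write-Warning "no /Autodiscover application under $($ext.Name)" }

$listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
          Where-Object { $_.LocalPort -in 4443, 8080 } |
          Select-Object -ExpandProperty LocalPort -Unique
Write-Host "listening on: $($listen -join ', ')"

# 4. Local request straight to the external site on 4443, bypassing TMG. If this works
#    but the same path fails from the Internet, the problem is publishing/DNS/NAT, not the FE.
#    The FE certificate must be trusted by this host or the TLS handshake fails first.
$extFqdn = ($webServers | Select-Object -First 1).ExternalFqdn
if (-not $extFqdn) { Write-Warning 'ExternalFqdn is empty in the topology: mobile clients cannot be told where to go'; return }
try {
    $r = Invoke-WebRequest -Uri "https://${extFqdn}:4443/Autodiscover/AutodiscoverService.svc/root" -UseBasicParsing
    Write-Host "local Autodiscover on 4443: HTTP $($r.StatusCode)"
} catch {
    Write-Warning "local Autodiscover on 4443 failed: $($_.Exception.Message)"
}
```

An empty ExternalFqdn in step 1, or one that differs from the name in the TMG publishing rule, is the "external web URL was not right" condition the poster later reported; a missing 4443/8080 binding or a missing /Autodiscover application means the reverse proxy has nothing valid to forward to, regardless of how the rule is written.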