Skype for Business Reverse Proxy via Cloud WAF

  • Question

  • Have any SfB admins out there tried running the RP via a cloud based WAF like CloudFlare or Incapsula? Traffic is all HTTP(S) and there are no protocols like SIP audio or UDP across the RP, so it seems it should work. I am hoping to hear back from one or more people who have done this before making changes to my prod environment.

    Thanks in advance for any info.

    WP


    Will Perry

    Monday, March 5, 2018 9:59 PM

Answers

  • Hi Will,

    The reverse proxy is not your internal server; it is put in the DMZ like the edge server, not in your internal network. Yes, the reverse proxy handles all incoming HTTP(S) traffic (the simple URLs (lyncdiscover, meet and dialin) are accessed anonymously, whereas external traffic to the Front End Pool External Web Services handles authentication and is authenticated). If you want to protect the internal servers, Microsoft's solution is to deploy a Director Pool to handle anonymous traffic and authentication. However, Director Pools are domain joined and would usually be deployed on the inside of your firewalls, like the following screenshot. I have not tried these settings: Internet -> WAF -> RP -> SFB, so I cannot give you a result about the feasibility of this setup.


    Best Regards,
    Leon Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Wednesday, March 14, 2018 2:08 AM

All replies

  • Hey Will,

    The role of the RP is to forward 443 traffic from external to 4443 listening on the front end servers. You typically use either IIS ARR, WAP or something like an F5 LTM to do this for you.

    In terms of using a cloud based service, you'd be exposing your internal front end pool to the internet, which is definitely a security risk. I'd advise against this.

    - Craig

    blog.chiffers.com


    Tuesday, March 6, 2018 3:25 AM
  • That is correct, but what I’m looking at is placing the WAF in front of the RP. Essentially, adding an additional layer of protection.

    Functionally, I believe it should work, but I don't see any documentation or other people doing it.

    One possible issue I see is the WAF cert, as the CN on the WAF cert is usually the WAF provider and they use SNs for all the hosts on that cert.

    I’m hoping there is someone out there who has tried this, successfully or not, that I can learn from. If I can find time, I’ll try setting this up in a lab environment in the next few weeks.


    Will Perry


    Tuesday, March 6, 2018 3:53 AM
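    The certificate concern raised above, as an added example that is not part of the original thread: when a cloud WAF terminates TLS in front of the reverse proxy, clients see the WAF's certificate, so every published SfB hostname must be covered by its Subject Alternative Names. This Python check (hostnames, the sample certificate and the function names are assumptions) reports which names are not covered, and can fetch a live endpoint's certificate with SNI set.

```python
"""Check that a TLS certificate covers the SfB external hostnames.

Added example, not from the forum thread. `peercert` uses the dict
shape returned by ssl.SSLSocket.getpeercert(); hostnames are placeholders.
"""
import socket
import ssl

# Assumed external hostnames of an SfB deployment (placeholders).
SFB_EXTERNAL_HOSTS = [
    "lyncdiscover.example.com",
    "meet.example.com",
    "dialin.example.com",
    "webext.example.com",   # Front End pool external web services FQDN
]


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single leftmost wildcard label (RFC 6125 style)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_dns_names(peercert: dict) -> list:
    """Collect dNSName SAN entries plus the subject CN (CN only as fallback)."""
    names = [v for (t, v) in peercert.get("subjectAltName", ()) if t == "DNS"]
    for rdn in peercert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names


def uncovered_hosts(peercert: dict, hosts=SFB_EXTERNAL_HOSTS) -> list:
    """Return the SfB hostnames this certificate does not cover."""
    names = cert_dns_names(peercert)
    return [h for h in hosts if not any(_dns_name_matches(n, h) for n in names)]


def fetch_peercert(host: str, port: int = 443) -> dict:
    """Fetch the certificate a live endpoint presents for `host` (SNI set)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: provider CN, customer SANs, dialin missing on purpose.
SAMPLE_WAF_CERT = {
    "subject": ((("commonName", "waf-edge.provider.example"),),),
    "subjectAltName": (("DNS", "waf-edge.provider.example"),
                       ("DNS", "lyncdiscover.example.com"),
                       ("DNS", "meet.example.com"),
                       ("DNS", "webext.example.com")),
}
```

    Run `uncovered_hosts(fetch_peercert("lyncdiscover.example.com"))` against each published name to see what the front door actually presents.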
  • Hi Will Perry,

    I agree with Craig; I recommend that you not run the RP via a cloud based WAF like CloudFlare or Incapsula. Please use one of the reverse proxy servers below:

    Vendor             Product                Software Version        Documentation
    Citrix             Netscaler              10.5 Build 56.22.nc     Deploying Skype for Business 2015 with Netscaler (PDF)
    F5                 BIG-IP                 11.6.0 Build 0.0.401    Technical documentation from F5
    Kemp Technologies  Kemp LoadMaster        7.1-30                  Kemp LoadMaster family of products
    Microsoft          Web Application Proxy  Windows Server 2012 R2  Configuring the Windows Server 2012 Web Application Proxy as a Reverse Proxy for Lync Server (and Skype for Business)

    If you want to know more details about the RP, you could refer to the following link.

    https://technet.microsoft.com/en-us/office/dn947483


    Best Regards,
    Leon Lu



    Wednesday, March 7, 2018 6:37 AM
  • What is the reason for this? Is there any documentation from MS stating that you should not use a WAF in front of the RP? Is there something other than standard https traffic that won't work properly through the WAF?

    My concern is that the RP is essentially exposing one of my internal servers to the Internet. Even if it is doing some port translation (443 -> 4443), that server is receiving traffic directly from the Internet and forwarding it, unscanned and unmodified, to my FE.

    To be absolutely clear, I am NOT proposing a WAF in place of the RP. I am only looking to add a layer of security.

    It would look something like this.

    Internet -> WAF -> RP -> SFB


    Will Perry

    Wednesday, March 7, 2018 6:32 PM
  • Hi ,

    Do you have any updates? If the reply helped you, please mark it as the answer.


    Best Regards,
    Leon Lu



    Thursday, March 15, 2018 10:37 AM
  • Hi,

    Are there any updates on this issue? If the reply is helpful to you, please mark it as an answer; it will help others who have a similar issue.


    Best Regards,
    Leon Lu



    Monday, March 19, 2018 8:32 AM
  • Hi Will,

    Internet -> WAF -> RP -> SFB

    I saw this working for SFB, but there is an issue where a user signed in from an external network is unable to search internal company contacts by name. However, the Lync client (15.0.4420.1017) doesn't have this issue.

    The interesting thing is that the SFB client version 16 doesn't get the certificate but the Lync client version 15 does.

    This has been escalated to MS, and MS suspects it's because of WAF settings related to cookies, but we are still awaiting MS to explain why it only impacts SFB client version 16 and not Lync client version 15.

    Note: the Android SFB mobile client signed in from an external network can search internal company contacts by name without issue.

    Also, the link below might help.

    https://www.ssl247.com/kb/ssl-certificates/troubleshooting/general/How-to-configure-the-UTM-Web-Application-Firewall-for-Microsoft-Lync-Web-Services-connectivity

    Alex Yang

    Saturday, August 24, 2019 1:35 PM
  • Hi Will,

    There is no issue for our customer by putting the WAF in front of Reverse Proxy.

    Internet -> WAF -> RP -> SFB

    The issue that our customer experienced in my previous post was due to the cookies setting in WAF and it is resolved by disabling some cookies settings.

    Hope this helps.

    Monday, September 23, 2019 4:49 AM