Lync reverse proxy in TMG

  • Question

  • I have my TMG in my DMZ with a hardware firewall that separates the LAN from the DMZ and the DMZ from the WAN. My TMG has one NIC and does the reverse proxy for my Outlook and ActiveSync just fine. I want to set up my internal Lync server that sits on my LAN for access by remote corporate users. I would prefer to run just one NIC and one external IP for both Lync and Outlook remote and Exchange ActiveSync. So when I go to create the rule for my external Lync server it says that TMG has detected a single network adapter and that server publishing rules are not supported in this mode. So why won't this work? Isn't Lync just another app that needs to be proxied to my LAN? All items are version 2010 for your reference.

      
    Friday, March 2, 2012 4:55 PM

All replies

  • Hi,

    When you say "remote corporate users", did you mean users connected via WAN or internet/home users?

    For internet/home or remote Lync access (outside the office network), the Lync Edge server role is required.

    Thanks

    Saleesh

    • Marked as answer by Sean_Xiao Wednesday, March 14, 2012 2:59 AM
    Friday, March 2, 2012 5:23 PM
  • I second that with Saleesh. Lync remote users require an Edge server, which will be placed in the DMZ, to sign in. However, TMG is required to publish Lync services, i.e. meet.company.com, dialin.company.com, address book download and Lync mobility services. For more information: http://technet.microsoft.com/en-us/library/gg399048.aspx. Hope the above helps.

    If the answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs: http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    • Marked as answer by Sean_Xiao Wednesday, March 14, 2012 2:59 AM
    Friday, March 2, 2012 8:59 PM
  • Hi,

    TMG works for Lync Web App and the mobility discovery service for external users. If you want remote users to log in with the Lync client, you need to deploy an Edge Server. When you publish Lync Web App through TMG, two interfaces are required on the TMG server: one for the internal network and another for the external network.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, March 6, 2012 6:19 AM
  • So why does Lync work the opposite of Exchange server? The EX2010 Edge is for external clients not on the same domain, while TMG with reverse proxy is for domain clients. Also, why the two NICs? TMG with reverse proxy works with one just fine. This all seems strange, that they would do them completely opposite.
    Friday, March 9, 2012 2:18 AM
  • Hi,

    Exchange Edge and Lync Edge are two completely different things and do different things. The best practice and recommendation is to have 2 NICs or more (depending on the traffic) on the Edge server: one interface connecting to the WAN side from the DMZ and the other one connecting to the LAN side.


    Thamara. MCTS, MCITP Ent Admin, Specialized in U.C Voice OCS 2007 R2 Z-Hire -- Automate IT Account creation process ( AD / Exchange / Lync )

    • Marked as answer by Sean_Xiao Wednesday, March 14, 2012 2:59 AM
    Friday, March 9, 2012 2:24 AM
  • Hi,

    The Lync Edge server and the reverse proxy server both need two network adapters. The Lync reverse proxy's external interface listens for access from the internet and transfers the access to the internal Lync FE server through the internal interface.

    About Edge/Reverse Proxy Network Adapter Requirements: http://technet.microsoft.com/en-us/library/gg412787.aspx

    About Set Up Reverse Proxy Servers: http://technet.microsoft.com/en-us/library/gg398069.aspx


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Proposed as answer by Sean_Xiao Tuesday, March 13, 2012 7:49 AM
    • Marked as answer by Sean_Xiao Wednesday, March 14, 2012 2:59 AM
    Friday, March 9, 2012 3:20 AM
  • Hi,

    I need some help in setting up a reverse proxy to allow simple meeting URL access from outside for Lync 2010. I have followed lots of setup documentation to set it up, but now every time I try to access a meeting request from outside I get an error:

    "The policy rules do not allow the user request

      Rule: Default rule"

    Here is my setup:

    Two interfaces, one facing internal and the other external. The public IP has been NATed to the external interface. A certificate from GoDaddy is in place and has been applied on the external interface. Traffic from port 443 is forwarded to 4443. I see the request come to TMG in the logs, but I see the Default rule at this point blocking it. In the browser I get Error 403, server not found.

    Do I need to create any outbound rule allowing traffic leaving from inside the network to the Internet? Not sure.

    Any help will be appreciated.

    Thanks, Pankaj.

    Friday, March 9, 2012 5:30 PM
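    The symptom above (a request on the external listener falling through to "Default rule") and the list of names Salahuddin says TMG has to publish (meet, dialin, address book and mobility) both come down to the same two checks: does some web publishing rule list the requested host as a public name, and does the certificate bound to the external listener cover that host. The following is an added example in Python, not TMG or Lync code, that models that first-match evaluation on constructed data: the rule names, the `lyncweb`/`lyncdiscover` hostnames and the SAN list are assumptions, while `meet.company.com`, `dialin.company.com` and the 443 to 4443 bridge are taken from the thread.

```python
"""Model of TMG-style web publishing rule evaluation for a Lync reverse proxy.

Added example (not TMG's or Lync's own code). Rules are matched first-match on
listener port and public name; anything unmatched falls to the Default rule,
which denies. Hostname matching follows the usual RFC 6125 convention: exact
match, or a single leading '*.' covering exactly one leftmost label.
"""
from dataclasses import dataclass

DEFAULT_RULE = "Default rule"  # TMG's implicit catch-all deny rule


@dataclass(frozen=True)
class PublishingRule:
    name: str
    public_names: tuple        # hostnames this rule accepts (Host header)
    listener_port: int = 443   # external SSL listener
    bridge_port: int = 4443    # internal port on the Lync Front End


def hostname_matches(name: str, pattern: str) -> bool:
    """True if `name` is covered by `pattern` (exact or one-label wildcard)."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if name == pattern:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".company.com"
        # Same number of labels ensures the wildcard spans exactly one label.
        return name.endswith(suffix) and name.count(".") == pattern.count(".")
    return False


def certificate_covers(hostname: str, san_names) -> bool:
    """Does the listener certificate's SAN list cover the requested host?"""
    return any(hostname_matches(hostname, san) for san in san_names)


def match_rule(rules, host: str, port: int):
    """First-match lookup; None means the request falls to the Default rule."""
    for rule in rules:
        if rule.listener_port == port and any(
            hostname_matches(host, p) for p in rule.public_names
        ):
            return rule
    return None


def evaluate_request(rules, san_names, host: str, port: int = 443):
    """Return (decision, detail) for an inbound request on the external listener."""
    rule = match_rule(rules, host, port)
    if rule is None:
        # No public name matched: exactly the "Rule: Default rule" denial.
        return ("deny", DEFAULT_RULE)
    if not certificate_covers(host, san_names):
        # Rule exists, but the client would see a certificate name mismatch.
        return ("cert-name-mismatch", rule.name)
    return ("allow", f"{rule.name} -> FE:{rule.bridge_port}")


# Constructed sample configuration (assumed names, not from a real deployment).
RULES = (
    PublishingRule("Lync simple URLs", ("meet.company.com", "dialin.company.com")),
    PublishingRule("Lync external web services",
                   ("lyncweb.company.com", "lyncdiscover.company.com")),
)
SAN_NAMES = ("meet.company.com", "dialin.company.com",
             "lyncweb.company.com", "lyncdiscover.company.com")


def missing_public_names(rules, wanted_hosts):
    """Hosts that no rule publishes: each one would hit the Default rule."""
    return [h for h in wanted_hosts if match_rule(rules, h, 443) is None]


if __name__ == "__main__":
    for host in ("meet.company.com", "www.company.com", "lyncdiscover.company.com"):
        print(host, evaluate_request(RULES, SAN_NAMES, host))
    print("unpublished:", missing_public_names(RULES, ("meet.company.com", "abs.company.com")))
```

    Running it on the sample data shows `meet.company.com` allowed and bridged to 4443, while a host that no rule lists comes back as a Default rule denial, which is the log line to look for when a published URL 403s at the proxy instead of reaching the Front End.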
  • There are a couple of good resources around this subject that you may like to take a look at:

    Remote Conferencing with Lync Web App with Forefront Threat Management Gateway 2010 Reverse Proxy: Part 1, Part 2

    Set Up Reverse Proxy Servers

    Can TMG be use to FULLY publish Lync Edge2010

    Hope this helps!


    TechNet Forum Moderator (Unified Communications) - http://www.leedesmond.com

    Saturday, March 10, 2012 9:47 AM
  • Hi,

    Thanks for your response, really appreciate it. When I click on the Test Rule button it does show all success. I also created an access rule and now I don't get any error message, but I am still getting the Error code: 403 Forbidden from outside. When I look into the logs of TMG I see these two entries:

    Initiated Connection

    Status: The operation completed successfully

    --

    Closed Connection

    Status:  The connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake

    I installed Wireshark on my Front End server and don't see any traffic coming from the proxy.

    Thanks, Pankaj.

    Monday, March 12, 2012 4:39 PM