Remote Access and Reverse Proxy

  • Question

  • So, here's my thing. I am in charge of developing and deploying an entire SfB infrastructure to a corporate environment for over a thousand users. I have full functionality INTERNALLY. The issue is the external portion. Here is the layout:

    1 Edge, with single public IP (all traffic from that IP NAT to Edge pool)
    Public Addy is skype.domain.com (which is also the name of the FE pool)

    Everything else is standard fare deployment structure - BE pool, file share, etc.

    With this setup, I was able to get, at ONE point, remote access from the PC client. (It's not working now, after a rebuild of the Edge Pool due to an unrelated virtualization problem)

    Can I achieve remote access WITHOUT deploying a Reverse Proxy? I just want our users to be able to do standard AD passthrough authentication. I want the traffic to hit the Edge, authenticate via the Registrar on the FE, and just WORK. It seems adding all these different servers is creating more points of articulation and potential failure, and I've had to deploy far too many servers as it is. And if achieving this is possible, I'm not certain where the issue is. There isn't much reason I can think of that this project has to be so convoluted. But, I'm also accustomed to working within the pre-conditioned confines of a hosted Lync 365 flavor where I don't mess with all the soilwork.

    Any insight is greatly appreciated!

    Monday, August 8, 2016 7:41 PM

Answers

  • Hi Bengeirr,

    Thank you for your post.

    Regarding your question, I will answer 2 points:

    [Point 1] Some of the features that require external access through a Reverse Proxy include the following:

    • Enabling external users to download meeting content for your meetings.
    • Enabling external users to expand distribution groups.
    • Enabling remote users to download files from the Address Book service.
    • Accessing the Lync Web App client.
    • Accessing the Dial-in Conferencing Settings webpage.
    • Enabling external devices to connect to Device Update web service and obtain updates.
    • Enabling mobile applications to automatically discover and use the mobility (Mcx) URLs from the Internet.
    • Enabling the Lync 2013 client, Lync Windows Store app and Lync 2013 Mobile client to locate the Lync Discover (autodiscover) URLs and use Unified Communications Web API (UCWA).

    Please note, all the descriptions above are suitable for Skype for Business Server 2015. So Reverse Proxy is necessary for your scenario.

    [Point 2]

    We can use Microsoft Forefront Threat Management Gateway 2010, Microsoft Internet Security and Acceleration (ISA) Server 2006 SP1, or Internet Information Server 7.0, 7.5 or 8.0 with Application Request Routing (IIS ARR) as a Reverse Proxy.

    Note: Internet Information Server Application Request Routing (IIS ARR) is a fully tested and supported option for implementing a reverse proxy for Lync Server 2010 and Lync Server 2013 (also for Skype for Business Server 2015). In November 2012, Microsoft ceased license sales of Forefront Threat Management Gateway 2010, or TMG. TMG is still a fully supported product, and is still available for sale on appliances sold by third parties. Also, many third-party hardware load balancers and firewalls provide reverse proxy support. For hardware load balancers and firewalls that provide reverse proxy features, check with your vendor for specific instructions on how to configure their product to provide reverse proxy support for Lync Server. You can also view third parties that have submitted documentation for their product to Microsoft. Support is provided by the third party for their solution. To see third parties that are active in providing solutions, see Infrastructure qualified for Microsoft Lync.

    Hope the reply is helpful to you.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by Bengeirr Tuesday, August 9, 2016 2:23 PM
    Tuesday, August 9, 2016 8:55 AM
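
To see what the answer above means for a specific deployment, the following added example (not part of the original thread or of Microsoft's documentation) lists the external web services FQDN and ports that each web service in the topology expects a reverse proxy to publish, and checks whether those names and the Lync Discover record resolve in public DNS. It is meant for the Skype for Business Server Management Shell; `contoso.com` is a placeholder SIP domain and `8.8.8.8` is an assumed public resolver.

```powershell
# Added example, not from the thread. Run in the Skype for Business Server
# Management Shell on a machine that can query a public DNS resolver.
# Assumptions: contoso.com is a placeholder SIP domain; 8.8.8.8 is used so the
# result reflects what external clients see rather than internal split-brain DNS.
param(
    [string]$SipDomain      = 'contoso.com',
    [string]$PublicResolver = '8.8.8.8'
)

function Resolve-PublicName {
    param([string]$Name, [string]$Server)
    try {
        # A CNAME chain also returns the final A/AAAA records; keep only those.
        $records = Resolve-DnsName -Name $Name -Server $Server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' -or $_.Type -eq 'AAAA' }
        if ($records) { ($records.IPAddress | Select-Object -Unique) -join ', ' }
        else          { '<no address record>' }
    }
    catch { '<does not resolve>' }
}

# External web services settings as defined in the published topology.
$webServices = Get-CsService -WebServer | ForEach-Object {
    $publicDns = if ($_.ExternalFqdn) { Resolve-PublicName $_.ExternalFqdn $PublicResolver }
                 else                 { '<ExternalFqdn not set>' }
    [pscustomobject]@{
        Pool          = $_.PoolFqdn
        ExternalFqdn  = $_.ExternalFqdn
        ListenPort    = $_.ExternalHttpsPort           # port the external web site listens on
        PublishedPort = $_.PublishedExternalHttpsPort  # port the reverse proxy presents externally
        PublicDns     = $publicDns
    }
}
$webServices | Format-Table -AutoSize

# The Lync Discover (autodiscover) name that external and mobile clients look up.
$discoverName = "lyncdiscover.$SipDomain"
[pscustomobject]@{
    Name      = $discoverName
    PublicDns = Resolve-PublicName $discoverName $PublicResolver
} | Format-Table -AutoSize
```

If `ExternalFqdn` or the Lync Discover name resolves to the public address that is NATed to the Edge pool, HTTPS requests for the features listed above arrive at the Edge instead of at a reverse proxy that forwards them to the listed listen port.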

All replies

  • Hello,

    https://technet.microsoft.com/en-us/library/dn594589.aspx Check the Skype for Business Server 2015 Protocol Workloads PDF (http://go.microsoft.com/fwlink/p/?LinkId=550989) or Visio. It will explain a lot about why you need a reverse proxy. It is also used for autodiscover.

    Sincerely,

    Erdem


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Monday, August 8, 2016 7:58 PM
  • That's helpful. But, the MS White Paper for configuring a RevProxy also mentions requiring yet ANOTHER server for AD FS. If I have to have it, so be it. But it's getting ludicrous the number of machines it requires to deploy the application. 

    So, I guess then, I HAVE TO HAVE an AD FS server as well in order for the RevProxy to work??

    Tuesday, August 9, 2016 7:15 PM