Lync external web services without reverse proxy

  • Question

  • Hi Everyone,

    I appreciate the security concerns for not using a reverse proxy, but I'm hoping someone could give me some advice with regards to setting this up.

    I have read a blog about how to configure this, but I am not entirely clear about parts of the setup. We already have the edge server in place and it works for external user access. At this stage we are not using public certificates (although going forward we will). The internally published certificate on the FE server already has an entry for the external website - do I therefore need to create a separate certificate and will it work if it's not from a trusted public CA?

    The other confusion I have is regarding DNS for the dialin, meet and webservices URLs. Our internal domain doesn't match our SIP domain - we can't add internal DNS entries for these URLs. During internal testing for dialin and meet functionality we just added these as external DNS entries, but obviously in reality this won't work. Externally I guess we need a DNS entry for the external webservices URL (which will point to our front end?), but how will Lync resolve dialin and meet? Can we use hosts entries for these and if so where?

    I apologise if any of the above isn't clear and will gladly offer any further details that might help. This is all very new to me, so any help would be much appreciated!

    Many thanks

    Matt

    Tuesday, March 6, 2012 12:01 PM

Answers

  • Hi,

    If your internal domain doesn't match your SIP domain, you should create a SIP domain zone in your DNS server. In the external network, you just need to release the SIP domain in the public DNS server. If you assign a public IP address to your Lync FE server, the external web service URL needs to point to the FE server.

    But it is not recommended that the external URL point to the Lync FE server. You'd better deploy the reverse proxy server. Some people use the enterprise external firewall to NAT the ports (80--8080, 443--4443) to listen for the external URL access; you can also give that a try.

    You can also refer to this article about Lync External Web Services without Reverse Proxy.




    • Edited by Sean_Xiao Friday, March 9, 2012 5:04 AM
    • Proposed as answer by Sean_Xiao Tuesday, March 13, 2012 9:10 AM
    • Marked as answer by Sean_Xiao Wednesday, March 14, 2012 3:01 AM
    Thursday, March 8, 2012 6:34 AM
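
The internal DNS step from the answer above, as an added example that is not part of the original thread. It assumes a Windows Server 2012 or later DNS server with the DnsServer PowerShell module; the domain `contoso.com` and the address `10.0.0.20` are placeholders, not values from the thread.

```powershell
# Added example: create an internal zone for the SIP domain and point the
# simple URLs at the internal Front End, then verify what clients resolve.
# All names and addresses below are assumed placeholders.
$SipDomain      = 'contoso.com'      # SIP domain (differs from the AD domain)
$FrontEndIp     = '10.0.0.20'        # internal Front End / pool address
$SimpleUrlHosts = 'dialin', 'meet'   # host parts of the simple URLs

# Create the zone only if the internal DNS server does not already host it.
# Caveat: once this zone exists, the internal DNS server is authoritative for
# the whole SIP domain, so every public name in that domain that internal
# users need (for example www) must also get a record here.
if (-not (Get-DnsServerZone -Name $SipDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $SipDomain -ReplicationScope Domain
}

# Add an A record per simple URL, skipping records that already exist.
foreach ($h in $SimpleUrlHosts) {
    $existing = Get-DnsServerResourceRecord -ZoneName $SipDomain -Name $h `
        -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $SipDomain -Name $h `
            -IPv4Address $FrontEndIp
    }
}

# Verify from an internal client: each simple URL must resolve to the
# internal address, not to a public one and not to nothing.
$report = foreach ($h in $SimpleUrlHosts) {
    $fqdn   = "$h.$SipDomain"
    $answer = Resolve-DnsName -Name $fqdn -Type A -DnsOnly `
        -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
    [pscustomobject]@{
        Name     = $fqdn
        Resolved = ($answer.IPAddress -join ', ')
        Ok       = [bool]($answer.IPAddress -contains $FrontEndIp)
    }
}
$report | Format-Table -AutoSize

if ($report.Ok -contains $false) {
    Write-Warning 'At least one simple URL does not resolve to the internal Front End.'
}
```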

All replies

  • Hi Matt,

    For the first question about the certificate, please note that you can use a private certificate but will need to trust it manually for non-domain computers or endpoints like mobiles. However for Edge, Reverse Proxy or Front End.

    The other question about the simple URLs, please clarify your question.


    Best Regards,
    Hany Taha | UC/Voice Infrastructure Consultant | Technical Consultancy Services | Nile.Com | Mobile: +20 (10) 01686836

    Tuesday, March 6, 2012 1:48 PM