UAG and Lync certificate question and trunk creation?

  • Question

  • I will be using UAG for my reverse proxy instead of TMG. There is a plethora of TMG and Lync "how to" information out there, but UAG...not so much. My question is in regards to trunk creation and SAN certificate that I will enable for my LyncTrunk I am creating. When I create the trunk, it asks for a public host name which I initially labeled my lync external website FQDN (lyncweb.domain.com), but when I went to create my application and use that same name, I got an error saying that

    "AAM applications cannot be published when the host name matches the trunk host name, and the application path contains a forward /"

    I changed the trunk's public host name to portal.domain.com and made my way in creating the application with the lyncweb.domain.com settings just fine. So is that the normal methodology in UAG? Are my users going to have to go to portal.domain.com or will it still work for them going to lyncweb.domain.com?

    This brings up my second part of the question. If I do have to enable something like portal.domain.com for my public hostname, do I need to include it in the SAN certificate for Lync that I assign to the Trunk?

    Monday, May 21, 2012 4:31 PM
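An added check for the second half of the question (not from the thread): given a certificate's SAN list in the shape Python's ssl module reports it, list which of the names a UAG trunk must present are not covered. The certificate dict, the trunk public host name and the application host names are constructed placeholders taken from the post; whether UAG itself demands the trunk name on the certificate is the poster's open question and is not answered here.

```python
from typing import Iterable

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Host names are the placeholders used in the thread, not a real deployment.
SAMPLE_CERT = {
    "subject": ((("commonName", "lyncweb.domain.com"),),),
    "subjectAltName": (
        ("DNS", "lyncweb.domain.com"),
        ("DNS", "dialin.domain.com"),
        ("DNS", "meet.domain.com"),
    ),
}

# Assumed values: the trunk's public host name plus each published
# application's host name, as configured on the UAG trunk.
TRUNK_PUBLIC_HOST = "portal.domain.com"
APPLICATION_HOSTS = ["lyncweb.domain.com", "dialin.domain.com", "meet.domain.com"]


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive, wildcard allowed only as the
    whole leftmost label, never matching across a dot or a bare domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list[str]:
    """DNS entries of the SAN extension; the CN is ignored, as clients do
    whenever a SAN extension is present."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def missing_hostnames(cert: dict, required: Iterable[str]) -> list[str]:
    """Names in `required` that no SAN DNS entry covers."""
    names = san_dns_names(cert)
    return [h for h in required if not any(_dns_name_matches(n, h) for n in names)]


def check_trunk_certificate(cert: dict, trunk_host: str, app_hosts: Iterable[str]) -> list[str]:
    """Gaps between the certificate and the trunk host name plus every
    published application host name."""
    return missing_hostnames(cert, [trunk_host, *app_hosts])


if __name__ == "__main__":
    gaps = check_trunk_certificate(SAMPLE_CERT, TRUNK_PUBLIC_HOST, APPLICATION_HOSTS)
    print("missing from SAN:", gaps or "none")  # → ['portal.domain.com']
```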

Answers

  • I had looked at Ben's post several times already before and I guess due to my non-experience with UAG, and my newness to Lync, I was missing a key and vital step that I think I just got resolved. I have not fully tested this yet, so take this for what it's worth.

    I had my external web services in Lync thought process wrong and had my internal DNS for that FQDN pointing to my UAG.
    Once I fixed my DNS record to resolve to my HLB VIP for the Front End servers, I also noticed that my HLB had no definition for ports 4443 and 8080. The HLB manufacturer's documentation did not mention 8080, and 4443 only if I needed HLB for multiple Edge servers which I do not have. I created these two services on the HLB and tied them to my Front End IP addresses. After that, I was able to access my Lync page from the outside world...sort of. I can type in the lyncweb.domain.com and it gets me to the same page that I would get if I typed that inside my network. I have to add the /dialin at the end of the URL to get me to the correct page; which it does now...Yay!

    When I look at the Lync Web App that it created with me using the Lync 2010 template, under the Application Properties, then Portal Link tab, it shows the correct URL with the /dialin at the end (so https://lyncweb.domain.com/dialin), but it does not redirect me there as stated above, so I'll be researching that now.

    Anyone have any ideas on the URL issue?

    Thanks.

    • Marked as answer by Tankster Thursday, May 24, 2012 1:48 AM
    Wednesday, May 23, 2012 5:55 AM

All replies

  • Hi,

    See Ben Ari's blog for guidance on this topic: http://blogs.technet.com/b/ben/archive/2012/02/13/lync-publishing-on-uag.aspx


    Dirk Van den Berghe

    Tuesday, May 22, 2012 8:19 AM
  • Ben Ari replied to me on his blog posting concerning the URL redirect issue.

    "I'm afraid UAG does not have the ability to do this when connecting to the URL directly." -Ben

    So I'm considering this issue for me resolved.

    On a side note, in case someone else runs into a similar issue. I tested a calendar meet to an external user today and when the external user clicked on the link provided in email, the UAG screen bombed with error could not communicate with back end server (or something like that). To resolve, I added internal IP address and hostname to the hosts file on the UAG. My UAG is domain joined (so LAN and WAN setup) and I'm using a split DNS setup domain.local and domain.com. I guess since it could resolve it externally, it was not trying to hit it internally. Still learning about this UAG beast :-)

    Thursday, May 24, 2012 1:47 AM