IIS reverse proxy

  • Question

  • With TMG going away, I started checking my options for reverse proxy. IIS reverse proxy using URL Rewrite looks good, but there is no clear documentation on how to set it up.

    I am reading articles and got confused. Do I set up the server the same way I set up TMG? One NIC connected to the LAN and another one to the DMZ? Set up a reverse proxy that points to internalservername.domain.local?

    Reading articles, it looks like I have to install URL Rewrite on the Lync server and not on another server that is located on DMZ, but I refuse to believe that this is true.

    Anyone installed it successfully?  Can you explain how to do this?

    Thank you.


    Thank you. Eric.

    Monday, January 28, 2013 10:50 PM

All replies

  • Hi,

    For Lync Server 2013,  any reverse proxy that can meet the requirements for publishing the necessary resource locations can be used. TMG is used as an example for the purposes of illustrating the publishing rules necessary, but Forefront TMG 2010 is not required. Any third-party solution, be it software or a hardware appliance, which has the capacity to publish the internal IIS HTTP/HTTPS services can typically be used.


    Kent Huang
    TechNet Community Support

    Wednesday, January 30, 2013 2:13 AM
  • Thank you for your reply.  I understand everything you said, but at this time I am having issues implementing the IIS Reverse Proxy and hope that someone could help me.

    I am checking IIS solution using the following article: http://blog.unifythis.com/2010/12/lync-reverse-proxy-using-iis-arr.html.  I am reading some other articles too, but cannot understand how to do it.  I hope someone could help me with my questions.
    • The TMG Reverse Proxy was required to have two NICs. One of them is connected to the LAN and another one is connected to the DMZ. Is it the same with this Reverse Proxy?
    • If I am checking the article above, it seems that I can have Reverse Proxy for multiple servers on the same box. The article above shows how to set up Farms, but does not explain how the Reverse Proxy will understand the incoming request. For example, I need to have Lync, Exchange, and SharePoint proxy setup. It means that any requests that come for the Lync server should be forwarded to the Lync Server(s) and port 80 should be forwarded to the port 8080, port 443 should be forwarded to the port 4443. Requests for Exchange should be forwarded to port 443 and should be forwarded to /owa or /autodiscovery directories. For SharePoint, all requests should be forwarded to the port 443. How does the Farm do it? How does it know which Farm to use if all incoming requests are coming to port 80? Those are different URLs, but I cannot find how to set it up.
    • And I am not sure how to set it all up.
    • Do I join this Reverse Proxy Server to the domain?

    Any help with this would be appreciated.

    Thank you.


    Thank you. Eric.


    • Edited by KPABA Wednesday, January 30, 2013 2:27 PM
    Wednesday, January 30, 2013 2:21 PM
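
Added example, not part of the thread and not taken from the linked article: a sketch of how URL Rewrite global rules on an ARR server can pick a server farm from the Host header, with the Lync port mapping (80 to 8080, 443 to 4443) set on the farm member. The public host names (`lyncweb.example.com`, `mail.example.com`), internal server names and farm names are placeholders; only the hosts and paths that have a rule are forwarded.

```xml
<!-- applicationHost.config on the ARR server; all names are placeholders -->
<configuration>
  <webFarms>
    <!-- Lync: the 80 -> 8080 and 443 -> 4443 mapping is set per farm member -->
    <webFarm name="LyncFarm" enabled="true">
      <server address="lyncfe.domain.local" enabled="true">
        <applicationRequestRouting httpPort="8080" httpsPort="4443" />
      </server>
    </webFarm>
    <!-- Exchange keeps the default ports (80/443) -->
    <webFarm name="ExchangeFarm" enabled="true">
      <server address="exchange.domain.local" enabled="true" />
    </webFarm>
  </webFarms>
  <system.webServer>
    <rewrite>
      <globalRules>
        <!-- The Host header selects the farm; {HTTPS} selects the scheme -->
        <rule name="Lync HTTPS" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="lyncweb.example.com" />
            <add input="{HTTPS}" pattern="on" />
          </conditions>
          <action type="Rewrite" url="https://LyncFarm/{R:0}" />
        </rule>
        <rule name="Lync HTTP" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="lyncweb.example.com" />
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Rewrite" url="http://LyncFarm/{R:0}" />
        </rule>
        <!-- Exchange: only the published paths are forwarded, HTTPS only -->
        <rule name="Exchange HTTPS" stopProcessing="true">
          <match url="^(owa|autodiscover)(/.*)?$" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^mail\.example\.com$" />
            <add input="{HTTPS}" pattern="^on$" />
          </conditions>
          <action type="Rewrite" url="https://ExchangeFarm/{R:0}" />
        </rule>
      </globalRules>
    </rewrite>
  </system.webServer>
</configuration>
```

A SharePoint farm would follow the same pattern as the Exchange rule, with its own host name and without the path restriction.
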
  • sounds like you're a good candidate to open up your firewall to FW external port 443 -> 4443 and 80-> 8080.  I wouldn't do it in Enterprise environment  - but, you don't sound like that's your case.

    Google around "using Lync edge without reverse proxy" and there are several people on this forum who help users get by the 'requirement' of the reverse proxy.  

    You'll have to dance around certificate challenges ... and it's not supported, but it works.

    _G


    if my post is helpful - please click on the green arrow. (please excuse, in advance, any perceived sarcasm/humor - as I often forget it does not translate through text) :)


    • Edited by Greg Seeber Wednesday, January 30, 2013 6:51 PM cert
    Wednesday, January 30, 2013 6:50 PM
  • Sorry, but no. 

    This is not for us.  This is for our clients.  We have a couple of new clients that we are planning new Lync installation.  We cannot offer them to buy TMG and we are looking for another solution.

    Thank you.


    Thank you. Eric.

    Wednesday, January 30, 2013 7:17 PM
  • use apache. it works. had another user using squid.

    http://social.technet.microsoft.com/Forums/en-US/ocsedge/thread/77752c28-15f0-40b8-b1e0-78c79805239b/

    it's 'free' ... and it kinda works.  lol.   don't give up on the 'reverse proxy not required' scenario so quickly though.

    -g



    Wednesday, January 30, 2013 7:26 PM
  • Thank you Greg,

    I kinda want to stick with a Microsoft solution. It would be much easier in case we have problems and need Microsoft support to work with us.

    Thank you.


    Thank you. Eric.

    Wednesday, January 30, 2013 7:29 PM
  • Lync is reverse proxy agnostic, per Microsoft.  I have had several conversations with Rick Kingslan of Microsoft.  

    Nevertheless, have you checked out this guy who did it and documented it?  http://blog.unifythis.com/2010/12/lync-reverse-proxy-using-iis-arr.html

    Looks pretty easy. Thoughts?



    Wednesday, January 30, 2013 7:37 PM
  • Thank you for your reply.

    This is the document that I am using. I did not test it with Lync, but the OWA part does not work. It gives me

    502 - Web server received an invalid response while acting as a gateway or proxy server.

    There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.

    If OWA does not work, I am sure that Lync will not work either.

    Thank you.


    Thank you. Eric.

    Wednesday, January 30, 2013 7:41 PM
  • Hi,

    The next best option would be to go for a publishing-capable hardware firewall.


    Thamara. MCTS, MCITP Ent Admin, Specialized in U.C Voice OCS 2007 R2 Z-Hire -- Automate IT Account creation process ( AD / Exchange / Lync )

    Saturday, February 9, 2013 2:50 AM
  • Make sure that your certificates are correct on your upstream servers.
    Friday, February 15, 2013 2:56 AM