Lync Server Control Panel browsing issue

  • Question

  • Hi,

    I have my Lync server deployed, and here is my issue:

    The Control Panel is accessible only from inside the domain, with both Lync Control Panel and IE, by https://lync-front.mydomain.local/cscp

    However, it is not accessible from outside by https://lync-front.mydomain.com/cscp

    When accessed by this external domain it asks for username and password, but then it fails to log in and keeps saying the username and password are incorrect, while from inside it is working just fine. Below is detailed info on my infrastructure setup:

    My internal domain is mydomain.local and external domain is mydomain.com.

    Front end server pool is lync-front.mydomain.local (which can't be changed)

    Internal web services is lync-front.mydomain.local

    External web services is lync-front.mydomain.com

    My DNS is set up as follows: I have created a zone for each of the external domain records. For example, for the dialin record in my internal DNS I have created a DNS zone as dialin.mydomain.com (which is the external domain) and have created a blank A record within it pointing to the front end server. Same with other records, including lync-front.

    External DNS is on godaddy.com; all the records are pointed to my public-facing router.

    I also gotta mention that I have Exchange 2013 infrastructure as well, and ports 443 and 80 of my router are port forwarded to the Exchange server for OWA access from outside.


    • Edited by Riaz Ansary Wednesday, May 27, 2015 7:56 PM
    Wednesday, May 27, 2015 7:41 PM

All replies

  • Wait a tick (as Austin Powers would say). CSCP was never meant to be accessible from outside (public internet). Being exposed on the Internet is a huge security risk. Am I understanding correctly that you want to manage your environment from the public Internet?!?

    If you look in IIS Manager, the External Web Site does not have CSCP virtual site (for the reason stated above).

    Drago


    http://www.lynclog.com


    Wednesday, May 27, 2015 8:18 PM
  • Hi Riaz Ansary,

    Drago is right. You only can access the Lync Server Control Panel from any computer inside your organization’s firewall.

    From https://technet.microsoft.com/en-us/library/gg425874(v=ocs.15).aspx

    "The Admin simple URL is internal only."

     

    Best regards,

    Eric

     



    Thursday, May 28, 2015 8:11 AM
    Moderator
  • Haha, nice. Can't wait for the new Austin Powers :).

    OK, I noticed that too now, that there is no CSCP for the external site in IIS. Thanks guys. How about other links like

    meet.mydomain.com and dialin and all? They give 403 - Forbidden: Access is denied. Why is that?

    Thursday, May 28, 2015 11:57 AM
  • "...I also gotta mention that I have Exchange 2013 infrastructure as well, and ports 443 and 80 of my router are port forwarded to the Exchange server for OWA access from outside..."

    So, how exactly do you do the Reverse Proxy, out of curiosity?

    Drago


    http://www.lynclog.com

    Thursday, May 28, 2015 12:42 PM
  • I don't have any reverse proxy. What do you mean by that? You can walk me through that as well. :) We can always be in contact directly as well, whatever is easier for you. You have been very helpful with my questions and I appreciate that a lot.

    This has been one of my biggest questions, on how to deal with ports and all this, since my infrastructure keeps growing.

    Thursday, May 28, 2015 1:15 PM
  • First of all, I have to say your determination to make this work with one single IP address is admirable :-)

    Now, as for Reverse Proxy - the name says it all. This is a method where we take a request on one end (Public) and "proxy" it back to a server/service on the internal network. One can immediately ask - what is the meaning of all this - I can just map public IP to internal and my router will do the Proxy stuff. True, indeed, but a "real" reverse proxy does a lot more than "mapping" and "port flipping" (as Lync requires). A good RP provides an additional layer of inspection and protection...

    Anyhow, back to Lync - we already discussed that Lync has two web sites, Internal and External. Internal works on port 443, external on port 4443. This is how the server "KNOWS" where the request is coming from. Then, of course, the server will respond accordingly.

    Here is one very simplified example - when you are internal, and you visit https://meet.contoso.com, the request goes to port 443, Lync server thinks "user is inside" and replies with the URL of the internal web services to join the meeting. When you are External, the request goes to the external leg of the RP on port 443, and the RP "proxies" the request to the Lync server on port 4443. Now the server thinks "ah, the user is external" and replies with the external web service FQDN (which the client can resolve when on the public internet).

    As I mentioned in another post, look for the KEMP free load balancer, then read about KEMP and content switching and you will see how you can serve multiple services with one single IP address.

    Drago


    http://www.lynclog.com

    • Marked as answer by Riaz Ansary Thursday, June 4, 2015 7:19 PM
    Friday, May 29, 2015 12:59 PM
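
The routing decision described in the post above, as an added Python sketch that is not part of the thread and is not KEMP configuration: one public listener on 443 picks a backend from the Host header, sends Lync names to the external web site on port 4443, and refuses the /cscp admin path. The Exchange host name and the mail.mydomain.com OWA name are hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Backends behind the single public IP. The Lync external web site listens on 4443.
LYNC = ("lync-front.mydomain.local", 4443)
EXCHANGE = ("exchange.mydomain.local", 443)   # hypothetical Exchange host name

# Content switching table: public Host header -> internal backend.
ROUTES = {
    "lync-front.mydomain.com": LYNC,
    "meet.mydomain.com": LYNC,
    "dialin.mydomain.com": LYNC,
    "mail.mydomain.com": EXCHANGE,            # hypothetical OWA name
}

# Admin paths that are never published, whatever the host.
BLOCKED_PREFIXES = ("/cscp",)


def normalize_path(raw_path):
    """Decode and collapse the path so /CSCP, /%63scp and /x/../cscp all compare equal."""
    path = unquote(raw_path.split("?", 1)[0]).replace("\\", "/")
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def route(host_header, raw_path):
    """Return ("proxy", "host:port") or ("deny", reason) for one public request."""
    host = host_header.strip().lower().split(":", 1)[0].rstrip(".")
    backend = ROUTES.get(host)
    if backend is None:
        # Default deny: names not in the table are not forwarded anywhere.
        return ("deny", "unknown host")
    path = normalize_path(raw_path)
    if any(path == p or path.startswith(p + "/") for p in BLOCKED_PREFIXES):
        return ("deny", "admin path not published")
    return ("proxy", "%s:%d" % backend)


if __name__ == "__main__":
    for host, path in [("meet.mydomain.com", "/"),
                       ("mail.mydomain.com", "/owa"),
                       ("lync-front.mydomain.com", "/cscp")]:
        print(host, path, "->", route(host, path))
```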
  • Haha YES, I wanna do this with one SINGLE IP address. :) It's for my own home data center, so I don't have much budget to pay for additional IPs and all. I have already spent so much on building a full scale data center :).

    Anyways: do you have any good resources on learning about Reverse Proxy setup and load balancing???

    Thursday, June 4, 2015 7:19 PM
  • Unfortunately, as with everything else, the information is all over the place. You know how this goes. I was considering writing a blog post for KEMP and a single IP address, but did not see any real value, since such an article will not be applicable to a REAL production environment. No one in their right state of mind :-) will do this in Prod.

    Drago


    http://www.lynclog.com

    Thursday, June 4, 2015 7:54 PM
  • Tuesday, June 16, 2015 4:09 PM
  • Drop me a note

    Drago


    http://www.lynclog.com

    Tuesday, June 16, 2015 4:33 PM