Lync Reverse Proxy Alternatives


    When migrating from OCS 2007 to Lync 2010, we balked at Microsoft’s recommendation to deploy Forefront Threat Management Gateway (or ISA) just to get the reverse proxy services.  TMG is way too expensive and complex for such a limited, simple use case.

    I didn't find much information on what people are using as free alternatives to ISA/TMG, so I decided to post this discussion in case there are others out there who are interested.

    We decided to use Apache 2.2 on Windows Server 2008 R2.  Here's how we configured it:


    1. Read here to understand what features require a reverse proxy, and follow the steps to configure your FQDNs, Network Adapters and (maybe) obtain an SSL Certificate for the reverse proxy.  http://technet.microsoft.com/en-us/library/gg398069.aspx
    2. Download and install the latest stable release of Apache with OpenSSL on your reverse proxy server.  http://httpd.apache.org/download.cgi
    3. We're using the same certificate on the reverse proxy that we use on our front end server (it has the appropriate SANs), so we need to convert it to PEM format for use with Apache:
      1. Use the Certificates MMC on your front end server to export the certificate and include the private key.
      2. Transfer the resultant .pfx file to your reverse proxy server.
      3. Use OpenSSL to convert your .pfx file to PEM:
        1. openssl pkcs12 -in c:\pathto\yourcert.pfx -out c:\pathto\yourcert.pem -nodes
      4. Separate the private key from the certificate using notepad: 
        1. Open the new .pem file and cut the text from the beginning of the file through the end of the "-----END RSA PRIVATE KEY-----" tag.
        2. Save that text to a new file named yourcert.key. 
        3. Save yourcert.pem, which should now only include the certificate.
      5. Copy (or move) the certificate and private key to the Apache configuration directory. We like to use: C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl for storing the certificates.
    4. Edit httpd.conf (typically in C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf) to enable and configure the proxy and SSL features:
      (See http://httpd.apache.org/docs/2.2/mod/mod_proxy.html for more information on each directive)
      1. Uncomment the following lines, which will enable proxy and SSL:

        LoadModule proxy_module modules/mod_proxy.so
        LoadModule proxy_http_module modules/mod_proxy_http.so
        LoadModule ssl_module modules/mod_ssl.so
        Include conf/extra/httpd-ssl.conf

      2. Add the following lines to configure reverse proxy behavior:

        #Be a reverse proxy, not a forward proxy
        ProxyRequests Off

        #Accept requests from any client to any URL
        <Proxy *>
        Order Deny,Allow
        Allow from all
        </Proxy>

        #Set the network buffer to improve throughput
        ProxyReceiveBufferSize 4096

        #Configure the Reverse Proxy to forward all requests to your front end server on 4443
        ProxyPass / https://yourfrontend.domain.com:4443/
        ProxyPassReverse / https://yourfrontend.domain.com:4443/

        #Preserve Host Headers for Lync
        ProxyPreserveHost On
      3. Optionally, configure logging directives, bindings and server name.
      4. Save and close httpd.conf
    5. Edit httpd-ssl.conf (typically in conf\extra):
      1. Configure the session cache:
        1. Uncomment:
          SSLSessionCache "dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache"
        2. Comment out:
          SSLSessionCache "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
      2. Locate the <VirtualHost _default_:443> tag and configure the following:
        1. Add the following directive:
          SSLProxyEngine On
        2. Configure the path to your SSL Certificate saved in step 3-5 above:
          SSLCertificateFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.pem"
        3. Configure the path to your private key saved in step 3-5 above:
          SSLCertificateKeyFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.key"
        4. Optionally, configure the SSLCACertificateFile (you can download the appropriate bundle from your CA).
      3. Optionally, configure logging directives.
      4. Save and close httpd-ssl.conf
    6. Restart the Apache2.2 service
    7. Configure public DNS records and appropriate firewall rules to allow public http/https traffic to the external interface of your reverse proxy, and to allow the internal interface of the reverse proxy to talk to the front end Lync server on 8080 and 4443.
    8. From an external connection, test connectivity through the reverse proxy:
      1. Test https://dialin.company.com (friendly URL for getting dial-in information, if you’re using voice conferencing)
      2. Test the Lync Web App by setting up an online meeting and following the URL to join the meeting.  You can force the use of the web app by appending ?sl= to the end of the meet.company.com link.  See this for more information http://blogs.technet.com/b/jenstr/archive/2010/11/30/launching-lync-web-app.aspx

     

    Hope this information is helpful and saves some of you some money and trouble.

    Please contact me if you need further clarification or see any mistakes in my notes.

    Best regards,

    Kenneth Walden

    Enterprise Systems Supervisor

    GSD&M

    Austin, TX

    Friday, July 15, 2011 4:50 PM
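    Step 3-4 above (cutting the key out of the .pem file in notepad) can be done by a script instead. The following is an added example, not code from Kenneth's post: it splits the bundle that "openssl pkcs12 -nodes" writes into the key file, a file holding only the server (leaf) certificate for SSLCertificateFile, and a chain file for Apache 2.2's SSLCertificateChainFile, choosing the leaf from the subject=/issuer= lines openssl prints rather than trusting the order in the file. The sample bundle is constructed with placeholder bodies and is not real key material.

```python
import re
import sys
from pathlib import Path

# A PEM block is "-----BEGIN <label>-----" ... "-----END <label>-----".
# openssl pkcs12 prints "Bag Attributes", "subject=" and "issuer=" header lines
# before each block; those headers are what the notepad step has to cut away.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)
HEADER_LINE = re.compile(r"^(subject|issuer)=\s*(.*)$", re.M)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample in the shape "openssl pkcs12 -nodes" writes: key first,
# then the server certificate, then its intermediate. Bodies are placeholders.
SAMPLE_BUNDLE = """Bag Attributes
    localKeyID: 01 02 03
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKEYMATERIALPLACEHOLDER
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 02 03
subject=/C=US/O=Example/CN=lync.example.com
issuer=/C=US/O=Example/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIICLEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=US/O=Example/CN=Example Intermediate CA
issuer=/C=US/O=Example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIICINTERMEDIATECERTPLACEHOLDER
-----END CERTIFICATE-----
"""


def parse_pem_bundle(text):
    """Return (key_pem, [(subject, issuer, cert_pem), ...]) for the bundle text."""
    key = None
    certs = []
    pos = 0
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        block = m.group(0).replace("\r\n", "\n") + "\n"
        # Header lines between the previous block and this one describe this block.
        headers = {k: v.strip() for k, v in HEADER_LINE.findall(text[pos:m.start()])}
        pos = m.end()
        if label == "ENCRYPTED PRIVATE KEY":
            raise ValueError("private key is encrypted: re-run openssl pkcs12 with -nodes "
                             "(mod_ssl on Windows cannot prompt for a passphrase)")
        if label in KEY_LABELS:
            if key is not None:
                raise ValueError("bundle contains more than one private key")
            key = block
        elif label == "CERTIFICATE":
            certs.append((headers.get("subject", ""), headers.get("issuer", ""), block))
        else:
            raise ValueError(f"unexpected PEM block type: {label}")
    if key is None or not certs:
        raise ValueError("bundle must contain one private key and at least one certificate")
    return key, certs


def split_bundle(text):
    """Return (key_pem, leaf_cert_pem, chain_pem).

    The server (leaf) certificate is the one whose subject is not the issuer of
    any other certificate in the bundle. Without subject=/issuer= header lines
    the first certificate is assumed to be the leaf.
    """
    key, certs = parse_pem_bundle(text)
    issuers = {issuer for _, issuer, _ in certs if issuer}
    leaves = [c for c in certs if c[0] and c[0] not in issuers]
    leaf = leaves[0] if len(leaves) == 1 else certs[0]
    chain = "".join(c[2] for c in certs if c is not leaf)
    return key, leaf[2], chain


def write_split_files(bundle_path):
    """Write <stem>.key, <stem>-leaf.pem and <stem>-chain.pem next to the bundle
    (new names, so the openssl output itself is left untouched)."""
    bundle = Path(bundle_path)
    key, leaf, chain = split_bundle(bundle.read_text())
    bundle.with_suffix(".key").write_text(key)
    bundle.with_name(bundle.stem + "-leaf.pem").write_text(leaf)
    if chain:
        bundle.with_name(bundle.stem + "-chain.pem").write_text(chain)
    return key, leaf, chain


if __name__ == "__main__":
    write_split_files(sys.argv[1] if len(sys.argv) > 1 else "yourcert.pem")
```

    Point SSLCertificateFile at the -leaf.pem file, SSLCertificateKeyFile at the .key file and SSLCertificateChainFile at the -chain.pem file; the key file should be readable only by the account Apache runs as.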

All replies

  • Hello Kenneth,

    Excellent details.

    Thanks,

    Ketan Shah

    Friday, July 15, 2011 5:01 PM
  • We are doing the exact same thing to proxy OWA and Activesync/external autodiscover/Outlook anywhere for Exchange...

    By doing this, I assume you are not even using lync edge server right? You are using your frontEnd server as that function?


    Wednesday, July 20, 2011 9:33 PM
  • The Reverse Proxy is actually just for the following purposes (all served over HTTP/S):

    • Enabling external users to download meeting content for your meetings.
    • Enabling external users to expand distribution groups.
    • Enabling remote users to download files from the Address Book service.
    • Accessing the Microsoft Lync Web App client.
    • Accessing the Dial-in Conferencing Settings webpage.
    • Accessing the Location Information service.
    • Enabling external devices to connect to Device Update web service and obtain updates.

    We do have an Edge server because it is required for SIP connectivity (both remote access and federation) as well as AV and web conferencing.  Take a look at this reference architecture diagram for an idea of what we have deployed:

    http://technet.microsoft.com/en-us/library/gg399001.aspx


    --Kenneth

    Wednesday, July 20, 2011 9:50 PM
  • If you are using hardware load balancing, you can use the load balancer as your "proxy".  You don't even necessarily need to put the certificate on the reverse proxy, just port forward 443 and use source IP address session affinity.
    Monday, July 25, 2011 6:43 PM
  • Kenneth-


    Thanks! Works as advertised. In my situation, I had an intermediate cert chain (Entrust) so there was a little extra in the pem file, but I cut from the tags you described (leaving the preceding info) and had no issue.

    First reverse proxy I got to actually work, so again big thanks.

    -stereomck

    Thursday, August 4, 2011 12:07 AM
  • Did you manage to publish external web services with apache reverse proxy?

    How do you handle authentication over reverse proxy? Are you using basic auth?

    Monday, August 15, 2011 4:17 PM
  • Did you use a Public certificate on both the external interface AND the Front End Pool server on your intranet?

    Will this work for those of us that have a private certificate issued by our internal Windows 2008 R2 CA for the internal access and a public certificate for the external access?

    Wednesday, October 12, 2011 3:44 PM
  • I followed the instructions however I can't start Apache due to the following error:

    [Wed Oct 19 10:32:58 2011] [error] Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/extra/ssl/rpsrv.pem)

    I'm running Windows Server 2008 R2 SP1 Standard and using a GoDaddy wildcard certificate.

    Any ideas on how to resolve this?


    Update:

    I found that another SSLCertificateFile line was not commented out, so the 2nd line overwrote the first one and it was looking for the wrong thing.  Correcting this and a typo in the path of the correct line resolved everything.  I tested it and can now host an outside meeting via Lync.

    • Edited by Craig.B Friday, October 21, 2011 4:03 PM
    Wednesday, October 19, 2011 2:52 PM
  • I'd like to thank you for this article.  We were setting up Apache RP for Lync .... needless to say they weren't too excited to learn this new (and highly complex with lots of specific undocumented requirements) Microsoft product.  Anyways, your blog saved me a LOT of headache.  I owe you big time. 

    AWESOME JOB. 

    -Greg

    *****EDIT***
    Decided to come back in there and post good information.  We had issues with EXTERNAL and ANONYMOUS users being able to attend a meeting.  The "DIALUP" url was working fine but the "MEETING" url was broken.  On our WFE servers we were getting the event error as below.   Turns out that our reverse proxy was not set to "PROXYPRESERVEHOST ON".  Once we put that in there ALL was good.

    Notice that the MEET portion was the only thing that was really broken.  So, if you can get DIALUP to work, but MEET doesn't ... your RP is working to FW the 443 to the 4443 correctly but your RP is sending the wrong HEADER.  Look for http://10.x.x.x/meet/ or something in the event logs. 


    Log Name:      Application
    Source:        ASP.NET 2.0.50727.0
    Date:          11/16/2011 1:26:35 PM
    Event ID:      1309
    Task Category: Web Event
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      OneofMyInternalWFEservers.local

    Description:
    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 11/16/2011 1:26:35 PM
    Event time (UTC): 11/16/2011 6:26:35 PM
    Event ID: b2039ecd0a62482284030f62e1e639d8
    Event sequence: 129
    Event occurrence: 28
    Event detail code: 0
     
    Application information:
        Application domain: /LM/W3SVC/34578/ROOT/meet-1-129658725547585993
        Trust level: Full
        Application Virtual Path: /meet
        Application Path: C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\
        Machine name: MYWFE.local
     
    Process information:
        Process ID: 14204
        Process name: w3wp.exe
        Account name: NT AUTHORITY\NETWORK SERVICE
     
    Exception information:
        Exception type: HttpException
        Exception message: Server cannot append header after HTTP headers have been sent. 
     
    Request information:
        Request URL: https://FQDN:4443/meet/MyName/456456

        User host address: gatewayIP
        User: 
        Is authenticated: False
        Authentication Type: 
        Thread account name: NT AUTHORITY\NETWORK SERVICE
     
    Thread information:
        Thread ID: 7
        Thread account name: NT AUTHORITY\NETWORK SERVICE
        Is impersonating: False
        Stack trace:    at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
       at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
     
     
    Custom event details:

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="ASP.NET 2.0.50727.0" />
        <EventID Qualifiers="32768">1309</EventID>
        <Level>3</Level>
        <Task>3</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-11-16T18:26:35.000000000Z" />
        <EventRecordID>4483</EventRecordID>
        <Channel>Application</Channel>
        <Computer>XXXXXXXXXXXXXXXXXX</Computer>
        <Security />
      </System>
      <EventData>
        <Data>3005</Data>
        <Data>An unhandled exception has occurred.</Data>
        <Data>11/16/2011 1:26:35 PM</Data>
        <Data>11/16/2011 6:26:35 PM</Data>
        <Data>b2039ecd0a62482284030f62e1e639d8</Data>
        <Data>129</Data>
        <Data>28</Data>
        <Data>0</Data>
        <Data>/LM/W3SVC/34578/ROOT/meet-1-129658725547585993</Data>
        <Data>Full</Data>
        <Data>/meet</Data>
        <Data>C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\</Data>
        <Data>SNKXS300</Data>
        <Data>
        </Data>
        <Data>14204</Data>
        <Data>w3wp.exe</Data>
        <Data>NT AUTHORITY\NETWORK SERVICE</Data>
        <Data>HttpException</Data>
        <Data>Server cannot append header after HTTP headers have been sent.</Data>
        <Data>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Data>
        <Data>/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Data>
        <Data>10.71.1.1</Data>
        <Data>
        </Data>
        <Data>False</Data>
        <Data>
        </Data>
        <Data>NT AUTHORITY\NETWORK SERVICE</Data>
        <Data>7</Data>
        <Data>NT AUTHORITY\NETWORK SERVICE</Data>
        <Data>False</Data>
        <Data>   at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
       at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)
    </Data>
      </EventData>
    </Event>

    • Edited by Greg Seeber Thursday, November 17, 2011 6:22 PM put some additional tech info in here
    Thursday, November 17, 2011 4:26 PM
  • All we did was to point meet.xxx.xx to a different external IP address and forward port 443 > 4443 on our firewall to the frontend server. Instead of putting the public "reverse proxy" certificate on the TMG server we just assigned it to our frontend server.

    Isn't that just what the TMG does? Except you put the certificate on the TMG server..

    I might get spanked for this but it works great.

    Thursday, December 22, 2011 10:03 AM
  • Have you done the mobility upgrade yet?  Any new configs that you did to get mobility running on apache?
    Thursday, January 26, 2012 7:58 PM
  • No, we haven't done the mobility upgrade yet, but would like to tackle that in the next month.  If I have to change anything with regard to Apache, I'll certainly post it here.
    Thursday, January 26, 2012 8:22 PM
  • Please do.  I am really having some issues getting certain clients to work via mobility ...  btw, here is my config.  Any pointers?  Lync is working via meet and dialin ... but, I am having trouble with iOS devices (android works) but I am about to start blaming the reverse proxy. (the certificate was updated and seems to be right)   Please DO post here.  LOTS of people are getting info from your post.

    -bash-3.2# more lync.conf 
    Listen 10.51.8.42:443

    <VirtualHost 10.51.8.42:443>
      DocumentRoot "/var/www/html2"
      ServerName lyncextws.mysipdomain.com
      ServerAdmin root@localhost.com
      ErrorLog "/var/log/httpd/lync_error.log"
      TransferLog "/var/log/httpd/lync_access.log"

      SSLEngine On
      SSLProxyEngine On

      SSLCertificateFile "/etc/httpd/conf.proxy/sslcert/lync-server.crt"
      SSLCertificateKeyFile "/etc/httpd/conf.proxy/sslcert/lync-server.key"

      BrowserMatch ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

      #ProxyPass / https://lync.sipdomain.com/
      #ProxyPassReverse / https://lync.sipdomain.com/
      ProxyPass / https://10.IP.INTERNAL.VIP:4443/
      ProxyPassReverse / https://10.IP.INTERNAL.VIP:4443/

      ProxyPreserveHost On
    </VirtualHost>
    -bash-3.2# 

    • Edited by Greg Seeber Thursday, January 26, 2012 8:31 PM update
    Thursday, January 26, 2012 8:27 PM
  • Interesting thread.

    I had everything with Lync working great using squid as my reverse proxy.  I then set things up for Lync Mobile and things were working A1 from Windows Phone and Android clients.  Then we realized iOS devices weren't working.  Noticed constant -401 errors in the client logs.  It didn't make sense why this single client type would fail while others worked flawlessly (isn't the whole point of web services their ubiquity?)

    Not understanding what could explain this behavior, I swapped out squid for TMG to test, and everything started working fine.

    So I can't nail it down, but either TMG is doing something special, or squid and apache are exhibiting a similar incorrect behavior, or something funky is happening with iOS...

    I would try to use nginx, but unfortunately it doesn't support Outlook Anywhere's RPC_IN and RPC_Out methods correctly, whereas squid and TMG do.

    Again, it makes no sense to me, but until there is a clear solution TMG may be your quickest path to making your users happy.


    Saturday, January 28, 2012 1:21 AM
  • We have been trying over and over again to get TMG to work for reverse proxy. We have followed all directions and when you follow a meeting link it takes you to the Forefront authentication page. We did state no authentication but it still requires us to authenticate. Once it passes the credentials it gives us a page that states the URL is denied. Thoughts?

    we had TMG already in place to offer OWA and sharepoint access to users from home.

    Thursday, February 2, 2012 2:15 PM
  • I'm BACK.  This time with an update for MOBILITY clients that are using APACHE reverse proxy.

    So, my android clients were able to log in BUT my IOS and my WINDOWS phones were unable to log in.

    I was missing a SINGLE setting in my reverse proxy config.  that setting is as follows:

    #
    # KeepAlive: Whether or not to allow persistent connections (more than
    # one request per connection). Set to "Off" to deactivate.
    #
    KeepAlive On
    

    There were NTLM authentication errors that were in the log files .. and they seemed to get reset.  Microsoft stated that there were some issues with affinity and persistence so GOOGLE-ing the error I found that command today.  Added it into the reverse proxy and bounced apache... for the first time - my clients could connect.

    -Greg

    Thursday, February 9, 2012 10:04 PM
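    A check, added here and not from any post in this thread, for the directives the thread has identified as necessary on an Apache 2.2 reverse proxy in front of Lync: ProxyPreserveHost On (Greg's /meet fix), KeepAlive On (the mobility fix above), SSLProxyEngine On for an https:// ProxyPass target, ProxyRequests Off so the box is not an open forward proxy, and the three LoadModule lines from Kenneth's steps. It ignores <IfModule>/<VirtualHost> scoping, so feed it httpd.conf and httpd-ssl.conf concatenated; both sample configs are constructed.

```python
import re

DIRECTIVE = re.compile(r"^([A-Za-z_]+)\s*(.*)$")

# Constructed configs. WEAK_CONFIG is Kenneth's httpd.conf fragment with the
# directives this thread later found necessary left out or set wrong.
WEAK_CONFIG = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
KeepAlive Off
# Be a reverse proxy, not a forward proxy
ProxyRequests Off
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
ProxyPass / https://yourfrontend.domain.com:4443/
ProxyPassReverse / https://yourfrontend.domain.com:4443/
"""

FIXED_CONFIG = WEAK_CONFIG.replace("KeepAlive Off", "KeepAlive On") + """
ProxyPreserveHost On
<VirtualHost _default_:443>
SSLProxyEngine On
</VirtualHost>
"""


def parse_directives(text):
    """Return [(name_lower, [args]), ...]: comments and section tags dropped,
    backslash line continuations joined, scoping ignored."""
    joined = re.sub(r"\\\r?\n\s*", " ", text)
    out = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            out.append((m.group(1).lower(), m.group(2).split()))
    return out


def last_value(directives, name):
    """Last occurrence wins, as in Apache when a directive is repeated at one
    scope (the duplicate SSLCertificateFile line that bit Craig.B above)."""
    vals = [args for n, args in directives if n == name]
    return vals[-1] if vals else None


def is_on(args):
    return bool(args) and args[0].lower() == "on"


def check_lync_proxy(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []
    loaded = {args[0].lower() for n, args in d if n == "loadmodule" and args}
    for mod in ("proxy_module", "proxy_http_module", "ssl_module"):
        if mod not in loaded:
            findings.append(f"LoadModule {mod} missing")
    if is_on(last_value(d, "proxyrequests")):
        findings.append("ProxyRequests On makes this an open forward proxy; set Off")
    passes = [args for n, args in d if n == "proxypass" and len(args) >= 2]
    if not any(args[0] == "/" for args in passes):
        findings.append("no 'ProxyPass / https://<front end>:4443/' found")
    if any(args[1].lower().startswith("https://") for args in passes) \
            and not is_on(last_value(d, "sslproxyengine")):
        findings.append("SSLProxyEngine On required for an https:// ProxyPass target")
    if not is_on(last_value(d, "proxypreservehost")):
        findings.append("ProxyPreserveHost On missing: /meet fails with "
                        "'Server cannot append header after HTTP headers have been sent'")
    ka = last_value(d, "keepalive")
    if ka and ka[0].lower() == "off":
        findings.append("KeepAlive Off: mobility (NTLM) sign-in failed until KeepAlive On")
    return findings


if __name__ == "__main__":
    import sys
    text = "".join(open(p).read() for p in sys.argv[1:]) if len(sys.argv) > 1 else WEAK_CONFIG
    for f in check_lync_proxy(text) or ["OK: all Lync reverse proxy checks passed"]:
        print(f)
```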
  • I have followed the above steps, and we are having issues logging in externally.  Meet and Dialin url work perfectly.  When trying to sign in using the lync client we receive an error stating "The server is temporarily unavailable.  If the problem continues, please contact your support team."  We have the appropriate DNS and SRV records in place.  The following is the error we receive in Apache: "Hostname lync.domain.com provided via SNI, but no hostname provided in HTTP request."  Any help is greatly appreciated.  Thanks.
    Tuesday, February 28, 2012 10:52 PM
  • Are you saying that you have the following configuration item in your .config?

    ProxyPreserveHost On

    That is supposed to address the header issue.  Can you confirm?

    Thursday, March 22, 2012 12:10 PM
  • So you use the certificate the internal Front End server uses? The one issued by the internal, private CA?

    We are using a private CA on our internal network to issue the certificate for our Lync 2010 Standard server installation.

    For our external access we have a Lync 2010 Edge Server using a GoDaddy public certificate in the firewall "sandbox" with the Apache reverse proxy server.

    Which certificate do we use?


    David W. Mitchell Systems & Network Manager Pace International, LLC

    Friday, March 23, 2012 4:52 PM
  • I have followed your tutorial with partial success.

    I can externally access https://meet.mydomain.com but https://dialin.mydomain.com does not work.

    I suspect it has something to do with the SSL certificates.

    Questions:

    1) Which SSL certificate do I need to use on the reverse proxy?

    2) My Front End server's certificates are from my own CA. Do I need to change the external services SSL certificate on my Front End? I have tried several certificates without success.

    Please help!!!!!! I don't want to purchase a TMG license

    From the error log:

    [Tue Apr 03 13:16:03 2012] [warn] RSA server certificate wildcard CommonName (CN) `*.MYDOMAIN.net' does NOT match server name!?
    httpd.exe: Could not reliably determine the server's fully qualified domain name, using 192.168.168.198 for ServerName
    [Tue Apr 03 13:16:03 2012] [warn] RSA server certificate wildcard CommonName (CN) `*.MYDOMAIN.net' does NOT match server name!?
    [Tue Apr 03 13:16:03 2012] [notice] Apache/2.2.22 (Win32) mod_ssl/2.2.22 OpenSSL/0.9.8t configured -- resuming normal operations
    [Tue Apr 03 13:16:03 2012] [notice] Server built: Jan 28 2012 11:16:39
    [Tue Apr 03 13:16:03 2012] [notice] Parent: Created child process 3188
    httpd.exe: Could not reliably determine the server's fully qualified domain name, using 192.168.168.198 for ServerName
    [Tue Apr 03 13:16:03 2012] [warn] RSA server certificate wildcard CommonName (CN) `*.MYDOMAIN.net' does NOT match server name!?
    httpd.exe: Could not reliably determine the server's fully qualified domain name, using 192.168.168.198 for ServerName
    [Tue Apr 03 13:16:03 2012] [warn] RSA server certificate wildcard CommonName (CN) `*.MYDOMAIN.net' does NOT match server name!?
    [Tue Apr 03 13:16:03 2012] [notice] Child 3188: Child process is running
    [Tue Apr 03 13:16:03 2012] [notice] Child 3188: Acquired the start mutex.
    [Tue Apr 03 13:16:03 2012] [notice] Child 3188: Starting 64 worker threads.
    [Tue Apr 03 13:16:03 2012] [notice] Child 3188: Starting thread to listen on port 443.
    [Tue Apr 03 13:16:03 2012] [notice] Child 3188: Starting thread to listen on port 80.

    Tuesday, April 3, 2012 11:29 AM
  • Would this scenario work with SLES 11 instead of Windows 2008 R2?  Any ideas?

    Tuesday, April 3, 2012 7:27 PM
  • @BlackShadowRider

    You use the PUBLICLY SIGNED certificate.  Here is the doc:  http://technet.microsoft.com/en-ca/library/gg429704.aspx.  You need to ensure that your EXTERNAL WEBSITE URL (for example, LyncExtWebSite.domain is SN as well as SAN) along with lync.domain.com as well as lyncdiscover.domain.com (with mobility) as SAN.  I think that meet.domain.com and dialin.domain.com need to be there too ... in SANs.  Just check that doc link.

    @Michael_CY 

    Don't use any self-signed certs on the RP.  It just won't work without the public certs. 

    Also, honestly - I am not using "meet.domain.com" and "dialin.domain.com" as I am able to use "lync.domain.com/meet" and "lync.domain.com/dialin" and it works just fine without those additional SANs and redirects.  So, not sure what you are doing on that one.  I don't recollect those 2 DNS names being required.  But, I'm probably wrong.  It's all good.


    if my post is helpful - please click on the green arrow. (please excuse, in advance, any perceived sarcasm/humor - as I often forget it does not translate through text) :)

    Tuesday, April 3, 2012 8:11 PM
  • @Challegem,

    I'm pretty convinced that it will ... we're running Apache on Red Hat and the config that I posted is the config that I'm using.  So, should work, eh?


    if my post is helpful - please click on the green arrow. (please excuse, in advance, any perceived sarcasm/humor - as I often forget it does not translate through text) :)

    Tuesday, April 3, 2012 8:12 PM
  • @Greg

    I have configured Apache with the same public wildcard SSL used on my edge server and also configured the public CA cert.

    My logs do show these errors only when I try to access (without the "s") http://meet.mydomain.net which I find completely normal:

    [Wed Apr 04 14:13:44 2012] [error] [client 192.168.168.2] SSL Proxy requested for rp.mydomain.net:80 but not enabled [Hint: SSLProxyEngine]
    [Wed Apr 04 14:13:44 2012] [error] proxy: HTTPS: failed to enable ssl support for 192.168.168.2:4443 (lyncserver.internaldomain)

    Otherwise no other errors are displayed.

    192.168.168.2 is my front end server and has all certificates configured from my internal CA.

    I can't access https://dialin.mydomain.net (Firefox shows the following error: Firefox can't find the server at lyncserver.internaldomain.)

    but https://meet.mydomain.net works just fine.

    Internally i can access:

    https://meet.mydomain.net

    https://dialin.mydomain.net

    https://lyncserver.internaldomain:4443/dialin/

    https://lyncserver.internaldomain:4443/meet/

    This reverse proxy stuff is driving me crazy. I have been trying to configure it for 1 week straight.

    my httpd.conf

    ServerRoot "C:/Program Files/Apache Software Foundation/Apache2.2"
    Listen 192.168.168.198:80
    LoadModule actions_module modules/mod_actions.so
    LoadModule alias_module modules/mod_alias.so
    LoadModule asis_module modules/mod_asis.so
    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule authn_default_module modules/mod_authn_default.so
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authz_default_module modules/mod_authz_default.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule cgi_module modules/mod_cgi.so
    LoadModule dir_module modules/mod_dir.so
    LoadModule env_module modules/mod_env.so
    LoadModule include_module modules/mod_include.so
    LoadModule isapi_module modules/mod_isapi.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule mime_module modules/mod_mime.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule ssl_module modules/mod_ssl.so
    
    <IfModule !mpm_netware_module>
    <IfModule !mpm_winnt_module>
    User daemon
    Group daemon
    </IfModule>
    </IfModule>
    
    ServerAdmin michael@mydomain.com
    ServerName rp.mydomain.net:80
    DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
    
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
    
    <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
       
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    
    </Directory>
    
    
    <IfModule dir_module>
        DirectoryIndex index.html
    </IfModule>
    <FilesMatch "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </FilesMatch>
    
    ErrorLog "logs/error.log"
    
    LogLevel warn
    
    <IfModule log_config_module>
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
    
        <IfModule logio_module>
          LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
        </IfModule>
    
        CustomLog "logs/access.log" common
    </IfModule>
    
    <IfModule alias_module>
        ScriptAlias /cgi-bin/ "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin/"
    
    </IfModule>
    
    <IfModule cgid_module>
    </IfModule>
    
    <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
    
    DefaultType text/plain
    
    <IfModule mime_module>
       
        TypesConfig conf/mime.types
    
       
        AddType application/x-compress .Z
        AddType application/x-gzip .gz .tgz
    
    </IfModule>
    
    
    ProxyRequests Off
    
    
    <Proxy *>
    Order Deny,Allow
    Allow from all
    </Proxy>
    
    
    ProxyReceiveBufferSize 4096
    
    
    ProxyPass / https://lyncserver.internaldomain:4443/
    ProxyPassReverse / https://lyncserver.internaldomain:4443/
    
    
    
    ProxyPreserveHost On
    
    
    
    Include conf/extra/httpd-ssl.conf
    
    
    <IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    </IfModule>
    
    
    

    my httpd-ssl.conf

    Listen 192.168.168.198:443
    
    
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    
    
    SSLPassPhraseDialog  builtin
    
    
    SSLSessionCache         "dbm:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache"
    
    SSLSessionCacheTimeout  300
    
     
    SSLMutex default
    
    
    
    <VirtualHost _default_:443>
    SSLProxyEngine On
    
    DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
    ServerName rp.centaurtrust.net:443
    ServerAdmin michael@centaurtrust.com
    ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/error.log"
    TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/access.log"
    
    
    SSLEngine on
    
    
    SSLProtocol all -SSLv2
    
    
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    
    
    SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/mycert.pem"
    
    
    SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/mycert.key"
    
    
    SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ca.pem"
    
    
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    
    
    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    
    
    CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_request.log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
    </VirtualHost>
    

    I would be really grateful if someone can help me with this issue!!!!!!!!!!!!!! I'm going crazy, I tell you!!!!!!!!

    Wednesday, April 4, 2012 12:30 PM
  • I have finally solved the issue! The configuration I posted above works just fine!

    I had to change a stupid setting on my Front End through Topology Builder. My External services URL was pointing to an internal FQDN as per the Front End tutorial I had followed. Changing it to the public FQDN and adding the required A records solved the issue. I am working on the Mobility now.

    Thank you all

    Thursday, April 5, 2012 6:54 AM
  • I am with some of you folks who have issues using Lync Mobile on iPhone.

    So when you say the External services URL was pointing to an internal FQDN and you pointed it to the public FQDN, what are you referring to here?

    When you install the cert, that is the only place we add the FQDN. I don't remember any step in the documentation where you add this. So please could you clarify?

    Thanks

    Sunita

    Thursday, April 19, 2012 2:24 PM
  • Hi,

    I don't understand why you used the same certificate on the reverse proxy as the front end server certificate. It should be a public certificate!

    I thought we should publish the front end external URL and the director external URL, and in this case we need two IP addresses, one address for the front end server and one address for the director server. I have not seen it in your article. Can you explain to me please?

    Thank you
    Saturday, April 21, 2012 11:40 PM
  • Greg,

    Nice work here.... Excellent! Contact me at LyncDoc@Microsoft.com. I would like to discuss an article for the NextHop blog on the work that you accomplished here.


    Rick OCS UA

    Wednesday, May 9, 2012 8:41 PM
  • kswail -

    Contact me at lyncdoc@microsoft.com. I'd like to discuss your Squid configuration and see if between the two of us (plus a few more internal folks!) we can get it working for iOS. And, as I suggested to Greg Seeber, we then could do an article on how to configure Squid as a reverse proxy for Lync Server and Lync Mobility.


    Rick OCS UA

    Wednesday, May 9, 2012 8:45 PM
  • Michael

    You there? Hey, are you having ANY flakiness on your mobility clients? Can you email me @ gregory15@hotmail.com? I need to trade notes with you if possible. Thanks.

    Greg


    if my post is helpful - please click on the green arrow. (please excuse, in advance, any perceived sarcasm/humor - as I often forget it does not translate through text) :)

    Wednesday, July 25, 2012 5:40 PM
  • Kenneth, are you perhaps still lurking around this thread?  Need to discuss a few things with you in regards to the Apache RP configuration plus get some OK's to use some of your material, if I could.

    Nothing much required on your end, really. Need a second set of eyes and a technical reviewer for the article that I'm writing in regards to this. I can get you a byline and mention as a technical reviewer for the article, if that's any kind of carrot. :-)

    Contact me at rick.kingslan@microsoft.com  I'm a member of the Technical Writing team for Lync Server.

    Rick


    Rick OCS UA

    Friday, July 27, 2012 1:38 PM
  • Anyone find a solution for iOS devices? I get the first 401 for webticketservice.svc and the client doesn't try again. What is really odd is that if I turn on Lync Logging and then log into the iOS Lync Client it works! Thanks!

    Mark

    Thursday, August 23, 2012 1:18 PM
  • If you turn on Lync Logging with WebInfrastructure selected you will then be able to log in with a Lync Mobile client on an iOS device. I don't know what the Lync Logging does to make this work but it's definitely weird. This is with an Apache Reverse Proxy. I have tested this in two different environments with the same setup and get the same result. Any ideas?

    Mark

    Thursday, August 23, 2012 1:50 PM
  • You're telling me that your logging settings play a role in your login success? Haha.

    So, my thing is this - I got Apache to work - and it was ok. My issue is that sometimes "presence" was a little laggy through it - although Lync is assumed to be RP agnostic - I recently switched over to TMG - and I can honestly say that mobility is working about 30% better than it was. I'm just picky. Like, sometimes I'd have to toggle a little - and maybe logout/login to get the presence to fully update. And, yes, I blame a LOT of that on my crappy 3G w/ Sprint - but it was even fairly present internally as well on our corp WiFi. So, I blame persistence on the reverse proxy or a timeout setting somewhere that I simply don't know about.

    I'd like for people to let me know if they are getting SOLID performance through the Apache RP or if their experience is the same as mine.  Like, what should our expectations be?  :)

    My hope - is that people will take MY CONFIG above - and use it - and if they have success - or make a change that look positive - that they would POST THAT CONFIG here so that we can have a master APACHE CONFIG on this thread that we can all use and just plug our company specific settings in there.  

    Know what I mean?


    if my post is helpful - please click on the green arrow. (please excuse, in advance, any perceived sarcasm/humor - as I often forget it does not translate through text) :)

    Friday, August 24, 2012 8:12 PM
  • Hello,

    I am trying to use this same setup for our reverse proxy.  However, I am still a tad confused on the whole SSL certificate.  Between the external client and the reverse proxy, what SSL certificate do I use?  I feel the one being used on my front end would be a terrible idea as it contains SANs for internal URLs.  Can I simply generate a certificate request on the reverse proxy with autodiscover as the main common name, and then meet and dialin as my SANs?  From what I understand, the Apache box would forward the request to the internal server using the front end's public key, and external traffic would use the SSL cert on the reverse proxy for its traffic...  Kind of like 2 hops.

    Could you please explain what the best practice would be for this?

    Thanks!
    Wednesday, October 17, 2012 2:02 PM
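    The certificate question in the post above, as an added example (this is not code from any poster in this thread): a check of whether the subject alternative names on the certificate the reverse proxy presents cover the public names clients connect to, and whether it carries internal names that a public-facing certificate should not expose. The domain contoso.com, the FQDNs, the list of required public names (lyncdiscover, meet, dialin and the external web services FQDN) and the suffixes treated as internal are all assumptions made for the example; adjust them to your own topology.

```python
"""Check that the certificate a Lync reverse proxy presents covers the public
names clients use and does not expose internal names.  Example code added to
this thread, not from any poster; domain, FQDNs and SAN lists are constructed."""
import socket
import ssl


# Assumed set of names the reverse proxy must answer for: lyncdiscover is the
# mobility autodiscover name, meet and dialin are the simple URLs, and the last
# entry is the external web services FQDN from Topology Builder.
def required_public_names(sip_domain, external_web_fqdn):
    return {
        f"lyncdiscover.{sip_domain}",
        f"meet.{sip_domain}",
        f"dialin.{sip_domain}",
        external_web_fqdn,
    }


# Assumed suffixes that mark a name as internal; a public certificate carrying
# them advertises the inside of the network to everyone who connects.
INTERNAL_SUFFIXES = (".local", ".internal", ".lan")


def san_matches(san, hostname):
    """Match one SAN entry: exact, or a single-label wildcard in the leftmost position."""
    san, hostname = san.lower(), hostname.lower()
    if san == hostname:
        return True
    if san.startswith("*."):
        suffix = san[1:]                          # "*.contoso.com" -> ".contoso.com"
        if hostname.endswith(suffix):
            leftmost = hostname[: -len(suffix)]
            return leftmost != "" and "." not in leftmost   # wildcard covers one label only
    return False


def check_certificate_names(san_list, required, internal_suffixes=INTERNAL_SUFFIXES):
    """Return the required names the SAN list fails to cover and the SANs that look internal."""
    missing = sorted(n for n in required if not any(san_matches(s, n) for s in san_list))
    exposed = sorted(s for s in san_list if s.lower().endswith(internal_suffixes))
    return {"missing": missing, "internal_names_exposed": exposed}


def fetch_sans(host, port=443):
    """Retrieve the DNS SANs from the certificate a live server presents (needs network)."""
    ctx = ssl.create_default_context()            # also verifies the chain against the trust store
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    required = required_public_names("contoso.com", "lyncweb.contoso.com")
    # Constructed: SANs a front end certificate might carry if it were reused on the proxy.
    front_end_cert = ["lsfe01.contoso.local", "lyncdiscover.contoso.com",
                      "meet.contoso.com", "dialin.contoso.com", "lyncweb.contoso.com"]
    print(check_certificate_names(front_end_cert, required))
    # Constructed: a certificate requested for the proxy with only the three simple names.
    proxy_only_cert = ["lyncdiscover.contoso.com", "meet.contoso.com", "dialin.contoso.com"]
    print(check_certificate_names(proxy_only_cert, required))
```

    To run it against a deployed proxy, pass the result of fetch_sans("lyncdiscover.contoso.com") into check_certificate_names; a chain that does not verify makes fetch_sans raise, which is itself worth knowing before mobile clients hit the same error.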
  • Thank you for the great details.

    Simple question: Is it possible to collocate this with the Edge?

    My Edge is able to use a separate NIC with internal LAN addressing and a separate NIC with some intermediate (other LAN subnet) addressing OR DMZ-style WAN addresses. Also it will be able to use more than one public static IP address if needed.

    So can I do this? Edge + Apache as reverse proxy on same OS?

    Thanks.


    NLS

    Thursday, November 1, 2012 9:28 PM
  • Hi, yes you can install Lync Edge and Apache on the same machine. I've done it on Windows Server 2008 R2 SP1. It works but is not supported.

    On the DMZ-facing NIC configure 4 IPs (3 for the Edge service, 1 for Apache). You have to NAT these 4 DMZ IPs to 4 public IPs one to one.
    Make sure to bind Apache only to its own IP, otherwise it starts to use every IP and the Lync Edge service cannot start.

    Regards

    Luca

    Tuesday, May 28, 2013 1:51 PM
  • Hi, I have nearly the same config as posted above but am getting a 401 error on WP8 with Lync Mobile 2013. iOS and Android are working, as well as Lync MX. RP is Apache 2.2.x on CentOS.

    Does anyone know which modules are needed for NTLM Auth?

    BR

    # Timeout is how long Apache waits for I/O on a connection; the keep-alive
    # settings below control reuse of client connections.
    Timeout 920
    KeepAlive Off
    MaxKeepAliveRequests 100
    KeepAliveTimeout 15

    # Content types used by the Lync mobility and autodiscover web services
    AddType application/vnd.microsoft.com.ucwa+xml .xml
    AddType application/vnd.microsoft.com.ucwa+json .json
    AddType application/vnd.microsoft.rtc.autodiscover+xml;v=1 .xml

    <IfModule mod_proxy.c>
    # Reverse proxy only; Off prevents Apache from acting as an open forward proxy
    ProxyRequests Off

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyReceiveBufferSize 4096
    # Everything is forwarded to the Front End external web services on 4443
    ProxyPass           /   https://lsfe01.contoso.local:4443/
    ProxyPassReverse    /   https://lsfe01.contoso.local:4443/
    ProxyPreserveHost On
    # This overrides the KeepAlive Off above (the last setting wins). NTLM
    # authenticates the TCP connection, so it needs persistent connections.
    KeepAlive On
    </IfModule>


    Friday, November 8, 2013 3:44 PM
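    The two Apache fragments posted in this thread (the SSL virtual host tail with SSLProtocol and SSLCipherSuite, and the mod_proxy block above with its KeepAlive Off / KeepAlive On pair) are the kind of config that is easy to get subtly wrong. As an added example, not something any poster here ran, the following script parses an Apache configuration file and flags the settings a reviewer would look at first: legacy SSL versions left enabled, MEDIUM or anonymous ciphers, ProxyRequests not Off (an open forward proxy), a plain-HTTP back end, a missing ProxyPreserveHost, and single-valued directives set twice with different values. The sample config embedded in it is constructed from the posted fragments; the back end name lsfe01.contoso.local is the one in the post.

```python
"""Static sanity checks for an Apache 2.2 reverse-proxy configuration of the kind
posted in this thread.  Example code added to the thread, not something any poster
ran; the sample config below is constructed from the posted fragments."""

# Constructed sample: the SSL and proxy directives from the two posted fragments,
# trimmed to what the checks below look at.
SAMPLE_CONFIG = """\
Timeout 920
KeepAlive Off
<IfModule mod_proxy.c>
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass           /   https://lsfe01.contoso.local:4443/
ProxyPassReverse    /   https://lsfe01.contoso.local:4443/
ProxyPreserveHost On
KeepAlive On
</IfModule>
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
BrowserMatch "MSIE [2-5]" \\
         nokeepalive ssl-unclean-shutdown \\
         downgrade-1.0 force-response-1.0
</VirtualHost>
"""

# Directives that are only meaningful once per server; a second, conflicting copy
# silently wins, which is how a KeepAlive Off / KeepAlive On pair goes unnoticed.
SINGLE_VALUED = {"keepalive", "timeout", "proxyrequests", "proxypreservehost"}


def parse_directives(text):
    """Return (name, value, section_path) tuples for every directive in text.

    Understands '#' comments, backslash line continuations and nested <Section>
    blocks; section_path lists the enclosing section names, e.g. ['IfModule', 'Proxy'].
    """
    directives, stack, pending = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                  # continued on the next line
            pending.append(line[:-1].strip())
            continue
        line = " ".join(pending + [line])
        pending = []
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line[1:].split()[0].rstrip(">"))
        else:
            name, _, value = line.partition(" ")
            directives.append((name, value.strip(), list(stack)))
    return directives


def check_config(text):
    """Return a list of findings (empty when nothing is flagged)."""
    findings, seen = [], {}
    directives = parse_directives(text)
    for name, value, _path in directives:
        lname = name.lower()
        if lname == "sslprotocol":
            tokens = value.lower().split()
            for legacy in ("SSLv2", "SSLv3"):
                if "all" in tokens and f"-{legacy.lower()}" not in tokens:
                    findings.append(f"SSLProtocol: {legacy} still enabled (add -{legacy})")
        elif lname == "sslciphersuite":
            specs = value.upper().split(":")
            if "MEDIUM" in specs:
                findings.append("SSLCipherSuite: MEDIUM-strength ciphers are allowed")
            if "!ANULL" not in specs:
                findings.append("SSLCipherSuite: anonymous (aNULL) ciphers are not excluded")
        elif lname == "proxyrequests" and value.lower() != "off":
            findings.append("ProxyRequests: must be Off on a reverse proxy, otherwise it is an open forward proxy")
        elif lname == "proxypass":
            parts = value.split()
            target = parts[1] if len(parts) > 1 else ""
            if not target.lower().startswith("https://"):
                findings.append(f"ProxyPass {value!r}: back end is reached over plain HTTP")
        if lname in SINGLE_VALUED:
            first = seen.setdefault(lname, value)
            if first.lower() != value.lower():
                findings.append(f"{name}: set to {first!r} and later to {value!r}; the last one wins")
    present = {d[0].lower() for d in directives}
    if "proxypass" in present:
        if "proxyrequests" not in present:
            findings.append("ProxyRequests is not set; state ProxyRequests Off explicitly")
        if "proxypreservehost" not in present:
            findings.append("ProxyPreserveHost is not set; the back end receives the ProxyPass target as its Host header")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("-", finding)
```

    Run it over your own httpd.conf with check_config(open(path).read()); the parser is deliberately simple (no Include handling), so point it at the file that actually carries the virtual host and proxy directives.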
  • Hi, I do the same setting on a deny-all Apache proxy. It works fine except with iOS. I've got this:

    http://unifiedit.wordpress.com/2014/10/21/lync-2013-ios-client-unhandled-alert-type-302-is-raised-with-error-code-e_ressourceconflict-e2-3-33-pending/

    searching ......

    laurent Teruin


    lteruin@hotmail.com http://unifiedit.wordpress.com/

    Monday, October 27, 2014 12:33 PM