publishing rules on your Threat Management Server (TMG) 2010 to implement the following additional services:
- Enabling external users to download meeting content for your meetings.
- Enabling external users to expand distribution groups.
- Enabling remote users to download files from the Address Book service.
- Accessing the Microsoft Lync Web App client.
- Accessing the Dial-in Conferencing Settings webpage.
- Accessing the Location Information service.
- Enabling external devices to connect to Device Update web service and obtain updates.
In our environment, the external Lync clients connect directly to the Lync Edge Server. This Edge Server is also used for federation services with other partners. The TMG Server is a different server with a different external IP address.
The FQDN for this server is defined in the External Web Services FQDN in the Topology Builder:
So, the lyncpool.exchangelabs.nl FQDN will point to the TMG Server, while the edgepool.exchangelabs.nlwill point to the Lync 2013 Edge Server. As you can see in the picture above, the web service is listening on port 4443 and published on port 443. This should also be configured in the TMG rule later on.
To configure a Web Publishing Rule in TMG2010 use the following steps:
1. On the TMG Server, start the Management Console and create a new Web Site Publishing Rule:
2. Follow the wizard, set the rule to Allow and select Publish a single Web site or load balancer;
3. On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm;
4. On the Internal Publishing Details page, type the fully qualified domain name (FQDN) of the internal web farm that hosts your meeting content and Address Book content in the Internal Site name box. This is the Front-End pool, or the Front-End server (in case of Standard deployment);
5. On the Internal Publishing Details page, in the Path (optional) box, type /* as the path of the folder to be published.
6. On the Public Name Details page, confirm that This domain name is selected under Accept Requests for, type the external Web Services FQDN, in the Public Name box;
7. On Select Web Listener page, click New to open the New Web Listener Definition Wizard;
8. On the Web Listener IP Address page, select External, and then click Select IP Addresses. ;
9. Again, follow the wizard and assign a certificate. Besides the FQDN lynpool.exchangelabs.nl it also needs meet.exchangelabs.nl and dialin.exchangelabs.nl configured in the Subject Alternative Names field.
10. On the Authentication Settings page, select No Authentication;
11. Finish the Web Listener wizard;
12. On the Authentication Delegation page, select No delegation, but client may authenticate directly;
13. Now finish the wizard and click Apply in the details pane to save the changes and update the configuration.
The basic TMG rule is now created it can be changed to redirect to the Lync port, i.e. 4443. To do this follow these steps:
1. On the TMG Server, open the Management Console and open the properties of the Lync Services rulethat was created in the previous step;
2. On the Properties page, on the Fromtab, do the following:
- In the This rule applies to traffic from these sources list, click Anywhere, and then click Remove;
- Click Add;
- In Add Network Entities, expand Networks, click External, click Add, and then click Close;
3. On the To tab, ensure that the Forward the original host header instead of the actual onecheck box is selected;
4. On the Bridging tab, select the Redirect request to SSL portcheck box, and then specify port 4443;
5. On the Public Name tab, add the additional simple URLs (for example, meet.exchangelabs.nl and dialin.exchangelabs.nl). Make sure these FQDNs are entered in the public DNS as well so that they point to the correct IP address on the TMG Server;
6. Click Apply to save changes and click Apply in the details pane to save the changesand update the configuration.
Note: For more information or more detailed steps go to the Microsoft Technet Website: http://technet.microsoft.com/en-us/library/gg429712.aspx – Configure Web Publishing Rules for a Single Internal Pool
To test the web publishing rules in OWA you can navigate to the published web server, i.e. https://lyncpool.exchangelabs.nl/meet. You should see the meeting landing page, but can ignore the meeting URL error at this point of course:
Or you can navigate to the dialin page https://dialin.exchangelabs.nl:
It is possible to test the group expansion service (https://lyncpool.exchangelabs.nl/groupexpansion/service.svc) since this is published as a web service, although it won’t reveal too much information:
The Lync 2013 Front-End now works correctly and for external connectivity and federation with other parties the Lync 2013 Edge server can ben used. The TMG server in this blog will publish additional web services that are used in a Lync environment via the Internet.
Since TMG 2010 is basically end-of-life this reverse proxy can be configured using an F5 load balancer, I’ll get back on this in a future blog.