A Unified Communication Blog

Windows Server 2012 R2 contains a new feature called Web Application Proxy. WAP is a very simple reverse proxy which can be used to publish the Simple URLs in Lync Server 2013.

In this post, I will guide you through how to set up and use it as a reverse proxy for Lync and the Office Web Apps Server.


In my setup I have defined these public DNS names:

  • Csweb.exchangepro.dk (Frontend Server external name)
  • Cswebapp.exchangepro.dk (Office Web App External name)
  • Cswebdir.exchangepro.dk (Director Server external name)
  • Lyncdiscover.exchangepro.dk (Lync Discover url)
  • Meet.exchangepro.dk (Meeting url)
  • Dialin.exchangepro.dk (Dial in url)


My internal server names are:

  • Fe01.exchangepro.local (Frontend Server)
  • Dir01.exchangepro.local (Director Server)
  • Wac01.exchangepro.local (Office Web Apps Server)


I will use a public certificate on the WAP server which contains all the public names.

On the internal servers I will be using certificates from my internal certificate authority.


To use the Web Application Proxy you will need two servers: an ADFS server on the internal network and the WAP server in the DMZ (same zone as the Access Edge internal NIC).

Both servers have these specs:

  • 2 vCPU
  • 4 GB RAM
  • 100 Disk space (less is okay)
  • 1 Nic
  • Windows Server 2012 R2

The servers will be named:

  • ADFS1.exchangepro.local
  • WAP1.exchangepro.local


For the ADFS I will be using fs.exchangepro.dk which is also part of the public certificate I use.

I’m using split DNS so I will create this record in the internal DNS (domain: exchangepro.dk):

Let's start with the internal ADFS server, which is a member of the local domain.

Open PowerShell as an Administrator and install these prerequisites:

Install-WindowsFeature ADFS-Federation, Windows-Identity-Foundation


Open Server Manager and in the top click on “Configure the federation…”

Click on Import

Browse to the Public Certificate which contains the fs.exchangepro.dk domain name (or in your case your own domain)

Type the Password for the certificate file

Select the federation service name in the certificate and type a name for the federation service.

By default you can choose to use an AD user for the federation service by clicking on Select

You can also choose to use a managed service account, which requires that you configure a KDS root key.

The way to add this is by running the PowerShell cmdlet:

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

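Backdating the effective time by 10 hours makes the key usable right away; otherwise the domain controllers wait 10 hours after creation, to allow for replication, before the key can be used for a group managed service account.

When that is added and replicated in AD you can select the “Create a Group Managed Service Account” and type a name for it.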

Click Next

Click Next

Click on Configure


You could also do all the configuration from PowerShell:

Import-Module ADFS

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

Install-AdfsFarm -CertificateThumbprint:"3ADC75B5A2255A892E869C429C6710206430986D" -FederationServiceDisplayName:"Exchangepro" -FederationServiceName:"fs.exchangepro.dk" -GroupServiceAccountIdentifier:"EXCHANGEPRO\ADFS-Service`$"


Now the ADFS is up and running, and for Lync there is no need to configure anything more in the ADFS, because we will not be using ADFS authentication (the applications are published as pass-through).


Next we will install the WAP Server which is placed in the DMZ zone.

First give the computer an FQDN.

On the WAP server you should use either an internal DNS or configure the IP addresses and names in the hosts file.

Import the internal root certificate into the Trusted Root Certification Authorities store.

Import your public certificate into the Personal certificate store.

Next open PowerShell as an Administrator and run this cmdlet:

Install-WindowsFeature Web-Application-Proxy,RSAT-RemoteAccess-Mgmt, RSAT-RemoteAccess-PowerShell, GPMC, CMAK


In Server Manager open the Web Application Proxy Configuration Wizard

Type the name for the internal ADFS server and an account which has access to ADFS.

Select the public certificate that you imported (my certificate contains the fs.exchangepro.dk name)

Click on Configure

Click Close

Or you could have used these PowerShell cmdlets:


$Credential = Get-Credential
Install-WebApplicationProxy -FederationServiceTrustCredential $Credential -CertificateThumbprint '3ADC75B5A2255A892E869C429C6710206430986D' -FederationServiceName 'fs.exchangepro.dk'

Now open the Remote Access Management Console and click Publish

Click Next

Select Pass-through and click Next

Type a Name for the Lync Web Services, and the external URL.

On the internal URL I will use the Public name as well, because Lync expects that name, and I will point it to the External Web Site – which is on port 4443.

Click Publish

Click Close

The first url is now published

Continue adding the rest, or use these PowerShell cmdlets (the first line is already added):

Add-WebApplicationProxyApplication -BackendServerUrl 'https://csweb.exchangepro.dk:4443/' -ExternalCertificateThumbprint '3ADC75B5A2255A892E869C429C6710206430986D' -ExternalUrl 'https://csweb.exchangepro.dk/' -Name 'Lync Web Services' -ExternalPreAuthentication PassThrough

Add-WebApplicationProxyApplication -BackendServerUrl 'https://meet.exchangepro.dk:4443/' -ExternalCertificateThumbprint '3ADC75B5A2255A892E869C429C6710206430986D' -ExternalUrl 'https://meet.exchangepro.dk/' -Name 'Lync Meeting URL' -ExternalPreAuthentication PassThrough

Add-WebApplicationProxyApplication -BackendServerUrl 'https://dialin.exchangepro.dk:4443/' -ExternalCertificateThumbprint '3ADC75B5A2255A892E869C429C6710206430986D' -ExternalUrl 'https://dialin.exchangepro.dk/' -Name 'Lync Dialin URL' -ExternalPreAuthentication PassThrough

Add-WebApplicationProxyApplication -BackendServerUrl 'https://lyncdiscover.exchangepro.dk:4443/' -ExternalCertificateThumbprint '3ADC75B5A2255A892E869C429C6710206430986D' -ExternalUrl 'https://lyncdiscover.exchangepro.dk/' -Name 'Lync Discover URL' -ExternalPreAuthentication PassThrough

Add-WebApplicationProxyApplication -BackendServerUrl 'https://cswebapp.exchangepro.local/m/' -ExternalCertificateThumbprint '3ADC75B5A2255A892E869C429C6710206430986D' -ExternalUrl 'https://cswebapp.exchangepro.dk/m/' -Name 'Office Web Apps' -ExternalPreAuthentication PassThrough

Add-WebApplicationProxyApplication -BackendServerUrl 'https://cswebdir.exchangepro.dk/' -ExternalCertificateThumbprint '3ADC75B5A2255A892E869C429C6710206430986D' -ExternalUrl 'https://cswebdir.exchangepro.dk/' -Name 'Lync Director Server' -ExternalPreAuthentication PassThrough

Get-WebApplicationProxyApplication | Set-WebApplicationProxyApplication -DisableTranslateUrlInRequestHeaders:$false

The last command tells the WAP server that it should translate the headers for the services (primarily used for the Office Web Apps server which I have defined with the internal FQDN)
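
An added example (not from the original post) that audits publishing rules like the ones above: it checks that each external host name is covered by the certificate's DNS names, flags pass-through rules, and marks rules whose backend host differs from the external one and therefore depend on header translation. The function name, the sample objects and the SAN list are constructed for illustration; the property names are assumed to match what Get-WebApplicationProxyApplication returns.

```powershell
# Added example, not from the original post.
function Test-WapPublishedApp {
    param(
        # Rule object; property names assumed to match Get-WebApplicationProxyApplication
        [Parameter(Mandatory, ValueFromPipeline)] [object] $App,
        # DNS names (SANs) on the external certificate; wildcards allowed
        [Parameter(Mandatory)] [string[]] $CertDnsName
    )
    process {
        $extHost  = ([uri]$App.ExternalUrl).Host
        $backHost = ([uri]$App.BackendServerUrl).Host
        # Parent domain of the external host, used for wildcard SAN matching
        $parent   = $extHost.Substring($extHost.IndexOf('.') + 1)
        $covered  = [bool]($CertDnsName | Where-Object {
            $_ -eq $extHost -or ($_.StartsWith('*.') -and $_.Substring(2) -eq $parent)
        })
        [pscustomobject]@{
            Name           = $App.Name
            ExternalHost   = $extHost
            CertCoversHost = $covered
            # Pass-through rules reach the backend without pre-authentication
            PassThrough    = ("$($App.ExternalPreauthentication)" -eq 'PassThrough')
            # Backend host differs from the external host (header translation matters)
            HostTranslated = ($extHost -ne $backHost)
        }
    }
}

# Constructed sample: three rules from the post. The SAN list is constructed
# and omits dialin on purpose to show a failing row.
$apps = @(
    [pscustomobject]@{ Name = 'Lync Web Services'; ExternalPreauthentication = 'PassThrough'
        ExternalUrl = 'https://csweb.exchangepro.dk/'
        BackendServerUrl = 'https://csweb.exchangepro.dk:4443/' }
    [pscustomobject]@{ Name = 'Lync Dialin URL'; ExternalPreauthentication = 'PassThrough'
        ExternalUrl = 'https://dialin.exchangepro.dk/'
        BackendServerUrl = 'https://dialin.exchangepro.dk:4443/' }
    [pscustomobject]@{ Name = 'Office Web Apps'; ExternalPreauthentication = 'PassThrough'
        ExternalUrl = 'https://cswebapp.exchangepro.dk/m/'
        BackendServerUrl = 'https://cswebapp.exchangepro.local/m/' }
)
$sans = 'csweb.exchangepro.dk', 'cswebapp.exchangepro.dk', 'fs.exchangepro.dk'
$apps | Test-WapPublishedApp -CertDnsName $sans | Format-Table -AutoSize
```

On the WAP server, pipe Get-WebApplicationProxyApplication into the function and pass the DnsNameList.Unicode values of the certificate in Cert:\LocalMachine\My as -CertDnsName.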


Next, because Lync Mobile on Windows Phone doesn't support Server Name Indication (SNI), you will need to add the certificate to the WAP server as an IP:port binding, so that it is returned to the Lync Mobile client on WP8.

Use this command.

netsh http add sslcert ipport= certhash=3adc75b5a2255a892e869c429c6710206430986d appid={f955c070-e044-456c-ac00-e9e4275b3f04}


You should use the certhash and appid from the Lync Web Services, which you can find with this command:

netsh http show sslcert
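
An added example (not from the original post) that parses `netsh http show sslcert` output and reports whether an IP:port binding exists with the same certificate hash and application ID as the hostname (SNI) binding, which is what a client without SNI needs. The function names and the sample output are constructed (the IP address is a documentation address), and English netsh output is assumed.

```powershell
# Added example, not from the original post. Assumes English netsh output.
function Get-SslBinding {
    param([Parameter(Mandatory)] [string[]] $NetshOutput)
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $current }   # emit the binding collected so far
            $current = [pscustomobject]@{
                Kind = $Matches[1]; Endpoint = $Matches[2]; CertHash = $null; AppId = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-f]+)') {
            $current.CertHash = $Matches[1]
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-f-]+\})') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $current }
}

function Test-NonSniFallback {
    # True when an IP:port binding on the same port carries the same
    # certificate hash and application ID as the SNI binding for $HostPort.
    param([object[]] $Binding, [string] $HostPort)
    $sni = $Binding | Where-Object { $_.Kind -eq 'Hostname:port' -and $_.Endpoint -eq $HostPort } |
        Select-Object -First 1
    if (-not $sni) { return $false }
    $port = $HostPort.Split(':')[-1]
    [bool]($Binding | Where-Object {
        $_.Kind -eq 'IP:port' -and $_.Endpoint.Split(':')[-1] -eq $port -and
        $_.CertHash -eq $sni.CertHash -and $_.AppId -eq $sni.AppId })
}

# Constructed sample output; hash and appid are the ones shown in the post.
$sample = @'
    Hostname:port                : csweb.exchangepro.dk:443
    Certificate Hash             : 3adc75b5a2255a892e869c429c6710206430986d
    Application ID               : {f955c070-e044-456c-ac00-e9e4275b3f04}
    Certificate Store Name       : MY

    IP:port                      : 192.0.2.10:443
    Certificate Hash             : 3adc75b5a2255a892e869c429c6710206430986d
    Application ID               : {f955c070-e044-456c-ac00-e9e4275b3f04}
    Certificate Store Name       : MY
'@ -split '\r?\n'

$bindings = Get-SslBinding -NetshOutput $sample
Test-NonSniFallback -Binding $bindings -HostPort 'csweb.exchangepro.dk:443'
```

On the WAP server, replace the sample with the live output: `Get-SslBinding -NetshOutput (netsh http show sslcert)`.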

Now you are finished and ready to use your new Web Application Proxy on Windows Server 2012 R2.


If you have any problems with the WAP, you might find a clue to what is wrong in the Event Viewer:

5 Responses to Use Web Application Proxy to publish Lync Server 2013

  • Hi Joachim,
    Thanks for the great post. I have one question. You have 1 x nic for your wap server. Is it possible to set this up the same way that Edge is setup i.e. 2 x nics (one in external dmz and one in internal dmz, or in some cases of small companies one in dmz and one on lan)
    Also is your WAP server in a workgroup?
    Thanks in advance

    • Hi UCWarrior

      Yes I have one nic in the WAP server, and yes it is in a workgroup.
      I haven’t tried it in other configurations, but I can’t see that it shouldn’t work. You will probably need to do some configuration on the listener IP with the
      netsh command – like I do in the end of the post:
      netsh http add sslcert ipport= certhash=3adc75b5a2255a892e869c429c6710206430986d appid={f955c070-e044-456c-ac00-e9e4275b3f04}

      And then the routing should take care of the rest – if you specify that the “external” nic has the default gateway and the “internal” nic has manual routes to the internal ip segments with “route add x.x.x.x….”


  • Thank you very much for the excellent post on this subject. With the help of your post, I have just deployed this in my lab. Cheers!
