Use Web Application Proxy to publish Lync Server 2013

Windows Server 2012 R2 contains a new feature called Web Application Proxy. WAP is a very simple reverse proxy which can be used to publish the Simple URLs in Lync Server 2013.

In this post, I will guide you through how to setup and use it as a reverse proxy for Lync and the Office Web Apps Server.

 

I have in my setup defined these public DNS names:

• Csweb.exchangepro.dk (Frontend Server external name)
• Cswebapp.exchangepro.dk (Office Web App External name)
• Cswebdir.exchangepro.dk (Director Server external name)
• Lyncdiscover.exchangepro.dk (Lync Discover url)
• Meet.exchangepro.dk (Meeting url)
• Dialin.exchangepro.dk (Dial in url)

 

My internal server names is:

• Fe01.exchangepro.local (Frontend Server)
• Dir01.exchangepro.local (Director Server)
• Wac01.exchangepro.local (Office Web Apps Server)

 

I will use a public certificate on the WAP server which contains all the public names.

On the internal servers I will be using certificates from my internal certificate authority.

 

To use the Web Application Proxy you will need two servers – an ADFS server on the internal network and the WAP server in the DMZ. (same zone as the Access Edge Internal NIC).

Both Servers has these specs:

• 2 vCPU
• 4 GB RAM
• 100 Disk space (less is okay)
• 1 Nic
• Windows Server 2012 R2

The server will be named:

• ADFS1.exchangepro.local
• WAP1.exchangepro.local

 

For the ADFS I will be using fs.exchangepro.dk which is also part of the public certificate I use.

I’m using split DNS so I will create this record in the internal DNS (domain: exchangepro.dk):

Lets start by the internal ADFS Server which is member of the local domain.

Open Powershell as an Administrator and install this prerequisites:

Install-WindowsFeature ADFS-Federation, Windows-Identity-Foundation

 

Open Server Manager and in the top click on “Configure the federation…”

Click on Import

Browse to the Public Certificate which contains the fs.exchangepro.dk domain name (or in your case your own domain)

Type the Password for the certificate file

Select the federation service name in the certificate and type a name for the federation service.

By default you can choose to use an AD user for the federation service by clicking on Select

You can also choose to use a managed service account which require that you configure a KDS root key.

The way to add this is by running the powershell cmdlet:

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

When that is added an replicated in AD you can select the “Create a Group Managed Service Account” and type a name for it.

Click Next

Click Next

Click on Configure

 

You could also make all the configuration from powershell

Import-Module ADFS

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

Install-AdfsFarm -CertificateThumbprint:”3ADC75B5A2255A892E869C429C6710206430986D” -FederationServiceDisplayName:”Exchangepro” -FederationServiceName:”fs.exchangepro.dk” -GroupServiceAccountIdentifier:”EXCHANGEPROADFS-Service`$”

 

Now the ADFS is up a running, and for Lync there is no need for configuring anything more in the ADFS, because we will not be using authentication.

 

Next we will install the WAP Server which is placed in the DMZ zone.

First give the computer a FQDN name

On the WAP server you should use either an internal DNS or configure the IP addresses and names in a hostfile

Import the internal root certificate into the Trusted Root Certification Authority

Import you public certificate into the Personal certificate store

Next open Powershell as an Administrator and run this cmdlet

Install-WindowsFeature Web-Application-Proxy,RSAT-RemoteAccess-Mgmt, RSAT-RemoteAccess-PowerShell, GPMC, CMAK

 

In Server Manager open the Web Application Proxy Configuration Wizard

Type the name for the internal ADFS server and an account which has access to ADFS.

Select the public certificate that you imported (my certificate contains the fs.exchangepro.dk name)

Click on Configure

Click Close

Or you could have used this powershell cmdlet

 

$Credential = Get-Credential
Install-WebApplicationProxy -FederationServiceTrustCredential $Credential -CertificateThumbprint ’3ADC75B5A2255A892E869C429C6710206430986D’ -FederationServiceName ‘fs.exchangepro.dk’ 

Now open the Remote Access Management Console and click Publish

Click Next

Select Pass-through and click Next

Type a Name for the Lync Web Services, and the external URL.

On the internal URL I will use the Public name as well, because Lync expects that name, and I will point it to the External Web Site – which is on port 4443.

Click Publish

Click Close

The first url is now published

Continue add the rest of use these powershell cmdlets (the first line is already added):

Add-WebApplicationProxyApplication -BackendServerUrl ‘https://csweb.exchangepro.dk:4443/’ -ExternalCertificateThumbprint ‘3ADC75B5A2255A892E869C429C6710206430986D’ -ExternalUrl ‘https://csweb.exchangepro.dk/’ -Name ‘Lync Web Services’ -ExternalPreAuthentication PassThrough

 

Add-WebApplicationProxyApplication -BackendServerUrl ‘https://meet.exchangepro.dk:4443/’ -ExternalCertificateThumbprint ‘3ADC75B5A2255A892E869C429C6710206430986D’ -ExternalUrl ‘https://meet.exchangepro.dk/’ -Name ‘Lync Meeting URL’ -ExternalPreAuthentication PassThrough

Add-WebApplicationProxyApplication -BackendServerUrl ‘https://dialin.exchangepro.dk:4443/’ -ExternalCertificateThumbprint ‘3ADC75B5A2255A892E869C429C6710206430986D’ -ExternalUrl ‘https://dialin.exchangepro.dk/’ -Name ‘Lync Dialin URL’ -ExternalPreAuthentication PassThrough

Add-WebApplicationProxyApplication -BackendServerUrl ‘https://lyncdiscover.exchangepro.dk:4443/’ -ExternalCertificateThumbprint ‘3ADC75B5A2255A892E869C429C6710206430986D’ -ExternalUrl ‘https://lyncdiscover.exchangepro.dk/’ -Name ‘Lync Discover URL’ -ExternalPreAuthentication PassThrough

Add-WebApplicationProxyApplication -BackendServerUrl ‘https://cswebapp.exchangepro.local/m/’ -ExternalCertificateThumbprint ‘3ADC75B5A2255A892E869C429C6710206430986D’ -ExternalUrl ‘https://cswebapp.exchangepro.dk/m/’ -Name ‘Office Web Apps’ -ExternalPreAuthentication PassThrough

Add-WebApplicationProxyApplication -BackendServerUrl ‘https://cswebdir.exchangepro.dk/’ -ExternalCertificateThumbprint ‘3ADC75B5A2255A892E869C429C6710206430986D’ -ExternalUrl ‘https://cswebdir.exchangepro.dk/’ -Name ‘Lync Director Server’ -ExternalPreAuthentication PassThrough

Get-WebApplicationProxyApplication | Set-WebApplicationProxyApplication -DisableTranslateUrlInRequestHeaders:$false

The last command tells the WAP server that it should translate the headers for the services (primarily used for the Office Web Apps server which I have defined with the internal FQDN)

 

Next because Lync mobile on windows phone don’t support Server Name Indication (SNI) you will need to add the certificate to WAP server, so that it returns it to the Lync mobile client on WP8.

Use this command.

netsh http add sslcert ipport=0.0.0.0:443 certhash=3adc75b5a2255a892e869c429c6710206430986d appid={f955c070-e044-456c-ac00-e9e4275b3f04}

 

You should use the certhash and appid from the Lync Web Services, which you can find with this command:

netsh http show sslcert

Now you a finished and ready to use your new web application proxy on Windows Server 2012 R2.

 

If you have any problems with the WAP, you might find clue to what is wrong in the Event Viewer: