Windows Server 2012 R2 contains a new feature called Web Application Proxy (WAP). WAP is a very simple reverse proxy which can be used to publish the Simple URLs of Lync Server 2013.
In this post, I will guide you through how to set it up and use it as a reverse proxy for Lync and the Office Web Apps Server.
In my setup I have defined these public DNS names:
- Csweb.exchangepro.dk (Frontend Server external name)
- Cswebapp.exchangepro.dk (Office Web App External name)
- Cswebdir.exchangepro.dk (Director Server external name)
- Lyncdiscover.exchangepro.dk (Lync Discover url)
- Meet.exchangepro.dk (Meeting url)
- Dialin.exchangepro.dk (Dial in url)
My internal server names are:
- Fe01.exchangepro.local (Frontend Server)
- Dir01.exchangepro.local (Director Server)
- Wac01.exchangepro.local (Office Web Apps Server)
I will use a public certificate on the WAP server which contains all the public names.
On the internal servers I will be using certificates from my internal certificate authority.
To use the Web Application Proxy you will need two servers: an ADFS server on the internal network and the WAP server in the DMZ (the same zone as the Access Edge internal NIC).
Both servers have these specs:
- 2 vCPU
- 4 GB RAM
- 100 Disk space (less is okay)
- 1 Nic
- Windows Server 2012 R2
The servers will be named:
- ADFS1.exchangepro.local
- WAP1.exchangepro.local
For the ADFS I will be using fs.exchangepro.dk which is also part of the public certificate I use.
I'm using split DNS, so I will create this record in the internal DNS zone (domain: exchangepro.dk):
Let's start with the internal ADFS server, which is a member of the local domain.
Open PowerShell as an Administrator and install these prerequisites:
Install-WindowsFeature ADFS-Federation, Windows-Identity-Foundation
Open Server Manager and in the top click on “Configure the federation…”
Click on Import
Browse to the Public Certificate which contains the fs.exchangepro.dk domain name (or in your case your own domain)
Type the Password for the certificate file
Select the federation service name in the certificate and type a name for the federation service.
By default you can choose to use an AD user for the federation service by clicking on Select.
You can also choose to use a managed service account, which requires that you configure a KDS root key.
The way to add this is by running the powershell cmdlet:
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
When that is added and replicated in AD, you can select "Create a Group Managed Service Account" and type a name for it.
Click Next
Click Next
Click on Configure
You could also do all the configuration from PowerShell:
Import-Module ADFS
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
Install-AdfsFarm -CertificateThumbprint:"3ADC75B5A2255A892E869C429C6710206430986D" -FederationServiceDisplayName:"Exchangepro" -FederationServiceName:"fs.exchangepro.dk" -GroupServiceAccountIdentifier:"EXCHANGEPRO\ADFS-Service`$"
Now ADFS is up and running, and for Lync there is no need to configure anything more in ADFS, because we will not be using ADFS authentication (the Lync URLs are published as pass-through).
Next we will install the WAP server, which is placed in the DMZ zone.
First give the computer an FQDN.
On the WAP server you should use either an internal DNS server or configure the IP addresses and names in the hosts file.
Import the internal root certificate into the Trusted Root Certification Authorities store.
Import your public certificate into the Personal certificate store.
Next open PowerShell as an Administrator and run this cmdlet:
Install-WindowsFeature Web-Application-Proxy,RSAT-RemoteAccess-Mgmt, RSAT-RemoteAccess-PowerShell, GPMC, CMAK
In Server Manager open the Web Application Proxy Configuration Wizard
Type the name for the internal ADFS server and an account which has access to ADFS.
Select the public certificate that you imported (my certificate contains the fs.exchangepro.dk name)
Click on Configure
Click Close
Or you could have used these PowerShell cmdlets:
$Credential = Get-Credential
Install-WebApplicationProxy -FederationServiceTrustCredential $Credential -CertificateThumbprint '3ADC75B5A2255A892E869C429C6710206430986D' -FederationServiceName 'fs.exchangepro.dk'
Now open the Remote Access Management Console and click Publish
Click Next
Select Pass-through and click Next
Type a Name for the Lync Web Services, and the external URL.
For the internal URL I will use the public name as well, because Lync expects that name, and I will point it to the External Web Site, which listens on port 4443.
Click Publish
Click Close
The first URL is now published.
Continue adding the rest using these PowerShell cmdlets (the first line is already added):
Add-WebApplicationProxyApplication -BackendServerUrl 'https://csweb.exchangepro.dk:4443/' -ExternalCertificateThumbprint '3ADC75B5A2255A892E869C429C6710206430986D' -ExternalUrl 'https://csweb.exchangepro.dk/' -Name 'Lync Web Services' -ExternalPreAuthentication PassThrough
Add-WebApplicationProxyApplication -BackendServerUrl 'https://meet.exchangepro.dk:4443/' -ExternalCertificateThumbprint '3ADC75B5A2255A892E869C429C6710206430986D' -ExternalUrl 'https://meet.exchangepro.dk/' -Name 'Lync Meeting URL' -ExternalPreAuthentication PassThrough
Add-WebApplicationProxyApplication -BackendServerUrl 'https://dialin.exchangepro.dk:4443/' -ExternalCertificateThumbprint '3ADC75B5A2255A892E869C429C6710206430986D' -ExternalUrl 'https://dialin.exchangepro.dk/' -Name 'Lync Dialin URL' -ExternalPreAuthentication PassThrough
Add-WebApplicationProxyApplication -BackendServerUrl 'https://lyncdiscover.exchangepro.dk:4443/' -ExternalCertificateThumbprint '3ADC75B5A2255A892E869C429C6710206430986D' -ExternalUrl 'https://lyncdiscover.exchangepro.dk/' -Name 'Lync Discover URL' -ExternalPreAuthentication PassThrough
Add-WebApplicationProxyApplication -BackendServerUrl 'https://cswebapp.exchangepro.local/m/' -ExternalCertificateThumbprint '3ADC75B5A2255A892E869C429C6710206430986D' -ExternalUrl 'https://cswebapp.exchangepro.dk/m/' -Name 'Office Web Apps' -ExternalPreAuthentication PassThrough
Add-WebApplicationProxyApplication -BackendServerUrl 'https://cswebdir.exchangepro.dk/' -ExternalCertificateThumbprint '3ADC75B5A2255A892E869C429C6710206430986D' -ExternalUrl 'https://cswebdir.exchangepro.dk/' -Name 'Lync Director Server' -ExternalPreAuthentication PassThrough
Get-WebApplicationProxyApplication | Set-WebApplicationProxyApplication -DisableTranslateUrlInRequestHeaders:$false
The last command tells the WAP server that it should translate the host header in requests to the published services (primarily needed for the Office Web Apps server, which I have defined with the internal FQDN).
Next, because Lync mobile on Windows Phone does not support Server Name Indication (SNI), you will need to bind the certificate to the WAP server's default (non-SNI) listener, so that it is returned to the Lync mobile client on WP8.
Use this command:
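Before moving on, it is worth checking that every published application matches what Lync expects. The script below is an added example (not from the original post or the Lync product): it walks the published applications, checks that each is pass-through, that its external host name is covered by the bound public certificate (read from the local machine store), and that the WAP server can resolve the backend host, since the hosts file or internal DNS must be in place.

```powershell
# Added example: sanity-check the WAP publications for Lync / Office Web Apps.
# Assumes the public certificate sits in Cert:\LocalMachine\My on the WAP server.
Import-Module WebApplicationProxy

function Get-CertDnsNames {
    param([string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return @() }
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($san) {
        # Format($false) yields "DNS Name=a, DNS Name=b, ..." on Windows
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
    }
    # also accept the subject CN, which covers single-name certificates
    $names += ($cert.Subject -replace '^CN=([^,]+).*$', '$1')
    return $names | ForEach-Object { $_.ToLower() } | Select-Object -Unique
}

function Test-WapPublishedApps {
    $problems = @()
    foreach ($app in Get-WebApplicationProxyApplication) {
        $ext = [uri]$app.ExternalUrl
        $bck = [uri]$app.BackendServerUrl

        # Lync Simple URLs are published without ADFS pre-authentication
        if ($app.ExternalPreAuthentication -ne 'PassThrough') {
            $problems += "$($app.Name): pre-auth is $($app.ExternalPreAuthentication), expected PassThrough"
        }
        # the external host must be one of the names in the bound public certificate
        $names = Get-CertDnsNames -Thumbprint $app.ExternalCertificateThumbprint
        if ($names -notcontains $ext.Host.ToLower()) {
            $problems += "$($app.Name): $($ext.Host) is not in certificate $($app.ExternalCertificateThumbprint)"
        }
        # the WAP server must be able to resolve the backend (hosts file or internal DNS)
        try { [void][System.Net.Dns]::GetHostAddresses($bck.Host) }
        catch { $problems += "$($app.Name): cannot resolve backend host $($bck.Host)" }
    }
    return $problems
}

$result = Test-WapPublishedApps
if ($result.Count -eq 0) { Write-Host 'All published applications look consistent.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```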
netsh http add sslcert ipport=0.0.0.0:443 certhash=3adc75b5a2255a892e869c429c6710206430986d appid={f955c070-e044-456c-ac00-e9e4275b3f04}
You should use the certhash and appid from the Lync Web Services binding, which you can find with this command:
netsh http show sslcert
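The same step done from PowerShell, as an added example (not part of the original post): it parses the output of netsh http show sslcert, looks up the binding WAP created for the Lync Web Services host name, and reuses its certhash and appid for the 0.0.0.0:443 binding that non-SNI clients hit. It assumes English netsh output and that csweb.exchangepro.dk is the Lync Web Services external name.

```powershell
# Added example: copy the Lync Web Services SNI binding to the wildcard IP binding.
function Get-SslCertBindings {
    # Parse "netsh http show sslcert" into one object per binding block
    $bindings = @(); $cur = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($cur) { $bindings += [pscustomobject]$cur }
            $cur = @{ Kind = $Matches[1]; Endpoint = $Matches[2]; CertHash = ''; AppId = '' }
        } elseif ($cur -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $cur['CertHash'] = $Matches[1].ToLower()
        } elseif ($cur -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $cur['AppId'] = $Matches[1]
        }
    }
    if ($cur) { $bindings += [pscustomobject]$cur }
    return $bindings
}

$lyncHost = 'csweb.exchangepro.dk:443'   # assumption: Lync Web Services external name
$bindings = Get-SslCertBindings
$src = $bindings | Where-Object { $_.Endpoint -eq $lyncHost } | Select-Object -First 1
if (-not $src) { throw "No SSL binding found for $lyncHost; publish Lync Web Services first." }

$fallback = $bindings | Where-Object { $_.Endpoint -eq '0.0.0.0:443' } | Select-Object -First 1
if ($fallback) {
    if ($fallback.CertHash -eq $src.CertHash) {
        Write-Host '0.0.0.0:443 is already bound to the Lync Web Services certificate.'
    } else {
        # do not silently replace another service's certificate on the default listener
        Write-Warning "0.0.0.0:443 is bound to $($fallback.CertHash), not $($src.CertHash); remove it with 'netsh http delete sslcert ipport=0.0.0.0:443' first."
    }
} else {
    # braces in the appid are quoted so PowerShell passes them through unchanged
    netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($src.CertHash)" "appid=$($src.AppId)"
}
```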
Now you are finished and ready to use your new Web Application Proxy on Windows Server 2012 R2.
If you have any problems with the WAP, you might find a clue to what is wrong in the Event Viewer:
Hi Joachim,
Thanks for the great post. I have one question. You have 1 x nic for your wap server. Is it possible to set this up the same way that Edge is setup i.e. 2 x nics (one in external dmz and one in internal dmz, or in some cases of small companies one in dmz and one on lan)
Also is your WAP server in a workgroup?
Thanks in advance
Hi UCWarrior
Yes I have one nic in the WAP server, and yes it is in a workgroup.
I haven't tried it in other configurations, but I can't see why it shouldn't work. You will probably need to do some configuration on the listener IP with the
netsh command – like I do in the end of the post:
netsh http add sslcert ipport=0.0.0.0:443 certhash=3adc75b5a2255a892e869c429c6710206430986d appid={f955c070-e044-456c-ac00-e9e4275b3f04}
And then the routing should take care of the rest, if you specify that the "external" NIC has the default gateway and the "internal" NIC has manual routes to the internal IP segments with "route add x.x.x.x...."
/Joachim
Thank you very much for the excellent post on this subject. With the help of your post, I have just deployed this in my lab. Cheers!