How to Publish Lync Server 2013 Web Services with Windows Server 2012 R2 Web Application Proxy

Update 5/12/15 - Added information about disabling translation of URL values in request headers.
Update 11/12/14 - Added information about white paper published for Web Application Proxy for use with Lync Server 2013.
Update 8/30/14 - Added information about Lync 2013 mobility and multiple SIP domains.

With the discontinuation of TMG, and with UAG not supporting all of the functionality of Lync, the choices for the Reverse Proxy role have been slimmed down a bit.  Continuing to use an existing TMG environment, setting up IIS ARR, or going with a third-party product are the options available, and each has its pros and cons.  With the release of Windows Server 2012 R2, another option for the Reverse Proxy role for Lync Server 2013 Web Services is possible: included in Windows Server 2012 R2 is the Web Application Proxy role.  The Web Application Proxy Overview TechNet article provides high-level information on the role and its uses.  You can use the Web Application Proxy role to publish many different types of applications; this blog post focuses only on publishing Lync Server 2013 Web Services.  One prerequisite for the Web Application Proxy that we won't discuss in this blog post is that you will need AD FS on Windows Server 2012 R2 already installed and working in your environment.  For environments that aren't currently using AD FS, this may make the Web Application Proxy role less appealing as the Reverse Proxy for Lync Server 2013 Web Services than another Reverse Proxy solution, but for environments that do leverage AD FS, the ability to combine services might make sense.

A white paper has been published that describes the requirements, planning and configuration of Web Application Proxy for use with Lync Server 2013.  You can download it here.


Installing the Windows Server 2012 R2 Web Application Proxy Role

In Server Manager, open the Add Roles and Features Wizard.  On the Select server roles screen, select Remote Access and click Next:

On the Select features screen, no additional features are needed, click Next

On the Remote Access screen, click Next

On the Select role services screen, select Web Application Proxy and click Next:

When the Add features that are required for Web Application Proxy? box pops up, select Add Features and then click Next:

On the Confirm installation selections screen, click Install:

When the installation is complete, click Open the Web Application Proxy Wizard:

On the Welcome screen, click Next

On the Federation Server screen, enter the appropriate information and then click Next:

Note: The rules we're going to publish for Lync Server 2013 aren't going to use AD FS, but the configuration for the Web Application Proxy requires that AD FS be setup and configured during installation of the role.

On the AD FS Proxy Certificate screen, select the certificate to be used by the AD FS proxy and then click Next:

Note: The certificate needs to be the AD FS certificate with the private key.

On the Confirmation screen, click Configure:

On the Results screen, make sure that the Web Application Proxy was configured successfully and then click Close:


Publishing Web Applications

Now that the Web Application Proxy has been installed and configured, you need to publish rules for the URLs that you want to pass through the proxy.

Open the Remote Access Management Console

In the Tasks section click Publish:

On the Welcome screen, click Next

On the Preauthentication screen, select Pass-through and click Next.  With Pass-through, the Web Application Proxy does no pre-authentication of its own; the client is authenticated by the Lync Server 2013 Web Services behind it, exactly as with a traditional Reverse Proxy:

On the Publishing Settings screen, fill out the fields with the appropriate information and then click Next:

Note: For the Backend server URL field, remember to append ":4443" to the external web services URL and simple URLs.  Port 4443 is the Front End's external web site, the one intended to be reached from the Internet; do not point a rule at port 443, which is the internal web site.

On the Confirmation screen, click Publish:

Note: You can also use PowerShell to create the published web applications:

Add-WebApplicationProxyApplication -BackendServerUrl 'https://test-ls15-se.test.deitterick.com:4443/' -ExternalCertificateThumbprint 'F689AA0EF22532B560C9DA09B9C15CD8190E26EA' -ExternalUrl 'https://test-ls15-se.test.deitterick.com/' -Name 'TEST-LS15-SE.test.deitterick.com External Web Services' -ExternalPreAuthentication PassThrough

On the Results screen, ensure that the web application was published successfully and then click Close:

Repeat the steps in this section for the remaining Lync URLs that you want to publish:

For some rules you may want the ExternalUrl and the BackendServerUrl to be different.  By default, the Web Application Proxy rewrites the URL in request headers (including the Host header) from the external URL to the backend URL, and Lync expects to receive the original external name.  If the two differ for a rule, you will need to disable translation of URL values in request headers for that rule.  This setting can be disabled by running the following cmdlets using PowerShell:

$Rule = (Get-WebApplicationProxyApplication "TEST-LS15-SE.test.deitterick.com External Web Services").ID

Set-WebApplicationProxyApplication -ID $Rule -DisableTranslateUrlInRequestHeaders:$True
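The following PowerShell is added here as a worked example and is not code from the original post.  It publishes the full set of Lync rules described in this section (external web services, lyncdiscover and the meet and dialin simple URLs) with Pass-through pre-authentication, checks that every backend is the external web site on port 4443 before publishing, and then disables request-header URL translation on any rule whose external and backend host names differ.  The host names under contoso.com, the rule names and the certificate thumbprint are assumed lab values.

```powershell
# Added example, not from the original post. Assumed lab values throughout.
# Run in an elevated PowerShell session on the Web Application Proxy server.

# Assumed: thumbprint of the public certificate in LocalMachine\My that carries
# all of the external names (it is also what the published rules will present).
$Thumbprint = 'F689AA0EF22532B560C9DA09B9C15CD8190E26EA'

# Assumed host names. The backend is always the Front End's *external* web site
# on 4443. lyncdiscover is deliberately sent to the web services FQDN so the
# external and backend hosts differ for that rule.
$Rules = @(
    @{ Name = 'Lync External Web Services'; External = 'https://lyncweb.contoso.com/';      Backend = 'https://lyncweb.contoso.com:4443/' }
    @{ Name = 'Lync Discover';              External = 'https://lyncdiscover.contoso.com/'; Backend = 'https://lyncweb.contoso.com:4443/' }
    @{ Name = 'Lync Meet';                  External = 'https://meet.contoso.com/';         Backend = 'https://meet.contoso.com:4443/' }
    @{ Name = 'Lync Dialin';                External = 'https://dialin.contoso.com/';       Backend = 'https://dialin.contoso.com:4443/' }
)

foreach ($r in $Rules) {
    $ext = [Uri]$r.External
    $be  = [Uri]$r.Backend

    # Safety check: 443 on the Front End is the internal web site. Refuse to publish it.
    if ($be.Port -ne 4443) {
        throw "Rule '$($r.Name)': backend must be the external web site on port 4443, got port $($be.Port)"
    }

    $existing = Get-WebApplicationProxyApplication -Name $r.Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-WebApplicationProxyApplication -Name $r.Name `
            -ExternalUrl $r.External `
            -BackendServerUrl $r.Backend `
            -ExternalCertificateThumbprint $Thumbprint `
            -ExternalPreauthentication PassThrough
    }

    # When the external and backend host names differ, keep the client's original
    # Host header intact so Lync sees the external name it expects.
    if ($ext.Host -ne $be.Host) {
        $id = (Get-WebApplicationProxyApplication -Name $r.Name).ID
        Set-WebApplicationProxyApplication -ID $id -DisableTranslateUrlInRequestHeaders:$true
    }
}

# Review the result: every Lync rule should show PassThrough, a :4443 backend,
# and translation disabled only where the hosts differ.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication, DisableTranslateUrlInRequestHeaders |
    Format-Table -AutoSize
```

The script is idempotent: rerunning it skips rules that already exist by name and only re-applies the translation setting, so it can be kept as the record of what was published.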

Since some of the Lync 2013 mobile clients don't yet support Server Name Indication (SNI), you'll need to apply a default SSL certificate for the Web Application Proxy to use.  As described in the How to: Configure a Port with an SSL Certificate MSDN article, you can use a command similar to:

netsh http add sslcert ipport=0.0.0.0:443 certhash=f689aa0ef22532b560c9da09b9c15cd8190e26ea appid={f955c070-e044-456c-ac00-e9e4275b3f04}

In order to get the correct certhash and appid values, you can run the following command:

netsh http show sslcert

The results will be similar to below:

Find one of the web applications that you published and copy the Certificate Hash and Application ID fields to use in the netsh command above.  This will ensure that clients that don't support SNI are returned a certificate.  If you choose to bind to all IPs (0.0.0.0), that one certificate is presented to every non-SNI client regardless of the host name requested, so you'll need to make sure that all names for all the published web applications are listed in its Subject Alternative Name.  Once all of the web applications are published, you can test them to make sure everything is working correctly.
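The following PowerShell is an added example, not code from the original post.  It automates the steps just described: it parses the output of netsh http show sslcert, picks the binding the Web Application Proxy created for one of the published hosts, checks that the certificate's subject alternative names cover every published external host name, and only then adds the 0.0.0.0:443 binding.  It assumes the "Key : Value" column layout that netsh prints on an English system, that the Web Application Proxy bindings appear as Hostname:port entries, and that the certificate lives in the LocalMachine\My store.

```powershell
# Added example, not from the original post. Run elevated on the Web Application Proxy.

function Get-HttpSslBinding {
    # Parse 'netsh http show sslcert' into one object per binding.
    # Assumes the 'Key : Value' column layout netsh prints; a new binding starts
    # at each 'IP:port' or 'Hostname:port' line.
    $block = @{}
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(\S.*?)\s+:\s+(.+?)\s*$') {
            $key, $value = $Matches[1], $Matches[2]
            if ($block.Count -gt 0 -and $key -in 'IP:port', 'Hostname:port') {
                [pscustomobject]$block
                $block = @{}
            }
            $block[$key] = $value
        }
    }
    if ($block.Count -gt 0) { [pscustomobject]$block }
}

function Test-NameCovered {
    param([string]$Name, [string[]]$SanNames)
    # Exact match, or a single-label wildcard: *.contoso.com covers meet.contoso.com
    # but not a.b.contoso.com.
    foreach ($san in $SanNames) {
        if ($san -eq $Name) { return $true }
        if ($san.StartsWith('*.') -and $Name -match '^[^.]+\.(.+)$' -and $Matches[1] -eq $san.Substring(2)) {
            return $true
        }
    }
    return $false
}

# Every external host name currently published through the proxy.
$hosts = Get-WebApplicationProxyApplication |
    ForEach-Object { ([Uri]$_.ExternalUrl).Host.ToLower() } |
    Sort-Object -Unique
if (-not $hosts) { throw 'No web applications are published yet; publish the Lync rules first.' }

# Reuse the hash and application ID from a binding WAP created for a published host.
$binding = Get-HttpSslBinding | Where-Object {
    $_.'Hostname:port' -and ($hosts -contains ($_.'Hostname:port' -replace ':\d+$', '').ToLower())
} | Select-Object -First 1
if (-not $binding) { throw 'No SSL binding found for a published host name.' }

$hash  = $binding.'Certificate Hash'
$appId = $binding.'Application ID'

# The default binding hands this single certificate to every non-SNI client,
# so it must carry every published name. DnsNameList is added to X509Certificate2
# by PowerShell and contains the SAN DNS entries.
$cert  = Get-ChildItem -Path "Cert:\LocalMachine\My\$hash"
$names = $cert.DnsNameList | ForEach-Object { $_.Unicode.ToLower() }
$missing = $hosts | Where-Object { -not (Test-NameCovered -Name $_ -SanNames $names) }
if ($missing) { throw "Certificate $hash does not cover: $($missing -join ', ')" }

$default = Get-HttpSslBinding | Where-Object { $_.'IP:port' -eq '0.0.0.0:443' }
if ($default) {
    Write-Host "0.0.0.0:443 is already bound to certificate $($default.'Certificate Hash')"
} else {
    netsh http add sslcert ipport=0.0.0.0:443 certhash=$hash appid="$appId"
}

# Show the resulting default binding.
Get-HttpSslBinding | Where-Object { $_.'IP:port' -eq '0.0.0.0:443' }
```

If the coverage check throws, fix the certificate (or drop the rule for the missing name) before binding; adding the default binding first would let a non-SNI client reach a name that fails certificate validation, which is exactly the failure mode the mobile clients hit.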


Lync 2013 Mobility and Multiple SIP Domains

I get asked occasionally whether or not Windows Server 2012 R2 Web Application Proxy will work when you're using the Lync 2013 mobile clients and have multiple SIP domains in your environment.  When I originally wrote this blog post I only had one SIP domain configured in my lab, so I never tested this.  I decided to add another SIP domain and test it out to see whether or not it would work.  The short answer from my quick testing in my lab is that, yes, you can use Windows Server 2012 R2 Web Application Proxy for mobility with multiple SIP domains.  Just keep in mind that you may need to fill out some additional fields in the Lync 2013 mobile client.  In my lab, when trying to sign in with a user provisioned with a SIP URI from the second SIP domain:

Unfortunately, the sign in failed with "We can't sign you in. Please check your account info and try again.":

All I needed to do to resolve this error was to fill out the User Name field under Advanced Options:

This isn't an issue with the way Windows Server 2012 R2 Web Application Proxy works.  It is because my sign-in address doesn't match my UPN in AD.  This causes an issue when trying to authenticate with the WebTicket service.  With the User Name field filled out correctly, this time the sign in completed successfully:

This was a quick test with the Windows Phone version of the Lync 2013 mobile client.  As I get time to test the other versions of the Lync 2013 mobile client, I will post any interesting findings.  Make sure that if you are going to be using Windows Server 2012 R2 Web Application Proxy and you have multiple SIP domains you thoroughly test the different Lync 2013 mobile clients for all of the mobile OS versions you will be supporting.


Monitoring

You can use the Operations Status section of the Remote Access Management Console to monitor the Web Application Proxy:

From there you can open the Event Viewer and look at the Admin event log or view the Performance Monitor counters:


While the Web Application Proxy role in Windows Server 2012 R2 may not be as feature rich as a traditional Reverse Proxy, if you're using AD FS today and want an easy way to publish Lync Server 2013 Web Services, it's worth a look.