Step by Step deployment of reverse proxy for Skype For Business


A reverse proxy (RP) server has no Skype for Business Server role, but is an essential component of an Edge Server deployment. It lets you publish internal web services to internet to enable following features for an external user;

  • Meeting join & PIN Reset
  • Address book download
  • Share PowerPoint presentation in a meeting
  • Download meeting content
  • Expand distribution groups
  • Get user-based certificates for client certificate based authentication
  • Obtain updates to client and device software
  • Enable login for mobile devices

You can use any of the devices (software or hardware based) to publish these internal web services. In this article, I explain how to use Microsoft Application Request Routing (ARR) to configure reverse proxy for Skype for Business\Microsoft Lync.

Reference Diagram

Firewall & Network Requirement of Reverse Proxy Servers

Servers\clients from the network addresses x.x.x.0\24 & y.y.y.0\24 must not reach external interfaces (m.m.m.m & n.n.n.n) of the reverse proxy servers & Vice Versa.

Static routes to be used to enable communication from internal interfaces of the reverse proxy servers to the servers\clients in network addresses a.a.a.0\24 & b.b.b.0\24.

Internal interfaces of the reverse proxy servers to not have the gateway configured over it.

Add following static routes on the reverse proxy servers.

route add -p x.x.x.0 mask a.a.a.a

route add -p y.y.y.0 mask a.a.a.a

Flow of Installation & Configuration

Installation of IIS

You can install IIS using either PowerShell or GUI. In this example, we have used windows PowerShell to install IIS.

Launch PowerShell in elevated mode.

Run following command in PowerShell.

Install-WindowsFeature -Name Web-Server, Web-Mgmt-Tools

As you can see in output, restart is not required.

Install URL Rewrite

Download URL re-write from this location and install it:

Install ARR

Download ARR from

Launch install using elevated permission.

Accept the agreement and click "Install"

When installed, click "Finish"

Certificate Requirement of Reverse Proxy

Subject Name Subject Alternate Name Remarks External Web Services FQDN Dial-in conferencing (Unique for every domain if dedicated) Online meeting publishing rule (Unique for every domain if dedicated) Office Web Apps URL Auto Discover URL (unique for every SIP domain)

Tips You need to add additional external web services URL For director (if any)

Steps to Create an Offline Certificate Request

Log into your Windows server running IIS (ARR).

Launch the Microsoft Management Console (mmc.exe).

Select File menu > Add/Remove Snap-in

Choose Certificates from Available Snap-ins and click Add

Choose Computer account for snap-in management and click Next

Choose Local computer to use the snap-in on the current computer and click Finish

When back at the Add or Remove Snap-ins click OK

Navigate to Certificates (Local Computer) -> Personal -> Certificates

Right click Certificates and navigate to All tasks > Advanced options and select Create custom request

The Certificate Enrollment Wizard will open. Review the Before You Begin section and click Next

Leave the default "No template" option for Custom request and click Next

On Certificate Information, expand Details then click the Properties button.

On the General tab, fill in the Friendly name and Description values

Select the Subject tab, Add values to the Subject name and Alternative name attributes. To add the attributes, select an attribute Type from the drop down, enter the correct Value and then click Add.

Information to be filled:

  • Subject name
    • Common name: Per previous section. This is the subject name.
    • Organizational Unit: Anything relevant.
    • Organization: Anything relevant
    • Locality: Anything relevant
    • State: Anything relevant
    • Country: Anything relevant
  • Alternative name:
    • DNS: Fully Qualified Domain Names as per previous section.

Select the Extensions tab, expand Key usage, select Digital signature and Key encipherment from the Available options

On the Extensions tab, expand Extended Key Usage (application policies), select Server Authentication from the Available options and click Add to place in Selected options.

Select the Private Key tab, Expand Cryptographic Service Provider Make sure RSA, Microsoft Software Key Storage Provider is the only boxed checked. Expand Key options and select 2048 in the Key size drop down.

On the Private Key tab, expand Select Hash Algorithm. For the Hash Algorithm drop down, select sha1 which is the only e hashing compatible dynamic keying and then click OK.

On the "Where do you want to save the offline request?", give your certificate request file a name and save it to a location on your computer.

Also, select "mark the key exportable" if you have another server where the same certificate needs to be configured.

Use this saved file to generate the certificate by a Public CA.

Configure IIS for SSL

Launch Internet Information Services (IIS) Manager.

Select the server in left pane and select Server Certificates in the right pane.

On the right most side, click on import to import the public certificate. This is the certificate you have already requested and obtained from public CA.

After importing the certificate successfully, you can see it in the IIS Console as below.

0 Comment