Step by Step deployment of reverse proxy for Skype For Business
A reverse proxy (RP) server has no Skype for Business Server role, but it is an essential component of an Edge Server deployment. It lets you publish internal web services to the internet to enable the following features for external users:
- Meeting join & PIN Reset
- Address book download
- Share PowerPoint presentation in a meeting
- Download meeting content
- Expand distribution groups
- Get user-based certificates for client certificate based authentication
- Obtain updates to client and device software
- Enable login for mobile devices
You can use any device (software or hardware based) to publish these internal web services. In this article, I explain how to use Microsoft Application Request Routing (ARR) to configure a reverse proxy for Skype for Business / Microsoft Lync.
Servers/clients in the x.x.x.0/24 and y.y.y.0/24 networks must not be able to reach the external interfaces (m.m.m.m and n.n.n.n) of the reverse proxy servers, and vice versa.
Static routes are used to enable communication from the internal interfaces of the reverse proxy servers to the servers/clients in the a.a.a.0/24 and b.b.b.0/24 networks.
The internal interfaces of the reverse proxy servers must not have a default gateway configured.
Add the following persistent static routes on the reverse proxy servers (a.a.a.a is the internal next hop):
route add -p x.x.x.0 mask 255.255.255.0 a.a.a.a
route add -p y.y.y.0 mask 255.255.255.0 a.a.a.a
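A check for the two routing requirements above, added here and not part of the original article: it confirms the internal interface carries no default gateway and that the routes created with "route add -p" are both persistent and active. The interface alias and the addresses are assumed placeholders standing in for the article's x.x.x.0/24, y.y.y.0/24 and a.a.a.a.

```powershell
# Added check, not from the original article: confirm the reverse proxy's
# internal interface has no default gateway and that the persistent routes
# added with "route add -p" are present and active. The interface alias and
# the addresses are assumed placeholders standing in for the article's.
$internalAlias  = 'Internal'
$nextHop        = '10.0.0.1'                          # a.a.a.a
$expectedRoutes = @('10.10.0.0/24', '10.20.0.0/24')  # x.x.x.0/24 and y.y.y.0/24

function Test-ReverseProxyRouting {
    $ok = $true

    # Requirement 1: no default route may be bound to the internal interface
    $gw = Get-NetRoute -InterfaceAlias $internalAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    if ($gw) {
        Write-Warning "Internal interface '$internalAlias' has a default gateway via $($gw.NextHop)"
        $ok = $false
    }

    # Requirement 2: each internal network is reachable through a route that survives reboots
    foreach ($prefix in $expectedRoutes) {
        $persistent = Get-NetRoute -DestinationPrefix $prefix -PolicyStore PersistentStore -ErrorAction SilentlyContinue
        $active     = Get-NetRoute -DestinationPrefix $prefix -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
                      Where-Object NextHop -eq $nextHop
        if (-not $persistent) {
            Write-Warning "Route to $prefix is not persistent and will be lost at reboot"
            $ok = $false
        }
        if (-not $active) {
            Write-Warning "No active route to $prefix via $nextHop"
            $ok = $false
        }
    }
    return $ok
}

Test-ReverseProxyRouting
```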
You can install IIS using either PowerShell or the GUI. In this example, we have used Windows PowerShell to install IIS.
Launch PowerShell in elevated mode.
Run the following command in PowerShell.
Install-WindowsFeature -Name Web-Server, Web-Mgmt-Tools
As you can see in the output, a restart is not required.
Install URL Rewrite
Download URL Rewrite from the following location and install it: https://www.iis.net/downloads/microsoft/url-rewrite
Download ARR from https://www.microsoft.com/en-us/download/details.aspx?id=47333
Launch the installer with elevated permissions.
Accept the agreement and click "Install".
When the installation finishes, click "Finish".
The reverse proxy certificate must contain the following names (the article uses contoso.com as the example domain):

| Subject Name | Subject Alternate Name | Remarks |
|---|---|---|
| webext.contoso.com | webext.contoso.com | External Web Services FQDN |
| | dialin.contoso.com | Dial-in conferencing (unique for every domain if dedicated) |
| | meet.contoso.com | Online meeting publishing rule (unique for every domain if dedicated) |
| | officewebapps01.contoso.com | Office Web Apps URL |
| | lyncdiscover.contoso.com | Auto Discover URL (unique for every SIP domain) |
Tip: if you have a Director, you also need to add its external web services URL.
Log into your Windows server running IIS (ARR).
Launch the Microsoft Management Console (mmc.exe).
Select File menu > Add/Remove Snap-in
Choose Certificates from Available Snap-ins and click Add
Choose Computer account for snap-in management and click Next
Choose Local computer to use the snap-in on the current computer and click Finish
When back at the Add or Remove Snap-ins click OK
Navigate to Certificates (Local Computer) -> Personal -> Certificates
Right click Certificates and navigate to All tasks > Advanced options and select Create custom request
The Certificate Enrollment Wizard will open. Review the Before You Begin section and click Next
Leave the default "No template" option for Custom request and click Next
On Certificate Information, expand Details then click the Properties button.
On the General tab, fill in the Friendly name and Description values
Select the Subject tab and add values to the Subject name and Alternative name attributes. To add an attribute, select its Type from the drop-down, enter the correct Value and then click Add.
Information to be filled in:
- Subject name
  - Common name: per the table in the previous section. This is the subject name.
  - Organizational Unit: anything relevant.
  - Organization: anything relevant.
  - Locality: anything relevant.
  - State: anything relevant.
  - Country: anything relevant.
- Alternative name
  - DNS: the fully qualified domain names as per the previous section.
Select the Extensions tab, expand Key usage, and select Digital signature and Key encipherment from the Available options.
On the Extensions tab, expand Extended Key Usage (application policies), select Server Authentication from the Available options and click Add to place it in Selected options.
Select the Private Key tab and expand Cryptographic Service Provider. Make sure RSA, Microsoft Software Key Storage Provider is the only box checked. Expand Key options and select 2048 in the Key size drop-down.
On the Private Key tab, expand Select Hash Algorithm. In the Hash Algorithm drop-down, select sha1 (the author's choice, described as the only hash compatible with dynamic keying) and then click OK. Note that this hash only signs the request itself: the signature algorithm of the issued certificate is chosen by the CA, and public CAs no longer issue SHA-1 signed certificates.
On the "Where do you want to save the offline request?" page, give your certificate request file a name and save it to a location on your computer.
Also, select "mark the key exportable" (under Key options on the Private Key tab) if you have another server where the same certificate needs to be configured.
Submit this saved request file to a public CA to obtain the certificate.
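The wizard steps above as a scripted equivalent, added here and not part of the original article: it writes a certreq INF file with the same subject, SAN list, key usage, EKU, RSA 2048 key on the Microsoft Software Key Storage Provider and exportable key, generates the PKCS#10 request, and checks that every name made it into the request. The O/OU/L/S/C values, file names and friendly name are assumed placeholders; the DNS names are the article's, and the hash is sha256 rather than the sha1 selected above because public CAs no longer issue SHA-1 signed certificates.

```powershell
# Added example, not from the original article: the MMC custom-request steps
# above expressed as a certreq INF file. Subject O/OU/L/S/C, file names and the
# friendly name are assumed placeholders; the DNS names are the article's.
$names = @(
    'webext.contoso.com',           # External Web Services FQDN, also used as CN
    'dialin.contoso.com',           # Dial-in conferencing
    'meet.contoso.com',             # Online meeting publishing rule
    'officewebapps01.contoso.com',  # Office Web Apps
    'lyncdiscover.contoso.com'      # Autodiscover (one per SIP domain)
)
# One _continue_ line per SAN entry, the syntax certreq expects for OID 2.5.29.17
$sanLines = ($names | ForEach-Object { "_continue_ = `"dns=$($_)&`"" }) -join "`r`n"

$inf = @"
[NewRequest]
Subject = "CN=$($names[0]), OU=IT, O=Contoso, L=Redmond, S=WA, C=US"
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = TRUE
; 0x80 Digital Signature + 0x20 Key Encipherment, as selected on the Extensions tab
KeyUsage = 0xA0
; Signs only the request itself; the CA picks the certificate's signature hash.
; The article selects sha1, but public CAs no longer issue SHA-1 certificates.
HashAlgorithm = sha256
RequestType = PKCS10
FriendlyName = "SfB reverse proxy"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

$inf | Set-Content -Path .\sfb-rp.inf -Encoding ASCII
# Generates the key in the machine store and writes the PKCS#10 request for the CA
certreq -new .\sfb-rp.inf .\sfb-rp.req

# Check that the request actually carries every name before submitting it
$dump = certutil -dump .\sfb-rp.req
foreach ($n in $names) {
    if (-not ($dump | Select-String -SimpleMatch -Quiet $n)) {
        Write-Warning "SAN entry missing from request: $n"
    }
}
```

When the CA returns the issued certificate, "certreq -accept issued.cer" installs it into the Local Computer Personal store next to the pending private key, after which it appears under Server Certificates in IIS Manager.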
Launch Internet Information Services (IIS) Manager.
Select the server in the left pane and open Server Certificates in the right pane.
In the Actions pane on the far right, click Import to import the public certificate. This is the certificate you requested and obtained from the public CA.
After importing the certificate successfully, it appears in the Server Certificates list in IIS Manager.