To recap, in Lync Server Edge Server deployments, an HTTPS reverse proxy in the perimeter network is required for external clients to access the Lync Server Web Services on the Director and the user's home pool. Some of the features that require external access through a reverse proxy include the following:
Enabling external users to download meeting content for your meetings.
Enabling external users to expand distribution groups.
Enabling remote users to download files from the Address Book service.
Accessing the Microsoft Lync Web App client.
Accessing the Dial-in Conferencing Settings webpage.
Accessing the Location Information service.
Enabling external devices to connect to Device
Update web service and obtain updates.
There's not much documentation on how to create and install the proper certficates on the Reverse Proxy so I'd like to share the steps that I took for setting up a Lync Reverse Proxy using Forefront Threat Management Gateway (TMG) 2010. The technet documentation at http://technet.microsoft.com/en-us/library/gg429704.aspx explains what the subject name and SAN's need to be for the certificate, but
does not actually tell you how to request and install the certificate in order to get it working. So here goes:
1. First and foremost, after installing TMG2010, if you are not using a public CA then you need to import the Root CA Certificate into the TMG Server's Trusted Root Certificate Authorities. This is because the TMG Server is not joined to the AD Domain since it sits in the perimeter network. To do this, navigate to http://<CAServerFQDN>/certsrv and click on Download a "CA Certificate, Certificate Chain or CRL" and then click on "Download CA
Certificate". Save the file with a .cer extension on the Reverse Proxy server then open it. Click on "Install Certificate" and follow the wizard, making sure you put the certificate into the "Trusted Root Certificate Authorities" Certificate Store.
2. Since there's no certificate wizard in TMG, you have to use Lync server to create the certificate on behalf of the Reverse Proxy. On the Lync Management Powershell, type the following:
> Request-CsCertificate -New -Type WebServicesExternal -PrivateKeyExportable $True -FriendlyName "RP Cert" -Organization "Polycom" -OU "APAC" -KeySize 2048 -City "SG" -State "SG" -Country "SG" -Output c:\rpcert.req
The parameters I used are for my environment so you have to substitute them with your own. Note we have to specify that the private key must be exportable. The advantage of using Lync is that it also generates the necessary SANs in the CSR for the certificate to work properly with all the Lync web services. You also need to make sure the External Web Services FQDN for the Lync Pool is defined as this
will be included in the SAN. If you have not yet defined this, open the Lync Topology builder and define it, then publish the topology before running this command.
3. Next, copy the rpcert.req to the CA and start the Certification Authority mmc from the adminstrative tools. Right-Click on the CA
server and choose "All Tasks" and then "Submit New Request". Choose the rpcert.req file and then select a location to save the cert, for eg. c:\rpcert.cer
4. With the rpcert.cer issued by the CA, you now need to copy this file back to the Lync server for import. Why not just import it into
the Reverse proxy server? Because the CSR was generated by Lync server which means the Private Key only resides there. By importing the certificate back into Lync, you can then export the entire certificate along with the Public and Private keys. On the Lync Management Shell, type the following:
> Import-CsCertificate -Path c:\rpcert.cer -PrivateKeyExportable %True
This will put the certificate into the Lync servers certificate store.
5. Now, start the Certificates MMC on the Lync server. To do this, run mmc from the Start menu and then click on File->Add Remove Snapin and choose Certificates and select the Local Computer Account. Expand Certificates->Personal->Certificates on the left navigation pane and you should see the newly imported cert, with the SN being the FQDN of the Reverse Proxy server. Right-Click on the certificate, select All Tasks and then Export. In the Export wizard, select "Yes, Export the Private Key" and you will be forced to export as a PKCS #12 .pfx file. Select "Include all certificates in the certification path if possible" and "Export all extended properties". Next you will be prompted to enter a password twice, and the complete the wizard by saving the file to a location you specify.
6. Finally, copy the newly exported .pfx file back to the Reverse Proxy server. Then start the Certificates MMC and choose the Computer Account. Expand Personal->Certificates and then Right-Click and choose All Tasks->Import. In the wizard, select the .pfx file and then enter the password in step 5. The certificate is now stored in the Reverse Proxy server's certificate store and ready for use.
As you configure TMG2010 to create the web publishing rule for Lync web services, follow the instructions given in the documentation and when creating a web listener, you can now select the imported certificate.
That's all for this post and hope this has been useful for you.
Enabling external users to download meeting content for your meetings.
Enabling external users to expand distribution groups.
Enabling remote users to download files from the Address Book service.
Accessing the Microsoft Lync Web App client.
Accessing the Dial-in Conferencing Settings webpage.
Accessing the Location Information service.
Enabling external devices to connect to Device
Update web service and obtain updates.
There's not much documentation on how to create and install the proper certficates on the Reverse Proxy so I'd like to share the steps that I took for setting up a Lync Reverse Proxy using Forefront Threat Management Gateway (TMG) 2010. The technet documentation at http://technet.microsoft.com/en-us/library/gg429704.aspx explains what the subject name and SAN's need to be for the certificate, but
does not actually tell you how to request and install the certificate in order to get it working. So here goes:
1. First and foremost, after installing TMG2010, if you are not using a public CA then you need to import the Root CA Certificate into the TMG Server's Trusted Root Certificate Authorities. This is because the TMG Server is not joined to the AD Domain since it sits in the perimeter network. To do this, navigate to http://<CAServerFQDN>/certsrv and click on Download a "CA Certificate, Certificate Chain or CRL" and then click on "Download CA
Certificate". Save the file with a .cer extension on the Reverse Proxy server then open it. Click on "Install Certificate" and follow the wizard, making sure you put the certificate into the "Trusted Root Certificate Authorities" Certificate Store.
2. Since there's no certificate wizard in TMG, you have to use Lync server to create the certificate on behalf of the Reverse Proxy. On the Lync Management Powershell, type the following:
> Request-CsCertificate -New -Type WebServicesExternal -PrivateKeyExportable $True -FriendlyName "RP Cert" -Organization "Polycom" -OU "APAC" -KeySize 2048 -City "SG" -State "SG" -Country "SG" -Output c:\rpcert.req
The parameters I used are for my environment so you have to substitute them with your own. Note we have to specify that the private key must be exportable. The advantage of using Lync is that it also generates the necessary SANs in the CSR for the certificate to work properly with all the Lync web services. You also need to make sure the External Web Services FQDN for the Lync Pool is defined as this
will be included in the SAN. If you have not yet defined this, open the Lync Topology builder and define it, then publish the topology before running this command.
3. Next, copy the rpcert.req to the CA and start the Certification Authority mmc from the adminstrative tools. Right-Click on the CA
server and choose "All Tasks" and then "Submit New Request". Choose the rpcert.req file and then select a location to save the cert, for eg. c:\rpcert.cer
4. With the rpcert.cer issued by the CA, you now need to copy this file back to the Lync server for import. Why not just import it into
the Reverse proxy server? Because the CSR was generated by Lync server which means the Private Key only resides there. By importing the certificate back into Lync, you can then export the entire certificate along with the Public and Private keys. On the Lync Management Shell, type the following:
> Import-CsCertificate -Path c:\rpcert.cer -PrivateKeyExportable %True
This will put the certificate into the Lync servers certificate store.
5. Now, start the Certificates MMC on the Lync server. To do this, run mmc from the Start menu and then click on File->Add Remove Snapin and choose Certificates and select the Local Computer Account. Expand Certificates->Personal->Certificates on the left navigation pane and you should see the newly imported cert, with the SN being the FQDN of the Reverse Proxy server. Right-Click on the certificate, select All Tasks and then Export. In the Export wizard, select "Yes, Export the Private Key" and you will be forced to export as a PKCS #12 .pfx file. Select "Include all certificates in the certification path if possible" and "Export all extended properties". Next you will be prompted to enter a password twice, and the complete the wizard by saving the file to a location you specify.
6. Finally, copy the newly exported .pfx file back to the Reverse Proxy server. Then start the Certificates MMC and choose the Computer Account. Expand Personal->Certificates and then Right-Click and choose All Tasks->Import. In the wizard, select the .pfx file and then enter the password in step 5. The certificate is now stored in the Reverse Proxy server's certificate store and ready for use.
As you configure TMG2010 to create the web publishing rule for Lync web services, follow the instructions given in the documentation and when creating a web listener, you can now select the imported certificate.
That's all for this post and hope this has been useful for you.
RSS Feed