Lync Mobile Issues ARR IIS Reverse proxy

Similar Messages

• IIS Reverse Proxy with URL rewrite.

  Hi all, hoping to leverage the wealth of knowledge contained here.
  Any assistance would be very welcome.
  I'm having an issue getting a reverse proxy and URL rewrite working in IIS 7.0.
  I need to redirect all requests with a specific virtual directory suffix only.
  ie; https://domain.test.com/outbound/Content/query_etc
  With /Outbound/ being the trigger.
  This should be redirected to http://10.10.10.10/inbound/Content/query_etc
  While at the same time, requests without the /outbound/ suffix should be handled locally.
  I have configured the reverse proxy as described in a few articles, and have had no luck.
  Here's a snippet from my (sanitized) web.config at the site level.
  <rewrite>
  <outboundRules>
  <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
  <match filterByTags="A" pattern="^http(s)?://10.10.10.10/inbound/(.*)" />
  <action type="Rewrite" value="https://domain.test.com/outbound/{R:2}" />
  </rule>
  <preConditions>
  <preCondition name="ResponseIsHtml1">
  <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
  </preCondition>
  </preConditions>
  </outboundRules>
  <rules>
  <rule name="ReverseProxyInboundRule1" stopProcessing="true">
  <match url="^outbound/(.*)" />
  <action type="Rewrite" url="http://10.10.10.10/inbound/{R:1}" appendQueryString="true" logRewrittenUrl="false" />
  </rule>
  </rules>
  </rewrite>
  To me, this looks correct, yet it doesn't work.
  With this, I get the normal 404 - Error Code 0x80070002, with the text indicating the local directory doesn't exist, so.... not being picked up by the filter for redirection.

  Hi Andrew,
  Looking at your requirements it appears you need Reverse Proxy To Another Site/Server.
  By using URL Rewrite Module together with
  Application Request Routing module you can have IIS 7 act as a
  reverse proxy.
  It seems like URL Rewrite can't re-route the request somewhere else out of the server.
  Even when you rewrite the url the actual connection remains with the server. Hence if your original server doesn't have /inbound/Content/query_etc  it will fail with 404.
  Hosting multiple domain names under a single account using URL Rewrite.
  It’s a common desire to have a single IIS website that handles multiple sites with different domain names.
  References:
  How to create a url alias using IIS URL Rewrite:
  http://blogs.technet.com/b/mspfe/archive/2013/11/27/how-to-create-a-url-alias-using-iis-url-rewrite.aspx
  Reverse Proxy with URL Rewrite v2 and Application Request Routing:
  http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing
  Regards,
  Satyajit
  Please“Vote As Helpful”
  if you find my contribution useful or “MarkAs Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

• How to configure ARR to Reverse Proxy to RD Gateway

  We have an ARR server in the DMZ working fine providing reverse proxy for our internal Exchange Server 2013 environment and I've tried to create rules to allow access to the internal RD Gateway as well but when testing from an external client it never connects.
  Does anyone have any configuration notes for how ARR should be configured to allow reverse proxy of RD Gateway?
  Cheers for now
  Russell

  Hi,
  I think you can refer this below article might get some insight from this case.
  RD Gateway/RD Web Access & IIS Reverse Proxy/ARR
  http://forums.iis.net/t/1210901.aspx?RD+Gateway+RD+Web+Access+IIS+Reverse+Proxy+ARR
  Apart seem this as the configurations need to be done in IIS side, I would like to suggest you post the question in our IIS forum for further assistance.
  http://forums.iis.net/
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• IIS Reverse Proxy and Basic Authentication

  Hi,
  we've currently put a WebAS 6.40 serving a BSP Application in our Appl-DMZ. For the access via Web the IIS Reverse Proxy is used, which works fine as long as you use a service for which a user is provided (in SICF). But if you don't provide a user in the service (in order to debug the BSP Application) you have to authenticate yourself using Basic Authentication (Browser Popup) which does not work (the popup returns and returns ...)
  I' ve browsed the forums and it seems that the IIS Reverse Proxy does not support (the forwarding) of Basic Authentication "requests".
  So my question, does someone exactly know if the IIS Reverse proxy supports Basic Authentication or not ?
  Thanks,
  Markus

  Hello Markus,
  1. have you checked out Alon Weinstein's Weblog <a href="/people/sap.user72/blog/2005/02/23/the-reverse-proxy-series--part-2-iis-as-a-reverse-proxy">The Reverse Proxy Series -- Part 2: IIS as a reverse-proxy</a>?
  2. Is the IIS a must? Can you give Apache or SAP Web Dispatcher a try. Prakash Singh wrote a Weblog <a href="/people/prakash.singh4/blog/2005/08/16/how-to-setup-webdispatcher-to-load-balance-portal-in-a-clustered-environment">How to setup webdispatcher to load balance portal in a clustered environment</a>.
  Regards
  Gregor

• Is it possible IIS reverse Proxy for WAS ( BSP) ?????

  Hi
  I am able to setup IIS reverse proxy for Portal and other some internal website and it works well from outside the firewall. But for WAS (for BSP application), it repeatly prompt login screen even after gave correct user ID and password when call through proxy. But it work inside firewall.
  So really wonder is it possible to use IIS reverse proxy for WAS?
  Thanks
  Raibin

  Hi Raja
  Thanks for your message. But I already read this same and many other BLOGs. Everything talk about manything. And nothing helped me to find the solution. But friday I found the solution myself and happy to share with you and all others.
  The problem was related to the extra string getting added with in url to replace /bsp/   to   /bsp(xxxxxxxxxxxxx)/ and finally when I put the entry as below in my IISProxy.xml file, everything became OK.
  And I saw so many question related to EP 7.0 for outside access. There is one extra entry we have to put for webdynpro to make EP 7.0 working outside specially for admin screens.
  In the below example 'sapep' is Portal and 'sapecc' is ECC 5.0 server.
  <ISAPI-config version="1.6">
       <filter name="IisProxy filter" />
       <extension name="IisProxy extension" />
       <mapping name="PORTAL">
            <source>
                 <protocol>http</protocol>
                 <prefix>/irj</prefix>
                 <new-prefix>/irj/</new-prefix>
            </source>
            <source>
                 <protocol>http</protocol>
                 <prefix>/logon/</prefix>
            </source>
            <source>
                 <protocol>http</protocol>
                 <prefix>/webdynpro/</prefix>
            </source>
            <target>
                 <protocol>http</protocol>
                 <host>sapep.domain.com</host>
                 <port>50000</port>
            </target>
       </mapping>
       <mapping name="BSP">
            <source>
                 <protocol>http</protocol>
                 <prefix>/sap/</prefix>
            </source>
            <source>
                 <protocol>http</protocol>
          <prefix>/sap(bD1lbiZjPTA5NiZkPW1pbg==)/</prefix>
            </source>
            <target>
                 <protocol>http</protocol>
                 <host>sapecc.domain.com</host>
                 <port>1080</port>
            </target>
       <compress-types>text/html, text/plain</compress-types>
       </mapping>
  </ISAPI-config>
  I hope this will many to solve their problems.
  Thanks
  Raibin

• Weblogic to IIS - reverse proxying - WL 7.0

  Hi All.
  Due to performance reasons, we cannot put IIS as a webserver proxy to weblogic
  anymore.
  Can anyone tell me if the built in webserver of weblogic can be configured to
  proxy ASP pages ?
  I know weblogic is an app server but is there a way we can add a handler in weblogic
  that will handle ASP pages by proxying the requests to an IIS server sitting behind
  it ?
  Thanks,
  Mallik

  You can use weblogic.servlet.proxy.HttpProxyServlet to achieve this.
  Heres the link for more info
  http://edocs.bea.com/wls/docs61/adminguide/http_proxy.html
  Nagesh
  "Mallik" <[email protected]> wrote in message
  news:3f00ece6$[email protected]..
  >
  Hi All.
  Due to performance reasons, we cannot put IIS as a webserver proxy toweblogic
  anymore.
  Can anyone tell me if the built in webserver of weblogic can be configuredto
  proxy ASP pages ?
  I know weblogic is an app server but is there a way we can add a handlerin weblogic
  that will handle ASP pages by proxying the requests to an IIS serversitting behind
  it ?
  Thanks,
  Mallik

• My environment is 99% of the way there, but my ARR reverse proxy doesnt seem to be forwarding lyncdiscover properly. Can someone help?

  I recently cut over from lync 2010 with an apache reverse proxy to a lync2013 deployment using microsoft ARR as the reverse proxy.
  Last night i cut over to the new ARR reverse proxy but our lync 2013 mobility tests didnt go well. I also cant get the DIALIN.CONTOSO.COM page to show up externally. Only the https://MEET.CONTOSTO.COM site shows up properly from an external browser. I have
  a feeling that the lync ARR server is only handling meet.contoso.com for some reason, although i followed the LYNC setup guides exactly. Please see the screenshots of my setup. Does anyone have an idea of why everything might be taken over by the MEET.CONTOSO.COM
  Server Farm in ARR?
  As you can see, the lyncdiscover.contoso.com server farm has no hits.
  When I fire up the lync mobility app, the MEET.CONTOSO.COM server farm in ARR receives the hits. (and failures)
  I followed the configuration exactly, here are my rewrite rules:
  Any Ideas?

  Hello All,
  I had a professional service with Microsoft to fix the many issues with my Lync environment. It turns out that there were 2 major causes of the problem i was having. For one, I DID have the wrong cert set on the lync2013 FE server's external web interface.
  I didn't realize this because there seems to be some sort of bug in the LYNC SERVER 2013 DEPLOYMENT WIZARD. 
  First, it is badly designed. There is actually a drop down that i didnt realize was a dropdown when deploying my environment that expands and shows the external web services certificate.
  After I found that, i tried updating it to my godaddy cert but it left a BLANK in the deployment wizard. So i had to go into the IIS management console to update the bindings.
  Once the FE server's external website certificate was installed properly, we moved on the the reverse proxy. We scrapped ALL of the ARR servers and rewrite rules and started from scratch. Instead of creating 4 server farms and using lync.contoso.com, meet.contoso.com
  etc... we created one server farm that points at the IP ADDRESS of the lync front end server. We changed the PATTERN to (.*) using regular expressions and the HTTP_HOST rule to (lync.contoso.com|lyncdiscover.contoso.com|meet.contoso.com|dialin.contoso.com)
  After this, we still had a problem with lync mobility for android 2013.
  Our public DNS has a record *.contoso.com to capture all traffic and route it to our website. This was capturing lyncdiscoverinternal.contoso.com and the android devices were getting a certificate error. We now have lyncdiscoverinternal.contoso.com pointed
  to the reverse proxy's external IP address to resolve that issue. The android lync mobility client also checks for an exchange record which isn't documented http://contoso.com/ews because of an autodiscover record, so our android clients still get a certificate
  error once during the initial setup of the application. Our IOS devices don't show this error so we called the issue resolved.
  Good luck all!

• Combining Lync Edge certificate of Reverse Proxy

  I wonder if the creation of a certificate from the combined Lync Edge server names and Reverse Proxy will work?
  Wants to create a certificate for Lync Edge with CN = sip.domain.com and add names required for the Edge and Reverse Proxy as an additional DNS:
  sip.domain.com 
  webconf.domain.com
  webext.domain.com
  meet.domain.com
  dialin.domain.com
  lyncdiscover.domain.com

  Hi,
  Yes, you can use the same certificate for both Edge Server (external interface) and Reverse Proxy, which SAN including all Edge Server and Reverse Proxy needed (such as: webcon.contoso.com, sip.contoso.com, webext.contoso.com, meet.contoso.com, dialin.contoso.com,
  lyncdiscover.contoso.com, and so on).
  More details:
  https://technet.microsoft.com/en-us/library/gg398519.aspx?f=255&MSPPError=-2147217396
  https://technet.microsoft.com/en-us/library/gg429704.aspx
  There is no special SAN for federate with Skype. However, the certificate must be the public SAN certificate.
  Best Regards,
  Eason Huang
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Eason Huang
  TechNet Community Support

• Lync mobile - server settings have changes please restart

  Hi,
  I have an issue within my current deployment. Mobile clients keep getting the message "Your Server configuration has changed, please restart lync." every 5-15 mins. 
  From my reading so far its suggested that changing the TTL on the IIS reverse proxy from 200 to 600/960 solves the issue. This hasn't worked for me. 
  Has anyone else had a similar issue and know of another fix or change that may be required? 
  Thanks
  Joel
   

  Hi,
  Did this happen for all kind of mobiles?
  Please double check the configuration of IIS ARR with the help of the link below:
  http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx
  You can try to enable logging on mobile devices and Front End server for troubleshooting.
  If you get a 502.3 error in the log, please also troubleshooting with the help of the link below:
  http://blogs.iis.net/richma/archive/2010/07/03/502-3-bad-gateway-the-operation-timed-out-with-iis-application-request-routing-arr.aspx
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Lync Mobility, lyncdiscoverinternal or lyncdiscover

  Can someone make points, how does
  lyncdiscoverinternal make different?
  In situation, where lyncdiscover (external) is working, what would I get to setup lyncdiscoverinternal?
  Does ANYTHING changes?
  - Meitzi [MCITP]

  Firstly, I invite ANYONE who is not happy with our docs to provide feedback.  We invite it and encourage it. 
  [email protected] for Lync Server 2010,
  [email protected] for Lync Server 2013.
  Secondly, We intentionally don't go into gory details in the Planning and Deployment docs - not any more than is absolutely necessary.  The reason simply is we have a diverse audience and our goal with the Planning and Deployment docs is to
  help people PLAN and DEPLOY.  Technical depth is available by a number of means:  We have the Lync Server 2010 Resource Kit, the NextHop blog (multitudes of articles on in-depth Mobility is there) and a Troubleshooting Lync Mobility Issues white
  paper, among a whole bunch of MVPs.
  Now, the direct question:  Why NOT just avoid the whole lyncdiscoverinternal.<domain> record and just go to the Lyncdiscover.<domain> record for all internal and external users?  Three reasons:
  A) We have more information in the Autodiscover response than just "Hey! You're inside.  Go outside!"  "Hey, You're outside! It's all good!"  Check the traces....
  B) Newer clients that have been released since Cumulative Update for Lync Server 2010 : November 2011 (known affectionately to everyone else and their puppy as CU4) make use of BOTH records to know where they are and to use the correct internal or external
  Web services for their purposes.  Unless you want ALL clients to be hairpinning at your reverse proxy.....  Both records are really needed.
  C) We state that we only support DNS where BOTH lyncdiscover and lyncdiscoverinternal are implemented. Why? Refer to B)  
  Anyone that is questioning IF we want feedback - Drago Totev and Mr. Seeber can both tell you - we're serious when we say we want your feedback on our docs.
  Cheers!
  Rick Lync Server UA

• How to disable hostname verification on iplanet reverse proxy

  I am looking for a way to disable hostname verification of the application server url specified in teh reverse proxy setup.
  I am using the following setting in my Object definitions. It is failing due to the certificate CN is not matching the url I specified
  The error is :
  for host xx.yy.zz.ww trying to GET /uri/loginAction.do, service-http reports: HTTP7758: error sending request (SSL_ERROR_BAD_CERT_DOMAIN: Requested domain name does not match the server's certificate.)
  Route fn="set-origin-server" server="https://bbb.com:7002/" poll-timeout="20000" retries="2"
  My tomcat certificate CN has  aaa.com
  While I am using the tomcat on bbb.com.
  Is there any way to disable hostname verification on a reverproxy setup. I am unable to find any relevant documentation on this.
  The closest discussion I found was https://forums.oracle.com/thread/1943116 but it did not conclude anything.

  Found a solution from Oracle Knowledge base:
  This fixed our issue
  <Object name="reverse-proxy-/abc">
  ObjectType fn="ssl-client-config" validate-server-cert="false"
  Route fn="set-origin-server" server="https://server1.test.com:11011" server="https://server2.test.com:11011"
  </Object>

• Apache Reverse Proxy and Branding Image

  Hi,
  I just installed a Apache reverse proxy on solaris. Unfortunatly, the branding image on the EP logon screen is not displayed. Anyone who knows how I can fix that?
  I read some good post for the IIS reverse proxy. Is there a way to do the same on Apache?
  Thanks
  Elvez

  Thanks for the replies.
  However, I found the solutioin in an excellent document on the Web: http://www.apacheweek.com/features/reverseproxies. It would be worth reading for SAP. I'm especially referring to the document "Apache Configuration for J2EE Web Applications". The configuration described in the SAP document is strongly avoided by the author of apacheweek.
  Best regards,
  Elvez

• Issues using IIS 8.5 with ARR 3.0 as Reverse Proxy for Lync 2013

  Dear reader, after searching for a day without finding a solution to my problem I end up here ;-)
  Working Lync 2013 environment (gradually adding functionality) consisting of 2 FE servers, Persistent Chat Server, Web Apps server, Edge Server, Reverse Proxy Server (IIS 8.5/ARR 3.0), SQL Server.
  Set up a fresh Windows 2012 R2 with IIS 8.5, installed ARR 3.0 and followed along this
  TechNet article.
  So far so good, external clients (incl. mobile phone apps) can all connect.
  Now trying to add Web Apps to the reverse proxy, which is slightly different from the others by not forwarding 80/8080 and 443/4443, but just 80 and 443 to internal Web Apps server.
  After creating the server farm/URL rewrite, browsing to the webapps.FQDN/hosting/discovery ends up with a 404 error (instead of XML, which is shown when try from the LAN).
  After moving this rewrite rule to the top, it started working, but now my lyncdiscover.FQDN stops working.
  Ofcourse moving the webapps rule down restores the lyncdiscover.
  Any ideas? (everything setup as described in above mentioned TechNet article, so using wildcards. Tried fiddling around with webext.* and lyncdiscover.* and so, but no luck. (I'm completely new to ARR)
  Thanks,
  Barry

  Can you confirm that for each URL Rewrite Rule, you have an {http_host} record that matches something like webext.* as you referenced above and as seen in step 15 here:
  http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx
  It might help if you posted a screenshot of your URL rewrite rules.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• Lync Mobile unable to sign in using IIS ARR

  We have a deployment which currently has no issues using an Apache reverse proxy running on Ubuntu. I am working on switching over to a supported reverse proxy, so IIS ARR is the obvious choice. I have configured IIS ARR by following the steps at:
  http://uclobby.com/2013/08/02/configuring-arr-for-lync-server/
  http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx
  When I try to sign on externally using Lync 2013 Mobile, I get a message saying "An unknown error occured". The Lync Mobile logs show the following error:
  Caused by: java.net.ConnectException: failed to connect to /xxx.xxx.xxx.xxx (port 443) after 60000ms: isConnected failed: ECONNREFUSED (Connection refused)
  I have even gone as far as opening all the ports to the IIS ARR server on the firewall and disabling Windows firewall on everything.

  To fix issue "502 - Web server received an invalid response while acting as a gateway or proxy server.", you can refer below link
  http://support.microsoft.com/kb/2455129/en-us
  it's assume reverse proxy configuration issue, please check the following things:
  Please make sure your internal web service url and external web service url are not pointed to the same FQDN.
  Verify you have update the public certifcates including lyncautodiscover URL in the SAN entries for your reverse proxy server
  Check the authenticated delegation is set to "No delegation, but clients may authenticate directly"
  Please try to enable internal access and see if it works
  If still no luck,please enable Lync server logging tool and reproduce the issues,then use snooper to analyze the log for more specific information
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Mai Ali | My blog: Technical

• IIS ARR Lync Mobility failed

  Hello, in need of help, we're trying to find alternative to TMG, so we are trying to use ARR to publish but seem to be stuck
  when we do a lync we get the following error:
  Testing HTTP authentication methods for URL https://lyncdiscover.itt.com/Autodiscover/AutodiscoverService.svc/root/user.
    HTTP authentication test failed.
    Tell me more about this issue and how to resolve it
  Additional Details
  Initial anonymous HTTP(s) request didn't fail, but Anonymous isn't a supported Authentication Method for this scenario.
  HTTP Response Headers:
  Pragma: no-cache
  X-MS-Server-Fqdn: HS.itt.com
  X-Content-Type-Options: nosniff
  Content-Length: 203
  Cache-Control: no-cache
  Content-Type: application/json
  Expires: -1
  Server: Microsoft-IIS/8.5
  X-AspNet-Version: 4.0.30319
  X-Powered-By: ASP.NET,ARR/2.5
  Date: Tue, 10 Feb 2015 03:58:29 GMT
  Elapsed Time: 2107 ms.
  However when i put TMG back up it passes. The lyncdiscover rule in is identical to my rules , for meet, dial and lyncexternal and those work just fine, so i cant seem to figure out whats goin on. 
  Also if i visit the url .....https://lyncdiscover.itt.com/Autodiscover/AutodiscoverService.svc/root/user...... i get this 
  This XML file does not appear to have any style information associated with it. The document tree is shown below.
  <resource xmlns="http://schemas.microsoft.com/rtc/2012/03/ucwa" rel="user" href="https://lync.itt.com/Autodiscover/AutodiscoverService.svc/root/user">
  <link rel="xframe" href="https://lync.itt.com/Autodiscover/AutodiscoverService.svc/root/user/xframe"/>
  </resource>
  Any one have any ideas?

  Hi jumbi,
  Looks like the URL rewrite rule is incorrect, you can check it.
  And you can also have a look at the following article.
  http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx
  Best regards,
  Eric