TMG is dead, now which Reverse Proxy?

Hi, now that Forefront TMG is discontinued, what is the Microsoft recommended reverse proxy to use for Lync 2010 and 2013?
Is MS going to create a guide for this?

Hi,
There is no hard requirement to use TMG or ISA for Lync. Any reverse proxy that can meet the requirements for publishing the necessary resource locations can be used. TMG just as one of the possible options.
Kent Huang
TechNet Community Support

Similar Messages

CSS11506 Reverse Proxy

Currently CSS terminates SSL connections for 2 backend web servers. Do these web servers need to be physically connected the CSS switch module ? Or can I move them to another segment of the network ?
Right now the reverse proxy function stops working if I move those web servers off the switch module of the CSS
Thanks
Dave

if the CSS is on another segment
different than the servers and there is a firewall in between then you must allow the keepalives to traverse through the firewall between the CSS and the servers. In case of either a router/firewall between two segments ,you need to make sure that return traffic doesnt bypass CSS.You can achieve this by using source natting.
Syed

What is the alternative to TMG/ISA For SSL-Bridging-Capable Reverse Proxy For System Center 2012 R2 IBCM?

When I look up alternatives to TMG many other answers say something like "Don't worry about it. TMG 2010 is under support until 2020."
Well, we don't have TMG and can't buy it since it is off the market. Can it still be legitimately purchased through any resellers?
We need a reverse proxy that specifically supports SSL-Bridging so that device certificate authentication is not broken when the connection passes through the proxy.
Which reverse proxies that are currently on the market are known to work successfully with System Center Config Manager Internet-Based Client Management and also with other Microsoft products such as Lync 2010 and RD Gateway 2012 R2?
Do any Cisco ASA or ACE models support the required functionality for machine certificate authentication?
We have ISA 2006 licenses available, but I would hate to roll that out and then have to replace it in only 2 years rather than using something that can stay in place long term. Maybe we could use ISA 2006 temporarily as a stopgap if the next version
released of Windows Server Web Application Proxy would meet the requirements and can be deployed in production before ISA 2006 is completely EOL.
I hate that Microsoft keeps discontinuing all the related products to this before they have their replacements ready.

Hi,
You are correct, all TMG product sales officially ended in December 2012.
In addition, an ISA Server and a TS Gateway server can be used together to enhance security for remote connections to internal network resources. However, it
seems that ISA 2006 cannot support that on Windows Server 2012 R2. For more detailed information:
Configuring the TS Gateway ISA Server Scenario
Personally, Web application proxy would be an alternate. In addition, for the question related to Cisco product, you can contact Cisco for assistance.
Best regards,
Susie

Issue in configuring TMG as Forward/Reverse Proxy

I am trying to setup reverse and forward proxy using TMG 2010. I have following networks:
Internal Networks:
10.2.1.0/24
10.3.1.0/24
DMZ (Perimeter) Network:
10.7.1.0/24   NAT relationship with external network e.g. Public IPs
I've setup one TMG node and selected "Back Firewall" as topology.
NIC 1 Config: (Internal)
IP:   10.2.1.20
Subnet: 255.255.255.0
DW:    Not defined
DNS:   10.2.1.5
NIC 2 Config: (Perimeter)
IP:   10.7.1.20
Subnet: 255.255.255.0
DW:    10.7.1.5
DNS:   Not Defined
During setup when wizard asked me to define internal IP ranges, I defined 10.2.1.1 - 10.2.1.255 instead of selecting Adaptor.
Setup Completed successfully.
I created Allow rule from internal to local host.
From Client-end:
From client machines i can not access TMG internal interface IP (because gateway is not defined on TMG internal interface i guess)
while i can access DMZ interface IP i.e. 10.7.1.20 and can telnet port 8080.
When i define DMZ interface IP i.e. 10.7.1.20:8080 as proxy address in client-side browser, that throws an error "10061 no connection could be made because the target machine actively refused it"
Failed Connection Attempt
Log Type: Web Proxy (Forward)
Status:10061 No connection could be made because the target machine actively refused it.
Rule: Allow
Source: Internal (10.2.1.39)
Destination:LocalHost (10.7.1.20:8080)
Request:Get http://www.google.com
Protocol:http
On TMG server:
When i define DMZ interface IP i.e. 10.7.1.20:8080 as proxy address in browser that still throws an error "10061 no connection could be made because the target machine actively refused it"
But when i define internal interface IP as proxy in browser i.e. 10.2.1.20:8080 it works.
Allowed Connection
Log Type: Web Proxy (Forward)
Status:303 Not Modified
Rule: [System] Allow all HTTP traffic from forefront TMG to all networks (for CRL downloads)
Source: LocalHost (10.7.1.20:10082)
Destination: External (94.245.34.74:80)
Request:Get http://someurl
Protocol:http
What am i missing please advise and what could be the work around to get this work from internal network.
Regards,

Hello Quan,
Thanks for your reply..
No it didn't work. I'm still using that as reverse proxy and unable to configure that as forward. :-)
Regards,
Farrukh

Allowed Public Key Parameters for TMG reverse proxy HTTPS

Hi!
Is there any document where I can find what Public key parameters are allowed in the certificates that are used for reverse proxy HTTPS publishing in TMG?
Is it always mandatory to have SHA1 / RSA or can I use SHA1 / ECDH_P256? Or even something else than SHA1?
I tried but I get a message that keys are not allowed...
I'm asking just to be sure that it's a software restriction, and not my lacking know-how. :)
Antti
Antti Laatikainen IT Security Manager Santen Europe

Hi,
no, Forefront TMG doesn't support CNG:
http://blogs.technet.com/b/yuridiogenes/archive/2010/07/20/incorrect-key-type-when-creating-a-web-lister-on-tmg-using-v3-certificate.aspx
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote

Lync Reverse Proxy Alternatives

When migrating from OCS 2007 to Lync 2010, we balked Microsoft’s recommendation to deploy Forefront Threat Management Gateway (or ISA) just to get the reverse proxy services.
TMG is way too expensive and complex for such a limited, simple use case.
I didn't find much information on what people are using as free alternatives to ISA/TMG, so I decided to post this discussion in case there are others out there who are interested.
We decided to use Apache 2.2 on Windows Server 2008 R2.
Here's how we configured it:
Read here to understand what features require a reverse proxy, and follow the steps to configure your FQDNs, Network Adapters and (maybe) obtain an SSL Certificate for the reverse proxy.
http://technet.microsoft.com/en-us/library/gg398069.aspx
Download and install the latest stable release of Apache with OpenSSL on your reverse proxy server.
http://httpd.apache.org/download.cgi
We're using the same certificate on the reverse proxy that we use on our front end server (it has the appropriate SANs), so we need to convert it to PEM format for use with Apache:
Use the Certificates MMC on your front end server to export the certificate and include the private key.
Transfer the resultant .pfx file to your reverse proxy server.
Use OpenSSL to convert your .pfx file to PEM:
openssl pkcs12 -in c:\pathto\yourcert.pfx -out c:\pathto\yourcert.pem –nodes
Separate the private key from the certificate using notepad:
Open the new .pem file and cut the text from the beginning of the file through the end of the “----END RSA PRIVATE KEY----“ tag.
Save that text to a new file named
yourcert.key.
Save
yourcert.pem, which should now only include the certificate.
Copy (or move) the certificate and private key to the Apache configuration directory. We like to use: C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl
for storing the certificates.
Edit httpd.conf (typically in
C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf) to enable and configure the proxy and SSL features:
(See http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
for more information on each directive)
Uncomment the following lines, which will enable proxy and SSL:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
Add the following lines to configure reverse proxy behavior:
#Be a reverse proxy, not a forward proxy
ProxyRequests Off
#Accept requests from any client to any URL
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
#Set the network buffer to improve throughput
ProxyReceiveBufferSize 4096
#Configure the Reverse Proxy to forward all requests to your front end server on 4443
ProxyPass / https://yourfrontend.domain.com:4443/
ProxyPassReverse / https://yourfrontend.domain.com:4443/
#Preserve Host Headers for Lync
ProxyPreserveHost On
Optionally, configure logging directives, bindings and server name.
Save and close httpd.conf
Edit httpd-ssl.conf (typically in conf\extra):
Configure the session cache:
Uncomment:
SSLSessionCache “dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache”
Comment out:
SSLSessionCache “shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)”
Locate the <VirtualHost _default_:443> tag and configure the following:
Add the following directive:
SSLProxyEngine On
Configure the path to your SSL Certificate saved in step 3-5 above:
SSLCertificateFile “C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.pem”
Configure the path to your private key saved in step 3-5 above:
SSLCertificateKeyFile “C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.key”
Optionally, configure the SSLCACertificateFile (you can download the appropriate bundle from your CA).
Optionally, configure logging directives.
Save and close httpd-ssl.conf
Restart the Apache2.2 service
Configure public DNS records and appropriate firewall rules to allow public http/https traffic to the external interface of your reverse proxy, and to allow the internal interface of
the reverse proxy to talk to the front end Lync server on 8080 and 4443.
From an external connection, test connectivity through the reverse proxy:
Test
https://dialin.company.com (friendly URL for getting dial-in information, if you’re using voice conferencing)
Test the Lync Web App by setting up an online meeting and following the URL to join the meeting.
You can force the use of the web app by appending ?sl= to the end of the meet.company.com link.
See this for more information http://blogs.technet.com/b/jenstr/archive/2010/11/30/launching-lync-web-app.aspx
Hope this information is helpful and saves some of you some money and trouble.
Please contact me if you need further clarification or see any mistakes in my notes.
Best regards,
Kenneth Walden
Enterprise Systems Supervisor
GSD&M
Austin, TX

I'd like to thank you for this article. We were setting up Apache RP for Lync .... needless to say they weren't too excited to learn this new (and highly complex with lots of specific undocumented requirements) Microsoft product. Anyways, your
blog saved me a LOT of headache. I owe you big time.
AWESOME JOB.
-Greg
*****EDIT***
Decided to come back in there and post good information. We had issues with EXTERNAL and ANONYMOUS users being able to attend a meeting. The "DIALUP" url was working fine but the "MEETING" url was broken. On our WFE servers we were getting
the event error as below.   Turns out that our reverse proxy was not set to "PROXYPRESERVEHOST ON". Once we put that in there ALL was good.
Notice that the MEET portion was the only thing that was really broken. So, if you can get DIALUP to work, but MEET doesn't ... your RP is working to FW the 443 to the 4443 correctly but you're RP is sending the wrong HEADER. Look for
http://10.x.x.x/meet/ or soemthing in the event logs.
Log Name:      Application
Source:        ASP.NET 2.0.50727.0
Date:          11/16/2011 1:26:35 PM
Event ID:      1309
Task Category: Web Event
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      OneofMyInternalWFEservers.local
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11/16/2011 1:26:35 PM
Event time (UTC): 11/16/2011 6:26:35 PM
Event ID: b2039ecd0a62482284030f62e1e639d8
Event sequence: 129
Event occurrence: 28
Event detail code: 0
Application information:
    Application domain: /LM/W3SVC/34578/ROOT/meet-1-129658725547585993
    Trust level: Full
    Application Virtual Path: /meet
    Application Path: C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\
    Machine name: MYWFE.local
Process information:
    Process ID: 14204
    Process name: w3wp.exe
    Account name: NT AUTHORITY\NETWORK SERVICE
Exception information:
    Exception type: HttpException
    Exception message: Server cannot append header after HTTP headers have been sent.
Request information:
    Request URL:
https://FQDN:4443/meet/MyName/456456
    User host address: gatewayIP
    User:
    Is authenticated: False
    Authentication Type:
    Thread account name: NT AUTHORITY\NETWORK SERVICE
Thread information:
    Thread ID: 7
    Thread account name: NT AUTHORITY\NETWORK SERVICE
    Is impersonating: False
    Stack trace:    at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
   at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Custom event details:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="ASP.NET 2.0.50727.0" />
    <EventID Qualifiers="32768">1309</EventID>
    <Level>3</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-11-16T18:26:35.000000000Z" />
    <EventRecordID>4483</EventRecordID>
    <Channel>Application</Channel>
    <Computer>XXXXXXXXXXXXXXXXXX</Computer>
    <Security />
</System>
<EventData>
    <Data>3005</Data>
    <Data>An unhandled exception has occurred.</Data>
    <Data>11/16/2011 1:26:35 PM</Data>
    <Data>11/16/2011 6:26:35 PM</Data>
    <Data>b2039ecd0a62482284030f62e1e639d8</Data>
    <Data>129</Data>
    <Data>28</Data>
    <Data>0</Data>
    <Data>/LM/W3SVC/34578/ROOT/meet-1-129658725547585993</Data>
    <Data>Full</Data>
    <Data>/meet</Data>
    <Data>C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\</Data>
    <Data>SNKXS300</Data>
    <Data>
    </Data>
    <Data>14204</Data>
    <Data>w3wp.exe</Data>
    <Data>NT AUTHORITY\NETWORK SERVICE</Data>
    <Data>HttpException</Data>
    <Data>Server cannot append header after HTTP headers have been sent.</Data>
    <Data>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Data>
    <Data>/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Data>
    <Data>10.71.1.1</Data>
    <Data>
    </Data>
    <Data>False</Data>
    <Data>
    </Data>
    <Data>NT AUTHORITY\NETWORK SERVICE</Data>
    <Data>7</Data>
    <Data>NT AUTHORITY\NETWORK SERVICE</Data>
    <Data>False</Data>
    <Data>   at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
   at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
</Data>
</EventData>
</Event>

How do I use Sun Web Server 7.0u1 reverse proxy to change public URLs?

Some of our installations use the Sun Web Server 7.0 (update 1, usually)
for hosting some of the public resource and reverse-proxying other parts
of the URI namespace from other backend servers (content, application
and other types of servers).
So far every type of backend server served a unique part of the namespace
and there was no collision of names, and the backend resources were
published in a one-to-one manner. That is, a backend resource like, say,
http://appserver:8080/content/page.html would be published in the internet
as http://www.publicsite.com/content/page.html
I was recently asked to research whether we can rename some parts of
the public URI namespace, to publish some or all resources as, say,
http://www.publicsite.com/data/page.html while using the same backend
resources.
Another quest, possibly related in solution, was to make a tidy url for the
first page the user opens of the site. That is, in the current solution when
a visitor types the url "www.publicsite.com" in his or her browser, our web
server returns an HTTP-302 redirect to the actual first page URL, so the
browser sends a second request (and changes the URL in its location bar).
One customer said that it is not "tidy". They don't want the URL to change
right upon first rendering the page. They want the root page to be rendered
instantly i the first HTTP request.
So far I found that I can't solve these problems. I believe these problems
share a solution because it relies on ability to control the actual URI strings
requested by Sun Web Server from backend servers.
Some details follow, now:
It seems that the reverse proxy (Service fn="service-passthrough") takes
only the $uri value which was originally requested by the browser. I didn't
yet manage to override this value while processing a request, not even if
I "restart" a request. Turning the error log up to "finest" I see that even
when making the "service-passthrough" operation, the Sun Web Server
still remembers that the request was for "/test" (in my test case below);
it does indeed ask the backend server for an URI "/test" and that fails.
[04/Mar/2009:21:45:34] finest (25095) www.publicsite.com: for host xx.xx.xx.83
trying to GET /content/MainPage.html while trying to GET /test, func_exec reports:
fn="service-passthrough" rewrite-host="true" rewrite-location="true"
servers="http://10.16.2.127:8080" Directive="Service" DaemonPool="2b1348"
returned 0 (REQ_PROCEED)My obj.conf file currently has simple clauses like this:
# this causes /content/* to be taken from another (backend) server
NameTrans fn="assign-name" from="/content" name="content-test" nostat="/content"
# this causes requests to site root to be HTTP-redirected to a certain page URI
<If $uri =~ '^/$'>
    NameTrans fn="redirect"
        url="http://www.publicsite.com/content/MainPage.html"
</If>
<Object name="content-test">
### This maps http://public/content/* to http://10.16.2.127:8080/content/*
### Somehow the desired solution should instead map http://public/data/* to http://10.16.2.127:8080/content/*
    Service fn="service-passthrough" rewrite-host="true" rewrite-location="true" servers="http://10.16.2.127:8080"
    Service fn="set-variable" set-srvhdrs="host=www.publicsite.com:80"
</Object>
I have also tried "restart"ing the request like this:
    NameTrans fn="restart" uri="/data"or desperately trying to set the new request uri like this:
    Service fn="set-variable" uri="/magnoliaPublic/Main.html"Thanks for any ideas (including a statement whether this can be done at all
in some version of Sun Web Server 7.0 or its opensourced siblings) ;)
//Jim

Some of our installations use the Sun Web Server 7.0 (update 1, usually)please plan on installing the latest service pack - 7.0 Update 4. these updates addresses potentially critical bug fixes.
I was recently asked to research whether we can rename some parts of
the public URI namespace, to publish some or all resources as, say,
http://www.publicsite.com/data/page.html while using the same backend
resources.> now, if all the resources are under say /data, then how will you know which pages need to be sent to which back end resources. i guess, you probably meant to check for /data/page.html should go to <back-end>/content/page.html
yes, you could do something like
- edit your corresponding obj.conf (<hostname>-obj.conf or obj.conf depending on your configuration)
<Object name=¨default¨>
<If $uri = ¨/page/¨>
#move this nametrans SAF (for map directive - which is for reverse proxy within <if> clause)
NameTrans.. fn=map
</If
</Object>
and you could do https-<hostname>/bin/reconfig (dynamic reconfiguration) to check out if this is what you wanted. also, you might want to move config/server.xml <log-level> to finest and do your configuration . this way, you would get enough information on what is going on within your server logs.
finally,when you are satisfied, you might have to run the following command to make your manual change into admin config repository.
<install-root>/bin/wadm pull-config user=admin config=<hostname> <hostname>
<install-root>/bin/wadm deploy-config --user=admin <hostname>
you might want to check out this for more info on how you could use <if> else condition to handle your requirement.
http://docs.sun.com/app/docs/doc/820-6599/gdaer?a=view
finally, you might want to refer to this doc - which explains on ws7 request processing overview. this should provide you with some pointers as to what these different directives mean
http://docs.sun.com/app/docs/doc/820-6599/gbysz?a=view
>
One customer said that it is not "tidy". They don't want the URL to change
right upon first rendering the page. They want the root page to be rendered
instantly i the first HTTP request.
please check out the rewrite / restart SAF. this should help you.
http://docs.sun.com/app/docs/doc/820-6599/gdada?a=view
pl. understand that - like with more web servers - ordering of directives is very important within obj.conf. so, you might want to make sure that you verify the obj.conf directive ordering is what you want it to do..
It seems that the reverse proxy (Service fn="service-passthrough") takes
only the $uri value which was originally requested by the browser. I didn't
yet manage to override this value while processing a request, not even if
I "restart" a request. Turning the error log up to "finest" I see that even
when making the "service-passthrough" operation, the Sun Web Server
still remembers that the request was for "/test" (in my test case below);
it does indeed ask the backend server for an URI "/test" and that fails.
now, you are in the totally wrong direction. web server 7 includes a highly integrated reverse proxy solution compared to 6.1. unlike 6.1, you don´t have to download a separate plugin . however, you will need to manually migrate your 6.1 based reverse proxy settings into 7.0. please check out this blog link on how to set up a reverse proxy
http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
feel free to post to us if you need any futher help
you are probably better off - starting fresh
- install ws7u4
- use gui or CLI to create a reverse proxy and map one on one - say content
http://docs.sun.com/app/docs/doc/820-6601/create-reverse-proxy-1?a=view
if you don´t plan on using ws7 integrated web container (ability to process jsp/servlet), then you could disable java support as well. this should reduce your server memory footprint
<install-root>/bin/wadm disable-java user=admin config=<hostname>
<install-root>/bin/wadm create-reverse-proxy user=admin uri-prefix=/content server=<http://your back end server/ config=<hostname> --vs=<hostname>
<install-root>/bin/wadm deploy-config --user=admin <hostname>
now, you can check out the regular express processing and <if> syntax from our docs and try it out within <https-<hostname>/config/<hostname>-obj.conf> file and restart the server. pl. note that once you disable java, ws7 admin server creates <vs>-obj.conf and you need to edit this file and not default obj.conf for your changes to be read by server.
>
I have also tried "restart"ing the request like this:
NameTrans fn="restart" uri="/data"
ordering is very important here... you need to do this some thing like
<Object name=default>
<If not $restarted>
NameTrans fn=restart uri from=/¨ uri=/foo.
</If>

Sharepoint 2013 + Windows Server 2012 as reverse proxy

Hello All -
I'd like to ask if anyone has any experience with the new Windows Server 2012 (reverse) proxy, in providing a single sign-on service to Sharepoint 2013.
Scenario:
My client has a Sharepoint 2013 with 3 web applications (portal, teamsites, mysites). All three URLs are available externally via HTTPS only. All clients have AD credentials (no requirement for claims based authentication), although this includes 3 domains
in two different forests (trusts exist). Everything is already configured to allow clients access from domain-joined devices.
My client would like mobile devices (not domain-joined) to be able to access the three web applications without repeated logon prompts. Browser default settings must be used, they do not want to instruct people to perform any configuration on their mobile
device - it all has to work "out of the box" from the client side. Clients will be using iPads and iPhones with Safari, Windows Phones, Androids etc.
I'm considering proposing the use of a reverse-proxy, and rather than using the now depracated Forefront TMG or probably soon-to-be depracated UAG, I would like to jump straight in to the new and very cool looking Windows 2012 proxy server.
It's my understanding that this will provide a single sign-on service in this scenario. I'm unsure whether an ADFS server is also required even for pass-through, the information available is unclear, and also whether any special configuration is required
to a domain controller (DCs in the environment are all 2008R2, with 2008R2 functional level).
I would appreciate it if anyone could give an overview or point me in the direction of some accurate documentation regarding all of the above. Most importantly, if any of my assumptions above seem incorrect, please let me know.
Thank you!
sysadmin

I've heard no supportability statement with SharePoint and the Web Application Proxy (likely because it isn't GA yet). However, it does use ADFS for SSO, so you'll have to SAML-enable your Web Applications. The only downside to this is if you
use anything that is SAML-unfriendly, like PowerPivot [Data Refresh] and at least in 2010, Visio Services and InfoPath Forms Services.
Trevor Seward, MCC
Follow or contact me at...
&nbsp&nbsp
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

O-Portal behind reverse proxy, aliasing of o-portal url to generic url.

I'd like to setup o-Portal behind a reverse proxy. This is a proxy service which accepts connections on http://a.b.com/ and gets the content from internal webservers based on the url. For example http://a.b.com/pls/DAD1 comes from an o-Portal server but http://a.b.com/depts/ comes from a webserver. The problem with o-Portal is now, that it creates pages with its servername and port in the URL of the pages it serves out. For example, if it runs on server x.b.com on the port 7777 the links on all pages are http://x.b.com:7777/pls/DAD1. To get it to work correctly with my proxy, all these links should be http://a.b.com/pls/DAD1 and then the proxy gets the pages from http://x.b.com:77777/pls/DAD1.
How do I tell o-Portal to create this different URL in its pages? You could also say, I'd like to alias http://a.b.com/pls/DAD1 to http://x.b.com:77777/pls/DAD1
I'm sure there is a configuration setting to change this. We had the same problem with Oracle HR11i and there we got it solved.
Web Single Sign On applications like IBM WebSeal or Netegrity Siteminder use these kind of proxies to protect the intranet and to create a Single Sign On domain for all web servers.
Thanks,
Rainer

I also would like overcome this issue. I could not find an answer anywhere on Metalink or OTN.
Can a reverse-proxy (i.e. using ProxyPass & Reverse) be used with and internal Portal?
John Z
Butler Mfg. Co.
[email protected]

My environment is 99% of the way there, but my ARR reverse proxy doesnt seem to be forwarding lyncdiscover properly. Can someone help?

I recently cut over from lync 2010 with an apache reverse proxy to a lync2013 deployment using microsoft ARR as the reverse proxy.
Last night i cut over to the new ARR reverse proxy but our lync 2013 mobility tests didnt go well. I also cant get the DIALIN.CONTOSO.COM page to show up externally. Only the https://MEET.CONTOSTO.COM site shows up properly from an external browser. I have
a feeling that the lync ARR server is only handling meet.contoso.com for some reason, although i followed the LYNC setup guides exactly. Please see the screenshots of my setup. Does anyone have an idea of why everything might be taken over by the MEET.CONTOSO.COM
Server Farm in ARR?
As you can see, the lyncdiscover.contoso.com server farm has no hits.
When I fire up the lync mobility app, the MEET.CONTOSO.COM server farm in ARR receives the hits. (and failures)
I followed the configuration exactly, here are my rewrite rules:
Any Ideas?

Hello All,
I had a professional service with Microsoft to fix the many issues with my Lync environment. It turns out that there were 2 major causes of the problem i was having. For one, I DID have the wrong cert set on the lync2013 FE server's external web interface.
I didn't realize this because there seems to be some sort of bug in the LYNC SERVER 2013 DEPLOYMENT WIZARD.
First, it is badly designed. There is actually a drop down that i didnt realize was a dropdown when deploying my environment that expands and shows the external web services certificate.
After I found that, i tried updating it to my godaddy cert but it left a BLANK in the deployment wizard. So i had to go into the IIS management console to update the bindings.
Once the FE server's external website certificate was installed properly, we moved on the the reverse proxy. We scrapped ALL of the ARR servers and rewrite rules and started from scratch. Instead of creating 4 server farms and using lync.contoso.com, meet.contoso.com
etc... we created one server farm that points at the IP ADDRESS of the lync front end server. We changed the PATTERN to (.*) using regular expressions and the HTTP_HOST rule to (lync.contoso.com|lyncdiscover.contoso.com|meet.contoso.com|dialin.contoso.com)
After this, we still had a problem with lync mobility for android 2013.
Our public DNS has a record *.contoso.com to capture all traffic and route it to our website. This was capturing lyncdiscoverinternal.contoso.com and the android devices were getting a certificate error. We now have lyncdiscoverinternal.contoso.com pointed
to the reverse proxy's external IP address to resolve that issue. The android lync mobility client also checks for an exchange record which isn't documented http://contoso.com/ews because of an autodiscover record, so our android clients still get a certificate
error once during the initial setup of the application. Our IOS devices don't show this error so we called the issue resolved.
Good luck all!

Issues using IIS 8.5 with ARR 3.0 as Reverse Proxy for Lync 2013

Dear reader, after searching for a day without finding a solution to my problem I end up here ;-)
Working Lync 2013 environment (gradually adding functionality) consisting of 2 FE servers, Persistent Chat Server, Web Apps server, Edge Server, Reverse Proxy Server (IIS 8.5/ARR 3.0), SQL Server.
Set up a fresh Windows 2012 R2 with IIS 8.5, installed ARR 3.0 and followed along this
TechNet article.
So far so good, external clients (incl. mobile phone apps) can all connect.
Now trying to add Web Apps to the reverse proxy, which is slightly different from the others by not forwarding 80/8080 and 443/4443, but just 80 and 443 to internal Web Apps server.
After creating the server farm/URL rewrite, browsing to the webapps.FQDN/hosting/discovery ends up with a 404 error (instead of XML, which is shown when try from the LAN).
After moving this rewrite rule to the top, it started working, but now my lyncdiscover.FQDN stops working.
Ofcourse moving the webapps rule down restores the lyncdiscover.
Any ideas? (everything setup as described in above mentioned TechNet article, so using wildcards. Tried fiddling around with webext.* and lyncdiscover.* and so, but no luck. (I'm completely new to ARR)
Thanks,
Barry

Can you confirm that for each URL Rewrite Rule, you have an {http_host} record that matches something like webext.* as you referenced above and as seen in step 15 here:
http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx
It might help if you posted a screenshot of your URL rewrite rules.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications

Exchange 2013 using ARR reverse proxy OWA options won't open

Hi,
I've been using the exchange team's blog post (http://blogs.technet.com/b/exchange/archive/2013/08/05/part-3-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx)
as a guidelin on configuring my ARR deployment in my lab.
Everything was working perfectly right until i got the last part of the blog on restricting the pattern matches.
The rewrite rules all work fine and everything is working as expected with the excpetion of the fact that i cannot access the options in OWA. ECP itself works great if i access it via the
https://ecp.domain.com/ecp url, but as soon as i use the https//mail.domain.com/ecp it just wont display anything.
Looking at the failed request logs it just shows that it executes a 302 rewrite to ecp.domain.com, which is what i would expect it to base done rewrite rule matching
https://mail.domain.com/ecp to the ecp.domain.com server farm.
If i look at the iis logs it looks like it's getting into some sort of loop (the section below is about a 10% of a single attempt to access the options pages:
2014-06-28 12:25:38 xxx.xxx.xx.xxx GET /ecp/ rfr=owa&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=6983c585-b0ea-4fd0-9bb1-fc747ee8e992 443 - xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C)
- 302 0 0 15
2014-06-28 12:25:38 xxx.xxx.xx.xxx GET /ecp rfr=owa/&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=d32a3a4f-d8a6-4712-91d4-56360be33793 443 - xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C)
- 302 0 0 0
2014-06-28 12:25:38 xxx.xxx.xx.xxx GET /ecp rfr=owa//&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=14797897-f1ad-454a-b73c-fde041a43d2b 443 - xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C)
- 302 0 0 0
Did anyone ever run into something like this? Or have an idea where i may have made a mistake? I've tried everything i could think of.
The rewrite rules i have in place are basically exactly the same as the exchange team's blog but just in case i overlooked somehthing, please se the image below.
thanks in advance for your time

Hello,
I wanted to see if anyone has any suggestions on reverse proxy options that can do pre-authentication like TMG use to do? I am currently trying to deploy out a new Excahnge 2013 setup in coexistence with an existing Exchange 2010 environment
which will then be migrated over. And one of the requirements is to block certain users from accessing webmail externally while still allowing others to access webmail. That is currently achieved by using a TMG server but that is going to be decommissioned
along with Exchange 2010.
I have been searching online but so far I have not found anything that seemed to meet this requirement. I have seen that IIS Web Application Proxy tied in with AD FS would do the job. But there is some issue there with Excahnge 2010 still being active that
won't allow it to work. Some suggestions I have seen online involved changing permissions on the IIS directory or modifying web config files but those options didn't seem like they provided a consistent result.
So I am looking for some sort of option that is either inexpensive or some means of leveraging existing Microsoft technologies to achieve my goal any suggestions would be helpful.
Nicholas,
How about IIS ARR?
http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx
http://blogs.technet.com/b/exchange/archive/2013/08/02/part-2-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx
Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

HTTP tunneling and reverse proxy server

We're currently using Windows Media Services (WMS) to stream
video on our website. There is an option WMS to use the HTTP
protocol and to specify the port you'd like to use. This has
allowed us to stream video through our external firewall, through
our reverse proxy server, and through our internal firewall to our
media server. I've been trying for two days now to get Flash Media
Server (FMS) to do the same thing. For some reason the HTTP
tunneling (RTMPT) protocol doesn't appear to be acting like the
HTTP protocol that WMS is using. Anyone have some tips on this
configuration. I've scoured web resources and documentation as best
I could. Any help would be greatly appreciated.
Thanks.

To give a better picture, here's a more complete description of set up and goals
Static IP hits external interface of ASA. ASA has a static nat rule to forward it to my DMZ server.
DMZ server is running IIS 8. Here are what some of the sites look like.
jira.xxxxx.com -> 10.1.10.21 (ubuntu server) | port 80
email.xxxxx.com - > 10.1.10.16 (domain joined server 2012) port 80, 443
media.xxxxx.com -> 10.1.10.14 (domain joined server 2012) port 80, 443
other stuff like this -> 10.1.10.x port 80 or others
All of the A records for those domain names point to the static which routes to the ASA and then is NAT'd to the DMZ server.
What do I need to do in IIS to have those sites get directed to the proper internal locations?
Thanks!!

Reverse Proxy Planning for Exchange 2013

Hi,
We are planning Exchange 2010 to Exchange 2013 datacentre migration for 18000 users and all the Exchange planning is done. Now we are looking at planning of Reverse Proxy solution. We will be publishing different URLs for OWA, ActiveSync and Outlook Anywhere.
UAG has been finalized by the organization. I don't find any document or links which suggests the planning of Reverse proxy for Exchange. Can you please let us know the sizing of UAG with respect to Exchange 2013. Thanks.

Hi
Sizing as far i know there is no sizing document for UAG
But Minimum you need to have UAG 2010 SP3 to work with Exchange 2013
You can see the support boundaries for UAG below technet
http://technet.microsoft.com/en-us/library/ee522953.aspx
Note : UAG requires each user to have a CAL
You can also try 2012 R2 web application proxy . This does reverse proxy without the need of CAL's.
You can give it a try if you wish to go with web app proxy and you can see below
http://technet.microsoft.com/en-us/library/dn383650.aspx
Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question.That will encourage me - and others - to take time out to help you Check out my latest blog posts on http://exchangequery.com Thanks Sathish
(MVP)

Sophos Firewall\Reverse Proxy With Lync 2013

We currently have Lync 2013 deployed internally and working like a champ for about 5 months now. We are in the process of trying to get this rolled out externally and running into issues.
It seems we have the ports opened up properly but the MS remote connectivity analyzer comes back with certificate error "The certificate couldn't be validated because SSL negotiation wasn't successful.
I'm pretty certain our certificates are correct for the external edge server and the external firewall\Reverse proxy. From the Lync planning tool we have been following it and so far successful until the certificates. The certificates tool shows we should
have the following certs assigned: (keep in mind we have 2 separate certificates assigned)
Edge Server External
Subject name: lyncaccess.domain.com
SAN:webcon.domain.com and sip.domain.com
Reverse Proxy:
rp0100.domain.com (reverse proxy FQDN does resolve)
SAN: dialin.domain.com, meet.domain.com, and temwac.domain.com (office web apps server)
We requested the certificates from Go daddy and have them installed and the SANs are in there correct. The connectivity analyzer is able to get to our server using autodiscover over port 443, we see the traffic come in through the firewall and nothing is
blocked just the certificate could not be validated.
Has anyone deployed Lync using the Sophos UTM as a reverse Proxy any other ideas as to what we are missing with these certificates?
The certificate couldn't be validated because SSL negotiation wasn't successful.
The certificate couldn't be validated because SSL negotiation wasn't successful.

lyncdiscover.domain.com does not resolve. Discovery is working fine through the connectivity analyzer. We actually figured that part out about the SSL. It seems we had the firewall and Reverse proxy rules in place on the Sophos appliance but the firewall
rules leaving the edge server were being blocked. It took us about 1.5 days to figure that part out.
The connectivity analyzer now is able to authenticate the certificates successfully. Of course it wouldn't be a Lync roll out without the next issue coming up.
The next issue we have is the connectivity analyzer reaching the AV service. Which we are going to assume is a routing issue as well and are currently troubleshooting it:
Couldn't sign in. Error: Error Message: The endpoint was unable to register. See the ErrorCode for specific reason..
Error Type: RegisterException.
Deregister Reason: None.
Response Code: 504.
Response Text: Server time-out.
http://social.technet.microsoft.com/Forums/lync/en-US/f95c47cc-f8eb-4646-bdac-6c7244b26ff1/couldnt-sign-in-error-error-message-the-endpoint-was-unable-to-register-new-deployment?forum=ocsplanningdeployment
Wish me luck.

TMG is dead, now which Reverse Proxy?

Similar Messages

Maybe you are looking for