Configuring the SFB 2015 Reverse Proxy Server for Express for Lync 3.0

Overview

A reverse proxy server is a required component of Express for SFB if you plan on deploying external access to the SFB environment. It provides external access to the following SFB components:
- SFB Server mobility
- SFB meetings
- SFB dial-in conferencing information
- Office Web Apps

Without a reverse proxy server, SFB mobility WILL NOT function. All other components will only function from within the LAN.

It is important to note that, like the SFB Edge Server, the reverse proxy server MUST NOT be a domain-joined computer. This protects the Active Directory (AD) domain from unwanted activity or access if the proxy, which is exposed to the Internet, is ever compromised.

You require two SSL certificates for the operation of the reverse proxy server:
- An internal certificate issued by the Active Directory Certificate Services CA that was set up earlier.
- An external SSL Unified Communications (UC) certificate, purchased online from a public certificate authority.

The external certificate is the one the reverse proxy presents to clients connecting from the Internet, so it must chain to a public CA that browsers and mobile devices already trust. The internal certificate (together with the internal CA chain installed below) is used on the internal side, after the reverse proxy has rewritten the incoming web request and forwards it to the SFB Front End over HTTPS.

The reverse proxy role is configured using Internet Information Services Application Request Routing (IIS ARR). Several other methods exist for building a reverse proxy. The most prominent was Microsoft Forefront Threat Management Gateway (TMG); however, Microsoft has since discontinued that product.

The reverse proxy server MUST sit in a demilitarized zone (DMZ) of the network, with a persistent static route to the internal network.

Activate the Reverse Proxy Server

In order to begin using the reverse proxy role you must turn on the reverse proxy virtual machine. Follow the steps below to gain access to the server.

1. Launch Hyper-V Manager from the Windows Start screen.
2. In the Hyper-V Manager window, select the virtual machine labelled "SFBReverseProxy". Right-click it and select "Settings...".
3. In the settings window, the configuration options are listed on the left-hand side. Scroll down to "Automatic Start Action" and select "Always start this virtual machine automatically". This starts the reverse proxy virtual machine whenever the Express for SFB appliance boots. Click OK to accept the changes.
4. Double-click the virtual machine labelled "SFBReverseProxy" to launch the Virtual Machine Connection window.
5. Click the Start button to start the virtual machine. The Start button is the green icon at the top of the Virtual Machine Connection window.
6. At the virtual machine welcome screen, open the Action menu and click "Ctrl+Alt+Delete" to bring up the login screen.
7. Enter the following credentials to log in:
   username: administrator
   password: sangoma1!
   These are the factory default credentials and they are printed in this documentation. Because this server is reachable from the Internet, change the administrator password at the first login, before the external interface is exposed.

Configure the SFB Reverse Proxy Server

After the network interfaces have been configured, you must add the reverse proxy server's FQDN (Fully Qualified Domain Name) to both the internal and the external DNS servers. The internal name resolves to the LAN interface and the external name resolves to the public (WAN) interface:

- On the internal DNS server add "rproxy.sfbsangoma.local" and point it to the LAN interface IP, 10.10.32.112 in this example.
- On the external DNS server add "rproxy.sfbsangoma.com" and point it to the public interface IP, 104.145.6.20 in this example. The other public names the proxy publishes (lyncdiscover, meet, dialin and webapps under the public domain, listed in the SSL certificate section below) must also resolve to this public IP.

SSL Certificates

The following steps show how to install the root CA certificate and generate both the internal and the external certificates.

Installing the Internal CA Certificates

1. Open the certificate services web enrollment page at http://<ip-of-certificate-server>/certsrv/. Click "Download a CA certificate, certificate chain, or CRL".
2. On the download page click "Download CA certificate", and also click "Download CA certificate chain".
3. Once the certificates are downloaded, right-click each one and click "Install Certificate".
4. When the Certificate Import Wizard starts, select "Local Machine" and click Next.
5. On the "Certificate Store" screen select "Place all certificates in the following store" and click Browse.
6. Select "Trusted Root Certification Authorities".
7. Click Next.
8. On the summary screen click Finish.
9. Repeat these steps for both the CA certificate and the CA certificate chain.
Generate the Internal Certificate Request and Install the Internal Certificate

1. On the reverse proxy server, search for "certificate" from the Start screen and click "Manage computer certificates".
2. In the certificate management console, right-click "Personal" and go to All Tasks -> Advanced Operations -> Create Custom Request.
3. On the "Before You Begin" screen click Next.
4. On the "Select Certificate Enrollment Policy" screen click Next.
5. Select the template "(No template) Legacy key", ensure "Suppress default extensions" is unchecked and verify the request format is PKCS #10. Click Next.
6. On the "Certificate Information" screen click Details.
7. Once the details of the request appear, click Properties.
8. Fill out the friendly name and the description.
9. On the Subject tab, set the Common name to rproxy.sfbsangoma.local (the internal FQDN you added to the internal DNS server). Click OK and then Next.
10. On the next screen provide the location and file name to save the request to, and ensure the file format is Base 64.
11. Now go to the internal CA website, http://<ip-of-certificate-server>/certsrv/, and click "Request a certificate".
12. On the "Request a Certificate" page click "Advanced certificate request".
13. On the "Advanced Certificate Request" page click "Submit a certificate request by using a base 64...".
14. Open the certificate request file saved in step 10 in a text editor, press CTRL+A to select all the text and copy it to the clipboard.
15. Paste the request into the "Saved Request" box on the certificate server page, select the "Web Server" certificate template and click Submit.
16. Select the DER format and click "Download certificate".
17. Right-click the downloaded internal certificate and click "Install Certificate".
18. In the Certificate Import Wizard select "Local Machine" and click Next.
19. On the "Certificate Store" page click Browse, select "Personal" and click Next.
20. On the summary page click Finish. The issued certificate is matched to the private key created in step 10, so it must be installed on the same server that generated the request.

Generate the External Certificate Request and Install the External Certificate

Follow the same steps for the external certificate request and installation as for the internal certificate. Ensure you use the public FQDN (rproxy.sfbsangoma.com in this example) as the Common name, add the public names listed below as DNS Subject Alternative Names in the same Properties dialog, and submit the request to a public CA instead of the internal CA, as shown below.
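The two certificate requests above (internal, steps 1-20, and external with the public SAN list described next) can also be produced with certreq.exe, which sets the SAN extension explicitly rather than through the custom request wizard. The script below is an added example and is not part of the original Sangoma page; the organisation fields, the output folders under C:\certs, and the CA configuration string "ca.sfbsangoma.local\sfbsangoma-CA" are assumptions. Run it in an elevated PowerShell on the reverse proxy server.

```powershell
# Added example (not from the original page): build PKCS#10 requests with certreq.exe.
# Assumptions: O/C subject fields, C:\certs output folders, and the CA config string.

function New-SfbCertRequest {
    param(
        [Parameter(Mandatory)] [string]   $CommonName,        # e.g. rproxy.sfbsangoma.com
        [string[]]                        $SubjectAltNames = @(),
        [Parameter(Mandatory)] [string]   $OutDir
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $inf = Join-Path $OutDir "$CommonName.inf"
    $req = Join-Path $OutDir "$CommonName.req"

    # The CN is repeated in the SAN list: current clients match host names against SANs only.
    $dnsNames = @($CommonName) + $SubjectAltNames | Select-Object -Unique
    $sanLines = ($dnsNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

    # Non-exportable key: on an Internet-facing host the private key should not leave the
    # machine. If the certificate ever has to move, generate a fresh request there instead.
    @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$CommonName, O=Example Org, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "$CommonName"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@ | Set-Content -Path $inf -Encoding ASCII

    & certreq.exe -new $inf $req | Out-Null   # creates the key in Local Machine and writes the .req
    return $req
}

# Internal certificate: a single name, issued by the internal Enterprise CA.
$intReq = New-SfbCertRequest -CommonName 'rproxy.sfbsangoma.local' -OutDir 'C:\certs\internal'
# Direct submission needs RPC access to the CA; from a non-domain-joined proxy this may be
# refused, in which case paste the .req into the certsrv page (steps 11-15) and only use -accept.
certreq.exe -submit -config 'ca.sfbsangoma.local\sfbsangoma-CA' -attrib 'CertificateTemplate:WebServer' `
    $intReq 'C:\certs\internal\rproxy.sfbsangoma.local.cer'
certreq.exe -accept 'C:\certs\internal\rproxy.sfbsangoma.local.cer'   # pairs the cert with its key

# External UC/SAN certificate: the five public names used on this page.
$domain = 'sfbsangoma.com'
$extReq = New-SfbCertRequest -CommonName "rproxy.$domain" -OutDir 'C:\certs\external' -SubjectAltNames @(
    "lyncdiscover.$domain", "meet.$domain", "dialin.$domain", "webapps.$domain")
# Paste the contents of $extReq into the public CA's order form. When the signed certificate
# and its intermediate chain come back, install them with:
#   certreq.exe -accept C:\certs\external\rproxy.sfbsangoma.com.cer
# and confirm the chain builds and the SAN list is complete:
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=rproxy.$domain*" } |
    ForEach-Object {
        [pscustomobject]@{ Subject = $_.Subject; Valid = $_.Verify()
                           SAN = ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false) }
    }
```

The `Verify()` result is the check that matters before binding the certificate: it is only True when every certificate in the chain is present and trusted on this server, which for the internal certificate depends on the CA certificate and chain installed in the previous section.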
The external certificate MUST be a Unified Communications (UC) Subject Alternative Name (SAN) based SSL certificate. These certificates are sold online by various certificate authorities; for example:
- GoDaddy
- Entrust
- Symantec
- Digicert

You require at least 5 DNS names in your SSL certificate. By default, the following names are used:
- lyncdiscover.<domain> - Autodiscover for SFB Mobility
- meet.<domain> - for meetings
- dialin.<domain> - for dial-in conferencing
- webapps.<domain> - for Office Web Apps
- rproxy.<domain> - the server name (used as the certificate's Common Name; include it in the SAN list as well, since current browsers and mobile clients match the host name against the SAN list only)

Configure IIS ARR

Now that the server certificates have been installed, you can configure IIS ARR. Follow the instructions below.

1. Within IIS Manager, right-click "Server Farms" and select "Create Server Farm...".
2. Provide a name for the server farm and click "Next".
3. On the next screen, enter the server address (the internal FQDN of the SFB Front End server the proxy will forward to) and click "Add". Then open the advanced settings and change httpPort to 8080 and httpsPort to 4443; these are the ports on which the Front End publishes its external web services. Click "Finish" to close the wizard.
4. A popup asks whether you would like to create a URL Rewrite rule. Click "Yes" to proceed.
5. Click on the newly created server farm. This displays the list of options for this particular server farm. Double-click "Proxy" to open the proxy options.
6. Within the Proxy options, change the timeout to 3600 seconds. Lower timeout values cause the SFB Mobile client to disconnect; adjust this value if you find users are being disconnected from their mobile clients. Click "Apply" to accept the changes and return to the server farm options.
7. Double-click the "Routing Rules" option in the server farm options. Deselect "Enable SSL Offloading" and click "Apply". With SSL offloading disabled, ARR re-encrypts the request and forwards it to the Front End over HTTPS on port 4443, which is why the Front End's certificate must chain to the internal CA root installed earlier.
Click on "URL Rewrite" to modify the rules within the rewrite module in IIS.
8. Double-click the first rewrite rule to modify its contents.
9. Within the rule make the following changes:
   - In the "Match URL" section, change the "Using" drop-down to "Regular Expressions" and change the pattern to (.*).
   - In the "Conditions" section, change the logical grouping to "Match Any" and add a condition for each published host name, with {HTTP_HOST} (the request's Host header) as the condition input and the host name as the pattern: lyncdiscover.<domain>, webapps.<domain>, rproxy.<domain>, meet.<domain>, dialin.<domain>. The intent is that only requests for names the proxy publishes are forwarded to the internal network. Note that with "Match Any" the condition set is satisfied as soon as one condition matches, so any condition the wizard already placed in the rule (such as an HTTPS-only check) no longer restricts the rule on its own; remove or fold it into the host conditions rather than leaving it alongside them.
   Click "OK" to continue, then click "Apply" to accept the changes.
10. Back in the "URL Rewrite" options, select the second rule and click "Disable Rule" in the Actions pane, as it is not used.

Finally, check that the IIS site receiving external requests has an HTTPS binding on port 443 that uses the external UC certificate; without that binding, external clients never reach the rewrite rule.

Once you have followed all the steps above, the reverse proxy server is set up.
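The same ARR configuration as steps 1-10, expressed with the WebAdministration module so it can be reviewed and re-applied from a script, plus a quick reachability check. This is an added example, not code from the original page; the farm name "SFBFrontEnd", the Front End FQDN "sfbfe.sfbsangoma.local", and the 443 binding on the Default Web Site are assumptions. It departs from the page in one deliberate way: instead of "Match Any" with one condition per host name, it uses "Match All" with a single anchored alternation for the host names, so an HTTPS-only condition still restricts the rule. Run it in an elevated PowerShell on the reverse proxy after the ARR and URL Rewrite modules are installed.

```powershell
# Added example (not from the original page): IIS ARR reverse proxy for SFB via WebAdministration.
# Assumptions: farm name, Front End FQDN, and the 443 binding on "Default Web Site".

Import-Module WebAdministration
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$farm     = 'SFBFrontEnd'
$frontEnd = 'sfbfe.sfbsangoma.local'
$domain   = 'sfbsangoma.com'
$hosts    = @("lyncdiscover.$domain", "meet.$domain", "dialin.$domain",
              "webapps.$domain", "rproxy.$domain")

# Steps 1-3: server farm with the Front End as its only member, forwarding to the
# SFB external web services ports 8080 (HTTP) and 4443 (HTTPS).
if (-not (Get-WebConfiguration -PSPath $appHost -Filter "webFarms/webFarm[@name='$farm']")) {
    Add-WebConfigurationProperty -PSPath $appHost -Filter 'webFarms' -Name '.' -Value @{ name = $farm }
    Add-WebConfigurationProperty -PSPath $appHost -Filter "webFarms/webFarm[@name='$farm']" `
        -Name '.' -Value @{ address = $frontEnd }
}
$member = "webFarms/webFarm[@name='$farm']/server[@address='$frontEnd']/applicationRequestRouting"
Set-WebConfigurationProperty -PSPath $appHost -Filter $member -Name 'httpPort'  -Value 8080
Set-WebConfigurationProperty -PSPath $appHost -Filter $member -Name 'httpsPort' -Value 4443

# Step 6: 3600 s proxy timeout so idle SFB mobile sessions are not dropped.
Set-WebConfigurationProperty -PSPath $appHost `
    -Filter "webFarms/webFarm[@name='$farm']/applicationRequestRouting/protocol" `
    -Name 'timeout' -Value '01:00:00'

# Steps 7-10: one global rewrite rule that forwards over HTTPS only (no SSL offloading)
# and only for the published host names. "Match All" keeps the HTTPS check effective.
$rules    = 'system.webServer/rewrite/globalRules'
$ruleName = "ARR_${farm}_loadbalance_SSL"
$rule     = "$rules/rule[@name='$ruleName']"
if (Get-WebConfiguration -PSPath $appHost -Filter $rule) {
    Remove-WebConfigurationProperty -PSPath $appHost -Filter $rules -Name '.' -AtElement @{ name = $ruleName }
}
Add-WebConfigurationProperty -PSPath $appHost -Filter $rules -Name '.' `
    -Value @{ name = $ruleName; patternSyntax = 'ECMAScript'; stopProcessing = $true }
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/match" -Name 'url' -Value '(.*)'
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/conditions" -Name 'logicalGrouping' -Value 'MatchAll'
$hostPattern = '^(' + (($hosts | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
Add-WebConfigurationProperty -PSPath $appHost -Filter "$rule/conditions" -Name '.' `
    -Value @{ input = '{HTTPS}'; pattern = 'on' }
Add-WebConfigurationProperty -PSPath $appHost -Filter "$rule/conditions" -Name '.' `
    -Value @{ input = '{HTTP_HOST}'; pattern = $hostPattern }
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/action" -Name 'type' -Value 'Rewrite'
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/action" -Name 'url'  -Value "https://$farm/{R:0}"

# Bind the external UC certificate (newest one issued to rproxy.<domain>) to 443.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=rproxy.$domain*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force | Out-Null

# Reachability check: TCP 443 for every published name and the mobility autodiscover
# endpoint answering through the proxy. Run it from outside the DMZ for a meaningful result.
function Test-SfbReverseProxy {
    foreach ($h in $hosts) {
        $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        '{0,-32} 443/tcp open: {1}' -f $h, $tcp.TcpTestSucceeded
    }
    $r = Invoke-WebRequest -Uri "https://lyncdiscover.$domain/Autodiscover/AutodiscoverService.svc/root" -UseBasicParsing
    'autodiscover HTTP status: {0}' -f $r.StatusCode
}
Test-SfbReverseProxy
```

Because the rule rewrites to `https://SFBFrontEnd/...`, ARR validates the Front End's certificate on port 4443 when it forwards the request; if that certificate was issued by the internal CA, the CA chain installed in the "Installing the Internal CA Certificates" section is what makes the forwarded connection succeed.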