As stated in this blog: http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx, a number of Forefront-branded solutions are discontinued from further releases.
For us, as Lync administrators, including TMG 2010 in this group is extremely painful, having in mind the ease with which Lync external web services were published. This is not the end of the road, however. There is third-party software that can be successfully utilized for web publishing.
Today I will install and configure Apache 2.2 in my lab as Reverse Proxy for Lync 2013.
I will be using Windows Server 2008 R2 for this exercise. The server where I will install Apache is not a member of the domain, because it will be exposed to the Internet and I want to enhance security. The OS was patched with the latest Windows updates prior to Apache installation.
I will use two virtual network interfaces:
“LAN” – 10.255.2.52/24 and “DMZ” – 192.168.1.52/24
Only the DMZ interface has a Default Gateway. Routing to the internal subnets via the LAN interface was added manually, using the same procedure as when configuring the Edge server.
LAN interface:
DMZ interface:
Current routing table:
***In this case, the Reverse Proxy's LAN interface is on the same subnet where the Lync servers are. I can afford it, because this is a lab. In production, however, I would consider placing the LAN interface on an "internal DMZ subnet" in order to have a physical separation.
To add a static route to the internal subnet, the ROUTE command was used:
ROUTE ADD -p 10.255.1.0 MASK 255.255.255.0 10.255.2.1
Now my routing table looks like this:
The DMZ IP address was mapped to a Public IP address and the External Firewall was configured with an ACL to allow connections from any source to this IP address on port TCP/443. A visit to http://www.whatsmyip.info confirmed my configuration.
The first step is to download the Apache Win32 Binary including OpenSSL from this link: http://httpd.apache.org/download.cgi, where I will download httpd-2.2.22-win32-x86-openssl-0.9.8t.msi. ***See Additional Resources at the end of this article.
The installation of Apache is pretty straightforward. Run the .msi
and follow the screens…
I did not change the default installation path and so, the bits
were installed to “C:\Program Files (x86)\Apache Software Foundation”.
Before I test my installation, I want to make sure the service will bind to the correct (DMZ) IP address. To do so, I will modify the “httpd.conf” file located in the “C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf” directory. Actually, most of the configuration is done in this file, so I created a shortcut on my desktop for easy access.
Once the file is open in Notepad, locate the line “#Listen 12.34.56.78:80” and add below it:
Listen 192.168.1.52:80
***Note that at this point I am configuring Apache to serve requests for HTTP traffic only. This is because I want to test the general functionality. Also, I have not deployed a certificate yet, thus the HTTPS protocol will not work at this point. Because the Reverse Proxy will be used to serve requests from the Public Internet, I bound the service to the DMZ interface only.
Once the file is modified and saved, restart the Apache service.
From within the Apache server, open Internet Explorer and navigate to http://192.168.1.52 (the IP address we
configured Apache to listen to).
Before testing from the Public Internet, we must add a Firewall exception for the desired ports and protocols in the Windows Firewall (local machine). I will use PowerShell to do so.
netsh advfirewall firewall add rule name="Apache Port 80" dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="Apache Port 443" dir=in action=allow protocol=TCP localport=443
A quick test from a computer on the Public Internet shows that my configuration is now operational. At this point, we've accomplished a couple of very important tasks:
- Our Apache server is listening on the internal interface and is responding to simple HTTP queries
- Our Apache server is also listening and responding to queries from the Internet.
Because we will be using Apache as Reverse Proxy and will serve
SSL requests, the corresponding modules must be allowed to load at startup. To
do so, some lines in “httpd.conf” file must be uncommented.
***Unix folks are familiar with text file configuration. For those who come from the Windows world: Apache for Windows is basically a "port" of the Unix binaries to Windows. The text file configuration structure is preserved, thus we do configuration by "uncommenting" (allowing) or "commenting" (disallowing) modules to be loaded and run. For example:
Here "mod_auth_basic.so" will be loaded, and "mod_auth_digest.so" will not be loaded.
- Locate and uncomment “LoadModule proxy_module modules/mod_proxy.so” line.
- Locate and uncomment “LoadModule proxy_http_module modules/mod_proxy_http.so” line.
- Locate and uncomment “LoadModule ssl_module modules/mod_ssl.so” line.
- Locate and uncomment “Include conf/extra/httpd-ssl.conf” line.
- Save the file.
***If you bounce Apache at this point, the service will not
start. This is because we configured Apache in SSL mode, but no certificate was
assigned yet.
I have already requested and received a certificate from DigiCert, which I will use with my test setup. The certificate has CN=webext.lynclog.com and includes meet.lynclog.com, dialin.lynclog.com and lyncdiscover.lynclog.com in the Subject Alternative Name list.
***The above certificate was requested during deployment of my Lync 2010 lab. There are, however, new certificate requirements for Lync 2013 publishing listed here: http://technet.microsoft.com/en-us/library/jj205381(v=ocs.15).aspx and, as usual, it is highly recommended to follow Microsoft's best practices to assure a successful deployment.
The first step is to export the certificate with the private key to a .pfx file.
Locate the certificate, right click and go to All Tasks, Export.
We have to use OpenSSL to convert our .pfx file into two files in a format Apache can interpret.
***In the steps below I will use some custom folders for file location. Those folders are not mandatory and you can use any location.
Create a folder “Certificates” on C:\ and move the exported (.pfx) certificate there.
Run Command Prompt as Administrator, and navigate to “C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin” (the OpenSSL executable is located there).
First, use this command to extract the Private Key from the certificate:
openssl pkcs12 -in c:\Certificates\rp_cert.pfx -nocerts -out c:\Certificates\encr_lynclog.key.pem
IMPORTANT: Always type the commands and do not copy and paste. Web browsers tend to replace characters and you might run into problems.
Use this command to extract the certificate from the .pfx file:
openssl pkcs12 -in c:\Certificates\rp_cert.pfx -clcerts -nokeys -out c:\Certificates\lynclog.cert.pem
Lastly, use this command to convert your key file to RSA format (this also removes the passphrase protecting the exported key):
openssl rsa -in c:\Certificates\encr_lynclog.key.pem -out c:\Certificates\lynclog.key
Navigate to “C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra” and create new folder named “ssl”. Copy the files "lynclog.cert.pem" and "lynclog.key" from "Certificates" to "ssl" folder.
Next step is to configure the SSL properties of Apache.
Navigate to “C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra”, locate “httpd-ssl.conf” file and open it with Notepad.
Locate the line "" and add the following line below:
SSLProxyEngine On
Uncomment the line “SSLSessionCache "dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache"”.
Comment out the line “SSLSessionCache "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"” (so that it starts with #).
Locate the tag “” and make sure
the line “SSLEngine on” is not commented.
Now we will specify the location of our certificate and key
files. Locate the line “SSLCertificateFile” and modify the path accordingly.
Locate the line “SSLCertificateKeyFile” and modify the path accordingly.
Save httpd-ssl.conf (the file we were working on) and restart the Apache service.
From the public Internet, visit the URL (https://meet.lynclog.com in this case) and make sure our server works via SSL.
The last step is to configure our Apache server to act as a Reverse Proxy.
Open the file httpd.conf with Notepad. Locate the line “# 'Main' server configuration” and add below it the following:
ProxyRequests Off
<Proxy *>
    Order Deny,Allow
    Allow from all
</Proxy>
ProxyReceiveBufferSize 4096
ProxyPass / https://uspool.lynclog.com:4443/
ProxyPassReverse / https://uspool.lynclog.com:4443/
ProxyPreserveHost On
KeepAlive On
***Above we instructed Apache to proxy the requests arriving on port 443 from the Internet to port 4443 on our Lync server. "ProxyRequests Off" keeps Apache from acting as a forward (open) proxy; "ProxyPass" does the actual forwarding and "ProxyPassReverse" rewrites the Location headers in the responses. This is equivalent to the "Bridging" term in TMG:
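As an added check that is not part of the original article, the following Python script lints a httpd.conf for the settings this walkthrough depends on: Listen bound to the DMZ address only, the proxy and SSL modules loaded, ProxyRequests Off (without it the server is an open forward proxy), SSLProxyEngine On, and matching ProxyPass/ProxyPassReverse targets. The two sample configs are constructed for the demonstration.

```python
import re
DMZ_IP = "192.168.1.52"  # DMZ interface address from the article
REQUIRED_MODULES = ("mod_proxy.so", "mod_proxy_http.so", "mod_ssl.so")
def active_lines(conf):
    """Directive lines with comments and blank lines dropped."""
    return [l.strip() for l in conf.splitlines()
            if l.strip() and not l.strip().startswith("#")]
def targets(lines, directive):
    """Backend URLs of a 'Directive /path URL' line such as ProxyPass."""
    pat = re.compile(directive + r"\s+\S+\s+(\S+)", re.I)
    return [m.group(1) for m in map(pat.match, lines) if m]
def lint(conf):
    """Return a list of findings; an empty list means all checks passed."""
    lines = active_lines(conf)
    lower = [l.lower() for l in lines]
    findings = []
    # 1. Every Listen must be bound to the DMZ address, never to all interfaces.
    for l in lines:
        m = re.match(r"Listen\s+(\S+)", l, re.I)
        if m and not m.group(1).startswith(DMZ_IP + ":"):
            findings.append("Listen not bound to DMZ interface: " + l)
    # 2. The proxy and SSL modules the article uncomments must be loaded.
    mod_re = re.compile(r"LoadModule\s+\S+\s+modules/(\S+)", re.I)
    loaded = [m.group(1) for m in map(mod_re.match, lines) if m]
    findings += ["module not loaded: " + x for x in REQUIRED_MODULES if x not in loaded]
    # 3. A reverse proxy with ProxyRequests On is also an open forward proxy.
    if "proxyrequests off" not in lower:
        findings.append("ProxyRequests Off missing (open-proxy risk)")
    # 4. The backend is HTTPS on 4443, so the proxy side of mod_ssl must be on.
    if "sslproxyengine on" not in lower:
        findings.append("SSLProxyEngine On missing")
    # 5. ProxyPass and ProxyPassReverse must name the same backend URL.
    pp, ppr = targets(lines, "ProxyPass"), targets(lines, "ProxyPassReverse")
    if not pp or pp != ppr:
        findings.append("ProxyPass/ProxyPassReverse missing or mismatched")
    return findings
# Constructed sample configs (not from the article): the finished setup, and a
# "before" state with the mistakes the checks are meant to catch.
GOOD_CONF = """Listen 192.168.1.52:80
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
SSLProxyEngine On
ProxyRequests Off
ProxyPass / https://uspool.lynclog.com:4443/
ProxyPassReverse / https://uspool.lynclog.com:4443/
"""
BAD_CONF = "Listen 80\nProxyRequests On\nProxyPassReverse / https://uspool.lynclog.com:4443/\n"
```

Run lint() over the real httpd.conf and httpd-ssl.conf contents concatenated, since the article spreads the directives across both files.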
Restart the service again. If everything was configured correctly, we should now see our Dialin and meet pages:
The above configuration was tested with Lync Mobile support
(iPhone) and worked as well.
Summary:
This article describes how to install and configure Apache 2.2 to act as a Reverse Proxy for Lync 2010 and Lync 2013 web services publishing.
Additional resources:
Apache direct download link: http://mirror.metrocast.net/apache//httpd/binaries/win32/httpd-2.2.22-win32-x86-openssl-0.9.8t.msi
***As of this moment, the download link to the latest (2.2.23) binaries is broken. You can, however, check here: http://mirror.metrocast.net/apache//httpd/binaries/win32/ for availability. Always use the "Latest stable" version. Beta builds should not be used in Production.
Apache WIKI: http://wiki.apache.org/httpd/
Reverse Proxy Publishing (Lync 2010): http://technet.microsoft.com/en-us/library/gg398872.aspx
Certificate Summary for Reverse Proxy (lync 2013): http://technet.microsoft.com/en-us/library/jj205381(v=ocs.15).aspx