Reverse Proxy Publishing

 

Topic Last Modified: 2012-07-22

With Microsoft Office Communications Server 2007 R2, you were required to publish up to five websites using a reverse proxy server:

  1. Address book files

  2. Distribution group expansion

  3. Meeting content

  4. Phone Edition upgrade files

  5. Communicator Web Access

To publish all five websites with Office Communications Server 2007 R2, typically you were required to use two Reverse Proxy certificates:

  • Subject Name = ExternalWebFarmFQDN (for example, webext.contoso.com)

  • Subject Name = CWAExternalFQDN (for example, cwa.contoso.com)

Microsoft Lync Server 2010 communications software supports publishing the same information and now supports external publishing of simple URLs for online meetings. Also, Communicator Web Access functionality still exists but has been renamed Microsoft Lync Web App and is now available as a service on a Standard Edition Front End Server or on each Front End Server in a Front End pool, rather than a dedicated physical server. The client is now referred to as the Lync Web App client instead of the Communicator Web Access client and supports reduced functionality (for example, there is no Contacts list or A/V capability).

Depending on how you configured Office Communications Server 2007 R2 reverse proxy publishing, the changes in Lync Server 2010 publishing requirements can increase the number of public certificates or subject alternative name (SAN) entries required, as well as the number of Domain Name System (DNS) records. For example, if the simple URL format chosen is dialin.<SIP domain name> and meet.<SIP domain name>, you require two DNS A records: one for dialin.<SIP domain name> and one for meet.<SIP domain name>. This is in addition to other DNS records required for the reverse proxy.

An optional format for simple URLs is the use of a common base domain entry, such as join.<SIP domain name>/dialin and join.<SIP domain name>/meet. The advantage of this simple URL format is that you need only one DNS A record for both the meet and dialin simple URLs. Additionally, you use only one wildcard SAN entry: *.<SIP domain name>.

Lync Server 2010 Reverse Proxy Certificate Requirements

| Role/Subject name | Subject alternative name | Used to publish | Subject name syntax example |
|---|---|---|---|
| externalWebServicesFQDN | N/A | Address Book files; Distribution Group Expansion; Conference content; Device update files | webext.contoso.com; webdirext.contoso.com. Note: Typically, ExternalWebServicesFQDN = the FrontEndWebExternalFQDN, and, if used, DirectorWebExternalFQDN |
| Simple URL/AdminFQDN | N/A | AdminFQDN is not published externally. It is only used internally. | N/A |
| Simple URL/DialinFQDN | N/A | Dial-in Conferencing information | dialin.contoso.com |
| Simple URL/MeetFQDN | N/A | Meeting URL | meet.contoso.com |
| Alternate Simple URL for Dialin | | Dial-in Conferencing information | Join.contoso.com/dialin |
| Alternate Simple URL for Dialin | | Meeting URL | Join.contoso.com/meet |
| Wildcard Entries for Simple URLs (optional) | | Meeting and Dial-in | *.contoso.com |

Note

  • The externalWebServicesFQDN value is used for Lync Server 2010 users. In coexistence scenarios it is likely there will already be an externalWebFarmFQDN value for existing Office Communications Server 2007 R2 or Office Communications Server 2007 pools, but the FQDN values are independent of each other.

  • AdminFQDN is blocked from external publication for security reasons.

  • DialinFQDN, MeetFQDN, and AdminFQDN are referred to as simple URLs in Lync Server 2010, and it is possible to save a certificate depending on how they are defined. This table assumes you have chosen dedicated simple URLs for each role. For details about selecting a simple URL format, see Simple URL Options.

Important

If you create and publish dedicated simple URLs (for example, one for each role) and then set up a pool of Front End Servers based on that configuration, you cannot change to using a single simple URL for all roles (for example, join.contoso.com/meet) unless you run setup again on each Front End Server in the pool. The same requirement applies if you convert from a single simple URL format to dedicated simple URLs.
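
The following Python sketch is an added example, not Microsoft code or part of the original topic. It derives the DNS A records each simple URL format needs, checks which published host names a reverse proxy certificate's subject and SAN entries cover (a wildcard stands for one label only), and flags an externally published AdminFQDN. The admin.contoso.com value and all function names are assumptions made for illustration.

```python
# Added example (not Microsoft code): plan simple-URL host names and check
# certificate coverage for a Lync Server 2010 reverse proxy listener.
from urllib.parse import urlsplit


def simple_urls(sip_domain, shared_base=False):
    """Return the dial-in and meet simple URLs for one SIP domain."""
    if shared_base:  # join.<SIP domain>/dialin and join.<SIP domain>/meet
        return [f"https://join.{sip_domain}/dialin", f"https://join.{sip_domain}/meet"]
    return [f"https://dialin.{sip_domain}", f"https://meet.{sip_domain}"]


def dns_a_records(urls):
    """Unique host names that each need a DNS A record for the reverse proxy."""
    return sorted({urlsplit(u).hostname for u in urls})


def name_matches(cert_name, host):
    """Case-insensitive match; '*' stands for exactly one leftmost label."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == cert_name[2:]
    return cert_name == host


def uncovered(hosts, cert_names):
    """Host names that no subject name or SAN entry on the certificate covers."""
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]


def audit(published_hosts, cert_names, admin_fqdn):
    """Summarize certificate gaps and flag an externally published AdminFQDN."""
    return {
        "uncovered": uncovered(published_hosts, cert_names),
        "admin_exposed": admin_fqdn.lower() in {h.lower() for h in published_hosts},
    }


if __name__ == "__main__":
    # Constructed sample values using the page's contoso.com naming;
    # admin.contoso.com is a hypothetical AdminFQDN.
    hosts = ["webext.contoso.com"] + dns_a_records(simple_urls("contoso.com"))
    print(audit(hosts, ["webext.contoso.com", "*.contoso.com"], "admin.contoso.com"))
```

Run the audit against the host names in the reverse proxy publishing rules and the names on the listener certificate before cutover; any entry under "uncovered" will produce a certificate name mismatch for external clients.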