Friday 11 April 2014

Publish Lync 2013 Webservices with Web Application Proxy

An interesting scenario at a customer site, where they wish to publish the Lync External Webservices using Web Application Proxy on a Windows Server 2012 R2.

Web Application Proxy is a service of the Remote Access role built into any Windows Server 2012 R2, which by total coincidence is what we were using here. Other options include the Kemp LoadMaster series, but that is a different story. For in-depth information about the Web Application Proxy service, check this TechNet article.

This is the setup we were doing at this customer.
The WAP server is a workgroup (non-domain) server placed in the DMZ with two NICs, one towards the Internet and one towards the LAN. A persistent route is added to the WAP so that all traffic towards the LAN uses the second NIC, using this command in an elevated prompt: Route add <NetworkAddress> Mask <SubnetMask> <Gateway> IF <IPofNIC> -p, e.g.:
Route add 10.1.0.0 Mask 255.255.0.0 172.16.1.1 IF 172.16.1.3 -p

To be able to route to the LAN-based Lync Front End server, the reverse proxy server must know the inside destination of the simple URLs, so either host these in a local DMZ-based DNS server or put the following lines into the hosts file of the server. Remember that the IP address (10.1.0.5 in this example) should be the web service load balancer (or the single Lync Front End server).
10.1.0.5 dialin.domain
10.1.0.5 meet.domain
10.1.0.5 lyncweb.domain
10.1.0.5 lyncdiscover.domain

Make sure the WAP server has exactly one default gateway (no more, no less), placed on the first (Internet-facing) NIC.

Make sure you have a certificate issued by a publicly trusted CA. You also need to have installed and configured Active Directory Federation Services (AD FS) in your domain. The Lync External Web Services do not make use of AD FS, but it is a requirement for WAP.

To import the certificate on the server, open IIS Manager from Server Manager, go to the Server Home and click Server Certificates.

Click Import.

Browse to the .pfx file containing the certificate (and private key), enter the password for the file and click OK.


To install the WAP service on the server, start the Add Roles and Features Wizard from Server Manager, click Next.

Click Next.

Click Next.

Select Remote Access server role, click Next.

Click Next.

Click Next.

Check Web Application Proxy.

The wizard asks to add additional features; click Add Features.

Click Next.

Click Install.

Services are installing. Time for coffee.

When the installation is finished, click Open The Web Application Proxy Wizard.

Now we should configure the AD FS connection.
Click Next.

Enter the name of the internal AD FS service and the credentials for a user who has admin rights on the AD FS server (e.g. a Domain Admin). Click Next.

Select the certificate you imported in the beginning. Click Next.

Click Configure.

Service is being configured, time for a quick cup of coffee.

Done. Click Close.

Now it is time to publish the web service, so go to the Remote Access Management Console. Click Publish.

The Publish New Application Wizard opens; click Next.


As the Lync web services do not use AD FS for authentication, select Pass-through and click Next.

Fill in the fields, not forgetting to add :4443 to the Backend Server URL, and click Next.


Click Publish.

Repeat the above until you have all the URLs filled out. Please note this deployment did not contain an Office Web Apps Server; otherwise that should be published as well.
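The route, hosts file and pass-through publishing steps above, collected into one script as an added example (not part of the original post). It assumes the addresses used in the post (10.1.0.0/16 via 172.16.1.1 on the NIC holding 172.16.1.3, web service VIP 10.1.0.5), a placeholder SIP domain "domain" and a placeholder certificate thumbprint, and it uses New-NetRoute instead of route add, resolving the interface index from the LAN NIC's IP address.

```powershell
# Added example, not the post's own procedure. Run in an elevated PowerShell on the WAP server.
# Assumed values (from the post or placeholders): adjust before use.
$LanPrefix      = '10.1.0.0/16'                # LAN behind the second NIC
$LanGateway     = '172.16.1.1'                 # next hop towards the LAN
$LanNicIp       = '172.16.1.3'                 # IP of the LAN-facing NIC
$LyncWebVip     = '10.1.0.5'                   # web service load balancer / Front End
$SipDomain      = 'domain'                     # placeholder SIP domain
$CertThumbprint = '<THUMBPRINT-OF-PUBLIC-CERT>' # placeholder, cert imported in LocalMachine\My
$SimpleUrls     = 'dialin', 'meet', 'lyncweb', 'lyncdiscover'

# 1. Persistent route to the LAN through the second NIC (replaces "route add ... -p").
$nic = Get-NetIPAddress -IPAddress $LanNicIp -AddressFamily IPv4
if (-not (Get-NetRoute -DestinationPrefix $LanPrefix -ErrorAction SilentlyContinue)) {
    New-NetRoute -DestinationPrefix $LanPrefix -InterfaceIndex $nic.InterfaceIndex `
                 -NextHop $LanGateway | Out-Null
}

# 2. hosts entries so the proxy resolves each simple URL to the internal web service VIP.
$hosts    = "$env:SystemRoot\System32\drivers\etc\hosts"
$existing = Get-Content $hosts
foreach ($name in $SimpleUrls) {
    $fqdn    = "$name.$SipDomain"
    $pattern = "^\s*$([regex]::Escape($LyncWebVip))\s+$([regex]::Escape($fqdn))\s*$"
    if (-not ($existing -match $pattern)) {
        Add-Content -Path $hosts -Value "$LyncWebVip`t$fqdn"
    }
}

# 3. Publish each simple URL as pass-through: external 443 -> backend 4443, public certificate.
foreach ($name in $SimpleUrls) {
    $fqdn    = "$name.$SipDomain"
    $appName = "Lync $fqdn"
    if (-not (Get-WebApplicationProxyApplication -Name $appName -ErrorAction SilentlyContinue)) {
        Add-WebApplicationProxyApplication -Name $appName `
            -ExternalPreauthentication PassThrough `
            -ExternalUrl "https://$fqdn/" `
            -BackendServerUrl "https://${fqdn}:4443/" `
            -ExternalCertificateThumbprint $CertThumbprint
    }
}

# 4. Check: every Lync app is pass-through and its backend URL uses port 4443.
Get-WebApplicationProxyApplication | Where-Object { $_.Name -like 'Lync *' } |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl |
    Format-Table -AutoSize
```

Any application in the final table whose BackendServerUrl lacks :4443 was published against the internal web site by mistake and should be corrected with Set-WebApplicationProxyApplication.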

Web Application Proxy coming soon to a server near you...
