Publish Lync with UAG

May 24th, 2012

Do you use Microsoft Forefront UAG 2010 to publish Lync and have trouble getting it to work?

My co-worker Robert had struggled with this for some time, but he finally managed to get Lync and mobility working over UAG.

First we tried using the TMG part of UAG, and it worked, but I could not restart the server after the configuration: after a restart, HTTP and HTTPS traffic was blocked by the default TMG rule. Other odd things also happened whenever we changed the UAG config.

We opened an SR with Microsoft, and they told us that using the TMG part of UAG is not supported. It can work in some cases, but configuration changes in UAG can break it. Microsoft says you should never touch the TMG settings on a UAG server.

So here is what we did on the UAG:

We added one more public IP address to the external leg of the UAG, so we have two IP addresses for Lync: one IP for lyncweb, meet and dialin, and a second IP dedicated to lyncdiscover.

We created a new HTTPS trunk for lyncweb, meet and dialin and changed the Session settings like this:

Important: “Disable scripting for portal application” has to be ticked on the Lync trunk. It cannot be ticked on a trunk for e.g. Exchange or SharePoint, so you have to create a dedicated trunk for Lync.

We created a new HTTP trunk for lyncdiscover and changed the Session settings like this:

Our UAG console now looks like this:

The HTTPS Lync trunk looks like this:

The HTTP lyncdiscover trunk looks like this:

Update:

Mobile clients will receive the logon server addresses unencrypted if you configure lyncdiscover on an HTTP trunk. You can skip the extra IP and configure lyncdiscover on the Lync HTTPS trunk by doing:

Credit to Robert for getting this to work. Hope it will work for you too 🙂
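To make the risk in the Update above concrete, here is an added Python example (not part of the original post) that inspects a Lync Autodiscover response and lists every link the client would be told to use over plain HTTP. The JSON layout and the example.com host names are constructed for illustration: the real service returns a similar list of links, but the exact field names here are an assumption.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an Autodiscover response. The field names are an
# assumption; only the presence of "href" values matters to the checks below.
SAMPLE_RESPONSE = json.dumps({
    "AccessLocation": "External",
    "Root": {
        "Links": [
            {"token": "Domain",
             "href": "https://lyncdiscover.example.com/Autodiscover/AutodiscoverService.svc/root/domain"},
            # This one is the problem: a logon URL handed out over plain HTTP.
            {"token": "User",
             "href": "http://lyncdiscover.example.com/Autodiscover/AutodiscoverService.svc/root/user"},
            {"token": "External/Mcx",
             "href": "https://lyncweb.example.com/Mcx/McxService.svc"},
        ]
    },
})


def iter_hrefs(node):
    """Recursively yield every 'href' string found in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "href" and isinstance(value, str):
                yield value
            else:
                yield from iter_hrefs(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_hrefs(item)


def plaintext_links(body):
    """Return the links in an Autodiscover body whose scheme is not HTTPS."""
    return [h for h in iter_hrefs(json.loads(body))
            if urlparse(h).scheme.lower() != "https"]


def discovery_is_safe(request_url, body):
    """True only if the discovery request itself and every returned link use HTTPS.

    A lyncdiscover trunk published over HTTP fails the first test regardless of
    what the response contains, which is the situation the Update describes.
    """
    return urlparse(request_url).scheme.lower() == "https" and not plaintext_links(body)


if __name__ == "__main__":
    for bad in plaintext_links(SAMPLE_RESPONSE):
        print("plaintext link in Autodiscover response:", bad)
    print("safe:", discovery_is_safe(
        "https://lyncdiscover.example.com/Autodiscover/AutodiscoverService.svc/root",
        SAMPLE_RESPONSE))
```

Run it against a response captured from your own lyncdiscover endpoint (for example saved from the Remote Connectivity Analyzer or a browser); an empty list from `plaintext_links` together with an HTTPS request URL is what you want to see after moving lyncdiscover onto the HTTPS trunk.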


  1. May 26th, 2012 at 06:37 | #1
    Cajuntank

    This worked out great for me. I have been struggling with this for over a week. Thanks a bunch. Just have a quick follow up question, though…
    Was there a reason that HTTP was used instead of HTTPS?

  2. May 26th, 2012 at 09:51 | #2
    Rune

    It looked like iPhone used http in the initial connection on the lyncdiscover. That’s why we made the lyncdiscover http.

  3. May 26th, 2012 at 18:27 | #3
    Cajuntank

    Just for sake of argument, I disabled the HTTP trunk and created a new HTTPS trunk with the same configuration you mention except, of course, using port 4443. Activated the config and tested and now get a “Failed to process the server response. Please try again….”

    When I run a test from the testocsconnectivity.com website, I get:
    Testing Http Authentication Methods for URL https://lyncdiscover.domain.com:443/Autodiscover/AutodiscoverService.svc/root/user
    Http Authentication Test failed
    Additional Details
    A Web Exception occured because an HTTP 404 – NotFound response was received

    Any ideas or thoughts?

  4. May 26th, 2012 at 20:17 | #4
    Cajuntank

    Ok, so here’s where I stand. As mentioned before, I created the HTTPS trunk, but this time I changed the application port from 4443 back to 8080, even though I’m on an HTTPS trunk over 443. This works. The ocsconnectivity.com tests work.

    So based on this, am I right in understanding that I am going over a secure HTTPS connection to that link, but the UAG is talking to the mobility service on 8080 on the backend? This is still secure, I’m not sending anything over the Internet unencrypted, am I?

  5. May 29th, 2012 at 11:00 | #5
    Rune

    That sounds a little fishy. To be sure your server doesn’t send unencrypted, you could start a network trace and filter on the 8080 port. You’ll then see if it’s encrypted. We changed our lyncdiscover to listen on 4443. I updated the post with that.
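As an added illustration of the trace check Rune suggests (example code, not from the post or its commenters), the following Python classifies captured TCP payloads as TLS records or plaintext HTTP, then summarises what was seen per backend port. The segments are constructed for the example; 8080 and 4443 are the ports discussed in this thread.

```python
import re

# TLS record-layer content types (RFC 5246 section 6.2.1).
TLS_CONTENT_TYPES = {20: "change-cipher-spec", 21: "alert",
                     22: "handshake", 23: "application-data"}

# Start of an HTTP/1.x request line.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|OPTIONS|DELETE) \S+ HTTP/1\.[01]\r\n")


def classify_payload(data):
    """Label the first bytes of a TCP segment payload.

    A TLS record starts with a content type byte followed by the version
    0x03 0x00..0x04 (SSL 3.0 through TLS 1.3). Anything that parses as an
    HTTP/1.x request or status line is plaintext.
    """
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 3 and data[2] <= 4:
        return "tls:" + TLS_CONTENT_TYPES[data[0]]
    if HTTP_REQUEST.match(data) or data.startswith(b"HTTP/1."):
        return "plaintext-http"
    return "unknown"


# Constructed (port, payload) pairs standing in for a trace filtered on the
# UAG-to-Front-End traffic. Real captures would come from a sniffer export.
SAMPLE_SEGMENTS = [
    (8080, b"POST /Autodiscover/AutodiscoverService.svc/root HTTP/1.1\r\n"
           b"Host: lyncdiscover.example.com\r\n\r\n"),
    (8080, b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"),
    (4443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 20),  # ClientHello
    (4443, b"\x17\x03\x03\x00\x40" + b"\x00" * 64),                          # app data
]


def summarize_by_port(segments, port):
    """Sorted list of distinct payload classes seen on the given port."""
    return sorted({classify_payload(payload) for p, payload in segments if p == port})


def port_carries_plaintext(segments, port):
    """True if any segment on the port was readable HTTP rather than TLS."""
    return "plaintext-http" in summarize_by_port(segments, port)


if __name__ == "__main__":
    for port in (8080, 4443):
        print(port, summarize_by_port(SAMPLE_SEGMENTS, port),
              "PLAINTEXT" if port_carries_plaintext(SAMPLE_SEGMENTS, port) else "encrypted")
```

The result depends on where the capture was taken: the Internet-facing leg of the trunk is TLS on 443 either way, so a plaintext verdict on 8080 means only the UAG-to-Front-End hop is unencrypted, which is exactly the hop the question above is about.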

  6. May 29th, 2012 at 19:49 | #6
    Cajuntank

    I will give it a shot. How about where the documentation for Mobility service tells you to set your internal DNS host for lyncdiscover.domain.com to the public IP of the reverse proxy to force inside users to go through it?
    I have not had success with that either, but don’t know if that’s some setting that needs to be tweaked to allow that loopback to happen.

  7. May 29th, 2012 at 20:29 | #7
    Rune

    It doesn’t make sense to route LAN users through the UAG. Internally you should use lyncdiscoverinternal.domain.com and point it to your Front End pool. This blog entry talks about it: http://blogs.technet.com/b/nexthop/archive/2012/04/25/lync-server-2010-mobility-deep-dive-autodiscover-service.aspx

  8. May 30th, 2012 at 01:05 | #8
    Cajuntank

    Gotcha. It tries the lyncdiscoverinternal record first, then if it does not find it, will try the lyncdiscover record. Was wondering about that.
    Thanks.

  9. June 28th, 2012 at 19:55 | #9

    What about Edge? Are you able to publish Lync Edge on UAG? I have managed to get it working for me on TMG but would try on UAG as well since Microsoft will stop supporting TMG.

    Thanks

  10. August 15th, 2012 at 19:20 | #10

    This worked for me but I’m seeing some Exchange web services errors…

  11. November 23rd, 2012 at 12:41 | #11
    Nolan

    I have UAG 2010 updated to SP2 but I do not have a Lync 2010 option in the drop down list when I go to add an application. Am I missing something?
