Archive: Posts Tagged ‘UAG’

IP-HTTPS certificate

No comments October 3rd, 2012

If you use DirectAccess (DA), should you use a certificate on the IP-HTTPS listener from your internal CA or from a third party CA?

If you use a certificate from your internal CA, you have to publish its CRL so that it can be reached from the Internet. If you don't, external DA clients will drop the cached CRL after it expires (the author observed 24 hours) and can no longer check whether the listener certificate has been revoked. DA stops working for them until the laptop is back on the internal network, where the CRL distribution point is reachable again.

The default cache time is 24 hours.

A certificate from a public CA already has its CRL published on the Internet, so external clients can check revocation without you publishing anything. So I would not bother publishing the CRL, but instead use a third-party certificate on the IP-HTTPS listener.
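Whichever CA you pick, the thing to verify is that every CRL distribution point in the listener certificate answers from the Internet. The PowerShell script below is an added example (not part of the original post, not Microsoft's tooling): it reads the listener certificate from an exported .cer file, picks the HTTP URLs out of the CRL Distribution Points extension and tries to download each CRL from wherever the script runs, reporting the CRL's NextUpdate via `certutil -dump`. The file path is a placeholder, and the script assumes the Windows text rendering of the extension contains `URL=` entries (true in the English locale; adjust the pattern otherwise). Run it from a machine outside the corporate network, because a CRL that is only reachable from inside is exactly the failure described above.

```powershell
# Added example, not from the original post: check that the CRL distribution
# points of the IP-HTTPS listener certificate are reachable from the Internet.
# $CertPath is a placeholder (assumption): export the listener certificate as
# a .cer (public part only) from the DirectAccess/UAG server and point it here.
param([string]$CertPath = 'C:\temp\iphttps-listener.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject:    $($cert.Subject)"
"Issuer:     $($cert.Issuer)"
"Not after:  $($cert.NotAfter)"

# OID 2.5.29.31 = CRL Distribution Points. Windows PowerShell has no typed class
# for it, so render the extension as text and pick out the URL= entries.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning 'No CRL Distribution Points extension: clients cannot check revocation at all.'
    return
}
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
if (-not $urls) { Write-Warning 'Could not find any URL= entry in the CDP extension text.'; return }

foreach ($u in $urls) {
    if ($u -notmatch '^http://') {
        "$u`n  skipped: not HTTP (an LDAP CDP is never reachable from the Internet)"
        continue
    }
    $wc  = New-Object System.Net.WebClient
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        $wc.DownloadFile($u, $tmp)
        $size = (Get-Item $tmp).Length
        # certutil -dump prints ThisUpdate/NextUpdate for a CRL; a CRL that is
        # past NextUpdate is as useless to the client as an unreachable one.
        $dump = certutil -dump $tmp 2>$null | Out-String
        $next = if ($dump -match 'NextUpdate:\s*(.+)') { $matches[1].Trim() } else { '(could not parse)' }
        "$u`n  OK: $size bytes, NextUpdate $next"
    } catch {
        "$u`n  FAILED: $($_.Exception.Message)"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
```

For the complete chain check the way the client performs it, including CRL fetching for every issuer, run `certutil -verify -urlfetch C:\temp\iphttps-listener.cer` on the same external machine; any "revocation server offline" line there is what the DA client will hit.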

If you use, or are considering, DA without UAG: DirectAccess in Windows Server 2012 (with the Windows 8 client) has a lot of improvements, including features you previously only found in UAG.

For a complete list, check out

Publish Lync with UAG

11 comments May 24th, 2012

Do you use Microsoft Forefront UAG 2010 to publish Lync and have trouble getting it to work?

My co-worker Robert had struggled with this for some time, but finally he managed to get Lync and mobility working through UAG.

First we tried using the TMG part of UAG, and it worked, but I could not restart the server after the configuration. After a restart, HTTP and HTTPS traffic was blocked by TMG's default rule. Other oddities also happened whenever we changed the UAG configuration.

We opened a service request with Microsoft, and they told us that using the TMG part of UAG for publishing is not supported. It can work in some cases, but a configuration change in UAG can break it. Microsoft's position is that you should never touch the TMG settings on a UAG server.

So here is what we did on the UAG:

We added one more public IP address to the external leg of the UAG, so we have two IP addresses for Lync. One IP for lyncweb, meet and dialin. The second IP was dedicated to lyncdiscover.

We created a new HTTPS trunk for lyncweb, meet and dialin and changed the Session settings like this:

Important: "Disable scripting for portal application" has to be ticked on the Lync trunk. It cannot be ticked on a trunk that also publishes e.g. Exchange or SharePoint, so you have to create a dedicated trunk for Lync.

We created a new HTTP trunk for lyncdiscover and changed the Session settings like this:

Our uag console now looks like this:

The https Lync looks like this:

The http lyncdiscover looks like this:


Mobile clients will receive the logon server names unencrypted if you publish lyncdiscover on an HTTP trunk. You can skip the extra IP and publish lyncdiscover on the Lync HTTPS trunk instead by doing:

Credit to Robert for getting this to work. Hope it will work for you too 🙂
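To see which of the two layouts above you actually ended up with, and what the HTTP lyncdiscover trunk hands out in cleartext, here is an added PowerShell check (example code, not from the original post and not part of UAG or Lync). It resolves the four public names, confirms that lyncweb, meet and dialin share one address on port 443 and whether lyncdiscover has its own address, then fetches `http://lyncdiscover.<domain>/` the way a mobile client does and prints every `href` found in the reply. The domain is a placeholder, and the script assumes the autodiscover root answers with JSON containing `href` entries (it falls back to printing the raw start of the body if it does not). It only uses .NET classes that exist on Windows Server 2008 R2, so it also runs on the UAG box itself, although the point is to run it from outside.

```powershell
# Added example, not from the original post: check how the Lync names are
# published through UAG. $Domain is a placeholder (assumption); replace it.
param([string]$Domain = 'contoso.com')

$httpsNames = @('lyncweb', 'meet', 'dialin') | ForEach-Object { "$_.$Domain" }
$discover   = "lyncdiscover.$Domain"

function Get-IPv4([string]$Name) {
    try {
        $a = [System.Net.Dns]::GetHostAddresses($Name) |
             Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
        if ($a) { return $a.IPAddressToString }
    } catch { }
    return $null
}

function Test-Port([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $c = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $c.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $c.EndConnect($ar)
        return $true
    } catch { return $false } finally { $c.Close() }
}

# 1. DNS: lyncweb/meet/dialin should share one public IP; lyncdiscover may
#    have its own (dedicated HTTP trunk) or the same one (single HTTPS trunk).
$ips = @{}
foreach ($n in $httpsNames + $discover) { $ips[$n] = Get-IPv4 $n }
$ips.GetEnumerator() | Sort-Object Name | ForEach-Object {
    $v = if ($_.Value) { $_.Value } else { '(no A record)' }
    "{0,-35} {1}" -f $_.Name, $v
}
$trunkIps = @($httpsNames | ForEach-Object { $ips[$_] } | Sort-Object -Unique)
if ($trunkIps.Count -ne 1) {
    Write-Warning 'lyncweb/meet/dialin do not resolve to a single address; they belong on one HTTPS trunk.'
}
if ($ips[$discover] -and ($trunkIps -contains $ips[$discover])) {
    "lyncdiscover shares the HTTPS trunk address (single-trunk layout)."
} else {
    "lyncdiscover has its own address (dedicated-trunk layout)."
}

# 2. Ports: 443 on the Lync trunk, 80 (and/or 443) on lyncdiscover.
foreach ($n in $httpsNames) { "{0,-35} 443 open: {1}" -f $n, (Test-Port $n 443) }
"{0,-35}  80 open: {1}" -f $discover, (Test-Port $discover 80)
"{0,-35} 443 open: {1}" -f $discover, (Test-Port $discover 443)

# 3. What a mobile client gets from lyncdiscover over plain HTTP. Everything
#    printed here, including the web-service URLs, crossed the Internet unencrypted.
$wc = New-Object System.Net.WebClient
try {
    $body = $wc.DownloadString("http://$discover/")
    "`nhttp://$discover/ answered; URLs in the reply:"
    $hrefs = [regex]::Matches($body, '"href"\s*:\s*"([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
    if ($hrefs) { $hrefs | ForEach-Object { "  $_" } }
    else { "  (no href entries found; body starts with) " + $body.Substring(0, [Math]::Min(300, $body.Length)) }
} catch {
    "http://$discover/ did not answer: $($_.Exception.Message)"
}
```

If step 3 prints URLs, that is the exposure the post warns about: anyone on the path between the phone and UAG learns your Lync web-service hostnames. Moving lyncdiscover onto the HTTPS trunk, as described at the end of the post, makes the same request fail over HTTP and succeed only over 443.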