[This is pre-release documentation and subject to change in future releases. This topic's current status is: Milestone-Ready]

Topic Last Modified: 2010-07-16

For Communications Server Edge Server deployments, an HTTPS reverse proxy in the perimeter network is required for external clients to access the Communications Server 2010 Web Services (called “Web Components” in prior versions) on the Director and the user’s home pool. Some of the features that require external access through a reverse proxy include the following:

Enabling external users to download meeting content for your meetings.
Enabling external users to expand distribution groups.
Enabling remote users to download files from the Address Book Service.
Accessing the Reach client
Accessing the dial-in Web page
Accessing the Location Information Service
Enabling external devices to connect to Device Update Service and obtain updates.

We recommend that you configure your HTTP reverse proxy to publish all Web Services in all pools. Publishing https:// ExternalFQDN/* publishes all IIS Virtual Directories for a pool. You will need one publishing rule for each Standard Edition server, Enterprise Pool, or Director/Director pool in your organization.

In addition, the Simple URLs must also be published. If the organization has a Director or Director pool, then proxy requests to these URLs to the External Web Services virtual directory on the Director. If you haven’t deployed a Director, you will need to designate one pool to handle requests to the Simple URLs. (If this isn’t the user’s home pool, it will redirect them onward to the Web Services on the user’s home pool). The Simple URLs can be handled by a dedicated Web Publishing rule, or can be added onto the Public names of the Web Publishing rule for the Director.

You can use Microsoft Forefront Threat Management Gateway 2010 (TMG 2010) or Microsoft Internet Security and Acceleration (ISA) Server 2006 SP1 as a reverse proxy; the detailed steps in this section describe how to configure TMG 2010 , and the steps for configuring ISA Server 2006 are almost identical. If you are using a different reverse proxy, consult the documentation for that product.

You can use the information in this section to set up a TMG 2010 reverse proxy, which requires completing the following procedures:

Configure the external Web Farm FQDNs.
Configure the network adapter cards.
Install and configure TMG 2010.
Request and configure a digital certificate for SSL.
Create a Web server publishing rule and verify that the Web server publishing rule properties are correct.
Verify or configure authentication and certification on Internet Information Services (IIS) virtual directories.
Create external Domain Name System (DNS) entries for each external FQDN
Verify that you can access the Web Services in each pool using the Internet.

Before You Begin

Set up the system you use for your reverse proxy before continuing with the configuration for reverse proxy

Configure Web Farm FQDNs

When you set up Topology Builder, you had the option to configure an External Web Services fully qualified domain name (FQDN) on each Standard Edition server, Enterprise Pool, and Director or Director pool. These names will be sent to the clients in that pool when they log on and will be used to make an HTTPS connection back to the reverse proxy when connecting remotely. If you did not configure these URLs during the initial Topology Builder configuration, you need to configure Communications Server 2010 using the following procedure:

To configure an external pool FQDN for Web services

In Topology Builder, in the console tree under Standard Edition Front Ends, Enterprise Edition Front Ends, and Directors, select the pool name you need to edit. Right-click on the name and choose Edit Properties. In the Web Services section, add or edit the External Web Services FQDN and then click .OK.
Right-click Communications Server 2010, and then click Publish
Repeat these steps for all Standard Edition servers, Enterprise Pools, and Directors/Director Pools in the organization.

Configure Network Adapters

You must assign one or more IP addresses to the external network adapter and at least one IP address to the internal network adapter.

In the following procedures, the TMG Server computer has two network adapters:

A public, or external, network adapter, which is exposed to the clients that will attempt to connect to your Web site (usually over the Internet).
A private, or internal, network interface, which is exposed to the internal Communications Server 2010servers that are hosting Web Services.

To configure the network adapter cards on the reverse proxy computer

On the Windows Server 2008 or Windows Server 2008 R2 server running TMG 2010, open Change Adapter Settings by clicking Start, pointing to Control Panel, clicking Network and Sharing Center, and then click Change Adapter Settings.
Right-click the external network connection that you want to use for the external interface, and then click Properties.
On the Properties page, click the Networking tab, click Internet Protocol Version 4 (TCP/IPv4) in the This connection uses the following items list, and then click Properties.
On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses as appropriate for the network subnet to which the network adapter is attached. If the Reverse Proxy is already being used for other applications that use HTTPS/443, such as for publishing Outlook Web Access, you will either need to add another IP address so that you can publish the Communications Server 2010 Web Services on HTTPS/443 without interfering with the existing rules and Web Listeners, or you will need to replace the existing certificate with one that adds the new external FQDN names to the SAN.
Click OK, and then click OK.
In Network Connections, right-click the internal network connection that you want to use for the internal interface, and then click Properties.
Repeat steps 3 through 5 to configure the internal network connection.

Warning:
In a manner similar to the Edge Servers, you will need to set the Default Gateway on the external-facing adapter to the internal address of the external firewall, and will need to create persistent static routes in the internal-facing interface for all subnets containing servers referenced by the Web Publishing rules.

Warning:
The Reverse Proxy must be able to resolve the internal Director and Pool next-hop FQDNs used in the Web Publishing rules to IP addresses. As with the Edge Servers, for security reasons, it is not recommended that you have Edge Servers access a DNS Server located in the internal network. This means you will either need DNS servers in the perimeter, or you will need HOST file entries on the Reverse Proxy that resolves each of these FQDNs to the internal IP address of the servers.

Warning:

The Reverse Proxy must be able to resolve the internal Director and Pool next-hop FQDNs used in the Web Publishing rules to IP addresses. As with the Edge Servers, for security reasons, it is not recommended that you have Edge Servers access a DNS Server located in the internal network. This means you will either need DNS servers in the perimeter, or you will need HOST file entries on the Reverse Proxy that resolves each of these FQDNs to the internal IP address of the servers.

Install Forefront Threat Management Gateway 2010

If this is a new installation, install TMG 2010 according to the setup instructions included with the product.

Request and Configure a Certificate for Your Reverse HTTP Proxy

You need to install the root certification authority (CA) certificate on the server running TMG 2010 for the CA infrastructure that issued the server certificates to the internal Communications Server 2010servers

You also must install a public Web server certificate on your reverse proxy server. This certificate’s Subject Alternate Names should contain the published external FQDNs of each pool that is home to users enabled for remote access, and the external FQDNs of all Directors or Director pools that will be used via that Edge infrastructure. The SAN must also contain the meeting simple URL, and the dial-in simple URL as shown in the following table.

Value

Example

Comments

Pool FQDN

Webext.contoso.com

SAN

Pool FQDN

Webext.contoso.com

Warning:
The Subject Name MUST also be present in the SAN.

SAN

Meeting Simple URL

meet.contoso.com

All meeting simple URLs must be in the SAN. Each SIP domain must have at least one active meeting simple URL.

SAN

Dial-in Simple URL

dialin.contoso.com

Note:
If your internal deployment consists of more than one Standard Edition server or Enterprise pool, you must configure Web publishing rules for each external Web farm FQDN and you will either need a certificate and Web Listener for each, or you must obtain a certificate whose SAN contains the names used by all of the pools, assign it to a Web Listener, and share it among multiple Web Publishing Rules.

Note:

If your internal deployment consists of more than one Standard Edition server or Enterprise pool, you must configure Web publishing rules for each external Web farm FQDN and you will either need a certificate and Web Listener for each, or you must obtain a certificate whose SAN contains the names used by all of the pools, assign it to a Web Listener, and share it among multiple Web Publishing Rules.

Configure Web Publishing Rules for a Single Internal Pool

TMG 2010 uses Web publishing rules to publish internal resources, such as a meeting URL, to users on the Internet.

In addition to the Web service URLs for the virtual directories, you must also create publishing rules for simple URLs. For each simple URL, you must create an individual rule on the reverse proxy that points to that simple URL.

Use the following procedure to create Web publishing rules.

Note:
This procedure assumes that you have installed the Standard Edition of TMG 2010 .

To create a Web server publishing rule on the computer running TMG 2010

Click Start, point to Programs, point to Microsoft Forefront TMG, and then click Forefront TMG Management.
In the left pane, expand ServerName, right-click Firewall Policy, point to New, and then click Web Site Publishing Rule.
On the Welcome to the New Web Publishing Rule page, type a friendly name for the publishing rule (for example, CommunicationsServerWebDownloadsRule).
On the Select Rule Action page, select Allow.
On the Publishing Type page, select Publish a single Web site or load balancer.
On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm.

On the Internal Publishing Details page, type the FQDN of the internal Web farm that hosts your meeting content and Address Book content in the Internal Site name box.

Note:
If your internal server is a Standard Edition server, this FQDN is the Standard Edition server FQDN. If your internal server is an Enterprise pool, this FQDN is a hardware load balancer VIP that load balances the internal Web farm servers. The TMG Server must be able to resolve the FQDN to the IP address of the internal Web server. If the TMG Server is not able to resolve the FQDN to the proper IP address, you can select Use a computer name or IP address to connect to the published server, and then in the Computer name or IP address box, type the IP address of the internal Web server. If you do this, you must ensure that port 53 is open on the TMG Server and that it can reach an internal DNS server or a DNS server that resides in the perimeter network.

Note:

If your internal server is a Standard Edition server, this FQDN is the Standard Edition server FQDN. If your internal server is an Enterprise pool, this FQDN is a hardware load balancer VIP that load balances the internal Web farm servers. The TMG Server must be able to resolve the FQDN to the IP address of the internal Web server. If the TMG Server is not able to resolve the FQDN to the proper IP address, you can select Use a computer name or IP address to connect to the published server, and then in the Computer name or IP address box, type the IP address of the internal Web server. If you do this, you must ensure that port 53 is open on the TMG Server and that it can reach an internal DNS server or a DNS server that resides in the perimeter network.

On the Internal Publishing Details page, in the Path (optional) box, type /* as the path of the folder to be published.

Note:

In the Web site publishing wizard you can only specify one path. Additional paths can be added by modifying the properties of the rule.
On the Public Name Details page, confirm that This domain name is selected under Accept Requests for, type the External Web Services FQDN, in the Public Name box.
On Select Web Listener page, click New (this opens the New Web Listener Definition Wizard).
On the Welcome to the New Web Listener Wizard page, type a name for the Web listener in the Web listener name box (for example, Communications Server Web Servers).
On the Client Connection Security page, select Require SSL secured connections with clients.
On the Web Listener IP Address page, select External, and then click Select IP Addresses.
On the External Listener IP selection page, select Specified IP address on the Forefront TMG computer in the selected network, select the appropriate IP address, click Add.
On the Listener SSL Certificates page, select Assign a certificate for each IP address, select the IP address that is associated with the External FQDN, and then click Select Certificate.
On the Select Certificate page, select the certificate that matches the public names specified in step 9, click Select.
On the Authentication Setting page, select No Authentication.
On the Single Sign On Setting page, click Next.
On the Completing the Web Listener Wizard page, verify that the Web listener settings are correct, and then click Finish.
On the Authentication Delegation page, select No delegation, but client may authenticate directly.
On the User Set page, click Next.
On the Completing the New Web Publishing Rule Wizard page, verify that the Web publishing rule settings are correct, and then click Finish.
Click Apply in the details pane to save the changes and update the configuration.

Note:
In the Web site publishing wizard you can only specify one path. Additional paths can be added by modifying the properties of the rule.

To modify the properties of the Web publishing rule

Click Start, point to Programs, point to Microsoft Forefront TMG, and then click Forefront TMG Management.
In the left pane, expand ServerName, and then click Firewall Policy.
In the details pane, right-click the Web server publishing rule that you created in the previous procedure (for example, CommunicationsServerExternal Rule), and then click Properties.
On the Properties page, on the From tab, do the following:
- In the This rule applies to traffic from these sources list, click Anywhere, and then click Remove.
- Click Add.
- In the Add Network Entities dialog box, expand Networks, click External, click Add, and then click Close.
On the To tab, ensure that the Forward the original host header instead of the actual one check box is checked.
On the Bridging tab, select the Redirect request to SSL port check box, and then specify port 4443.
On the Public Name tab, add the Simple URLs (such as meet.contoso.com and dialin.contoso.com).
Click Apply to save changes, and then click OK.
Click the Apply button in the details pane to save the changes and update the configuration.

Verify or Configure Authentication and Certification on IIS Virtual Directories

Use the following procedure to configure certification on your IIS virtual directories or verify that the certification is configured correctly. Perform the following procedure on each IIS Server in your internal Communications Server pool.

Note:
The following procedure is for the Communications Server External Web Site in IIS.

To verify or configure authentication and certification on IIS virtual directories

Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In Internet Information Services (IIS) Manager, expand ServerName, and then expand Sites.
Right-click Communications Server External Web Site, and select Edit Bindings…
Verify that https is associated with port 4443, and then click https.
Select the HTTPS entry and click Edit. Verify that Communications Server WebServicesExternalCertificate is bound to this protocol.

Create DNS Records

Create external DNS A records pointing to the public external interface of your ISA Server, as described in Configure DNS Records for Edge Support. You will need DNS records for the external Web Service FQDNs for each pool, the Director (or Director pool), and each Simple URL.

Verify Access through Your Reverse Proxy

Use the following procedure to verify that your users can access information on the reverse proxy. You may need to complete the firewall configuration and DNS configuration before access will work correctly.

To verify that you can access the Web site through the Internet

Open a Web browser, type the URLs in the Address bar that clients use to access the Address Book files and the Web site for Web conferencing as follows:
- For Address Book Server, type a URL similar to the following: https://externalwebfarmFQDN/abs/ where externalwebfarmFQDN is the external FQDN of the Web farm that hosts Address Book server files. The user should receive an HTTP challenge, because directory security on the Address Book Server folder is configured to Microsoft Windows authentication by default.
- For Web conferencing, type a URL similar to the following: https://externalwebfarmFQDN/conf/Tshoot.html where externalwebfarmFQDN is the external FQDN of the Web farm that hosts meeting content. This URL should display the troubleshooting page for Web conferencing.
- For distribution group expansion, type a URL similar to the following: https://ExternalwebfarmFQDN/GroupExpansion/service.asmx. The user should receive an HTTP challenge, because directory security on the distribution group expansion service is configured to Microsoft Windows authentication by default.
- For dial-in, type the simple URL for dial-in. The user should be directed to the dial-in page.