I have been reliably using IIS ARR as a low-cost replacement for ISA/TMG (it is free with Windows Server!) for some time now. Recently, however, I had a customer that had provisioned Windows Server 2012 R2, so I decided to use IIS ARR 3.0 instead of 2.5, which is what I have always used for previous installations.
There is some good information online, and I have always followed this NextHop post, which has served me well.
On the surface, IIS ARR 3.0 looks identical to 2.5; however, I ran into many challenges with rules not processing as you might expect under 2.5. After much trial and tribulation I ended up deleting all my rules, starting from scratch and coming up with a different configuration that combines some lessons learned from Lync MVP Richard Brynteson and his post.
I thought I would share this here so I can reference it and perhaps help a few folks along the way.
Start with a fresh installation of Windows Server 2012 R2 and install IIS from Server Manager. In this case I had a single-NIC server that was both domain joined and on the corporate network. Windows Firewall was enabled, and the external firewall was configured to allow TCP ports 80 and 443 inbound in a 1:1 NAT configuration.
Download the Microsoft Web Platform Installer (currently 5.0), search for IIS ARR 3.0, select it and install it.
Then open IIS Manager and the fun begins!
Initial Setup
You will need to make the following modification to the IIS application pool for the Default Web Site, which forces the application pool not to shut down after it has been idle. Change the highlighted Idle Time-out (minutes) value to 0 as shown below.
You will need to provision an SSL certificate from a public provider that contains all the URLs required for Lync, Office Web Apps and potentially Exchange Server OWA if required. I will assume that readers understand what these URLs are, and I will not go into them in much detail, nor into the process of provisioning the certificate here.
Bind this certificate in IIS like you would for any other secure website. Choose the Default Web Site and select Bindings in the Actions pane on the right. Click Add and add a binding for port 443. Select the certificate you provisioned and installed on this server.
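The two Initial Setup steps above, done from an elevated PowerShell prompt on the ARR server instead of in IIS Manager. This is an added example and not part of the original post; it assumes the Default Web Site runs in the DefaultAppPool (the IIS default) and uses a placeholder for the thumbprint of the public certificate you imported into the machine's Personal store.

```powershell
# Added example (not from the original post): the Initial Setup steps via the
# WebAdministration module that ships with IIS on Windows Server 2012 R2.
# Run from an elevated PowerShell prompt on the IIS ARR server.
Import-Module WebAdministration

# --- 1. Idle Time-out (minutes) = 0 for the Default Web Site's pool ---------
# Assumption: the Default Web Site runs in DefaultAppPool (the IIS default).
$poolPath = 'IIS:\AppPools\DefaultAppPool'
Set-ItemProperty -Path $poolPath -Name processModel.idleTimeout -Value ([TimeSpan]::Zero)

# Read it back; 00:00:00 means the pool no longer shuts down when idle.
$idle = (Get-Item $poolPath).processModel.idleTimeout
"Idle time-out is now: $idle"

# --- 2. HTTPS binding on TCP 443 with the public certificate ----------------
# Placeholder: the thumbprint (no spaces) of the certificate you installed
# into the machine's Personal store, Cert:\LocalMachine\My.
$thumbprint = 'REPLACE_WITH_CERTIFICATE_THUMBPRINT'
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My" }

# Add the 443 binding to the Default Web Site if it is not there yet.
$site = 'Default Web Site'
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate to the 0.0.0.0:443 SSL binding, replacing an old one.
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
$cert | New-Item $sslBinding | Out-Null

# Show what the site now listens on.
Get-WebBinding -Name $site | Format-Table protocol, bindingInformation -AutoSize
```

Re-running the script is harmless: the idle time-out is simply set again and the existing SSL binding is replaced with the same certificate.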
Next we can start building out the Server Farms. In IIS Manager, if you installed IIS ARR correctly, you will see “Server Farms” as a new option in the left pane.
Highlight it, right-click and select New Server Farm.
Let's start by creating the Lync Autodiscover farm that will handle the requests needed for Lync Autodiscovery to work.
Click Next and configure the settings as follows, adding the FQDN of the internal Lync Front End Server or Enterprise FE pool that will handle this request. Be sure to change the options as shown below as required by Lync.
Click Finish. You will be prompted to create IIS rewrite rules; say Yes. We will address these a bit later.
Create another Server Farm for each External Web Service you need to publish. If you are publishing for two pools, you will need to create two farms in the same way as above.
Create a Server Farm for Office Web Apps in the same way as above, except that we use the default ports 80 and 443 for the Office Web Apps server. If you have a pool of Office Web Apps servers you can add each server to a single farm.
The results will look something like this when done.
Server Farm Settings
For each server farm you created, click on the server farm and make the following changes to the highlighted items:
1. Disable caching for each farm.
2. Change the timeout value to 600 seconds in the Proxy settings. (This alleviates sign-outs on mobile clients, especially Android devices.)
3. Lastly, under Routing Rules, deselect the Use SSL offloading option. If you fail to do this you will not see the URL Rewrite rules created.
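Creating the farms and applying the first two Server Farm Settings above can also be scripted. The following is an added example, not the post's own configuration: it writes the same webFarm entries that IIS Manager stores in applicationHost.config, using made-up farm names and internal server FQDNs. The Lync ports 8080/4443 are an assumption, since the post's screenshot of those options is not reproduced; check them against your Front End's external web site bindings. Office Web Apps stays on 80/443 as the post says. The Use SSL offloading option from the Routing Rules page is not touched here.

```powershell
# Added example (not from the original post): build the ARR server farms and
# apply the Server Farm Settings from an elevated PowerShell prompt.
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, where ARR keeps webFarms

# Constructed inventory: farm name, internal servers, and the ports ARR should
# forward to. The Lync ports 8080/4443 are an assumption (the post's
# screenshot is not reproduced); Office Web Apps uses the default 80/443.
$farms = @(
    @{ Name = 'LyncAutodiscover'; Servers = @('fe-pool01.contoso.local'); HttpPort = 8080; HttpsPort = 4443 }
    @{ Name = 'LyncWebExt01';     Servers = @('fe-pool01.contoso.local'); HttpPort = 8080; HttpsPort = 4443 }
    @{ Name = 'OfficeWebApps';    Servers = @('owa01.contoso.local', 'owa02.contoso.local'); HttpPort = 80; HttpsPort = 443 }
)

foreach ($farm in $farms) {
    $farmFilter = "webFarms/webFarm[@name='$($farm.Name)']"

    # Create the farm if it does not exist yet, so re-running the script is safe.
    if (-not (Get-WebConfiguration -PSPath $appHost -Filter $farmFilter)) {
        Add-WebConfigurationProperty -PSPath $appHost -Filter 'webFarms' -Name '.' -Value @{ name = $farm.Name }
    }

    # Add each internal server and set the ports ARR forwards to.
    foreach ($server in $farm.Servers) {
        $serverFilter = "$farmFilter/server[@address='$server']"
        if (-not (Get-WebConfiguration -PSPath $appHost -Filter $serverFilter)) {
            Add-WebConfigurationProperty -PSPath $appHost -Filter $farmFilter -Name '.' -Value @{ address = $server }
        }
        Set-WebConfigurationProperty -PSPath $appHost -Filter "$serverFilter/applicationRequestRouting" -Name httpPort  -Value $farm.HttpPort
        Set-WebConfigurationProperty -PSPath $appHost -Filter "$serverFilter/applicationRequestRouting" -Name httpsPort -Value $farm.HttpsPort
    }

    # Server Farm Settings from the post:
    $arr = "$farmFilter/applicationRequestRouting"
    # 1. Disable caching for the farm.
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/cache" -Name enabled -Value $false
    # 2. Proxy time-out of 600 seconds (10 minutes) to ease mobile client sign-outs.
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/protocol" -Name timeout -Value '00:10:00'
}

# Verify: one line per farm showing the two settings just applied.
foreach ($farm in $farms) {
    $cfg = Get-WebConfiguration -PSPath $appHost -Filter "webFarms/webFarm[@name='$($farm.Name)']/applicationRequestRouting"
    '{0,-18} cache={1,-5} timeout={2}' -f $farm.Name, $cfg.cache.enabled, $cfg.protocol.timeout
}
```

The farm and server entries are only created when missing, while the port, cache and time-out values are always reapplied, which makes the script a convenient way to re-baseline a farm whose settings have drifted after GUI edits.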
URL re-write rules
Select the IIS server name and double-click the URL Rewrite option highlighted.
You will be presented with two rules for every server farm you created, so if you created 4 server farms you will see 8 rules. Delete all the rules that do NOT end in _SSL.
Office Web App URL Rewrite
Open the Office Web Apps rule that was created (the rule names match the server farm names) and configure it in the following way:
Use the regular expression pattern ((?:^en-us/|^hosting/|^m/|^o/|^oh/|^op/|^p/|^we/|^wv/|^x/).*) where shown.
Lync AutoDiscover
To configure the autodiscover rule, use the regular expression pattern (.*) but add the condition that {HTTP_HOST} matches a pattern covering all the SIP domains the Lync Server is responsible for. So if you had three domains, contoso.com, acme.com and tailspin.com, you can list them on separate lines or simply combine them in one rule as follows:
lyncdiscover.contoso.com|lyncdiscover.acme.com|lyncdiscover.tailspin.com
Lync External Web Services
For each Front End pool you must create a URL rewrite rule that corresponds to the server farm created in the first part of this setup.
This time you will need to add two conditions:
{HTTPS} matches the pattern ON, since we want to support HTTPS only for the Lync Web Service requests,
and
{HTTP_HOST} matches the pattern of your external web service URL along with all the other Lync Simple URLs required for your Front End pool. In this case I have:
LyncWebExt01.contoso.com|meet.contoso.com|dialin.contoso.com|meet.acme.com|dialin.acme.com|meet.tailspin.com|dialin.tailspin.com
Repeat this for all other farms, replacing the main web service URL with the unique web service URL of each pool. You can leave the other names in the list, as they would only trigger if the previous rule is skipped, for example when the first server pool is down.
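The three rule types above (Office Web Apps, Lync Autodiscover and Lync External Web Services) as scripted URL Rewrite global rules, created in the order the post describes so that the top-down, stop-at-first-match evaluation noted below is preserved. This is an added example, not the post's own configuration; it assumes farm names of OfficeWebApps, LyncAutodiscover and LyncWebExt01, an assumed external Office Web Apps name officewebapps.contoso.com, and the post's contoso/acme/tailspin hostnames. Two deliberate differences from the post: the host patterns are built anchored (^...$) with dots escaped, so a condition matches only the listed names exactly rather than any host that merely contains one of them, and the Office Web Apps rule gets a host condition, which the post's rule does not have.

```powershell
# Added example (not from the original post): create the URL Rewrite global
# rules that route requests to the ARR farms. Rules are evaluated top down and
# stopProcessing ends evaluation at the first match, so creation order matters.
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'
$rulesFilter = 'system.webServer/rewrite/globalRules'

# Build an anchored, escaped alternation from a host list, e.g.
# '^(lyncdiscover\.contoso\.com|lyncdiscover\.acme\.com)$'.
function New-HostPattern([string[]]$Hosts) {
    '^(' + (($Hosts | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
}

# Create (or replace) one global rule that rewrites to https://<farm>/{R:0},
# which is the action ARR itself generates for the _SSL rules.
function New-ArrFarmRule {
    param(
        [string]$Name,            # rule name, e.g. ARR_LyncAutodiscover_SSL
        [string]$Farm,            # target server farm name
        [string]$UrlPattern,      # ECMAScript pattern for the request path
        [hashtable[]]$Conditions  # each: @{ input = '{HTTP_HOST}'; pattern = '...' }
    )
    $rule = "$rulesFilter/rule[@name='$Name']"
    # Drop an existing rule of the same name so re-runs do not duplicate it.
    Remove-WebConfigurationProperty -PSPath $appHost -Filter $rulesFilter -Name '.' -AtElement @{ name = $Name } -ErrorAction SilentlyContinue
    Add-WebConfigurationProperty -PSPath $appHost -Filter $rulesFilter -Name '.' -Value @{ name = $Name; patternSyntax = 'ECMAScript'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/match" -Name url -Value $UrlPattern
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/conditions" -Name logicalGrouping -Value 'MatchAll'
    foreach ($condition in $Conditions) {
        Add-WebConfigurationProperty -PSPath $appHost -Filter "$rule/conditions" -Name '.' -Value $condition
    }
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/action" -Name type -Value 'Rewrite'
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/action" -Name url -Value "https://$Farm/{R:0}"
}

# 1. Office Web Apps: the post's path pattern. The host condition is an addition
#    (assumed external name) so only requests addressed to the OWA URL match.
New-ArrFarmRule -Name 'ARR_OfficeWebApps_SSL' -Farm 'OfficeWebApps' `
    -UrlPattern '((?:^en-us/|^hosting/|^m/|^o/|^oh/|^op/|^p/|^we/|^wv/|^x/).*)' `
    -Conditions @( @{ input = '{HTTPS}'; pattern = 'on' },
                   @{ input = '{HTTP_HOST}'; pattern = (New-HostPattern 'officewebapps.contoso.com') } )

# 2. Lync Autodiscover: any path, but only for the lyncdiscover name of each SIP domain.
New-ArrFarmRule -Name 'ARR_LyncAutodiscover_SSL' -Farm 'LyncAutodiscover' -UrlPattern '(.*)' `
    -Conditions @( @{ input = '{HTTP_HOST}'; pattern = (New-HostPattern 'lyncdiscover.contoso.com', 'lyncdiscover.acme.com', 'lyncdiscover.tailspin.com') } )

# 3. Lync External Web Services for the first pool: HTTPS only, and the pool's
#    external web services FQDN plus the simple URLs.
$pool1Hosts = 'LyncWebExt01.contoso.com', 'meet.contoso.com', 'dialin.contoso.com',
              'meet.acme.com', 'dialin.acme.com', 'meet.tailspin.com', 'dialin.tailspin.com'
New-ArrFarmRule -Name 'ARR_LyncWebExt01_SSL' -Farm 'LyncWebExt01' -UrlPattern '(.*)' `
    -Conditions @( @{ input = '{HTTPS}'; pattern = 'on' },
                   @{ input = '{HTTP_HOST}'; pattern = (New-HostPattern $pool1Hosts) } )
# Repeat step 3 per additional pool, swapping in that pool's web services FQDN.

# Show the resulting order; this is the order in which ARR evaluates the rules.
(Get-WebConfiguration -PSPath $appHost -Filter "$rulesFilter/rule").name
```

Because each rule is removed and re-added by name, re-running the script moves that rule to the end of the list; run it in full rather than for a single rule if you rely on the order shown in the last line.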
Some Notes:
1. IIS ARR rules are order dependent and run from the top down until a match is found. By default, once a rule is triggered, processing of further rules stops.
2. I find that after making changes, running iisreset /restart speeds up the process of the changes taking effect.
3. You can turn off server farms or disable servers within a farm if you are testing rules and need to troubleshoot your settings. This helps avoid second-guessing which rule is doing the processing.
4. If you use a multi-NIC server you will still need to designate the NIC facing the public internet as the default gateway, and use persistent routes for the internally connected NIC.
5. This can be done on a domain-joined or a non-domain-joined machine. If using a non-domain-joined machine you will need to use a hosts file to resolve the names of the servers in each of the farms you create. You will likely also need to do this for a multi-NIC machine whose DNS configuration points to public DNS.
I was getting a 503 error after following this guide and after trying different things I ended up finding out you need to import your Root CA certificate into the ARR server for some reason. I even went as far as configuring the external web site on the FE to use our *.domain.com wildcard certificate and it didn't work. The only thing that resolved the issue was importing the domain's Root CA that generated the "internal" FE certificate. Thank you for writing this up!
Posted by: Michael Gossett | March 19, 2015 at 04:54 PM
Also, just to clarify, I still needed to use my wildcard certificate; it just wouldn't communicate without the Root CA cert installed. I have no idea why.
Posted by: Michael Gossett | March 19, 2015 at 04:58 PM
Thanks for the comment, Michael. If your IIS ARR server is NOT domain joined then you would need to import the internal CA's root certificate so that it can properly establish TLS with the Lync Front-End Server. A domain-joined IIS ARR machine would already have and trust the internal CA root cert.
If you use public certs everywhere then this is not required, assuming that the IIS ARR server is getting the appropriate Windows updates to update its public root certificates.
Posted by: Dino Caputo | March 19, 2015 at 05:00 PM
Hi guys, should I use a *.domain.com wildcard certificate on my Lync setup when the customer doesn't have a public certificate yet? (Is it supported according to what you have written here about a domain-joined IIS ARR machine?)
To finish the project and show them it working fine.
Posted by: Thiago Beier | July 10, 2015 at 01:20 PM
Lync does not support wildcard certificates. Did it work for you?
Posted by: bharani | July 14, 2015 at 12:56 PM
Dino Caputo, I have a question: can we use a single instance of IIS ARR for multiple Lync instances? I mean, if I have one instance of Lync, Lync.domain1.com, and another instance as lync2.domain2.com, can I use a single instance of IIS ARR? Please clarify.
Posted by: bharani | July 14, 2015 at 01:09 PM
Hi,
Is it possible to publish two web sites on the same port (80)? I have a customer that wants to publish two sites through ARR 3, siteA.test.gr and siteB.test.gr. The first will publish a site from an internal server, server1.test.gr, and the second URL will publish a site from server2.test.gr.
You can see exactly what I am trying to do here http://i132.photobucket.com/albums/q11/argi6argi/Public/RProxy_1.png
The problem is that only the first HTTP site responds. For the second one, there are not even incoming requests in Monitoring and Management within the farm.
Thanks in advance,
Argiris
Posted by: plus.google.com/110684649119273802637 | September 29, 2015 at 08:05 AM
Thank you all, I have found it. I should create a condition within the URL rewrite rules regarding HTTP_HOST.
Thanks again,
Regards,
Argiris
Posted by: plus.google.com/110684649119273802637 | September 29, 2015 at 08:40 AM
As we know, a wildcard certificate is one of the most important things when we talk about Lync Server 2013. It is not supported for me. How do I resolve this issue?
Posted by: gloriawalton | June 04, 2017 at 11:48 AM