Use MS Web Application Proxy as reverse proxy (and ADFS) with Skype for business

Bastian W. | May 18, 2016 | Articles \ Skype for Business

Abstract: If you wish to set up a fully supported Skype for Business (SfB) environment, you can use a hardware load balancer (for example Kemp or F5) or the Microsoft Web Application Proxy (WAP), which is part of Windows Server 2012 R2.

This short how-to explains the steps needed to replace a former hardware load balancer (used for the Lync web services) with the Microsoft Web Application Proxy, which is now supported for the SfB web services.

Note: We use the Web Application Proxy for SfB here; you can later also use it for MS Exchange or Office Web Apps / Office Online Server, but that configuration is not covered in this how-to.

Preparation:

- Set up ADFS as described in Install ADFS Server on Windows 2012 R2. Note: For SfB we do not need any authentication configuration.

- Set up a server in the DMZ (our Web Application Proxy server) based on Windows 2012 R2. On that server:

* block the .NET Framework 4.6.1 installation, as described here for Exchange, until Microsoft fully supports it with SfB

* assign one external IP address (we use the internal DNS server in this how-to) [if you are replacing an old hardware load balancer you can assign its IP here]

* a publicly trusted certificate (e.g. from Comodo, Verisign, ...) [if you are replacing an old hardware load balancer you can export the certificate from there and reuse it here]

* the server does not need to be domain joined, unless you want to publish non-claims-aware applications using KCD (Kerberos Constrained Delegation), in which case it must be domain joined

- For the lab configuration shown here, you need to be a domain administrator

- Configure the proxy (as described here) on the server correctly so that the server is able to reach the internal servers

 

Firewall:

- allow HTTPS traffic to and from the Web Application Proxy server

- the Web Application Proxy server needs access to the internal DNS server

- the Web Application Proxy server must be able to reach the SfB Front End server / the hardware load balancer on port 4443

 

Implementation steps:

1.) If you do not use split DNS, you might need to adjust the hosts file on the WAP server and point the ADFS DNS name to the internal server

2.) On the Microsoft Web Application Proxy (WAP) server, first import the public SSL certificate via MMC into the Personal certificate store

3.) Start a PowerShell (run as administrator) and enter:

Install-WindowsFeature Web-Application-Proxy,RSAT-RemoteAccess-Mgmt, RSAT-RemoteAccess-PowerShell, GPMC, CMAK

4.) After the installation has finished, open the Web Application Proxy Configuration Wizard in Server Manager

5.) Click Next

6.) Enter the federation service name you defined when you set up the ADFS server, plus a username and password. Then press Next.

7.) Now select the certificate that should be used. Then press Next.

8.) On the confirmation page, make sure the information is correct, then click Configure

9.) If you see the screen below, the Web Application Proxy was configured successfully.

10.) Your Microsoft Web Application Proxy (WAP) is now ready to be used, so we can start publishing our web applications.

11.) Now open the Remote Access Management Console and click Publish

12.) Press Next in the following screen

13.) As pre-authentication we need to use "Pass-through"

14.) In the publishing settings, enter a useful name (A), choose the external URL which you entered in the topology (B), choose the certificate you imported (C), and define the backend URL (D); this is normally your internal Front End pool, which listens on port 4443. So make sure you use the correct hostname and port.

You can also check from the WAP server via telnet whether the port to the internal server is open.

15.) If you are fine with the summary shown there, press "Publish"

16.) Once successfully published, click "Close"

17.) Now you need to set DisableTranslateUrlInRequestHeaders to true to avoid the issues mentioned here.

17a.) First we need the application ID, so run the following command and make a note of the ID:

Get-WebApplicationProxyApplication | Format-Table ID, Name, ExternalURL

17b.) Once you have the ID, check the configuration via:

Get-WebApplicationProxyApplication -ID <application_ID> | fl

This should show something like the following (DisableTranslateUrlInRequestHeaders is currently False):

ADFSRelyingPartyID                           :
ADFSRelyingPartyName                         :
BackendServerAuthenticationMode              : NoAuthentication
BackendServerAuthenticationSPN               :
BackendServerCertificateValidation           : None
BackendServerUrl                             : https://yncpool.int.contoso.com:4443/
ClientCertificateAuthenticationBindingMode   : None
ClientCertificatePreauthenticationThumbprint :
DisableHttpOnlyCookieProtection              : False
DisableTranslateUrlInRequestHeaders          : False
DisableTranslateUrlInResponseHeaders         : False
ExternalCertificateThumbprint                : F2A2340D3783803F827155F14147042343B105A23A
ExternalPreauthentication                    : PassThrough
ExternalUrl                                  : https://lyncweb.contoso.com/
ID                                           : 4f8906D6-XXXX-XXXX-XXXX-8A753845d5672
InactiveTransactionsTimeoutSec               : 300
Name                                         : Skype for Business - Web Services
UseOAuthAuthentication                       : False
PSComputerName                               :

17c.) To fix that, we now need to set DisableTranslateUrlInRequestHeaders to true via:

Set-WebApplicationProxyApplication -id <application_ID> -DisableTranslateUrlInRequestHeaders:$true
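The publishing steps 11 to 17c as one PowerShell script, added here as an example and not part of the original article: it checks the 4443 path to the Front End pool, picks the imported certificate by host name, publishes the SfB web services with pass-through pre-authentication and DisableTranslateUrlInRequestHeaders already set to true, then shows the resulting settings. The host names lyncweb.contoso.com and lyncpool.int.contoso.com are constructed sample values; replace them with the external URL from your topology and your internal pool.

```powershell
# Added example (not the article's own code): publish the SfB web services
# through WAP via PowerShell instead of the Remote Access Management Console.
# Constructed sample names; adjust to your environment.
$ExternalHost = 'lyncweb.contoso.com'       # external web services URL from the topology
$BackendHost  = 'lyncpool.int.contoso.com'  # internal Front End pool
$BackendPort  = 4443
$AppName      = 'Skype for Business - Web Services'

# Step 14 check: the WAP server must reach the Front End pool on 4443.
# The article suggests telnet; Test-NetConnection does the same from PowerShell.
$probe = Test-NetConnection -ComputerName $BackendHost -Port $BackendPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Port $BackendPort on $BackendHost is not reachable from this WAP server; check the firewall first."
}

# Step 14 (C): select the imported public certificate by the external host name.
# DnsNameList includes SAN entries, so a SAN/UCC certificate matches as well.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $ExternalHost } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with private key for $ExternalHost found in the Personal store (step 2)."
}

# Steps 13 to 17c: pass-through pre-authentication (no ADFS authentication for SfB),
# backend on 4443, and DisableTranslateUrlInRequestHeaders set to true so the Host
# header keeps the external name the Front End pool expects on 4443.
$existing = Get-WebApplicationProxyApplication | Where-Object { $_.Name -eq $AppName }
if ($existing) {
    # Already published via the wizard: only apply the step 17c setting.
    Set-WebApplicationProxyApplication -ID $existing.ID -DisableTranslateUrlInRequestHeaders:$true
} else {
    Add-WebApplicationProxyApplication -Name $AppName `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl "https://$ExternalHost/" `
        -BackendServerUrl "https://${BackendHost}:$BackendPort/" `
        -ExternalCertificateThumbprint $cert.Thumbprint `
        -DisableTranslateUrlInRequestHeaders:$true
}

# Step 17b equivalent: DisableTranslateUrlInRequestHeaders must now read True.
Get-WebApplicationProxyApplication |
    Where-Object { $_.Name -eq $AppName } |
    Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication,
        ExternalCertificateThumbprint, DisableTranslateUrlInRequestHeaders
```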

18.) If you wish to use the Web Application Proxy for other services, you need to repeat the steps. You can refer to the official Microsoft how-to here, or check the "Configuring Office Online Server with Skype for Business" article here.

For troubleshooting, you could start with the event log.

 

Useful links:
https://blog.kloud.com.au/2013/07/15/publish-lync-2013-with-2012-r2-preview-web-application-proxy/
http://exchangepro.dk/2013/11/15/use-web-application-proxy-to-publish-lync-server-2013/
https://technet.microsoft.com/en-us/office/dn947483

Comments (2)

Gerrard (about 2 years ago, #464):

Step 17b) should be Get-WebApplicationProxyApplication -ID <application_ID> | fl

Bastian W. (in reply to Gerrard, about 2 years ago, #465):

Oh yes, great fix, I will update that. Thanks for the heads-up! Appreciated!