Configuring TMG to Support Lync Server


Forefront TMG is the logical successor of ISA 2006 SP1 and is the other primary choice for use as a reverse proxy with Lync Server. The high-level steps for publishing Lync Server with Forefront TMG are the same as those for ISA 2006 SP1. The specific steps that vary due to the slightly different interface are detailed in the following sections.


Tip

Because Forefront TMG is a native 64-bit application, whereas ISA 2006 SP1 is a 32-bit application, it has the potential to service a much larger number of connections and could be a key decision point for large deployments.


Configure Web Publishing Rules

Web publishing rules are used by Forefront TMG Server to securely publish internal resources over the Internet. In addition to providing web service URLs for the various Lync Server virtual IIS directories, it is also necessary to create publishing rules for simple URLs. For each simple URL, it is necessary to create an individual rule on the reverse proxy that references that URL. The following procedure can be used to create a web publishing rule:

1. Log on to the Forefront TMG Server.

2. Click Start, All Programs, Microsoft Forefront TMG, and Forefront TMG Management.

3. In the left pane, expand the name of the TMG Server.

4. Right-click Firewall Policy, click New, and click Web Site Publishing Rule, as shown in Figure 12.10.

Figure 12.10 Creating a New Website Publishing Rule


5. On the Welcome to the New Web Publishing Rule page, enter a name for the publishing rule that will be easy to reference in the future. Click Next.

6. On the Select Rule Action page, choose Allow. Click Next.

7. On the Publishing Type page, select Publish a single Web site or load balancer and click Next.

8. On the Server Connection Security page, choose Use SSL to connect to the published Web server or server farm. Click Next.

9. On the Internal Publishing Details page, in the Internal site name box, enter the FQDN of the internal web farm where meeting content and the Address Book are hosted.


Note

The ISA Server must be able to resolve the FQDN entered in step 9. If the ISA Server will not be able to reach a DNS server that can resolve the FQDN, select Use a computer name or IP address to connect to the published server and then enter the IP address in the Computer name or IP address box, as shown in Figure 12.11.

Figure 12.11 Connecting to an IP Address



10. On the Internal Publishing Details page, enter /* as the path of the published folder. Click Next.

11. On the Publish Name Details page, verify that This domain name is selected under Accept Requests for. Type the FQDN of the external web farm into the Public Name box. Click Next.

12. On the Select Web Listener page, click New.

13. On the Welcome to the New Web Listener Wizard page, enter a name for the new web listener in the Web listener name box. Click Next.

14. On the Client Connection Security page, choose Require SSL secured connections with clients. Click Next.

15. On the Web Listener IP address page, select external, and click Select IP Addresses.

16. On the external Listener IP selection page, select Specified IP address on the TMG Server computer in the selected network, select an IP address, and click Add. Click Next.

17. On the Listener SSL Certificates page, click Assign a certificate for each IP address, and select the IP address that was added in step 16. Click Select Certificate.

18. On the Select Certificate page, select the certificate matching the public name selected in step 11, as shown in Figure 12.12, and click Select. Click Next.

Figure 12.12 Selecting the Certificate


19. On the Authentication Settings page, select No Authentication. Click Next.

20. On the Single Sign On Settings page, click Next.

21. On the Complete the New Web Listener Wizard page, click Finish.

22. Returning to the Select Web Listener page, select the listener that was just created and click Next.

23. On the Authentication Delegation page, select No delegation but the client may authenticate directly. Click Next.

24. On the User Sets page, click Next.

25. On the Completing the New Web Publishing Rule Wizard page, verify the rule settings and click Finish.

26. Click Apply to save the changes and update the configuration, as shown in Figure 12.13.

Figure 12.13 Applying the Firewall Policy
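
Steps 11 and 18 tie each rule's public name to the certificate bound to the web listener, and every simple URL needs its own rule. The following added example (not from the book) checks an inventory of publishing rules against the SAN entries of the listener certificate; the rule names, listener name, and FQDNs are constructed, and sharing one listener across several rules is an assumption.

```python
# Added example: audit that a web listener certificate covers every public name
# used by the publishing rules. All names below are constructed sample values.

def san_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName against a host name (RFC 6125 style).

    A wildcard is honoured only as the entire left-most label and stands for
    exactly one label, so *.contoso.example covers meet.contoso.example but
    neither contoso.example nor a.b.contoso.example.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def uncovered_rules(rules: dict, listener_sans: dict) -> list:
    """Return (rule, public_name, listener) tuples the certificate does not cover.

    rules:         rule name -> (public name, listener name)
    listener_sans: listener name -> list of SAN dNSName entries on its certificate
    """
    problems = []
    for rule, (public_name, listener) in sorted(rules.items()):
        sans = listener_sans.get(listener, [])
        if not any(san_matches(s, public_name) for s in sans):
            problems.append((rule, public_name, listener))
    return problems


# Constructed inventory: one rule for external web services, one per simple URL.
RULES = {
    "Lync External Web Services": ("lyncweb.contoso.example", "Lync Listener"),
    "Lync Simple URL - meet": ("meet.contoso.example", "Lync Listener"),
    "Lync Simple URL - dialin": ("dialin.contoso.example", "Lync Listener"),
}
LISTENER_SANS = {
    "Lync Listener": ["lyncweb.contoso.example", "meet.contoso.example"],
}

if __name__ == "__main__":
    for rule, name, listener in uncovered_rules(RULES, LISTENER_SANS):
        print(f"{rule}: {name} is not on the certificate bound to {listener}")
```

A rule reported here would present clients with a certificate name mismatch, so either reissue the certificate with the missing name or bind that rule to a listener whose certificate carries it.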
