ARR: how to setup and use with multiple Lync/SfB SIP domains

Hi All,
in this article I’ll show you how to set up ARR as a Reverse Proxy for Lync / Skype for Business / Office Web App / Office Online Server (and, if you want, for Exchange, SharePoint, ADFS…) and, more importantly, how to use a very simple but useful trick to publish many lyncdiscover.<SIPDomain> names with a simple 5-domain SAN certificate or a wildcard certificate.

 

Scenario

[image: arr_2]

Let’s assume that you have the following public DNS A Records for your SfB deployment:

Record                  Type  Value    Note
meet.uclab.com          A     1.2.3.4  Meet Simple URL (only 1 per deployment)
dialin.uclab.com        A     1.2.3.4  Dialin Simple URL (only 1 per deployment)
uc.uclab.com            A     1.2.3.4  External Web Service URL (1 for each Front-End Pool)
lyncdiscover.uclab.com  A     1.2.3.4  Lyncdiscover (1 for each SIP Domain)
officewebapp.uclab.com  A     1.2.3.4  Office Web App URL (normally 1 per deployment)
  • The Public IP is 1.2.3.4 and there is a NAT to 192.168.1.10
  • Only HTTPS traffic is allowed.
  • On ARR we will use a SAN (5 domains) or Wildcard SSL Certificate from a Public CA (Digicert for example).

Step 1: ARR Setup
On a Windows Server 2012 R2 or 2016 server install:

  • .NET Framework 3.5
  • IIS with following components
    [image: arr_1]
  • Download Microsoft Web Platform Installer http://www.microsoft.com/web/downloads/platform.aspx and install it
  • Search for ARR and install Application Request Routing 3.0
  • Install the CA chain of the internal PKI in the certificate store

Step 2: ARR Customization
Set the Worker Process to Always Run:

  • Launch IIS Manager
  • Select Application Pools (by default, DefaultAppPool is the corresponding application pool for the Default Web Site)
    • Right-click on DefaultAppPool in the right-hand side and then click on Advanced Settings: change the Idle Time-out (minutes) value from 20 to 0 (zero) to disable the setting and then click OK to save the changes
    • Right-click on DefaultAppPool in the right-hand side and then click on Recycling: clear the Regular time intervals (in minutes) checkbox so that it is blank
  • Under the IIS root, open Request Filtering.
    • Click Edit Feature settings on the right and change the Maximum allowed content length to 2147483648 (this is mandatory for Exchange Publishing)

Step 3: ARR Network Settings
In our example the ARR NIC is configured with the DMZ IP 192.168.1.10.
For improved security it is recommended to use external DNS plus the hosts file, and to remove the bindings for “File and Printer Sharing” and “Client for Microsoft Networks” on the NIC.
[image: arr_5] [image: arr_6]
[image: arr_3] [image: arr_4]

Step 4: obtain Public SSL Certificate and use it on ARR
To create the CSR I always suggest using the DigiCert Certificate Utility for Windows (https://www.digicert.com/util/).
Follow instructions on this page CSR Creation Instructions for Microsoft Servers https://www.digicert.com/util/csr-creation-microsoft-servers-using-digicert-utility.htm

Here you can find two examples, with a 5-domain SAN request and a Wildcard request.
[image: arr_7] [image: arr_8]
Once you have obtained the issued certificate from the CA, load it on the server following one of these instructions:

In this article I will use the SAN certificate.
[image: arr_9]

It is better to remove the HTTP binding on the site, so that only HTTPS is served.
[image: arr_10]

Step 5: configure standard SfB and Office Web App Farms
Now that ARR is ready, we can create standard Lync / Skype for Business and Office Web App / Office Online Server Farms.

Open IIS Manager -> Server Farms -> Create Server Farm…
Start with “SfB Front-End”
[image: arr_10b] [image: arr_11]

In Server address enter the FQDN of your SfB Front-End Standard Pool.
Be careful to expand Advanced Settings and enter httpPort 8080 and httpsPort 4443, because this traffic must go to the External Web Services virtual site on the Front-End; then click Add.
[image: arr_12]

Note: the ports resetting after you click Add is normal behaviour, don’t worry about it.
Click Finish.
Remember to add the IP and FQDN to the hosts file.
[image: arr_13]

Repeat the process for the Office Web App Farm.
Note: here you have to use the standard ports 80 and 443.
[image: arr_14] [image: arr_15]

At the end you will have two new Farms, like in the image below.
[image: arr_16]

For each Farm, select it and set the Caching and Proxy values as suggested below.
[image: arr_19]

Caching
SfB Front-End Farm: Disable disk cache
Office Web App Farm: Disable disk cache
[image: arr_18]

Proxy
SfB Front-End Farm: Time-out to 1200 and Response Buffer Threshold to 0
Office Web App Farm: Time-out to 300 and Response Buffer Threshold to 0
[image: arr_17]

Step 6: configure URL Rewrite Rules
Before we can correctly set up the Rewrite Rules, it is important to understand how ARR “thinks”. An incoming request can be described by these basic components (server variables):
{HTTPS}://{HTTP_HOST}/{URL}?{QUERY_STRING}

So an incoming request for https://meet.uclab.com/Meet?key=A1B2C3D4 corresponds to:
{HTTPS} = on
{HTTP_HOST} = meet.uclab.com
{URL} = Meet
{QUERY_STRING} = key=A1B2C3D4

Select the ARR Server itself in the left tree -> URL Rewrite
[image: arr_20]

Double click on the first rule, “ARR_SfB_Front-End_loadbalance”
[image: arr_21]

Match URL
Set Regular Expression and (.*) as Pattern.
Note: this is not mandatory; you can leave Wildcard and * as the default settings, but I prefer to use RegEx in my rules.
[image: arr_22]

Conditions
Add these two conditions:
{HTTPS} = on
{HTTP_HOST} = (meet|dialin|uc|lyncdiscover).uclab.com

[image: arr_23] [image: arr_24]

Set the Action Scheme to https://
[image: arr_25]

Now open “ARR_Office Web App_loadbalance”.
Repeat the same process for Office Web App, with these Conditions:
{HTTPS} = on
{HTTP_HOST} = officewebapp.uclab.com

Step 7: Reverse Proxy test

Test the Reverse Proxy by trying to open some SfB and Office Web App pages from the Internet, for example
https://dialin.uclab.com
https://officewebapp.uclab.com/hosting/discovery

Remember to add your CA chain to the certificate store on the ARR server, otherwise ARR will not trust the certificates presented by the Front-End and Office Web App servers!


 

Evolution of the scenario: add more SIP domains

Now that everything is working with your primary SIP domain (uclab.com in this example), your Company/Customer asks you to add other SIP domains to the SfB deployment, for example ucdev.net, uc4u.biz, ucme2.it and (many) others.

What you cannot avoid: buying more “lines” in the SAN certificate used on the Edge server. You NEED one sip.<domain> entry for each domain, plus one for the Web Conferencing Edge service. Period.

What you CAN avoid: buying more SAN “lines” for the Reverse Proxy SSL certificate!
On your Reverse Proxy, ARR or any other brand, you can use the existing certificate (SAN or Wildcard) without expanding it; you only need a new Public IP.
Let’s see how.

As explained at the beginning of the article, for every SIP domain added to the deployment the only mandatory Reverse Proxy related FQDN is lyncdiscover.<domain>.

In this example there is already a lyncdiscover.uclab.com (present in the certificate), and we also have to manage
lyncdiscover.ucdev.net
lyncdiscover.uc4u.biz
lyncdiscover.ucme2.it

These records are used by clients as the primary registration lookup method.

It is important to remember two things:

A. Protocol and search order:

  1. https://lyncdiscoverinternal.<SIPDomain>
  2. http://lyncdiscoverinternal.<SIPDomain>
  3. https://lyncdiscover.<SIPDomain>
  4. http://lyncdiscover.<SIPDomain>

B. It is possible to redirect incoming HTTP traffic to a different HTTPS URL.

If you combine A and B, you have the solution for our task:

  1. A client of ucdev.net will first try https://lyncdiscover.ucdev.net, but the Lyncdiscover HTTP web site does not listen for HTTPS traffic (and the new public IP only allows HTTP), so the client gets no answer, and no certificate mismatch error either.
  2. The client then tries http://lyncdiscover.ucdev.net
  3. ARR redirects the HTTP traffic to https://lyncdiscover.uclab.com
  4. The client reaches the SfB External Web Service over HTTPS correctly, with a host name that is in the certificate
    [image: arr_30]

Step 8: configure ARR for lyncdiscover redirect

  1. Assign a new DMZ IP and a new Public IP to ARR. NAT the Public IP to the DMZ IP and allow HTTP traffic only, not HTTPS (see the example below)
    [image: arr_26]
  2. Add a new Website with these settings (ok, you can change the name if you want) 🙂
    [image: arr_27]
  3. Check the binding on the Default Web Site: be sure it listens on the primary IP only
    [image: arr_28]
  4. You will obtain something like this
    [image: arr_29]
  5. ARR Root -> URL Rewrite -> Add Rule(s) -> Blank rule -> OK
    [image: arr_31]
  6. Configure the new rule as in the image below.
    Pay attention to the Conditions:
    {HTTPS} = off
    {HTTP_HOST} = lyncdiscover.(ucdev.net|uc4u.biz|ucme2.it)
    You have to replace these additional example SIP domains with yours 🙂
    [image: arr_32]
  7. Test it and enjoy this simple but useful rule!
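To make the rule logic of Step 6 and Step 8 concrete, here is a small added example (my own code, not the article's configuration or any Microsoft tooling) that decomposes a request into the {HTTPS}/{HTTP_HOST}/{URL}/{QUERY_STRING} server variables, evaluates the farm rules and the lyncdiscover redirect rule against sample requests, and emits the equivalent <rule> XML as it would appear in applicationHost.config. The farm names and host names are the article's; the rule name "lyncdiscover_redirect", the redirect target path handling and the sample requests are constructed. One deliberate difference from the article: the host patterns are anchored with ^ and $ and have their dots escaped. URL Rewrite conditions use "contains" matching, so the article's unanchored patterns work, but anchoring guarantees that only exactly the published host names are proxied to the farms.

```python
# Added example (not the article's own configuration): a model of how IIS URL
# Rewrite / ARR evaluates the rules from Step 6 and Step 8. Farm and host names
# come from the article; "lyncdiscover_redirect" and the samples are constructed.
import re
from dataclasses import dataclass
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr


def server_variables(request_url):
    """Decompose a request into the four server variables described in Step 6.
    {URL} is given without its leading slash, as in the article ({URL} = Meet)."""
    p = urlsplit(request_url)
    return {
        "HTTPS": "on" if p.scheme == "https" else "off",
        "HTTP_HOST": p.netloc.lower(),
        "URL": p.path.lstrip("/"),
        "QUERY_STRING": p.query,
    }


@dataclass
class Rule:
    name: str
    conditions: list          # (server variable, regex) pairs; all must match
    action: str               # "Rewrite" sends to an ARR farm, "Redirect" answers 302
    target: str               # farm name (Rewrite) or host name (Redirect)
    match_url: str = "(.*)"   # Match URL pattern, regular-expression syntax as in Step 6

    def matches(self, v):
        if not re.search(self.match_url, v["URL"]):
            return False
        # Condition patterns have "contains" semantics: an unanchored host pattern
        # also matches a longer host that merely contains it, so the patterns in
        # RULES are anchored with ^ and $ and have their dots escaped.
        return all(re.search(pat, v[var]) for var, pat in self.conditions)

    def apply(self, v):
        """Return (action, resulting URL). {R:0} is the whole Match URL capture;
        the query string is appended, as URL Rewrite does by default."""
        path = re.search(self.match_url, v["URL"]).group(0)
        qs = "?" + v["QUERY_STRING"] if v["QUERY_STRING"] else ""
        return self.action, f"https://{self.target}/{path}{qs}"

    def to_webconfig(self):
        """Emit the equivalent <rule> element as stored in applicationHost.config."""
        lines = [f'<rule name={quoteattr(self.name)} patternSyntax="ECMAScript" stopProcessing="true">',
                 f'  <match url={quoteattr(self.match_url)} />',
                 "  <conditions>"]
        for var, pat in self.conditions:
            var_ref = "{" + var + "}"
            lines.append(f'    <add input={quoteattr(var_ref)} pattern={quoteattr(pat)} />')
        action_url = "https://" + self.target + "/{R:0}"
        lines += ["  </conditions>",
                  f'  <action type={quoteattr(self.action)} url={quoteattr(action_url)} />',
                  "</rule>"]
        return "\n".join(lines)


RULES = [
    # Step 6: HTTPS requests for the published names go to the two farms.
    Rule("ARR_SfB_Front-End_loadbalance",
         [("HTTPS", "on"), ("HTTP_HOST", r"^(meet|dialin|uc|lyncdiscover)\.uclab\.com$")],
         "Rewrite", "SfB Front-End"),
    Rule("ARR_Office Web App_loadbalance",
         [("HTTPS", "on"), ("HTTP_HOST", r"^officewebapp\.uclab\.com$")],
         "Rewrite", "Office Web App"),
    # Step 8: plain HTTP for the additional SIP domains is redirected to the
    # lyncdiscover name that is present in the certificate (rule name constructed).
    Rule("lyncdiscover_redirect",
         [("HTTPS", "off"), ("HTTP_HOST", r"^lyncdiscover\.(ucdev\.net|uc4u\.biz|ucme2\.it)$")],
         "Redirect", "lyncdiscover.uclab.com"),
]


def route(request_url, rules=RULES):
    """Return (rule name, action, resulting URL) for the first matching rule,
    or None when no rule matches (ARR would then serve the request locally)."""
    v = server_variables(request_url)
    for rule in rules:
        if rule.matches(v):
            action, url = rule.apply(v)
            return rule.name, action, url
    return None


if __name__ == "__main__":
    for url in (  # constructed sample requests
        "https://meet.uclab.com/Meet?key=A1B2C3D4",
        "https://officewebapp.uclab.com/hosting/discovery",
        "http://lyncdiscover.ucdev.net/Autodiscover/AutodiscoverService.svc/root?sipuri=user@ucdev.net",
        "https://meet.uclab.com.example/Meet",  # only contains a published name: no rule matches
    ):
        print(url, "->", route(url))
    print(RULES[2].to_webconfig())
```

Running the script shows the third request, the client's HTTP fallback from Step A, being answered with a redirect to https://lyncdiscover.uclab.com with the original path and query preserved, while the last request, whose host only contains meet.uclab.com, is not proxied anywhere thanks to the anchored pattern.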

As always, I hope this page could help some of you.
Best Regards
Luca
