Lync Reverse Proxy Host Header Forwarding

by Jamie Schwinn on February 21, 2011

A new post on the DrRez blog outlines the configuration of Microsoft Forefront Threat Management Gateway 2010 for Lync Reverse Proxy. This article does a good job of explaining the steps required to publish the Lync Server web services to conference attendees but does not include some important settings for remote users.

To be fair, the article does indicate that there is another installment to the series. But, I thought I would publish a quick note regarding an issue that crops up when publishing the Meeting Join or Dial-in Conferencing Settings page. If configured incorrectly, the Meeting Join or Dial-in Conferencing Settings page will not load for external users and only a blank page is displayed. This issue occurs when the Reverse Proxy Web Publishing rule for Lync does not forward the original host header from the client.

When publishing the Lync Server web services, you must select the option to “Forward the original host header instead of the actual one specified in the Internal site name field on the previous page”.

If this option was not selected when the publishing rule was created, it can be changed on the “To” tab of the Rule Properties. Select “Forward the original host header instead of the actual one (specified in the Internal site name field)”.

The IIS URL Rewrite rules configured on the Lync IIS web site look for Simple URLs and redirect them to the appropriate virtual directory. By default, IIS URL Rewrite rules redirect to the following paths for external users: redirects to redirects to

In these examples, is the configured External Web Services URL in the Lync topology. The Admin Simple URL follows the same principle but is not exposed to external users and is not published by the Reverse Proxy. If the original host header is not forwarded to the Lync Server by the Reverse Proxy, the IIS URL Rewrite rules do not match the request, and a blank page is displayed to users.

The article also fails to include the Dial-in Simple URL in the Publishing Rule Public Name list, on the SSL Certificate Subject Alternate Name attribute, and in public DNS. Perhaps the author of the post intended to include this information in Part 2.
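A simplified model of the two failure modes described above: the replaced host header, and a Simple URL missing from the Public Name list. This is an added example, not code from the DrRez article, Lync or TMG. Every hostname, path and function name in it is a constructed assumption.

```python
from dataclasses import dataclass

# Constructed values for illustration only; none come from the article.
EXTERNAL_WEB_FQDN = "lyncweb-ext.example.com"   # assumed External Web Services FQDN
INTERNAL_SITE_NAME = "fe01.example.local"       # assumed "Internal site name" on the rule
SIMPLE_URL_VDIRS = {                            # assumed Simple URL host -> virtual directory
    "meet.example.com": "/Meet/",
    "dialin.example.com": "/Dialin/",
}

@dataclass(frozen=True)
class PublishingRule:
    public_names: frozenset        # hosts listed on the rule's Public Name tab
    forward_original_host: bool    # the option on the "To" tab

def proxy(rule, client_host):
    """Return the Host header the backend receives, or None if the rule does not apply."""
    if client_host.lower() not in rule.public_names:
        return None
    return client_host if rule.forward_original_host else INTERNAL_SITE_NAME

def backend_redirect(host_header):
    """Host-keyed rewrite: redirect target, or None when no rule matches the Host header."""
    vdir = SIMPLE_URL_VDIRS.get(host_header.lower())
    return f"https://{EXTERNAL_WEB_FQDN}{vdir}" if vdir else None

def audit(rule):
    """Map each Simple URL host to what an external user would get through this rule."""
    results = {}
    for host in SIMPLE_URL_VDIRS:
        seen = proxy(rule, host)
        if seen is None:
            results[host] = "not published"
        else:
            results[host] = backend_redirect(seen) or "blank page"
    return results

if __name__ == "__main__":
    broken = PublishingRule(frozenset({"meet.example.com"}), False)
    fixed = PublishingRule(frozenset(SIMPLE_URL_VDIRS), True)
    for label, rule in (("broken", broken), ("fixed", fixed)):
        print(label, audit(rule))
```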


soder September 29, 2011 at 1:05 pm

I simply don't understand, if this is an essential configuration mistake, how the hell it has not yet been corrected in the Lync documentation?

It's already a year since this bug is in the guide, if every engineer configures TMG according to this mistake, no one in the world should have a working Lync deployment, right?

DrRez February 9, 2012 at 7:12 pm

Thanks folks.

I will make sure Mike Atkins, author of Remote Conferencing with Lync Web App with Forefront Threat Management Gateway 2010 Reverse Proxy: Part 1 and Part 2 on the DrRez blog sees your concerns.

Soder, you mention a “guide.” Can you give me a pointer? I’ll make sure the Lync Documentation Team sees this as well.

DrRez February 9, 2012 at 7:17 pm
