Configuring Windows 2012 R2 Web Application Proxy to publish Lync 2013



Web Application Proxy is a new feature in Windows Server 2012 R2

It is part of the Remote Access role service in and provides reverse proxy functionality to publish web applications inside the corporate network and make them available to users outside our internal deployment. Lync 2013 requires a reverse proxy to publish resources that are deployed on the Front End including the dialin and meet pages (for more details please read my post Understanding Simple URLs In Lync )
Web Application Proxy (from now on, WAPX) can replace existing solutions for reverse proxying Lync like UAG and TMG. An important limit of WAPX is that it requires a working Active Directory Federation Services (AD FS) server inside our network.

It is a pre-requirement and the configuration of WAPX will not accomplish if the connection with AD FS is not running in the right manner. During this webcast I will show how to configure AD FS server, the WAPX server and how to set publishing rules for Lync 2013.


A short Explanation of the outline of the test lab

The test deployment is made up by a Domain Controller (Aphrodite) a Certification Authority (Artemis) and a Lync 2013 S.E. Front End (Apollo). The internal domain name is Lync2013.Dom

We will configure the AD FS server (Eleos) and the WAPX server (Hephaestus) during this webcast


Configuring AD FS server

The configuration of AD FS and WAPX requires a digital certificate (for SSL). The certificate can be the same, created on AD FS and then exported to the server WAPX, or you can create a certificate on the AD FS (containing the FQDN of the server as Common Name) and a second certificate (type wildcard or *) for the Web Application Proxy.

We will use the second solution (the type of certificate that I used on AD FS, “computer” does not have and exportable private key).

I have used the certificates Snap-in on the Eleos server to require a certificate of the “Computer” type and the utility from DigiCert to require the * certificate.

We have to create a domain user (in our scenario Lync2013ServicesADFS) that will be used as a service user for AD FS and for the WAPX. This user is a local administrator in both the servers.

During the configuration we have installed the Web Server (IIS) role and then the Federation Server role on Eleos. The installation does not require special attention. At the end of this phase, we will be prompted to configure the role. The error associated with the SPN always occurs, but does not affect our configuration.


Configuring WAPX server

Installing the Web Application Proxy feature requires the Remote Access role (selecting the Web Application Proxy feature). The configuration wizard will require the name of the federation service (in our scenario, the FQDN of the AD FS server) and the service account to use (as in the previous step, we will use Lync2013ServicesADFS)

Note: The procedure is often subject to errors, whose diagnosis requires also to read the log of both servers. In case of problems, I suggest to use the PowerShell cmdlets that provide a first diagnostic screen.


Configuring Publishing Rules for Lync 2013

Once the configuration is complete, we can use the Publish option (task pane). For Lync the rules require that the public name is redirected to the Front End server on port 4443 (in a standard configuration).

Marc Terblanche has published a good blog post that includes a sample publishing script ( )