As TMG 2010 is being taken out of the picture, some companies are looking for a third-party option to publish their Lync services.
We are one of those companies; we are still in the decision-making stage: should we go with a hardware load balancer that also does the publishing, or is there something cheaper?
Being an ex-Linux guy, I thought: why not Apache? So I started researching:
- Is it possible?
- How to do it?
- What are the problems?
And I found out it can be done, and it's not that hard. You can install the Apache server on a Windows Server box (if you prefer that, and have no experience with Linux) or you can install it on a Linux box.
In this article I will show you how to do it on a Windows Server box, and I will write another one on how to install it on a Linux box.
You need two NICs in your box:
- One NIC connected to your internal VLAN, the one Lync is on (it should have NO default gateway configured)
- Note that it's more secure to have one NIC connected to an internal DMZ VLAN and one connected to an external DMZ VLAN.
- One NIC connected to your external DMZ VLAN (this one should have the default gateway configured)
- Open cmd with administrator privileges and add a static route with the following command, so that traffic on the internal NIC (the one without a gateway) knows where to go and which gateway to use:
- ROUTE ADD -p <network-ip> MASK <subnet mask> <gateway>
It should look like this:
- route add -p 10.10.10.0 mask 255.255.255.0 10.10.10.1
- Using route print you should see your routing table and find this entry in it.
P.S. If you made a mistake in the route you can always delete it with route delete followed by the rule you mistakenly added:
- route delete 10.10.10.0 mask 255.255.255.0 10.10.10.1
- Using your network router, map the public IP to the one in the DMZ.
Downloading and installing Apache
- First you need to download Apache if you are going to use a Windows box
- Download Apache from http://httpd.apache.org/
- Installing Apache is a straightforward task: double-click the .msi file you downloaded and Next >> Next >> Next 😛
Configuring Apache Server
One thing to know: with open source applications, most configuration is done through files with the extension .conf. That being said, let's begin.
Most of our work will be done in the file httpd.conf, located under "C:\Program Files (x86)\Apache Software Foundation\conf".
Add Firewall Exceptions
This needs to be done to allow public access to the URL, so we add a firewall exception on the Windows box.
This can be done with the netsh command:
- netsh advfirewall firewall add rule name="Apache TLS port 443" dir=in action=allow protocol=TCP localport=443
Configure SSL & install Certificate
To use Apache as a reverse proxy and to configure it to use TLS/SSL, some editing needs to be done to the httpd.conf file.
- Open httpd.conf using Notepad or Notepad++ (I'm going to use Notepad++ so I can tell you which line to edit, to make it easier)
- Locate the following lines (modules) and uncomment them (uncomment = remove the # sign in front of the line). Uncommenting a module turns it "on", while commenting it turns it "off":
- Line 63: uncomment mod_auth_basic.so
- Line 64: comment mod_auth_digest.so
- Line 110: uncomment LoadModule proxy_module modules/mod_proxy.so
- Line 115: uncomment LoadModule proxy_http_module modules/mod_proxy_http.so
- Line 119: uncomment LoadModule ssl_module modules/mod_ssl.so
- Line 482: uncomment Include conf/extra/httpd-ssl.conf
- Save the file
- Now the Apache service will throw errors and won't start, because it's configured to use SSL but there is no SSL certificate associated with the server.
- I'm assuming you already have your public certificate ordered, with meet, dialin and lyncdiscover listed as subject alternative names on it.
Certificate export and import
- So let's say you already have the certificate installed and in use, as you are an ex-TMG user.
- Start mmc, add the Certificates snap-in, locate your public certificate and export it (with the private key).
- You will get a .pfx file. Copy it to the Apache server into a folder you create under C:, for example "Lync-Certificate".
- Now start a command prompt with administrative privileges.
- Navigate to C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin
- Extract the private key from the certificate with the following command (Apache doesn't understand .pfx):
- openssl pkcs12 -in C:\Lync-Certificate\lync_cert.pfx -nocerts -out C:\Lync-Certificate\lync_cert.key.pem
- Extract the public certificate with the following command:
- openssl pkcs12 -in C:\Lync-Certificate\lync_cert.pfx -clcerts -nokeys -out lync_cert.cert.pem
- Now convert the exported key to the RSA format Apache understands (note that this writes the key without a passphrase, so keep the file's permissions tight):
- openssl rsa -in C:\Lync-Certificate\lync_cert.key.pem -out C:\Lync-Certificate\Lyncdude.key
- Now navigate to C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra
- Create a new folder, let's call it SSL
- Copy both exported files (lync_cert.cert.pem and Lyncdude.key) to the SSL folder
Now open the file httpd-ssl.conf (the one we included above), located under C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra, using Notepad.
Locate line 60 and add the following line after it:
- SSLProxyEngine on
- Uncomment the line SSLSessionCache "dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache"
- COMMENT the line SSLSessionCache "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
- Locate the <VirtualHost _default_:443> block and make sure the line "SSLEngine on" inside it is not commented
- Locate the line SSLCertificateFile and point it at our exported certificate, in this case C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\SSL\lync_cert.cert.pem
- Locate the line SSLCertificateKeyFile and point it at the key file, in this case C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\SSL\Lyncdude.key
- Save the file and close it.
Now you can restart the Apache service, and if everything was done correctly it will start with no errors.
Back-end services and configuring Apache to work as a Reverse Proxy
The previous part was the hardest; now it's easy. We need to configure Apache to work as a reverse proxy.
- Open httpd.conf
- Locate the part that says # 'Main' server configuration (should be line 146)
- Add the following:
<Proxy *>
    Allow from all
</Proxy>
ProxyPass / https://lync-pool.lynclog.com:4443/
ProxyPassReverse / https://lync-pool.lynclog.com:4443/
- Replace "lync-pool" with the name of your Lync pool
- Restart the Apache service
- If everything we did is correct you can now visit your dialin and meet URLs and also test your Lync mobile connections.
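The module edits, the SSLProxyEngine line and the proxy block above are easy to get half-right, so here is an added example (mine, not part of the original post or of Apache) that applies those edits to a constructed httpd.conf fragment and lints the result: it flags a missing directive, a forgotten SSLProxyEngine, a plain-http hop to the pool, and ProxyRequests On, which together with "Allow from all" would turn the box into an open forward proxy. The ProxyRequests Off line is my addition for that reason (it is Apache's default); the pool name is the post's example.

```python
import re

# Constructed sample: the four httpd.conf directives the post toggles, as they
# ship (commented out) before editing.
SAMPLE_HTTPD_CONF = """\
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule ssl_module modules/mod_ssl.so
#Include conf/extra/httpd-ssl.conf
"""

REQUIRED = [
    "LoadModule proxy_module modules/mod_proxy.so",
    "LoadModule proxy_http_module modules/mod_proxy_http.so",
    "LoadModule ssl_module modules/mod_ssl.so",
    "Include conf/extra/httpd-ssl.conf",
]

# The post's proxy block, plus ProxyRequests Off (Apache's default, written out
# so nobody later flips it and makes "Allow from all" an open forward proxy).
PROXY_BLOCK = """
ProxyRequests Off
SSLProxyEngine on
<Proxy *>
    Allow from all
</Proxy>
ProxyPass / https://{pool}:4443/
ProxyPassReverse / https://{pool}:4443/
"""

def apply_lync_edits(conf: str, pool: str) -> str:
    """Uncomment the required directives and append the reverse-proxy block."""
    for directive in REQUIRED:
        pattern = r"(?m)^#\s*" + re.escape(directive) + r"\s*$"
        conf = re.sub(pattern, directive, conf)
    return conf + PROXY_BLOCK.format(pool=pool)

def lint_lync_proxy(conf: str) -> list:
    """Return a list of problems (empty means OK). Feed it httpd.conf and
    httpd-ssl.conf concatenated, since SSLProxyEngine lives in the latter."""
    active = [ln.strip() for ln in conf.splitlines()
              if ln.strip() and not ln.lstrip().startswith("#")]
    problems = ["missing: " + d for d in REQUIRED if d not in active]
    if not any(re.fullmatch(r"SSLProxyEngine\s+on", ln, re.I) for ln in active):
        problems.append("SSLProxyEngine off: Apache cannot speak TLS to the pool on 4443")
    if any(re.fullmatch(r"ProxyRequests\s+on", ln, re.I) for ln in active):
        problems.append("ProxyRequests On: with 'Allow from all' this is an open forward proxy")
    if any(ln.startswith("ProxyPass ") and " http://" in ln for ln in active):
        problems.append("ProxyPass to plain http: the hop to the pool is unencrypted")
    return problems
```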