Saturday, 18 February 2012

Configure Lync Web Services with a Fortigate

I have had alot of requests by other partners and Lync integrators on how to configure a Fortigate for use with Lync. Microsoft recommends to use a reverse proxy like TMG when publishing Lync web services. I have used Fortigate devices for this in multiple deployments with no issues. If you haven't read the Lync Open Interoperability Program (OIP) list you can read on it here http://technet.microsoft.com/en-us/lync/gg131938
.
Lets get started on the setup.

Lync uses port 8080 and 4443 for external web services, all we need to do is do a port forward on the Fortigate.

For this we are going to create a new "Virtual IP"

Create New VIP



The External IP Address will be the public IP Address you plan to use to publish your Lync web services on the Internet.
The Internal IP Address will be the internal IP Address of your Lync Front End Server

As a best practice for myself I create another VIP for port 80/8080. so if any user just types dialin.domain.com they will be automatically redirected to the https.




Once you have your 2 VIPs created now to publish them in the Fortigate Policy.




Create New.



Source Interface: WAN1 or WAN2 depending on which interface you are using to publish Lync.
Destination Interface: Depending on how you have your Fortigate configured. if its in Interface mode you will only have "Internal". If in "Switch" mode you will have Internal1-> 4-6
Destination Address: choose both your VIPs you created above.
Service: as for the service, alot of people choose HTTP and HTTPS, but there is no need to as you already selected your forwarding ports when you created the VIPs. so choose ANY

Once you have applied your firewall policy, try it out!

http://dialin.domain.com/, http://meet.domain.com/

Also confirm you have created public DNS entries for dialin and meet to point to the public IP Address you used in your VIPs.
Posted by at

9 comments:

  1. Calle22 October 2012 at 03:15

    In the MS documentation it says that the "reverse proxy" should also be a ssl-proxy, to ease off the ssl load off the lync edge server. Can the FG handle that?

    ReplyDelete
  2. Tim Day - MCP, MCITP, MCSE, FCNSA29 October 2012 at 20:04

    The Fortigate can handle SSL offloading using the hardware load balancer functions. I have not tested using HLB of a FortiGate with Lync 2010.

    ReplyDelete
  3. Thomas Poett20 August 2013 at 11:09

    Hi,
    well Tim is right it will work as SSL offloading.
    Just for Lync 2010/2013 make also sure you redirect the LyncWebService to FortiGate.
    In sum: Proxy the Simple URL and WebServices.
    I will try blogging the necessary updates for complex scenario

    ReplyDelete
    Replies
    1. Anonymous17 November 2013 at 18:57

      how do you redirect the LyncWebservice to the fortigate

      Delete
  4. Leleti17 October 2013 at 11:01

    Hi,
    wich model of fortigate is that? Not all of them offers this functionality...

    Tks!

    ReplyDelete
  5. leithmagon5 November 2013 at 17:54

    does this not defeat the purpose of a reverse proxy? you are exposing your FE to the internet ...

    ReplyDelete
    Replies
    1. Tim Day - MCP, MCITP, MCSE, FCNSA5 November 2013 at 19:08

      this does defeat the purpose of a reverse proxy, and what this post is about. It is not recommended or supported by Microsoft to configure this way, but it does work and if your willing to support it yourself your good to go.

      Thanks for reading

      Delete
  6. Anonymous11 October 2024 at 23:05

    Respect and that i have a dandy present: Whole House Reno remodeling old homes

    ReplyDelete

Subscribe to: Post Comments (Atom)