Saturday 18 February 2012

Configure Lync Web Services with a Fortigate

I have had alot of requests by other partners and Lync integrators on how to configure a Fortigate for use with Lync. Microsoft recommends to use a reverse proxy like TMG when publishing Lync web services. I have used Fortigate devices for this in multiple deployments with no issues. If you haven't read the Lync Open Interoperability Program (OIP) list you can read on it here http://technet.microsoft.com/en-us/lync/gg131938
.
Lets get started on the setup.

Lync uses port 8080 and 4443 for external web services, all we need to do is do a port forward on the Fortigate.

For this we are going to create a new "Virtual IP"

Create New VIP



The External IP Address will be the public IP Address you plan to use to publish your Lync web services on the Internet.
The Internal IP Address will be the internal IP Address of your Lync Front End Server

As a best practice for myself I create another VIP for port 80/8080. so if any user just types dialin.domain.com they will be automatically redirected to the https.




Once you have your 2 VIPs created now to publish them in the Fortigate Policy.




Create New.



Source Interface: WAN1 or WAN2 depending on which interface you are using to publish Lync.
Destination Interface: Depending on how you have your Fortigate configured. if its in Interface mode you will only have "Internal". If in "Switch" mode you will have Internal1-> 4-6
Destination Address: choose both your VIPs you created above.
Service: as for the service, alot of people choose HTTP and HTTPS, but there is no need to as you already selected your forwarding ports when you created the VIPs. so choose ANY

Once you have applied your firewall policy, try it out!

http://dialin.domain.com/, http://meet.domain.com/

Also confirm you have created public DNS entries for dialin and meet to point to the public IP Address you used in your VIPs.

8 comments:

  1. In the MS documentation it says that the "reverse proxy" should also be a ssl-proxy, to ease off the ssl load off the lync edge server. Can the FG handle that?

    ReplyDelete
  2. The Fortigate can handle SSL offloading using the hardware load balancer functions. I have not tested using HLB of a FortiGate with Lync 2010.

    ReplyDelete
  3. Hi,
    well Tim is right it will work as SSL offloading.
    Just for Lync 2010/2013 make also sure you redirect the LyncWebService to FortiGate.
    In sum: Proxy the Simple URL and WebServices.
    I will try blogging the necessary updates for complex scenario

    ReplyDelete
    Replies
    1. how do you redirect the LyncWebservice to the fortigate

      Delete
  4. Hi,
    wich model of fortigate is that? Not all of them offers this functionality...

    Tks!

    ReplyDelete
  5. does this not defeat the purpose of a reverse proxy? you are exposing your FE to the internet ...

    ReplyDelete
    Replies
    1. this does defeat the purpose of a reverse proxy, and what this post is about. It is not recommended or supported by Microsoft to configure this way, but it does work and if your willing to support it yourself your good to go.

      Thanks for reading

      Delete