This article provides information on how to Setup Reverse Proxy for Lync 2013 using Windows 2012 R2 Active Directory Federation Proxy.

This article provides information on how to Setup Reverse Proxy for Lync 2013 using Windows 2012 R2 Active Directory  Federation Proxy.

Lync 2013 PROXY

Hello, I wanted to send you my early results  on setting up the Lync Proxy using Active Directory Federation Services for Windows 2012 R2. I have discussed writhing about this, so here is my first analysis on the new proxy method. Please let me know your feedback as you come across this beast in setup form.

First I must say Writhing was not a mis-print. There were some difficulties getting this completely working and I’m not holding back here. If you have an F5 Device or something of that nature, It should be your first line of use. I’m including the F5 Documentation as an aid to illustrate to what degree some of the UTM folks are going to support Lync. F5 has full whitepaper, setup guides, and templates that distill the setup to answering some questions- In honor of My Friend James Nelson who is a scholar of Lync and Exchange, who taught me a few things about F5:

If you must use a a non UTM device, the IISARR and ADFS methods work and are simpler then TMG to setup. Before you start reading, I’m going to say I think ISS ARR may be the same function with less effort. However from the support stand point, the more moving parts becomes the most popular in our world. Below depicts my best effort to make your experience much simpler then mine was.

Step 1 Plan – Needed Items

1. Adfs server on 2012 R2, domain joined named (x)
2.  Remote access (Rev Proxy) installed on 2012 R2 (non domain joined) named (y)
3. Federation services name (z) (step 7)
4. Federation services certificate which includes the federation name (z) step 7
5. I will concede my cert was internal CA and had all names for Lync web services and the FQDN of both 2012 boxes. This was overkill (thank you Hugh for helping me simplify my thinking). You only need the Federation Proxy name on the certificate
6. The public cert for Lync which should include all your published names like dialin, meet, lyncdiscover, wac, and lyncextwebservices. (a)
7. Z will be used to Lync x to y.  (A) is not part of the equation and only comes into play when you define your external connection on (y)
8. The federation service name is the same as the certificate name but the service acount is a unique name and cannot be the host name or the federation service name.

Step 2 Setup your ADFS server.

1. Install 2012 R2 Server and Join to domain- (x)
2. Add ADDS tools (x)
3. Install SQL or the Windows internal database. if you Install the Windows internal database, follow TechNet 2832204
3. import-module active directory (x)
4. Add-KDSRootKey –EffectiveImmediately (x)
5. Wait 10 hours – seriously
6. Install Federation services Role on X. Once installed, Please stop and make sure you have the right Managed Services Account folder in your Forrest. See- Lync ADFS issues Accounts Group
7. Once your Managed Service Accounts group is functional, Go ahead and run this to create your Managed Service account

New-ADServiceAccount adfstest -DNSHostName -ServicePrincipalNames http/ -Path “CN=Managed Service Accounts, DC=1reeves,DC=com”
Ideally you run thought the configuration wizard and all completes well –


Now we have the ADFS server complete.

Step 3. Setup the Remote Proxy Server connection

1. Go to the Proxy server y

2 Install the Remote Access role- choose reverse proxy.



3. Post configuration job will exist to enter the federation certificate and federation service name (they should match), however, the name should be different then the host name. Do not make the federation service name the same as any server. The federation service gets a DNS A record, point to the ADFS server. Clear Screen shots are available at The MS blog site

4. Once the Remote proxy service is set up, it only took 10 minutes to get the URL’s working for Lync. However, when I manually added them, they didn’t work for some reason. I’m leaning on this script to make the entire setup in one PS1 script:

Replace your domain name and your external web services name and save the file as a .ps1. Set-executionpolicy -executionpolicy unrestricted and run as needed- This script came from so thank you for helping me get this working- on (y)

$domain = “”
$webServices = “webext.”
$certificate = “84a5950fb7cd71d3bb59ad9aa0ce26badb23b124”

Add-WebApplicationProxyApplication -Name ‘Lync Web Services’ -ExternalPreAuthentication PassThrough -ExternalUrl “https://$webServices$domain/” -BackendServerUrl (“https://”+$webServices+$domain+”:4443/”) -ExternalCertificateThumbprint $certificate
Add-WebApplicationProxyApplication -Name ‘Lync Lyncdiscover’ -ExternalPreAuthentication PassThrough -ExternalUrl “https://lyncdiscover.$domain/” -BackendServerUrl (“https://lyncdiscover.”+$domain+”:4443/”) -ExternalCertificateThumbprint $certificate
Add-WebApplicationProxyApplication -Name ‘Lync Dialin’ -ExternalPreAuthentication PassThrough -ExternalUrl “https://dialin.$domain/” -BackendServerUrl (“https://dialin.”+$domain+”:4443/”) -ExternalCertificateThumbprint $certificate
Add-WebApplicationProxyApplication -Name ‘Lync Meet’ -ExternalPreAuthentication PassThrough -ExternalUrl “https://meet.$domain/” -BackendServerUrl (“https://meet.”+$domain+”:4443/”) -ExternalCertificateThumbprint $certificate
Add-WebApplicationProxyApplication -Name ‘Office Web Apps Server’ -ExternalPreAuthentication PassThrough -ExternalUrl ‘’ -BackendServerUrl ‘’ -ExternalCertificateThumbprint $certificate

You should now wee something like this-




5. Once I ran this I found the web services still did not work. an additional script is required to make the mobile devices work- Once again thank you to for this help. Distilling his steps down to the basics of what I ran (still recommend you read his very detailed post) (on y):

1. netsh http show sslcert ( this will give you the hash and ID you need for step 2)

2. netsh http add sslcert ipport= certhash=f7f6b300fe4d569fd598e1c9722571cf9ad780dd appid={f955c070-e044-456c-ac00-e9e4275b3f04}

3. TO delete this run netsh http delete sslcert ipport=

4.  Also has a script to automate this if you are doing multiple IP URL combinations.

That It. In conclusion, This is how you would set your Reverse proxy for Lync 2013 and External Web Services, Sadly at this writing, the Lync Mobility client is not working for sign in. Since everything else works, Including connections to port 4443 and 443, I conceder this solution successful. At the time of this writing, Lync, Exchange, and Remote Gateway can all work through this proxy connection. I will update this post once I determine why mobility is not working.

Final Thoughts

1. Do not use SQL 2014 Beta version. I don’t know why at this point but I had no luck
2. If you have no Managed service account folder in ADUC, Do not create an OU. I did this and suffered for days. The object you need to create is a Group container. This is documented in this post I contributed to-Technet
3. I didn’t go into to it, but I also had trouble using the Windows Internal Database, I actually reinstalled the 2012 R2 OS at one point, and just decided to go with a named instance of 2012 SQL. It was successful on the install, as long as you install .net 3.5 role feature before you make your SQL install. (this was apparently the Internal database issue-


Group Managed Service Accounts

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s