Solved: Re: Configuring SSL VPN as Reverse Proxy for Lync - Page 2

dsatkhan_ · ‎01-17-2012

when intranet user creates online meeting, the external user can access it via url

https://meet.domain.com/user.name/meeting-code-random (send by email to external user)

this Url should be accessible via reverse proxy and ideally without login prompt.

So what is the equivalent of Microsoft's "Forward the original host header instead of the actual one" in "authorisation only" config - ref as example here http://waveformation.com/2011/02/21/lync-host-header-forwarding/

Would be nice to have screens or description of a working Juniper config of Lync.

zanyterp_ · ‎01-17-2012

Ah; ok, thank you for the information.

I believe that is "host header forwarding" and there is no option to do that with the authorization only URL. You may be able to configure an anonymous server realm with passthrough proxy that does that?

Sorry, I can't help with the working config information; I do not have access to a server to do testing with.

mcaulifn_ · ‎01-17-2012

I have this set up and working. I will recreate on my lab box so I can upload some pictures. The one caveat is that there has to be internal DNS entries that match what the external users are actually hitting.

mcaulifn_ · ‎01-18-2012

I created this example on my lab box using meet.example.com.

Internal DNS has to match external DNS. Because we don't have the same DNS servers for both servers, we used a GTM WideIP to answer the SA's internal DNS request.
I created a new external Virtal Port specifically for all Lync traffic. This is optional.
Create a new role. Role should only have "Web" selected. Do not create bookmarks now, that will be addressed later.
Create a new URL. See attached picture for options. Select new role created in step 3.
Create new Web Resource Profile. See attached picture for settings. To access the "Autopolicy: Rewriting Options", click "Show ALL autopolicy types". After saving the main screen, the SA will move to the Role tab. Select the role created in step 3.

That should be it.

zanyterp_ · ‎01-18-2012

Thanks, mcaulfin!

mcaulifn_ · ‎01-18-2012

YW!

Let me know if you run in to any problems.

dsatkhan_ · ‎01-18-2012

Thanks! It works ok! Actually, it worked also without step 5.

mcaulifn_ · ‎01-18-2012

OK. You probably had a Web Resource policy that already permitted that traffic. We have specific web resources defined so a new one was needed.

ssybert_ · ‎04-03-2012

Hi,

I have setup my Juniper device the same way you have it and have been unsuccessful in getting this to work.

Is your configuration still working? Also, I'm confused into why you have the backend URL set to https://meet.domain.com:4443, however in your web profile configuration you have the web access control pointing to the standard 443 port. I have tried the configuraion both ways, however am unsuccessful in getting this to work this way.

With the help of support, we were able to get it to proxy through on the same port (443), however have been unsuccessful in getting traffic over to the external site on port 4443. What version of SW are you running on your juniper device? Thanks

-Scott