Configuring The Windows Server 2012 Web Application Proxy As A Reverse Proxy For Lync Server

Configuring the Windows Server
2012 Web Application Proxy as a

Reverse Proxy for Lync Server
Lync Server 2013
Published: November 2014

Author: Dave Howe, Eric Curtis
Abstract: This whitepaper describes how to configure the Windows Server 2012 R2 Web Application
Proxy as a reverse proxy for Lync Server. The service allows internal applications such as Microsoft Lync
and Exchange to be published for external access. The Web Application Proxy service functions as both
a reverse proxy and an Active Directory Federation Services (AD FS) proxy.
This document is provided “as-is”. Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice.
Some examples depicted herein are provided for illustration only and are fictitious. No real
association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
Copyright © 2014 Microsoft Corporation. All rights reserved.
Contents
1 Introduction.............................................................................................................................. 1
2 Requirements........................................................................................................................... 1
2.1 Hardware requirements..................................................................................................... 1
2.2 Software requirements...................................................................................................... 1
3 Planning................................................................................................................................... 2
3.1 Architectural Components................................................................................................. 2
3.2 Firewall Considerations..................................................................................................... 3
3.3 Load Balancing.................................................................................................................. 3
3.4 Name resolution................................................................................................................ 3
3.5 Certificates........................................................................................................................ 3
3.6 Authentication.................................................................................................................... 5
4 Installation and Configuration................................................................................................... 5
4.1 Networking configuration................................................................................................... 5
4.2 DNS Suffix......................................................................................................................... 5
4.3 Internal Name Resolution.................................................................................................. 6
4.4 Importing Certificates......................................................................................................... 6
4.5 Installing the Web Application Proxy feature.....................................................................7
4.6 Configure the Web Application Proxy feature....................................................................7
4.7 Launch the Remote Access Management Console.........................................................11
4.8 Create a Publishing Rule for Lync Autodiscover..............................................................11
4.9 Create Publishing Rules for Lync Simple URLs...............................................................15
4.10 Create Publishing Rules for External Lync Web Services............................................19
4.11 Create Publishing Rule for Office Web Apps................................................................24
4.12 Summary List of Publishing Rules................................................................................30
5 Lync Phone Edition Devices................................................................................................... 30
5.1 Configure a Fallback Certificate......................................................................................31
Configuring the Windows Server 2012 Web Application Proxy as a Reverse Proxy for Lync Server
1 Introduction
Windows Server 2012 R2 includes a new service called the Web Application Proxy as part of the Remote
Access role. The service allows internal applications such as Microsoft Lync and Exchange to be
published for external access. The Web Application Proxy service functions as both a reverse proxy and
an Active Directory Federation Services (AD FS) proxy.
Note: The Web Application Proxy service does not provide firewall capabilities, nor does it function as an
authenticating proxy for outbound internet connections.
2 Requirements
The following table lists the roles and features that are required for Web Application Proxy and describes
how they support it.
Services required to support the Web Application proxy
Role / feature How it supports this scenario
Active Directory Domain Services Active Directory® Domain Services is required as a prerequisite before
(AD DS) you can deploy AD FS. It is also required for Web Application Proxy
deployments that use Kerberos constrained delegation.
Active Directory Federation Services AD FS is required to provide authentication and authorization services
(AD FS) to Web Application Proxy and to store the Web Application Proxy
configuration
Remote Access (DirectAccess, Remote Access is the role containing the Web Application Proxy role
Routing and Remote Access) service
2.1 Hardware requirements

Hardware requirements for this scenario include the following:
 A computer that meets the hardware requirements for Windows Server 2012 R2 running one of
the following server editions: Essentials, Standard, or Datacenter.
 The server must have at least one network adapter installed, enabled, and connected to the
internal network either directly, or through a firewall or NAT device. When two adapters are used,
there should be one adapter connected to the internal corporate network, and one connected to
the external network (Internet, or private network).
2.2 Software requirements

Software requirements for this scenario include the following:
 The Web Application Proxy server is located behind an edge firewall or NAT device and it is
typically in the DMZ, the device must be configured to allow traffic to and from the Web
Application Proxy server.
1
 Deploying Web Application Proxy on the server requires local administrator permissions on the
server. In addition, when you connect the Web Application Proxy server to the AD FS server, you
require the credentials of the local administrator on the AD FS servers.
 You must deploy AD FS on a server running Windows Server 2012 R2 in your organization
before you can deploy Web Application Proxy.
 If you want to remotely manage Web Application Proxy servers, you must enable remote
PowerShell management on the Web Application Proxy servers. See Running Remote
Commands.
3 Planning
Deploying Web Application Proxy as a reverse proxy for Lync Server 2013 requires detailed planning.
This section describes several of the deployment considerations that are associated with using Web
Application Proxy as a reverse proxy for Lync Server 2013. The following image shows a high-level
network diagram including the Web Application proxy.
High Level Diagram of Web Application Proxy Deployment
3.1 Architectural Components

The following is a list of architectural components that are required for deploying Web Application Proxy
as a reverse proxy for Lync Server 2013.
 Active Directory Domain Services
 Active Directory Federation Proxy Server
 Active Directory Federation Server
 Microsoft Internal Certificate server
 Web Application Proxy Server
2
 Public Key Infrastructure

 Back End Application server (Exchange/ Lync)
3.2 Firewall Considerations

Web Application Proxy can be deployed behind a front end firewall to separate it from the Internet, or
between two firewalls; a front end firewall to separate it from the Internet, and a backend firewall to
separate it from the corporate network.
Deploying Web Application Proxy behind a firewall adds network level protection and reduces the attack
surface of the Web Application Proxy servers. If the Web Application Proxy server is located in front of a
firewall that separates it from the corporate network, you must make sure that the firewall does not block
traffic to URLs configured for the backend servers. This could be over HTTP or HTTPS and on any
specified port.
3.3 Load Balancing

Web Application Proxy does not include integrated load-balancing functionality. If you plan to deploy
multiple Web Application Proxy servers, you should consider deploying a load-balancer to ensure that the
external traffic is distributed evenly between Web Application Proxy servers. You can use any hardware
or software load-balancer that supports HTTP and HTTPS, including Windows Network Load Balancing.
You can also configure a load-balancer for published web applications. That is, you can deploy a load-
balancer between the Web Application Proxy servers and the published web application. You can use any
hardware or software load-balancer that supports HTTP and HTTPS, including Windows Network Load
Balancing.
3.4 Name resolution

DNS planning requirements for Web Application Proxy include the following:
 Web Application Proxy requires internal name resolution through your internal DNS infrastructure
to resolve the names of backend servers, and of infrastructure servers such as the AD FS server.
Using hosts file entries to provide name resolution of internal servers is also possible, although it
is not recommended from a manageability perspective.
 When publishing web applications via Web Application Proxy, every web application you publish
requires an external URL. For clients to reach these web applications, a public DNS server must
be able to resolve each external URL that you configure. Note that the external URL must resolve
to the external IP address of the Web Application Proxy server, or the external IP address of a
firewall or load-balancer placed in front of the Web Application Proxy server.
3.5 Certificates
To successfully publish AD FS services and establish SSL connectivity with Active Directory Federation
Services, the Web Application Proxy must be configured with a public certificate that contains the FQDN
of the AD FS service. If you plan to publish web service URLs for other applications such as Lync and
Exchange, the Web Application Proxy must be configured with a public certificate that contains the web
service FQDNs of those applications.
It is possible to use a single certificate to publish all web services via the Web Application Proxy.
However, for the purposes of this document, the Web Application Proxy server will be configured with two
public certificates. One certificate will be used for the ADFS Proxy service certificate, while the other
3
certificate will be used to publish web services for Lync, Exchange, and Office Web Apps. For more
information, see Planning to Publish Applications Using Web Application Proxy.
To successfully publish Lync Web Services URLs for external access, a public web server certificate must
be installed on the Web Application Proxy server. This certificate should be configured with the published
external web service fully qualified domain names (FQDNs) of each pool that is home to users that are
enabled for remote access. The subject alternative name value from this certificate must also contain the
meeting simple URL, the dial-in simple URL, the web scheduler simple URL, and external Autodiscover
Service URL.
The root certification authority certificate and any intermediate certification authority certificates from the
CA that issued the public certificate must be installed on the Web Application Proxy server. Likewise,
certificates from internal Enterprise or Standalone certificate authorities should be installed on the Web
Application Proxy server.
The following table describes how the public certificate should be configured for publishing the various
web services that are consumed by the Lync 2013 client:
Certificate values required for this scenario
Web Application Proxy Certificate
Subject Name (CN) meet.fabrikam.com Meet Simple URL
meet.fabrikam.com Meet Simple URL
dial-in.fabrikam.com Dial-In Simple URL
scheduler.fabrikam.com Web Scheduler Simple URL
Lyncdiscover.fabrikam.com External Lync Autodiscover URL

Subject Alternative
lyncweb01.fabrikam.com External Lync Web Services FQDN
Name (SAN)
wacweb01.fabrikam.com External Office Web Apps URL
autodiscover.fabrikam.com Exchange Autodiscover URL
mail.fabrikam.com External Exchange Web Services FQDN
*.fabrikam.com Wildcard for fabrikam.com URLs (optional)
For more details on Lync Server 2013 specific certificate requirements for reverse proxy servers, please
see Request and configure a certificate for your reverse HTTP proxy in Lync Server 2013.
Note: It is not supported to use a certificate with a wildcard entry as the subject name (also referred to as
the common name or CN) in Lync Server 2013. If you need to use wildcard values on your reverse proxy
certificate, the wildcard values must appear in the list of subject alternative names on the certificate
assigned to the Web Application Proxy server.
For more information about using wildcard certificates in Lync Server 2013, please see Wildcard
certificate support in Lync Server 2013.
4
3.6 Authentication
Although Web Application Proxy supports several authentication methods, pass-through authentication
should be used for publishing any web service URL that is used by the Lync client. In environments
where both Lync Server and Exchange Server are deployed, Web Application Proxy should be configured
to use pass-through authentication for both Lync and Exchange web services URLs.
4 Installation and Configuration

The following section describes how to install and configure the Web Application Proxy feature.
4.1 Networking configuration

The Web Application Proxy server should be configured with two network adapters:
 External (Internet facing network adapter)
 Internal (Corporate Network facing network adapter)
Note: The external network adapter should be configured with a default gateway value and external DNS
server values. The Internal network adapter should be configured only with an internal DNS server. The
internal network adapter should not be configured with a default gateway value, but rather connectivity to
internal subnets should be provided through the use of persistent routes.
4.2 DNS Suffix

The DNS suffix value on the Web Application Proxy server should be configured to match the internal
DNS name from Active Directory, as shown in the following image.
DNS Suffix and NetBIOS Computer Name dialog
5
4.3 Internal Name Resolution

To provide name resolution for internal servers, the internal network adapter on the Web Application
Proxy should be configured with the IP address of an internal DNS server. Alternatively, the Web
Application Proxy server can be configured with a hosts file that contains the fully qualified domain name
(FQDN) of all Lync simple URLs, the Lync autodiscover FQDN, and the internal Lync Web Services
FQDN of each pool that will be published for external access.
An example Hosts file
4.4 Importing Certificates

The public certificate that will used for the ADFS Proxy service must be imported with the private key to
the Personal Store on the Web Application Proxy server. Import the issuing root CA certificate into the
Trusted Root Certification Authorities container and any intermediate CA certificates into the Intermediate
Certification Authorities container.
The public certificate that will be used to publish Lync Web Services must be imported with the private
key to the Personal Store on the Web Application Proxy server. Import the issuing root CA certificate into
the Trusted Root Certification Authorities container and any intermediate CA certificates into the
Intermediate Certification Authorities container.
Lastly, import the internal Enterprise or Standalone CA certificates into the Trusted Root Certification
Authorities container and any internal intermediate CA certificates into the Intermediate Certification
Authorities container.
6
4.5 Installing the Web Application Proxy feature

To install the Web Application Proxy feature, open a Windows PowerShell console, and then run the
following cmdlet:
Install-WindowsFeature Web-Application-Proxy,RSAT-RemoteAccess-Mgmt, RSAT-
RemoteAccess-PowerShell, GPMC, CMAK
4.6 Configure the Web Application Proxy feature

After the cmdlet to install the feature finishes, perform the following steps to complete the configuration of
the Web Application Proxy feature.
 To configure the Web Appllication Proxy
1. Launch the Server Manager Console and open the Web Application Proxy Wizard to complete
the configuration of the Web Application Proxy server.
Post-deployment configuration message
7
2. At the Welcome screen, click Next.
Web Application Proxy Configuration Wizard Welcome page
8
3. Enter the federation service name that you specified in the AD FS configuration as well as
credentials for accessing AD FS.
Web Application Proxy Configuration Wizard Federation Server page
9
4. On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web
Application Proxy server, select a certificate to be used for the AD FS Proxy service, and then
click Next.
Web Application Proxy Configuration Wizard AD FS Proxy Certificate page
5. Confirm your settings, and then click Configure.
10
Web Application Proxy Configuration Wizard AD FS Proxy Confirmation page
4.7 Launch the Remote Access Management Console

After installing the Web Application Proxy feature, launch the Remote Access Management console and
connect to the Web Application Proxy service.
 To connect to the Web Application Proxy service
1. Open the Administrative Tools menu.
2. Launch the Remote Access Management console.
3. Select Manage a Remote Server from the Tasks pane.
4. Enter the name of the server where the Web Application Proxy feature was installed, or select
Browse and search Active Directory for the server name.
5. Select Web Application Proxy from the Configuration pane.
4.8 Create a Publishing Rule for Lync Autodiscover

Having successfully deployed and configured the Web Application Proxy feature, you are now ready to
create publishing rules for Lync Autodiscover.
11
Note: External Lync clients send requests to Lync Web Services over TCP/443, however, external Lync
Web Services listens for client requests on TCP/4443. This means that a reverse proxy must bridge the
client request to the Lync server from TCP/443 to TCP/4443.
 To create a Publishing rule for Lync autodiscover
1. Open the Remote Access Management Console and select Publish.
Remote Access Management Console
2. At the Welcome screen click Next.
Publish New Application Wizard – Welcome screen
12
3. On the Preauthentication page, click Pass-through and then click Next.
Publsih New Application Wizard – Preauthentication Settings page
4. On the Publishing Settings page, do the following, and then click Next:
o In the Name box, enter a friendly name for the application
o In the External URL box, enter the external URL for the application
o In the External certificate list, select a certificate that contains the external URL
o In the Backend server URL field, enter the URL, port, and path of the target backend server
13
Publsih New Application Wizard – Publishing Settings page
Note: After appending :4443 to the external Lync Web Services URL, the Web Application Proxy
server will display a warning that the published internal and external URLs do not match. As long as
both the internal and external fully qualified domain name (FQDN) and path values are the same, you
can safely ignore this warning.
5. Confirm the settings you entered, and then click Publish to create the new publishing rule.
14
Publsih New Application Wizard – Confirmation page
4.9 Create Publishing Rules for Lync Simple URLs

The following steps describe how to create publishing rules for the Lync Meet, Dial-in, and Web
Scheduler Simple URLs.
15
 To create a Publishing rule for Lync Simple URLs

16
Publsih New Application Wizard – Preauthentication Settings page
(for example, Lync Dial-in Simple URL)
(for example, http://dialin.fabrikam.com)
o In the Backend server URL field, enter the URL, port, and path of the target backend server
(for example, https://dialin.fabrikam.com:4443)
Note: After appending :4443 to the external Lync Web Services URL, the Web Application Proxy
server will display a warning that the published internal and external URLs do not match. As long as
both the internal and external fully qualified domain name (FQDN) and path values are the same, you
can safely ignore this warning.
17
Publsih New Application Wizard – Publishing Settings page
18
5. Confirm the values you entered, and then click Publish to create the new publishing rule.
6. Repeat these steps to create additional publishing rules for the Meet and Web Scheduler Simple
URLs.
4.10 Create Publishing Rules for External Lync Web Services

The following steps describe how to create publishing rules for the External Lync Web Services FQDN for
each Lync Enterprise Edition pool and Standard Edition server.
19
 To create a publishing rule for external Lync web services

20
Publish New Application Wizard – Preauthentication page
(for example, External Lync Web Services – Bostom Pool)
(for example, https://lyncweb01.fabrikam.com)
o In the Backend server URL box, enter the URL, port, and path of the target backend server
(for example, https://lyncweb01.contoso.com:4443)
21
Publish New Application Wizard – Publishing Settigns page
Note: Since the A (host) record for the External Lync Web Services FQDN on the internal DNS
server will resolve to the external IP address of the reverse proxy server, the Backend server URL for
External Lync Web Services publishing rules should be populated with the Internal Lync Web Services
FQDN for each Enterprise Edition pool or the FQDN of each Standard Edition server. Additionally, the
Backend server URL value must be appended with :4443 so that the request will be bridged correctly
to the backend server.
22
5. After reviewing your settings for accuracy, click Publish to create the new publishing rule.
Publish New Application Wizard – Confirmation page
6. Since this publishing rule contains a discrepancy in the External URL and Backend server URL
values, the publishing rule must be configured to disable translation of URL values in request
headers. This setting can be disabled by running the following cmdlets using Windows
PowerShell:
$Rule = (Get-WebApplicationProxyApplication “External Lync Web Services
– Boston Pool”).ID
Set-WebApplicationProxyApplication –ID $Rule –

DisableTranslateUrlInRequestHeaders:$True
23
Results of running the cmdlets
7. Repeat these steps to create additional publishing rules for the External Lync Web Services
FQDN of each Lync Enterprise Edition pool and Standard Edition server.
4.11 Create Publishing Rule for Office Web Apps

The following steps describe how to create publishing rules for Office Web Apps, which is used to display
PowerPoint presentations during Lync meetings.
Note: Office Web Apps listens for client requests on TCP/443. As such, it is not necessary for a reverse
proxy to bridge connections to Office Web Apps to a different port.
 To create a Publsihing rule for Office Web Apps
24
25
Publish New Application Wizard – Preauthentication page
(for example, Office Web Apps – Boston Pool)
(for example, https://wacweb01.fabrikam.com)
o In the Backend server URL box, enter the URL, port, and path of the target backend server
(for example, https://naboswac01.contoso.com)
26
Publish New Application Wizard – Publishing Settings page
Note: The Backend server URL for External Lync Web Services publishing rules should be
populated with the FQDN of the Office Web Apps server. Also, it is not necessary to bridge the
connection to a different port since the Office Web Apps server listens for client connections on
TCP/443.
27
5. After reviewing your settings for accuracy, click Publish to create the new publishing rule.
Publish New Application Wizard – Confirmation page
6. Since this publishing rule contains a discrepancy in the External URL and Backend server URL
values, the publishing rule must be configured to disable translation of URL values in request
headers. This setting can be disabled by running the following cmdlets using Windows
PowerShell:
$Rule = (Get-WebApplicationProxyApplication "Office Web Apps - Boston
Pool").ID
Set-WebApplicationProxyApplication -ID $Rule

-DisableTranslateUrlInRequestHeaders:$True
28
Results of running the cmdlets

7. Repeat these steps to create additional publishing rules for each Office Web Apps server.
29
4.12 Summary List of Publishing Rules

The following table describes the summary list of publishing rules that are required for publishing the
various web services that are consumed by the Lync 2013 client:
Name External URL Backend Server URL Disable Request

Header
Translation
Meet Simple https://meet.fabrikam.com https://meet.fabrikam.com:4443 No

URL
Dial-in https://dialin.fabrikam.com https://dialin.fabrikam.com:4443 No

Simple URL
Web https://scheduler.fabrikam.com https://scheduler.fabrikam.com:4443 No

Scheduler
Simple URL
Lync https://lyncdiscover.fabrikam.co https://lyncdiscover.fabrikam.com:444 No

Autodiscove m 3
r
Lync Web https://lyncweb01.fabrikam.com https://lyncweb01.contoso.com:4443 Yes

Services
Office Web https://wacweb01.fabrikam.com https://naboswac01.contoso.com Yes

Apps
Exchange https://autodiscover.fabrikam.co https://nabosemail01.contoso.com Yes

Autodiscove m
r
Exchange https://mail.fabrikam.com http://nabosemail01.contoso.com Yes

Web
Services
5 Lync Phone Edition Devices

SNI is an extension to the TLS SSL protocol that allows the client to include the Hostname the client is
connecting to in the SSL Client Hello. A server can then use the SNI header to determine which certificate
30
to serve to the client. A key benefit of SNI is that is allows a server to host multiple certificates on the
same IP/port pair instead of needing a different IP per certificate (assuming you are using port 443).
SNI relies on the client supporting SNI and sending the Server Name extension in the SSL Client Hello. If
the SSL Client Hello does not contain the SNI header then http.sys is unable to determine which
certificate to serve and will reset the connection.
While most clients do support SNI, Lync Phone Edition devices do not support SNI. As such, Lync Phone
Edition devices will fail to sign in externally unless a fallback certificate is configured for http.sys on the
Office Web Apps server.
5.1 Configure a Fallback Certificate

To support non-SNI capable clients, a manual https.sys certificate binding should be enabled for
0.0.0.0:443 on the Web Application Proxy server. Since only one certificate can be configured as the
fallback certificate for http.sys, it is important that the fallback certificate contains all of the FQDNs
necessary to support non-SNI capable clients.
 To configure a fallback certificate
1. Find the thumbprint of the Fallback Certificate by running the following cmdlet from Windows
PowerShell on the Web Application Proxy server:
dir Cert:\LocalMachine\My
Which returns something similar to the following:
Thumbprint Subject
---------- -------
3B54587B12613DA3BAE18E90D1CCC2ADAF324370 CN=sts.fabrikam.com
EE960110E205158355DD388147677A1748212634 CN=ADFS ProxyTrust - WEBPROXY
2. Note the Application ID of the Web Application Proxy feature:
{f955c070-e044-456c-ac00-e9e4275b3f04} – Web Application Proxy AppID
3. Create a manual https.sys certificate binding for 0.0.0.0:443 using the certificate thumbprint and
application id by entering the following command:
netsh http add sslcert ipport=0.0.0.0:443
certhash=3B54587B12613DA3BAE18E90D1CCC2ADAF324370 appid={f955c070-e044-
456c-ac00-e9e4275b3f04}
31

Configuring The Windows Server 2012 Web Application Proxy As A Reverse Proxy For Lync Server

Uploaded by

Copyright:

Available Formats

Configuring The Windows Server 2012 Web Application Proxy As A Reverse Proxy For Lync Server

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Configuring The Windows Server 2012 Web Application Proxy As A Reverse Proxy For Lync Server

Uploaded by

Copyright:

Available Formats

Configuring the Windows Server

2012 Web Application Proxy as a

Published: November 2014

Services required to support the Web Application proxy

Role / feature How it supports this scenario

2.1 Hardware requirements

2.2 Software requirements

High Level Diagram of Web Application Proxy Deployment

3.1 Architectural Components

 Public Key Infrastructure

3.2 Firewall Considerations

3.3 Load Balancing

3.4 Name resolution

Web Application Proxy Certificate

Subject Name (CN) meet.fabrikam.com Meet Simple URL

meet.fabrikam.com Meet Simple URL

dial-in.fabrikam.com Dial-In Simple URL

scheduler.fabrikam.com Web Scheduler Simple URL

Lyncdiscover.fabrikam.com External Lync Autodiscover URL

autodiscover.fabrikam.com Exchange Autodiscover URL

mail.fabrikam.com External Exchange Web Services FQDN

*.fabrikam.com Wildcard for fabrikam.com URLs (optional)

4 Installation and Configuration

4.1 Networking configuration

4.2 DNS Suffix

DNS Suffix and NetBIOS Computer Name dialog

4.3 Internal Name Resolution

An example Hosts file

4.4 Importing Certificates

4.5 Installing the Web Application Proxy feature

4.6 Configure the Web Application Proxy feature

Post-deployment configuration message

2. At the Welcome screen, click Next.

Web Application Proxy Configuration Wizard Welcome page

Web Application Proxy Configuration Wizard Federation Server page

Web Application Proxy Configuration Wizard AD FS Proxy Certificate page

5. Confirm your settings, and then click Configure.

Web Application Proxy Configuration Wizard AD FS Proxy Confirmation page

4.7 Launch the Remote Access Management Console

4.8 Create a Publishing Rule for Lync Autodiscover

Remote Access Management Console

2. At the Welcome screen click Next.

Publish New Application Wizard – Welcome screen

3. On the Preauthentication page, click Pass-through and then click Next.

Publsih New Application Wizard – Preauthentication Settings page

Publsih New Application Wizard – Publishing Settings page

Publsih New Application Wizard – Confirmation page

4.9 Create Publishing Rules for Lync Simple URLs

 To create a Publishing rule for Lync Simple URLs

Remote Access Management Console

2. At the Welcome screen click Next.

Publish New Application Wizard – Welcome screen

3. On the Preauthentication page, click Pass-through and then click Next.

Publsih New Application Wizard – Preauthentication Settings page

Publsih New Application Wizard – Publishing Settings page

4.10 Create Publishing Rules for External Lync Web Services

 To create a publishing rule for external Lync web services

Remote Access Management Console

2. At the Welcome screen click Next.