Publish Lync Services in TMG

In an earlier blog post I explained how to set up a Lync Server 2010 Edge Server in your Lync organization. Using an Edge Server you can give external users access and implement federation with other organizations. You might also want to create publishing rules on your Forefront Threat Management Gateway (TMG) 2010 to offer external users the following additional services:

  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book service.
  • Accessing the Microsoft Lync Web App client.
  • Accessing the Dial-in Conferencing Settings webpage.
  • Accessing the Location Information service.
  • Enabling external devices to connect to Device Update web service and obtain updates.

In our environment, the Lync clients connect directly to the Lync Edge Server, which is also used for federation with other partners. The TMG Server is a separate server with its own external IP address. Its FQDN is the External Web Services FQDN defined in Topology Builder:


So, the External Web Services FQDN will point to the TMG Server, while the Edge Server's FQDNs will point to the Lync Edge Server. As you can see in the picture above, the external web services are published on port 4443, so after the initial creation of the rule it needs to be changed to reflect this port setting.

To configure a Web Publishing Rule in TMG 2010 use the following steps:

  1. On the TMG Server, start the Management Console and create a new Web Site Publishing Rule;
  2. Follow the wizard, set the rule to Allow and select Publish a single Web site or load balancer;
  3. On the Internal Publishing Details page, type the fully qualified domain name (FQDN) of the internal web farm that hosts your meeting content and Address Book content in the Internal Site name box. This is the Front-End server, or the Front-End pool (in case of an Enterprise deployment);
  4. On the Internal Publishing Details page, in the Path (optional) box, type /* as the path of the folder to be published;
  5. On the Public Name Details page, confirm that This domain name is selected under Accept Requests for, and type the External Web Services FQDN in the Public Name box;
  6. On the Select Web Listener page, click New to open the New Web Listener Definition Wizard;
  7. On the Web Listener IP Address page, select External, and then click Select IP Addresses;
  8. Again, follow the wizard, assign a certificate and on the Authentication Settings page select No Authentication (TMG only bridges the connection; the Lync Front End authenticates the user itself);
  9. Finish the Web Listener wizard;
  10. On the Authentication Delegation page, select No delegation, but client may authenticate directly, so that the Front End's own authentication challenge is passed through to the client;
  11. Now finish the wizard and click Apply in the details pane to save the changes and update the configuration.

Now that the basic rule is created, it can be changed to forward to the Lync external web site port, 4443. The Front End's external web site listens on 4443 (the internal web site uses 443), so TMG must bridge the client's port 443 connection to 4443, otherwise external users end up on the internal site. To do this follow these steps:

  1. On the TMG Server, open the Management Console and open the properties of the Lync Services rule that was created in the previous step;
  2. On the Properties page, on the From tab, do the following:
    • In the This rule applies to traffic from these sources list, click Anywhere, and then click Remove;
    • Click Add;
    • In Add Network Entities, expand Networks, click External, click Add, and then click Close;


  3. On the To tab, ensure that the Forward the original host header instead of the actual one check box is selected. The Front End uses the host header to tell the simple URLs apart, so the rule must not replace it with the internal site name;
  4. On the Bridging tab, select the Redirect request to SSL port check box, and then specify port 4443;
  5. On the Public Name tab, add the simple URLs (for example, the meet and dial-in URLs). Make sure these FQDNs are entered in the public DNS as well, so that they point to the correct IP address on the TMG Server;
  6. Click OK to save the changes and click Apply in the details pane to save the changes and update the configuration.

Note: For more information or more detailed steps, see the Microsoft TechNet article Configure Web Publishing Rules for a Single Internal Pool.

To test the web publishing rules, navigate from an external browser to the published web server, i.e. the meet simple URL. You should see the meeting landing page, but you can ignore the meeting URL error at this point of course:


Or the dial-in page:


It is also possible to test the group expansion service, since it is published as a web service, although the page it returns won't reveal much information:
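The browser checks above can be scripted. The following PowerShell script is an added example, not part of the original post; it verifies from a client on the Internet the three things the procedure above depends on: the public DNS split (published names resolve to the TMG address, the Access Edge FQDN does not), the certificate assigned to the TMG web listener covers every public name on the rule, and the published URLs answer on port 443 (TMG bridges to 4443, the client never sees that port). All host names are placeholders to be replaced with your own. The Address Book and Group Expansion paths (/Abs/Ext/Handler and /GroupExpansion/Ext/service.svc) are the standard Lync Server 2010 external web service paths and are my addition; the post itself only shows the simple URLs.

```powershell
# Added example (not from the original post): verify a Lync 2010 web publishing
# rule on TMG from an external client. Host names are placeholders; substitute
# your External Web Services FQDN, simple URLs and Access Edge FQDN.
# Uses only .NET classes, so it also runs on the PowerShell 2.0 that ships
# with Windows Server 2008 R2 (no Invoke-WebRequest needed).

$ExtWebFqdn = 'lyncweb.example.com'                     # External Web Services FQDN (points to TMG)
$SimpleUrls = 'meet.example.com', 'dialin.example.com'  # simple URLs (also point to TMG)
$EdgeFqdn   = 'sip.example.com'                         # Access Edge FQDN (points to the Edge Server, not TMG)

function Get-AddressMap([string[]]$Names) {
    # Resolve each name to its addresses (as strings), keyed by name.
    $map = @{}
    foreach ($n in $Names) {
        $map[$n] = @([System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString })
    }
    $map
}

function Get-ServerCertificate([string]$HostName, [int]$Port = 443) {
    # Open a TLS session and return the certificate the listener presents.
    # Validation is deliberately disabled here: we want to inspect a wrong
    # certificate rather than fail on it. Do not reuse this callback elsewhere.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $tcp.Close() }
}

function Get-SubjectAltNames($Cert) {
    # Parse the Subject Alternative Name extension (OID 2.5.29.17) into DNS names.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    $san.Format($false) -split ',\s*' | ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
}

function Get-HttpStatus([string]$Url) {
    # Return the HTTP status of a GET. HttpWebRequest raises a WebException for
    # 401/403/404, so the code is read from the exception's response.
    try {
        $resp = [System.Net.WebRequest]::Create($Url).GetResponse()
        [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { throw }
    }
}

# 1. Public DNS: every published name must resolve to the TMG address, and that
#    address must differ from the Edge Server's (separate servers, separate IPs).
$published = @($ExtWebFqdn) + $SimpleUrls
$ips = Get-AddressMap ($published + $EdgeFqdn)
$tmgIps = @($published | ForEach-Object { $ips[$_] } | Sort-Object -Unique)
if ($tmgIps.Count -ne 1) { Write-Warning "Published names resolve to different addresses: $($tmgIps -join ', ')" }
foreach ($ip in $ips[$EdgeFqdn]) {
    if ($tmgIps -contains $ip) { Write-Warning "$EdgeFqdn shares address $ip with the published web services" }
}

# 2. Listener certificate: each public name on the rule must be in the SAN list
#    of the certificate on the TMG web listener, or clients get certificate errors.
$cert  = Get-ServerCertificate $ExtWebFqdn
$names = Get-SubjectAltNames $cert
"Listener certificate: $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter)"
foreach ($n in $published) {
    if ($names -notcontains $n) { Write-Warning "$n is not in the certificate SAN list" }
}

# 3. Published paths, all on 443. A 401 on the Address Book handler is the wanted
#    outcome: the Front End, not TMG (listener: No Authentication), is challenging.
$checks = @(
    @{ Url = "https://$($SimpleUrls[0])/";                         Note = 'meet landing page (meeting-URL error is expected)' },
    @{ Url = "https://$($SimpleUrls[1])/";                         Note = 'dial-in settings page' },
    @{ Url = "https://$ExtWebFqdn/Abs/Ext/Handler";                Note = 'Address Book download, expect an auth challenge' },
    @{ Url = "https://$ExtWebFqdn/GroupExpansion/Ext/service.svc"; Note = 'group expansion web service' }
)
foreach ($c in $checks) {
    "{0,-4} {1}  ({2})" -f (Get-HttpStatus $c.Url), $c.Url, $c.Note
}
```

Run it from a machine outside your network; from the inside, split DNS would send the requests straight to the Front End and tell you nothing about the TMG rule. Step 3 uses the normal .NET certificate validation, so if step 2 reports a certificate that does not chain to a trusted root the HTTP checks will throw rather than return a status; fix the listener certificate first.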


The last step in deploying Lync Server 2010 is implementing a SIP trunk to offer an Enterprise Voice environment. This will be the next blog's topic.
