Publish Lync 2013 Services in TMG 2010

In an earlier blog post I explained how to setup a Lync 2013 environment with a Front-End server and an Edge Server. This way you can use Lync 2013 internally and externally, including federation with other Lync 2010/2013 or OCS 2007 R2 organizations. You also might want to implement publishing rules on your Threat Management Server (TMG) 2010 to implement the following additional services:

  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book service.
  • Accessing the Microsoft Lync Web App client.
  • Accessing the Dial-in Conferencing Settings webpage.
  • Accessing the Location Information service.
  • Enabling external devices to connect to Device Update web service and obtain updates.

In our environment, the external Lync clients connect directly to the Lync Edge Server. This Edge Server is also used for federation services with other partners. The TMG Server is a different server with a different external IP address.


The FQDN for this server is defined in the External Web Services FQDN in the Topology Builder:


So, the FQDN will point to the TMG Server, while the will point to the Lync 2013 Edge Server. As you can see in the picture above, the web service is listening on port 4443 and published on port 443. This should also be configured in the TMG rule later on.

To configure a Web Publishing Rule in TMG2010 use the following steps:

  1. On the TMG Server, start the Management Console and create a new Web Site Publishing Rule:image
  2. Follow the wizard, set the rule to Allow and select Publish a single Web site or load balancer;
  3. On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm;
  4. On the Internal Publishing Details page, type the fully qualified domain name (FQDN) of the internal web farm that hosts your meeting content and Address Book content in the Internal Site name box. This is the Front-End pool, or the Front-End server (in case of Standard deployment);image
  5. On the Internal Publishing Details page, in the Path (optional) box, type /* as the path of the folder to be published.
  6. On the Public Name Details page, confirm that This domain name is selected under Accept Requests for, type the external Web Services FQDN, in the Public Name box;image
  7. On Select Web Listener page, click New to open the New Web Listener Definition Wizard;
  8. On the Web Listener IP Address page, select External, and then click Select IP Addresses. ;image
  9. Again, follow the wizard and assign a certificate. Besides the FQDN it also needs and configured in the Subject Alternative Names field.image
  10. On the Authentication Settings page, select No Authentication;image
  11. Finish the Web Listener wizard;
  12. On the Authentication Delegation page, select No delegation, but client may authenticate directly;image
  13. Now finish the wizard and click Apply in the details pane to save the changes and update the configuration.

Now that the basic rule is created it can be changed to redirect to the Lync port, i.e. 4443. To do this follow these steps:

  1. On the TMG Server, open the Management Console and open the properties of the Lync Services rule that was created in the previous step;
  2. On the Properties page, on the From tab, do the following:
    • In the This rule applies to traffic from these sources list, click Anywhere, and then click Remove;
    • Click Add;
    • In Add Network Entities, expand Networks, click External, click Add, and then click Close;


  3. On the To tab, ensure that the Forward the original host header instead of the actual one check box is selected;image
  4. On the Bridging tab, select the Redirect request to SSL port check box, and then specify port 4443;image
  5. On the Public Name tab, add the additional simple URLs (for example, and Make sure these FQDNs are entered in the public DNS as well so that they point to the correct IP address on the TMG Server;image
  6. Click Apply to save changes and click Apply in the details pane to save the changes and update the configuration.

Note: For more information or more detailed steps go to the Microsoft Technet Website: – Configure Web Publishing Rules for a Single Internal Pool

To test the web publishing rules in OWA you can navigate to the published web server, i.e. You should see the meeting landing page, but can ignore the meeting URL error at this point of course:


Or you can navigate to the dialin page


It is possible to test the group expansion service ( since this is published as a web service, although it won’t reveal too much information:



The Lync 2013 Front-End now works correctly and for external connectivity and federation with other parties the Lync 2013 Edge server can ben used. The TMG server in this blog will publish additional web services that are used in a Lync environment via the Internet.

Since TMG 2010 is basically end-of-life this reverse proxy can be configured using an F5 load balancer, I’ll get back on this in a future blog.

The next step is to configure a SIP trunk with a Lync 2013 mediation server. Stay tuned!

2 thoughts on “Publish Lync 2013 Services in TMG 2010”

  1. I have Lync 2010 system that uses TMG to publish to the outside, and I renewed a certificate last year, and TMG didn’t take the certificate. I ahave been trying to get it to work but no luck. do you have any suggestions? The external access worked for 4 years before this.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s