I’ve been busy building a lab recently to test a number of different scenarios in Skype for Business on premises, including external sign in.
This means that I need to deploy a reverse proxy to publish my SfB external URLS:
- Lyncdiscover
- Meet
- Dialin
- SfbWeb01 (external address of my SfB front end server).
I’ve chosen to go a little oldschool, and install IIS ARR 2.5 on Windows Server 2008r2 (because, why not).
Installing the required components was a little tricky as some of them are now hard to find.
Here’s a list if you get stuck:
- Microsoft External Cache
- IIS URL Rewrite Module 2
- Web Platform Installer 5.1
- Visual Studio C++ Redistributable 2015 64bit (This partially fixes the 503 error)
After installing these components, and then installing IIS ARR 2.5 using the Web Platform Installer, I launched IIS and configured my server farms like normal:
Configure a server farm for each URL:
Add your internal server details, remembering to send the traffic towards 8080 and 4443:
Then, for each server farm:
Turn off disk caching
Change the Proxy timeout value to 600: 
Un-check Enable SSL Offloading under Routing Rules:
Remove the non-SSL rewrite rules, so you’re left with just the SSL rules:
Configure your {HTTP_HOST} rules for each URL:
Ensure your hosts file has been configured correctly to send traffic towards your front end server for each URL you’ve configured as well as your internal CA:
Also ensure too that you’ve added static (and persistent) routes to your internal servers if you’re using two NICS on your reverse proxy, and that your external facing NIC is the only one configured with DNS pointing externally (normally to google dns 8.8.8.8) and a default gateway.
Lastly, ensure you’ve installed your internal root CA certificate on your reverse proxy server so that your non-domain joined proxy can verify the certificate it receives from the SfB front end server. You can easily do this by browsing to the URL of your certificate services:
http://cert01.contoso.com/certsrv
Log in with your domain credentials, then click Download A CA
Then click Download CA Certificate
Be sure to install this on your reverse proxy machine under Computer Certificates > Trusted Root Certificates
Not placing your internal root CA in Trusted Root Certificates (Local computer, NOT user) is often the cause of the 503 error in ISS.
Once configured, open Powershell and run iisreset /restart
then try to browse to your meet URL from external (after ensuring you’ve port forwarded port 443 to the external IP of your reverse proxy server on your router/firewall).
https://dialin.contoso.com
You should see the dial in page!
