You asked for more “How It Fits” posts last year, and I’m happy to oblige. Today we’re discussing…the Reverse Proxy server!
Reverse Proxy is also part of the Skype for Business perimeter network, like Edge Server. The two act in concert, in fact, which made it an easy second choice for this series.
Now, one important thing: Reverse Proxy is NOT an official Skype for Business Server Role. You’ll need another device/appliance to serve as your Reverse Proxy. Fortunately, many good options exist; Microsoft has provided a list of reverse proxy servers to help. We’ve tried the MS Web Application Proxy and F5’s BIG-IP. Both worked very well for our purposes.
The Reverse Proxy’s Primary Role
A Reverse Proxy server facilitates external user access to some Skype4B tools. Like the Edge Server, it aids users outside the internal network: mobile users, federated users (e.g. partners, vendors), and customers.
How? It works by publishing some Skype for Business services to the public Internet, and regulating access to them from outside the perimeter network. I’ve listed which services in the next section.
Main Functions of a Reverse Proxy Server
Here’s the list of Reverse Proxy functions in a Skype for Business Server deployment. You’ll see that they all deal with external users, be they permanently remote or a standard user out of the office.
- Connect to meetings or dial-in conferences using simple URLs (e.g., “meet.yourdomain.com”).
- Download meeting content.
- Expand distribution groups.
- Get user-based certificates for client certificate-based authentication. In other words, authorize some mobile clients to access the Skype for Business Server.
- Download files from the Address Book Server, or submit queries to the Address Book Web Query service.
- Obtain updates to client and device software.
- Allow mobile devices to automatically discover the Front End Servers offering mobility services (e.g., “lyncdiscover.yourdomain.com”).
- Enable push notifications from Office 365 to mobile devices.
Some IT admins would argue that a Reverse Proxy’s final function is to frustrate them! That’s because it handles switching between ports on the same IP address when traffic moves from the public Internet to the internal network.
For example, the Reverse Proxy translates from TCP port 80 on its external side to TCP port 8080 on its internal side. Same IP, different ports. Helps with security…but it’s a pain on a certification exam!
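The port translation described above can be checked mechanically against a proxy's publishing rules. This is an added example, not code from the original post or from any vendor tool; the rule table is constructed, and the 443 → 4443 pair and the `webext.yourdomain.com` hostname are assumptions not stated in the post.

```python
from dataclasses import dataclass

# External listener port -> port of the Front End's *external* web site.
# 80 -> 8080 is the pair named in the post; 443 -> 4443 is the matching
# HTTPS pair in Skype for Business Server defaults (assumption, not from the post).
EXPECTED = {80: 8080, 443: 4443}


@dataclass(frozen=True)
class Rule:
    host: str      # public FQDN the proxy publishes
    ext_port: int  # port the proxy listens on, Internet side
    int_port: int  # port the proxy forwards to, internal side


def audit(rules):
    """Return (host, finding) pairs for rules that break the port translation."""
    findings = []
    for r in rules:
        want = EXPECTED.get(r.ext_port)
        if want is None:
            findings.append((r.host, f"external port {r.ext_port} should not be published"))
        elif r.int_port != want:
            kind = "untranslated" if r.int_port == r.ext_port else "wrong target"
            findings.append((r.host, f"{kind}: {r.ext_port} -> {r.int_port}, expected {want}"))
    # Check assumed by this example: every published host has a rule on 443.
    https_hosts = {r.host for r in rules if r.ext_port == 443}
    for host in sorted({r.host for r in rules} - https_hosts):
        findings.append((host, "no rule on external port 443"))
    return findings


# Constructed rule set; the first two hostnames follow the post's examples,
# and webext.yourdomain.com is a hypothetical external web services name.
SAMPLE_RULES = [
    Rule("meet.yourdomain.com", 443, 4443),
    Rule("meet.yourdomain.com", 80, 8080),
    Rule("lyncdiscover.yourdomain.com", 443, 443),  # forwarded unchanged
    Rule("lyncdiscover.yourdomain.com", 80, 8080),
    Rule("webext.yourdomain.com", 8080, 8080),      # internal port exposed
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_RULES):
        print(f"{host}: {finding}")
```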
Other Servers Reverse Proxy Communicates With
Front End Server/Front End Pool. The Reverse Proxy communicates primarily with your Front End Server. It is publishing some of the Front End’s services out to the public Internet, and funneling in requests from external users to use those services.
Director/Director Pool. If your Skype for Business topology has a Director, the Reverse Proxy will publish its external Web services (e.g. Autodiscover) as well.
Edge Server. The Reverse Proxy also sits in the perimeter network, between the external and internal DMZs. It and the Edge Server have distinct roles, but the two must act in concert.
Without the Edge Server authenticating some external users, the Reverse Proxy could accidentally provide a Skype4B mobile service to the wrong user (or not at all!).
Load Balancer. Depending on where you use load balancing, the Reverse Proxy may need to talk to yours. Otherwise it could deprive some external users of the access they need. I’ll address this in the Load Balancers post.
Firewall. Since the Reverse Proxy uses two sets of ports matched to IP addresses, your firewall needs to play nice with it. Otherwise you’ll have some very locked-out (and upset) users outside the office!
Is One Reverse Proxy Server Enough?
In most cases, one Reverse Proxy per Skype for Business topology is enough. I checked with a co-worker regarding one hybrid deployment we did early last year. This customer has satellite offices and job site trailers…their external users easily outnumber internal users about 4 to 1. Yet they only have one Reverse Proxy, and report no bandwidth issues or delays.
That said, I can think of two situations where two or more Reverse Proxies may make sense:
- A high-availability global on-prem deployment.
- More than one perimeter network exists in your organization.
Reverse Proxy is What Makes Skype Meetings Happen Anywhere
Since the Reverse Proxy is not a Skype4B Server Role, I’m not sure what will happen to it with the Teams merger. It could continue to provide the same external publishing & regulation function as it does now. Teams would certainly need such services for guest users and remote workers. I’ll keep it in mind as we hear more about Teams.
Additional Reverse Proxy Resources:
Reverse Proxy 101 – Perficient Blogs
Edge Server System Requirements in Skype for Business Server 2015 – TechNet
Plan for Mobility for Skype for Business Server 2015 – TechNet
In the next “How it Fits” post I’ll address Load Balancers. What Skype for Business/Teams tool should I do after that? Please comment your choice!