Configure IIS ARR as a reverse-proxy replacement for TMG

From time to time Microsoft tells us to adapt to new technology when old is being de-commissioned. We know that TGM is put to the rest after a long life and that UAG (based on TGM) will continue.

Many of US IT-Pros where trying to find a replacement and that fast. Myself tried to Squid path and found it working really well until I had to get Lync 2013 mobile clients working. At that time there where not much on the big naughty internet about ARR together with Exchange nor Lync, the articles that were out there were not 100% accurate or correct so I’m writing an article here.

What you need
First off – I did not have a great success running AAR on Windows Server 2008 R2. The IIS worker processes just crashed and I couldn’t figure out what was wrong. I had better luck with Windows 2012 and AAR (2.5). Please not that you should not join the server to your domain. The server should be a member server following good “edge” server practice for Lync or Exchange.

First you need to install the pre-requirements.

  • Net Framework 3.51 (Windows Feature)
  • Install your public cert in IIS (We do not cover this as we expect you already know how IIS works or can find that from your SSL provider, your cert should be bound to your default website)
  • IIS Server (Windows Role)
  • IIS AAR (

Note that the ARR extension will install the Microsoft Web Platform from where you will add the IIS ARR extension.

Launch “Web platform installer” and search for the Application Request routing 2.5″:


After installing launch your IIS Manager, if ARR where successfully installed you will find a new section called “Server Farms” in your three view:

(Your server farm will be empty on a clean installation)

Setting up a new server farm.
A first action will be to add your Lync server to the farm. You need to add your FE server(s) to the Server farm by right-click and select “Create Server Farm”. Give the server farm a friendly name to identify the farm in your IIS admin panel:

My server farm is just called Lync FrontEnd farm to describe the servers in the farm in a friendly way.

Add servers to your farm.
Next you need to add your server(s) to your farm. As this is in my lab I only have one FE server to add. In the example below I have used the IP-address but a hostname would also work.

Make sure you change the ports to 8080 and 4443 as these are the ports the FE servers use for external access. On the last step you will be asked to create a default rule, select “Yes” here if you don’t know what the option will do for you.

Now let’s create a new pool to give access to Office Web Apps (If you have not installed office web app and do not need that in your Lync environment you can skip this step)

Your office web app server farm does not require you to change any ports.

Create your rewrite rules.
You need to create rewrite rules in IIS to forward the traffic to your ARR installation. Rewrite rules are created in the root of your IIS installation not In the Sites-Default Site.

Navigate to the URL Rewrite section at the root level:


When you launched the URL Rewrite section you could edit the default rules if you answered “Yes” to the question to pre-create rules when you created your pool. The name if the rules folder would be “ARR_[Friendly name of the farm]”. You only need to double-click on the folder name to open the Edit Inbound Rule panel. Change the rules according to his:

As you can see we will use a rule for our Web service URL (In this case it’s called “Lync”) and for our meet and dial in URLs. Your action need to be “Route to Server Farm”. If you do not have this option you have selected the URL Rewrite on your default site and therefore not followed our guide (Bad, bad!)

Make sure proxy is enabled.
I agree that this could have been one of the first steps but I’d wanted to show the action first. Now you need to browse to your server farm you just created and look at the root level:

Here you need to configure the following sections:


Make sure all settings are off.


Configure your settings as above.

Routing rules

Configure your settings as above.

Reset your IIS config.
This would be described as “best practice” with IIS and I have done this for several years just to be on the “safe side”, run iisreset from the command prompt to reset IIS to load your changes in AAR. If you need to change settings in AAR specifically you do not need to reset iis but the first time it is a good thing to do.

Test your config.
You can now start testing your dial in and meet URLs to see if they work. Your dial in URL do not require any auth and will be available even if you have not configured any dial in numbers. Your meet url will not work if you have not any conferences running so create a “Meet now” conference and test if your URL works. Of course you need to add your hostnames to you dns server(Externally) depending on your DNS setup and is outside the scope of this article.

Direktorn Comments


Pin It

Leave a Reply