Issue with X-Frame-Options and Lync Server 2013 Simple URLs

I had a customer recently that started getting the following when external users tried to join a Lync meeting they were hosting:

This content cannot be displayed in a frame

To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.

What you can try:

Open this content in a new window


We took a look at the traffic with Fiddler and noticed that in the 200, multiple X-Frame-Options were being returned:

Note: You may need to click on the image above in order to read the text.

I have seen this issue before with some Reverse Proxies that inserted X-Frame-Options and caused the same issue. Barracuda has some information listed here for their Reverse Proxy product. In this case, it wasn't the Reverse Proxy, but instead a configuration change that was made to IIS:

It turns out that their security team recommended that this be added to the external website on all of the Front End Servers. You can find some more information on X-Frame-Options here and here. We did try using ALLOW-FROM instead of SAMEORIGIN, but the same issue still occurred. Once we removed this setting, everything started working again:

Looking at the traffic again in Fiddler, you can see that only one X-Frame-Options is now listed:

Note: You may need to click on the image above in order to read the text.

As you can see, Lync Server 2013 inserts it's own X-Frame-Options headers, and manually configuring some in IIS actually causes issues.