Issue with X-Frame-Options and Lync Server 2013 Simple URLs
I had a customer recently that started getting the following when external users tried to join a Lync meeting they were hosting:
This content cannot be displayed in a frame
To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.
What you can try:
Open this content in a new window
We took a look at the traffic with Fiddler and noticed that in the 200, multiple X-Frame-Options were being returned:
I have seen this issue before with some Reverse Proxies that inserted X-Frame-Options and caused the same issue. Barracuda has some information listed here for their Reverse Proxy product. In this case, it wasn't the Reverse Proxy, but instead a configuration change that was made to IIS:
It turns out that their security team recommended that this be added to the external website on all of the Front End Servers. You can find some more information on X-Frame-Options here and here. We did try using ALLOW-FROM instead of SAMEORIGIN, but the same issue still occurred. Once we removed this setting, everything started working again:
Looking at the traffic again in Fiddler, you can see that only one X-Frame-Options is now listed:
As you can see, Lync Server 2013 inserts it's own X-Frame-Options headers, and manually configuring some in IIS actually causes issues.