Lync publishing on UAG

Following SP1 Update 1, UAG now supports publishing of Lync. There are, however, some important considerations to follow regarding the trunk configuration and the certificates used.

Even though the Lync application can be added to ANY trunk, a common scenario is the need to invite guests to a meeting. Naturally, few organizations can provision a login to each guest, so in such a case, it may be beneficial to create an unauthenticated trunk for the Lync application. Since you typically would have other apps (like SharePoint or Exchange) only for corporate users, you would want these on a regular, authenticated trunk, and publish the Lync application on a separate trunk, which has been set to be unauthenticated:


If you do proceed with an unauthenticated trunk, keep in mind that you need to set two registry keys to enable pass-through authentication:



Set both keys to 1, then activate your configuration and perform an IISRESET.

Another consideration is the certificate. Most organizations prefer to use wildcard certificates, as they are a more economical solution when there’s a need for multiple public hostnames. However, Lync publishing has some limitations regarding wildcard certificates. To publish Lync to the internet, the organization would require a SAN certificate (a single certificate which has multiple hostnames embedded into it). The SAN certificate would have to accommodate the following 4 URLs:

1. UAG’s trunk URL

2. Lync’s primary publishing URL

3. Lync’s meet URL

4. Lync’s dialin URL

In addition, you may want to include additional names, if the UAG trunk will be used for additional applications like SharePoint. However, when purchasing the certificate, it’s important to make sure the primary URL in the certificate, which appears in the certificate’s subject field, is Lync’s primary publishing URL (2 above) and not any of the other URLs. For example, here’s a certificate that has been configured correctly:


Above, “” is the primary public URL for Lync (left) and “”, “” and “” are the UAG public hostname and the secondary URLs for Lync (right), respectively. Here they are in the UAG configuration:


Naturally, if you use two trunks on the UAG, you can have a regular wildcard certificate for the trunk that does not publish Lync, and the specially-created SAN certificate for the Lync trunk.
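The naming rules above can be checked before a certificate is bound to the Lync trunk. The following Python sketch is an added example, not part of the original post or of UAG: it verifies that the subject is Lync's primary URL and that all four names are present. The `example.com` hostnames and the function names are assumptions made for illustration.

```python
import socket
import ssl

def fetch_cert(host, port=443):
    """Return the served certificate as the dict produced by getpeercert()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_lync_cert(cert, trunk, lync_primary, meet, dialin):
    """Return a list of problems; an empty list means the names line up."""
    cns = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    subject_cn = cns[-1] if cns else None
    problems = []
    if subject_cn != lync_primary.lower():
        problems.append("subject is %r, expected Lync primary URL %r"
                        % (subject_cn, lync_primary))
    covered = sans | set(cns)
    required = (("UAG trunk", trunk), ("Lync primary", lync_primary),
                ("Lync meet", meet), ("Lync dialin", dialin))
    for label, host in required:
        # Exact match only: a wildcard entry is not counted as covering a name.
        if host.lower() not in covered:
            problems.append("%s name %r is not in the certificate" % (label, host))
    return problems

# Constructed sample data (example.com placeholders, not from the original post).
NAMES = dict(trunk="uag.example.com", lync_primary="lync.example.com",
             meet="meet.example.com", dialin="dialin.example.com")
GOOD = {"subject": ((("commonName", "lync.example.com"),),),
        "subjectAltName": (("DNS", "lync.example.com"), ("DNS", "uag.example.com"),
                           ("DNS", "meet.example.com"), ("DNS", "dialin.example.com"))}
# Wrong primary name, and dialin covered only by a wildcard entry.
BAD = {"subject": ((("commonName", "uag.example.com"),),),
       "subjectAltName": (("DNS", "uag.example.com"), ("DNS", "lync.example.com"),
                          ("DNS", "meet.example.com"), ("DNS", "*.example.com"))}

if __name__ == "__main__":
    for name, cert in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_lync_cert(cert, **NAMES) or "ok")
```

To check a certificate that is already deployed, pass the result of `fetch_cert()` for your own public hostname to `check_lync_cert()` in place of the sample dictionaries.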

For more information, the following link discusses the certificate fields for Lync publishing:

Blog post written by Erez Ben Ari

Props to Yan Mintz and Robby C. for their help with this guide!