Scenarios for reverse proxy in Lync Server 2013

 

Topic Last Modified: 2013-01-21

Reverse proxies are required in Lync Server 2013 for providing access to services and resources such as the meeting and dial-in Simple URLs, address book, meeting content, distribution list expansion, mobility services, and others. The typical reverse proxy scenario in Lync Server 2013 is to allow external clients (for example, the desktop client or Lync Web App client) access to the Director or Front End Server external Web Services.

Reverse proxy and external web services


During the planning phase, you define the requirements for the reverse proxy in a Lync Server 2013 deployment. The reverse proxy enables access to features for the following external clients:

  • Microsoft Lync 2013 desktop client

  • Microsoft Lync Web App

  • Microsoft Lync Mobile

  • Lync Windows Store app

When planning your Lync Server 2013 deployment, you map the actual requirements for Lync Server 2013 to the reverse proxy features.

  1. External clients connect to the reverse proxy on port TCP 443 and use Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Microsoft Lync Mobile clients can connect on port TCP 80, but only when performing the initial connection to the Lync discover services, and only when the administrator has configured the proper Domain Name System (DNS) CNAME (or alias) records and accepts that this communication will not be encrypted.

  2. Lync Server 2013 external web services (deployed on the Front End Server and/or the Director) expect a connection from the reverse proxy on port TCP 4443 and expect that connection to use SSL/TLS.

    Important

    The suggested default listening ports for the external web services are TCP 8080 for HTTP traffic and TCP 4443 for HTTPS traffic. Topology Builder provides an opportunity to override the defaults and define your own listening ports for the external web services. It's important to note that the reverse proxy communicates with the external web services, and the external clients communicate with the reverse proxy. The external client communicates with the reverse proxy on port TCP 443, but you can redefine the port on which the reverse proxy communicates with the external web services. The options in Topology Builder to override the default listening ports for the web services allow you to resolve listening port conflicts that may arise in your infrastructure.

  3. Lync Server 2013 external web services expect an unmodified Host Header from the client to identify what service and web server directory the client is attempting to use. Requests should appear as if they came from the reverse proxy.

  4. The external web services use defined web server virtual directories (vDir) that provide the services offered to clients. Specific externally identifiable web services are:

    • The "Meet" vDir for web conference meetings

    • The "Dialin" vDir for phone access and phone conferencing

    • The "Autodiscover" vDir for Lync Windows Store app, Lync Mobile, and the desktop client Lync 2013. Autodiscover in Lync Server 2013 is known by the DNS name "lyncdiscover".

    • Services not defined are accessed by the external client by direct calls to the external web services. For example, distribution group expansion (DLX) and the address book service (ABS) are accessed by direct calls to the external web services and associated vDirs. The client knows the actual path to the vDir and constructs a uniform resource locator (URL) based on this information. The client would access the address book service using a URL similar to https://externalweb.contoso.com/abs/handler

    • The Office Web Apps Server, when conferencing is defined and configured as part of the Lync Server topology

      Note

      The Office Web Apps Server is a separate role server and is not configured as part of the external web services. This server is separately published for client access.

  5. Define SSL bridging for each service. The external port TCP 443 is mapped to the external web services port of TCP 4443. For unencrypted HTTP, port TCP 80 is mapped to the external web services port TCP 8080.

  6. Plan for reverse proxy listeners to publish web server resources.

  7. Request and configure the certificate for the reverse proxy based on the services that will be offered. If configured with the correct subject alternative names, this certificate can be shared by all configured listeners on the reverse proxy server.
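As an added example (not Microsoft's code and not part of the original page), the Python below audits a set of reverse proxy publishing rules against the requirements in the steps above: the 443 to 4443 and 80 to 8080 bridging, SSL/TLS to the external web services, an unmodified Host header, and subject alternative name coverage on the shared certificate. The `Rule` model, the `audit` and `san_covers` functions, and the sample rules and host names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

DEFAULT_BRIDGE = {443: 4443, 80: 8080}  # listener port -> web services port (step 5)

@dataclass
class Rule:                      # hypothetical model of one publishing rule
    fqdn: str                    # public name the external client requests
    listen_port: int             # port on the reverse proxy
    backend_port: int            # external web services port on Front End/Director
    backend_tls: bool            # True = SSL bridging (re-encrypted to the backend)
    keeps_host_header: bool      # True = client's Host header forwarded unmodified

def san_covers(san, fqdn):
    """Match one SAN entry; a leading '*' covers exactly one leftmost label."""
    san, fqdn = san.lower(), fqdn.lower()
    if san.startswith("*."):
        return fqdn.partition(".")[2] == san[2:]
    return san == fqdn

def audit(rules, cert_sans, overrides=None):
    """Return findings; an empty list means the rules match the plan."""
    bridge = {**DEFAULT_BRIDGE, **(overrides or {})}  # Topology Builder overrides
    findings = []
    for r in rules:
        want = bridge.get(r.listen_port)
        if want is None:
            findings.append(f"{r.fqdn}: unexpected listener port {r.listen_port}")
        elif r.backend_port != want:
            findings.append(f"{r.fqdn}: {r.listen_port} should map to {want}, not {r.backend_port}")
        if not r.keeps_host_header:
            findings.append(f"{r.fqdn}: Host header is rewritten")
        if r.listen_port == 443:
            if not r.backend_tls:
                findings.append(f"{r.fqdn}: backend connection is not SSL/TLS")
            if not any(san_covers(s, r.fqdn) for s in cert_sans):
                findings.append(f"{r.fqdn}: no matching subject alternative name")
    return findings

# Constructed sample data; host names follow the page's contoso.com example.
SANS = ["meet.contoso.com", "dialin.contoso.com", "lyncdiscover.contoso.com"]
RULES = [
    Rule("meet.contoso.com", 443, 4443, True, True),
    Rule("dialin.contoso.com", 443, 443, True, True),          # wrong backend port
    Rule("lyncdiscover.contoso.com", 80, 8080, False, True),   # initial mobile discovery
    Rule("externalweb.contoso.com", 443, 4443, True, False),   # rewrites Host, no SAN
]
if __name__ == "__main__":
    for finding in audit(RULES, SANS):
        print(finding)
```

If the listening ports were changed in Topology Builder, pass the new mapping as `overrides` (for example `{443: 5443}`) so the audit compares against the deployed values.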

Resources available for planning your reverse proxy deployment: