Lync 2013 – KEMP Appliance as a Reverse Proxy WITH HIGH AVAILABILITY – Configuration Guide

Morning All

Following on from the previous post on using a KEMP Appliance as a reverse proxy, for this post im going to continue and run through how you set up multiple KEMP appliances in a HA scenario for Reverse Proxy’ing for Lync 2013. <It will also work for Lync 2010 as well>

As usual in my lab i will be using Lync 2013 SE. I will also be using 2x KEMP VLM100 Virtual Appliances with thanks to KEMP for the Licensing.

***If you are looking on how to set up a single KEMP Appliance as a RP please revert back to my previous blog posting here

Ok to set the scene. As i have a stated a Lync 2013 SE running on windows 2012. My DC is 2008r2, My Lync client machine is Win7.
I have my single KEMP appliance running and moving forward im now going to add a second appliance into the mix for HA.


Spin up the VLM of the second appliance and provide another IP address


The above image is the appliance on start up of the VM. Using the IP address specified on the image, using Firefox, Safari or Other navigate to that IP address and login using the username bal and password 1fourall. Then if needed add you license.


you will then be prompted with the home page of the appliance


–field notes

IP address of KEMP1 is and KEMP2 is

Now lets jump back to the first KEMP1 appliance and select system configuration, miscellaneous then HA parameters


select single HA in the drop down option, then accept the OK, and all the messages including the reboot option.


on reboot re-log back in using the same ip address which you set before. (in my case 1928.168.1.223)

Once logged into you will see a couple of new symbols stating that the first server is primed as HA1 applicance


now selecting the eth1 again we will go ahead and select/add our Ip addresses for both the first and second KEMP applicance

in my lab case i have set my IP address to (think of this as a sudo IP address which you set to administrator your appliances as once they are completely set up in HA mode you never go back into a individual appliance you set them from the .240 IP and this replicates to both Appliances)


At this point im happy with the first KEMP1 appliance and also im happy with my sudo IP. so know its time to add the second KEMP2 appliance into the HA pairing.

again using IE or other, navigate to the IP address you have for the second appliance. (in my case its


now like we did with the first appliance we need to select system configuration, miscellaneous, HA perimeters.

Then using the drop down select seconds HA


accept the prompt to add the second appliance into HA


now lets jump back to our sudo IP address and once the second appliance is rebooted you will see two green symbols stating the HA is set up, configured and working.


thats it.. I must say its slick and simple to set up. Well done KEMP

My lab is fully HA for Lync Reverse Proxy

Thanks for looking

Iain Smith

Lync 2013 – Using a KEMP Appliance as a Reverse Proxy – Installation / Configuration Guide

Hello All.

Now with the disappearance of the TMG appliance that we all came to love and loath, there are only a few options out there for using as a reverse proxy for Lync. The few i think  are

  1. Windows Server using IIS AAR for Proxy’ing
  2. KEMP Appliance / Virtual Machine
  3. Citrix Netscaler

For me option 1 isnt an option as i personally think using a Windows Server then bending it to be a RP isnt viable and one i wouldn’t suggest to my clients. Option 3 is only a option if you have a citrix netscaler going spare. Again i wouldn’t be rushing out to buy a Citrix Netscaler if i had other options.

That leaves the second option which is my default option for my clients who are looking to purchase a RP. You heard it hear first KEMP will become the default mantra of Reverse Proxy for Lync going forward.

In this blog post Im going to detail how you go about setting up a KEMP Applicance as a reverse Proxy. (Note: The setup is the same for the Kemp Range, but today within this guide i will be using a KEMP VLM100)

To start with you need information from your Lync environment around the external Web services. ie: Name etc. For me, my labs external web service is called

Also i will be requiring a public certificate for the KEMP appliance. There are many public authorities out there which can provide this. <At the time of writing GoDaddy are the most competitive in pricing for UCC Certificates) NOTE: If you have a wildcard certificate this can be used on the RP as well.

If you need information on how to create the certificate request follow the link >

***Please be sure your public cert has the following on it.

Subject Name / Common Name = <Your Lync External Web name> – in my case

SAN Name = <Your Lync External Web name> – e.g. in my case YES Put it in as a SAN as well!!!

SAN Name = <Your Lync ‘meet’ service name – e.g.

SAN Name = <Your Lync ‘dialin’ service name – e.g.

SAN Name = lyncdiscover.<domain> – e.g.

So with our information at hand and our certificate provisioned lets move onto the steps required to setup out Kemp.

ALSO: Typically the KEMP appliance for Lync Reverse Proxy, requires be located within your DMZ and NOT on your internal domain.!

Step 1

The appliance will come with a default IP of .  If your running a virtual KEMP appliance then you will see on the black linux dialog the IP address to which is the node. If you are running a hardware appliance plug an ethernet cable into eth0 on the front of the appliance and navigate to the above IP via a web browser

Once youve select the IP with the browser you will be prompted for a username and password. by default this is

Username = bal

password 1fourall


Step 2 – Base Line configuration

Now we are on the console of the appliance lets start making the base line changes around the IP’s, local users and passwords etc.

From the Home screen, select on the left hand side to ‘System Configuration’


Now select Interfaces, then eth0 and add the IP address to which you will administer the appliance in the future. <for my lab the IP address ive selected is (/24 is the subnet range, so tweak this to suit your needs)


NOTE: once this is complete the appliance will reset itself onto that IP so be sure you can navigate to it.

Again from the Systems Configuration Menu we are now set give the appliance a name. To do this select local DNS Configuration, then hostname Configuration. Now add the hostname of your choice.

In my lab ive called in KEMPRP1


Next we will still using the Local DNS Configuration option – add out local DNS NameServer IP and also the DNS Search Domain name


Next we need to select the Route Management Option from the Menu and select default Gateway.


Jumping further down the left pane menu you need to select ‘system Administration’, then the user management option

At this point to can change the password for the bal account AND also create a new account with a new username. <I personally always create a username and password which only i know as a backup to loosing or someone changing the main account password>


So that is it for the step2 baseline config.

You can if you feel necessary add Logging Config etc. I wont go into enabling that as its simple and straight forward to setup.

Step 3 – Adding a Virtual Server

so jumping back up the menu tree to the top we are now going to create a virtual server. For understanding the virtual server is the DMZ IP address to which the appliance is listening on. e.g your public IP will come inbound to your Firewall, then the firewall should Nat this through to your DMZ on a natted IP address which will match the virtual server IP of your Kemp Appliance.!.

ok so the first step from selecting the virtual service menu is to select ‘Add New’

You will then be prompted for a Virtual Address, which needs to be the DMZ natted IP address! which for my lab is

The port you are attaching to this virtual address is 443 as all traffic bound for the Kemp RP will be routed through 443, Next add a service name as an identifier <LyncMobility>, then the last step the Protocol is TCP.

then click ‘Add this Virtual Service’


You will then automatically jump to the properties page for the Virtual Machine. This is where you do the main config and server creation.

by default you will have the name you gave the service, the service type of HTTP/HTTPS and activate/deactivate Server <Enabled by Default>

Now select to expand standard options.

Now remove the tick for > Transparency

Add put a tick in the > Use Address for Server Nat


Now select to expand the option for SSL Properties

then select the option for SSL Acceleration = Enabled ! NOTE: you will get a warning about no certificate being available for the appliance. just ok this.

Once in the SSL Properties select the reencrypt tick box

now add the public reverse proxy certificate we created earlier by selecting ‘add new’, Also don’t forget to add the intermediate certificate as well


— Ignore advanced Properties as nothing needs changing on this.

— If your appliance has the new ESP option, you can ignore this as well

Now select the expand the Real Server Option, and select Add New


Now dependant on you default gateway you might be required to select an option in the miscellaneous option under network options to allow you to add a Real Server which is not in the default gateway IP range.

once you placed a tick in the option \> Enable non local Real Servers you will then get an option on the real server creation to bypass the check

Back on the adding of the Real Server, ive ticked the option to add a non local server, then added the IP address of my Lync Frontend, then we need to change the port to be 4443 for the internal routing, then we can select add


then select back, once you’ve had acknowledgement of the creation of the real server

last steps now, still on the real server option area select the checked port as 4443 and hit set checked port, then change the HTTP Method from HEAD to GET


Thats it. the set up is complete.

Jump back to Virtual Servers and select View. you will see your service as UP and working.


can from your Lync Mobile client log in with your user credentials.

ALSO you can see from the Home Screen graph traffic routing through


thanks for looking, and i hope it helps some of you out there.

**Special thank you to Bhargav at Kemp for providing my Kemp Licence.!