People Communicate

Microsoft Unified Communications Blog

Deploying an Edge Server with Lync 2010

For this article I am going to add an Edge server and an XMPP gateway to an existing Lync environment. All articles moving forward will be built on the RTM bits of Lync, but to build the Front End server for this environment I followed the original article here, the only difference is the name of the server and the domain. The lab has the following servers and IPs:

Server Name

Role

IP Address

LyncDC.lyncguy.local

Domain Controller/DNS/CA

10.255.106.160

LyncFE.lyncguy.local

Lync Standard Edition Front End

10.255.106.161

Lyncedge.lyncguy.local

Lync Edge server – not domain joined

10.255.106.162 (internal NIC)

The active directory domain name for this lab is LyncGuy.local, with the public sip domain LyncGuy.com. I prefer to do these labs with different name spaces for AD and the public domain because that is the most common scenario I’ve run into in the real world. To make this work you have to have an internal copy of the public zone and an external copy; this is commonly referred to as “split brain DNS”.

To start with I have to create a copy of my public zone on my internal DNS server so internal clients can reach the Lync server directly. To accomplish this I’ve created the following records in DNS:

Record Type

DNS Entry

IP Address

A

meet.lyncguy.com

10.255.106.161

A

dialin.lyncguy.com

10.255.106.161

A

sip.lyncguy.com

10.255.106.161

We also need to create an SRV record for client automatic sign-in. The new record will be for “_sipinternaltls._tcp.lyncguy.com” and will point to sip.lyncguy.com on port 5061.

clip_image001

***Note – you can utilize another name here such as the Front End servers name, however the domain must match the sip domain. You also must have a SAN entry on the front end certificate to match this entry***

clip_image002

Now that our DNS zone is in order we can plan for our edge server. In this example I will be using 1 internal IP, 3 DMZ IPs and 3 Public IPs. Instead of placing the public IPs directly on the edge servers public NIC, I will NAT the public IPs to the private IPs with my lab ASA. I’ve also matched the last octet of the address to make it easier to manage at a glance.

Public Name

Public IP

DMZ IP

Sip.lyncguy.com

XX.102.182.163

10.255.110.163

Webconf.lyncguy.com

XX.102.182.164

10.255.110.164

Av.lyncguy.com

XX.102.182.165

10.255.110.165

Here is what the design looks like:

clip_image003

To start we need to add an edge to our topology, on the front end server (lyncfe) open “Lync Server Topology Builder”. Then we need to expand our topology, right click “Edge Pools” and choose “New Edge Pool”

clip_image004

Click “Next” on the “Define Edge Pool” page

clip_image005

Enter the FQDN you will be using for your edge and select “Single Computer Pool”

clip_image006

Next we have a screen offering 3 options:

§ “Use a Single FQDN & IP Address” – this option will not be selected because we have plenty of public IPs to use. If you only have 1 IP this is a good option – however this will force you to use ports other than 443 which aren’t always open outbound from corporate networks and may cause usability issues on networks you cannot control.

§ “Enable Federation (port 5061) – this option will configure the edge server to listen on port 5061 of the access edge IP for inbound federation traffic from other Lync and OCS environments

§ “The external IP address of this edge pool is translated by NAT” – this option tells Lync the IP addresses on the outside interface of the edge are not the actual public IP addresses. Putting the edge behind another firewall can give an extra layer of security and help prevent the server from being compromised.

For this scenario we have selected “Enable Federation (port 5061)” and “The external IP address of this edge pools is translated by NAT”

clip_image007

Next we define our public names for the edge roles, notice all roles use port 443. I would highly recommend using this method if possible.

clip_image008

Now we set the IP address for the internal network of our edge server. In this scenario I have placed the internal NIC on the same subnet as the domain controller and front end server. Because of limited resources in my lab I have configured the environment this way, whenever possible I recommend placing this NIC in another DMZ that has a higher security level than the DMZ for the outside interfaces.

clip_image009

At this point we specify the DMZ IP addresses of our edge server

clip_image010

In the next box we will enter the Public IP address of the A/V edge services (av.lyncguy.com). In OCS 2007 R2 we had to make sure the edge server could resolve the public name to the public IP, however, this box allows that requirement to be removed and we can just enter the IP here.

clip_image011

Next we select our next hop server (the front end server)

clip_image012

clip_image013

Next we click “Finish” and the wizard completes, we can now see our newly defined edge server in the Topology.

clip_image014

Now we can publish our topology.

clip_image015

clip_image016

clip_image017

Before we move on to working on the edge server we need to open the Lync Server Control Panel and configure our External User Access policies.

Under External Access Policy>Global Policy: Modify the existing policy to allow remote user access, federation and public IM connectivity (all of these are optional). Click “Commit” when you have selected the options that are right for your environment

clip_image018

Now under Access Edge Configuration>Global Policy: Modify the existing policy to Enable Federation, remote user access and anonymous access to meetings. I’ve also enabled dynamic domain discovery. This allows our Lync users to automatically add Lync/OCS users from other environments without requiring administrative configuration. This option may not be right for all environments, if it isn’t right for your environment you’ll want to use the “Federated Domains” tab to define the allowed domains and uncheck this option. Next click “Commit”

clip_image019

Now that our environment is ready, we need to export the topologies configuration to a file which we we’ll import during the Edge install. On the front end server open “Lync Server Management Shell” and run the command:

Export-csconfiguration –filename c:\topology_export.zip

clip_image020

The file “topology_export.zip” will now be on the C drive of your front end server. This file will need to be copied to the edge server.

clip_image021

Now that the topology has been updated we need to log into our edge server and configure it.

First we need to make sure that all the IP Addresses get assigned to the appropriate NIC.

On the internal NIC we will use only an IP Address and subnet mask, we cannot put a default gateway on this interface.

clip_image022

Next, on the external NIC we will fill in an IP address, subnet mask, default gateway and DNS, do not click “OK” yet

clip_image023

We also need to bind our other 2 IP addresses to the external NIC, to do this click the “Advanced” button and then click “Add” under “IP Addresses” and add each IP address

clip_image024

At this point we’ll want to add a route back to any internal networks the internal NIC. For this example I will be adding a route back to an internal network of 10.255.200.0/24, this could be another client or server subnet that the edge server will need to know how to route to. The edge’s internal interface must be able to route to all internal networks via a gateway on the same network as its internal NIC, so if you have multiple networks you will have to add them all. To do this we will use the route add command from a command prompt (Run As Administrator):

Route add –p 10.255.200.0 mask 255.255.255.0 10.255.106.1

The “-p” portion of this command makes the route persistent, “10.255.106.1” is the next hop router to reach the other internal networks.

clip_image025

Next we need to configure hostname of our edge server. When we configure this value we must also add a primary DNS suffix. This is different than adding the computer to the domain, but it does tell the computer it’s full name (i.e. LyncEdge.lyncguy.local).

clip_image026

clip_image027

Once you have updated the name and primary DNS suffix and you click “OK” you will be prompted to reboot the edge server.

While the edge server is rebooting we can add a DNS entry on the domain controller so all internal resources know how to reach the server by its “FQDN” – it’s not actually an FQDN because it isn’t domain joined, but the rest of the systems will need to be able to route to it like it is.

clip_image028

Once the edge has rebooted we will need to add the feature “Microsoft .NET Framework 3.5”, to do this open Server Manager, go to Features, click “Add Features” and choose “Microsoft .NET Framework 3.5”.

clip_image029

You can click “next” through all other screens and then click “Install”. Once the install completes we can move on to starting the Lync install. First we need to copy the topology_export.zip file created above to the C drive of the edge server.

Now we can run the CD, we will immediately be prompted to install the “Microsoft Visual C++ 2008 Redistributable”, click OK here:

clip_image030

The install window for Lync will pop up when the C++ install completes

clip_image031

Click “Install” and then accept the terms and click “OK”

Now we are back in the familiar Lync Server Deployment Wizard

clip_image032

Click on “Install or Update Lync Server System”

Under Step 1 we click “Run”

clip_image033

Select the topology_export.zip file from the C drive and click “Next”. This will allow the edge server to gather its settings from the export file.

clip_image034

A number of pre-requisites are installed at this point. When this completes click “Finish”

clip_image035

Now click “Run” under Step 2

clip_image036

Click “Next” and a number of pre-requisites are installed

clip_image037

Once the install completes we can open up the Services snap-in and see the Lync Services are now present

clip_image038

Before we can move on to Step 3 (Requesting Certificates), we need to make it possible for the edge server to resolve names of the internal servers it will talk to. This will include the CA because we will need to request the certificate for the internal interface from the internal CA. Also, we will need to trust the internal CA so we will need to export its certificate and install it on the edge server.

To allow the edge server to resolve some internal names but not all we have a few options, a DNS server in the DMZ is one, but for this article we will be editing the host file. The reason I’ve chosen not to utilize the internal DNS servers is to limit the number of servers the edge server can look up in case it is compromised.

The host file is located at “C:\windows\system32\drivers\etc”, the best method of editing this file is to run Notepad as administrator and then open this file (You’ll have to switch to “All Files” in the file type selection box)

clip_image039

For this scenario I will add entries for the CA and the Front End server:

clip_image040

Now that we can resolve the CA, we’ll use the web enrollment page to download the Root CA chain.

Open IE and go to https://lyncdc.lyncguy.local/certsrv, you may have to authenticate, if you do use your domain account. Click on “Download a CA Certificate, Certificate Chain, or CRL”

clip_image041

Click on “Download CA Certificate”

clip_image042

Save the file to the desktop or another location on the edge server.

Open the certificates snap-in for the local computer, expand “Trusted Root Certificate Authorites”, right click “Certificates” and choose “Import”

clip_image043

Browse to the file you download in the last step and click “Open”

clip_image044

This will import the certificate into the trusted store for the local computer.

Now we move on to Step 3 in the Deployment Wizard, requesting and installing certificates

Highlight “Edge Internal” and click “Request” – this will allow us to request the certificate for our internal communications between the edge server and the front end.

clip_image045

I won’t cover every step in this wizard; you should be using all defaults here other than information specific to your environment. I will however strongly suggest you do not add any SANs to this certificate. One other thing of note, you will want to do this certificate request online, specifying your internal CA as show below

clip_image046

You will also have to provide domain credentials to request the certificate

clip_image047

Once the request is completed the wizard will automatically take you to the next wizard to assign the certificate. Again, this is a next-next-finish scenario.

Because this is a lab scenario and I will not be requesting public certificates I will just re-run this wizard select “External Edge Certificate” for the second certificate. If you are using public certificates you will want to choose “Prepare Request now but send later (offline request)” for your request.

clip_image048

***One important difference between OCS 2007 R2 and Lync is the edge roles can now all share one certificate with a subject (CN) of only the access edge, you no longer need to re-generate the certificate for each role, utilizing that roles FQDN as the subject name. For information on how that worked in OCS 2007 R2 please see this article***

The new certificate will have the following fields automatically, unless you are configuring multiple sip domains there is no need to modify this or add additional SANs.

Subject (Common Name)

Sip.lyncguy.com

SAN 1

Webconf.lyncguy.com

SAN2

Sip.lyncguy.com

Now we can run Step 4 to start the services and our edge server should be up and running.

Once this process is complete the NATs and access lists must be created on the firewall to allow the appropriate traffic in and out. I have only covered the inbound rules in the table below, please see the edge server documentation or the Lync Server Planning Tool for more detail.

Rule 1

Public IP

Private IP

Allowed Protocol – Port

Access Edge (client access)

XX.102.182.163

10.255.110.163

TCP – 443

Access Edge (federation)

XX.102.182.163

10.255.110.163

TCP – 5061

Web Conferencing Edge

XX.102.182.164

10.255.110.164

TCP – 443

A/V Edge

XX.102.182.165

10.255.110.165

TCP – 443

A/V Edge

XX.102.182.165

10.255.110.165

UDP – 3478

A/V Edge

XX.102.182.165

10.255.110.165

TCP – 50,000 through 59,999

A/V Edge

XX.102.182.165

10.255.110.165

UDP – 50,000 through 59,999

After the firewall changes are made we need to create the A records for each of our services on the public DNS server

Record Type

Name

IP Address

A

Sip.lyncguy.com

XX.102.182.163

A

Webconf.lyncguy.com

XX.102.182.164

A

Av.lyncguy.com

XX.102.182.165

You will also need to create an SRV record for auto sign-in on the domain and federation. For automatic sign-in you can create an SRV record for _sip._tls.lyncguy.com pointing to your access edge server (sip.lyncguy.com) on port 443. For federation you will need to createn an SRV record for _sipfederationtls._tcp.lyncguy.com pointing to your access edge server on port 5061.

Now we can test the server using https://www.testocsconnectivity.com/ and get ready to deploy reverse proxy. For that I’m going to point you to Randy Wintle’s article on the subject.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: