For this article and the next I am going to add an Edge server and an XMPP gateway to an existing Lync environment. All articles moving forward will be built on the RTM bits of Lync, but to build the Front End server for this environment I followed the original article here, the only difference is the name of the server and the domain. The lab has the following servers and IPs:
|Server Name||Role||IP Address|
|LyncFE.lyncguy.local||Lync Standard Edition Front End||10.255.106.161|
|Lyncedge.lyncguy.local||Lync Edge server – not domain joined||10.255.106.162 (internal NIC)|
The active directory domain name for this lab is LyncGuy.local, with the public sip domain LyncGuy.com. I prefer to do these labs with different name spaces for AD and the public domain because that is the most common scenario I’ve run into in the real world. To make this work you have to have an internal copy of the public zone and an external copy; this is commonly referred to as “split brain DNS”.
To start with I have to create a copy of my public zone on my internal DNS server so internal clients can reach the Lync server directly. To accomplish this I’ve created the following records in DNS:
|Record Type||DNS Entry||IP Address|
We also need to create an SRV record for client automatic sign-in. The new record will be for “_sipinternaltls._tcp.lyncguy.com” and will point to sip.lyncguy.com on port 5061.
***Note – you can utilize another name here such as the Front End servers name, however the domain must match the sip domain. You also must have a SAN entry on the front end certificate to match this entry***
Now that our DNS zone is in order we can plan for our edge server. In this example I will be using 1 internal IP, 3 DMZ IPs and 3 Public IPs. Instead of placing the public IPs directly on the edge servers public NIC, I will NAT the public IPs to the private IPs with my lab ASA. I’ve also matched the last octet of the address to make it easier to manage at a glance.
|Public Name||Public IP||DMZ IP|
Here is what the design looks like:
To start we need to add an edge to our topology, on the front end server (lyncfe) open “Lync Server Topology Builder”. Then we to expand our topology, right click “Edge Pools” and choose “New Edge Pool”
Click “Next” on the “Define Edge Pool” page
Enter the FQDN you will be using for your edge and select “Single Computer Pool”
Next we have a screen offering 3 options:
- “Use a Single FQDN & IP Address” – this option will not be selected because we have plenty of public IPs to use. If you only have 1 IP this is a good option – however this will force you to use ports other than 443 which aren’t always open outbound from corporate networks and may cause usability issues on networks you cannot control.
- “Enable Federation (port 5061) – this option will configure the edge server to listen on port 5061 of the access edge IP for inbound federation traffic from other Lync and OCS environments
- “The external IP address of this edge pool is translated by NAT” – this option tells Lync the IP addresses on the outside interface of the edge are not the actual public IP addresses. Putting the edge behind another firewall can give an extra layer of security and help prevent the server from being compromised.
For this scenario we have selected “Enable Federation (port 5061)” and “The external IP address of this edge pools is translated by NAT”
Next we define our public names for the edge roles, notice all roles use port 443. I would highly recommend using this method if possible.
Now we set the IP address for the internal network of our edge server. In this scenario I have placed the internal NIC on the same subnet as the domain controller and front end server. Because of limited resources in my lab I have configured the environment this way, whenever possible I recommend placing this NIC in another DMZ that has a higher security level than the DMZ for the outside interfaces.
At this point we specify the DMZ IP addresses of our edge server
In the next box we will enter the Public IP address of the A/V edge services (av.lyncguy.com). In OCS 2007 R2 we had to make sure the edge server could resolve the public name to the public IP, however, this box allows that requirement to be removed and we can just enter the IP here.
Next we select our next hop server (the front end server)
Next we click “Finish” and the wizard completes, we can now see our newly defined edge server in the Topology.
Now we can publish our topology.
Before we move on to working on the edge server we need to open the Lync Server Control Panel and configure our External User Access policies.
Under External Access Policy>Global Policy: Modify the existing policy to allow remote user access, federation and public IM connectivity (all of these are optional). Click “Commit” when you have selected the options that are right for your environment
Now under Access Edge Configuration>Global Policy: Modify the existing policy to Enable Federation, remote user access and anonymous access to meetings. I’ve also enabled dynamic domain discovery. This allows our Lync users to automatically add Lync/OCS users from other environments without requiring administrative configuration. This option may not be right for all environments, if it isn’t right for your environment you’ll want to use the “Federated Domains” tab to define the allowed domains and uncheck this option. Next click “Commit”
Now that our environment is ready, we need to export the topologies configuration to a file which we we’ll import during the Edge install. On the front end server open “Lync Server Management Shell” and run the command:
Export-csconfiguration –filename c:\topology_export.zip
The file “topology_export.zip” will now be on the C drive of your front end server. This file will need to be copied to the edge server.
Now that the topology has been updated we need to log into our edge server and configure it.
First we need to make sure that all the IP Addresses get assigned to the appropriate NIC.
On the internal NIC we will use only an IP Address and subnet mask, we cannot put a default gateway on this interface.
Next, on the external NIC we will fill in an IP address, subnet mask, default gateway and DNS, do not click “OK” yet
We also need to bind our other 2 IP addresses to the external NIC, to do this click the “Advanced” button and then click “Add” under “IP Addresses” and add each IP address
Because the edge server may attempt to register the other IP addresses in DNS, I typically uncheck the
At this point we’ll want to add a route back to any internal networks the internal NIC. For this example I will be adding a route back to an internal network of 10.255.200.0/24, this could be another client or server subnet that the edge server will need to know how to route to. The edge’s internal interface must be able to route to all internal networks via a gateway on the same network as its internal NIC, so if you have multiple networks you will have to add them all. To do this we will use the route add command from a command prompt (Run As Administrator):
Route add –p 10.255.200.0 mask 255.255.255.0 10.255.106.1
The “-p” portion of this command makes the route persistent, “10.255.106.1” is the next hop router to reach the other internal networks.
Next we need to configure hostname of our edge server. When we configure this value we must also add a primary DNS suffix. This is different than adding the computer to the domain, but it does tell the computer it’s full name (i.e. LyncEdge.lyncguy.local).
Once you have update the name and primary DNS suffix and you click “OK” you will be prompted to reboot the edge server.
While the edge server is rebooting we can add a DNS entry on the domain controller so all internal resources know how to reach the server by its “FQDN” – it’s not actually an FQDN because it isn’t domain joined, but the rest of the systems will need to be able to route to it like it is.
Once the edge has rebooted we will need to add the feature “Microsoft .NET Framework 3.5”, to do this open Server Manager, go to Features, click “Add Features” and choose “Microsoft .NET Framework 3.5”.
You can click “next” through all other screens and then click “Install”. Once the install completes we can move on to starting the Lync install. First we need to copy the topology_export.zip file created above to the C drive of the edge server.
Now we can run the CD, we will immediately be prompted to install the “Microsoft Visual C++ 2008 Redistributable”, click OK here:
The install window for Lync will pop up when the C++ install completes
Click “Install” and then accept the terms and click “OK”
Now we are back in the familiar Lync Server Deployment Wizard
Click on “Install or Update Lync Server System”
Under Step 1 we click “Run”
Select the topology_export.zip file from the C drive and click “Next”. This will allow the edge server to gather its settings from the export file.
A number of pre-requisites are installed at this point. When this completes click “Finish”
Now click “Run” under Step 2
Click “Next” and a number of pre-requisites are installed
Once the install completes we can open up the Services snap-in and see the Lync Services are now present
Before we can move on to Step 3 (Requesting Certificates), we need to make it possible for the edge server to resolve names of the internal servers it will talk to. This will include the CA because we will need to request the certificate for the internal interface from the internal CA. Also, we will need to trust the internal CA so we will need to export its certificate and install it on the edge server.
To allow the edge server to resolve some internal names but not all we have a few options, a DNS server in the DMZ is one, but for this article we will be editing the host file. The reason I’ve chosen not to utilize the internal DNS servers is to limit the number of servers the edge server can look up in case it is compromised.
The host file is located at “C:\windows\system32\drivers\etc”, the best method of editing this file is to run Notepad as administrator and then open this file (You’ll have to switch to “All Files” in the file type selection box)
For this scenario I will add entries for the CA and the Front End server:
Now that we can resolve the CA, we’ll use the web enrollment page to download the Root CA chain.
Open IE and go to https://lyncdc.lyncguy.local/certsrv, you may have to authenticate, if you do use your domain account. Click on “Download a CA Certificate, Certificate Chain, or CRL”
Click on “Download CA Certificate”
Save the file to the desktop or another location on the edge server.
Open the certificates snap-in for the local computer, expand “Trusted Root Certificate Authorites”, right click “Certificates” and choose “Import”
Browse to the file you download in the last step and click “Open”
This will import the certificate into the trusted store for the local computer.
Now we move on to Step 3 in the Deployment Wizard, requesting and installing certificates
Highlight “Edge Internal” and click “Request” – this will allow us to request the certificate for our internal communications between the edge server and the front end.
I won’t cover every step in this wizard; you should be using all defaults here other than information specific to your environment. I will however strongly suggest you do not add any SANs to this certificate. One other thing of note, you will want to do this certificate request online, specifying your internal CA as show below
You will also have to provide domain credentials to request the certificate
Once the request is completed the wizard will automatically take you to the next wizard to assign the certificate. Again, this is a next-next-finish scenario.
Because this is a lab scenario and I will not be requesting public certificates I will just re-run this wizard select “External Edge Certificate” for the second certificate. If you are using public certificates you will want to choose “Prepare Request now but send later (offline request)” for your request.
***One important difference between OCS 2007 R2 and Lync is the edge roles can now all share one certificate with a subject (CN) of only the access edge, you no longer need to re-generate the certificate for each rule, utilizing that roles FQDN as the subject name. For information on how that worked in OCS 2007 R2 please see this article***
The new certificate will have the following fields automatically, unless you are configuring multiple sip domains there is no need to modify this or add additional SANs.
|Subject (Common Name)||Sip.lyncguy.com|
Now we can run Step 4 to start the services and our edge server should be up and running.
Once this process is complete the NATs and access lists must be created on the firewall to allow the appropriate traffic in and out. I have only covered the inbound rules in the table below, please see the edge server documentation or the Lync Server Planning Tool for more detail.
|Rule 1||Public IP||Private IP||Allowed Protocol – Port|
|Access Edge (client access)||XX.102.182.163||10.255.110.163||TCP – 443|
|Access Edge (federation)||XX.102.182.163||10.255.110.163||TCP – 5061|
|Web Conferencing Edge||XX.102.182.164||10.255.110.164||TCP – 443|
|A/V Edge||XX.102.182.165||10.255.110.165||TCP – 443|
|A/V Edge||XX.102.182.165||10.255.110.165||UDP – 3478|
|A/V Edge||XX.102.182.165||10.255.110.165||TCP – 50,000 through 59,999|
|A/V Edge||XX.102.182.165||10.255.110.165||UDP – 50,000 through 59,999|
After the firewall changes are made we need to create the A records for each of our services on the public DNS server
|Record Type||Name||IP Address|
You will also need to create an SRV record for the domain, for that you can create a record for _sip._tls.lyncguy.com pointing to your access edge server (sip.lyncguy.com) on port 443.