
Dean Suzuki Blog

Title: Building a Lync 2013 Edge Pool
Created: 3/3/2013
Description: One of my teammates was asking how to build the Lync Edge infrastructure. In this post, we'll walk through the build of a Lync 2013 Edge Server. The Edge Server provides the following capabilities:
- External access from the Internet to the Lync capabilities for your users.
- Federation with other companies running Office Communications Server or Lync, so that you can use Lync capabilities with other companies running these technologies.
- Federation with users on public IM clouds (e.g. AOL).
- Federation with users on XMPP clouds (e.g. GoogleTalk).
- Access to web conferences for external users. Lync provides web conferencing and allows participants to join who aren't even on Lync; they can join via the new Lync web access (LWA) client.
Below is a diagram of a typical Lync environment with Lync Edge servers.

References:
- http://www.microsoft.com/en-us/download/details.aspx?id=36823 ; Lync 2013 Planning Tool
- http://technet.microsoft.com/en-us/library/gg398918.aspx ; Deploying External User Access
- http://technet.microsoft.com/en-us/library/gg398447.aspx ; Lync 2013 Planning Documentation
- http://technet.microsoft.com/en-us/library/gg412892.aspx ; Deploying Lync Server 2013
- http://technet.microsoft.com/en-us/library/gg398205.aspx ; Preparing the Infrastructure and Systems
- http://technet.microsoft.com/en-us/library/gg412883.aspx ; Server and Tools Operating System Support
- http://technet.microsoft.com/en-us/library/jj721939.aspx ; Managing Lync Server 2013 Disaster Recovery, High Availability, and Backup Service
- http://technet.microsoft.com/en-us/library/gg398347.aspx ; Planning for Central Site Voice Resiliency

Disclaimer: Contents of this blog and article represent the opinions of Dean Suzuki, and do not reflect the views of my employer. (C) 2012 Dean Suzuki, All Rights Reserved

Procedure:

Table of Contents
1 Planning Your Edge Architecture with the Lync Planning Tool ... 3
2 Build a VM for the Lync Edge server ... 4
3 Name the Server and Set DNS Suffix ... 4
4 Setup Networking ... 5
  4.1 Configure the Internal NIC ... 6
  4.2 Host File Or DNS ... 6
  4.3 Creating Static Routes From Edge Server to Internal ... 6
  4.4 Configure the External NIC ... 8
5 Load Pre-requisites ... 9
6 Run Topology Builder ... 11
7 Take the Configuration to the Edge Server ... 16
8 Run Setup on Lync Edge Server ... 17
9 Creating Certificates on Edge Server ... 19
10 Download the Internal Certificate Chain from the Internal Certificate Authority ... 24
11 Request Internal Certificate ... 26
12 Request the External Certificate ... 30

1 Planning Your Edge Architecture with the Lync Planning Tool


Microsoft has released a tool called the Lync Planning Tool. In an earlier post, I describe how to get and install the tool. I would highly recommend working through the tool and planning out the Lync Edge architecture based upon your requirements. The Lync Edge architecture has many moving parts:
- Lots of IP addresses, VLANs, and networking
- Lots of DNS records
- Lots of certificates
- Lots of ports to open and secure

The Planning Tool helps you understand what you need and simplifies the complexity. Below is a sample picture of a Lync Edge architecture:

Note that there are 4 different subnets in the above picture:
- Internet (131.107.155.x)
- External leg of Edge server (10.45.16.x)
- Internal leg of Edge server (172.25.33.x)
- Internal network (192.168.21.x)

This is the standard best-practice layout. Note that you can double-click the IP addresses used by the tool and enter your own network subnets. You can also change the DNS FQDN hostnames to match your design. In addition, the tool outputs the DNS records, certificates, and firewall ports that need to be configured.

Go to the Edge Admin Report.

Note that there are tabs covering certificates, firewall, and DNS records.

2 Build a VM for the Lync Edge server:


Create a new virtual machine for the Lync 2013 Edge Server. See the earlier posts for building a base Windows 2012 VM. Copy it and make a virtual machine for Lync 2013. Lync 2013 supports Windows 2012. The supported operating systems for Lync 2013 are listed here: http://technet.microsoft.com/en-us/library/gg412883.aspx

3 Name the Server and Set DNS Suffix


Set the hostname of the server. The Edge server should not be joined to the internal AD forest. Some customers may have a DMZ AD forest. If you don't have a DMZ AD forest, then the Edge server should stay in a workgroup.

Deploy the Edge server in a workgroup.

You need to set the DNS suffix of the Edge server. This is normally set when you join the machine to a domain, but this machine won't be joined to the domain. The Topology Builder uses the FQDN of the Edge server, so this FQDN must match the DNS suffix that you are setting here.

4 Setup Networking
The Edge server needs at least 2 physical NICs.

Rename the NICs so that it's easy to identify the internal and external NIC.

4.1 Configure the Internal NIC


Set the IP address

Note: the internal NIC doesn't have a default gateway set.

4.2 Host File Or DNS


In my diagram, I am able to connect to my internal DNS servers. Some organizations don't allow DMZ resources to connect to internal DNS servers. If that is the case in your organization, then you will need to leave the DNS servers field empty and create a HOSTS file on the Edge server. In the HOSTS file, you will need to create entries (the equivalent of DNS A records) for each of the front-end servers. If you are using DNS load balancing for the internal front-end pool, you need to include an entry for each member of the front-end pool. Between the Edge server and the internal network, on the internal firewall, we recommend a route configuration (not a NAT configuration). Between the Internet and the Edge server, on the Internet-facing firewall, NAT is supported.

4.3 Creating Static Routes From Edge Server to Internal

To get communication from the Edge server back to the internal front-end pool and UM servers, you need to set up static routes on the Edge server, since the Edge server is not aware of the route to these servers (its internal NIC has no default gateway). You need to set up static routes to the internal networks that contain Lync 2013 servers and Unified Messaging servers. Open a command prompt and use route print to see the current routes.

To set a static route, use the route command.

In the above command, I am adding a route to the 10.5.22.0 network (which is my internal network, inside the firewall). 10.5.21.1 is the external IP address of my internal firewall that protects my internal network. The -p flag is important: it makes the route persistent so that it continues to exist even after you reboot the server. If you don't use -p, then you will lose this route once you reboot the server and will be wondering why the Edge server can't communicate with your internal hosts.
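As an added example (not a screenshot or command from the original post), here is the route from the text added persistently and then checked in both the active table and the persistent store, which is the store that survives a reboot. The post does not state the subnet mask, so the /24 (255.255.255.0) below is an assumption.

```powershell
# Added example, not from the original post. Run in an elevated prompt on the
# Edge server. Assumption: the internal network 10.5.22.0 is a /24.
route -p add 10.5.22.0 mask 255.255.255.0 10.5.21.1

# Active routing table: the route must be usable right now.
route -4 print | findstr /C:"10.5.22.0"

# Persistent store: this is what is re-applied after a reboot. If nothing is
# returned here, the -p flag was forgotten and the route will vanish on the
# next restart (the failure described above). route print also lists these
# under its "Persistent Routes:" heading.
Get-NetRoute -DestinationPrefix 10.5.22.0/24 -PolicyStore PersistentStore
```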

4.4 Configure the External NIC

The external NIC needs to support 3 IP addresses, for the Access, Web Conferencing, and AV Conferencing services. These could be on the same NIC, or you could use 3 separate NICs.

The internal and external NICs should be on different VLANs, although in my lab I don't have two separate VLANs. In a production environment, you should set up the internal and external NICs on separate VLANs for security. For the default gateway, in most cases it will be the IP address of the internal leg of the Internet/external firewall. For DNS servers, it depends on whether you have connections to your internal DNS servers. Most companies restrict access from the DMZ to their internal DNS servers, so the DNS servers would need to be external DNS servers.

5 Load Pre-requisites
The Edge server needs some pre-requisites on the server. Run Server Manager.

You need to load Windows Identity Foundation 3.5.


6 Run Topology Builder


Create a new Edge Pool.


You need to define an FQDN for the Edge pool of servers if you have multiple Edge servers. Create a DNS A record for the Edge pool FQDN.


I made a mistake on this screen and entered IP addresses instead of FQDNs. I had to go back and change it. This screen asks for FQDNs, not IP addresses. The following is the screen in Topology Builder that I fixed later.

The next step is to add the Edge servers to the Edge Pool.

This internal FQDN must correspond to the hostname and DNS suffix that we set earlier on the Edge server. You need to create a DNS A record in your internal DNS for this internal FQDN as well. This internal IPv4 address is the IP address that we set on the internal NIC.


These three external IPv4 addresses are the three IP addresses that we set on the external NIC.

This is the public IP address that we'll use for the AV Edge. The 3 external private IP addresses that we set earlier map to 3 public IP addresses. The Topology Builder needs to know the public IP address that corresponds to the AV conferencing connection. Note: NAT for the AV Edge service is not supported with HW load balancing. If you want to NAT the AV Edge service, then you need to use DNS load balancing.


This is the Edge server in the pool.

The next hop should be set to the front-end pool.


7 Take the Configuration to the Edge Server


After you publish the configuration in Topology Builder, you need to export the configuration to a zip file and copy it to the Edge server. Since the Edge server is not domain joined, it can't contact the Central Management Store (CMS) when you first run setup on it. So for the initial load, it gets its configuration from the zip file. After it is configured, it can talk to the CMS to get updates.

Export the config.

Copy it to the Edge server.


8 Run Setup on Lync Edge Server

Select Install or Update Lync Server System.

Select Install Local Configuration Store and press Run.


Specify the file copied earlier. Then select Setup or Remove Lync Server Components and press Run.


9 Creating Certificates on Edge Server


For the external interface, use a public certificate so that everyone trusts it.
- The certificate must be exportable. You need to export it from the first Edge server and import it on all the other Edge servers so that the private key is the same across all of them; the AV conferencing service requires this.
- Certificate Subject Name = Access Edge FQDN (access2013.irvlab.mtcdemos.net), or, if HW load balancing is used, the HW LB VIP FQDN (e.g. access.contoso.com).
- Certificate Subject Alternative Name contains:
  o Access Edge FQDN (access2013.irvlab.mtcdemos.net), or, if HW load balancing is used, the HW LB VIP FQDN (e.g. access.contoso.com). Although this name is in the Subject Name, it is also needed in the SAN, since TLS name matching uses the SAN rather than the Subject Name.
  o SIP domain FQDNs (e.g. sip.irvlab.mtcdemos.net)
  o Web Conferencing Edge FQDN (webcon2013.irvlab.mtcdemos.net)


For the internal interface, you can use a public certificate or one generated on a private Certificate Authority.
- Certificate Subject Name = Internal Edge FQDN or HW LB VIP FQDN. You can also use a wildcard certificate on the Edge internal interface.
- Certificate Subject Alternative Name = none needed.


Make sure to mark the private key as exportable since you will need to export it out of the first Edge server and import it onto all the other Edge servers.
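As an added example (not part of the original post), the following PowerShell check, run on the Edge server, confirms that the external certificate in the local machine store carries the Subject Alternative Names listed above and that its private key is exportable, before you start copying it to the other Edge servers. The FQDNs are the lab names used in this post; locating the certificate by its Subject CN is an assumption.

```powershell
# Added example, not from the original post. Assumptions: the external
# certificate was issued with Subject CN = the Access Edge FQDN and lives in
# Cert:\LocalMachine\My; names below are this post's lab FQDNs.
$accessEdgeFqdn = 'access2013.irvlab.mtcdemos.net'
$requiredSans = @(
    $accessEdgeFqdn,                    # must also be in the SAN, TLS uses the SAN
    'sip.irvlab.mtcdemos.net',          # SIP domain FQDN
    'webcon2013.irvlab.mtcdemos.net'    # Web Conferencing Edge FQDN
)

# Pick the newest certificate whose Subject CN is the Access Edge FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$accessEdgeFqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$accessEdgeFqdn in LocalMachine\My" }

# DnsNameList is the SAN dNSName list as exposed by the Cert: provider (PS 3.0+).
$sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$missing = @($requiredSans | Where-Object { $sans -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Missing SAN entries: " + ($missing -join ', '))
} else {
    Write-Host "All required SAN entries present: $($sans -join ', ')"
}

# The same private key must be imported on every Edge server, so it has to be
# exportable. For CSP-backed keys the flag is on CspKeyContainerInfo.
if (-not $cert.HasPrivateKey) {
    Write-Warning 'No private key is bound to this certificate'
} elseif ($cert.PrivateKey -and -not $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
    Write-Warning 'Private key is NOT exportable; re-request the certificate with an exportable key'
} else {
    Write-Host 'Private key present and exportable'
}
```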


Notice that the wizard is using the Edge pool FQDN (instead of the specific server FQDN, edge2013.irvlab.mtcdemos.net). I can't even change this value in the wizard.


10 Download the Internal Certificate Chain from the Internal Certificate Authority
If you are using an internal CA, download its certificate chain to the Edge server.

Download the certificate chain.

In the Certificates snap-in, import the certificate chain.


Select Download a CA Certificate. After downloading the certificate chain, import it using the Certificates snap-in.


11 Request Internal Certificate


Import the certificate.


I needed to import it through the Certificates snap-in. The Lync import tool didn't work.

Select Assign.


12 Request the External Certificate

Select Request.


Again, remember to mark the private key as exportable. The private key on the edge external leg needs to be the same across all the Edge servers for the AV conferencing service.


I added the FQDNs of the other Edge servers that will be deployed.


Import the certificate from Lync Deployment Wizard.


Import from the Lync wizard failed. Although the wizard said it was successful, I looked in the Certificates snap-in and didn't see it. So, I used the Certificates snap-in to import the certificate.


After importing, you need to assign the certificate to Lync. Press Assign.


Check the Lync services.

Check Windows Updates.
