Title: Building a Lync 2013 Edge Pool
Created: 3/3/2013
Description: One of my teammates was asking how to build the Lync Edge infrastructure. In this post, we'll walk through the build of a Lync 2013 Edge Server. The Edge Server provides the following capabilities:
- External access from the Internet to the Lync capabilities for your users.
- Federation with other companies running Office Communications Server or Lync, so that you can use Lync capabilities with other companies running these technologies.
- Federation with users on public IM clouds (e.g. AOL).
- Federation with users on XMPP clouds (e.g. GoogleTalk).
- Access to web conferences from external users. Lync provides web conferencing and allows participants to join who aren't even on Lync; they can join via a new Lync web access (LWA) client.
Below is a diagram of a typical Lync environment with Lync Edge servers.
References:
- Lync 2013 Planning Tool: http://www.microsoft.com/en-us/download/details.aspx?id=36823
- Deploying External User Access: http://technet.microsoft.com/en-us/library/gg398918.aspx
- Lync 2013 Planning Documentation: http://technet.microsoft.com/en-us/library/gg398447.aspx
- Deploying Lync Server 2013: http://technet.microsoft.com/en-us/library/gg412892.aspx
- Preparing the Infrastructure and Systems: http://technet.microsoft.com/en-us/library/gg398205.aspx
- Server and Tools Operating System Support: http://technet.microsoft.com/en-us/library/gg412883.aspx
- Managing Lync Server 2013 Disaster Recovery, High Availability, and Backup Service: http://technet.microsoft.com/en-us/library/jj721939.aspx
- Planning for Central Site Voice Resiliency: http://technet.microsoft.com/en-us/library/gg398347.aspx
Disclaimer: Contents of this blog and article represent the opinions of Dean Suzuki, and do not reflect the views of my employer. (C) 2012 Dean Suzuki, All Rights Reserved
Procedure:
Table of Contents
1 Planning Your Edge Architecture with the Lync Planning Tool
2 Build a VM for the Lync Edge server
3 Name the Server and Set DNS Suffix
4 Setup Networking
  4.1 Configure the Internal NIC
  4.2 Host File Or DNS
  4.3 Creating Static Routes From Edge Server to Internal
  4.4 Configure the External NIC
5 Load Pre-requisites
6 Run Topology Builder
7 Take the Configuration to the Edge Server
8 Run Setup on Lync Edge Server
9 Creating Certificates on Edge Server
10 Download the Internal Certificate Chain from the Internal Certificate Authority
11 Request Internal Certificate
12 Request the External Certificate
1 Planning Your Edge Architecture with the Lync Planning Tool
The Planning Tool helps you understand what you need and simplifies the complexity. Below is a sample picture of a Lync Edge architecture:
Note that there are 4 different subnets in the above picture:
- Internet (131.107.155.x)
- External leg of Edge server (10.45.16.x)
- Internal leg of Edge server (172.25.33.x)
- Internal network (192.168.21.x)
This is the standard best practice layout. Note that you can double-click the IP addresses used by the tool and enter your network subnets. You can also change the DNS FQDN hostnames to match your design. In addition, the tool outputs the DNS records, certificates, and firewall ports that need to be configured. Go to the Edge Admin Report
Note that there are tabs covering certificates, firewall, and DNS records.
3 Name the Server and Set DNS Suffix
Deploy the Edge server in a workgroup. You need to set the DNS suffix of the Edge server. This is normally set when you join the machine to a domain, but this machine won't be joined to the domain. Topology Builder uses the FQDN of the Edge server, so that FQDN must match the hostname and DNS suffix that you are setting here.
4 Setup Networking
The Edge server needs at least 2 physical NICs.
Rename the NICs so that it's easy to identify the internal and external NIC.
To get communication from the Edge server back to the internal Front End pool and UM servers, you need to set up static routes on the Edge server, since the Edge server is not aware of the route to these servers. Set up a static route to every internal network that contains Lync 2013 servers or Unified Messaging servers. Open a command prompt and use route print to see the current routes.
In the above command, I am adding a route to the 10.5.22.0 network (which is my internal network, inside the firewall). 10.5.21.1 is the external IP address of my internal firewall that protects my internal network. The -p switch is important: it makes the route persistent so that it continues to exist even after you reboot the server. If you don't use -p, you will lose this route once you reboot the server and will be wondering why the Edge server can't communicate with your internal hosts.
The external NIC needs to support 3 IP addresses, one each for the Access, Web Conferencing and A/V Conferencing services. These could be on the same NIC, or you could use 3 separate NICs.
The internal and external NICs should be on different VLANs. In my lab, I don't have two separate VLANs, but in a production environment you should set up the internal and external NICs on separate VLANs for security. The default gateway will in most cases be the IP address of the internal leg of the Internet/external firewall. For DNS servers, it depends on whether you have connections to your internal DNS servers. Most companies restrict access from the DMZ to their internal DNS servers, so the DNS servers would need to be external DNS servers.
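The whole Setup Networking section (rename the NICs, internal NIC, persistent static routes, external NIC with three addresses) as one PowerShell script. This is an added example, not code from the original post. It assumes Windows Server 2012 for the NetAdapter/NetTCPIP cmdlets (on Windows Server 2008 R2 use netsh for the IP settings; route.exe behaves the same on both). Only the 10.5.22.0 internal network and the 10.5.21.1 internal-firewall address come from the post; the /24 prefix, every other address, the adapter names and the Front End address used in the final check are constructed placeholders.

```powershell
# Added example (not from the original post): Edge server network setup.
# Assumes Windows Server 2012. Only 10.5.22.0 and 10.5.21.1 come from the post;
# all other addresses, prefix lengths and adapter names are placeholders.

$ErrorActionPreference = 'Stop'

# Rename the NICs so the internal and external legs are easy to tell apart.
# 'Ethernet' and 'Ethernet 2' are the default names on a fresh VM (placeholders).
Rename-NetAdapter -Name 'Ethernet'   -NewName 'Internal'
Rename-NetAdapter -Name 'Ethernet 2' -NewName 'External'

# 4.1 Internal NIC: static address and NO default gateway. Internal subnets are
#     reached through the static routes below, not through a gateway here.
Set-NetIPInterface -InterfaceAlias 'Internal' -Dhcp Disabled
New-NetIPAddress -InterfaceAlias 'Internal' -IPAddress '10.5.21.10' -PrefixLength 24 | Out-Null

# 4.3 Persistent static routes to every internal subnet that hosts Lync 2013 or
#     Unified Messaging servers, via the internal firewall. -p stores the route
#     in the registry; without it the route is gone after the next reboot.
$internalSubnets  = @('10.5.22.0')   # from the post; add your other internal subnets
$internalFirewall = '10.5.21.1'      # from the post: external address of the internal firewall
foreach ($subnet in $internalSubnets) {
    route.exe -p add $subnet mask 255.255.255.0 $internalFirewall | Out-Null   # /24 assumed
}

# 4.4 External NIC: three addresses (Access, Web Conferencing, A/V Edge) on one
#     adapter, the DMZ firewall as default gateway, and external DNS servers,
#     because the DMZ is normally not allowed to reach internal DNS.
$externalAddresses = @('10.45.16.11', '10.45.16.12', '10.45.16.13')  # placeholders
$dmzGateway        = '10.45.16.1'                                     # placeholder
$externalDns       = @('203.0.113.53', '203.0.113.54')                # placeholders
Set-NetIPInterface -InterfaceAlias 'External' -Dhcp Disabled
New-NetIPAddress -InterfaceAlias 'External' -IPAddress $externalAddresses[0] -PrefixLength 24 -DefaultGateway $dmzGateway | Out-Null
foreach ($ip in $externalAddresses[1..2]) {
    New-NetIPAddress -InterfaceAlias 'External' -IPAddress $ip -PrefixLength 24 | Out-Null
}
Set-DnsClientServerAddress -InterfaceAlias 'External' -ServerAddresses $externalDns

# Verify: the route is listed under "Persistent Routes", the routing table has it,
# and a Front End server answers on 5061/TCP, the SIP/MTLS port the Edge uses.
route.exe print -4 | Select-String -Pattern 'Persistent Routes' -Context 0, 4
Get-NetRoute -DestinationPrefix '10.5.22.0/24' | Format-Table DestinationPrefix, NextHop, InterfaceAlias -AutoSize
$frontEnd = '10.5.22.20'   # placeholder Front End pool member
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($frontEnd, 5061); Write-Output "TCP 5061 to $frontEnd is open" }
catch   { Write-Warning "TCP 5061 to $frontEnd failed: $($_.Exception.Message)" }
finally { $tcp.Close() }
```

Run it from an elevated PowerShell on the Edge server before Topology Builder is touched; if the final TCP check fails, look at the internal firewall rule between the Edge internal leg and the Front End pool before suspecting Lync itself.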
5 Load Pre-requisites
The Edge server has some prerequisites that need to be installed. Run Server Manager.
6 Run Topology Builder
If you have multiple Edge servers, you need to define an FQDN for the Edge pool. Create a DNS A record for the Edge pool FQDN.
I made a mistake on this screen and entered IP addresses instead of FQDNs. I had to go back and change it. This screen asks for FQDNs, not IP addresses. The following is the screen in Topology Builder that I fixed later.
The next step is to add the Edge servers to the Edge Pool.
This internal FQDN must correspond to the hostname and DNS suffix that we set earlier on the Edge server. You also need to create a DNS A record in your internal DNS for this internal FQDN. This internal IPv4 address is the IP address that we set on the internal NIC.
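A pre-flight check for the two requirements stated in section 3 and here: the Edge server's own FQDN (hostname plus DNS suffix) must equal the FQDN entered in Topology Builder, and both the Edge pool FQDN and this server's internal FQDN must have A records in internal DNS pointing at the internal NIC. This is an added example, not code from the original post. It assumes Windows Server 2012 (Resolve-DnsName from the DnsClient module). The pool FQDN, the internal NIC address and the DNS server address are constructed placeholders; edge2013.irvlab.mtcdemos.net is the server FQDN the post mentions.

```powershell
# Added example (not from the original post): verify Edge FQDN and internal DNS
# records before running the Lync Setup. Assumes Windows Server 2012.

$expectedServerFqdn = 'edge2013.irvlab.mtcdemos.net'   # server FQDN named in the post
$expectedPoolFqdn   = 'edgepool.irvlab.mtcdemos.net'   # placeholder Edge pool FQDN
$internalNicAddress = '10.5.21.10'                     # placeholder internal leg address
$internalDnsServer  = '10.5.22.53'                     # placeholder internal DNS server

# A workgroup machine takes its primary DNS suffix from the Tcpip parameters key;
# 'NV Domain' is the value that the System Properties dialog writes.
$tcpip      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$suffix     = (Get-ItemProperty -Path $tcpip -Name 'NV Domain').'NV Domain'
$actualFqdn = "$env:COMPUTERNAME.$suffix".ToLower()

$ok = $true
if ($actualFqdn -ne $expectedServerFqdn.ToLower()) {
    Write-Warning "Local FQDN is '$actualFqdn' but Topology Builder expects '$expectedServerFqdn'; fix the hostname or DNS suffix before running Setup."
    $ok = $false
}

# Each FQDN must resolve, on the internal DNS server, to an A record set that
# includes the internal NIC address (the pool FQDN lists every Edge server).
foreach ($fqdn in @($expectedServerFqdn, $expectedPoolFqdn)) {
    try {
        $records = Resolve-DnsName -Name $fqdn -Type A -Server $internalDnsServer -ErrorAction Stop |
                   Where-Object { $_.QueryType -eq 'A' }
    } catch {
        Write-Warning "No A record for $fqdn on ${internalDnsServer}: $($_.Exception.Message)"
        $ok = $false
        continue
    }
    $addresses = @($records | ForEach-Object { $_.IPAddress })
    if ($addresses -notcontains $internalNicAddress) {
        Write-Warning "$fqdn resolves to $($addresses -join ', '), not to the internal NIC ($internalNicAddress)."
        $ok = $false
    } else {
        Write-Output "$fqdn -> $($addresses -join ', ') OK"
    }
}
if ($ok) { Write-Output 'Edge FQDN and internal DNS records are consistent with the topology.' }
```

If the DMZ is not allowed to query internal DNS (the usual case, as section 4.4 notes), run the Resolve-DnsName part from an internal host instead, or maintain the same names in the Edge server's hosts file as section 4.2 allows; the FQDN-versus-suffix check must still run on the Edge server itself.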
These three external IPv4 addresses are the three IP addresses that we set on the external NIC.
This is the public IP address that we'll use for the A/V Edge. The 3 external private IP addresses that we set earlier will each map to a public IP address, 3 public IP addresses in total. Topology Builder needs to know the public IP address that corresponds to the A/V Conferencing connection. Note: NAT for the A/V Edge service is not supported with HW load balancing. If you want to NAT the A/V Edge service, then you need to use DNS load balancing.
Specify the file copied earlier. Select Setup or Remove Lync Server Components and press Run.
9 Creating Certificates on Edge Server
For the internal interface:
- You can use a public certificate or one generated on a private Certificate Authority.
- Certificate Subject Name = Internal Edge FQDN or HW LB VIP FQDN. You can also use a wildcard certificate on the Edge internal interface.
- Certificate Subject Alternative Name = none needed.
Make sure to mark the private key as exportable since you will need to export it out of the first Edge server and import it onto all the other Edge servers.
Notice that the wizard is using the Edge pool FQDN (instead of the specific server FQDN, edge2013.irvlab.mtcdemos.net). I can't even change this value in the wizard.
10 Download the Internal Certificate Chain from the Internal Certificate Authority
If you are using an internal CA, download its certificate chain to the Edge server, then import the chain using the Certificates snap-in.
Select Download a CA Certificate. After downloading the certificate chain, import it with the Certificates snap-in.
Import certificate
Needed to import through the Certificates snap-in. The Lync import tool didn't work.
Select Assign
Select Request
Again, remember to mark the private key as exportable. The private key on the Edge external leg needs to be the same across all the Edge servers for the A/V Conferencing service.
I added the FQDNs of the other Edge servers that will be deployed.
Import from the Lync wizard failed. Although the wizard said it was successful, I looked at the Certificates snap-in and didn't see it. So, I used the Certificates snap-in to import the certificate.
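The certificate handling from sections 10 through 12 (trust the internal CA, check that the first Edge server's external certificate has an exportable private key, export it, import it on the other pool members with the key still exportable, assign it, and confirm every server ends up with the same A/V Edge certificate) done from PowerShell instead of the snap-in. This is an added example, not code from the original post. It assumes Windows Server 2012 (PKI module: Import-Certificate, Export-PfxCertificate, Import-PfxCertificate) and the Lync Server 2013 Management Shell on each Edge server. All file paths, subject names and the password prompt are placeholders, and the Set-CsCertificate -Type role names are an assumption to confirm with Get-Help Set-CsCertificate on your own installation.

```powershell
# Added example (not from the original post): Edge pool certificate handling.
# Assumes Windows Server 2012 PKI cmdlets and the Lync Server 2013 Management
# Shell. Paths, subjects and Set-CsCertificate -Type role names are assumptions.

$ErrorActionPreference = 'Stop'

# Section 10: trust the internal CA. The root certificate goes into the machine
# Trusted Root store; an intermediate from the chain goes into the CA store.
function Import-InternalCaChain {
    param([string]$RootCerPath, [string]$IntermediateCerPath)
    Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    if ($IntermediateCerPath) {
        Import-Certificate -FilePath $IntermediateCerPath -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null
    }
}

# First Edge server: find the external certificate by subject, refuse to continue
# if its private key was not marked exportable (the other pool members need the
# same key for the A/V Edge service), export it as a PFX, return the thumbprint.
function Export-EdgeExternalCertificate {
    param([string]$Subject, [string]$PfxPath, [SecureString]$Password)
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
            Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $Subject in LocalMachine\My." }
    # CAPI keys expose exportability here; a CNG key has no PrivateKey property and
    # would instead fail inside Export-PfxCertificate if it is not exportable.
    if ($cert.PrivateKey -and -not $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
        throw "Private key of $($cert.Thumbprint) is not exportable; re-request it with 'mark private key as exportable'."
    }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    return $cert.Thumbprint
}

# Every other Edge server: import the copied PFX, again keeping the key exportable.
# Unlike the wizard import the post describes, the cmdlet returns the imported
# certificate (or throws), so a failed import cannot pass silently.
function Import-EdgeExternalCertificate {
    param([string]$PfxPath, [SecureString]$Password)
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $Password -Exportable
    return $cert.Thumbprint
}

# Each Edge server: assign the certificate to the three external roles (the
# wizard's Assign step) and confirm the A/V role really carries that thumbprint.
function Set-EdgeExternalRoles {
    param([string]$Thumbprint)
    Set-CsCertificate -Type AccessEdgeExternal, DataEdgeExternal, AudioVideoAuthentication -Thumbprint $Thumbprint
    $assigned = (Get-CsCertificate -Type AudioVideoAuthentication).Thumbprint
    if ($assigned -ne $Thumbprint) { throw "A/V Edge certificate is $assigned, expected $Thumbprint." }
    Write-Output "A/V Edge certificate $assigned assigned on $env:COMPUTERNAME."
}

# Usage (all values are placeholders).
Import-InternalCaChain -RootCerPath 'C:\Certs\internal-root-ca.cer'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
# On the first Edge server:
$thumb = Export-EdgeExternalCertificate -Subject 'CN=sip.example.com' -PfxPath 'C:\Certs\edge-external.pfx' -Password $pfxPassword
Set-EdgeExternalRoles -Thumbprint $thumb
# On each additional Edge server, after copying the PFX there out of band:
#   $thumb = Import-EdgeExternalCertificate -PfxPath 'C:\Certs\edge-external.pfx' -Password $pfxPassword
#   Set-EdgeExternalRoles -Thumbprint $thumb
```

Compare the thumbprint printed by Set-EdgeExternalRoles on every pool member; they must be identical, which is the practical test of the "same private key across all Edge servers" requirement. Delete the PFX from every server once the imports are done, since it contains the private key.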