Beruflich Dokumente
Kultur Dokumente
- part I)
Now we will go a step further and prepare to deploy an Edge server in our lab. To me, in complexity, Edge
is no more complicated than any other role, but looks like many folks are having troubles.
Perhaps the most important (and often omitted) step is to relax, pull back for a moment and think
What is that I want to achieve and what resources I have on hand.
All right, what do we have?
I will deploy my Edge in DMZ. While I dont really have DMZ in my lab and dont have time to build one, I
will place the Edge on the same subnet where the Lync server is, but the presumption is that you will
definitely separate your internal resources from the Big, bad Internet.
I will use two different FQDNs sipint.drago.local for the machine name (SIPINT with domain suffix
applied) and sip.drago.ws for external access.
Because I have only one public IP address available, this is what I will use when configuring the
topology.
edgein.drago.local
sip.drago.ws
sip.drago.ws
sip.drago.ws
10.20.50.5
10.20.50.50 (mapped to xxx.xxx.xxx.xxx); port 5061
10.20.50.50 (mapped to xxx.xxx.xxx.xxx); port 444
10.20.50.50 (mapped to xxx.xxx.xxx.xxx); port 443
***Note that I will use the same Public IP address for all Edge Interfaces, and so, I must be sure the ports
are not overlapping.
Upon completion, I expect to have:
- External access for my users
- Federation with other domains
- IM, Video, Audio and desktop sharing with federated domain uses
Because this is a lab, I do not expect to complete PIC federation (IM and A/V session with MSN network
users).
Preparing the server to host Edge Role
My server is already named EDGEINT.
However, I MUST apply the domain suffix or later the MTLS will fail.
and restart when done. Now the Full Computer Name is FQDN.
Next I will provision the IP addresses on my server, where I will use a public DNS server and add my Lync
FE to the hosts file.
TechNet talks about this update: http://go.microsoft.com/fwlink/?LinkId=205459, but since I user Windows
2008 R2 SP1, the presumption is that the fix have been incorporated in the SP1 and I will sclip this step.
Next we will add our Edge server to the Topology.
Here we use the DMZ IP address which we will later map to Public IP address on our firewall
Lets recap what we have done so far, because this is VERY important and misunderstanding this
ultimately will lead to problems later!
1.
2.
4. ***ALERT*** this is the IP address of the A/V service, where the media will flow later. This is
the major pain point of every deployment where voice problems via the edge are observed.
5.
This is the port via which the Edge will receive Configuration update
6. The next hope for this Edge server. If this server is not functional, our Edge will be pretty
much useless
7. The external FQDN used for External access (port 5061) and Federation (port 5061). This is
my first deployment with single IP address, so we will see how it goes later.
8.
9.
The Edge Access Port (will be used from external Lync clients to sign-in)
This will make all other servers (besides the Edge) aware of the change (new server added).
On the previous step, we added the new Edge to the topology and published it. The assumption is that
our Edge server is on the perimeter network and so, we must export the topology from our FE and
transfer the file to the edge somehow.
Because our Edge is not a member of Domain (i.e. CMS cannot be read, we must point to the .zip file
moved to this server on the previous step.
Have patience SQLExpress installation takes time (good time for trip to the fridge).
Edge server must have two certificates one with the CN = FQDN of the machine, assigned to the
internal interface (edgeint.drago.ws in our example), and one with the FQDN we entered earlier in
topology builder (sip.drago.ws in this case). Note that because we are building our Edge server with ONE
Public IP address only, all three roles will use sip.drago.ws and so, I need certificate for CN =
sip.drago.ws i.e. no SAN is needed.
First, I will create CSR (Certificate Signing Request) for the internal interface. Later I will use it to sign it
from my internal Domain Certificate Authority.
Paste our request in the Saved Request field and select Web Server from Certificate Template list.
***Note that I have already save the Domain Root Certificate. Edge is not a member of domain and so,
the Root CA must be imported manually.
***Note that because we created the CSR, the Private Key is stored locally (we just asked to be signed).
Perform the steps above to generate CSR, have it signed and assign it to the Public interface.
***This certificate must be signed from Public CA in order to have fully functional federation capabilities.
In Lync Control Panel, we will modify the Global External Access Policy:
***Since this is a Lab, I will not enable Communications with Public Users.
Next, I will modify the Access Edge Configuration to enable Federation and Remote
user Access.
Because I modified the Global policies, my two test users are now automatically enabled for External
access and Federation.
I will not cover the networking side this is job for the network admin. However, there are few things to
remember:
1.
We elected to use single public IP address. Because of this, our SRV records must be as follow:
a.
b.
At this point, our external clients will now how to discover our edge and sign in and our partners how to
discover and federate.
Because this all test were successful, lets try to establish IM session with federated partner:
All basic functions on our Edge are now verified and I have to think what would be
the next post...