
The baseline for this deployment is a new Windows Server 2012 R2 installation that is not joined
to any Active Directory domain and is connected to two separate IPv4 networks. These are basic
requirements for an Edge Server and must be met in order to move forward with a successful
deployment.

The network topology of the lab environment used for all the articles in this deployment series
simply consists of two physically separated network segments.

A single firewall with separate network interfaces provides connectivity for each network
segment to the Internet. The two networks do not have access to each other except for any
explicitly defined firewall rules. The rules required to allow communications to and from the
Edge Server across either network are covered in the Edge Pool article which can be used as a
reference. Make sure to open and test the required ports and protocols before attempting to
deploy and start the Edge Server services.

Configure Network Interfaces

The existing server has been prepared with two network interfaces connected to two separate
IPv4 networks.

To allow normal communications, the internal interface would typically have been
configured with the default gateway set to the router's IP address for that segment, and the
external interface would not yet have a default gateway set.

The server cannot have multiple default gateways defined, yet moving the server's default
gateway to the external interface might break communications with hosts on routed internal
networks other than the one it is directly connected to. To prevent this problem, some persistent
static routes are required. This topic is covered in more detail in the Edge Pool deployment
article, which outlines creating up to three new persistent static routes to tell the server to use the
internal router to locate hosts on any of these reserved IP address ranges. This is a normal
practice in environments with multiple routed internal networks but unnecessary in a standalone
lab environment like the one used in this example.

Review the current IPv4 configuration on both the Internal and External interfaces and
configure the default gateways as appropriate.
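The gateway move and the persistent routes described above can be scripted as follows. This is an added example, not part of the original article; the interface aliases and addresses are placeholders, and it assumes the reserved ranges are the three RFC 1918 blocks.

```powershell
# Assumed values for illustration; replace with the real aliases and addresses.
$InternalAlias   = 'Internal'     # assumed alias of the internal interface
$ExternalAlias   = 'External'     # assumed alias of the external interface
$InternalRouter  = '10.0.0.1'     # placeholder: router on the internal segment
$ExternalGateway = '172.16.0.1'   # placeholder: firewall on the external segment

# Assumption: the reserved internal ranges are the three RFC 1918 blocks.
$InternalPrefixes = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'

# 1. Add the internal routes first so routed internal hosts stay reachable once
#    the default gateway moves. New-NetRoute writes to both the active and the
#    persistent store by default, so the routes survive a reboot. The directly
#    connected subnets keep their more specific on-link routes.
foreach ($prefix in $InternalPrefixes) {
    $existing = Get-NetRoute -InterfaceAlias $InternalAlias -DestinationPrefix $prefix `
                             -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetRoute -InterfaceAlias $InternalAlias -DestinationPrefix $prefix `
                     -NextHop $InternalRouter | Out-Null
    }
}

# 2. Remove the default gateway from the internal interface.
Get-NetRoute -InterfaceAlias $InternalAlias -DestinationPrefix '0.0.0.0/0' `
             -ErrorAction SilentlyContinue | Remove-NetRoute -Confirm:$false

# 3. Set the default gateway on the external interface if it is not there yet.
if (-not (Get-NetRoute -InterfaceAlias $ExternalAlias -DestinationPrefix '0.0.0.0/0' `
                       -ErrorAction SilentlyContinue)) {
    New-NetRoute -InterfaceAlias $ExternalAlias -DestinationPrefix '0.0.0.0/0' `
                 -NextHop $ExternalGateway | Out-Null
}

# 4. Verify: exactly one default route, and it points out of the external interface.
$defaults = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' `
                           -ErrorAction SilentlyContinue)
if ($defaults.Count -ne 1 -or $defaults[0].InterfaceAlias -ne $ExternalAlias) {
    Write-Warning 'Expected exactly one default route, on the external interface.'
}
Get-NetRoute -AddressFamily IPv4 | Where-Object { $_.NextHop -ne '0.0.0.0' } |
    Sort-Object DestinationPrefix |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias -AutoSize
```

Run it from the server console rather than over Remote Desktop, since step 2 can drop a remote session that depends on the old gateway.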

If Remote Desktop connectivity is lost after moving the default gateways as shown above, then
connect to the server console and either define a required static route back to the network
where the remote console is or, if that console is actually in the External network, check
the firewall configuration to allow remote desktop connections to the external interface. Clearly
this is safe in a lab environment, but if the Edge server's external interface is to be routed to the
Internet then a different approach may be advisable.

Configure Computer Name

As covered in the other article it is critical to set the proper Fully Qualified Domain Name
(FQDN) on this server so that the server component installation will function correctly. This is a
commonly missed step that leads to troubleshooting installation issues further down the line.

View the server's System Properties and use the More button under the Computer name field
to access the following window. Enter the same DNS domain and suffix used by the
internal SfB Front End server so that the Edge Server is configured with an FQDN.
Reboot the server to apply the new computer name.

Add Server Features

The Windows 2012 R2 operating system used on these servers already includes some of the
required components by default (like PowerShell 3.0), and as the Edge server does not contain any
web service components, IIS subcomponents will not be installed on these servers.

If the server does not have Internet connectivity then mount the Windows Server 2012
installation media on the server to an available drive letter as some of the components to
be installed will need to be read from the installation media as provided by the Source
parameter in the following cmdlet (e.g. D:\sources\sxs).

Launch Windows PowerShell by selecting Run As Administrator and enter the
following cmdlet to quickly install the .NET Framework package, the Remote Server
Administrative Tools, and all additional prerequisites followed immediately by a required
server reboot. (The Telnet client is also installed as it is helpful for testing/troubleshooting
port connectivity issues with the Edge server.)

Add-WindowsFeature RSAT-ADDS, NET-Framework-Core, NET-Framework-45-Core, NET-Framework-45-ASPNET, Web-Net-Ext45, NET-WCF-HTTP-Activation45, Windows-Identity-Foundation, Telnet-Client -Source D:\sources\sxs

Once the installation is complete a restart will not typically be required, but if prompted
to do so then reboot before moving on to the next step.

Windows Updates

Before installing any SfB components make sure to apply the most recent Windows Updates,
with one notable exception: do not install the Microsoft .NET Framework 4.6.1 package as this is
not currently supported by Microsoft.

Run Windows Update and hide the package for Microsoft .NET Framework
4.6.1 for Windows Server 2012 R2 for x64 (KB3102467). Install any other
pending recommended updates.
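The preparation steps so far (no domain membership, two IPv4 interfaces, a full FQDN, the listed features, no .NET Framework 4.6.1) can be verified in one pass before any SfB component is installed. This read-only check is an added example, not part of the original article.

```powershell
# Added example: read-only prerequisite checks, nothing is changed on the server.
$failures = @()

# Edge Servers must not be members of an Active Directory domain.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    $failures += 'Server is joined to an Active Directory domain.'
}

# A primary DNS suffix must be set so that the host has a full FQDN.
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
if ([string]::IsNullOrEmpty($ipProps.DomainName)) {
    $failures += "No primary DNS suffix: host name is only '$($ipProps.HostName)'."
}

# Two interfaces with IPv4 addresses are required (internal and external).
$ipv4 = @(Get-NetIPConfiguration | Where-Object { $_.IPv4Address })
if ($ipv4.Count -lt 2) {
    $failures += "Only $($ipv4.Count) interface(s) with an IPv4 address."
}

# Features installed by the Add-WindowsFeature command above.
$features = 'RSAT-ADDS', 'NET-Framework-Core', 'NET-Framework-45-Core',
            'NET-Framework-45-ASPNET', 'Web-Net-Ext45', 'NET-WCF-HTTP-Activation45',
            'Windows-Identity-Foundation', 'Telnet-Client'
Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed } |
    ForEach-Object { $failures += "Feature not installed: $($_.Name)" }

# .NET Framework 4.6.1 (KB3102467) must not be present. Release 394271 is the
# registry value 4.6.1 reports on operating systems other than Windows 10.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                        -Name Release -ErrorAction SilentlyContinue
if ($ndp -and $ndp.Release -eq 394271) {
    $failures += '.NET Framework 4.6.1 (KB3102467) is installed.'
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
} else {
    'All Edge Server prerequisites checked here are in place.'
}
```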

Configuration

This section covers updating the SfB Topology and access policies to enable both the
deployment of the Edge Server and its functionality.

Define Edge Pool

Open the Skype for Business Server Topology Builder tool on the existing SfB Front End
server, then download and save the current topology to a text file.

Navigate to the desired site, expand the Skype for Business 2015 container, highlight
Edge Pools and then select the New Edge Pool action.

Enter the desired Pool FQDN (e.g. edge.jdskype.net) and then select the option
for This pool has one server.

On the Enable Federation window select the desired options, in this case only the Enable
Federation option is addressed. The Skype Search and XMPP options can be enabled
now or later if so desired.

Select the option to Use a single FQDN and IP address.


For this deployment only IPv4 addresses will be utilized, and for any Internet access
Network Address Translation (NAT) will need to be used, as the Edge server's external
interface has a private IP address bound directly to it.

In the External FQDNs window the wizard will populate the suggested ports due to
selecting the single FQDN and IP address option earlier.

Leave the suggested ports as these are typically the best options available. The Access Edge
service will collocate external client and federation traffic on the same port (5061) and it is
recommended to leave 443 assigned to the critical A/V Edge role to provide the best chance of
successfully negotiating media sessions. The assigned FQDN is typically
sip.<sipdomain> but in this lab environment a different FQDN is used to avoid potential
overlap with the internal sip record. While any name can be used, the sipexternal FQDN is one
of the legacy Host (A) lookup records used by many clients and IP phones, so it was selected
primarily for that reason.

At the Define the computers in this pool window click Add to launch the Add server to
Edge pool wizard.

Enter the Internal IPv4 address that is assigned to the internal interface.

Enter the External IPv4 address in the proper field for each service and then click
Finish.

Enter the Public IPv4 address for the A/V Edge service which will be translated to the
server's actual external IP address. This NAT configuration would be handled by the
firewall depicted in the original diagram and is not addressed in this article.

Select the desired Next hop pool from the drop-down menu (e.g. fe.jdskype.net).

At the Associate Front End or Mediation Pools step select the desired Front End server or
pool, which in most cases is the same as what was just selected in the previous step (e.g.
fe.jdskype.net).

Publish Topology

Now that the new pool has been created the next step is to save and publish these changes to the
Central Management Store.

In Topology Builder expand the newly created Edge Pool and double-check the
configuration on the pool and each computer object to make sure there are no mistakes.

From the Action menu select Topology > Publish to launch the Publish Topology
wizard. If all goes as planned then the result should be reported as successful on all
steps.

Enable External Access

While the majority of the environment preparation is handled in the topology, this is a critical
step which must be performed before any external communications will be allowed. The three
major types of communications supported by the Access Edge service are Remote User Access,
Federated User Access, and Public Provider Access. To enable one or more of these features
follow these example steps.

Only remote user access will be enabled in this article. For reference the Edge Pool deployment
article discusses the other external communication types.

Using the Skype for Business Server Control Panel browse to the Federation and
External Access section.

Under the External Access Policy page open the default Global policy and check the
Enable communications with remote users option and save the changes to the policy.

Under the Access Edge Configuration page open the default Global configuration and
check the Enable remote user access option and save the changes to the configuration.

Export Topology

As briefly discussed earlier the Edge server deployment will require that the SfB topology data is
manually exported and imported on the Edge servers which do not have the ability to locate and
download this configuration information automatically.

Using the Skype for Business Management Shell run the following
Export-CsConfiguration cmdlet to export the topology data. (This file will be retrieved
in a later deployment step.)

Export-CsConfiguration -FileName c:\temp\topo.zip

Install Server Components

The steps in this section address the installation of the actual SfB Server components using the
deployment wizard. These steps can be performed on both servers simultaneously or one after
another.

Mount the Skype for Business Server 2015 installation media on the first Edge server and
then open the mounted drive to trigger autoplay of the deployment wizard.

The deployment wizard will automatically (if needed) install Visual C++ 2013.
When that package installation is complete then select the option at the next window to
skip checking for any updates. Leave the default Installation Location. Click Install to
advance.

Accept the licensing agreement and then wait while the deployment wizard automatically
installs the Core Components.

Once the main screen appears select the option to Install or Update Skype for Business
Server System.

On the Install or update member system window click Run on Step 1: Install Local
Configuration Store.

The next window will be limited to a single option because this server is not a member of
any Active Directory domain. Browse to the location where the exported topology file
(e.g. topo.zip) was copied to in the previous section and click Next.

The local configuration store installation process will begin immediately by loading the local
installation files and then performing a check against the various prerequisite components
currently installed on the server. Assuming none of the prerequisites are missing and no
problems occur with the installation of the SQL Express components then after some time that
Task Status should be reported as Completed.

Return to the Install or update member system window and click Run on Step 2: Setup
or Remove Skype for Business Server Components.

This concludes the server components installation process and all that remains is to import and
assign the SSL certificates before the individual services can be started and tested.

Assign Certificates

The separate internal and external certificates that were created earlier in this article can now
easily be imported into the server and assigned to the proper roles.

Click Run on Step 3: Request, Install, or Assign Certificates to launch the Certificate
Wizard.

Click the Import Certificate button and then enter the location of and the password for
the export file which was already copied to the Edge server in an earlier section.

On the Import Certificate Summary page confirm that the Contains Private Key value is
displayed as True, indicating that the import file is a complete certificate, and then click
Next to complete the process.

On the Certificate Wizard home page highlight the Edge internal row and click Assign.
Select the desired certificate (e.g. Edge Internal Cert) and click Next.

On the summary page verify that the desired Certificate Use matches up with the correct
certificate as identified by the Friendly Name and Subject Name fields.

Finish the wizard to assign the certificate to the internal Edge service.

Repeat all steps above in this section, but this time select the External Edge certificate.

The Certificate Wizard should now indicate that the chosen certificates have been assigned to the
appropriate roles, as indicated by the green checkmarks.
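The wizard's summary pages can be cross-checked from PowerShell: private key present, validity dates, the expected FQDN in the subject or SAN, and a chain that builds to a trusted root. This is an added example, not part of the original article; the external friendly name, the external FQDN and the 30-day expiry threshold are assumptions.

```powershell
# Added example. Friendly names and FQDNs are lab placeholders; adjust as needed.
$expected = @{
    'Edge Internal Cert' = 'edge.jdskype.net'         # example names used in this article
    'Edge External Cert' = 'sipexternal.example.com'  # assumed friendly name, placeholder FQDN
}
$warnDays = 30   # assumed threshold for the expiry warning

foreach ($name in $expected.Keys) {
    $fqdn  = $expected[$name]
    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
               Where-Object { $_.FriendlyName -eq $name })
    if ($certs.Count -ne 1) {
        Write-Warning "${name}: expected 1 certificate, found $($certs.Count)."
        continue
    }
    $cert     = $certs[0]
    $problems = @()

    # Same condition as "Contains Private Key = True" in the import summary.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    if ($cert.NotBefore -gt (Get-Date)) { $problems += 'not yet valid' }
    if ($cert.NotAfter -lt (Get-Date).AddDays($warnDays)) {
        $problems += "expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    }

    # DnsNameList holds the subject common name plus the SAN DNS entries.
    $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($dnsNames -notcontains $fqdn) { $problems += "$fqdn not in subject or SAN" }

    # Build the chain without revocation lookups so the check also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    if ($problems) { Write-Warning "${name} ($($cert.Thumbprint)): $($problems -join '; ')" }
    else           { "${name} ($($cert.Thumbprint)): OK" }
}

# Which thumbprint is assigned to which Edge role (Skype for Business cmdlet).
Get-CsCertificate | Format-Table Use, Thumbprint -AutoSize
```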

Start Services

The final step is to start the SfB Edge Server services. The new Start-CsPool cmdlet provided in
SfB Server 2015 only applies to Front End pools and cannot be used with Edge Servers. Thus
the services can either be started manually or the server can be rebooted to leverage the
automatic startup procedure.

Restart the Edge server and when it comes back online monitor the status of the
individual services to validate that all have started successfully.
