Hello All
Part 4 of the 6 part series on how to install and configure a fully functional Lync 2013 enterprise edition deployment.
Please check out the other parts at the links below
Following on from the above links to my complete Lync 2013 installation guide, below are the details on how to set up a Lync 2013 edge server for federation and remote access. PART 5
Info for your understanding
– My edge server is built on Windows 2012 and will be called Lync2013edge
– I WON'T be using NAT in this lab.
– Internal server IP address 10.37.129.4
– I will be using 3 external IP addresses
10.37.129.4
89.114.67.110
89.114.67.111
89.114.67.112
External names
– sip.northernlync.co.uk
– wc.northernlync.co.uk
– av.northernlync.co.uk
Edge Server PreReqs
– .NET 4.5 from the Windows 2012 Roles and Features
– PowerShell 3.0 (part of Windows 2012 Server)
– Windows Foundation Feature http://go.microsoft.com/fwlink/p/?linkId=204657
– A copy of the Lync 2013 installation files, copied locally to the edge server.
Note: as part of this installation the edge server sits within my DMZ and is not joined to the northernlync.local internal domain. We need to do a few things to prep the server ready for the edge install.
Prep 1
Adding the DNS suffix to the edge server even though it's part of a workgroup.
Go to the server properties and add the name of your server, then select 'More' and add the DNS suffix of your internal domain. In this lab's case that's northernlync.local.
Once you've rebooted your server, and also copied the Lync 2013 media locally, you are set to start the installation.
What we will do next is add the edge information into the Lync 2013 topology.
————————————————————————————————————————————————————————————————————————————————————————
Lync 2013 Topology Update
OK, so let's move on to the update requirements within the topology.
Firstly open up your topology on your Lync 2013 front end. (I won't screenshot how to open the topology and then download/save it, as I would expect you to know this by now.)
Adding your edge server to your topology
Firstly navigate down your topology site and right-click on the 'New Edge Pool' option.
Once you've right-clicked, click Next through the first welcome page until you get to the page where you add the information about your edge server.
On the next page you have a few options.
- Use a single FQDN and IP address
- Enable Federation 5061
- Enable XMPP Federation
For this lab, and I guess for the majority of Lync installations, you would only have to select one option, which would be 'Enable Federation 5061'.
On the next dialog page you have the options for NAT and for using IPv6.
For this lab we won't be using NAT or IPv6, therefore I will be accepting the defaults.
Next is to add the information about your external FQDN names.
(To recap: my internal domain is northernlync.local and my external domain name is northernlync.co.uk.)
Once you've added your names, press Next.
If you are using NAT, at the next screen you will be asked to add the internal NAT'd IP address.
In our case, as we will not be using NAT, we are prompted to add the internal IP address. Once you've done this press Next.
Now add your external IP addresses for each area required, then press Next.
Select your next hop Lync 2013 pool from the drop-down and press Next.
Then select the pool to associate with the edge server for connectivity. This is usually the same pool as your next hop pool from the previous page.
Then click Finish.
Then publish your topology.
Now we are almost finished on the Lync front end. The last item we need to do is copy the CMS configuration over to the edge server so it can be populated.
Using the command below, export a copy of the configuration and move it over to your edge server (run it in the Lync Server Management Shell on the front end):
Export-CsConfiguration -FileName C:\topology_export.zip
Now copy that .zip file to the edge server.
We are now finished with the topology on the front end.
While we are still on FE01, let's add the required permissions in the control panel for edge enablement.
————————————————————————————————————————————————————————————————————————————————————————
Adding permissions into the Lync Control Panel
Once you're in the control panel, select the 'Federation and External Access' tab on the left pane.
Double-click or select the Global option, then select the options you want.
In our lab demo I'm selecting federation, remote access and PIC.
Also, depending on the configuration you require (e.g. open federation), you will need to configure the other tabs within the control panel.
For this demo we are going to allow open federation.
We are finished here; we are allowing open federation throughout our demo lab edge setup.
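The same control panel settings can be applied and, more usefully, read back for checking from the Lync Server Management Shell. The block below is an added example, not the post's own steps; it assumes you run it on the front end with the Lync 2013 admin tools installed, and that the Global external access policy and the edge configuration are the objects the control panel edits (which is the case for the 'Federation and External Access' tab).

```powershell
# Added example: Management Shell equivalent of the control panel settings above
# (federation, remote access, PIC and open federation). Run in the Lync Server Management Shell on the front end.

# 1. Global external access policy: remote (outside) users, federation and public IM connectivity (PIC).
Set-CsExternalAccessPolicy -Identity Global `
    -EnableOutsideAccess $true `
    -EnableFederationAccess $true `
    -EnablePublicCloudAccess $true

# 2. Access edge configuration: allow federated and remote users, and enable partner discovery.
#    Partner discovery is what the control panel calls "open federation": any domain with a matching
#    DNS SRV record is accepted as a federation partner without being listed explicitly.
Set-CsAccessEdgeConfiguration `
    -AllowFederatedUsers $true `
    -AllowOutsideUsers $true `
    -EnablePartnerDiscovery $true

# 3. Read the settings back so the change can be checked (and recorded) before the CMS replicates to the edge.
Get-CsExternalAccessPolicy -Identity Global |
    Select-Object Identity, EnableOutsideAccess, EnableFederationAccess, EnablePublicCloudAccess
Get-CsAccessEdgeConfiguration |
    Select-Object AllowFederatedUsers, AllowOutsideUsers, EnablePartnerDiscovery
```

Open federation is the right choice for a lab like this one. Where a production deployment only needs a known set of partners, the tighter alternative is to leave -EnablePartnerDiscovery at $false and list each partner with New-CsAllowedDomain (a real cmdlet; the partner domain you pass it is of course your own value), so that the edge only accepts federation from domains you have explicitly approved.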
————————————————————————————————————————————————————————————————————————————————————————
Running the installation on the Lync edge server to add the required components
Run the setup as you normally would and get to the deployment wizard panel,
then select the 'Install or Update Lync Server System' option.
Then select and complete step 1, and select the .zip file for the CS configuration when prompted.
Now that this has finished successfully, run step 2 and click Next.
Now run step 3. Arrange for your internal certificate to be prepared offline, as we don't have access to the internal CA: our edge server is not within that domain.
Provide a location for the .txt file (the offline certificate request).
Click Next through the next screen, then give your cert a friendly name. In our case I'm going to call it Lync2013Edge. (There is no need to mark it exportable, as we are using a single edge server.)
Now give it your company name and location, then click Next.
Ensure your subject name is your Lync server name, then select Next.
On the next page we don't require any additional subject names, so proceed to select Next.
Then Next, check your information, then again select Next.
You will then get a .txt file like the one below.
At this point run this request through your CA web portal, then assign the certificate.
—– Public Cert
Now do the same with the public cert, then pass the request to your public CA, i.e. GoDaddy, Comodo etc.
Then assign the public certificate.
Now start the services and test!
Useful tips and tools for edge
Check the replication status: you can validate the replication of configuration information to the edge by running the Windows PowerShell Get-CsManagementStoreReplicationStatus cmdlet on the internal computer on which the Central Management store is located.
Remote Connectivity Analyzer https://www.testexchangeconnectivity.com
Thank you for looking. I hope the above makes sense and provides you with a functional edge topology.
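As an added example (not from the original post), here is how that replication check looks when scripted so that it gives a clear yes/no for the edge rather than a list you have to read through. It assumes it runs in the Lync Server Management Shell on the front end holding the Central Management store, and that the edge FQDN is the hostname from this lab plus the internal DNS suffix added in Prep 1.

```powershell
# Added example: confirm the Central Management store has replicated to the edge server.
# Run in the Lync Server Management Shell on the server holding the CMS (the front end in this lab).

# Assumption: edge FQDN = hostname 'Lync2013edge' + the internal DNS suffix set in Prep 1.
$edgeFqdn = 'lync2013edge.northernlync.local'

# Get-CsManagementStoreReplicationStatus lists every replica; -ReplicaFqdn narrows it to the edge.
$status = Get-CsManagementStoreReplicationStatus -ReplicaFqdn $edgeFqdn

if (-not $status) {
    # No replica row at all means the edge has never reported in: the topology was not published with the
    # edge, or the edge has not completed step 1 (import of the exported CS configuration .zip).
    Write-Warning "No replica found for $edgeFqdn. Check the published topology and the edge's step 1 import."
}
elseif ($status.UpToDate) {
    Write-Output ("{0}: up to date (last report {1})" -f $status.ReplicaFqdn, $status.LastStatusReport)
}
else {
    # A stale replica is the usual cause of 'services start but edge behaves as if unconfigured'.
    # Replication is pulled by the Replica Replicator Agent on the edge over HTTPS 4443 to the front end,
    # so that service and that port are the first things to check before forcing a retry.
    Write-Warning ("{0}: NOT up to date (last report {1}, last update created {2})" -f
        $status.ReplicaFqdn, $status.LastStatusReport, $status.LastUpdateCreation)
    Invoke-CsManagementStoreReplication -ReplicaFqdn $edgeFqdn
}
```

Invoke-CsManagementStoreReplication only queues a fresh replication; re-run the status check a minute or two later to confirm it went through.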
Regards
Iain Smith
Reblogged this on Northern Lync and commented:
Lync 2013 Installation Guide Part 5 – Reposted with Format fixed
Hi Ian,
I encountered a rather disturbing behaviour from the moment I enabled Remote Call Control on Lync 2013 Server and users.
When I create an ad-hoc meeting and invite someone, the invited user gets (after accepting) the message: "We couldn't reach …"
After the user hits Retry and selects Lync Call everything is fine and he can join the meeting.
If the user changes the Call Forwarding setting (which is OFF) at "My preferred calling device" from Phone to Computer, this behaviour is no longer there.
If I create a meeting from Outlook and insert a Lync Online link this does not happen, no matter what setting is selected.
My question is: shouldn't the Lync client know that it has to use the computer to join others in meetings?
In the Phone area, "Join meeting audio from: Lync" is already selected.
I really hope you can shed some light on this for me … it's starting to get to me.
Also, is there a registry key that I can modify through GPO so I can get that setting to Computer if nothing else can be done?
Thank you for your time.
All the best,
Sorin
In regards to the edge server, would having a server that sits completely behind a firewall, not in a DMZ, with ports forwarded still work in your opinion?
Your edge server has to have 2 NICs and has to have the capability to communicate between both your internal and external firewalls (you need to be able to route to your internal Lync front-end server/s).
You should always ensure your edge server is not on your internal network.
Regards
Iain Smith
I'm wondering about the "export CS configuration" part. What will happen if I just copy/paste/share the save file from the topology builder?
That won't work, as you need to select the path of the export .zip as part of the installation.
Complete the export by using the PowerShell command.
I tried using that command but it failed several times; I'm not 100% sure which folder I need to be in when executing the command.
Never mind, confusion struck me. It's all good now.
Can it run on a dedicated server?
Yes, the edge server has to be deployed on a dedicated server.
Have you encountered the issue where you can't start the Lync Server Access Edge Service? I already have the root certificate from the CA server in the trusted certificates on the local computer.
Hi,
Can you explain what configuration you did on the edge server with regards to the network interfaces. Also what are you using as a reverse proxy?
Thanks,
Morning Greg
For the edge network config I have two NICs by design, one internal and one external.
I then used NATting on the external IP addresses pointing to my internal IP.
As for the Lync reverse proxy, I'm using a KEMP Virtual LoadMaster 100 appliance which I have located within my DMZ. These devices are excellent for Lync proxying.
Regards
Iain Smith
Do you have part 6? I only see the part 5 posted. Thanks
Hi Ian,
Thanks for the article. I am unable to find part 6? Can you please let me know where I can find part 6?
Thanks.
Ash
Hello Ash
I did publish the XMPP, but was finding issues with others deploying it. I'm in the process of rewriting the part 6 blog and it will be online in the next couple of days.
Regards
Iain Smith
Hello Ian,
I am new to Lync but I believe I am fast catching on. I have a couple of questions though.
You mentioned using 2 NICs for the edge server (missing steps/screenshot) and I get the fact that they have to be on 2 separate subnets or networks, but how do they communicate with each other?
Also, what is the big deal about NATting, especially if you can afford to lease 3 public IP addresses, one for each of the services?
NATting, as I understand it, allows internal services to share 1 public-facing IP address. Correct?
Hello Richard
These are good questions!
So, to communicate between the NICs (internal and external) you set up persistent static routes, with only the gateway associated with the external NIC.
As for NATting, it's not a big deal and you can configure edge to be direct. Also you can configure edge to use a single IP and port range if you require.
I hope this helps.
Regards
Iain Smith
Hello,
Is an edge server a must in a "stand-alone environment", or can I use TMG only?
Thanks,
Hello Eilon
To have external federation access you do require the edge server for external connectivity.
Regards
Iain Smith
Hey Iain,
Thanks for your reply.
I have the edge server set up with 3 IPs for SIP, AV and web conf. Is the reverse proxy necessary for desktop clients who are outside the network?
At the moment I don't have any reverse proxy set up and I am not able to sign in from my home machine. I had a look at my edge server event logs and I can see my request is hitting the edge server but it is not allowing me to authenticate.
Hi Northernlync
Can you share PART 6 link with me, currently I am planning to deploy Lync2013 ENT on my Domain.
Hi Ian,
Thanks for your prompt response
Let's say that my internal NIC is 172.16.1.5 and my external NIC is 172.16.2.5
DNS server 172.16.1.20
Gateway is 172.16.1.1
Public IP addresses 209.5.2.36-38
How do I create persistent static routes?
Same issue here. I could do with some assistance.
This is a test lab though.
Internal NIC is 10.44.78.20
Subnet 255.255.255.0
DNS is 10.44.78.1
Gateway is 10.44.78.1
External NIC is 10.44.140.12, 10.44.140.14 and 10.44.140.16
Subnet 255.255.255.0
No DNS
Gateway 10.44.140.254 (router)
For the lab, I've used the hosts file to point a non-domain-joined Win 7 client to 10.44.140.71. The router forwards that to 10.44.140.12.
No joy (basically 10.44.140.12 etc. doesn't seem pingable…).
Hello Mark
I think you have your setup incorrect.
To confirm:
Your internal NIC needs an internal IP and subnet but NO DNS or gateway.
Your external NIC needs an external IP and subnet, DNS and default gateway.
Don't forget to add the required persistent static routes, which allow the routing from external to internal and vice versa.
And lastly don't forget your hosts file additions.
Regards
Iain Smith
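The reply above and the earlier one to Richard describe the two-NIC network layout in words; the block below is an added example (not the author's own steps) that applies it on Windows Server 2012 with the built-in NetTCPIP cmdlets. It uses Mark's lab addresses from his comment; the adapter names, the internal server subnet (10.44.10.0/24), the DNS server placed on the external NIC and the front-end name/IP are assumptions and must be replaced with your own values.

```powershell
# Added example: two-NIC edge server network configuration on Windows Server 2012, following the reply above.
# Run as Administrator in an elevated PowerShell on the edge server itself.
# Addresses: Mark's lab values. Adapter names, 10.44.10.0/24, the external DNS server and the FE entry are assumptions.

# Name the adapters so the rest of the script reads clearly (assumes they are currently 'Ethernet' and 'Ethernet 2').
Rename-NetAdapter -Name 'Ethernet'   -NewName 'Internal'
Rename-NetAdapter -Name 'Ethernet 2' -NewName 'External'

# Internal NIC: IP address and mask only. No default gateway and no DNS servers.
New-NetIPAddress -InterfaceAlias 'Internal' -IPAddress '10.44.78.20' -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias 'Internal' -ResetServerAddresses

# External NIC: the first address carries the only default gateway on the box; the other two are added without one.
New-NetIPAddress -InterfaceAlias 'External' -IPAddress '10.44.140.12' -PrefixLength 24 -DefaultGateway '10.44.140.254'
New-NetIPAddress -InterfaceAlias 'External' -IPAddress '10.44.140.14' -PrefixLength 24
New-NetIPAddress -InterfaceAlias 'External' -IPAddress '10.44.140.16' -PrefixLength 24
# Assumption: a DNS server reachable from the external side. In a real DMZ this is a public or DMZ resolver.
Set-DnsClientServerAddress -InterfaceAlias 'External' -ServerAddresses '10.44.78.1'

# Persistent static routes: every internal network the edge must reach (front-end pool, internal clients for A/V)
# goes via the internal NIC's router, never via the default gateway. New-NetRoute routes survive a reboot.
$internalRouter = '10.44.78.1'           # Mark's internal gateway, used only as next hop for these routes
$internalNets   = @('10.44.10.0/24')     # assumption: subnet holding the front-end server(s); add more as needed
foreach ($net in $internalNets) {
    New-NetRoute -DestinationPrefix $net -InterfaceAlias 'Internal' -NextHop $internalRouter
}
# Legacy equivalent of the line above (the -p makes it persistent): route -p add 10.44.10.0 mask 255.255.255.0 10.44.78.1

# Hosts file entries: the edge is not domain joined and has no internal DNS, so the front end is resolved here.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$entries   = @(
    '10.44.10.5  fe01.northernlync.local'   # assumption: front-end server IP and FQDN
)
foreach ($entry in $entries) {
    if (-not (Select-String -Path $hostsFile -Pattern ([regex]::Escape($entry)) -Quiet)) {
        Add-Content -Path $hostsFile -Value $entry
    }
}

# Verify: exactly one default route, on 'External', and the internal subnet routed via 'Internal'.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Select-Object InterfaceAlias, NextHop
Get-NetRoute -InterfaceAlias 'Internal'    | Select-Object DestinationPrefix, NextHop
```

The two Get-NetRoute lines at the end are the check worth keeping: a second default route (for example one left on the internal NIC by DHCP) is the usual reason traffic from the edge to the front end silently goes out of the wrong interface, and it shows up immediately in that first listing.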
Hi Ian,
I have my edge server running and people can connect externally, I have even managed to federate with Lync online.
I do notice a few oddities though and was wondering if you could share how you would go about diagnosing and fixing them.
1. We can do a multi-party audio/video call, and internally people can share screen/whiteboarding, however the external party cannot see these. If I do a point-to-point call with an external party then I do believe screen sharing is working.
2. If I have a non-domain-joined PC (like a Mac) on the internal subnet, given an IP/DNS from DHCP, it cannot connect. As soon as it is not part of the internal network, it connects fine.
Thanks,
Greg
Hey Iain,
Excellent series on the deployment of Lync 2013. I have enjoyed the detail in your documentation and to this point have found the articles to be incredibly helpful. Is there any chance you could post part 6?
Thanks, and keep up the excellent work.
Bill
Hello Ian, many thanks for your excellent blog and extremely valuable support! I was looking for "Complete Lync 2013 Installation Guide – PART 6 of 6" but could not find it. Please let me know whether it just has a different title?
Many Thanks and Best Regards
Sam
Morning Sam
A few people have had trouble finding part 6. Let me locate it and reply back to you.
Iain Smith
Hello,
For a deployment in an enterprise hosting environment, it's not a standard design from a security point of view to have one NIC on the external DMZ and the 2nd on the internal DMZ, as it bypasses a firewall level (2 levels of firewall in a standard design with external and internal DMZs). What are the arguments you can suggest to accept this risk?
Thank you in advance.
Hello Iain,
Really nice guide! But I also have trouble finding part 6. Can you tell me where to locate it?
Thanks!
Michael