Complete Lync 2013 Installation Guide including – Edge Server installation PART 5 of 6

Hello All

This is Part 5 of the 6-part series on how to install and configure a fully functional Lync 2013 Enterprise Edition deployment.

Please check out the other parts at the links below:

Part 1 Complete Lync 2013 Installation Guide including – Pre Reqs, Enterprise Edition Pool, SQL Mirroring and Witness, Archiving/Monitoring, Persistent Chat, Edge Setup and XMPP integration PART 1 of 6

Part 2 Complete Lync 2013 Installation Guide including – Pre Reqs, Enterprise Edition Pool, SQL Mirroring and Witness, Archiving/Monitoring, Persistent Chat, Edge Setup and XMPP integration PART 2 of 6

Part 3 Complete Lync 2013 Installation Guide including – Web Access WAC, Archiving and Monitoring Server and Reports PART 3 of 6

Part 4 Complete Lync 2013 Installation Guide including – Persistent Chat Installation and configuration PART 4 of 6

Following on from the links above to my complete Lync 2013 installation guide, this part (Part 5) covers how to set up a Lync 2013 Edge Server for federation and remote access.

Info for your understanding

– My edge server is built on Windows 2012 and will be called Lync2013edge

– I won't be using NAT in this lab.

Internal server IP address 10.37.129.4

– I will be using 3 External IP addresses

89.114.67.110

89.114.67.111

89.114.67.112

External names

– sip.northernlync.co.uk

– wc.northernlync.co.uk

– av.northernlync.co.uk

Edge Server PreReqs

– .NET 4.5, from the Windows 2012 Roles and Features

– PowerShell 3.0 (part of Windows Server 2012)

– Windows Foundation Feature http://go.microsoft.com/fwlink/p/?linkId=204657

– Copy of the Lync 2013 installation files locally to the edge server.

Note: in this deployment the edge server sits in my DMZ and is not joined to the northernlync.local internal domain, so we need to do a few things to prepare the server for the edge install.

Prep 1

Add the DNS suffix to the edge server, even though it is part of a workgroup.

Go to the server's System Properties, set the name of your server, then select 'More' and add the DNS suffix of your internal domain. In this lab that is northernlync.local.

Once you've rebooted the server and copied the Lync 2013 media locally, you are ready to start the installation.
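
The same suffix change done from an elevated PowerShell prompt, as an added example that is not part of the original post. It assumes the suffix is the lab's internal domain northernlync.local and that the server is a workgroup member, so the registry values below are the only source of its DNS suffix; the read-back check catches a typo before the suffix becomes the certificate subject name later on.

```powershell
# Added example (not from the original post): set the primary DNS suffix on the
# workgroup edge server without the GUI. Assumption: suffix is the lab's internal
# domain northernlync.local and the server is not domain joined.
$DnsSuffix   = 'northernlync.local'
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# "Domain" is the primary DNS suffix; "NV Domain" is the companion value the
# System Properties dialog writes alongside it.
Set-ItemProperty -Path $TcpipParams -Name 'Domain'    -Value $DnsSuffix
Set-ItemProperty -Path $TcpipParams -Name 'NV Domain' -Value $DnsSuffix

# Read it back now: the FQDN built from this suffix becomes the subject name of
# the internal edge certificate, so a typo here surfaces as a cert mismatch later.
$Current = (Get-ItemProperty -Path $TcpipParams).Domain
if ($Current -ne $DnsSuffix) {
    throw "Primary DNS suffix is '$Current', expected '$DnsSuffix'"
}
"Edge server FQDN after reboot will be: $env:COMPUTERNAME.$Current"

# Lync setup only sees the new suffix after a restart; -Confirm asks first.
Restart-Computer -Confirm
```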

Next we add the edge server information to the Lync 2013 topology.

————————————————————————————————————————————————————————————————————————————————————————

Lync 2013 Topology Update

OK, so let's move on to the updates required within the topology.

First, open your topology on your Lync 2013 front end. (I won't screenshot how to open Topology Builder and download/save the topology, as I would expect you to know this by now.)

Adding your edge server to your topology

First, navigate down your topology site and right-click the 'New Edge Pool' option.

Once you've right-clicked, click Next through the welcome page until you reach the page where you add the information about your edge server.

On the next page you have a few options:

  • Use a single FQDN and IP address
  • Enable Federation 5061
  • Enable XMPP Federation

For this lab, and I guess for the majority of Lync installations, you would only need to select one option: 'Enable Federation 5061'.

On the next dialog page you have the options to use NAT and to use IPv6.

For this lab we won't be using NAT or IPv6, so I will accept the defaults.

Next, add the information about your external FQDNs.

(To recap: my internal domain is northernlync.local and my external domain name is northernlync.co.uk.)

Once you've added your names, press Next.

If you are using NAT, at the next screen you will be asked to add the internal NAT'd IP address.

In our case, as we are not using NAT, we are prompted to add the internal IP address. Once you've done this press Next.

Now add your external IP addresses for each of the three services (sip, wc and av), then press Next.

Select your next-hop Lync 2013 pool from the drop-down and press Next.

Then select the pool to associate with the edge server for connectivity; this is usually the same pool as your next-hop pool from the previous page.

Then click Finish.

Then publish your topology.

Now we are almost finished on the Lync front end. The last item we need to do is export a copy of the CMS configuration so it can be imported on the edge server.

Using the command below, export a copy and move it over to your edge server:

Export-CsConfiguration -FileName c:\topology_export.zip

Now copy that .zip file to the edge server.

We are now finished with the topology on the front end.
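
The export, copy, import and replication check as one scripted flow, added here as an example that is not part of the original post. It assumes the edge server is named Lync2013edge as in the post, that its C$ administrative share is reachable from the front end with a local administrator credential (the edge is in a workgroup, so a domain account will not do), that the export path is the C:\topology_export.zip used above, and that each function is run in the Lync Server Management Shell on the machine named in its comment.

```powershell
# Added example (not from the original post). Assumptions: edge server name
# Lync2013edge, its C$ share reachable from the front end with a local credential,
# export path C:\topology_export.zip as in the post.

# Run on the front end: export the CMS configuration and copy it to the edge.
function Export-EdgeConfig {
    param(
        [string]$ExportFile = 'C:\topology_export.zip',
        [string]$EdgeServer = 'Lync2013edge'
    )
    Export-CsConfiguration -FileName $ExportFile
    # Workgroup edge: authenticate with a local account on the edge, not the
    # front end's domain account.
    $cred = Get-Credential -Message "Local administrator on $EdgeServer"
    New-PSDrive -Name EdgeC -PSProvider FileSystem -Root "\\$EdgeServer\C$" -Credential $cred | Out-Null
    try {
        Copy-Item -Path $ExportFile -Destination 'EdgeC:\topology_export.zip' -Force
    } finally {
        Remove-PSDrive -Name EdgeC
    }
}

# Run on the edge server, after Step 1 (Install Local Configuration Store).
# -LocalStore writes the topology into the edge's local replica, which is what
# the deployment wizard does when it asks for the .zip file.
function Import-EdgeConfig {
    param([string]$ImportFile = 'C:\topology_export.zip')
    if (-not (Test-Path $ImportFile)) { throw "Export file not found: $ImportFile" }
    Import-CsConfiguration -FileName $ImportFile -LocalStore
}

# Run on the front end (where the Central Management Store lives). Returns $true
# once the edge replica is current. A stale LastStatusReport usually means the
# replica service on the edge is not running or the front end cannot reach the
# edge's internal interface.
function Test-EdgeReplication {
    param([string]$EdgeFqdn = 'lync2013edge.northernlync.local')
    $status = Get-CsManagementStoreReplicationStatus |
        Where-Object { $_.ReplicaFqdn -eq $EdgeFqdn }
    if (-not $status) {
        Write-Warning "No replica entry yet for $EdgeFqdn"
        return $false
    }
    $status | Format-Table ReplicaFqdn, UpToDate, LastStatusReport, LastUpdateCreation -AutoSize
    [bool]$status.UpToDate
}

# Usage, in order:
#   Export-EdgeConfig      # front end
#   Import-EdgeConfig      # edge server
#   Test-EdgeReplication   # front end, once the edge services have been started
```

Test-EdgeReplication is the scripted form of the Get-CsManagementStoreReplicationStatus tip at the end of this post; UpToDate flips to True only after the edge's replica service is running and has reported back, so run it after the services are started rather than straight after the import.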

While we are still on FE01, let's add the required permissions in the Control Panel for edge enablement.

————————————————————————————————————————————————————————————————————————————————————————

Adding permissions in the Lync Control Panel

Once you're in the Control Panel, select the 'Federation and External Access' tab in the left pane.

Double-click or select the Global option, then select the options you want.

In our lab demo I'm selecting federation, remote access and PIC (public IM connectivity).

Also, depending on what you require (e.g. open federation), you will need to configure the other tabs within the Control Panel.

For this demo we are going to allow open federation.

We are finished here: we are allowing open federation throughout our demo lab edge setup.
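
The same Control Panel settings applied from the Lync Server Management Shell, added as an example that is not part of the original post. It shows the open federation this lab uses beside a restricted variant, because the two differ in a single setting: EnablePartnerDiscovery. With it on, any domain that publishes the right DNS SRV record can federate; with it off, only domains on the allowed list can. The example assumes only the Global external access policy is in use, and contoso.com / sip.contoso.com are constructed placeholder partner values, not real partners.

```powershell
# Added example (not from the original post). Assumptions: only the Global
# external access policy is in use; contoso.com / sip.contoso.com are
# constructed placeholders for a federation partner.

function Set-EdgeFederationMode {
    param(
        [ValidateSet('Open', 'Restricted')] [string]$Mode,
        # Restricted mode only: partner SIP domain -> partner Access Edge FQDN
        [hashtable]$AllowedPartners = @{}
    )

    # Global external access policy: federation, remote access and PIC, the
    # three boxes ticked in the Control Panel above.
    Set-CsExternalAccessPolicy -Identity Global `
        -EnableFederationAccess $true `
        -EnableOutsideAccess $true `
        -EnablePublicCloudAccess $true `
        -EnablePublicCloudAudioVideoAccess $true

    # EnablePartnerDiscovery is the switch between the two modes.
    $discover = ($Mode -eq 'Open')
    Set-CsAccessEdgeConfiguration `
        -AllowFederatedUsers $true `
        -AllowOutsideUsers $true `
        -EnablePartnerDiscovery $discover `
        -UseDnsSrvRouting

    # With discovery off, the allowed-domains list is the whole federation
    # boundary, so populate it explicitly.
    if ($Mode -eq 'Restricted') {
        foreach ($domain in $AllowedPartners.Keys) {
            if (-not (Get-CsAllowedDomain -Identity $domain -ErrorAction SilentlyContinue)) {
                New-CsAllowedDomain -Identity $domain -ProxyFqdn $AllowedPartners[$domain] | Out-Null
            }
        }
    }
}

# Read back what will take effect once the change replicates to the edge.
function Get-EdgeFederationSummary {
    Get-CsAccessEdgeConfiguration |
        Format-List AllowFederatedUsers, AllowOutsideUsers, EnablePartnerDiscovery, RoutingMethod
    Get-CsAllowedDomain | Format-Table Identity, ProxyFqdn -AutoSize
    # PIC is switched on per provider; the policy above only permits it.
    Get-CsPublicProvider | Format-Table Identity, Enabled, ProxyFqdn -AutoSize
}

# What this lab does:
Set-EdgeFederationMode -Mode Open

# The tighter alternative, with a constructed placeholder partner:
# Set-EdgeFederationMode -Mode Restricted -AllowedPartners @{ 'contoso.com' = 'sip.contoso.com' }

Get-EdgeFederationSummary
```

Get-EdgeFederationSummary is worth running after either mode, since it shows the effective access edge configuration and the allowed-domains list together, which is what an auditor will ask for when reviewing who the deployment can federate with.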

————————————————————————————————————————————————————————————————————————————————————————

Running the installation on the Lync Edge Server to add the required components

Run setup as you normally would and get to the Deployment Wizard panel.

Then select the 'Install or Update Lync Server System' option.

Then select and complete Step 1, and select the .zip file containing the exported CS configuration when prompted.

Once that has finished successfully, run Step 2 and click Next.

Now run Step 3 and arrange for your internal certificate to be prepared offline, as we don't have access to the internal CA (the edge server is not a member of that domain).

Provide a location for the request (.txt) file.

Click Next through the next screen, then give your certificate a friendly name; in our case I'm going to call it Lync2013Edge. (There is no need to mark it exportable, as we are using a single edge server.)

Now give it your company name and location, then Next.

Ensure your subject name is your Lync server name, then select Next.

On the next page we don't require any additional subject names, so select Next.

Then Next, check your information, then again select Next.

You will then get a .txt request file like the one below.

At this point submit the request through your CA's web portal, then assign the certificate.

—– Public Cert

Now do the same for the public certificate, then pass the request to your public CA (e.g. GoDaddy, Comodo, etc.).

Then assign the public certificate.

Now start the services and test!
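
The offline certificate requests from Step 3, the import and assignment once the CAs return the signed certificates, and the service start, as a scripted example added here and not part of the original post. It assumes the edge FQDN and the three external names used in this post, a constructed request folder C:\certs, constructed file names edge-internal.cer and edge-external.cer for the signed certificates copied back into that folder, placeholder organisation and location values, and that the friendly name set at request time is carried onto the issued certificate (which is how the wizard identifies it).

```powershell
# Added example (not from the original post). Assumptions: post's edge FQDN and
# external names; C:\certs and the .req/.cer file names are constructed; the
# organisation/location values are placeholders.
$CertDir = 'C:\certs'
$Org     = @{ Organization = 'Northern Lync'; Country = 'GB'; State = 'Lab'; City = 'Lab' }  # placeholders

# Step 1 of 2: create the requests. Omitting -CA makes Request-CsCertificate
# write an offline request file instead of submitting to an enterprise CA, which
# is the wizard's "prepare the request, send it later" path used in the post.
# PrivateKeyExportable is deliberately not set, so the key never leaves this box.
function New-EdgeCertificateRequests {
    New-Item -ItemType Directory -Path $CertDir -Force | Out-Null

    # Internal edge certificate: the subject is the edge FQDN (hostname + suffix).
    Request-CsCertificate -New -Type Internal -FriendlyName 'Lync2013Edge' `
        -Output "$CertDir\edge-internal.req" @Org

    # External certificate: one request covering all three external services.
    # -DomainName supplies the subject alternative names so sip, wc and av match.
    Request-CsCertificate -New -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication `
        -FriendlyName 'Lync2013Edge-External' `
        -DomainName 'sip.northernlync.co.uk,wc.northernlync.co.uk,av.northernlync.co.uk' `
        -Output "$CertDir\edge-external.req" @Org
}

# Finds the issued certificate by the friendly name given at request time; insists
# on a private key so a bare public .cer cannot be assigned by mistake.
function Get-ThumbprintByFriendlyName([string]$Name) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $Name -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key named '$Name' in LocalMachine\My" }
    $cert.Thumbprint
}

# Step 2 of 2: import the signed certificates (completing the pending requests),
# assign them to the edge roles, show time to expiry, then start the services.
function Complete-EdgeCertificates {
    Import-CsCertificate -Path "$CertDir\edge-internal.cer"
    Import-CsCertificate -Path "$CertDir\edge-external.cer"

    Set-CsCertificate -Type Internal -Thumbprint (Get-ThumbprintByFriendlyName 'Lync2013Edge')
    Set-CsCertificate -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication `
        -Thumbprint (Get-ThumbprintByFriendlyName 'Lync2013Edge-External')

    # An expired edge certificate stops federation and remote sign-in, so report
    # the remaining lifetime of every assigned use while you are looking at it.
    Get-CsCertificate | ForEach-Object {
        '{0,-28} {1,5} days left  {2}' -f $_.Use, ($_.NotAfter - (Get-Date)).Days, $_.Thumbprint
    }
    Start-CsWindowsService
}

# Usage: New-EdgeCertificateRequests; submit the .req files to the internal and
# public CAs; copy the signed .cer files into $CertDir; then Complete-EdgeCertificates.
```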

Useful tips and tools for Edge

Check the replication status: you can validate the replication of configuration information to the edge by running the Windows PowerShell Get-CsManagementStoreReplicationStatus cmdlet on the internal computer on which the Central Management Store is located.

Remote Connectivity Analyzer: https://www.testexchangeconnectivity.com

Thank you for looking. I hope the above makes sense and provides you with a functional edge topology.

Regards

Iain Smith

30 thoughts on “Complete Lync 2013 Installation Guide including – Edge Server installation PART 5 of 6”

  1. Hi Ian,

    I encountered a rather disturbing behaviour from the moment I enabled the Remote Call Control on Lync 2013 Server and users.
    When I create an ad-hoc meeting and invite someone, the invited user gets (after accepting) the message : “We couldn’t reach …”
    After the user hits retry and selects Lync Call everything it’s fine and he can join the meeting.
    If the user change in the Call Forwarding (which is OFF) at My preferred calling device from Phone to Computer this behaviour is no longer there.
    If I create a meeting from Outlook and insert a Lync Online link this does not happened no matter what setting is selected.
    My question is: shouldn’t Lync Client know that it has to use computer to join others in meetings?
    In Phone area is already selected at Join meeting audio from: Lync.
    I really hope you can shed some light in this for me … it’s starting to get to me
    Also is there a registry key that I can modify through GPO so I can get that setting to Computer if nothing else can be done?
    Thank you for your time.

    All the best,
    Sorin

  2. In regards to the Edge server, Would having a server that sits completely behind a firewall not in a DMZ, with ports forwarded still work in your opinion?

    • Your edge server has to have 2 NICs and has to have the capability to communicate between your internal and external firewalls (you need to be able to route to your internal Lync front-end server/s).

      you should always ensure your edge server is not on your internal network.
      Regards
      Iain Smith

  3. Have you encountered the issue where you can't start the Lync Server Access Edge Service? I already have the root certificate from the CA server in trusted certificates on the local computer.

  4. Hi,

    Can you explain what configuration you did on the edge server with regards to the network interfaces. Also what are you using as a reverse proxy?

    Thanks,

    • Morning Greg

      For the edge network config I have two NICs by design, one internal and one external.

      I then used NATing on the external IP addresses pointing to my internal IP.

      As for the Lync reverse proxy, I'm using a KEMP Virtual LoadMaster 100 appliance which I have located within my DMZ. These devices are excellent for Lync proxying.

      Regards
      IainSmith

    • Hello Ash
      I did publish the XMPP, but was finding issues with others deploying it. I'm in the process of rewriting the page 6 blog and it will be online in the next couple of days.
      Regards
      Iain Smith

      • Hello Ian,
        I am new to Lync but I believe I am fast catching on. I have a couple of questions though.
        You mentioned using 2 NICs for the edge server (missing steps/screenshot) and I get the fact that they have to be on 2 separate subnets or networks, but how do they communicate with each other?
        Also, what is the big deal about NATting, especially if you can afford to lease 3 public IP addresses, one for each of the services?
        NATting as I understand it allows internal services to share 1 public-facing IP address – correct?

      • Hello Richard

        These are good questions!

        So to communicate between the nics (internal and external) you set up persistent static routes with only the gateway associated with the external nic.

        As for natting, it’s not a big deal and you can configure edge to be direct. Also you can configure edge to use a single IP and port range if you require.

        I hope this helps
        Regards
        Iain Smith

  5. Hey Iain,

    Thanks for your reply.

    I have the edge server setup with 3 IPs for sip, av and webconf. Is the reverse proxy necessary for Desktop clients who are outside the network?

    At the moment I don't have any reverse proxy set up and I am not able to sign in from my home machine. I had a look at my edge server event logs and I can see my request is hitting the edge server but it is not allowing me to authenticate.

  6. Hi Northernlync

    Can you share PART 6 link with me, currently I am planning to deploy Lync2013 ENT on my Domain.

  7. Hi Ian,
    Thanks for your prompt response
    Let's say that my internal NIC is 172.16.1.5 and my external NIC is 172.16.2.5
    DNS server 172.16.1.20
    Gateway is 172.16.1.1
    Public IP addresses 209.5.2.36-38
    How do I create Persistent Static Routes ?

    • Same issue here. I could do with some assistance.

      This is a test lab though.

      Internal NIC is 10.44.78.20
      Subnet 255.255.255.0
      DNS is 10.44.78.1
      Gateway is 10.44.78.1

      External NIC is 10.44.140.12, 10.44.140.14 and 10.44.140.16
      Subnet 255.255.255.0
      No DNS
      Gateway 10.44.140.254 (router)

      For the lab, I’ve used the host file to point a non domain joined Win 7 client to 10.44.140.71. The router forwards that to 10.44.140.12

      No joy (basically 10.44.140.12, etc. doesn't seem pingable).

      • Hello Mark

        I think you have your setup incorrect.

        To confirm:
        Your internal NIC needs an internal IP and subnet but NO DNS or gateway.

        Your external NIC needs an external IP and subnet, DNS and default gateway.

        Don't forget to add the required persistent static routes which allow the routing from external to internal and vice versa.

        And lastly don't forget your hosts file additions.

        Regards
        Iain Smith
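
The NIC and persistent static route layout described in the reply above, as an added example that is not part of the comment thread, using the addresses from Mark's lab comment (internal 10.44.78.20/24 via 10.44.78.1, external 10.44.140.12/.14/.16 via 10.44.140.254). It assumes the two adapters have already been renamed "Internal" and "External" (constructed names) and have no IPv4 configuration yet; that the internal networks reached through the internal router are summarised as 10.44.0.0/16 (a placeholder, substitute your real internal prefixes); and a placeholder external resolver address.

```powershell
# Added example (not from the comment thread). Assumptions: adapters named
# "Internal" and "External" with no IPv4 config yet; 10.44.0.0/16 and the
# external DNS address are placeholders; other values are from Mark's comment.
$Internal = @{ Alias = 'Internal'; IP = '10.44.78.20'; Prefix = 24; Router = '10.44.78.1' }
$External = @{ Alias = 'External'; IPs = @('10.44.140.12', '10.44.140.14', '10.44.140.16'); Prefix = 24; Gateway = '10.44.140.254' }
$InternalPrefixes = @('10.44.0.0/16')   # placeholder: your internal ranges
$ExternalDns      = @('10.44.140.254')  # placeholder: your external resolver

# Internal NIC: address and mask only. No default gateway and no DNS servers,
# exactly as the reply states; internal networks are reached via static routes.
New-NetIPAddress -InterfaceAlias $Internal.Alias -IPAddress $Internal.IP -PrefixLength $Internal.Prefix | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Internal.Alias -ResetServerAddresses

# External NIC: the first address carries the one and only default gateway; the
# other two (web conferencing and A/V) are extra addresses on the same adapter.
New-NetIPAddress -InterfaceAlias $External.Alias -IPAddress $External.IPs[0] `
    -PrefixLength $External.Prefix -DefaultGateway $External.Gateway | Out-Null
foreach ($ip in $External.IPs[1..($External.IPs.Count - 1)]) {
    New-NetIPAddress -InterfaceAlias $External.Alias -IPAddress $ip -PrefixLength $External.Prefix | Out-Null
}
Set-DnsClientServerAddress -InterfaceAlias $External.Alias -ServerAddresses $ExternalDns

# Persistent static routes: each internal prefix leaves via the internal NIC
# through the internal router. New-NetRoute without -PolicyStore writes the
# route to both the active and persistent stores, so it survives a reboot
# (the equivalent of "route -p add").
foreach ($prefix in $InternalPrefixes) {
    New-NetRoute -DestinationPrefix $prefix -InterfaceAlias $Internal.Alias -NextHop $Internal.Router | Out-Null
}

# Checks: exactly one default route, and it must sit on the external adapter.
# A second default route on the internal side is the classic cause of traffic
# from the edge going out the wrong interface.
$defaults = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4)
if ($defaults.Count -ne 1 -or $defaults[0].InterfaceAlias -ne $External.Alias) {
    throw "Expected one default route on '$($External.Alias)', found $($defaults.Count)"
}
Get-NetRoute -AddressFamily IPv4 -PolicyStore PersistentStore |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias -AutoSize
```

The hosts file entries the reply mentions (the front-end pool name resolving to its internal address, since the internal NIC has no DNS server) are added separately; the point of the route check above is that the edge should only ever have one path to the Internet, on the external side, with everything internal pinned by explicit routes.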

  8. Hi Ian,

    I have my edge server running and people can connect externally, I have even managed to federate with Lync online.

    I do notice a few oddities though and was wondering if you could share how you would go about diagnosing and fixing them.

    1. We can do a multi-party audio / video call and internally people can share screen / whiteboarding, however the external party cannot see these. If I do a point to point call with an external then I do believe screen sharing is working.

    2. If I have a non-domain-joined PC (like a Mac) on the internal subnet, given an IP / DNS from DHCP, it cannot connect. As soon as it is not part of the internal network, it connects fine.

    Thanks,

    Greg

  9. Hey Lain,

    Excellent series on the deployment of Lync 2013. I have enjoyed the detail in your documentation and to this point have found the articles to be incredibly helpful. Is there any chance you could post part 6?

    Thanks, and keep up the excellent work.

    Bill

  10. Hello Ian, many thanks for your excellent blog and extremely valuable support! I was looking for Complete Lync 2013 Installation Guide including – PART 6 of 6 but could not find it. Please let me know whether it just has a different title?
    Many Thanks and Best Regards
    Sam

  11. Hello,

    For a deployment in an enterprise hosting environment, it's not a standard design from a security point of view to have one NIC on the external DMZ and the second on the internal DMZ, as it bypasses a firewall level (2 levels of firewall in a standard design with external and internal DMZ). What arguments can you suggest to accept this risk?

    Thank you in advance.
