
Page 1: 2013 03 03 Lync2013 Building a Lync Edge Pool

1

Dean Suzuki Blog

Title: Building a Lync 2013 Edge Pool

Created: 3/3/2013

Description:

One of my teammates was asking how to build the Lync Edge infrastructure. In this post, we'll walk through the build of a Lync 2013 Edge Server. The Edge Server provides the following capabilities:

- External access from the Internet to the Lync capabilities for your users.
- Federation with other companies running Office Communications Server or Lync, so that you can use Lync capabilities with users at companies running these technologies.
- Federation with users on public IM clouds (e.g. AOL).
- Federation with users on XMPP clouds (e.g. GoogleTalk).
- Access to web conferences for external users. Lync provides web conferencing and allows participants to join who aren't even on Lync; they can join via the new Lync web access (LWA) client.

Below is a diagram of a typical Lync environment with Lync Edge servers.

References:

http://www.microsoft.com/en-us/download/details.aspx?id=36823 ; Lync 2013 Planning Tool
http://technet.microsoft.com/en-us/library/gg398918.aspx ; Deploying External User Access
http://technet.microsoft.com/en-us/library/gg398447.aspx ; Lync 2013 Planning Documentation
http://technet.microsoft.com/en-us/library/gg412892.aspx ; Deploying Lync Server 2013
http://technet.microsoft.com/en-us/library/gg398205.aspx ; Preparing the Infrastructure and Systems
http://technet.microsoft.com/en-us/library/gg412883.aspx ; Server and Tools Operating System Support
http://technet.microsoft.com/en-us/library/jj721939.aspx ; Managing Lync Server 2013 Disaster Recovery, High Availability, and Backup Service
http://technet.microsoft.com/en-us/library/gg398347.aspx ; Planning for Central Site Voice Resiliency

Disclaimer:

Contents of this blog and article represent the opinions of Dean Suzuki, and do not reflect the views of my employer. (C) 2012 Dean Suzuki, All Rights Reserved

Procedure:

Table of Contents

1 Planning Your Edge Architecture with the Lync Planning Tool (page 3)
2 Build a VM for the Lync Edge server (page 4)
3 Name the Server and Set DNS Suffix (page 4)
4 Setup Networking (page 5)
4.1 Configure the Internal NIC (page 6)
4.2 Host File Or DNS (page 6)
4.3 Creating Static Routes From Edge Server to Internal (page 6)
4.4 Configure the External NIC (page 8)
5 Load Pre-requisites (page 9)
6 Run Topology Builder (page 11)
7 Take the Configuration to the Edge Server (page 16)
8 Run Setup on Lync Edge Server (page 17)
9 Creating Certificates on Edge Server (page 19)
10 Download the Internal Certificate Chain from the Internal Certificate Authority (page 24)
11 Request Internal Certificate (page 26)
12 Request the External Certificate (page 30)


1 Planning Your Edge Architecture with the Lync Planning Tool

Microsoft has released a tool called the Lync Planning Tool. In an earlier post, I describe how to get and install the tool. I would highly recommend working through the tool and planning out the Lync Edge architecture based upon your requirements. The Lync Edge architecture has many moving parts:

- Lots of IP addresses, VLANs, and networking
- Lots of DNS records
- Lots of certificates
- Lots of ports to open and secure

The Planning Tool helps you understand what you need and simplifies the complexity.

Below is a sample picture of a Lync edge architecture:

Note that there are 4 different subnets in the above picture:

- Internet (131.107.155.x)
- External leg of Edge server (10.45.16.x)
- Internal leg of Edge server (172.25.33.x)
- Internal network (192.168.21.x)

This is the standard best-practice layout. Note that you can double-click the IP addresses used by the tool and enter your own network subnets. You can also change the DNS FQDN hostnames to match your design.

In addition, the tool outputs the DNS records, certificates, and firewall ports that need to be configured.

Go to the Edge Admin Report

Note that there are tabs covering certificates, firewall, and DNS records.


2 Build a VM for the Lync Edge server

Create a new virtual machine for the Lync 2013 Edge Server. See the earlier posts for building a base Windows 2012 VM. Copy it and make a virtual machine for Lync 2013.

Lync 2013 supports Windows 2012. The supported operating systems for Lync 2013 are listed here: http://technet.microsoft.com/en-us/library/gg412883.aspx

3 Name the Server and Set DNS Suffix

Set the hostname of the server.

The Edge server should not be joined to the internal AD forest. Some customers may have a DMZ AD forest. If you don't have a DMZ AD forest, then the edge server should stay in a workgroup.


Deploy edge server in a workgroup

You need to set the DNS suffix of the edge server. This is normally set when you join the machine to a domain, but this machine won't be joined to the domain. Topology Builder uses the FQDN of the edge server, so that FQDN must match the DNS suffix that you are setting here.

4 Setup Networking

The Edge server needs at least 2 physical NICs.


Rename the NICs so that it's easy to identify the internal and external NIC.

4.1 Configure the Internal NIC

Set the IP address.

Note: the internal NIC doesn't have a default gateway set.

4.2 Host File Or DNS

In my diagram, I am able to connect to my internal DNS servers. Some organizations don't allow DMZ resources to connect to internal DNS servers. If that is the case in your organization, then you will need to leave the DNS servers field empty and create a HOSTS file on the edge server. In the HOSTS file, you will need to create an entry (the equivalent of a DNS A record) for each of the front end servers.

If you are using DNS load balancing for the internal front end pool, you need to include an entry for each member of the front end pool.

Between the edge server and the internal network, on the internal firewall, we recommend a routed configuration (not a NAT configuration).

Between the Internet and the edge server, on the Internet-facing firewall, NAT is supported.

4.3 Creating Static Routes From Edge Server to Internal


To get communication from the Edge server back to the internal front-end pool and UM servers, you need to set up static routes on the Edge server, since the edge server is not aware of the route to these servers. You need a static route to each internal network that contains Lync 2013 servers and Unified Messaging servers.

Open a command prompt:

Use route print to see the routes.

To set a static route, use the route add command.

In the above command, I am adding a route to the 10.5.22.0 network (which is my internal network, inside the firewall). 10.5.21.1 is the external IP address of my internal firewall that protects my internal network. The -p is important to make the route persistent, so that it will continue to exist even after you reboot the server. If you don't use -p, then you will lose this route once you reboot the server and will be wondering why the edge server can't communicate with your internal hosts.


4.4 Configure the External NIC

The external NIC needs to support 3 IP addresses, for: access, web conferencing, and A/V conferencing. These could be on the same NIC or you could use 3 separate NICs.

The internal and external NICs should be on different VLANs, although in my lab I don't have two separate VLANs. In a production environment, you should set up the internal and external NICs on separate VLANs for security.

For the default gateway, in most cases it will be the IP address of the internal leg of the Internet/external firewall.

For DNS servers, it depends on whether you have connections to your internal DNS servers. Most companies restrict access from the DMZ to their internal DNS servers, so the DNS servers would need to be external DNS servers.
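The networking steps of sections 3 through 4.4 collected into one PowerShell script, added here as an example and not taken from the original post. The adapter names, the hostname edge2013 with suffix irvlab.mtcdemos.net, and every address (10.5.21.x for the internal leg, 10.5.22.0/24 for the internal network behind the firewall at 10.5.21.1, 10.45.16.x for the external leg, 203.0.113.53 as a stand-in external DNS server) are assumptions based on the post's lab values; run it elevated on the Edge server and reboot afterwards for the name and suffix changes to take effect.

```powershell
# Added example, not from the original post. All names and addresses are assumed lab values.
$ErrorActionPreference = 'Stop'

# Section 3: hostname and primary DNS suffix. The Edge server stays in a workgroup, so the
# suffix is not set by a domain join; it must match the Edge FQDN entered in Topology Builder.
$DnsSuffix = 'irvlab.mtcdemos.net'
Rename-Computer -NewName 'edge2013' -Force
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name 'Domain'    -Value $DnsSuffix
Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value $DnsSuffix

# Section 4: rename the two NICs so internal and external are easy to tell apart.
Rename-NetAdapter -Name 'Ethernet'   -NewName 'Internal'
Rename-NetAdapter -Name 'Ethernet 2' -NewName 'External'

# 4.1 Internal NIC: address only, deliberately no default gateway.
New-NetIPAddress -InterfaceAlias 'Internal' -IPAddress '10.5.21.10' -PrefixLength 24 | Out-Null

# 4.2 DMZ cannot reach internal DNS: hosts entries for every Front End pool member
# (one per member when the pool uses DNS load balancing). Entries already present are skipped.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$frontEnds = @('10.5.22.11 fe01.irvlab.mtcdemos.net', '10.5.22.12 fe02.irvlab.mtcdemos.net')
foreach ($entry in $frontEnds) {
    if (-not (Select-String -Path $hostsFile -Pattern $entry -SimpleMatch -Quiet)) {
        Add-Content -Path $hostsFile -Value $entry
    }
}

# 4.3 Persistent static route to the internal server subnet via the outer address of the
# internal firewall. Without -p the route is gone after the next reboot.
route add 10.5.22.0 mask 255.255.255.0 10.5.21.1 -p

# 4.4 External NIC: three addresses (access, web conferencing, A/V), default gateway on the
# inner leg of the Internet firewall, and an external DNS server.
New-NetIPAddress -InterfaceAlias 'External' -IPAddress '10.45.16.10' -PrefixLength 24 -DefaultGateway '10.45.16.1' | Out-Null
New-NetIPAddress -InterfaceAlias 'External' -IPAddress '10.45.16.11' -PrefixLength 24 | Out-Null
New-NetIPAddress -InterfaceAlias 'External' -IPAddress '10.45.16.12' -PrefixLength 24 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias 'External' -ServerAddresses '203.0.113.53'

# Verification: the route must be in the persistent store, and the internal NIC must have no
# default route (a gateway there would send return traffic the wrong way).
Get-NetRoute -DestinationPrefix '10.5.22.0/24' -PolicyStore PersistentStore
$badGateway = Get-NetRoute -InterfaceAlias 'Internal' -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($badGateway) { Write-Warning 'Internal NIC has a default gateway; remove it.' }
```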


5 Load Pre-requisites

The Edge server needs some pre-requisites installed. Run Server Manager.

You need to load Windows Identity Foundation 3.5.

6 Run Topology Builder

Create a new Edge Pool.

You need to define a FQDN for the Edge pool of servers if you have multiple edge servers. Create a DNS A record for the Edge pool FQDN.

I made a mistake on this screen and entered IP addresses instead of FQDNs. I had to go back and change them. This screen asks for FQDNs, not IP addresses.

The following is the screen in Topology Builder that I fixed later.

The next step is to add the Edge servers to the Edge Pool.

This internal FQDN must correspond to the hostname and DNS suffix that we set earlier on the edge server. You need to create a DNS A record in your internal DNS for this internal FQDN as well.

This internal IPv4 address is the IP address that we set on the internal NIC.

These three external IPv4 addresses are the three IP addresses that we set on the external NIC.

This is the public IP address that we'll use for the A/V edge.

Each of the 3 external private IP addresses that we set earlier maps to one of 3 public IP addresses. Topology Builder needs to know the public IP address that will correspond to the A/V conferencing connection.

Note: NAT of the A/V edge service is not supported with HW load balancing. If you want to NAT the A/V edge service, then you need to use DNS load balancing.


This is the edge server in the pool

The next hop should be set to the front-end pool.

7 Take the Configuration to the Edge Server

After you publish the configuration in Topology Builder, you need to export the configuration to a zip file and copy it to the edge server. Since the edge server is not domain joined, when you run setup on it, it can't contact the Central Management Store initially. So for the initial load, it will get its configuration from the zip file. After it is configured, it can talk to the CMS to get updates from it.

Export the config

Copy it to the edge server

8 Run Setup on Lync Edge Server

Select "Install or Update Lync Server System".

Select "Install Local Configuration Store" and press Run.

Specify the file copied earlier.

Select "Setup or Remove Lync Server Components" and press Run.

9 Creating Certificates on Edge Server

For the external interface:

- Use a public certificate so that everyone trusts it.
- The certificate must be exportable. You need to export it from the first edge server and import it across all edge servers, so that the private key is the same across all the edge servers. The A/V conferencing service requires this.
- Certificate Subject Name = Access Edge FQDN (access2013.irvlab.mtcdemos.net) or, if HW load balancing is used, the HW LB VIP FQDN (e.g. access.contoso.com)
- Certificate Subject Alternative Name = contains:
  o Access Edge FQDN (access2013.irvlab.mtcdemos.net) or, if HW load balancing is used, the HW LB VIP FQDN (e.g. access.contoso.com). Although this name is in the Subject Name, it is also needed in the SAN, since TLS clients match against the SAN rather than the Subject Name.
  o SIP domain FQDNs (e.g. sip.irvlab.mtcdemos.net)
  o Web conferencing edge FQDN (webcon2013.irvlab.mtcdemos.net)
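A PowerShell check, added here as an example and not part of the original post, that tests a certificate in the local machine store against the external-interface requirements above: Subject CN equal to the Access Edge FQDN, every required name present in the SAN, and an exportable private key. The function name and the lookup by subject are assumptions, and the SAN parsing relies on the English "DNS Name=" rendering of the extension.

```powershell
# Added example, not from the original post. Run on the Edge server after the certificate is imported.
function Test-EdgeExternalCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # First name is the Access Edge FQDN (or HW LB VIP FQDN); the rest are the SIP domain
        # and web conferencing edge FQDNs. All of them must appear in the SAN.
        [Parameter(Mandatory)][string[]]$RequiredNames
    )
    $problems = @()

    # Subject CN must be the Access Edge (or HW LB VIP) FQDN; -ne is case-insensitive.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Certificate.GetNameInfo($nameType, $false)
    if ($cn -ne $RequiredNames[0]) { $problems += "Subject CN is '$cn', expected '$($RequiredNames[0])'" }

    # SAN extension (OID 2.5.29.17). Format($true) renders one 'DNS Name=host' per line on
    # English Windows (assumption). TLS clients match the SAN, so the CN alone is not enough.
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = $sanExt.Format($true) -split "`r?`n" |
            ForEach-Object { if ($_ -match 'DNS Name=(.+)$') { $Matches[1].Trim().ToLower() } }
    } else {
        $problems += 'certificate has no Subject Alternative Name extension'
    }
    foreach ($name in $RequiredNames) {
        if ($sans -notcontains $name.ToLower()) { $problems += "SAN is missing '$name'" }
    }

    # The private key must exist and be exportable: the same key has to be imported onto every
    # Edge server for the A/V conferencing service. PrivateKey is null for CNG keys, hence the guard.
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'no private key in this store'
    } elseif ($Certificate.PrivateKey -and -not $Certificate.PrivateKey.CspKeyContainerInfo.Exportable) {
        $problems += 'private key is not marked exportable'
    }
    if ($Certificate.NotAfter -lt (Get-Date)) { $problems += "expired on $($Certificate.NotAfter)" }
    return $problems   # an empty result means the certificate meets the requirements
}

# Usage with the post's lab names (assumed to be the names on the installed certificate).
$required = 'access2013.irvlab.mtcdemos.net', 'sip.irvlab.mtcdemos.net', 'webcon2013.irvlab.mtcdemos.net'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$($required[0])*" } | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$($required[0]) in LocalMachine\My" }
$result = @(Test-EdgeExternalCertificate -Certificate $cert -RequiredNames $required)
if ($result.Count -eq 0) { 'OK: certificate meets the external edge requirements' } else { $result }
```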

For the internal interface:

- You can use a public certificate or one that is generated on a private Certificate Authority.
- Certificate Subject Name = Internal Edge FQDN or HW LB VIP FQDN. You can also use a wildcard certificate on the Edge internal interface.
- Certificate Subject Alternative Name = None needed

Make sure to mark the private key as exportable, since you will need to export it out of the first Edge server and import it onto all the other Edge servers.

Notice that the wizard is using the Edge pool FQDN (instead of the specific server FQDN, edge2013.irvlab.mtcdemos.net). I can't even change this value in the wizard.

10 Download the Internal Certificate Chain from the Internal Certificate Authority

If you are using an internal CA, download its certificate chain to the Edge server.

Download the certificate chain

In the Certificates snap-in, import the certificate chain.


Select “Download a CA Certificate ….”

After downloading the certificate chain, import it into Certificates snap-in.


11 Request Internal Certificate


Import certificate

I needed to import it through the Certificates snap-in. The Lync import tool didn't work.


Select Assign


12 Request the External Certificate

Select Request

Again, remember to mark the private key as exportable. The private key on the edge external leg needs to be the same across all the Edge servers for the A/V conferencing service.


I added the FQDN of the other edge servers that will be deployed.


Import the certificate from Lync Deployment Wizard.

Import from the Lync Wizard failed. Although the wizard said it was successful, I looked at the Certificates snap-in and didn't see it. So, I used the Certificates snap-in to import the certificate.

After importing, you need to assign the certificate to Lync. Press Assign.


Check Lync Services

Check Windows Updates