Secure Remote Access & Lync
Ilse Van Criekinge
http://blogs.technet.com/ilvancri
@ivcrieki

Page 1 (title slide)

Page 2

Session Objectives and Takeaways

• Session Objectives
  • Overview of typical Lync Server Edge configurations
  • DNS Load Balancing and Hardware Load Balancing
  • NAT support for Edge Deployment
  • Reverse Proxy
  • ICE
• Takeaways
  • Understand typical Edge planning and deployment process
  • Understand certificate requirements for Edge and Reverse Proxy

Page 3

Introduction

Page 4

Conferencing Capabilities of Lync

• Web Conferencing
• Audio Conferencing
• Video Conferencing
• Instant Messaging Conferencing
• PSTN Conferencing
• ACP Integration
• Integration with third-party A/V SIP endpoints and MCUs

Page 5

Dial-In Conferencing

• Conferencing Attendant Application
• Conferencing Announcement Application
• Dial-in Conferencing Web Page
• Mediation Servers and Gateways or PBX

Page 6

Simple URLs

• Lync Server 2010
  • Meet
  • Dial-in
  • Admin
• Scope = Global & Site
• Created using PowerShell or Topology Builder

Page 7

Edge Server Role

Page 8

Lync Server Edge scenarios

• External User Access
  • Lync clients can transparently connect to the Lync Server deployment over the public Internet
• PIC
  • Connecting with public IM providers
• Federation
  • Federation with other Enterprises
  • IM&P only, or
  • All modalities: A/V and Application Sharing

Page 9

Edge Server Role Requirements

• General Requirements
  • 64-bit Windows 2008, Windows 2008 R2
  • Microsoft .NET Framework 3.5 SP1
  • Windows PowerShell v2
• Cannot be collocated with any other Microsoft Lync Server role
• Virtualization is supported (Windows 2008 R2 OS!)

Server role | Physical: CPU | Memory | Number of users supported | Virtual: CPU | Memory | Number of users supported
Edge Server | 8 cores | 16 GB | 15,000 | 4 cores | 5 GB | 7,500

Page 10

Edge Server Roles

• Access Edge = handles all SIP traffic crossing the corporate firewall
• Web Conferencing Edge = proxies PSOM (Persistent Shared Object Model) traffic between the Web Conferencing Server and external clients
• Audio/Video Edge = provides a single trusted connection point through which audio and video traffic enters and exits your network

Page 11

Edge Server Role: 1 IP, 2 IP, 3 IP, 4 IP, ... ?

Page 12

A Few Networking Lync Facts

• Lync Server 2010 supports only IPv4
  • It does not support IPv6
  • Can function in a network with dual IP stack enabled
• Two network adapters for each Edge Server are required:
  • one for the internal-facing interface
  • one for the external-facing interface
• Important: The internal and external subnets must not be routable to each other.

Page 13

Single IP address Edge

Edge Server
  External: edge.contoso.com, 131.107.155.10
    SIP: 5061; Web Conf: 444; A/V Conf: 443, 3478
  Internal: edge-int.contoso.com, 172.25.33.10
    SIP: 5061; Web Conf: 8057; A/V Conf: 443, 3478

Page 14

Multiple IP address Edge

Edge Server
  External SIP: access.contoso.com, 131.107.155.10 (443, 5061)
  External Web Conf: webcon.contoso.com, 131.107.155.20 (443)
  External AV: av.contoso.com, 131.107.155.30 (443, 3478)
  Internal: edge-int.contoso.com, 172.25.33.10
    SIP: 5061; Web Conf: 8057; A/V Conf: 443, 3478

Page 15

Edge using NAT IP addresses

Edge Server (external interfaces behind NAT)
  External SIP: IP1, translated to public IP1'
  External Web Conf: IP2, translated to public IP2'
  External AV: IP3, translated to public IP3'
  Internal interface (Int)

Client in the public IP space sees IP1', IP2', IP3'.

• Clients connect to the translated IP for A/V traffic
• Translated AV IP must be configured in Lync Server
• Lync Server does not need to know the translated SIP and Web Conf IP

Page 16

DNS Load Balanced Edge

Edge Server 1: external IP1 (SIP), IP2 (Web Conf), IP3 (AV); internal interface (Int)
Edge Server 2: external IP4 (SIP), IP5 (Web Conf), IP6 (AV); internal interface (Int)

Public IP space, DNS A records:
  access.contoso.com: IP1 and IP4
  webcon.contoso.com: IP2 and IP5
  av.contoso.com: IP3 and IP6

• Client can retrieve and handle multiple IP addresses and can fail over
• DNS server returns randomized IP address

Page 17

DNS Load Balanced Edge using NAT

Edge Server 1: external IP1 (SIP), IP2 (Web Conf), IP3 (AV); internal interface (Int)
Edge Server 2: external IP4 (SIP), IP5 (Web Conf), IP6 (AV); internal interface (Int)

NAT: IP1 to IP1', IP2 to IP2', IP3 to IP3', IP4 to IP4', IP5 to IP5', IP6 to IP6'

Public IP space, DNS A records:
  access.contoso.com: IP1' and IP4'
  webcon.contoso.com: IP2' and IP5'
  av.contoso.com: IP3' and IP6'

• Translated AV IP addresses must be configured in Lync Server individually: IP3 to IP3', IP6 to IP6'

Page 18

Hardware Load Balanced Edge

Edge Server 1: external IP1 (SIP), IP2 (Web Conf), IP3 (AV); internal interface (Int)
Edge Server 2: external IP4 (SIP), IP5 (Web Conf), IP6 (AV); internal interface (Int)

HLB: VIP1 (SIP), VIP2 (Web Conf), VIP3 (AV)

Public IP space, DNS A records:
  access.contoso.com: VIP1
  webcon.contoso.com: VIP2
  av.contoso.com: VIP3

• The initial A/V connection lands on the VIP and is forwarded; after that, clients connect to the Edge Server directly (UDP)
• TCP traffic continues to use the VIP
• NAT combined with HLB is not possible

Page 19

INSTALLATION: Edge Server Role

Page 51

CERTIFICATE REQUIREMENTS: Edge Server Role

Page 52

Certificate Requirements Edge Server Role

• A single public certificate is supported in Lync for
  • Access Edge external interface
  • Web conferencing Edge external interface
  • A/V Authentication Edge internal interface
• Edge internal interface
  • Can be issued by an internal CA
  • Subject name is typically the Edge internal interface FQDN or HWLB VIP
  • No subject alternative names required

Page 53

Requirements External Certificate

• Issued by an approved public CA (http://go.microsoft.com/fwlink/?LinkId=202834)
• If Edge pool, same cert on every Edge, must be exportable
• Subject Name = Access Edge FQDN or HWLB VIP (not required, but recommended (previous versions))
• Subject Alternative Names
  • Access Edge external interface or HWLB VIP
  • Web Conferencing Edge external interface or HWLB VIP
  • Any SIP domain FQDN (for auto-discovery, federation)
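The SAN rules on the two certificate slides are easy to get wrong when a request is built by hand, so here is a small checker, written for this page as an added example (it is not from the deck and not Microsoft code), that derives the required SAN list and reports what a proposed certificate is missing. One assumption is flagged in the code: the deck says "any SIP domain FQDN", and the example uses sip.<sip domain>, the auto-discovery name the DNS slides use, for that entry. The fabrikam.com second SIP domain is constructed for the sample.

```python
"""Added example: check a proposed external Edge certificate against the
SAN and exportability requirements on the certificate slides."""

from dataclasses import dataclass


@dataclass(frozen=True)
class EdgeExternalNames:
    access_edge_fqdn: str   # Access Edge external interface FQDN, or the HWLB VIP name
    webconf_edge_fqdn: str  # Web Conferencing Edge external interface FQDN, or the HWLB VIP name
    sip_domains: tuple      # every SIP domain used for auto-discovery / federation


def required_sans(names):
    """SAN = Access Edge, Web Conferencing Edge, plus one name per SIP domain."""
    sans = [names.access_edge_fqdn, names.webconf_edge_fqdn]
    # Assumption: sip.<domain> is the per-SIP-domain name (the deck only says "SIP domain FQDN").
    sans += [f"sip.{d}" for d in names.sip_domains]
    # De-duplicate while keeping order: with an HLB, Access and Web Conf may share one VIP name.
    seen, out = set(), []
    for n in sans:
        if n.lower() not in seen:
            seen.add(n.lower())
            out.append(n)
    return out


def check_external_cert(names, subject_cn, cert_sans, exportable, edge_servers=1):
    """Return findings as strings; an empty list means the certificate satisfies the slide."""
    findings = []
    present = {s.lower().rstrip(".") for s in cert_sans}
    for san in required_sans(names):
        if san.lower() not in present:
            findings.append(f"missing SAN: {san}")
    if subject_cn.lower() != names.access_edge_fqdn.lower():
        findings.append(f"subject name {subject_cn} is not the Access Edge FQDN (recommended, not required)")
    if edge_servers > 1 and not exportable:
        findings.append("Edge pool: private key must be exportable so the same certificate can be installed on every Edge")
    return findings


# Constructed sample: contoso.com names from the topology slides plus a second
# SIP domain (fabrikam.com) invented for the example.
NAMES = EdgeExternalNames("access.contoso.com", "webcon.contoso.com", ("contoso.com", "fabrikam.com"))


def example_findings():
    # A request that forgot the second SIP domain and was generated non-exportable for a 2-node pool.
    return check_external_cert(
        NAMES, subject_cn="access.contoso.com",
        cert_sans=["access.contoso.com", "webcon.contoso.com", "sip.contoso.com"],
        exportable=False, edge_servers=2)


if __name__ == "__main__":
    for finding in example_findings():
        print(finding)
```

Run it as-is and it lists the missing sip.fabrikam.com SAN and the exportability problem; feed it the names from your own topology and the SAN list from the CSR you are about to submit to the public CA.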

Page 64

DNS REQUIREMENTS: Edge Server Role

Page 65

DNS Requirements

• DNS Entries
  • External DNS lookups by remote users and federated partners
  • Entries for DNS lookups for use by the Edge Servers within the perimeter network
  • Internal DNS entries for lookups by the internal clients and servers running Lync Server 2010
• Edge Server requires DNS Suffix

Page 66

Need client auto configuration?
  NO: Use GPOs or configure clients manually
  YES: Default SIP domain FQDN = AD domain FQDN; then:

    You are not using split-brain DNS
      Internal DNS: _sipinternaltls._tcp.<sip domain>, sip.<sip domain>
      External DNS: _sip._tls.<sip domain>

    You are using split-brain DNS
      Internal DNS: _sipinternaltls._tcp.<sip domain>
      External DNS: _sip._tls.<sip domain>

Page 67

Internal DNS: A record for the internal interface
External DNS: A records for the external interfaces

Is Federation required?
  NO: nothing further
  YES: External DNS: _sipfederationtls._tcp.<sip domain>

Page 68

DNS Records for External Devices

Type | Value | Note
SRV | Edge Server: _sipexternal._tls.<SIP domain>, and _sipexternaltls.<SIP domain> | Allows external devices to connect by using SIP over TLS to the Registrar internally.
A | Reverse proxy FQDN: <server name>.<SIP domain> | Allows external devices to connect by using TLS over HTTP to the Device Update Web service.
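The two flowcharts above (client auto-configuration with or without split-brain DNS, and federation) reduce to a list of records per zone, which makes them a good candidate for a pre-deployment check. The script below is an added example written for this page, not the deck's or Microsoft's code: it walks the flowcharts to build the required record list and compares it with a zone snapshot. The record names come from the slides; the ports are the ones the deck shows for the Access Edge (SIP/TLS 443 for clients, SIP/MTLS 5061 for federation), and the internal SRV port 5061 and the pool FQDN/IP are assumptions. The zone data is constructed, with two mistakes planted so the output is not empty.

```python
"""Added example: derive the DNS records the Edge DNS flowcharts require and
check a zone snapshot against them."""

from dataclasses import dataclass

# Ports assumed by this example: the deck shows the Access Edge on SIP/TLS 443 for
# clients and SIP/MTLS 5061 for federation; 5061 for the internal pool is the usual default.
PORT_SIP_TLS_EXTERNAL = 443
PORT_SIP_MTLS = 5061


@dataclass(frozen=True)
class DnsReq:
    zone: str      # "internal" or "external"
    rtype: str     # "A" or "SRV"
    name: str      # owner name, e.g. _sip._tls.contoso.com
    target: str    # A: IPv4 address; SRV: host the record must point at
    port: int = 0  # SRV only


def required_records(sip_domain, pool_fqdn, pool_ip, edge_internal_fqdn, edge_internal_ip,
                     external_ifaces, access_edge_fqdn, *, auto_config, split_brain, federation):
    """A records for the Edge interfaces are always needed; SRV records only when clients
    auto-configure; sip.<domain> only without split-brain DNS; the federation SRV only when
    federating."""
    reqs = [DnsReq("internal", "A", edge_internal_fqdn, edge_internal_ip)]
    reqs += [DnsReq("external", "A", fqdn, ip) for fqdn, ip in external_ifaces.items()]
    if auto_config:
        reqs.append(DnsReq("internal", "SRV", f"_sipinternaltls._tcp.{sip_domain}", pool_fqdn, PORT_SIP_MTLS))
        reqs.append(DnsReq("external", "SRV", f"_sip._tls.{sip_domain}", access_edge_fqdn, PORT_SIP_TLS_EXTERNAL))
        if not split_brain:
            reqs.append(DnsReq("internal", "A", f"sip.{sip_domain}", pool_ip))
    if federation:
        reqs.append(DnsReq("external", "SRV", f"_sipfederationtls._tcp.{sip_domain}", access_edge_fqdn, PORT_SIP_MTLS))
    return reqs


def check_zones(reqs, zones):
    """zones = {"internal": {owner: [("A", ip) or ("SRV", (prio, weight, port, target))]}, "external": {...}}.
    Returns human-readable findings; an empty list means every required record is present."""
    findings = []
    for r in reqs:
        rrset = zones.get(r.zone, {}).get(r.name.lower(), [])
        if r.rtype == "A":
            ok = any(t == "A" and v == r.target for t, v in rrset)
            want = r.target
        else:
            ok = any(t == "SRV" and v[2] == r.port and v[3].lower() == r.target.lower() for t, v in rrset)
            want = f"port {r.port} -> {r.target}"
        if not ok:
            findings.append(f"{r.zone} DNS: {r.rtype} {r.name} should be {want}")
    return findings


# Constructed sample: names/addresses from the deck's topology slides, a pool FQDN/IP
# invented for the example, and two planted mistakes (wrong SRV port, missing federation SRV).
SAMPLE_REQS = required_records(
    "contoso.com", "pool01.contoso.com", "172.25.33.20",
    "edge-int.contoso.com", "172.25.33.10",
    {"access.contoso.com": "131.107.155.10",
     "webcon.contoso.com": "131.107.155.20",
     "av.contoso.com": "131.107.155.30"},
    "access.contoso.com",
    auto_config=True, split_brain=False, federation=True)

SAMPLE_ZONES = {
    "internal": {
        "edge-int.contoso.com": [("A", "172.25.33.10")],
        "sip.contoso.com": [("A", "172.25.33.20")],
        "_sipinternaltls._tcp.contoso.com": [("SRV", (0, 0, 5061, "pool01.contoso.com"))],
    },
    "external": {
        "access.contoso.com": [("A", "131.107.155.10")],
        "webcon.contoso.com": [("A", "131.107.155.20")],
        "av.contoso.com": [("A", "131.107.155.30")],
        "_sip._tls.contoso.com": [("SRV", (0, 0, 5061, "access.contoso.com"))],  # planted: should be 443
        # _sipfederationtls._tcp.contoso.com deliberately absent
    },
}

if __name__ == "__main__":
    for line in check_zones(SAMPLE_REQS, SAMPLE_ZONES):
        print(line)
```

The zone snapshot is a plain dictionary so the check runs offline; in practice you would fill it from a zone export or from SRV/A lookups against the internal and external resolvers separately, since the whole point of the flowchart is that the two views differ.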

Page 69

REVERSE PROXY & DIRECTOR: Edge Server Role

Page 70

Reverse Proxy and Director

Internet: Remote Clients, Federated Clients, Anonymous Clients
Perimeter Network: Edge Server, Reverse Proxy
Internal Network: Director, Front End

Page 71

Reverse Proxy and external access (1)

• Forwards External HTTPS and HTTP traffic to Front End and Director Pool
• External user access to:
  • Meeting content for meetings (HTTPS)
  • Expand and display of distribution groups (HTTPS)
  • Downloadable files from the Address Book Service (HTTPS)
  • The Lync Web App client (HTTPS)
  • The Dial-In Conferencing Settings web page (HTTPS)
  • Location Information Service (HTTPS)
  • Device Update Service and obtain updates (HTTP)

Page 72

Reverse Proxy and external access (2)

• Simple URL forward to Director (recommended)
  • Forwarding rule for Simple URL to a single Director (or Pool); port 443
  • Reverse Proxy certificate’s SAN to contain base FQDN of each Simple URL
• Web External Pool traffic forwarded to pools by Reverse Proxy
  • Reverse Proxy requires a forwarding rule for each Web External FQDN (Front End Pool and Director); port 443
  • If external Phone Devices are implemented, a Reverse Proxy rule for port 80 is required
  • Reverse Proxy certificate’s SAN to contain base FQDN of all configured Web external Pools (Front End Pool and Director)

Page 73

RECAP DNS VS HW LOAD BALANCING: Edge Server Role

Page 74

DNS vs. Hardware Load Balancing

Criterion | DNS LB | HLB
Public IP addresses required | Each Server x 3 | (Each Server + 1 VIP) x 3
Failover support | No, delayed failover* for: Exchange UM (remote user), PIC, Federation with older versions of OCS | Yes, instant failover for: Exchange UM (remote user), PIC, Federation with older versions of OCS
NATing of IP addresses (Edge Server) | Supported | Not supported

* Delayed Failover: DNS TTL period
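The NAT, DNS load balancing and hardware load balancing slides (pages 15 to 18) and this recap table state a handful of rules that a topology either satisfies or not: public IP count, NAT and HLB being mutually exclusive, every NAT'd A/V address needing its translation configured in Lync Server, and which addresses the A records publish. The code below is an added example written for this page (not the deck's or Microsoft's code) that encodes those rules and runs them against a constructed two-server DNS-LB topology with one translation deliberately left unconfigured. The server names, private addresses and public addresses are constructed.

```python
"""Added example: validate an Edge topology against the NAT / DNS LB / HLB rules
on the load-balancing slides and the recap table."""

from dataclasses import dataclass, field

SERVICES = ("sip", "webconf", "av")


@dataclass
class EdgeServer:
    name: str
    external_ips: dict   # service -> IP on the external interface, e.g. {"sip": "10.0.0.11", ...}


@dataclass
class EdgeTopology:
    servers: list
    load_balancing: str                                   # "dns" or "hlb"
    nat: dict = field(default_factory=dict)               # external-interface IP -> public (translated) IP
    configured_av_translation: dict = field(default_factory=dict)  # server name -> translated A/V IP set in Lync Server
    hlb_vips: dict = field(default_factory=dict)          # service -> VIP, only for "hlb"


def public_ips_required(topology):
    """Recap table: DNS LB needs 3 per server; HLB needs (servers + 1 VIP) x 3."""
    n = len(topology.servers)
    return n * 3 if topology.load_balancing == "dns" else (n + 1) * 3


def dns_a_records(topology, fqdns):
    """fqdns = {"sip": "access.contoso.com", ...}. DNS LB publishes every server's
    (translated, if NAT'd) IP under one name; HLB publishes only the VIP."""
    records = {}
    for svc in SERVICES:
        if topology.load_balancing == "hlb":
            records[fqdns[svc]] = [topology.hlb_vips[svc]] if svc in topology.hlb_vips else []
        else:
            records[fqdns[svc]] = [topology.nat.get(s.external_ips[svc], s.external_ips[svc])
                                   for s in topology.servers]
    return records


def validate(topology):
    """Return findings as strings; empty means the topology follows the slides' rules."""
    findings = []
    if topology.load_balancing == "hlb":
        if topology.nat:
            findings.append("NAT and HLB cannot be combined")
        missing = [s for s in SERVICES if s not in topology.hlb_vips]
        if missing:
            findings.append("HLB is missing a VIP for: " + ", ".join(missing))
    for s in topology.servers:
        av_ip = s.external_ips["av"]
        if av_ip in topology.nat:   # only the A/V translation must be known to Lync Server
            expected = topology.nat[av_ip]
            got = topology.configured_av_translation.get(s.name)
            if got != expected:
                findings.append(f"{s.name}: translated A/V IP {expected} must be configured in Lync Server (found {got})")
    return findings


# Constructed sample: two Edge Servers behind NAT with DNS load balancing; the
# translation for edge02's A/V address was never entered in Lync Server.
SAMPLE = EdgeTopology(
    servers=[
        EdgeServer("edge01", {"sip": "10.0.0.11", "webconf": "10.0.0.12", "av": "10.0.0.13"}),
        EdgeServer("edge02", {"sip": "10.0.0.21", "webconf": "10.0.0.22", "av": "10.0.0.23"}),
    ],
    load_balancing="dns",
    nat={"10.0.0.11": "131.107.155.11", "10.0.0.12": "131.107.155.12", "10.0.0.13": "131.107.155.13",
         "10.0.0.21": "131.107.155.21", "10.0.0.22": "131.107.155.22", "10.0.0.23": "131.107.155.23"},
    configured_av_translation={"edge01": "131.107.155.13"},
)
FQDNS = {"sip": "access.contoso.com", "webconf": "webcon.contoso.com", "av": "av.contoso.com"}

if __name__ == "__main__":
    print("public IPs required:", public_ips_required(SAMPLE))
    for fqdn, ips in dns_a_records(SAMPLE, FQDNS).items():
        print(fqdn, "->", ", ".join(ips))
    for finding in validate(SAMPLE):
        print(finding)
```

Switching `load_balancing` to "hlb" while keeping the `nat` mapping reproduces the "NAT and HLB is not possible" rule from page 18 as a finding, and the public IP count rises from 6 to 9 as the recap table says.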

Page 75

XMPP: Edge Server Role

Page 76

Extensible Messaging and Presence Protocol (XMPP) Gateway

• Features provided
  • Add and delete each other as contacts
  • Publish Presence and subscribe for each other’s Presence
  • Engage in one-to-one conversations
• Three scenarios
  • Public federation with hosted network
  • Federation between two organizations
  • On-premises deployment with Jabber

Page 77

XMPP Gateway (SIP/MTLS: 5061)

Page 78

MANAGE & CONTROL REMOTE ACCESS: Edge Server Role

Page 79

Manage & Control Remote Access

• To support external user access, you must do both of the following:
  • Enable support for external user access to your organization
  • Configure and assign one or more policies to support external user access
• Policies
  • External user access policies
  • Conferencing policies

Page 92

CLIENT COMMUNICATIONS: Edge Server Role

Page 93

IM And Presence Workload

Page 94

Step 1. Client resolves DNS SRV record _sip._tls.<sip-domain> to Edge Server

Page 95

Step 2. Client connects to Edge Server (Access Edge: SIP/TLS: 443)

Page 96

Step 3. Edge Server proxies connection to Director (Access Edge: SIP/TLS: 443; Edge to Director: SIP/MTLS: 5061)

Page 97

Step 4. Director authenticates user and proxies connection to user’s home pool
Diagram labels: Access Edge SIP/TLS: 443; SIP/MTLS: 5061 (Edge to Director, Director to home pool); HTTPS: 443 (x2)

Page 98

Federated IM & Presence Workloads

Diagram labels: Access Edge SIP/TLS: 443; SIP/MTLS: 5061 (Edge to Director, Director to home pool, and the federation hop); HTTPS: 443 (x2)

Page 99

ESTABLISHING MEDIA PATH: ICE

Page 100

SDP, STUN, TURN, ICE

• Lync uses SDP to provide initialization parameters for media stream
• Add a Media Relay (aka A/V Edge Server)
  • STUN reflects NAT addresses
  • TURN relays media packets
• ICE exchanges candidates (cand) and determines the optimal media path to assist media in traversing NATs without requiring the endpoints to be aware of their network topologies
• All three protocols are based on IETF standards

Page 101

ICE Details

• There are five phases for establishing a media path
  • During login
    • TURN Provisioning and Credentials (MRAS – Media Relay Authentication Service)
  • When establishing a call
    • Address Discovery (Allocation) (Obtain Candidate List)
    • Address Exchange (SIP Invite/200 OK)
    • Connectivity Checks
    • Candidate Promotion

Page 102

In summary, to send media into the enterprise, the external user must be authenticated and have an authenticated internal user explicitly agree to exchange media streams. Lync Server 2010 uses TCP 50,000-59,999 outbound. Lync Server 2010 federating with Office Communications Server 2007 partners continues to use the port range of 50,000-59,999 UDP/TCP. Federation involving Lync Server 2010 partners or Office Communications Server 2007 R2 partners will use 3478/UDP and 443/TCP, and TCP 50,000-59,999 outbound.
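The call-time phases listed on the ICE Details slide (candidate list, address exchange, connectivity checks, candidate promotion) are the standard ICE procedure, and the deck notes that STUN, TURN and ICE are IETF standards. The following added example, written for this page and not taken from the deck or from Lync, walks those phases with the RFC 5245 candidate-priority and pair-priority formulas on a constructed candidate set: a remote user behind a home NAT (host, server-reflexive and A/V-Edge relay candidates) calling an internal user. Lync's own ICE implementation differs in detail, so treat the type preferences and the simulated check results as assumptions; 131.107.155.30 is av.contoso.com from the topology slides, the other addresses are made up.

```python
"""Added example: ICE candidate gathering, pairing, connectivity checks and
promotion using the RFC 5245 priority formulas (not Lync's implementation)."""

from dataclasses import dataclass

# RFC 5245 recommended type preferences: a direct host path ranks first, a TURN relay last.
TYPE_PREF = {"host": 126, "srflx": 100, "relay": 0}


@dataclass(frozen=True)
class Candidate:
    ctype: str            # "host", "srflx" (NAT address reflected by STUN) or "relay" (TURN on the A/V Edge)
    ip: str
    port: int
    transport: str = "udp"
    local_pref: int = 65535
    component: int = 1    # 1 = RTP, 2 = RTCP

    def addr(self):
        return f"{self.ip}:{self.port}"


def candidate_priority(c):
    """RFC 5245 4.1.2.1: 2^24 * type_pref + 2^8 * local_pref + (256 - component)."""
    return (1 << 24) * TYPE_PREF[c.ctype] + (1 << 8) * c.local_pref + (256 - c.component)


def pair_priority(local, remote, controlling=True):
    """RFC 5245 5.7.2: G = controlling agent's candidate priority, D = controlled agent's."""
    lp, rp = candidate_priority(local), candidate_priority(remote)
    g, d = (lp, rp) if controlling else (rp, lp)
    return (1 << 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)


def form_pairs(local_cands, remote_cands):
    """Address exchange: every local/remote combination with the same transport and component."""
    return [(l, r) for l in local_cands for r in remote_cands
            if l.transport == r.transport and l.component == r.component]


def promote(local_cands, remote_cands, succeeded, controlling=True):
    """Connectivity checks are simulated by `succeeded`, the set of (local addr, remote addr)
    pairs whose STUN binding request was answered. Candidate promotion selects the
    highest-priority pair that passed; None means no media path exists."""
    passed = [(l, r) for l, r in form_pairs(local_cands, remote_cands)
              if (l.addr(), r.addr()) in succeeded]
    if not passed:
        return None
    return max(passed, key=lambda p: pair_priority(p[0], p[1], controlling))


# Constructed candidate lists. Host ports sit in the 50,000-59,999 range the deck cites.
LOCAL = [
    Candidate("host", "192.168.1.5", 50000),
    Candidate("srflx", "203.0.113.7", 50000),     # the home NAT's public address, learned via STUN
    Candidate("relay", "131.107.155.30", 52000),  # allocated on the A/V Edge via TURN
]
REMOTE = [
    Candidate("host", "172.25.40.8", 50000),      # internal user's corporate address
    Candidate("relay", "131.107.155.30", 52001),
]
# Simulated check results (assumption): private-to-private and reflexive-to-private
# checks fail because the corporate subnet is not routable from the Internet;
# every check that involves the A/V Edge relay succeeds.
SUCCEEDED = {
    ("192.168.1.5:50000", "131.107.155.30:52001"),
    ("203.0.113.7:50000", "131.107.155.30:52001"),
    ("131.107.155.30:52000", "172.25.40.8:50000"),
    ("131.107.155.30:52000", "131.107.155.30:52001"),
}

if __name__ == "__main__":
    for l, r in form_pairs(LOCAL, REMOTE):
        status = "ok" if (l.addr(), r.addr()) in SUCCEEDED else "failed"
        print(f"{l.ctype:5} {l.addr():22} -> {r.ctype:5} {r.addr():22} priority={pair_priority(l, r)} {status}")
    l, r = promote(LOCAL, REMOTE, SUCCEEDED)
    print(f"promoted: {l.ctype} {l.addr()} -> {r.ctype} {r.addr()}")
```

The pair the example promotes sends from the caller's host candidate to the callee's relay on the A/V Edge rather than relaying both legs, which is the behaviour the slide describes: media enters the enterprise only through the authenticated relay, and the endpoints never needed to know each other's network topology.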

Page 103

Step 1. In-band Provisioning Process during Lync Sign-In

Page 105

Step 2. Obtain Candidate List

Page 107

Step 3. Connectivity Checks

Page 108

Step 4. Candidate Promotion

Page 109

Stay up to date with TechNet Belux

Register for our newsletters and stay up to date: http://www.technet-newsletters.be
• Technical updates
• Event announcements and registration
• Top downloads

Join us on Facebook: http://www.facebook.com/technetbe, http://www.facebook.com/technetbelux
LinkedIn: http://linkd.in/technetbelux/
Twitter: @technetbelux
Download MSDN/TechNet Desktop Gadget: http://bit.ly/msdntngadget

Page 110

TechDays 2011 On-Demand

• Watch this session on-demand via TechNet Edge: http://technet.microsoft.com/fr-be/edge/ or http://technet.microsoft.com/nl-be/edge/
• Download to your favorite MP3 or video player
• Get access to slides and recommended resources by the speakers

Page 111

THANK YOU
[email protected]