Step by Step guide to deploy Lync Server 2010 Edge Server


The Lync Server Edge Server role provides access for users who connect from the internet. The Edge Server is usually deployed in the DMZ (perimeter network) with two NICs: one leg (NIC) faces the external, internet-facing network and the other faces the internal network.

Below is a typical topology for an Edge Server.

Capture0

The internal interface of the Edge Server uses a certificate from the private (internal) CA, while the external interface uses a public certificate. Three services run on the Edge Server (Access Edge, Web Conferencing Edge and A/V Edge), and the public certificate must cover them; this is covered later in the deployment process. Let's divide this guide into two segments.

1. Infrastructure configuration to support Edge Server

2. Application Server deployment

Infrastructure configuration to support Edge Server

Unlike the Front End Server, the Edge Server needs very little internal infrastructure. What it does need is a set of SRV and A records in the public DNS domain, so that clients can discover the Lync deployment and partners can find it for federation. All of them should resolve to the external (public) addresses of the Edge Server:

  • A record: sip.uctest.com (Access Edge service)
  • A record: media.uctest.com (A/V Edge service)
  • A record: webcon.uctest.com (Web Conferencing Edge service)
  • SRV record: _sip._tls.uctest.com, port 443, target sip.uctest.com
  • SRV record: _sipfederationtls._tcp.uctest.com, port 5061, target sip.uctest.com

The _sip._tls record is what lets clients discover the SIP domain and the Edge Server to connect to (automatic sign-in). If this record is not created, every client has to be configured manually with the Edge Server's external FQDN.

The _sipfederationtls._tcp record lets federation partners discover the Lync platform and connect via federation without any prior arrangement. This is called open (discovered) federation. Some organizations do not want that; in that case, each partner's SIP domain and Access Edge Server FQDN have to be configured as an allowed (federated) domain in the Lync Server Control Panel, and only those domains are accepted.
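Because every record in the list above is what an internet client or a partner's Edge Server will actually query, it is worth checking them from outside rather than trusting the zone file. The script below is an added example, not part of the original post: it resolves each SRV record through a public resolver, checks the advertised port, checks that the target host name lives inside the SIP domain (Lync ignores a federation SRV record whose target is in a foreign domain), and confirms the target has an A record. It assumes the uctest.com names from the post, a public resolver address (8.8.8.8 is only a placeholder) and a client with the DnsClient module (Windows 8 / Server 2012 or later, for Resolve-DnsName).

```powershell
# Added example (not from the original post): verify the public DNS records an
# Edge Server needs, as seen from the internet.
$SipDomain      = "uctest.com"   # from the post
$PublicResolver = "8.8.8.8"      # assumption: an external resolver, not the internal DNS

# The SRV records from the post, with the port each must advertise.
$Checks = @(
    @{ Srv = "_sip._tls.$SipDomain";              Port = 443  }   # client automatic sign-in
    @{ Srv = "_sipfederationtls._tcp.$SipDomain"; Port = 5061 }   # partner discovery (open federation)
)

function Test-EdgeSrvRecord {
    param([string]$Name, [int]$ExpectedPort)
    $srv = Resolve-DnsName -Name $Name -Type SRV -Server $PublicResolver -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq "SRV" }
    if (-not $srv) { return "FAIL  $Name : no SRV record" }
    foreach ($r in $srv) {
        $target   = $r.NameTarget
        $problems = @()
        if ($r.Port -ne $ExpectedPort) { $problems += "port $($r.Port), expected $ExpectedPort" }
        # Lync only trusts an SRV target that is inside the SIP domain itself.
        if ($target -notlike "*.$SipDomain") { $problems += "target $target is outside $SipDomain" }
        $a = Resolve-DnsName -Name $target -Type A -Server $PublicResolver -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq "A" }
        if (-not $a) { $problems += "target $target has no A record" }
        if ($problems) { "FAIL  $Name -> $target ($($problems -join '; '))" }
        else           { "OK    $Name -> ${target}:$($r.Port) = $($a.IPAddress -join ', ')" }
    }
}

foreach ($c in $Checks) { Test-EdgeSrvRecord -Name $c.Srv -ExpectedPort $c.Port }

# The three A records from the post must also resolve to the Edge external addresses.
foreach ($label in "sip", "webcon", "media") {
    $name = "$label.$SipDomain"
    $a = Resolve-DnsName -Name $name -Type A -Server $PublicResolver -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq "A" }
    if ($a) { "OK    $name = $($a.IPAddress -join ', ')" } else { "FAIL  $name : no A record" }
}
```

Run it from a machine that is not on the internal network (or at least point it at an external resolver, as above); a record that only exists in the internal zone will pass an internal lookup and still break sign-in from the internet.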

Unlike the other Lync Server roles, the Edge Server should not be joined to the domain. It sits in the perimeter network and is exposed directly to the internet, so a domain-joined Edge Server would hand anyone who compromised it a domain computer account and a path into Active Directory. The server is deployed as a workgroup member instead, and its primary DNS suffix is configured as shown below so that its FQDN matches the name that will be entered in the topology.

Capture6
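The same suffix change done from an elevated PowerShell prompt, as an added example that is not part of the original post. It writes the two registry values behind the "Primary DNS suffix" setting, adds the suffix to the search list so short names on the internal leg still resolve, and prints the FQDN the topology and the certificate request will see. The host name EDGE01 and the suffix uctest.local are assumed; the change takes effect after a reboot.

```powershell
# Added example (not from the original post): set the primary DNS suffix on the
# workgroup Edge Server so its FQDN matches the topology. Run elevated; reboot afterwards.
$Suffix = "uctest.local"   # assumption: internal DNS suffix used by the Front End
$Tcpip  = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Both values must be set: "Domain" is what the TCP/IP stack reads,
# "NV Domain" is the non-volatile copy that System Properties writes.
Set-ItemProperty -Path $Tcpip -Name "Domain"    -Value $Suffix
Set-ItemProperty -Path $Tcpip -Name "NV Domain" -Value $Suffix

# Append the suffix to the search list if it is not there already.
$SearchList = (Get-ItemProperty -Path $Tcpip -Name "SearchList" -ErrorAction SilentlyContinue).SearchList
if ($SearchList -notmatch "(^|,)$([regex]::Escape($Suffix))(,|$)") {
    $NewList = if ($SearchList) { "$SearchList,$Suffix" } else { $Suffix }
    Set-ItemProperty -Path $Tcpip -Name "SearchList" -Value $NewList
}

# This is the name to enter as the server FQDN in Topology Builder and to put in
# the subject of the internal certificate request.
"Expected FQDN after reboot: {0}.{1}" -f ($env:COMPUTERNAME).ToLower(), $Suffix
```

After the reboot, confirm with `ipconfig /all` that "Primary Dns Suffix" shows the value you set; if it is blank, the topology FQDN and the internal certificate subject will not match the machine name and the Front End will refuse the TLS connection.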

Now to the second segment.

Application Server deployment

Check http://technet.microsoft.com/en-us/library/gg398835.aspx for the hardware requirements of the Edge Server, and http://technet.microsoft.com/en-us/library/gg412883.aspx for the operating system and additional software requirements.

Prerequisites required to deploy the Lync Server 2010 Edge Server:

  • .NET Framework 3.5.1 features
  • Desktop Experience
  • Quality Windows Audio Video Experience

Now configure the Lync Server topology with the new server role. Open Topology Builder and save a copy of the current topology as a backup before making changes.

Capture10

Navigate to “Edge pools” and select the option to define a new Edge pool.

Capture11

This deployment is a single Edge Server deployment. Select “Single computer pool” and specify the server FQDN (the name built from the host name and the DNS suffix configured earlier).

Capture12

Select the option to enable federation on port 5061 and leave the rest of the options unchecked.

Capture13

Configure the public FQDNs for the SIP (Access Edge), Web Conferencing Edge and A/V Edge services; these are the names published in public DNS earlier. Leave the default port configuration as it is.

Capture14

Configure the internal IP address. This is the address assigned to the internal interface.

Capture15

Configure the external IP addresses. These are the addresses assigned to the external interface; they can sit behind NAT on the firewall.

Capture16

Select the next hop for the Edge Server. In this scenario it is the Front End Server.

Capture 17

Associate the Front End pool with the Edge Server.

Capture18

Now publish the topology and move over to the Front End Server.

Capture19

Because the Edge Server is not joined to the domain, it cannot retrieve the Central Management Store configuration automatically (there is no replication over Active Directory credentials). Export the configuration from the Front End Server as shown below, from the Lync Server Management Shell:

Export-CsConfiguration -FileName "C:\config\config.zip"

Capture9

Copy config.zip from the Front End Server to the Edge Server (it carries the topology and the certificates the Edge must trust, so move it over an authenticated channel and delete it when done). Run the Lync Server 2010 installation media and install the core components, then run the Deployment Wizard and select the option to add or remove Lync Server components.

Capture20

Select the option to install the Local Configuration Store. Specify the config.zip file as the source of the configuration information and complete the step.

Capture21

Now go to the next step to set up the Lync Server components.

Capture23

Complete the step. All checks are green, so it is safe to move ahead.

Capture24

Now assign the certificates. Request the internal certificate first.

Capture25

Because the server is not joined to the domain, the certificate cannot be requested online from the enterprise CA; the request has to be handled manually. Select “Prepare the request now, but send it later”.

Capture26

Specify a friendly name and mark the certificate's private key as exportable. Notice the SAN entries: it is normal that media.domain.com is not included as a SAN, because the A/V Edge service does not require its FQDN in the certificate.

Capture28

Select the SIP domain and save the request as a local file.

Capture32

Make sure the internal root CA's self-signed certificate is imported into the Trusted Root Certification Authorities store of the Edge Server (computer account). Otherwise the Edge Server cannot validate the Front End Server's certificate chain and TLS communication between the two will fail.

Capture30

Request a Web Server certificate from the internal CA using the request file. Import the issued certificate into the Personal store of the computer account, go back to the Certificate Wizard, select Assign, pick the newly imported certificate and assign it to the internal interface.

Capture33

Now go through the same steps for the external certificate, requesting this one from a public certification authority. Import the issued certificate into the Personal store and assign it to the external interface.

Capture36

Certificate assignment is completed.

Capture37

Now start the services and check in Windows Services that all Lync Server services have started.

Capture39
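Everything from the configuration export to the service start can also be done from the Lync Server Management Shell, which is useful when you want the steps in a script or need to redo a certificate without clicking through the wizards. The block below is an added example, not from the original post; it walks the same sequence with cmdlets. Assumed names: Front End FE01.uctest.local, Edge EDGE01.uctest.local (workgroup), SIP domain uctest.com, and a working folder C:\config on both servers; the CA certificate and request file names are placeholders.

```powershell
# Added example (not from the original post): the wizard steps above done from
# the Lync Server Management Shell. Names, paths and file names are assumptions.

### 1. On the Front End: export the Central Management Store for the Edge.
Export-CsConfiguration -FileName "C:\config\config.zip"
# Copy C:\config\config.zip to the Edge over an authenticated channel (it holds the
# topology and every certificate the Edge must trust) and delete it afterwards.

### 2. On the Edge, after the core components are installed from the media:
Import-Module Lync
Import-CsConfiguration -FileName "C:\config\config.zip" -LocalStore   # seeds the local configuration store
Enable-CsReplica                                                      # installs the Edge services defined in the topology

### 3. Trust the internal root CA before requesting the internal certificate
###    (certutil rather than Import-Certificate, which Server 2008 R2 does not have).
certutil -addstore -f Root "C:\config\InternalRootCA.cer"

### 4. Offline certificate requests: no CA is reachable from the perimeter, so a
###    request file is produced and submitted by hand, as in the wizard.
Request-CsCertificate -New -Type Internal -ComputerFqdn "edge01.uctest.local" `
    -FriendlyName "Edge Internal" -PrivateKeyExportable $true -Output "C:\config\edge-internal.req"
Request-CsCertificate -New -Type External -FriendlyName "Edge External" `
    -AllSipDomain -PrivateKeyExportable $true -Output "C:\config\edge-external.req"
# Submit edge-internal.req to the internal CA (Web Server template) and
# edge-external.req to the public CA, then copy the issued .cer files back.

### 5. Import the issued certificates and bind them to the two interfaces.
Import-CsCertificate -Path "C:\config\edge-internal.cer" -PrivateKeyExportable $true
Import-CsCertificate -Path "C:\config\edge-external.cer" -PrivateKeyExportable $true
# Pick the certificates by subject rather than friendly name, which an import may not preserve.
$internal = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=edge01.uctest.local*" }
$external = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=sip.uctest.com*" }
Set-CsCertificate -Type Internal -Thumbprint $internal.Thumbprint
Set-CsCertificate -Type External -Thumbprint $external.Thumbprint
Get-CsCertificate   # both Use values should now show a thumbprint and an unexpired certificate

### 6. Start the services and list anything that is not running (empty output is the goal).
Start-CsWindowsService
Get-CsWindowsService | Where-Object { $_.Status -ne "Running" }

### 7. Back on the Front End: confirm the Edge replica of the store is up to date.
Get-CsManagementStoreReplicationStatus -ReplicaFqdn "edge01.uctest.local"
```

If step 7 reports UpToDate as False, the usual causes are the internal certificate not matching the Edge FQDN in the topology, the internal root CA missing from the Edge's Trusted Root store, or TCP 4443 from the Front End to the Edge internal interface being blocked by the firewall.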

Enable external user access from the Lync Server Control Panel under External Access Policy.

Capture41
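The control panel settings above, plus the choice between open and closed federation discussed in the DNS section, map to three cmdlets on the Front End. The block below is an added example, not from the original post; the partner domain partner.example and its Access Edge FQDN are placeholders. Run either Option A or Option B, not both, since the second call overwrites the first.

```powershell
# Added example (not from the original post): enable remote access and federation
# from the Lync Server Management Shell on the Front End. Partner names are assumptions.

# Global external access policy: let users sign in from the internet and talk to
# federated domains. To restrict this to some users, create a user policy with
# New-CsExternalAccessPolicy and assign it with Grant-CsExternalAccessPolicy instead.
Set-CsExternalAccessPolicy -Identity Global -EnableOutsideAccess $true -EnableFederationAccess $true

# Option A: open (discovered) federation. Any domain that publishes a
# _sipfederationtls._tcp SRV record can reach your users.
Set-CsAccessEdgeConfiguration -AllowOutsideUsers $true -AllowFederatedUsers $true `
    -EnablePartnerDiscovery $true -UseDnsSrvRouting

# Option B: closed federation. Discovery is off; only listed domains are accepted,
# each pinned to the Access Edge FQDN you expect, so a rogue SRV record cannot
# redirect the partner's traffic to a different Edge.
Set-CsAccessEdgeConfiguration -AllowOutsideUsers $true -AllowFederatedUsers $true `
    -EnablePartnerDiscovery $false -UseDnsSrvRouting
New-CsAllowedDomain -Identity "partner.example" -ProxyFqdn "sip.partner.example" `
    -Comment "Added $(Get-Date -Format yyyy-MM-dd)"

# Review what is in effect.
Get-CsAccessEdgeConfiguration | Format-List AllowOutsideUsers, AllowFederatedUsers, EnablePartnerDiscovery, RoutingMethod
Get-CsExternalAccessPolicy -Identity Global | Format-List EnableOutsideAccess, EnableFederationAccess
Get-CsAllowedDomain
```

Note that both the policy (per user) and the Access Edge configuration (site-wide) must allow a feature; a user with EnableFederationAccess set to True still cannot federate while AllowFederatedUsers is False on the Edge configuration.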

Clients should now be able to sign in from the internet.
