Lync Server Edge Server’s role is to provide access to the users who are connecting via the internet. Edge server usually deployed in DMZ (perimeter zone) of the network with dual NIC and having one leg (NIC) in external network while the other one in internal network.

below is a typical topology set up for an Edge Server.

Internal interface for the Edge Server uses a certificate from Private CA while the External interface of the Edge Server use public Certificates. There are 3 services that run in Edge server which requires a Public Certificate. this will be coved later in the deployment process. let’s divide this guide in to two segments.

1. Infrastructure configuration to support Edge Server

2. Application Server deployment

Infrastructure configuration to support Edge Server

unlike the Front End server, Edge server doesn’t have much in internal infrastructure. there are several SRV records and A records that need to be created in the public domain for clients to discover the Lync Server and for the federation with partners.

• sip.uctest.com
• media.uctest.com
• webcon.uctest.com
• _sip._tls.ustest.com:443 resolve against sip.uctest.com
• _sipfederationtls._tcp:5061 resolve against sip.uctest.com

_sip record is the record that assist clients to discover the domain and the Edge Server to connect to. if this record was not set, clients need to be configured manually to point to the correct Edge Server

_sipfederationtls record is configured to allow partners to discover Lync server platform and get connected via federation. This method is called open Federation. There are some organizations that doesn’t like this method. in that case, allowed domain and access edge server record need to be configured in Lync Server control panel to allow federation with that domain.

Unlike any other Lync Server application servers, Edge server is not recommended to join to Domain due to it’s security vulnerability. for this, the domain suffix will be configured as mentioned below

Now to the second step

Application Server deployment

 Check http://technet.microsoft.com/en-us/library/gg398835.aspx to get an idea of the Hardware requirement for Edge Server. Check http://technet.microsoft.com/en-us/library/gg412883.aspx to understand the OS and additional software requirement.

prerequisites required to deploy lync Server 2010 Edge Server

• Dot NET 3.5.1 features
• Desktop Experience
• Quality Windows Audio Video Experience

Now to configure the Lync Server topology with new server role. open the topology builder and save a copy of the topology as a backup

 Navigate to the “Edge pools” and select to define a new Edge Pool

This deployment is Single Edge server deployment. Select the Single computer pool and specify the server FQDN

Select to enable Federation on port 5061 and leave the rest of the options as unchecked.

Configure the public FQDN records for SIP, Web Conferencing and A/V. leave the default port configuration as it is.

Configure the Internal IP address. this is the IP address that configured in the internal Interface

Configure External IP addresses. these are the IP addresses that configured in the external interface. this can be natted IP addresses from Firewall.

Select the next hop to the Edge server. in this scenario, it’s the Front End Server

Associate the Front End pool to the Edge Server

Now, Publish the topology and jump in to the Front End server

Since the Edge server is not joined to the domain, it cannot retrieve the Central Management Store automatically. Export the Configuration store from the Front End server as shown below.

export-csconfiguration “c:\config\config.zip”

Copy the “config.zip” file from Front End server to the Edge Server. Run the Lync Server 2010 installation media and install the core components. run the deployment wizard and select to Add or Remove Lync Server Components

Select to install the Local Configuration store. Specify the config.zip file to get the configuration information and complete the step

Now, go to the next step to Configure Lync server components

Complete the step. All checks looks green and ready to move ahead.

Now to assign certificates. request the internal certificate first

Since the server’s not join in to the Domain, the certificate request has to be done manually. select to prepare the request now, but send it later

Specify a friendly name and Mark the certificate as Exportable. notice the SAN records. it’s normal that media.domain.com record doesn’t include as a SAN record.

Select the SIP domain and save the request as a local file.

Make sure to import the Internal Root CA’s self sign certificate in to the Trusted Root Certification Authorities container. else the communication between the Edge server and the Lync Server will fail.

Request a WEB SERVER certificate from the internal CA based on the request file. Import the certificate in to Personal certificate container and go back in to Certificate configuration wizard. select to assign certificate and select the newly imported certificate. assign in to the internal interface

Now go through the same steps for the External certificate. request this certificate from public certification Authority. Import the certificate in to personal certificate store and assign the certificate in to external interface

Certificate assignment is completed.

Now, start the services and check on Windows services whether all the Lync Server related services are started.

Enable External user access from the lync Server control panel External Access policy.

Now clients should be able to login from the internet.