Microsoft ® Lync™ Server 2010 Edge Server/Remote Access Module 16 Microsoft Corporation


Page 1: Microsoft ® Lync™ Server 2010 Edge Server/Remote Access Module 16 Microsoft Corporation

Microsoft® Lync™ Server 2010 Edge Server/Remote Access, Module 16

Microsoft Corporation

Page 2: Session Objectives

At the end of this session, you will be able to:

• Describe Edge Server scenarios
• Plan for Edge installation
• Verify Edge installations
• Manage Edge Server

Page 3: Agenda

• Edge Scenarios
• Interoperability Federation
• Plan for Edge
• Manage Edge
• Architecture

Page 4: Architecture Overview

Page 5: Edge Scenarios

Scenario           Remote user   Federated   Anonymous   PIC/Interop
Presence           ✓             ✓                       ✓
IM 1:1             ✓             ✓                       ✓
IM conferencing    ✓             ✓           ✓
Collaboration      ✓             ✓           ✓
A/V 1:1            ✓             ✓                       ✓ (MSN)
A/V conferencing   ✓             ✓           ✓
File transfer      ✓             ✓

Page 6: Lync Attendee

• Attendees without Lync Server 2010
  • With legacy clients
  • Without a Lync Server 2010 client
• Enables full meeting experience
  • IM
  • Audio/Video
  • Collaboration
  • Whiteboard
  • Desktop Sharing

Page 7: Interoperability Federation Partners

• Public IM Connectivity (PIC)
  • MSN
  • AOL
  • Yahoo!
• IBM Lotus Sametime
• Cisco Presence
• Extensible Messaging and Presence Protocol (XMPP)
  • Jabber
  • Google Talk

Page 8: Interoperability Features

• Basic Presence
• 1:1 IM
• A/V with MSN

Page 9: Interoperability: How to

• All scenarios require Edge Server
• PIC
  • Licenses
  • AOL certificate
• XMPP
  • XMPP Gateway
• Cisco Unified Presence
  • Unified Presence Server 8.5 and above and Adaptive Security Appliance 8.3.X or above
• IBM Lotus Sametime
  • Sametime Gateway 8.0.2 with Hot-Fix Nine (HF9) or above

Page 10: Simple Uniform Resource Locators

• One “meet” simple URL per domain
• Single “dialin” simple URL per deployment
• “Admin” not used externally
• Published by Reverse Proxy

Simple URL   Option 1                     Option 2
Meet         https://meet.contoso.com     https://cs.contoso.com/meet
Dial-in      https://dialin.contoso.com   https://cs.contoso.com/dialin

Page 11: Simple Uniform Resource Locators Impacts

• Option 1
  • Requires additional SANs
    • Meet.<SIP domain>
    • Dialin.<default domain>
  • Per additional SIP domain
    • Meet.<additional SIP domain>
• Option 2
  • Longer Simple URLs
  • No additional SANs required

Page 12: Simple URL: Split Brain DNS

• Split brain DNS
  • Single FQDN
  • Internally resolved differently than externally
• Required for Simple URLs
  • Internally points to Pool
  • Externally points to Reverse Proxy

Page 13: Certificates Simplified

• Single public certificate
  • Access Edge Server
  • Web Conferencing Edge Server
  • A/V Edge Server
• Private certificates
  • Internal Edge Interface


Page 16: Ports 50,000-59,999

• Required for federated media traffic
• Federation with OCS 2007
  • Open UDP and TCP in- and out-bound
• Federation with OCS 2007 R2/Lync Server 2010
  • Open TCP outbound

Page 17: Edge Server and NAT

• Internal Edge Interface
  • No NAT supported
• External Interface
  • Single Edge Server
    • Routable IPs or 1:1 NAT
  • Hardware Load Balanced
    • Routable IPs
  • DNS Load Balanced
    • Routable IPs or 1:1 NAT

Page 18: Load Balancing External Servers

• Edge Server Roles
  • Hardware Load Balancing (HLB)
  • Domain Name Service Load Balancing (DNS LB)
• Reverse Proxy
  • HLB

Page 19: Hardware Load Balancer

• All IPs must be publicly routable
• Three IPs per server
• Three virtual IPs required
• HLB must be configured for
  • Destination network address translation (DNAT): traffic from internet to server
  • Source network address translation (SNAT): traffic from server to internet

Page 20: Domain Name Service Load Balancer

• IP addresses can be 1:1 NATed
• Three IP addresses per server
• No virtual IPs required
• NAT must be configured for
  • DNAT: traffic from internet to server
  • SNAT: traffic from server to internet
• Does not work with legacy endpoints
  • PIC, XMPP gateway, legacy clients, down level Federation, Exchange UM 2007/2010 SP0
• Exchange UM 2010 SP1 does not support DNS LB for Media over Edge

Page 21: Domain Name Service Load Balancer + Host File

• A host file is often used for resolving internal server names (next hop) on the Edge Server
• Host file can include multiple IP addresses for one FQDN

Page 22: DNS LB vs. HLB

                         DNS LB                                   HLB
IP addresses required    Server x 3                               (Server+1) x 3
Compatibility            Not compatible with Exchange UM, PIC,    Compatible with all components/scenarios
                         XMPP gateway, down level Federation
NATing of IP addresses   Recommended                              Not supported
Server draining          Possible                                 Not possible
Reverse Proxy            Not supported                            With or without NAT

Page 23: Install Edge

• Topology builder
  • Export topology file: PowerShell
• Server prerequisites
  • Add DNS suffix: Computer name must match FQDN in topology builder
  • Static routes
• Start installation
• Certificates

Page 24: Managing Edge

• SQL Express on Edge
  • Advantages: Central management with Lync Server Control Panel or Windows PowerShell™
  • No need to add internal SIP domains
  • Trusted server list
  • Same configuration on all Edge servers
  • No local configuration on Edge

Page 25: What to Manage

• All management done internally via Lync Server Control Panel
• User policies
  • Remote Access
  • Federation communication
  • PIC communication
• Federation

Page 26: Recap: Federation Types

• Direct Federation
  • Configure trusted SIP domain and Access Edge Server
• Enhanced Federation
  • Configure trusted SIP domain
• Open Federation
  • Discover Federation partners automatically
  • In combination with block list

Page 27: Open Federation Security

• Limits
  • Request only 1,000 SIP URIs
  • 20 messages per second
• Event viewer on Edge Server
  • Too many SIP URIs
    • Block requests for additional SIP URIs
  • Bad ratio valid/invalid SIP messages
    • Limited to 1 message per second
  • Too many messages
    • Warning only, recommendation to add to allow list
• Open Federation partners
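To make the limits on this slide concrete, here is an added example (not Microsoft's code and not the Edge Server's actual implementation) that models them as a per-partner guard and records the event-log entries an operator would look for. The 1,000-URI and 20 messages/second limits and the 1 message/second penalty are the slide's; the valid/invalid ratio threshold, the decision names and the event texts are assumptions made here.

```python
# Added example (not from the module): a model of the slide's open-federation
# limits, applied per partner domain not on the allow list.  The 1,000-URI and
# 20 msg/s limits and the 1 msg/s penalty are the slide's; the "bad ratio" test
# (more invalid than valid after 20 messages) is an assumption made here.
from collections import defaultdict, deque

URI_LIMIT, RATE_LIMIT, PENALTY_RATE, RATIO_MIN_SAMPLE = 1000, 20, 1, 20

class PartnerState:
    def __init__(self):
        self.uris = set()        # distinct SIP URIs this partner has asked for
        self.recent = deque()    # timestamps of messages in the last second
        self.valid = self.invalid = 0

class OpenFederationGuard:
    def __init__(self, allow_list=()):
        self.allow_list = {d.lower() for d in allow_list}
        self.partners = defaultdict(PartnerState)
        self.events = []         # (ts, partner, text): what the event log would show

    def handle(self, partner, target_uri, ts, valid=True):
        """Return allow / warn / throttled / block_new_uri for one SIP message."""
        partner = partner.lower()
        if partner in self.allow_list:    # allow-listed partners are not limited
            return "allow"
        st = self.partners[partner]
        st.valid += valid
        st.invalid += not valid
        # 1. Too many distinct SIP URIs: block requests for additional ones
        if target_uri not in st.uris:
            if len(st.uris) >= URI_LIMIT:
                self.events.append((ts, partner, "too many SIP URIs"))
                return "block_new_uri"
            st.uris.add(target_uri)
        # 2. Rate: 20 msg/s normally, 1 msg/s once the valid/invalid ratio is bad
        bad_ratio = st.valid + st.invalid >= RATIO_MIN_SAMPLE and st.invalid > st.valid
        limit = PENALTY_RATE if bad_ratio else RATE_LIMIT
        while st.recent and ts - st.recent[0] >= 1.0:
            st.recent.popleft()
        if len(st.recent) >= limit:
            if bad_ratio:
                self.events.append((ts, partner, "bad valid/invalid ratio"))
                return "throttled"
            # 3. Too many messages from a valid partner: warning only, message passes
            self.events.append((ts, partner, "too many messages, consider allow list"))
        st.recent.append(ts)
        return "warn" if len(st.recent) > limit else "allow"
```

A partner that floods with well-formed messages only generates warnings, which is why the slide recommends moving such partners to the allow list rather than relying on the open-federation limits.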

Page 28: Architecture Considerations

• (Scaled) consolidated Edge only
• Multiple Access Edge (pools) for remote users
  • SRV record points to only one Edge Server (pool)
• Single Access Edge Server (pool) for Federation
• Used Edge Server
  • SIP traffic
    • Federation traffic: Federation Route
    • Remote users: Edge server used for sign in
  • A/V traffic
    • AV Edge assigned to pool
• Use localized Edge Servers to optimize media path

Page 29: Verify Edge Deployment

• Get-CsManagementStoreReplicationStatus
• https://www.testocsconnectivity.com
• Test with external and federated users

Page 30: Photos and Federation

Photos are shown to federated users only if they were uploaded to the web.

Page 31: Q&A

Page 32: Resources

XMPP Gateway: http://www.microsoft.com/downloads/details.aspx?FamilyID=aa560bfe-9960-473a-bfb8-53bff678cec4&displaylang=en

Lotus Notes Sametime: http://www-10.lotus.com/ldd/stwiki.nsf/dx/Connecting_to_a_Microsoft_Office_Communications_Server_community_st852ifr1

Cisco Unified Presence: http://www.cisco.com/en/US/docs/voice_ip_comm/cups/8_0/english/integration_notes/Federation/Federation_Nov17.pdf

PIC Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=9ccaac38-2da8-4a76-8193-96f4bbf04678&displaylang=en

Tested Load Balancers: http://technet.microsoft.com/en-us/office/ocs/cc843611.aspx

Page 33: Appendix

Page 34: Terms and Acronyms

CMS: Central Management Store
SN: Subject Name of a certificate
SAN: Subject Alternate Name of a certificate
NAT: Network Address Translation
DNAT: Destination NAT, also called half NAT
SNAT: Source NAT, also called full NAT
HLB: Hardware Load Balancing
DNS LB: Domain Name Service Load Balancing

Page 35: Examples

• Situation
  • Two SIP domains
    • Contoso.com
    • Litwareinc.com
  • Simple URLs: Option 1
  • Automatic configuration: yes
  • Discoverable for Federation: yes

Page 36: DNS SRV Records

DNS record                                   Target                                             Purpose
SRV: _sip._tls.contoso.com                   Access Edge Server: sip.contoso.com, port 443      Automatic configuration for contoso.com users
SRV: _sip._tls.litwareinc.com                Access Edge Server: sip.litwareinc.com, port 443   Automatic configuration for litwareinc.com users
SRV: _sipfederationtls._tcp.contoso.com      Access Edge Server: sip.contoso.com, port 5061     Discoverable for Federation for contoso.com domain
SRV: _sipfederationtls._tcp.litwareinc.com   Access Edge Server: sip.litwareinc.com, port 5061  Discoverable for Federation for litwareinc.com domain

Page 37: DNS A Records

DNS record               Target                         Purpose
A: sip.contoso.com       IP of Access Edge Server       Access Edge Server IP
A: sip.litwareinc.com    IP of Access Edge Server       Access Edge Server IP
A: webconf.contoso.com   IP of Web Conferencing Edge    Web Conferencing Edge, does not have to match the domain
A: av.contoso.com        IP of AV Edge                  AV Edge, does not have to match the domain
A: rp.contoso.com        IP of Reverse Proxy            ABS, Meeting content, Distribution group expansion
A: dialin.contoso.com    IP of Reverse Proxy            Simple URL for Dialin
A: meet.contoso.com      IP of Reverse Proxy            Simple URL for meetings hosted by contoso.com
A: meet.litwareinc.com   IP of Reverse Proxy            Simple URL for meetings hosted by litwareinc.com

Page 38: Certificates

Purpose                                   Public/private certificate   SN/SAN
External Edge Certificate/Reverse Proxy   Public                       SN: sip.contoso.com
                                                                       SAN: sip.contoso.com
                                                                       SAN: sip.litwareinc.com
                                                                       SAN: webconf.contoso.com
                                                                       SAN: rp.contoso.com
                                                                       SAN: dialin.contoso.com
                                                                       SAN: meet.contoso.com
                                                                       SAN: meet.litwareinc.com
Internal Edge Certificate                 Private                      SN: internal Edge interface FQDN
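The SRV records, A records and SAN list in this appendix follow one pattern per SIP domain, and the Option 1 / Option 2 choice from pages 10 and 11 decides whether extra SANs are needed. The following is an added example, not code from the module: given the SIP domains, the default domain and the simple-URL option, it derives the external records and the SAN set, and reports any published name a certificate is missing, so a certificate request can be checked before it is submitted. It assumes the Option 2 host is the reverse proxy FQDN; the domain names are the module's fictitious contoso.com and litwareinc.com.

```python
# Added example, not from the module: plan the external DNS records and the
# public-certificate SANs for several SIP domains under the module's Option 1 /
# Option 2 simple-URL rules.  Domain names are the module's fictitious ones; the
# Option 2 host is assumed to be the reverse proxy FQDN.
from dataclasses import dataclass, field

@dataclass
class EdgePlan:
    srv: list = field(default_factory=list)   # (record, target, port, purpose)
    a: list = field(default_factory=list)     # (fqdn, role)
    sans: list = field(default_factory=list)  # names the public cert must carry
    simple_urls: dict = field(default_factory=dict)

def plan_edge(sip_domains, default_domain, option, rp_fqdn=None):
    """option 1: meet.<SIP domain> and dialin.<default domain>, one SAN each;
    option 2: simple URLs hang off the reverse proxy FQDN, no extra SANs."""
    rp = rp_fqdn or f"rp.{default_domain}"
    p = EdgePlan()
    for d in sip_domains:
        # two SRV records per SIP domain: client sign-in and federation discovery
        p.srv.append((f"_sip._tls.{d}", f"sip.{d}", 443, f"auto-config for {d}"))
        p.srv.append((f"_sipfederationtls._tcp.{d}", f"sip.{d}", 5061,
                      f"federation discovery for {d}"))
        p.a.append((f"sip.{d}", "Access Edge"))
    # Web Conferencing, A/V Edge and reverse proxy names need not match a SIP domain
    p.a += [(f"webconf.{default_domain}", "Web Conferencing Edge"),
            (f"av.{default_domain}", "A/V Edge"), (rp, "Reverse Proxy")]
    if option == 1:
        p.simple_urls["dialin"] = f"https://dialin.{default_domain}"
        p.a.append((f"dialin.{default_domain}", "Reverse Proxy"))
        for d in sip_domains:        # one "meet" URL, hence one SAN, per SIP domain
            p.simple_urls[f"meet:{d}"] = f"https://meet.{d}"
            p.a.append((f"meet.{d}", "Reverse Proxy"))
    else:                            # the module shows the single-domain form only
        p.simple_urls = {"meet": f"https://{rp}/meet", "dialin": f"https://{rp}/dialin"}
    # One public certificate covers Access Edge, Web Conferencing Edge and reverse
    # proxy; the module's certificate table does not list the A/V Edge name.
    p.sans = sorted({fqdn for fqdn, role in p.a if role != "A/V Edge"})
    return p

def missing_sans(plan, cert_sans):
    """Published names the public certificate does not cover (case-insensitive)."""
    return sorted(set(plan.sans) - {s.lower() for s in cert_sans})
```

Running `missing_sans` against the SAN list of an issued certificate catches the classic mistake of adding a second SIP domain without re-issuing the public certificate for its meet and sip names.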

Page 39: Microsoft ® Lync™ Server 2010 Edge Server/Remote Access Module 16 Microsoft Corporation


© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

© 2011 Microsoft Corporation.  All rights reserved.  Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.  Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.  This document may contain information related to pre-release software, which may be substantially modified before its first commercial release. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED  OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.