Microsoft® Lync™ Server 2010
Edge Server/Remote Access
Module 16
Microsoft Corporation
Session Objectives
At the end of this session, you will be able to:
• Describe Edge Server scenarios
• Plan for Edge installation
• Verify Edge installations
• Manage Edge Server
Agenda
• Edge Scenarios
• Interoperability Federation
• Plan for Edge
• Manage Edge
• Architecture
Architecture Overview
Edge Scenarios
Scenario            Remote user   Federated   Anonymous   PIC/Interop
Presence            ✓             ✓                       ✓
IM 1:1              ✓             ✓                       ✓
IM conferencing     ✓             ✓           ✓
Collaboration       ✓             ✓           ✓
A/V 1:1             ✓             ✓                       ✓ (MSN)
A/V conferencing    ✓             ✓           ✓
File transfer       ✓             ✓
Lync Attendee
• Attendees without Lync Server 2010
  • With legacy clients
  • Without a Lync Server 2010 client
• Enables full meeting experience
  • IM
  • Audio/Video
  • Collaboration
  • Whiteboard
  • Desktop Sharing
Interoperability Federation Partners
• Public IM Connectivity (PIC)
  • MSN
  • AOL
  • Yahoo!
• IBM Lotus Sametime
• Cisco Presence
• Extensible Messaging and Presence Protocol (XMPP)
  • Jabber
  • Google Talk
Interoperability Features
• Basic Presence
• 1:1 IM
• A/V with MSN
Interoperability: How to
• All scenarios require Edge Server
• PIC
  • Licenses
  • AOL certificate
• XMPP
  • XMPP Gateway
• Cisco Unified Presence
  • Unified Presence Server 8.5 and above and Adaptive Security Appliance 8.3.x or above
• IBM Lotus Sametime
  • Sametime Gateway 8.0.2 with Hot-Fix 9 (HF9) or above
Simple Uniform Resource Locators
• One “meet” simple URL per domain
• Single “dialin” simple URL per deployment
• “Admin” not used externally
• Published by Reverse Proxy
Simple URL
            Option 1                       Option 2
Meet        https://meet.contoso.com       https://cs.contoso.com/meet
Dial-in     https://dialin.contoso.com     https://cs.contoso.com/dialin
Simple Uniform Resource Locators Impacts
• Option 1
  • Requires additional SANs
    • meet.<SIP domain>
    • dialin.<default domain>
  • Per additional SIP domain
    • meet.<additional SIP domain>
• Option 2
  • Longer Simple URLs
  • No additional SANs required
Simple URL: Split Brain DNS
• Split brain DNS
  • Single FQDN
  • Internally resolved differently than externally
• Required for Simple URLs
  • Internally points to Pool
  • Externally points to Reverse Proxy
Certificates Simplified
• Single public certificate
  • Access Edge Server
  • Web Conferencing Edge Server
  • A/V Edge Server
• Private certificates
  • Internal Edge Interface
Ports 50,000-59,999
• Required for federated media traffic
• Federation with OCS 2007
  • Open UDP and TCP inbound and outbound
• Federation with OCS 2007 R2/Lync Server 2010
  • Open TCP outbound
Edge Server and NAT
• Internal Edge Interface
  • No NAT supported
• External Interface
  • Single Edge Server: routable IPs or 1:1 NAT
  • Hardware Load Balanced: routable IPs
  • DNS Load Balanced: routable IPs or 1:1 NAT
Load Balancing External Servers
• Edge Server Roles
  • Hardware Load Balancing (HLB)
  • Domain Name Service Load Balancing (DNS LB)
• Reverse Proxy
  • HLB
Hardware Load Balancer
• All IPs must be publicly routable
• Three IPs per server
• Three virtual IPs required
• HLB must be configured for
  • Destination network address translation (DNAT): traffic from internet to server
  • Source network address translation (SNAT): traffic from server to internet
Domain Name Service Load Balancer
• IP addresses can be 1:1 NATed
• Three IP addresses per server
• No virtual IPs required
• NAT must be configured for
  • DNAT: traffic from internet to server
  • SNAT: traffic from server to internet
• Does not work with legacy endpoints
  • PIC, XMPP gateway, legacy clients, down-level Federation, Exchange UM 2007/2010 SP0
• Exchange UM 2010 SP1 does not support DNS LB for media over Edge
Domain Name Service Load Balancer + Host File
• A host file is often used for resolving internal server names (next hop) on the Edge Server
• Host file can include multiple IP addresses for one FQDN
DNS LB vs. HLB
                          DNS LB                                    HLB
IP addresses required     Server x 3                                (Server+1) x 3
Compatibility             Not compatible with Exchange UM, PIC,     Compatible with all components/scenarios
                          XMPP gateway, down-level Federation
NATing of IP addresses    Recommended                               Not supported
Server draining           Possible                                  Not possible
Reverse Proxy             Not supported                             With or without NAT
Install Edge
• Topology builder
• Export topology file: PowerShell
• Server prerequisites
  • Add DNS suffix: computer name must match FQDN in Topology Builder
  • Static routes
• Start installation
• Certificates
Managing Edge
• SQL Express on Edge
  • Advantages: central management with Lync Server Control Panel or Windows PowerShell™
  • No need to add internal SIP domains
  • Trusted server list
  • Same configuration on all Edge Servers
  • No local configuration on Edge
What to Manage
• All management done internally via Lync Server Control Panel
• User policies
  • Remote Access
  • Federation communication
  • PIC communication
• Federation
Recap: Federation Types
• Direct Federation
  • Configure trusted SIP domain and Access Edge Server
• Enhanced Federation
  • Configure trusted SIP domain
• Open Federation
  • Discover Federation partners automatically
  • In combination with block list
Open Federation Security
• Limits
  • Request only 1,000 SIP URIs
  • 20 messages per second
• Event viewer on Edge Server
  • Too many SIP URIs: block requests for additional SIP URIs
  • Bad ratio of valid/invalid SIP messages: limited to 1 message per second
  • Too many messages: warning only, recommendation to add to allow list
• Open Federation partners
Architecture Considerations
• (Scaled) consolidated Edge only
• Multiple Access Edge (pools) for remote users
  • SRV record points to only one Edge Server (pool)
• Single Access Edge Server (pool) for Federation
• Edge Server used
  • SIP traffic
    • Federation traffic: Federation Route
    • Remote users: Edge Server used for sign-in
  • A/V traffic
    • A/V Edge assigned to pool
• Use localized Edge Servers to optimize media path
Verify Edge Deployment
• Get-CsManagementStoreReplicationStatus
• https://www.testocsconnectivity.com
• Test with external and federated users
Photos and Federation
Photos are shown to federated users only if they were uploaded to the web.
Q&A
Resources
XMPP Gateway: http://www.microsoft.com/downloads/details.aspx?FamilyID=aa560bfe-9960-473a-bfb8-53bff678cec4&displaylang=en
Lotus Notes Sametime: http://www-10.lotus.com/ldd/stwiki.nsf/dx/Connecting_to_a_Microsoft_Office_Communications_Server_community_st852ifr1
Cisco Unified Presence: http://www.cisco.com/en/US/docs/voice_ip_comm/cups/8_0/english/integration_notes/Federation/Federation_Nov17.pdf
PIC Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=9ccaac38-2da8-4a76-8193-96f4bbf04678&displaylang=en
Tested Load Balancers: http://technet.microsoft.com/en-us/office/ocs/cc843611.aspx
Appendix
Terms and Acronyms
CMS: Central Management Store
SN: Subject Name of a certificate
SAN: Subject Alternative Name of a certificate
NAT: Network Address Translation
DNAT: Destination NAT, also called half NAT
SNAT: Source NAT, also called full NAT
HLB: Hardware Load Balancing
DNS LB: Domain Name Service Load Balancing
Examples
• Situation
  • Two SIP domains
    • contoso.com
    • litwareinc.com
  • Simple URLs: Option 1
  • Automatic configuration: yes
  • Discoverable for Federation: yes
DNS SRV Records
DNS record                                  Target                                          Purpose
SRV: _sip._tls.contoso.com                  Access Edge Server: sip.contoso.com, port 443   Automatic configuration for contoso.com users
SRV: _sip._tls.litwareinc.com               Access Edge Server: sip.litwareinc.com, port 443   Automatic configuration for litwareinc.com users
SRV: _sipfederationtls._tcp.contoso.com     Access Edge Server: sip.contoso.com, port 5061  Discoverable for Federation for contoso.com domain
SRV: _sipfederationtls._tcp.litwareinc.com  Access Edge Server: sip.litwareinc.com, port 5061  Discoverable for Federation for litwareinc.com domain
DNS A Records
DNS record                  Target                         Purpose
A: sip.contoso.com          IP of Access Edge Server       Access Edge Server IP
A: sip.litwareinc.com       IP of Access Edge Server       Access Edge Server IP
A: webconf.contoso.com      IP of Web Conferencing Edge    Web Conferencing Edge, does not have to match the domain
A: av.contoso.com           IP of A/V Edge                 A/V Edge, does not have to match the domain
A: rp.contoso.com           IP of Reverse Proxy            ABS, meeting content, distribution group expansion
A: dialin.contoso.com       IP of Reverse Proxy            Simple URL for Dialin
A: meet.contoso.com         IP of Reverse Proxy            Simple URL for meetings hosted by contoso.com
A: meet.litwareinc.com      IP of Reverse Proxy            Simple URL for meetings hosted by litwareinc.com
Certificates
Purpose                                   Public/private certificate   SN/SAN
External Edge Certificate/Reverse Proxy   Public                       SN: sip.contoso.com
                                                                       SAN: sip.contoso.com
                                                                       SAN: sip.litwareinc.com
                                                                       SAN: webconf.contoso.com
                                                                       SAN: rp.contoso.com
                                                                       SAN: dialin.contoso.com
                                                                       SAN: meet.contoso.com
                                                                       SAN: meet.litwareinc.com
Internal Edge Certificate                 Private                      SN: internal Edge interface FQDN
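The appendix example above, together with the Simple URL impacts slide, can be turned into a planning check: derive the SAN list and SRV records the deployment needs from its SIP domains, then compare a certificate's SAN list against them before it is installed on the Edge. This is an added example, not part of the module; the `webconf` prefix, the `rp.contoso.com` reverse proxy name and the sample certificate SAN list (constructed, with a deliberate typo) are assumptions taken from the appendix layout, and Option 2 is modelled as adding no names because its simple URLs are paths under the reverse proxy host.

```python
"""Plan SANs and SRV records for a Lync Server 2010 Edge deployment and check a
certificate against the plan (example code, not Microsoft's tooling)."""
from typing import Iterable, List, Set, Tuple

WEBCONF_PREFIX = "webconf"  # assumed: host label of the Web Conferencing Edge


def required_sans(sip_domains: Iterable[str], default_domain: str,
                  simple_url_option: int, reverse_proxy_fqdn: str) -> Set[str]:
    """Names the single public certificate must carry.
    Option 1: meet.<domain> per SIP domain plus dialin.<default domain>.
    Option 2: no additional SANs (simple URLs are paths on the reverse proxy)."""
    domains = [d.lower().strip(".") for d in sip_domains]
    default_domain = default_domain.lower().strip(".")
    names = {f"sip.{d}" for d in domains}            # Access Edge, one per SIP domain
    names.add(f"{WEBCONF_PREFIX}.{default_domain}")  # Web Conferencing Edge
    names.add(reverse_proxy_fqdn.lower().strip("."))  # ABS, meeting content, DL expansion
    if simple_url_option == 1:
        names.update(f"meet.{d}" for d in domains)   # one "meet" URL per SIP domain
        names.add(f"dialin.{default_domain}")        # one "dialin" URL per deployment
    elif simple_url_option != 2:
        raise ValueError("simple_url_option must be 1 or 2")
    return names


def missing_sans(required: Set[str], cert_sans: Iterable[str]) -> List[str]:
    """Required names absent from the certificate; DNS names compare case-insensitively."""
    present = {s.lower().strip(".") for s in cert_sans}
    return sorted(n for n in required if n not in present)


def srv_records(sip_domains: Iterable[str]) -> List[Tuple[str, str, int]]:
    """(SRV owner, target, port): client auto-configuration on TLS 443 and
    federation discovery on TLS 5061, both pointing at sip.<domain>."""
    out: List[Tuple[str, str, int]] = []
    for d in (x.lower().strip(".") for x in sip_domains):
        out.append((f"_sip._tls.{d}", f"sip.{d}", 443))
        out.append((f"_sipfederationtls._tcp.{d}", f"sip.{d}", 5061))
    return out


# Constructed sample SAN list as a CA might issue it; "webcof" is a deliberate typo.
SAMPLE_CERT_SANS = ["sip.contoso.com", "sip.litwareinc.com", "webcof.contoso.com",
                    "rp.contoso.com", "dialin.contoso.com", "meet.contoso.com",
                    "meet.litwareinc.com"]

if __name__ == "__main__":
    need = required_sans(["contoso.com", "litwareinc.com"], "contoso.com", 1, "rp.contoso.com")
    print("missing from certificate:", missing_sans(need, SAMPLE_CERT_SANS))
    for owner, target, port in srv_records(["contoso.com", "litwareinc.com"]):
        print(f"{owner} -> {target}:{port}")
```

Running the check flags `webconf.contoso.com` as missing, the kind of single-character SAN mismatch that otherwise only surfaces as a TLS failure on the Web Conferencing Edge after go-live.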
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. This document may contain information related to pre-release software, which may be substantially modified before its first commercial release. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.