TechEd 2013 11/30/2018 7:07 AM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Planning and Deployment for Edge Server with Lync 2013 11/30/2018 7:07 AM OUC-B328 Planning and Deployment for Edge Server with Lync 2013 Bryan Nyce © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Session Objectives And Takeaways Tech Ready 15 11/30/2018 Session Objectives And Takeaways Session Objective(s): Explain Edge Server architecture Highlight common misunderstandings Address best practices Understand Edge Server requirements Deploy best possible design © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda Why Edge? Edge Components Client sign-in Signaling vs. Media Reverse Proxy DNS & Certificates Networking Load Balancing HA/DR Sizing & Placement Validate deployment

About me bryanyce @microsoft.com Mission Viejo, CA Since 2011 MCS Voice CoE UC Voice Architect Since 2011 MCSM: Communications MCM

Why Edge

Edge Scenarios * Skype will replace MSN *soon* Scenario Remote user Federated Anonymous PIC/XMPP Presence ü IM 1:1 IM conferencing Collaboration Audio 1:1 ü (Skype/MSN)* Video 1:1 ü (MSN)* A/V Conferencing File Transfer/File Upload * Skype will replace MSN *soon*

What about VPN instead of Edge? Edge Scenarios Scenarios relying on Edge Server Remote users, Federation, anonymous users, PIC Mobility client Push notifications Lync Web App Hosted Exchange UM O365 integration What about VPN instead of Edge?

Public Internet Connectivity TechReady 16 11/30/2018 Public Internet Connectivity MSN Allows 1:1 Audio and Video MSN will be retired *soon* Skype Allows 1:1 Audio – June 2013 Video planned for future AOL Certificate requires client EKU Yahoo! Not available for purchase as of September 1st 2012 Active licenses will continue to work until June 1, 2014 http://technet.microsoft.com/en-us/library/jj204672.aspx XMPP GoogleTalk* New in 2013 New in 2013 © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Edge Components

Edge Components Access Edge Web Conferencing Edge Server TechReady 16 11/30/2018 Edge Components Access Edge SIP – Session Initiation Protocol Signaling, Presence, IM Web Conferencing Edge Server PSOM – Persistent Shared Object Model PowerPoint Sharing, whiteboard, annotations, polls AV Edge Server SRTP – Secure Real Time Protocol Audio, Video, File Transfer, AppSharing Reverse Proxy HTTP(s) traffic Address book, Lyncdiscover, Meeting content, Lync Web App, Office Web App (WAC), … © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Client Sign-in

Client sign-in Lync 2010 SRV record _sip._tls.<sipdomain> TechReady 16 11/30/2018 Client sign-in Lync 2010 SRV record _sip._tls.<sipdomain> Front End Director Reverse Proxy Edge Server Data center 1 4. Director proxies to home Pool 3. Client connects to Edge Server, proxies to Director Lync client 1. Query for _sip._tls_. <sipdomain> 2. DNS points to Edge Server Front End Reverse Proxy Edge Server Data center 2 DNS Server © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Client sign-in Lync 2013 A record Lyncdiscover.<sipdomain> TechReady 16 11/30/2018 Client sign-in Lync 2013 A record Lyncdiscover.<sipdomain> 5. Client directly connects to local Edge Server Front End 3. Client connects to Reverse Proxy Lync client 4. Returns local Access Edge Reverse Proxy Data center 1 1. Query for Lyncdiscover. <sipdomain> 2. DNS points to Reverse Proxy Edge Server Front End DNS Server Reverse Proxy Data center 2 © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Client Sign in Lyncdiscover Fallback TechReady 16 11/30/2018 Client Sign in Lyncdiscover Lyncdiscoverinternal.<sipdomain> and Lyncdiscover.<sipdomain> Preferred sign-in method Points to Reverse Proxy Web Service will point user to local Access Edge Server Use GeoDNS for Disaster Recovery scenarios Fallback _sipinternaltls._tcp.<sipdomain> _sip._tls.<sipdomain> Sipinternal.<sipdomain> Sip.<sipdomain> Sipexternal.<sipdomain> Mobile clients, Lync Windows Store app always rely on Lyncdiscover.<sipdomain> © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Value of Director Redirecting traffic Security Not required anymore TechReady 16 11/30/2018 Value of Director Redirecting traffic Not required anymore Security Next hop for SIP traffic from Edge Server Next hop from Reverse Proxy for Simple URLs and Lyncdiscover © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Signaling vs. Media

Signaling independent of media User homed in EU User will always use this pool for AV Edge Also for meetings created by user US EU Contoso

Federation flows User homed in EU Edge Pool used for Federation User will always use this pool for AV Edge US EU EU Contoso Litwareinc

Reverse Proxy

Reverse Proxy Requirements Support SSL/TLS to publish internal websites Publish internal websites with as well as without encryption Publish internal websites using FQDN Ability to handle certificates with Subject Alternate Names Must be able to sent original host header Bridging of some ports

Reverse Proxy settings Published FQDNs Lyncdiscover.<sipdomain> External WebFarm FQDN Simple URLs Office Web App (WAC) Server Bridge port 443 to port 4443 For all FQDNs except Office Web App (WAC) Optionally bridge port 80 to port 8080

DNS & Certificates

Certificates requirements Reverse Proxy Use public certificate Lyncdiscover.<sipdomain> Simple URLs FQDN External Webfarm FQDN Office Web App (WAC) Edge Server external interfaces Access Edge Server FQDN Web Conferencing Edge Server FQDN <hostname>.<sipdomain> Edge Server internal interface Use private certificate Internal Edge Server FQDN Private certificate will cause problems if CRL cannot be accessed Please note that AV Edge Server FQDN is not part of the certificate

Rolling AV Authentication Certificate New in 2013 Purpose of AV Authentication certificate Creates token to allow clients to use AV Edge Server Token acquired at sign in or after 8 hours By internal users as well by external user If certificate is renewed… Clients have still tokes However tokens can not be validated by new certificate Media endpoints unable to use AV Edge Server up to 8 hours Rolling AV Certificate Allows to stage new certificate while old one is still in place Edge Server will issue tokens based on new certificate, but be able to validate all tokens Set-CsCertificate –Type –Roll –Thumbprint –EffectiveDate

DNS requirements Lyncdiscover.<sipdomain> Simple URLs SRV records need to point to A records in same domain A lot of SIP domains means a lot of SANs in the certificate Lyncdiscover.<sipdomain> Use GeoDNS for Disaster Recovery Simple URLs External WebFarm FQDN Office Web App (WAC) Access Edge <hostname>.<sipdomain> Web Conf Edge AV Edge _sip._tls.<sipdomain> Point to Access Edge Server on port TCP:443 Point to A record in same domain _sipfederationtls._tcp.<sipdomain> Point to Access Edge Server on port TCP:5061 _xmpp-server._tcp.<sipdomain> Point to Access Edge TCP: 5269 New in 2013 New in 2013

Network

Number of IPs per Edge Two supported scenarios Single external IP for Access Edge, Web Conferencing Edge and AV Edge Server Dedicated external IP for Access Edge, Web Conferencing Edge and AV Edge Server Firewall on client location might block ports other than 443 TCP. SIP (TCP: 5061) PSOM (TCP: 444) SRTP (TCP: 443) SIP (TCP: 443) PSOM (TCP: 443) SRTP (TCP: 443) Even if 443 TCP is the only open port, all features will work.

Number of IPs per Edge Single external IP per Edge Will not require as many public IP addresses Might limit connectivity Dedicated IP per Edge Role Will require 3 external IP addresses per Edge Server Will provide best connectivity

Subnets Subnet requirements External interfaces and internal interface on different subnets Must not be routable to each other

Firewall

Firewall: Edge

50,000 requirements OCS 2007 OCS 2007 R2, Lync 2010, Lync 2013 Requires 50,000-59,999 TCP/UDP outbound and inbound OCS 2007 R2, Lync 2010, Lync 2013 Requires “50,000-59,999 TCP outbound” Source IP Destination IP A/V Edge service interface Any Source Port Destination Port TCP 50,000-59,999 TCP 443 UDP 3478 Any

IPv6 support Requires February 2013 CU Bridging between IPv4 and IPv6 New in 2013 Requires February 2013 CU Bridging between IPv4 and IPv6 Edge Server can bridge between IPv4 networks and IPv6 networks Edge Pool (External Edge) : IPv4 Edge Pool (External Edge): Dual Stack Edge Pool (External Edge): IPv6 Edge Pool (Internal Edge): IPv4 Yes No Edge Pool (Internal Edge): Dual Stack Edge Pool (Internal Edge): IPv6 Yes* * Use this combination only in a lab environment.

Load Balancing

What is DNS Load Balancing? Multiple A records Each with the same Pool FQDN Each with the IP address of a single server Logic in server/client Will connect to on IP If attempts fail, next IP will be used Not possible for http(s) traffic Browser not aware of DNS LB Hardware Load Balancer always required Not working for legacy communication partner PIC: MSN, AOL; MOC 2007 R2, Federation with OCS 2007/OCS 2007 R2; Lync for Mac 2011 Exchange 2007, Exchange 2010 Exchange 2010 support DNS LB only for signaling against the Front End Pool

Hardware Load Balancing Additional Virtual IP to point to HLB per service All external IPs (VIPs and IPs on servers) must be public routable HLB must not be configured for SNAT for AV Edge Server Scenarios Will work in all scenarios Edge Server need to see client IP address

DNS LB vs. HLB DNS LB HLB IP addresses required Server x 3 TechReady 16 11/30/2018 DNS LB vs. HLB DNS LB HLB IP addresses required Server x 3 Server x 3 + 3 VIPs Scenarios No high availability for Exchange 2007/2010 UM AOL, MSN Down level Federation Legacy client All scenarios Use of NATed IPs Possible Not supported Server draining Supported Configuration Simple Complex © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

HA/DR

High Availability Ability to recover from losing a component within a datacenter Deploy Edge Servers as pool Deploy Reverse Proxy in array Use an n+1 model Avoid any single point of failure

Disaster Recovery Ability to recovery from losing complete data center New in 2013 Disaster Recovery Ability to recovery from losing complete data center Deploy paired Front End pools in different Data Centers Deploy Edge pools corresponding to each Front End Pool Use GeoDNS for lyncdiscover.<sipdomain> and Simple URLs Datacenter failover per Lync Management Shell

Outage; administrator initializes failover Disaster Recovery User homed in Vienna Paired pool Vienna Munich Outage; administrator initializes failover

Disaster Recovery Federation Will not fail over as part of pool failover Manually change external SRV record and internal Federation route

Sizing and placement

Sizing Standard user model Servers per pool Your mileage may vary 12,000 concurrent remote users per Edge Server Servers per pool Up to 12 Your mileage may vary Depending on usage Always monitor resources on servers

Placement considerations Edge Server In every datacenter with FE pool vs. centralized Edge Servers Assign centralized pool to multiple Front End Pools Centralize Reverse Proxy Next to each Edge pool vs. centralized reverse Proxy Use centralized reverse Proxy to publish multiple internal pools Technically possible, but… This will affect the call flows Impacting user experience and bandwidth What about Disaster Recovery?

Validate Edge deployment

Validate Edge deployment Eventvwr Check for errors and warnings Validate replication to Edge Server Get-CsManagementStoreReplicationStatus Remote Connectivity Analyzer https://testconnectivity.microsoft.com/ Lync Connectivity Analyzer http://blogs.technet.com/b/nexthop/archive/2013/02/08/the-new-lync-connectivity-analyzer.aspx

Session Objectives And Takeaways Tech Ready 15 11/30/2018 Session Objectives And Takeaways Session Objective(s): Explain Edge Server Architecture Highlight common misunderstandings Address best practices Understand Edge Server requirements Deploy best possible design Edge is awesome! © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Resources TechNet Documentation Tech Ready 15 11/30/2018 Resources TechNet Documentation http://technet.microsoft.com/en-us/library/gg399048.aspx Lync Deep Dive: Edge Media Connectivity with ICE http://aka.ms/LyncEdge NextHop: Rolling AV Certificate http://blogs.technet.com/b/nexthop/archive/2012/10/09/lync-server-2013-preview-using-set- cscertificate-for-audio-video-edge-and-oauthtokenissuer-certificate-maintenance.aspx Bryan Nyce bryanyce@microsoft.com © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11/30/2018 7:07 AM Related content OUC-B303: Designing for High Availability and Disaster Recovery in Microsoft Lync Server 2013 OUC-B334: Migration and Coexistence with Microsoft Lync Server 2013 Exam 70-336: Core Solutions of Microsoft Lync Server 2013 Exam 70-337: Enterprise Voice & Online Services with Microsoft Lync Server 2013 Find Me Later At the Lync 2013 Booth and ATE © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Resources Learning TechNet msdn http://channel9.msdn.com/Events/TechEd 11/30/2018 7:07 AM Resources Learning Sessions on Demand http://channel9.msdn.com/Events/TechEd Microsoft Certification & Training Resources www.microsoft.com/learning TechNet msdn Resources for IT Professionals http://microsoft.com/technet Resources for Developers http://microsoft.com/msdn © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Complete an evaluation on CommNet and enter to win! 11/30/2018 7:07 AM Complete an evaluation on CommNet and enter to win! © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11/30/2018 7:07 AM Required Slide *delete this box when your slide is finalized Your MS Tag will be inserted here during the final scrub. Evaluate this session Scan this QR code to evaluate this session and be automatically entered in a drawing to win a prize © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11/30/2018 7:07 AM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.