Microsoft ® Lync™ Server 2010 Edge Server/Remote Access Module 16 Microsoft Corporation.

Presentation transcript:

Microsoft ® Lync™ Server 2010 Edge Server/Remote Access Module 16 Microsoft Corporation

Session Objectives
At the end of this session, you will be able to:
- Describe Edge Server scenarios
- Plan for Edge installation
- Verify Edge installations
- Manage Edge Server

Agenda Edge Scenarios Interoperability Federation Plan for Edge Manage Edge Architecture 3

Architecture Overview 4

Edge Scenarios
Table columns: Scenario | Remote user | Federated | Anonymous | PIC/Interop
Table rows: Presence; IM 1:1; IM conferencing; Collaboration; A/V 1:1 (MSN); A/V conferencing; File transfer

Lync Attendee
- Attendees without Lync Server 2010
  - With legacy clients
  - Without a Lync Server 2010 client
- Enables full meeting experience
  - IM
  - Audio/Video
  - Collaboration
  - Whiteboard
  - Desktop Sharing

Interoperability
- Federation Partners
- Public IM Connectivity (PIC)
  - MSN
  - AOL
  - Yahoo!
- IBM Lotus Sametime
- Cisco Presence
- Extensible Messaging and Presence Protocol (XMPP)
  - Jabber
  - Google Talk

Interoperability Features
- Basic Presence
- 1:1 IM
- AV with MSN

Interoperability: How to
- All scenarios require Edge Server
- PIC
  - Licenses
  - AOL certificate
- XMPP
  - XMPP Gateway
- Cisco Unified Presence
  - Unified Presence Server 8.5 and above and Adaptive Security Appliance 8.3.X or above
- IBM Lotus Sametime
  - Sametime Gateway with Hot-Fix Nine (HF9) or above

Simple Uniform Resource Locators
- One "meet" simple URL per domain
- Single "dialin" simple URL per deployment
- "Admin" not used externally
- Published by Reverse Proxy

| Simple URL | Option 1 | Option 2 |
|---|---|---|
| Meet | https://meet.contoso.com | https://cs.contoso.com/meet |
| Dial-in | https://dialin.contoso.com | https://cs.contoso.com/dialin |

Simple Uniform Resource Locators Impacts
- Option 1
  - Requires additional SANs: Meet. Dialin.
  - Per additional SIP domain: Meet.
- Option 2
  - Longer Simple URLs
  - No additional SANs required

Simple URL: Split Brain DNS
- Split brain DNS
  - Single FQDN
  - Internally resolved differently than externally
- Required for Simple URLs
  - Internally points to Pool
  - Externally points to Reverse Proxy

Certificates Simplified
- Single public certificate
  - Access Edge Server
  - Web Conferencing Edge Server
  - A/V Edge Server
- Private certificates
  - Internal Edge Interface


Ports 50,000-59,999
- Required for federated media traffic
- Federation with OCS 2007
  - Open UDP and TCP in- and out-bound
- Federation with OCS 2007 R2/Lync Server 2010
  - Open TCP outbound

Edge Server and NAT
- Internal Edge Interface
  - No NAT supported
- External Interface
  - Single Edge Server: Routable IPs or 1:1 NAT
  - Hardware Load Balanced: Routable IPs
  - DNS Load Balanced: Routable IPs or 1:1 NAT

Load Balancing External Servers
- Edge Server Roles
  - Hardware Load Balancing (HLB)
  - Domain Name Service Load Balancing (DNS LB)
- Reverse Proxy
  - HLB

Hardware Load Balancer
- All IPs must be public routable
- Three IPs per server
- Three virtual IPs required
- HLB must be configured for
  - Destination network address translation (DNAT): traffic from internet to server
  - Source network address translation (SNAT): traffic from server to internet

Domain Name Service Load Balancer
- IP addresses can be 1:1 NATed
- Three IP addresses per server
- No virtual IPs required
- NAT must be configured for
  - DNAT: traffic from internet to server
  - SNAT: traffic from server to internet
- Does not work with legacy endpoints
  - PIC, XMPP gateway, legacy clients, down level Federation, Exchange UM 2007/2010 SP0
- Exchange UM 2010 SP1 does not support DNS LB for Media over Edge

Domain Name Service Load Balancer + Host File
- A host file is often used for resolving internal server names (next hop) on the Edge Server
- Host file can include multiple IP addresses for one FQDN

DNS LB vs. HLB

| | DNS LB | HLB |
|---|---|---|
| IP addresses required | Server x 3 | (Server+1) x 3 |
| Compatibility | Not compatible with Exchange UM, PIC, XMPP gateway, Down level Federation | Compatible with all components/scenarios |
| NATing of IP addresses | Recommended | Not supported |
| Server draining | Possible | Not possible |
| Reverse Proxy | Not supported | With or without NAT |

Install Edge
- Topology builder
  - Export topology file: PowerShell
- Server prerequisites
  - Add DNS suffix: Computer name must match FQDN in topology builder
  - Static routes
- Start installation
  - Certificates

Managing Edge
- SQL Express on Edge
- Advantages:
  - Central management with Lync Server Control Panel or Windows PowerShell™
  - No need to add internal SIP domains
  - Trusted server list
  - Same configuration on all Edge servers
  - No local configuration on Edge

What to Manage
- All management done internally via Lync Server Control Panel
- User policies
  - Remote Access
  - Federation communication
  - PIC communication
- Federation

Recap: Federation Types
- Direct Federation
  - Configure trusted SIP domain and Access Edge Server
- Enhanced Federation
  - Configure trusted SIP domain
- Open Federation
  - Discover Federation partners automatically
  - In combination with block list

Open Federation Security
- Limits
  - Request only 1,000 SIP URIs
  - 20 messages per second
- Event viewer on Edge Server
  - Too many SIP URIs: Block requests for additional SIP URI request
  - Bad ratio valid/invalid SIP messages: Limited to 1 message per second
  - Too many messages: Warning only, recommendation to add to allow list
- Open Federation partners

Architecture Considerations
- (Scaled) consolidated Edge only
- Multiple Access Edge (pools) for remote users
  - SRV record points to only one Edge Server (pool)
- Single Access Edge Server (pool) for Federation
- Used Edge Server
  - SIP traffic
    - Federation traffic: Federation Route
    - Remote users: Edge server used for sign in
  - A/V traffic
    - AV Edge assigned to pool
- Use localized Edge Servers to optimize media path

Verify Edge Deployment
- Get-CsManagementStoreReplicationStatus
- Test with external and federated users

Photos and Federation
- Photos will only be shown to Federated users if uploaded to the web

31 Q&A

Resources
- XMPP Gateway: 53bff678cec4&displaylang=en
- Lotus Notes Sametime: 10.lotus.com/ldd/stwiki.nsf/dx/Connecting_to_a_Microsoft_Office_Communications_Server_community_st852i fr1
- Cisco Unified Presence: Nov17.pdf
- PIC Guide: 96f4bbf04678&displaylang=en
- Tested Load Balancers

Appendix 33

Terms and Acronyms
- CMS: Central Management Store
- SN: Subject Name of a certificate
- SAN: Subject Alternate Name of a certificate
- NAT: Network Address Translation
- DNAT: Destination NAT, also called half NAT
- SNAT: Source NAT, also called full NAT
- HLB: Hardware Load Balancing
- DNS LB: Domain Name Service Load Balancing

Examples
Situation
- Two SIP domains
  - Contoso.com
  - Litwareinc.com
- Simple URLs Option 1
- Automatic configuration: yes
- Discoverable for Federation: yes

DNS SRV Records

| DNS record | Target | Purpose |
|---|---|---|
| SRV: _sip._tls.contoso.com | Access Edge Server: sip.contoso.com port:443 | Automatic configuration for contoso.com users |
| SRV: _sip._tls.litwareinc.com | Access Edge Server: sip.litwareinc.com port:443 | Automatic configuration for litwareinc.com users |
| SRV: _sipfederationtls._tcp.contoso.com | Access Edge Server: sip.contoso.com port:5061 | Discoverable for Federation for contoso.com domain |
| SRV: _sipfederationtls._tcp.litwareinc.com | Access Edge Server: sip.litwareinc.com port:5061 | Discoverable for Federation for litwareinc.com domain |

DNS A Records

| DNS record | Target | Purpose |
|---|---|---|
| A: sip.contoso.com | IP of Access Edge Server | Access Edge Server IP |
| A: sip.litwareinc.com | IP of Access Edge Server | Access Edge Server IP |
| A: webconf.contoso.com | IP of Web Conferencing Edge | Web Conferencing Edge, does not have to match the domain |
| A: av.contoso.com | IP of AV Edge | AV Edge, does not have to match the domain |
| A: rp.contoso.com | IP of Reverse Proxy | ABS, Meeting content, Distribution group expansion |
| A: dialin.contoso.com | IP of Reverse Proxy | Simple URL for Dialin |
| A: meet.contoso.com | IP of Reverse Proxy | Simple URL for meetings for contoso.com hosted meetings |
| A: meet.litwareinc.com | IP of Reverse Proxy | Simple URL for meetings for litwareinc.com hosted meetings |

Certificates

| Purpose | Public/private certificate | SN/SAN |
|---|---|---|
| External Edge Certificate/Reverse | Public | SN: sip.contoso.com; SAN: sip.contoso.com; SAN: sip.litwareinc.com; SAN: webconf.contoso.com; SAN: rp.contoso.com; SAN: dialin.contoso.com; SAN: meet.contoso.com; SAN: meet.litwareinc.com |
| Internal Edge Certificate | Private | SN: internal Edge interface FQDN |
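The appendix example (two SIP domains, Simple URLs Option 1) can be checked mechanically. The following is an added example, not part of the original presentation or any Microsoft tooling: it derives the SRV records, A records and SAN list the slides give for that layout and audits a certificate name list and a set of published A records against them. The function names `plan_names` and `audit` are hypothetical, and the sample certificate and DNS data are constructed.

```python
# Added example: derive the names an Option 1 plan needs and audit a certificate.
def plan_names(sip_domains, primary):
    """Return (srv_records, a_records, required_sans) for an Option 1 plan."""
    domains = [d.lower() for d in sip_domains]
    primary = primary.lower()
    srv = []
    for d in domains:
        srv.append((f"_sip._tls.{d}", f"sip.{d}", 443))                # automatic configuration
        srv.append((f"_sipfederationtls._tcp.{d}", f"sip.{d}", 5061))  # federation discovery
    access = [f"sip.{d}" for d in domains]
    shared = [f"webconf.{primary}", f"rp.{primary}", f"dialin.{primary}"]
    meet = [f"meet.{d}" for d in domains]     # one "meet" simple URL per SIP domain
    a_records = access + shared + [f"av.{primary}"] + meet
    required_sans = access + shared + meet    # the slide's SAN list has no av.* entry
    return srv, a_records, required_sans


def audit(subject, sans, a_records_present, sip_domains, primary):
    """Compare a certificate's names and the published A records with the plan."""
    srv, a_needed, sans_needed = plan_names(sip_domains, primary)
    have_sans = {s.lower() for s in sans}
    have_a = {a.lower() for a in a_records_present}
    return {
        "subject_in_san": subject.lower() in have_sans,
        "missing_sans": [n for n in sans_needed if n not in have_sans],
        "unexpected_sans": sorted(have_sans - set(sans_needed)),
        "missing_a_records": [n for n in a_needed if n not in have_a],
        "srv_targets_without_a": sorted({t for _, t, _ in srv} - have_a),
    }


# Constructed sample data (not from a real deployment): one SAN is misspelled
# and the A record for the second SIP domain's Access Edge name is missing.
SAMPLE_SANS = ["sip.contoso.com", "sip.litwareinc.com", "webcof.contoso.com",
               "rp.contoso.com", "dialin.contoso.com", "meet.contoso.com",
               "meet.litwareinc.com"]
SAMPLE_A = ["sip.contoso.com", "webconf.contoso.com", "av.contoso.com",
            "rp.contoso.com", "dialin.contoso.com", "meet.contoso.com",
            "meet.litwareinc.com"]
REPORT = audit("sip.contoso.com", SAMPLE_SANS, SAMPLE_A,
               ["contoso.com", "litwareinc.com"], "contoso.com")

if __name__ == "__main__":
    for check, result in REPORT.items():
        print(f"{check}: {result}")
```

Running the audit before requesting the public certificate catches a misspelled or missing SAN while it is still cheap to fix, since each additional SIP domain adds a `sip.` and a `meet.` name under Option 1.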

39 © 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. This document may contain information related to pre-release software, which may be substantially modified before its first commercial release. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Unless otherwise noted, the example companies, organizations, products, domain names, addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place or event is intended or should be inferred.