In this final post on Lync, I will walk you through how to set up a Lync 2013 Edge Server that extends Lync's functionality and allows users to connect to their environment externally. The Edge Server is a bit different from the other roles: it acts as an application gateway that sits on the company's perimeter network. If you read the specifications for the Edge Server on Microsoft's site, you will see that they do not want this server joined to the domain. That is not an option for the company I work for, so this Edge Server will be joined to a domain. Screenshots are included to make certain steps easier.
Note: previous posts on Lync 2013:
- Two network interfaces: one connected to your internal network, the other connected to the external network
- The external interface will have three NAT'd IP addresses that correlate to three public-facing IP addresses. These three IP addresses are used for three different Lync services and will be discussed later on.
- Windows Server 2008 R2 Enterprise/Standard w/ SP1
- Windows Server 2012 Standard or Datacenter (this is what we will be using)
- Windows Identity Foundation (can be installed from Add/Remove Server Roles and Features in Server Manager)
On your Front-End server, open the Topology Builder and open the existing topology we have been building in. Expand your topology, right-click Edge pools and click New Edge Pool. (screenshot below)
Click “Next” and enter the FQDN of your Edge pool and select the radio button, Single computer pool.
Here we want to select our features. You can use a single FQDN and IP address if you are limited in available public IP addresses, but for this deployment we are not going to select that checkbox; we only select the middle checkbox, Enable federation (port 5061). (screenshot below)
Enable IPv4 on the Internal and External interfaces and click “Next”.
Input the FQDNs of Access, Web Conferencing, and Audio/Video. These DNS entries should point to your external IP addresses. (screenshot below)
Enter the internal IP address of your Edge Server (not your Front-End Server) and make sure that DNS can resolve this address. (All internal IP addresses should resolve via DNS.)
Enter your External IPv4 addresses. I am inputting my NAT’d IP addresses since our firewall does the NAT. (screenshot below)
Define your next hop server, which by default should already be your Front-End server.
Select the checkbox to associate the Front-End pool with the Edge pool and click “Finish”.
As always, when changes are made to the topology, we need to publish it for them to take effect. Click “Action”–>“Publish Topology”.
Now we are going to export the configuration to a file and import it on your Edge Server. The export is done from the Lync Server Management Shell; enter this command, replacing the path if you wish:
Export-CsConfiguration -File C:\temp\export.zip
Copy the exported file to your Edge Server.
On your Edge server, run setup.exe from your Lync install source. Once that is done, open the Deployment Wizard, click Install or Update Lync Server System and run Step 1: Install Local Configuration Store.
Select “Import from a file (recommended for Edge Servers)” and browse to the location of the exported file. (screenshot below)
Click “Next” and it will install everything necessary, including SQL Express and the instances pulled from the imported file. When it finishes (it takes some time), continue to Step 2: Setup or Remove Lync Server Components. This installs the necessary server components and reads its configuration from the SQL Express instance that was just installed in Step 1.
This is probably the most important step in setting up an Edge Server. Here we need two certificates, one internal and one external.
- Edge Internal: issued from your internal CA
- Edge External: issued by a Microsoft Certified CA
Internal Cert steps:
Request–>Next–>Send the request immediately to an online certification authority–>Select your CA–>Next–>Next–>Enter a friendly name–>Fill out Organization Information–>Next–>No additional SANs needed–>Next–>Finish and assign the cert to Edge Internal (these are the same steps as when setting up the Front-End server, FYI)
External Cert steps:
Request a Cert: (screenshot below)
Enter the file path and name where you want the certificate request to be written.
Enter a friendly name and fill out the Organizational Information.
Here you will want to enter the additional SANs (Subject Alternative Names) for the three Edge FQDNs, unless you want to use three separate certs: (screenshot below)
Click “Next” and “Finish”.
Take the created .req file to a Microsoft Certified CA like DigiCert and request an SSL certificate. Once the cert is issued, go back into the Certificate Wizard and click Import Certificate. Once you import the cert, assign it to the Edge External.
*Note: For the external cert I used a wildcard cert, essentially *.yourdomain.com, and I assigned that to the Edge External and it works beautifully. So just a thought if you want to go this path as well.
Start Services (screenshot below)
We need to create two service records (SRV) in external DNS so that when users try to log on to the Lync environment, they will be able to reach the appropriate Edge Server.
Two SRV records:
- _sip._tls.<domain> on port 443; used for external TLS client connections
- _sipfederationtls._tcp.<domain> on port 5061; used for potential federation partners
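Two things in this post are easy to get subtly wrong: whether the external certificate's SANs (or a wildcard, as in the note above) actually cover all three Edge FQDNs, and whether the two SRV records carry the right port and point at the Access Edge FQDN. The following check is an added example, not code from the post or from Lync; the example.com names and the SRV answers are constructed, so substitute your own before use.

```python
# Constructed sample values (not from the post): the three Edge FQDNs entered
# in Topology Builder and the SIP domain they belong to.
SIP_DOMAIN = "example.com"
EDGE_FQDNS = {
    "Access Edge": "sip.example.com",
    "Web Conferencing Edge": "webconf.example.com",
    "A/V Edge": "av.example.com",
}
# The two SRV records the post says external DNS must carry, with their ports.
EXPECTED_SRV = {"_sip._tls": 443, "_sipfederationtls._tcp": 5061}


def san_matches(san: str, fqdn: str) -> bool:
    """Match a certificate SAN against a hostname; '*.' covers one label only."""
    san, fqdn = san.lower().rstrip("."), fqdn.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                      # ".example.com"
        head = fqdn[: -len(suffix)] if fqdn.endswith(suffix) else ""
        return bool(head) and "." not in head
    return san == fqdn


def uncovered_edge_names(cert_sans: list[str]) -> list[str]:
    """Edge FQDNs that the external certificate does NOT cover."""
    return [f for f in EDGE_FQDNS.values()
            if not any(san_matches(s, f) for s in cert_sans)]


def srv_problems(answers: dict[str, list[tuple[int, int, int, str]]]) -> list[str]:
    """Validate (priority, weight, port, target) SRV answers for each record:
    it must exist, use the expected port, and point at the Access Edge FQDN."""
    problems = []
    access = EDGE_FQDNS["Access Edge"]
    for service, port in EXPECTED_SRV.items():
        name = f"{service}.{SIP_DOMAIN}"
        if not answers.get(name):
            problems.append(f"{name}: record missing")
            continue
        for _prio, _weight, got_port, target in answers[name]:
            if got_port != port:
                problems.append(f"{name}: port {got_port}, expected {port}")
            if target.rstrip(".").lower() != access:
                problems.append(f"{name}: target {target}, expected {access}")
    return problems
```

Feed `uncovered_edge_names` the SAN list from the issued certificate and `srv_problems` the answers from a public resolver; an empty list from both means the Edge names and records line up with what the post configures.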
Finally, the last step! We have to enable external access in the Control Panel, as it is turned off by default.
Log on to your Front-End server and open the Lync Server 2013 Control Panel.
Click Federation and External Access–>External Access Policy–>double-click your Global policy and enable the following: (screenshot below)
- Enable communications with federated users
- Enable communications with remote users
- Enable communications with public users
Everything is now up and running. You can attempt to log on externally via the Internet. Your Lync client should automatically retrieve the correct server address from the SRV record, and if federation is enabled on 5061 (optional), that should work as well.
Please leave your questions and comments below.