Publishing Lync to the Internet
"...taking you over the Edge"
Steve Moore, Marc Dudok
EXL333
Session Objectives and Takeaways
Session objective(s):
- Take you on a journey "Over the Edge!"
- Understand what it takes to publish Lync 2013 to the Internet, and show you that it is easy!
- Highlight common misunderstandings
- Demonstrate what it means to deploy an Edge Service
- Provide a PFE/Support perspective to Edge Server deployments
Agenda
- Key Concepts
- Deployment Steps
- Setting up your Edge Servers
- Setting up your Reverse Proxies
- Remote User Access Policies
- Managing your Edge Service
We will have to try and keep questions to just a few, and will stay after the session for further discussion.
Lync Edge Scenarios Demo
Marc Dudok
Why Edge?
Remote Users
- IM&P, Conferencing, Audio & Video (AV)
- It doesn't matter whether you work internally or externally, the experience is the same!
Federated Users
- IM&P, Conferencing, Audio & Video (AV)
- AV Conferencing
- Ability to control Federated access
- Federated contacts look and feel just like other staff
Anonymous Users
- IM Conferencing
- Collaboration
- AV Conferencing
Public IM Connectivity
- Skype
Key Concepts
Key Concepts
- Edge Components
- Lync DNS Names
- Client Sign In: the simplified Lync 2013 sign-in process
- Hardware Load Balancing
- DNS Load Balancing
What are the Edge Components?
Access Edge
- SIP (Session Initiation Protocol)
- Signaling, Presence, IM
Web Conferencing Edge Server
- PSOM (Persistent Shared Object Model)
- PowerPoint sharing*, whiteboard, annotations, polls
AV Edge Server
- SRTP (Secure Real-time Transport Protocol)
- Media: Audio, Video, File Transfer, AppSharing
Reverse Proxy
- HTTP(S) traffic
- Address Book, Lyncdiscover, meeting content, Lync Web App, Office Web App (WAC), ...
[Diagram: the Access Edge (AE), Web Conferencing Edge (WC) and AV Edge (AV) services plus the Reverse Proxy (RP) sit between the External and Internal networks]
Key Concepts: DNS Names
Edge Servers:
- av.contoso.com. - Audio/Video + File Sharing + App Sharing
- sip.contoso.com. - Session Initiation (Sign In + IM&P + Federation)
- webconf.contoso.com. - Web Conferencing (Polls + Whiteboard)
Web Services via Reverse Proxy:
- lyncdiscover.contoso.com.* - Sign In, discovering your Edge Pool
- meet.contoso.com. - Meeting place launcher + Lync Web App (Simple URL)
- dialin.contoso.com. - Hosts dial-in phone numbers (Simple URL)
- lyncws.contoso.com. - Lync Front End web services
- wac.contoso.com. - Office Web App servers
Client sign-in, Lync 2013 (simplified)
[Diagram: a Lync client, a DNS server, and two data centres (VIC and QLD), each with a Front End, a Reverse Proxy and an Edge Server]
1. Client queries DNS for lyncdiscover.contoso.com
2. DNS points to the Reverse Proxy
3. Client connects to the Reverse Proxy
4. Returns the local Access Edge
5. Client connects directly to the local Access Edge
DNS Load Balancing
- Multiple A records, each with the same Pool FQDN, each with the IP address of a single server
- Logic built in to server and client; not just DNS round robin
- Not possible for HTTP(S) traffic: use HLB for HTTP(S) traffic
- Not supported for legacy communications (use HLB): PIC (MSN, AOL); MOC 2007 R2; Federation with OCS 2007 / OCS 2007 R2; Lync for Mac 2011; Exchange 2007, Exchange 2010
DNS LB of Edge Services
[Diagram: clients resolve av.contoso.com. and Front End Servers resolve lync-edge.contoso.org.; each name returns three A records, one per Edge Server]
External (client requests for av.contoso.com.):
AV.CONTOSO.COM.  A 203.0.33.30
AV.CONTOSO.COM.  A 203.0.33.31
AV.CONTOSO.COM.  A 203.0.33.32
Internal (Front End Servers):
LYNC-EDGE.CONTOSO.ORG.  A 10.0.0.30
LYNC-EDGE.CONTOSO.ORG.  A 10.0.0.31
LYNC-EDGE.CONTOSO.ORG.  A 10.0.0.32
DNS Load Balancing
- Simple to configure
- Only way to do NAT'ing of an Edge Server's external IP address
- Must be configured in Topology Builder for the AV Edge Service per Edge Server: 1:1 NAT of external IP to internal IP (relevant during media establishment)
[Diagram: 1:1 NAT between External 203.0.33.30 and DMZ 10.0.0.30; 10.0.0.254 also shown in the DMZ]
HLB for Edge Services
[Diagram: external clients connect to av.contoso.com. (A 203.0.33.30, an HLB VIP) and Front End Servers connect to lync-edge.contoso.org. (A 10.0.0.30, an HLB VIP); each HLB distributes to the Edge Servers]
Hardware Load Balancing
- Additional virtual IP pointing to the HLB per service
- All external IPs (VIPs and IPs on servers) must be publicly routable
- HLB must not be configured for SNAT for the AV Edge Server: the Edge Server needs to see the client IP address in order to determine the STUN address
- Will work for all scenarios
DNS vs HLB for Edge traffic
- Multiple high-availability options
- What is connecting to Edge? Legacy clients? Legacy federated partners?
- If no legacy requirements, DNS LB is much easier to configure
- If legacy, HLB all the way baby!
HLB of Web Services
- External web traffic is load balanced to the Reverse Proxies
- Traffic from the Reverse Proxies to the internal web services is also load balanced
- Reverse Proxies might be HLB'd too! (same device)
[Diagram, HLB of Web Services (RP): client connecting to meet.contoso.com. -> HLB -> Reverse Proxies -> HLB -> Office Web App / Lync Front End]
Contoso Lync Edge Service Deployment
Contoso's Edge Service Requirements
- ~30% of Contoso's staff are regularly on the road (total staff 2000)
- High availability of the Remote User Access solution is required; site resiliency is not required
- Staff should be able to connect with full Lync clients over the Internet
- Staff should be able to connect via a range of mobile clients
- Customers and partners should be able to attend conferences without having access to their own Lync system
- Persistent Chat should be made available externally to staff
- Contoso do business with Litware and hence would like to Federate their organisation's
Deployment Steps: what are the high level things I need to do?
High Level Deployment Steps
- Design the "Over the Edge" Lync Edge Service solution
- Test the solution (test, test and do some more testing)
- Deploy Lync Front End Servers
- Configure the Edge topology
- Set up your network
- Set up your Edge Servers
- Set up your Reverse Proxy
- Configure Lync policies to allow Remote User Access and Federation
- Validate the Lync Edge Service deployment
Design the "Over the Edge" Lync Edge Service Solution
- Review the Scenarios for External User Access: http://technet.microsoft.com/en-us/library/gg425727.aspx. Focuses on networking, port, certificate and DNS requirements. Scenarios included for:
  - Single Consolidated Edge with private IPs / NAT'd
  - Single Consolidated Edge with public IPs
  - Scaled Consolidated Edge (2 or more) with private IPs/NAT or public IPs
  - Scaled Consolidated Edge Servers with Hardware Load Balancers
  - Scenarios for Reverse Proxies
- Review the TechNet planning documentation for Remote User Access: http://technet.microsoft.com/en-us/library/gg399048.aspx
For your use after TechEd
Design the "Over the Edge" Lync Edge Service Solution (continued)
Split Brain DNS (Split DNS, Split Horizon DNS)
- Host a copy of your SIP domain DNS zone on your Domain Controllers
- Allows for different answers to be provided when Lync clients connect internally versus when connecting externally
- Information about the internal environment does not need to be made available externally
- ...You can also leverage pinpoint DNS zones!
[Diagram, Split Brain DNS: an Internet client asks Internet DNS for lyncdiscover.contoso.com. and lyncdiscoverinternal.contoso.com.; an internal client asks internal DNS for the same two names, and each DNS answers for its own side]
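The pinpoint-zone variant of split brain DNS, as an added example (not from the original deck): instead of hosting a full internal copy of the SIP domain zone, each Lync name the internal side must answer differently becomes its own tiny zone with the record at the apex. Assumptions not in the deck: the internal Front End pool is lyncpool.contoso.com at 10.0.1.10, and the commands run on a domain controller with the Windows DnsServer module (Windows Server 2012 or later).

```powershell
# Added example: pinpoint DNS zones for the internal Lync names.
# Assumptions (not in the deck): pool lyncpool.contoso.com at 10.0.1.10,
# run on a Windows DNS server that is a domain controller.
Import-Module DnsServer

$sipDomain = 'contoso.com'
$poolFqdn  = "lyncpool.$sipDomain"
$poolIPv4  = '10.0.1.10'

# A pinpoint zone's name IS the host name, so the record lives at the apex ('@').
# Names without a pinpoint zone still resolve through the Internet zone, so the
# external names (lyncdiscover, sip, av, meet...) keep their public answers.
$pinpointA = @{
    "lyncdiscoverinternal.$sipDomain" = $poolIPv4
    $poolFqdn                         = $poolIPv4
}
foreach ($name in $pinpointA.Keys) {
    if (-not (Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $name -ReplicationScope Forest
    }
    Add-DnsServerResourceRecordA -ZoneName $name -Name '@' -IPv4Address $pinpointA[$name]
}

# Internal client sign-in SRV record, also as a pinpoint zone, pointing at the
# internal pool on TCP 5061 (the internal SIP/MTLS port on the port slide).
$srvZone = "_sipinternaltls._tcp.$sipDomain"
if (-not (Get-DnsServerZone -Name $srvZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $srvZone -ReplicationScope Forest
}
Add-DnsServerResourceRecord -Srv -ZoneName $srvZone -Name '@' `
    -DomainName $poolFqdn -Priority 0 -Weight 0 -Port 5061

# Verify from a domain-joined client: the internal name must resolve, and the
# SRV target must be an A record in the same domain (the same rule the deck
# gives for the external SRV records).
Resolve-DnsName -Name "lyncdiscoverinternal.$sipDomain" -Type A
Resolve-DnsName -Name $srvZone -Type SRV
```

The check at the end matters: an internal client that resolves lyncdiscoverinternal to the external Reverse Proxy address will still sign in, but over the Edge path, which defeats the point of split brain DNS.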
Test in a Test Lab
There are great resources out there to virtualise each of the key components for testing:
- Hardware Load Balancers
- Reverse Proxies
- Virtual audio and video devices (to test traffic/connectivity/functionality within virtual machines)
- Firewalls
- Soft PABXs
Deploy your Lync Front End Servers
- Build your Lync Server 2013 servers.
- Remember it is at this point that you define your external web URLs (both URLs will point at a HLB VIP).
- Relationship between Front End Pool and Edge Pools...
- Are you migrating from Lync Server 2010? What is the typical upgrade approach? The migration/upgrade approach is well documented in the Migration documentation at TechNet: http://technet.microsoft.com/en-us/library/jj205369.aspx
Build the Edge Topology
- Associate your Edge Pools with your Front End Pools
  - Important for media relay
  - When to do this will depend on whether you have Lync Server 2010 Edge Servers (discussed in next slide)
- Decide upon which Edge Pool will be used for Federation
- DNS names for the core Lync Edge services
- To NAT or not to NAT, that is the question!
[Diagram, Edge Media Relay: signalling and media paths; the Edge/FE relationship is defined in Topology Builder]
Network Address Translation (NAT)
- Client address must get to Lync Edge.
[Diagram: addresses 10.0.0.1 and 203.13.45.83]
For more information please refer to the "Edge Media Connectivity with ICE" TechEd session in the resources section.
Set up your Network
- Deployed in a DMZ
- If using DNS Load Balancing: need to know the AV IP address for 1:1 NAT
- If using Hardware Load Balancing: will need public IPs
- 1 vs 3 public IPs
- Don't forget you will need two subnets
- Discussed in the Edge Server section
Set up your...
- Edge Servers
- Reverse Proxies (performed in parallel with Edge Servers)
- Configure Remote User Access policies
- Verify Edge deployment
Discussed in detail in subsequent sections.
Contoso Edge Service Design
[Diagram, The Contoso Edge Service Design: Internet clients (Lync Web App, full Lync client, mobility clients) and Litware.com reach the DMZ servers (Edge Servers, Reverse Proxies) through load balancers; the internal servers (Front End Servers, Persistent Chat Servers, File Servers, Office Web App Servers, Report Server, mirrored SQL Server(s) with primary, secondary and witness) sit behind a second set of load balancers, with a Voice GWY to the PSTN; internal clients are Lync Web App, full Lync client and mobility clients. Legend: Lync HTTPS Traffic (Int), Lync HTTPS Traffic, SQL Traffic, Lync SIP & Media.]
Setting up your Edge Servers
Set up your Edge Servers
- Networking: number of IPs per Edge; DNS Load Balancing vs HLB
- Server hardware
- Operating system configuration: DNS client; workgroup; gateway configuration; trusted root certificate; patching
- Certificates
- Port requirements
Number of IPs per Edge
Two supported scenarios:
- Single external IP shared by Access Edge, Web Conferencing Edge and AV Edge Server: SIP (TCP 5061), PSOM (TCP 444), SRTP (TCP 443)
- Dedicated external IP for each of Access Edge, Web Conferencing Edge and AV Edge Server: SIP (TCP 443), PSOM (TCP 443), SRTP (TCP 443). Recommended!
A firewall at the client location might block ports other than 443 TCP. With dedicated IPs, even if 443 TCP is the only open port, all features will work.
Server Hardware: physical versus virtual
Do you have virtualised infrastructure in the DMZ?
- CPU: 64-bit dual processor, quad-core, 2.0 gigahertz (GHz) or higher, OR 64-bit 4-way processor, dual-core, 2.0 GHz or higher
- Memory: 16 GB
- NIC: 2x network adapter, 1 Gbps or higher
- Disk: 4 or more 10,000 RPM hard disk drives with at least 72 GB free disk space, OR solid state drives (SSDs) which provide performance similar to 4 10,000-RPM mechanical disk drives
http://technet.microsoft.com/en-us/library/gg398835.aspx
For your use after TechEd
DNS requirements
External A records:
- Access Edge, e.g. sip.contoso.com
- Web Conf Edge, e.g. webconf.contoso.com
- AV Edge, e.g. av.contoso.com
- lyncdiscover.<sipdomain>: point to the Reverse Proxy service
External SRV records:
- _sip._tls.<sipdomain>: point to the Access Edge Service on port TCP 443; point to an A record in the same domain
- _sipfederationtls._tcp.<sipdomain>: point to the Access Edge Service on port TCP 5061; point to an A record in the same domain
- _xmpp-server._tcp.<sipdomain>: point to the Access Edge Service on port TCP 5269; point to an A record in the same domain
SRV records need to point to A records in the same domain.
A lot of SIP domains means a lot of SANs in the certificate.
Plus ***internal DNS records***
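A check for the external DNS and port requirements on this slide and the previous one, as an added example (not from the original deck): it resolves each SRV record from an external resolver, confirms the target is an A record (not a CNAME) in the same domain on the expected port, and then confirms TCP 443 answers on each published Edge name for the dedicated-IP layout. Assumptions not in the deck: the SIP domain defaults to contoso.com, the resolver 8.8.8.8 is just a placeholder for any public recursive resolver, and the host names are the examples used throughout the slides. It is meant to be run from a machine outside the corporate network.

```powershell
# Added example: validate external Lync Edge DNS records and ports.
# Assumptions (not in the deck): SIP domain contoso.com, resolver 8.8.8.8.
param(
    [string]$SipDomain = 'contoso.com',
    [string]$Resolver  = '8.8.8.8'
)

# SRV records the deck requires, with the port each must carry.
$srvChecks = @(
    @{ Name = "_sip._tls.$SipDomain";              Port = 443;  Service = 'Access Edge, client sign-in' }
    @{ Name = "_sipfederationtls._tcp.$SipDomain"; Port = 5061; Service = 'Access Edge, federation' }
    @{ Name = "_xmpp-server._tcp.$SipDomain";      Port = 5269; Service = 'Access Edge, XMPP' }
)
# Names that must answer on 443 when each Edge service has its own public IP.
$hostChecks = @("sip.$SipDomain", "webconf.$SipDomain", "av.$SipDomain", "lyncdiscover.$SipDomain")

function Test-SrvRecord {
    param([string]$Name, [int]$ExpectedPort, [string]$Domain, [string]$Server)
    $srv = @(Resolve-DnsName -Name $Name -Type SRV -Server $Server -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' })
    if ($srv.Count -eq 0) {
        return [pscustomobject]@{ Check = $Name; Result = 'FAIL'; Detail = 'no SRV record published' }
    }
    foreach ($r in $srv) {
        $lookup     = @(Resolve-DnsName -Name $r.NameTarget -Type A -Server $Server -ErrorAction SilentlyContinue)
        $isA        = @($lookup | Where-Object { $_.Type -eq 'A' }).Count -gt 0
        $isCname    = @($lookup | Where-Object { $_.Type -eq 'CNAME' }).Count -gt 0
        # The target must live in the SIP domain: that is the name the certificate SAN will carry.
        $sameDomain = $r.NameTarget.TrimEnd('.').ToLower().EndsWith(".$Domain".ToLower())
        $tcp        = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port -WarningAction SilentlyContinue
        $ok = $isA -and (-not $isCname) -and $sameDomain -and ($r.Port -eq $ExpectedPort) -and $tcp.TcpTestSucceeded
        $verdict = if ($ok) { 'OK' } else { 'FAIL' }
        [pscustomobject]@{
            Check  = $Name
            Result = $verdict
            Detail = "target=$($r.NameTarget):$($r.Port) A=$isA CNAME=$isCname sameDomain=$sameDomain expectedPort=$ExpectedPort tcp=$($tcp.TcpTestSucceeded)"
        }
    }
}

$report = @()
foreach ($c in $srvChecks) {
    $report += Test-SrvRecord -Name $c.Name -ExpectedPort $c.Port -Domain $SipDomain -Server $Resolver
}
foreach ($h in $hostChecks) {
    $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    $report += [pscustomobject]@{
        Check  = $h
        Result = $(if ($tcp.TcpTestSucceeded) { 'OK' } else { 'FAIL' })
        Detail = "443/tcp to $($tcp.RemoteAddress)"
    }
}
$report | Format-Table -AutoSize
```

A CNAME target is flagged because the SRV rule on the slide is "point to an A record in the same domain"; federation partners running older Access Edges reject SRV targets that resolve through a CNAME or that sit outside the SIP domain, and that shows up as a silent federation failure rather than an error on your side.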
Certificate Requirements
Two certificates are required for each Edge Server.
Internal certificate:
- Is typically issued by an internal Certificate Authority
- Has the internal Edge Pool FQDN as subject name
External certificate:
- Issued by a public Certificate Authority
- Has the Access Edge and Web Conferencing FQDNs
- Private key exportable
- Same cert used across all Edge Servers!
Edge Server ConfigurationDemoSteve Moore
NOTE: The configurations discussed in this Demo are also included as hidden slides
Port Requirements
External interface:
- Access Edge (AE): SIP/MTLS (TCP 443 or 5061); XMPP (TCP 5269); HTTP CRL check (TCP 80); DNS (UDP/TCP 53)
- Web Conferencing Edge (WC): PSOM/TLS (TCP 443 or 444)
- AV Edge (AV): STUN (UDP 3478); STUN (TCP 443); RTP (UDP/TCP 50,000-59,999)**
**OCS 2007 requires 50,000-59,999 TCP/UDP outbound and inbound**
Internal interface:
- HTTPS (TCP 4443); CLS (TCP 50001, 50002, 50003); XMPP (TCP 23456); SIP/MTLS (TCP 5061); PSOM/MTLS (TCP 8057); SIP/MTLS (TCP 5062); STUN (UDP 3478); STUN (TCP 443)
Well documented here: http://technet.microsoft.com/en-us/library/gg398798.aspx
Setting up your Reverse Proxies
Reverse Proxy Requirements
What does it need to be able to do?
- Support SSL/TLS to publish internal websites
- Publish internal websites with as well as without encryption
- Publish internal websites using FQDN
- Ability to handle certificates with Subject Alternative Names
- Must be able to send the original host header
- Bridging of some ports
Keep an eye on the 'Infrastructure qualified for Microsoft Lync' article: http://technet.microsoft.com/en-us/lync/gg131938
Reverse Proxy settings
Published FQDNs in DNS:
- lyncdiscover.<sipdomain>
- External WebFarm FQDN
- Simple URLs
- Office Web App Server
Bridge port 443 to port 4443 for all FQDNs except Office Web App (WAC); optionally bridge port 80 to port 8080.
Office Web App (WAC) Server: 443 to 443
[Diagram: Internet :443 -> Reverse Proxy -> :4443 (Lync web services) / :443 (WAC)]
Certificate Requirements
What to include in your certificate: match your DNS names
- lyncdiscover.<sipdomain> (e.g. lyncdiscover.contoso.com)
- Simple URL FQDNs (e.g. meet.contoso.com)
- External Webfarm FQDN (e.g. lyncws.contoso.com)
- Office Web App (e.g. wac.contoso.com)
Use a public certificate. Wildcard certs are OK only in the Subject Alternative Name (SAN).
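A SAN coverage check for both the external Edge certificate (earlier Certificate Requirements slide) and the Reverse Proxy certificate (this slide), as an added example that is not from the original deck: it opens a TLS connection to each published name with SNI, reads the presented certificate, and reports whether the name is covered by a SAN entry, treating a wildcard as valid only for a single label. Assumptions not in the deck: SIP domain contoso.com and the example host names used on the slides; the sip.contoso.com check uses the 443 listener of the dedicated-IP layout.

```powershell
# Added example: confirm every published Edge / Reverse Proxy name is in the SAN
# of the certificate actually presented. Assumptions (not in the deck): SIP
# domain contoso.com and the slide's example host names, all listening on 443.
$sipDomain = 'contoso.com'
$published = @(
    "sip.$sipDomain", "webconf.$sipDomain", "av.$sipDomain",                # Edge external certificate
    "lyncdiscover.$sipDomain", "meet.$sipDomain", "dialin.$sipDomain",     # Reverse Proxy certificate
    "lyncws.$sipDomain", "wac.$sipDomain"
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: the goal is to read the certificate, not trust it yet.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)   # SNI = $HostName, as a real client would send
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if (-not $ext) { return @() }
    # Windows renders the extension as "DNS Name=a.contoso.com, DNS Name=b.contoso.com"
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
}

function Test-NameCovered {
    param([string]$Name, [string[]]$SanNames)
    foreach ($san in $SanNames) {
        if ($san -eq $Name) { return $true }
        # A wildcard covers exactly one label: *.contoso.com matches meet.contoso.com,
        # not a.b.contoso.com, so compare label counts as well as the pattern.
        if ($san.StartsWith('*.') -and ($Name -like $san) -and
            ($Name.Split('.').Count -eq $san.Split('.').Count)) { return $true }
    }
    return $false
}

$report = foreach ($name in $published) {
    try {
        $cert = Get-RemoteCertificate -HostName $name
        $sans = @(Get-SanDnsNames -Cert $cert)
        [pscustomobject]@{
            Name     = $name
            Covered  = Test-NameCovered -Name $name.ToLower() -SanNames $sans
            Expires  = $cert.NotAfter
            Issuer   = $cert.Issuer
            SanCount = $sans.Count
        }
    } catch {
        [pscustomobject]@{ Name = $name; Covered = $false; Expires = $null; Issuer = "ERROR: $($_.Exception.Message)"; SanCount = 0 }
    }
}
$report | Format-Table -AutoSize
```

Run it against each Edge Server and each Reverse Proxy individually (by IP, with the host name in SNI) rather than only through the load balancer, otherwise one node carrying a stale or self-issued certificate is hidden by the others.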
Contoso Environment
[Diagram: Internet clients (Lync Web App, full Lync client, mobility clients) connect over the Internet, through load balancers, to the Reverse Proxies in the DMZ; the Reverse Proxies publish lyncdiscover.contoso.com:4443, lyncws.contoso.com:4443, meet.contoso.com:4443 and dialin.contoso.com:4443 to the Front End Servers and wac.contoso.com:443 to the Office Web App Servers, behind internal load balancers. Internal clients: Lync Web App, full Lync client, mobility clients. Legend: Lync HTTPS Traffic (Int), Lync HTTPS Traffic, SQL Traffic, Lync SIP & Media.]
Remote User Access Policies
Federation: 3 different models
- Direct Federation: FQDNs don't have to match the SIP domain, no SRV records, smaller certificate requirements, *more administrative requirements*
- Enhanced Federation: Access Edge FQDN discovered by SRV record lookup, less administrative overhead, cert requirements are back in
- Open Federation: need to monitor as throttling can take place
Creation of the _sipfederationtls._tcp.<sipdomain> record
Discussed further in our Troubleshooting presentation
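The Lync Server Management Shell side of the three federation models and of the Contoso remote user access requirements, as an added example that is not from the original deck. Assumptions not in the deck: Litware's Access Edge is sip.litware.com, 'RoadWarriors' is a hypothetical external access policy name, and the granted user is a hypothetical sample identity.

```powershell
# Added example: federation models and remote user access policy in the
# Lync Server Management Shell. Assumptions (not in the deck): Litware Access
# Edge sip.litware.com; policy name 'RoadWarriors'; sample user alice.

# Edge-wide switches. AllowAnonymousUsers is what lets customers and partners
# join Contoso conferences without a Lync system of their own.
Set-CsAccessEdgeConfiguration -AllowOutsideUsers $true `
                              -AllowFederatedUsers $true `
                              -AllowAnonymousUsers $true `
                              -EnablePartnerDiscovery $false   # $false = partners must be listed

# Model 1, Direct federation: the partner and its Access Edge FQDN are entered
# by hand; no SRV record is needed on the partner side, but every partner is
# a manual change on yours.
New-CsAllowedDomain -Identity 'litware.com' -ProxyFqdn 'sip.litware.com' -Comment 'Direct federation with Litware'

# Model 2, Enhanced federation: the partner is still listed, but its Access Edge
# is found through its _sipfederationtls._tcp.litware.com SRV record, so no
# ProxyFqdn. (Use instead of the line above; a domain appears in the list once.)
# New-CsAllowedDomain -Identity 'litware.com' -Comment 'Enhanced federation with Litware'

# Model 3, Open federation: any domain that publishes a valid SRV record and a
# trusted certificate can federate unless blocked. Discovered partners are
# throttled, so this is the model that needs monitoring.
# Set-CsAccessEdgeConfiguration -EnablePartnerDiscovery $true
# New-CsBlockedDomain -Identity 'unwanted.example' -Comment 'Blocked under open federation'

# Anonymous conference attendees also need the conferencing policy to allow them.
Set-CsConferencingPolicy -Identity Global -AllowAnonymousParticipantsInMeetings $true

# Remote user access: keep the global policy closed and open a named policy for
# the ~30% of staff who are on the road, so remote access is a deliberate grant.
Set-CsExternalAccessPolicy -Identity Global -EnableOutsideAccess $false -EnableFederationAccess $false
New-CsExternalAccessPolicy -Identity 'RoadWarriors' `
                           -EnableOutsideAccess $true `
                           -EnableFederationAccess $true `
                           -EnablePublicCloudAccess $true `
                           -EnablePublicCloudAudioVideoAccess $true
Grant-CsExternalAccessPolicy -Identity 'sip:alice@contoso.com' -PolicyName 'RoadWarriors'

# Read back what is now in effect.
Get-CsAccessEdgeConfiguration
Get-CsAllowedDomain
Get-CsExternalAccessPolicy | Select-Object Identity, EnableOutsideAccess, EnableFederationAccess
```

Note that the Edge-wide switches and the per-user policy are evaluated together: a user with the global (closed) policy cannot sign in from the Internet even though AllowOutsideUsers is set, which is the intended least-privilege default here.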
Federation/Remote User Access Policies DemoSteve Moore
Managing your Lync Edge
Management considerations: don't leave Edge Servers behind
- Monitoring
- Patching, patching, patching
- Antivirus
- Certificate maintenance
- Security baseline
- Disaster recovery plan
- Performance
- Password management
- NTP time source
Operations Manager for Edge Server: deployment steps
1. Create a certificate template in the CA for client and server authentication
2. Create a certificate for the Management Server using the new template
3. Import the certificate into the Management Server using MOMCertImport.exe
4. Create a certificate for the Edge Server using the new certificate template
5. Install the OpsMgr agent on the Edge Server
6. Import the certificate into the Edge Server using MOMCertImport.exe
7. Configure local groups for Network Service access
8. Once Lync discovery has completed, remove Network Service access
For your use after TechEd
Rolling AV Authentication Certificate
Purpose of the AV Authentication certificate:
- Creates a token to allow clients to use the AV Edge Server
- Token acquired at sign in or after 8 hours
- By internal users as well as by external users
If the certificate is simply replaced:
- Clients still have tokens
- However those tokens cannot be validated by the new certificate
- Media endpoints are unable to use the AV Edge Server for up to 8 hours
Rolling the AV certificate:
- Allows you to stage the new certificate while the old one is still in place
- Edge Server will issue tokens based on the new certificate, but be able to validate all tokens
- Set-CsCertificate -Type -Roll -Thumbprint -EffectiveDate
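The roll, with the parameters filled in and a before/after check, as an added example that is not from the original deck. Assumptions not in the deck: the new certificate is already installed in the Edge Server's computer store, the thumbprint is a placeholder you replace, and the effective date is set 8 hours out to line up with the token lifetime on the slide (the choice of 8 hours is this example's, not a rule stated on the slide).

```powershell
# Added example: stage a replacement AV Authentication certificate with -Roll.
# Assumptions (not in the deck): new certificate already in the local machine
# store; thumbprint below is a placeholder; 8-hour effective date chosen to
# match the token lifetime described on the slide.
$newThumbprint = 'REPLACE_WITH_NEW_CERT_THUMBPRINT'

# Confirm the new certificate is present and has a private key before touching Lync.
$newCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $newThumbprint }
if (-not $newCert -or -not $newCert.HasPrivateKey) {
    throw "Certificate $newThumbprint not found in LocalMachine\My or has no private key"
}

# What is assigned now (the certificate currently validating tokens).
$before = Get-CsCertificate -Type AudioVideoAuthentication
$before | Select-Object Use, Thumbprint, Subject, NotAfter | Format-Table -AutoSize

# Stage the new certificate. With -Roll the current certificate stays in place
# so tokens already issued keep validating; from -EffectiveDate onwards new
# tokens are issued with the new certificate.
Set-CsCertificate -Type AudioVideoAuthentication `
                  -Thumbprint $newThumbprint `
                  -Roll `
                  -EffectiveDate (Get-Date).AddHours(8)

# After the roll both certificates are assigned to the AudioVideoAuthentication use.
$after = @(Get-CsCertificate -Type AudioVideoAuthentication)
$after | Select-Object Use, Thumbprint, Subject, NotAfter | Format-Table -AutoSize
if ($after.Count -lt 2) {
    Write-Warning 'Expected the old and the new AV authentication certificates to both be assigned after -Roll'
}
```

Do the same on every Edge Server in the pool, because tokens are validated by whichever Edge the media endpoint lands on; a pool where one member has the old certificate only will fail media for a subset of users for up to 8 hours, which is exactly the outage rolling is meant to avoid.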
Validate Edge deployment
- Event Viewer & CLS logging: check for errors and warnings
- Validate replication to the Edge Server: Get-CsManagementStoreReplicationStatus
- Remote Connectivity Analyzer: https://testconnectivity.microsoft.com/
- Lync Connectivity Analyzer: http://blogs.technet.com/b/nexthop/archive/2013/02/08/the-new-lync-connectivity-analyzer.aspx
- Lync Best Practice Analyzer: http://technet.microsoft.com/en-us/library/gg558584.aspx
Monitor, Monitor, Monitor!
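A scripted version of the first two validation items plus a federation probe, as an added example that is not from the original deck. Assumptions not in the deck: it runs in the Lync Server Management Shell on a Front End, the Access Edge is sip.contoso.com, and the federation partner is litware.com; the event log step is run on the Edge Server itself (or over a remoting session, since the Edge is in a workgroup).

```powershell
# Added example: post-deployment validation pass for the Edge.
# Assumptions (not in the deck): run from the Lync Server Management Shell;
# Access Edge sip.contoso.com; federation partner litware.com.
$accessEdge = 'sip.contoso.com'
$partner    = 'litware.com'

# 1. Central Management Store replication. Every replica, Edge Servers included,
#    must report UpToDate. An Edge that never replicates usually means TCP 4443
#    from the Front End to the Edge internal interface is blocked, or the Edge's
#    internal certificate chain is not trusted by the Front End.
$stale = @(Get-CsManagementStoreReplicationStatus | Where-Object { -not $_.UpToDate })
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) replica(s) not up to date:"
    $stale | Select-Object ReplicaFqdn, LastStatusReport, LastUpdateCreation | Format-Table -AutoSize
    Invoke-CsManagementStoreReplication   # kick replication, then re-run this check
} else {
    Write-Output 'CMS replication: all replicas up to date'
}

# 2. Federation path. This exercises the outbound route from the Access Edge to
#    the partner's Access Edge: SRV lookup, TCP 5061, MTLS and certificate checks.
Test-CsFederatedPartner -TargetFqdn $accessEdge -Domain $partner

# 3. Edge event log (run on the Edge Server): Critical, Error and Warning entries
#    from the 'Lync Server' log in the last 24 hours, grouped by event ID so a
#    single misconfiguration repeating every minute does not drown the rest.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Lync Server'; Level = 1, 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'EventId'; e = { $_.Name } },
                  @{ n = 'Sample'; e = { $_.Group[0].Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Keep step 1 in whatever you use for routine monitoring, not only at deployment: replication silently stopping is the most common way an Edge Server is "left behind" after a policy or topology change.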
Resources
Edge is awesome!
Resources
- TechNet documentation: http://technet.microsoft.com/en-us/library/gg399048.aspx
- Lync Deep Dive: Edge Media Connectivity with ICE: http://aka.ms/LyncEdge
- Lync Deep Dive: Edge Media Connectivity with ICE with Thomas Binder: http://channel9.msdn.com/Events/TechEd/Europe/2012/EXL412
- NextHop: Rolling AV Certificate: http://blogs.technet.com/b/nexthop/archive/2012/10/09/lync-server-2013-preview-using-set-cscertificate-for-audio-video-edge-and-oauthtokenissuer-certificate-maintenance.aspx
- Lync Online Labs (has a great Edge lab!): http://lynclabs.vlabcenter.com/Main
Contact InformationSteve MooreEmail: [email protected] (SIP): [email protected]
Marc DudokEmail: [email protected] (SIP): [email protected]
Related content
- Lync Enterprise Voice Architecture: EXL314
- Lync Conferencing: EXL311
- How to Fix Lync when it Breaks: EXL331
- Lync Virtualisation: EXL321A
- Contact Centres for Lync 2013: EXL323
- Design your Lync 2013 Deployment to be Disaster Proof!: EXL325
- Deploying and Configuring Microsoft Lync Edge Server 2013: ILL-EXL204
- Deploying Lync Server 2013 Persistent Chat: ILL-EXL203
Check out the recordings after the event at msteched.com
Track resources
- Exchange Server documentation: http://aka.ms/E15Docs
- Exchange Team Blog: http://aka.ms/EHLO
- Lync Server documentation: http://aka.ms/Lync15Docs
- Lync Server Team Blog: http://aka.ms/LyncBlog
Download Exchange and Lync today! Contact your Microsoft or Partner Account Manager to arrange a time to test drive Exchange and Lync at the Office Showcase.
Keep Learning
1. Download both Exchange Server 2013 and Lync Server 2013 and try them in your own environment
2. Trial Exchange and Lync Online
3. Contact your Microsoft or Partner Account Manager to arrange a time to test drive Exchange and Lync in one of our Customer Immersion Experience Centres
4. Contact your Microsoft or Partner Account Manager to get a Lync business value assessment or an Exchange and Lync technical briefing
- Developer Network, resources for developers: http://msdn.microsoft.com/en-au/
- Learning, Virtual Academy: http://www.microsoftvirtualacademy.com/
- TechNet, resources for IT professionals: http://technet.microsoft.com/en-au/
- Sessions on demand: http://channel9.msdn.com/Events/TechEd/Australia/2013
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.