Lync server in different internal and external domains !!!

    Question

  • Hi

    For example, our internal domain name is test.local and our external domain name is test.com.

    I want to allow our users to use Lync from the outside of the organization (internet). 

    How can I setup lync and DNS server to accomplish that ?

    Friday, August 23, 2013 7:47 PM

Answers

  • Use Split-DNS with the External name space. The internal domain name will be tied to server FQDNs, but everything else will use the external domain (pools, simple urls, sip addresses, lyncdiscover).

    Take a look at: http://technet.microsoft.com/en-us/library/gg398758.aspx

    Saturday, August 24, 2013 1:31 AM
  • 9 (Public IPs)

    • SIP/Access Public 1.12.123.2
    • WC Public 1.12.123.3
    • AV Public 1.12.123.4
    • Webext 1.12.123.5

    8 (External DMZ)

    • DMZ 192.168.220.X

    7 (Bidirectional NAT to matching Public Edge IPs)

    • SIP/Access NAT 192.168.220.2
    • WC NAT 192.168.220.3
    • AV NAT 192.168.220.4

    6 (Bidirectional NAT to matching Public RP IP)

    • webext 192.168.220.5

    • Edge Internal NIC 172.16.1.2 (lyncedge.test.local)

    4

    • RP Internal NIC 172.16.1.3

    3 (Internal DMZ, can be on LAN network but don't recommend it)

    • DMZ 172.16.1.X

    2 (LAN)

    • LAN 172.16.0.X

    1

    • Front End 172.16.0.10 (lync.test.local)


    Sunday, August 25, 2013 2:59 PM
  • TMG publishes Meet, Dialin, webext, lyncdiscover on 80 443, and proxies to the Front End on 8080/4443

    Edge hosts sip/access, wc, av.

    The following link shows what ports to allow: http://technet.microsoft.com/en-us/library/gg425891(v=ocs.14).aspx

    Monday, August 26, 2013 1:40 PM
  • Hi,

    The SIP.Test.com, WC.Test.com and AV.Test.com should be accessed by NAT, or you can assign public IPs to them directly. It means the client connects to the edge external interface with the defined ports directly.

    For Meet, Dialin, webext, lyncdiscover, the features are provided by front end services, so they should be published by the reverse proxy. All requests connect to the reverse proxy on 80/443 and are proxied to the Front End on 8080/4443.

    The external DNS records should include the following entries:

    SIP/Access.test.com (A record and two SRV records: automatic configuration and federation)

    WC.Test.com

    AV.Test.com

    Webext.Test.com

    Meet.test.com

    Dialin.test.com

    Lyncdiscover.Test.com

    Another optional record is for XMPP: _xmpp-server._tcp.test.com and xmpp.test.com

    For details:

    http://technet.microsoft.com/en-us/library/gg412787.aspx

    I recommend you refer to Jeff's blog.

    Lync Edge Server Best Practices

    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    Kent Huang
    TechNet Community Support



    Friday, August 30, 2013 3:32 PM
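    The record set Kent lists above can be audited mechanically before opening the firewall. The check below is an added example, not code from the thread: it verifies that the edge names (sip, wc, av) each have their own public A record, that the reverse-proxy names (webext, meet, dialin, lyncdiscover) all land on the single published proxy IP, and that both SRV records exist. The SRV owner names _sip._tls and _sipfederationtls._tcp and the lookup functions are assumptions; the zone data is constructed.

```python
# Added example (not from the thread): check that an external DNS zone carries the
# records Kent's answer lists for Lync external access. The resolvers are injected so
# the check runs offline against a constructed zone; swap in a real lookup to audit a
# live zone. SRV owner names are assumptions: _sip._tls (automatic configuration) and
# _sipfederationtls._tcp (federation).

EDGE_HOSTS = ["sip", "wc", "av"]                             # hosted on Edge, distinct IPs
PROXY_HOSTS = ["webext", "meet", "dialin", "lyncdiscover"]   # published via reverse proxy
SRV_RECORDS = [("_sip._tls", 443, "sip"), ("_sipfederationtls._tcp", 5061, "sip")]

def check_external_zone(domain, resolve_a, resolve_srv):
    """Return a list of findings; an empty list means the zone matches the expected layout.

    resolve_a(fqdn)   -> set of IPv4 strings (empty set if no record)
    resolve_srv(name) -> list of (port, target) tuples (empty list if no record)
    """
    findings = []
    ips = {}
    for host in EDGE_HOSTS + PROXY_HOSTS:
        fqdn = f"{host}.{domain}"
        ips[host] = resolve_a(fqdn)
        if not ips[host]:
            findings.append(f"missing A record: {fqdn}")
    # Each Edge service needs its own public IP (one-to-one NAT to the Edge external NICs).
    edge_ips = [ip for h in EDGE_HOSTS for ip in ips[h]]
    if len(edge_ips) != len(set(edge_ips)):
        findings.append("edge hosts sip/wc/av must not share a public IP")
    # Reverse-proxy names all terminate on the same published IP (80/443 -> 8080/4443).
    proxy_ips = {ip for h in PROXY_HOSTS for ip in ips[h]}
    if len(proxy_ips) > 1:
        findings.append(f"reverse-proxy hosts resolve to several IPs: {sorted(proxy_ips)}")
    # Two SRV records: automatic client configuration and federation, both targeting sip.
    for name, port, target in SRV_RECORDS:
        owner = f"{name}.{domain}"
        expected = (port, f"{target}.{domain}")
        if expected not in resolve_srv(owner):
            findings.append(f"missing or wrong SRV: {owner} -> {expected[1]}:{expected[0]}")
    return findings

# Constructed sample zone mirroring the thread's plan (1.1.1.x are placeholder public IPs).
SAMPLE_A = {
    "sip.test.com": {"1.1.1.2"}, "wc.test.com": {"1.1.1.3"}, "av.test.com": {"1.1.1.4"},
    "webext.test.com": {"1.1.1.5"}, "meet.test.com": {"1.1.1.5"},
    "dialin.test.com": {"1.1.1.5"}, "lyncdiscover.test.com": {"1.1.1.5"},
}
SAMPLE_SRV = {"_sip._tls.test.com": [(443, "sip.test.com")]}   # federation SRV left out on purpose

if __name__ == "__main__":
    for finding in check_external_zone("test.com", lambda n: SAMPLE_A.get(n, set()),
                                       lambda n: SAMPLE_SRV.get(n, [])):
        print(finding)
```

    Run against the sample zone it reports only the missing federation SRV record, which matches the asker's situation of a DNS panel that cannot create SRV records.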

All replies

  • OK, My FEpool name is FE.test.local.

    Should I change it to FE.test.com ?

    If yes, how can I change it ?

    Saturday, August 24, 2013 10:47 AM
  • If you are deploying standard edition (SQL express) then the pool name will be the server FQDN (on test.local). If deploying Enterprise edition (remote sql server) I would recommend the pool name to use the primary sip (test.com) to prevent the trusted model prompt: http://support.microsoft.com/kb/2833618

    You can't change the pool name if already deployed: http://social.technet.microsoft.com/Forums/lync/en-US/df66bb45-8383-4fa2-b18f-fdd3b4dfeb0f/chnaging-the-frontend-pool-name-in-lync-server-standard-edition-

    Saturday, August 24, 2013 2:38 PM
  • I have this topology in my network.

    can I use edge server to allow external user to use internal lync?

    Are these configurations true?


    Sunday, August 25, 2013 6:06 AM
  • Your edge server and Front End can't have the same FQDN. 

    Lyncdiscover can't run on the Edge.

    You are missing the reverse proxy (simple urls: meet, dialin, lync external web services and lyncdiscover). This is where 80/443 from the internet hits the proxy and then 4443/8080 is sent to the Front End.

    Ports are incorrect for the Edge services.

    Take a look at: http://technet.microsoft.com/en-us/library/gg425891.aspx

    Sunday, August 25, 2013 6:40 AM
  • TNX Michael,

    I read all of those links that you posted but I'm so confused.

    Can you determine the IP address configuration for each NIC (Server or Firewall)?

    Sunday, August 25, 2013 11:57 AM
  • Thanks a lot Michael,

    I got it.

    But 1 more question: should I write a static route on LyncEdge.test.local and the Reverse Proxy to communicate with the LAN?

    Sunday, August 25, 2013 5:46 PM
  • Reverse Proxy and Edge don't need to talk. You will need Static routes for the Edge internal NIC to get to the server and client LANs, as the gateway is only set on the external NIC
    Sunday, August 25, 2013 7:23 PM
  • OK

    So TMG publishes the SIP.Test.com , WC.Test.com and AV.Test.com over 80 and 443 and the DNS external records are :

    ------------------------

    SIP/Access.test.com

    1.12.123.2

    ------------------------

    WC.Test.com 

    1.12.123.3

    ------------------------

    AV.Test.com

    1.12.123.4

    ------------------------

    Webext.Test.com

    1.12.123.5

    ------------------------

    And on the external NIC of firewall2 I should allow incoming connections through 80 and 443.




    Monday, August 26, 2013 9:02 AM
  • You mean my external DNS records are true ?
    Tuesday, August 27, 2013 12:39 PM
  • Hi Kent   . . .  

    Your last post solved some of the problems but I have 4 more questions.

    I use another TMG as external firewall with 4 public IP addresses.

    1) Should the external DNS records point to these IPs. (SIP, WC, AV and Webext)

    2) In the TMG firewall I just allow the required ports from the internet to the LAN and vice versa. Should I set extra configuration on the TMG firewall for external users communicating with the reverse proxy server and edge server?

    3) My external DNS panel does not support SRV records and I can't create SRV records in my zone. Are the SRV records necessary for external users ? 

    4) In corporate network I can use lync services using lync client installed on my PC but I can't connect to lync server by lync mobile app (I installed certificate from internal CA on our mobile). I want to know can we use lync mobile app in corporate network (using wifi)? Should I configure extra setting on my servers or clients ?

    Friday, September 06, 2013 8:49 AM
  • 
    Hi,

    1,2;

    Please read this link and advise which architecture you are using: http://technet.microsoft.com/en-us/library/gg412898(v=ocs.14).aspx

    You will also find the firewall requirements and DNS requirements at that URL.

    3:

    Please read this How Lync Clients Locate Services from: http://technet.microsoft.com/en-us/library/gg398758.aspx

    SRV records aren't mandatory although it is recommended. Have you contacted your DNS provider and requested manual entry creation? Often they can create more than what is in the portal.

    4:

    This is how you publish Lync Server 2010 http://social.technet.microsoft.com/wiki/contents/articles/9807.how-to-configure-forefront-tmg-2010-as-reverse-proxy-for-lync-server-2010.aspx

    I have replied to your post on LinkedIn. If you have further issues, please reply there.

    If this post is helpful, be sure to mark as answer.

    Cheers,

    Ryan.


    • Edited by Ryan-Campbell Sunday, September 15, 2013 12:17 AM fixed a link
    Sunday, September 15, 2013 12:16 AM
  • OK Ryan, Thank you.

    I studied the first link before and I followed its instructions.

    I'm contacting my DNS provider about SRV record.

    Please consider this scenario:


    And Suppose that we have test.local as internal domain and test.com as external domain (Internet).

    I use split-brain DNS solution and create test.com zone beside the test.local zone in the Internal DNS server. 
    I add test.com as default SIP domain for all users. In internal network users can login to their lync clients using test.com (because of split-brain DNS configs. In internal test.com zone, Lync.test.com points to local IP address of Lync server (FEPool)) And in the external DNS, we have test.com zone and I create these records :

    FQDN IP Address 

    Meet.Test.com 1.1.1.5 
    Dialin.Test.com 1.1.1.5 
    Lync.Test.com 1.1.1.5 
    Lyncdiscover.Test.com 1.1.1.5

    SIP.Test.com 1.1.1.2 
    WC.Test.com 1.1.1.3 
    AV.Test.com 1.1.1.4

    My external DNS console does not support SRV records and I can't create SRV records in the Test.com zone. 
    I use my internal CA (ADCS) for both internal and external clients. I installed certificate manually in trusted root node for all clients.

    Now my questions are : 
    1) If I want to set it manually, which A records or IPs should be the Internal and External Server address?

    2) I use another TMG as edge firewall, I set 4 NAT rule for one-by-one NAT :

    Source:192.168.220.2 --> NAT --> Destination:1.1.1.2 
    Source:192.168.220.3 --> NAT --> Destination:1.1.1.3 
    Source:192.168.220.4 --> NAT --> Destination:1.1.1.4 
    Source:192.168.220.5 --> NAT --> Destination:1.1.1.5 
    and temporary allow all incoming and outgoing traffic from Internet. 
    Are these configurations true?

    For the edge server I use these articles:

    http://www.zegeger.net/2011/01/16/installing-microsoft-lync-2010-deploying-edge-server/

    http://ucken.blogspot.nl/2011/07/configuring-lync-for-external-access.html

    Sunday, September 15, 2013 10:40 AM
  • 
    From memory, the Edge server cannot use TMG as a FW when you use NAT for A/V (found a ref here for OCS: http://technet.microsoft.com/en-us/library/dd441361(office.13).aspx ). Have you confirmed support?

    1: The DNS requirements are in the links already provided to you; can you perhaps be more specific in your question? It might help you if you grab the table from TechNet, work on filling it in, and then post the table back here with the cells in question highlighted.

    Monday, September 16, 2013 2:23 AM
  • Monday, September 16, 2013 9:03 AM