Question about edge architecture with more than one external connection.

    Question

  • Hi,
    I am looking for a solution to implement the following:
    We have a Lync 2013 Std server + Edge server.
    The Edge server is located in the DMZ and has one internal and three external interfaces.
    Everything is working fine for communication between internal and Internet users.

    Now we have to connect another group of users to Lync from remote sites. These sites are reachable only via another network: MPLS.
    My question is: how do I configure the topology to achieve this?

    In short:
    we have internal users
    we have external users (Internet)
    we have external users (MPLS).

    We do not have full trust in the MPLS network and for security reasons prefer to use the Edge topology (the same as for the Internet connection).


    If you have any questions/suggestions, you're welcome.
    Thank you in advance.

    Vladimir.
    Prague/Czech Republic

    Monday, October 14, 2013 3:53 PM

All replies

  • Either your MPLS users need to connect directly to the front-end servers and behave like "internal" users or you have to route the users to the external/internet addresses.

    Where do the users on the MPLS get their DNS resolution from?  They will need to resolve your external DNS records to the correct external IPs and you will need to ensure they can route there.

    What you cannot and should not do is deploy a second edge server for MPLS users.  I have seen a customer try this one and they quickly discovered that Internet people couldn't talk to MPLS users because the edges need to talk to one another.

    Thanks,

    Richard


    Richard Brynteson, Avtex, Lync MCM, Blog - www.masteringlync.com

    Monday, October 14, 2013 4:02 PM
  • Thanks for the update.

    I will try to explain:

    For security reasons we would like to use the Edge for MPLS users. DNS resolution is not a problem; we can create a special DNS zone for them.

    Where I mainly see a problem is A/V under NAT: in the topology I specify the external (public) IP address for the A/V service, which would not be accessible from MPLS.

    So I see only a secondary Edge as a solution, but I am not sure whether it is right or not.

    And, as far as I know, one FE can have only one Edge. If you apply another Edge to the same FE, the old one would be detached.

    Sorry for the "mixed" mode of explanation. Maybe I will create a better picture tomorrow with a mapping diagram.

    Monday, October 14, 2013 4:12 PM
  • Yes, you can have multiple edge servers next hop into a single front-end but your problem will be MRAS/Media Pool. As you note, the front-end server can only have a single media pool.  And here lies the problem with the second edge on the MPLS. So let's walk through this. We will use the following names/IP's for an example:

    - Pool01
    - Edge01 (AV NAT is enabled - public IP is 214.214.x.3)
    - MplsEdge01 (AV NAT is disabled - IP is 172.15.x.3)

    If you associate the media edge pool for Pool01 to be Edge01, whenever a user makes any Audio/Video call the IP address that will be included in the SDP will be 214.214.x.3, which means everyone on the MPLS network will not be able to reach that and fail.

    If you associate the media edge pool for Pool01 to be MplsEdge01, whenever a user makes any Audio/Video call the IP address that will be included in the SDP will be the private 172.15.x.3 address, which of course the Internet users will not be able to reach and fail.

    That is why a second edge never works in this scenario. We had a customer with a similar requirement and the "fix" was to make sure that the MPLS users were able to reach the public IP address of the edge. They were OK with this type of routing because technically the traffic never leaves your network.  The furthest it should reach is your router and then back into the network.  This of course required them to make some changes to their routers, etc., but for them it was acceptable.

    Thanks,

    Richard


    Richard Brynteson, Avtex, Lync MCM, Blog - www.masteringlync.com

    Monday, October 14, 2013 4:30 PM
  • Richard, thanks for the letter.

    So, there is no other way than:

    a second FE pool + a second Edge server (with connectivity allowed between both edges). Right?

    thank you in advance.

    Vladimir.

    Monday, October 14, 2013 8:08 PM
  • You would run into problems even with two front-ends and two edge servers. The product isn't designed to do this. So let's say you did this:

    - Pool01 (for internet users)
    - Edge01 (internet side)
    - Pool02 (for MPLS users)
    - MplsEdge01 (MPLS side)

    So the problem would be in this scenario.  A user on Pool01 calls a user who is homed on Pool02 but who is external on the MPLS Edge network.  User A is going to include Edge01's public AV IP for connectivity.  User B on Pool02 would include the MPLS AV edge IP.

    So you would need to have the Public AV IP on Edge01 be able to communicate directly to MplsEdge01 Private AV IP.  So you would still need that routing to happen.

    Thanks,

    Richard


    Richard Brynteson, Avtex, Lync MCM, Blog - www.masteringlync.com

    Monday, October 14, 2013 8:28 PM
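The candidate/routing problem Richard walks through in his two replies above (one pool with a single media edge association, and the two-pool/two-edge variant), as an added example that is not part of the thread. The script builds a constructed SDP offer for a caller: a host candidate with the caller's LAN address and a relay candidate carrying the A/V Edge address of whichever edge pool the Front End is associated with. It then checks, for each callee population, which of those candidates the callee can actually route to. All addresses, prefixes and SDP text are constructed for illustration (203.0.113.3 stands in for Edge01's public A/V IP, 172.16.5.3 for MplsEdge01's private A/V IP, 10.1.1.50 for an internal caller); the candidate lines use RFC 5245 syntax, not Lync's exact wire format, and the routing views are simplified assumptions, not measured from any real deployment.

```python
"""Added example (not from the thread): why one media-edge association per
Front End pool cannot serve both Internet and MPLS callers.

The relay candidate in the caller's SDP offer carries the A/V Edge address of
the edge pool the caller's Front End pool is associated with. A callee who
cannot route to that address, and who also cannot reach the caller's host
candidate, has no usable path and the A/V call fails.

All IPs, prefixes and SDP lines are constructed for illustration.
"""
import ipaddress
import re

# RFC 5245-style candidate line:
# a=candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)"
)

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed routing views (assumption): the prefixes a callee on each
# private-side network can reach. Internet callees are handled separately:
# they reach anything outside RFC 1918 space.
CLIENT_ROUTES = {
    # MPLS sites treated as untrusted: routed only to the edge's MPLS-facing DMZ subnet.
    "mpls": [ipaddress.ip_network("172.16.5.0/24")],
    # Variant where the MPLS sites are also routed straight into the LAN,
    # i.e. media would flow directly to internal clients across the firewall.
    "mpls_routed_to_lan": [ipaddress.ip_network("172.16.5.0/24"), ipaddress.ip_network("10.0.0.0/8")],
}
NETWORKS = ("internet",) + tuple(CLIENT_ROUTES)


def reachable_from(network, ip):
    """True if a callee on `network` has a route to `ip` under the constructed views."""
    if network == "internet":
        return not any(ip in p for p in RFC1918)
    return any(ip in p for p in CLIENT_ROUTES[network])


def parse_candidates(sdp):
    """Extract ICE candidates from an SDP body as dicts with typed address/port/priority."""
    cands = []
    for line in sdp.splitlines():
        m = CANDIDATE_RE.match(line.strip())
        if m:
            c = m.groupdict()
            c["address"] = ipaddress.ip_address(c["address"])
            c["port"] = int(c["port"])
            c["priority"] = int(c["priority"])
            cands.append(c)
    return cands


def build_offer(caller_host_ip, relay_ip):
    """Constructed SDP offer: the caller's own host candidate plus a relay
    candidate allocated on the A/V Edge its Front End pool is associated with."""
    return "\n".join([
        "v=0",
        "o=- 1 1 IN IP4 " + caller_host_ip,
        "s=-",
        "m=audio 50000 RTP/AVP 0",
        "c=IN IP4 " + caller_host_ip,
        "a=candidate:1 1 UDP 2130706431 %s 50000 typ host" % caller_host_ip,
        "a=candidate:2 1 UDP 1694498815 %s 3478 typ relay" % relay_ip,
    ])


def usable_candidates(sdp, callee_network):
    """Candidate types in the offer that the callee can route to, highest priority first."""
    cands = sorted(parse_candidates(sdp), key=lambda c: -c["priority"])
    return [c["type"] for c in cands if reachable_from(callee_network, c["address"])]


def evaluate_edge(relay_ip, caller_host_ip="10.1.1.50"):
    """For one media-edge association, report per callee network which candidate
    types work. An empty list means that callee population cannot set up A/V."""
    offer = build_offer(caller_host_ip, relay_ip)
    return {net: usable_candidates(offer, net) for net in NETWORKS}


if __name__ == "__main__":
    # 203.0.113.3 stands in for Edge01's public A/V IP, 172.16.5.3 for MplsEdge01's.
    for label, relay in (("Edge01 (public AV)", "203.0.113.3"), ("MplsEdge01 (private AV)", "172.16.5.3")):
        print(label, evaluate_edge(relay))
```

Run as-is and the public-edge association leaves the "mpls" population with no usable candidate, while the private-edge association does the same to "internet"; there is no single relay address both can reach, which is the point of both of Richard's replies. The "mpls_routed_to_lan" view shows the trade-off the thread ends on: giving the MPLS sites a route into the LAN makes the host candidate usable, but that is direct client-to-client media through the firewall rather than via the Edge.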
  • Richard,

    Thanks for the update. So there is no other way than using parallel traffic flows (one path for data/chat and another for A/V conferencing).

    I do not want to create a Lync branch office since there are only 2-4 people in a few offices.


    Tuesday, October 15, 2013 8:27 AM
  • Can't you just have all DNS records for the MPLS point to the public IPs? Maybe you can test this by putting those public IPs in the hosts file so av.domain.com goes to your public IP.
    Tuesday, October 15, 2013 8:57 AM
  • You have not read from the beginning.

    I said that I would like to avoid using the public Internet for MPLS users.

    Vladimir.

    Tuesday, October 15, 2013 11:51 AM
  • Just in theory, what would happen in this case?

    As far as I know, traffic will be delivered directly, so we would have to open many firewall ports between LAN and MPLS, right?

    Monday, October 21, 2013 11:25 AM