external NIC

  • Question

  • We are in the middle of deploying our edge server. I have some questions about the External NIC

    My understanding is that the External NIC is an additional NIC assigned to the particular Edge server; hence my Edge server will have 2 NICs, one internal and one external? Please correct me if I am wrong.

    Does the External NIC have any implications with our Public Certificates?

    Thank You in advance.

    Philip

    Sunday, November 13, 2011 1:14 PM

Answers

  • I have to respectfully disagree with the recommendations above. You do not have to have 3 separate NICs on the Edge server. The supported requirement is to have two interfaces: one internal and one external. Deploying an Edge Server with a single interface is not really supported (see the articles linked in the next paragraph) and is never recommended. Additionally, 3 or 4 interfaces can be used, but this is rare, as depending on the deployment and the network it may be overkill.

    Look at the various blog articles on this page which discuss in detail Edge Server deployment best practices and supported configuration in OCS.  There are few changes to this in Lync Server so the NIC recommendations still hold true:
    http://blog.schertz.name/2010/06/pointbridge-posts-ocs-edge-server/


    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP
    • Proposed as answer by Noya Lau Wednesday, November 16, 2011 10:50 AM
    • Marked as answer by Noya Lau Wednesday, November 23, 2011 12:38 PM
    Sunday, November 13, 2011 2:13 PM

All replies

  • Hi,

    You need to have 3 separate NICs for the 3 FQDNs if you are going to deploy it with the recommended setup. When you are deploying the Edge server, it will ask you to specify the FQDN against the IP and the port. The public certificate gets assigned against the external interfaces.

    There's another method available where you can use a single NIC for external connectivity. This is a single IP with different ports, but you have to configure NAT on the firewall to route traffic from the WAN. Please go through the Edge server deployment document for more information.

    Thamara.

    Sunday, November 13, 2011 1:45 PM
  • @Jeff,

    When I mentioned a single NIC for external access, I meant that you can select the "Use a single FQDN & IP Address" option in the topology when you are deploying the Edge server, which was not there in OCS 2007 R2.

    Thamara.

    Sunday, November 13, 2011 7:37 PM
  • My Edge servers have 2 NICs. One externally facing (where my default gateway is configured) that I refer to as "pubic_edge" and one internal facing NIC (lync_internal_edge) that has a static route back to my internal pool.

    The public certificates will be installed on the Edge server(s) (access, AV, WC, Lync, etc.) as documented in the documentation requirements. There's a nifty tool in the Lync installer that does a half-way good job with that stuff (you'll still have to be versed in working with the CA snap-in because sometimes you have to stand on your head to get the certs imported, in my experience). Either way, you'll END the process with the Lync cert tool.

    The "external NIC" or whatever you were referring to doesn't affect your "public certs" as per my understanding of your question.

    Just, for the love of God, make sure that all of your internal certs are from the SAME CA if you're faced with that decision ... it just really makes things simpler. In our case, we generated offline certificate requests from our Edge (DMZ) servers to our internal CA (FQDN of the Edge servers that's in your topology in the cert req).

    Monday, November 14, 2011 9:39 PM
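The two-NIC layout described in the reply above (default gateway only on the external adapter, a static route to the internal pool on the internal adapter) can be sanity-checked from the Edge server itself. The script below is an added example, not code from the thread or from Microsoft; it uses WMI so it also runs on the Windows Server 2008 R2 / PowerShell 2.0 hosts of the Lync 2010 era. The internal pool subnet (10.10.0.0/16) is a placeholder parameter, not a value from the thread.

```powershell
# Added example (not from the thread): check the two-NIC Edge layout.
# Expected state: exactly two IP-enabled adapters; only one of them (external)
# carries a default gateway; the other (internal) has a persistent static route
# to the internal pool subnet on its own interface index.
param(
    [string]$InternalPoolNetwork = "10.10.0.0",    # placeholder, adjust to your pool subnet
    [string]$InternalPoolMask    = "255.255.0.0"   # placeholder
)

$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True")
$routes   = @(Get-WmiObject Win32_IP4RouteTable)

if ($adapters.Count -ne 2) {
    Write-Warning "Expected 2 IP-enabled adapters (internal + external), found $($adapters.Count)."
}

# The default gateway must live on exactly one adapter, the external one.
$withGateway = @($adapters | Where-Object { $_.DefaultIPGateway })
if ($withGateway.Count -ne 1) {
    Write-Warning "Exactly one adapter (external) should carry a default gateway; found $($withGateway.Count)."
}

foreach ($a in $adapters) {
    $role = if ($a.DefaultIPGateway) { "external" } else { "internal" }
    $ips  = @($a.IPAddress | Where-Object { $_ -notmatch ":" }) -join ", "   # IPv4 only
    "{0,-9} {1,-45} {2}" -f $role, $a.Description, $ips

    if ($role -eq "internal") {
        # No gateway here, so reachability to the pool depends on a static
        # route (route -p add ...) bound to this interface.
        $poolRoute = @($routes | Where-Object {
            $_.Destination -eq $InternalPoolNetwork -and
            $_.Mask -eq $InternalPoolMask -and
            $_.InterfaceIndex -eq $a.InterfaceIndex
        })
        if ($poolRoute.Count -eq 0) {
            Write-Warning "No static route to $InternalPoolNetwork/$InternalPoolMask on the internal adapter (InterfaceIndex $($a.InterfaceIndex))."
        }
    }
}
```

Run it in an elevated PowerShell session on the Edge server; a warning-free run with one line marked external and one marked internal matches the layout the reply describes.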
  • Hi Philip,

    You’re right. Two interfaces are required, either one 2-port 1 Gbps NIC or two 1-port 1 Gbps NICs.

    Microsoft Lync Server 2010 communications software supports the use of a single public certificate for the Access and Web Conferencing Edge external interfaces, plus the A/V Authentication service. The Edge internal interface typically uses a private certificate issued by an internal certification authority (CA), but can also use a public certificate, provided that it is from a trusted public CA. The reverse proxy in your deployment uses a public certificate and encrypts the communication from the reverse proxy to clients and from the reverse proxy to internal servers by using HTTPS (that is, Transport Layer Security over HTTP). Please also refer to this document; I hope it’s useful.

    Tuesday, November 15, 2011 2:29 AM
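Because one public certificate is expected to cover several external FQDNs (Access Edge, Web Conferencing Edge, A/V Edge), the practical check is whether the certificate in the Edge server's machine store actually lists every name as a Subject Alternative Name. The script below is an added example, not code from the thread or from Microsoft; the three FQDNs are placeholders, and it reads only the local machine store (no network access).

```powershell
# Added example (not from the thread): confirm that a certificate in
# Cert:\LocalMachine\My covers all required Edge external FQDNs via SAN (or CN).
$requiredNames = @(
    "sip.contoso.com",        # Access Edge external FQDN (placeholder)
    "webconf.contoso.com",    # Web Conferencing Edge external FQDN (placeholder)
    "av.contoso.com"          # A/V Edge external FQDN (placeholder)
)

function Get-SanNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Reads the SAN extension (OID 2.5.29.17) in its formatted text form and keeps
    # the DNS entries; this works on PowerShell 2.0, which lacks DnsNameList.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if (-not $ext) { return @() }
    @($ext.Format($false) -split ", " |
        Where-Object { $_ -like "DNS Name=*" } |
        ForEach-Object { ($_ -replace "^DNS Name=", "").ToLower() })
}

# Only certificates with a private key and still valid can be bound to an interface.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) })

foreach ($cert in $candidates) {
    $san = Get-SanNames $cert
    # The subject CN also counts as a covered name.
    $cnPart = ($cert.Subject -split ",\s*" | Where-Object { $_ -like "CN=*" }) | Select-Object -First 1
    $cn     = ([string]$cnPart -replace "^CN=", "").ToLower()
    $covered = @($san) + @($cn)

    $missing = @($requiredNames | Where-Object { $covered -notcontains $_.ToLower() })
    if ($missing.Count -eq 0) {
        "OK      {0}  ({1}) expires {2:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter
    } else {
        "MISSING {0}  ({1}) lacks: {2}" -f $cert.Thumbprint, $cert.Subject, ($missing -join ", ")
    }
}
```

A certificate reported as OK here is one the Lync certificate wizard can assign to the external Edge interfaces for all three services at once; a MISSING line tells you which name would have to be added to the request before the public CA reissues it.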