Active Directory and Lync Standard

In this article I set up the Edge server role in a DMZ, separated by firewalls from the Front End. All servers were installed with Windows Server 2008 R2 Service Pack 1; Lync Server Standard Edition was configured with the SIP domain home.com.br, and the Active Directory domain FQDN is home.intranet.


The servers were configured as follows:

Server Name          Role                                                                          IP Address
                     Domain Controller and Certificate Authority
                     Lync Server Standard Edition
Hm10.home.intranet   TMG 2010; filters packets between the internal network and DMZ 1             IP1: / DMZ1:
HmRV.home.dmz        TMG 2010 configured as Reverse Proxy; filters packets between DMZ 1 and DMZ 2   DMZ1: / DMZ2:
                     Lync Server Edge Server (not a member of the domain)                          DMZ1: / DMZ2:
                     Internet firewall, with NAT active                                            DMZ2: / Internet:

The Lync Server pool was updated with Cumulative Update 4 using the procedure in the article Update Lync Server Pool with Cumulative Update 4.
On the domain controller a DNS zone called home.com.br was created with the following records:

Record Type    IP Address / Value
SRV            Service: _sipinternaltls   Protocol: tcp   Port: 5061

In the Active Directory zone home.intranet a record was created for the Edge server.

This Address (A) record resolves the FQDN HmEdge.home.intranet to the IP address configured on the internal network card of the server. In the Internet DNS the following records were created to serve the Edge Server:

Public URL                            Target / Port            Record Type
_sip._tls.home.com.br                 sip.home.com.br:443      SRV
_sipfederationtls._tcp.home.com.br    sip.home.com.br:5061     SRV

Internal Firewall

The internal firewall Hm10.home.intranet runs Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.
The following protocols and ports must be allowed between the internal network and the internal network adapter of the Edge server.

Port        Source Network                                      Destination Network              Purpose
4443/TCP    Back End Server Role                                Edge Server Role                 Replication of the Central Management Store to the Edge Server local store (CMS Replica)
5062/TCP    Front End Server Role                               Edge Server Role                 Authentication session traffic (MRAS Authentication)
443/TCP     Front End Server Role / Edge Server Role / Internal Network   Front End Server Role / Edge Server Role   HTTPS traffic; must be allowed in both directions between the Front End Server and the Edge
3478/UDP    Front End Server Role / Edge Server Role / Internal Network   Front End Server Role / Edge Server Role   Audio and video sessions (AV Traffic); must be allowed in both directions between the Front End Server and the Edge
5061/TCP    Front End Server Role / Edge Server Role            Front End Server Role / Edge Server Role   Secure SIP (SIP/TLS); must be allowed in both directions between the Front End Server and the Edge
8057/TCP    Front End Server Role                               Edge Server Role                 Web Conferencing service client sessions (WebConf Traffic)

For this article I will demonstrate the rules I created in TMG, step by step. I set up two network entities on the firewall:

Internal - represents all the IP addresses of the internal network
Network DMZ 1 - represents all the IP addresses of the DMZ network

Between the two there is a network relationship of type Route; this means that I have NAT active between the DMZ and the internal network.
The IP addresses are configured on the firewall's Ethernet adapters: the internal network card has no gateway address configured, and the network card connected to the DMZ is configured with the gateway, which is the second TMG, configured as Reverse Proxy, that routes and filters between DMZ 1 and DMZ 2.

Two network objects were created:
Front End / Back End

Edge Server

These objects are used in the port rules between Lync Server Standard and the Edge Server.
Then the protocols were created: in the TMG console, on the Toolbox tab, create a new protocol.

The following protocols were created:
MRAS Authentication
Port: 5062 
Protocol: TCP 

CMS Replica:
Port: 4443 
Protocol: TCP 
Direction: Outgoing

WebConf Traffic
Port: 8057 
Protocol: TCP 

AV Traffic
Port: 3478 
Protocol: UDP 

With the protocols and objects created, only the rules that allow the traffic are missing. Open the Tasks tab in the TMG management console and click Create Access Rule.

Three access rules were created:
Rule 1: Internal Network Access to Edge, allowing the HTTPS and AV Traffic protocols from internal network clients to the Edge Server

Rule 2: Front End to Edge Server Communication, allowing the HTTPS, SIPS and AV Traffic protocols in both directions between Lync Standard and the Edge Server

Rule 3: Front End Access, allowing the CMS Replica, MRAS Authentication and WebConf Traffic protocols originating from Lync Standard to the Edge Server

To make it easier to test routing between the DMZ and the Internal Network, I created a rule allowing ping.
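A ping rule only proves that routing works; it says nothing about the per-port rules above. The following script, added here as an example and not part of the original article, is run on the Front End and tests each TCP port the rules allow towards the internal interface of the Edge. The Edge FQDN and the port list are the article's; the function name, the timeout and the result labels are this example's own choices. It uses a raw TcpClient so that it works on Windows Server 2008 R2 with PowerShell 2.0. 3478/UDP (AV Traffic) is deliberately not covered, because a bare UDP probe cannot distinguish "open" from "filtered".

```powershell
# Added example, not from the original article: tests from the Front End
# whether the TCP ports allowed on the internal TMG reach the internal
# interface of the Edge server. A Timeout points at the firewall rule; a
# Refused result means the rule passes traffic but no Edge service is
# listening yet (expected before the Edge services are installed).

$EdgeInternalFqdn = 'HmEdge.home.intranet'

# Ports the article allows from the Front End / Back End towards the Edge
$PortsToEdge = @(
    @{ Port = 5061; Purpose = 'SIP/TLS' },
    @{ Port = 4443; Purpose = 'CMS Replica' },
    @{ Port = 5062; Purpose = 'MRAS Authentication' },
    @{ Port = 8057; Purpose = 'WebConf Traffic' },
    @{ Port = 443;  Purpose = 'HTTPS' }
)

function Test-TcpPort {
    param(
        [string]$ComputerName,
        [int]$Port,
        [int]$TimeoutMs = 3000    # assumption: 3 s is plenty across the DMZ link
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # Neither SYN/ACK nor RST came back: the firewall is dropping packets
            return 'Timeout (filtered)'
        }
        $client.EndConnect($async)   # throws on an active refusal (RST)
        return 'Open'
    } catch [System.Net.Sockets.SocketException] {
        # The firewall passed the packet, but nothing is listening on the Edge
        return 'Refused (no listener)'
    } catch {
        return "Error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

foreach ($entry in $PortsToEdge) {
    $state = Test-TcpPort -ComputerName $EdgeInternalFqdn -Port $entry.Port
    '{0,-20} {1,5}/TCP  {2}' -f $entry.Purpose, $entry.Port, $state
}
```

Run it once after the TMG rules are in place (every port should report Refused or Timeout, and a Timeout identifies a rule that is not matching) and again after the Edge services have been started, when every port should report Open.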

Configuring the External Access Policy

To allow users to connect through the Edge Server, the external access policy must be changed.
Log in to the Lync management console, open the External User Access page and click the Access Edge Configuration tab. Edit the default Global policy.

Select Enable remote user access and save the changes.

Creation of the Edge Pool

To create the Edge pool, start Topology Builder and select Download Topology from existing deployment.

Select the Edge pools folder and click New Edge Pool....

The Edge pool setup wizard starts; proceed to configure the service.

Select Single computer pool and set the internal FQDN of the Edge Server, in this case HmEdge.home.intranet (this record must be created manually in the Active Directory DNS zone).

I set up the Edge behind a NAT, so I selected The external IP address of this Edge pool is translated by NAT.

Set the FQDNs that will be used and the port of each service:
Sip.home.com.br  443
WebConf.home.com.br  443
AV.home.com.br  443

Set the IP address configured on the internal network card of the Edge.

Configure the IP addresses of the external network card of the Edge server.

Enter the public IP address configured on the Internet firewall.

Associate the new service with the existing pool.

Select the Front End pool and finish the wizard.

Back in Topology Builder, publish the changes to the topology.


With the pool set up and the changes published to the Central Management Store, export the configuration to a file to be used when installing the services on the target server. Start the Lync Server Management Shell and run the cmdlet
Export-CsConfiguration -FileName <file path>

Open the certificate server web portal and export the root certificate to a file.

I saved the two files in the folder C:\InstallEdge. Copy this folder to the server where the Edge Server services will be installed.

Configuring the Edge Server

The server on which the Edge Server services will be installed has two network cards, one configured on the DMZ 1 network and the other on DMZ 2.

The internal network card was configured with an IP address on the DMZ 1 network; no gateway or DNS server was configured on this card.

The card configured with an IP address on the DMZ 2 network has as its gateway the address of the firewall that connects to the Internet, and an external DNS server.

The Edge server needs to access corporate network resources, but with this network configuration the server cannot route requests to that network.

This is because the server has no route to the corporate network, as the routing table shows:
route print

To allow the server to communicate with the corporate network you need to add a route to that network through the internal network adapter of the Edge Server. To identify which interface to use in the route add command, run ipconfig /all and note the physical address of the internal network card.

In the route print output identify the interface number that corresponds to the physical address noted. In this case the internal network card has interface ID 12.

Use the route add command to add the route, with the -p option so that the route is persistent and is not lost when the server restarts:
route -p add <destination network> mask <subnet mask> <gateway IP> if <interface number>

Set the DNS suffix of the Edge server; the DNS suffix must be identical to the DNS suffix of the Active Directory domain.
On the Computer Name tab, click Change, then More.

In the dialog box, set the Primary DNS suffix of this computer to the same suffix as the Active Directory domain. Do not forget to create a record in the DNS zone home.intranet pointing to the IP of the Edge server; you need to enter it manually on the DNS server, because the Lync Edge is not part of the Active Directory domain.

Configure the hosts file of the server and add the FQDN and IP address of the domain controller and of the Lync Server Standard:
C:\Windows\System32\drivers\etc\hosts
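The route and hosts file steps above can be scripted so that the interface index is looked up from the physical address instead of read by eye from route print. The script below is an added example, not part of the original article: the MAC address, networks, gateway and host entries are placeholders, because the article does not list them, and the verification at the end mirrors the ping test the article performs. Run it from an elevated PowerShell prompt on the Edge server.

```powershell
# Added example, not from the original article: adds the persistent route
# through the internal card, appends the hosts entries and verifies both.
# All addresses below are placeholders; replace them with your own values.

$InternalNicMac = '00-15-5D-00-00-01'   # placeholder: physical address from ipconfig /all
$CorpNetwork    = '10.10.0.0'           # placeholder: corporate (Active Directory) network
$CorpNetmask    = '255.255.0.0'         # placeholder
$DmzGateway     = '172.16.1.1'          # placeholder: DMZ 1 address of the internal TMG (Hm10)

# Placeholder hosts entries for the domain controller and the Lync Standard server
$HostsEntries = @(
    '10.10.0.10   hmdc.home.intranet',
    '10.10.0.20   hmlync.home.intranet'
)

# Interface index of the card with that MAC: the "IF" value that route print shows.
# WMI reports MACs with colons, ipconfig with dashes, so normalise before comparing.
$nic = Get-WmiObject Win32_NetworkAdapter |
    Where-Object { $_.MACAddress -and (($_.MACAddress -replace ':', '-') -ieq $InternalNicMac) }
if (-not $nic) { throw "No network adapter with MAC $InternalNicMac" }
$ifIndex = $nic.InterfaceIndex

# Persistent route (-p) to the corporate network, bound to the internal card only
route -p add $CorpNetwork mask $CorpNetmask $DmzGateway if $ifIndex

# Append the hosts entries, skipping any that are already present
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$existing  = Get-Content $hostsPath
foreach ($entry in $HostsEntries) {
    if ($existing -notcontains $entry) { Add-Content -Path $hostsPath -Value $entry }
}

# Verify: the route is in the table and both servers answer a ping by FQDN
route print | Select-String -SimpleMatch $CorpNetwork
foreach ($entry in $HostsEntries) {
    $fqdn = ($entry -split '\s+')[1]
    if (Test-Connection -ComputerName $fqdn -Count 1 -Quiet) { "$fqdn reachable" }
    else { "$fqdn NOT reachable" }
}
```

Binding the route to the interface index matters on a dual-homed server: without it, Windows may pick the external card (the one with a default gateway) for the corporate network, and the traffic would then leave through the Internet firewall instead of the internal TMG.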

Copy the folder with the root certificate of the certification authority and the configuration file generated on the Front End server to the root of the drive.

Start a management console by running mmc from Run, and add the Certificates snap-in.

Select Computer account.

Select Local computer.

In the console, right-click Trusted Root Certification Authorities, select All Tasks and click Import.

Select the root certificate and close the console.

With the route change and the hosts file in place, a ping to the Lync Standard server by FQDN completes successfully.

Before proceeding with the installation of the Edge Server services it is recommended to restart the server so that all the changes made are applied.

Installation of the Edge Server Services

Creation of the Local Configuration Store

To start the service installation, mount the Lync Server installation media on the Edge Server and start the installation wizard. The wizard installs Visual C++ 2008.

Then install the Lync Server core components.

In the installation wizard click Install or Update Lync Server System.

Start the first step, Install Local Configuration Store.

Select the file created with Export-CsConfiguration.

Verify that no error occurred and complete the first step.

Start the second step, Setup or Remove Lync Server Components.

Installation of Services and Components

Proceed to begin the installation.

Verify that no errors were logged and complete the second step.

Creation of Digital Certificates

In the third step the wizard configures the digital certificates used in communication with clients and with the other servers in the pool.
Click Run to start Request, Install or Assign Certificates.

Select Edge internal to issue the certificate used on the internal network card. Click Request.

The certificate wizard starts.

Select Prepare the request now, but send it later (offline certificate request). This option generates a request file to be submitted to the certification authority.

Select the file path.
Do not change any setting in Certificate Template.

Set a Friendly Name for the certificate and check Mark the certificate's private key as exportable. The Friendly Name can be any name; this value does not change any functionality of the certificate.

Configure the organization's information in the certificate.

Configure the geographic information.

The Subject Name must be configured with the FQDN created in the Active Directory DNS zone.

It is not necessary to add any Subject Alternative Names.

Make sure all the information is correct, then finish the wizard.

Back in the Certificate Wizard, select External Edge certificate and click Request.

The process is the same as for the internal certificate; only the file name of the request changes,

and the names that will be configured in the certificate: the wizard adds the names configured for the services in the Standard pool.

At the end of the process we have two request files used to generate the digital certificates; copy both to a server on the internal network.

The contents of the two files look similar.

Open the Certificate Enrollment web pages; in this environment the domain controller has the enterprise certification authority installed. Click Request a certificate.

Select advanced certificate request.

Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

In Saved Request, copy the contents of a request file and paste it there. In Certificate Template select Web Server and click Submit.

Save the certificate generated by the portal to a file and repeat the process for the external network certificate.

The destination folder now contains the two issued certificates.

Copy the folder to the Edge server, open the management console with the Certificates snap-in for the local computer, and import the two certificates.

Select the file path.

The imported certificates should be listed as follows; the private keys must be part of the certificates so that they can be used by the Edge Server services.
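The most common reason the Assign step fails later is a certificate imported without its private key, or an external certificate that lacks one of the service names. The script below, added here as an example and not part of the original article, inspects the local computer's personal store and reports both conditions. The internal subject name and the three external names are the ones the article configures; identifying the external certificate by the sip.home.com.br entry in its Subject Alternative Name is this example's assumption.

```powershell
# Added example, not from the original article: after importing the two
# certificates into the local computer store, checks that each one has its
# private key, is not expired, and carries the names configured in the
# Topology Builder wizard.

$InternalEdgeName  = 'HmEdge.home.intranet'
$ExternalEdgeNames = @('sip.home.com.br', 'webconf.home.com.br', 'av.home.com.br')

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 is the Subject Alternative Name extension; Format($true)
    # renders it as one "DNS Name=<fqdn>" line per entry
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    $ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $matches[1].Trim() }
    }
}

function Test-EdgeCertificates {
    $results = @()
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $cn  = $cert.GetNameInfo('SimpleName', $false)
        $san = @(Get-SanDnsNames -Cert $cert)

        if ($cn -ieq $InternalEdgeName)              { $role = 'Edge internal' }
        elseif ($san -contains 'sip.home.com.br')   { $role = 'Edge external' }   # assumption
        else                                         { continue }                 # unrelated certificate

        $problems = @()
        if (-not $cert.HasPrivateKey)      { $problems += 'private key missing' }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }
        if ($role -eq 'Edge external') {
            foreach ($name in $ExternalEdgeNames) {
                if ($san -notcontains $name) { $problems += "SAN lacks $name" }
            }
        }
        $status = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'OK' }
        $results += New-Object PSObject -Property @{
            Role = $role; Subject = $cn; Thumbprint = $cert.Thumbprint; Status = $status
        }
    }
    return $results
}

Test-EdgeCertificates | Format-Table Role, Subject, Status -AutoSize
```

If a certificate shows "private key missing", it was imported from the issued .cer alone; import it again on the machine where the request was generated (the private key lives in that machine's store) or export it from there as a PFX with the key, which is why the article marks the key as exportable.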

Return to the Lync installation wizard, to the Certificate Wizard tab. Select Edge internal and click Assign.

Proceed to begin the certificate assignment.

Select the certificate generated for the internal network card.

Verify that the certificate information and the FQDN are correct and start the import.

Verify that no errors occurred and finish the wizard.

Back in the Certificate Wizard, perform the same procedure, this time selecting the External Edge certificate,

and check the certificate generated for the external network.

Starting the Lync Edge Services

Run the Start Services step to start all the services on the Edge.

Open the Services management console and make sure that all the services have been created.

Replication Between Edge and Back End Server

On the Edge Server the wizard created a shared folder called replica-xds. Topology changes and the replication data needed by the Edge are written to this folder by the Back End replication service, and the services installed on the Edge apply the necessary changes.

To start the replication process from the Back End to the Local Store on the Edge server, run the cmdlet

This forces the entire topology to be checked for updates on the Back End. After running the command, use the cmdlet:

Depending on the size of the environment and the link between the server roles, the status of the servers can take a while to update; in a simple environment with one Standard pool and one Edge Server the update takes less than a minute. If all settings were applied successfully the status should be updated to:

Publication of the Edge Server 

To publish the services to clients on the Internet, the following firewall ports must be opened from the Internet to the external network cards of the Edge server.

Ports 50000-59999/TCP and 50000-59999/UDP are only necessary if federation with Office Communicator 2007 and Live Messenger is configured.


This article was originally written by:
Fernando Lugão Veltem
@flugaoveltem