Overview

Active Directory and Lync Standard

In this article I deploy the Edge Server role in a DMZ separated by firewalls from the Front End. All servers run Windows Server 2008 R2 Service Pack 1. Lync Server Standard Edition was configured with the SIP domain home.com.br, and the Active Directory domain FQDN is home.intranet.
The servers were configured as follows:

Server Name          Role                                                                        IP Address
hm01.home.intranet   Domain Controller and Certificate Authority                                 192.168.1.200
hm02.home.intranet   Lync Server Standard Edition                                                192.168.1.201
hm10.home.intranet   TMG 2010 / packet filter between the internal network and DMZ 1             Internal: 192.168.1.250 / DMZ 1: 172.16.0.250
hmRV.home.dmz        TMG 2010 configured as Reverse Proxy / packet filter between DMZ 1 and DMZ 2   DMZ 1: 172.16.0.254 / DMZ 2: 10.0.0.251
hmEdge.home.dmz      Lync Server Edge Server (not a member of the domain)                        DMZ 1: 172.16.0.200 / DMZ 2: 10.0.0.200, 10.0.0.201, 10.0.0.202
Internet firewall    Firewall with NAT enabled                                                   DMZ 2: 10.0.0.254 / Internet: 223.0.0.1, 223.0.0.2, 223.0.0.3, 223.0.0.4
The Lync Server pool was updated with Cumulative Update 4 following the procedure in the article Update Lync Server Pool with Cumulative Update 4.
On the domain controller a zone named home.com.br was created with the following records:

Record Type   FQDN                               IP Address / Target
A             admin.home.com.br                  192.168.1.201
A             dialin.home.com.br                 192.168.1.201
A             meet.home.com.br                   192.168.1.201
A             sip.home.com.br                    192.168.1.201
SRV           _sipinternaltls._tcp.home.com.br   sip.home.com.br, port 5061

In the Active Directory zone home.intranet a record was created for the Edge server.

This A record resolves the FQDN HmEdge.home.intranet to the IP configured on the server's internal network card, 172.16.0.200. In the Internet DNS the following records were created to serve the Edge Server:

Public URL                           IP / Target              Record Type
sip.home.com.br                      223.0.0.1                A
WebConf.home.com.br                  223.0.0.2                A
AV.home.com.br                       223.0.0.3                A
_sip._tls.home.com.br                sip.home.com.br:443      SRV
_sipfederationtls._tcp.home.com.br   sip.home.com.br:5061     SRV
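An added example (not from the original article) that provisions the internal records of the two tables above with dnscmd on the domain controller hm01. It assumes an elevated prompt on hm01 or another server with the DNS Server tools; the Internet records are managed by the public DNS provider and are not covered here.

```powershell
# Added example: create the internal DNS records from the article's tables on the DC hm01.
# Assumes an elevated prompt on hm01 (or any server with the DNS Server tools installed).
$DnsServer = 'hm01.home.intranet'

# AD-integrated zone for the SIP domain home.com.br (skip if the zone already exists)
dnscmd $DnsServer /ZoneAdd home.com.br /DsPrimary

# A records pointing at the Lync Standard Edition server (192.168.1.201)
foreach ($name in 'admin', 'dialin', 'meet', 'sip') {
    dnscmd $DnsServer /RecordAdd home.com.br $name A 192.168.1.201
}

# SRV record for internal TLS sign-in: priority 0, weight 0, port 5061, target sip.home.com.br
dnscmd $DnsServer /RecordAdd home.com.br _sipinternaltls._tcp SRV 0 0 5061 sip.home.com.br.

# A record for the Edge's internal FQDN in the AD zone; the Edge is not domain-joined,
# so it never registers this name by itself
dnscmd $DnsServer /RecordAdd home.intranet HmEdge A 172.16.0.200

# Verify the records from a domain member
nslookup -type=SRV _sipinternaltls._tcp.home.com.br $DnsServer
nslookup sip.home.com.br $DnsServer
nslookup HmEdge.home.intranet $DnsServer
```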


Internal Firewall 

The internal firewall hm10.home.intranet runs Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.
The following protocols and ports must be opened between the internal network and the internal network adapter of the Edge server.

Port       Source network                                                Destination network                        Purpose
4443/TCP   Back End Server role                                          Edge Server role                           Replication of the Central Management Store to the Edge Server local store
5062/TCP   Front End Server role                                         Edge Server role                           Authentication session traffic (MRAS)
443/TCP    Front End Server role / Edge Server role / Internal network   Front End Server role / Edge Server role   HTTPS traffic; must be released in both directions between the Front End Server and the Edge
3478/UDP   Front End Server role / Edge Server role / Internal network   Front End Server role / Edge Server role   Audio and video sessions (A/V conferencing); must be released in both directions between the Front End Server and the Edge
5061/TCP   Front End Server role / Edge Server role                      Front End Server role / Edge Server role   Secure SIP (SIP/TLS) traffic; must be released in both directions between the Front End Server and the Edge
8057/TCP   Front End Server                                              Edge Server                                Client sessions (Web Conferencing)
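As an added verification (not part of the original article), the script below is run from the Front End server hm02 to confirm that the TMG rules let each TCP port in the table reach the Edge's internal interface. It assumes PowerShell 2.0 on Windows Server 2008 R2 and the Edge internal address 172.16.0.200 from the server table; 3478/UDP has no handshake and cannot be checked this way.

```powershell
# Added example: from the Front End (hm02), check each TCP port that the TMG rules must
# allow towards the Edge Server's internal interface. PowerShell 2.0 / .NET 3.5 compatible.
$EdgeInternal = '172.16.0.200'   # internal (DMZ 1) address of hmEdge from the server table
$Ports = @{
    4443 = 'CMS replication to the Edge local store'
    5062 = 'MRAS authentication'
    443  = 'HTTPS Front End <-> Edge'
    5061 = 'SIP/TLS Front End <-> Edge'
    8057 = 'Web Conferencing client sessions'
}

function Test-EdgePort([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    # Returns $true when a TCP handshake completes within the timeout, $false otherwise
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        # No answer within the timeout: the packet is being dropped (filtered)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)      # throws if the connection was refused
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($port in ($Ports.Keys | Sort-Object)) {
    $state = if (Test-EdgePort $EdgeInternal $port) { 'OPEN' } else { 'BLOCKED' }
    '{0,5}/TCP  {1,-8} {2}' -f $port, $state, $Ports[$port]
}
# 3478/UDP (A/V) cannot be tested with a connect; confirm it in the TMG firewall log
# while a client places an audio/video call through the Edge.
```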

In this article I will demonstrate, step by step, the rules I created in TMG. I defined two network entities in the firewall:

Internal - represents all the IPs of the internal network, 192.168.1.0 to 192.168.1.255
DMZ 1 - represents all the IPs of the DMZ 1 network, 172.16.0.0 to 172.16.0.255

Between the two there is a network relationship of type Route, which means that I have NAT active between the DMZ and the internal network.

The IPs are configured on the firewall's Ethernet adapters: the internal network card has no gateway address, and the card connected to DMZ 1 has the gateway 172.16.0.254, which is the second TMG, configured as Reverse Proxy, that routes and filters between DMZ 1 and DMZ 2.

Two network objects were created:
Front End / Back End
Edge Server

These objects will be used in the rules that release the ports between Lync Server Standard and the Edge Server.
Then the protocols were created: in the Toolbox tab of the TMG console, create a new protocol.

The following protocols were created:

MRAS Authentication
Port: 5062
Protocol: TCP
Direction:

CMS Replica
Port: 4443
Protocol: TCP
Direction: Outgoing

WebConf Traffic
Port: 8057
Protocol: TCP
Direction:

AV Traffic
Port: 3478
Protocol: UDP
Direction:

With the protocols and objects created, it only remains to create the rules that release the traffic. Open the Tasks tab in the TMG management console and click Create Access Rule.

Three access rules were created:

Rule 1: Internal Access to Edge - allows the HTTPS and AV Traffic protocols from internal network clients to the Edge Server.

Rule 2: Front End to Edge Server Communication - allows the HTTPS, SIPS and AV Traffic protocols in both directions between the Standard Edition server and the Lync Edge Server.

Rule 3: Front End Access - allows the CMS Replica, MRAS Authentication and WebConf Traffic protocols originating from Lync Standard to the Edge Server.

To facilitate testing of routing between DMZ 1 and the Internal Network, I created a rule allowing ping.

Configuring the External Access Policy

To allow users to connect through the Edge Server, the external access policy must be changed.
Log in to the Lync management console; on the External User Access page, click the Access Edge Configuration tab and edit the Global (default) policy.

Select Enable remote user access and save the changes.

Creating the Edge Pool

To create the Edge pool, start Topology Builder and select Download Topology from existing deployment.

Select the Edge pools folder and click New Edge Pool....

The Edge pool setup wizard starts; proceed to configure the service.

Select Single computer pool and set the internal FQDN of the Edge Server, in this case HmEdge.home.intranet (this record must be created manually in the Active Directory DNS zone).

I deployed the Edge behind NAT, so I selected The external IP address of this Edge pool is translated by NAT.

Set the FQDNs and the ports that will be used by each service:
Sip.home.com.br  443
WebConf.home.com.br  443
AV.home.com.br  443

Set the IP address configured on the Edge's internal network card:
172.16.0.200

Configure the IP addresses of the Edge server's external network card:
10.0.0.200
10.0.0.201
10.0.0.202

Enter the public IP configured on the Internet firewall.

Associate the new service with the existing pool.

Select the Front End pool and finish the wizard.

Back in Topology Builder, publish the topology changes.

With the pool published and the Central Management Store updated, export the configuration to a file to be used when installing the services on the target server. Start the Lync Server Management Shell and run the cmdlet:
Export-CsConfiguration -FileName <file path>

Open the certification authority's web portal and export the root certificate to a file.

I saved both files in the folder C:\InstallEdge. Copy this folder to the server where the Edge Server services will be installed.

Configuring the Edge Server

The server on which the Edge Server services will be installed has two network cards: one in DMZ 1 and the other in DMZ 2.

The internal network card was configured with an IP address in DMZ 1 and with no gateway or DNS server:
IP: 172.16.0.200/24

The card in DMZ 2 was configured with the Internet-facing firewall as its gateway and with an external DNS server.

The Edge server needs to reach resources on the corporate network, but with this network configuration it cannot route requests to the 192.168.1.0/24 network.

This is because the server has no route to the corporate network, as route print shows:
route print

To allow the server to communicate with the corporate network, add a route to 192.168.1.0/24 through the Edge Server's internal network adapter. To identify which interface to use in the route add command, run ipconfig /all and note the physical address of the internal network card.

In the output of route print, find the interface number (Interface List) that matches that physical address. In this case the internal network card has interface index 12.

Use route add to add the route, with the -p option so that the route is persistent and is not lost when the server restarts:
route -p add <destination network> mask <netmask> <gateway IP> if <interface index>

Set the DNS suffix of the Edge server; the DNS suffix must be identical to the DNS suffix of the Active Directory domain.
In the Computer Name tab, click Change and then More.

In the dialog box, set Primary DNS suffix of this computer to the same suffix as the Active Directory domain. Do not forget to create a record in the home.intranet DNS zone pointing to the Edge server's IP; this entry must be created manually on the DNS server because the Lync Edge is not a member of the Active Directory domain.

Configure the server's hosts file and add the FQDN and IP address of the domain controller and of the Lync Server Standard:
C:\Windows\System32\drivers\etc\hosts
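An added example (not part of the original article) that applies the route, DNS suffix and hosts file steps above in one PowerShell 2.0 script on the Edge server. It assumes the gateway for 192.168.1.0/24 is 172.16.0.250 (the DMZ 1 address of hm10 in the server table) and looks up the interface index through WMI instead of reading it from route print.

```powershell
# Added example: Edge host configuration for the route, hosts file and DNS suffix steps.
# Run from an elevated PowerShell 2.0 prompt on hmEdge; a restart is still required afterwards.
$InternalNicIp = '172.16.0.200'
$CorpNet  = '192.168.1.0'
$CorpMask = '255.255.255.0'
$Gateway  = '172.16.0.250'    # ASSUMPTION: DMZ 1 address of the internal TMG hm10 (server table)

# Find the interface index of the internal NIC instead of reading it from route print
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration |
       Where-Object { $_.IPAddress -contains $InternalNicIp }
if (-not $nic) { throw "No adapter holds $InternalNicIp" }
$ifIndex = $nic.InterfaceIndex

# Persistent route to the corporate network through the internal NIC
route -p add $CorpNet mask $CorpMask $Gateway if $ifIndex

# hosts entries for the domain controller and the Lync Standard server (the internal NIC has no DNS)
$HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$Entries = @{
    'hm01.home.intranet' = '192.168.1.200'
    'hm02.home.intranet' = '192.168.1.201'
}
foreach ($fqdn in $Entries.Keys) {
    if (-not (Select-String -Path $HostsFile -Pattern $fqdn -SimpleMatch -Quiet)) {
        Add-Content -Path $HostsFile -Value ("{0}`t{1}" -f $Entries[$fqdn], $fqdn)
    }
}

# Primary DNS suffix: the registry values the System Properties dialog writes (applied after restart)
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $TcpipParams -Name 'NV Domain' -Value 'home.intranet'
Set-ItemProperty -Path $TcpipParams -Name 'Domain'    -Value 'home.intranet'

# Checks: the route is present and the Front End answers by FQDN
route print $CorpNet
ping -n 2 hm02.home.intranet
```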
  

Copy the folder containing the CA root certificate and the configuration file generated on the Front End server to the root of the drive.

Start a management console by running mmc from Run, and add the Certificates snap-in.

Select Computer account.

Select Local computer.

In the console, right-click Trusted Root Certification Authorities, select All Tasks and click Import.

Select the root certificate and close the console.

With the route added and the hosts file in place, a ping of the Lync Standard server by FQDN completes successfully.

Before proceeding with the installation of the Edge Server services it is recommended to restart the server so that all the changes take effect.

Installing the Edge Server Services

Creation of the Local Configuration Store

To start the service installation, mount the Lync Server installation media on the Edge Server and start the setup wizard. The wizard installs Visual C++ 2008.

Then install the Lync Server core components.

In the setup wizard click Install or Update Lync Server System.

Start the first step, Install Local Configuration Store.

Select the file created with Export-CsConfiguration.

Verify that no error occurred and complete the first step.

Start the second step, Setup or Remove Lync Server Components.

Installation of Services and Components

Proceed to begin the installation.

Verify that no errors were logged and complete the second step.

Creation of Digital Certificates

In the third step the wizard configures the digital certificates used to communicate with clients and with the other servers in the pool.
Click Run to start Request, Install or Assign Certificates.

Select Internal Edge to issue the certificate used on the internal network card, and click Request.

Start the certificate wizard.

Select Prepare the request now, but send it later (offline certificate request). This option generates a request file to be submitted to the certification authority.

Select the file path.

Do not change any setting in Certificate Template.

Set a Friendly Name for the certificate and check Mark the certificate's private key as exportable. The Friendly Name can be any name; this value does not change any functionality of the certificate.

Configure the organization's information in the certificate.

Configure the geographic information.

The Subject Name must be set to the FQDN created in the Active Directory DNS zone (HmEdge.home.intranet).

It is not necessary to add any Subject Alternative Names.

Make sure all the information is correct and finish the wizard.

Back in the Certificate Wizard, select External Edge certificate and click Request.

The process is the same as for the internal certificate; only the file name of the request changes,

and the names configured in the certificate: the wizard adds the names configured for the services in the Standard pool.

At the end of the process we have two request files for generating the digital certificates; copy both to a server on the internal network.

The contents of the two files are similar.

Open the Web Certificate Enrollment site; in this setup the enterprise CA is installed on the domain controller. Click Request a certificate.

Select Advanced certificate request.

Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

In Saved Request, paste the contents of the request file. In Certificate Template select Web Server and click Submit.

The portal generates the certificate; save it to a file and repeat the process for the external network certificate.

The destination folder now holds the two issued certificates.

Copy the folder to the Edge server, open the management console with the Certificates snap-in for the local computer and import the two certificates.

Select the file path.

The imported certificates should be listed as follows; the private keys must be part of the certificates so that the Edge Server services can use them.

Return to the Lync installation wizard, to the Certificate Wizard tab. Select Edge Internal and click Assign.

Proceed to start assigning the certificate.

Select the certificate generated for the internal network card.

Verify that the certificate information and the FQDN are correct and start the import.

Verify that no errors occurred and finish the wizard.

Back in the Certificate Wizard, perform the same procedure, this time selecting External Edge Certificate,

and check the certificate generated for the external network.

Starting the Lync Edge Services

Perform the Start Services step to start all the services on the Edge.

Open the Services management console and make sure that all the Lync services have been created.

Replication Between Edge and Back End Server

On the Edge Server the wizard created a shared folder named replica-xds. The topology changes and replication data needed by the Edge are written to this folder by the Back End Replication Service, and the services installed on the Edge apply the necessary changes.

To start replication from the Back End to the local store on the Edge server, run the cmdlet:
Invoke-CsManagementStoreReplication

This forces the whole topology to check for updates from the Back End. After running it, use the cmdlet:
Get-CsManagementStoreReplication

Depending on the size of the deployment and the links between the server roles, the status of the servers can take a while to update; in a simple environment with a Standard Edition pool and an Edge Server the update takes less than a minute. If all settings were applied successfully the status should report the Edge replica as up to date (UpToDate: True).
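An added example (not from the original article) that runs the two cmdlets above from the Lync Server Management Shell and polls until every replica reports up to date, with a timeout so that a blocked 4443/TCP path surfaces as a warning instead of an endless wait.

```powershell
# Added example: force CMS replication and poll until every replica (including the Edge,
# listed by its internal FQDN HmEdge.home.intranet) reports UpToDate, with a 5-minute timeout.
Invoke-CsManagementStoreReplication

$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 15
    $replicas = Get-CsManagementStoreReplication
    $pending  = @($replicas | Where-Object { -not $_.UpToDate })
} while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)

$replicas | Format-Table ReplicaFqdn, UpToDate, LastStatusReport -AutoSize

if ($pending.Count -gt 0) {
    # A replica that never updates usually means 4443/TCP from the Back End to the Edge is blocked
    $names = ($pending | ForEach-Object { $_.ReplicaFqdn }) -join ', '
    Write-Warning "Replication still pending for: $names"
}
```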
  


Publishing the Edge Server

To publish the services to clients on the Internet, the following ports must be opened on the Internet firewall for the external network cards of the Edge server.

Ports 50000-59999/TCP and 50000-59999/UDP are necessary only if federation with Office Communicator 2007 and Live Messenger is configured.

Reference

This article was originally written by Fernando Lugão Veltem.
Blog: http://flugaoveltem.blogspot.com
Twitter: @flugaoveltem