A Lync Edge server is what gives your Lync infrastructure external access (unless you are one of those people or companies that prefer to use a VPN). Lync Edge is designed to provide the following features:
- Lync Access for Remote users
- Connection with Federated companies
- Connection with Public IM
Prerequisites & Considerations:
There are a number of things you need to consider and do on the machine that will run the Lync Edge role:
- The Lync Edge machine should not be joined to the domain.
- The Lync Edge machine should have two network cards: an external NIC (eNIC) connected to the Internet, and an internal NIC (iNIC) connected to the internal network.
- The eNIC should have a gateway and DNS configured on it.
- The iNIC should NOT have a gateway configured on it.
- Add the FQDNs and IP addresses of your Domain Controller and Lync Front Ends to the hosts file on the Lync Edge machine.
- Your DNS suffix should be added to your Lync Edge machine.
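The prerequisites above are easy to get slightly wrong (a leftover default gateway on the iNIC is the classic one). The following pre-flight script is an added example, not code from the original post; it checks each item on the Edge machine itself. It assumes the NICs are named "iNIC" and "eNIC", that the NetTCPIP cmdlets are available (Windows Server 2012 or later), and the Domain Controller and Front End names and IPs in the hosts table are placeholders you replace with your own.

```powershell
# Added example (not from the original post): pre-flight check for a Lync Edge machine.
# Assumptions: NIC aliases below match your adapters; NetTCPIP cmdlets (Server 2012+) are present;
# the DC / Front End entries are placeholders, not values from the post.
$InternalNicAlias = 'iNIC'
$ExternalNicAlias = 'eNIC'
$DnsSuffix        = 'lyncdude.net'
$RequiredHosts = @{                               # FQDN -> internal IP that must be in the hosts file
    'dc01.lyncdude.net'      = '192.168.1.10'     # placeholder
    'lync-fe01.lyncdude.net' = '192.168.1.20'     # placeholder
}

$findings = @()

# 1. The Edge must be a workgroup member, never domain-joined
$cs = Get-CimInstance Win32_ComputerSystem
if ($cs.PartOfDomain) { $findings += "Machine is joined to domain '$($cs.Domain)'; Edge must not be domain-joined." }

# 2. Two active network adapters
$nics = @(Get-NetAdapter | Where-Object Status -eq 'Up')
if ($nics.Count -lt 2) { $findings += "Expected two active NICs, found $($nics.Count)." }

# 3. eNIC needs a default gateway and DNS servers
$eGw  = Get-NetRoute -InterfaceAlias $ExternalNicAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
$eDns = (Get-DnsClientServerAddress -InterfaceAlias $ExternalNicAlias -AddressFamily IPv4).ServerAddresses
if (-not $eGw)  { $findings += "eNIC '$ExternalNicAlias' has no default gateway." }
if (-not $eDns) { $findings += "eNIC '$ExternalNicAlias' has no DNS servers configured." }

# 4. iNIC must NOT have a default gateway (internal routes go via the hosts file / static routes)
$iGw = Get-NetRoute -InterfaceAlias $InternalNicAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($iGw) { $findings += "iNIC '$InternalNicAlias' has a default gateway ($($iGw.NextHop)); remove it." }

# 5. hosts file must resolve the DC and Front End FQDNs
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostLines = Get-Content $hostsPath | Where-Object { $_ -notmatch '^\s*#' }
foreach ($fqdn in $RequiredHosts.Keys) {
    $ip   = $RequiredHosts[$fqdn]
    $hit  = $hostLines | Where-Object { $_ -match "^\s*$([regex]::Escape($ip))\s+.*\b$([regex]::Escape($fqdn))\b" }
    if (-not $hit) { $findings += "hosts file lacks the entry '$ip $fqdn'." }
}

# 6. Primary DNS suffix (stored as 'NV Domain' under Tcpip\Parameters on a workgroup machine)
$suffix = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').'NV Domain'
if ($suffix -ne $DnsSuffix) { $findings += "Primary DNS suffix is '$suffix', expected '$DnsSuffix'." }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'All Lync Edge prerequisites are satisfied.' }
```

Run it in an elevated PowerShell session on the Edge machine before starting the Deployment Wizard; each warning maps to one bullet in the list above.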
This part depends on your infrastructure. Of the two most common scenarios, the more secure and recommended one has an eDMZ and an iDMZ in front of your internal network; that is what I use in my lab, which has 3 subnets:
- Internal Server VLAN 192.168.1.0/24
- Internal DMZ (iDMZ) 172.16.1.0/24
- External DMZ (eDMZ) 10.10.1.0/24
So I have my DC and Lync Front End in the 192.168.1.0 subnet, isolated from the DMZ by the firewall, and I will deploy the Lync Edge in the DMZ so that the iNIC is connected to the iDMZ and the eNIC is connected to the eDMZ.
On the eNIC connected to the eDMZ I will have 3 IP addresses on the 10.10.1.0 subnet, which will be NATed to 3 public IP addresses; on the iNIC connected to the iDMZ I have 1 IP address on the 172.16.1.0 subnet:
| Service | iDMZ IP-address | eDMZ IP-address | Public IP-address |
Here is a diagram for a better understanding of my deployment:
On the Edge server a certificate is used on both network interfaces, but the certificate used on the external interface needs to be issued by a trusted public CA.
The good thing about Lync is that you can use one certificate for all Edge roles as long as it has the correct names in it.
A number of things to consider when ordering your public certificate:
- The subject name of the certificate needs to be the name of the Access Edge service, e.g. access.lyncdude.net or sip.lyncdude.net.
- The first SAN should also be the name of the Access Edge service; the other services follow.
- Create the certificate with an exportable private key.
- Make sure to include sip.domain.com in the certificate for each SIP domain you have in your deployment.
The following screenshot is taken from my lab; I have an Edge pool called Lync-pool02.lyncdude.net with two Edge servers deployed in it.
I ordered one certificate with the Access Edge service name as the subject name (SN) and all the other required web service names as SANs in the certificate.
Your certificates should be something similar to those two 🙂
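Once the public CA has returned the certificate and you have imported it, it is worth checking it against the four rules above before assigning it in the Deployment Wizard. The script below is an added example, not code from the original post. It assumes the certificate is already in the Local Machine personal store, uses access.lyncdude.net from the lab above as the Access Edge name, and treats the SIP domain list as a placeholder you fill in.

```powershell
# Added example (not from the original post): validate an Edge certificate against the naming rules.
# Assumptions: certificate is in Cert:\LocalMachine\My; Access Edge FQDN from the post's lab;
# $SipDomains is a placeholder list, not taken from the post.
$AccessEdgeFqdn = 'access.lyncdude.net'
$SipDomains     = @('lyncdude.net')   # placeholder: list every SIP domain in your deployment

$findings = @()

# Rule 1: subject name must be the Access Edge service name (the lookup enforces it)
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "^CN=$([regex]::Escape($AccessEdgeFqdn))(,|$)" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$AccessEdgeFqdn found in Cert:\LocalMachine\My" }

# Pull the DNS names out of the Subject Alternative Name extension (OID 2.5.29.17), keeping their order
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    # Format($false) renders e.g. "DNS Name=access.lyncdude.net, DNS Name=sip.lyncdude.net"
    $sans = @($sanExt.Format($false) -split ',\s*' | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
    })
}

# Rule 2: the first SAN must also be the Access Edge service name
if ($sans.Count -eq 0) {
    $findings += 'Certificate has no Subject Alternative Name extension.'
} elseif ($sans[0] -ne $AccessEdgeFqdn) {
    $findings += "First SAN is '$($sans[0])', expected '$AccessEdgeFqdn'."
}

# Rule 3: the private key must be exportable (.PrivateKey is only populated for legacy CSP keys)
if (-not $cert.HasPrivateKey) {
    $findings += 'Certificate has no private key.'
} elseif ($null -eq $cert.PrivateKey) {
    $findings += 'Private key is CNG-based; exportability could not be read via CspKeyContainerInfo.'
} elseif (-not $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
    $findings += 'Private key is not marked exportable.'
}

# Rule 4: one sip.<domain> SAN for every SIP domain in the deployment
foreach ($d in $SipDomains) {
    if ($sans -notcontains "sip.$d") { $findings += "SAN list is missing sip.$d." }
}

# External interface requirement: the chain must validate to a trusted root on this machine
if (-not $cert.Verify()) { $findings += 'Certificate chain does not validate to a trusted root CA.' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Certificate $($cert.Thumbprint) satisfies the Edge certificate rules." }
```

If the private key was generated through the Lync certificate wizard as a CNG key, the exportability check reports that it cannot be read rather than guessing; confirm it in the certificate's properties in the MMC instead.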
So my lab crashed 🙂 I’m rebuilding it to take the required screenshots, so we have to wait for part 2.