Deploy & Configure Lync Edge Server – Part1 Preparation

Overview

A Lync Edge server is what you need to give your Lync infrastructure external access, unless you are one of those people or companies that prefer using a VPN. Lync Edge is designed to provide the following features:

  • Lync Access for Remote users
  • Connection with Federated companies
  • Connection with Public IM

Prerequisites & Considerations:

There are a number of things you need to consider and do on the machine that will be running the Lync Edge role:

  1. The Lync Edge machine should not be joined to the domain.
  2. The Lync Edge machine should have two network cards: an external NIC (eNIC) that is connected to the internet, and an internal NIC (iNIC) that is connected to the internal network.
  3. The eNIC should have a gateway and DNS configured on it.
  4. The iNIC should NOT have a gateway configured on it.
  5. Add the FQDNs and IP addresses of your Domain Controller and Lync Front Ends to the hosts file on the Lync Edge machine.
  6. Your DNS suffix should be added to your Lync Edge machine.
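
One way to audit the six prerequisites above with PowerShell on the Edge machine. This is an added example, not part of the original post; the subnet prefixes and DNS suffix are the lab values used in this post, and the host names dc01 and fe01 are hypothetical.

```powershell
# Added example: audits the six Edge prerequisites listed above. Run locally on the Edge machine.
param(
    [string]$InternalPrefix  = '172.16.1.',      # iDMZ subnet of the lab in this post
    [string]$ExternalPrefix  = '10.10.1.',       # eDMZ subnet of the lab in this post
    [string]$DnsSuffix       = 'lyncdude.net',
    # Hypothetical host names: replace with your DC and Front End FQDNs
    [string[]]$InternalFqdns = @('dc01.lyncdude.net', 'fe01.lyncdude.net')
)

function New-Check($Name, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }
}

# Collect the machine state once
$cs     = Get-CimInstance Win32_ComputerSystem
$nics   = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True')
$iNic   = $nics | Where-Object { $_.IPAddress -like "$InternalPrefix*" } | Select-Object -First 1
$eNic   = $nics | Where-Object { $_.IPAddress -like "$ExternalPrefix*" } | Select-Object -First 1
$suffix = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
$hosts  = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
          Where-Object { $_ -notmatch '^\s*(#|$)' }   # skip comments and blank lines

$report = @(
    New-Check '1. Not domain joined' (-not $cs.PartOfDomain) "Member of: $($cs.Domain)"
    New-Check '2. Separate iNIC and eNIC' ($iNic -and $eNic -and $iNic.Index -ne $eNic.Index) "$($nics.Count) IP-enabled adapter(s)"
    New-Check '3. eNIC has gateway and DNS' ($eNic.DefaultIPGateway -and $eNic.DNSServerSearchOrder) "Gateway: $($eNic.DefaultIPGateway)"
    New-Check '4. iNIC has no gateway' ($iNic -and -not $iNic.DefaultIPGateway) "Gateway: $($iNic.DefaultIPGateway)"
    foreach ($fqdn in $InternalFqdns) {
        # Match the FQDN as a whole token so fe01 does not match fe011
        $pattern = '(^|\s)' + [regex]::Escape($fqdn) + '(\s|$)'
        $entry   = $hosts | Where-Object { $_ -match $pattern } | Select-Object -First 1
        New-Check "5. hosts entry for $fqdn" $entry $entry
    }
    New-Check '6. Primary DNS suffix set' ($suffix -eq $DnsSuffix) "Current suffix: '$suffix'"
)

$report | Format-Table -AutoSize
if ($report.Pass -contains $false) { Write-Warning 'One or more Edge prerequisites are not met.' }
```

A gateway on the iNIC is the failure worth watching for: with two default routes the Edge server can send internal traffic out of the wrong interface, so internal subnets should be reached through static routes instead.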

IP Requirements:

This part depends on your infrastructure. Of the two most common scenarios, the most secure and recommended one is where you have an eDMZ and an iDMZ, and then your internal network. In my lab I have 3 subnets:

  • Internal Server VLAN      192.168.1.0/24
  • Internal DMZ (iDMZ)      172.16.1.0/24
  • External DMZ (eDMZ)      10.10.1.0/24

So I have my DC and Lync Front end in the 192.168.1.0 subnet isolated from the DMZ by the firewall, and I will deploy the Lync edge in the DMZ so that the iNIC is connected to the iDMZ and the eNIC is connected to the eDMZ.

On the eNIC that is connected to the eDMZ I will have 3 IP addresses on the 10.10.1.0 subnet, which will be NATed to 3 public IP addresses. On the iNIC that is connected to the iDMZ I have 1 IP address on the 172.16.1.0 subnet:

| Service | iDMZ IP-address | eDMZ IP-address | Public IP-address |
|---|---|---|---|
| Access.lyncdude.net | 172.16.1.167 | 10.10.1.167 | XX.171.195.167 |
| Av.lyncdude.net | | 10.10.1.168 | XX.171.195.168 |
| Webconf.lyncdude.net | | 10.10.1.169 | XX.171.195.169 |

This diagram gives a better picture of my deployment:

[Diagram: edge]

Certificate Requirements:

On the Edge server a certificate is used on both network interfaces of the server, but on the external interface the certificate needs to be issued by a trusted public CA.

Good thing about Lync is that you can use one certificate with all Edge roles as long as it has the correct names in it.

A number of things to consider when ordering your public certificate:

  • The subject name of the certificate needs to be the name of the Access Edge service, e.g. access.lyncdude.net or sip.lyncdude.net
  • The first SAN should also be the name of the Access Edge service, followed by the other services.
  • Create the certificate with an exportable private key
  • Make sure to include a sip.domain.com entry in the certificate for each SIP domain you have in your deployment

The following photo is taken from my Lab, I have an Edge Pool called Lync-pool02.lyncdude.net with two Edge servers deployed in it.

I have ordered one certificate with the Access Edge server name as the SN, and all the other required web services as SANs in the certificate.

Internal Certificate:

[Screenshot: edge-int]

External Certificate

[Screenshot: edge-ext]

Your certificates should be something similar to those two 🙂

So my lab crashed 🙂 I’m rebuilding it to take the required screenshots, so we have to wait for part 2.


Author: Lyncdude

A Senior Microsoft Unified Communications Consultant with more than 9 years of experience in Microsoft Exchange and Microsoft Lync Server / Skype for Business. An Egyptian guy who lives and works in Frankfurt, Germany. Worked closely with Microsoft Dubai for 3 years designing, building and supporting Exchange and Lync infrastructures. A Microsoft Certified ITP in Lync and Exchange who also attended the Microsoft Partner Premier Field Support Engineer T1 Training for Microsoft Lync 2010.
