Deploy & Configure Lync Edge Server – Part1 Preparation


Lync Edge server is what you need to give your Lync infrastructure external access, unless you are one of those guys or companies that prefer using VPN. Lync Edge is designed to provide the following features:

  • Lync Access for Remote users
  • Connection with Federated companies
  • Connection with Public IM

Prerequisites & Considerations:

There are a number of things you need to consider and do on the machine that will be running the Lync Edge role:

  1. Lync Edge machine should not be joined to the Domain.
  2. Lync Edge machine should have two network cards, external NIC (eNIC) that is connected to the internet, and an internal NIC (iNIC) that is connected to the Internal network.
  3. eNIC should have a gateway and DNS configured on it.
  4. iNIC should NOT have gateway configured on it.
  5. Add the FQDNs and IP-addresses of your Domain Controller and Lync Front Ends to the hosts file on the Lync Edge machine.
  6. Your DNS suffix should be added to your Lync Edge machine.
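
A quick way to verify items 1 to 6 on the Edge machine before installing the role. This is an added example, not part of the original post; the adapter connection names, the DNS suffix and the FQDNs are placeholders to replace with your own values.

```powershell
# Added example (not from the original post). Run in Windows PowerShell on the Edge machine.
# Every value below is a placeholder / assumption.
$InternalNic   = 'iNIC'            # assumed connection name of the internal adapter
$ExternalNic   = 'eNIC'            # assumed connection name of the external adapter
$DnsSuffix     = 'contoso.local'   # placeholder DNS suffix
$RequiredHosts = 'dc01.contoso.local', 'lyncfe01.contoso.local'   # placeholder DC / Front End FQDNs

function New-Check([string]$Name, [bool]$Passed) {
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed }
}

function Get-NicConfig([string]$ConnectionName) {
    # Map the name shown in Network Connections to the adapter's IP configuration.
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
    if ($nic) { Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.Index)" }
}

$ext = Get-NicConfig $ExternalNic
$int = Get-NicConfig $InternalNic

# Host names listed in the hosts file, ignoring comments and the IP column.
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsNames = @(Get-Content $hostsPath |
    ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
    Where-Object { $_ } |
    ForEach-Object { ($_ -split '\s+') | Select-Object -Skip 1 })
$missing = @($RequiredHosts | Where-Object { $hostsNames -notcontains $_ })

# Primary DNS suffix as stored by the TCP/IP stack.
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

$checks = @(
    New-Check '1. Not joined to a domain'        (-not (Get-WmiObject Win32_ComputerSystem).PartOfDomain)
    New-Check '2. Both eNIC and iNIC present'    ([bool]$ext -and [bool]$int)
    New-Check '3. eNIC has gateway and DNS'      ([bool]$ext.DefaultIPGateway -and [bool]$ext.DNSServerSearchOrder)
    New-Check '4. iNIC has NO gateway'           ([bool]$int -and -not $int.DefaultIPGateway)
    New-Check '5. DC / Front End in hosts file'  ($missing.Count -eq 0)
    New-Check '6. DNS suffix configured'         ($tcpip.Domain -eq $DnsSuffix)
)
$checks | Select-Object Check, Passed | Format-Table -AutoSize
if ($missing.Count) { "Missing from hosts file: $($missing -join ', ')" }
```

A failed check 1 or 4 deserves the most attention: a domain-joined Edge or a default gateway on the internal NIC weakens the separation between the DMZ and the internal network that this design relies on.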

IP Requirements:

This part depends on your infrastructure. Of the most common scenarios, the most secure and recommended one is where you have an eDMZ and an iDMZ and then your internal network, so in my lab I have 3 subnets:

  • Internal Server VLAN
  • Internal DMZ (iDMZ)
  • External DMZ (eDMZ)

So I have my DC and Lync Front end in the subnet isolated from the DMZ by the firewall, and I will deploy the Lync edge in the DMZ so that the iNIC is connected to the iDMZ and the eNIC is connected to the eDMZ.

On the eNIC, which is connected to the eDMZ, I will have 3 IP-addresses on the subnet and will NAT them to 3 public IP-addresses. On the iNIC, which is connected to the iDMZ, I have 1 IP-address on the subnet:

Service iDMZ IP-address eDMZ IP-address Public IP-address XX.171.195.167 XX.171.195.168 XX.171.195.169

And this is a diagram for more understanding about my deployment


Certificate Requirements:

On the Edge server a certificate is used on both network interfaces of the server, but on the external interface the certificate needs to be issued by a trusted public CA.

Good thing about Lync is that you can use one certificate with all Edge roles as long as it has the correct names in it.

A number of things to consider when ordering your public certificate:

  • The subject name of the certificate needs to be the name of the Access Edge service e.g. or
  • The first SAN should also be the name of the Access Edge service, then the other services follow.
  • Create the certificate with an exportable private key
  • Make sure to include each to the certificate for each SIP domain you have in your deployment

The following photo is taken from my Lab, I have an Edge Pool called with two Edge servers deployed in it.

I have ordered one certificate with one SN of Access edge server, and all other web services required as a SAN in the certificate.

Internal Certificate:


External Certificate


Your certificates should be something similar to those two 🙂

so my lab crashed 🙂 I’m rebuilding it to take the required screenshots, so we have to wait for part 2

Author: Lyncdude

A Senior Service Engineer with more than 9 years of experience in Microsoft Exchange and Microsoft Lync Server / Skype for Business. Egyptian guy lives and works in Frankfurt - Germany. what is written in this blog is my own opinion and thoughts, not my employer and does not reflect their opinion
