Deploy & Configure Lync Edge Server – Part2 Installation

In Part 1 I talked about the preparations and requirements for installing the Microsoft Lync 2013 Edge server. In this Part 2 of the series I'll give a step-by-step guide to installing the Lync Edge role.

10.04.2014 Updated the software prerequisites section

Add Edge server to the topology

So log in to your Lync Front End and start the Lync Topology Builder.

1. Select “Download Topology from existing deployment”.

2. Save it to a file.

3. Expand the topology tree and click “Edge Pools”.

4. Right-click “Edge Pools” and select “New Edge Pool”.

5. On the “Define the New Edge Pool” page click Next.

6. On the “Define the Edge Pool FQDN” page, write the FQDN of the Edge server in the FQDN field.

7. Select “Single computer pool” and click Next.

8. On the “Select Features” page select the features you want to deploy and click Next.

  • Most of the time I select “Enable Federation” and “Enable XMPP Federation”.

9. On the “Select IP Options” page: as I mentioned in Part 1, the external face of my Edge server is NAT-ed to the public IP addresses, so select the option that marks the external IP address as translated by NAT.

NOTE: If you are going to use three public IP addresses and dedicate one IP to each service, do not select this option.

10. On the “External FQDNs” page, enter the external FQDN of each Edge service.

11. On the “Define the Internal IP address” page, enter the IP address of the internal NIC (“iNIC”).

12. On the “Define the external IP address” page, enter for each service the eDMZ IP address you planned for it and click Next.

NOTE: Enter the public IP addresses of the services directly here if you are not using NAT.

13. On the “Define the Public IP address” page, enter the public IP address that will be used for the A/V service.

14. On the “Define the next hop server” page, select from the list the next hop after the Edge. This should be your Front End server ONLY IF you don't have a Lync Director in your deployment.

15. On the “Associate Front End or Mediation Pools” page, select the Front End server and click Finish.

16. Now publish the topology.

Export the Central Management store Configurations

Now that we have published the new changes to the CMS database, we need to export the configuration to a file that we will use on the Lync Edge server to install the Edge role.

So, still on the Lync Front End, start the Lync Management Shell and export the CS configuration to a ZIP file with the following command (the backslashes in the path matter; the cmdlet takes the file name through -FileName):

>> Export-CsConfiguration -FileName C:\temp\edge.zip

Copy the file to the Edge server.

Installing Lync Edge

Create a routing rule

Now log-in to the Lync Edge server and start a command prompt using Administrative privileges.

Because the Lync Edge sits in a DMZ and only one NIC has a default gateway, you need to add a route to the Edge box so it can send traffic to and receive traffic from the Front End server, which is on a completely different subnet.

Identify the NIC that will route traffic to the internal corporate network: run ipconfig /all and note the “Physical Address” of the iNIC (the one connected to the internal DMZ, in other words the one without a default gateway).

>> ipconfig /all

Then run route print to get the routing table of the Edge server. At the top of the output is the “Interface List”, the list of NICs attached to the machine; look for the one with the Physical Address you noted. The number in front of it is the interface index, which we will use when creating the route.

>> route print

Now create the route using the following syntax (-p makes the route persistent across reboots).

>> route add <corporate network ip> mask <subnet mask> <default gateway of your NIC> if <ID of the Interface> -p

So in my case

>> route add 192.168.1.0 mask 255.255.255.0 172.16.1.167 if 12 -p
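As an added example (not from the original post), the following PowerShell does the three manual steps above in one go on Windows Server 2012 or later: it finds the iNIC as the adapter without a default gateway, adds the persistent route bound to that interface, and re-reads the routing table to confirm the route really points at the iNIC. The corporate network, prefix length and internal gateway are the values from my example above; the Front End address used for the final probe is a constructed sample.

```powershell
# Added example, not part of the original post. Requires the NetTCPIP / NetAdapter
# modules (Windows Server 2012 or later); on 2008 R2 use the route.exe command above.
# Values follow the post's example: corporate LAN 192.168.1.0/24, internal DMZ
# gateway 172.16.1.167. The Front End address is a constructed sample for the probe.
$CorpPrefix = '192.168.1.0/24'
$InternalGw = '172.16.1.167'
$FeAddress  = '192.168.1.10'

# Step 1: identify the iNIC. In a two-NIC Edge only the external NIC carries a
# default gateway, so the internal one is the adapter that has an IPv4 address
# but no IPv4DefaultGateway entry.
$inic = Get-NetIPConfiguration |
    Where-Object { $_.IPv4Address -and -not $_.IPv4DefaultGateway } |
    Select-Object -First 1
if (-not $inic) {
    throw 'No adapter without a default gateway was found; check the NIC configuration before adding routes.'
}
'Internal NIC: {0} (ifIndex {1}, MAC {2})' -f $inic.InterfaceAlias,
    $inic.InterfaceIndex, $inic.NetAdapter.MacAddress

# Step 2: add the route, bound to the iNIC's interface index so traffic to the
# corporate network can never leave through the external NIC. New-NetRoute writes
# to both the active and the persistent store, the equivalent of "route add ... -p".
$route = Get-NetRoute -DestinationPrefix $CorpPrefix -ErrorAction SilentlyContinue
if (-not $route) {
    $route = New-NetRoute -DestinationPrefix $CorpPrefix `
                          -InterfaceIndex $inic.InterfaceIndex `
                          -NextHop $InternalGw
}

# Step 3: verify. The route must be bound to the iNIC and use the internal gateway;
# a route on the wrong interface is a classic reason the Edge cannot talk to the
# Front End even though the subnet looks right.
$check = Get-NetRoute -DestinationPrefix $CorpPrefix |
    Where-Object { $_.InterfaceIndex -eq $inic.InterfaceIndex -and $_.NextHop -eq $InternalGw }
if ($check) {
    "OK: $CorpPrefix via $InternalGw on ifIndex $($inic.InterfaceIndex)"
} else {
    Write-Warning "A route for $CorpPrefix exists but is not bound to the iNIC; remove it and re-add it with the correct interface."
}

# Optional live check (Test-NetConnection needs Server 2012 R2 or later): the Edge
# talks SIP/MTLS to the Front End on 5061, so a TCP probe through the iNIC should succeed.
Test-NetConnection -ComputerName $FeAddress -Port 5061 -InformationLevel Quiet
```

If the verification step warns, the usual cause is an earlier route added without the `if` argument, which Windows then bound to whichever interface it chose; delete it with `Remove-NetRoute -DestinationPrefix` (or `route delete`) and let the script add it again.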

Now you are ready to install the Edge role.

Software requirements

Make sure you have installed:

1. .NET Framework 4.5

2. Windows Identity Foundation

3. The Windows features installed by the following command (run from an elevated PowerShell session):

>> Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, NET-HTTP-Activation, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Telnet-Client, BITS
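As an added example (not from the original post), this PowerShell checks the three prerequisites above before the Deployment Wizard is started, so a missing component is found now rather than half way through the wizard. It assumes Windows Server 2012 or later, where Windows Identity Foundation is a Windows feature; the feature list is the one from the Add-WindowsFeature line above.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on the Edge; reports which prerequisites are missing and, optionally,
# installs only the missing Windows features.
Import-Module ServerManager

# .NET Framework 4.5 and later register a "Release" DWORD under the v4 Full key;
# 378389 is the value for 4.5 RTM, later 4.x versions use higher values.
$netKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $netKey -Name Release -ErrorAction SilentlyContinue).Release
$netOk   = [int]$release -ge 378389

# Windows Identity Foundation 3.5 is a Windows feature on Server 2012 and later
# (on 2008 R2 it is a separate download and will not show up here).
$wifOk = (Get-WindowsFeature -Name Windows-Identity-Foundation).Installed

# Same feature list as the Add-WindowsFeature line above.
$required = 'RSAT-ADDS', 'Web-Server', 'Web-Static-Content', 'Web-Default-Doc',
    'Web-Http-Errors', 'Web-Asp-Net', 'Web-Net-Ext', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    'Web-Http-Logging', 'Web-Log-Libraries', 'Web-Request-Monitor', 'Web-Http-Tracing',
    'Web-Basic-Auth', 'Web-Windows-Auth', 'Web-Client-Auth', 'Web-Filtering',
    'Web-Stat-Compression', 'NET-HTTP-Activation', 'Web-Mgmt-Tools', 'Web-Scripting-Tools',
    'Web-Mgmt-Compat', 'Telnet-Client', 'BITS'
$missing = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }

'.NET Framework 4.5          : {0}' -f $(if ($netOk) { "OK (Release=$release)" } else { 'MISSING' })
'Windows Identity Foundation : {0}' -f $(if ($wifOk) { 'OK' } else { 'MISSING' })
if ($missing) {
    $names = $missing | Select-Object -ExpandProperty Name
    'Windows features missing    : ' + ($names -join ', ')
    # Uncomment to install just the missing ones instead of the full list:
    # Add-WindowsFeature -Name $names
} else {
    'Windows features            : OK'
}
```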

Installations

Now run the Lync Deployment Wizard from the installation media.

1. Click Yes when prompted to install the C++ minimum runtime package.

2. Click Install.

3. Read and understand the license agreement, then click OK.

4. Click “Install Administrative Tools” and wait until the installation finishes.

5. Click “Install or update Lync Server System”.

6. Run Step 1 by clicking “Install Local Configuration Store”.

7. On the “Configure Local Replica of Central Management Store” page, select “Import from a file…”.

8. Browse to the ZIP file you exported from the Lync Front End and copied to the Edge in the previous step.

9. Click Next.

10. After the import finishes, click Finish.

11. Now run Step 2, “Setup or Remove Lync Server Components”.

12. On the “Setup Lync Server Components” page, click Next.

13. Wait for the installation to finish, then click Finish.

14. Now run Step 3, “Request, Install or Assign Certificates”.

15. Select “Edge Internal” and click Request.

16. Click Next.

17. On the “Delayed or Immediate Requests” page, select “Prepare the request now…” and click Next.

18. On the “Certificate Request File” page, choose the path and file name the request file should be saved to.

19. Click Next.

20. On the “Specify Alternative Certificate Template” page, if you have a custom template created for this purpose, enter its name; otherwise just click Next.

21. On the “Name and Security Settings” page, choose a friendly name for your certificate and select “Mark the certificate's private key as exportable”.

22. Click Next.

23. On the next two pages fill in the required information about your organization.

24. On the “Subject Name / Subject Alternative Names” page, click Next.

25. On the “Configure Additional Subject Alternative Names” page, click Next, or add the SANs you need if you have multiple domains.

26. Check the settings of your request and, if they are correct, click Next.

27. After the request is created without errors, click Next.

28. On the “Certificate Request File” page, click Finish.

Now you should have a certificate request file that you can submit to your CA.

Do the same for the External Edge services, with the following differences:

1. Select “External Edge Certificates” and click Request.

2. Follow the wizard as before, but give this certificate a different friendly name, “Edge public Cert”.

3. On the “Subject Name / Subject Alternative Names” page, make sure the services are listed.

4. Click Next.

5. Select the SIP domain of your deployment.

6. Click Next.

7. Review the configuration of your request and click Next if everything is correct.

8. Follow steps 27 and 28 above.

Now submit the request files to your CA, then import the two new certificates you get back into your Edge server.
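Before assigning the certificates it pays to check that what came back from the CA is what the topology needs. As an added example (not from the original post), the following PowerShell looks both certificates up in the computer store by friendly name and checks that the private key is present and exportable, that the certificate is not about to expire, and that every required FQDN appears as the CN or as a DNS entry in the Subject Alternative Name extension. The friendly name “Edge public Cert” is the one from the steps above; “Edge Internal” as a friendly name and the FQDN lists are constructed samples, replace them with the internal Edge FQDN and the external FQDNs you entered in Topology Builder.

```powershell
# Added example, not part of the original post. Checks the two Edge certificates
# after import, before they are assigned with Step 3 of the Deployment Wizard.
# Friendly names and FQDNs below are assumptions / constructed samples.
$Checks = @(
    @{ FriendlyName = 'Edge Internal';    Names = 'lyncedge.contoso.local' },
    @{ FriendlyName = 'Edge public Cert'; Names = 'sip.contoso.com', 'webconf.contoso.com', 'av.contoso.com' }
)

function Get-CertificateDnsNames {
    # Returns the CN plus every DNS entry of the Subject Alternative Name extension
    # (OID 2.5.29.17), lower-cased so comparisons are case-insensitive.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match '(?:^|,\s*)CN=([^,]+)') { $names += $Matches[1].Trim().ToLower() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) renders one "DNS Name=host" line per SAN entry.
        $names += ($san.Format($true) -split "`r?`n") |
            Where-Object { $_ -match '^DNS Name=(.+)$' } |
            ForEach-Object { $Matches[1].Trim().ToLower() }
    }
    $names | Select-Object -Unique
}

function Test-EdgeCertificate {
    param([string]$FriendlyName, [string[]]$RequiredNames)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "[$FriendlyName] not found in LocalMachine\My"; return $false }

    $problems = @()
    $present  = @(Get-CertificateDnsNames $cert)
    foreach ($n in $RequiredNames) {
        if ($present -notcontains $n.ToLower()) { $problems += "name '$n' is neither CN nor SAN" }
    }
    # The CA returns only the public part; the private key exists only on the machine
    # that generated the request, so this fails when the .cer is imported elsewhere.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in the store' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter.ToShortDateString())" }
    try {
        if (-not $cert.PrivateKey.CspKeyContainerInfo.Exportable) { $problems += 'private key is not exportable' }
    } catch { }   # non-CSP keys do not expose this flag; skip the check

    '[{0}] {1}  CN/SANs: {2}' -f $FriendlyName, $cert.Thumbprint, ($present -join ', ')
    $problems | ForEach-Object { "    PROBLEM: $_" }
    return ($problems.Count -eq 0)
}

$allOk = $true
foreach ($c in $Checks) {
    if (-not (Test-EdgeCertificate -FriendlyName $c.FriendlyName -RequiredNames $c.Names)) { $allOk = $false }
}
'Overall: {0}' -f $(if ($allOk) { 'ready to assign' } else { 'fix the problems above before assigning' })
```

After assigning, `Get-CsCertificate` from the Lync Management Shell shows which thumbprint is bound to each use (Internal, AccessEdgeExternal, DataEdgeExternal, AudioVideoAuthentication), which is the quickest way to confirm the wizard picked the certificate you checked here.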

· Run Step 3 of the Lync Deployment Wizard, “Request, Install or Assign Certificates”, again.

· Select “Edge Internal”, click Assign and assign the certificate you obtained for Edge Internal; then do the same for External Edge Services with the certificate you obtained for it.

· Once finished, you can run Step 4, “Start Services”.

And by this you are done my friend.

Author: Lyncdude

A Senior Microsoft Unified Communications Consultant with more than 9 years of experience in Microsoft Exchange and Microsoft Lync Server / Skype for Business. Egyptian guy who lives and works in Frankfurt, Germany. Worked closely with Microsoft Dubai for 3 years designing, building and supporting Exchange and Lync infrastructures. A Microsoft Certified ITP in Lync and Exchange, and also attended the Microsoft Partner Primer Field Support Engineer T1 Training for Microsoft Lync 2010.

48 thoughts on “Deploy & Configure Lync Edge Server – Part2 Installation”

  1. I ran this cmdlet line: Export-CsConfiguration -FileName “C:\Config.zip”
    I got the error that the term Export-CsConfiguration is not recognized as the name of a cmdlet, function, script file… so I don't know if there is a way to export my new updated topology to import to my Lync Edge server? Any help will be appreciated…thx Paul

    1. Hi Paul,

      did you run the “Install Administrative Tools” step?
      If yes, did you run this command in the “Microsoft Lync Management Shell”? You need to load the “Lync” module into PowerShell before using this command line;
      this can be done by simply starting a normal PowerShell session and running “Import-Module Lync”.

      Note: you must have the “Lync administrative tools” installed to use this command.

      Tohamey

  2. Hi, it's a very nice guide. I have successfully configured Lync with Edge, but when I'm going to sign in from externally I'm getting the error “can't sign into Lync, we're having trouble connecting to the server”. Any suggestion?

  3. When I try to install the Lync components on the Edge server it says “WARNING! Host not found in topology. All roles will be uninstalled.”

    So when the loading is done I can't get my certs and have been stuck there for a while.

    I am not using NAT… This is just a test server lab to see if we will use Lync for AV conversations for the Skype SDK application replacement since Lync is the best alternative.

    Thank you

    1. Hi Antonie,

      Did you publish the topology after you have added the Lync Edge to it?

      Then export the topology as a zip file with the command line I mentioned in the guide and copy the zip file to the Edge server.
      And follow the steps and make sure when in “install local configuration store” you select “import from file” and browse to where the zip file is.

      I think this should solve the problem 🙂

      1. Yes it's done. I made a mistake first and then redid it. Can this be a problem actually?

        Is my FQDN the domain I want to use? “potatoes.com”? Or is it my Lync FE? “FE01.Lync.Lan”? Or something else?

      2. I'm not sure I'm understanding your question completely, but you need to add the DNS suffix of your Lync FE's FQDN to the Edge, without adding the Edge to the domain.

  4. We want to remove our lync edge server from our deployment. We turned off the edge server and removed the association to the edge server in the topology builder and republished the topology. After doing this our clients see the error “limited external calling”. Is there any way to fix this?

  5. Hello Lyncdude

    Wonder if you can help? What sort of external certificates do I need for the Edge server? I mean I'm buying it from GoDaddy, what sort of certificate should I ask for?

    Sorry to be dumb.

    Thanks
    Grenald

  6. Hello Mostafa – Thank you for the awesome write up.
    Is it possible to run an edge server with self-assigned certificates so not to have to purchase one from a CA?

    Regards,
    Rod

    1. Hi Rod,
      it is possible, but you won't be trusted by other organizations for federation and/or public IM. I don't recommend that in an organization.

  7. Thanks for the great docu! My S4B and Edge server are working well internally. Now I want to log in with my Windows Phones, Androids and iPhones. But users can't log in from inside or outside: “You cannot log in. Check your login information…”
    Logging in with Lync 2013 and the Skype for Business application works great from inside and outside.

    1. I assume you have deployed Reverse proxy and published your SFB mobile services online using it? And the reverse proxy is configured to forward traffic to Frontends using 4443

  8. Hello,

    I'm setting up a 3-node Edge pool with the following config:

    - Each node will have 2 NICs: 1 for internal, 1 for external
    - The external IP is NAT'ed to a public address
    - Only 1 external IP for each node for the 3 external services, so only 1 sip.domain.com record for these services

    Now my question is: for each node in the Topology Builder, is it possible to enter only the same one NAT public IP address for all, or how should I go through this?

    Or should I assign different public IPs for each node and then make something like a “DNS load balancing” setup in the external DNS server?
    eg.

    sip.domain.com = 202.x.x.1
    sip.domain.com = 202.x.x.2
    sip.domain.com = 202.x.x.3

    Please assist.. Thank you

  9. Hi,

    Very nice article. but as I finished deploying lync edge. I cannot connect to lync externally. Microsoft connectivity analyzer says “Testing the SSL certificate to make sure it’s valid.
    The SSL certificate failed one or more certificate validation checks.
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server access.domain.com on port 443. The Microsoft Connectivity Analyzer wasn’t able to obtain the remote SSL certificate.

    Additional Details

    The certificate couldn’t be validated because SSL negotiation wasn’t successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.”

    Any idea… badly need help

    1. Is your certificate obtained from a public certificate authority like GoDaddy or DigiCert…etc? Also, just to be sure, is your firewall allowing port 443 to your access.domain.com IP address?

      1. Yes.. I had obtained it from digicert with CN=access.domain.com, SAN=sip.domain.com, webcon.domain.com.

        and also able to telnet access.domain.com 443.

      2. OK, I guess this is your problem: you have the SN as access.domain.com but your SAN is sip.domain.com. You should use one of them, not both, so if you defined it as access.domain.com in your topology then you should only use access.domain.com in your SSL certificate; replace sip.domain.com with access.domain.com, or the opposite if you defined it as sip.domain.com in the topology.

      3. Well then all things are properly in place but still no clue what's wrong. Do I have to add the FQDN of the Lync Edge machine in the certificate, i.e. lyncedge.domain.local?

      4. sip.domain.com was added automatically in the CSR. I just added friendly name = access.domain.com and SAN = webcon.domain.com.

      5. That's good. Then make sure your SSL certificate uses SN = access.domain.com and that the SAN has access.domain.com again and webconf.domain.com; assign it to the services and restart the Edge server and it should work.

      6. Already did that… My cert's friendly name is access.domain.com, then the SANs are access.domain.com, sip.domain.com, webcon.domain.com, lyncdiscover.domain.com.

        Should I try replacing access with sip in the services and then get a new certificate with friendly name sip.domain.com?

      7. Haven't tried replacing access with sip as SN yet. Should I? Will it make some difference?

      8. Because in your topology it is defined as access.domain.com, you should not replace it with sip in the certificate. So I understand that you are still having the problem.

      9. Hi.. The issue seems to be resolved, but another one arises as below…. Any idea?

        Testing remote connectivity for user tayyab.hamid@domain.com to the Microsoft Lync server.
        Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
        Additional Details
        Elapsed Time: 101383 ms.
        Test Steps
        Attempting to resolve the host name sip.domain.com in DNS.
        The host name resolved successfully.
        Additional Details
        Testing TCP port 443 on host sip.domain.com to ensure it’s listening and open.
        The port was opened successfully.
        Additional Details
        Testing the SSL certificate to make sure it’s valid.
        The certificate passed all validation requirements.
        Additional Details
        Elapsed Time: 839 ms.
        Test Steps
        The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip.domain.com on port 443.
        The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
        Additional Details
        Validating the certificate name.
        The certificate name was validated successfully.
        Additional Details
        Certificate trust is being validated.
        The certificate is trusted and all certificates are present in the chain.
        Test Steps
        Testing the certificate date to confirm the certificate is valid.
        Date validation passed. The certificate hasn’t expired.
        Additional Details
        Testing remote connectivity for user tayyab.hamid@domain.com to the Microsoft Lync server.
        Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
        Tell me more about this issue and how to resolve it
        Additional Details
        Couldn’t sign in. Error: Error Message: Unable to establish a connection..Error Type: ConnectionFailureException.
        .
        Elapsed Time: 99994 ms

      10. Hi,
        that can be caused by a lot of reasons. I recommend you connect to an external network and try to log in while collecting SIP stack logs on your client and the Edge server.
        Checking the logs for errors should give you more details; also check the Lync event logs on the Edge server and Front End for related errors. Let me know if I can help.

      11. Drilling down into the issue, I found out that port 25 is filtered on the Edge server. Any idea?

        Starting portqry.exe -n sip.domain.com -e 25,80,443 -p TCP …

        Querying target system called:

        sip.domain.com

        Attempting to resolve name to IP address…

        Name resolved to 122.xxx.xxx.xxx

        querying…

        TCP port 25 (smtp service): FILTERED

        TCP port 80 (http service): LISTENING

        TCP port 443 (https service): LISTENING
        portqry.exe -n sip.sscbrands.com -e 25,80,443 -p TCP exits with return code 0x00000000.

      12. Did you collect SIP stack logs from the Edge, Front End and the Skype for Business client while trying to connect from an external network? If yes, feel free to email them to me, I'll be happy to take a look.

      13. Thanks for the reply and help.. I don't know how to collect SIP stack logs actually.. Can you share any guide or material to do so?

      14. No problem, always glad to help.
        You can always use TechNet to understand more about how Centralized Logging works: https://technet.microsoft.com/en-us/library/jj688145.aspx?f=255&MSPPError=-2147217396
        or use this article for server-side logging: http://flinchbot.com/2015/06/24/skype-for-business-debugging-tools/
        and this one for client-side logging: https://support.office.com/en-us/article/Turn-on-error-logs-in-Skype-for-Business-Lync-eaf6602b-95e0-4c27-869f-36017475806c
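The thread above runs the Microsoft Connectivity Analyzer against the Access Edge name and first gets a certificate validation failure, then a clean certificate but no sign-in. As an added example (not from the post or its comments), this PowerShell function performs the analyzer's certificate step locally: it opens a TLS session to the external name on 443, captures the certificate the Edge presents, and reports whether the name you connected to appears as the CN or as a SAN entry and which policy errors Windows raised for the chain. The host name is a constructed sample; run it from a machine outside the corporate network, otherwise you are testing the internal interface or an internal firewall.

```powershell
# Added example, not part of the original post or its comments. Reproduces the
# "SSL certificate" step of the connectivity analyzer for an Access Edge name.
# access.contoso.com is a constructed sample; use the FQDN from your topology.
function Test-EdgeTls {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)

    $result = [ordered]@{
        Host = $HostName; Port = $Port; TcpOpen = $false; TlsOk = $false
        Subject = $null; NameMatches = $false; PolicyErrors = $null; Detail = $null
    }
    $script:remoteCert   = $null
    $script:policyErrors = $null
    # Accept every certificate inside the callback so the handshake completes and
    # the certificate can be inspected; this probe reports validation, it does not enforce it.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:remoteCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        $script:policyErrors = $sslPolicyErrors
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Detail = 'TCP connect timed out: check DNS, the firewall and the NAT rule for this port'
            return [pscustomobject]$result
        }
        $client.EndConnect($handle)
        $result.TcpOpen = $true

        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $result.TlsOk        = $true
        $result.Subject      = $script:remoteCert.Subject
        $result.PolicyErrors = [string]$script:policyErrors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors...

        # Name check: the host we dialled must be the CN or one of the SAN DNS entries.
        $escaped = [regex]::Escape($HostName)
        $sanExt  = $script:remoteCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
        $result.NameMatches = ($script:remoteCert.Subject -match "CN=$escaped(,|$)") -or
                              ($sanText -match "DNS Name=$escaped(\s|$)")
        $ssl.Dispose()
    } catch {
        # A failed handshake here is what the analyzer reports as "SSL negotiation wasn't successful".
        $result.Detail = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

Test-EdgeTls -HostName 'access.contoso.com' -Port 443 | Format-List
```

Reading the output: `TcpOpen` false is a firewall or NAT problem, not a certificate one; `PolicyErrors` of `RemoteCertificateNameMismatch` with `NameMatches` false is the CN/SAN mismatch the thread works through; `RemoteCertificateChainErrors` means the issuing CA is not trusted on the probing machine, which is what a self-signed Edge certificate produces for every external client. The filtered port 25 in the portqry output is SMTP and is not something the Edge services listen on, so it has no bearing on sign-in.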
