Secure Remote Access & Lync Ilse Van Criekinge http://blogs.technet.com/ilvancri @ivcrieki
Session Objectives and Takeaways
• Session Objectives
  • Overview of typical Lync Server Edge configurations
  • DNS Load Balancing and Hardware Load Balancing
  • NAT support for Edge Deployment
  • Reverse Proxy
  • ICE
• Takeaways
  • Understand typical Edge planning and deployment process
  • Understand certificate requirements for Edge and Reverse Proxy

Simple URLs
• Lync Server 2010
  • Meet
  • Dial-in
  • Admin
• Scope = Global & Site
• Created using PowerShell or Topology Builder

Lync Server Edge scenarios
• External User Access
  • Lync clients can transparently connect to the Lync Server deployment over the public Internet
• PIC
  • Connecting with public IM providers
• Federation
  • Federation with other Enterprises
  • IM&P only, or
  • All modalities A/V and Application Sharing

Edge Server Role Requirements
• General Requirements
  • 64-bit Windows 2008, Windows 2008 R2
  • Microsoft .NET Framework 3.5 SP1
  • Windows PowerShell v2
  • Cannot be collocated with any other Microsoft Lync Server role
  • Virtualization is supported (Windows 2008 R2 OS!)

Edge Server Roles
• Access Edge = handles all SIP traffic crossing the corporate firewall
• Web Conferencing Edge = proxies PSOM (Persistent Shared Object Model) traffic between the Web Conferencing Server and external clients
• Audio/Video Edge = provides a single trusted connection point through which audio and video traffic enters and exits your network

Edge Server Role
1 IP, 2 IP, 3 IP, 4 IP, ... ?

A Few Networking Lync Facts
• Lync Server 2010 supports only IPv4
  • It does not support IPv6
  • Can function in a network with dual IP stack enabled
• Two network adapters for each Edge Server are required:
  • one for the internal-facing interface
  • one for the external-facing interface
• Important: The internal and external subnets must not be routable to each other.

Single IP address Edge
• Internal interface: edge-int.contoso.com, 172.25.33.10
  • SIP: 5061
  • Web Conf: 8057
  • A/V Conf: 443, 3478
• External interface: edge.contoso.com, 131.107.155.10
  • SIP: 5061
  • Web Conf: 444
  • A/V Conf: 443, 3478

Multiple IP address Edge
• Internal interface: edge-int.contoso.com, 172.25.33.10
  • SIP: 5061
  • Web Conf: 8057
  • A/V Conf: 443, 3478
• External SIP: access.contoso.com, 131.107.155.10, ports 443, 5061
• External Web Conf: webcon.contoso.com, 131.107.155.20, port 443
• External AV: av.contoso.com, 131.107.155.30, ports 443, 3478
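
An added example, not part of the original deck: a small audit that compares perimeter firewall allow rules against the external listeners on the "Multiple IP address Edge" slide and reports anything opened beyond them. The rule syntax and sample rules are constructed, and the protocols (TCP for 443 and 5061, UDP for 3478) are an assumption, since the slide lists port numbers only.

```python
# Expected inbound listeners per external IP, from the "Multiple IP address
# Edge" slide. Protocols are an assumption (the slide gives only port numbers).
EXPECTED = {
    "131.107.155.10": {("tcp", 443), ("tcp", 5061)},  # access.contoso.com
    "131.107.155.20": {("tcp", 443)},                 # webcon.contoso.com
    "131.107.155.30": {("tcp", 443), ("udp", 3478)},  # av.contoso.com
}

def parse_rule(line):
    """Parse 'allow <proto> <src> <dst_ip> <port|lo-hi>' (constructed syntax)."""
    action, proto, _src, dst, ports = line.split()
    if action != "allow":
        return None  # deny rules do not expose anything
    lo, _, hi = ports.partition("-")
    return proto.lower(), dst, range(int(lo), int(hi or lo) + 1)

def audit(rule_lines):
    """Return sorted findings: (kind, ip, proto, port), where kind is
    'excess' (open but not on the slide), 'unknown-dst' (destination is not
    an external Edge IP) or 'missing' (on the slide but not allowed)."""
    allowed = set()
    for line in rule_lines:
        line = line.split("#")[0].strip()
        if not line:
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        proto, dst, ports = rule
        allowed.update((dst, proto, p) for p in ports)
    expected = {(ip, pr, po) for ip, svc in EXPECTED.items() for pr, po in svc}
    findings = []
    for ip, proto, port in allowed - expected:
        kind = "excess" if ip in EXPECTED else "unknown-dst"
        findings.append((kind, ip, proto, port))
    findings += [("missing", ip, pr, po) for ip, pr, po in expected - allowed]
    return sorted(findings)

# Constructed sample ruleset: a port range that is one port too wide, a rule
# that reaches the internal Edge interface, and no rule for the A/V UDP port.
SAMPLE_RULES = """\
allow tcp any 131.107.155.10 443
allow tcp any 131.107.155.10 5061
allow tcp any 131.107.155.20 443-444
allow tcp any 131.107.155.30 443
allow tcp any 172.25.33.10 5061   # internal interface, must not be exposed
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(*finding)
```
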

Edge using NAT IP addresses
[Diagram: Client, Public IP space, NAT, Edge Server with internal interface (Int)]
• External SIP: IP1 / IP1’
• External Web Conf: IP2 / IP2’
• External AV: IP3 / IP3’
• Lync Server does not need to know the translated SIP and Web Conf IP addresses
• Clients connect to IP for A/V traffic
• Translated AV IP must be configured in Lync Server

DNS Load Balanced Edge
[Diagram: Client, Public IP space, two Edge Servers, each with an internal interface (Int)]
• Edge Server 1: IP1, IP2, IP3
• Edge Server 2: IP4, IP5, IP6
• DNS A records
  • access.contoso.com: IP1 and IP4
  • webcon.contoso.com: IP2 and IP5
  • av.contoso.com: IP3 and IP6
• DNS server returns randomized IP address
• Client can retrieve and handle multiple IP addresses and can fail over

DNS Load Balanced Edge using NAT
[Diagram: Public IP space, NAT, two Edge Servers, each with an internal interface (Int)]
• Edge Server 1: IP1’ / IP1, IP2’ / IP2, IP3’ / IP3
• Edge Server 2: IP4’ / IP4, IP5’ / IP5, IP6’ / IP6
• DNS A records
  • access.contoso.com: IP1’ and IP4’
  • webcon.contoso.com: IP2’ and IP5’
  • av.contoso.com: IP3’ and IP6’
• Translated AV IP addresses must be configured in Lync Server individually
  • IP3 to IP3’
  • IP6 to IP6’

Hardware Load Balanced Edge
[Diagram: Public IP space, HLB with VIP1, VIP2, VIP3, two Edge Servers, each with an internal interface (Int)]
• Edge Server 1: IP1, IP2, IP3
• Edge Server 2: IP4, IP5, IP6
• DNS A records
  • access.contoso.com: VIP1
  • webcon.contoso.com: VIP2
  • av.contoso.com: VIP3
• The initial AV connection will land on the VIP and gets forwarded. However, clients will connect to the Edge directly (UDP)
• TCP traffic continues to use the VIP
• NAT and HLB is not possible

Edge Server Role installation