Deploying an Edge Server with Lync

For this article and the next I am going to add an Edge server and an XMPP gateway to an existing Lync environment.  All articles moving forward will be built on the RTM bits of Lync; to build the Front End server for this environment I followed the original article here, the only differences being the server name and the domain.  The lab has the following servers and IPs:

Server Name             | Role                                  | IP Address
LyncDC.lyncguy.local    | Domain Controller / DNS / CA          | 10.255.106.160
LyncFE.lyncguy.local    | Lync Standard Edition Front End       | 10.255.106.161
LyncEdge.lyncguy.local  | Lync Edge server (not domain joined)  | 10.255.106.162 (internal NIC)

The Active Directory domain name for this lab is LyncGuy.local, with the public SIP domain LyncGuy.com.  I prefer to do these labs with different namespaces for AD and the public domain because that is the most common scenario I’ve run into in the real world.  To make this work you have to have an internal copy of the public zone and an external copy; this is commonly referred to as “split-brain DNS”.  Because the internal copy answers every internal query for the public domain, any public name that internal clients still need (not just the Lync names) has to be re-created in it.

To start with I have to create a copy of my public zone on my internal DNS server so internal clients can reach the Lync server directly.  To accomplish this I’ve created the following records in DNS:

Record Type | DNS Entry          | IP Address
A           | meet.lyncguy.com   | 10.255.106.161
A           | dialin.lyncguy.com | 10.255.106.161
A           | sip.lyncguy.com    | 10.255.106.161

We also need to create an SRV record for client automatic sign-in.  The new record will be for “_sipinternaltls._tcp.lyncguy.com” and will point to sip.lyncguy.com on port 5061.


***Note – you can use another name here, such as the Front End server’s name, however the domain must match the SIP domain.  You must also have a SAN entry on the Front End certificate that matches this name.***
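The internal half of the split-brain zone, built from the Lync Server Management Shell or any elevated prompt with dnscmd.exe (it ships with the DNS Server role and the RSAT DNS tools on Windows Server 2008 R2).  This is an added example, not part of the original post; the server, zone and address values follow the lab above, and the zone is assumed not to exist yet on the DC.

```powershell
# Added example (not from the original post): create the internal copy of the public
# SIP domain on the lab DC and add the records the article lists. dnscmd syntax:
#   dnscmd <server> /RecordAdd <zone> <node> <type> <rrdata>
$DnsServer = 'LyncDC.lyncguy.local'
$Zone      = 'lyncguy.com'          # public SIP domain, shadowed internally
$FrontEnd  = '10.255.106.161'       # LyncFE internal address

# 1. AD-integrated primary zone. From now on every internal lookup for *.lyncguy.com
#    is answered here, so anything internal clients need from the public zone
#    (www, mail, autodiscover, ...) must be re-created as well.
dnscmd $DnsServer /ZoneAdd $Zone /DsPrimary

# 2. Web service names and the SIP name point straight at the Front End.
foreach ($node in 'sip', 'meet', 'dialin') {
    dnscmd $DnsServer /RecordAdd $Zone $node A $FrontEnd
}

# 3. Internal automatic sign-in: _sipinternaltls._tcp.<sipdomain> -> sip.<sipdomain>:5061
#    (priority 0, weight 0). The target must be a name on the Front End certificate.
dnscmd $DnsServer /RecordAdd $Zone '_sipinternaltls._tcp' SRV 0 0 5061 "sip.$Zone."

# 4. Verify the way a client would, asking the DC directly.
nslookup -type=A   "sip.$Zone"                    $DnsServer
nslookup -type=SRV "_sipinternaltls._tcp.$Zone"   $DnsServer
```

If the zone already exists internally, skip step 1 and only add the records; `/ZoneAdd` fails rather than overwriting.  The trailing dot on the SRV target keeps dnscmd from appending the zone name a second time.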

Now that our DNS zone is in order we can plan for our edge server.  In this example I will be using 1 internal IP, 3 DMZ IPs and 3 Public IPs.  Instead of placing the public IPs directly on the edge servers public NIC, I will NAT the public IPs to the private IPs with my lab ASA.  I’ve also matched the last octet of the address to make it easier to manage at a glance.

Public Name          | Public IP        | DMZ IP
sip.lyncguy.com      | XX.102.182.163   | 10.255.110.163
webconf.lyncguy.com  | XX.102.182.164   | 10.255.110.164
av.lyncguy.com       | XX.102.182.165   | 10.255.110.165

Here is what the design looks like:


To start we need to add an edge to our topology, on the front end server (lyncfe) open “Lync Server Topology Builder”. Then we need to expand our topology, right click “Edge Pools” and choose “New Edge Pool”


Click “Next” on the “Define Edge Pool” page


Enter the FQDN you will be using for your edge and select “Single Computer Pool”

Next we have a screen offering 3 options:

  • “Use a Single FQDN & IP Address” – this option will not be selected because we have plenty of public IPs to use.  If you only have 1 IP this is a good option, however it forces the roles onto different ports (the defaults put the access edge on 5061 and web conferencing on 444, leaving only A/V on 443); those ports are not always open outbound from corporate networks and may cause usability issues on networks you cannot control.
  • “Enable Federation (port 5061)” – this option configures the edge server to listen on port 5061 of the access edge IP for inbound federation traffic from other Lync and OCS environments.
  • “The external IP address of this edge pool is translated by NAT” – this option tells Lync that the addresses on the outside interface of the edge are not the public addresses clients see, which is why the public A/V address is entered separately later in the wizard.  Placing the edge behind a firewall that performs the NAT also means only the ports you explicitly publish ever reach the server, which limits its exposure; the NAT itself is not a security control, the firewall policy in front of it is.

For this scenario we have selected “Enable Federation (port 5061)” and “The external IP address of this edge pool is translated by NAT”.

Next we define our public names for the edge roles, notice all roles use port 443.  I would highly recommend using this method if possible.

Now we set the IP address for the internal network of our edge server.  In this scenario I have placed the internal NIC on the same subnet as the domain controller and Front End server because of limited resources in my lab.  Whenever possible I recommend placing this NIC in a separate DMZ that has a higher security level than the DMZ used for the outside interfaces, so a compromised edge still has to cross a firewall to reach the internal network.


At this point we specify the DMZ IP addresses of our edge server

In the next box we enter the public IP address of the A/V edge service (av.lyncguy.com).  In OCS 2007 R2 the edge server itself had to be able to resolve the public A/V name to its public IP; in Lync that requirement is gone because the public IP is entered here.

Next we select our next hop server (the front end server)


Next we click “Finish” and the wizard completes, we can now see our newly defined edge server in the Topology.


Now we can publish our topology.


Before we move on to working on the edge server we need to open the Lync Server Control Panel and configure our External User Access policies.

Under External Access Policy>Global Policy: Modify the existing policy to allow remote user access, federation and public IM connectivity (all of these are optional).  Click “Commit” when you have selected the options that are right for your environment


Now under Access Edge Configuration>Global Policy: Modify the existing policy to Enable Federation, remote user access and anonymous access to meetings.  I’ve also enabled dynamic domain discovery.  This allows our Lync users to automatically add Lync/OCS users from other environments without requiring administrative configuration.  This option may not be right for all environments, if it isn’t right for your environment you’ll want to use the “Federated Domains” tab to define the allowed domains and uncheck this option.  Next click “Commit”
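The same External User Access settings can be made from the Lync Server Management Shell on the Front End, which also makes the difference between dynamic discovery and an explicit partner list easy to see and to audit.  This is an added example and not part of the original post; `partner.example` stands in for a real federation partner’s SIP domain and is a placeholder.

```powershell
# Added example (not from the original post): External User Access from the shell.

# External Access Policy > Global: remote user access, federation and PIC (each optional).
Set-CsExternalAccessPolicy -Identity Global `
    -EnableOutsideAccess $true `
    -EnableFederationAccess $true `
    -EnablePublicCloudAccess $true

# Access Edge Configuration > Global, as configured in the article: open federation with
# dynamic partner discovery. Any SIP domain that publishes a _sipfederationtls SRV record
# and presents a certificate the edge trusts can federate without administrator approval.
Set-CsAccessEdgeConfiguration -AllowOutsideUsers $true -AllowFederatedUsers $true `
    -AllowAnonymousUsers $true -UseDnsSrvRouting -EnablePartnerDiscovery $true

# Tighter alternative for environments where open discovery is not acceptable: keep
# federation on, turn discovery off and enumerate the partners (the "Federated Domains"
# tab). Domains not on the allowed list are rejected at the access edge.
Set-CsAccessEdgeConfiguration -AllowOutsideUsers $true -AllowFederatedUsers $true `
    -AllowAnonymousUsers $true -UseDnsSrvRouting -EnablePartnerDiscovery $false
New-CsAllowedDomain -Identity 'partner.example' -Comment 'Approved federation partner'
# A partner that does not publish its access edge in SRV can be pinned to an FQDN instead:
# New-CsAllowedDomain -Identity 'partner.example' -ProxyFqdn 'sip.partner.example'

# Review what the edge will actually enforce after the next replication.
Get-CsExternalAccessPolicy -Identity Global | Format-List Enable*
Get-CsAccessEdgeConfiguration | Format-List Allow*, EnablePartnerDiscovery, RoutingMethod
Get-CsAllowedDomain
```

Run only one of the two `Set-CsAccessEdgeConfiguration` lines; the second overwrites the first.  The settings replicate to the edge through the Central Management Store, so `Get-CsManagementStoreReplicationStatus` is the place to look if the edge keeps behaving as before.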

Now that our environment is ready, we need to export the topology configuration to a file which we will import during the Edge install.  On the Front End server open “Lync Server Management Shell” and run the command:

Export-CsConfiguration -FileName c:\topology_export.zip

The file “topology_export.zip” will now be on the C drive of your front end server.  This file will need to be copied to the edge server.


Now that the topology has been updated we need to log into our edge server and configure it.

First we need to make sure that all the IP Addresses get assigned to the appropriate NIC.

On the internal NIC we will use only an IP Address and subnet mask, we cannot put a default gateway on this interface.


Next, on the external NIC we will fill in an IP address, subnet mask, default gateway and DNS, do not click “OK” yet

We also need to bind our other 2 IP addresses to the external NIC, to do this click the “Advanced” button and then click “Add” under “IP Addresses” and add each IP address

At this point we’ll want to add a route back to any internal networks via the internal NIC.  For this example I will be adding a route back to an internal network of 10.255.200.0/24; this could be another client or server subnet that the edge server will need to know how to route to.  The edge’s internal interface must be able to route to all internal networks via a gateway on the same network as its internal NIC, so if you have multiple networks you will have to add them all (any VPN client subnets included, or remote users on them will have media failures).  To do this we will use the route add command from a command prompt (Run As Administrator):

route add -p 10.255.200.0 mask 255.255.255.0 10.255.106.1

The “-p” portion of this command makes the route persistent, “10.255.106.1” is the next hop router to reach the other internal networks.

Next we need to configure the hostname of our edge server.  When we configure this value we must also add a primary DNS suffix.  This is different from joining the computer to the domain, but it does tell the computer its full name (i.e. LyncEdge.lyncguy.local), which must match the internal FQDN defined in the topology.

Once you have updated the name and primary DNS suffix and you click “OK” you will be prompted to reboot the edge server.

While the edge server is rebooting we can add a DNS entry on the domain controller so all internal resources know how to reach the server by its “FQDN” – it’s not actually an FQDN because it isn’t domain joined, but the rest of the systems will need to be able to route to it like it is.


Once the edge has rebooted we will need to add the feature “Microsoft .NET Framework 3.5”, to do this open Server Manager, go to Features, click “Add Features” and choose “Microsoft .NET Framework 3.5”.

You can click “next” through all other screens and then click “Install”.  Once the install completes we can move on to starting the Lync install.  First we need to copy the topology_export.zip file created above to the C drive of the edge server.

Now we can run setup from the CD.  We will immediately be prompted to install the “Microsoft Visual C++ 2008 Redistributable”; click OK here:


The install window for Lync will pop up when the C++ install completes

Click “Install” and then accept the terms and click “OK”

Now we are back in the familiar Lync Server Deployment Wizard


Click on “Install or Update Lync Server System”

Under Step 1 we click “Run”


Select the topology_export.zip file from the C drive and click “Next”.  This will allow the edge server to gather its settings from the export file.


A number of pre-requisites are installed at this point.  When this completes click “Finish”

Now click “Run” under Step 2

Click “Next” and a number of pre-requisites are installed

Once the install completes we can open up the Services snap-in and see the Lync Services are now present


Before we can move on to Step 3 (Requesting Certificates), we need to make it possible for the edge server to resolve names of the internal servers it will talk to.  This will include the CA because we will need to request the certificate for the internal interface from the internal CA.  Also, we will need to trust the internal CA so we will need to export its certificate and install it on the edge server.

To allow the edge server to resolve some internal names but not all we have a few options; a DNS server in the DMZ is one, but for this article we will be editing the hosts file.  The reason I’ve chosen not to point the edge at the internal DNS servers is to limit the number of internal hosts the edge server can even look up in case it is compromised: with a hosts file it knows about the Front End and the CA and nothing else.

The hosts file is located at “C:\windows\system32\drivers\etc”; the best method of editing this file is to run Notepad as administrator and then open the file (you’ll have to switch to “All Files” in the file type selection box).

For this scenario I will add entries for the CA and the Front End server:
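Before moving on to certificates it is worth checking that the edge is wired up the way the steps above require: no default gateway or DNS servers on the internal NIC, a persistent route for every internal network, only the intended names in the hosts file, and the Front End and CA actually reachable on the ports the next steps use.  The script below is an added example, not part of the original post; it uses the lab addresses from this article, and the 10.255.200.0 route and the two hosts entries are the ones chosen above.  It is written for the PowerShell 2.0 that ships with Windows Server 2008 R2, so it uses WMI rather than the newer NetTCPIP cmdlets.

```powershell
# Added example (not from the original post): edge server pre-flight check, run in an
# elevated PowerShell on the edge before Step 3 (certificates).
$InternalNicIp = '10.255.106.162'
$InternalNets  = @('10.255.200.0')                      # networks that need a persistent route
$HostsExpected = @{ 'lyncdc.lyncguy.local' = '10.255.106.160'
                    'lyncfe.lyncguy.local' = '10.255.106.161' }
$TcpTargets    = @( @('lyncfe.lyncguy.local', 5061),   # FE: MTLS to the edge
                    @('lyncdc.lyncguy.local', 443) )   # CA web enrollment

$ok = $true
function Fail([string]$msg) { Write-Host "FAIL: $msg"; $script:ok = $false }

# 1. Only the external NIC may carry a default gateway and DNS servers.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $isInternal = $nic.IPAddress -contains $InternalNicIp
    if ($isInternal -and $nic.DefaultIPGateway)     { Fail 'internal NIC has a default gateway' }
    if ($isInternal -and $nic.DNSServerSearchOrder) { Fail 'internal NIC has DNS servers configured' }
    if (-not $isInternal -and -not $nic.DefaultIPGateway) {
        Fail "external NIC '$($nic.Description)' has no default gateway"
    }
}

# 2. Persistent routes ('route add -p') live in the registry as value names of the form
#    network,mask,gateway,metric.
$persist = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes' `
           -ErrorAction SilentlyContinue
$routes = @()
if ($persist) {
    $routes = $persist.PSObject.Properties | Where-Object { $_.Name -match '^\d' } | ForEach-Object { $_.Name }
}
foreach ($net in $InternalNets) {
    if (-not ($routes | Where-Object { $_ -like "$net,*" })) { Fail "no persistent route for $net" }
}

# 3. hosts file: every expected name present, and nothing else resolvable from it.
$hostsPath = "$env:windir\System32\drivers\etc\hosts"
$hosts = Get-Content $hostsPath | Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() }
foreach ($name in $HostsExpected.Keys) {
    $ip = $HostsExpected[$name]
    if (-not ($hosts | Where-Object { $_ -match "^\s*$([regex]::Escape($ip))\s+$([regex]::Escape($name))(\s|$)" })) {
        Fail "hosts entry missing: $ip $name"
    }
}
$extra = $hosts | Where-Object { $line = $_; -not ($HostsExpected.Keys | Where-Object { $line -match [regex]::Escape($_) }) }
if ($extra) { Write-Host "WARN: unexpected hosts entries:`n$($extra -join "`n")" }

# 4. TCP reachability through the internal NIC (name resolution comes from the hosts file).
foreach ($t in $TcpTargets) {
    $client = New-Object System.Net.Sockets.TcpClient
    $ar = $client.BeginConnect($t[0], $t[1], $null, $null)
    if (-not ($ar.AsyncWaitHandle.WaitOne(3000) -and $client.Connected)) { Fail "cannot reach $($t[0]):$($t[1])" }
    $client.Close()
}

if ($ok) { Write-Host 'All pre-flight checks passed' }
```

A failure in step 4 with everything else passing usually means the firewall between the edge’s internal NIC and the internal network has not been opened yet; the certificate request in Step 3 needs 443 to the CA and the Lync services later need 5061 to the Front End.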


Now that we can resolve the CA, we’ll use the web enrollment page to download the Root CA chain.

Open IE and go to https://lyncdc.lyncguy.local/certsrv; you may have to authenticate, and if you do, use a domain account.  Click on “Download a CA Certificate, Certificate Chain, or CRL”


Click on “Download CA Certificate”


Save the file to the desktop or another location on the edge server.

Open the Certificates snap-in for the local computer, expand “Trusted Root Certification Authorities”, right click “Certificates” and choose “Import”


Browse to the file you downloaded in the last step and click “Open”


This will import the certificate into the trusted store for the local computer.

Now we move on to Step 3 in the Deployment Wizard, requesting and installing certificates

Highlight “Edge Internal” and click “Request” – this will allow us to request the certificate for our internal communications between the edge server and the front end.


I won’t cover every step in this wizard; you should be using all defaults here other than information specific to your environment.  I will however strongly suggest you do not add any SANs to this certificate.  One other thing of note: you will want to do this certificate request online, specifying your internal CA as shown below

You will also have to provide domain credentials to request the certificate

Once the request is completed the wizard will automatically take you to the next wizard to assign the certificate.  Again, this is a next-next-finish scenario.

Because this is a lab scenario and I will not be requesting public certificates, I will just re-run this wizard and select “External Edge Certificate” for the second certificate.  If you are using public certificates you will want to choose “Prepare the request now, but send it later (offline certificate request)” for your request.

***One important difference between OCS 2007 R2 and Lync is that the edge roles can now all share one certificate with a subject (CN) of only the access edge; you no longer need to generate a separate certificate for each role using that role’s FQDN as the subject name.  For information on how that worked in OCS 2007 R2 please see this article***

The new certificate will have the following fields automatically, unless you are configuring multiple sip domains there is no need to modify this or add additional SANs.

Subject (Common Name) | sip.lyncguy.com
SAN 1                 | webconf.lyncguy.com
SAN 2                 | sip.lyncguy.com

Now we can run Step 4 to start the services and our edge server should be up and running.

Once this process is complete the NATs and access lists must be created on the firewall to allow the appropriate traffic in and out.  I have only covered the inbound rules in the table below, please see the edge server documentation or the Lync Server Planning Tool for more detail.

Rule                         | Public IP       | Private IP      | Allowed Protocol – Port
Access Edge (client access)  | XX.102.182.163  | 10.255.110.163  | TCP – 443
Access Edge (federation)     | XX.102.182.163  | 10.255.110.163  | TCP – 5061
Web Conferencing Edge        | XX.102.182.164  | 10.255.110.164  | TCP – 443
A/V Edge                     | XX.102.182.165  | 10.255.110.165  | TCP – 443
A/V Edge                     | XX.102.182.165  | 10.255.110.165  | UDP – 3478
A/V Edge                     | XX.102.182.165  | 10.255.110.165  | TCP – 50,000 through 59,999
A/V Edge                     | XX.102.182.165  | 10.255.110.165  | UDP – 50,000 through 59,999

After the firewall changes are made we need to create the A records for each of our services on the public DNS server

Record Type | Name                 | IP Address
A           | sip.lyncguy.com      | XX.102.182.163
A           | webconf.lyncguy.com  | XX.102.182.164
A           | av.lyncguy.com       | XX.102.182.165

You will also need to create SRV records on the public domain for automatic sign-in and for federation.  For automatic sign-in create an SRV record for _sip._tls.lyncguy.com pointing to your access edge (sip.lyncguy.com) on port 443.  For federation create an SRV record for _sipfederationtls._tcp.lyncguy.com pointing to your access edge on port 5061.
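Once the firewall rules, public A records and SRV records above are in place, the whole chain can be checked from a machine outside the DMZ before reaching for the connectivity tester: does each public name resolve to the expected IP, is each published TCP port reachable, does the edge present the certificate from the table above on 443, and do the two SRV records point where they should.  This is an added example and not part of the original post; the XX.102.182.x values are the article’s masked public IPs and must be replaced with real ones.  Port 5061 is only TCP-tested because the access edge expects mutual TLS there, and UDP 3478 and the 50,000 to 59,999 media range are not tested because a UDP connect proves nothing.

```powershell
# Added example (not from the original post): external verification of the edge
# publishing. Run from the Internet side (or any network outside the DMZ).
$SipDomain = 'lyncguy.com'
$Expected  = @{ "sip.$SipDomain"     = 'XX.102.182.163'     # replace with real public IPs
                "webconf.$SipDomain" = 'XX.102.182.164'
                "av.$SipDomain"      = 'XX.102.182.165' }
$TcpPorts  = @{ "sip.$SipDomain"     = @(443, 5061)         # client access + federation
                "webconf.$SipDomain" = @(443)
                "av.$SipDomain"      = @(443) }
$Srv       = @{ "_sip._tls.$SipDomain"              = @("sip.$SipDomain", 443)
                "_sipfederationtls._tcp.$SipDomain" = @("sip.$SipDomain", 5061) }

function Test-Tcp([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    $c  = New-Object System.Net.Sockets.TcpClient
    $ar = $c.BeginConnect($Target, $Port, $null, $null)
    $up = $ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $c.Connected
    $c.Close(); return $up
}

# Fetch the certificate the edge presents. Trust is deliberately ignored so a lab CA
# still reports; what we want to see is the CN/SAN, not the chain.
function Get-EdgeCert([string]$Target, [int]$Port) {
    $c   = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($c.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($Target)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close(); $c.Close(); return $cert
}

foreach ($name in $Expected.Keys) {
    $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
    $dnsOk = $addrs -contains $Expected[$name]
    '{0,-22} A -> {1,-16} {2}' -f $name, ($addrs -join ','), $(if ($dnsOk) { 'OK' } else { 'MISMATCH' })
    foreach ($p in $TcpPorts[$name]) {
        '{0,-22} tcp/{1,-5} {2}' -f $name, $p, $(if (Test-Tcp $name $p) { 'open' } else { 'BLOCKED' })
    }
    try {
        $cert = Get-EdgeCert $name 443
        $cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $san  = ($cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }).Format($false)
        '{0,-22} cert CN={1}; SAN={2}; expires {3:yyyy-MM-dd}' -f $name, $cn, $san, $cert.NotAfter
    } catch { '{0,-22} TLS handshake on 443 failed: {1}' -f $name, $_.Exception.Message }
}

# SRV records: nslookup is the only SRV-capable resolver on 2008 R2 / PowerShell 2.0,
# so its text output is parsed (an assumption about its English output format).
foreach ($rec in $Srv.Keys) {
    $out    = nslookup -type=SRV $rec 2>$null | Out-String
    $target = [regex]::Match($out, 'svr hostname\s*=\s*(\S+)').Groups[1].Value.TrimEnd('.')
    $port   = [regex]::Match($out, 'port\s*=\s*(\d+)').Groups[1].Value
    $good   = ($target -eq $Srv[$rec][0]) -and ($port -eq "$($Srv[$rec][1])")
    '{0,-40} -> {1}:{2} {3}' -f $rec, $target, $port, $(if ($good) { 'OK' } else { 'WRONG' })
}
```

A name that resolves correctly and whose port is open but whose certificate CN is not the access edge name is the classic leftover from an OCS-style per-role certificate; a MISMATCH on the A record while the SRV is OK usually means the internal split-brain copy is answering because the test box is not really outside.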

Now we can test the server using https://www.testocsconnectivity.com/ and get ready to deploy reverse proxy.  For that I’m going to point you to Randy Wintle’s article on the subject.

For the next article I will go through configuring XMPP for Lync using the OCS 2007 R2 XMPP gateway.


About Kevin Peters

My name is Kevin Peters.

431 Responses to Deploying an Edge Server with Lync

  1. Pingback: Lync Server 2010 features and how to configure them « msunified.net

  2. Pingback: Deploying Lync for XMPP « The OCS Guy's Blog

  3. Deon says:

    Hi,

    I cannot export the topology using the command above.

    please see error below;
    Export-CsConfiguration : Cannot open database “xds” requested by the login. The login failed.
    Login failed for use ‘domain\xxxx’
    At line:1 char:23

  4. Deon says:

    Hi, any ideas why federation will not work but remote user access works. Ports 443 and 5061 are open.

  5. Kevin Peters says:

    Deon,

    Please make sure you have your public federation record created (_sipfederationtls._tcp.domain.com), make sure the federation is allowed in the Control Panel, and in topology builder make sure to set the “Site Federation Route” to be your edge server for your newly created site (properties of the site). It looks like I forgot this step in the article, I will have to go back and update it.

    Hope this helps and thanks for reading!
    -kp

    • Deon says:

      Hi Kevin,

      Thanks for your help. Issue finally resolved: set the site federation route, but for some reason it still didn’t work. Deleted all DNS related records and recreated them and that sorted it out. Weird.

  6. Bernd Lambrecht says:

    Hi, I’ve made the Lync 2010 Enterprise installation in the same way you did, but I can connect from outside over the edge-server. Internally everything is running well. I’ve looked on the internet during the last days for a solution. With the test tool http://www.testocsconnectivity.com I still get the following error: “…Subscription for provisioning data did not return a valid MRAS URI.” I still have the same problem with a client logon at the external side of the edge without the firewall. Would you help me find the solution? You can also call me by phone +49 151 14641462, best regards Bernd

    • Kevin Peters says:

      Bernd,
      Have you created the public SRV record for your SIP domain?

      It should be _sip._tls.domain.com pointing to your edge servers public name (i.e. sip.domain.com) on port 443. Without that record things will not connect.

      Hope this helps!
      -kp

  7. Bernd Lambrecht says:

    Hi Kevin, I’ve solved my problem. In one installation were the edge has got three external IP addresses the access name needs the port information 443 -> sip.domain.de:443 In an other installation with only one external IP address the client is starting the access with the standard port 5061 -> sip.domain.de
    The srv function for internal autologon is working, from external I’ll test next week. The provider was today able to configure the srv function in the public DNS. You can close this ticket, because it’s solved for me. Thanks for your response

  8. Artem says:

    Hi, Kevin!
    In the beginning of the article you wrote that you will use one public IP with NAT. And in the last table you have 3 different public IPs for each name. You didn’t use NAT?

  9. Jafaruddin Lie says:

    Hi Kevin
    Thank you for your excellent guide, I have been using it to get my Lync server up and running!

    Got a question about my test setup. Currently, the internal CA is also the internal Lync server. I have a frontend server called Lync-FE. No NAT, no federation, just a straight forward install.

    Whenever I start the services, I get ‘Warning: Cannot start service RTCMEDIARELAY on computer’.

    Tracing it further, I found that when I imported the certificate for the internal interface (the external interface is using cert from GoDaddy, no issue there), I get “Warning: Revocation status unknown. Cannot contact the revocation server specified in certificate “C4A3F8B6C6ABDE26D160975B4E6C19B2C1C973BA” for the issuer “CN=LYNC,…”

    I tried to manually start the service, I get this error on the Event Viewer log: “The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.”

    Now, since the web interface for CA is not available, I have manually imported the cert file from %system32%\certserv\certenroll\lync-ca of the CA to the Trusted Root CA certificate store in the Edge server.

    Am I right in thinking that the service won’t start because of the certificate trust issue, or am I looking at the wrong direction here? I have tried deleting and importing the CA into the Edge server a few times now.

    • Kevin Peters says:

      Hi Jafaruddin, if you are using a GoDaddy Cert and have assigned it via the deployment wizard than everything should be ok. However, if you are running into issues try downloading the Cert Check and Repair Utility from Digicert, it can fix errors with any public certs, not just DigiCert. It is a great util:
      http://digicert.com/util

      Hope this helps!
      -kp

      • Jafaruddin Lie says:

        Thanks for that, Kevin.
        I think I didn’t write it clear the first time, but it is not the external interface that is having issue, it is the internal interface (which is self-signed using a CA that I setup) that is playing up.

        The external interface with GoDaddy cert all works well, it’s the internal cert that’s playing up 🙂

        Would cert error stop RTCMEDIARELAY service from starting?
        Is there a way to just tell Lync to ignore all SSL cert trust errors?

    • richard says:

      I read in your following posts that you got pass the revocation error problem, can you share how you did it?

  10. Ellis says:

    i have an issue. When a remote user tries to do a pc to pc call to another remote user its fails but IM works. Error message says there is a network error. Everything works fine internally. I have McAfee installed on the Edge Servers. Could they be blocking ports?

    • Kevin Peters says:

      Hi Ellis, do you have an A/V edge defined? Also, is it behind nat, and if so is the public IP identified in the topology builder? Typically, for 2 external clients they are only going to signal through the edge and media will go straight from client to client, so that may not be related. McAfee could certainly be part of the issue as well, have you tried to disable it and see if it works?

      -Kevin

  11. Ken Stieers says:

    Hey Kevin,

    Does the route on the internal nic have to be able to get to all internal IPs, or just the FrontEnd pool?

    Ken

    • Kevin Peters says:

      Hi Ken,

      It needs to be able to get to all internal networks with clients, and any VPN subnets that your users may use. If it can’t you will have media issues on those networks.

      Hope this helps!
      -kp

  12. Carlos Melo says:

    Hi Kevin,

    Very Good walkthrough to deploy a Edge Lync Server.
    I Have one question also: If I have only one public IP and one Internel IP. How can I setup this edge server?

    Thanks
    Carlos

  13. Kevin Peters says:

    Hi Carlos,

    If you only have a single IP you would select the following during the install:
    “Use a Single FQDN & IP Address”

    This means each service will be using different ports than 443 but really doesn’t cause any issues unless you are dealing with other corporate firewalls for your users.

    Hope this helps!
    -kp

  14. mirda says:

    Dear kevin,
    first many thanks for this useful document
    second i have a problem and need your urgent help please
    I have run my edge server with a single IP
    “Use a Single FQDN & IP Address”
    so it set 3 ports for me: 5061, 444 and 443.
    When I try to telnet to these ports on the edge locally I can only connect to port 444; the other two ports don’t connect. I have also disabled the edge’s Windows firewall and removed the antivirus but still I couldn’t telnet locally to 5061 and 443!!!
    So the SRV record on the public DNS is set for 5061 and everything fails 😦
    What could be the problem? And in your opinion, if I change 5061 and 443 to only 444 in topology builder and set the public SRV record to 444, will my problem be solved?
    Any recommendation pleasseeee

  15. Bernd Lambrecht says:

    Hi Mirda, please also check in the Lync Management Panel under “external user access” -> “external access policy” that the option “federated user access” is deactivated, and the same under “access edge configuration” -> the point “federated user access”. The federation function also works with port 5061. For federation you need an edge with three IP addresses and a reverse proxy server, where the clients work with 443 and federation with 5061. The second point is to activate the NTLM function in the Management Panel under “Security” -> Registrar and also on the PC of the user: gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> a) Network security: LAN Manager authentication level = Send LM & NTLM responses; b) Network security: Allow Local System to use computer identity for NTLM = enabled; c) Network security: Minimum session security for NTLM SSP based (including secure RPC) clients = Require 128-bit encryption; d) Network security: Minimum session security for NTLM SSP based (including secure RPC) servers = Require 128-bit encryption.

  16. TO says:

    My PIC service for my organization has been provisioned successfully with Microsoft, but I don’t seem to be able to see the status of Microsoft Live users, e.g. @hotmail.com. I’m able to IM from Lync to hotmail.com, but not see the status or IM from hotmail.com to Lync. When I checked the S4 and SIPStack log I’m seeing this warning:
    Exit – message domain [hotmail.com] and server [federation.messenger.msn.com] domain are not the same. Returns FALSE

  17. Jafaruddin Lie says:

    Hi Kevin

    Quick one here:

    After quite an ordeal to get Lync Edge server up and running, I am happy to say that at least now all the services are started!

    From “external” (the server is not available to the Internet yet, currently testing it from different parts of our DMZ, close enough to be considered external access), the client can login and chat (IM) to other users.

    However, video and audio calls are dropped with the message “Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote” logged in the Edge server. There is no firewall between the client and the edge server. From the edge server to the internal Lync server, IP-IP connection is allowed (for testing). There is a firewall between the internal client to the internal Lync server, but audio and video calls are working between internal users anyway.

    Any ideas? *_*

  18. tyler says:

    Are there any additional ports whether it be inbound or outbound that need to be opened? Everything seems to work great except that web conferencing doesn’t work for edge users. Whiteboard, polls and powerpoint do not work. Client says there is a server connectivity problem, references error 141. Looking at firewall logs the client makes the connection to webconf.domain.com and immediately terminates the connection. What other logs should I check?

    • Kevin Peters says:

      Tyler,

      Have you deployed a reverse proxy yet? That will be required for the features you are using.

      Hope this helps!
      -kp

      • tyler says:

        I am using TMG as my reverse proxy. So I set up simple “Publish Non-Web Server Protocol” rules for my edge services (SIP, AV, Webconf). And then “Publish Web Site” for my front end server to publish meet, dialin, address book. External meeting and dialin URL’s work fine. I followed this and Randy’s guide on reverse proxy.

        Is there something I could have missed that would cause Web Conferencing to not work?

  19. Peter says:

    Hi Kevin,

    I have got the edge server running with a few changes (Ip’s etc) but internal to external and external to internal voice does not work.

    “Meet now” works fine and so does internal to internal and external to external.

    But as soon as it uses internal and external then i get “call failed due to network issues”

    BTW, the audio test works fine.

    Any help would be great.

    Thanks
    Peter

    • Martin says:

      Hi Peter & Kevin,

      Have you ever resolved this issue? I am experiencing the exact same thing.
      (Meet Now is working well, internal-to-internal = OK, external to external = OK, Internal to External = Fail)

      In response to Kevin’s questions:
      – My A/V IP seems to be correctly defined in the topology
      – I can telnet from the outside to the port 443 at the A/V address

      I am quite puzzled.

      Any help will be much appreciated,

      Martin

  20. Kevin Peters says:

    Hi Peter,

    Are you NAT’ing the A/V IP address? If so, do you have the actual public IP specified in the topology? Also, can you telnet from the outside to the public IP of the AV role on port 443?

    Hope this helps!

    -kp

    • BP says:

      Hi Kevin,

      In your example you have the external IP in the DMZ not the Public IP. Which IP should be place in the External IP for A/V, Webcon, and SIP?

      Thanks,

      Brian

      • Kevin Peters says:

        Hi Brian,

        The IP placed in the external IP for AV, Webconf and SIP should be the DMZ IP (If that IP is assigned directly to the external interface of the Lync edge). You will only put the public IP in the “NAT enabled public IP address used” field for the edge properties.

        HTH

        -kp

  21. Jafaruddin Lie says:

    Hi Kevin
    Almost there.. *_*
    Edge now up and running.
    Can connect and IM works fine, but AV always fails with Network Connection issue.
    Wireshark showed that for AV, the external client would try to connect directly to the internal client’s IP address. Is this right? I have no idea how STUN works, so this could be indeed expected behaviour from Lync, and I have firewall issues somewhere else. *_*

  22. Peter says:

    Hi Kevin, my problem was that the edge server was connecting to a ProCurve switch before getting to the firewall. All I did was plug the Edge directly into the firewall, redefine my topology and publish. Then it all started working.

    Thanks for the great article. This has been bugging me for months and now finally it works. Time for a salary increase I guess 🙂

    Regards
    Peter

  23. Hampus says:

    Hi Kevin,

    First let me thank you for an excellent guide, you made Lync installation easy (or at least easier).

    I have some issues with a federated partner that is using OCS 2007 R2. This is the first federation we are doing and everything went fine to start with. The user at the other end managed to add, IM me and even voice call me. But I cannot reply to any IM’s, voice calls initiated by me fails and his contact card says “Presence unknown”.

    We have three public IP’s configured for the edge server and we are using NAT. My edge server is located on same subnet as the front end so the internal NIC and external NIC is located on the same subnet. I have configured the “internal NIC” without default gw or DNS. Could it still be a problem or do you have any other suggestions?

    Thanks in advance!

    Best regards,
    Hampus

  24. Kevin Peters says:

    Hampus,

    From your description it sounds like both of your NICs on your edge server are on the same subnet. If that is the case you will have to move them to different subnets to have a supported install. Although it may not be the root cause of your problem, it would have to be the first step taken in troubleshooting. Please let me know if I have mis-understood.

    Thanks for reading!

    -kp

  25. Ed says:

    Hi Kevin,

    I am running into an issue trying to get our external access working. I have deployed the Edge server from your instructions(we only have 1 external IP for the Edge so I used that option.)

    We are a small non-profit law firm so TMG and ISA are out of the question for us cost wise. Is there another way of getting the external user access working? I have tried URL rewrites, but they do not seem to be working. I ran the OCS Connectivity test, but I just get an error saying that the remote connectivity test failed with no errors. What should be the correct website that we test? Is it the external address in the Lync topology builder or the one you create during the Edge Pool setup?

  26. Tom O says:

    I got our Edge server rolled out and can login remotely with the client. I can do A/V with clients that are on the same subnet as the Lync front-end. When I try to connect to clients at another office I can do IM but not A/V. Any ideas? Thanks

  27. Tom O says:

    Nevermind… figured it out. Needed to make it so the clients on the other subnet could talk to the Edge server

  28. Jose Bautista says:

    Hello Kevin,

    Nice article, and I just deployed Lync Standard Edition for my company, now we want to:

    – Federation with Public IM (this *could* be deployed, management is still not sure about it, but I don’t want to re-deploy again, so I’d like to do one job and then enable it when they decide to use it or not)

    – Federation with a partner (this is using a VPN Site-to-Site) that is currently using OCS 2007. This is the mandatory need.

    So, my questions are:
    – What will be the best approach for this?
    – Should I deploy the edge with 3 public IPs + 3 DMZ IPs?
    – If we are using the VPN S2S between the 2 companies, do I still need those IPs?
    – Do I need to deploy a Director as well?

    I’m a little confused about what exactly I need to do…
    Thank you !

    Jose

  29. Jonas says:

    Hi,

    I’ve followed your excellent guide.
    I can’t see that 443 is opened on the first external NIC interface?

    When I print out a netstat I get the following:
    sip.company.com
    TCP 192.168.200.71:139
    TCP 192.168.200.71:5061

    webconf.company.com
    TCP 192.168.200.72:444

    av.company.com
    TCP 192.168.200.73:443
    TCP 192.168.200.73:50950
    TCP 192.168.200.73:58024

    Those three IP addresses are on the “DMZ”
    and I’ve got one internal interface for the internal network: 192.168.100.71 (lyncedge.company.com)

    TCP 192.168.100.71:139
    TCP 192.168.100.71:443
    TCP 192.168.100.71:3389
    TCP 192.168.100.71:5061

    Though internal users seem to be able to log on to Lync from their clients from outside. (Using port 5061?)

    Shouldn’t all interfaces on the DMZ listen on port 443?

    Thanks
    Jonas

  30. Kevin Peters says:

    Hi Jonas,

    As long as you selected port 443 for each IP in your topology then each port should be listening there. Please verify there isn’t a mistake in your topology just in case.

    Hope this helps!
    -kp

    • Jonas says:

      Well,

      Under “Edge Server Configuration” in Topology Builder default values are set –
      sip.company.com 5061 (TLS)
      webconf.company.com 444 (TLS)
      av.company.com 443 (TCP)

      Should I just simply change those to 443 on all interfaces?

      If I re-publish the topology with changes made, do I have to “install local configuration store” from a new zip file all over again?

      Thanks again,
      Jonas

  31. Kevin Peters says:

    Hi Jonas,

    Please make sure “Use a Single FQDN and IP address” is not checked on this page:

    As long as that is checked each of the 3 IPs should default to port 443.

    Then you just need to republish and possibly re-import on the edge.

    Hope this helps!
    -kp

  32. Brian says:

    Hi,

    I set up an Edge Server using one NAT IP address. We are using this for both the external and internal NIC. The only way I could get the Lync Access Edge service to start successfully was by binding the public IP to the NIC. I don’t really want to do this. Do I need to NAT another IP and bind it to the NIC as well? If I do, can they be on the same subnet? Also, I am getting an error on the Lync clients now since setting up the Edge server that states that “some calls to and from people outside of your network may not connect due to server connectivity problems”. We are only using Lync for IM so is there any way to resolve this error showing up? Thanks for any help you can provide.

  33. Kevin Peters says:

    Brian,

    Edge server requires 2 different NICs on 2 different subnets. To make your edge work that is what you will need to do. As far as what IP the external NIC gets it can be a public IP or a DMZ IP that is NAT’d by your firewall. Please have a look at this diagram again: https://kptheocsguy.files.wordpress.com/2010/11/lyncedge.jpg

    You don’t have to use the same IP addresses as I did, but you must have the interfaces on 2 different subnets.
    Hope this helps!
    -kp

    • Brian says:

      Thanks for the advice, Kevin. That worked. Now I ran into something else that I see too many conflicting theories on. When I run the get-CSManagementStoreReplicationStatus PowerShell cmdlet, I get the following:

      UpToDate : True
      ReplicaFqdn : lyncfe.company.com
      LastStatusReport : 3/31/2011 9:16:22 AM
      LastUpdateCreation : 3/31/2011 9:16:19 AM
      ProductVersion : 4.0.7577.0

      UpToDate : False
      ReplicaFqdn : lyncedge.company.com
      LastStatusReport :
      LastUpdateCreation : 3/31/2011 3:20:21 PM
      ProductVersion :

      I was told that this is due to a problem with the certificates between the front-end and internal edge interfaces. I was using a third-party wildcard certificate on those interfaces. We don’t want a cert authority server on our network (don’t ask why, it was a decision between our CIO and lead network admin and I can’t get them to change their minds). Should I be getting 3 certificates then for the front-end, internal Edge, and external Edge, or could this be done with a SAN certificate with all three FQDNs in there? I know you said in your blog not to use SANs in between the internal Edge and front-end, why is that? Thanks again.

  34. Kevin Peters says:

    Hi Brian,

    Sorry I can’t be more in depth on why at the moment (away at MCM for the next three weeks and am very busy) but you definitely do not want any SAN fields on your edge server’s internal interface.
    As far as a wildcard on the internal interface of the edge, it is supported there (as long as it doesn’t have SANs) but I would still recommend a single CN cert. I’ve seen people do the same cert for all roles thing, but I tend to go the other direction with a unique cert specifically for each role. I’m not saying you can’t make it work, but in a lot of cases the money saved on only buying one certificate is lost on troubleshooting issues.

    As for replication to the edge, the front end server will push the updates to the edge’s internal interface over https on port 4443. Please make sure you can reach the edge from the front end on that port.

    Hope this helps!

    -kp

    • Brian Osley says:

      Thanks for the answers, Kevin. One other thing that is stopping me cold right now is communication with Yahoo users. I put in a request for PIC licensing and Microsoft Support Services tells me it is done, but they haven’t given me any direction on how to get it all set up to work. Is this supposed to just work? I can’t find anything on the Internet for information on what the next steps are and I get “Error ID 504 (source ID 239)” when I try to send a message to a Yahoo user. Any idea where I could go to find the answer for this?

      • Brian Osley says:

        BTW, I did set up Lync and the Edge server for federation and have Yahoo selected as a public provider and enabled all communications option for Yahoo. Port 5061 is also open on my firewall.

      • Kevin Peters says:

        Brian,
        As long as you have the PIC domain providers allowed on the allow list and your SRV record up to date it should just work. If it’s not you may want to run the logging utility on SIP for your edge server and try to contact someone to see what happens.

        Hope this helps!

        -kp

    • Amit Sharma says:

      Hi Kevin,

      I am deploying Lync Edge Server and I am confused about ports. Please confirm which ports I need to open in the firewall and on the Edge Server.

      Waiting for your reply.

      Thanks,

      Amit Sharma

      • Kevin Peters says:

        Hi Amit,

        It may be worth reading the edge guide or even looking at the Lync ports and protocols poster. There are a number of different combinations based on deployment type and if you would like it to integrate with other systems. If you can be more specific about which interfaces and the type of edge deployment I may be able to provide some guidance.

        hth
        -kp

  35. Phil says:

    Hi Kevin,

    We are running OCS 07 R2 with two pools and recently decommissioned one pool and migrated to Lync. We moved all of our users over to the new environment and are going to rebuild the rest of the hardware to Lync. My question, since our Edge server is of the OCS flavor, do we need to move that to Lync or can we leave it as is?

    Thanks..

  36. Pingback: A Few Words on Federation « The OCS Guy's Blog

  37. Chris Towles says:

    Amazing write up on adding the Lync Edge Server. Thanks for the hard work.

  38. Deon says:

    Hi Kevin,

    Me again, ok at a different site now, the setup is a simple Lync Front End with Edge. 3 external IP addresses NAT’d and the correct IP address is specified in the topology builder. So users are able to log in remotely, users can call each other internally or externally.

    Federated Users:
    Presence and IM work
    Audio and Video fail, this place has firewalls everywhere, but how could it be blocking it if remote user calls work?

    Please assist, thanks.

    Kind Regards,
    Deon

    • Kevin Peters says:

      Deon,

      Maybe A/V ports are blocked at the firewall for federated contacts? Also, it could be the other end, have you tested with multiple federated partners? If so I’d start by logging client and edge server side. Also, keep in mind if you are federating with an OCS 2007/R2 environment you will need the 50,000-59,999 range open (this isn’t a requirement if the other end is Lync and your environment is Lync).

      Hope this helps!

      -kp

      • Deon says:

        Hi Kevin,

        Thanks for the feedback.
        I am testing with multiple Lync sites (that do work) and get the same error. I have run the testocsconnectivity tool and everything passes. Weird because this is only affecting federated contacts and not remote users. Can you tell me exactly how the media flow with ports will occur from a federated contact to an internal contact? The info out there seems a bit mushy.

        Kind Regards,
        Deon

      • Kevin Peters says:

        Hi Deon,

        Without testing this to verify, I BELIEVE audio/video will go directly between edge servers in a federated scenario. I believe the traffic is not P2P, I have run a few captures to verify that I am seeing this, but am not 100% sure that is the case.

        Hope this helps!

        -kp

  39. michael musa says:

    Hi, I have been trying to deploy a Lync 2010 edge server in my lab but I can’t install certificates.

    • Kevin Peters says:

      Do you mean you can’t install a CA to use?

      -kp

    • michael musa says:

      I have imported the topology from my Lync server. While deploying the edge server using the Lync deployment wizard, I can’t get past the certificate request level. I keep getting the error “the certificate cannot be installed on the specified server”.

      • Kevin Peters says:

        Hi Michael,

        I’ve never seen this issue before, my first guess would be the CA certificate isn’t installed on the edge (if this is happening with an internal request).

        Hope this helps!

        -kp

  40. chamila says:

    Hi Kevin,

    I am confused about one thing. Your internal IP range is 10.255.106.x and the external is 10.255.110.x. In the Define Edge Pool wizard under the Define the Public IP address page the IP x.102.182.165 is given. In the table of IP addresses it shows that public IP is for the external NIC’s IP 10.255.110.165.
    But when it comes to Topology Builder the public IP shows under the internal IP of the Edge server (10.255.106.162). What I want to know is, when doing NATing, which IP we have to use, either internal 10.255.106.162 or external 10.255.110.165.
    Kind Regards,

    Kanishka.

    • Kevin Peters says:

      Hi Chamila,

      The 10.255.110.X range are all DMZ IPs used by the external NIC of the edge. The 10.255.106.X IP is the internal NIC used to communicate with internal clients and servers. Then public IPs are NAT’d to the DMZ IP addresses. Once this is done you just need to specify the A/V service’s public IP to allow it to work when NAT’d.

      Hope this helps!

      -kp

  41. bostjanc says:

    Greetings Kevin!
    Nicely done tutorial. I think a lot of people owe you a beer or two. I have one question about your guide. Why does topology builder ask you to put only one public IP? We are using 3 DMZ IPs and because of NAT we then thought we would need 3 public IPs, but in the guide you only mention putting in the public IP address of the A/V service. Is there any special reason for doing that? With best regards.

    • Kevin Peters says:

      Hi bostjanc,

      The reason you only have to specify 1 IP is the access edge and web conferencing components can work well with NAT without knowing the public IP. The AV service cannot, so you have to tell it what public IP it has.

      Hope this helps!

      -kp

  42. bostjanc says:

    Hi Kevin! Thank you for a previous reply.
    We have followed your tutorial and we ran into some problems in the phase of creating the internal edge certificate. The Edge server is in our DMZ location;
    it has 2 NICs
    -1 NIC has an internal IP address without default gateway; the computer is not joined to the domain (just like you mention in your tutorial)
    -second NIC has 3 DMZ IPs…
    -Certificate authority is installed on an internal server.
    -we did a route table entry for the subnet where the internal CA is
    -We have updated the hosts file on the edge server to see the CA of the internal server
    -https://fqdn-internal-ca/certsrv works
    – sending the request for the cert went well with the Lync wizard
    – issuing the request on the internal CA went well

    * but the problem appeared at the point of processing pending certificates on the edge server, not working with error:

    Error: An error occurred: “System.Runtime.InteropServices.COMException” “The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)”

    -We have tried disabling Windows Firewall on both machines – still not working.

    Any suggestions? Is it possible or related that this is not working because when you request a certificate you specify credentials, but when you want to accept pending certificates you don’t have the option to put in any credentials, and because the edge server is not a part of the domain, the internal CA does not know which credentials to use? Or is there something else?

    • Kevin Peters says:

      Hi bostjanc,

      Couple of things:
      1> The default gateway should be on the external NIC, not the internal, route add should be used to route internal networks via a gateway on the same network as the internal NIC.
      2> Make sure the CA chain from your internal CA is installed on the edge server (this is a manual process since it isn’t domain joined)
      3> Try importing the response from the CA into the Certificates MMC instead of using the Lync wizard. To do this: Start>Run>MMC> File>Add/Remove Snap-in>Certificates>Local Computer. Then right click “Personal”, choose Import, and use the response from the CA as the source.

      Hope this helps!

      -kp
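The NIC layout Kevin lists in points 1 and 2 above is easy to get subtly wrong. The following PowerShell is an added example (not from the original post or the Lync product) that checks it read-only on the Edge server: exactly one adapter holds the default gateway, the adapters are on different subnets, and each internal network has a persistent route whose next hop sits on the internal NIC's subnet. It assumes an elevated PowerShell on Windows Server 2008 R2 or later; the values in $InternalNetworks are constructed placeholders.

```powershell
# Added example: read-only sanity check of the Edge server NIC layout.
# Assumes an elevated PowerShell on the Edge server (Windows Server 2008 R2+).
param(
    # Constructed placeholder values; replace with the internal networks the Edge must reach.
    [string[]]$InternalNetworks = @('10.255.106.0/24', '10.255.0.0/16')
)

function ConvertTo-SubnetMask {
    param([int]$PrefixLength)
    $bits   = ('1' * $PrefixLength).PadRight(32, '0')
    $octets = for ($i = 0; $i -lt 4; $i++) { [Convert]::ToInt32($bits.Substring($i * 8, 8), 2) }
    return ($octets -join '.')
}

function Get-NetworkAddress {
    param([string]$Ip, [string]$Mask)
    $ipBytes   = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $maskBytes = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $net = for ($i = 0; $i -lt 4; $i++) { $ipBytes[$i] -band $maskBytes[$i] }
    return ($net -join '.')
}

$findings = @()

# Collect IPv4 address/mask pairs per adapter (IPAddress and IPSubnet are parallel arrays in WMI).
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$nics = foreach ($a in $adapters) {
    $addrs = @()
    $ips   = @($a.IPAddress)
    for ($i = 0; $i -lt $ips.Count; $i++) {
        if ($ips[$i] -match '^\d{1,3}(\.\d{1,3}){3}$') {
            $addrs += New-Object PSObject -Property @{
                IP      = $ips[$i]
                Mask    = $a.IPSubnet[$i]
                Network = Get-NetworkAddress $ips[$i] $a.IPSubnet[$i]
            }
        }
    }
    New-Object PSObject -Property @{
        Name      = $a.Description
        Addresses = $addrs
        Gateway   = @($a.DefaultIPGateway | Where-Object { $_ })  # empty array when no gateway is set
    }
}

# Check 1: exactly one adapter (the external/DMZ one) carries a default gateway.
$withGw = @($nics | Where-Object { $_.Gateway.Count -gt 0 })
if ($withGw.Count -ne 1) {
    $findings += "WARN: $($withGw.Count) adapters have a default gateway; expected exactly 1 (the external NIC)."
} else {
    $findings += "OK: default gateway only on '$($withGw[0].Name)' ($($withGw[0].Gateway -join ','))."
}
$internal = @($nics | Where-Object { $_.Gateway.Count -eq 0 })

# Check 2: no two adapters share a subnet (two NICs on one subnet is not a supported Edge layout).
$seen = @{}
foreach ($n in $nics) {
    foreach ($addr in $n.Addresses) {
        $key = "$($addr.Network)/$($addr.Mask)"
        if ($seen.ContainsKey($key) -and $seen[$key] -ne $n.Name) {
            $findings += "WARN: '$($n.Name)' and '$($seen[$key])' are both on $key."
        }
        $seen[$key] = $n.Name
    }
}

# Check 3: each internal network has a persistent route whose next hop is on the internal NIC's subnet.
$routes = @(Get-WmiObject Win32_IP4PersistedRouteTable)
foreach ($cidr in $InternalNetworks) {
    $dest, $prefix = $cidr.Split('/')
    $mask = ConvertTo-SubnetMask ([int]$prefix)
    $rt   = @($routes | Where-Object { $_.Destination -eq $dest -and $_.Mask -eq $mask })
    if ($rt.Count -eq 0) {
        $findings += "WARN: no persistent route for $cidr (expected: route add -p $dest mask $mask <internal-gateway>)."
        continue
    }
    $hop = $rt[0].NextHop
    $onInternal = @($internal | ForEach-Object { $_.Addresses } |
        Where-Object { (Get-NetworkAddress $hop $_.Mask) -eq $_.Network })
    if ($onInternal.Count -gt 0) { $findings += "OK: $cidr routes via $hop on the internal NIC." }
    else { $findings += "WARN: next hop $hop for $cidr is not on the internal NIC's subnet." }
}

$findings
```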

      • bostjanc says:

        Hi Kevin, or should I say good morning to you,
        because in Europe it’s 14:13. First, thank you for your quick reply.
        I will give some answers to your statements.

        -Default gateway has been written only on the External NIC.
        -Default gateway has not been written on the Internal NIC. I have put there only the IP and SUBNET mask.
        -CA chain has been manually imported before I got the problem with pending certificates.
        -I tried with importing but I am only able to import it from a file,
        there is no option to get a response from the CA as the source.

        I am wondering if this has got something to do with route add, because I’m not
        sure if I have put it right.

        For example
        Internal NIC IP is: 192.168.50.x
        subnet mask: 255.255.248.0

        External NIC IP has a different subnet mask and of course
        a different subnet because it is in the DMZ,
        for example the subnet is: 255.255.255.0

        I made routing like this:
        route add -p 192.168.50.0 mask 255.255.248.0 192.168.50.1

        I doubt a little that routing could be the problem because
        the internal CA is in the hosts file of the edge server.
        RPC services are launched and running on both servers.
        I am able to send a request to this internal CA from, for example,
        the Lync pool server, and then pending certs are no problem, but
        for this edge computer in the DMZ it’s impossible to make it right.
        I have run out of ideas where the root of the problem is.
        I thought it may be related to credentials because the computer
        is out of the domain 😦

      • Kevin Peters says:

        Try downloading the response from the CA as a file, then you should be able to import it. I agree routing shouldn’t be an issue.

        -kp

      • bostjanc says:

        Hi there! Maybe this will be a noob question but I don’t know where to find this “response” on the CA server. In Certification Authority I only see the issued certificates and I am only able to export binary data.
        Neither does this certificate “request” exist anywhere in the MMC local certs.

      • bostjanc says:

        I have solved the problem by making an offline request and then sending this request over the web page of the internal CA. Case closed, with best regards.

  43. Jose Paulino says:

    Currently I have installed on my server Enterprise Edition Lync Standard and we are not using the edge to get in touch with Yahoo Messenger, MSN IM, etc.
    I bought a PowerEdge R510 which has the features for implementation of the Edge role and tried to configure it, but I don’t get the settings and I want someone to help me configure it; if someone wants to help me implement it, contact me at my email address JPAULINO@CECOMSA.COM

  44. Orlando Villanueva says:

    I have a problem when I try to make an external connection test, “Subscription for provisioning data did not return a valid MRAS URI.” I read all the blogs but I can’t find the error, thanks for your support.

    • Kevin Peters says:

      Orlando,

      Can you check that you are using port 443 in your SRV record, not port 5061? Also, please verify your edge server is associated with your pool for media.

      Hope this helps!

      -kp

      • Orlando Villanueva says:

        Thanks for your response, but I have a big doubt: if my external sip is msc.externalync.net and my external pool is usedge.msc.externalync.net, then I need to create a new external SRV record; _sip?????

        What should the external record be called?

        thanks

        OrlandoV

      • Kevin Peters says:

        Orlando,

        You would create the SRV record as _sip._tls.msc.externalync.net and point it to usedge.msc.externalync.net on port 443.

        Hope this helps!
        -kp
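The two SRV records this thread keeps coming back to (the external _sip._tls record on 443 that Kevin describes here, and the internal _sipinternaltls._tcp record on 5061 from the article) can be checked from an admin workstation. This is an added example, not code from the original post: it resolves each record, picks the entry a client would use, and verifies the target, the port and that the target itself resolves. It assumes Resolve-DnsName (Windows 8 / Server 2012 or later), uses 8.8.8.8 as an example public resolver for the external view, and uses the blog's lab names, which you would replace with your own.

```powershell
# Added example: verify the Lync client sign-in SRV records from the external and internal view.
function Test-SipSrvRecord {
    param(
        [string]$Name,            # SRV name, e.g. _sip._tls.lyncguy.com
        [string]$ExpectedTarget,  # FQDN the record should point at
        [int]$ExpectedPort,       # 443 for the external record, 5061 for the internal one
        [string]$Server           # resolver to ask; empty means this machine's configured DNS
    )
    $lookup = @{ ErrorAction = 'SilentlyContinue' }
    if ($Server) { $lookup['Server'] = $Server }

    $srv = @(Resolve-DnsName -Name $Name -Type SRV @lookup | Where-Object { $_.Type -eq 'SRV' })
    if ($srv.Count -eq 0) { return "MISSING: $Name does not resolve (clients would fall back to sip.<sipdomain>)" }

    # Clients try the lowest priority first and, within it, prefer the highest weight.
    $best = $srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } | Select-Object -First 1
    $problems = @()
    if ($best.NameTarget -ne $ExpectedTarget) { $problems += "target is $($best.NameTarget), expected $ExpectedTarget" }
    if ($best.Port -ne $ExpectedPort)         { $problems += "port is $($best.Port), expected $ExpectedPort" }

    # The target must resolve from the same vantage point, or the SRV record is useless.
    $a = @(Resolve-DnsName -Name $best.NameTarget -Type A @lookup | Where-Object { $_.Type -eq 'A' })
    if ($a.Count -eq 0) { $problems += "target $($best.NameTarget) has no A record" }

    if ($problems.Count -eq 0) {
        return "OK: $Name -> $($best.NameTarget):$($best.Port) ($($a[0].IPAddress))"
    }
    return "WARN: $Name - " + ($problems -join '; ')
}

# External view via a public resolver: the Access Edge name on 443.
Test-SipSrvRecord -Name '_sip._tls.lyncguy.com' -ExpectedTarget 'sip.lyncguy.com' -ExpectedPort 443 -Server '8.8.8.8'
# Internal view via this machine's DNS: with split-brain DNS the same name resolves to the Front End, on 5061.
Test-SipSrvRecord -Name '_sipinternaltls._tcp.lyncguy.com' -ExpectedTarget 'sip.lyncguy.com' -ExpectedPort 5061
```

With split-brain DNS the A record for sip.lyncguy.com should differ between the two views (the Front End internally, the Access Edge public IP externally); if both return the same address, one of the zones is wrong.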

  45. Pedro says:

    Hi Kevin, very good post! Congratulations.

    I have one question. I have one topology with a unique URL (im.domain.com) and various ports (5061, 443 and 444), without reverse proxy, I need your help. I can create a single SSL cert with SANs for all services. Does federation work with it?
    And does external meeting work without reverse proxy?

    • Kevin Peters says:

      Pedro,

      If you are using 1 name and IP for all edge public services you can use a single name certificate. Federation will work as long as you have your SRV record created properly. However, without reverse proxy you won’t be able to join Online Meetings externally, access the simple URLs, expand distribution lists or download the address book. You will definitely need to deploy reverse proxy for that.

      Hope this helps!
      kp

  46. bostjanc says:

    Greetings Kevin!
    Would you be so kind and explain what would be the SN and SAN of the internal & external edge certificates in your scenario?

    • Kevin Peters says:

      Hi Bostjanc,

      The internal edge certificate would have the CN of “Lyncedge.lyncguy.local”, issued by the internal CA and no SANs.
      The external edge certificate would have the CN of “Sip.lyncguy.com” with SANs of “Sip.lyncguy.com” and “webconf.lyncguy.com”; this cert should be issued by a public CA.

      I typically just allow the certificate wizard to create all cert requests, this takes the guess work out of it.

      Hope this helps!
      -kp

      • bostjanc says:

        Greetings.

        Kevin thank you for your reply.

        Sorry for bothering you, I have some more questions:

        In your scenario you have chosen: Sip.lyncguy.com, Webconf.lyncguy.com, Av.lyncguy.com.
        In my deployment I have used: lyncsip.lyncguy.com, lyncwebconf.lyncguy.com, lyncav.lyncguy.com.
        – At creating the external certificate wizard on the edge server, the SN automatically became lyncsip.lyncguy.com, is this ok?

        – Is using the service name sip.lyncguy.com mandatory or can we use lyncsip?
        – You didn’t mention putting lyncAV.lyncguy.com in the SAN?

      • Kevin Peters says:

        Hi Bostjanc,

        It is no bother at all, happy to help. As far as using names other than SIP, it is absolutely supported as long as the cert CN (common name) matches the FQDN you have published. I typically stick with SIP out of habit, also the Lync client will search for that record as one of its fallback measures if it can’t find an SRV. As far as AV goes, the FQDN of the AV server is not required to be added to the certificate, only the access edge and web conferencing edge.

        Hope this helps!

        -kp

  47. js says:

    I had configured Lync, it works fine for internal. Now I am looking to configure the Edge server. I have one IP 192.168.1.10 of the internal network which I had configured on the server, and 192.168.2.10 on the other.

    It’s not working.

  48. bostjanc says:

    Kevin hi!
    I would have one more question regarding reverse proxy.
    In your tutorial you are mentioning that having 3 ip’s on external NIC is recommended. I am reading: http://technet.microsoft.com/en-us/library/gg429707.aspx.

    Statement: “If the reverse proxy is already being used by other applications that use HTTPS/443, such as for publishing Outlook Web Access, you either need to add another IP address ”

    Can we use that DMZ IP that we have taken in this/your scenario (10.255.110.164) or will the ISA server need an additional IP?

    • Kevin Peters says:

      Bostjanc,

      You are confusing edge server (what I wrote about) and reverse proxy (what the posted article is about), they are two different roles, each with their own requirements. ISA requires its own IPs, separate from the edge server IPs.

      Hope this helps!

      -kp

  49. bostjanc says:

    Kevin, thanks. My final question is about federation. If you enable it, do you need to add any SANs on the edge cert?

  50. bostjanc says:

    Greetings Kevin!

    Thank you for all the answers. I have another question regarding the reverse proxy. I would be very grateful if you help me to understand the mystery.

    We are trying to use our ISA Server 2006 as a reverse proxy for Lync.
    Let me stress that ISA Server 2006 is set up with a single network adapter in our DMZ network.

    On our LYNC Edge, we have 3 external NICs. I will be talking just about the WEB IP.

    Example:
    DMZ IP on LYNC EDGE SERVER for WEB service is: 175.100.100.40
    PUBLIC IP on LYNC EDGE SERVER for WEB service is: 195.100.100.40
    PUBLIC IP is published in external DNS as: web.company.com

    Now, here comes the confusion, or should I say “the misunderstanding”, of how ISA should be configured. I would like to stress again that our ISA SERVER is configured with a single network adapter in our DMZ network.

    All the tutorials about reverse proxy for Lync are talking about configuring an External IP. So if I understand right, we need another public IP (for example: 195.100.100.50) and this IP will be pointing to the ISA server and ISA will be redirecting it to our Lync FE SERVER. Now, here I don’t understand why we then need that third IP on the LYNC EDGE SERVER 175.100.100.40/195.100.100.40?

    Isa is in our DMZ. We have reserved another DMZ IP for Lync Web. For example this DMZ is: 175.100.100.50. Is it possible that we don’t need another public IP, but just take that one from EDGE 195.100.100.40 which will be pointing to 175.100.100.50 DMZ IP in ISA, and then goes to Lync FE?

    With best regards,

    • Kevin Peters says:

      bostjanc,

      Are you using ISA for your firewall or just the reverse proxy? Typically edge has 3 public IPs, and reverse proxy has 1, for a total of 4. These will be the same requirements whether ISA is publishing edge (acting as a firewall) or just doing reverse proxy. I’ve never tried edge in a single NIC configuration, but from a security standpoint I’m not sure it is recommended.

      Hope this helps!

      -kp

      • bostjanc says:

        Hi there Kevin!
        We are using ISA just for reverse proxy, because we already have an internal firewall between LAN and DMZ.
        What are the disadvantages of a single NIC configuration on ISA? Like I said, we are already using it for reverse proxy for OWA 2007 and it works fine. I’m a little bit confused about which IP we should use in this reverse proxy scenario. Lync Edge has one of the DMZ IPs reserved for the Web service and this web service also has a public IP, but the tutorials say that you need to connect one public IP on ISA with an internal address, so now I don’t understand what the WEB service on Lync Edge is doing if we do traffic directly with the reverse proxy to the internal FE server?

      • Kevin Peters says:

        Bostjanc,

        You may be able to do it, I’ve never tried. In your scenario, you will have 3 public IPs for Edge, and 1 for reverse proxy. They are
        * Access Edge
        * Webconferencing Edge
        * A/V Edge
        * Reverse proxy – reverse proxy will cover the simple URLs (meet, dialin) and the Lync Web Services (Not webconferencing – Address book and Distribution list expansion, among other things).

        Hope this helps!

        -kp

  51. KeanBrown says:

    Hi Kevin,

    Awesome writeup! I have followed it to the letter and external access is running like a champ! The Lync setup we are thinking of doing is with multiple edge servers servicing multiple Standard Edition Front-End servers. All servers will exist in a single organization, but the external URL for each service in each site is to be unique. Is this possible? From the Microsoft documentation, I can find no instance of multiple edge servers with dissimilar URLs, only load balanced ones with similar names. Thoughts?

    • Kevin Peters says:

      Kean,

      You may be able to have multiple edge servers with different URLs, and have weighted SRV records to hit the second server (or just DNS load balance). However, the media for the user will always try to use the edge server associated to that users pool. Also, federation with downlevel organizations won’t work as well in the event of an outage. Does that answer your question or get you in the right direction?

      -Kevin

  52. Dan says:

    Thanks for the write up Kevin,
    My question or issue is that I needed to make a change on the topology. I did that on the LYNC FE and published it, then I exported it and transferred it to the LYNC EDGE, but when I re-run the setup it does not let me re-run step one where you would import the topology. Is there a command or way to force step one and re-import the changed topology?
    Thanks for your help.
    Dan

    • Kevin Peters says:

      Dan,

      You won’t need to re-run setup on the other servers, as long as the FE can talk to the edge on port 4443 (TCP) then the edge should get the update automatically. You can run “invoke-csmanagementstorereplicationstatus” to force the machine to replicate.
      Hope this helps!
      -kp
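Kevin's answer here and his earlier reply to Brian (replication to the Edge runs over TCP 4443 to its internal interface) can be turned into one check run from the Front End. This is an added example, not code from the original post: for each replica the Central Management Store reports as not up to date it tests TCP 4443 and, if the port is open, asks the CMS to push the configuration again. It assumes the Lync Server Management Shell on the Front End; Get-CsManagementStoreReplicationStatus and Invoke-CsManagementStoreReplication are the product's cmdlets, Test-TcpPort and Test-CsReplicaHealth are helpers defined here.

```powershell
# Added example: find stale CMS replicas, prove the 4443 path, then force replication.
# Assumes the Lync Server Management Shell on the Front End.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        # Treat a silent timeout the same as a refused connection: the path is blocked.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused or reset
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-CsReplicaHealth {
    param([int]$ReplicationPort = 4443, [switch]$ForceReplication)
    foreach ($r in Get-CsManagementStoreReplicationStatus) {
        $reachable = $null
        $action    = 'none'
        if (-not $r.UpToDate) {
            $reachable = Test-TcpPort -HostName $r.ReplicaFqdn -Port $ReplicationPort
            if (-not $reachable) {
                $action = "blocked: open TCP $ReplicationPort from the Front End to $($r.ReplicaFqdn)"
            } elseif ($ForceReplication) {
                # Port is open, so the firewall is not the problem; push the config again.
                Invoke-CsManagementStoreReplication -ReplicaFqdn $r.ReplicaFqdn
                $action = 'replication requested; re-run Get-CsManagementStoreReplicationStatus shortly'
            } else {
                $action = 'port open; run with -ForceReplication to push the configuration'
            }
        }
        New-Object PSObject -Property @{
            ReplicaFqdn      = $r.ReplicaFqdn
            UpToDate         = $r.UpToDate
            LastStatusReport = $r.LastStatusReport   # empty on a replica that has never reported back
            PortReachable    = $reachable
            Action           = $action
        }
    }
}

Test-CsReplicaHealth -ForceReplication |
    Format-Table ReplicaFqdn, UpToDate, LastStatusReport, PortReachable, Action -AutoSize
```

If the port is open and a forced replication still leaves the Edge at UpToDate False with an empty LastStatusReport, the remaining suspects are the ones Brian ran into above: the Edge's internal certificate and the CA chain it was issued from.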

    • bostjanc says:

      Or you can use these two commands in the Lync Shell:

      export-csconfiguration -filename c:\export.zip
      import-csconfiguration -filename c:\export.zip -localstore

      • Dan says:

        Thanks for the tips. My issue was resolved by going back through the steps and looking at the IP addresses very carefully. I didn’t realize that when you define the addresses for “Define External IP Addresses” what it really means is define your DMZ IP addresses. It makes sense looking at the topology that the internal and public IP are defined and then, because you have selected that the public IP is NAT’d, you set the External IP as the DMZ addresses. Thanks

  53. Ken Stieers says:

    Hey Kevin,

    I’ve had great success with your write up, so thanks so very much! I’ve got one issue: 2 users, both using full Lync clients, one on the inside of the firewall, one outside connected to the Edge server… They can IM, but Desktop Sharing doesn’t work. “…network issues…” If they create a meeting, then they can share desktops through the meeting. Is this normal behavior?

    Ken

  54. Brian Osley says:

    Hi Kevin,

    We have a Standard FE server with an Edge and have PIC set up for Yahoo IM. Works great for anybody on the outside using Yahoo’s client but have two scenarios where it’s not. First is an external contact that is using YellowJacket with a Yahoo IM address. I can see his presence information and he can receive messages from me, but he can’t see my presence info and I can’t receive messages from him. I started logging and I don’t see any messages even hitting the Edge from him, just presence incoming from him and outgoing from me. Second scenario is an external user using a Yahoo address with POD, she can only get messages from me, no presence flowing either way and I don’t see messages from her. Logs show a warning of “SUBSCRIBE request for get rich presence was filtered by the Access Edge Server”. Any ideas? Thanks.

  55. xaries says:

    Greetings All,

    I have a very basic question about autodiscover and internal/external access. DNS is handled by an external entity.

    Internal DNS: corp.internaldomain.local
    External DNS: companyname.com
    SIP URI is email address: username@companyname.com

    How do I have autodiscover work internally if the SIP URI is the email address and the DNS is not local? Should we create a stub zone for companyname.com on the Active Directory DNS?

    • Mike says:

      One solution would be to have the DNS provider add an SRV (Service) record to the Internal DNS so that _autodiscover, protocol _tcp, port 443 will find your internal Autodiscover url. The Autodiscover url was probably generated as CASname.corp.internaldomain.local and Lync uses the SIP domain to find autodiscover.

      • Kevin Peters says:

        The best method here would be either split brain DNS, or a stub zone. If you created a public autodiscover record that points to a private resource that will break things. If you don’t have a copy of your zone hosted internally, how are you doing your SRV records for lync?

        -kp

  56. Bill says:

    Hi Kevin,

    Nice article. I have a quick question, it looks like you already answered it, but I thought I would ask just to verify I am interpreting it correctly.

    Can a Lync 2010 Server be setup with only 1 EXTERNAL IP address, for the entire system?

    Thanks in advance.

    Bill

  57. jergomez says:

    Hey Kevin,
    I’ve tried to create an Edge Server and am having some issues. After I go to Step 2 to install Lync components and it goes through the motions, no errors. It doesn’t go to the next (3rd) step to install the certificate. Also, I don’t see any Lync services but see it install SQL agent. I’ve installed the Edge server on Microsoft Hyper-V on the same Lync server. Current Lync server with local IM working 100%.

    Please advise if you have any recommendations.

    Thanks, Jerry Gomez

    • Kevin Peters says:

      Hi Jerry,

      Please be sure you have set the computer name and Primary Domain Suffix.
      Reference these 2 screen shots.

      If you have not done that, the computer will read the topology file and not find a match for its FQDN, then it won’t install any roles. Be sure not to domain join the edge, you just need to change the Primary Domain Suffix as shown above.

      Hope this helps!

      -kp

  58. jergomez says:

    Kevin,
    Since the server is on Hyper-V, I think the virtual networks are not configured correctly; I think I’m on the right path now… If and when I finish installing, once it works, will my current meet now stop working? Will I have to re-apply the certificate on the edge server to get meeting.xxxx.com working again, or just add certificates and IM will see outside?

    Thanks, Jerry

  59. Kevin,
    Once I have completed the Edge Server, does the meet.xxx.com web address get transferred to the Edge Server? If so, can I re-use my current certificates that are on the front end server? Since I already have the meeting service working, I want to know what to expect after this Edge install.

    Thanks, Jerry

    • Kevin Peters says:

      Jerry,

      This depends on your topology, meet.xxx.com could be a simple URL, or a web conferencing edge server based on how you can configure your environment. It may be possible to re-use certs, it just depends on what the final topology looks like. Typically in Lync the access edge and webconferencing edge use the same certificate with SANs, where in OCS it was 2 different certs.

      Hope this helps!

      -kp

  60. Seth says:

    Hello – we have Lync 2010 SE setup and working in a test lab and I am now setting the same up in prod. In production, we currently use a single DMZ off our corporate firewall, and all traffic b/w the DMZ and the LAN routes through the firewall. The recommended install for an edge server requires dual NICs in separate networks – one in the ‘external network’ (NAT’d behind a public IP) and one on the ‘internal network’. My problem is that, in order to accomplish this external to internal bridge, it would require bypassing the firewall and physically connecting the DMZ to the LAN via the multi-homed edge server, which becomes an unsecured path into the network and not something I want to do. The other alternative is to setup yet another network outside the LAN, a sort-of DMZ #2, for the ‘internal network’ card to connect to before traversing the firewall into the LAN, but this requires a fair amount of network reconfiguration and impacts lots of other network traffic. Is anyone else having this challenge? Any recommendations or alternatives? I’ve been trying to think of ways to get this edge box up with a single NIC, or with two IPs on separate NICs in the same subnet, but keep realizing I’m going to run into routing issues with multiple default gateways, or I get limited by topology builder IP requirements. Any help would be appreciated. Thank you.

    • Kevin Peters says:

      Hi Seth,

      This is a common thing we run into in smaller deployments. However, the dual NICs are a requirement, otherwise you will have problems with the edge. The choices are 2 DMZs or a LAN and DMZ NIC on the edge; I’d go with 2 DMZs if I were you. As far as implementing the second DMZ, most customers I have worked with have gone this route (if they didn’t have one already).

      Hope this helps!

      -kp

      • Seth says:

        Thanks for your reply Kevin. I wish it wasn’t the case that you need 2 NICs. It requires either another port dedicated to DMZ#2 on the firewall or a second firewall/DMZ, all for one “little” application. So, Internet firewall, perimeter DMZ, DMZ firewall/interface, corporate LAN.

      • Kevin Peters says:

        Hi Seth,

        Don’t think of Lync as one “little” application, think of this as an opportunity to secure your environment in the tightest fashion to allow Lync to expand your company’s ability to collaborate. 🙂
        OK, sales speech over, all in all, it’s really not too much work if you have the infrastructure and it’s even semi-recent. The gains from installing a system like Lync far exceed the little bit of effort required to deploy it in a secure and dependable fashion.

        Thanks!

        -kp

  61. Matt Laywell says:

    Kevin,
    Thanks for the write up. I have 1 Standard Edition FE server lync.domain.local, and 1 edge server lync.domain.com. http://www.testocsconnectivity.com connects fine on port 443, but manual config does not on 5061. I believe it would also have to work on 5061 for federation. The question is: do I need just an external DNS record _sipexternaltls port 5061 host lync.domain.com, or would I need that entry on internal DNS in the external zone? Thanks in advance.

    • Kevin Peters says:

      Hi Matt,

      For external access you will need _sip._tls.domain.com on port 443 pointing to your access edge public FQDN.
      For federation you will need _sipfederationtls._tcp.domain.com on port 5062 pointing to your access edge public FQDN

      Hope this helps!

      -kp

  62. jergomez says:

    Kevin,

    I’m seeing some documentation showing an Edge server needing to connect to a “Director”. All I want to get working is IM externally. I currently have meeting & IM internally working.

    Thanks in advance.
    Jerry

    • Kevin Peters says:

      Jerry,

      A director is an optional role, it is not required for external connectivity. I would suggest reading up on the role to decide if it is right for your situation.

      Hope this helps!

      -kp

  63. Mark Lucas says:

    Hi Kevin,

    Phenomenal blog, the Q’s & A’s following it have been tremendously helpful. Sincerely appreciated. Thanks for the DigiCert tip; I’ve struggled with GoDaddy certs prior.

    M

  64. jergomez says:

    Kevin,

    If I wanted to test without using a DMZ, can I just use your instructions with reference to only using the public IPs? Also, if I do not want to use “Reverse Proxy”, can I just NAT the ports on the firewall and get the same result?

    Thanks,

    Jerry

    • Kevin Peters says:

      Hi Jerry,

      You can definitely just use public IPs for the edge, NAT’ing won’t work for the reverse functionality unless you factor in simple URLs in your cert and map 443 inbound to 4443 on the FE server and 80 to 8080.

      Hope this helps!

      -kp

  65. Craig Hayton says:

    Hi Kevin,

    I have completed the lync edge server configuration and installed and assigned certificates to my internal edge using my local CA and my external edge using DigiCert, I have also configured my firewall to allow incoming Lync traffic.

    My question is, should I now be able to log into a Lync client externally and conduct messaging and look at who’s online etc. even though I haven’t yet completed the Forefront TMG configuration? It was my understanding that I should be able to, but all web conferencing will not work. Is this correct?

    Thanks

    Craig

    • Kevin Peters says:

      Hi Craig,

      As long as you have the appropriate DNS records in place (including SRV) and the certs/firewall are in order, remote connectivity for IM/P should definitely work. Possibly A/V and other stuff as well, just not meetings and address book, or other things that rely on the reverse proxy (like whiteboarding).

      Hope this helps!
      -kp

      • Craig Hayton says:

        Thanks for this Kevin, I think I know what my problem is, it is all DNS related. I get a sign in error when I try to log in from outside.

        I don’t think I fully understand the DNS requirements, I have implemented the split-brain DNS. I have domain.co.uk (internal domain name) and domain.com (external domain name), on my public DNS I have created A records for ‘av.domain.com’ pointing at one external IP, ‘sip.domain.com’ pointing at another external IP and ‘webconf.domain.com’ pointing at a third external IP, these external IPs are NAT’d by the firewall to a DMZ IP for each. The Edge server has these three DMZ IPs on one NIC and has an internal IP on the other NIC, the internal NIC has no default gateway or DNS settings. I have no other DNS records on my public DNS server than those mentioned above.

        Within the DNS on my domain controller, I have replicated this public DNS zone, I have given these hostnames, av.domain.com, sip.domain.com and webconf.domain.com the same IP’s that they have on my public DNS server, that is external IP addresses. I suspect I may have gone wrong here for a start. I have also created an SRV record in this new zone for _sipinternaltls._tcp.domain.com, on port number 5061, this points at the host fe.domain.co.uk, I’m not sure this is correct either.

        When I perform an NSLOOKUP to sip.domain.com from my laptop on the internal network, I get a non-authoritative answer of “Name:sip.domain.com.co.uk” which I’m pretty sure is nowhere near correct, and also an external IP which is completely unknown to me.

        I have added entries in my HOSTS file for my certificate authority and also my front end server on the Edge server and also have a route added back to my internal network. I am able to ping all internal network IP’s now.

        Have you got any suggestions, any help would be much appreciated?

        Thanks again

        Craig

      • Kevin Peters says:

        Hi Craig,

        Your SRV records need to match your SIP domain, so _sipinternaltls._tcp.domain.com would point to the FQDN of your pool (unless it’s a SE, then you would use another name in the appropriate domain). You will want to use split DNS and point internal clients directly to the pool on 5061, for external they should go to the access edge public FQDN on port 443, using the SRV _sip._tls.domain.com.

        Hope this helps!

        -kp
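
The split-brain layout Kevin describes can be checked mechanically. This is an added example, not code from the original post: it holds constructed DNS views (hypothetical names domain.com, domain.co.uk, fe.domain.co.uk, sip.domain.com, with RFC 5737 and RFC 1918 sample addresses) that reproduce Craig's setup, and reports why the internal SRV record is wrong and what the corrected view looks like.

```python
"""Validate the split-brain DNS records a Lync SIP domain needs.

Added example, not part of the original post. It models the layout Kevin
describes: internal clients follow _sipinternaltls._tcp.<sipdomain> on 5061
to the pool, external clients follow _sip._tls.<sipdomain> on 443 to the
access edge public FQDN, and both the SRV owner name and its target host
live in the SIP domain. All zone data below is constructed (hypothetical
names domain.com / domain.co.uk, documentation and RFC 1918 addresses).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str    # owner, e.g. "_sipinternaltls._tcp.domain.com"
    port: int
    target: str  # host FQDN the record points at


# What each kind of client looks for: (SRV prefix, expected port).
EXPECTED = {
    "internal": ("_sipinternaltls._tcp", 5061),
    "external": ("_sip._tls", 443),
}

# RFC 1918 ranges; checked explicitly so the result does not depend on how a
# given Python version classifies documentation addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed DNS views. "internal" is the copy of the public zone on the AD
# DNS server; "external" is what the public DNS server answers.
CRAIG_INTERNAL = {
    "srv": [SrvRecord("_sipinternaltls._tcp.domain.com", 5061, "fe.domain.co.uk")],
    "a": {"fe.domain.co.uk": "10.0.0.10", "sip.domain.com": "203.0.113.10"},
}
CRAIG_EXTERNAL = {
    "srv": [SrvRecord("_sip._tls.domain.com", 443, "sip.domain.com")],
    "a": {"sip.domain.com": "203.0.113.10"},
}
# The internal view after applying Kevin's advice: owner and target both sit
# in the SIP domain, and the target resolves to the pool's private address.
FIXED_INTERNAL = {
    "srv": [SrvRecord("_sipinternaltls._tcp.domain.com", 5061, "sip.domain.com")],
    "a": {"sip.domain.com": "10.0.0.11"},
}


def is_rfc1918(addr: str) -> bool:
    """True for a private (RFC 1918) IPv4 address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a name beneath it (case-insensitive)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_view(view: dict, sip_domain: str, kind: str) -> list:
    """Return findings for one DNS view; an empty list means it looks right."""
    prefix, port = EXPECTED[kind]
    owner = f"{prefix}.{sip_domain}"
    findings = []
    matches = [r for r in view["srv"] if r.name.lower() == owner.lower()]
    if not matches:
        return [f"{kind}: missing SRV record {owner}"]
    for rec in matches:
        if rec.port != port:
            findings.append(f"{kind}: {owner} uses port {rec.port}, expected {port}")
        if not in_domain(rec.target, sip_domain):
            findings.append(f"{kind}: target {rec.target} is outside SIP domain {sip_domain}")
        addr = view["a"].get(rec.target)
        if addr is None:
            findings.append(f"{kind}: target {rec.target} has no A record in this view")
            continue
        if kind == "internal" and not is_rfc1918(addr):
            findings.append(f"{kind}: target {rec.target} resolves to public {addr}; "
                            "internal clients should reach the pool directly")
        if kind == "external" and is_rfc1918(addr):
            findings.append(f"{kind}: target {rec.target} resolves to private {addr}; "
                            "external clients cannot reach it")
    return findings


def audit(internal: dict, external: dict, sip_domain: str) -> list:
    """Run both checks and return all findings together."""
    return (check_view(internal, sip_domain, "internal")
            + check_view(external, sip_domain, "external"))


if __name__ == "__main__":
    for line in audit(CRAIG_INTERNAL, CRAIG_EXTERNAL, "domain.com") or ["all records look right"]:
        print(line)
```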

  66. Sergio says:

    hi Kevin,

    I know this looks stupid but,

    is it possible to install the Edge Role in a server that isn’t in a DMZ? that is in the same network that the Front End role?

    • Kevin Peters says:

      Hi Sergio,

      I won’t say it’s not possible, because then someone would have to go and prove me wrong, but it definitely wouldn’t be a supported scenario and would likely be a ton of work to make it limp along. The best thing to do is follow the architecture and design recommendations established by Microsoft, that way you know it will work, and if it doesn’t you can get help.

      Hope this helps!

      -kp

  67. jergomez says:

    Kevin,
    Was wondering if you have seen anything for Lync 2010 that does online registration for meetings. Example: in LiveMeeting you can register yourself for a scheduled LiveMeeting event. It’s part of LiveMeeting’s features. Have you seen any built-in or 3rd party software that can perform the same function?
    You can see how it works at: https://www302.livemeeting.com/lrs/geoscape/Registration.aspx?pageName=jqzvd61m9f79ghm3

    Thanks in advance.

    Jerry

  68. Dan says:

    Hi Kevin

    Thanks for the article and your work.
    My question is about external DNS.
    I initially set up a single FE server and one of the names was meet.domain.com and registered the name externally.
    I then set up an Edge server that has Webconf.domain.com and registered that name pointing to the Edge server. When employees create an online meeting the name is meet.domain.com/user/somenumber.
    For external employees do I need to point meet.domain.com to the Edge server? It still points to the FE server. Or should I remove meet.domain.com and be using Webconf.domain.com, and if so how do I do that? Thanks

    • Kevin Peters says:

      Hi Dan,

      Meet.domain.com would be a Simple URL, which you would publish via reverse proxy. The meeting join will use meet.company.com to connect, determine client install (if needed) and then direct the external users to the edge server. So you shouldn’t need to change anything.

      Hope this helps!

      -kp

  69. Bob K says:

    Kevin:

    Great article – very comprehensive!!!

  70. Farrukh Qazi says:

    Dear Kp!!
    A very great article, no doubt!!
    I have a question.
    My scenario is I have 2 front-end, 2 director, 1 Monitoring, internal CA; internal communication is working well.
    I want to deploy a single consolidated edge server. I don’t have any DMZ, but I can have different subnets; how can I make it possible to deploy the edge in such a scenario? Secondly, what SAN entries do I require? My domain is mycompany.com, so how many SAN entries will be required, and can I have my last SAN entry as *.mycompany.com? How many public IPs do I require? Any more suggestions for deploying the edge in such a scenario?

    • Kevin Peters says:

      Hi Farrukh,

      The best practice is to use an actual DMZ, I’ve seen others use subnets but would not recommend it. As far as SANs on the cert, you will just have the CN as sip.company.com and the SANs of webconferencing.company.com and sip.company.com; the wizard will create the certificate exactly as it should be so please use the wizard for that, I would not add any other SANs. You need at least 1 public IP for the edge, but I would recommend using 3 if you have them.

      Again, I would not try to do things differently than recommended above, the little bit of cost and effort you MIGHT save could certainly cause you headaches when your deployment isn’t supportable in the future.

      Hope this helps!

      -kp

      • Farrukh Qazi says:

        Dear kp
        Thanks for a quick response. I have 3 public IPs with 1:1 NAT. Using topology builder for the single consolidated edge, it asks about a public IP; what IP should I use there, as I have three public IPs? As you said, the CN will be sip.mycompany.com, and the SANs webcon.mycompany.com and sip.mycompany.com, but what about av.mycompany.com? Additionally, what entries will be required for external DNS, and what are the same things for the reverse proxy for Lync? I have TMG 2010 installed.

      • Kevin Peters says:

        Farrukh,

        The public IP you put in will be the IP of the A/V Edge. You will need all 3 records published in DNS (sip, webcon, av). For reverse proxy you need 1 IP with meet, dialin and your lync webservices external FQDN published. You can use the OCSGUY_QuickUI to generate that cert, it is available from the main page of the site. For more info on reverse proxy, see Randy’s blog (link above in the article).

        Hope this helps!

        -kp

  71. Farrukh Qazi says:

    Thanks kp, for a wonderful help…
    I also have a director pool deployed with its external web services as lndir-webexternal.mycompany.com, and the front end is lnfe-webexternal.mycompany.com. Do I have to publish both of them for reverse proxy, with the same IP?
    Well, kp, you rock 🙂

    • Kevin Peters says:

      Farrukh, you will need to publish your simple URLs via reverse proxy to the directors. The Web Services should be published via reverse proxy to the FE servers. You will probably need 2 IPs for that.

      Hope this helps!

      -kp

      • Farrukh Qazi says:

        Dear Kp,
        I found the error below when using OCSGUY_QuickUI to generate the reverse proxy certificate request.
        the file is invalid for use as the following : Security Certificate
        How do I make it correct? And will this request have all the requirements according to my environment, such as subject name and SAN entries? How about using a wildcard for the reverse proxy?

      • Kevin Peters says:

        Hi Farrukh, the file it outputs can be opened with Notepad and then copied into the certificate request. Is that not working for you? It will have all the appropriate names for your server including CNs and SANs.

        Hope this helps!

        -kp

  72. James says:

    I’m having considerable difficulty setting up the 2 NICs on my Lync Edge server and was wondering if someone here can help. I followed the instructions exactly as above in this article, but when I take away the gateway on the internal NIC, the server completely loses connectivity to RDP and I cannot get to the Internet.

  73. Farrukh Qazi says:

    “Warning: Revocation status unknown. Cannot contact the revocation server specified in certificate ”
    Dear kp,
    I have installed the CA as Enterprise on Server 2008 R2 on a single virtual machine; all Lync internal certificates are issued by that CA, but when I installed the internal Edge certificate, the warning shown above appeared in the log created by default. But it is also showing that the certificate is assigned. When I checked my internal CA there wasn’t any certificate issued for the Edge Server.
    Please help!!…

    • Kevin Peters says:

      Farrukh,

      This error is telling you the edge server has no way to download the CRL list from the CA. You will need to modify your CA to correct this. I’d suggest searching this error on your favorite search engine to find a solution.

      -kp

      • Farrukh Qazi says:

        Dear Kp,
        Thanks for a great help.. moving towards reverse proxy now.. edge services are running perfectly well …

        -Farrukh Q.

  74. jergomez says:

    Kevin,

    I have 2 quick questions. With the “External NIC” card settings, does this network have to be a subnet outside the network? I’m trying to set this up with no reverse proxy and can only use the network IP scheme for NAT to work. Example: current network 192.168.1.0/24, the 3 NIC cards 192.168.1.25, .26, .27, or does it have to be 192.168.100.25, .26, .27?
    2nd question, in your instructions under External FQDNs – Web conferencing, is this entry the same site called “Meeting-URLs” or a new site name?

    Thanks for help.
    Jerry

  75. jergomez says:

    Kevin,

    I’ve made some progress in adding Lync Edge to my Front End Lync Server. What I can do is send IM within my organization and ONLY send IM out of the organization. MSN IM shows me offline and cannot respond. I don’t see anything special in the event viewer. Any suggestions, please let me know.

    Jerry

    • Kevin Peters says:

      Hi Jerry,

      Did you go through the PIC provisioning process (https://pic.lync.com) and receive your notification that everything was provisioned?

      -kp

      • jergomez says:

        Kevin,

        I’m almost there… (98%). Still have 1 small hiccup. What’s working is the meeting portion, desktop sharing, giving meeting control. IM works internally 100%. Externally I can IM from Lync to MSN ONLY, and with their IM closed (not in a previous conversation) with me. The MSN IM pops open and then I can communicate with the warning on top, jerry@domain.com is offline. My Lync does see the MSN user as online. Please let me know if you have any suggestions. Thanks
        Jerry

  76. Yehuda Haber says:

    I have a single Lync server that is for both internal and external. I can do IMs from outside to inside, but calls and video calls are failing, saying “call failed due to network issues”.

    The remote connectivity analyzer returns: “Subscription for provisioning data did not return a valid MRAS URI.”

    Any ideas?

    • Kevin Peters says:

      Hi Yehuda,

      Do you mean you have a Front End server exposed to the internet? This would not be a supported configuration, to make this work correctly you need a Lync Edge server deployed.

      Hope this helps!

      -kp

  77. Anver says:

    Kevin,
    I am getting “call failed due to network issues” when I am calling to our edge server from outside. But inside everything works fine. IM works fine through the edge server.

    All the services are working fine in edge and LYNC server
    Replication is working fine between edge and LYNC Server
    Thank you

    Anver

    • Kevin Peters says:

      Hi Anver,

      Please check that the appropriate ports are open on your edge server (3478 UDP and 50,000-59,999 TCP/UDP). Also make sure if you are NAT’ing your edge the checkbox is checked.
      If all else fails try logging SIP stack on the edge and getting a log from the external client.

      Hope this helps!

      -kp

  78. Hi Kevin,

    Thanks for the wonderful article; I am trying to install Lync Server and Edge Server for federation with XMPP servers inside our corporate network. At present, I am using the trial version of the Lync software. I could get 4 Windows 2008 Server machines in the same AD domain. One machine is acting as AD and CA; the other three are member servers. I could install Lync Server onto one of the member servers, and clients can connect to the same FE and communicate among themselves.

    I have installed the Edge server onto the 3rd member server which has 2 NICs, but I understood from your wiki that it is not a supported environment. I don’t have access to convert the two machines into Workgroup mode, and was thinking about whether I could be able to succeed here or not.

    What is your recommendation?

    Regards,
    Venkat

    • Kevin Peters says:

      Hi Venkat,

      Edge is officially supported in a domain, but not the same domain as the internal servers for security reasons. My guess is it may still work, but wouldn’t be a good idea from the security standpoint. I would try to get it switched back to workgroup mode if at all possible.

      -kp

      • Thanks for the information Kevin!!! It is a test deployment in a corporate network; as I don’t have access rights to disjoin a server machine from the org domain, I am trying this way.

        Installation of Lync FE, Edge, XMPP GW are all done. But I am not able to send messages to a federated XMPP server domain user.

        Regards,
        Venkat

      • Kevin Peters says:

        Venkat,

        Make sure you are hitting the right interface of your edge server. Typically I just install one NIC on the XMPP and place it on the same network as the external edge. Then test out connectivity via the XMPP console and verify pings and telnets hit the right interface and connect.

        Hope this helps!
        -kp

  79. Klaus says:

    Dear Kevin,

    we have deployed Lync 2010 as described in your article.
    Still there is one major issue.
    If an internal user tries to connect from outside the company network everything works fine, even Audio /Video.
    Trying to share his desktop, he gets an network connectivity error.
    We double checked DNS and SRV Records, Certificates are in place.
    I read in other comments that we should telnet on port 443 to the A/V external IP?
    Trying to connect with PuTTY I just get a black screen, though our firewall shows a SYN-ACK.
    What would I expect here?
    Are there any other hints you could give me?

    Best Regards

    • Kevin Peters says:

      Klaus,

      Do you have the 50,000 – 59,999 range open for TCP? Desktop sharing will use this range.

      -kp

      • Klaus Hube says:

        Kevin,

        Ports 50,000 to 59,999 are open for incoming and outgoing traffic.
        Can you think of any other difference between A/V and desktop sharing?
        I thought that it could be a certificate issue?
        Best Regards Klaus

      • Kevin Peters says:

        Hi Klaus,

        A/V will typically use UDP whereas desktop sharing uses TCP (RDP based). Can you verify the terminal server service is running on the clients? If that doesn’t work it’s time to get client logs and investigate with Snooper.

        Hope this helps!

        -kp

  80. jergomez says:

    Kevin,

    Please disregard the last conversation. The IM is working 100% (on my workstation, a Server 2008 R2, sometimes IM doesn’t work correctly). I had some post-install questions, if you can help answer. If I IM a Hotmail user & right click to share, it’s disabled? Is the option available? Should it work? Also I did NOT use your recommended “Route back to any internal Network” suggestion from your install. Does it really matter if IM is working OK?

    Thanks, Jerry

    • Kevin Peters says:

      Jerry,

      Sharing won’t work with PIC to MSN, Yahoo or AOL. All services can IM and see presence, and the MSN contacts can do video (if you configure it) but there are no other functionalities. As far as the internal route back, you will definitely need this, your internal edge interface must be able to route to all of your internal networks where clients are connected or external media sessions may fail.

      -kp

  81. terry says:

    hi

    Installed edge, everything is working fine. When connecting externally Lync connects but then asks for a username and password to connect to Outlook for contact information. Is this normal behaviour or has something gone wonky with integrated authentication?

    • Kevin Peters says:

      Hi Terry,

      This is probably an Exchange EWS issue. Can you verify you see EWS in your configuration information and try browsing the website listed? It could be IE settings or the order of authentication methods selected for the EWS directories. The order should be NTLM and then Negotiate on the directory, but oftentimes it is Negotiate and then NTLM. If you install Fiddler you can observe the HTTPS traffic and review what is happening when Lync tries to authenticate.

      Hope this helps!
      -kp

  82. Laura says:

    Great information. I’m finding it very helpful …

    My questions are rather generic since I’m still in the planning phase. We are a relatively small company with only 1,000 users for Lync 2010. We want to minimize the installation by collocating as much as possible.

    I have two questions:
    1. Is an Edge server required when Federated access is enabled? I understand federated requires access to a reverse proxy server, but we don’t really see the need for an Edge server in our environment at this point.
    2. We already have SQL servers where we plan to build the Lync databases. The policy here is pretty strict that all SQL be managed by one particular group on their servers. We need to run archiving, but it appears that the archiving server must either be installed on the SQL database server, or have SQL installed. Can we install the archiving server on the Front End server and point the database to our shared SQL environment?

    Thanks! LM in Vermont

  83. Hi,

    I followed your guide to setup the Lync Edge server. Services and everything work fine. But when I test from the connectivity analyser I get this error. I used the logging tool to trace the error. Can you please tell me why this is happening? I have been trying everything but no luck so far.

    TL_ERROR(TF_CONNECTION) [0]070C.0A30::08/28/2011-11:55:26.337.00000008 (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(160))$$begin_record
    LogType: connection
    Severity: error
    Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?
    Local-IP: 192.168.1.11:443
    Peer-IP: 65.55.150.80:58289
    Connection-ID: 0x500
    Transport: TLS
    $$end_record

    • Kevin Peters says:

      Sampath,

      Are you using a public CA for your certs:
      The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?

      That error usually means you are not, in which case the connectivity analyzer won’t trust the certificates.

      -kp
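
The trace record Sampath posted follows a regular layout, so it can be parsed and triaged automatically. This is an added example, not code from the original post: it parses SIPStack connection records of that shape (the sample is the record from the comment above) and attaches the two causes this thread arrived at for "closed before TLS negotiation completed", a certificate the peer does not trust and one issued without client authentication.

```python
"""Parse Lync SIPStack connection trace records and triage TLS failures.

Added example, not from the original post. The format (a header line ending in
$$begin_record, "Key: value" lines, then $$end_record) is taken from Sampath's
comment; SAMPLE is that record. The hints are the causes discussed in this
thread: a certificate not issued by a public CA the peer trusts, or a
certificate template without client authentication.
"""
import re

SAMPLE = (
    "TL_ERROR(TF_CONNECTION) [0]070C.0A30::08/28/2011-11:55:26.337.00000008 "
    "(SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(160))$$begin_record\n"
    "LogType: connection\n"
    "Severity: error\n"
    "Text: The connection was closed before TLS negotiation completed. "
    "Did the remote peer accept our certificate?\n"
    "Local-IP: 192.168.1.11:443\n"
    "Peer-IP: 65.55.150.80:58289\n"
    "Connection-ID: 0x500\n"
    "Transport: TLS\n"
    "$$end_record\n"
)

# Header: level(flag) [n]pid.tid::timestamp.sequence (component,source)$$begin_record
HEADER_RE = re.compile(
    r"^(?P<level>TL_[A-Z]+)\((?P<flag>[A-Z_]+)\)\s+"
    r"\[\d+\][0-9A-Fa-f]+\.[0-9A-Fa-f]+::"
    r"(?P<time>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\.\d+\s+"
    r"\((?P<component>[^,]+),.*\)\$\$begin_record$"
)


def parse_records(text: str) -> list:
    """Return one dict per $$begin_record/$$end_record block."""
    records, current = [], None
    for line in text.splitlines():
        if line.endswith("$$begin_record"):
            m = HEADER_RE.match(line)
            current = {key: (m.group(key) if m else None)
                       for key in ("level", "flag", "time", "component")}
            current["fields"] = {}
        elif line.strip() == "$$end_record":
            if current is not None:
                records.append(current)
            current = None
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)  # values like 192.168.1.11:443 keep their colon
            current["fields"][key.strip()] = value.strip()
    return records


def split_endpoint(endpoint: str) -> tuple:
    """Split 'host:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def triage(record: dict) -> list:
    """Return hints for an error record; empty for anything that is not an error."""
    fields = record["fields"]
    hints = []
    if fields.get("Severity") != "error":
        return hints
    text = fields.get("Text", "")
    if "closed before TLS negotiation completed" in text:
        _, local_port = split_endpoint(fields.get("Local-IP", "0.0.0.0:0"))
        where = ("access edge external listener (443)" if local_port == 443
                 else f"listener on port {local_port}")
        hints.append(f"{where}: peer {fields.get('Peer-IP')} dropped the TLS handshake")
        hints.append("check the certificate on this interface is issued by a public CA the peer trusts")
        hints.append("check the certificate template includes client authentication, "
                     "not only server authentication")
    return hints


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["level"], rec["time"], rec["component"], rec["fields"]["Transport"])
        for hint in triage(rec):
            print("  -", hint)
```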

  84. jergomez says:

    Kevin,

    Wanted to check with you to see if you can confirm with me what version of LYNC 2010 I have. I downloaded from Microsoft MSDN site several months ago when it 1st came out. Just wanted to make sure I didn’t have to re-install or add license or will expire. See below. Thanks
    Jerry

    Microsoft Lync Server 2010 (4.0.7577.0): Volume license key installed.
    PS C:\Users\Administrator.domain-AD> Get-CsManagementStoreReplicationStatus
    UpToDate : True
    ReplicaFqdn : webbcast.domain.com
    LastStatusReport : 8/19/2011 9:35:31 AM
    LastUpdateCreation : 8/9/2011 2:06:26 PM
    ProductVersion : 4.0.7577.0

    UpToDate : True
    ReplicaFqdn : lyncedge.domain.com
    LastStatusReport : 8/19/2011 3:46:55 PM
    LastUpdateCreation : 8/5/2011 2:22:09 PM
    ProductVersion : 4.0.7577.0

  85. Daniel says:

    Hi Kevin,
    could you please explain what the limitations are while having a .local Lync?
    And if I am not wrong, somewhere in the Lync documentation it was explained that this scenario is not supported.

    Thank you

    • Kevin Peters says:

      Hi Daniel,

      If you use a .local address all communications to companies other than yours, such as federated IM, PIC and web conferencing wouldn’t work. It basically would make Lync an internal only tool.

      -kp

  86. Hi Kevin,

    Thanks for the reply. I was actually able to find the issue. I was using an internal root CA. So my default web server certificate that was assigned to the Lync Edge external NIC didn’t have client authentication enabled. So I created a new web server cert template with client authentication and assigned it to Lync Edge again. Then it worked.

    Excellent guide. Thanks so much

    Sampath

  87. Hi Kevin,

    This is a great post. I just wanted to bring to attention the fact that NAT cannot be used when you have a hardware load balancer and an Edge Pool. Basically all the external addresses will need to be publicly routable on every Edge server in the pool. So for two Edge Servers and the VIPs for the HLB (3+3+3) we’re looking at a whopping 9 public IPs! Wish this wasn’t the case. Can you confirm?

    http://technet.microsoft.com/en-us/library/gg398478.aspx

    Thanks.

    Harish

    • Kevin Peters says:

      Hi Harish,

      You are correct, NAT is not supported when using an HLB and you must have an additional set of IPs to place on the load balancer. In your example with 2 edge servers you would need 9 public IPs, if for instance you had 4 edge servers, you would need 15 IPs (4 edge servers with 3 each, and the HLB with 3).

      You can also look at DNS load balancing as a possible solution depending on your requirements, but I would still recommend placing the public IPs directly on the edge servers in that scenario.

      Hope this helps!

      -kp

  88. jergomez says:

    Kevin,

    I wanted to confirm how the Lync corporate client connects. I have installed the Lync 32-bit client and the only way I can VIEW a shared screen is if I HAVE to be connected to VPN. Is this correct? Seems very restrictive? Clients who use the web connect can do both (view without the installed client, and share).

    Thanks in advance.

    Jerry Gomez

  89. Hi Kevin,

    Finally, we got a machine with 2 IP addresses and now the edge is installed properly. I could see the traffic going from Lync FE–>Edge Internal –>Edge External–>OCS XMPP Gateway

    I am trying to federate with the OpenFire XMPP Server, after configuring the External Access Information as well as the Federated domain info. I could see that the message sent from the Lync client to the OpenFire user is not reaching; there is some issue between the XMPP GW and OpenFire. I have set TCP Dialback in the XMPP GW for OpenFire, and disabled TLS in the Security Settings of OpenFire for the s2s connection.

    Is this a supported federation? I have installed hotfix on xmpp gw and tried to read as much info as possible to test this, and before writing this to you. I could not find Jabber XCP to download and test the federation and checking with OpenFire.

    any input here will be a great help to me. Thank you

    Regards,
    Venkat

    • Kevin Peters says:

      Hi Venkat,

      I haven’t done an openfire config before, so my only suggestion would be to do logging on the XMPP server (maybe netmon) and see where it is trying to send the traffic. You need to make sure it is hitting the other end, if it isn’t maybe it doesn’t know how to route the request?

      HTH
      -kp

      • Hi Kevin,

        Thank you, I was able to make the federation work with OpenFire now. I had to add the _xmpp-server._tcp SRV record on port 5269 for the XMPP GW, which is what OpenFire looks for.

        But it works only in non-TLS mode, i.e. TCP Dialback.

        Regards,
        Venkat

  90. Hi Kevin
    We are experiencing "When contacting your support team, reference error ID 504 (source ID 239).
    Troubleshooting information is available online, including best practices for using Lync." when contacting Yahoo users. We don't experience this with users under live.com domains.

    Is this due to our SRV records? What should the SRV records look like?

  91. Madhav Nisal says:

    Hello Kevin,

    I am a bit confused; hope you can help.
    I am deploying Lync Server 2010 without the Edge service. All my servers (AD & Lync) are on public IPs. I can call between two Lync users in my network, but when the call comes from outside our network it gives the error "call failed due to network issues". I referred to your guide and then set up an Edge server, but then it started giving me the error in the Lync client "server issues can restrict calling". I have an SSL certificate from the internal CA. (I import the certificate into trusted root certificates on the machine the users log in to.)
    I have no NAT for my IP addresses. All three servers have public IP addresses.
    Can you suggest changes I should make in order for this setup to work?
    1. Buy an SSL certificate for the Edge.
    2. Move all the servers (Active Directory, Lync FE) onto the internal network.
    3. Keep the Edge on the public network.

    Please help me on this... Thanks in advance.

    • Kevin Peters says:

      Madhav,

      You said you are deploying without edge? If that is the case that won’t be a supported scenario. Also, putting your AD and Lync FE servers on public IPs is not a good idea for security reasons. I would look at getting the network set up in a private fashion and implementing an edge server and reverse proxy.

      HTH
      -kp

  92. Madhav says:

    Thanks Kevin for your reply.
    Can I change the IP address for the AD and Lync server now without reinstalling the full environment?

  93. jergomez says:

    Kevin,

    So far so good on the deployment. Had a quick question. Below is the issue we are having when a "Guest User" requests to Take Control.
    1: He can request & take control of a meeting.
    2: Cannot share desktop. User tries but then disappears while trying to.
    3: Turned on logging, hard to read but saw this error: 7/20/2011-10:35:49.281 0006TL_ERROR(UI)::(UI,Microsoft.OCG.ReachClient.AppShare.AppShareManager.get_CanAttemptAppShare) Sharing not allowed at this point as both connect and disconnect are disabled

    Message: Not authorized to perform the requested operation, request is refused
    > StackTrace: at Microsoft.Rtc.Signaling.SipAsyncResult2`1.ThrowIfFailed()
    at Microsoft.Rtc.Signaling.SipAsyncResultBase2.EndAsyncOperation[TResult](Object owner, IAsyncResult result)
    at Microsoft.Rtc.Signaling.SendSessionErrorReportAsyncResult.SendErrorReportWithoutRetryCompleted(IAsyncResult asyncResult)

    Please let me know your thoughts.

    Jerry

    • Kevin Peters says:

      Hi Jerry,

      Can you run get-csconferencing and post the output back? If you have multiple policies you can run get-csuser -id USERNAME and it will tell you which policy the organizer of the conference has.

      HTH
      -kp

  94. Dave Kyle says:

    Hi Kevin,
    Many thanks for your wisdom and knowledge on these articles!
    I’m having an issue with the reverse proxy not working; everything else does (I have tested through the OCS connectivity tester). Meeting URLs don’t work; when I test the rule through TMG I get internal error 500, but all the other URLs work?

    the exact same issue is outlined here:
    http://social.technet.microsoft.com/Forums/en-AU/ocsedge/thread/4fbdf954-41c4-4531-8bd9-1f25f5e3c5c9?prof=required

    but no-one seems to know how to fix it... Thanks!

  95. Dave Kyle says:

    Hi Kevin,
    Thanks, all working now, it was a cert issue.

    Love your blog!

    Cheers D

  96. Jeanan says:

    Hi Kevin.
    In my scenario, I did an installation of Lync Standard and in the Lync topology I’ve defined the external web services for the front end as sip.mydomain.com.
    I’m following your tutorial to install an Edge server and you use the sip.lyncguy.com DNS name as sip access. In this case, I need to change my external web services address, right?
    What do you use in your environment? I’m having some trouble with external users using AV with other users.

    • Kevin Peters says:

      Hi Jeanan,

      In my environment I use sip for the access edge, webconf for the web conferencing edge, av for the av edge, and lyncws for the web services. This isn’t the way it has to be done, but I found it to be the easiest. OC clients will actually search for SIP.domain.com as part of their sign-in process so this can be helpful.
      As far as AV goes, the most common problem I see is the AV edge being behind a NAT, but not having the actual public IP address specified in the Topo under the correct location.

      HTH

      -kp

  97. Chris says:

    Hi Kevin great blog. It has led me successfully through most of the issues of getting an external configuration up and running.

    I seem to have only one main issue left. When an external client connects to participate in a meeting, as soon as they log in they see the error "cannot connect to the sharing server. When contacting your support team reference error code 141."

    On the Edge server I can see the following error in the event log
    Event ID: 41998
    Source: LS Web Conferencing Edge Server
    Client connection was disconnected by web conferencing server.
    Over the past 1 minute Lync server has diconnected clinet 2 times as a result of command from web conferencing server. The last such disconneted client is IP.IP.IP.IP:36927
    Resolution: Check event log on Web Conferencing server to determine why client was disconnected.

    So I then went to the Lync Server 2010 Standard Edition FE and found the following error
    Source LS Data MCU
    Event ID: 41026
    Lost connection to all Web Conferencing Edge Services.
    Cause: Service may be unavailable or network connectivity may be compromised.
    Resolution Verify all web conferencing edge services in the topology are running and network connectivity is available.

    All services on the FE and Edge are running. If I chat using IM from external users I can share without issue. Video and voice work fine. A bit lost what else to try. Any guidance would be very much appreciated.

    • Kevin Peters says:

      Hi Chris,

      The data and meeting MCU (on the front end) each will set up a connection to each web conferencing edge server via TCP. They must have a connection for this functionality to work. I would suggest making sure the front end can reach the edge on 8057 and 5062; if it can, try restarting your services on the front end.

      HTH

      -kp
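      The reachability check described in the reply above, as an added example that is not part of the original post or the product: it tries to open TCP sessions from the Front End to the edge's internal FQDN on 8057 and 5062. It assumes the edge internal FQDN lyncedge.lyncguy.local from the article and uses System.Net.Sockets.TcpClient so it runs on Server 2008 R2, where Test-NetConnection does not exist.

```powershell
# Added example (not from the original post): confirm the Front End can open TCP sessions
# to the edge's INTERNAL interface on the two ports named in the reply above.
# Assumptions: run from the Front End; lyncedge.lyncguy.local is the edge internal FQDN
# used in the article. Windows PowerShell 2.0 compatible (no Test-NetConnection).

function Test-EdgeTcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$EdgeFqdn,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently-dropped packet (DMZ firewall) does not hang the script
        $async = $client.BeginConnect($EdgeFqdn, $Port, $null, $null)
        $done  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($done -and $client.Connected) {
            $client.EndConnect($async)
            return $true
        }
        return $false          # timed out or refused
    } catch {
        return $false          # DNS failure or connection refused
    } finally {
        $client.Close()
    }
}

$edgeInternalFqdn = 'lyncedge.lyncguy.local'

# Ports the reply above says the Front End must reach on the edge internal NIC
$ports = @{
    8057 = 'Web Conferencing Edge (PSOM/TLS from the Data MCU)'
    5062 = 'A/V Authentication service'
}

foreach ($p in ($ports.Keys | Sort-Object)) {
    $reachable = Test-EdgeTcpPort -EdgeFqdn $edgeInternalFqdn -Port $p
    New-Object PSObject -Property @{
        Edge      = $edgeInternalFqdn
        Port      = $p
        Role      = $ports[$p]
        Reachable = $reachable
    }
    if (-not $reachable) {
        Write-Warning ("Front End cannot reach {0}:{1}; check the DMZ firewall and the edge internal NIC " +
                       "(this is the condition behind LS Data MCU event 41026 quoted above).") -f $edgeInternalFqdn, $p
    }
}
```

      A False on either port means the TCP session never completes, which is exactly the "Lost connection to all Web Conferencing Edge Services" state described in the question.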

  98. Farrukh Qazi says:

    Hey KP, I'm back, need your valuable help...
    I have two sites, and am now going to deploy external user access for both sites. I have two different Front End pools, one at each site, with a single Front End server at each site. I don't have a Director role. I am going with two Edge servers, one at each site.
    I'm confused about the SAN entry requirements; it must be like lncaccess1.domain.com, webcon1.domain.com for site 1 and lncacess1, webcon2 for site 2, right? And for the meet and webext URLs I have separate Blue Coat firewalls as reverse proxies at both sites, where I will be publishing meet1.domain.com and lnwebext1.domain.com for site 1 and meet2 and lnwebext2 for site 2? So the total public SANs required are 8...

    Or what would you prefer to do for such a scenario, where there is a bandwidth limitation on the WAN link between the two sites?

    Please reply ASAP. Thanks in advance.

    – Farrukh Q.

    • Kevin Peters says:

      Hi Farrukh,

      The simple URLs can all go to one pool, but each pool will need its web services published. Also, each edge will need its own address. I’ve never tried putting different simple URLs on each pool, not sure it would actually work, but you could give it a shot.

      As far as recommendations:
      Site 1 – Web Services Cert
      CN=Pool Lync Web Services URL
      SAN= SIMPLE URL1(meet)
      SAN= SIMPLE URL2 (Dialin)

      Site 1 – Edge Cert
      CN= Access Edge FQDN
      SAN= webconf FQDN
      SAN= Access Edge FQDN

      Site 2 – Web Services Cert
      CN= Pool Lync Web Services URL
      SAN= SIMPLE URL1
      SAN=SIMPLE URL2

      Site 2 – Edge
      CN=Access Edge FQDN
      SAN= Webconf FQDN
      SAN= Access Edge FQDN

      I would not try to do all of that with one cert. The CNs for the reverse proxy certs (Web Services Certs) need to be the service name or you will run into problems with phone updates externally.

      HTH

      -kp

  99. Augusto says:

    Hi! Thanks for your article! I tried logging in with http://www.testocsconnectivity.com (2nd option, MS Lync Server remote connectivity test), but I get the following error: Testing the Remote Connectivity to Microsoft Lync Server through the Access Edge Server lync.domain.com.ar running on port number 443 to see if user user@domain.com.ar can connect remotely.
    Specified Remote Connectivity test(s) to Microsoft Lync Server failed. Please examine below details of specific reason for failure.

    (Resolve host is OK, testing port 443 is OK and testing SSLCertificate is OK). Do you have any idea about this issue? Thanks again!!

    • Kevin Peters says:

      Hi Augusto, can you provide the actual detail from the error message?

      -kp

      • Augusto says:

        Hi Kevin!... I have more details about this error. Actually I'm debugging with the "OCSLogger" tool on "SIPStack". I get this error:

        LogType: connection
        Severity: information
        Text: TLS negotiation started
        Local-IP: 129.10.101.84:5061
        Peer-IP: 190.137.57.116:20100
        Connection-ID: 0xD900
        Transport: TLS
        $$end_record
        $$begin_record
        LogType: connection
        Severity: error
        Text: The connection from a remote user client is refused because remote user access is not enabled on this port
        Peer-IP: 190.137.57.116:20100
        Transport: TLS
        Result-Code: 0xc3e93d86 SIPPROXY_E_CONNECTION_REMOTE_CLIENT_NOT_THIS_PORT
        Data: listening-port=”5061″
        $$end_record

        —-

        This happens when I try with the Lync client on the external network.

        Thanks!!

      • Kevin Peters says:

        Hi Augusto,

        Please verify the port specified for remote access in your topology is the same port specified in your SRV record. For example, if your remote access port is 443 (default) then _sip._tls.domain.com should point to sip.domain.com on port 443.

        HTH
        -kp
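        The comparison described in the reply above, as an added example that is not part of the original post or the product: it reads the public _sip._tls SRV record and compares its port with the client port the topology publishes for the Access Edge. It assumes the Lync Server Management Shell plus the DnsClient module (Windows 8 / Server 2012 or later) for Resolve-DnsName, the property names AccessEdgeClientSipPort and PoolFqdn on the objects Get-CsService -EdgeServer returns, and lyncguy.com as the SIP domain from the article.

```powershell
# Added example (not from the original post): does the public _sip._tls SRV record advertise
# the same port the topology publishes for remote user access on the Access Edge?
# Assumptions: Lync Server Management Shell with Resolve-DnsName available; the edge service
# objects expose AccessEdgeClientSipPort (remote user access port) and PoolFqdn; the resolver
# queried sees the PUBLIC zone, not the split-brain internal copy.
param(
    [string]$SipDomain      = 'lyncguy.com',   # SIP domain from the article
    [string]$PublicResolver = '8.8.8.8'        # any resolver that answers from the public zone
)

# 1. What remote clients are told: _sip._tls.<sipdomain> -> target:port
$srv = Resolve-DnsName -Name "_sip._tls.$SipDomain" -Type SRV -Server $PublicResolver -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No _sip._tls SRV record for $SipDomain in the public zone" }

# 2. What the published topology says the Access Edge listens on for remote users
$edges = Get-CsService -EdgeServer
if (-not $edges) { throw 'No Edge Server found in the topology' }

foreach ($edge in $edges) {
    $topoPort = $edge.AccessEdgeClientSipPort      # 443 by default, per the reply above
    foreach ($record in $srv) {
        # Does the SRV target resolve at all in the public zone?
        $targetIp = (Resolve-DnsName -Name $record.NameTarget -Type A -Server $PublicResolver -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress

        $portsMatch = ($record.Port -eq $topoPort)
        New-Object PSObject -Property @{
            EdgePool     = $edge.PoolFqdn
            TopologyPort = $topoPort
            SrvTarget    = $record.NameTarget
            SrvTargetIp  = $targetIp
            SrvPort      = $record.Port
            PortsMatch   = $portsMatch
        }

        if (-not $portsMatch) {
            # This mismatch is what produces SIPPROXY_E_CONNECTION_REMOTE_CLIENT_NOT_THIS_PORT in the SIPStack log above
            Write-Warning ("SRV advertises {0}:{1} but the Access Edge for {2} accepts remote users on {3}" -f
                           $record.NameTarget, $record.Port, $edge.PoolFqdn, $topoPort)
        }
        if (-not $targetIp) {
            Write-Warning ("SRV target {0} has no A record in the public zone" -f $record.NameTarget)
        }
    }
}
```

        The federation SRV (_sipfederationtls._tcp) is a separate record against a separate port and is not covered by this check.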

  100. Chris says:

    Hi Kevin

    Thank you for the reply. The answer in the end was found elsewhere on your site and was to do with the GoDaddy certificate not being set so that it can be used for anything. We changed this and at first thought it hadn’t worked. However the next morning we came in and it was all good.

    I have a question in regard to PIC provisioning. We have received our confirmation code that this has been provisioned from Microsoft..... what do we do now :p

    • Kevin Peters says:

      You just enable PIC on the remote access tab, under providers. As long as your certificate matches the name you gave to the PIC provisioning folks, it should just work from there. It does take a while to actually get provisioned though.

      hth
      -kp

  101. jergomez says:

    Kevin,

    We have been working well with Lync, thanks for all your help. Quick question on meeting IDs. When we create "scheduled" meetings, the meeting ID doesn’t change. Is there a way to make it change every time you schedule one? It does create a unique one for "Meet Now". Please advise.

    Sample: https://meet.domain.com/jgomez/7VP2X7OE
    Jerry

  102. Shahir says:

    I configured my Lync server with an IP address on the same LAN (let’s say 10.0.0.247); this server is also part of mydomain.com. In the LAN, Lync is working fine. After that I planned to give external access to my users. For that I configured my edge pool as below.

    1) FQDN: edge.mydomain.com (DNS record created locally, which is resolving successfully)
    2) I selected "Use Single FQDN & IP Address" and "Enable Federation" in the second step of the Edge pool
    3) In the third step, External FQDN, I specified "ssl.mydomain.com" (which is also resolving externally) with SIP Access, Web Conf and A/V Conf ports 5061, 444 and 443 respectively.
    4) In the fourth step, Internal IP as 10.0.10.248 (which is on the same LAN)
    5) In the fifth step, when asked for the External IP, I put 192.168.xx.xxx (which is our DMZ)

    After all this I exported my configuration from the front end server to the actual Edge server.
    In my Edge server I have two network cards, one for Internal (10.0.10.247) and one for External (192.168.xx.xxx).
    In the third step of the edge server installation, when assigning certificates, I selected the same CA (from the internal CA) for internal and external; that also completed successfully (I don’t know if this is correct).
    After all that I NAT my public IP (let’s say xx.xxx.69.181) to my edge server. I still didn’t create any public SRV record.
    But I still can’t access my server via https://ssl.mydomain.com. Is there any misconfiguration on my side? Could you help me with this please..

  103. Chris says:

    Hi Kevin

    I have made some more progress on the PIC issue. The firewall was blocking 5061 out for the dmz. So this has now been resolved.

    I am however getting a 504 error still. This time though the reason= “Previous Hop public IM provider did not report diagnostic information”.

    At a loss as to what to try now…

  104. Saif says:

    Kevin,

    I am extremely thankful to you for this guide. This helped a lot, you have no idea! I have a question though. I set mine up just like yours, except I have 1 public IP. Everything went well, and now when I do the ocsconnectivity test I get this error: ",,....Subscription for provisioning data did not return a valid MRAS URI." So I found your solution and created an external DNS SRV record for sip.tls.domainname.com pointing to port 443. Now when I test it it finds it, but I keep getting an SSL cert error.

    Please correct me if I am wrong; I know I need an external SSL cert, but I don’t have one. I imported mine directly from my server onto my external laptop and was testing the Lync client. When I connect via the Lync client, right away I get server unavailable. Like it sees it, but can't connect.

    What am I doing wrong? Do I absolutely need the DigiCert? Can't I get away with importing my own cert?

    thank you for all that you have done!
    Saif

  105. Kevin,

    I followed your blog a while back to setup our new Lync environment. We are experiencing issues with it at the moment. I have a user who is a domain admin and this user gets Network connection issues to random people on Lync. If he moves to a different machine from the outside and tries to connect it works. I also have a non domain admin user that is having the same issues. I’ve verified most of the steps in this guide to try and determine what the issue is. Do you have any suggestions?

  106. Chris says:

    I seem to have everything up and working, but when someone tries to come in via the web interface to join a conference they get to the screen where they choose whether they are a guest or registered user without issue.

    However when they select to come in as a guest and click the join meeting button a message comes back saying the meeting link is invalid.

    If you try to login as a registered user it says the username and password are unknown.

    Hitting a dead end on this one; could really do with some guidance on where to try next.

    Kind Regards

    • Chris says:

      Note that internally this all works; these issues on the web interface are only happening when connecting from an external point to the network.

  107. Thierry Verhaegen says:

    Hi Kevin,

    I have followed your steps and my services all start correctly, however when I try to run ocsconnectivity I get: Subscription for provisioning data did not return a valid MRAS URI

    I have made the _sip._tls.outsidedomain.eu record. This makes a _tls folder inside my _tcp folder. I have this pointing to sip.internaldomain.eu on port 443. However I still get the above error. Any ideas?

    • Kevin Peters says:

      Hi Thierry,

      The A record for your public SRV should be in your public domain, not your private domain. It appears from your post that is not the case.

      HTH
      -kp

      • Thierry Verhaegen says:

        hey Kevin,
        I’m sorry, the A record does indeed point to sip.outsidedomain.eu

        When i open up a command prompt and i type
        nslookup
        >server 8.8.8.8
        >type=srv
        >_sip._tls.outsidedomain.eu

        I get sip.outsidedomain.eu

        when i then do
        nslookup
        >server 8.8.8.8
        >sip.outsidedomain.eu

        I indeed get the correct external IP address.

        However I keep getting the same error from testocsconnectivity.
        Are there any other reasons I could be getting this error apart from my SRV record not being correct?

      • Kevin Peters says:

        Thierry,

        Please check the Lync event log on your front end server and edge server, if you can’t get MRAS the problem is most likely communication between the FE and edge.

        HTH

        -kp

  108. Augusto says:

    Hi Kevin! I need your help (again hehe). I have just one problem with external users... I can: A/V conference, share desktop or programs, question polls... but I can't show PowerPoint presentations to external users... on both sides. The error says "cannot download the slide". Thanks for your time!!

  109. Augusto says:

    Kevin, I have this error: http://tinypic.com/view.php?pic=oiuemd&s=5 when I try to deploy a reverse proxy... Is it possible with a private cert? Thanks!

    • Kevin Peters says:

      Hi Augusto,

      I can’t tell what the error says since it isn’t in English, sorry. It is possible to use a private cert for reverse proxy, but only domain joined machines will trust it. Have you had a look at Randy’s guide for reverse proxy @ ucmadeeasy.wordpress.com?

      HTH

      -kp

  110. Thierry Verhaegen says:

    hey Kevin,

    I have my public DNS A record pointing to the outside IP address of my edge SIP and have an override on my internal DNS server that points to the internal IP of my edge SIP. Should it always point to the outside IP address even for internal users? When doing the OCS test, does the communication between FE and edge happen on my internal (override) DNS record or on the external DNS server record?

    Do I need to check the event log directly after doing an ocsconnectivity test? Because all my services are running fine now and they are giving no more error logs.

    thanks

    • Kevin Peters says:

      Hi Thierry,

      The internal users should point to your FE, not the edge. External users should point to the edges public IP for SIP as stated above.

      HTH
      -kp

      • Thierry Verhaegen says:

        hey Kevin,
        A colleague of mine did the original Lync deployment; I only started doing the edge deployment once Lync was set up. I just checked his config in DNS and indeed the internal still points to the FE Lync server.

        I checked the event viewer in Application and Lync and don’t find any error logs, not even when I run the ocsconnectivity test. I’m a bit lost where to start searching now :/

      • Kevin Peters says:

        Thierry,

        Can you email me a copy of your topology file?

        -kp

  111. Jon-Michael says:

    Hi Kevin. Great info you have posted here. I feel the same need as you do to supply very high details when creating documentation. I’ve followed the document while setting up my Edge and it helped a lot.
    I have one strange issue which maybe you’ve seen? When I have an external user (remote access) and an internal user connected by IM, and one of them attempts to share the screen\video call\etc., I get the “failed due to network issues” message. However, if I try again, then it works. It happens every time on the first attempt to initiate some kind of AV between the external user and the internal user. Do you have some recommendations?

  112. Luuk Vos says:

    Hi Kevin,

    I’ve set up an environment with an edge server, and running ocsconnectivity.com with autodiscover comes back positive. Now when I’m in Lync Server Control Panel and look under “Topology” and status, it says the status of the edge server is N/A. Is this normal behaviour or did I overlook something?

    Thanks

    Luuk

    • Kevin Peters says:

      Hi Luuk,

      The NA just means the control panel can’t get service status for the edge services. This is expected for edge servers, as long as replication is up to date you should be fine.

      HTH
      -kp

  113. Jonah says:

    Hi Kevin,
    This guide is awesome, but I’m having an issue that I hope maybe you can help me resolve.
    I’ve got a SE server running and an Edge box.
    I’ve got my Edge nat’d behind a TMG 2010 server in 3 leg mode.
    I do have a dedicated Public IP assigned to the Public NIC for sip.domain.com.
    All my srv records are fine. No DNS issues I can find.
    For some reason I can not get the reverse proxy to work. It seems TMG is blocking port 443 on the Public IP I have my listener running on. I’ve run TMG logs and filtered it out for relevant traffic, but I can’t seem to find the issue. I know my edge is listening on 443 on the External IP, and 4443, and 5061 on the internal ip, but nothing can seem to get to it.
    I’ve run port scans on the TMG box and 443 and 5061 are both Not Responding.
    I’ve recreated the listener and the rule several times to no avail.
    Am I missing something?
    Another thing to point out is I’m also running Exchange 2010 web services, and RDGateway on other listeners with port 443 and they are running fine. Active Sync, OWA, Outlook Anywhere, and RDGateway all work with no issues.
    If you can think of anything to point me to I would really appreciate it.
    Thanks
    Jonah

    • Thierry Verhaegen says:

      hey Jonah,

      I have my edge co-located with a web server for testing purposes, and one thing to note is that IIS 7.0 listens on port 443 on ALL IP addresses by default (0.0.0.0 when running netstat). You have to insert a specific listening command like this:
      netsh http add iplisten ipaddress xxx.xxx.xxx.xxx
      This will force IIS to only occupy port 443 for the ip address on which your outlook web services are running. This opened up port 443 on my web-server which the edge could now use. Not sure about 5061 but it could be related to the same issue

      • Kevin Peters says:

        Hi Thierry,
        Although this may work, it is not supported to house other services/servers on the Edge server. I would definitely avoid it if you can.

        HTH
        -kp

      • Thierry Verhaegen says:

        Hey,
        I understand your concern, but sometimes it is needed to at least test if it is possible because of licensing limitations and other budget restrictions. This test so far was successful for me; everything about the edge works, but if some things start to go awkward I will definitely move it to a stand-alone server.
        To me it seems running Exchange (and its web services) co-located with an edge is the same as co-locating a web server with an edge, so I was just giving him my experiences 🙂

      • Kevin Peters says:

        Hi Thierry,

        I definitely understand your point, however; since my blog is a trusted source of information, I can’t make statements that go against what Microsoft will support without at least advising that they are in fact unsupported.

        Thanks for your input!
        -kp

      • Jonah says:

        Hey Kevin,
        I don’t know why, but after I posted this request. The next day, my reverse proxy started working. I still am being blocked by TMG on port 5061, but the web services are working. Dialin, and meet both have no issues now. I just can’t get external Federation to work.
        I work for a company that has Lync deployed and am trying to type in my user@mydomain.com from my job’s Lync. When I try to IM my user, I’m watching my TMG logging and can see the incoming request on my external IP, and that it’s using Protocol SIPS on port 5061, but the Default Rule is blocking it. Any ideas?
        Thanks again for the replies. I really do appreciate the help.

    • Jon-Michael says:

      I had a similar issue with the web components rule I created with TMG and the fix for me was to select the “Forward the original host header instead of the actual one (specified in the Internal site name field)” option in the firewall policy rule. If I remember correctly, this is the complete opposite of what was selected when we ran OCS R2. It’s possible that this may help with the SIP rule as well?

  114. Daniel B says:

    Hi. We are facing strange behavior on a customer’s Edge server. We have configured open federation on the edge. We are able to connect with 4 different public SIP federation companies but not with two others. The problem seems to be in the root certificate. We have run update on the W2008, because we could see one fix regarding certificates. The certificate we use is from a well-known public authorizer.
    My colleague talked about there being some internet hacking of authorizers a couple of months ago. Can this have to do with something in the root chain being disturbed, and do we need to buy a new one or update?
    Another question. Is there any tool other than spofy that can measure bandwidth and causes of disconnection on internal and external already set up connections? The customer complains about disconnections on internal and external communication after a while. Microsoft says they have so many parameters that measure the bandwidth and so on. There should be a built-in tool to be able to analyze where the customer network fails. BR Daniel

  115. Vu says:

    Thank you for your article, I resolved my system issue!

  116. erersacz says:

    I used the wildcard certificate. I was assigned

    The result:

    Testing the Remote Connectivity of user xxxyyyzzz@domain.com to the Microsoft Lync Server.
    Specified Remote Connectivity test(s) to Microsoft Lync Server failed. Please examine below details of specific reason for failure.
    Test Steps
    Attempting to Resolve the host name sip.ogm.gov.tr in DNS.
    Host successfully Resolved
    Additional Details
    IP(s) returned: xx.xxx.50.42

    Testing TCP Port 443 on host sip.ogm.gov.tr to ensure it is listening/open.
    The port was opened successfully.

    Testing SSLCertificate for validity.
    The certificate passed all validation requirements.validation checks.
    Additional Details
    Testing the Remote Connectivity of user xxxyyyzzz@domain.com the Microsoft Lync Server.
    Specified Remote Connectivity test(s) to Microsoft Lync Server failed. Please examine below details of specific reason for failure.
    Tell me more about this issue and how to resolve it

    Additional Details
    Subscription for provisioning data did not return a valid MRAS URI.

  117. Mohammed Saleem says:

    Super Like ….. Many Thanks

  118. Tommy says:

    Hi great article

    I got my certificate installed on the Lync FE and not on the DC. Can this be a problem in some way?
    Now I can't see the certsrv in IIS "https://lyncdc.lyncguy.local/certsrv", so I imported it manually into the Edge server.

  119. Jason says:

    Thanks for your post. It helped out a ton setting up our Edge Server.

    The only issue we are seeing is that only audio calls are dropped with the message “Call failed due to Network Issues” when one client is internal and the other is external, logged in the Edge server. There is no firewall between the internal client and the edge server. Audio and video calls are working between internal users. From our traces it looks like the external client is trying to contact the private IP address of the internal client. Any reason why it would be trying to do that?

    Thanks in advance

    • Kevin Peters says:

      Hi Jason,

      The A/V edge IP is passed directly to the external client to attempt a TURN connection with. Most likely you have entered the private IP in the Public IP address field during this step:

      HTH,

      kp

      • Jason says:

        Thanks for the quick reply.

        Under the Audio/Video option I do have a public IP address set in the “NAT enabled public IP address used:” field and a private address in the “External IP address:” field. Is that correct?

        If I wanted to edit that how would I go about doing that? Since the Edge server is not domain joined and I had to import config during install?

        Thanks

  120. Kevin Peters says:

    Jason,

    That should be correct. If you edit the topology the edge should still get a copy of it. Do you have the appropriate ports open and static NATs set on your edge? Make sure the internal edge FQDN resolves to the right IP (internal IP). Also, does the internal NIC of your edge server have route to the internal networks? If you want to email me your topology file, an IPConfig /ALL and a route print from your edge I can take a look. Would be good to include a ping from the FE to the internal FQDN of the edge as well.

    HTH
    kp

  121. Jason says:

    OK, yes, the internal IP address resolves to the internal FQDN. But I checked that and I could not even get to (ping) the internal IP address, as I must have forgotten to add the route for it. It's a VM so I was using the console during install. I do have one question about the route add statement: would it be OK to just use a default route, as we have hundreds of networks and that would be a pain to do a route add for all of them?

    I will let you know if it works or not.

    Thanks for the help and Merry Christmas

    • Kevin Peters says:

      Hi Jason,

      You could do summarized routes. Since typically your internal networks won’t be public addresses, you could just do a 10.X.X.X/8, 192.168.x.X/16 and the 15 or so 172’s. That would make it easier to do the routing updates on the edge.

      HTH, Merry Christmas to you as well!

      kp
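      The summarized routes suggested above, as an added example that is not part of the original post or the product: it adds persistent static routes for the three RFC 1918 blocks via the edge's internal NIC and then confirms the Front End answers. It assumes a next hop of 10.255.106.1 for the internal NIC (a constructed lab value) and the Front End address 10.255.106.161 from the article; route.exe and Test-Connection are present on Server 2008 R2.

```powershell
# Added example (not from the original post): persistent summarized RFC 1918 routes on the
# edge's internal NIC, which has no default gateway (the default gateway lives on the external NIC).
# Assumptions: 10.255.106.1 is the internal NIC's next hop (constructed lab value);
# 10.255.106.161 is LyncFE from the article. Run elevated on the Edge server.
$InternalGateway = '10.255.106.1'
$FrontEndIp      = '10.255.106.161'

# 172.16.0.0/12 summarizes all sixteen 172.16 - 172.31 networks in one route
$summaries = @(
    @{ Net = '10.0.0.0';    Mask = '255.0.0.0'   },   # 10.0.0.0/8
    @{ Net = '172.16.0.0';  Mask = '255.240.0.0' },   # 172.16.0.0/12
    @{ Net = '192.168.0.0'; Mask = '255.255.0.0' }    # 192.168.0.0/16
)

# Caveat: if the DMZ / external NIC subnet itself falls inside one of these summaries,
# carve it out with a more specific route via the external gateway, or external traffic
# for that subnet will be sent out the internal NIC.
foreach ($s in $summaries) {
    # -p makes the route survive a reboot; route add fails if an identical route already exists
    $out = & route.exe -p add $s.Net mask $s.Mask $InternalGateway 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("route add {0} mask {1} failed: {2}" -f $s.Net, $s.Mask, ($out -join ' '))
    } else {
        "Added {0} mask {1} via {2}" -f $s.Net, $s.Mask, $InternalGateway
    }
}

# Show what is now persistent and confirm the Front End is reachable over the internal NIC
route.exe print -4 | Select-String 'Persistent Routes' -Context 0,6

if (Test-Connection -ComputerName $FrontEndIp -Count 2 -Quiet) {
    "Front End {0} reachable from the edge" -f $FrontEndIp
} else {
    Write-Warning ("Front End {0} not reachable; verify the internal NIC gateway {1} and the DMZ firewall" -f $FrontEndIp, $InternalGateway)
}
```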

  122. Gerry says:

    Great article Kevin…helped a lot in setting up our Edge.

    Only one thing that we still can’t figure out. We are having a slight delay in making a call from a phone or lync client that connects via the edge. It makes beep beep for 7 or 8 times before it finally connects. Inside users no delay.
    Do you experience the same?

    Happy New Year!!

    Thanks,
    Gerry

    • Kevin Peters says:

      Hi Gerry,

      Is this a PSTN call, or a Lync call? Maybe there are some routing issues between your edge servers internal NIC and your mediation server? I’d recommend grabbing a trace from your client, mediation server and edge server and reviewing.

      HTH
      -kp

      • Gerry says:

        Hi Kevin,

        We figured it out…we mistakenly published the topo using edge sip ip instead of the a/v ip address. After we put the right ip then no more beep beep when calling from edge connected devices.

        Thanks again!

        Gerry

  123. DOMINIK says:

    Hi Guys,
    Thanks first of all for the very good step-by-step, it was very useful to me,
    but I have a little question.
    I deployed Lync Server Std in my company with an edge server,
    now I would like to integrate it with other IMs,
    in my company many people are using MSN and Microsoft Live Meeting,
    I would like to configure Lync so users could use their MSN contacts from Lync,
    and of course users behind Live Meeting could communicate with users on the Lync side,
    and I’m wondering if it is possible. I’ve heard that integration (federation) with MSN is possible, so with Live Meeting too.
    Does someone have a good manual (preferably step-by-step)? Because I couldn’t find anything interesting on the net.

    • Kevin Peters says:

      Hi Dominik,

      I think what you mean is you would like to use Lync to communicate with MS Live/Messenger contacts. Yes that is possible, but it requires a PIC license and configuration. Please contact your MSFT rep to get the licensing info and go to pic.lync.com to enable your environment for PIC.

      HTH

      kevin

  124. Jean says:

    Hi Kevin.
    About a couple of months ago I used your tutorial to do a deployment of Lync in our environment. All the components are working fine (IM, A/V, etc.) internally and externally.
    But now I need to configure the iPhone Lync client app to connect to our Lync Server.
    I’m having some problems with this connection. I did some internet research and found that we need some additional info to use the autodiscovery functionality from the Lync App for iPhone.
    I’ve added two CNAME entries called Lyncdiscover and LyncdiscoverInternal in our external DNS zones pointing to lync.domain.com (my external web services URL).
    But even with this, the clients using iPhone can’t connect. I read somewhere that we need to update our certificates to include the two URLs. Is this true?

    • Kevin Peters says:

      Hi Jean,

      You should probably review the Lync Mobility guide, it is a new service added with CU4 (and additional installed bits) that requires reverse proxy configuration. You can get the guide here:
      http://www.microsoft.com/download/en/details.aspx?id=28355

      HTH,

      kevin

      • Jean says:

        Kevin, I did as the manual explains and now it is working. I’m just having some problems configuring the push notification.
        I followed the instructions, but when I try to run the cmdlet:
        Test-CsFederatedPartner -TargetFqdn srv-edge.domain.local -Domain push.lync.com -ProxyFqdn sipfed.online.lync.com

        I’m getting the error: Test-CsFederatedPartner : This operation has timed out.

        After some internet research, I used the Lync Logging Tool on the Edge server while running this cmdlet on the FE, and the following error appears in the log:

        TL_ERROR(TF_DIAG) [1]0678.074C::01/16/2012-14:09:19.192.00000007 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(143))$$begin_record
        LogType: diagnostic
        Severity: error
        Text: The destination in the edge route did not match any configured server and cannot be used for Request URI routing.
        Result-Code: 0xc3e93d91 SIPPROXY_E_EPROUTING_INVALID_EDGE_ROUTE_DESTINATION
        SIP-Start-Line: OPTIONS sip:Options_User@push.lync.com SIP/2.0
        SIP-Call-ID: 5fb7a12d3dc54adebc968a3e1f24949b

        Any idea on this?

      • Mike says:

        Not able to reply to Jean’s reply below. Federation has to be enabled for Push to work in Mobility. That includes the Federation (port 5061) on the Edge topology, the Site topology federation route assignment, allowing federated users in the Access Edge configuration and the external DNS SRV record for _sipfederationtls.

  125. Jerry says:

    Kevin,

    So far it’s been 7 months since the deployment of Lync with the Edge server, good without many problems. I have a weird problem occurring. Once in a while I have a user select a frequent contact and when they begin a chat session the name changes to an old or deleted user. Example: if you start chatting with me (Jerry) the name on the chat turns to Tom. What I have done is delete the Lync certificate from EI and reconnect the Lync client. It works OK for a couple of days but then it happens again to the same user. Please let me know of any thoughts you have on this issue.
    Thanks again.

    Jerry

    • Kevin Peters says:

      Hi Jerry,

      In this case, would Tom be someone who is no longer with the company, and Jerry has had Tom’s email address added as an alternate SMTP address?

      -kevin

      • Jerry Gomez says:

        Kevin,

        I got this resolved by deleting the local Lync certificate in Outlook and reconnecting. Seemed to fix it.

        Thanks, Jerry

  126. Jerry says:

    Tom is someone no longer with the company. There’s no email address (Exchange 2010) for Tom any more. There’s an AD user for Tom. Could it be reading it from this account? I’ve deleted it to troubleshoot…

    • Kevin Peters says:

      Hi Jerry,

      I’ve seen this occur when someone’s SMTP address is added to another contact. For example, Jerry (you) gets tom@company.com added as an SMTP address so you can get email directed to his account after he leaves. There may be other situations in which it occurs that I’m not aware of. Please let me know your findings after deleting his info; you may also look at contact cards for the person who notices the problem, but there would need to be some way Jerry and Tom were tied.

      HTH

      kevin

  127. chris says:

    Hi there, great article, saved my life.
    I have built a two node edge pool and configured it to use 3 separate IPs all using 443.
    I have configured internal DNS and external DNS and all relevant SRV records.
    My problem is that the Microsoft test connectivity website fails when trying to connect to sip.domain.com.
    If I try and telnet localhost on the edge server to 443 it fails.

    any ideas..

    • Kevin Peters says:

      Hi Chris,

      Try telnetting from one edge to another on the access edge IP port 443. It’s possible the services aren’t running, a firewall is blocking them, or you have the default gateway on the internal NIC (or incorrect).

      HTH

      kevin

      • chris says:

        I cannot telnet to localhost on either edge server on 443 but I can telnet from the other edge server on 443 on the DMZ Access IP. I cannot telnet externally on the NATed External Access IP.

        the default gateway is on the DMZ nic and the internal NIC has no default gateway set.

  128. kaptinkirk@msn.com says:

    I am having client problems. My Lync client says I cannot contact the sharing server, error code 141. My Lync admin says it is a client issue as I am the only one complaining of this. If it is a client side issue, what should I check?

  129. Bala says:

    Hi Kevin,
    I have configured Lync 2010 Standard FE & Edge.
    Everything is working fine with the Lync client (A/V conf, IM, etc.) but if I send the URL of a meeting through
    email, or copy and paste the conference call joining information and send it to other users using Lync Attendee, then the link shows “Page Cannot be Displayed”. I have the following configuration:

    Public IP for example (10.0.0.1 to 10.0.0.6) (on public dns)
    (sip) lync.domain.com 10.0.0.1 (lync edge)
    (webconf) conf.domain.com 10.0.0.2 (lync edge)
    (av) meeting.domain.com 10.0.0.3 (lync edge)

    My Simple URLS are (on internal DNS)
    dailin -> dailin.domain.local -> lyncfe.domain.local for domain.local
    meet -> meeting.domain.local -> lyncfe.domain.local for domain.local

    dailin -> dailin.domain.com -> lyncfe.domain.local for domain.com
    meet -> meeting.domain.com -> lyncfe.domain.local for domain.com

    I have not created any reverse proxies to simple url’s.
    and the link for the meeting is as follows
    https://meeting.domain.com/“username”/4L3TC7V7
    which says “Page Cannot be Displayed”.

    Due to this Lync Attendee cannot join the conference.
    Please Help.

    Bala

  130. Sam says:

    Hey Kevin-

    I have an interesting situation. We are in the process of setting up a DMZ with a second Cisco IOS router so it will be internet->DMZ router->internal router. We want to put a Lync edge server in the DMZ. I noticed that if you use the 3 different public IPs they all use port 443. We will have port 443 set up for outlook web access, can I use 443 for both OWA and all 3 Lync edge services? I am mainly concerned about our NAT statement for OWA which is (currently without DMZ):
    ip nat inside source static tcp 192.168.1.186 443 interface gigabitethernet0/1 443

    which points 443 to our exchange server. Can I use a different port for the Lync Edge services?

    • Kevin Peters says:

      Sam,

      Normally each one of these services would get their own public IP, so they wouldn’t share the same IP/Port, they would each have their own.

      HTH
      -kp

      • Sam says:

        Thanks for your reply. I am still wondering about this, though. Does this mean I put the public IPs under external settings in the properties on our FE server? Or should those be the private IPs? I guess I am just wondering where you specify the public IPs.

  131. Jerry says:

    Kevin,

    I was wondering if you have any info on sending/receiving TEXT SMS through LYNC. Do you have information or documentation on configuring or adding a 3rd party? THANKS for your help.

    Jerry

  132. kosala says:

    I’m planning to install an edge server, but in my case there is no DMZ zone, and the server has only a single NIC. Is it possible to install an edge server with a single NIC?

  133. B says:

    Hi Kevin,

    Thank you for the post, and for your continuous help for all of us. I managed to deploy Lync in a test environment and everything (IM, Audio/Video) is working well internally. I added an edge and external clients can sign in and send instant messages to internal clients, but I’m having a problem with external users when performing audio/video calls with internal users: the call lasts for 5 seconds and then disconnects, giving the following error “Call failed due to Network Issues” … I’ve been struggling with this error for 2 days. My firewalls are all open, I checked my DNS records, the certificates are fine … I enabled logging in the clients and found this in the logs: ” Call failed to establish due to media connectivity failure when one endpoint is internal and the other is remote” …. Can you please shed some light on this.

    Thanks

    • Kevin Peters says:

      Hi,

      Is it possible your A/V edge is NAT’d on the public interface but you didn’t configure the check box for the IP being behind NAT in topology builder? If it isn’t that, then either there is something goofy with your edge network config/routing, or the firewall doesn’t have the correct ports open.

      HTH

      -kp

  134. Curtis Webb says:

    Hi Kevin,

    We followed your guide here and have an interesting issue. Random users will not be able to talk to federated users, while others work just fine.
    Both are allowed through the policy.

    The people who cannot IM federated contacts never get a presence (always unknown) and the send fails with a “Your message may not have been received, the server did not respond”.

    Ever seen this before? I am at a complete loss.

    Thanks,
    Curtis

    • Kevin Peters says:

      Hi Curtis,

      Can you check your client side logs (with snooper) for the following error:
      ms-diagnostics: 1065;reason=”Federation is disabled”;domain=”mydomain.com”;source=”sip.clientdomain.com”

      I’ve seen this happen even when federation was enabled. If you see that please let me know.

      -kp

  135. DOMINIK says:

    Hello,
    I have managed to add a Lync Edge Server to my Lync FE.
    Everything with the edge server looks like it works fine; when I go to the control panel on the Lync FE, in the topology there’s replication with the edge server, but I still have an issue:
    when I’m trying to establish an a/v connection from external to another user who is also external, everything works fine, but when I’m trying to connect (I’m on external access to Lync) to a user connected on an internal Lync client there’s no way to establish an a/v conference, only chat.
    My Lync Edge is behind a NAT, and has the tcp/443, tcp/444 and tcp/5061 ports opened.
    What could be the problem?
    On the Lync FE control panel I have external access for users enabled.

    Please advise, because I don’t know what to do.

    • Kevin Peters says:

      Hi Dominik,

      You’ll need to make sure 3478 UDP and 50,000-59,999 TCP/UDP are open to your a/v edge. If all roles are on one IP this would just be the public IP. Also, make sure if you are using NAT the check box on the edge config is checked for NAT, and the public IP is entered in the appropriate place.

      HTH
      -kp

      • DOMINIK says:

        Hi Kevin,
        Thanks for your reply so soon 🙂
        I know what the resolution of this problem was: it was a gateway leak to the Lync FE,
        but I have another one.
        I have a DNS record – meet.mydomain.com (inside domain),
        and when I want to establish a connection from outside (try to send an email with an online meeting) and from inside everything works fine – from Internet Explorer Lync is connecting to the conference, but from outside Explorer tells me that it couldn’t find this website.

        I have configured the Lync edge so it uses one FQDN for sip, conference and a/v,
        but there’s one strange thing – conference is on port 444 and a/v is on port 443.
        Shouldn’t it be the other way round externally – I mean a/v -> 444 and conference -> 443?

      • Kevin Peters says:

        Dominik,

        The meet record should point to your reverse proxy, not to the edge server. Have you deployed reverse proxy in your environment?

        HTH
        -kp

  136. DOMINIK says:

    Kevin, unfortunately I haven’t, I have only the edge server and the Lync FE.
    I have another question. Inside my company I managed to establish an autodiscovery service on my DNS with an SRV record (_sipinternaltls);
    on my external public link I have a DNS server on a Linux BIND server, and I can’t establish autodiscovery over BIND.
    I tried this:
    _sip.tls.mydomain.com 0 5 5061 mydomain.com
    I have read that it should be fine and the Lync client outside should autodiscover my server, but it seems that it does not.
    Do you know how to achieve autodiscovery on a Linux BIND server using SRV records?
    I have port 5061 forwarded on the NAT, and when I type the external domain name of my Lync edge server the Lync client establishes the connection successfully. I mean the external IP address of the Lync edge server.

    • Kevin Peters says:

      Hi Dominik,

      I don’t know how to make that work with a bind server. Sorry.

      -kp

      • DOMINIK says:

        OK Kevin, I appreciate your help,
        but occasionally I’m getting an error in the Lync FE event viewer:
        LS Data MCU
        Service may be unavailable or Network connectivity may have been compromised.
        The resolution of this problem seems to be simple, but it is not at all.
        It looks to me like a connection leak, but the Lync Edge has a default gateway to the Lync FE, and both servers are in the same subnet, so I’m trying to understand this error,
        and sometimes, when I’m on the external public network and the other user is locally inside the company, the desktop sharing service is not working and the Lync client tells me that it is because of a network failure.
        Maybe you know what the problem would be?

      • Kevin Peters says:

        Hi Dominik,

        The edge default gateway should not be on the internal NIC, only the external. I’d start there.

        HTH
        -kp

  137. Kevin,
    Been using Lync for several months now, no problems so far. Now that Lync is being deployed at many companies, I have come across trouble performing meetings with customers who ALSO have Lync as their online meeting system. When they accept the meeting, for some reason their INTERNAL LYNC pops open, NOT able to open our meeting. Trying to get a screen shot and error message, but have you come across this before? Thanks for any help you can give me.

    Thanks again,
    Jerry

  138. Dug says:

    Hi Kevin. I hope you don’t mind giving me a few mins of your time, but I’m kinda pulling my hair out! I’m in the process of testing a Lync deployment without a reverse proxy. I’ve had success in giving the front end two IPs and have both the internal and external IIS sites on 80 and 443. I also have an edge. Running the remote connectivity analyser I get an invalid MRAS URI. I have read through all the comments regarding this, specifically:

    “Have you created the public SRV record for your SIP domain?
    It should be _sip._tls.domain.com pointing to your edge servers public name (i.e. sip.domain.com) on port 443. Without that record things will not connect.”

    Now this is where I get a little hazy. What exactly does public mean? Do you mean my ISP’s DNS panel, or the public side / zone of my network? In my ISP’s DNS I have sip.domain.co.uk (which is used for sip, a/v, webconf) going to my edge, and .domain.co.uk going to my front end. On my ISP’s panel I can only add an ‘A’ record or ‘cname’. There is no option for an SRV entry – and certainly not one for a port number!

    We only want the software for external online meetings, which do currently work, except it will not allow the remote guest to share their desktop with the internal user (although vice-versa works!!). I assume this is something to do with the subsequent communication between the two through the sip/edge, after the initial handshake through the front end!

    I hope my post doesn’t sound too dumb/basic, but I’m specifically stuck regarding the external SRV record. Many thanks,
    dug.

    • Dug says:

      sorry in the 3rd paragraph it was meant to say:

      “….{lync., meet., dialin}.domain.co.uk going to my front end.”

      • Kevin Peters says:

        Hi Dug,

        It sounds like your ISP doesn’t support SRV records; without them many functions in Lync just won’t work (as you are seeing). I’d recommend checking with your ISP to see if they can begin to support them; if not, you can always move your DNS zone somewhere else while still keeping your ISP for internet.

        HTH
        -kp
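Several comments in this thread come down to the same handful of DNS checks: Mike’s note that the public _sipfederationtls record is required, Dominik’s attempted “_sip.tls.mydomain.com” record, and Dug’s question about the public _sip._tls record pointing to sip.domain.com on 443. As an added example (not code from the article or its comments), this Python script encodes those rules, plus the article’s note that an SRV target must be in the SIP domain and on the certificate’s SAN list, and runs them over constructed sample records for the article’s lyncguy.com SIP domain; the SAN list and record values are assumptions.

```python
"""Consistency checks for the DNS records a Lync edge deployment relies on.

Added example, not code from the article or its comments. The rules follow
the thread: _sipinternaltls._tcp.<sipdomain> -> sip name on 5061 (internal
zone); _sip._tls.<sipdomain> -> edge access name on 443 and
_sipfederationtls._tcp.<sipdomain> on 5061 (public zone); the SRV target must
sit in the SIP domain and appear on the certificate's SAN list.
All records below are constructed sample data.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str       # owner name, e.g. "_sip._tls.lyncguy.com"
    priority: int
    weight: int
    port: int
    target: str     # host the client is told to connect to


# Required (service label, port) per zone, as stated in the thread.
REQUIRED = {
    "internal": [("_sipinternaltls._tcp", 5061)],
    "public": [("_sip._tls", 443), ("_sipfederationtls._tcp", 5061)],
}


def _norm(name):
    """Lower-case a DNS name and drop a trailing dot."""
    return name.lower().rstrip(".")


def malformed_srv_names(records):
    """Return owner names that are not of the form _service._proto.domain.

    This catches the "_sip.tls.domain" style mistake seen in the thread, where
    the protocol label lost its leading underscore and clients never find it.
    """
    bad = []
    for rec in records:
        labels = _norm(rec.name).split(".")
        if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
            bad.append(rec.name)
    return bad


def check_zone(records, sip_domain, zone, san_names):
    """Return a list of problems for one zone ("internal" or "public").

    An empty list means every required SRV record exists, uses the expected
    port, points into the SIP domain, and its target is on the certificate.
    """
    sip_domain = _norm(sip_domain)
    sans = {_norm(s) for s in san_names}
    by_name = {_norm(r.name): r for r in records}
    problems = []
    for label, port in REQUIRED[zone]:
        owner = f"{label}.{sip_domain}"
        rec = by_name.get(owner)
        if rec is None:
            problems.append(f"missing SRV {owner}")
            continue
        if rec.port != port:
            problems.append(f"{owner}: port {rec.port}, expected {port}")
        target = _norm(rec.target)
        if target != sip_domain and not target.endswith("." + sip_domain):
            problems.append(f"{owner}: target {target} is not in SIP domain {sip_domain}")
        if target not in sans:
            problems.append(f"{owner}: target {target} is not on the certificate SAN list")
    return problems


# Constructed sample data; the SAN list is an assumption, not the article's cert.
SAN_NAMES = ["sip.lyncguy.com", "lyncfe.lyncguy.local"]

INTERNAL_RECORDS = [
    SrvRecord("_sipinternaltls._tcp.lyncguy.com", 0, 0, 5061, "sip.lyncguy.com"),
]

PUBLIC_RECORDS = [
    SrvRecord("_sip._tls.lyncguy.com", 0, 0, 443, "sip.lyncguy.com"),
    SrvRecord("_sipfederationtls._tcp.lyncguy.com", 0, 0, 5061, "sip.lyncguy.com"),
]

# A public zone showing the mistakes discussed in the thread: protocol label
# without its underscore, federation record absent, target outside the domain.
BROKEN_PUBLIC_RECORDS = [
    SrvRecord("_sip.tls.lyncguy.com", 0, 5, 5061, "lyncguy.com"),
    SrvRecord("_sip._tls.lyncguy.com", 0, 0, 443, "edge.example.net"),
]


if __name__ == "__main__":
    for zone, recs in (("internal", INTERNAL_RECORDS),
                       ("public", PUBLIC_RECORDS),
                       ("public", BROKEN_PUBLIC_RECORDS)):
        print(f"== {zone} zone ==")
        for name in malformed_srv_names(recs):
            print(f"  malformed SRV owner name: {name}")
        for problem in check_zone(recs, "lyncguy.com", zone, SAN_NAMES) or ["ok"]:
            print(f"  {problem}")
```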

  139. Dug says:

    Hey. Thanks for the response. After a fair bit of digging I found that my ISP doesn’t support SRV records! But it actually turns out that the desktop sharing issue was nothing to do with the SRV record. After scouring the Lync log files on the edge, I found there were Error 42004 “LS Web Conferencing Edge Server” entries. It said that the “Web Conferencing Edge Server failed to post a listen”. It turned out that the web conferencing port number I had assigned on the sip was already being used for something else by the edge server. I adjusted the topology with new port numbers, uninstalled the edge services, then reinstalled using the new edge topology and now meeting desktop sharing works both ways!

    Anyways, thanks for your advice – it’s fantastic that you’ve kept helping people on this blog for well over a year now. Kudos!

    dug.

  140. Dug says:

    Hi again Kevin. Was just hoping you could sort out one more bit of confusion for me!!

    As mentioned earlier I have one NIC with two IPs, for the internal and external IIS websites on 80/443 (as I have no reverse proxy). However, the only way that I can successfully create an “external” meeting is when I forward port 443 from the router direct to my Lync front end server. Unfortunately this is not a long term solution for me as our DC needs port 443 going to it for OWA etc…

    I’ve briefly messed about with URL rewrites on the IIS of our DC, but I kinda feel that I’m barking up the wrong tree. Could you point me in the right direction? Do I need/should I have 443 going directly to the front end server for external meetings to work? Do I need a router that can port forward to multiple LAN IPs?

    thanks again,
    dug.

    • Kevin Peters says:

      Dug,

      To do this right you need to deploy a reverse proxy and use a dedicated IP for the front end. The 2 IPs on your FE server are not a supported solution, and although it may work, it just exposes your Lync environment to possible attack. I would follow the recommended deployment method.

      HTH,
      -kp

      • Dug says:

        recommended deployments are for wimps!! 😉

        nah, i guess you’re right …TMG here we come!!
        thanks again.
        dug.

  141. Daniel Delchev says:

    Hi Kevin,
    thank you for the great article.
    I have a weird issue with my SSL certificate installed on the edge server.
    So I have an SSL cert from GoDaddy that includes all services and names for Lync – sip, EDGEservername, FrontServerName, FEpoolname, lyncdiscover, internal etc.domain.com

    Recently I got it and installed it on both FE and edge (internal, external) servers.
    Then I was able to use Lync Mobile, to login remotely as well as A/V, desktop sharing, federating … everything.
    Until I found that I can’t see the federated partners’ presence once I am outside of the corp network.
    Then I did some research and found that my sip.domain.com can’t be validated externally, BUT at the same time I did federation with Microsoft and other companies.

    So I tested my sip.domain.com and got the following:
    – sip.domain.com resolves to x.14.165.18 – passed
    – No SSL certificates were found on sip.domain.com. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server’s firewall.

    I tested and confirmed that all ports are open – moreover I could see all my company users’ presence BUT not the federated ones.

    I tested also the Edge server and the certificate is OK, trusted through the intermediate and root chain.
    I also ran the DigiCert utility to fix any errors present but all was OK.

    Now I am stuck and really need help.
    ————————————————————————————————————————–
    Recently I also found some weird errors within the Lync event log related to publishing the certificate as:

    GetAndPublish web service failed.
    Certificate could not be published in the database associated with User Services Cluster [pool.domain.com]. Request Details – Entity: [user@domain.com], Device Id: [{75C563CB-051D-510F-8FF8-73330D3ECF09}], Authenticated User: [sip:user@domain.com].
    Cause: This could be due to network connectivity issues with the remote server, or because the database is down.
    Resolution:
    Please ensure that the user services is reachable and the database is up and running.

    That makes sense if the sip can’t be validated externally.
    Aside from that error all users are good, no issues.

    ————————————————————————————————————————–
    There is one more error I don’t understand. It is related to port 444:
    some… is trying to open https://pool.domain.com:444/LiveServer/UserPinService
    The problem is that I can’t see any virtual directory in IIS related to that LiveServer.
    I don’t know whether this virtual directory is missing or …
    I am a bit confused because port 444 is configured for the Edge conf service BUT on the edge IIS is not configured at all.

    There is nothing listening for that /LiveServer 444

    A server did not respond to HTTP request
    Server pool.domain.com did not respond to HTTP request PublishCertRequest targeted at https://pool.domain.com:444/LiveServer/UserPinService.
    Cause: Server might be down or the network path between servers might not be properly configured.
    Resolution:
    Please ensure that the server can be connected on the target port using telnet and then re-try.

    Both servers are up and running – all services are up.

    I want to thank you in advance

    Daniel

  142. Todd Albers says:

    When I try to request the internal cert I get the following error: Command execution failed: Cannot connect to sbs.domain.local. Verify that you can connect to the server.

    I can connect to the CA by browsing: https://sbs.domain.local.cersrv also I have typed in the credentials as domain/admin with the correct password.

    I downloaded the cert so that it would trust the CA. The CA I typed in was sbs.domain.local\domain-sbs-ca.

    Any thoughts?

    • Kevin Peters says:

      Hi Todd,

      Try domain\admin (you have the slash wrong in the example above). If that doesn’t work, you can do the offline request and process it from another machine.

      HTH

      -kp

  143. Steven Beard says:

    Hi Kevin

    I’m hoping you can help me. I have configured the edge service using your fantastic guide. All is up and running on the server, services etc. I can telnet to the listening IP address I’ve specified for SIP on the server itself over 443 and get a connection. I can also see using netstat that the server is listening over 443 on that IP. All NAT/Firewall rules are in place and appear correct. However when I try to connect or run the ocstestconnectivity I get the following error:

    “Testing TCP Port 443 on host sip.domainname.com to ensure it is listening/open.
    The specified port is either blocked, not listening, or not producing the expected response”

    Running Wireshark on the edge server I see the connection coming in from the ocstest website but it does not get past the (SYN). Also if I capture the traffic going over the internal interface nothing is sent out, so no connection requests are getting proxied to my FE servers.

    Any ideas would be gratefully received as I am totally stumped with this one.

    Thanks

    Steven

    • Kevin Peters says:

      Hi Steven,

      Does it work for a Lync/OC client? Also, is the default gateway assigned only to the external NIC? Sounds like there is a connectivity issue there still. If it isn’t that, it could be certificate, I’d suggest hitting http://digicert.com/help to test the cert.

      HTH

      kp

      • Steven Beard says:

        Hi Kevin

        Thanks for your super fast reply. I have finally gotten to the bottom of this and it was user error. I had stupidly configured the gw/dns on the internal interface. I have now resolved that issue and have come up against the “Subscription for provisioning data did not return a valid MRAS URI” error. I have verified the SRV record with our external DNS company so am now trying to battle with edge > fe connection errors as per your reply above. I receive this error in the logs: “Lync Server has experienced TLS outgoing connection failures 4 time(s). The error code of the last failure is 0x80096004 (The signature of the certificate cannot be verified.)” However all certificates look valid and all names are connectable!

        Thanks for your help though its very much appreciated

        Steven

      • Kevin Peters says:

        Hi Steve,

        MRAS URI is sent to the client from the FE server (through the edge) and is used for media connectivity when external. When the FE and Edge can’t establish a proper TLS connection the error can happen. Most likely the FE doesn’t trust the edge cert (or vice versa) or the edge cert has an improper common name. I’d suggest checking the cert on the edge’s internal interface.

        HTH
        -kp

  144. Antony says:

    Hi Kevin, really appreciated your guide during setup, I have 89.7% of my install running fine now thanks to this.
    So far I have meet etc. working, clients can connect externally with no issues, the Lync mobile client can connect and I even have an XMPP server that works fine (except I have to restart the service all the time, but that is another issue), but for the life of me I am having an issue with federating to Live or another company with OCS (we have Lync 2010). After doing a SIP trace it looks like we are having a TLS issue but I am completely lost on where to start now.

    Ant

    • Kevin Peters says:

      Hi Ant,

      Try going to http://www.digicert.com/help to test access to your edge server and the certificate on it. If there is a problem with your certificate it should let you know. You can do the same with the partner company.

      HTH
      -kp

      • Antony says:

        Hi Kevin, all tested fine, just keep on getting TLS issues for some reason. All other comms seem fine except for this, for some daft reason.

        Ant

      • Antony says:

        Hi Kevin, I have managed to get Lync federated to MSN/Live fine, but still have an issue with federation to other companies. One thing I have noticed on the federation to Live/MSN is that I can’t seem to get video or file transfers to work, but all this functionality works fine from a computer outside of the company.

        Getting totally confused with this now as the errors in the SIP trace logs just don’t make any sense at all to me.

        Ant

      • Kevin Peters says:

        Antony, Are you saying a Lync user when external can do video with Live/MSN, but not when internal?

        -kp

      • manoj says:

        Hello Kevin,
        I have made one mistake. While installing Lync and publishing the external websites, I gave the external website URL the same as the internal website URL, pool1.domain.local. Right now my address book is not working for external users, so I am thinking I need to change my external web URL to something like my public domain “lyncweb.domain.com” and do the NATing for this website with DNS records in public DNS. My query is: if I change my external website URL, what steps do I need to follow to make it work? Like publish the topology again and restart services… anything else? Please confirm.

      • Kevin Peters says:

        Hi Manoj,

        After updating the URLs you will have to publish the topology, Re-run the deployment wizard (step 2) on all FE/Directors, update certs for the new FQDN (internal and external) and update any reverse proxy rules. That should cover it, but when you publish the topology builder will also give you a checklist (notepad doc) telling you what steps to take.

        HTH
        -kp

      • manoj says:

        Hello Kevin,
        I followed the steps below but have confusion on the certificate part.
        Updated the URLs & published the topology, also re-ran the deployment wizard (step 2) on the FE servers, but I have confusion on the certificate part. Do I need to regenerate a new certificate for the default certificate (server default, web services internal and web services external) and assign the new certificate for all three components?
        Just for your information, I am using an internal certificate authority for this certificate.

      • Kevin Peters says:

        Yes, you should generate a new certificate and use 1 certificate for all services on your FE server. You will need a different certificate for your reverse proxy (you can use the QuickUI in the script center to generate that).

        HTH
        -kp

      • Antony says:

        Sorry, I meant that I can’t send a file or video to a Live/MSN user, internal or external, from my Lync client, but from Lync to Lync client I can send files and do video internal and external. When I first went to do a file transfer it had an error about an encryption mismatch, so I changed to “encryption supported”; this just results now in an error about the file not being able to be sent, and a network problem when trying to do a video conference.

        ant

      • Kevin Peters says:

        Hi Antony,

        File transfer is definitely not supported to Live/MSN. Audio and Video should work though, as long as the user has the newest MSN/Live client. Make sure you have set both of these:
        Set-CsExternalAccessPolicy Global -EnablePublicCloudAccess $true -EnablePublicCloudAudioVideoAccess $true
        Set-CsMediaConfiguration Global -EncryptionLevel SupportEncryption -MaxVideoRateAllowed Hd720p15M

        HTH
        -kp

  145. Steven Beard says:

    Hi Kevin

    Just to thank you once again. You were perfectly correct. Even though I’d installed the internal root CA cert on my edge server, I noticed that the front end servers actually had two root certificates (I did update this to push the newly added CRL path). Simply exported/imported the extra root cert and all is running smoothly.

    Thanks for your help and have a fantastic day 🙂

  146. Daniel Delchev says:

    Hi Kevin,
    Did you have a chance to look through my post above?
    If you have any ideas I will really appreciate it.

    Thank you.

    Daniel

    • Kevin Peters says:

      Hi Daniel,

      First thing, I’d suggest not using the same cert for all roles, it isn’t supported and is a very bad security practice. You need to have specific certs for each role. Otherwise, lots of questions in that one post. It would be best to ask them one at a time and sort them all out one at a time. Otherwise the threads will get too long and confusing.

      -kp

      • Daniel Delchev says:

        Hi Kevin,
        First I want to thank you for the reply.
        Regarding the cert supportability, I did it this way because here – http://technet.microsoft.com/en-us/library/gg398920.aspx – it is explained that you can use the same cert for all roles.
        So my problem is that I don’t really understand why on the edge server, although everything looks ok, nothing is listening on port 443 and TLS also doesn’t work.

        I am using one external IP for the edge with different ports 443, 444 and 5061 assigned, so I thought that with the sip.domain.com name it will be ok. Aside from that I have all required names listed under SAN, including the edge FQDN, which is not published externally – external DNS won’t resolve it.

        One last detail is that I don’t use a proxy – just direct NAT ext IP:443 to int IP:443 etc…

        Thank you
        Daniel

      • Kevin Peters says:

        Hey Daniel,

        From the edge server, can you telnet to its own DMZ IP on the correct ports? If that fails check the services console to see if the services are running (or even there) and check to make sure your default gateway is only configured on your external NIC.

        HTH
        -kp

      • Daniel Delchev says:

        Hi Kevin,
        I’ve tested all and all is good: the NIC settings, gateway, DNS etc.
        About the telnet, I can’t really telnet the ports, but I’ve tested all externally and it shows the port open, and this is the netstat result:
        TCP 10.99.6.4:443 0.0.0.0:0 LISTENING
        TCP 10.99.6.4:444 0.0.0.0:0 LISTENING
        TCP 10.99.6.4:3389 10.99.6.2:61604 ESTABLISHED
        TCP 10.99.6.4:5061 0.0.0.0:0 LISTENING
        TCP 10.99.6.4:5061 65.55.30.130:35841 ESTABLISHED
        TCP 10.99.6.4:5061 65.55.30.130:41701 ESTABLISHED
        TCP 10.99.6.4:5061 69.90.75.179:51270 ESTABLISHED
        TCP 10.99.6.4:5061 69.90.75.179:54965 ESTABLISHED
        TCP 10.99.6.4:5061 69.90.75.179:57554 ESTABLISHED
        TCP 10.99.6.4:5061 69.90.75.179:58282 ESTABLISHED
        TCP 10.99.6.4:5061 207.46.5.73:50959 ESTABLISHED
        TCP 10.99.6.4:50114 0.0.0.0:0 LISTENING

        and this is from the digicert site:

        SSL Installation Diagnostics – Check SSL Certificate
        Welcome to DigiCert SSL Help. If you are having a problem with your SSL certificate installation, please enter the name of your server below and we will attempt to diagnose the problem and verify proper SSL installation.
        Server Address (Ex: http://www.digicert.com)
        DNS resolves ‘sip.domain.com’ to x.x.165.18

        No certificates were found.

        Output from ‘openssl s_client’ command:
        CONNECTED(00000003)
        ---
        no peer certificate available
        ---
        No client certificate CA names sent
        ---
        SSL handshake has read 0 bytes and written 0 bytes
        ---
        New, (NONE), Cipher is (NONE)
        Secure Renegotiation IS NOT supported
        Compression: NONE
        Expansion: NONE
        SSL-Session:
            Protocol  : SSLv3
            Cipher    : 0000
            Session-ID:
            Session-ID-ctx:
            Master-Key:
            Key-Arg   : None
            PSK identity: None
            PSK identity hint: None
            Start Time: 1332192601
            Timeout   : 7200 (sec)
            Verify return code: 0 (ok)
        ---
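
The netstat paste above and Kevin’s “can you telnet to its own DMZ IP on the correct ports” question are the same check: is there a LISTENING socket on the external IP for 443, 444 and 5061? Here is an added Python example (not code from the original post or from Lync) that parses Windows `netstat -an` output and reports which of those ports lack a listener; the netstat lines in it are constructed in the same format as the paste, with an ESTABLISHED row that must not be mistaken for a listener.

```python
"""Report which Lync Edge external ports have no LISTENING socket.

Added example for this thread, not part of the original post or of Lync.
SAMPLE_NETSTAT is constructed to mirror Windows `netstat -an` output."""
import re

# Ports the Access/Web Conferencing/A-V edge in this thread must listen on.
EDGE_EXTERNAL_PORTS = {443, 444, 5061}

# Constructed sample: 443 and 5061 listening, an ESTABLISHED 444 session
# with no 444 listener, and a wildcard (0.0.0.0) RDP listener.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.99.6.4:443          0.0.0.0:0              LISTENING
  TCP    10.99.6.4:444          203.0.113.9:51234      ESTABLISHED
  TCP    10.99.6.4:5061         0.0.0.0:0              LISTENING
  TCP    10.99.6.4:5061         203.0.113.9:41701      ESTABLISHED
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
"""

# One netstat row: protocol, local ip:port, foreign address, state.
_ROW = re.compile(
    r"^\s*TCP\s+(?P<ip>[\d.]+|\[[^\]]*\]):(?P<port>\d+)\s+\S+\s+(?P<state>\w+)"
)


def listening_ports(netstat_text, ip):
    """TCP ports in LISTENING state bound to `ip` or to the wildcard
    0.0.0.0 (a wildcard listener answers on every local address)."""
    ports = set()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m or m.group("state") != "LISTENING":
            continue  # header line, or an ESTABLISHED/TIME_WAIT row
        if m.group("ip") in (ip, "0.0.0.0"):
            ports.add(int(m.group("port")))
    return ports


def missing_listeners(netstat_text, ip, required=EDGE_EXTERNAL_PORTS):
    """Ports from `required` with no listener on `ip`.  An ESTABLISHED
    row alone does not count; only a LISTENING row does."""
    return set(required) - listening_ports(netstat_text, ip)


if __name__ == "__main__":
    print("missing on 10.99.6.4:",
          sorted(missing_listeners(SAMPLE_NETSTAT, "10.99.6.4")))
```

Feed it the real dump with `missing_listeners(open("netstat.txt").read(), "<dmz ip>")`; an empty set means the services are bound and the problem is upstream (NAT, firewall or certificate).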

      • Kevin Peters says:

        It is a bit odd that you are getting “no certificate”. Can you email me your topo file/info offline? Also, please include an ipconfig from your edge and all the public IPs.

        Thanks!
        -kp

      • Daniel Delchev says:

        Hey Kevin,
        Sorry for the stupid question, but I can’t find your email address.

      • Kevin Peters says:

        Hey Daniel, it is on the about page, kevin (@) this domain (dot) com. Without all the weird characters of course.
        -kp

      • Daniel says:

        Hey Kevin,
        I sent you the details. Hope I got the right e-mail.
        Thank you again

  147. Chris says:

    Kevin,

    Great Article, I really appreciate the attention to detail.

    Question: I have deployed Lync 2010 on premise and seem to be having issues with federation; I have Edge/Director all set up according to your article, however I cannot find the presence of anyone outside my organization. I grabbed the following errors through the Lync Logging tool.

    SIP/2.0 504 Server time-out
    Ms-diagnostics: 1034; reason=”Previous hop federated peer did not report diagnostic information”;
    ms-edge-proxy-message-trust

    I checked the DNS/Firewall and there does not appear to be any issues. Also, I am using SAN certs for the appropriate roles.
    Any chance you can point me in the right direction? Should I be triple checking something?
    Thanks Again, very much appreciated.

    • Kevin Peters says:

      Hi Chris,

      Any chance your SRV record for federation isn’t setup right? It should be _sipfederationtls._tcp.domain.com pointing to your edge. Typically the error above means the federated partner can’t reach you back, either it doesn’t know how to, your A record for federation isn’t in the right sip domain, or it doesn’t trust your cert.

      HTH

      -kp

      • Chris says:

        Kevin,

        Thanks for your efforts. We were able to determine that the underlying issue for federation had to do with the Edge Server not being able to reach the next hop in the Lync infrastructure; this was fixed by adding a hosts file entry on our EDGE server pointing to our DIRECTOR server.

        Thanks for your help Kevin!

  148. Peter says:

    Your writeups have been a tremendous help to me in my Lync deployments. Keep up the good work!!!!

  149. manoj says:

    Hi Kevin,

    I am still confused with the reverse proxy. Does it really need ISA server to set this up? My meeting function is still not working. Can I create a public A record meet.domain.com, point it to my front end server’s public IP and do the port redirection from 443 to 4443 on the Cisco firewall and 80 to 8080?

    • Kevin Peters says:

      Hi Manoj,

      It doesn’t have to be ISA, but you should use some type of reverse proxy to bridge the connection and provide a public certificate. If you try to get around this requirement you will likely run into problems with mobility and certainly will weaken the security of your Lync environment.

      -kevin

  150. manoj says:

    Dear Kevin,

    I do have one more issue: my audio and video conferencing is not working, but it’s working for only two users. I also see a lot of the below event logs in my edge and Front End servers but could not understand the cause of this error message.
    Log Name: Lync Server
    Source: LS Protocol Stack
    Date: 4/11/2012 11:26:21 AM
    Event ID: 14501
    Task Category: (1001)
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: GOH-LYNCFE01.hosting.local
    Description:
    A significant number of invalid certificates have been provided by remote IP address 10.1.0.60 when attempting to establish an MTLS peer. There have been 125 such failures in the last 60 minutes.
    Certificate Names associated with this peer were

    The serial number of this certificate is
    .
    The issuer of this certificate is
    The specific failure types and their counts are identified below.
    Instance count – Failure Type
    877 0x80090322

  151. dinocaputo says:

    Hi Kevin – just wondering about the supportability of having the Lync Edge internal interface on the same corporate/internal network as the Lync FE server. I know this works, but will MS support it? I suppose this situation is better than building an Edge that has both the internal and external interface on the same subnet in the perimeter network? I have also seen that implemented and it can work, but it more directly contradicts the statements in the supportability guide. I run into many customers that have simple perimeter networks with only one IP subnet, making setting the Edge up challenging.
    Thanks
    Dino

    • Kevin Peters says:

      Hi Dino,

      From a purely following the rules aspect, neither one is exactly right. The lesser of the two evils (IMHO) is the 1 NIC internal and 1 NIC DMZ, although I would always try to have 3 networks. From a MSFT support standpoint, I’ve never had an issue getting support on the scenario as described in this article.

      HTH

      -kp

  152. manoj says:

    Dear Kevin,

    Did you get a chance to look into my query? I changed my external website URL, published the topology, ran deployment step 2 and also assigned a certificate for the new external website URL… after that my Live Meeting started working fine. But still my address book is taking the internal website URL, hence external users are unable to download the address book.
    Let me know how to change this GAL URL to the external website so that this will fix my address book problem. Please see the below output for your reference.

    GAL Status;https://pool1.hosting.local:443/abs/handler;Cannot synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book. If the problem continues, please contact your support team.;

    • Kevin Peters says:

      Hi Manoj,

      Do you have an external web services FQDN defined for your pool? Also, is it different than the internal pool name? If you don’t have one, or it isn’t unique then you will have to update the topology to include a unique address for that.

      HTH

      -kp

  153. Jay Chung says:

    Great article, I really appreciate it..
    I followed your instructions to set up our Lync edge server. However, our Active Directory domain name for the production environment is BKTB.com, with the public SIP domain BKTB.com. They are the same. Does that cause any issues?
    If I do the connectivity test at http://www.testocsconnectivity.com, it says “Testing the Remote Connectivity to Microsoft Lync Server through the Access Edge Server sip.bktb.com running on port number 443 to see if user test1@bktb.com can connect remotely.”
    “Specified Remote Connectivity test(s) to Microsoft Lync Server failed”
    Lync works fine internally but I can’t sign in from outside. I can telnet to sip.bktb.com 443.
    Thanks

    • Kevin Peters says:

      Hi Jay,

      The same namespace shouldn’t cause you any problems as long as everything can resolve and reach the right servers. I’d suggest trying to ping your edge pool by name from the front end server and verifying it comes back with the internal IP. Then test a telnet to port 443 and 5061.

      HTH

      -kp

  154. Jay Chung says:

    It is working now. Forgot to add pool1.bktb.com to the hosts file on the edge server.

  155. Just wanted to say thanks. This is the first practical guide I’ve found to deploying the edge services. Not the most straight-forward implementation. Don’t get me wrong, Lync is a cool product, but edge deployment is backwards.

    One outstanding question: is it absolutely necessary to have a cert on the internal interface? Thanks again.

    • Kevin Peters says:

      Hi Justin,

      It is absolutely required to have a certificate on the internal edge, remember these can be from your internal CA though so there isn’t a cost.

      HTH
      -kp

      • Thanks Kevin. I’ll know tomorrow if my audio problems from outside in are resolved. I also have a problem with autodiscovery. I want all of our SIP domains to take advantage of autodiscovery, but our primary domain already has a _sip._tls.domainname.edu. I’ve used one of the other autodiscover entries in the list, but this _sip one always gets processed first. I see my client trying to associate with a Tandberg platform, giving up and throwing an error. It doesn’t move on to the other records. I’m wondering if I can add another _sip record with a higher or lower priority. Thanks again for the response and for your helpful guide and site.

  156. manoj says:

    Dear Kevin,
    I have set up my Lync 2010 Enterprise version with Lync Front End, Lync Back End, Lync Monitoring and Archiving and Lync Edge server roles on separate servers. All my services are working fine without any issues. Now I would like to add redundancy for my Lync Front End and Lync Edge servers. Can you please guide me how to do that? Also, I am looking for more info on the certificate installation part on these new servers.

    • Kevin Peters says:

      Manoj,

      To provide redundancy you need multiple FE servers and multiple SQL servers (in a cluster) in your pool. You can simply add the new servers through topology builder and then run through the setup processes on them to get them running. You will also have to add new DNS records for the new servers in the pool and add them to your HLB. As for certificates, just follow the wizard, it will give you everything you need.

      HTH
      -kp

  157. Mauro Poletti says:

    Hi. Very good guide. Thank you. I have a question. I have to make a federation with the OCS server of a sister company. We are both on the same WAN, so my edge server doesn’t need to go to a DMZ or need an Internet public IP. I should use only my LAN IP addresses and the default gateway to connect to the remote OCS. Also my DNS server replicates with the one of the sister company. Do I need two network adapters in any case? What IP address can I give to the second one?
    Thank you

    • Kevin Peters says:

      Mauro,

      You could just use the edge server’s external interface IP address and just hardcode the IPs of the edge servers so they don’t have to go through a DNS lookup and connect within the DMZ. You will still need to use public IPs to federate with other companies though.

      HTH

      -kp

  158. remy says:

    Hi Kevin,

    You wrote an amazing guide, but I’m stuck at this point when I’m running the connectivity test:
    “Testing the Remote Connectivity to Microsoft Lync Server through the Access Edge Server sip.poupsmaster.uni.me running on port number 5061 to see if user xxx.xxx@lab.lan can connect remotely.”
    At this point I have:
    – Replication between edge & front
    – A public A record pointing to my outside ASA interface (sip.poupsmaster.uni.me)
    – No DNS in my DMZ; the Edge pool resolves names with a hosts file
    – No SRV record; I can’t create one with this domain provider
    – ACL & NAT on the firewall are OK; ports 443, 444, 5051 are reachable from outside (I have 1 public IP and only 1 public interface on the edge pool)
    – Cert test passes
    – Can see inbound traffic on the edge public interface when I run the connectivity test (Wireshark)

    I think I miss some step with DNS … I have the same topology but with 1 IP & NAT

    I’m a French student and have to prepare a PoC with Lync … sorry for my bad English btw!

    Thanks,

  159. remy says:

    UPDATE:

    When I start the test on port 5061:

    Testing the Remote Connectivity to Microsoft Lync Server through the Access Edge Server sip.poupsmaster.uni.me running on port number 5061 to see if user remy.pouppeville@lab.lan can connect remotely.
    Specified Remote Connectivity test(s) to Microsoft Lync Server failed. Please examine below details of specific reason for failure.

    Subscription for provisioning data did not return a valid MRAS URI.

    On port 443:

    Testing SSLCertificate for validity.
    The SSLCertificate failed one or more certificate

    If you are using a Reverse Proxy to get to the Access Edge Server, this could possibly be an issue with Reverse Proxy configuration.: Exception Details: Message: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. Type: System.IO.IOException Stack Trace: at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost) at TestOCSConnectivity.Tests.SSLCertificateTest.PerformTestReally() Exception Details: Message: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. Type: System.IO.IOException Stack Trace: at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost) at TestOCSConnectivity.Tests.SSLCertificateTest.PerformTestReally()

  160. Brian says:

    When using Lync Ent. for voice on a SMB (15 users) network with a low physical server footprint, and running both edge and TMG on a hypervised machine on a box with only two physical NICs, trying to fudge the setup shown on http://ocsguy.com/2010/11/21/deploying-an-edge-server-with-lync/ (this article): what, or better yet how, would you set up the Hyper-V virtual network, assuming the first physical NIC was pointed at the domain private gateway and private DNS (192.168.x.x), and the second physical NIC was pointed at the DMZ network (172.16.x.x) using no gateway and public (OpenDNS) DNS servers? Would one virtual network be set up as external or isolated for TMG, and Edge be set up as external?
    BTW, this is one of the best references I have seen on the subject and I am sincerely thankful for you sharing your knowledge.

    • Kevin Peters says:

      Hi Brian,

      I would build the host without an IP on the NIC that is used for the DMZ. Then put the edge/reverse proxy on a virtual network that has access to that NIC. That way the host is not reachable from the DMZ subnet.

      HTH
      -kp

  161. bboyguile says:

    Hi all and Kevin,

    I have a big problem.
    Is anybody available to help me?
    It’s very serious.

    Thanks

  162. JerryG says:

    Hello Kevin,
    For X reason I can no longer have guests who we convert to “Participants” during a meeting share their desktop. Any help will be appreciated. Thanks!
    I can currently:

    1: Share desktop and PowerPoint works
    2: Make an attendee a presenter works
    3: Guest can request control and be granted, works.
    Event codes from guest computer:
    07/27/2012-12:42:12.971 0019TL_ERROR(TF_COMPONENT)::(RDP,Microsoft.RDP.Viewer.NetworkAbstraction.AsyncWriteCallBack) Fire disconnection due to error:
    The stream is closed at Microsoft.Rtc.Internal.WebRelay.HttpClientStream.EndWrite(IAsyncResult result)
    at Microsoft.Rtc.Internal.Collaboration.ApplicationSharing.Media.WebRdpStream.EndWrite(IAsyncResult asyncResult)
    at Microsoft.RDP.Viewer.NetworkAbstraction.OnWriteComplete(IAsyncResult ar)
    07/27/2012-12:42:13.034 0019TL_ERROR(TF_COMPONENT)::(RDP,Microsoft.RDP.Viewer.NetworkAbstraction.OnWriteComplete) : The stream is closed
    =====================
    Isolated Storage Logs
    =====================
    07/27/2012-12:13:19.699 0010TL_ERROR(TF_COMPONENT)::(RDP,Microsoft.RDP.Viewer.NetworkAbstraction.AsyncWriteCallBack) Fire disconnection due to error:
    The stream is closed at Microsoft.Rtc.Internal.WebRelay.HttpClientStream.EndWrite(IAsyncResult result)
    at Microsoft.Rtc.Internal.Collaboration.ApplicationSharing.Media.WebRdpStream.EndWrite(IAsyncResult asyncResult)
    at Microsoft.RDP.Viewer.NetworkAbstraction.OnWriteComplete(IAsyncResult ar)
    07/27/2012-12:13:19.746 0010TL_ERROR(TF_COMPONENT)::(RDP,Microsoft.RDP.Viewer.NetworkAbstraction.OnWriteComplete) : The stream is closed
    07/27/2012-12:29:19.522 0004TL_ERROR(TF_COMPONENT)::(RDP,Microsoft.RDP.Viewer.NetworkAbstraction.AsyncWriteCallBack) Fire disconnection due to error:
    The stream is closed at Microsoft.Rtc.Internal.WebRelay.HttpClientStream.EndWrite(IAsyncResult result)
    at Microsoft.Rtc.Internal.Collaboration.ApplicationSharing.Media.WebRdpStream.EndWrite(IAsyncResult asyncResult)

  163. Santosh Gulati says:

    Hi KV,
    As per this valuable document posted, we need to have 3 public IPs for NAT to AV, WebConf and SIP, but I am having only one free public IP and want to use all of the functionalities as mentioned above.
    Is it possible with 1 free public IP?
    Regards
    Santosh

    • Kevin Peters says:

      Yes, it just uses different ports for each service, instead of 443. This is typically ok as long as your users aren’t behind a very restrictive firewall when trying to access the system externally.

      HTH

      -kp

      • manoj says:

        Hi Kevin,

        I have set up Lync 2010 Enterprise with all features except dial plan. My servers are located in India and I want to call US numbers from the Lync client. How to achieve this? Could you please give some guidelines for the same.

      • Kevin Peters says:

        Manoj,

        You would have to start by having a gateway or some kind of connection to the PSTN.
        If you have that you could follow the guide I wrote for OCS a few years back, it’s a few pages back on the site.

        HTH
        -kp

  164. rob says:

    Great post! One question, do I absolutely have to have a reverse proxy to provide voice (whether it be pc-to-pc or full enterprise voice) to my users? I have enterprise voice enabled, and when I’m inside the network it works great, but when I remotely log in to Lync I don’t even get the phone pad. Any help is greatly appreciated.

    • Kevin Peters says:

      Rob,

      The reverse proxy is used for web services like the meet/dialin pages and address book download (among other things). It does not impact voice. If voice isn’t working for you externally you probably have a config error on the edge (either in topology builder or on the server itself).
      HTH
      Kevin

      • rob says:

        Ah, do you know what type of config issues would cause that? Just a general where to look, I know it has to be the edge server somewhere since voice internally works fine. Are we able to federate with others without a reverse proxy?

        Thanks

      • Kevin Peters says:

        Hi Rob,

        I would start by verifying your FE can resolve the edge server by FQDN and reach it on 443, 5061 and 5062 (internal clients as well). Also make sure you have checked the boxes for AV edge and Web Conferencing edge and those ports are open and the public names resolve. You don’t need a proxy for the federation traffic unless you start doing meetings with federated partners (or anyone), that is where the reverse proxy comes in.

        HTH
        Kevin

  165. Eugene says:

    Hi Kevin,

    Nice post. I have a concern related to Lync edge federation. Our federated partner can send us IM, A/V and web conf, but an error is encountered when I reply or initiate a new IM conversation. The federated domain can see us as available, but presence is unknown on my side. We have 1 edge pool, 3 DMZ IPs, a hardware load balancer (Citrix) with 3 public IPs. I used a public cert for the access edge. I’m lost and I don’t know what to do next. Running the logging tools (Snooper) I see many errors: “The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?” I doubt all traffic stops on my edge servers. Please help.

  166. Dipendra Paudel says:

    Hi Kevin ,
    Very nice post. I have one confusion: during the installation you change the hosts file. Is it Microsoft best practice or just a test for the lab deployment?

    • Kevin Peters says:

      I’m not sure there is a “Best Practice” on this, what I would say is if you plan on doing DNS Load Balancing with EE Front End pools you should use DNS servers in the DMZ that can resolve those internal names instead of host files, the host file method does not work well with DNS load balancing from my testing.

      HTH
      kp

    • Dipendra Paudel says:

      Hi Kevin,
      Thank you very much.

  167. Greg Trzaska says:

    Hello,

    I like the articles. Thanks 🙂 I have a question… is it absolutely necessary to run two servers (front and back)? Do we have no option, or can we run the edge server on the main server? We are a smaller company and we only really have 20-30 clients on IM. However, we’d like to be able to communicate externally (e.g. Hotmail, Yahoo, etc.) through IM.

    Please let me know if we must have two servers or if we can accomplish this with one server.

    Thanks 🙂

  168. Go says:

    Thanks for your wonderful post Ken!
    I have one question. I am planning to deploy the edge server using one computer and virtualization software (VMware Workstation). It worked pretty well on your “Welcome to Lync!” (http://ocsguy.com/2010/09/13/welcome-to-lync/) post’s model, so I wonder if I can deploy the edge server by using one computer. (Do I have to prepare one more computer as an edge server?)

    Thanks.

  169. Grog says:

    Kevin

    Following your instructions but am having some problems so far and I think it has to do with my certificates. I’m using Verisign for all certificates – no internal CA at all. I have one for the front end server and one for the Edge server. But when I try to start the “Lync Server Access Edge” Service, it fails with the following error in the event log:

    <>

    Access Edge Server external edge FQDN cannot be located in the certificate configured for its external edge.

    External FQDN: sip.3csoftware.com
    Cause: This is a configuration problem.
    Resolution: Make sure the certificate configured on the external edge of Access Edge Server matches its external FQDN.

    <>

    My two certificates are:

    FQDN (FE) – lync.domain.com
    Subject – lync.domain.com
    SAN – lync.domain.com
    Friendly – lync

    FQDN (Edge) – lyncedge.domain.com
    Subject – lyncedge.domain.com
    SAN – lyncedge.domain.com
    Friendly – lyncedgeint

    I’ve obviously screwed up somewhere. Can you point me in the right direction as to where?

    Thanks – your blog is an awesome resource!!!

    Grog

    • Kevin Peters says:

      Grog,

      The edge needs to have two certificates. One for the internal interface and the other for the external interface. The internal interface certificate should never have any SANs, just the internal FQDN of the edge pool as the CN.

      HTH

      -kp
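
The DigiCert result earlier in the thread (no peer certificate returned) and Grog’s “external edge FQDN cannot be located in the certificate” error both come down to which names the certificate on each Edge interface carries. As an added example (not code from the original post, from Lync or from DigiCert), this Python script checks a certificate in the form `ssl.SSLSocket.getpeercert()` returns against the FQDNs an interface must serve, and can fetch a live certificate for the same check; the certificate dicts, the domain.com names and the webconf/av service names are constructed assumptions, so substitute the external FQDNs from your own topology.

```python
"""Name check for the certificate on a Lync Edge interface.

Added example for this comment thread; not code from the original post,
from Lync or from DigiCert.  The certificate dicts at the bottom are
constructed in the shape ssl.SSLSocket.getpeercert() returns, and the
domain.com names mirror the ones quoted in the thread."""
import socket
import ssl


def cert_names(cert):
    """Return (common_name, set_of_dns_sans) from a getpeercert() dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value.lower()
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return cn, sans


def name_matches(pattern, fqdn):
    """Exact match, or a wildcard that covers exactly one leftmost label
    (so *.domain.com covers sip.domain.com but not sip.sub.domain.com)."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern == fqdn:
        return True
    if pattern.startswith("*."):
        parts = fqdn.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def covers(cert, fqdn):
    """True when the certificate covers `fqdn`.  DNS SANs are authoritative
    when present; the CN is consulted only for a SAN-less cert, which is
    the shape Kevin describes for the internal edge certificate."""
    cn, sans = cert_names(cert)
    candidates = sans or ({cn} if cn else set())
    return any(name_matches(name, fqdn) for name in candidates)


def missing_names(cert, required):
    """Names from `required` that the certificate does not cover, sorted."""
    return sorted(n for n in required if not covers(cert, n))


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live certificate for inspection (network access needed).
    Hostname checking is off so a mismatched cert is still returned for
    inspection; chain verification stays on, so an untrusted issuer (e.g.
    an internal CA whose root is not installed here) raises
    ssl.SSLCertVerificationError instead of passing silently."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed: an external-edge certificate carrying only the server's own
# FQDN (the shape Grog describes) next to one carrying the public names.
EDGE_CERT_SERVER_NAME_ONLY = {
    "subject": ((("commonName", "lyncedge.domain.com"),),),
    "subjectAltName": (("DNS", "lyncedge.domain.com"),),
}
EDGE_CERT_WITH_SERVICE_NAMES = {
    "subject": ((("commonName", "sip.domain.com"),),),
    "subjectAltName": (
        ("DNS", "sip.domain.com"),
        ("DNS", "webconf.domain.com"),
        ("DNS", "av.domain.com"),
    ),
}
# Constructed: internal edge certificate, CN only, no SANs.
EDGE_INTERNAL_CERT = {"subject": ((("commonName", "lyncedge.domain.local"),),)}

# Assumed public names for the external interface; take the real ones from
# the external FQDNs configured in Topology Builder.
EXTERNAL_NAMES = ["sip.domain.com", "webconf.domain.com", "av.domain.com"]

if __name__ == "__main__":
    print("server-name-only cert lacks:",
          missing_names(EDGE_CERT_SERVER_NAME_ONLY, EXTERNAL_NAMES))
    print("service-name cert lacks:",
          missing_names(EDGE_CERT_WITH_SERVICE_NAMES, EXTERNAL_NAMES))
```

For a live check, `missing_names(fetch_cert("sip.example.com"), EXTERNAL_NAMES)` returns the names the presented certificate does not cover; an `SSLCertVerificationError` from the fetch means the chain itself is not trusted by the machine running the check.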

  170. Jerry says:

    Kevin,

    Wanted to get your thoughts on what you would recommend on ISP requirements for hosting Lync server with edge server. We are looking on reaching a maximum load of 100 users and possibility of having 100 web app clients viewing desktop shared meeting. We currently have a bonded T-1 = 3 Mb pipe. Would you think this would be enough? Let me know.

    Jerry

    • Kevin Peters says:

      Jerry,

      This isn’t an answer I can give you, there are many things to consider, such as how often people use conferencing and which modalities, how many concurrent calls, expected number of users remote vs. internal…. I would recommend taking a look at the Lync Bandwidth Planning Tool and sizing based off of that. It has some good sections to define your user profiles and estimate bandwidth.

      HTH

      -kp

  171. Wael Shami says:

    Hi kevin
    I followed your article, it was excellent, better than the Microsoft book.
    I installed the edge but I tried to do it on a PIX 515E.
    I still have a problem connecting to the edge.
    I don’t know why;
    here is what I did:
    install lyncserver1 192.168.100.237
    install lyncserver2 192.168.100.236
    install certauthserver 192.168.100.249

    install edgeserver 172.16.16.3
    install edgeserver sip 172.16.16.4 public ip xx.xx.141.53 port open 443,5061
    install edgeserver wc 172.16.16.5 public ip xx.xx.141.54 port open 443
    install edgeserver av 172.16.16.6 public ip xx.xx.141.55 port open 443,50000-59999 tcp and 50000-59999 udp

    remark: I put the edge internal IP 172.16.16.3
    remark: I didn’t put NAT on the Edge config

    I also use 192.168.99.237 as static to 192.168.100.237 from DMZ to internal
    I also use 192.168.99.236 as static to 192.168.100.236 from DMZ to internal
    I also use 192.168.99.249 as static to 192.168.100.249 from DMZ to internal

    I enabled federation & remote access on Lync
    I installed public A DNS records for sip, wc, av
    and a public SRV record
    and still not having
    what do I have to do?

    • Kevin Peters says:

      Wael,

      You should not have your edge’s internal interface (172.16.16.3) on the same subnet as the other interfaces (.4,.5,.6). Also, on your AV you need to have 3478 UDP open inbound. Without seeing the rest of the environment I can’t suggest any other changes, but one other thing I will say is you should not need NAT from internal servers to the edge, it should be a no-nat there.

      HTH

      -kp

  172. Richard Robey says:

    Hi Kevin,

    This blog has really helped in getting me started on our installation. Using the OCS connectivity tester I am getting the following error:

    “User failed to signinFatal error: Register exception: Response Code 504, Deregister Reason None, Response Text Server time-out, Diagnostic Header ”

    The DNS host is resolved, TCP port 443 is opened successfully. SSL cert is valid. Remote connectivity fails with the above error. Do you have any suggestions?

    Thanks in advance for your time.

    Richard

  173. Gabe says:

    I’m trying to set up a new Lync 2010 with the federated services on a college campus, where all computers have a public IP. How would Lync be configured if all servers used public IPs? Do I still need a reverse proxy?

  174. Reza says:

    Hi.. Kevin…
    good for you…
    thanks for this article,

    I have DC,FE,…
    I was installing the edge server, but I got an error on the edge server machine in the wizard ‘configure local replica of central management store by zip file.’
    Error returned while installing OcsCore.msi(Feature_LocalMgmtStore), code 1603. Please consult log at C:\Users\Administrator\AppData\Local\Temp\2\Add-OcsCore.msi-Feature_LocalMgmtStore-[2012_12_27][16_24_42].log

    Any help can be useful for me.

    Thanks in advance.
    Reza

  175. Great post !
    A quick question: I’ve generated and assigned the correct certificates to the internal and external interfaces, but the edge services failed to start; it’s giving me “” , but I’m sure that I imported my internal root CA certificate into the trusted root certificates of the edge server, so I tried to join the edge to the domain and tried to fire the services up again, and it worked! Do you have any idea? Maybe a CRL issue?
    thanks !

    • Kevin Peters says:

      If you disjoin it from the domain again does it still work? If so maybe it was just an issue with the install of the certificates. CRL shouldn’t come into play here.

      HTH
      -kp

  176. Ravi says:

    HI Kevin,
    I have one question: is it possible to configure the edge server with a single NIC (single internal IP address and single external IP address), and if it is possible then what will the impact be, meaning what will work and what will not work?

    If it is possible please share the steps.

    thank you.

  177. Ravi says:

    Hi Kevin,
    I am facing one interesting issue, like this:
    ” topology builder encountered an issue and cannot publish this topology.
    topology builder has encountered an unexpected error from lync server 2010 Management shell.

    can not find any domain controllers in domain “onevelop.local”.
    To close the wizard click finish.”

    I faced this issue for the first time when I deployed the Lync Standard server. I kept trying to deploy the topology, and suddenly it deployed.

    Now I am facing the same issue again after configuring the Edge server in the topology; when I go to publish again it gives me the same error.

    Please tell me what’s going wrong?

    thanks
    Ravi

    • Kevin Peters says:

      Are you having issues with your DC’s going offline? This message would seem to indicate so, unless it is really something else (like firewall or network problems).

      HTH
      -kp

  178. Ravi says:

    Hi KP,
    Thank you, the problem was with my DC. Actually, currently I am facing a new issue: I have generated the external certificate from GoDaddy and imported the intermediate certificate file into Intermediate Certificates and the certificate file into Personal Certificates through mmc. Afterwards, when I go to assign the certificate from the wizard, I am not able to see the external certificate.

    thanks
    Ravi

    • Kevin Peters says:

      Ravi,

      If you can’t see the external cert in the wizard either the chain isn’t trusted or the private key isn’t installed. Please double check that you see the private key and all the certs from the store in their appropriate stores.

      HTH
      -kp

  179. Ravi says:

    Hi Kevin,
    I have one other question. Suppose my edge server is hosted in the cloud and my other servers are located on premises, or we can say on another cloud. When we configure Lync on the edge server we assign one internal IP to one NIC and another IP with a different subnet mask to the other NIC. Suppose the internal IP addresses of my AD DC and Lync Front End server are 192.168.2.6 and 192.168.2.7. So in this case:
    1. How can we configure the edge server or assign the IP addresses to the edge server?
    2. Is the scenario which I have explained really possible?

    thanks
    Ravi

    • Kevin Peters says:

      Ravi,

      Your question isn’t really clear so I’m not sure what you mean. In any case you must have an internal route between internal edge and your front end server. This should be a local connection and not a remote connection to a cloud.

      HTH
      -kp

  180. Osc Born says:

    hi Kevin,
    I have set up FE and Edge servers. Do I need to have a separate machine for the reverse proxy for us to use Lync externally? And how am I going to configure IIS on the FE for both internal and external websites?
    thanks,
    osc

    • Kevin Peters says:

      osc,

      FE and reverse proxy cannot be the same machine. Also, there is no configuration required in IIS, all of that configuration is done via the Lync deployment wizards.

      HTH
      -kp

  181. Nick says:

    Hi Kev

    I’m pretty stumped now on getting Lync (2013) external mobility to work. I set up my environment exactly according to your guide above but my devices still can’t connect. I have tested it on OCS and it says it connected successfully to my Lync server via an edge server.

    On my iPhone I get an error message: we can’t connect to the server, check your network connection and server address.

    With the Lync Connectivity Analyzer it passes all tests on both the FE & Edge server.

    Thanks

    Nick

    • Kevin Peters says:

      Nick,

      The mobile piece uses the web services and reverse proxy. I’m guessing that since the connectivity analyzer is working but your iphone isn’t that you may be missing an intermediate cert on the reverse proxy. Try going to digicert.com/help and testing your Lyncdiscover address and the external web services fqdn of each of your front end pools.

      HTH

      -kevin

      • Nick says:

        Hi Kev

        Thanks for the feedback. Our setup is not using a reverse proxy but port translation on the firewall instead. I have an internal cert from my CA and an external SSL cert from GoDaddy. I have tested it via 3G on my laptop and that connects fine; it’s just via mobile where we get the error: can’t connect to server, it may be busy or temporarily unavailable 😦

        Will try the DigiCert help and see what results I get.

        Thanks

  182. Nick says:

    Tested on DigiCert and both lync.company.co.za & lyncdiscover.company.co.za pass successfully, so now once again I’m stumped as to why the mobile side does not work.

  183. Sandeep Raj says:

    Hi, I have followed the doc, and everything goes smoothly. But my external clients are not able to connect... below is the output of the tool.
    Currently I have installed the Edge internal and external certificates from an internal CA server.
    I have individual public IP addresses mapped to the Edge server external interface (3 IPs).
    >>>>>>>>>>>>>>>>>>>>>>>>>
    Testing the SSL certificate to make sure it’s valid.
    The SSL certificate failed one or more certificate validation checks.

    Test Steps

    ExRCA is attempting to obtain the SSL certificate from remote server sip.onmobile.com on port 443.
    ExRCA successfully obtained the remote SSL certificate.

    Additional Details
    Remote Certificate Subject: CN=sip.onmobile.com, OU=CITS, O=OnMobile Global Ltd, L=Banglaore, S=Karnataka, C=IN, Issuer: CN=EnterpriseOnmobile, DC=onmobile, DC=com.
    Validating the certificate name.
    The certificate name was validated successfully.

    Additional Details
    Host name sip.onmobile.com was found in the Certificate Subject Common name.
    Certificate trust is being validated.
    Certificate trust validation failed.

    Test Steps

    ExRCA is attempting to build certificate chains for certificate CN=sip.onmobile.com, OU=CITS, O=OnMobile Global Ltd, L=Banglaore, S=Karnataka, C=IN.
    A certificate chain couldn’t be constructed for the certificate.

    Additional Details
    The certificate chain couldn’t be built. You may be missing required intermediate certificates.
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

  184. Mike says:

    Hi,
    I’m trying to find an answer to the question: is it possible to connect a SIP proxy (like Kamailio, OpenSIPS or Asterisk and their video SIP users) to Lync via the Lync Edge?
    I’ve managed to configure a connection between the Edge and Asterisk with TLS. However when I try to call I get a SIP NEGOTIATE (??) message instead of INVITE.

    I will be glad for any help.

  185. enod says:

    Hi Kevin,
    I’ve deployed edge and front end. I have 2 SIP domains, corp.contoso.local and contoso.com.
    When I sign in as user@corp.contoso.local it works but it does not work as user@contoso.com.

    AD domain is corp.contoso.local and lync sip domain is contoso.com.

    Do I need to add additional records on the local DNS server?

    Any help would be greatly appreciated 🙂

    • Kevin Peters says:

      You don’t need the .local access set up at all if no users have it. What you would most likely need to do is set up SRV and A records for contoso.com, make sure your certificate works for that, and set all your users to have that as their SIP domain. You’ll also want to make sure all your simple URLs point to the .com and not .local; you don’t even want to have the .local as a SIP domain since it wouldn’t be publicly routable.

      Hope this helps!

      -Kevin

      • enod says:

        Thanks Kevin.

        Configured all records with pinpoint DNS. But when I connect Lync from externally the following error occurs: Lync couldn’t find a Lync Server for contoso.com. There might be an issue with the DNS configuration for your domain.

      • Kevin Peters says:

        enod,

        Sounds like something is still not configured right. From a client that cannot sign in please test your SRV and A records; if all of that checks out, verify you can connect to the server/port in the SRV record with telnet, and last but not least make sure your client trusts the certificate it is being presented.

        HTH

        Kevin
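
      The three checks Kevin lists above (SRV and A records, TCP reachability of the SRV target, and whether the client trusts the presented certificate) as a PowerShell script, added here as an example and not part of the original post or of Lync itself. It assumes `Resolve-DnsName` is available (Windows 8 / Server 2012 and later) and uses the constructed `_sip._tls.contoso.com` record from this thread; the chain-status readout it prints is the same information ExRCA summarised in comment 183 (an `UntrustedRoot` or `PartialChain` entry is the missing root or intermediate).

```powershell
# Added example, not from the original post or from Lync: run from a client that cannot sign in.
# Assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012+). The SRV record name is a
# constructed value from the comment thread; substitute your own SIP domain.
param(
    [string]$SrvRecord = '_sip._tls.contoso.com'   # external automatic sign-in record (port 443);
                                                   # inside use _sipinternaltls._tcp.<sipdomain>
)

function Get-SipSrvTargets {
    param([string]$Name)
    # Each SRV answer names a host:port; the follow-up A lookup confirms the target resolves at all.
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
        Where-Object Type -eq 'SRV' | Sort-Object Priority, Weight |
        ForEach-Object {
            $a = Resolve-DnsName -Name $_.NameTarget -Type A -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'A'
            [pscustomobject]@{ Target = $_.NameTarget; Port = $_.Port; Addresses = @($a.IPAddress) }
        }
}

function Test-SipEndpoint {
    param([string]$Target, [int]$Port)
    $result = @{ TcpOpen = $false; Trusted = $false; ChainStatus = @(); Subject = ''; Issuer = '' }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Target, $Port)               # the telnet test
        $result.TcpOpen = $true
        # Let the handshake finish whatever the chain looks like, but record what validation said.
        # $result is a hashtable, so the closure mutates the same object the caller returns.
        $cb = {
            param($sender, $cert, $chain, $errors)
            $result.Trusted     = ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
            $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            $true
        }.GetNewClosure()
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
               [System.Net.Security.RemoteCertificateValidationCallback]$cb)
        $ssl.AuthenticateAsClient($Target)          # name check is against the SRV target FQDN
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $ssl.RemoteCertificate
        $result.Subject = $leaf.Subject
        $result.Issuer  = $leaf.Issuer
    } catch {
        $result.ChainStatus = @($_.Exception.Message)   # connect or handshake failure
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$result
}

foreach ($t in Get-SipSrvTargets -Name $SrvRecord) {
    "SRV $SrvRecord -> $($t.Target):$($t.Port)  A=$($t.Addresses -join ',')"
    Test-SipEndpoint -Target $t.Target -Port $t.Port | Format-List
}
```

      `Trusted` is true only when the client's own store validates the chain and the name matches, which is exactly the condition a Lync client needs to sign in.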

  186. vijendhar says:

    Hi,

    1. I am going to deploy Lync 2010 Enterprise Edition in HA mode using Radware Alteon 5224. In my architecture I have 3 FE and 2 edge. Can you please tell me how many HLB are required. As per my knowledge we require 3 HLB, i.e., 1 for FE, 1 for the edge internal interface and 1 for the edge external interface. If I am wrong please correct me, and is there any alternative way to reduce the cost when using HLB.

    2. Correct me if I am wrong..... For the edge server external interface we require 3 VIPs and 3 public IPs (NAT enabled). For the AV edge role do we require a routable public IP or can we use a NATted IP.

    Thanks in advance…Waiting for your reply

    Regards
    Vijendhar.A

    • Kevin Peters says:

      Hi Vijendhar,

      1. You definitely don’t REQUIRE 3 HLB, in fact I recommend using only 1 in most cases – which would be used only for the web services on your front end pool. Unless you have lots of OCS clients that you won’t quickly migrate away from, or requirements for HA with downlevel (OCS 2007 R2 or back, or PIC) environments, I would not recommend HLB. It complicates your configuration with no actual benefit.

      2. In an HLB scenario you will need 1 public IP per VIP and 1 public IP per server per role. So with 2 edge servers you would need 9 public IPs. NAT is NOT supported for ANY of these IPs when using HLB so they will all have to be publicly routable.

      Hope this helps!

      Kevin

      • vijendhar says:

        Hi Kevin,

        Thanks for your quick reply 🙂

        As discussed with my client, they want to use HLB only; they are not interested in DNS LB. In this case how many HLB, VIPs and public IPs (Radware Alteon 5224) do I require.

        1. If we go for 2 HLB, i.e., one for FE and another for Edge, please guide me how to configure one HLB for the edge internal and external interfaces.

        (Lync_Server_2010_Edge_Scaled-consolidated_HLB_Topology)
        I am following this link for the reference architecture: http://www.microsoft.com/en-us/download/details.aspx?id=13791

        Vijendhar.

      • Kevin Peters says:

        I would advise you have a conversation with your client about why they actually want to use HLB.

        As far as Public IPs I listed them in the previous comments. For deploying the HLB, I won’t advise you on that, it is up to you and the HLB vendor to deploy this, if they are on the UCOIP list then they should have a deployment guide that can help you. If not, best of luck but I wouldn’t advise trying.

        If you’re not sure how to deploy Lync with HLB I suggest you do some research and lab work prior to committing to deploying in that fashion for a customer, it is your job as a consultant to guide the customer to the right decision and understand how it will work and obviously from your questions you don’t understand it so you need to spend some time learning and labbing before doing this deployment.

        -Kevin

  187. raj says:

    Hi Kevin,

    I deployed Lync 2010 Enterprise with an Edge server, following your article. While testing I am unable to do video (AV) calls from external to internal or vice versa { Error – Call Failed due to Network Issue }, but external to external and internal to internal AV calls work. Below is my config... please suggest.

    1) FE Server : 172.16.32.11 ( Lync 2010 Enterprise )
    2) Edge Internal : 172.16.32.163 ( No Gateway Defined )
    3) Edge External : 10.9.16.160 ( DMZ – with gateway) — NATted Public IP for SIP (port open 443,5061)
    4) Edge WebConf : 10.9.16.161 — NATted Public IP for WebConf (port open 443)
    5) Edge AV : 10.9.16.162 — NATted Public IP for Video (port open 443,50000-59999 tcp and 50000-59999 udp , UDP 3478)
    Below is the route print of my Edge Server :
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    ===========================================================================
    Interface List
    23…3c 4a 92 f0 22 5a ……HP NC532i Dual Port 10GbE Multifunction BL-c Adapter #56
    20…3c 4a 92 f0 22 59 ……HP NC532i Dual Port 10GbE Multifunction BL-c Adapter #51
    16…3c 4a 92 f0 22 58 ……HP NC532i Dual Port 10GbE Multifunction BL-c Adapter #49
    14…3c 4a 92 f0 22 5f ……HP NC532i Dual Port 10GbE Multifunction BL-c Adapter #48
    11…3c 4a 92 f0 22 5e ……HP NC532i Dual Port 10GbE Multifunction BL-c Adapter #10
    10…3c 4a 92 f0 22 5b ……HP NC532i Dual Port 10GbE Multifunction BL-c Adapter #47
    1………………………Software Loopback Interface 1
    12…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    13…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    15…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    18…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
    19…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
    22…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
    24…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #7
    25…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #8
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 10.9.16.1 10.9.16.160 261
    10.9.16.0 255.255.255.0 On-link 10.9.16.160 261
    10.9.16.160 255.255.255.255 On-link 10.9.16.160 261
    10.9.16.161 255.255.255.255 On-link 10.9.16.160 261
    10.9.16.162 255.255.255.255 On-link 10.9.16.160 261
    10.9.16.255 255.255.255.255 On-link 10.9.16.160 261
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    172.16.32.0 255.255.252.0 On-link 172.16.32.163 261
    172.16.32.0 255.255.255.0 10.9.16.1 10.9.16.160 6
    172.16.35.255 255.255.255.255 On-link 172.16.32.163 261
    172.19.4.0 255.255.254.0 10.9.16.1 10.9.16.160 6
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 172.16.32.163 261
    224.0.0.0 240.0.0.0 On-link 10.9.16.160 261
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    255.255.255.255 255.255.255.255 On-link 172.16.32.163 261
    255.255.255.255 255.255.255.255 On-link 10.9.16.160 261
    ===========================================================================
    Persistent Routes:
    Network Address Netmask Gateway Address Metric
    0.0.0.0 0.0.0.0 10.9.16.1 Default
    ===========================================================================

    IPv6 Route Table
    ===========================================================================
    Active Routes:
    If Metric Network Destination Gateway
    1 306 ::1/128 On-link
    1 306 ff00::/8 On-link
    ===========================================================================
    Persistent Routes:
    None>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    Raj

    • Kevin Peters says:

      Hi Raj,

      Do you have internal networks other than the 172.16.32.X? If so and your clients are on those you’ll need to configure your edge to route to those networks via its internal interface (with route add’s or netsh commands).

      Hope this helps

      KP

  188. Boris says:

    Hi, excellent article, many thanks.

    One query – most connections will be NAT’ed so that checkbox will be selected and the internet facing IP input.

    However, I will have a federation with a sister company that has a separated WAN and will come to the Edge directly without going through the firewall.

    Will this be an issue?

    • Kevin Peters says:

      If your WAN will have access to the DMZ/outside of the edge (where the pre-NAT IPs are) you may be able to make this work. However you would have to make all of the DNS for those servers/services appear as the private IPs to the other environment and vice-versa. It will most likely break TURN connectivity between the two environments though, so not sure how worth it it would be. You could always give it a shot, but I’ve never tested it. Best of luck!

      Kevin

  189. psyolent says:

    Thanks Kevin for this. Years later this was really helpful for me in a migration we had to do just last night – got us across the line. Thanks heaps mate.
