Building Lync 2010 Server Infrastructure


This article describes the system requirements of Lync Server 2010 and the steps necessary to create a Lync 2010 topology for a production environment with a single forest and a single domain.

Lync 2010 Server Roles: Lync 2010 is delivered through the following server roles.

  • Front End Server and Back End SQL Server
  • A/V Conferencing Server
  • Edge Server
  • Mediation Server
  • Monitoring Server
  • Archiving Server
  • Director

Lync 2010 Features:

  • Instant messaging (IM) and presence are always enabled
  • Audio and video conferencing
  • Enterprise Voice, the voice over IP (VoIP) solution
  • Exchange UM features, which let users receive voice mail notices and listen to voice mail from Outlook or OWA, access their Microsoft Exchange mailboxes using a telephone, and receive faxes in their Microsoft Exchange mailboxes.
  • Federated partner/supplier users can easily send and receive IM messages, invite each other to meetings and see each other's presence.
  • IM and Enterprise Voice support for branch offices over the WAN link

Reference Topology with High Availability

[Figure: reference topology with high availability]

How does Lync 2010 communication work?

[Figure: Lync 2010 communication flow]

Hardware Requirements:

| Hardware | Lync Front End | Director | DB, Archive, Monitor server |
|---|---|---|---|
| CPU | 64-bit processor | 64-bit processor | 64-bit processor |
| RAM | 16 GB | 4 GB | Min 16 GB for Archiving or Monitoring; max 32 GB |
| System partition | 72 GB free disk space | 72 GB free disk space | 72 GB free disk space |
| Additional partition | Separate page file partition | Separate page file partition | Separate page file partition plus another partition for DB and data |
| No. of NICs (Gbps or higher) | 2 | 2 | 2 |

Operating Systems for Standard Edition Front End, Director, Edge Server and Proxy Server:

  • Windows Server 2008 R2 Standard/Enterprise/Datacenter with SP
  • Windows Server 2008 Standard/Enterprise/Datacenter with SP

Client OS:

  • Windows 7 Professional or Enterprise with all patches installed via WSUS
  • Windows Mobile
  • IP phones such as Aastra/Cisco desk phone sets

Database Server:

  • Microsoft SQL Server 2008 R2 Standard/Enterprise with SP x64
  • Microsoft SQL Server 2005 Standard/Enterprise with SP3 x64

Additional Software:

  • Microsoft .NET Framework 3.5 with SP1
  • Silverlight 4.0
  • Windows PowerShell 2.0
  • Active Directory Administrative tools feature installed on Front End Server and Director
  • Microsoft Forefront Threat Management Gateway (TMG) 2010 software.

Internet Information Services (IIS): Front End Servers and Standard Edition servers must run Internet Information Services (IIS), with the following modules:

  • Static Content
  • Default Document
  • HTTP Errors
  • ASP.NET
  • .NET Extensibility
  • Internet Server API (ISAPI) Extensions
  • ISAPI Filters
  • HTTP Logging
  • Logging Tools
  • Tracing
  • Windows Authentication
  • Request Filtering
  • Static Content Compression
  • IIS Management Console
  • IIS Management Scripts and Tools
  • Anonymous Authentication (This is installed by default when IIS is installed.)
  • Client Certificate Mapping Authentication

Software installed automatically:

  • Microsoft Visual C++ 2008 Redistributable
  • Microsoft Visual J# version 2.0 Redistributable
  • URL Rewrite Module version 2.0 Redistributable
  • SQL Server 2008 Native Client

Network Requirements:

  • For public switched telephone network (PSTN) integration, you can integrate by using either T1/E1 lines or SIP trunking.
  • Provision your network links to support throughput of 65 kilobits per second (Kbps) per audio stream and 500 Kbps per video stream, if enabled, during peak usage periods. A bidirectional audio or video session consists of two streams.
  • WAN links for branch office servers
  • Reverse proxy server in the Edge network

Supported configuration:

  • Forest functional level of Windows Server 2008 R2, Windows Server 2008, or at least Windows Server 2003 native mode
  • Single or multiple forests
  • Single or multiple domains
  • Federated Lync Server
  • DNS load balancing

Unsupported configuration:

  • x86 Windows Server 2008
  • x86 SQL Server database
  • Read-only domain controllers (RODCs)

Virtualizing Lync 2010 Server: Microsoft Lync Server 2010 supports all workloads and server roles in both physical and virtualized topologies. User capacity in a virtualized topology is roughly 50 percent of the capacity in a physical topology. For details, see Running in a Virtualized Environment in the Planning for Other Features documentation.

Examples of SIP and Domain Name System (DNS) Requirements

| Item | Example |
|---|---|
| SIP domain | Microsoftguru.com.au |
| Front End pool | mypool.Microsoftguru.com.au |
| Director pool | dir-pool.microsoftguru.com.au |
| Edge pool | myedge.microsoftguru.com.au |

Examples of DNS Records and IPs

| FQDN | Internal IP address | Routable public IP |
|---|---|---|
| FrontEnd.Microsoftguru.com.au | 192.168.1.6 | x |
| Mediation.Microsoftguru.com.au | 192.168.1.7 | x |
| Director.Microsoftguru.com.au | 192.168.1.8 | x |
| Archiving.Microsoftguru.com.au | 192.168.1.9 | x |
| Monitor.Microsoftguru.com.au | 192.168.1.10 | x |
| Edge.microsoftguru.com.au | 192.168.1.11 | 203.9.x.1, 203.9.x.5, 203.9.x.3 |
| Proxy.microsoftguru.com.au | 192.168.1.12 | 203.9.x.4 |

Important! Note that the Edge and reverse proxy servers are in a workgroup (not domain-joined) and use the microsoftguru.com.au DNS suffix.

Requirements of the DNS SRV record for client automatic login

| SRV service | Protocol | Target FQDN | Port |
|---|---|---|---|
| _sipinternaltls | _TCP | Lync.Microsoftguru.com.au | 5061 |

Necessary URLs and Ports

| Name | URL | Port |
|---|---|---|
| Administrative access | https://admin.microsoftguru.com.au | 443 |
| Meeting | https://meet.microsoftguru.com.au | 443 |
| Phone dial-in | https://dialin.microsoftguru.com.au | 443 |
| Edge access | https://internal.microsoftguru.com.au (internal); http://external.microsoftguru.com.au (external: SIP, Web, A/V) | 4443 (internal); 4061, 444, 443 (external) |
| Director | https://external1.microsoftguru.com.au | 443, 5060, 5061 |

Certificate Requirements for Internal Servers

| Certificate | Subject name / common name | Example |
|---|---|---|
| Default | FQDN of the pool | SN=FrontEnd.microsoftguru.com.au; SAN=mypool.microsoftguru.com.au; SAN=sip.microsoftguru.com.au (if this pool is the auto-logon server for clients and strict DNS matching is required in the SAN) |
| Web Internal | FQDN of the server | SN=FrontEnd.microsoftguru.com.au; SAN=internal.microsoftguru.com.au; SAN=meet.microsoftguru.com.au; SAN=dialin.microsoftguru.com.au; SAN=admin.microsoftguru.com.au. Using a wildcard certificate: SN=FrontEnd.microsoftguru.com.au; SAN=internal.microsoftguru.com.au; SAN=*.microsoftguru.com.au |
| Web External | FQDN of the server | SN=FrontEnd.microsoftguru.com.au; SAN=external.microsoftguru.com.au; SAN=meet.microsoftguru.com.au; SAN=meet.fabrikam.com; SAN=dialin.microsoftguru.com.au. Using a wildcard certificate: SN=FrontEnd.microsoftguru.com.au; SAN=external.microsoftguru.com.au; SAN=*.microsoftguru.com.au |

Certificates for Director

| Certificate | Subject name / common name | Example |
|---|---|---|
| Default | FQDN of the Director pool | SN=dir-pool.microsoftguru.com.au; SAN=dir-pool.microsoftguru.com.au (if this Director pool is the auto-logon server for clients and strict DNS matching is required in the SAN) |
| Web Internal | FQDN of the server | SN=Director.microsoftguru.com.au; SAN=Director.microsoftguru.com.au; SAN=meet.microsoftguru.com.au; SAN=dialin.microsoftguru.com.au; SAN=admin.microsoftguru.com.au. Using a wildcard certificate: SN=Director.microsoftguru.com.au; SAN=Director.microsoftguru.com.au; SAN=*.microsoftguru.com.au |
| Web External | FQDN of the server (the Director external web FQDN must be different from the Front End pool or Front End Server) | SN=Director.microsoftguru.com.au; SAN=external1.microsoftguru.com.au; SAN=meet.microsoftguru.com.au; SAN=dialin.microsoftguru.com.au. Using a wildcard certificate: SN=Director.microsoftguru.com.au; SAN=external1.microsoftguru.com.au; SAN=*.microsoftguru.com.au |
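The certificate tables above and the _sipinternaltls SRV record impose name-matching rules that are easy to get wrong, so here is an added example (not from the original article, nor any Microsoft tooling) in Python that checks a certificate's SN/SAN line against the required names, applying the one-label wildcard rule, and checks that the SRV target lies inside the SIP domain. The host names are the article's; the "SN=...; SAN=..." line format mirrors the tables, and the function names are my own.

```python
"""Check certificate names and the SRV target against the tables above.

Added example, not part of the original article. Required names come from
the article's certificate tables; the wildcard rule (one label only, never
the bare domain) is the standard X.509 host-matching rule.
"""
from __future__ import annotations

# Front End certificate names from the article. The Default certificate
# carries sip.<sipdomain> because the pool is the client auto-logon server.
REQUIRED_FE_DEFAULT = ["FrontEnd.microsoftguru.com.au",
                       "mypool.microsoftguru.com.au",
                       "sip.microsoftguru.com.au"]
REQUIRED_FE_WEB_INTERNAL = ["FrontEnd.microsoftguru.com.au",
                            "internal.microsoftguru.com.au",
                            "meet.microsoftguru.com.au",
                            "dialin.microsoftguru.com.au",
                            "admin.microsoftguru.com.au"]
REQUIRED_FE_WEB_EXTERNAL = ["FrontEnd.microsoftguru.com.au",
                            "external.microsoftguru.com.au",
                            "meet.microsoftguru.com.au",
                            "meet.fabrikam.com",          # second SIP domain
                            "dialin.microsoftguru.com.au"]


def parse_subject_line(line: str) -> list[str]:
    """Split the article's 'SN=a; SAN=b; SAN=c' notation into host names."""
    names = []
    for part in line.split(";"):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() in ("SN", "SAN") and value.strip():
            names.append(value.strip().lower())
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard covering exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # e.g. ".microsoftguru.com.au"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label   # no bare domain, no deeper level


def missing_names(cert_line: str, required: list[str]) -> list[str]:
    """Required names that neither the SN nor any SAN of cert_line covers."""
    presented = parse_subject_line(cert_line)
    return [r for r in required
            if not any(name_matches(p, r) for p in presented)]


def srv_target_in_sip_domain(sip_domain: str, target: str) -> bool:
    """The client only trusts an _sipinternaltls target automatically when
    it sits inside the SIP domain (the article's strict DNS matching)."""
    sip_domain = sip_domain.lower().rstrip(".")
    target = target.lower().rstrip(".")
    return target == sip_domain or target.endswith("." + sip_domain)


if __name__ == "__main__":
    wildcard = ("SN= FrontEnd.microsoftguru.com.au; "
                "SAN=external.microsoftguru.com.au; SAN=*.microsoftguru.com.au")
    # The wildcard cannot cover the second SIP domain: ['meet.fabrikam.com']
    print(missing_names(wildcard, REQUIRED_FE_WEB_EXTERNAL))
    print(srv_target_in_sip_domain("Microsoftguru.com.au",
                                   "Lync.Microsoftguru.com.au"))   # True
```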

Port Requirements:

| Server role | Service name | Port | Protocol |
|---|---|---|---|
| Front End Servers | Lync Server Front-End service | 5060 | TCP |
| Front End Servers | Front-End service | 5061 | TCP (TLS) |
| Front End Servers | Front-End service | 444 | HTTPS (TCP) |
| Front End Servers | Lync Server Front-End service | 135 | DCOM and remote procedure call (RPC) |
| Front End Servers | Lync Server IM Conferencing service | 5062 | TCP |
| Front End Servers | Lync Server Web Conferencing service | 8057 | TCP (TLS) |
| Front End Servers | Web Conferencing Compatibility service | 8058 | TCP (TLS) |
| Front End Servers | Lync Server Audio/Video Conferencing service | 5063 | TCP |
| Front End Servers | Lync Server Audio/Video Conferencing service | 57501-65335 | TCP/UDP |
| Front End Servers | Web Compatibility service | 80 | HTTP |
| Front End Servers | Lync Server Web Compatibility service | 443 | HTTPS |
| Front End Servers | Lync Server Conferencing Attendant service (dial-in conferencing) | 5064 | TCP |
| Front End Servers | Lync Server Conferencing Attendant service (dial-in conferencing) | 5072 | TCP |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5070 | TCP |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5067 | TCP (TLS) |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5068 | TCP |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5081 | TCP |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5082 | TCP (TLS) |
| Front End Servers | Lync Server Application Sharing service | 5065 | TCP |
| Front End Servers | Lync Server Application Sharing service | 49152-65335 | TCP |
| Front End Servers | Lync Server Conferencing Announcement service | 5073 | TCP |
| Front End Servers | Lync Server Call Park service | 5075 | TCP |
| Front End Servers | Audio Test service | 5076 | TCP |
| Front End Servers | Not applicable | 5066 | TCP |
| Front End Servers | Lync Server Response Group service | 5071 | TCP |
| Front End Servers | Lync Server Response Group service | 8404 | TCP (MTLS) |
| Front End Servers | Lync Server Bandwidth Policy Service | 5080 | TCP |
| Front End Servers | Lync Server Bandwidth Policy Service | 448 | TCP |
| Front End Servers where the Central Management store resides | CMS Replication service | 445 | TCP |
| All internal servers | Various | 49152-57500 | TCP/UDP |
| Directors | Lync Server Front-End service | 5060 | TCP |
| Directors | Lync Server Front-End service | 5061 | TCP |
| Mediation Servers | Lync Server Mediation service | 5070 | TCP |
| Mediation Servers | Lync Server Mediation service | 5067 | TCP (TLS) |
| Mediation Servers | Lync Server Mediation service | 5068 | TCP |
| Mediation Servers | Lync Server Mediation service | 5070 | TCP (MTLS) |

Required Client Ports

| Component | Port | Protocol |
|---|---|---|
| Clients | 67/68 | DHCP |
| Clients | 443 | TCP (TLS) |
| Clients | 443 | TCP (PSOM/TLS) |
| Clients | 443 | TCP (STUN/MSTURN) |
| Clients | 3478 | UDP (STUN/MSTURN) |
| Clients | 5061 | TCP (MTLS) |
| Clients | 6891-6901 | TCP |
| Clients | 1024-65535 * | TCP/UDP |
| Clients | 1024-65535 * | TCP/UDP |
| Clients | 1024-65535 * | TCP |
| Clients | 1024-65535 * | TCP |
| Aastra 6721ip common area phone, Aastra 6725ip desk phone, Polycom CX500 common area phone, Polycom CX600 desk phone | 67/68 | DHCP |

Forefront TMG 2010 Reverse Proxy Firewall Rule Configuration:

Edge External Interface

| Protocol | Port | Firewall direction | Description |
|---|---|---|---|
| HTTP | 80 | Out | Checking certificate revocation lists |
| DNS | 53 | Out | External DNS queries |
| SIP / TLS | 443 | In | Client-to-server SIP traffic for remote user access |
| SIP / MTLS | 5061 | In / Out | Federation and connectivity with a hosted service |
| PSOM / TLS | 443 | In | Remote user access to conferences for anonymous and federated users |
| RTP / TCP | 50,000 – 59,999 | Out | Media exchange |
| RTP / TCP | 50,000 – 59,999 | In | Media exchange required for Office Communications Server 2007 R2 interoperability |
| RTP / UDP | 50,000 – 59,999 | In / Out | Media exchange required for Office Communications Server 2007 interoperability |
| STUN / MSTURN / UDP | 3478 | In / Out | External user access to A/V sessions (UDP) |

Edge Internal Interface

| Protocol | Port | Firewall direction | Description |
|---|---|---|---|
| SIP / MTLS | 5061 | In / Out | SIP traffic |
| PSOM / MTLS | 8057 | Out | Web conferencing traffic from the pool to the Edge Server |
| SIP / MTLS | 5062 | Out | Authentication of A/V users (A/V Authentication service) |
| STUN / MSTURN / UDP | 3478 | Out | Preferred path for media transfer between internal and external users (UDP) |
| STUN / MSTURN / TCP | 443 | Out | Alternate path for media transfer between internal and external users (TCP) |
| HTTPS | 4443 | Out | Pushing Central Management store updates to Edge Servers |
| HTTP | 80 | Out | Checking certificate revocation lists on the YVW Certificate Authority |

Reverse Proxy External Interface

| Protocol | Port | Firewall direction | Description |
|---|---|---|---|
| HTTP | 80 | In | (Optional) Redirection to HTTPS if a user accidentally enters http://<publishedSiteFQDN> |
| HTTPS | 443 | In | Address book downloads, Address Book Web Query service, client updates, meeting content, device updates, group expansion, dial-in conferencing, and meetings |

Reverse Proxy Internal Interface

| Protocol | Port | Firewall direction | Description |
|---|---|---|---|
| HTTPS | 4443 | In | Traffic sent to 443 on the reverse proxy external interface is redirected to a pool on port 4443 from the reverse proxy internal interface so that the pool web services can distinguish it from internal web traffic |
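As an added example that is not part of the original article, the following Python audits a firewall rule export against the Edge External Interface table above, reporting required openings that are missing and allowed ports the table does not call for (inbound extras being the exposure worth questioning). The export format and the sample rules are constructed; treating DNS/53 as UDP is an assumption, since the table gives no transport.

```python
"""Audit a rule export against the Edge External Interface table (added example)."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    direction: str  # "in" or "out", relative to the Edge external interface
    proto: str      # "tcp" or "udp"
    lo: int
    hi: int

# Required openings from the article's Edge External Interface table.
# The table gives DNS/53 without a transport; UDP is assumed here.
REQUIRED_EDGE_EXTERNAL = [
    Rule("allow", "out", "tcp", 80, 80),        # CRL checks
    Rule("allow", "out", "udp", 53, 53),        # external DNS queries
    Rule("allow", "in", "tcp", 443, 443),       # SIP/TLS and PSOM/TLS
    Rule("allow", "in", "tcp", 5061, 5061),     # SIP/MTLS federation
    Rule("allow", "out", "tcp", 5061, 5061),
    Rule("allow", "out", "tcp", 50000, 59999),  # RTP/TCP media
    Rule("allow", "in", "tcp", 50000, 59999),   # RTP/TCP, OCS 2007 R2 interop
    Rule("allow", "in", "udp", 50000, 59999),   # RTP/UDP media
    Rule("allow", "out", "udp", 50000, 59999),
    Rule("allow", "in", "udp", 3478, 3478),     # STUN/MSTURN
    Rule("allow", "out", "udp", 3478, 3478),
]

# Constructed export (not a real firewall format): one required opening missing, one extra port open.
SAMPLE_EXPORT = """
allow out tcp 80
allow out udp 53
allow in tcp 443
allow in tcp 5061
allow out tcp 5061
allow in tcp 50000-59999
allow out tcp 50000-59999
allow in udp 50000-59999
allow out udp 50000-59999
allow out udp 3478
allow in tcp 3389     # remote desktop exposed on the external interface
"""

def parse_rules(export: str) -> list[Rule]:
    """Parse the constructed export; '#' comments and blank lines are ignored."""
    rules = []
    for raw in export.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, direction, proto, ports = line.lower().split()
        lo, _, hi = ports.partition("-")
        rules.append(Rule(action, direction, proto, int(lo), int(hi or lo)))
    return rules

def missing_openings(rules: list[Rule]) -> list[Rule]:
    """Required openings not fully covered by a single allow rule."""
    allows = [r for r in rules if r.action == "allow"]
    return [req for req in REQUIRED_EDGE_EXTERNAL
            if not any(a.direction == req.direction and a.proto == req.proto
                       and a.lo <= req.lo and a.hi >= req.hi for a in allows)]

def excess_openings(rules: list[Rule]) -> dict[tuple[str, str], list[int]]:
    """Allowed ports per (direction, proto) that no required opening needs."""
    extra: dict[tuple[str, str], set[int]] = {}
    for r in rules:
        if r.action != "allow":
            continue
        needed = {p for req in REQUIRED_EDGE_EXTERNAL
                  if (req.direction, req.proto) == (r.direction, r.proto)
                  for p in range(req.lo, req.hi + 1)}
        unneeded = set(range(r.lo, r.hi + 1)) - needed
        if unneeded:
            extra.setdefault((r.direction, r.proto), set()).update(unneeded)
    return {key: sorted(ports) for key, ports in extra.items()}
```

Running `missing_openings(parse_rules(SAMPLE_EXPORT))` reports the inbound UDP 3478 opening the sample lacks, and `excess_openings` reports inbound TCP 3389 as an opening the table does not justify.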

Install Lync Planning Tool: Microsoft Lync Server 2010 Planning Tool is a wizard that interactively asks you a series of questions about your organization, the Lync Server features you want to enable, and your capacity planning needs. It then creates a recommended deployment topology based on your answers, and produces several forms of output to aid your planning and installation.

Create a Topology: Topology Builder is an installation component of Lync Server 2010. You use Topology Builder to create, adjust and publish your planned topology. It also validates your topology before you begin server installations. When you install Lync Server on individual servers, the servers read the published topology as part of the installation process, and the installation program deploys the server as directed in the topology.

  • From the Microsoft Lync Server 2010 program group, open Planning Tool.
  • Start the Planning Tool wizard from the beginning by clicking the Get Started button.
  • Select Yes and click Next on the Audio and Video Conferencing page.
  • Select No and click Next on the Dial-In Conferencing page.
  • Select Yes and click Next on the Web Conferencing page.
  • Select No and click Next on the Enterprise Voice page.
  • Select No and click Next on the Call Admission Control page.
  • Select No and click Next on the Monitoring page.
  • Select No and click Next on the Archiving page.
  • On the Federation page, ensure that both boxes are selected and click Next.
  • Select No and click Next on the High Availability page.
  • Select Shared WAN and click Next on the Network Connection page.
  • Click Design Sites. On the Central Sites page, make the following changes:
      • Enter a descriptive name for Site Name, for example MyCompany or your company name.
      • Enter the number of users in your organization, for example 1000.
      • Under Online Collaboration, ensure that Dial-in Conferencing is unchecked.
      • Under Server Applications, uncheck Call Admission Control.
      • Click Next to continue.

  • On the SIP Domain page, enter the primary SIP domain, for example microsoftguru.com.au. Click Add, then click Next.
  • On the Bandwidth Capacity Planning page, accept the default settings and continue.
  • On the Branch Office page, leave each field blank and continue.
  • On the External User Access page, uncheck Enable high availability for external users, click Finish, and then click Draw.
  • From the File menu, select Save Topology.
  • Create a backup of this topology named MyCompany.xml.

If you would like to create a design document, you can export the topology to Microsoft Visio or Microsoft Excel: from the File menu, select Export, then select Export to Visio or Export to Excel.

View the site topology you just created by using Topology Builder

1. From the Planning Tool Actions pane, view the hardware resources required in this global topology.

2. Double-click on the MyCompany site.

3. Notice the three tabbed pages at the bottom of the page: Site Topology, Edge Network Diagram and Edge Admin Report.

4. On the Site Topology page, move the mouse pointer over icons for a description of each role.

5. Click an icon to see server and port requirements.

Modify Edge Network Diagram: Click the Edge Network Diagram tab and update the FQDN and IP addresses of each server role in the network diagram by double-clicking the sample data shown in red.

| Role | FQDN | IP address |
|---|---|---|
| FrontEnd Lync Server | FrontEnd.microsoftguru.com.au | 192.168.1.6 |
| Director | director.microsoftguru.com.au | 192.168.1.8 |
| Reverse Proxy Server | proxy.microsoftguru.com.au | 192.168.1.12 (internal), 203.9.x.4 (external) |
| Edge Server | edge.microsoftguru.com.au | 192.168.1.11 (internal); 203.9.x.1 (access), 203.9.x.5 (web), 203.9.x.3 (A/V) |
| Reverse Proxy External FQDN | proxy.microsoftguru.com.au | 203.9.x.4 |
| External Access Edge service URL | external.microsoftguru.com.au | 203.9.x.1 |
| External Web Conferencing Edge service URL | external.microsoftguru.com.au | 203.9.x.5 |
| External A/V Edge service URL | External1.microsoftguru.com.au | 203.9.x.3 |

Review Edge Admin Report

  • Select the Edge Admin Report tab, and then click View to open the report in a browser window.
  • Review the certificate, firewall, and DNS entries.

Export Topology to Topology Builder

  • From the Planning Tool, select File > Export > Export to Topology Builder.
  • Click Yes on the Sample Data Warning dialog.
  • Save the file to the local machine. This lab will save the file as MyCompany.tbxml. Exit the Planning Tool.

Modify the Topology Using Topology Builder: Now import the topology from the Planning Tool and modify it in Topology Builder, in preparation for publishing it.

Install Topology Builder and Import the Topology from the Planning Tool

  • From the Standard Edition Server, open the Lync Server Deployment Wizard.
  • Select Install Topology Builder.
  • From the Microsoft Lync Server 2010 program group, open Lync Server Topology Builder.
  • Select Open Topology from a local file.
  • From the Open dialog, navigate to the file you saved earlier. This lab used MyCompany.tbxml.

Edit Topology: After importing the topology file from the Planning Tool into Topology Builder, you must make some edits before you can publish the topology. In the left-hand pane of Topology Builder you will see a few small red X marks, indicating errors in the topology. To resolve these issues, follow the guidance below.

Modify Topology in Topology Builder

  • Open Topology Builder. Choose to open an existing file and select MyCompany.tbxml.
  • Expand the top node, Lync Server 2010, and navigate to the Standard Edition Front End Servers node.
  • Select the Front End pool, then from the Actions pane select Edit Properties.
  • Under the General section, update the FQDN entry to the name of your Standard Edition Server. For this lab, specify FrontEnd.microsoftguru.com.au.
  • Under the Web Services section, update the External Web Services FQDN. For this lab, specify external.microsoftguru.com.au.
  • Navigate to the Director pools node, expand it and select Director.microsoftguru.com.au.
  • Select Edit Properties. Under the Web Services section, update the External Web Services FQDN. For this lab, specify external1.microsoftguru.com.au.
  • Click OK to exit the Edit Properties page.

Edit Edge pools

  • From Topology Builder, in the left-hand pane, select Lync Server 2010.
  • Navigate down the tree until you reach Edge pools, expand it and select the Edge Server edge.microsoftguru.com.au.
  • From the Actions pane, select Edit Properties. On the Edit Properties page, verify the following settings:

| Parameter | Value |
|---|---|
| Internal server FQDN | edge.microsoftguru.com.au |
| Internal IP address | 192.168.1.11 |
| Enable federation for this Edge pool (port 5061) | Enabled |
| NAT-enabled public IP addresses used | 203.9.x.1, 203.9.x.5, 203.9.x.3 |
| Internal configuration replication port (HTTPS) | 4443 |
| Next hop pool | director.microsoftguru.com.au (MyCompany) |
| Enable separate FQDN and IP address for web conferencing and A/V | Enabled |
| SIP Access | internal.microsoftguru.com.au, 203.9.x.1, port 443 |
| Web Conferencing Edge service | external.microsoftguru.com.au, 203.9.x.5, port 443 |
| A/V service | External1.microsoftguru.com.au, 203.9.x.3, port 443 |

  • Click OK to close the Edit Properties page.

Configure Administration URL

  • In Topology Builder, click Lync Server 2010 from the left hand pane.
  • Click Edit Properties, then click Simple URLs.
  • Under Administrative access URL: type https://admin.microsoftguru.com.au.
  • Click OK to close the Edit Properties window.

Review and Save Topology: The topology file should now be ready to be published. Let's verify that the topology settings are valid before publishing.

  • In Topology Builder, click on Lync Server 2010. You should have the following settings configured:
      • Default SIP domain: microsoftguru.com.au
      • Phone access URLs: https://dialin.microsoftguru.com.au
      • Meeting URLs: https://meet.microsoftguru.com.au
      • Administrative access URL: https://admin.contos.net
      • Central Management Server: FrontEnd.microsoftguru.com.au

  • In the left pane of Topology Builder, navigate to Standard Edition Front End Servers.
  • Expand the node and select the FrontEnd.microsoftguru.com.au pool.
  • Verify the following settings:

| Parameter | Value |
|---|---|
| FQDN | FrontEnd.microsoftguru.com.au |
| IP addresses | Use all configured |
| Instant messaging and presence | Enabled |
| Conferencing | Enabled |
| SQL Store | FrontEnd.microsoftguru.com.au\rtc |
| File store | \\FrontEnd.microsoftguru.com.au\share |
| Edge pool | myedge.microsoftguru.com.au (MyCompany) |
| Internal web services | Listening ports: HTTP 80, HTTPS 443 |
| External web services | FQDN: external.microsoftguru.com.au; FQDN: external1.microsoftguru.com.au; listening ports: HTTP 8080, HTTPS 4443 |
| Conferencing | All four services enabled |
| Collocated Mediation Server | Disabled |

Prepare first Standard Edition Server

  • On the Standard Edition Server, open the Lync Server Deployment Wizard.
  • Select Prepare first Standard Edition Server and click Next to install the initial Central Management Store.

Publish Topology

  • From Topology Builder, select Lync Server 2010.
  • From the Actions pane, select Publish Topology and click Next.
  • On the Select Central Management Server page, ensure that FrontEnd.microsoftguru.com.au is selected and continue.

The following links will be handy once you have built your topology:

  • Deploy Lync Edge Server
  • Deploy Lync Director Server
  • Install and Configure Lync Front End Server
  • Lync 2010 Planning Tool
  • Download Microsoft Lync Server 2010 180-Day Trial
  • Microsoft Lync Server 2010 Mobility Service and Microsoft Lync Server 2010 Autodiscover Service
  • Microsoft Lync Server 2010 Mobility Guide

9 thoughts on “Building Lync 2010 Server Infrastructure”

  1. Hi,

    I have seen you have some knowledge about MS products ;-).
    I have one thing to solve: set up QoS in a network where on the clients I can't use GPO to mark packets. So, I have to do the marking on switches. What is the best way to recognize voice and video packets from Lync? As I can see from sniffing, it uses a wide range of ports, and these ports seem to be undefined (from >1024 to 65535). Do you have any suggestion?

    Thank you

    Pavel

  2. Hi Raihan,

    I have some issues with Lync 2010 Standard Edition:
    I installed Lync 2010 Std Ed. for 600 users (single server); it was working fine (IM/voice/video) on my default site, but my other sites can't start video/voice conferences. Those sites are connected by site-to-site VPN over PPTP and we're using FF TMG 2010 on both sides.

    Do you have any idea about this? Now I'm uninstalling and I'd like to make a new environment setup.

    I can send the design infrastructure to you.

    Thanks.

    Edu – Reayit/Br

    • More information:

      I don't have any restrictions in the rules for the site-to-site VPN; all protocols are permitted.

      • This site is really helpful. Wondering if I can get some comments about the issue we are having.

        We have Lync deployed in a virtual environment. We noticed video calls are choppy when we add more than two people to a video conference.

        We also have a physical deployment of Lync Server in a different pool. If we move the meeting host user to the physical box, video conferencing works fine.

        It's the same network, so I don't think it's a bandwidth, QoS or network connectivity issue.

        Any ideas? Recommendations will be appreciated.

      • Thanks for visiting my site. I am not certain how your virtual environment is configured with vSwitch/vDS and Cisco infrastructure. Have you checked the vSwitch properties for any security or firewall configuration? Upgrade VM Tools to the latest version. Use the VMXNET3 NIC. Check ESXi Host > Configuration > Network Adapter: is it full-duplex Gigabit? Do you manage bandwidth? Do you manage bandwidth on the Cisco side?
