Building Lync 2010 Server Infrastructure

This article describes the system requirements of Lync 2010 Server and the steps necessary to create a Lync 2010 topology in a production environment with a single forest, single domain topology.

Lync 2010 Server Roles: Lync 2010 is delivered through the following server roles.

  • Front End Server and Back End SQL Server
  • A/V Conferencing Server
  • Edge Server
  • Mediation Server
  • Monitoring Server
  • Archiving Server
  • Director

Lync 2010 Features:

  • Instant messaging (IM) and presence are always enabled
  • Audio Video Conferencing
  • Enterprise Voice is the voice over IP (VoIP) solution
  • Exchange UM features include enabling users to receive voice mail notices and listen to voice mail from Outlook or OWA, to access their Microsoft Exchange mailboxes using a telephone and to receive faxes in their Microsoft Exchange mailboxes.
  • Federated partner/supplier users can easily send and receive IM messages, invite each other to meetings and see each other’s presence.
  • IM and Enterprise Voice support for branch offices over the WAN link

Reference Topology with High Availability (figure)

How Lync 2010 Communication Works (figure)

Hardware Requirements:

| Hardware | Lync Front End | Director | DB, Archive, Monitor server |
|---|---|---|---|
| CPU | 64-bit processor | 64-bit processor | 64-bit processor |
| RAM | 16 GB | 4 GB | Min 16 GB for Archiving or Monitoring, max 32 GB |
| System partition | 72 GB free disk space | 72 GB free disk space | 72 GB free disk space |
| Additional partition | Separate page file partition | Separate page file partition | Separate page file partition + other partition for DB & data |
| Number of NICs (Gbps or higher) | 2 | 2 | 2 |

Operating Systems for Standard Front End, Director, Edge Server and Proxy Server:

  • Windows Server 2008 R2 Standard/Enterprise/Datacenter with SP
  • Windows Server 2008 Standard/Enterprise/Datacenter with SP

Client OS:

  • Windows 7 Pro/Enterprise with all patches installed via WSUS
  • Windows Mobile
  • IP phone such as an Aastra/Cisco desk phone set

Database Server:

  • Microsoft SQL Server 2008 R2 Standard/Enterprise with SP x64
  • Microsoft SQL Server 2005 Standard/Enterprise with SP3 x64

Additional Software:

  • Microsoft .NET Framework 3.5 with SP1
  • Silverlight 4.0
  • Windows PowerShell 2.0
  • Active Directory Administrative tools feature installed on Front End Server and Director
  • Microsoft Forefront Threat Management Gateway (TMG) 2010 software.

Internet Information Services (IIS): Front End Servers and Standard Edition servers must run Internet Information Services (IIS), with the following modules:

  • Static Content
  • Default Document
  • HTTP Errors
  • ASP.NET
  • .NET Extensibility
  • Internet Server API (ISAPI) Extensions
  • ISAPI Filters
  • HTTP Logging
  • Logging Tools
  • Tracing
  • Windows Authentication
  • Request Filtering
  • Static Content Compression
  • IIS Management Console
  • IIS Management Scripts and Tools
  • Anonymous Authentication (This is installed by default when IIS is installed.)
  • Client Certificate Mapping Authentication

Software installed automatically:

  • Microsoft Visual C++ 2008 Redistributable
  • Microsoft Visual J# version 2.0 Redistributable
  • URL Rewrite Module version 2.0 Redistributable
  • SQL Server 2008 Native Client

Network Requirements:

  • For public switched telephone network (PSTN) integration, you can integrate by using either T1/E1 lines or SIP trunking
  • Provision your network links to support throughput of 65 kilobits per second (Kbps) per audio stream and 500 Kbps per video stream, if enabled, during peak usage periods. A bidirectional audio or video session consists of two streams.
  • WAN links for branch servers
  • Reverse proxy server alongside the Edge Server

Supported configuration:

  • Windows Server 2008 R2, Windows Server 2008, or at least Windows Server 2003 native mode forest functional level
  • Single/Multiple Forests
  • Single/Multiple Domains
  • Federated Lync Server
  • DNS Load balancing

Unsupported Configuration:

  • x86 Windows Server 2008
  • x86 SQL Server database
  • Read-only domain controllers (RODC)

Virtualizing Lync 2010 Server: Microsoft Lync Server 2010 supports all workloads and server roles in both physical and virtualized topologies. User capacity in a virtualized topology is roughly 50 percent of the capacity in a physical topology. For details, see Running in a Virtualized Environment in the Planning for Other Features documentation.

Examples of SIP and Domain Name System (DNS) Requirements

| Item | Example |
|---|---|
| SIP domain | Microsoftguru.com.au |
| Front End pool | mypool.Microsoftguru.com.au |
| Director pool | dir-pool.microsoftguru.com.au |
| Edge pool | myedge.microsoftguru.com.au |

Examples of DNS Records and IPs

| FQDN | Internal IP Address | Routable Public IP |
|---|---|---|
| FrontEnd.Microsoftguru.com.au | 192.168.1.6 | x |
| Mediation.Microsoftguru.com.au | 192.168.1.7 | x |
| Director.Microsoftguru.com.au | 192.168.1.8 | x |
| Archiving.Microsoftguru.com.au | 192.168.1.9 | x |
| Monitor.Microsoftguru.com.au | 192.168.1.10 | x |
| Edge.microsoftguru.com.au | 192.168.1.11 | 203.9.x.1, 203.9.x.5, 203.9.x.3 |
| Proxy.microsoftguru.com.au | 192.168.1.12 | 203.9.x.4 |

(x = no public IP)

Important! Note that the Edge and reverse proxy servers are in a workgroup and use the microsoftguru.com.au DNS suffix.

Requirements of the DNS SRV Record for Client Auto-Login

| DNS SRV service record for automatic login | Value |
|---|---|
| SRV service | _sipinternaltls |
| Protocol | _TCP |
| FQDN | Lync.Microsoftguru.com.au |
| Port | 5061 |
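As an added example (not part of the original article), the following PowerShell script creates the internal A records from the DNS table above and the _sipinternaltls SRV record with dnscmd, then verifies that they resolve. It assumes it runs on a machine with the DNS Server tools installed, that the DNS server is named DC01 (an assumed name) and that the microsoftguru.com.au zone already exists.

```powershell
# Added example (not from the original article). Assumes the DNS Server tools (dnscmd) are
# installed, the DNS server is DC01 (assumed name) and the zone microsoftguru.com.au exists.
$DnsServer = "DC01"
$Zone      = "microsoftguru.com.au"

# Internal host records from the "Examples of DNS Records and IPs" table
# (public IPs are placeholders in the article, so only the internal addresses are created)
$ARecords = @{
    "FrontEnd"  = "192.168.1.6"
    "Mediation" = "192.168.1.7"
    "Director"  = "192.168.1.8"
    "Archiving" = "192.168.1.9"
    "Monitor"   = "192.168.1.10"
    "Edge"      = "192.168.1.11"
    "Proxy"     = "192.168.1.12"
}

foreach ($name in $ARecords.Keys) {
    & dnscmd $DnsServer /RecordAdd $Zone $name A $ARecords[$name]
}

# Client auto-logon SRV record from the table above:
# _sipinternaltls._tcp.<zone> -> port 5061 on Lync.<zone>
# dnscmd syntax: /RecordAdd <zone> <node> SRV <priority> <weight> <port> <target>
& dnscmd $DnsServer /RecordAdd $Zone "_sipinternaltls._tcp" SRV 0 0 5061 "Lync.$Zone"

function Test-LyncDnsRecords {
    param([string]$Zone, [hashtable]$Expected)
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $fqdn = "$name.$Zone"
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        } catch {
            $addrs = @()
        }
        if (@($addrs) -notcontains $Expected[$name]) {
            Write-Warning "$fqdn does not resolve to $($Expected[$name]) (got: $(@($addrs) -join ', '))"
            $ok = $false
        }
    }
    # nslookup prints "port = 5061" and "svr hostname = ..." for a resolved SRV record
    $srv = & nslookup -type=SRV "_sipinternaltls._tcp.$Zone" 2>&1 | Out-String
    if ($srv -notmatch "port\s*=\s*5061") {
        Write-Warning "SRV record _sipinternaltls._tcp.$Zone is missing or not on port 5061"
        $ok = $false
    }
    return $ok
}

Test-LyncDnsRecords -Zone $Zone -Expected $ARecords
```

The SRV target (Lync.Microsoftguru.com.au in the table) must itself resolve to the pool and appear in the pool certificate's SAN list, otherwise clients will find the record but fail the TLS connection.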

Necessary URLs and Ports

| Name | URL | Port |
|---|---|---|
| Administrative Access | https://admin.microsoftguru.com.au | 443 |
| Meeting | https://meet.microsoftguru.com.au | 443 |
| Phone Dial-in | https://dialin.microsoftguru.com.au | 443 |
| Edge Access | https://internal.microsoftguru.com.au (internal); http://external.microsoftguru.com.au (external: SIP, Web, A/V) | 4443, 4061, 444, 443 |
| Director | https://external1.microsoftguru.com.au | 443, 5060, 5061 |

Certificate Requirements for Internal Servers

| Certificate | Subject name / Common name | Example |
|---|---|---|
| Default | FQDN of the pool | SN=FrontEnd.microsoftguru.com.au; SAN=mypool.microsoftguru.com.au; SAN=sip.microsoftguru.com.au (if this pool is the auto-logon server for clients and strict DNS matching is required in the SAN) |
| Web Internal | FQDN of the server | SN=FrontEnd.microsoftguru.com.au; SAN=internal.microsoftguru.com.au; SAN=meet.microsoftguru.com.au; SAN=dialin.microsoftguru.com.au; SAN=admin.microsoftguru.com.au |
| Web Internal (using a wildcard certificate) | FQDN of the server | SN=FrontEnd.microsoftguru.com.au; SAN=internal.microsoftguru.com.au; SAN=*.microsoftguru.com.au |
| Web External | FQDN of the server | SN=FrontEnd.microsoftguru.com.au; SAN=external.microsoftguru.com.au; SAN=meet.microsoftguru.com.au; SAN=meet.fabrikam.com; SAN=dialin.microsoftguru.com.au |
| Web External (using a wildcard certificate) | FQDN of the server | SN=FrontEnd.microsoftguru.com.au; SAN=external.microsoftguru.com.au; SAN=*.microsoftguru.com.au |

Certificates for Director

| Certificate | Subject name / Common name | Example |
|---|---|---|
| Default | FQDN of the Director pool | SN=dir-pool.microsoftguru.com.au; SAN=dir-pool.microsoftguru.com.au (if this Director pool is the auto-logon server for clients and strict DNS matching is required in the SAN) |
| Web Internal | FQDN of the server | SN=Director.microsoftguru.com.au; SAN=Director.microsoftguru.com.au; SAN=meet.microsoftguru.com.au; SAN=dialin.microsoftguru.com.au; SAN=admin.microsoftguru.com.au |
| Web Internal (using a wildcard certificate) | FQDN of the server | SN=Director.microsoftguru.com.au; SAN=Director.microsoftguru.com.au; SAN=*.microsoftguru.com.au |
| Web External | FQDN of the server (the Director external web FQDN must be different from the Front End pool or Front End Server) | SN=Director.microsoftguru.com.au; SAN=external1.microsoftguru.com.au; SAN=meet.microsoftguru.com.au; SAN=dialin.microsoftguru.com.au |
| Web External (using a wildcard certificate) | FQDN of the server | SN=Director.microsoftguru.com.au; SAN=external1.microsoftguru.com.au; SAN=*.microsoftguru.com.au |
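Before assigning a certificate in the Deployment Wizard it is worth confirming that the issued certificate actually carries every name the tables above require. The following PowerShell script is an added example (not from the original article) that reads the subject CN and the Subject Alternative Name extension of a .cer file and checks them against the Front End Web Internal row, treating a wildcard SAN as covering a single DNS label only. The file path C:\frontend-web.cer is an assumption.

```powershell
# Added example (not from the original article): verify a certificate's CN and SANs against
# the names the tables above require. Path C:\frontend-web.cer is an assumption.
function Get-CertificateNames {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # Subject CN is the "SN=" column of the tables
    $cn = ($cert.Subject -split ",\s*" | Where-Object { $_ -like "CN=*" } | Select-Object -First 1) -replace "^CN=", ""
    if (-not $cn) { $cn = "" }
    # Subject Alternative Name extension (OID 2.5.29.17); Format() renders one "DNS Name=host" per entry
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sans = @()
    if ($sanExt) {
        $sans = [regex]::Matches($sanExt.Format($true), "DNS Name=([^\s,]+)") |
            ForEach-Object { $_.Groups[1].Value.ToLower() }
    }
    return @{ CN = $cn.ToLower(); SAN = @($sans) }
}

function Test-NameCovered {
    param([string]$Required, [string[]]$Names)
    $required = $Required.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $required) { return $true }
        if ($n.StartsWith("*.")) {
            # A wildcard SAN (*.microsoftguru.com.au) covers exactly one label: it matches
            # meet.microsoftguru.com.au but not a.b.microsoftguru.com.au
            $suffix = $n.Substring(1)
            if ($required.EndsWith($suffix)) {
                $label = $required.Substring(0, $required.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label -notmatch "\.") { return $true }
            }
        }
    }
    return $false
}

function Test-LyncCertificateNames {
    param([string]$Path, [string]$ExpectedCN, [string[]]$RequiredSans)
    $names = Get-CertificateNames -Path $Path
    $ok = $true
    if ($names.CN -ne $ExpectedCN.ToLower()) {
        Write-Warning "Subject CN is '$($names.CN)', expected '$ExpectedCN'"
        $ok = $false
    }
    foreach ($req in $RequiredSans) {
        if (-not (Test-NameCovered -Required $req -Names $names.SAN)) {
            Write-Warning "Missing SAN: $req"
            $ok = $false
        }
    }
    return $ok
}

# Front End "Web Internal" row of the table above
$webInternalSans = @(
    "internal.microsoftguru.com.au",
    "meet.microsoftguru.com.au",
    "dialin.microsoftguru.com.au",
    "admin.microsoftguru.com.au"
)
Test-LyncCertificateNames -Path "C:\frontend-web.cer" `
    -ExpectedCN "FrontEnd.microsoftguru.com.au" -RequiredSans $webInternalSans
```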

Port Requirements:

| Server role | Service name | Port | Protocol |
|---|---|---|---|
| Front End Servers | Lync Server Front-End service | 5060 | TCP |
| Front End Servers | Front-End service | 5061 | TCP (TLS) |
| Front End Servers | Front-End service | 444 | HTTPS (TCP) |
| Front End Servers | Lync Server Front-End service | 135 | DCOM and remote procedure call (RPC) |
| Front End Servers | Lync Server IM Conferencing service | 5062 | TCP |
| Front End Servers | Lync Server Web Conferencing service | 8057 | TCP (TLS) |
| Front End Servers | Web Conferencing Compatibility Service | 8058 | TCP (TLS) |
| Front End Servers | Lync Server Audio/Video Conferencing service | 5063 | TCP |
| Front End Servers | Lync Server Audio/Video Conferencing service | 57501-65335 | TCP/UDP |
| Front End Servers | Web Compatibility service | 80 | HTTP |
| Front End Servers | Lync Server Web Compatibility service | 443 | HTTPS |
| Front End Servers | Lync Server Conferencing Attendant service (dial-in conferencing) | 5064 | TCP |
| Front End Servers | Lync Server Conferencing Attendant service (dial-in conferencing) | 5072 | TCP |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5070 | TCP |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5067 | TCP (TLS) |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5068 | TCP |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5081 | TCP |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5082 | TCP (TLS) |
| Front End Servers | Lync Server Application Sharing service | 5065 | TCP |
| Front End Servers | Lync Server Application Sharing service | 49152-65335 | TCP |
| Front End Servers | Lync Server Conferencing Announcement service | 5073 | TCP |
| Front End Servers | Lync Server Call Park service | 5075 | TCP |
| Front End Servers | Audio Test service | 5076 | TCP |
| Front End Servers | Not applicable | 5066 | TCP |
| Front End Servers | Lync Server Response Group service | 5071 | TCP |
| Front End Servers | Lync Server Response Group service | 8404 | TCP (MTLS) |
| Front End Servers | Lync Server Bandwidth Policy Service | 5080 | TCP |
| Front End Servers | Lync Server Bandwidth Policy Service | 448 | TCP |
| Front End Servers where the Central Management store resides | CMS Replication service | 445 | TCP |
| All internal servers | Various | 49152-57500 | TCP/UDP |
| Directors | Lync Server Front-End service | 5060 | TCP |
| Directors | Lync Server Front-End service | 5061 | TCP |
| Mediation Servers | Lync Server Mediation service | 5070 | TCP |
| Mediation Servers | Lync Server Mediation service | 5067 | TCP (TLS) |
| Mediation Servers | Lync Server Mediation service | 5068 | TCP |
| Mediation Servers | Lync Server Mediation service | 5070 | TCP (MTLS) |

Required Client Ports

| Component | Port | Protocol |
|---|---|---|
| Clients | 67/68 | DHCP |
| Clients | 443 | TCP (TLS) |
| Clients | 443 | TCP (PSOM/TLS) |
| Clients | 443 | TCP (STUN/MSTURN) |
| Clients | 3478 | UDP (STUN/MSTURN) |
| Clients | 5061 | TCP (MTLS) |
| Clients | 6891-6901 | TCP |
| Clients | 1024-65535 * | TCP/UDP |
| Clients | 1024-65535 * | TCP/UDP |
| Clients | 1024-65535 * | TCP |
| Clients | 1024-65535 * | TCP |
| Aastra 6721ip common area phone, Aastra 6725ip desk phone, Polycom CX500 common area phone, Polycom CX600 desk phone | 67/68 | DHCP |

FF TMG 2010 Reverse Proxy Firewall Rule Configuration:

Edge External Interface

| Protocol | Port | Firewall direction | Description |
|---|---|---|---|
| HTTP | 80 | Out | Checking certificate revocation lists |
| DNS | 53 | Out | External DNS queries |
| SIP / TLS | 443 | In | Client to server SIP traffic for remote user access |
| SIP / MTLS | 5061 | In / Out | Federation and connectivity with a hosted service |
| PSOM / TLS | 443 | In | Remote user access to conferences for anonymous and federated users |
| RTP / TCP | 50,000 – 59,999 | Out | Media exchange |
| RTP / TCP | 50,000 – 59,999 | In | Media exchange required for Office Communications Server 2007 R2 interoperability |
| RTP / UDP | 50,000 – 59,999 | In / Out | Media exchange required for Office Communications Server 2007 interoperability |
| STUN / MSTURN / UDP | 3478 | In / Out | External user access to A/V sessions (UDP) |

Edge Internal Interface

| Protocol | Port | Firewall direction | Description |
|---|---|---|---|
| SIP / MTLS | 5061 | In / Out | SIP traffic |
| PSOM / MTLS | 8057 | Out | Web conferencing traffic from pool to Edge Server |
| SIP / MTLS | 5062 | Out | Authentication of A/V users (A/V authentication service) |
| STUN / MSTURN / UDP | 3478 | Out | Preferred path for media transfer between internal and external users (UDP) |
| STUN / MSTURN / TCP | 443 | Out | Alternate path for media transfer between internal and external users (TCP) |
| HTTPS | 4443 | Out | Pushing Central Management store updates to Edge Servers |
| HTTP | 80 | Out | Checking certificate revocation lists at the YVW Certificate Authority |

Reverse Proxy External Interface

| Protocol | Port | Firewall direction | Description |
|---|---|---|---|
| HTTP | 80 | In | (Optional) Redirection to HTTPS if a user accidentally enters http://<publishedSiteFQDN> |
| HTTPS | 443 | In | Address book downloads, Address Book Web Query service, client updates, meeting content, device updates, group expansion, dial-in conferencing, and meetings |

Reverse Proxy Internal Interface

| Protocol | Port | Firewall direction | Description |
|---|---|---|---|
| HTTPS | 4443 | In | Traffic sent to 443 on the reverse proxy external interface is redirected to a pool on port 4443 from the reverse proxy internal interface so that the pool web services can distinguish it from internal web traffic |
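The following PowerShell script is an added example (not part of the original article) that checks, from an internal server such as the Front End, that the outbound TCP ports in the Edge internal interface table above are reachable on the Edge Server; it is a quick way to validate the firewall rules before the Edge role is installed and the services are listening. It uses the article's Edge FQDN. UDP 3478 is not tested because a silent UDP port cannot be told apart from a filtered one with a plain socket.

```powershell
# Added example (not from the original article): TCP reachability check for the Edge internal
# interface ports listed in the firewall table above. Run from an internal Lync server.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        # No answer within the timeout usually means the port is filtered by a firewall
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Outbound TCP rows of the "Edge Internal Interface" table
$EdgeInternalPorts = @(
    @{ Port = 5061; Purpose = "SIP / MTLS" },
    @{ Port = 8057; Purpose = "PSOM / MTLS web conferencing" },
    @{ Port = 5062; Purpose = "A/V authentication service" },
    @{ Port = 443;  Purpose = "STUN / MSTURN TCP media fallback" },
    @{ Port = 4443; Purpose = "Central Management store replication" }
)

function Test-EdgeInternalPorts {
    param([string]$EdgeFqdn, [array]$Ports)
    $results = @()
    foreach ($p in $Ports) {
        $open = Test-TcpPort -Target $EdgeFqdn -Port $p.Port
        $results += New-Object PSObject -Property @{
            Port      = $p.Port
            Purpose   = $p.Purpose
            Reachable = $open
        }
    }
    return $results
}

Test-EdgeInternalPorts -EdgeFqdn "edge.microsoftguru.com.au" -Ports $EdgeInternalPorts |
    Format-Table Port, Reachable, Purpose -AutoSize
```

A port reported as unreachable before the Edge services are installed is expected to be refused rather than time out; a timeout points at the firewall rule rather than at the Edge Server.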

Install Lync Planning Tool: Microsoft Lync Server 2010 Planning Tool is a wizard that interactively asks you a series of questions about your organization, the Lync Server features you want to enable, and your capacity planning needs. It then creates a recommended deployment topology based on your answers, and produces several forms of output to aid your planning and installation.

Create a Topology: Topology Builder is an installation component of Lync Server 2010. You use Topology Builder to create, adjust and publish your planned topology. It also validates your topology before you begin server installations. When you install Lync Server on individual servers, the servers read the published topology as part of the installation process, and the installation program deploys the server as directed in the topology.

  • From the Microsoft Lync Server 2010 program group, open Planning Tool.
  • Start the Planning Tool wizard from the beginning by clicking the Get Started button.
  • Select Yes and click Next on the Audio and Video Conferencing page.
  • Select No and click Next on the Dial-In Conferencing page.
  • Select Yes and click Next on the Web Conferencing page.
  • Select No and click Next on the Enterprise Voice page.
  • Select No and click Next on the Call Admission Control page.
  • Select No and click Next on the Monitoring page.
  • Select No and click Next on the Archiving page.
  • On the Federation page, ensure that both boxes are selected and click Next.
  • Select No and click Next on the High Availability page.
  • Select Shared WAN and click Next on the Network Connection page.
  • Click Design Sites. On the Central Sites page, make the following changes:

Enter a descriptive name for Site Name, for example MyCompany or your company name.

Enter the number of users in your organization, for example 1000.

Under Online Collaboration, ensure that Dial-in Conferencing is unchecked.

Under Server Applications, uncheck Call Admission Control.

Click Next to continue.

  • On the SIP Domain page, enter the primary SIP domain. For example microsoftguru.com.au. Click Add then click Next.
  • On the Bandwidth Capacity Planning page, accept the default settings and continue.
  • On the Branch Office page, leave each field blank and continue.
  • On the External User Access page, uncheck Enable high availability for external users, click Finish, and then click Draw.
  • From the File menu, select Save Topology.
  • Create a backup of this topology named MyCompany.xml.

If you would like to create a design document, you can export the topology to Microsoft Visio or Microsoft Excel: from the File menu, select Export, then Export to Visio or Export to Excel.

View the site topology you just created by using Topology Builder

1. From the Planning Tool Actions pane, view the hardware resources required in this global topology.

2. Double-click on the MyCompany site.

3. Notice the three tabbed pages: Site Topology, Edge Network Diagram, Edge Admin Report at the bottom of the page.

4. On the Site Topology page, move the mouse pointer over icons for a description of each role.

5. Click an icon to see server and port requirements.

Modify Edge Network Diagram: Click the Edge Network Diagram tab and update the FQDN and IP addresses of each server role in the diagram by double-clicking the sample data shown in red.

| Role | FQDN | IP Address |
|---|---|---|
| Front End Lync Server | FrontEnd.microsoftguru.com.au | 192.168.1.6 |
| Director | director.microsoftguru.com.au | 192.168.1.8 |
| Reverse Proxy Server | proxy.microsoftguru.com.au | 192.168.1.12 (internal), 203.9.x.4 (external) |
| Edge Server | edge.microsoftguru.com.au | 192.168.1.11 (internal), 203.9.x.1 (access), 203.9.x.5 (web), 203.9.x.3 (av) |
| Reverse Proxy External FQDN | proxy.microsoftguru.com.au | 203.9.x.4 |
| External Access Edge service URL | external.microsoftguru.com.au | 203.9.x.1 |
| External Web Conferencing Edge service URL | external.microsoftguru.com.au | 203.9.x.5 |
| External A/V Edge service URL | External1.microsoftguru.com.au | 203.9.x.3 |

Review Edge Admin Report

  • Select the Edge Admin Report tab, and then click View to open the report in a browser window.
  • Review the certificate, firewall, and DNS entries.

Export Topology to Topology Builder

  • From the Planning Tool, select File>Export> Export to Topology Builder.
  • Click Yes on the Sample Data Warning dialog.
  • Save the file to the local machine. This lab will save the file as MyCompany.tbxml. Exit the Planning Tool.

Modify the Topology Using Topology Builder: Now import the topology from the Planning Tool and modify it in Topology Builder in preparation for publishing. Install Topology Builder and import the topology from the Planning Tool:

  • From the Standard Edition Server, open the Lync Server Deployment Wizard.
  • Select Install Topology Builder.
  • From the Microsoft Lync Server 2010 program group, open Lync Server Topology Builder.
  • Select Open Topology from a local file
  • From the Open dialog, navigate to the file you saved earlier. This lab used MyCompany.tbxml.

Edit Topology: After importing the topology file from the Planning Tool into Topology Builder, you must make some edits to the topology before you can publish it. In the left hand pane of Topology Builder you will see a few small red X marks indicating errors in the topology. To begin resolving these topology issues, follow the guidance below.

Modify Topology in Topology Builder

  • Open Topology Builder. Choose to open an existing file and select MyCompany.tbxml.
  • Expand the top node Lync Server 2010 and navigate to the Standard Edition Front End Servers node.
  • Select Front End Pool. From the Actions pane, select Edit Properties.
  • Under the General section, update the FQDN entry to the name of your Standard Edition Server. For this lab, specify FrontEnd.microsoftguru.com.au.
  • Under the Web Services section, update the External Web Services FQDN. For this lab, specify external.microsoftguru.com.au.
  • Navigate to the Director pools node, expand it and select Director.microsoftguru.com.au.
  • Select Edit Properties. Under the Web Services section, update the External Web Services FQDN. For this lab, specify external1.microsoftguru.com.au.
  • Click OK to exit the Edit Properties page.

Edit Edge pools

  • From Topology Builder, in the left hand pane, select Lync Server 2010.
  • Navigate down the tree until you reach Edge pools. Expand Edge pools and select the Edge Server edge.microsoftguru.com.au.
  • From the Actions pane, select Edit Properties. On the Edit Properties page, verify the following settings:

| Parameter | Value |
|---|---|
| Internal Server FQDN | edge.microsoftguru.com.au |
| Internal IP address | 192.168.1.11 |
| Enable federation for this Edge pool (Port 5061) | Enabled |
| NAT enabled public IP address used | 203.9.x.1, 203.9.x.5, 203.9.x.3 |
| Internal Configuration Replication Port (HTTPS) | 4443 |
| Next hop pool | director.microsoftguru.com.au (MyCompany) |
| Enable separate FQDN and IP address for web conferencing and A/V | Enabled |

| Service | FQDN | IP address | Port |
|---|---|---|---|
| SIP Access | internal.microsoftguru.com.au | 203.9.x.1 | 443 |
| Web Conferencing Edge service | external.microsoftguru.com.au | 203.9.x.5 | 443 |
| A/V service | External1.microsoftguru.com.au | 203.9.x.3 | 443 |

  • Click OK to close the Edit Properties page

Configure Administration URL

  • In Topology Builder, click Lync Server 2010 from the left hand pane.
  • Click Edit Properties>Click Simple URLs.
  • Under Administrative access URL: type https://admin.microsoftguru.com.au.
  • Click OK to close the Edit Properties window.

Review and Save Topology: The topology file should now be ready to be published. Validate that the topology settings are correct before publishing.

  • In Topology Builder, click Lync Server 2010. You should have the following settings configured:

    · Default SIP domain: microsoftguru.com.au
    · Phone access URLs: https://dialin.microsoftguru.com.au
    · Meeting URLs: https://meet.microsoftguru.com.au
    · Administrative access URL: https://admin.contos.net
    · Central Management Server: FrontEnd.microsoftguru.com.au

  • In the left pane of Topology Builder, navigate to Standard Edition Front End Servers.
  • Expand the node and select the FrontEnd.microsoftguru.com.au pool.
  • Verify the following settings:

| Parameter | Value |
|---|---|
| FQDN | FrontEnd.microsoftguru.com.au |
| IP addresses | Use all configured |
| Instant messaging and presence | Enabled |
| Conferencing | Enabled |
| SQL Store | FrontEnd.microsoftguru.com.au\rtc |
| File store | \\FrontEnd.microsoftguru.com.au\share |
| Edge pool | myedge.microsoftguru.com.au (MyCompany) |
| Internal web services | Listening ports: HTTP 80, HTTPS 443 |
| External web services | FQDN: external.microsoftguru.com.au; FQDN: external1.microsoftguru.com.au; listening ports: HTTP 8080, HTTPS 4443 |
| Conferencing | All four services enabled |
| Collocated Mediation Server | Disabled |

Prepare first Standard Edition Server

  • On the Standard Edition Server, open the Lync Server Deployment Wizard.
  • Select Prepare first Standard Edition Server and click Next to install the initial Central Management Store.

Publish Topology

  • From Topology Builder, select Lync Server 2010.
  • From the Actions pane, select Publish Topology and click Next.
  • On the Select Central Management Server page, ensure that FrontEnd.microsoftguru.com.au is selected and continue.

The following URLs will be handy once you have built your topology:

  • Deploy Lync Edge Server
  • Deploy Lync Director Server
  • Install and Configure Lync Front End Server
  • Lync 2010 Planning Tool
  • Download Microsoft Lync Server 2010 180-Day Trial
  • Microsoft Lync Server 2010 Mobility Service and Microsoft Lync Server 2010 Autodiscover Service
  • Microsoft Lync Server 2010 Mobility Guide

Deploy Lync 2010 Edge Server

Prerequisites: Before you configure external client access, you will need the servers and clients required in the internal deployment of Lync Server 2010, plus the following:

  • A domain controller running Windows Server 2008 R2, configured as a domain controller, DNS server, and certification authority (CA).
  • A Standard Edition Server running Windows Server 2008 R2 on which you will install Lync Server 2010.
  • A Lync Director Server installed and operational.
  • The Lync Director prepared and published in Microsoft Active Directory.
  • An Edge Server running the Windows Server 2008 operating system on which you will install the Lync Server 2010 Edge Server role.
  • A reverse proxy server running the Windows Server 2008 operating system on which you will install a reverse proxy using FF TMG 2010.
  • The FF TMG 2010 reverse proxy and Lync Edge Servers running as members of the same workgroup.
  • The Edge Server and reverse proxy are multi-homed and have an internal interface connected to the internal domain.


Picture: Successfully published Edge Topology

Step 1: Configure Internal and External Network Interface Cards

1. Verify that two network adapters are installed in the Edge Server, one for the internal-facing interface and one for the external-facing interface. The internal and external subnets must not be routable to each other.

2. On the external interface, configure three static IP addresses on the external perimeter network subnet, matching the static IP addresses published for the Edge pool.

3. On the internal interface, configure one static IP address on the internal perimeter network subnet and do not set a default gateway. Leave the adapter DNS settings empty.

Step 2: DNS Records for Edge Support. Verify that the following DNS entries match the external topology shown earlier in the standard Lync Server deployment. The DNS A and SRV records have been created and are available to the internal and external networks via the reverse proxy.

| Description | FQDN | IP Address |
|---|---|---|
| Proxy Server internal interface | proxy.yourdomain.com.au | 192.168.100.4 |
| Edge Server internal interface | edge.yourdomain.com.au | 192.168.100.5 |
| Web services external URLs | external.yourdomain.com.au; external1.yourdomain.com.au | 192.168.100.4; 192.168.100.4 |

Step 3: Configure the DNS Suffix for Edge Servers

1. On the Edge Server computer, click Start, right-click Computer, and then click Properties.

2. Under Computer name, domain, and workgroup settings, click Change settings.

3. On the Computer Name tab, click Change.

4. In the Computer Name/Domain Changes dialog box, click More.

5. In the DNS Suffix and NetBIOS Computer Name dialog box, in Primary DNS suffix of this computer, type yourdomain.com.au and then click OK three times.

6. Restart the computer.

Step 4: Export and Make Your Topology Data Available on an Edge Server

1. From the Standard Edition Server, open the Lync Server 2010 Management Shell.

2. In the Lync Server 2010 Management Shell, running as an administrator, run the following cmdlet:

Export-CsConfiguration -FileName c:\configuration.zip

3. Copy the exported file to c:\configuration.zip on the Edge Server.

Step 5: Request the Root Certificate Chain from the Internal Enterprise CA

1. From the Standard Edition Server, click Start, click Run, type http://lab-pdc.contoso.net/certsrv and then click OK.

2. Under Select a task, click Download a CA certificate, certificate chain, or CRL.

3. Under Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.

4. In the File Download dialog box, click Save. Save the .p7b file as certchain.p7b to the hard drive on the server, and then copy it to a folder on your Edge Server.

Step 6: Install and Deploy Edge Servers

1. Log on to the Edge Server as a member of the local Administrators group or an account with equivalent permissions. From the installation media, run Setup.exe. Install the Visual C++ 2008 Redistributable if asked.

2. Select the default installation directory and begin the installation.

3. Ensure that the topology configuration file c:\configuration.zip that you created using Topology Builder is available on the Edge Server.

4. Open the Lync Server Deployment Wizard.

5. In the Deployment Wizard, click Install or Update Lync Server System. After the wizard determines the deployment state, click Step 1: Install Local Configuration Store.

6. In the Local Server Configuration dialog box, click Local configuration from a file, and then browse to c:\configuration.zip. The Deployment Wizard reads the configuration information from the configuration file and writes the XML configuration file to the local computer.

7. In the Deployment Wizard, click Step 2: Set Up or Remove Lync Server Components. The Deployment Wizard installs the Lync Server Edge components specified in the XML configuration file that is stored on the local computer.

8. Close the Deployment Wizard.

Step 7: Install Certificates for the Internal Edge Interface

1. On the Edge Server, open the Microsoft Management Console (MMC) by clicking Start, clicking Run, typing mmc in the Open box, and then clicking OK.

2. On the File menu, click Add/Remove Snap-in, and then click Add.

3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.

4. In the Certificate snap-in dialog box, click Computer account, and then click Next.

5. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.

6. Click Close, and then click OK.

7. In the console tree, expand Certificates (Local Computer), right-click Trusted Root Certification Authorities, point to All Tasks, and then click Import.

8. In the wizard, in File to Import, specify the file name of the certificate chain, certchain.p7b.

9. Select Place all certificates in the following store and click Next.

10. Click Finish and verify that the import was successful.

Step 8: Create the Certificate Request for the Internal Interface

1. On the Edge Server, open the Deployment Wizard, and next to Step 3: Request, Install, or Assign Certificates, click Run. Click Request.

2. On the Delayed or Immediate Requests page, click Prepare the request now, but send it later.

3. On the Certificate Request File page, type the full path and file name to which the request is to be saved (for example, c:\internal.req).

4. On the Specify Alternate Certificate Template page, click Next.

5. On the Name and Security Settings page, do the following: in Friendly name, type InternalEdge; in Bit length, keep the default of 2048; clear the Mark certificate private key as exportable check box and click Next.

6. On the Organization Information page, type Contoso for the Organization name and Marketing for the Organizational Unit name.

7. On the Geographical Information page, specify:

Country/Region: Australia

State/Province: WA

City/Locality: Perth

8. On the Subject Name/Subject Alternate Names page, click Next.

9. On the Configure Additional Subject Alternate Names page, click Next.

10. On the Request Summary page, review the certificate information to be used to generate the request.

11. After the commands complete, click Next.

12. On the Certificate Request File page, click Finish.

Step 9: Copy the Certificate Request to Your CA and Create a Certificate for the Internal Interface

1. Copy internal.req from the Edge Server to a location on your Domain Controller (c:\internal.req).

2. On the Domain Controller, open Certification Authority from the Administrative Tools group.

3. Right-click Contoso CA, select All Tasks, then Submit new request.

4. In the Open Request File page, browse to c:\internal.req.

5. Save the certificate as c:\internal.cer.

6. Copy c:\internal.cer to c:\internal.cer on the Edge Server.

Step 10: Import the Certificate and Assign It to the Internal Interface

1. In the Deployment Wizard, next to Step 3: Request, Install, or Assign Certificates, click Run. On the Certificate Wizard page, click Import Certificate.

2. On the Import Certificate page, type the full path and file name of the certificate that you requested and received for the internal interface. This lab used c:\internal.cer.

3. Click Next twice and then Finish. Click Assign. You should see the internal certificate listed. Click Next to assign it to the internal Edge interface.

Step11:Create the certificate request for the external interface

1. On the Edge Server, open the Deployment Wizard, and next to Step 3: Request, Install, or Assign Certificates, click Run. Select External Edge Certificate. Click Request.

36

37

2. On the Delayed or Immediate Requests page, click Prepare the request now, but send it later.

38

3. On the Certificate Request File page, type the full path and file name to which the request is to be saved (for example, c:external.req).

4. On the Specify Alternate Certificate Template page, click Next.

5. On the Name and Security Settings page, do the following:

In Friendly name, type ExternalEdge.

In Bit length, select the default of 2048.

Clear the Mark certificate private key as exportable check box and click Next.

6. On the Organization Information page, type Contoso for the Organization name, and Contoso for the Organizational Unit.

7. On the Geographical Information page, specify:

Country/Region: Australia

State/Province: WA

City/Locality: Perth

8. On the Subject Name/Subject Alternate Names page, click Next.

9. On the SIP Domain Setting page, select Contoso.net.

10. On the Configure Additional Subject Alternate Names page, click Next.

11. On the Request Summary page, review the certificate information to be used to generate the request.

12. After the commands complete, click Next.

13. On the Certificate Request File page, click Finish.

Step12: Copy the certificate request to your CA and create a certificate for the external interface

1. Copy external.req from the Edge Server to a location on your Domain Controller (for example, c:\external.req).

2. On the Domain Controller, open CA from the Administrative Tools group.

3. Right-click on Contoso CA, select All Tasks, then Submit new request.

4. In the Open Request File page, browse to c:\external.req.

5. Save the certificate as c:\external.cer.

6. Copy c:\external.cer to c:\external.cer on the Edge Server.

Step13: Import the certificate and assign it to the external interface

1. In the Deployment Wizard, next to Step 3: Request, Install, or Assign Certificates, click Run.

2. In the Certificate Wizard page, click Import Certificate.

3. On the Import Certificate page, type the full path and file name of the certificate that you requested and received for the external interface. This lab used c:\external.cer.

4. Click Next twice and then Finish.

5. Click Assign.

6. You should see external listed. Click Next to assign it to the external Edge interface.
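Steps 11 to 13 can also be carried out from the command line, which makes it easier to inspect the issued certificate before it is trusted by the Edge Server. The script below is an added example, not part of the original article: it submits the request to the CA with certreq.exe, then, on the Edge Server in the Lync Server Management Shell, checks the subject alternative names and validity window, imports the certificate with Import-CsCertificate, confirms the private key is bound, and assigns the certificate with Set-CsCertificate. The CA host name DC01.contoso.net, the expected SAN entries and the 30-day expiry threshold are assumptions; the CA name, file paths and SIP domain are the lab values from the article.

```powershell
# Added example (not from the original article). Assumed values are marked.

# --- Part 1: on the Domain Controller / CA (replaces Step 12, items 2-5) ---
$CaConfig = "DC01.contoso.net\Contoso CA"   # host name is a placeholder; CA name is from the article
& certreq.exe -submit -config $CaConfig "c:\external.req" "c:\external.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }

# --- Part 2: on the Edge Server, in the Lync Server Management Shell (Step 13) ---
$CerPath = "c:\external.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# Subject Alternative Name extension (OID 2.5.29.17), formatted one name per line
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { "" }

Write-Host "Subject : $($cert.Subject)"
Write-Host "Valid   : $($cert.NotBefore) -> $($cert.NotAfter)"
Write-Host "SANs    :`n$sanText"

# Names the certificate must carry for this Edge Server. Assumed values:
# the wizard adds sip.<SIP domain> when the SIP domain is selected in Step 11,
# and clients connect to the external Edge FQDN.
$RequiredNames = @("sip.contoso.net", "edge.contoso.net")
foreach ($name in $RequiredNames) {
    if ($sanText -notmatch [regex]::Escape($name)) {
        throw "Certificate is missing the SAN entry $name; do not assign it"
    }
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Certificate expires within 30 days; request a new one instead"
}

# Import pairs the issued certificate with the private key generated in Step 11
Import-CsCertificate -Path $CerPath

# The request was created with a non-exportable key; confirm the key is bound
$installed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed -or -not $installed.HasPrivateKey) {
    throw "No private key is bound to thumbprint $($cert.Thumbprint)"
}

# Assign to the external Edge uses covered by the single ExternalEdge certificate
Set-CsCertificate -Type AccessEdgeExternal, DataEdgeExternal, AudioVideoAuthentication `
                  -Thumbprint $cert.Thumbprint

# Final state: every use, with the thumbprint and expiry that monitoring should track
Get-CsCertificate | Format-Table Use, Thumbprint, Subject, NotAfter -AutoSize
```

Checking the SAN list and expiry before Import-CsCertificate matters because an Edge certificate that is missing a name is only discovered when remote clients fail to sign in, and the thumbprint printed at the end is the value to record for certificate-expiry monitoring.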

Step14: Start Edge Servers

1. On each Edge Server, in the Deployment Wizard, next to Step 4: Start Services, click Run.

2. On the Start Lync Server 2010 Services page, review the list of services, and then click Next to start the services.

3. After the services are started, to view the log for the service start-up, click View Log.

4. To close the wizard, click Finish.

Install and Configure Lync Server 2010—Step by Step

Microsoft Lync Server is the next generation unified communication server. In this article, I will design and deploy Lync Server 2010 on a test platform. You can follow through this article to make up your own Lync Server and modify your design according to your need.

Step1: Prepare a Design. Download Microsoft Lync Server 2010, Planning Tool and assess your company's need for Unified Communication.

In this design, I have shown a full scale deployment of Lync Server. However, you can choose to deploy the Standard Edition of Lync. Once you have designed Lync Server, you need to create a list of IP addresses, FQDNs and certificates, or you might write project documents and a Visio design. A sample follows.

SIP Domain   Microsoftguru.com.au
Lync Pool    MyLync.Microsoftguru.com.au

FQDN                              Internal IP Address   External IP Address
Lync.Microsoftguru.com.au         192.168.1.6           x
Mediation.Microsoftguru.com.au    192.168.1.7           x
Director.Microsoftguru.com.au     192.168.1.8           x
Archiving.Microsoftguru.com.au    192.168.1.9           x
Monitor.Microsoftguru.com.au      192.168.1.10          x
Edge.Microsoftguru.com.au         192.168.1.11          192.168.100.11

Necessary URLs and Ports

Name                     URL                                                       Port
Administrative Access    https://admin.microsoftguru.com.au                        443
Meeting                  https://meet.microsoftguru.com.au                         443
Phone Dialin             https://dialin.microsoftguru.com.au                       443
Edge Access              https://edge.microsoftguru.com.au (internal)              4443, 4061, 444, 443
                         http://web.microsoftguru.com.au (External-SIP, Web, AV)
DNS SRV Service record   SRV Service: _sipinternaltls, Protocol: _TCP,             5061
                         FQDN: Lync.Microsoftguru.com.au

Important! All the CNAME and HOST (A) records must be present on the internal DNS server. For external client access you must host all CNAME records and public IP addresses through your ISP. Don't worry about the IP addresses I mentioned here; on a practical project they will be different for sure.

SQL & File

Name   FQDN                          Instances/Share
SQL    Lync.Microsoftguru.com.au     RTC
File   Lync.Microsoftguru.com.au     Share

Other Servers

Domain Controller       DC.Microsoftguru.com.au
Certificate Authority   MyCA.Microsoftguru.com.au
Frontend TMG            TMG1.Microsoftguru.com.au
Backend TMG             TMG2.Microsoftguru.com.au
Reverse Proxy           TMG3.Microsoftguru.com.au

Step2: Collect Prerequisites

Before you can actually deploy Lync Server 2010 you need to download the following prerequisites, install them and prepare the environment.

  • Windows Server 2008 R2 x64 Lync Server Roles
  • Windows 7 installed on client computers.
  • .NET 3.5 SP1 installed on all servers.
  • Microsoft Silverlight browser plug-in installed on Standard Edition Server and Director
  • Active Directory Administrative tools feature installed on Standard Edition Server and Director
  • All clients and servers are up to date with patches from Windows Update.
  • Domain controller is running Windows Server 2008 R2 or Windows Server 2008 configured as a DC, DNS and CA
  • FF TMG 2010 is running on Windows Server 2008 R2
  • Service Account or Management user account as Domain Admin

A typical Installation of Lync Server involves completion of the following installation Wizard shown as 1, 2 and 3.

Step3: Understanding Lync Server Roles

Internal Users: Lync Server Standard can provide IM, A/V Conferencing, Web Conferencing

External Users: Edge Server, Director and reverse-proxy server provide remote user access, federation, and conferencing

Step4: DNS Creation. You must create all the DNS records: the HOST (A) records, the CNAME records and the SRV service location record. I am showing the DNS SRV record here; you can create the Alias (CNAME) records and Host (A) records yourself. To create a DNS SRV record:

  • On the DNS server, click Start Menu >click Control Panel>click Administrative Tools>click DNS
  • In the console tree for your SIP domain, expand Forward Lookup Zones>right-click the SIP domain in which your Lync Server will be installed> Click Other New Records.
  • In Select a resource record type>click Service Location (SRV)>click Create Record>Click Service and type _sipinternaltls.
  • Click Protocol and type _tcp.
  • Click Port Number, and type 5061
  • Click Host offering this service> type the FQDN of the pool
  • Click OK>Click Done.
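The same SRV record can be created and, more importantly, verified from the command line. The script below is an added example rather than part of the article: it uses dnscmd.exe, which is present on a Windows Server 2008 R2 DNS server, to add the _sipinternaltls._tcp record with the values from the steps above, then queries it back with nslookup the way a client would and checks that the target pool name itself resolves. The zone and pool FQDN are the article's design values; the DNS server name dc.microsoftguru.com.au is taken from the "Other Servers" table.

```powershell
# Added example (not from the original article): create and verify the Lync
# internal SRV record. Values come from the article's design table.
$Zone      = "microsoftguru.com.au"
$PoolFqdn  = "lync.microsoftguru.com.au"
$DnsServer = "dc.microsoftguru.com.au"

# SRV data fields in dnscmd order: priority weight port target
$Priority = 0
$Weight   = 0
$Port     = 5061

# Node name is relative to the zone, giving _sipinternaltls._tcp.<zone>
& dnscmd.exe $DnsServer /RecordAdd $Zone "_sipinternaltls._tcp" SRV $Priority $Weight $Port $PoolFqdn
if ($LASTEXITCODE -ne 0) { throw "dnscmd /RecordAdd failed with exit code $LASTEXITCODE" }

# Query the record back from the server the clients will use.
# nslookup prints "port = 5061" and "svr hostname = <target>" for SRV answers.
$answer = & nslookup.exe -type=SRV "_sipinternaltls._tcp.$Zone" $DnsServer 2>&1 | Out-String
if ($answer -notmatch [regex]::Escape($PoolFqdn) -or $answer -notmatch "port\s*=\s*$Port") {
    throw "SRV record did not resolve as expected:`n$answer"
}
Write-Host "_sipinternaltls._tcp.$Zone -> ${PoolFqdn}:$Port verified on $DnsServer"

# The SRV target is useless unless the pool name has its own HOST (A) record
$hostAnswer = & nslookup.exe $PoolFqdn $DnsServer 2>&1 | Out-String
if ($hostAnswer -match "can't find") { throw "No HOST (A) record for $PoolFqdn on $DnsServer" }
Write-Host "HOST (A) record for $PoolFqdn present"
```

Keep the SRV target inside the SIP domain's own zone: the Lync client compares the target's domain with the SIP domain of the sign-in address and will not silently follow a record that points into an unrelated domain, so a mismatch shows up as a sign-in failure that looks like a certificate problem.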

Step5: Prepare Environment. Prior to deployment, you must install all the servers on their required platform and join them to the domain. On the Lync Server, install the following Windows roles and features:

  • IIS 7.0
  • Active Directory Admin Tools
  • SQL Server 2008 with Native Tools (Available in Lync ISO )
  • Windows PowerShell
  • Enable Remote Admin
  • Prepare File Share

On the Standard Edition server, create a file share named share. Configure the administrator account to have full rights and everyone else to have read-only privileges. On the Standard Edition server and Director, enable remote administration of the server. Allow Windows Firewall exceptions for SQL Server and remote administration: open a Command Prompt on the Lync Server as an Administrator and type the following

netsh firewall set portopening protocol = TCP port = 1433 name = SQLPort mode = ENABLE scope = SUBNET profile = CURRENT

and

netsh advfirewall firewall add rule name = SQLPort dir = in protocol = tcp action = allow localport = 1433 remoteip = localsubnet profile = DOMAIN

To create an exception for SQL Server in Windows Firewall, follow these steps:

  • In Windows Firewall, click the Exceptions tab>click Add Program.
  • In the Add a Program window, click Browse.
  • Click the C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe executable program, click Open, and then click OK.

Open SQL Server Configuration Manager>Expand SQL Server Network Configuration>Select Protocols>Enable TCP/IP

Step6: Prepare Domain, Forest and Schema

Insert Lync Server DVD>Run Lync Server 2010 Setup

Click on Prepare Active Directory. Follow the screenshots. Run Prepare Schema, Prepare Domain, Prepare Forest.

Step7: Lync Server Privileged Access

Now open the Active Directory Users and Computers console. Add the user accounts of whoever will install Lync Server and administer Lync Server to the following groups:

  • CSAdministrator
  • RTCUniversalServerAdmins
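For more than one or two accounts it is quicker, and easier to audit, to grant these memberships from the Active Directory module for Windows PowerShell (available through RSAT on Windows Server 2008 R2). The script below is an added example, not from the article: it adds the named accounts to the two groups the article lists, fails early if Prepare Forest has not created the groups yet, and prints the resulting membership so that unexpected members stand out. The account names lyncsetup and lyncadmin are placeholders.

```powershell
# Added example (not from the original article): grant Lync deployment and
# administration rights to the accounts that need them, then review membership.
Import-Module ActiveDirectory

$LyncAdmins = @("lyncsetup", "lyncadmin")   # placeholder sAMAccountNames
$Groups     = @("CSAdministrator", "RTCUniversalServerAdmins")   # groups named in the article

foreach ($groupName in $Groups) {
    # Both groups are created by Prepare Forest (Step6); stop if they are missing
    $group = Get-ADGroup -Filter { Name -eq $groupName } -ErrorAction Stop
    if (-not $group) { throw "Group '$groupName' not found. Did Prepare Forest complete?" }

    foreach ($account in $LyncAdmins) {
        # Get-ADUser throws if the account does not exist, so a typo cannot be added silently
        $user = Get-ADUser -Identity $account -ErrorAction Stop
        Add-ADGroupMember -Identity $group -Members $user
    }

    # Review the full membership, not just the accounts added now
    $members = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
    Write-Host ("{0}: {1}" -f $group.Name, ($members -join ", "))
}
```

Group membership is read into the logon token, so the accounts must log off and on again before the new rights take effect on the Lync Server. RTCUniversalServerAdmins is needed for the deployment itself; once the servers are built, day-to-day administrators can be kept in CSAdministrator or a narrower Lync role group and removed from RTCUniversalServerAdmins.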

Step8: Create a Topology using Topology Builder

In this step, we’ll use the Planning Tool to define our initial topology. The Planning Tool populates the topology with some initial sample data that will be exported to Topology Builder. Once you import .xml file in Topology Builder, you can edit Topology according to desired IP, Port and URLs.

To configure Admin Site, In Topology Builder, click Lync Server 2010 from the left hand pane>Click Edit Properties>Click Simple URLs. Under Administrative access URL: type https://admin.contoso.net. Click OK to close the Edit Properties window.

Step9: Deploy Lync Server 2010 Standard Edition

Now that the topology has been published to the Central Management Store, you must install a local replica on the Standard Edition Server, followed by the Director. Additionally, you can install the core components and start the services.

On the Deployment Wizard page, click Install or Update Lync Server System. On the Lync Server 2010 page, Install Local Configuration Store, click Run. On the Local Server Configuration page, ensure that the Retrieve configuration automatically from the Central Management Store option is selected, and then click Next. When the Local Server Configuration installation is complete, click Finish.

Next to Setup or Remove Lync Server Components, click Run. On the Setup Lync Server Components page, click Next to set up components as defined in the published topology. When Lync Server components setup completes, click Finish.

In the Lync Server Deployment Wizard, Request, Install or Assign Certificates, click Run.

On the Certificate Wizard page, click Request>click Next.

On the Delayed or Immediate Requests page, accept the default Send the request immediately option, and then click Next>accept the default. On the Certification Authority Account page, click Next. On the Name and Security Settings page, for Friendly Name enter Lync Server, accept the remaining defaults, and then click Next.

On the Organization Information page, optionally provide organization information>click Next. On the Geographical Information page>provide State, Country, City, click Next>click Next. On the SIP Domain setting page, select the SIP Domain and then click Next>click Next. On the Certificate Request Summary page, click Next>click Next>click Finish. On the Certificate Assignment page, click Next>click Next>click Finish>click Close.

In the Lync Server Deployment Wizard, on the Lync Server 2010 page, click the Run button>Click Start Services. On the Start Services page, click Next to start the Lync Server services on the server. On the Executing Commands page, after all services have started successfully, click Finish.

In the Lync Server Deployment Wizard, Start Services>Click Run

Open Command Prompt>Type Services.msc and hit Enter. Now check that all the services related to Lync Server are running.

Click on Start Menu>Click All Program>Click Lync Server 2010>Click Lync Server Control Panel

Click Users>Find Active Directory test users>Enable users for Lync Server.

Define SIP Domain, Log on format and Lync Pool. Click Enable.
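The same three choices (SIP domain, sign-in address format, Lync pool) can be applied to a whole set of test accounts at once from the Lync Server Management Shell. The script below is an added example, not from the article: it finds accounts in a test OU that are not yet enabled for Lync, enables them with Enable-CsUser against the article's pool and SIP domain using the sAMAccountName@domain address format, and lists the resulting SIP addresses so they can be checked before anyone signs in. The OU distinguished name is a placeholder; the pool and SIP domain are the article's design values.

```powershell
# Added example (not from the original article): bulk-enable test users for Lync
# with the same settings the article selects in the Lync Server Control Panel.
$Pool      = "lync.microsoftguru.com.au"
$SipDomain = "microsoftguru.com.au"
$TestOu    = "OU=Lync Test Users,DC=microsoftguru,DC=com,DC=au"   # placeholder OU

# Restrict the change to one OU and to accounts not already enabled for Lync;
# Get-CsAdUser returns $null/False in Enabled for users without Lync settings.
$candidates = Get-CsAdUser -OU $TestOu | Where-Object { -not $_.Enabled }

if (-not $candidates) {
    Write-Host "No un-enabled accounts found in $TestOu"
}

foreach ($account in $candidates) {
    # SipAddressType SamAccountName produces <sAMAccountName>@<SipDomain>,
    # matching the "Use format: <SAMAccountName>@" option in the Control Panel
    Enable-CsUser -Identity $account.Identity `
                  -RegistrarPool $Pool `
                  -SipAddressType SamAccountName `
                  -SipDomain $SipDomain
    Write-Host "Enabled $($account.SamAccountName) on $Pool"
}

# Confirm SIP address and pool for every Lync-enabled account in the OU
Get-CsUser -OU $TestOu | Format-Table DisplayName, SipAddress, RegistrarPool, Enabled -AutoSize
```

Scoping the query to a dedicated test OU keeps the run from enabling production accounts by accident, and the final listing is the set of sign-in addresses to hand to testers in the next step.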

Step10: Install Lync Client and Test Lync

Install Lync Client on any Windows 7 client in the SIP domain. Click Start Menu>Click All Programs>Click Microsoft Lync Client>Click Tools>Click Options as shown in the picture.

Click Manual Configuration>Type Lync.Microsoftguru.com.au>Click Ok.

Type sign-in address as test.account@microsoftguru.com.au

Type the user name as microsoftguru\test and the password. Click Sign-in. You are now logged on to Lync Client.

Relevant References:

Microsoft Lync Server 2010

Lync Server 2010 AD Guide

SQL Server 2008 SP1

Microsoft Lync Server 2010, Planning Tool

How to Configure Reverse proxy Using TMG 2010

Install and Configure TMG 2010

Exchange 2010 UM

Back to Back DMZ