Publishing Lync with Forefront TMG (part 1)
Written by Silverdrake, 26 April 2012 · 941 views
Introduction
This is part 1 of 5 in a series that describes how to publish Lync Web Services and Lync Edge with a Microsoft Forefront TMG 2010 server.
I will go through the steps necessary to publish Microsoft Lync with Forefront TMG in a NAT scenario. I will also try to clarify some things with Lync Edge in a NAT situation that I found a bit confusing. Hopefully this helps a bit! I am not sure that this configuration is officially supported but as far as I can see it is working fine.
This guide will not go through each and every step that is needed to set up Lync or TMG as there are plenty of guides covering that on the Internet already. I will just try to clarify some things that I found confusing during my deployment.
Part 1 - Covers the initial configuration of Forefront TMG
Part 2 - Publishing Lync Web Services with Forefront TMG
Part 3 - Creating the protocols needed for publishing Lync Edge server
Part 4 - Publishing Lync Edge server with Forefront TMG
Part 5 - Installing Lync Front End and Lync Edge
The internal AD domain is called domain.local
The external DNS domain is domain.se
If you have a set of public routable IP addresses to use on DMZ1, it is fully possible, and a bit easier, to do so in this design as well. However, this article is meant to show how to do it with NAT.
Forefront TMG is set up with four NICs: one facing the Internet, two perimeter (DMZ1 & DMZ2) and one internal. Lync Edge has one NIC connected to DMZ1 and one to DMZ2. It is possible to use just one DMZ, either by connecting both Lync Edge NICs to the same network or by connecting the Lync Edge internal interface to the internal network, but it is easier and more secure to use two DMZs. The reference designs by Microsoft indicate that you should have two firewalls, one facing the Internet and the other facing the internal network, with Lync Edge in the middle. I do not think that there are many small/medium companies with a setup like that. However, this guide would work fine in that case as well; you just need to figure out which rules to put on each firewall.
Illustration of the setup.
Install Forefront TMG
On a fresh Windows Server 2008 R2 that will be your TMG, start by configuring the four interfaces:

Interface       IP              Mask            Gateway    DNS
Labb External   10.0.0.2        255.255.255.0   10.0.0.1   -
                Additional IPs: 10.0.0.10, 10.0.0.11, 10.0.0.12
Labb DMZ1       172.16.0.1      255.255.255.0   -          -
Labb DMZ2       192.168.90.1    255.255.255.0   -          -
Labb Internal   192.168.100.1   255.255.255.0   -          192.168.100.5 (DC)
Join the computer to the domain.
Install Forefront TMG
Warning: If you install IE 9 on your TMG you might run into problems. The management interface for TMG stops working and you need to do a hack to get it working again! http://blogs.technet.com/b/asiasupp/archive/2011/04/29/internet-explorer-9-ie9-and-forefront-tmg-2010.aspx
Run through the Getting started wizard
Select 3-leg perimeter as a starting point
Select your internal interface
Select your external interface.
Select your DMZ1 interface. Under "What type of IP addresses do servers in the Perimeter network use?" select "Private"
Finish the wizard and go through steps 2 and 3.
Open the Network section in TMG and rename Perimeter to DMZ1.
Click "Create a new network"
Name: DMZ2
Select Perimeter network.
Add the address range for your second DMZ and then finish this wizard.
Switch to the Network Rules tab and edit the rule "Perimeter to External"
Add DMZ2 to Source Networks
Edit the rule "Internal to Perimeter"
Add DMZ2 to Destination Networks.
If you like you can add a route relationship between DMZ1 and DMZ2 but that is not necessary for this guide.
Switch to the Firewall Policy section and select the Toolbox tab.
Create these five Computers under Network Objects:
Lync Access Edge 172.16.0.10
Lync Webconf Edge 172.16.0.11
Lync AV Edge 172.16.0.12
Lync Edge Internal 192.168.90.10
Lync Front End 192.168.100.10
Go back to the Networking section and select the tab Network Rules
Click "Create a network rule"
Name: Lync Access Edge
Select Lync Access Edge as traffic source
Select External as destination
Select NAT as network relationship
Select "Use the specified IP address" and select the IP 10.0.0.10
Repeat these steps for Lync Webconf Edge (10.0.0.11) and Lync AV Edge (10.0.0.12)
Your result should look something like this. Remember that network rules are processed in order, so your Lync NAT rules must sit above the rule "Perimeter to External"; otherwise the Edge servers would match the general rule first and be translated to the primary external address instead of their dedicated IPs.
In part 2 we publish Lync Web Services using TMG as a reverse proxy.
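To see why the ordering matters, here is an added Python model of TMG's first-match network-rule evaluation, using the networks and computer objects from this guide. It is example code written for this article, not from the original post or from TMG's own tooling; the /24 masks and 10.0.0.2 as the default NAT address are taken from the interface table above.

```python
import ipaddress

# Networks as defined in the TMG console; /24 masks taken from the interface table.
NETWORKS = {
    "External": ipaddress.ip_network("10.0.0.0/24"),
    "DMZ1": ipaddress.ip_network("172.16.0.0/24"),
    "DMZ2": ipaddress.ip_network("192.168.90.0/24"),
    "Internal": ipaddress.ip_network("192.168.100.0/24"),
}
TMG_PRIMARY_EXTERNAL_IP = "10.0.0.2"  # used when a NAT rule names no specific address

# Computer objects from the post: (DMZ1 address, dedicated public IP) per Edge role.
EDGE_PUBLIC_IP = {
    "Lync Access Edge": ("172.16.0.10", "10.0.0.10"),
    "Lync Webconf Edge": ("172.16.0.11", "10.0.0.11"),
    "Lync AV Edge": ("172.16.0.12", "10.0.0.12"),
}

# A rule is (name, [source networks or computer objects], destination, NAT address or None).
GENERIC_RULE = ("Perimeter to External", ["DMZ1", "DMZ2"], "External", None)
LYNC_RULES = [(name, [name], "External", pub) for name, (_, pub) in EDGE_PUBLIC_IP.items()]
CORRECT_ORDER = LYNC_RULES + [GENERIC_RULE]  # Lync rules above the generic rule
WRONG_ORDER = [GENERIC_RULE] + LYNC_RULES    # generic rule shadows the Lync rules

def _matches(source, ip):
    """A rule source is either a network name or a single-host computer object."""
    if source in NETWORKS:
        return ip in NETWORKS[source]
    return ip == ipaddress.ip_address(EDGE_PUBLIC_IP[source][0])

def nat_address(rules, source_ip, destination="External"):
    """First matching rule wins, as in TMG; returns (rule name, public IP used)."""
    ip = ipaddress.ip_address(source_ip)
    for name, sources, dest, nat_ip in rules:
        if dest == destination and any(_matches(s, ip) for s in sources):
            return name, nat_ip or TMG_PRIMARY_EXTERNAL_IP
    return None, None

def misrouted_edges(rules):
    """Names of Edge servers that would not leave on their dedicated public IP."""
    return [name for name, (priv, pub) in EDGE_PUBLIC_IP.items()
            if nat_address(rules, priv)[1] != pub]

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, nat_address(rules, "172.16.0.10"), misrouted_edges(rules))
```

With the wrong order every Edge server is translated to 10.0.0.2, which is exactly the mismatch that breaks inbound/outbound consistency for the Edge roles.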
Source: https://blogger.goog...ke.blogspot.com