
Publishing Lync with Forefront TMG (part 5)

  Written by Silverdrake, 26 April 2012 · 1336 views

  Installing Lync Front End and Lync Edge

This is part 5 of 5 in a series that describes how to publish Lync Web Services and Lync Edge with a Microsoft Forefront TMG 2010 server.


Part 1 - Covers the initial configuration of Forefront TMG
Part 2 - Publishing Lync Web Services with Forefront TMG
Part 3 - Creating the protocols needed for publishing Lync Edge server
Part 4 - Publishing Lync Edge server with Forefront TMG
Part 5 - Installing Lync Front End and Lync Edge









Set up your Lync servers
Open Lync Topology Builder and create a new Standard Edition Front End Server.
[screenshot]
Enter the FQDN of the server.
[screenshot]
Select the features you want.
[screenshot]
Select collocated server roles.
[screenshot]
Check "Enable an Edge pool to be used by the media component on this Front End pool".
[screenshot]
Nothing to see here. Move along...
[screenshot]
Remember to create the share on the server as well.
[screenshot]
Enter the external Base URL.
[screenshot]
Click New… to enter the wizard to create a new Edge pool.
[screenshot]
Enter the FQDN and select "Single computer pool".
[screenshot]
Tick the box "The external IP address of this Edge pool is translated by NAT".
You can also tick "Enable federation (port 5061)" if you are going to use federation.
[screenshot]
Enter the external FQDNs you will use.
[screenshot]
Enter the IP address of the Internal (DMZ 2) interface on the Edge server.
The following two dialogues are probably the most confusing parts of the wizard!
[screenshot]
Enter the IP addresses of each service. These are the addresses on DMZ 1, not the public addresses!
[screenshot]
The address you should enter in this box is the public address for your A/V Edge service.
[screenshot]
Select the Front End server or pool that your Edge will forward its traffic to.
Finish the wizards and publish the topology.
Open up the Lync Deployment Wizard and select "Install or Update Lync Server System".
Run through all steps in the wizard.
Run:
Export-CsConfiguration -FileName config.zip
Copy this file over to Lync02.
Install Lync02
This computer should not be joined to the domain, but you might need to add the primary DNS suffix of your domain to the computer by clicking "More…" in the "Computer Name/Domain Changes" dialogue.
[screenshot]
Configure the NICs:

Interface  IP             Mask           Gateway      DNS
DMZ1       172.16.0.10    255.255.255.0  172.16.0.1   127.0.0.1
           Additional IPs: 172.16.0.11, 172.16.0.12
DMZ2       192.168.90.10  255.255.255.0  -            -

For simplicity I chose to install a DNS server on Lync02 to use as DNS for external clients. Normally this role would reside on a separate server or be hosted externally.
Create a zone for domain.se and add these records:
  A    lync01.domain.se                   10.0.0.2
  A    meet.domain.se                     10.0.0.2
  A    dialin.domain.se                   10.0.0.2
  A    sip.domain.se                      10.0.0.10
  A    webconf.domain.se                  10.0.0.11
  A    av.domain.se                       10.0.0.12
  SRV  _sipfederationtls._tcp.domain.se   sip.domain.se:5061
  SRV  _sip._tls.domain.se                sip.domain.se:443
Create a zone for domain.local and add an A record for lync01 (192.168.100.10).
If you don't have a DNS server available to your Edge server, as in this case, you could either
  • Add a pointer to lync01.domain.local in your hosts file
Or
  • Use your internal AD-DNS. Open up in the firewall for DNS-traffic from Lync Edge to the internal DNS(s)
Open an administrative command prompt and enter:
route add -p 192.168.100.0 mask 255.255.255.0 192.168.90.1
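The DNS zones, records and persistent route above, scripted with dnscmd.exe from an elevated PowerShell prompt on Lync02. This is an added example, not from the original post; the names and addresses are the lab values used in this series, and the nslookup calls at the end are a quick sanity check that the SRV targets resolve inside the same zone.

```powershell
# Added example (not from the original post): builds the external zone for
# domain.se and the internal stub zone for domain.local on the Lync02 DNS
# server, then adds the persistent route from DMZ2 to the internal LAN.
$zone = "domain.se"

# External zone: A records for the Front End web services (reverse-published
# through TMG) and one public address per Edge service (NAT'ed to DMZ1).
dnscmd /ZoneAdd $zone /Primary /file "$zone.dns"
$aRecords = @(
    @("lync01",  "10.0.0.2"),
    @("meet",    "10.0.0.2"),
    @("dialin",  "10.0.0.2"),
    @("sip",     "10.0.0.10"),
    @("webconf", "10.0.0.11"),
    @("av",      "10.0.0.12")
)
foreach ($rec in $aRecords) {
    dnscmd /RecordAdd $zone $rec[0] A $rec[1]
}

# SRV records: <priority> <weight> <port> <target>. Remote clients locate the
# Access Edge via _sip._tls on 443; _sipfederationtls._tcp on 5061 is only
# needed if federation was enabled in the Edge pool wizard.
dnscmd /RecordAdd $zone "_sip._tls" SRV 0 0 443 "sip.$zone."
dnscmd /RecordAdd $zone "_sipfederationtls._tcp" SRV 0 0 5061 "sip.$zone."

# Internal zone with just the Front End, so the Edge can reach lync01.domain.local
# without opening DNS traffic from the DMZ to the internal AD-DNS.
dnscmd /ZoneAdd "domain.local" /Primary /file "domain.local.dns"
dnscmd /RecordAdd "domain.local" "lync01" A "192.168.100.10"

# Persistent route: internal LAN is reached through the DMZ2 gateway.
route add -p 192.168.100.0 mask 255.255.255.0 192.168.90.1

# Sanity check against the local server: the SRV target must have an A record.
nslookup -type=SRV "_sip._tls.$zone" 127.0.0.1
nslookup "sip.$zone" 127.0.0.1
nslookup "lync01.domain.local" 127.0.0.1
```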
Export the root certificate for your internal CA and import this on your edge server.
Start the Deployment Wizard and import config.zip during "Install Local Configuration Store".
In the wizard request the following certificates from your internal CA:
Edge Internal
SN = lync02.domain.local
Expand External Edge and clear the checkbox for A/V Edge external.
http://3.bp.blogspot.com/-PlPBrFSxxQo/T5bbiro8ZmI/AAAAAAAAAWY/m6a7U_7BH80/s320/Picture%2B%2528Device%2BIndependent%2BBitmap%2529%2B17-766703.jpg
Create a request from a public CA (I will use my internal CA for this lab):
SN = sip.domain.se
SAN = webconf.domain.se
Uncheck SIP Access Edge external and Web Conferencing Edge external
Check A/V Edge external and create a request from your internal CA:
SN = av.domain.se
Assign the certificates to their respective services.
In your internal DNS add an A record for lync02.domain.local. Point it to 192.168.90.10.
Testing:
During my initial tests I had trouble signing in with an external user. After a lot (well, 5 minutes or so) of head scratching I ran ocslogger.exe on my Edge server and there it was. So obvious. I had enabled neither the users nor the Edge for remote user access. After doing so it worked perfectly.
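The two settings that were missing in the sign-in problem above, as an added PowerShell example (not from the original post), run from the Lync Server Management Shell on the Front End. The policy name "RemoteUsers" and the SIP address are assumed lab values; the point is to grant remote access per user rather than flipping the Global policy for everyone.

```powershell
# Added example (not from the original post): check and enable remote user
# access on the Edge configuration and on a user's external access policy.
# Run in the Lync Server Management Shell on Lync01 after publishing the topology.

# 1. Current state. Both AllowOutsideUsers and EnableOutsideAccess must be
#    True for an external user to sign in through the Edge.
Get-CsAccessEdgeConfiguration | Select-Object AllowOutsideUsers, AllowFederatedUsers
Get-CsExternalAccessPolicy | Select-Object Identity, EnableOutsideAccess, EnableFederationAccess

# 2. Edge side: allow remote users. Turn federation on only if you ticked
#    "Enable federation (port 5061)" in the Edge pool wizard and have the
#    _sipfederationtls._tcp SRV record published; otherwise leave it off.
Set-CsAccessEdgeConfiguration -AllowOutsideUsers $true -AllowFederatedUsers $false

# 3. User side: a per-user policy granted only to accounts that need it keeps
#    the Global policy (and every other user) without remote access.
if (-not (Get-CsExternalAccessPolicy -Identity "RemoteUsers" -ErrorAction SilentlyContinue)) {
    New-CsExternalAccessPolicy -Identity "RemoteUsers" -EnableOutsideAccess $true -EnableFederationAccess $false
}
Grant-CsExternalAccessPolicy -Identity "sip:remoteuser@domain.se" -PolicyName "RemoteUsers"

# 4. Verify the assignment before testing from the external network.
Get-CsUser -Identity "sip:remoteuser@domain.se" | Select-Object SipAddress, Enabled, ExternalAccessPolicy
```

Re-run step 1 afterwards; if an external sign-in still fails, ocslogger.exe on the Edge will show whether the user or the Edge is the side rejecting the connection.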
Things to test:
  • Open up http://meet.domain.se both externally and internally. You should see an error stating that the conference could not be found.
  • Open up http://dialin.domain.se both externally and internally. You should see a page with settings for Dial-In conferencing.
  • In both cases above you should be redirected from http to https.
  • Verify that two or more users can communicate with each other internally:
      - Peer-to-peer IM, A/V, desktop/application sharing
      - Web conference: Poll, Whiteboard, PowerPoint
  • Then proceed to signing in with a user on the external network:
      - Initiate conversations both ways (internal -> external and vice versa)
      - Try all modalities again.
  • Federation:
      - Add federated contacts both ways.
      - Try all modalities with a federated user.

You should also try with an external client behind a firewall (i.e. a home user).

If all this works you're all good to go!


Happy Lyncing!


https://blogger.goog...ke.blogspot.com

Source




