In part one of this two-part series, we went through the server setup, created a new Edge pool, and published and exported the topology. We will be going through the rest of the steps in this final part. So, let’s get started.
First things first. We need to configure both the internal and external NIC of the Edge server. The internal NIC will only have an IP address and a subnet mask.
The external NIC will have all fields filled in (from the DMZ range).
The topology.zip file which we exported from the internal Lync server (covered in the first part) needs to be copied into the Edge server’s local drive.
We will need to provide a route back to the internal network so that the Edge knows where to send packets. In our case, anything destined for the internal network 172.16.0.0/16 should have a next hop of 172.16.0.1. Run the following from an elevated command prompt on the Edge server to configure a persistent route (the -p switch is what makes it survive a reboot).
route add -p 172.16.0.0 mask 255.255.0.0 172.16.0.1
The next step is to give the Edge server an FQDN similar to the internal AD domain. For that, change the primary DNS suffix of the Edge server to exchangemaster.local, so that the FQDN becomes lyncedge.exchangemaster.local.
Reboot the edge for the changes to take effect.
Now that the Edge server has an FQDN, log in to the internal DNS server and add an “A” record for lyncedge.exchangemaster.local pointing to the Edge server’s internal NIC IP (172.16.0.10 in my case).
All the work from now on will be done on the Edge server. One of the prerequisites for a Lync 2010 Edge server is the .NET Framework 3.5.1. Install it using Server Manager.
It’s time to put the Lync DVD into the drive / mount the ISO. Running setup immediately prompts you to install the Visual C++ 2008 package. Click Yes.
Choose the installation folder and click Install.
Agree to the terms and conditions and click OK.
The deployment wizard will be launched automatically after the installation of the core components. Click on Install or Update Lync Server System.
Click the Run button against Install Local Configuration Store.
Browse to the location of the topology.zip file you copied from the internal Lync server and click Next.
Click Finish once the task is completed.
Make sure you have a green tick mark against step one. Click the Run button against step two.
This runs the actual Lync setup. Click Finish once the setup is completed.
The next step is to request the certificates from the internal CA and, if you want to, from an external CA. Name resolution needs to be working and the internal CA’s root certificate must be in the Trusted Root Certification Authorities store beforehand. Keep the deployment wizard open in the background; we will come back to it.
For name resolution, we will edit the hosts file of the Edge server and add the DC and internal Lync details. I won’t be going through the steps of editing the hosts file, as it is pretty basic. You will end up with a file similar to the screenshot below.
To tackle the issue of trusting certificates from the internal CA, we need to have the root CA certificate in the trusted certificate store of the Edge server. For that, launch the browser on the Edge server, go to http://dc/certsrv, log in with your admin credentials and select the third option (Download a CA certificate).
Select the first option in the next page, Download CA Certificate.
Download the CA cert to the edge server’s local drive. Launch the certificate snap-in (mmc) and import the certificate into the trusted store.
You will now have your internal CA cert in the trusted root store, and hence any cert issued by your CA will be trusted by the Edge server (that is what we want anyway!).
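Before moving on to the certificate wizard, here is a quick PowerShell pre-flight script I would run on the Edge server to confirm the steps so far: the persistent route, the FQDN, hosts-file resolution of the internal servers, the internal root CA in the trusted store, and the .NET 3.5.1 feature. This is an added example and is not part of the original article or of Lync’s own tooling. The route, gateway and FQDN values are the ones used in this lab; the hosts-file names, the root CA subject pattern and the Windows feature name are assumptions you should adjust for your environment. It uses only what ships with Windows Server 2008 R2 / PowerShell 2.0 and expects English route output.

```powershell
# Added example (not from the original article): pre-flight checks on the Edge
# server before requesting certificates. Adjust the assumed values below.
$InternalNet     = '172.16.0.0'                        # from the article
$InternalMask    = '255.255.0.0'                       # from the article
$InternalGateway = '172.16.0.1'                        # from the article
$ExpectedFqdn    = 'lyncedge.exchangemaster.local'     # from the article
$HostsFileNames  = @('dc', 'lync.exchangemaster.local') # assumed hosts-file entries (DC, internal Lync)
$RootCaPattern   = 'exchangemaster'                    # assumed substring of the internal root CA subject

$results = New-Object System.Collections.ArrayList
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail = '') {
    [void]$results.Add((New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }))
}

# 1. Persistent route back to the internal network (only the "Persistent Routes"
#    section of "route print" counts; an active-only route is lost on reboot).
$pattern = "^\s*$([regex]::Escape($InternalNet))\s+$([regex]::Escape($InternalMask))\s+$([regex]::Escape($InternalGateway))\s"
$inPersistent = $false
$hasRoute = $false
foreach ($line in (route print -4)) {
    if ($line -match 'Persistent Routes') { $inPersistent = $true; continue }
    if ($inPersistent -and $line -match $pattern) { $hasRoute = $true }
}
Add-Result "Persistent route $InternalNet/$InternalMask via $InternalGateway" $hasRoute

# 2. FQDN built from host name + primary DNS suffix.
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$actualFqdn = ("{0}.{1}" -f $ipProps.HostName, $ipProps.DomainName).ToLower()
Add-Result "FQDN is $ExpectedFqdn" ($actualFqdn -eq $ExpectedFqdn) $actualFqdn

# 3. Internal names resolve (the Edge has no internal DNS, so this exercises the hosts file).
foreach ($name in $HostsFileNames) {
    try {
        $addrs = @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString })
        Add-Result "Resolves $name" ($addrs.Count -gt 0) ($addrs -join ', ')
    } catch {
        Add-Result "Resolves $name" $false $_.Exception.Message
    }
}

# 4. Internal root CA present in LocalMachine\Root, self-signed (a real root) and not expired.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
    $_.Subject -match $RootCaPattern -and $_.Subject -eq $_.Issuer -and $_.NotAfter -gt (Get-Date)
}
Add-Result "Root CA matching '$RootCaPattern' in Trusted Root store" ([bool]$rootCa) (($rootCa | ForEach-Object { $_.Thumbprint }) -join ', ')

# 5. .NET Framework 3.5.1 feature (feature name NET-Framework-Core assumed for Server 2008 R2).
try {
    Import-Module ServerManager -ErrorAction Stop
    $net35 = Get-WindowsFeature NET-Framework-Core
    Add-Result '.NET Framework 3.5.1 installed' ([bool]$net35.Installed)
} catch {
    Add-Result '.NET Framework 3.5.1 installed' $false $_.Exception.Message
}

$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more checks failed; fix them before requesting certificates.'
}
```

Run it from an elevated PowerShell prompt on the Edge server. The root CA check deliberately insists that the certificate is self-signed: only actual root certificates belong in the Trusted Root store, and an intermediate that ended up there by mistake should be moved to the Intermediate Certification Authorities store instead.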
It’s time to click the Run button against step 3 in the deployment wizard.
Highlight Edge Internal and click the Request button.
Select to send the request immediately.
Select the second option and put in the fqdn of your internal CA.
Punch in your internal admin account credentials.
Don’t select any custom template and click Next.
Type in a friendly name for your internal Lync certificate and click Next.
The subject name for the cert will be filled in automatically. Click Next.
Go through the summary, verify all options and click Next.
The Request-CsCertificate cmdlet will be run; click Next when the button is enabled.
Like with the internal Lync server, you will be able to assign the certificate straightaway using the wizard. Make sure the checkbox to assign the cert is selected and click Next.
The Set-CsCertificate cmdlet is run; click the Finish button when it is enabled.
You will now have a cert assigned against Edge Internal.
Select External Edge and go through the same process if you want a cert from the internal CA (if in a lab). If you are doing it in production, you need a third party certificate. The process is the same, but select the second option while creating the cert request.
You will have the external fqdn filled up automatically in the subject name of the certificate.
If you go with a third party company, create the CSR as mentioned above, send it to the public CA and use the Process Pending Certificate option to import the cert back. Once you have done that, the certificate window should look like below.
Click the Run button against step 4 in the deployment wizard to start all Lync Edge services.
Click the Finish button when enabled.
That completes the Lync edge installation.
The remaining steps (to make the Edge fully functional) are given below:
- NAT the traffic and forward 5061, 444 and 443 traffic to your Edge server’s external IP. If you have three public IPs, you will only need to open port 443.
- Create an “A” record in the public DNS for sip.exchangemaster.me pointing to your public IP. Again, if you use three public IPs, you will have three “A” records to create.
- Create an SRV record _sip._tls.exchangemaster.me (in the public DNS) pointing to the Access Edge server (sip.exchangemaster.me).
- Create an SRV record (for federation) _sipfederationtls._tcp.exchangemaster.me (in the public DNS) pointing to the Access Edge.
The last step is to test whether what you have done so far works! Use the Microsoft OCS Test website. Select the test and run it with a test account enabled for Lync. Make sure you get all green.
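If you want a check you can run yourself before (or alongside) the OCS test site, the following PowerShell script verifies the public DNS records and forwarded ports listed above from a machine outside your network. It is an added example and not part of the original article. The host and SRV names are the ones used in this lab; the public resolver, the expected public IP and the SRV ports (443 for _sip._tls and 5061 for _sipfederationtls._tcp, the standard Lync values, which the article itself does not spell out) are assumptions to adjust. It relies on nslookup output in English and works on PowerShell 2.0.

```powershell
# Added example (not from the original article): check public DNS records and
# forwarded ports for the Edge from OUTSIDE the network. Adjust the assumed values.
$SipDomain        = 'exchangemaster.me'     # from the article
$AccessEdge       = "sip.$SipDomain"        # from the article
$Resolver         = '8.8.8.8'               # assumed public resolver
$ExpectedPublicIp = '203.0.113.10'          # placeholder (TEST-NET-3): replace with your public IP
$EdgePorts        = @(443, 444, 5061)       # from the article's NAT step

function Get-ARecord([string]$Name) {
    # nslookup prints the resolver's own address first, so only collect
    # addresses that appear after the "Name:" line of the answer.
    $afterName = $false
    $ips = @()
    foreach ($line in (nslookup -type=A $Name $Resolver 2>$null)) {
        if ($line -match '^Name:') { $afterName = $true; continue }
        if ($afterName -and $line -match '(\d{1,3}(\.\d{1,3}){3})') { $ips += $matches[1] }
    }
    return ,$ips
}

function Get-SrvRecord([string]$Name) {
    # Windows nslookup prints "port = N" and "svr hostname = target" for SRV answers.
    $rec = New-Object PSObject -Property @{ Target = $null; Port = $null }
    foreach ($line in (nslookup -type=SRV $Name $Resolver 2>$null)) {
        if ($line -match 'port\s*=\s*(\d+)')         { $rec.Port = [int]$matches[1] }
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $rec.Target = $matches[1].TrimEnd('.').ToLower() }
    }
    return $rec
}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Connect with a timeout so a filtered port does not hang the script.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$checks = New-Object System.Collections.ArrayList
function Add-Check([string]$Check, [bool]$Pass, [string]$Detail = '') {
    [void]$checks.Add((New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }))
}

# A record for the Access Edge
$aIps = Get-ARecord $AccessEdge
Add-Check "A $AccessEdge -> $ExpectedPublicIp" ($aIps -contains $ExpectedPublicIp) ($aIps -join ', ')

# SRV records: client sign-in and federation, both pointing at the Access Edge
$sip = Get-SrvRecord "_sip._tls.$SipDomain"
Add-Check "SRV _sip._tls.$SipDomain -> ${AccessEdge}:443" ($sip.Target -eq $AccessEdge -and $sip.Port -eq 443) "$($sip.Target):$($sip.Port)"

$fed = Get-SrvRecord "_sipfederationtls._tcp.$SipDomain"
Add-Check "SRV _sipfederationtls._tcp.$SipDomain -> ${AccessEdge}:5061" ($fed.Target -eq $AccessEdge -and $fed.Port -eq 5061) "$($fed.Target):$($fed.Port)"

# Forwarded ports actually reachable through the NAT
foreach ($port in $EdgePorts) {
    Add-Check "TCP $port reachable on $AccessEdge" (Test-TcpPort $AccessEdge $port)
}

$checks | Format-Table Check, Pass, Detail -AutoSize
```

A failed SRV check with a correct A record usually means the record was created under the wrong name (the underscore-prefixed labels are easy to mistype), while a reachable 443 but unreachable 5061 points at the NAT or firewall rule rather than DNS. Run it from somewhere that is genuinely outside your network, since internal DNS and the internal NIC would mask exactly the problems this is meant to find.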
This completes the article series. Phew!