Use Lync outside the network

I have installed Lync 2010 and it is working perfectly from inside the org.
Now I need important users to connect to Lync when they are out.

Is it possible without Edge? Is it recommended without Edge?
As of now I am using my internal CA certificate.
MASEE (Solution Guide - Technical Dept Head) Asked:
Radhakrishnan R (Senior Technical Lead) Commented:
Without the Edge interface you will not be able to install the certificate for external Lync access.
Have a look at this MS article which details the steps
technet.microsoft.com/en-us/library/gg398409.aspx
MASEE (Solution Guide - Technical Dept Head) Author Commented:
You mean I have to install Lync on another hardware?
Radhakrishnan R (Senior Technical Lead) Commented:
If only you have multiple edge servers, You should purchase a public certificate for external access and import this on each edge server.
MASEE (Solution Guide - Technical Dept Head) Author Commented:
As of now I have only one server.
What do I have to do to make it available from outside (except NAT in the firewall)?
Radhakrishnan R (Senior Technical Lead) Commented:
Purchase a public certificate and install it as per the tech article. Then it will be accessible externally.
MASEE (Solution Guide - Technical Dept Head) Author Commented:
How will the Lync client reach the server? Using what name?
servername.internaldomain.com
or
do I have to configure an external name?
Radhakrishnan R (Senior Technical Lead) Commented:
Obviously it should be external one for external access.
MASEE (Solution Guide - Technical Dept Head) Author Commented:
Where will I configure the external name in such a way that a user goes out from the office, opens the laptop, and it should work?
MASEE (Solution Guide - Technical Dept Head) Author Commented:
Where will I configure the external name in such a way that a user goes out from the office, opens the laptop from outside, and it works?
Radhakrishnan R (Senior Technical Lead) Commented:
Yes, it will work
MASEE (Solution Guide - Technical Dept Head) Author Commented:
Where will I configure the external name?
Radhakrishnan R (Senior Technical Lead) Commented:
You can configure the server, and the certificate should be https://servername.yourpublicdomain.com
MASEE (Solution Guide - Technical Dept Head) Author Commented:
"The server is not responding or cannot be reached...."
This is the error I get when I try to log in from outside.

What could be wrong?
MASEE (Solution Guide - Technical Dept Head) Author Commented:
Now getting this error.
Your help is appreciated to finish this question.
[Attachment: error.png]
Radhakrishnan R (Senior Technical Lead) Commented:
Could you add the site to the trusted list in IE and provide admin credentials to log in?
Ensure that the logon users are members of the CSAdministrator group in AD.
Also, check whether the DNS entries are present.
MASEE (Solution Guide - Technical Dept Head) Author Commented:
It is only working with the internal servername/IP.
It is not working with the external servername/IP.

From the internal network I configured the internal and external name. It is working.
But from the outside network it is not working. When I connect via VPN from outside, it works with the internal name.

What shall I do to make it work from outside with the external name?
Radhakrishnan R (Senior Technical Lead) Commented:
The name should be configured in the certificate.
MASEE (Solution Guide - Technical Dept Head) Author Commented:
It is already configured
MASEE (Solution Guide - Technical Dept Head) Author Commented:
BTW
SIP domain is internal domain name (i.e. xyz.com)
external FQDN is abc.com (I added this as additional SIP domain)
MASEE (Solution Guide - Technical Dept Head) Author Commented:
Now I added SRV records (_kpasswd, _ldap, _gc); now it is working with the external name from inside.

Do I have to create SRV records in external DNS?
Radhakrishnan R (Senior Technical Lead) Commented:
The host A record would be sufficient. Since it's working internally after adding the SRV records, it's worth trying to create an SRV record.
MASEE (Solution Guide - Technical Dept Head) Author Commented:
_internaltls._tcp.externalname.com
or
_sip._tls.externalname.com
?
Radhakrishnan R (Senior Technical Lead) Commented:
It's sip.tls.externalname.com
MASEE (Solution Guide - Technical Dept Head) Author Commented:
I have created SRV records the same as in internal DNS, but still no luck.
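
Added example, not part of the thread and not code from any poster or from Microsoft: a Python pre-flight check for the three things this exchange keeps returning to, namely which `_sip._tls` SRV name an outside client looks up for a given sign-in address, whether the SRV target sits inside that SIP domain, and whether the server certificate names that target and chains to a CA the client trusts. The host names `lync.abc.com` and `lyncfe.xyz.com`, the sample records and the exact-match rule are assumptions built on the thread's `xyz.com`/`abc.com` placeholders.

```python
# Added example (not from the thread): pre-flight check for Lync external sign-in.
# All records, host names and certificate names below are constructed samples.
from dataclasses import dataclass

@dataclass
class Srv:
    name: str    # record owner, e.g. _sip._tls.abc.com
    target: str  # host the record points at
    port: int

def norm(host: str) -> str:
    return host.lower().rstrip(".")

def check_external_signin(sign_in, public_srv, cert_names, ca_trusted_by_client):
    """Return a list of findings; an empty list means all checks pass."""
    domain = norm(sign_in.rsplit("@", 1)[1])   # SIP domain = right side of the address
    wanted = f"_sip._tls.{domain}"             # SRV name an outside client queries
    srv = next((r for r in public_srv if norm(r.name) == wanted), None)
    if srv is None:
        return [f"no {wanted} SRV record in public DNS"]
    findings = []
    target = norm(srv.target)
    if not target.endswith("." + domain):
        findings.append(f"SRV target {target} is outside SIP domain {domain}")
    # Assumption: exact name match only; wildcard entries are not counted.
    if target not in {norm(n) for n in cert_names}:
        findings.append(f"certificate has no subject/SAN entry for {target}")
    if not ca_trusted_by_client:
        findings.append("issuing CA is not trusted by the external client")
    return findings

# Constructed public DNS zone: only the abc.com SIP domain is published.
PUBLIC_SRV = [Srv("_sip._tls.abc.com", "lync.abc.com", 443)]

# Certificate from an internal CA that names only the internal host.
INTERNAL_CERT = ["lyncfe.xyz.com"]
# Public-CA certificate that names the externally published host.
PUBLIC_CERT = ["lync.abc.com", "lyncfe.xyz.com"]

if __name__ == "__main__":
    for who, names, trusted in [("user@xyz.com", INTERNAL_CERT, False),
                                ("user@abc.com", INTERNAL_CERT, False),
                                ("user@abc.com", PUBLIC_CERT, True)]:
        result = check_external_signin(who, PUBLIC_SRV, names, trusted)
        print(who, "->", result or "OK")
```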
Radhakrishnan R (Senior Technical Lead) Commented:
Please have a look at this MS article which details the steps to check the policies and configuration of Lync 2010. http://technet.microsoft.com/en-us/library/gg413051.aspx

Make sure that you have configured everything.
MASEE (Solution Guide - Technical Dept Head) Author Commented:
Do you know how it works from outside?
So that I can check and troubleshoot in a short time.
MASEE (Solution Guide - Technical Dept Head) Author Commented:
Please help, it is not working from outside.
Paul Solovyovsky (Senior IT Advisor) Commented:
Any thought of connecting the users to a VPN internally? Then they should be able to connect as if they were in the office. Have many customers set up this way.
MASEE (Solution Guide - Technical Dept Head) Author Commented:
Users already connect through VPN from outside. I want users to connect without VPN from outside.
MASEE (Solution Guide - Technical Dept Head) Author Commented:
Awaiting your reply.
Paul Solovyovsky (Senior IT Advisor) Commented:
I think the only way to connect without VPN is either to set up a reverse proxy (have seen customers do this, essentially publish Lync on the DMZ) or have everyone register with an outside entity such as Microsoft.
MASEE (Solution Guide - Technical Dept Head) Author Commented:
How do I set up a reverse proxy?
I do not have a DMZ.
Paul Solovyovsky (Senior IT Advisor) Commented:
Here's what MS recommends:  Publish through Edge Role

http://www.microsoft.com/download/en/details.aspx?id=11379
MASEE (Solution Guide - Technical Dept Head) Author Commented:
I have managed to get it working from outside by doing port forwarding from 8080/4443 to 80/443,
but there are no audio and video calls. Can you help to configure this?
MASEE (Solution Guide - Technical Dept Head) Author Commented:
I found another site to configure without reverse proxy
FarrellFritz Commented:
I am interested in comments by abbasiftt.  I have thus far been unable to get it working via VPN (this should be easier).

Getting "There was a problem verifying the certificate from the server"

From what I've read it's been suggested that I manually import the certificate from the server to the VPN client.  No problem but cannot identify which cert is the one (for Lync) I should be exporting/importing?

Is this the right suggestion?  If so, how do I identify which cert to import?