Lync 2013 deploying questions

Posted on 2013-06-19
Last Modified: 2013-07-06
We have separate domain namespaces:
Internal domain name is domain.local
DMZ domain name is domain.com

I already installed a Lync 2013 Front End Server with an enterprise pool. Pool name is pool01.domain.local. I created the necessary DNS records on the internal DNS server:
admin.domain.local
meet.domain.local
dialin.domain.local
lyncdiscoverinternal.domain.local
lyncdiscover.domain.local
SRV record: _sipinternaltls._tcp.domain.local port 5061 pointing to pool01.domain.local
Default SIP domain is domain.local. Internally, domain users can successfully connect to the Front End with upn@domain.local and create meetings and audio/video calls.
Now I need external access for domain users. I deployed an Edge server with these settings:
2 Ethernet NICs:
1) Internal NIC with an IP address without a default gateway, in the same network as the Front End
2) External NIC with 3 DMZ IP addresses NAT'ed from 3 public IP addresses on a Cisco
When creating the single Edge pool I checked the box "External IP address of the server translated by NAT", entered the IP addresses and port (443). Then I created DNS records on the DMZ DNS like:
sip.domain.com - 1st IP from Edge external NIC
webconf.domain.com - 2nd IP from Edge external NIC
av.domain.com - 3rd IP from Edge external NIC
SRV record _sip.domain.com port 443 pointing to sip.domain.com
SRV record _sipfederation/domain.com port 5061 pointing to sip.domain.com

Is this a proper configuration for external user access? I'm afraid there might be an issue because we have separate domain namespaces. We don't need to create split-brain DNS on our internal DNS server.
Question by: Skiff-SS-N-23
LVL 22

Expert Comment

by: Jakob Digranes
ID: 39259071
You need to change your default SIP domain to something routable from the internet, so SIP addresses for users should be domain.com - just as with emails.
You should also create a split-brain DNS to make this run smoothly, but all you need on the inside is all records in public DNS (like www, ftp and such, if they should be reachable from the LAN) - and then create sip.domain.com -> internal IP and _sipinternaltls._tcp.domain.com -> sip.domain.com

On Edge and external - choose the public IP of AV.DOMAIN.COM for "External IP address of the server translated by NAT".
Make sure you have the correct DNS suffix on the Edge server, and make sure you add the Lync-related A-records in the Edge server's HOSTS file.

For public service records:
_sip._tls.domain.com - sip.domain.com 443
_sipfederationtls._tcp.domain.com 5061

Also add at least lyncdiscover.domain.com and meet.domain.com to the reverse proxy's public IP address.
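A check for the public records Jakob lists, as an added example that is not part of the thread or of any Lync tooling: it queries a public resolver (so an internal split-brain zone cannot mask the answer), compares each SRV against the expected target and port, and flags any A record that resolves to an RFC 1918 address, which would mean a DMZ/NAT address leaked into the external zone. `$SipDomain` and `$Resolver` are assumed placeholder values; the record list is taken from the answers above.

```powershell
# Added example (not from the thread): verify the external Lync DNS records
# from the outside. $SipDomain and $Resolver are assumed placeholders.
$SipDomain = 'domain.com'   # the internet-routable SIP domain, not domain.local
$Resolver  = '8.8.8.8'      # any public resolver; avoids internal split-brain zones

# Expected records: SRV entries carry target/port from the answer; A records need a public address.
$Expected = @(
    @{ Name = "_sip._tls.$SipDomain";              Type = 'SRV'; Target = "sip.$SipDomain"; Port = 443  }
    @{ Name = "_sipfederationtls._tcp.$SipDomain"; Type = 'SRV'; Target = "sip.$SipDomain"; Port = 5061 }
    @{ Name = "sip.$SipDomain";                    Type = 'A' }
    @{ Name = "webconf.$SipDomain";                Type = 'A' }
    @{ Name = "av.$SipDomain";                     Type = 'A' }
    @{ Name = "lyncdiscover.$SipDomain";           Type = 'A' }
    @{ Name = "meet.$SipDomain";                   Type = 'A' }
)

function Test-PrivateIPv4 {
    # RFC 1918 ranges; a hit in a public zone means a DMZ/NAT address was published by mistake.
    param([string]$Ip)
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-LyncExternalDns {
    param([hashtable[]]$Records, [string]$Server)
    foreach ($e in $Records) {
        try {
            $answers = Resolve-DnsName -Name $e.Name -Type $e.Type -Server $Server -DnsOnly -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Record = $e.Name; Type = $e.Type; Result = 'MISSING'; Detail = $_.Exception.Message }
            continue
        }
        if ($e.Type -eq 'SRV') {
            foreach ($srv in ($answers | Where-Object Type -eq 'SRV')) {
                $result = 'MISMATCH'
                if (($srv.NameTarget -ieq $e.Target) -and ($srv.Port -eq $e.Port)) { $result = 'OK' }
                [pscustomobject]@{
                    Record = $e.Name; Type = 'SRV'; Result = $result
                    Detail = "$($srv.NameTarget):$($srv.Port) prio=$($srv.Priority) weight=$($srv.Weight)"
                }
            }
        } else {
            foreach ($a in ($answers | Where-Object Type -eq 'A')) {
                $result = 'OK'
                if (Test-PrivateIPv4 $a.IPAddress) { $result = 'PRIVATE-IP' }
                [pscustomobject]@{ Record = $e.Name; Type = 'A'; Result = $result; Detail = $a.IPAddress }
            }
        }
    }
}

Test-LyncExternalDns -Records $Expected -Server $Resolver | Format-Table -AutoSize
```

Run it from a host outside the corporate network, or at least against a public resolver as shown; run the same list against the internal DNS server with `-Server` pointed at it to confirm the split-brain copy resolves `sip.domain.com` to the internal address instead.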

Author Comment

by: Skiff-SS-N-23
ID: 39262085
Thanks Jakob. Split-brain DNS is a necessity.
One more question:
We have an internal enterprise certification authority (root CA). Is it enough to request/assign certificates for the Edge internal and external interfaces? When I read some articles on the internet, they said that a 3rd-party certificate is needed for the external Edge interface?
LVL 22

Accepted Solution

by: Jakob Digranes (earned 2000 total points)
ID: 39262090
You MUST have valid 3rd-party certs for Edge servers.
All federated partners need to trust the certificates on the Edge servers, and your internal CA has no public trust relationship.

Look into DigiCert's UC certificates -- they're good.
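A way to see the trust problem Jakob describes, as an added example that is not from the thread or from Lync itself: it connects to the Edge external interface, captures the certificate presented, builds the chain against the local trust store, and checks whether the Subject Alternative Name covers the host name. `$SipDomain` is an assumed placeholder. Run it from a machine that does not trust the internal enterprise CA (a non-domain-joined laptop on the internet); on a domain member the internal root is already trusted and the chain will build, which is exactly the situation a federated partner is not in.

```powershell
# Added example (not from the thread): inspect the certificate the Edge
# external interface presents and evaluate chain trust and SAN coverage.
# $SipDomain is an assumed placeholder.
$SipDomain = 'domain.com'

function Get-SanDnsNames {
    # Extract DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    return [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-EdgeCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate during the handshake so it can be captured;
        # trust is evaluated separately below, not by this callback.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e); $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }

    # Chain validation against this machine's trusted roots, with online revocation checking.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $trusted = $chain.Build($cert)
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }

    # SAN coverage: exact name or a wildcard entry that matches (-like handles '*.domain.com').
    $sans   = @(Get-SanDnsNames $cert)
    $covers = [bool]($sans | Where-Object { $HostName -like $_ })

    [pscustomobject]@{
        Endpoint     = "${HostName}:$Port"
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        RootCA       = $root.Subject
        ChainTrusted = $trusted
        ChainStatus  = $status
        SanNames     = $sans -join ', '
        CoversHost   = $covers
        NotAfter     = $cert.NotAfter
    }
}

Test-EdgeCertificate -HostName "sip.$SipDomain" -Port 443 | Format-List
```

`ChainTrusted = False` together with `ChainStatus = UntrustedRoot` and an internal CA name in `RootCA` is the failure mode the accepted answer warns about. Port 443 is the client access path from the thread; the federation port 5061 uses mutual TLS and may not complete a handshake without a client certificate, so test it with the same function only if you expect that to work.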

Author Comment

by: Skiff-SS-N-23
ID: 39262116
If I want only domain users to be able to connect to Lync with their AD account from outside, do I still need 3rd-party certs in this situation?
LVL 22

Expert Comment

by: Jakob Digranes
ID: 39262143
well ... you could try, but federation will not work --- and that is the real beauty with lync; together with lync conferencing