Solved

Lync 2013 deploying questions

Posted on 2013-06-19
1,065 Views
Last Modified: 2013-07-06
We have separate domain namespaces.
Internal domain name is domain.local
DMZ domain name is domain.com

I have already installed a Lync 2013 Front End Server with an Enterprise pool. The pool name is pool01.domain.local. I created the necessary DNS records on the internal DNS server:
admin.domain.local
meet.domain.local
dialin.domain.local
lyncdiscoverinternal.domain.local
lyncdiscover.domain.local
SRV record: _sipinternaltls_tcp.domain.local port 5061 pointing to pool01.domain.local
The default SIP domain is domain.local. Internally, domain users can successfully connect to the Front End with upn@domain.local and create meetings and audio/video calls.
Now I need external access for domain users. I deployed an Edge server with these settings:
2 Ethernet NICs:
1) Internal NIC with an IP address without a default gateway, in the same network as the Front End
2) External NIC with 3 DMZ IP addresses, NATed from 3 public IP addresses on the Cisco
When creating the single Edge pool I checked the box "External IP address of the server is translated by NAT", entered the IP addresses and the port (443). Then I created DNS records on the DMZ DNS like:
sip.domain.com - 1st IP of the Edge external NIC
webconf.domain.com - 2nd IP of the Edge external NIC
av.domain.com - 3rd IP of the Edge external NIC
SRV record _sip.domain.com port 443 pointing to sip.domain.com
SRV record _sipfederation/domain.com port 5061 pointing to sip.domain.com

Is this the proper configuration for external user access? I'm afraid that it is an issue because we have separate domain namespaces. We don't need to create split-brain DNS on our internal DNS server.
Question by:Skiff-SS-N-23
5 Comments
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39259071
You need to change your default SIP domain to something routable from the internet, so SIP addresses for users should be @domain.com, just as with email.
You should also create split-brain DNS to make this run smoothly, but all you need in the internal copy of the public zone is the records that are in public DNS (www, ftp and such, if they should be reachable from the LAN), and then create sip.domain.com -> internal IP and _sipinternaltls._tcp.domain.com -> sip.domain.com.

On the Edge, for the external interface, choose the public IP of av.domain.com for "External IP address of the server is translated by NAT".
Make sure you have the correct DNS suffix on the Edge server, and make sure you add the Lync-related A records to the Edge server's HOSTS file.

For public service records:
_sip._tls.domain.com - sip.domain.com 443
_sipfederationtls._tcp.domain.com 5061

Also add at least lyncdiscover.domain.com and meet.domain.com pointing to the reverse proxy's public IP address.
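The public records listed in the comment above can be verified from outside before any remote user tries to sign in. The following PowerShell is an added example and is not from the original thread; it assumes Windows PowerShell 3.0 or later (for Resolve-DnsName), domain.com as the public SIP domain, 8.8.8.8 as an external resolver, and the hostnames named in the thread. It deliberately queries an outside resolver: with split-brain DNS in place, the internal copy of the zone would otherwise mask a record that is wrong or missing in public DNS. It also flags two mistakes that are easy to make with a NATed Edge, an A record that still carries the DMZ (inside-NAT) address and an SRV record whose target does not itself resolve publicly.

```powershell
# Added example: verify the public Lync Edge / reverse-proxy DNS records from outside.
# Assumptions: domain.com is the SIP domain, 8.8.8.8 is an external resolver,
# hostnames are the ones used in the thread.
$SipDomain      = 'domain.com'
$PublicResolver = '8.8.8.8'

$expected = @(
    @{ Name = "_sip._tls.$SipDomain";              Type = 'SRV'; Port = 443  }   # access edge, remote users
    @{ Name = "_sipfederationtls._tcp.$SipDomain"; Type = 'SRV'; Port = 5061 }   # federation
    @{ Name = "sip.$SipDomain";          Type = 'A' }
    @{ Name = "webconf.$SipDomain";      Type = 'A' }
    @{ Name = "av.$SipDomain";           Type = 'A' }
    @{ Name = "lyncdiscover.$SipDomain"; Type = 'A' }   # reverse proxy
    @{ Name = "meet.$SipDomain";         Type = 'A' }   # reverse proxy
)

function Test-PrivateIPv4([string]$Address) {
    # RFC 1918 ranges: a private address in PUBLIC DNS means the record points at the
    # DMZ (inside-NAT) address instead of the public address NATed on the firewall.
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

$results = foreach ($r in $expected) {
    try {
        $answers = Resolve-DnsName -Name $r.Name -Type $r.Type -Server $PublicResolver -DnsOnly -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Record = $r.Name; Type = $r.Type; Value = $null; Status = "MISSING ($($_.Exception.Message))" }
        continue
    }
    # Resolve-DnsName also returns additional-section records; keep only the type we asked for.
    foreach ($a in ($answers | Where-Object { $_.Type -eq $r.Type })) {
        if ($r.Type -eq 'SRV') {
            $status = if ($a.Port -eq $r.Port) { 'OK' } else { "WRONG PORT (expected $($r.Port))" }
            # The SRV target must resolve publicly too; a target that only exists in internal DNS is useless outside.
            $target = Resolve-DnsName -Name $a.NameTarget -Type A -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue
            if (-not $target) { $status = "TARGET $($a.NameTarget) DOES NOT RESOLVE PUBLICLY" }
            [pscustomobject]@{ Record = $r.Name; Type = 'SRV'; Value = "$($a.NameTarget):$($a.Port)"; Status = $status }
        } else {
            $status = if (Test-PrivateIPv4 $a.IPAddress) { 'PRIVATE IP IN PUBLIC DNS' } else { 'OK' }
            [pscustomobject]@{ Record = $r.Name; Type = 'A'; Value = $a.IPAddress; Status = $status }
        }
    }
}

$results | Format-Table -AutoSize
```

Run it from any internet-connected Windows host. Every row should read OK; a MISSING row for _sip._tls or _sipfederationtls is the symptom of the misnamed SRV records in the question (_sip.domain.com and _sipfederation/domain.com), and a PRIVATE IP row means the DMZ address rather than the NATed public address was published.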

Author Comment

by:Skiff-SS-N-23
ID: 39262085
Thanks Jakob. Split-brain DNS is a necessity, then.
One more question:
We have an internal enterprise certification authority (rootca). Is it enough to request/assign certificates from it for the Edge internal and external interfaces? When I read some articles on the internet, they said that a 3rd-party certificate is needed for the external Edge interface?
LVL 22

Accepted Solution

by:
Jakob Digranes earned 2000 total points
ID: 39262090
You MUST have valid 3rd-party certificates for the Edge servers.
All federated partners need to trust the certificates on the Edge servers, and your internal CA has no public trust relationship.

Look into Digicerts UC certificates -- they're good
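The trust problem described in the accepted answer can be observed directly: connect to the Edge external interface, take the certificate it presents, and look at which root it chains to. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes sip.domain.com is the access edge FQDN and that the internal enterprise CA's common name is rootca (both taken from the thread; substitute your own). Note that on a domain-joined machine the chain will build successfully even for a certificate from the internal CA, because the enterprise root is pushed to every domain member, which is why the root's subject is checked explicitly. Running it from a non-domain machine shows what a federated partner or a home PC actually sees.

```powershell
# Added example: inspect the certificate presented by the Edge external interface and
# report whether it chains to the internal enterprise CA (which nobody outside trusts).
# Assumptions: sip.domain.com is the access edge FQDN, 'rootca' is the internal CA's CN.
function Get-TlsServerCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate at the handshake; trust is evaluated explicitly below.
        # Otherwise an untrusted certificate would abort the connection and tell us nothing.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI = $HostName
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-EdgeCertificate {
    param(
        [string]$HostName = 'sip.domain.com',
        [int]$Port = 443,
        [string]$InternalCaName = 'rootca'   # assumption: CN of the internal enterprise CA
    )
    $cert  = Get-TlsServerCertificate -HostName $HostName -Port $Port
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is a separate question from trust; skip it here so an unreachable CRL does not hide the result.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $builds = $chain.Build($cert)
    $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }

    $problems = @()
    if ($root.Subject -match "CN=$([regex]::Escape($InternalCaName))") {
        $problems += "chains to internal CA '$($root.Subject)': federated partners and non-domain clients will not trust it"
    }
    if (-not $builds) {
        $problems += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }
    if ($san -notmatch "DNS Name=$([regex]::Escape($HostName))(,|$)") {
        $problems += "SAN does not contain $HostName"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "expires $($cert.NotAfter)"
    }

    [pscustomobject]@{
        Host       = "$HostName`:$Port"
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Root       = $root.Subject
        SAN        = $san
        NotAfter   = $cert.NotAfter
        ChainBuilt = $builds
        Problems   = if ($problems) { $problems -join '; ' } else { 'none' }
    }
}

# The access edge serves remote users on 443 and federation on 5061; both should present the public certificate.
Test-EdgeCertificate -HostName 'sip.domain.com' -Port 443  | Format-List
Test-EdgeCertificate -HostName 'sip.domain.com' -Port 5061 | Format-List
```

If Root shows the enterprise CA, the certificate must be replaced with one from a public CA before federation or non-domain clients can work; a SAN that lacks sip.domain.com (or webconf/av names, if they share the certificate) will fail name validation even with a trusted root.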

Author Comment

by:Skiff-SS-N-23
ID: 39262116
If I want only domain users to be able to connect to Lync with their AD accounts from outside, do I still need 3rd-party certificates in that situation?
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39262143
Well ... you could try, but federation will not work, and that is the real beauty of Lync, together with Lync conferencing.
