Solved

Lync 2013 deployment questions

Posted on 2013-06-19
1,048 Views
Last Modified: 2013-07-06
We have separate domain namespaces:
Internal domain name is domain.local
DMZ domain name is domain.com

I already installed a Lync 2013 Front End Server with an enterprise pool. Pool name: pool01.domain.local. I created the necessary DNS records on the internal DNS server:
admin.domain.local
meet.domain.local
dialin.domain.local
lyncdiscoverinternal.domain.local
lyncdiscover.domain.local
SRV record: _sipinternaltls._tcp.domain.local port 5061 pointing to pool01.domain.local
The default SIP domain is domain.local. Internally, domain users can successfully connect to the Front End with upn@domain.local and create meetings and audio/video calls.
Now I need external access for domain users. I deployed an Edge server with these settings:
2 Ethernet NICs:
1) Internal NIC with an IP address without a default gateway, in the same network as the Front End
2) External NIC with 3 DMZ IP addresses NAT'ed from 3 public IP addresses on a Cisco
When creating the single Edge pool I checked the box "External IP address of the server translated by NAT", entered the IP addresses and port (443). Then I created DNS records on the DMZ DNS like:
sip.domain.com - 1st IP from Edge external NIC
webconf.domain.com - 2nd IP from Edge external NIC
av.domain.com - 3rd IP from Edge external NIC
SRV record _sip.domain.com port 443 pointing to sip.domain.com
SRV record _sipfederation/domain.com port 5061 pointing to sip.domain.com

Is this the proper configuration for external user access? I'm afraid that it is an issue because we have separate domain namespaces. We don't need to create split-brain DNS on our internal DNS server.
Question by: Skiff-SS-N-23

5 Comments

Expert Comment (LVL 20)

by: Jakob Digranes
You need to change your default SIP domain to something routable from the internet, so SIP addresses for users should be domain.com - just as with emails.
You should also create a split-brain DNS to make this run smoothly, but all you need on the inside is the records from public DNS (like www, ftp and such, if they should be reachable from the LAN) - and then create sip.domain.com -> internal IP and _sipinternaltls._tcp.domain.com -> sip.domain.com

On Edge, external side - choose the public IP of AV.DOMAIN.COM for "External IP address of the server translated by NAT".
Make sure you have the correct DNS suffix on the Edge server, and make sure you add the Lync-related A records to the Edge server's HOSTS file.

For public service records:
_sip._tls.domain.com - sip.domain.com 443
_sipfederationtls._tcp.domain.com 5061

Also add at least lyncdiscover.domain.com and meet.domain.com to the reverse proxy's public IP address.
0
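The split-brain record set described in the reply above is easy to get subtly wrong: the question's `_sip.domain.com` lacks the `_tls` label, and the reverse-proxy names are missing entirely. The checker below is an added example by the editor, not code from the thread, from Microsoft or from the expert; it encodes the expected records per DNS view (internal split-brain zone vs. public zone), takes the resolver as an injected callable so it runs offline against constructed zone data, and uses documentation-range addresses (203.0.113.0/24) and a 10.0.0.0/8 address as constructed sample values. It also flags two configuration mistakes a defender would want caught: a public SRV record pointing into the non-routable `.local` namespace, and an external A record publishing an RFC 1918 address.

```python
"""Check the Lync DNS record set for one SIP domain, per DNS view.

Editor's example: not from the thread or from Microsoft. The resolver is
injected so the check runs offline; in production, wrap real lookups
(dnspython, or parsed Resolve-DnsName output) in the same
(name, rtype) -> list shape.
"""
import ipaddress
from collections import namedtuple

# A resolved SRV answer; priority and weight are omitted for brevity.
SrvRecord = namedtuple("SrvRecord", "port target")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for RFC 1918 private addresses (what the LAN view should return)."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def expected_records(sip_domain):
    """Record set the expert's reply describes, keyed by DNS view.

    'internal' is what LAN clients must see on the split-brain zone; 'external'
    is what public DNS must serve for the Edge and the reverse proxy.
    For A records, 'addr' means: internal -> RFC 1918, external -> not RFC 1918.
    """
    d = sip_domain
    return {
        "internal": {
            (f"sip.{d}", "A"): "addr",
            (f"_sipinternaltls._tcp.{d}", "SRV"): SrvRecord(5061, f"sip.{d}"),
        },
        "external": {
            (f"sip.{d}", "A"): "addr",
            (f"webconf.{d}", "A"): "addr",
            (f"av.{d}", "A"): "addr",
            (f"lyncdiscover.{d}", "A"): "addr",  # reverse proxy public IP
            (f"meet.{d}", "A"): "addr",          # reverse proxy public IP
            (f"_sip._tls.{d}", "SRV"): SrvRecord(443, f"sip.{d}"),
            (f"_sipfederationtls._tcp.{d}", "SRV"): SrvRecord(5061, f"sip.{d}"),
        },
    }


def check_view(sip_domain, view, resolve):
    """Return a list of findings; an empty list means the view matches the expected set.

    resolve(name, rtype) returns a list: IP strings for 'A', SrvRecord for 'SRV'.
    """
    findings = []
    for (name, rtype), want in expected_records(sip_domain)[view].items():
        answers = resolve(name, rtype)
        if not answers:
            findings.append(f"{view}: missing {rtype} record {name}")
        elif rtype == "A":
            private = all(is_rfc1918(a) for a in answers)
            if view == "internal" and not private:
                findings.append(f"{view}: {name} should resolve to an internal address, got {answers}")
            if view == "external" and private:
                findings.append(f"{view}: {name} publishes a private address to the internet: {answers}")
        else:  # SRV
            if view == "external" and any(a.target.lower().endswith(".local") for a in answers):
                findings.append(f"{view}: {name} targets a non-routable .local name")
            elif not any(a.port == want.port and a.target.lower() == want.target for a in answers):
                findings.append(f"{view}: {name} should be port {want.port} -> {want.target}, got {answers}")
    return findings


def zone_resolver(zone):
    """Wrap a constructed {(name, rtype): answers} dict as a resolve() callable."""
    return lambda name, rtype: zone.get((name.lower(), rtype), [])


# Constructed zone data (documentation-range addresses, not real hosts).
INTERNAL_ZONE = {
    ("sip.domain.com", "A"): ["10.0.0.20"],
    ("_sipinternaltls._tcp.domain.com", "SRV"): [SrvRecord(5061, "sip.domain.com")],
}

# Public zone as the question describes it: SRV names malformed, reverse-proxy names absent.
EXTERNAL_ZONE_AS_ASKED = {
    ("sip.domain.com", "A"): ["203.0.113.10"],
    ("webconf.domain.com", "A"): ["203.0.113.11"],
    ("av.domain.com", "A"): ["203.0.113.12"],
    ("_sip.domain.com", "SRV"): [SrvRecord(443, "sip.domain.com")],
    ("_sipfederation.domain.com", "SRV"): [SrvRecord(5061, "sip.domain.com")],
}

# Same zone with the names the reply asks for added.
EXTERNAL_ZONE_FIXED = {
    **EXTERNAL_ZONE_AS_ASKED,
    ("lyncdiscover.domain.com", "A"): ["203.0.113.20"],
    ("meet.domain.com", "A"): ["203.0.113.20"],
    ("_sip._tls.domain.com", "SRV"): [SrvRecord(443, "sip.domain.com")],
    ("_sipfederationtls._tcp.domain.com", "SRV"): [SrvRecord(5061, "sip.domain.com")],
}

if __name__ == "__main__":
    for label, view, zone in (("internal", "internal", INTERNAL_ZONE),
                              ("external (as asked)", "external", EXTERNAL_ZONE_AS_ASKED),
                              ("external (fixed)", "external", EXTERNAL_ZONE_FIXED)):
        findings = check_view("domain.com", view, zone_resolver(zone))
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run against the "as asked" public zone the checker reports four missing records (the two reverse-proxy A records and the two correctly named SRV records); the stray `_sip.domain.com` and `_sipfederation.domain.com` entries are simply never consulted, which is exactly how a Lync client would treat them.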
Author Comment

by: Skiff-SS-N-23
Thanks Jakob. Split-brain DNS is a necessity.
One more question:
We have an internal enterprise certification authority (root CA). Is it enough to request/assign certificates for the Edge internal and external interfaces? When I read some articles on the internet, they said that a 3rd party certificate is needed for the external Edge interface?
0
Accepted Solution (LVL 20)

by: Jakob Digranes earned 500 total points
You MUST have valid 3rd party certs for Edge servers.
All federated partners need to trust the certificates on the Edge servers, and your internal CA has no public trust relationship.

Look into DigiCert's UC certificates -- they're good.
0
Author Comment

by: Skiff-SS-N-23
If I want only domain users to be able to connect to Lync with their AD account from external, do I still need 3rd party certs in this situation?
0
Expert Comment (LVL 20)

by: Jakob Digranes
Well ... you could try, but federation will not work --- and that is the real beauty of Lync, together with Lync conferencing.
0