Solved

Lync 2013 deploying questions

Posted on 2013-06-19
1,063 Views
Last Modified: 2013-07-06
We have separate domain namespaces.
Internal domain name is domain.local
DMZ domain name is domain.com

I already installed Lync 2013 Front End Server with an enterprise pool. The pool name is pool01.domain.local. I created the necessary DNS records on the internal DNS server:
admin.domain.local
meet.domain.local
dialin.domain.local
lyncdiscoverinternal.domain.local
lyncdiscover.domain.local
SRV record: _sipinternaltls_tcp.domain.local port 5061 pointing to pool01.domain.local
Default SIP domain is domain.local. Internally, domain users can successfully connect to the Front End with upn@domain.local and create meetings and audio/video calls.
Now I need external access for domain users. I deployed an Edge server with these settings:
2 Ethernet NICs:
1) Internal NIC with an IP address without a default gateway, in the same network as the Front End
2) External NIC with 3 DMZ IP addresses NAT'ed from 3 public IP addresses on a Cisco
When creating the single Edge pool I checked the box "External IP address of the server translated by NAT", entered the IP addresses and port (443). Then I created DNS records on the DMZ DNS like:
sip.domain.com - 1st IP from Edge external NIC
webconf.domain.com - 2nd IP from Edge external NIC
av.domain.com - 3rd IP from Edge external NIC
SRV record _sip.domain.com port 443 pointing to sip.domain.com
SRV record _sipfederation/domain.com port 5061 pointing to sip.domain.com

Is this a proper configuration for external user access? I'm afraid there was an issue because we have separate domain namespaces. We don't need to create split-brain DNS on our internal DNS server.
Question by: Skiff-SS-N-23
5 Comments
 
LVL 22

Expert Comment

by: Jakob Digranes
ID: 39259071
You need to change your default SIP domain to something routable from the internet, so SIP addresses for users should be domain.com - just as with emails.
You should also create a split-brain DNS to make this run smoothly, but all you need on the inside is all records in public DNS (like www, ftp and such if they should be reachable from LAN) - and then create sip.domain.com -> internal IP and _sipinternaltls._tcp.domain.com -> sip.domain.com.

On Edge and External, choose the public IP of AV.DOMAIN.COM for "External IP address of the server translated by NAT".
Make sure you have the correct DNS suffix on the Edge server, and make sure you add the Lync-related A records in the Edge server's HOSTS file.

For public service records:
_sip._tls.domain.com - sip.domain.com 443
_sipfederationtls._tcp.domain.com 5061

Also add at least lyncdiscover.domain.com and meet.domain.com to the reverse proxy's public IP address.
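The answer above lists the public DNS records an Edge pool needs, and the question's SRV owner names do not follow the `_service._proto.domain` form those records require. As an added example (not code from the thread), the script below checks a constructed zone, standing in for the DMZ DNS and using documentation IP addresses, against the records named in the answer and flags malformed SRV owners:

```python
import re

# Owner names of SRV records must be _service._proto.domain (RFC 2782).
SRV_OWNER = re.compile(r"^_[a-z0-9-]+\._(?:tcp|udp|tls)\.[a-z0-9.-]+$", re.I)

# Constructed zone: the DMZ records as the question posted them, with the
# malformed SRV owner names copied exactly. Addresses are documentation IPs.
POSTED_ZONE = {
    "A": {"sip.domain.com": "203.0.113.10",
          "webconf.domain.com": "203.0.113.11",
          "av.domain.com": "203.0.113.12"},
    "SRV": {"_sip.domain.com": ("sip.domain.com", 443),
            "_sipfederation/domain.com": ("sip.domain.com", 5061)},
}

# What the answer calls for on public DNS (owner -> (target, port)).
REQUIRED_SRV = {"_sip._tls.domain.com": ("sip.domain.com", 443),
                "_sipfederationtls._tcp.domain.com": ("sip.domain.com", 5061)}
REQUIRED_A = ("sip.domain.com", "webconf.domain.com", "av.domain.com",
              "lyncdiscover.domain.com", "meet.domain.com")

def check_zone(zone):
    """Return a list of problems; an empty list means the zone is complete."""
    a_records = zone.get("A", {})
    srv_records = zone.get("SRV", {})
    problems = [f"missing A record {n}" for n in REQUIRED_A if n not in a_records]
    for owner, (target, port) in REQUIRED_SRV.items():
        if owner not in srv_records:
            problems.append(f"missing SRV {owner} -> {target}:{port}")
            continue
        got_target, got_port = srv_records[owner]
        if got_port != port:
            problems.append(f"SRV {owner} uses port {got_port}, expected {port}")
        if got_target not in a_records:
            problems.append(f"SRV {owner} targets {got_target}, which has no A record")
    # Owners such as "_sip.domain.com" or "_sipfederation/domain.com" never match
    # a client's _service._proto query, so flag them even if the target is right.
    for owner in srv_records:
        if not SRV_OWNER.match(owner):
            problems.append(f"SRV owner {owner!r} is not _service._proto.domain")
    return problems

# The same zone with the records corrected as the answer describes.
FIXED_ZONE = {
    "A": {**POSTED_ZONE["A"], "lyncdiscover.domain.com": "203.0.113.20",
          "meet.domain.com": "203.0.113.20"},
    "SRV": dict(REQUIRED_SRV),
}
```

Running `check_zone(POSTED_ZONE)` reports the two missing A records, the two missing SRV records and the two malformed SRV owners; `check_zone(FIXED_ZONE)` returns an empty list.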
 

Author Comment

by: Skiff-SS-N-23
ID: 39262085
Thanks Jakob. Split-brain DNS is a necessity.
One more question:
We have an internal enterprise certification authority (root CA). Is it enough to request/assign certificates for the Edge internal and external interfaces? When I read some articles on the internet, they said that a 3rd-party certificate is needed for the external Edge interface?
 
LVL 22

Accepted Solution

by: Jakob Digranes (earned 500 total points)
ID: 39262090
You MUST have valid 3rd-party certs for Edge servers.
All federated partners need to trust the certificates on the Edge servers, and your internal CA has no public trust relationship.

Look into DigiCert's UC certificates -- they're good.
 

Author Comment

by: Skiff-SS-N-23
ID: 39262116
What if I want only domain users to be able to connect to Lync with their AD account from external? In this situation do I still need 3rd-party certs?
 
LVL 22

Expert Comment

by: Jakob Digranes
ID: 39262143
Well ... you could try, but federation will not work --- and that is the real beauty of Lync, together with Lync conferencing.

Question has a verified solution.