Solved

Lync 2013 deploying questions

Posted on 2013-06-19
5
1,049 Views
Last Modified: 2013-07-06
We have separate domain namespaces.
Internal domain name is domain.local
DMZ domain name is domain.com

I already installed Lync 2013 Front End Server with an enterprise pool. Pool name pool01.domain.local. Created the necessary DNS records on the internal DNS server:
admin.domain.local
meet.domain.local
dialin.domain.local
lyncdiscoverinternal.domain.local
lyncdiscover.domain.local
SRV record: _sipinternaltls._tcp.domain.local port 5061 pointing to pool01.domain.local
Default SIP domain is domain.local. Internally, domain users can successfully connect to the Front End with upn@domain.local and create meetings and audio/video calls.
Now I need external access for domain users. I deployed an Edge server with these settings:
2 ethernet NICs:
1) Internal NIC with an IP address without default gateway, in the same network as the Front End
2) External NIC with 3 DMZ IP addresses NAT'ed from 3 public IP addresses on a Cisco
When creating the single Edge pool I checked the box "External IP address of the server translated by NAT", entered the IP addresses and port (443). Then created DNS records on the DMZ DNS like:
sip.domain.com - 1st IP from Edge external NIC
webconf.domain.com - 2nd IP from Edge external NIC
av.domain.com - 3rd IP from Edge external NIC
SRV record _sip.domain.com port 443 pointing to sip.domain.com
SRV record _sipfederation/domain.com port 5061 pointing to sip.domain.com

Is this a proper configuration for external user access? I'm afraid it could be an issue because we have separate domain namespaces. We don't need to create split-brain DNS on our internal DNS server.
Question by:Skiff-SS-N-23
5 Comments
 
LVL 21

Expert Comment

by:Jakob Digranes
ID: 39259071
You need to change your default SIP domain to something routable from the internet, so SIP addresses for users should be domain.com - just as with emails.
You should also create a split-brain DNS to make this run smoothly, but all you need in the public DNS zone on the inside is all the records in public DNS (like www, ftp and such, if they should be reachable from the LAN) - and then create sip.domain.com -> internal IP and _sipinternaltls._tcp.domain.com -> sip.domain.com

On the Edge, for external, choose the public IP of AV.DOMAIN.COM as the "External IP address of the server translated by NAT".
Make sure you have the correct DNS suffix on the Edge server, and make sure you add the Lync-related A records to the Edge server's HOSTS file.

For public service records:
_sip._tls.domain.com - sip.domain.com 443
_sipfederationtls._tcp.domain.com 5061

Also add at least lyncdiscover.domain.com and meet.domain.com pointing to the reverse proxy's public IP address.
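As an added example (not from the original thread, and not Lync's own tooling), here is a PowerShell check for the records Jakob lists above. It goes a little beyond the external list: with -Scope Internal it also checks the split-brain records he mentions (sip.domain.com on a private IP, _sipinternaltls._tcp pointing at it). It assumes the SIP domain is domain.com, uses 8.8.8.8 as the public resolver for the external scope so that an internal split-brain zone cannot mask a gap, and classifies "internal" answers by RFC 1918 ranges. It needs Resolve-DnsName, i.e. Windows 8 / Server 2012 or later.

```powershell
# Added example, not part of the original thread. Queries the DNS records the
# answer above lists for a Lync 2013 SIP domain and reports what is missing or
# points at the wrong kind of address. 'domain.com' and 8.8.8.8 are assumptions.

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918 ranges only: enough to tell an "internal" answer from a "public" one
    return [bool]($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)')
}

function Get-ARecordIps {
    param([string]$Name, [string]$Resolver)
    $q = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Resolver) { $q['Server'] = $Resolver }
    # A CNAME answer also carries the final A records, so filter on Type
    return @(Resolve-DnsName @q | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
}

function Get-SrvTargets {
    param([string]$Name, [string]$Resolver)
    $q = @{ Name = $Name; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Resolver) { $q['Server'] = $Resolver }
    return @(Resolve-DnsName @q | Where-Object { $_.Type -eq 'SRV' } |
             ForEach-Object { "$($_.NameTarget):$($_.Port)" })
}

function Test-LyncSipDomainDns {
    param(
        [string]$SipDomain = 'domain.com',                        # assumed routable SIP domain
        [ValidateSet('External', 'Internal')][string]$Scope = 'External',
        [string]$Resolver = ''                                    # '' = the machine's own resolver
    )
    if ($Scope -eq 'External' -and -not $Resolver) { $Resolver = '8.8.8.8' }   # assumed public resolver

    # A records must land on a public (external) or RFC 1918 (internal) address;
    # SRV records must contain the expected target:port.
    if ($Scope -eq 'External') {
        $checks = @(
            @{ Name = "sip.$SipDomain";                    Kind = 'A';   Want = 'Public' },
            @{ Name = "webconf.$SipDomain";                Kind = 'A';   Want = 'Public' },
            @{ Name = "av.$SipDomain";                     Kind = 'A';   Want = 'Public' },
            @{ Name = "lyncdiscover.$SipDomain";           Kind = 'A';   Want = 'Public' },
            @{ Name = "meet.$SipDomain";                   Kind = 'A';   Want = 'Public' },
            @{ Name = "_sip._tls.$SipDomain";              Kind = 'SRV'; Want = "sip.${SipDomain}:443" },
            @{ Name = "_sipfederationtls._tcp.$SipDomain"; Kind = 'SRV'; Want = "sip.${SipDomain}:5061" }
        )
    } else {
        $checks = @(
            @{ Name = "sip.$SipDomain";                    Kind = 'A';   Want = 'Private' },
            @{ Name = "lyncdiscoverinternal.$SipDomain";   Kind = 'A';   Want = 'Private' },
            @{ Name = "_sipinternaltls._tcp.$SipDomain";   Kind = 'SRV'; Want = "sip.${SipDomain}:5061" }
        )
    }

    $rows = @(foreach ($c in $checks) {
        try {
            if ($c.Kind -eq 'A') {
                $found = Get-ARecordIps -Name $c.Name -Resolver $Resolver
                $wrongKind = @($found | Where-Object { (Test-PrivateIPv4 $_) -ne ($c.Want -eq 'Private') })
                $ok = ($found.Count -gt 0) -and ($wrongKind.Count -eq 0)
            } else {
                $found = Get-SrvTargets -Name $c.Name -Resolver $Resolver
                $ok = $found -contains $c.Want
            }
            $detail = $found -join ','
        } catch {
            $ok = $false; $detail = "lookup failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Record = $c.Name; Kind = $c.Kind; Expected = $c.Want; Found = $detail; OK = $ok }
    })

    if ($Scope -eq 'External') {
        # The three Edge services sit on three distinct public IPs, and lyncdiscover/meet
        # must go to the reverse proxy, never to an Edge address.
        $edgeIps  = @($rows | Where-Object { $_.Kind -eq 'A' -and $_.Record -match '^(sip|webconf|av)\.' -and $_.OK } | ForEach-Object { $_.Found })
        $proxyIps = @($rows | Where-Object { $_.Kind -eq 'A' -and $_.Record -match '^(lyncdiscover|meet)\.' -and $_.OK } | ForEach-Object { $_.Found })
        $rows += [pscustomobject]@{ Record = '(edge IPs distinct)';   Kind = 'policy'; Expected = '3 distinct';
                                    Found = ($edgeIps -join ',');  OK = (@($edgeIps | Select-Object -Unique).Count -eq 3) }
        $rows += [pscustomobject]@{ Record = '(proxy not on edge IP)'; Kind = 'policy'; Expected = 'none shared';
                                    Found = ($proxyIps -join ','); OK = (@($proxyIps | Where-Object { $edgeIps -contains $_ }).Count -eq 0) }
    }
    return $rows
}

# Usage:
#   Test-LyncSipDomainDns -SipDomain 'domain.com' -Scope External | Format-Table -AutoSize
#   Test-LyncSipDomainDns -SipDomain 'domain.com' -Scope Internal | Format-Table -AutoSize
```

Run the External scope from any machine with internet access and the Internal scope from a domain-joined client; a row with OK = False in the External table is a record your external clients cannot find, and a Private/Public mismatch usually means the split-brain zone and the public zone got the same data.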
 

Author Comment

by:Skiff-SS-N-23
ID: 39262085
Thanks Jakob. Split-brain DNS is a necessity.
One more question:
We have an internal enterprise certification authority (root CA). Is it enough to request/assign certificates for the Edge internal and external interfaces from it? When I read some articles on the internet, they said there is a need for a 3rd-party certificate for the Edge external interface.
 
LVL 21

Accepted Solution

by: Jakob Digranes (earned 500 total points)
ID: 39262090
You MUST have valid 3rd-party certs for Edge servers.
All federated partners need to trust the certificates on the Edge servers, and your internal CA has no public trust relationship.

Look into DigiCert's UC certificates - they're good.
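To make the accepted answer's point checkable, here is an added PowerShell example (not from the thread, not Lync's own tooling). It opens a TLS session to the Access Edge, takes the certificate it presents and reports which root the chain ends in and whether the SANs cover the Edge names. It assumes the Access Edge answers on sip.domain.com:443, that you supply the thumbprint of your internal root CA (the all-zero value is a placeholder), and that the external certificate must carry at least the sip and webconf names; adjust the list to your own certificate plan.

```powershell
# Added example, not part of the original thread. Fetches the certificate the
# Access Edge presents externally and tells you whether it chains to the internal
# CA, which external clients and federated partners do not trust.
# Host name, required names and the internal CA thumbprint are assumptions.

function Get-TlsServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($HostName, $Port)
    # Accept anything during the handshake: we only want to *see* the certificate,
    # the trust decision is made explicitly below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Test-EdgeExternalCertificate {
    param(
        [string]$HostName = 'sip.domain.com',                                                  # assumed Access Edge FQDN
        [int]$Port = 443,
        [string[]]$InternalCaThumbprints = @('0000000000000000000000000000000000000000'),      # placeholder: your root CA
        [string[]]$RequiredNames = @('sip.domain.com', 'webconf.domain.com')                   # assumed SAN requirements
    )
    $cert = Get-TlsServerCertificate -HostName $HostName -Port $Port

    # On a domain-joined machine the internal root is trusted via GPO, so Build()
    # succeeding proves nothing about public trust. Look at *which* root the chain ends in.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootIsInternal = $InternalCaThumbprints -contains $root.Thumbprint

    $sans    = @($cert.DnsNameList | ForEach-Object { $_.Unicode })   # PowerShell's SAN view of X509Certificate2
    $missing = @($RequiredNames | Where-Object { $sans -notcontains $_ })
    $expired = $cert.NotAfter -lt (Get-Date)

    [pscustomobject]@{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NotAfter         = $cert.NotAfter
        ChainRoot        = $root.Subject
        ChainBuilt       = $built
        RootIsInternalCa = $rootIsInternal
        SubjectAltNames  = ($sans -join ',')
        MissingNames     = ($missing -join ',')
        UsableExternally = ($built -and -not $rootIsInternal -and -not $expired -and $missing.Count -eq 0)
    }
}

# Usage (replace the thumbprint with the one from Cert:\LocalMachine\Root for your root CA):
#   Test-EdgeExternalCertificate -HostName 'sip.domain.com' -InternalCaThumbprints 'ABCDEF...' | Format-List
```

Run it from a machine outside the LAN if you can; if RootIsInternalCa comes back True, external clients that are not domain-joined and every federated partner will fail the TLS handshake exactly as the answer says, even though ChainBuilt is True on your own workstation.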
 

Author Comment

by:Skiff-SS-N-23
ID: 39262116
If I want only domain users to be able to connect to Lync with their AD accounts from outside, do I still need 3rd-party certs in this situation?
 
LVL 21

Expert Comment

by:Jakob Digranes
ID: 39262143
Well ... you could try, but federation will not work - and that is the real beauty of Lync, together with Lync conferencing.
