Skype for Business 2015 ( Edge Server)

We have two domains (there is a two-way trust between these domains). Skype for Business 2015 servers are installed and working in each of the two domains, but Skype users are not able to communicate with each other across the domains. Now we need to communicate across the domains.

Is there a need to install a Skype Edge Server between these two domains, or is there another way around it? Please reply urgently.
Kaibuk

Hello Pankaj

A direct connection between domains without needing to use an Edge will only work if both domains are members of one forest.

Here you can see what Lync/SfB supports regarding topologies:

https://technet.microsoft.com/en-us/library/gg398173.aspx

If your domains are in completely separate forests and are not connected through any forest as explained in the Lync documentation, then two-way domain trusts will not be enough, due to the product limitation.

If you run logging on the SfB server and try to communicate with the other person, you will get either an error that SfB can't find the federated partner's server, or something like "communication between domains not supported".

Basically this is how Microsoft designed the product to work. If your domain is in a completely different forest, it treats you as an external company. To communicate with external companies you need to federate, and for that you need to use an Edge Server.
P V (asker)

Yes, I made a two-way trust between these domains and also installed an SfB Edge Server, but the external contact is still showing "Presence Unknown".
Please advise if you have any docs to install the SfB Edge Server step by step; if so, please let me know. Thanks in advance.
Kaibuk

It really depends on how you installed the Edge Server. About the two-way trust between the domains: as mentioned before, it doesn't make any difference for Lync unless both domains are members of a central forest.

But because they seem not to be members of a central forest, and I don't have experience with whether it's easy to use a resource forest, below are some tips and URLs about the Edge Server.
Please don't be offended if I write something completely basic for you, but I don't know exactly what your setup looks like.

About a step-by-step configuration for an Edge Server, there is nothing more I could add to what's already written in Jeff Schertz's blog:
http://blog.schertz.name/2016/03/skype-for-business-2015-edge-server-deployment/

Also, what I find useful for this type of deployment is this diagram:
https://www.google.ie/search?q=skype+for++business+ports&client=firefox-b-ab&dcr=0&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjll9bdvYfaAhXH16QKHYxnCC0Q_AUICigB&biw=1600&bih=771#imgrc=cv9wxmkjBgpsEM:
Please download it; below I will explain a bit how to look at this from the Edge Server perspective. When you look at the diagram you will also see a reverse proxy, which I will explain a bit further below (what it is and why you need it).

Please download the Skype for Business 2015 Planning Tool, as I attached a topology for an example small environment. The Planning Tool will give you a report of the firewall and DNS name requirements. You will find that for each client, whenever the firewall says "Any", that really means that any machine in your corporate network needs to be able to talk directly to the Edge Server over those ports.
You can open the XML in the Planning Tool by double-clicking Site1. You can then edit it and put in the IP addresses from your environment.
https://www.microsoft.com/en-us/download/details.aspx?id=50357

Tips, comments and suggestions:
Lync Edge Server:
- For each Front End Server in the opposite domains you need one Edge Server.
- The Edge Server is a server which you don't join to the domain, and it needs to be installed in the perimeter network rather than the LAN.
- The Edge Server needs 1 NIC routable to the LAN and 3 NICs routable to the public Internet.
  o If you look at the diagram you will see, from right to left, internal LAN -> public Internet. The Edge Server in the diagram is at the bottom.
  For the Edge Server in the public network you will see that 3 IP addresses are assigned. Microsoft wants 3 services to have their own IP:
  Access Edge, Audio/Video, Web Conferencing. They use separate streams for better quality.

If you ask now whether it is possible to use 1 IP instead of 3: the answer is yes, but it's not recommended by Microsoft and not recommended in large environments.
Anyway, if you would like to achieve that with 1 IP address, then you need to assign different ports instead of 443 to the Web Access service and A/V, as you can't overlap the same port for 3 different services, and Access Edge also uses 443. An example is here:

https://blog.netnerds.net/2013/08/setup-a-fully-functional-lync-2013-lab-using-only-one-public-ip-address/

  o What we used is we NAT'ed the NICs facing the public Internet.
  o If you say now "Feck, we don't want to go over the public Internet", there is also a workaround where you can use a VPN or something between the sites and route the public-facing IP addresses to talk to the other Edge Server on the required ports. You can trick that by using hosts files and routing to tell the Edge Server where the other Edge Server is.
  o If you look at the diagram and the XML you will find the required firewall rules. Especially look at the firewall rules between the LAN and the internal-facing NIC of the Edge Server. Whenever it says "Any" it means literally any laptop or desktop needs to be able to talk on that port with the Edge Server. Your network team might complain, but if they won't open that, then you can uninstall your Skype for Business and search for another solution, as it will never work.
- IMPORTANT to remember: when you use a firewall, or decide to use a VPN to not go over the public Internet, you can't use SSL inspection at all. Microsoft is already using encrypted traffic; SSL inspection on the firewall will block your communication.
- If you look at the XML file for the Topology Builder you will find the required DNS entries on the public Internet. Keep in mind that SfB/Lync doesn't support wildcards.

Reverse Proxy:
When installing a Lync Edge Server you also need to think about a reverse proxy to have full functionality. What's the difference between the Lync Edge and the reverse proxy?
The Lync Edge Server is responsible for federation and SIP traffic between companies; thanks to the Edge Server, if you and the other company have a valid Lync client you will be able to IM, chat and talk. Now, what will happen if you send a meeting request to someone in the other domain? It most likely will fail.
If you look at the diagram, in the public DNS at the top left you will see entries for:
Meet, dialin, lyncdiscover (used for mobiles)
The reverse proxy is used for:
- web meeting join, for joining a web conference (meet.domain.com)
- mobile clients (lyncdiscover.domain.com)
- dial-in URL (to access the dial-in web page so you can control your PSTN settings). I don't suggest publishing this URL publicly to the Internet, however, as attackers can use it to test your domain credentials, unless you have some kind of 2-factor in place.
- Lync external web services (like lync.domain.com), for PowerPoint presentations for example.

You can set up a reverse proxy either using a network device (F5 or something), or you can install Windows Server with IIS ARR.
The rule is the same: the reverse proxy needs to be in the perimeter network, with 1 NIC routing to the LAN and a second either directly on the Internet or NAT'ed with an external address.
The topology attached also contains the reverse proxy firewall and DNS rules.
A step-by-step setup you can find here:
http://jackstromberg.com/2014/11/tutorial-deploying-a-reverse-proxy-for-lync-server-2013/
Hope that helps.

If you find the answer helpful, please mark the solution so it will help others find it more easily.


Troubleshooting SfB:

Download the following tools on your machine and use Snooper to analyze the log:
https://www.microsoft.com/en-us/download/details.aspx?id=47263

To produce a log, log on to the Front End Server.

Using PowerShell:
    Start-CsClsLogging -Scenario AlwaysOn

Try to contact the person in your Lync client to reproduce the issue.

    Search-CsClsLogging -OutputFilePath "C:\LogFiles\logfile.txt"

    Stop-CsClsLogging -Scenario AlwaysOn -Computers computera,computerb -Pools pool1.domain.com,pool2.domain.com

Open the log file in Snooper. Find your name and see what the error is.
    Sync-CsClsLogging - if doing multiple log runs, use this to clear the server cache.
Attachment: SmallEnvironmentTopology.xml
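The answer above boils the "Presence Unknown" symptom down to two things the Edge must be able to do: resolve the partner's federation records and reach the partner's Edge on the ports those records name. The following PowerShell is an added example written for this page, not code from the original post or from Microsoft. It runs on the Edge Server (part 1) and on the FE or a client (part 2). The partner domain domain2.com, the internal Edge name edge.domain1.local and the internal port list are placeholders and assumptions, not values taken from the post.

```powershell
# Added example, not from the original post or Microsoft: a pre-flight check to run
# on the Edge Server before reading CLS logs for a "Presence Unknown" contact.
# It verifies the two things the answer above depends on: the Edge can resolve the
# partner's federation DNS records, and it can reach the partner's Edge on the
# ports those records point to. domain2.com, edge.domain1.local and the
# internal-side port list are placeholders/assumptions, not values from the post.

$PartnerSipDomain = 'domain2.com'   # assumption: the federated partner's SIP domain
$ExternalDns      = '127.0.0.1'     # the DNS the Edge external NIC is pointed at

function Resolve-Via {
    # Resolve a name of one record type, optionally through a specific DNS server,
    # returning only records of that type (Resolve-DnsName also returns glue records).
    param([string]$Name, [string]$Type, [string]$DnsServer)
    $opt = @{ Name = $Name; Type = $Type; ErrorAction = 'Stop' }
    if ($DnsServer) { $opt['Server'] = $DnsServer }
    Resolve-DnsName @opt | Where-Object { $_.Type -eq $Type }
}

function Get-FederationSrv {
    # Federation discovery uses _sipfederationtls._tcp.<domain>. If this lookup fails,
    # the FE logs that it cannot find the federated partner's server.
    param([string]$SipDomain, [string]$DnsServer)
    $name = "_sipfederationtls._tcp.$SipDomain"
    try {
        Resolve-Via -Name $name -Type SRV -DnsServer $DnsServer | ForEach-Object {
            [pscustomobject]@{ Record = $name; Target = $_.NameTarget; Port = $_.Port; Priority = $_.Priority }
        }
    } catch {
        Write-Warning ("{0}: lookup failed via {1}: {2}" -f $name, $DnsServer, $_.Exception.Message)
    }
}

function Test-EdgePorts {
    # Resolve the host through the same DNS the Edge uses, then probe each TCP port.
    # DNS OK but Open=False points at the firewall between the two Edge networks.
    param([string]$HostName, [int[]]$Ports, [string]$DnsServer)
    $a = Resolve-Via -Name $HostName -Type A -DnsServer $DnsServer | Select-Object -First 1
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $a.IPAddress -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $HostName; IP = $a.IPAddress; Port = $p; Open = $r.TcpTestSucceeded }
    }
}

# 1. Outbound federation path (run on the Edge): the SRV record, then the SRV port
#    (5061, SIP/MTLS) and 443/TCP, which A/V traffic between the two Edges uses.
$srv = Get-FederationSrv -SipDomain $PartnerSipDomain -DnsServer $ExternalDns
$srv | Format-Table -AutoSize
$srv | ForEach-Object {
    Test-EdgePorts -HostName $_.Target -Ports @($_.Port, 443) -DnsServer $ExternalDns
} | Format-Table -AutoSize

# 2. Inbound from the LAN (run on the FE or any client): the "Any" rows in the
#    Planning Tool report mean every client must reach the internal Edge NIC.
#    Ports are Microsoft's standard Edge internal listeners: 5061 SIP/MTLS,
#    5062 A/V authentication, 443 A/V Edge, 4443 CMS replication.
$EdgeInternalFqdn = 'edge.domain1.local'   # assumption
Test-EdgePorts -HostName $EdgeInternalFqdn -Ports 5061, 5062, 443, 4443 |
    Format-Table -AutoSize
```

Read the two tables together with the CLS log: a missing SRV row matches the "can't find federated partner's server" error the answer mentions, while a resolved name with Open=False means the firewall between the networks is blocking the port (or, as the answer warns, SSL inspection is breaking the TLS session even though the TCP port itself opens).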
Kaibuk

Hi

Did that comment help you? If yes, can you mark my answer so others can easily find it?
P V (asker)

Dear Krzysztof

Thanks for your reply, and sorry for replying late. Regarding my network, I have three domains with two-way trusts between each other, and these domains are not connected to the outside world (Internet). They don't have a DMZ network.

They are separated by different subnets only. Because of this, I installed the SfB Edge Server in the LAN (same network as the FE), but did not join it to the domain. Please advise on this.
Kaibuk

Hello Pankaj

Well, then you will already face issues; the way you installed the Edge Server will not work.
If the domains don't share the same central forest you must do federation. For federation you need an Edge Server; that's a requirement from Microsoft.

However, you still don't need to go and expose the service to the Internet. Technically what you need to do is to convert the infrastructure required for the Edge Server into your LAN environment. The suggestion below might not work, but it's worth a try, as from a technical point of view the only difference is that you are not routing over the Internet.

Let's call your domains like this:
Domain 1 - sip.domain1.com
Domain 2  - sip.domain2.com
Domain 3 - sip.domain3.com

Domain 1 Front End Server IP is:
10.210.10.10
Domain 2 Front End Server IP is:
10.220.10.10
Domain 3 Front End Server IP is:
10.230.10.10


1. For each Front End Server you installed in the domains you will need a dedicated Edge Server. The reason for that is that you need to configure an Edge Server in each topology, so the SfB Server will know what to use when you try to contact federated/external partners (keep in mind that for SfB, if a domain is not part of the same forest, it treats that domain as an external contact).
2. Each Edge Server will still need to have at least 2 NICs, and both NICs need to be set up on different VLANs. The reason is simple: when you set up an Edge Server you need to set routes to tell the Edge Server how to route back to your FE and how to route to your external partner's Edge Server.
Basically, where the diagram I sent previously talked about the perimeter LAN and the public LAN, you will need to replace those with VLANs you have internally.
Also, the NIC which will be used to communicate with the Front End Server in a domain can't be in the same VLAN as that server.

For example:
Domain 1 Front End Server IP is:
10.210.10.10
Edge Server IP addresses:
NIC 1 facing internal LAN/FE Server (simulating the perimeter NIC): 10.245.10.10
NIC 2 simulating the Internet LAN: 10.245.20.10

Domain 2 Front End Server IP is:
10.220.10.10
Edge Server IP addresses:
NIC 1 facing internal LAN/FE Server (simulating the perimeter NIC): 10.245.30.10
NIC 2 simulating the Internet LAN: 10.245.40.10

Domain 3 Front End Server IP is:
10.230.10.10
Edge Server IP addresses:
NIC 1 facing internal LAN/FE Server (simulating the perimeter NIC): 10.245.40.10
NIC 2 simulating the Internet LAN: 10.245.50.10

On each Edge Server set up the NICs with static IP addresses, but only on the NICs simulating the public Internet set the DNS server to 127.0.0.1.

Steps 3-5 now set up the communication based on the above config.

3. First you need to set up permanent routes on the Edge Server with the cmd "route add" command.
Based on the example for Domain 1 you need to set up the following routes:
All traffic going to 10.210.10.0 needs to route over the gateway IP 10.245.10.254:
    route ADD destination_network MASK subnet_mask gateway_ip -p
    route add 10.210.10.0 MASK 255.255.255.0 10.245.10.254 -p
All traffic going to 10.245.40.0 (the external-simulating NIC VLAN of the Edge Server in Domain 2), and all traffic going to 10.245.50.0 (the external-simulating NIC VLAN of the Edge Server in Domain 3), needs to go through the gateway IP 10.245.20.254 (your Edge Server's external NIC VLAN gateway):
    route add 10.245.40.0 MASK 255.255.255.0 10.245.20.254 -p
    route add 10.245.50.0 MASK 255.255.255.0 10.245.20.254 -p

You need to configure the other Edge Servers with the same logic.

4. On each Edge Server you need to install the DNS Server role, because you need to simulate a DNS server holding the required DNS entries as they would be published externally.
As an example, on the Edge Server in Domain 1:
In the DNS role you need to set up 3 forward lookup zones with the following DNS entries:
Domain 1
    A   sip.domain1.com  10.210.10.10
Domain 2
    A   sip.domain2.com  10.245.40.10
    SRV _sip._tls.domain2.com  442  sip.domain2.com
    SRV _sipfederationtls._tcp.domain2.com  5061  sip.domain2.com
Domain 3
    A   sip.domain3.com  10.245.50.10
    SRV _sip._tls.domain3.com  442  sip.domain3.com
    SRV _sipfederationtls._tcp.domain3.com  5061  sip.domain3.com

5. Certificates. With certificates it's much easier for you, as you need to use your internal CA and follow the Edge setup I sent you previously to generate the cert.
6. Because we are using 1 IP address on the NICs which are simulating the public Internet, you need to set up your topology on the FE like in this picture:
https://blog.netnerds.net/2013/08/setup-a-fully-functional-lync-2013-lab-using-only-one-public-ip-address/
7. Firewall. Depending on how your firewall is set up between the domains, you need to allow traffic between the Edge Servers on the same ports as you would use to communicate over the public Internet. In the XML file you have a firewall table with all the required firewall ports. Keep in mind that because we are using 1 NIC on the Edge for external communication, you also need to allow communication on port 442.

That's it. I can't guarantee that it will work; however, it should, as you are just moving the Edge Server from the DMZ into the LAN, so from a technical point of view SfB should accept it. You are basically simulating communicating over the Internet.

If you don't have the option to put the server on different VLANs/scopes, then it will not work. You need to separate the Edge Server from the VLAN/scope the FE sits in.

Good Luck
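Steps 3 and 4 of the answer above (persistent routes on the Edge, then a local DNS role holding the records a public DNS would carry) can be scripted so the three Edge Servers end up consistent. The PowerShell below is an added example written for this page, not code from the original post, and covers the Domain 1 Edge Server; the IPs, zone names and the 442/5061 ports are the values used in the answer. Everything else is an assumption: the NIC aliases 'Internal' and 'External', that each zone's SRV records target the sip host in the same zone (sip.domain3.com for domain3.com), and that it runs elevated on a Windows Server Edge before the Edge role is deployed.

```powershell
# Added example, not from the original post: steps 3 and 4 of the answer above
# (persistent routes, then a local DNS role holding the "public" records) scripted
# for the Domain 1 Edge Server. IPs, zone names and the 442/5061 ports are the
# values used in the answer. Assumptions not in the post: the NIC aliases
# 'Internal' and 'External', that each zone's SRV records target the sip host in
# the same zone (sip.domain3.com for domain3.com), and that the script runs
# elevated on a Windows Server Edge before the Edge role is deployed.

$InternalNic = 'Internal'   # assumption: NIC facing the FE, 10.245.10.10
$ExternalNic = 'External'   # assumption: NIC simulating the Internet, 10.245.20.10

# Step 3: persistent routes (the "route add ... -p" lines of the answer).
# New-NetRoute writes the route to the persistent store as well as the active one.
$Routes = @(
    @{ Prefix = '10.210.10.0/24'; Nic = $InternalNic; NextHop = '10.245.10.254' }  # back to the Domain 1 FE
    @{ Prefix = '10.245.40.0/24'; Nic = $ExternalNic; NextHop = '10.245.20.254' }  # Domain 2 Edge external VLAN
    @{ Prefix = '10.245.50.0/24'; Nic = $ExternalNic; NextHop = '10.245.20.254' }  # Domain 3 Edge external VLAN
)
foreach ($r in $Routes) {
    if (-not (Get-NetRoute -DestinationPrefix $r.Prefix -ErrorAction SilentlyContinue)) {
        New-NetRoute -DestinationPrefix $r.Prefix -InterfaceAlias $r.Nic -NextHop $r.NextHop | Out-Null
    }
}

# Step 4: DNS Server role on the Edge, and only the external NIC uses it (127.0.0.1).
# The internal NIC keeps pointing at the domain DNS so the FE FQDN still resolves.
Install-WindowsFeature -Name DNS -IncludeManagementTools | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $ExternalNic -ServerAddresses '127.0.0.1'

# Zone content as the answer lists it: sip.<domain> A records, plus the SRV records
# a real public DNS would carry for the two partner domains.
$Zones = [ordered]@{
    'domain1.com' = @{ SipIp = '10.210.10.10'; Srv = $false }   # own FE, no SRV needed locally
    'domain2.com' = @{ SipIp = '10.245.40.10'; Srv = $true  }   # Domain 2 Edge external NIC
    'domain3.com' = @{ SipIp = '10.245.50.10'; Srv = $true  }   # Domain 3 Edge external NIC
}
foreach ($zone in $Zones.Keys) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns"
    }
    if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name 'sip' -RRType A -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordA -ZoneName $zone -Name 'sip' -IPv4Address $Zones[$zone].SipIp
    }
    if ($Zones[$zone].Srv) {
        # 442 is the port the answer chose for _sip._tls because the single external IP
        # already uses 443 for another service; 5061 is the standard federation port.
        $srvRecords = @(
            @{ Name = '_sip._tls';              Port = 442  }
            @{ Name = '_sipfederationtls._tcp'; Port = 5061 }
        )
        foreach ($s in $srvRecords) {
            if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name $s.Name -RRType SRV -ErrorAction SilentlyContinue)) {
                Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name $s.Name -DomainName "sip.$zone" `
                    -Priority 0 -Weight 0 -Port $s.Port
            }
        }
    }
}

# Verify what the Edge will actually see on its external side.
Get-NetRoute -DestinationPrefix '10.245.40.0/24', '10.245.50.0/24' |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias
Resolve-DnsName -Name '_sipfederationtls._tcp.domain2.com' -Type SRV -Server 127.0.0.1 |
    Format-Table Name, Type, NameTarget, Port
```

Run the same script on the Domain 2 and Domain 3 Edges with their own NIC addresses, routes and partner IPs swapped in; the zone table is what changes, since each Edge must resolve the other two partners' sip hosts to the external NIC of that partner's Edge, and its own sip host to its own FE. Whatever firewall sits between the VLANs then has to pass 5061 and 442 between the external NICs, as step 7 of the answer says.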
P V (asker)

Thanks