It’s been such a busy month with multiple projects on the go that I’ve only been able to whatever caught my eye on my long list of “to-blogs” so while I had these Edge server deployment screenshots for awhile, I never really got the chance to put them together for this post. Now that I have a bit of time over the long weekend, I figure there’s no better way to spend it than to knock this one off my list. :)
Preparing the Edge Server
There are quite a few tasks required before you can actually begin installing Edge services onto the server you’ve allocated for this server role and the first item you should turn your attention to is the network interface configuration. Make sure you have 2 NICs for your Edge server as shown in the following screenshot:
The NIC I’ve labeled Internal will be the NIC that is connected to your internal network while the NIC labeled Local Area Connection (sorry, I forgot to name it properly when I did the screenshot) will be the NIC that is connected to either your DMZ network or directly to the internet.
I was actually quite happy with the amount of detail in the documentation I saw in the LS_Deploy_Edge_Dir.doc document for the Set Up Network Interfaces for Edge Servers:
**How you configure your Edge server’s NICs will depend on your network topology such as whether there are DNS servers available in the perimeter network.
**Great note about not accessing the internal DNS servers as this is a security risk.
**I find static routes have always been one of the items administrators deploying Edge services tend to miss. The Edge server will have 2 NICs and you can only assign 1 gateway to it which should be for your external interface and therefore getting to the internal subnets will require static persistent routes.
**If there are no DNS servers in the perimeter network then the host file will be used to resolve internal names.
External DMZ NIC Configuration
This is what the DMZ NIC settings for the Edge server looks like:
**Note: My apologies for the missing default gateway in the screenshot above. The external DMZ NIC is supposed to be configured with a default gateway while the internal DMZ leg does not.
I always prefer to disable the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks for the external network so there is less surface area for attacks.
Make sure you put the additional 3 IPs if the configuration will be multiple FQDN and IP addresses:
I prefer to uncheck the Register this connection’s addresses in DNS because the external DNS servers being public, will not allow you to register the server name anyways:
There is no reason to enable NetBIOS for the public interface:
Internal NIC Configuration
This is what the internal NIC settings for the Edge server looks like:
Internal DNS Resolution
Since the environment I’m using for this example does not have DNS servers in the perimeter network, I will be using the host file to resolve the internal Lync pool:
Since the Edge server is not a part of the domain, it will not register its name and IP in the internal DNS servers so in order for your internal pool to be able to look up the Edge server, you will need to create an A record manually:
Configure a DNS Suffix for the Edge Server
A DNS suffix is automatically added if a server is joined to the domain but since the Edge server isn’t and shouldn’t be, we will need to manually add it:
Installing .NET Framework 3.5.1 Features
As with other Lync server roles (i.e. front-end, monitoring), the Edge server will need .NET Framework 3.5.1 installed:
Import internal certificate authority’s root certificate
Domain joined servers automatically trust the domain’s enterprise certificate authority but since the Edge is not joined to the domain, you’ll need to manually export and import it:
Defining the Edge Topology
Once the Edge server has been configured, the next step is to define and then publish the topology:
Fire up Topology Builder:
Right click on the Edge pools folder and select New Edge Pool…:
The wizard to define a new edge pool will launch:
This example will demonstrate how to define a single computer pool:
Select the settings as it pertains to your environment:
**For more information about the Use a single FQDN & IP Address checkbox, see my previous post: http://terenceluk.blogspot.com/2011/02/should-i-use-use-single-fqdn-ip-address.html
For the purpose of this example, the Use a single FQDN & IP Address checkbox was no checked so fill in the appropriate FQDNs:
Specify the internal interface’s IP address:
Specify the external (or NAT-ed) IP addresses for SIP Access, Web Conferencing, and A/V Conferencing:
If you’ve selected the checkbox The external IP address of this Edge pool is translated by NAT:
Then you will now be asked for the public IP address:
Select the front-end pool in your environment:
You can then choose to associate the Edge server with your pool:
Clicking the Finish button will bring you back to the Topology Builder:
With the new topology defined, proceed with publishing it:
Exporting the Topology for the Edge Install
Since the Edge server is not a part of the domain, there is no easy way for it to download the topology during the install which is why we will need to manually export the topology on your front-end server and copy it over to the Edge server:
Open up the Lync Server Management Shell and execute:
Export-CsConfiguration -FileName <fileNameOfYourChoice.zip>
Copy the zip package to your Edge server:
Installing Edge Server
Launch setup.exe from the Lync installation binaries:
Choose Install or Update Lync Server System from the Deployment Wizard:
Select Install Local Configuration Store:
There is no option to retrieve the topology from the CMS because the Edge server is not joined to the domain so choose Import from a file and locate the zip package we copied over from the front-end server:
Once the local configuration store has been installed, proceed with step 2: Setup or Remove Lync Server Components:
Once the Edge server components has been installed continue with setting up the internal and external certificates:
Request and Assign a Certificate for the Internal Interface
The first certificate you’ll need is for the internal interface of the Edge server so select Edge internal and click on the Request button:
Select the Send the request immediately to an online certification authority:
Since the Edge server isn’t joined to the domain, the wizard will not be able to detect your internal CA:
What we’ll need to do is use the Specify another certification authority and manually type in the path to our internal CA. Notice that the tip that existed with OCS 2007 R2’s wizard also no longer exists:
Specify the credentials that can request a certificate from your internal CA:
Using an alternate certificate template is not necessary so continue with the defaults:
Specify a friendly name for the certificate:
Fill in the information required for the certificate:
Unlike the front-end server deployment, the wizard doesn’t automatically populate additional entries for you:
I always prefer to put in the server name into the subject alternate name:
Review the summary:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
If you receive the following error message:
Command execution failed: Cannot connect to certificateAuthority.domain.com. Verify that you can connect to the server, have the appropriate permissions, and that you logged on with the correct credentials.
It’s most likely you’ve entered the incorrect credentials or you have network connectivity issues. If you've configured the Edge server to use the host file to resolve internal server names, make sure you add an entry for your CA:
If you receive the following error after you’ve fixed the connectivity issues:
> Request CertificateRequest-CSCertificate -New -Type Internal -CA "venus.someDomain.com\Your CA X" -Country CA -State "Ontario" -City "Oakville" -FriendlyName "LyncEdge" -KeySize 2048 -PrivateKeyExportable $True -Organization "Your CA" -OU "IT" -DomainName "lyncedge" -CAAccount "domain\tluk" -CAPassword "****" -Verbose -Report "C:\Users\Administrator\AppData\Local\Temp\2\Request-CSCertificate-[2011_02_09][20_24_17].html"Creating new log file "C:\Users\Administrator\AppData\Local\Temp\2\Request-CSCertificate-b95d7045-45e6-4d35-a067-2f8e05ef5061.xml".Create a certificate request based on Lync Server configuration for this computer.A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Exception from HRESULT: 0x800B0109)The certificate was not imported.Issued thumbprint "" for use "Internal" by "venus.someDomain.com\Your CA X".Creating new log file "C:\Users\Administrator\AppData\Local\Temp\2\Request-CSCertificate-[2011_02_09][20_24_17].html".Warning: Request-CSCertificate failed.Warning: Detailed results can be found at "C:\Users\Administrator\AppData\Local\Temp\2\Request-CSCertificate-[2011_02_09][20_24_17].html".Command execution failed: Value cannot be null.Parameter name: thumbprint
See my previous post for the fix: http://terenceluk.blogspot.com/2011/02/requesting-lync-server-2010-edge.html
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Once the request completes, you can assign the certificate immediately to the internal interface:
Assign Certificates for the External Interface
Since the Lync Server 2010 Edge server I was deploying for this example is a replacement for another OCS 2007 R2 server, all that needs to be done is to export the 3 certificates (or 1 if it’s a SAN certificate) from the legacy OCS 2007 R2 server, import it onto the Lync Edge server and then assign it through the wizard. If you’re using 1 certificate with multiple SAN entries for all 3 services, you can simply check the 3 checkboxes and assign the certificate. If you’re using multiple certificates then you’ll need to assign them one after another:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
If you receive the following error:
> Assign CertificateSet-CSCertificate -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication -Thumbprint 3D38E6906DD8FB0B2D22E2B1F442543A16B60EA3 -Verbose -Confirm:$false -Report "C:\Users\Administrator\AppData\Local\Temp\2\Set-CSCertificate-[2011_02_09][21_20_06].html"Creating new log file "C:\Users\Administrator\AppData\Local\Temp\2\Set-CSCertificate-8db604ab-4bd7-4ede-a207-02df1c8e2ab3.xml".Assign the certificate to the Central Management Store.Creating new log file "C:\Users\Administrator\AppData\Local\Temp\2\Set-CSCertificate-[2011_02_09][21_20_06].html".Warning: Set-CSCertificate failed.Warning: Detailed results can be found at "C:\Users\Administrator\AppData\Local\Temp\2\Set-CSCertificate-[2011_02_09][21_20_06].html".Command execution failed: "3D38E6906DD8FB0B2D22E2B1F442543A16B60EA3" not found in MY certificate store or not trusted. To enable trust, install the root certificate in the Trusted Certification Authorities store.
See my previous post for the solution: http://terenceluk.blogspot.com/2011/02/lync-server-2010-edge-server-public.html
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Once you’ve completed the assignment of certificates, you can proceed to start the Edge services:
… and now we’re done!
30 comments:
I'm trying to set up an Edge server on our network. We don't have a perimeter network or a DMZ and we only have one external IP address. How would we set this up as all instructions I can find on setting up and Edge server won't work on our network.
Hi Adrienne,
If you don't have a perimeter or DMZ network, you'll simply have 2 NICs on your Edge server where:
NIC 1: External IP
NIC 2: Internal IP
You can actually just treat the DMZ network I reference to in my blog post as your external network and everything else will pretty much be the same.
I dicussed this with my colleagues and they say that you can't put an external IP address on an internal networked server. The Edge server is behind a firewall and NAT setup so by putting an external IP address on the server wouldn't really do anything.
I should probably add that we also do not have a reverse proxy server. Is there anything extra we will need to configure/not configure in this situation?
Hi Adrienne,
It's fine to have your public IP NAT-ed so in this case, you should create a subnet for the external interface of your Edge server which is effectively creating a DMZ-like network. You should have the 2 NICs on your Edge server sitting on different IP subnets because you need to clearly define which is for external and internal traffic.
As for not having a reverse proxy, you can have your firewall provide SSL tunneling to your internal front-end server for external requests to download address book, expansion groups, etc.
Hi Terence
Great blog you got going here!
If you use DNS loadbalancing for the front end pool, do you know if it will work to use the hosts file when you dont have a DNS server in the DMZ? Or do you have to rely on DNS to make it work properly?
Hi Terence, great blog of this deployment! I really like the detailed explanation other sites don't have.
This will be a first/fresh install of Edge and I have a question about the external certificate. What certificate names do I need to purchase? Also, what is the URL for people working from home/remote to IM without using VPN? That was orignally my main goal when deploying this.
Thanks,
Charles
Hi Terence!
I follow your steps to deploy my edge server, but i had one error when i try start the services:
Warning: Cannot start service RTCMEDIARELAY on computer 'edgeserver.domain.com'
Any idea to help me?
Very good how to!
Sorry about the delay in reply guys.
@Anonymous: I'm not positively sure but I do not think host files will work because I don't think the server performing lookups via the host file will round robin entries.
@Charles: The edge service requires 2 entries for SIP and web conferencing from your public CA but it is possible to use the public CA to add internal entries. The ones I typically use for edge is sip.domain.com, webconf.domain.com, av.internalDomain.com, edgeServerName.domain.com. Now before you proceed and go buy the certificate, it's important to review what other services you would like to deploy and whether you would like to put the additional public DNS entries into the same certificate. Case in point, I've always preferred to have 1 single certificate with 10 entries but it's really preference.
@Pedro: There could be many reasons why so I would suggest that you review the event logs
to get some additional information about what might be causing the error.
Is it me or is does this process seem a bit overly-complicated? Even from the comments people seem to be trying to simplify or reduce requirements.
Hi..Do I need an ende server in the following scenario?
1.I have Lync Server installed in 2 different locations. Both these locations are connected by site to site VPN. what are things that have to be installed inorder for federated user access to work?
2. Even if I have to install the Edge Server, can I install the Edge Server in the same machine as the Standard Edition Server?
Hi, thanks for the article. I am trying to add Edge server (services) to an existing Lync server. I have gone through all the steps to prepare the topology and publish the topology but when I go into the deployment wizard I cannot run setp 1 it is greyed our as completed. Any suggestions. Thanks
Hi Danny,
What usually causes Step 1 to be greyed out is if there are prerequsites missing. Can you go through the list of tasks you need to do on the Edge server prior to running step 1 and ensure that they've all been completed? I wouldn't worry about the configuration for the topology builder as I don't think that would affect step 1. Thanks.
Hello, When you say that you want to add a persistent route on the edge server how are you formulating the command? If you already have one NIC setup with an internal IP address will Windows not know to route traffic that direction?
Internal IP: 10.1.1.10
External IP: 10.2.1.10
You cant do:
route add 10.1.1.0 MASK 255.255.255.0 10.1.1.10
What would the command look like?
~Matt
When trying to connect to lync from outside the firewall I get the error...cannot connect to the server because the required security is not in place......is this because I need the reverse proxy?
hi, i have a error "Command execution failed: Cannot connect to KOREA.kor.contoso.com. Verify that you can connect to the server, have the appropriate permissions, and that you logged on with the correct credentials." i did guide but not sucessful. i dont to do, help me!
Once we are back online we can begin the install. The process will be basically the same as other Lync roles with a few exceptions. We will begin with step 1 to install the Local Config store.
When I run the setup I never get the option on step 1 to click on run. It shows for a second and then is greyed out. Any suggestions?
Thanks
Hi,
Great article, certainly given me something to think about.
If I have a single standard lync server, do I still need an edge server to get external A/V working?
By poking some holes in our firewall I can get IM to work but not A/V.
Many Thanks
Rob
we are in the process of deploying the edge server.
We do not have a DMZ. Most of the blogs explain on how to have 1 Internal IP, 3 DMZ IP & 3 Public IPs.
Since we do not have a DMZ,
1. Do we need 2 NICs, one internal & external?
2. If so, what will be the entries on the external link?
3. do we need to set up static routing?
4. now while setting up rules on the firewall,how can we assign 3 public IPs to a single edge server.
please advise.
Thank You in advance
Philip
Hi Terence,
This is such a great article I've been looking for and thanks to you.
But I have a small question. How can an extended client may configure a connection for Lync server automatically. Do I need to put some a SRV dns record ? So maybe I should to provide them a Lync Atendee program ?
Hi Terence,
This article is great as many others at your blog!
Paul:
Regarding your question about automatic sign in, you just need to create a SRV record on your public DNS zone pointing to the external A record for access address (for example sip.contoso.com) and that's all.
Have a look at: http://technet.microsoft.com/en-us/library/gg398288.aspx
Marcs thanks a lot for Your comment,
but ragerding to Microsoft gg398288.aspx website it is not as so clear like to me.
A have a question,
whet ports should I have to forward in dmz NAT ?
I saw 443 and 5061 (if I want a fedaration in Lync).
And I'm wondering if I want to add a federation to my lync topology, shoult I provide to lync another Windows Server R2 with a federation services onboard ?
Great Post. Having a problem requesting the internal edge certificate. It completes with 1 error.
Active Directory Certificate Services denied request X because There is a time and/or date difference between the client and server. 0x80070576 (WIN32: 1398). The request was for CN=lyncedge.XXXX.Com, OU=BLAH, O=BLAH, L=BLAH, S=BLAH, C=US. Additional information: Denied by Policy Module 0x80070576, Active Directory Certificate Services could not find required Active Directory information.
All the Time and Dates are synced.
TIA
Coop
You have to have some problems with AD connection with your machine,
You shouldn't to change date/time.
That's a role of kerberos authentication between AD and your host.
I think maybe you should try to move your host from ad client -> to workgroup,
restart,
and then connect host to domain.
It probably should be helpful.
EDGE and Direcor pool.
Hey guys,
I have wondering about one thing,
when I was red about technet manuals about deploying an Edge Server,
they are first creating a director pool, and I'm wondering what is actually a purpose of director pool,
I was deploying an edge server to my Lync FE server and everything works fine (I wasn't deploying even a TMG server as they recommended in technet),
and one more question,
many people in my company are using MSN live communicator, and Microsoft Live Meeting,
I would like to integrate Lync with msn so the users could chatting with msn users and could to establish sessions with users over a LiveMeeting,
I don't know if is it possible,
In Lync ControllPanel thereis an bookmark (on the left) 'External UserAccess' and then federated servers, but this thing doesn't work to me.
and final question :) (I'm so sorry there's a huge questions from me)
After deploying edge server to my topology I should put an SRV record to my extarnal DNS,
but my extrnal dns is a bind in linux,
how could I can type SRV record over bind ?
Terence,
I ran into similar issue and I'm wondering if I need to install the certificate. You mentioned that it just needs to be imported...but it doesn't work for me.
I have time wait on my CA trying to get response from the edge server. I tried disabling firewall on both but nothing helps.
Any idea how to fix this issue?
Sorry, addition to my previous post. I meant "Command execution failed: Cannot connect to Servername.local. Verify that you can connect to the server, have the appropriate permissions, and that you logged on with the correct credentials."
Please advise.
I am trying to set up the edge server (In the DMZ with 2 NIC)everything goes smooth, but assigning the certificate for the internal part, i get to see the internal as missing rather than unassigned, not sure why so while i go to assign, i dont see any cert there. Any help?
hello
i have one standard edition server and now i am deploying edge server (single-edge).
as i dotn have any DMZ right now, am i able to deploy edge with using PUBLIC IP on edternal edge or i must use NAT ?
nomansaeed@gmail.com
Dear Terence, I am receiving "warning host not found in topology" although I have dns suffix and Edge pool seems to be good configured.
Can you help ? What else needs to be checked ?
Post a Comment