Friday, August 29, 2014

Configuring Lync Edge Server

In this post I’m going to add Lync Edge server and XMPP gateway to an existing Lync environment. The lab has the following servers and IPs:
Server Name
IP Address
Domain Controller/DNS/CA
Lync Enterprise Edition Front End
Lync Enterprise Edition Front End
Monitoring/Archiving Server
Lync Edge server – not domain joined (internal NIC)
The active directory domain name for this lab is, with the public sip domain 
To start with I have to create a copy of my public zone on my internal DNS server so internal clients can reach the Lync server directly.  To accomplish this I’ve created the following records in DNS:
Record Type
DNS Entry
IP Address
We also need to create an SRV record for client automatic sign-in.  The new record will be for “” and will point to on port 5061.

Now that our DNS zone is in order we can plan for our edge server.  In this example I will be using 1 internal IP, 3 DMZ IPs and 3 Public IPs.  Instead of placing the public IPs directly on the edge servers public NIC, I will NAT the public IPs to the private IPs with my lab.  I’ve also matched the last octet of the address to make it easier to manage at a glance.
Public Name
Public IP
Here is what the design looks like:

To start we need to add an edge to our topology, on the front end server (lyncfe) open “Lync Server Topology Builder”. Then we need to expand our topology, right click “Edge Pools” and choose “New Edge Pool”
Click “Next” on the “Define Edge Pool” page

Enter the FQDN you will be using for your edge and select “Single Computer Pool”
Next we have a screen offering 3 options:
  • “Use a Single FQDN & IP Address” – this option will not be selected because we have plenty of public IPs to use.  If you only have 1 IP this is a good option – however this will force you to use ports other than 443 which aren’t always open outbound from corporate networks and may cause usability issues on networks you cannot control.
  • “Enable Federation (port 5061) – this option will configure the edge server to listen on port 5061 of the access edge IP for inbound federation traffic from other Lync and OCS environments
  • “The external IP address of this edge pool is translated by NAT” – this option tells Lync the IP addresses on the outside interface of the edge are not the actual public IP addresses.  Putting the edge behind another firewall can give an extra layer of security and help prevent the server from being compromised.
For this scenario we have selected “Enable Federation (port 5061)” and “The external IP address of this edge pools is translated by NAT”

Next we define our public names for the edge roles, notice all roles use port 443.  I would highly recommend using this method if possible.

 Now we set the IP address for the internal network of our edge server.  In this scenario I have placed the internal NIC on the same subnet as the domain controller and front end server.  Because of limited resources in my lab I have configured the environment this way, whenever possible I recommend placing this NIC in another DMZ that has a higher security level than the DMZ for the outside interfaces.

At this point we specify the DMZ IP addresses of our edge server

In the next box we will enter the Public IP address of the A/V edge services (  

Next we select our next hop server (the front end server)

Next we click “Finish” and the wizard completes, we can now see our newly defined edge server in the Topology.

Now we can publish our topology.

Before we move on to working on the edge server we need to open the Lync Server Control Panel and configure our External User Access policies.
Under External Access Policy>Global Policy: Modify the existing policy to allow remote user access, federation and public IM connectivity (all of these are optional).  Click “Commit” when you have selected the options that are right for your environment

Now under Access Edge Configuration>Global Policy: Modify the existing policy to Enable Federation, remote user access and anonymous access to meetings.  I’ve also enabled dynamic domain discovery.  This allows our Lync users to automatically add Lync users from other environments without requiring administrative configuration.  This option may not be right for all environments, if it isn’t right for your environment you’ll want to use the “Federated Domains” tab to define the allowed domains and uncheck this option.  Next click “Commit”

Now that our environment is ready, we need to export the topologies configuration to a file which we we’ll import during the Edge install.  On the front end server open “Lync Server Management Shell” and run the command:
Export-csconfiguration –filename c:\

The file “” will now be on the C drive of your front end server.  This file will need to be copied to the edge server.

Now that the topology has been updated we need to log into our edge server and configure it.
First we need to make sure that all the IP Addresses get assigned to the appropriate NIC.
On the internal NIC we will use only an IP Address and subnet mask, we cannot put a default gateway on this interface.

Next, on the external NIC we will fill in an IP address, subnet mask, default gateway and DNS, do not click “OK” yet

We also need to bind our other 2 IP addresses to the external NIC, to do this click the “Advanced” button and then click “Add” under “IP Addresses” and add each IP address

At this point we’ll want to add a route back to any internal networks the internal NIC. 
Route add –p mask
The “-p” portion of this command makes the route persistent, “” is the next hop router to reach the other internal networks.
Next we need to configure hostname of our edge server.  When we configure this value we must also add a primary DNS suffix.  This is different than adding the computer to the domain, but it does tell 
the computer it’s full name.

Once you have updated the name and primary DNS suffix and you click “OK” you will be prompted to reboot the edge server.
While the edge server is rebooting we can add a DNS entry on the domain controller so all internal resources know how to reach the server by its “FQDN” – it’s not actually an FQDN because it isn’t domain joined, but the rest of the systems will need to be able to route to it like it is.

Once the edge has rebooted we will need to add the feature “Microsoft .NET Framework 3.5”, to do this open Server Manager, go to Features, click “Add Features” and choose “Microsoft .NET Framework 3.5”.

You can click “next” through all other screens and then click “Install”.  Once the install completes we can move on to starting the Lync install.  First we need to copy the file created above to the C drive of the edge server.

Now we can run the CD, we will immediately be prompted to install the “Microsoft Visual C++ 2008 Redistributable”, click OK here:

The install window for Lync will pop up when the C++ install completes
Click “Install” and then accept the terms and click “OK”
Now we are back in the familiar Lync Server Deployment Wizard
Click on “Install or Update Lync Server System”

Under Step 1 we click “Run”
Select the file from the C drive and click “Next”.  This will allow the edge server to gather its settings from the export file.

A number of pre-requisites are installed at this point.  When this completes click “Finish”

Now click “Run” under Step 2

Click “Next” and a number of pre-requisites are installed

Once the install completes we can open up the Services snap-in and see the Lync Services are now present.

Before we can move on to Step 3 (Requesting Certificates), we need to make it possible for the edge server to resolve names of the internal servers it will talk to.  This will include the CA because we will need to request the certificate for the internal interface from the internal CA.  Also, we will need to trust the internal CA so we will need to export its certificate and install it on the edge server.
To allow the edge server to resolve some internal names but not all we have a few options, a DNS server in the DMZ is one, but for this article we will be editing the host file.  The reason I’ve chosen not to utilize the internal DNS servers is to limit the number of servers the edge server can look up in case it is compromised.
The host file is located at “C:\windows\system32\drivers\etc”, the best method of editing this file is to run Notepad as administrator and then open this file (You’ll have to switch to “All Files” in the file type selection box)

For this scenario I will add entries for the CA and the Front End server:

Now that we can resolve the CA, we’ll use the web enrollment page to download the Root CA chain.
Open IE and go to, you may have to authenticate, if you do use your domain account.  Click on “Download a CA Certificate, Certificate Chain, or CRL”

Click on “Download CA Certificate”

Save the file to the desktop or another location on the edge server.
Open the certificates snap-in for the local computer, expand “Trusted Root Certificate Authorites”, right click “Certificates” and choose “Import”

Browse to the file you download in the last step and click “Open”
This will import the certificate into the trusted store for the local computer.

Now we move on to Step 3 in the Deployment Wizard, requesting and installing certificates
Highlight “Edge Internal” and click “Request” – this will allow us to request the certificate for our internal communications between the edge server and the front end.

you should be using all defaults here other than information specific to your environment.  I will however strongly suggest you do not add any SANs to this certificate.  One other thing of note, you will want to do this certificate request online, specifying your internal CA as show below

You will also have to provide domain credentials to request the certificate
Once the request is completed the wizard will automatically take you to the next wizard to assign the certificate.  Again, this is a next-next-finish scenario.

Because this is a lab scenario and I will not be requesting public certificates I will just re-run this wizard select “External Edge Certificate” for the second certificate.  If you are using public certificates you will want to choose “Prepare Request now but send later (offline request)” for your request.

The new certificate will have the following fields automatically, unless you are configuring multiple sip domains there is no need to modify this or add additional SANs.
Subject (Common Name)
Now we can run Step 4 to start the services and our edge server should be up and running.

Once this process is complete the NATs and access lists must be created on the firewall to allow the appropriate traffic in and out
After the firewall changes are made we need to create the A records for each of our services on the public DNS server
Record Type
IP Address
You will also need to create an SRV record for auto sign-in on the domain and federation. For automatic sign-in you can create an SRV record for pointing to your access edge server ( on port 443.  For federation you will need to createn an SRV record for pointing to your access edge server on port 5061.
Now we can test the server using and get ready to deploy reverse proxy.