56. Lync Server Edge scenarios
External User Access: Lync clients can transparently connect to the Lync Server deployment over the public Internet
PIC: connecting with public IM providers
Federation: federation with other enterprises; IM&P only, or all modalities (A/V and Application Sharing)
58. Terms & Acronyms
Candidate: possible combination of IP address and port for a media channel
NAT: Network Address Translation
TURN: Traversal Using Relay NAT
STUN: Simple Traversal of UDP through NAT / Session Traversal Utilities for NAT
59. Home NATs
General NAT/firewall behavior: allows connections from the private network, blocks connections from the Internet
Security/usability tradeoff: blocks attackers from harming your system
PROBLEM: also blocks incoming signaling and media
[Diagram: home network behind a Home NAT, connected to the Internet]
60. Corporate Firewalls
Though more scrutinized, the goals are similar: sharing of IP addresses, controlling data traffic from the Internet
Two firewalls isolate via a perimeter network
[Diagram: Work network, Inner FW, Perimeter Network, Outer FW, Internet]
61. Why is NAT traversal a problem?
SIP signaling over TCP uses the Access Edge
UDP media flows over a separate channel
Pre-ICE endpoints use local IPs and ports
No media can be sent between (a) and (w)
[Diagram: Home client behind the Home NAT with local address (a); Work client behind Outer FW and Inner FW with local address (w); INVITE m/c = a and 200 OK m/c = w are exchanged over TCP via the Access Edge, while UDP media addressed to (a) or (w) cannot be delivered]
62. Solution: STUN, TURN, ICE
Add a Media Relay (aka A/V Edge Server)
STUN reflects NAT addresses (b) and (e)
TURN relays media packets (c), (d), (x), (y)
ICE exchanges candidates (cand) and determines the optimal media path
All three protocols are based on IETF standards
[Diagram: same topology as slide 61 with a STUN/TURN server (AV Edge) between Outer FW and Inner FW; the Home client offers cand=a,b,c,d,e, the Work client offers cand=w,x,y; INVITE m/c = a and 200 OK m/c = w still flow over TCP via the Access Edge]
64. Single IP address Edge
Internal interface: edge-int.contoso.com, 172.25.33.10; SIP 5061, Web Conf 8057, A/V Conf 443 and 3478
External interface: edge.contoso.com, 131.107.155.10; SIP 5061, Web Conf 444, A/V Conf 443 and 3478
65. Multiple IP address Edge
Internal interface: edge-int.contoso.com, 172.25.33.10; SIP 5061, Web Conf 8057, A/V Conf 443 and 3478
External SIP: access.contoso.com, 131.107.155.10; 443, 5061
External Web Conf: webcon.contoso.com, 131.107.155.20; 443
External AV: av.contoso.com, 131.107.155.30; 443, 3478
66. Edge using NAT IP addresses
External SIP (IP1, translated to IP1'): Lync Server does not need to know the translated SIP and Web Conf IPs
External Web Conf (IP2, translated to IP2'): clients connect to the translated public IP
External AV (IP3, translated to IP3'): clients connect to IP3' for A/V traffic; the translated AV IP must be configured in Lync Server
[Diagram: Edge Server with an internal interface (Int) and three external IPs behind a NAT into public IP space]
69. DNS Load Balanced Edge using NAT
DNS A records: access.contoso.com = IP1' and IP4'; webcon.contoso.com = IP2' and IP5'; av.contoso.com = IP3' and IP6'
Translated AV IP addresses must be configured in Lync Server individually: IP3 to IP3', IP6 to IP6'
[Diagram: Edge Server 1 (Int; IP1, IP2, IP3 translated to IP1', IP2', IP3') and Edge Server 2 (Int; IP4, IP5, IP6 translated to IP4', IP5', IP6') behind a NAT into public IP space]
70. Hardware Load Balanced Edge
DNS A records: access.contoso.com = VIP1; webcon.contoso.com = VIP2; av.contoso.com = VIP3
AV client connections are initiated over the VIP. Subsequent client AV traffic (UDP) connects directly to the Edge. TCP traffic continues to use the VIP.
NAT and HLB together are not possible
[Diagram: Edge Server 1 (Int; IP1, IP2, IP3) and Edge Server 2 (Int; IP4, IP5, IP6) behind a hardware load balancer (HLB) exposing VIP1, VIP2, VIP3 in public IP space]
71. DNS Load Balancing and Interop/Migration
Co-existence/Side-by-Side: an OCS 2007 or OCS 2007 R2 pool and Edge Server can co-exist with a Lync Server pool and Lync Edge Server
Only a single Edge (server/pool) for Federation is possible
DNS Load Balancing: legacy components do not support DNS LB
If the co-existence time is short: DNS LB
If the co-existence time is long: Hardware LB
73. Reverse Proxy and external access
Forwards external HTTPS and HTTP traffic to the Front End and Director pool
HTTPS: Simple URLs (Join Launcher URL); Address Book (download and/or web service, ABS); Distribution List Expansion (DLX); Web Ticket (Web Auth)
HTTP: Device Updates (firmware); Device Update logs upload
74. Reverse Proxy and external access
Simple URL forward to Director (recommended): a forwarding rule for the Simple URL to a single Director (or pool), port 443; the Reverse Proxy certificate's SAN must contain the base FQDN of each Simple URL
Web External Pool traffic forwarded to pools by the Reverse Proxy: the Reverse Proxy requires a forwarding rule for each Web External FQDN (Front End pool and Director), port 443; if external phone devices are implemented, a Reverse Proxy rule for port 80 is required; the Reverse Proxy certificate's SAN must contain the base FQDN of all configured Web External pools (Front End pool and Director)
75. Reverse Proxy
Forwarding rules: join.contoso.com to Director; meet.fabrikam.com to Director; webext1.contoso.com to Pool 1; webext2.contoso.com to Pool 2
DNS LB is not supported for HTTP/S traffic
These FQDNs are the SAN entries in the Reverse Proxy certificate
[Diagram: Client, Reverse Proxy, Director, Front End Pool 1, Front End Pool 2]
84. Edge Validation
A public web service tool is available for Edge validation; it supports OCS 2007 R2 and Lync Server 2010: https://www.testocsconnectivity.com
86. More Terms
Internal IP address: the IP address assigned to the network interface of the client computer
Reflexive IP address: the public IP address assigned to the home router
Media relay address: the public IP address of the Audio/Video Edge service that is associated with the internal Lync 2010 user's pool
87. Address Discovery (AV)
[Diagram: local endpoint behind a NAT/firewall, remote side on the right. The NIC address is candidate (a); after obtaining MRAS credentials the endpoint sends Allocate over UDP and over TCP to the Media Relay, yielding UDP candidates (b) and (c) and TCP candidates (d) and (e); the candidate list is a, b, c, d, e and (c) is the default]
88. Address Discovery (Desktop Sharing)
[Diagram: same layout; the NIC address (a) is the default, MRAS credentials are obtained, and a single Allocate over TCP to the Media Relay yields candidates (b) and (c); the candidate list is a, b, c]
89. Address Exchange
[Diagram: local endpoint (NIC, TURN relay, candidates a, b, c, d, default c) and remote endpoint (NIC, TURN relay, candidates w, x, y, z, default y), each behind its own NAT/firewall, with a SIP server between them. The SIP INVITE carries "c :: a,b,c,d"; 183 Session Progress and 200 OK carry "y :: w,x,y,z"; afterwards each side holds both candidate lists (a–d and w–z)]
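The address exchange above only shows which candidates travel in the INVITE and the 200 OK; what ICE does with them is not on the slides. The following is an added example, not code from the deck or from Lync Server: it applies the RFC 5245 candidate and pair priority formulas to the slide's labels (local a, b, c; remote w, x, y), builds the check list in priority order, and picks the first pair that passes a connectivity check. The sample addresses and the reachability model (host-to-host never works across two NATs, reflexive-to-reflexive works unless the NAT is symmetric, a relay on either side always works) are constructed assumptions; real ICE also discovers peer-reflexive candidates, which this model omits.

```python
from dataclasses import dataclass
from itertools import product

# RFC 5245 recommended type preferences (higher is preferred).
TYPE_PREFERENCE = {"host": 126, "srflx": 100, "relay": 0}


@dataclass(frozen=True)
class Candidate:
    label: str    # label used on the slide, e.g. "a"
    ctype: str    # host | srflx (STUN reflexive) | relay (TURN)
    address: str  # constructed sample address, not from the deck


def candidate_priority(ctype, local_pref=65535, component=1):
    """RFC 5245 section 4.1.2.1 candidate priority (single-homed host, RTP component)."""
    return (2 ** 24) * TYPE_PREFERENCE[ctype] + (2 ** 8) * local_pref + (256 - component)


def pair_priority(g, d):
    """RFC 5245 section 5.7.2 pair priority; G is the controlling side's
    candidate priority, D the controlled side's."""
    return (2 ** 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)


def build_checklist(local, remote):
    """Pair every local candidate with every remote one, highest priority first."""
    scored = [
        (pair_priority(candidate_priority(l.ctype), candidate_priority(r.ctype)), l, r)
        for l, r in product(local, remote)
    ]
    scored.sort(key=lambda entry: entry[0], reverse=True)
    return [(l, r) for _, l, r in scored]


def reachable(local, remote, symmetric_nat):
    """Constructed stand-in for a STUN connectivity check (assumption, simplified)."""
    if local.ctype == "relay" or remote.ctype == "relay":
        return True                      # the A/V Edge relay is always reachable
    if local.ctype == "srflx" and remote.ctype == "srflx":
        return not symmetric_nat         # reflexive pairs need endpoint-independent mapping
    return False                         # host addresses are private to their own network


def select_pair(local, remote, symmetric_nat=False):
    """Return the labels of the highest-priority pair whose check succeeds."""
    for l, r in build_checklist(local, remote):
        if reachable(l, r, symmetric_nat):
            return (l.label, r.label)
    return None


# Constructed sample candidate lists using the slide's labels.
LOCAL = [
    Candidate("a", "host", "192.168.1.20:50000"),
    Candidate("b", "srflx", "203.0.113.5:50000"),
    Candidate("c", "relay", "198.51.100.10:50000"),
]
REMOTE = [
    Candidate("w", "host", "10.0.0.7:50000"),
    Candidate("x", "srflx", "192.0.2.40:50000"),
    Candidate("y", "relay", "198.51.100.10:50001"),
]

if __name__ == "__main__":
    for l, r in build_checklist(LOCAL, REMOTE):
        print(f"{l.label}-{r.label}: {l.ctype}/{r.ctype}")
    print("selected (endpoint-independent NAT):", select_pair(LOCAL, REMOTE))
    print("selected (symmetric NAT):", select_pair(LOCAL, REMOTE, symmetric_nat=True))
```

The ordering shows why the relay is the fallback rather than the first choice: every pair involving the relay candidate sorts below every pair made of host and reflexive candidates, so media only flows through the A/V Edge when the direct and reflexive paths fail their checks.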
Slides Objective: Give an overview of the session.
Notes: This session covers the most important topics around the changes for Edge Server in Lync Server 2010:
Edge Scenarios: what Edge enables your users to do
Interop Federation: federations with non OCS/Lync Server 2010 environments: PIC, XMPP, Sametime, Cisco
Plan for Edge: FQDNs/Simple URLs, certificates, firewall, load balancing
Manage Edge: install, BigFin, federations
Edge architecture with multiple sites
Slides Objective: Give an overview of the architecture.
Notes: Edge Server enables a Lync Server 2010 deployment to communicate with external participants: remote users, federated users (including PIC) and anonymous users. On the left side we have the public network/Internet, then a perimeter network between an internal and an external firewall. On the right side we have the internal network. In the perimeter the Edge Server runs three services: Access Edge, Web Conferencing Edge and AV Edge. Additionally there is a Reverse Proxy, publishing meeting content, address book, and group expansion. The Director in the internal network is an optional role that acts as a next hop server. It adds additional security and, in a deployment with multiple internal pools, offloads the distribution of users to their home pools. The internal deployment shown here is simplified; of course there can be additional components such as an AV conferencing pool, Exchange UM, Monitoring Server, and so on. The symbols for Edge and Front End show pools, but single servers can also be used.
Slide Objective: Discuss the planning for Edge Server locations.
Notes: This is the same as in OCS 2007 R2. The only way to install Edge is as a consolidated Edge with all three server roles (Access Edge, Web Conferencing Edge, AV Edge). While multiple Edge Servers (pools) can be used as SIP ingress points for remote users, only a single Edge Server (pool) can be used for Federation traffic (including PIC). However, the SRV record will point only to one Edge Server (pool), which is used for client sign-in. To use localized Edge Servers (pools) for SIP traffic, GPOs can be used to specify connection settings. It is important to know which Edge Server, and which Edge Server role, is used when by a user. For SIP traffic, remote users always use the Access Edge Server they used for sign-in (located either through automatic login or via "manual" configuration/GPO). Independently of that, they will always use the AV Edge Server that is assigned to their home pool. For Federation/PIC traffic, the Access Edge Server used for the outgoing route is configured for the whole deployment. However, the AV Edge Server used for media sessions will always be the one assigned to the home pool of the user. Because media traffic is very dependent on network quality such as latency, it makes complete sense to use localized Edge Servers in all locations where you also have a pool. For conferences, the Web Conferencing Edge Server and the AV Edge Server used for the conference will be the ones assigned to the home pool of the user organizing the conference.
Slides Objective: Explain Edge Server scenarios.
Notes: Edge Server is useful in a number of scenarios. Depending on the type of communication partner, different features are available. The features are:
Presence
IM 1:1: two-party instant messages
IM conferencing: IM sessions with more than two users
Collaboration: share the desktop, one or more applications, whiteboard and files
A/V 1:1: two-party audio/video
A/V conferencing: audio/video sessions with more than two people
File Transfer: sending files over Lync 2010, two-party only. In Lync Server 2010, File Transfer uses the ICE protocol to establish a media path between two endpoints. That means that, in contrast to earlier versions of Lync 2010, we can now transfer files through NATs and firewalls. In conferences, files are not sent directly to other users; they are uploaded to the meeting on Lync Server 2010 and participants can download them from there.
In general there are four different kinds of users that interact with an Edge environment:
Remote users: these are users of the same company, with an Active Directory account, who are not connected to the internal enterprise network and are not using any VPN connection. Remote users have the full feature set and the same user experience as internal users.
Federated users: federated users are users from a different company with an Active Directory account at that company. They are configured for OCS at the other company, and a Federation is established between your company and the other company: a trust relationship that allows users from both companies to communicate with each other. Federated users have the full feature set except for the address book. There is no address book sharing over the Edge Server, but contacts can be added to Active Directory Domain Services (AD DS) so that federated users can be found. In Lync 2010, federated users are marked with a planet icon to distinguish them from internal users.
If the federation partner has an older version of Lync Server 2010, the user experience will be the same as in migration/co-existence scenarios and the feature set will be limited. However, as in co-existence, federated users can use the Lync Attendee to join meetings with the full feature set.
Anonymous users: users without an AD account in your OCS environment or in a federated one. These users can use the AOC to join meetings. However, the AOC does not offer presence or 1:1 capabilities; from a technical perspective this is a conference and hence hosted on a conference server, without peer-to-peer traffic in the client. Of course, you can have a conference with only two participants.
Non Lync Server 2010 federation partners such as PIC (MSN, Yahoo!, AOL) or XMPP partners support only basic presence (a reduced set of presence states) and 1:1 IM. The only exception is MSN, which will offer AV capabilities with the Windows Live Messenger client from Windows Live Essentials 2011.
Slides Objective: Discuss federations with non-OCS/Lync Server 2010 environments.
Notes: Lync Server 2010 offers a number of interoperability scenarios with non OCS/Lync Server 2010 environments. The goal of this and the following slides is to give an overview of the solutions and create awareness of the possibilities, not to give deep-dive configuration information. Detailed information is provided in the links section.
PIC (Public Internet Connectivity) is the integration of public Instant Messaging providers into Lync Server 2010. PIC can also be activated for only a subset of the PIC partners.
IBM Lotus Sametime and Cisco Presence allow integration for IM and presence; on the Lync Server 2010 side this is configured as a Federation.
For XMPP an additional server in the perimeter network is required with the XMPP gateway installed on it. The XMPP gateway is provided by Microsoft and does not require an additional license.
Slides Objective: Provide a brief overview of how to set up interop federations.
Notes: Federation with Windows Live and AOL does not need additional licenses; Federation with Yahoo! requires the Lync Server 2010 Public IM Connectivity (PIC) per-user subscription license. The Lync Server 2010 PIC license is sold separately on a per-user, per-month basis as a Microsoft service. PIC service licenses are available for Microsoft Volume License customers only. http://www.microsoft.com/en-us/lync/public-im-connectivity.aspx
Federation with Google Talk and Jabber can be enabled through the Microsoft Office Communications Server 2007 R2 XMPP Gateway, available at no additional licensing cost. This gateway provides presence sharing and instant messaging (IM) with XMPP networks like Google Talk.
IBM Lotus Sametime requires Sametime version 8.0.2 with Hot-Fix One (HF1) or above; Sametime is SIP/SIMPLE based and requires the Sametime Gateway. http://publib.boulder.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=/com.ibm.help.sametime.v85.doc/config/config_gw_conn_ocs.html
Cisco Unified Presence requires at least Unified Presence Server 7.0 and Adaptive Security Appliance 8.0.4.X. A guide for federating Cisco Unified Presence with OCS can be found here: http://www.cisco.com/en/US/docs/voice_ip_comm/cups/7_0/english/integration_notes/federation/Integration_Guide_for_Configuring_Cisco_Unified_Presence_70__for_Interdomain_Federation.book.pdf
Slide Objective: Discuss certificate requirements.
Notes: Lync Server 2010 requires fewer public certificates (certificates that are signed by a public certification authority). A single public certificate can be used for Access Edge, Web Conferencing Edge, AV Edge and even the Reverse Proxy if the SANs are manually added in the request. Consider the various SANs that might be required (Simple URLs, multiple domains). The wizard can automatically add all required Subject Names/Subject Alternative Names. For the internal interface, an internal certificate can be used.
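The SAN requirement stated here, together with the Reverse Proxy publishing rules on slides 74 and 75, is easy to get wrong when a Simple URL or a new web external pool is added later. The following is an added example, not code from the deck or from Lync Server: it derives the base FQDNs that must appear as SAN entries from the configured Simple URLs and web external FQDNs, compares them with an OpenSSL-style SAN string, and checks that each published FQDN has a port 443 forwarding rule (plus a port 80 rule for the web external FQDNs when external phone devices are in use, which is where this example assumes the port 80 rule belongs). The Simple URLs, FQDNs, SAN string and rule table are constructed from the deck's own names; the rule tuple format and the `external_phones` flag are assumptions of this example.

```python
from urllib.parse import urlparse


def base_fqdn(url_or_host):
    """Lower-case host name of a URL or bare host name, without a trailing dot."""
    host = urlparse(url_or_host).hostname if "://" in url_or_host else url_or_host
    return host.rstrip(".").lower()


def parse_san_list(san_text):
    """Parse an OpenSSL-style SAN string such as 'DNS:join.contoso.com, DNS:meet.fabrikam.com'.
    Only DNS entries count; IP or email SANs are ignored for this check."""
    names = set()
    for entry in san_text.split(","):
        entry = entry.strip()
        if entry.upper().startswith("DNS:"):
            names.add(base_fqdn(entry[4:].strip()))
    return names


def required_fqdns(simple_urls, web_external_fqdns):
    """Base FQDN of every Simple URL plus every configured web external FQDN."""
    return {base_fqdn(u) for u in simple_urls} | {base_fqdn(f) for f in web_external_fqdns}


def missing_sans(simple_urls, web_external_fqdns, san_text):
    """FQDNs the Reverse Proxy certificate must cover but does not (exact match only)."""
    return sorted(required_fqdns(simple_urls, web_external_fqdns) - parse_san_list(san_text))


def missing_forwarding_rules(simple_urls, web_external_fqdns, rules, external_phones=False):
    """(fqdn, port) pairs that still need a Reverse Proxy forwarding rule.
    rules: list of (fqdn, port, target) tuples (constructed format for this example)."""
    published = {(base_fqdn(fqdn), int(port)) for fqdn, port, _target in rules}
    needed = {(fqdn, 443) for fqdn in required_fqdns(simple_urls, web_external_fqdns)}
    if external_phones:  # assumption: the port 80 rule is needed for the web external FQDNs
        needed |= {(base_fqdn(f), 80) for f in web_external_fqdns}
    return sorted(needed - published)


# Constructed sample configuration built from the names on slides 74 and 75.
SIMPLE_URLS = ["https://join.contoso.com", "https://meet.fabrikam.com"]
WEB_EXTERNAL = ["webext1.contoso.com", "webext2.contoso.com"]
RULES = [
    ("join.contoso.com", 443, "director"),
    ("meet.fabrikam.com", 443, "director"),
    ("webext1.contoso.com", 443, "pool1"),
    ("webext2.contoso.com", 443, "pool2"),
    ("webext1.contoso.com", 80, "pool1"),
]
# Constructed SAN string with one Simple URL FQDN left out on purpose.
SAN_TEXT = "DNS:join.contoso.com, DNS:webext1.contoso.com, DNS:webext2.contoso.com"

if __name__ == "__main__":
    print("missing SANs:", missing_sans(SIMPLE_URLS, WEB_EXTERNAL, SAN_TEXT))
    print("missing rules:", missing_forwarding_rules(SIMPLE_URLS, WEB_EXTERNAL, RULES))
    print("missing rules with external phones:",
          missing_forwarding_rules(SIMPLE_URLS, WEB_EXTERNAL, RULES, external_phones=True))
```

The check deliberately uses exact name matching: if the certificate request is extended later for a new pool or Simple URL, the missing entry shows up before the certificate is issued rather than as a TLS name mismatch at the external client.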
Slide Objective: Explain port changes for the Reverse Proxy from OCS 2007 R2.
Notes: First explain the setup: this first diagram is about the Reverse Proxy. On the left side is the external network, the Internet. On the right side is the internal network, the corporate network. In between is the perimeter network with an internal and an external firewall. For the external interface, port 80 was added on the Reverse Proxy. This port was not required in the previous version. On the internal interface, port 8080 was added to forward all requests sent to port 80. Another change is that requests to port 443 are now mapped to port 4443 for the web components. This lets us use port 443 on the internal server for all internal queries and port 4443 for all external queries.
Slide Objective: Explain port changes for the Edge Server from OCS 2007 R2.
Notes: Again we have, from left to right, the external network, the perimeter network and the internal network. There is one Edge Server with all roles installed (Access Edge, Web Conferencing Edge and AV Edge). On the left side, the blue arrows at the top connect to the Access Edge IP. The single arrow in the middle connects to the Web Conferencing Edge, and the green arrows at the bottom connect to the AV Edge. On the internal firewall, all connections point to the internal Edge IP address. For replicating the configuration, the Central Management Store (CMS), running on one of the Front End Servers, uses port 4443 to push the configuration file to the internal interface of the Edge Server. The configuration data is stored in a SQL Express database on the Edge Server.
Slide Objective: Explain the requirements for the 50,000-59,999 port range.
Notes: This has not changed from OCS 2007 R2. The port range is required for federated media traffic. If federating with OCS 2007, the port range has to be opened for UDP and TCP, inbound and outbound. For Federation with OCS 2007 R2 or Lync Server 2010, only TCP outbound is required. If you don't open the port range, media to federated contacts will not work at all (OCS 2007), or Desktop Sharing and File Transfer will not work (OCS 2007 R2 and Lync Server 2010). Please note that File Transfer over firewalls will work only between Lync Server 2010 and Lync Server 2010.
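Because the required openings differ by federation partner version, it is worth auditing the external firewall rule set against this slide rather than assuming the range is open. The following is an added example, not code from the deck or from Lync Server: it encodes the per-partner requirements stated above for the 50,000-59,999 range, parses a constructed, simplified firewall rule format ("allow tcp out 50000-59999"), merges the allowed port intervals per protocol and direction, and reports which required openings are missing, including the case where two rules each cover only part of the range. The rule text format and the sample rules are constructed for this example; a real firewall export would need its own parser and rule-order handling.

```python
from dataclasses import dataclass

FEDERATION_MEDIA_RANGE = (50000, 59999)

# Required openings per federation partner version, as stated on the slide.
REQUIRED_RULES = {
    "OCS 2007": {("udp", "in"), ("udp", "out"), ("tcp", "in"), ("tcp", "out")},
    "OCS 2007 R2": {("tcp", "out")},
    "Lync Server 2010": {("tcp", "out")},
}

# What breaks when the range is not open, as stated on the slide.
IMPACT = {
    "OCS 2007": "media to federated contacts will not work at all",
    "OCS 2007 R2": "Desktop Sharing and File Transfer will not work",
    "Lync Server 2010": "Desktop Sharing and File Transfer will not work",
}


@dataclass(frozen=True)
class FirewallRule:
    action: str     # allow | deny
    proto: str      # tcp | udp
    direction: str  # in | out
    lo: int         # first port of the rule's range
    hi: int         # last port of the rule's range


def parse_rule(line):
    """Parse one line of the constructed format 'allow tcp out 50000-59999' (or a single port)."""
    action, proto, direction, ports = line.split()
    lo, hi = ports.split("-") if "-" in ports else (ports, ports)
    return FirewallRule(action.lower(), proto.lower(), direction.lower(), int(lo), int(hi))


def allowed_intervals(rules, proto, direction):
    """Merge the allow rules for one protocol/direction into sorted, non-overlapping port intervals."""
    intervals = sorted((r.lo, r.hi) for r in rules
                       if r.action == "allow" and r.proto == proto and r.direction == direction)
    merged = []
    for lo, hi in intervals:
        if merged and lo <= merged[-1][1] + 1:   # adjacent or overlapping: extend
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def range_covered(rules, proto, direction, port_range=FEDERATION_MEDIA_RANGE):
    """True when one merged allow interval spans the whole required range."""
    lo, hi = port_range
    return any(a <= lo and b >= hi for a, b in allowed_intervals(rules, proto, direction))


def missing_media_rules(rule_lines, partner):
    """Required (proto, direction) openings for this partner that the rule set does not provide."""
    rules = [parse_rule(l) for l in rule_lines if l.strip() and not l.lstrip().startswith("#")]
    return sorted(req for req in REQUIRED_RULES[partner] if not range_covered(rules, *req))


def audit_report(rule_lines, partner):
    """Human-readable summary for one partner version."""
    missing = missing_media_rules(rule_lines, partner)
    if not missing:
        return f"{partner}: federated media port range OK"
    gaps = ", ".join(f"{p}/{d}" for p, d in missing)
    return f"{partner}: missing {gaps}; {IMPACT[partner]}"


# Constructed sample rule set: TCP outbound fully open, UDP inbound split across two rules,
# no UDP outbound and no TCP inbound.
SAMPLE_RULES = [
    "# external firewall, federated media range (constructed sample)",
    "allow tcp out 50000-59999",
    "allow udp in 50000-55000",
    "allow udp in 55001-59999",
    "allow tcp in 5061",
]

if __name__ == "__main__":
    for partner in REQUIRED_RULES:
        print(audit_report(SAMPLE_RULES, partner))
```

The interval merge matters for the partial-coverage case: a rule set that opens 50000-59000 looks fine at a glance but leaves the top of the range closed, and the audit flags it as missing rather than present.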