End of Life Products and Features - Configuring the Lync Edge Server Role for Express for Lync 2.0
Overview
An edge server is a required component of Express for Lync if you plan on deploying external access to the Lync environment. It can provide access to the following Lync components:
External Client Access
Audio/Video conferencing support to external and public users
Federation support (XMPP and Office 365)
Web conferencing support
It is important to note that the Lync Edge Server MUST NOT be a domain-joined computer. Keeping it out of the domain protects the Active Directory (AD) domain from any unwanted activity or access.
You require 2 SSL certificates for the operation of the Reverse Proxy Server:
Internal Active Directory generated certificate, which was covered while setting up Active Directory Certificate Services
External SSL Unified Communications certificate, which can be purchased online through various certificate authorities
The external certificate is used to authenticate requests through the TLS protocol. The Edge server will send requests directly to the front end pool, and act as a Session Border Controller (SBC) for your Lync environment. This is not to be confused with your actual SBC, which is used for Enterprise Voice and PSTN connectivity.
The Lync Edge server MUST sit in a Demilitarized Zone (DMZ) of any network with a persistent static route to the internal network.
***PLEASE NOTE THAT THERE IS NOW AN UPDATE AVAILABLE TO THE EDGE SERVER VM. IT ADDS IN THE WINDOWS IDENTITY FOUNDATION 3.5 FEATURE AS WELL AS SOME LYNC DEPENDENCIES. PLEASE FOLLOW THIS LINK TO UPDATE YOUR EXPRESS FOR LYNC APPLIANCE WITH THE NEW VIRTUAL MACHINE IMAGE***
***PLEASE NOTE THAT THIS PAGE IS UNDER CONSTRUCTION. A LINK HAS BEEN ADDED TO A PAGE WHICH WILL HELP COMPLETE THE EDGE SERVER DEPLOYMENT. WE WILL HAVE A FULL GUIDE SOON***
Activate the Edge Server
In order to begin using the edge server role, you must turn it on within the Hyper-V manager. Follow the steps below to gain access to the server.
Launch the Hyper-V Manager from the Windows Start Screen.
In the Hyper-V Manager window, select the virtual machine labelled "LyncEdgeServer2012". Right click on it and select "Settings...".
In the settings window, on the left hand side you will notice configuration options. Scroll down to "Automatic Start Action" and select "Always Start the Virtual Machine automatically". This will always start the domain controller when the Express for Lync appliance boots up. Click OK to accept the changes.
Double click on the virtual machine labelled "LyncEdgeServer2012" to launch the Remote Terminal Window. Click on the start button to start the virtual machine. The start button is the Green icon at the top of the virtual machine connection window.
Setup Networking for the Lync Edge Server
At the virtual machine welcome screen, go to the action menu, and click on the menu item "Ctrl+Alt+Delete" to bring up the login screen. Enter the following credentials to login:
username: administrator
password: sangoma1!
Configure the Internal and External Network Interfaces
The internal and external network interfaces have to be configured to use static IP addresses. Follow the instructions below in order to setup the static IP addresses for both interfaces.
From the windows start screen, click on the "Control Panel" icon.
In the control panel, select "Network and Sharing Center".
In the Network and Sharing Center, you will notice 2 network interfaces. "Ethernet" is identified as the EXTERNAL interface and "Ethernet 2" is identified as the INTERNAL interface. The first thing we will do is setup the external interface. Click on "Ethernet" to bring up the ethernet properties.
From the Ethernet Status window, click on the "Properties" button to bring up the Ethernet Properties.
From the Ethernet Properties window, select "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties".
In the IPv4 properties, enter the DMZ static IP or the External un-NATed IP being used for the Reverse Proxy Server. It is common practice to place this server in a DMZ, however, for smaller installs, you may use a direct external IP address. If using an external IP, make sure that the Windows Firewall is left on, as the server will otherwise have no protection against malicious activity.
Once the IP information is entered, click "Ok" to close the window, and click "Ok" to close the ethernet properties window. Click "Close" on the ethernet status window to close that window as well. Return to the Network and Sharing Center to setup the internal NIC.
From the Network and Sharing Center, click on "Ethernet 2" to bring up the ethernet status screen. Repeat steps 4 and 5 to bring up the IPv4 properties window.
For the internal NIC, all we need to enter is the IP address and Subnet Mask. You should not enter a Default Gateway and a DNS Server. We will setup a permanent static route so that the reverse proxy server can communicate with the internal LAN.
Once the IP information is entered, close all the windows again and close the control panel as the IP configuration is now complete.
Setup a Permanent Static Route to the Internal Network
We need to setup a permanent static route to the internal network so the reverse proxy server can communicate with the Lync front end pool. Follow the instructions below to setup the route.
Launch the "Command Prompt" by going to the windows start screen and searching for the app "Command Prompt".
In order to setup the static route, you must first find the numerical value for the internal network interface. This can be done by using the "ROUTE PRINT" command. On this system, my internal interface is "Microsoft Hyper-V Network Adapter #2". The interface ID number is "13".
In the command prompt, enter the following command. Adjust the command depending on the Internal LAN networking schema.
route add -p 10.10.0.0 mask 255.255.248.0 10.10.2.56 metric 2 if 13
You can confirm if the route addition worked by pinging an IP address on your network. If you were unable to ping, you must delete the old route by using the "ROUTE DELETE" command and re-enter it.
If the ping was successful, then you have successfully setup the static route and can proceed with your configuration.
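The following is an added example, not part of the original guide: a small Python check for the arguments of the "route add -p" command before it is typed, covering the usual reasons the ping fails (misaligned destination, next hop not on the internal NIC, internal host not covered by the route). The function name check_static_route, the internal NIC address 10.10.2.60/255.255.255.0 and the front end address 10.10.5.20 are assumptions made for illustration; the route values are the ones used above.

```python
import ipaddress

def check_static_route(dest, mask, gateway, if_index, nic_ip, nic_mask,
                       targets, metric=2):
    """Validate arguments for `route add -p` on the internal NIC.

    Returns (command, problems); command is None when problems were found.
    """
    try:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        nic = ipaddress.ip_interface(f"{nic_ip}/{nic_mask}")
        gw = ipaddress.ip_address(gateway)
        hosts = [ipaddress.ip_address(t) for t in targets]
    except ValueError as exc:
        return None, [f"invalid address or mask: {exc}"]

    problems = []
    # Windows rejects a destination with host bits set:
    # (Destination & Mask) must equal Destination.
    if ipaddress.ip_address(dest) != net.network_address:
        problems.append(f"destination {dest} is not aligned to {mask}; "
                        f"use {net.network_address}")
    # The internal NIC must not become a second default gateway.
    if net.prefixlen == 0:
        problems.append("0.0.0.0/0 on the internal NIC is a default route")
    # The next hop has to be reachable directly through the internal NIC.
    if gw not in nic.network:
        problems.append(f"gateway {gw} is outside internal subnet {nic.network}")
    # Hosts outside the route (and not on-link) would be sent to the
    # external default gateway instead of the internal LAN.
    for host in hosts:
        if host not in net and host not in nic.network:
            problems.append(f"{host} is not covered by {net}")
    if problems:
        return None, problems
    return (f"route add -p {net.network_address} mask {net.netmask} "
            f"{gw} metric {metric} if {if_index}"), []

if __name__ == "__main__":
    # Route values from the page; NIC and front end addresses are constructed.
    cmd, issues = check_static_route(
        "10.10.0.0", "255.255.248.0", "10.10.2.56", 13,
        nic_ip="10.10.2.60", nic_mask="255.255.255.0",
        targets=["10.10.5.20"])
    print(cmd or "\n".join(issues))
```

Pass every internal address the edge server must reach (front end pool, internal DNS) in targets, so that any host that would fall through to the external default gateway is reported before the route is added.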
Configure the Edge Server
After the LAN interfaces have been configured, you must add the edge server FQDN (Fully Qualified Domain Name) to the internal and external DNS servers.
For the internal DNS Server, you must add the machine FQDN. For example, if your machine name is lyncexpressedge.lynctest.local, then you must add this name to the internal DNS server together with the internal IP address of the server.
For the external DNS Server, you must add the FQDN which is published within the Lync topology. If you published lync-edge.lynctest.com, then you must add this name to the external DNS server together with the external IP address of the Lync edge server as documented within the topology.
External Certificates
In order to configure the Edge Server, we must purchase external SSL certificates. Without the external SSL certificates, you cannot complete the Lync Deployment wizard. The External Certificate MUST be a Unified Communications (UC) Subject Alternative Name (SAN) based SSL certificate. These types of certificates are generally sold online through various certificate authorities. You may visit some of the websites below in order to purchase a UC SAN certificate:
The primary certificate name is to be the FQDN of the edge server. If the external name of the edge server is different from the internal name, you MUST use the external name of the edge server.
You would require at least 3 SAN names within your SSL Certificate. By default, we use the names below:
access.<domain>.com
webconf.<domain>.com
av.<domain>.com
You will need to perform a certificate request as per the Lync Edge Server Deployment. The Deployment wizard will have these already populated within the request.
Configure the Edge Server
At the moment, there is no step by step configuration for the edge server provided by Sangoma, please see the link below in order to complete your edge server:
Technet: https://social.technet.microsoft.com/wiki/contents/articles/16931.installing-lync-2013-edge-server.aspx
Other Source: https://www.orcsweb.com/blog/cory-granata/installing-lync-2013-edge-server/