Tag Archives: Edge Server Installation and Configuration

#Skype4B – Edge Pool Deployment Part IV


Skype for Business Server Edge Pool deployment has four parts to cover end to end deployment process. See Part I, Part II, Part III and Part IV for step by step process.

Part IV of the Skype for Business Server Edge Pool deployment focuses on certificates. Once you are done with the Edge server installation, you can request the certificates. An Edge server needs two different certificates: one internal and one external. For the internal certificate you can use your internal CA, while for the external certificate you generate the request and send it to your external CA to get the public certificate. Follow the step-by-step process below to request and assign the certificates:

Select “Edge internal” and click on “Request”

Select offline certificate request and click on Next

Browse to the location where you want to store the certificate request

Click on Next

Enter friendly name and select “Mark the certificate’s private key as exportable”

Fill the Organization Information

Fill the Geographical Information

Click on Next

Add the FQDNs of all the Edge servers which are going to be part of this pool

Review the summary and click on Next

Once completed successfully, click on Next

Click on finish to generate the CSR

Now that you have generated the CSR for the internal certificate, copy the *.req file and go to the internal CA to request the internal certificate.

Access your AD CS through the web interface and click on “Request a certificate”

Select “advanced certificate request”

Select “Submit a certificate request …… PKCS#7 file”

Copy and paste the *.req file content here and select “Web Server” as a certificate template

Select “Base 64 encoded” and download both the files

Install the root certificate on your Edge server. You may use “Download certificate chain” to get the root certificate.

Install only the root certificate from the “certificate chain” and store it in “Local Computer” under “Trusted Root Certification Authorities”

If you don’t install the root certificate, you may get an error while assigning the certificate

Once done with root certificate installation, go to the Certificate Wizard and click on “Import Certificate”

Select the *.cer file and click on next

Click on Next to import the certificate

Once completed click on finish

Now, select “Edge internal” and click on “Assign”

Click on Next

Select Certificate and click on Next

Review the summary and click on Next

Once completed click on Finish.
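The missing-root error mentioned above can be caught before the Import and Assign steps by building the certificate chain on the Edge server. This is an added example, not part of the original post: the .cer path is hypothetical, the expected names are the lab Edge server FQDNs from Part I, and the SAN parsing assumes an English-language Windows installation.

```powershell
# Added example: check an issued Edge certificate before importing and assigning it.
$cerPath  = 'C:\Certs\EdgeInternal.cer'           # hypothetical path to the downloaded Base 64 .cer
$expected = 'P1Edge01.UC.LAB', 'P1Edge02.UC.LAB'  # Edge server FQDNs from the Part I lab

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath

# Build the chain against the Local Computer stores, where the root CA must be installed.
$chain       = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$chainBuilds = $chain.Build($cert)
$statuses    = @($chain.ChainStatus | ForEach-Object { $_.Status })

# UntrustedRoot or PartialChain means the issuing root is not present in
# "Trusted Root Certification Authorities" of the Local Computer.
$rootTrusted = -not ($statuses -contains 'UntrustedRoot' -or $statuses -contains 'PartialChain')

# Collect the subject CN plus every DNS name in the Subject Alternative Name
# extension (OID 2.5.29.17). The "DNS Name=" label is the English display text.
$names  = @($cert.GetNameInfo('SimpleName', $false))
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $names += [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# Names that should be on the certificate but are not (comparison is case-insensitive).
$missing = @($expected | Where-Object { $names -notcontains $_ })

[pscustomobject]@{
    Subject      = $cert.Subject
    NotAfter     = $cert.NotAfter
    ChainBuilds  = $chainBuilds
    RootTrusted  = $rootTrusted
    ChainStatus  = $statuses -join ', '
    MissingNames = $missing -join ', '
}
```

Revocation checking is left at its default, so a CRL that is unreachable from the perimeter network shows up in ChainStatus separately from the root trust result.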

Once Certificate is assigned to “Edge internal”, you can select the “External Edge certificate…” and click on “Request”

Select “offline certificate request” and click on Next

Browse to the location where you want to save the certificate request file

Click on Next

Enter “Friendly name” and make sure “Mark the certificate’s private key as exportable” is selected

Enter your Organization Information

Enter Geographical Information

Click on Next

Select SIP domains and click on Next

Enter alternative SANs if you have any. (For example, if you want to use the same certificate for the reverse proxy as well, add the same names, such as lyncdiscover.domain.com, meet.domain.com, externalwebservices.domain.com etc.)

Once certificate request has been completed successfully, click on Next

Click on Finish to generate the CSR

Send the *.req file to your Public CA vendor and get the certificate. Once you receive the certificate, import and assign it.

Once certificate part is done, start the Edge server services

Open Skype for Business Server Management Shell and run “Start-CsWindowsService”

Enjoy your Edge services :)

Make sure you have public DNS records in place for external users.


#Skype4B – Edge Pool Deployment Part III



This post is a continuation of my preceding post #Skype4B – Edge Pool Deployment Part II and describes the step by step installation of Edge Server.

Log on to one of the Edge Servers with administrative rights.

Open PowerShell and add the following features.

Add-WindowsFeature NET-Framework-Core, Windows-Identity-Foundation, NET-WCF-HTTP-Activation45, Web-Asp-Net45 -Source D:\sources\sxs

Run Windows Update (KB2982006).

Install Silverlight.

Insert Skype for Business Server 2015 media and run setup.exe.

Accept License Agreement.

Run “Install or Update Skype for Business Server System” from deployment Wizard.

Run “Install Local Configuration Store”

Navigate to the exported edge configuration and click on Next.

Run “Setup or Remove Skype for Business Server Components”

Once step 1 and step 2 have completed successfully, request the certificates.

Request the Edge internal and external certificates separately. The internal certificate can be created from the internal CA, while the external certificate request can be sent to a Public CA to generate the certificate.

Once you have created the internal and external certificates, import the certificates and assign them.

I hope you enjoyed it :)


#Skype4B – Edge Pool Deployment Part II



This post is a continuation of #Skype4B – Edge Pool Deployment Part I and focuses on the SfB topology configuration for the Edge pool. Open Topology Builder on one of the FE / SfB management servers and follow the steps given below:

Open topology builder and select “Download Topology from existing deployment”

Right click on Edge Pools and click on New Edge Pool…

Click on Next

Define Edge Pool FQDN

Enable federation if you want

Select this option if you are using a single FQDN and IP address.

Select “The external IP address of this Edge pool is translated by NAT” if you are using NAT for external interfaces.

Define External FQDNs

Click on Add to add FQDN of your Edge servers.

Define the internal IP address and FQDN of your first Edge server

Define the external IP addresses of your first Edge server

In the same way, add the second Edge server.

Select the next hop pool. Select your FE pool if you are not using a Director; otherwise use the Director.

Select FE and Mediation pools which you want to associate with this Edge server pool.

Once you are done, publish the topology.

Once the topology is published successfully, export this configuration to install the Edge server.

Next part of this post will cover the step by step installation of Edge server.


#Skype4B – Edge Pool Deployment Part I


The Skype for Business Server Edge role is precisely the same as the Lync Server 2013 Edge role and follows the same deployment process. The Edge server role allows external Skype for Business Server users, such as remote, anonymous, federated and PIC users, to connect with the FE Pool/Server. An Edge server can be deployed as a standalone server or as a pool. If you are planning to deploy a standalone server, you can follow the Step by Step Lync 2013 Edge Server deployment blog post.

This post covers the step-by-step deployment process of a Skype for Business Server Edge Pool. The illustration below describes a very high-level design of the Skype for Business Server topology.

As illustrated in the above diagram, there will be three external interfaces and one internal interface for each Edge server. However, you can use one external and one internal interface for each Edge server, but in that case you will use different ports for each service.

First, prepare all the Edge servers in the perimeter network.

  • Install Operating System (Windows Server 2012 / 2012 R2)
  • Define Server Host Name with DNS Suffix (Ex: P1Edge01.UC.LAB, where UC.LAB is primary DNS suffix)
  • Configure IP Addresses (Define a gateway only on external interfaces)
    • In my setup, I have three different subnets:
      • 172.80.x.x/21 for Corporate Network (assigned on internal servers such as FE Pool)
      • 192.168.10.x/24 for Perimeter Network (assigned on Edge internal interface)
      • 10.10.80.x/16 for External Network (assigned on Edge external interfaces)
    • If you have two Edge Servers in a pool then you need a total of 9 IP addresses for external interfaces
      • 3 IP addresses per server
        • 1 for Access Edge
        • 1 for Web Conf Edge
        • 1 for A/V Edge
      • 3 IP addresses for VIP for all three services
        • 1 for Access Edge
        • 1 for Web Conf Edge
        • 1 for A/V Edge

Below is the list of IP addresses which will be used in this deployment.

P1Edge01.UC.LAB       Access Edge      Web Conf Edge    A/V Edge
External Interface    10.10.80.11      10.10.80.12      10.10.80.13
Internal Interface    192.168.10.11

P1Edge02.UC.LAB       Access Edge      Web Conf Edge    A/V Edge
External Interface    10.10.80.14      10.10.80.15      10.10.80.16
Internal Interface    192.168.10.12

P1EdgePool.UC.LAB     Access Edge      Web Conf Edge    A/V Edge
VIP                   10.10.80.17      10.10.80.18      10.10.80.19

Once you are done with the IP configuration, create a network route to move the external traffic from the Edge Pool to the Director / FE pool via the Edge internal interface.

Open Windows PowerShell or CMD, run ipconfig /all and note down the “Description” of the internal adapter.

Run “route print” and note down the Interface List number; in this case it is “12”.

Now add a route for internal traffic via the Edge internal interface; 192.168.10.1 is the IP address of the internal firewall, which will be used as the gateway to route the traffic. (Again, make sure the internal interface doesn’t have any gateway assigned.)

Follow the same steps to configure the route on the second Edge Server.

Next part of this post will cover the topology configuration and SfB Edge Server role installation and configuration.


Step by Step Lync 2013 Edge Server


Lync Server consists of multiple roles, and the Edge server role is one of them. The Lync Server 2013 Edge server role takes care of external connectivity for Lync users. It provides connectivity to Remote, PIC, Mobile, Federated and Anonymous users. An Edge server deployment provides external access to the different communication modalities: IM & Presence, Web Conferencing and Audio/Video Conferencing.

Edge server deployment is not as simple as other Lync server roles and requires attentive preparation before jumping into the installation. Let’s start the preparation for deploying a standalone Edge server role.

IP Address Planning:

I am using 192.168.x.x/16 IP addressing for the Internal Network, 172.25.x.x/16 IP addressing for the Perimeter Network and 10.x.x.x/8 IP addressing for the External Network. The IP address on the internal firewall is 172.25.33.100, which will act as a gateway for communication between the perimeter network and the internal network. The IP address on the external firewall is 10.1.1.100.

The internal NIC of the Edge server is behind the internal firewall and doesn’t have a gateway for the internal network. So, we will have to route traffic from 172.25.33.10 to the internal network via 172.25.33.100.

Follow the steps below to add the route.

Open a command prompt with administrative rights on the Edge Server.

Run “ipconfig /all” and note down the physical address and Ethernet adapter description of the internal NIC.

Now run route print and note the Interface List ID of the internal NIC.

 

Now add the persistent route for internal traffic.
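The route steps above, and the equivalent steps in Edge Pool Deployment Part I, can also be done with the NetTCPIP cmdlets, which allow the "no gateway on the internal interface" rule to be checked before the route is added. This is an added example, not part of the original posts: it uses the Lync 2013 lab addresses quoted above, and for the Part I lab the gateway would be 192.168.10.1 with the corporate subnet as the destination.

```powershell
# Added example: persistent route for internal traffic via the Edge internal NIC.
# Run in an elevated PowerShell session on the Edge server (Windows Server 2012 or later).
$edgeInternalIp = '172.25.33.10'     # Edge internal NIC (perimeter network)
$internalNet    = '192.168.0.0/16'   # internal network, 192.168.x.x/16
$gateway        = '172.25.33.100'    # internal firewall, used as next hop

# Find the internal NIC by its address instead of reading the index from "route print".
$ifIndex = (Get-NetIPAddress -IPAddress $edgeInternalIp -AddressFamily IPv4).InterfaceIndex

# Only the external interfaces may carry a default gateway. Stop if the internal NIC has one.
$default = Get-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($default) {
    throw "Internal NIC (ifIndex $ifIndex) has a default gateway: $($default.NextHop)"
}

# Add the route unless it already exists. New-NetRoute writes to the active and the
# persistent store by default, matching:
#   route -p add 192.168.0.0 mask 255.255.0.0 172.25.33.100 if <Interface List ID>
$existing = Get-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix $internalNet -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetRoute -DestinationPrefix $internalNet -InterfaceIndex $ifIndex -NextHop $gateway | Out-Null
}

# Confirm the route survives a reboot by reading it back from the persistent store.
Get-NetRoute -DestinationPrefix $internalNet -PolicyStore PersistentStore |
    Format-Table DestinationPrefix, NextHop, InterfaceIndex, RouteMetric -AutoSize
```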

 

Open Lync Server Topology Builder on the Lync Front-End / Standard Edition Server.

Right click on Edge Pool and select New Edge Pool.

Click on Next.

Enter the Edge Server FQDN.

Select the appropriate features as per your requirements.

Select the IP versions and NAT option according to your requirements.

Specify the external FQDNs and associated port numbers. (Note: If you have selected “Use a Single FQDN and IP address” then you will have to use different port numbers for all three FQDNs.)

Specify the IP address for the Edge server internal NIC.

Now specify the external IP addresses for all services.

Specify the public IP address which will be NATed to the A/V Edge service. (In my case, the deployment has been done in a lab that doesn’t have a public IP address. That’s why I am using a different IP address.)

Define the next hop server. The next hop server will be your Lync pool if you don’t have a Director; otherwise the next hop will be your Director pool.

Select the pool and click on Finish.

Now publish your topology.

Open the Lync Management Shell with administrative privileges on the Lync FE server and export the configuration.

 

Log in to the Edge Server with administrative privileges, run the Microsoft Lync Server 2013 setup and follow the steps.

After installing the Lync 2013 core components, open the Lync Server 2013 Deployment Wizard.

Click on “Install or Update Lync Server System”.

Run “Install Local Configuration Store”

Browse to the Edge configuration file which you exported on the Lync FE server.

Click on Next.

Cross-verify the installation through the log file.

Now, run “Setup or Remove Lync Server Components”.

Now, it’s time to request and assign certificates.

 

Follow the steps to request the Edge Internal Certificate.

Fill in the appropriate information.

Now, request the External Edge certificate.

(Note: If you want to use the same public certificate for the reverse proxy as well, add additional SANs for the reverse proxy: lyncdiscover.domain.com, lyncwebservicesexternalname.domain.com, dialin.domain.com, meet.domain.com)

Once you have generated the certificate requests, you can send them to your certification authority to generate the certificates for you. As we are doing this setup in our lab, we will use our internal AD CA.

Once you have generated the certificates, open mmc and add Certificates (Local Computer) via Add/Remove Snap-in to import the generated certificates.

Import the root CA certificate into Trusted Root Certification Authorities.

Import the generated certificates into the Personal store.

Follow the same steps to import the Edge public certificate as well.

Now, it’s time to assign the certificates to the Edge services.

Once the certificate assignment is done, open the Lync Control Panel on the Lync FE server and go to Federation and External Access.

 

Change the External access policy as shown below.

Change the Access Edge configuration policy as shown below.

Now that everything has been done, it’s time to perform the last step: add the Front End Pool / FE server entry to the Edge server hosts file.

Finally, your external Lync clients will be able to log in and you can use the Edge services for external connectivity.

However, you still cannot use the services which require a reverse proxy. Therefore, configure your reverse proxy as well to get everything working seamlessly.