
1 Microsoft ® Lync™ Server 2010 Hybrid Scenarios Module 20 Microsoft Corporation

2 Session Objectives
At the end of this session you will be able to:
- Describe the Lync Online high level architecture and topology
- Have a more detailed understanding of the Lync Online topology to assist in issue analysis and troubleshooting

3 Lync Online Topology Introduction
High level Architecture
- Office Communications Data Forests (OCDFs)
- Shared OCDF Resources
  - Pools
  - Directors
  - Domain controllers (DCs)
  - System Center Operations Manager (SCOM) Monitoring
  - Edge Server
  - Mediation
  - Public Switched Telephone Network (PSTN) for Audio Conferencing Provider (ACP)
  - Witness Server
- Pool Resources
  - Up to 5 pools with 8 Lync Server 2010 Front End (FE) servers and a pair of Back End (BE) servers
  - BE databases (DBs) Windows Clustered and SQL Server ® mirrored

4 Tenant Residency
- Both Office 365 Standard and Light customers are hosted on the same Lync Online deployment infrastructure. There are no separate deployments for the two service classes, since they differ only in the tenant and/or user policies.
- Each Lync Online tenant is either a Standard customer or a Light customer, but not both.
- Each Lync Online tenant belongs to exactly one OCDF, in the geographical data center conforming to regional/country regulations. All users of the tenant are assigned to one Pool of the OCDF.
- There is no support for multi-national tenancy where tenant users would have to be assigned to geographically dispersed data centers based on regional regulations.

5 Generic Lync Online Deployment Architecture (diagram)

6 Lync Online Specifics
- First point of contact – Director Array
- Front End stamps users as external instead of the Edge
- Access Proxy (AP)/Lync Edge for federation with non-Lync Online partners or personal Internet communicator (PIC)
  - Inter-tenant federation traffic does not go through APs – it is routed internally
- Domain Name Service (DNS) load balancing not employed – Hardware Load Balancing (HLB) is used
- Server draining not available in all cases due to HLB use
- AddressBook (AB) Web Query online – no AB Download
- Distribution List Expansion (DLX) – no control to hide DL membership for users in the same tenant
- Call Admission Control (CAC)/Policy Decision Point (PDP) not used
- Global routing – Directors sync with the Active Directory ® Domain Services (AD DS) from other OCDFs
- GeoDNS – used to balance client traffic among OCDFs

7 Lync Online Specifics
- Firewall – no external or internal firewall in Lync Online. The Global Foundation Services (GFS) firewall infrastructure is used, and access control list (ACL) rules are placed there
- Reverse Proxy not used. ACLs for web traffic are placed on the GFS firewall
- Archiving – there is no archiving in Lync Online. It may be offered in the future for compliance
- Enterprise Voice – Lync Online does not offer any Enterprise Voice features, e.g., Call Park Server (CPS)/Response Group Service (RGS), at this time, as there is no onsite PSTN gateway
- Group Chat – Lync Online does not support this feature
- Device support – there is no device support for Lync Online. The only client supported will be Lync 2010

8 Global Traffic Management
Global Traffic Management (GTM) is used to distribute traffic, using DNS, between VIPs either in the same data center or between global data centers. It provides optimal performance based on the closest node in terms of network latency, geographic proximity, or a configured balanced data center load distribution. Azure GTM has an additional feature that other GTM providers do not have: it builds regional proximity maps based on network performance between subnets across the Microsoft backbone. Lync Online is onboarded onto the Azure GTM platform.

9 Global Routing
Global GeoDNS Routing
- Client connects to the closest geographical OCDF, which may or may not be the client's home OCDF
Inter-OCDF Routing
- The Director is equipped with the global routing database, built by querying the ADs in all OCDFs
- The Director Array has a public VIP that is the central point of contact for SIP messages from entities outside the OCDF, or from the Lync Edge Servers in the case of federation or PIC
- In the case of registration, it redirects the registering client to the home Pool Fully Qualified Domain Name (FQDN)
Intra-OCDF Routing
- Each FE has the full routing information for any user within the same OCDF, replicated from the AD of the OCDF

10 Global Routing (diagram)

11 Flexibility for Growth
- Add servers into the existing shared resources and existing Pools: Directors, Mediation, Edge servers
- Add a new Pool into the existing OCDF
- Add a new OCDF. Currently 2 OCDFs: one in San Antonio (SN2), one in Blue Ridge (BL2)

12 Exchange Online Unified Messaging Integration
- Lync Online supports Exchange Online (EXO) Unified Messaging (UM) integration for customers who are still deploying Lync on-premise. The on-premise deployment must be Lync 2010
- A separate domain with just Lync Online Edge Servers, Media Relays and a Central Management Server is deployed as a routing point for messages between EXO/Outlook Web App (OWA) and on-premise Lync 2010
- This domain is called ExUM, standing for Exchange UM integration

13 VLANs - IP Address Management
- Virtual local-area network (VLAN) A for public IP addresses: hosts the public VIPs for the server arrays and the public Secure Network Address Translation (SNAT) Internet Protocol (IP) addresses on the external network interface of the HLB, as well as the public IP addresses for the Edge Servers on their external network interfaces
- VLAN B for Mediation Server public IP addresses: hosts the public IP addresses for the Mediation Servers on a separate VLAN, so that ACP traffic can be routed through dedicated circuits to ACP partners rather than over the Internet
- VLAN C for private VIPs: hosts only the private VIPs for the server arrays on the internal network interface of the HLB
- VLAN D for back-end Lync Online servers: hosts the private IP addresses for all the Lync Online servers, including the Edge Servers and the Mediation Servers

14 Public IP Assignments
- For the Media Relay, a public IP is assigned to the Edge Server hosting the Media Relay role. Allowing the clients to talk to the Edge Servers directly, without going through the HLB, avoids the potential negative impact on A/V quality incurred by hair-pinning both media streams through the HLB
- A public IP is assigned to each Mediation Server because some ACP partners do not support Real-Time Transport Protocol (RTP) latching on their Session Initiation Protocol (SIP) Session Border Controllers (SBCs). To overcome this, Lync Online exposes a public IP as the source address, as private address networks cannot be exposed between the Microsoft data center and the ACP

15 Details on Public IP
- Two public VIPs, one for SIP and one for web, are assigned to the Director Array for each OCDF
- Two public VIPs, one for SIP and one for web, are assigned to the Lync FE Array for each Pool
- One public VIP is assigned to the Access Proxy Array for each OCDF
- One public VIP is assigned to the Data Proxy Array for each OCDF
- One public VIP is assigned to the Media Relay Array for each OCDF
- One public DIP is assigned to the Media Relay role on each Edge Server
- One public DIP is assigned to each Mediation Server
- One public DIP is assigned to the Dashboard server

16 SNAT Pool Public IP Addresses
- The HLB needs to allocate a public IP address and a port to the connection before forwarding the connection to an individual server in the Array
- Each IP address has at most 65535 ports, so multiple SNAT IP addresses may be needed
- Each Pool in Lync Online is expected to handle up to 100K concurrent connections
- For 5 Pools there will be 500K concurrent connections per OCDF, which requires at least 8 public IP addresses
- At least 10 public IP addresses are allocated for SNAT purposes per OCDF

17 DNS Management
= lync.glbdns.microsoft.com, which is the domain for the GeoDNS provider
= online.lync.com, which is the domain for Lync Online
= mcsn20a001.local, which is the internal domain name for OCDF SN20A
= mcbl20a001.local, which is the internal domain name for OCDF BL20A

18 Disjoint DNS/Service Domain
- Public domain – what Lync Online presents to the external world
- Internal domain – OCDF specific, internal only

Type             OCDF  Domain Suffix
Public Domain    Any
Internal Domain  SN2   mcsn20a001.local
                 BL2   mcbl20a001.local

19 GeoDNS Setup
- Top-level is reserved for production deployment only, to distribute incoming traffic to the services
- Second-level xxx. can be used for non-production deployments such as Engineering Dogfood (EDF), Commercial Technology Preview (CTP), or Pre-Production Environment (PPE)
- Two FQDNs:
  - sipdir. - VIP of the Director Array
  - sipfed. - VIP of the Access Proxy Array

20 Public DNS Setup
Two CNAME records redirect clients to GeoDNS

Lync Online FQDN  Type   GeoDNS FQDN  Notes
sipdir.           CNAME  sipdir.      Redirect client DNS query to GeoDNS for SIP
sipfed.           CNAME  sipfed.      Redirect client DNS query to GeoDNS for federation

21 Public FQDNs for Public VIPs on HLB

OCDF   Role                    Public Server Array FQDN  Type    Public VIP Address
SN20A  Director Array for SIP  sipdirSN20A00.            Shared  207.46.5.20
       Director Array for Web  webdirSN20A00.            Shared  207.46.5.21
       Access Proxy Array      sipfedSN20A00.            Shared  207.46.5.22
       Data Proxy Array        dpSN20A00.                Shared  207.46.5.23
       Media Relay Array       mrSN20A00.                Shared  207.46.5.24
       FE Array for SIP        sippoolSN20A01.           Pool 1  207.46.5.40
       FE Array for Web        webpoolSN20A01.           Pool 1  207.46.5.41
       FE Array for SIP        sippoolSN20A02.           Pool 2  207.46.5.42
       FE Array for Web        webpoolSN20A02.           Pool 2  207.46.5.43
       FE Array for SIP        sippoolSN20A03.           Pool 3  207.46.5.44
       FE Array for Web        webpoolSN20A03.           Pool 3  207.46.5.45
       FE Array for SIP        sippoolSN20A04.           Pool 4  207.46.5.46
       FE Array for Web        webpoolSN20A04.           Pool 4  207.46.5.47
       FE Array for SIP        sippoolSN20A05.           Pool 5  207.46.5.48
       FE Array for Web        webpoolSN20A05.           Pool 5  207.46.5.49

22 Public DIP for Lync Online Production

OCDF   VLAN  Server Role          Public DIP Address
SN20A  A     Media Relay #1       207.46.5.62
       A     Media Relay #2       207.46.5.63
       A     Media Relay #3       207.46.5.64
       B     Mediation Server #1
       B     Mediation Server #2
       B     Mediation Server #3

23 Private DNS Setup
- Internal VIPs on the HLB
- Any server within the OCDF
- Special roles such as SQL in the Lync Online BE also require private FQDNs to be set up for the DBA
- Refer to the course module for the table of Private IP Addresses

24 Tenant DNS SRV Setup
- For auto-discovery and federation, two DNS SRV records must be provisioned on each tenant's domain
- Vanity domain (contoso.com) – the tenant must provision them
- Managed domain (contoso.onmicrosoft.com) – provisioned automatically

25 Tenant SRV Records

Type     Purpose         FQDN                                            Port  Protocol  Mapping
Vanity   Auto-Discovery  _sip._tls.contoso.com                           443   SIP       sipdir.
Vanity   Federation      _sipfederationtls._tcp.contoso.com              5061  SIP       sipfed.
Managed  Auto-Discovery  _sip._tls.contoso.onmicrosoft.com               443   SIP       sipdir.
Managed  Federation      _sipfederationtls._tcp.contoso.onmicrosoft.com  5061  SIP       sipfed.
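The two SRV records above are what a tenant's vanity domain must carry, and a missing or mistyped record is the usual reason a tenant's clients fail auto-discovery or federation. The script below, an added example that is not part of the Microsoft deck, builds the expected records in zone-file form and checks a set of resolver answers against them. The deck truncates the record targets to "sipdir." and "sipfed."; the code assumes they complete to sipdir.online.lync.com and sipfed.online.lync.com, since slide 17 names online.lync.com as the Lync Online domain. The resolver answers in SAMPLE_RESOLVED are constructed, not real DNS data.

```python
"""Build and verify the two DNS SRV records a Lync Online tenant domain needs
(the table on slide 25). Added example, not part of the Microsoft deck."""
from dataclasses import dataclass

# ASSUMPTION: the deck truncates the targets to "sipdir." / "sipfed."; these
# complete them with online.lync.com, the Lync Online domain named on slide 17.
SIPDIR_FQDN = "sipdir.online.lync.com"
SIPFED_FQDN = "sipfed.online.lync.com"


@dataclass(frozen=True)
class SrvRecord:
    name: str        # owner name, e.g. _sip._tls.contoso.com
    port: int
    target: str
    priority: int = 0
    weight: int = 0
    ttl: int = 3600

    def zone_line(self) -> str:
        """RFC 2782 presentation format: name TTL IN SRV prio weight port target."""
        return (f"{self.name}. {self.ttl} IN SRV {self.priority} {self.weight} "
                f"{self.port} {self.target}.")


def expected_srv_records(domain: str) -> list:
    """Auto-discovery (443 -> sipdir) and federation (5061 -> sipfed) records."""
    return [
        SrvRecord(f"_sip._tls.{domain}", 443, SIPDIR_FQDN),
        SrvRecord(f"_sipfederationtls._tcp.{domain}", 5061, SIPFED_FQDN),
    ]


def check_srv_records(domain: str, resolved: dict) -> list:
    """Compare resolver answers with what Lync Online expects.

    `resolved` maps an SRV owner name to the (port, target) tuples a resolver
    returned; a missing key or empty list means no answer. Returns one finding
    per defect, so an empty list means the tenant domain is provisioned correctly.
    """
    findings = []
    for want in expected_srv_records(domain):
        answers = resolved.get(want.name) or []
        if not answers:
            findings.append(f"{want.name}: no SRV record (auto-discovery/federation will fail)")
            continue
        # Normalise trailing dots and case before comparing.
        got = {(port, target.rstrip(".").lower()) for port, target in answers}
        if (want.port, want.target) not in got:
            findings.append(f"{want.name}: got {sorted(got)}, expected ({want.port}, '{want.target}')")
    return findings


# Constructed sample answers, not real DNS data: the vanity domain's federation
# record points at the wrong port, the managed domain is complete.
SAMPLE_RESOLVED = {
    "_sip._tls.contoso.com": [(443, "sipdir.online.lync.com.")],
    "_sipfederationtls._tcp.contoso.com": [(443, "sipfed.online.lync.com.")],
    "_sip._tls.contoso.onmicrosoft.com": [(443, "sipdir.online.lync.com.")],
    "_sipfederationtls._tcp.contoso.onmicrosoft.com": [(5061, "sipfed.online.lync.com.")],
}

if __name__ == "__main__":
    for rec in expected_srv_records("contoso.com"):
        print(rec.zone_line())
    for dom in ("contoso.com", "contoso.onmicrosoft.com"):
        print(dom, check_srv_records(dom, SAMPLE_RESOLVED) or ["OK"])
```

On a live tenant domain the `resolved` dictionary would be filled from a real query, for example `Resolve-DnsName -Type SRV _sip._tls.contoso.com` on Windows or `dig SRV _sip._tls.contoso.com` elsewhere; the check itself is the same.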

26 DNS Entries (diagram)

27 AutoDiscovery Flow (diagram)

28 Networking - HLB Configuration
An inbound connection terminates at a public VIP on the HLB; the HLB performs SNAT and port mapping before forwarding it to a server belonging to the server array of the VIP.

Server Array Public VIP    Old Destination Port  Protocol  New Destination Port
Director Array for SIP     443                   SIP/TLS   443
Director Array for Web     443                   SIP/TLS   4443
Director Array for Web     80                    HTTPS     8080
Access Proxy Array         443                   SIP/TLS   443
Access Proxy Array         5061                  SIP/MTLS  5061
Media Relay Array          443                   SIP/TLS   443
Media Relay Array          3478                  STUN/UDP  3478
Data Proxy Array           443                   PSOM/TLS  443
FE Array for SIP (Pool 1)  443                   SIP/TLS   443
FE Array for Web (Pool 1)  443                   SIP/TLS   4443
FE Array for Web (Pool 1)  80                    HTTPS     8080
FE Array for SIP (Pool 2)  443                   SIP/TLS   443
FE Array for Web (Pool 2)  443                   SIP/TLS   4443
FE Array for Web (Pool 2)  80                    HTTPS     8080

29 Internal VIP Forwarding Rules (table not captured in the transcript)

30 GFS Port ACLs for Lync Online Traffic

Direction  Protocol  Source IP/Netmask  Destination IP/Netmask  Port Low  Port High
Inbound    TCP       ANY/ANY            207.46.5.0/24           80
           TCP       ANY/ANY            207.46.5.0/24           443
           TCP       ANY/ANY            207.46.5.0/24           5061
           TCP       ANY/ANY            207.46.5.0/24           5060
           TCP       ANY/ANY            207.46.5.0/24           5723
           UDP       ANY/ANY            207.46.5.0/24           5061
           UDP       ANY/ANY            207.46.5.0/24           3478
           UDP       ANY/ANY            207.46.5.0/24           50000     59999
           UDP       ANY/ANY            207.46.5.0/24           60000     64000
Outbound   TCP       207.46.5.0/24      ANY/ANY                 80
           TCP       207.46.5.0/24      ANY/ANY                 443
           TCP       207.46.5.0/24      ANY/ANY                 5061
           TCP       207.46.5.0/24      ANY/ANY                 5060
           TCP       207.46.5.0/24      ANY/ANY                 5723
           TCP       207.46.5.0/24      ANY/ANY                 25
           UDP       207.46.5.0/24      ANY/ANY                 5061
           UDP       207.46.5.0/24      ANY/ANY                 3478
           UDP       207.46.5.0/24      ANY/ANY                 50000     59999
           UDP       207.46.5.0/24      ANY/ANY                 60000     64000

TCP port 5723 is for SCOM External STs alert reporting, and TCP port 5060 is for Mediation Servers talking to the SBCs of ACP partners.

31 Integration with the Environment - AD and Certificate Provisioning

Cert                                   SN                                    Private/Public Keys      Servers       Cert Store (Local Computer)
LiveID Token Encryption                liveid.                               Lync Online/LiveID       FEs, DIRs     Personal
Wildcard Lync Online                   *.                                    Lync Online/OC           All           Personal
Federation                             sipfed.                               Lync Online/Partner      Edge Servers  Personal
Provisioning (MSODS Sync, PIC prov.)                                         Lync Online/BPOS         DIRs          Personal
BOX UI                                 boxazppe.partner.microsoftonline.com  BOX/Lync Online          DIRs          Personal
Dashboard                              dashboard.                            Lync Online/Lync Online  DIRs          Personal

32 Certificate Descriptions/Usage
- LiveID Token Encryption Cert – this cert is shared between Lync Online and LiveID
- Wildcard Lync Online Cert – this cert is shared between Lync Online and external clients, and among Lync Online servers
- Federation Cert – the cert used for federation with other partners, including PIC
- Business Online Experience (BOX) UI Cert – the cert used by BOX to establish a remote PS session with Lync Online for the Tenant Admin user experience
- Dashboard Cert – used internally to enable secured communications between the Dashboard Server and the Directors for the web services required by the Dashboard

33 Microsoft Online Directory Service Integration
- Lync Online is a federated service to MSO-DS
- Tenant/user information is first stored in the MSO master AD before a subset of the information is synced to Lync Online
- Only tenants with a valid Lync Online license are synced to the LO AD
- Each OCDF is a Service Instance (e.g., SN20A, BL20A)
- Each OCDF connects to MSO-DS separately:
  - MSO-DS web service URL – identifies the MSO-DS system Lync Online connects to in order to enable the provisioning flow-through from MSO-DS
  - OCDF Service Instance name – identifies the OCDF service instance, which is unique for the Lync Online deployment. The name is provisioned into MSO-DS
  - The Provisioning Cert – enables authentication between MSO-DS and an OCDF

34 Business Online Experience (BOX) UI Integration
BOX UI Cert: the Lync Online Remote PS WS URL exposed to the BOX UI

OCDF   Lync Online Remote PS WS URL
SN20A  https://webdirsn20a00. /ocspowershell
BL20A  https://webdirbl20a00. /ocspowershell

35 LiveID Integration
- Lync Online utilizes LiveID for client authentication
- Each OCDF is registered with LiveID
- A certificate is generated during the registration process by LiveID to associate with the OCDF. This cert is called the LiveID Token Encryption cert
- The OCDF uses this cert to authenticate to LiveID

36 Exchange Access Proxy Production Topology
The Exchange Access Proxy (ExAP) Forest supports integration of EXO UM with Lync Server 2010 on-premise, and OWA IM and Presence between EXO and Lync Server 2010 on-premise or Lync Online.

37 ExAP Forest High Level Architecture
From a signaling perspective, Exchange UMS and ExAP servers can initiate connections from either side (say, for voice mail deposits and retrievals). On the other hand, for OWA IM and Presence, only the Client Access Server (CAS) on the OWA side initiates connections to ExAP; ExAP never initiates connections to the OWA CAS.

38 ExUM AP Topology for Lync Online
The ExAP Forest is a degenerate OCDF in the sense that there is no Lync Pool in the forest. Only the Edge Servers are doing the work, with the AP and Media Relay (MR) roles. The shared servers, i.e., DC and Central Management Server (CMS), are for configuration of the ExAP.

39 IP Address Management
The ExAP Forest resides in the same set of VLANs as the OCDF in the same data centers (e.g., SN2 and BL2 for NA).
Public IP Assignments
- One public VIP for SIP signaling assigned to the Access Proxy Array
- One public VIP for media assigned to the Media Relay Array
- One public DIP assigned to the Media Relay role on each of the three Edge Servers
Private IP Assignment
- For each Edge Server Array, private IP addresses are assigned to each individual server
- Internal VIPs are also assigned to the Access Proxy and Media Relay Arrays for EXO UMS and OWA CAS to establish connections to the ExAP Forest

40 DNS Management
= um.glbdns.microsoft.com, which is the domain for the GeoDNS provider
= um.outlook.com, which is the domain for UM in Exchange
= mcsn20b001.local, which is the internal domain name for ExAP Forest SN20B
Disjoint DNS/Service Domain
- Public domain – what ExAP presents to the external world and to EXO UM and OWA CAS
- Internal domain – internal to the ExAP Forest

41 GeoDNS Setup
- sipex., the external global FQDN for on-premise Lync to establish SIP connectivity with the ExAP Forest from outside of the Microsoft data centers
- sipex-int., the internal global FQDN for EXO UMS and OWA CAS to establish SIP connectivity with the ExAP Forest within the Microsoft data centers
- mrex., the external global FQDN for on-premise Lync to establish media connectivity with the ExAP Forest from outside of the Microsoft data centers
- mrex-int., the internal global FQDN for EXO UMS and OWA CAS to establish media connectivity with the ExAP Forest within the Microsoft data centers

42 Public DNS Setup

ExAP FQDN   Type   GeoDNS FQDN  Notes
sipex.      CNAME  sipex.       Redirect DNS queries to GeoDNS from on-premise Lync Online APs for SIP
mrex.       CNAME  mrex.        Redirect DNS queries to GeoDNS from on-premise Lync Online APs for media
sipex-int.  CNAME  sipex-int.   Redirect DNS queries to GeoDNS from EXO UMS or OWA CAS
mrex-int.   CNAME  mrex-int.    Redirect DNS queries to GeoDNS from EXO UMS or OWA CAS for media

43 Private DNS Setup
Unlike the OCDF, there are no private DNS records for internal VIPs for each Edge Server Array in a data center within the ExAP Forest. They are exposed via the public DNS for SIP and media connectivity from EXO UMS and OWA CAS. Private DNS entries for the ExAP Forest are A records for the hostnames of individual servers with the common internal DNS suffix.

Data Center  Server Role          Internal FQDN     Private IP Address
SN2          Edge Server – AP #1  SN20B00EDG-AP01.
             Edge Server – AP #2  SN20B00EDG-AP02.
             Edge Server – AP #3  SN20B00EDG-AP03.
             Edge Server – MR #1  SN20B00EDG-MR01.
             Edge Server – MR #2  SN20B00EDG-MR02.
             Edge Server – MR #3  SN20B00EDG-MR03.
             DC/DNS Server #1     SN20B00ADS01.
             DC/DNS Server #2     SN20B00ADS02.
             CMS/SCOM Server #1   SN20B00CMS01.
             CMS/SCOM Server #2   SN20B00CMS02.

44 HLB - Networking Configuration
For an inbound connection terminating at a public VIP on the HLB from on-premise Lync APs, the port forwarding rules on the HLB are the same for the Access Proxy and Media Relay Arrays as those for the OCDF.

Server Array Public VIP  Old Destination Port  Protocol  New Destination Port
Access Proxy Array       5061                  SIP/MTLS  5061
Media Relay Array        443                   SIP/TLS   443
Media Relay Array        3478                  STUN/UDP  3478

45 HLB - Networking Configuration
Internal VIP Forwarding Rules for Inbound Traffic from EXO UMS and OWA CAS

Server Array Internal VIP  Old Destination Port  Protocol  New Destination Port
Access Proxy Array         5061                  SIP/MTLS  5061
Media Relay Array          443                   STUN/TCP  443
Media Relay Array          3478                  STUN/UDP  3478
Media Relay Array          5062                  SIP/MRAS  5062

46 GFS Port ACLing
Like Lync Online, the ExAP Forest utilizes the perimeter defense infrastructure from Global Foundation Services (GFS) for traffic protection and filtering between the Edge Server Arrays and the Internet.

Direction  Protocol  Source IP/Netmask  Destination IP/Netmask  Port Low  Port High
Inbound    TCP       ANY/ANY            207.46.5.0/24           443
           TCP       ANY/ANY            207.46.5.0/24           5061
           UDP       ANY/ANY            207.46.5.0/24           3478
Outbound   TCP       207.46.5.0/24      ANY/ANY                 5061
           UDP       207.46.5.0/24      ANY/ANY                 50000     59999
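The ACL tables on slide 30 (Lync Online) and on this slide (ExAP Forest) are the only perimeter filtering the deck describes, since there is no dedicated firewall or reverse proxy in front of the arrays. A quick way to sanity-check such a table is to encode it and run known-good and known-bad 5-tuples through it, which is what the script below does. It is an added example, not part of the Microsoft deck: the rule rows are transcribed from the two slides, but the matching model (a packet is permitted if any row covers it and dropped otherwise) is an assumption about how the GFS filter behaves, and the probe packets are constructed, with 198.51.100.0/24 (RFC 5737 documentation space) standing in for Internet hosts and 207.46.5.70 standing in for a Mediation Server DIP that the deck leaves blank.

```python
"""Evaluate packets against the GFS port ACL tables on slides 30 (Lync Online)
and 46 (ExAP Forest). Added example, not part of the deck.

The rows are transcribed from the two slides. The evaluation semantics (a
packet is permitted if any row covers it, otherwise dropped) are an ASSUMPTION
about how the GFS perimeter filter behaves; the deck lists rows, not a model.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    direction: str      # "inbound" or "outbound"
    protocol: str       # "TCP" or "UDP"
    source: str         # "ANY" or a CIDR block
    destination: str    # "ANY" or a CIDR block
    port_low: int
    port_high: int      # same as port_low for single-port rows


def _cidr_match(cidr: str, ip: str) -> bool:
    return cidr == "ANY" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def permitted(rules, direction, protocol, src_ip, dst_ip, dst_port) -> bool:
    """Default-deny: True only when some row covers the 5-tuple."""
    return any(
        r.direction == direction
        and r.protocol == protocol.upper()
        and _cidr_match(r.source, src_ip)
        and _cidr_match(r.destination, dst_ip)
        and r.port_low <= dst_port <= r.port_high
        for r in rules
    )


# The /24 that is the destination of inbound rows and the source of outbound rows.
LYNC_NET = "207.46.5.0/24"


def _rows(direction, protocol, ports):
    """Expand (low, high) port pairs into AclRule rows for one direction."""
    src, dst = ("ANY", LYNC_NET) if direction == "inbound" else (LYNC_NET, "ANY")
    return [AclRule(direction, protocol, src, dst, lo, hi) for lo, hi in ports]


def _single(*ports):
    return [(p, p) for p in ports]


# Slide 30: Lync Online production ACLs.
LYNC_ONLINE_ACL = (
    _rows("inbound", "TCP", _single(80, 443, 5061, 5060, 5723))
    + _rows("inbound", "UDP", _single(5061, 3478) + [(50000, 59999), (60000, 64000)])
    + _rows("outbound", "TCP", _single(80, 443, 5061, 5060, 5723, 25))
    + _rows("outbound", "UDP", _single(5061, 3478) + [(50000, 59999), (60000, 64000)])
)

# Slide 46: the narrower ExAP Forest ACLs.
EXAP_ACL = (
    _rows("inbound", "TCP", _single(443, 5061))
    + _rows("inbound", "UDP", _single(3478))
    + _rows("outbound", "TCP", _single(5061))
    + _rows("outbound", "UDP", [(50000, 59999)])
)


def audit(rules, probes: dict) -> dict:
    """Return {label: permitted?} for a batch of probe packets."""
    return {label: permitted(rules, *pkt) for label, pkt in probes.items()}


# Constructed probe packets. 198.51.100.0/24 is RFC 5737 documentation space;
# 207.46.5.70 stands in for a Mediation Server DIP, which the deck leaves blank.
PROBES = {
    "client -> Director SIP/TLS 443": ("inbound", "TCP", "198.51.100.7", "207.46.5.20", 443),
    "client -> Media Relay UDP 55000": ("inbound", "UDP", "198.51.100.7", "207.46.5.62", 55000),
    "client -> Media Relay UDP 49999": ("inbound", "UDP", "198.51.100.7", "207.46.5.62", 49999),
    "Internet -> SMTP 25 (outbound-only row)": ("inbound", "TCP", "198.51.100.7", "207.46.5.20", 25),
    "Mediation -> ACP SBC SIP 5060": ("outbound", "TCP", "207.46.5.70", "198.51.100.9", 5060),
}

if __name__ == "__main__":
    for label, ok in audit(LYNC_ONLINE_ACL, PROBES).items():
        print(f"{'PERMIT' if ok else 'DROP  '} {label}")
```

Running it shows the intended asymmetry of the slide 30 table: TCP/25 is allowed out (for mail from the servers) but has no inbound row, and media is only accepted inside the two UDP ranges. Swapping in EXAP_ACL shows that the ExAP Forest accepts nothing on TCP/80, as its table has no such row.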

47 Lync Online Topology Diagram
- Instructor to show the Visio diagram in c:\classmaterials\docs\reference\Lync Online Topology Diagram Production.vsd
- You can install the Visio viewer from c:\labfiles\visio viewer\visioviewer.exe
- Click on the Forest A tab
- Note there are 2 forests per data center and a forest spans 2 data centers

48 Q&A

49 © 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. This document may contain information related to pre-release software, which may be substantially modified before its first commercial release. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.

