Secure Remote Access & Lync Ilse Van Criekinge


Session Objectives and Takeaways

Session Objectives:
  Overview of typical Lync Server Edge configurations
  DNS Load Balancing and Hardware Load Balancing
  NAT support for Edge deployment
  Reverse Proxy
  ICE

Takeaways:
  Understand the typical Edge planning and deployment process
  Understand certificate requirements for Edge and Reverse Proxy

Introduction

Conferencing Capabilities of Lync
  Web Conferencing
  Audio Conferencing
  Video Conferencing
  Instant Messaging Conferencing
  PSTN Conferencing
  ACP Integration
  Integration with third-party A/V SIP endpoints and MCUs

Dial-In Conferencing
  Conferencing Attendant Application
  Conferencing Announcing Application
  Dial-in Conferencing Web Page
  Mediation Servers and Gateways or PBX

Simple URLs (Lync Server 2010)
  Meet
  Dial-in
  Admin
  Scope = Global & Site
  Created using PowerShell or Topology Builder

Edge Server Role

Lync Server Edge scenarios
  External User Access: Lync clients can transparently connect to the Lync Server deployment over the public Internet
  PIC: connecting with public IM providers
  Federation: federation with other enterprises, either IM&P only or all modalities (A/V and Application Sharing)

Edge Server Role Requirements
  General Requirements:
    64-bit Windows 2008 or Windows 2008 R2
    Microsoft .NET Framework 3.5 SP1
    Windows PowerShell v2
    Cannot be collocated with any other Microsoft Lync Server role
    Virtualization is supported (Windows 2008 R2 OS!)

  Server role    Physical                                  Virtual
                 CPU      Memory   Users supported         CPU      Memory   Users supported
  Edge Server    8 cores  16 GB    15,000                  4 cores  5 GB     7,500

Edge Server Roles
  Access Edge: handles all SIP traffic crossing the corporate firewall
  Web Conferencing Edge: proxies PSOM (Persistent Shared Object Model) traffic between the Web Conferencing Server and external clients
  Audio/Video Edge: provides a single trusted connection point through which audio and video traffic enters and exits your network

Edge Server Role: 1 IP, 2 IP, 3 IP, 4 IP, ...?

A Few Lync Networking Facts
  Lync Server 2010 supports only IPv4; it does not support IPv6
  It can function in a network with a dual IP stack enabled
  Two network adapters are required for each Edge Server: one for the internal-facing interface and one for the external-facing interface
  Important: the internal and external subnets must not be routable to each other.

Single IP address Edge
  External (edge.contoso.com): SIP 5061; Web Conf 444; A/V Conf 443, 3478
  Internal (edge-int.contoso.com): SIP 5061; Web Conf 8057; A/V Conf 443, 3478

Multiple IP address Edge
  External SIP: access.contoso.com , 5061
  External Web Conf: webcon.contoso.com
  External A/V: av.contoso.com , 3478
  Internal (edge-int.contoso.com): SIP 5061; Web Conf 8057; A/V Conf 443, 3478

Edge using NAT
  External SIP: IP1, translated to public IP1'
  External Web Conf: IP2, translated to public IP2'
  External A/V: IP3, translated to public IP3'
  Clients connect to the translated (public) IP for A/V traffic
  The translated A/V IP must be configured in Lync Server
  Lync Server does not need to know the translated SIP and Web Conf IPs

DNS Load Balanced Edge
  The client can retrieve and handle multiple IP addresses and can fail over
  The DNS server returns a randomized IP address
  DNS A records (public IP space):
    access.contoso.com: IP1 and IP4
    webcon.contoso.com: IP2 and IP5
    av.contoso.com: IP3 and IP6

DNS Load Balanced Edge using NAT
  DNS A records (public IP space):
    access.contoso.com: IP1' and IP4'
    webcon.contoso.com: IP2' and IP5'
    av.contoso.com: IP3' and IP6'
  Translated A/V IP addresses must be configured in Lync Server individually: IP3 to IP3', IP6 to IP6'

Hardware Load Balanced Edge
  DNS A records (public IP space):
    access.contoso.com: VIP1
    webcon.contoso.com: VIP2
    av.contoso.com: VIP3
  The initial A/V connection lands on the VIP and is forwarded; after that, clients connect to the Edge Server directly (UDP)
  TCP traffic continues to use the VIP
  Combining NAT with HLB is not possible

Edge Server Role: Installation

Edge Server Role: Certificate Requirements

Certificate Requirements (Edge Server Role)
  A single public certificate is supported in Lync for:
    Access Edge external interface
    Web Conferencing Edge external interface
    A/V Authentication (on the Edge internal interface)
  Edge internal interface:
    Can be issued by an internal CA
    Subject name is typically the Edge internal interface FQDN or the HWLB VIP
    No subject alternative names required

Requirements: External Certificate
  Issued by an approved public CA
  If an Edge pool: the same certificate on every Edge Server, so it must be exportable
  Subject Name = Access Edge FQDN or HWLB VIP (not required, but recommended; a requirement in previous versions)
  Subject Alternative Names:
    Access Edge external interface or HWLB VIP
    Web Conferencing Edge external interface or HWLB VIP
    Any SIP domain FQDN (for auto-discovery and federation)
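The certificate rules on the two slides above are easy to get wrong on a renewal, when a name is dropped from the SAN list. The following checker is an added example and not part of the slide deck: it takes a certificate in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns (subject RDNs plus subjectAltName entries), so it can be run against a real handshake, while the certificates embedded here are constructed sample data. It encodes the slide's requirements literally: the external certificate's SANs must cover the Access Edge FQDN (or VIP), the Web Conferencing Edge FQDN (or VIP) and every SIP domain name the deployment relies on, with the Access Edge FQDN as recommended Subject Name; the internal certificate only needs the Edge internal FQDN (or VIP) as Subject Name. Name matching is exact, with no wildcard handling, which is an assumption of this example since the slides do not mention wildcards; the FQDNs used are the deck's contoso.com names.

```python
"""Check Edge Server certificate names against the slide deck's requirements.

Added example, not from the slides. Certificates are dictionaries in the
shape ssl.SSLSocket.getpeercert() returns; the ones below are constructed.
Matching is exact (no wildcards), an assumption made for this example.
"""


def names_from_peercert(cert):
    """Return (subject_cn, {dNSName, ...}) from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):          # subject is a tuple of RDNs
        for attr, value in rdn:                  # each RDN is a tuple of (type, value)
            if attr == "commonName":
                cn = value
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    return cn, sans


def check_external_cert(cert, access_edge_fqdn, webcon_edge_fqdn, sip_domain_names):
    """Findings for the external Edge certificate; an empty list means it passes.

    sip_domain_names: the per-SIP-domain names the deployment expects in the
    SAN (the slide words this as 'any SIP domain FQDN')."""
    cn, sans = names_from_peercert(cert)
    findings = []
    for name in sorted({access_edge_fqdn, webcon_edge_fqdn, *sip_domain_names}):
        if name not in sans:
            findings.append(f"missing SAN: {name}")
    if cn != access_edge_fqdn:
        # Recommended rather than required, so reported as a warning.
        findings.append(f"warning: subject {cn!r} is not the Access Edge FQDN (recommended)")
    return findings


def check_internal_cert(cert, edge_internal_fqdn):
    """Findings for the internal Edge certificate (an internal CA is acceptable)."""
    cn, sans = names_from_peercert(cert)
    if cn == edge_internal_fqdn or edge_internal_fqdn in sans:
        return []
    return [f"subject {cn!r} does not name the Edge internal interface {edge_internal_fqdn}"]


# Constructed getpeercert()-style dictionaries, not real certificates.
EXTERNAL_CERT = {
    "subject": ((("commonName", "access.contoso.com"),),),
    "subjectAltName": (("DNS", "access.contoso.com"), ("DNS", "webcon.contoso.com")),
}
INTERNAL_CERT = {
    "subject": ((("commonName", "edge-int.contoso.com"),),),
    "subjectAltName": (),
}

if __name__ == "__main__":
    # The sample external certificate lacks the SIP domain name the slide asks for.
    for finding in check_external_cert(EXTERNAL_CERT, "access.contoso.com",
                                       "webcon.contoso.com", ["contoso.com"]):
        print("external:", finding)
    print("internal:", check_internal_cert(INTERNAL_CERT, "edge-int.contoso.com") or "ok")
```

Because names_from_peercert() consumes the stdlib dictionary format, the same checks can be pointed at a live endpoint by wrapping a socket with ssl.create_default_context() and passing getpeercert() to the two check functions; the sample run above instead uses the constructed dictionaries and reports the one missing SIP domain SAN.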

Edge Server Role: DNS Requirements

DNS Requirements
  DNS entries:
    External DNS lookups by remote users and federated partners
    Entries for DNS lookups for use by the Edge Servers within the perimeter network
    Internal DNS entries for lookups by the internal clients and servers running Lync Server 2010
  The Edge Server requires a DNS suffix

Need client auto configuration?
  Default SIP domain FQDN = AD domain FQDN
  NO: use GPOs or configure clients manually
  YES:
    You are not using split-brain DNS: Internal DNS: _sipinternaltls._tcp.<SIP domain> and sip.<SIP domain>; External DNS: _sip._tls.<SIP domain>
    You are using split-brain DNS: Internal DNS: _sipinternaltls._tcp.<SIP domain>; External DNS: _sip._tls.<SIP domain>

Is Federation required?
  In both cases: Internal DNS A record for the internal interface; External DNS A records for the external interfaces
  YES: External DNS _sipfederationtls._tcp.<SIP domain>

DNS Records for External Devices
  Type   Value                                                   Note
  SRV    Edge Server: _sipexternal._tls., and _sipexternaltls.   Allows external devices to connect by using SIP over TLS to the Registrar internally.
  A      Reverse proxy FQDN                                      Allows external devices to connect by using TLS over HTTP to the Device Update Web service.
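The two decision slides above (client auto configuration with or without split-brain DNS, and federation) and the sign-in sequence later in the deck (the client resolves _sip._tls.<SIP domain> to the Edge Server) together define a small set of records that each DNS view must hold. The following planner and checker is an added example, not code from the slide deck: required_records() encodes that decision tree (_sipinternaltls._tcp on 5061 for internal clients, _sip._tls on 443 for external clients, sip.<SIP domain> internally when split-brain DNS is not used, _sipfederationtls._tcp on 5061 when federating, plus A records for the Edge interfaces), missing_records() diffs it against what a zone actually contains, and leaked_internal_records() is an extra hygiene check beyond the slides that flags internal-only names published in the external zone. Pool names and all addresses are constructed sample data; the FQDNs follow the deck's contoso.com naming.

```python
"""Plan and verify the DNS records a Lync Server 2010 Edge deployment needs.

Added example, not part of the slide deck. Encodes the decision tree on the
'Need client auto configuration?' and 'Is Federation required?' slides.
Pool names and IP addresses below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str     # owner name, no trailing dot
    rtype: str    # "A" or "SRV"
    value: str    # IPv4 address for A, "<port> <target>" for SRV


def required_records(cfg):
    """Return {"internal": {Record, ...}, "external": {Record, ...}} for cfg."""
    d = cfg["sip_domain"]
    internal = {
        Record(f"_sipinternaltls._tcp.{d}", "SRV", f"5061 {cfg['internal_pool_fqdn']}"),
        Record(cfg["edge_internal_fqdn"], "A", cfg["edge_internal_ip"]),
    }
    external = {
        Record(f"_sip._tls.{d}", "SRV", f"443 {cfg['access_edge_fqdn']}"),
        Record(cfg["access_edge_fqdn"], "A", cfg["access_edge_ip"]),
    }
    if not cfg["split_brain"]:
        # Without split-brain DNS the client's fallback lookup of sip.<domain>
        # must resolve inside the network, so the internal zone carries it too.
        internal.add(Record(f"sip.{d}", "A", cfg["internal_pool_ip"]))
    if cfg["federation"]:
        external.add(Record(f"_sipfederationtls._tcp.{d}", "SRV",
                            f"5061 {cfg['access_edge_fqdn']}"))
    return {"internal": internal, "external": external}


def missing_records(cfg, zones):
    """Records the plan requires that the given zones do not yet contain."""
    missing = set()
    for view, wanted in required_records(cfg).items():
        present = zones.get(view, set())
        missing.update((view, r) for r in wanted if r not in present)
    return missing


def leaked_internal_records(cfg, zones):
    """Internal-only names that ended up in the external (public) zone.

    Added check beyond the slides: publishing _sipinternaltls or the internal
    pool name externally exposes internal topology and sends external clients
    to a target they cannot reach."""
    d = cfg["sip_domain"]
    internal_only = {f"_sipinternaltls._tcp.{d}", cfg["internal_pool_fqdn"],
                     cfg["edge_internal_fqdn"]}
    return {r for r in zones.get("external", set())
            if r.name in internal_only or cfg["internal_pool_fqdn"] in r.value}


# Constructed deployment description (documentation address ranges).
SAMPLE_CFG = {
    "sip_domain": "contoso.com",
    "access_edge_fqdn": "access.contoso.com",
    "access_edge_ip": "203.0.113.10",
    "edge_internal_fqdn": "edge-int.contoso.com",
    "edge_internal_ip": "10.0.1.10",
    "internal_pool_fqdn": "pool01.contoso.com",   # hypothetical Front End pool
    "internal_pool_ip": "10.0.0.10",
    "split_brain": False,
    "federation": True,
}

# Constructed zone contents with two records forgotten and one leaked.
SAMPLE_ZONES = {
    "internal": {
        Record("_sipinternaltls._tcp.contoso.com", "SRV", "5061 pool01.contoso.com"),
        Record("edge-int.contoso.com", "A", "10.0.1.10"),
    },
    "external": {
        Record("_sip._tls.contoso.com", "SRV", "443 access.contoso.com"),
        Record("access.contoso.com", "A", "203.0.113.10"),
        Record("_sipinternaltls._tcp.contoso.com", "SRV", "5061 pool01.contoso.com"),
    },
}

if __name__ == "__main__":
    for view, rec in sorted(missing_records(SAMPLE_CFG, SAMPLE_ZONES), key=str):
        print(f"missing in {view}: {rec.rtype} {rec.name} -> {rec.value}")
    for rec in leaked_internal_records(SAMPLE_CFG, SAMPLE_ZONES):
        print(f"leaked to external zone: {rec.rtype} {rec.name}")
```

On the sample data the checker reports the forgotten sip.contoso.com A record in the internal view and the forgotten federation SRV in the external view, and flags the _sipinternaltls record that was published externally. Flipping split_brain to True removes the sip.<SIP domain> requirement, exactly as the YES branch of the slide does.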

Edge Server Role: Reverse Proxy & Director

Reverse Proxy and Director (diagram)
  Internet: Remote Clients, Federated Clients, Anonymous Clients
  Perimeter Network: Edge Server, Reverse Proxy
  Internal Network: Director, Front End

Reverse Proxy and external access (1)
  Forwards external HTTPS and HTTP traffic to the Front End and Director pools
  External user access to:
    Meeting content for meetings (HTTPS)
    Expansion and display of distribution groups (HTTPS)
    Downloadable files from the Address Book Service (HTTPS)
    The Lync Web App client (HTTPS)
    The Dial-In Conferencing Settings web page (HTTPS)
    Location Information Service (HTTPS)
    Device Update Service, to obtain updates (HTTP)

Reverse Proxy and external access (2)
  Simple URLs forwarded to the Director (recommended):
    Forwarding rule for the Simple URLs to a single Director (or pool); port 443
    Reverse Proxy certificate's SAN must contain the base FQDN of each Simple URL
  Web External Pool traffic forwarded to pools by the Reverse Proxy:
    The Reverse Proxy requires a forwarding rule for each Web External FQDN (Front End Pool and Director); port 443
    If external phone devices are implemented, a Reverse Proxy rule for port 80 is required
    Reverse Proxy certificate's SAN must contain the base FQDN of all configured Web External pools (Front End Pool and Director)

Edge Server Role: Recap DNS vs. HW Load Balancing

DNS vs. Hardware Load Balancing
                                         DNS LB                                    HLB
  Public IP addresses required           Each Server x 3                           (Each Server + 1 VIP) x 3
  Failover support                       No; delayed failover* for:                Yes; instant failover for:
                                           Exchange UM (remote user)                 Exchange UM (remote user)
                                           PIC                                       PIC
                                           Federation with older versions of OCS     Federation with older versions of OCS
  NATing of IP addresses (Edge Server)   Supported                                  Not supported
  * Delayed failover: DNS TTL period

Edge Server Role: XMPP

Extensible Messaging and Presence Protocol (XMPP) Gateway
  Features provided:
    Add and delete each other as contacts
    Publish presence and subscribe to each other's presence
    Engage in one-to-one conversations
  Three scenarios:
    Public federation with a hosted network
    Federation between two organizations
    On-premises deployment with Jabber

XMPP Gateway

Edge Server Role: Manage & Control Remote Access

Manage & Control Remote Access
  To support external user access, you must do both of the following:
    Enable support for external user access to your organization
    Configure and assign one or more policies to support external user access
  Policies:
    External user access policies
    Conferencing policies

Edge Server Role: Client Communications

IM And Presence Workload

Step 1. Client resolves the DNS SRV record _sip._tls.<SIP domain> to the Edge Server

Step 2. Client connects to the Edge Server (Access Edge, SIP/TLS: 443)

Step 3. Edge Server proxies the connection to the Director (SIP/MTLS: 5061)

Step 4. Director authenticates the user and proxies the connection to the user's home pool (SIP/MTLS: 5061; HTTPS: 443)

Federated IM & Presence Workloads (Access Edge: SIP/TLS 443; SIP/MTLS 5061; HTTPS 443)

ICE: Establishing the Media Path

SDP, STUN, TURN, ICE
  Lync uses SDP to provide initialization parameters for the media stream
  Add a Media Relay (aka A/V Edge Server)
  STUN reflects NAT addresses
  TURN relays media packets
  ICE exchanges candidates (cand) and determines the optimal media path, so media can traverse NATs without the endpoints needing to be aware of their network topologies
  All three protocols are based on IETF standards

ICE Details
  There are five phases for establishing a media path
  During login:
    TURN provisioning and credentials (MRAS: Media Relay Authentication Service)
  When establishing a call:
    Address Discovery (Allocation): obtain the candidate list
    Address Exchange (SIP INVITE / 200 OK)
    Connectivity Checks
    Candidate Promotion

In summary, to send media into the enterprise, the external user must be authenticated and have an authenticated internal user explicitly agree to exchange media streams. Lync Server 2010 uses TCP 50,000-59,999 outbound. Lync Server 2010 federating with Office Communications Server 2007 partners continues to use the port range 50,000-59,999 UDP/TCP. Federation involving Lync Server 2010 partners or Office Communications Server 2007 R2 partners uses 3478/UDP and 443/TCP, plus TCP 50,000-59,999 outbound.

Step 1. In-band Provisioning Process during Lync Sign-In

Step 2. Obtain Candidate List

Step 3. Connectivity Checks

Step 4. Candidate Promotion
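The four call-time steps above (obtain the candidate list, exchange it in the INVITE / 200 OK, run connectivity checks, promote a candidate pair) are easier to reason about when run end to end. The simulation below is an added example and not the deck's or Microsoft's code: it is a generic ICE model using the RFC 5245 candidate and pair priority formulas, not Lync's exact implementation, and the login-time MRAS credential step is left out. Real STUN Binding checks are replaced by a constructed reachability model (host addresses reach only the same private network, a server-reflexive address is unusable behind a symmetric NAT, the relay is always reachable), and the scenario pits an internal user against a remote user behind a symmetric NAT, which is precisely the case where the A/V Edge relay earns its keep. All addresses and ports are constructed sample values in documentation ranges.

```python
"""ICE candidate gathering, pairing and promotion, as a worked example.

Added illustration (not from the slide deck) of the four call-time ICE phases
the slides list. Priorities follow RFC 5245; the reachability model is a
constructed stand-in for STUN Binding checks and the MRAS step is omitted.
"""
from dataclasses import dataclass
from itertools import product

# RFC 5245 section 4.1.2.2 recommended type preferences.
TYPE_PREF = {"host": 126, "srflx": 100, "relay": 0}


@dataclass(frozen=True)
class Candidate:
    ctype: str          # "host", "srflx" (STUN-reflected NAT address) or "relay" (TURN)
    ip: str
    port: int
    component: int = 1  # 1 = RTP; RTCP would be component 2

    @property
    def priority(self):
        # RFC 5245 4.1.2.1; one interface, so the local preference is 65535.
        return (1 << 24) * TYPE_PREF[self.ctype] + (1 << 8) * 65535 + (256 - self.component)


@dataclass
class Endpoint:
    net: str              # which private network the host address lives on
    symmetric_nat: bool   # a symmetric NAT defeats the server-reflexive mapping
    candidates: list


def gather(host_ip, port, net, symmetric_nat=False, nat_public_ip=None, relay=None):
    """Phase 'Address Discovery (Allocation)': build this endpoint's candidate list.

    The host candidate is always present; the server-reflexive one exists when
    STUN reveals a NAT mapping; the relayed one when the A/V Edge (TURN)
    granted an allocation, given here as (ip, port)."""
    cands = [Candidate("host", host_ip, port)]
    if nat_public_ip:
        cands.append(Candidate("srflx", nat_public_ip, port))
    if relay:
        cands.append(Candidate("relay", relay[0], relay[1]))
    return Endpoint(net, symmetric_nat, cands)


def pair_priority(local, remote):
    """RFC 5245 5.7.2 pair priority, with the local side as controlling agent."""
    g, d = local.priority, remote.priority
    return (1 << 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)


def _reachable(src, dst_cand, dst):
    """Constructed model of whether a packet from src reaches dst's candidate."""
    if dst_cand.ctype == "relay":
        return True                    # the relay sits on the public Internet
    if dst_cand.ctype == "srflx":
        return not dst.symmetric_nat   # the mapping is usable only if the NAT keeps it stable
    return src.net == dst.net          # host addresses work only on the same network


def connectivity_checks(local, remote):
    """Phases 'Address Exchange' and 'Connectivity Checks': once the candidate
    lists have crossed in the SIP INVITE / 200 OK, form every pair, sort by
    priority and check each in both directions. Returns [(pair, passed), ...]."""
    pairs = sorted(product(local.candidates, remote.candidates),
                   key=lambda p: pair_priority(*p), reverse=True)
    return [((l, r), _reachable(local, r, remote) and _reachable(remote, l, local))
            for l, r in pairs]


def promote(results):
    """Phase 'Candidate Promotion': the highest-priority pair that passed wins."""
    for pair, passed in results:
        if passed:
            return pair
    return None


def negotiate(local, remote):
    """Run the call-time phases and return the promoted (local, remote) pair."""
    return promote(connectivity_checks(local, remote))


# Constructed scenario: an internal user on the corporate network and a remote
# user at home behind a symmetric NAT; both hold relay allocations on the A/V
# Edge's public address (203.0.113.30, documentation range).
AV_EDGE = "203.0.113.30"
INTERNAL = gather("10.0.0.5", 50000, "corp", nat_public_ip="198.51.100.5",
                  relay=(AV_EDGE, 50001))
REMOTE = gather("192.168.1.20", 50000, "home", symmetric_nat=True,
                nat_public_ip="192.0.2.44", relay=(AV_EDGE, 50002))

if __name__ == "__main__":
    l, r = negotiate(INTERNAL, REMOTE)
    print(f"media path: {l.ctype} {l.ip}:{l.port} <-> {r.ctype} {r.ip}:{r.port}")
```

With the remote user behind a symmetric NAT every pair involving the remote host or server-reflexive address fails its check, so promotion falls through to the remote relay candidate; the internal side still uses its own reflexive address because that is the highest-priority local candidate the relay can reach. Replacing the symmetric NAT with an ordinary one lets the reflexive-to-reflexive pair pass and the relay is never used, which is the behaviour the slides describe as ICE choosing the optimal path.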

Stay up to date with TechNet Belux
  Register for our newsletters and stay up to date: technical updates, event announcements and registration, top downloads
  Join us on Facebook and LinkedIn
  Download the MSDN/TechNet Desktop Gadget

TechDays 2011 On-Demand
  Watch this session on-demand via TechNet Edge
  Download to your favorite MP3 or video player
  Get access to slides and recommended resources by the speakers

THANK YOU