1 TechEd 2013 11/30/2018 7:07 AM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Planning and Deployment for Edge Server with Lync 2013
OUC-B328, Bryan Nyce

3 Session Objectives And Takeaways
Session Objective(s):
- Explain Edge Server architecture
- Highlight common misunderstandings
- Address best practices
- Understand Edge Server requirements
- Deploy best possible design

4 Agenda
- Why Edge?
- Edge Components
- Client sign-in
- Signaling vs. Media
- Reverse Proxy
- DNS & Certificates
- Networking
- Load Balancing
- HA/DR
- Sizing & Placement
- Validate deployment

5 About me
bryanyce @microsoft.com
Mission Viejo, CA
MCS Voice CoE, UC Voice Architect since 2011
MCSM: Communications, MCM

6 Why Edge

7 Edge Scenarios
Scenario columns: Remote user, Federated, Anonymous, PIC/XMPP
- Presence ✓
- IM 1:1
- IM conferencing
- Collaboration
- Audio 1:1 ✓ (Skype/MSN)*
- Video 1:1 ✓ (MSN)*
- A/V Conferencing
- File Transfer/File Upload
* Skype will replace MSN *soon*

8 Edge Scenarios
Scenarios relying on Edge Server:
- Remote users, Federation, anonymous users, PIC
- Mobility client
- Push notifications
- Lync Web App
- Hosted Exchange UM
- O365 integration
What about VPN instead of Edge?

9 Public Internet Connectivity
- MSN: allows 1:1 audio and video; MSN will be retired *soon*
- Skype: allows 1:1 audio – June 2013; video planned for future
- AOL: certificate requires client EKU
- Yahoo!: not available for purchase as of September 1st 2012; active licenses will continue to work until June 1,
- XMPP: GoogleTalk*
New in 2013

10 Edge Components

11 Edge Components
- Access Edge: SIP (Session Initiation Protocol); signaling, presence, IM
- Web Conferencing Edge Server: PSOM (Persistent Shared Object Model); PowerPoint sharing, whiteboard, annotations, polls
- AV Edge Server: SRTP (Secure Real Time Protocol); audio, video, file transfer, AppSharing
- Reverse Proxy: HTTP(s) traffic; address book, Lyncdiscover, meeting content, Lync Web App, Office Web App (WAC), …

12 Client Sign-in

13 Client sign-in: Lync 2010
SRV record _sip._tls.<sipdomain>
1. Query for _sip._tls.<sipdomain>
2. DNS points to Edge Server
3. Client connects to Edge Server, proxies to Director
4. Director proxies to home Pool
Diagram: Lync client, DNS Server; Data center 1 (Front End, Director, Reverse Proxy, Edge Server); Data center 2 (Front End, Reverse Proxy, Edge Server)

14 Client sign-in: Lync 2013
A record Lyncdiscover.<sipdomain>
1. Query for Lyncdiscover.<sipdomain>
2. DNS points to Reverse Proxy
3. Client connects to Reverse Proxy
4. Returns local Access Edge
5. Client directly connects to local Edge Server
Diagram: Lync client, DNS Server; Data center 1 (Front End, Reverse Proxy, Edge Server); Data center 2 (Front End, Reverse Proxy)

15 Client Sign in
Lyncdiscover
- Lyncdiscoverinternal.<sipdomain> and Lyncdiscover.<sipdomain>
- Preferred sign-in method
- Points to Reverse Proxy
- Web Service will point user to local Access Edge Server
- Use GeoDNS for Disaster Recovery scenarios
Fallback
- _sipinternaltls._tcp.<sipdomain>
- _sip._tls.<sipdomain>
- Sipinternal.<sipdomain>
- Sip.<sipdomain>
- Sipexternal.<sipdomain>
Mobile clients and the Lync Windows Store app always rely on Lyncdiscover.<sipdomain>

16 Value of Director
Redirecting traffic
- Not required anymore
Security
- Next hop for SIP traffic from Edge Server
- Next hop from Reverse Proxy for Simple URLs and Lyncdiscover

17 Signaling vs. Media

18 Signaling independent of media
- User homed in EU
- User will always use this pool for AV Edge
- Also for meetings created by user
Diagram labels: US, EU, Contoso

19 Federation flows
- User homed in EU
- Edge Pool used for Federation
- User will always use this pool for AV Edge
Diagram labels: US, EU, EU, Contoso, Litwareinc

20 Reverse Proxy

21 Reverse Proxy Requirements
- Support SSL/TLS to publish internal websites
- Publish internal websites with as well as without encryption
- Publish internal websites using FQDN
- Ability to handle certificates with Subject Alternative Names
- Must be able to send original host header
- Bridging of some ports

22 Reverse Proxy settings
Published FQDNs
- Lyncdiscover.<sipdomain>
- External WebFarm FQDN
- Simple URLs
- Office Web App (WAC) Server
Bridge port 443 to port 4443
- For all FQDNs except Office Web App (WAC)
Optionally bridge port 80 to port 8080

23 DNS & Certificates

24 Certificates requirements
Reverse Proxy
- Use public certificate
- Lyncdiscover.<sipdomain>
- Simple URLs FQDN
- External Webfarm FQDN
- Office Web App (WAC)
Edge Server external interfaces
- Access Edge Server FQDN
- Web Conferencing Edge Server FQDN
- <hostname>.<sipdomain>
Edge Server internal interface
- Use private certificate
- Internal Edge Server FQDN
- Private certificate will cause problems if CRL cannot be accessed
Please note that AV Edge Server FQDN is not part of the certificate

25 Rolling AV Authentication Certificate
New in 2013
Purpose of AV Authentication certificate
- Creates token to allow clients to use AV Edge Server
- Token acquired at sign-in or after 8 hours
- By internal users as well as by external users
If certificate is renewed…
- Clients still have tokens
- However, tokens cannot be validated by the new certificate
- Media endpoints are unable to use AV Edge Server for up to 8 hours
Rolling AV Certificate
- Allows staging a new certificate while the old one is still in place
- Edge Server will issue tokens based on the new certificate, but be able to validate all tokens
- Set-CsCertificate -Type -Roll -Thumbprint -EffectiveDate
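A pre-flight check for the rolling certificate change described above, as an added example that is not part of the original presentation. `Test-AvCertRollPlan`, the sample certificate objects and the placeholder thumbprints are hypothetical; the rule that the current certificate must stay valid for one token lifetime after the effective date is an assumption derived from the 8-hour token lifetime on the slide.

```powershell
# Added example. Test-AvCertRollPlan is a hypothetical helper, not a Lync cmdlet.
function Test-AvCertRollPlan {
    param(
        # Objects exposing Thumbprint, NotBefore, NotAfter (HasPrivateKey on the new one)
        [Parameter(Mandatory)] $CurrentCertificate,
        [Parameter(Mandatory)] $NewCertificate,
        [Parameter(Mandatory)] [datetime] $EffectiveDate,
        [datetime] $Now = (Get-Date),
        [int] $TokenLifetimeHours = 8   # token lifetime given on the slide
    )
    $issues = @()
    if (-not $NewCertificate.HasPrivateKey) {
        $issues += 'New certificate has no private key in the local store.'
    }
    if ($EffectiveDate -le $Now) {
        $issues += 'EffectiveDate is not in the future.'
    }
    if ($EffectiveDate -lt $NewCertificate.NotBefore -or
        $EffectiveDate -ge $NewCertificate.NotAfter) {
        $issues += 'New certificate is not valid at EffectiveDate.'
    }
    # Assumption: tokens issued under the old certificate just before EffectiveDate
    # live for up to TokenLifetimeHours, so the old certificate must outlast them.
    $oldNeededUntil = $EffectiveDate.AddHours($TokenLifetimeHours)
    if ($oldNeededUntil -gt $CurrentCertificate.NotAfter) {
        $issues += "Current certificate expires before $oldNeededUntil; move EffectiveDate earlier."
    }
    [pscustomobject]@{
        NewThumbprint           = $NewCertificate.Thumbprint
        EffectiveDate           = $EffectiveDate
        KeepOldCertificateUntil = $oldNeededUntil
        Ready                   = ($issues.Count -eq 0)
        Issues                  = $issues
    }
}

# Constructed sample data. On an Edge Server the real objects come from
# Get-CsCertificate -Type AudioVideoAuthentication and Cert:\LocalMachine\My.
$now     = Get-Date '2013-06-01T09:00:00'
$current = [pscustomobject]@{
    Thumbprint = '<CURRENT-CERT-THUMBPRINT>'
    NotBefore  = Get-Date '2011-06-03T00:00:00'
    NotAfter   = Get-Date '2013-06-03T00:00:00'
}
$new = [pscustomobject]@{
    Thumbprint    = '<NEW-CERT-THUMBPRINT>'
    NotBefore     = Get-Date '2013-05-30T00:00:00'
    NotAfter      = Get-Date '2015-05-30T00:00:00'
    HasPrivateKey = $true
}

# Effective 22 hours before the old certificate expires: passes.
$good = Test-AvCertRollPlan -CurrentCertificate $current -NewCertificate $new `
    -EffectiveDate (Get-Date '2013-06-02T02:00:00') -Now $now
# Effective 2 hours before expiry: tokens issued under the old certificate
# would outlive it, which is the outage window the slide describes.
$late = Test-AvCertRollPlan -CurrentCertificate $current -NewCertificate $new `
    -EffectiveDate (Get-Date '2013-06-02T22:00:00') -Now $now
$good, $late | Format-List

# Stage the certificate only when the plan is clean and the Lync cmdlets are loaded.
if ($good.Ready -and (Get-Command Set-CsCertificate -ErrorAction SilentlyContinue)) {
    $roll = @{
        Type          = 'AudioVideoAuthentication'
        Thumbprint    = $good.NewThumbprint
        Roll          = $true
        EffectiveDate = $good.EffectiveDate
        WhatIf        = $true   # drop once the thumbprint and date are real
    }
    Set-CsCertificate @roll
}
```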

26 DNS requirements
- SRV records need to point to A records in same domain
- A lot of SIP domains means a lot of SANs in the certificate
Records
- Lyncdiscover.<sipdomain>: use GeoDNS for Disaster Recovery
- Simple URLs
- External WebFarm FQDN
- Office Web App (WAC)
- Access Edge: <hostname>.<sipdomain>
- Web Conf Edge
- AV Edge
- _sip._tls.<sipdomain>: point to Access Edge Server on port TCP:443; point to A record in same domain
- _sipfederationtls._tcp.<sipdomain>: point to Access Edge Server on port TCP:5061
- _xmpp-server._tcp.<sipdomain>: point to Access Edge on port TCP:5269
New in 2013
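The SRV rules above combined with the Edge certificate requirements from slide 24, as an added example that is not part of the original presentation. `Test-EdgeSrvRecord`, the SIP domains, host names and SAN list are constructed for illustration; the record objects use the `Name`, `NameTarget` and `Port` properties that `Resolve-DnsName -Type SRV` returns, so live results can be passed in instead.

```powershell
# Added example. Test-EdgeSrvRecord is a hypothetical helper, not a Lync cmdlet.
# Expected port per SRV service label, taken from the DNS requirements slide.
$ExpectedSrvPort = [ordered]@{
    '_sip._tls'              = 443
    '_sipfederationtls._tcp' = 5061
    '_xmpp-server._tcp'      = 5269
}

function Test-EdgeSrvRecord {
    param(
        [Parameter(Mandatory)] [string[]] $SipDomain,
        # Objects with Name, NameTarget, Port
        [Parameter(Mandatory)] [object[]] $SrvRecord,
        # Subject alternative names on the Access Edge external certificate
        [Parameter(Mandatory)] [string[]] $AccessEdgeSan,
        # Limit to the services actually deployed (federation and XMPP are optional)
        [string[]] $Service = @($ExpectedSrvPort.Keys)
    )
    foreach ($domain in $SipDomain) {
        foreach ($svc in $Service) {
            $name     = "$svc.$domain"
            $rec      = $SrvRecord | Where-Object { $_.Name -eq $name } | Select-Object -First 1
            $problems = @()
            $target   = $null
            if (-not $rec) {
                $problems += 'record missing'
            } else {
                $target = "$($rec.NameTarget)".TrimEnd('.')
                if ($rec.Port -ne $ExpectedSrvPort[$svc]) {
                    $problems += "port $($rec.Port), expected $($ExpectedSrvPort[$svc])"
                }
                # Slide rule: the SRV target must be an A record in the same domain.
                if ($target -notlike "*.$domain") {
                    $problems += 'target is not in the same domain as the SRV record'
                }
                # Consequence: every SIP domain adds a name to the Edge certificate.
                if ($AccessEdgeSan -notcontains $target) {
                    $problems += 'target is not a SAN on the Access Edge certificate'
                }
            }
            [pscustomobject]@{
                Record   = $name
                Target   = $target
                Port     = if ($rec) { $rec.Port } else { $null }
                Problems = $problems -join '; '
            }
        }
    }
}

# Constructed sample data: two SIP domains, the second one configured with the
# first domain's Access Edge name and without its own SAN.
$records = @(
    [pscustomobject]@{ Name = '_sip._tls.contoso.com';              NameTarget = 'sip.contoso.com';   Port = 443  }
    [pscustomobject]@{ Name = '_sipfederationtls._tcp.contoso.com'; NameTarget = 'sip.contoso.com';   Port = 5061 }
    [pscustomobject]@{ Name = '_sip._tls.fabrikam.com';             NameTarget = 'sip.contoso.com';   Port = 443  }
    [pscustomobject]@{ Name = '_sipfederationtls._tcp.fabrikam.com'; NameTarget = 'sip.fabrikam.com'; Port = 443  }
)
$san = 'sip.contoso.com', 'webconf.contoso.com'

Test-EdgeSrvRecord -SipDomain 'contoso.com', 'fabrikam.com' -SrvRecord $records `
    -AccessEdgeSan $san -Service '_sip._tls', '_sipfederationtls._tcp' |
    Format-Table -AutoSize -Wrap
```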

27 Network

28 Number of IPs per Edge
Two supported scenarios
- Single external IP for Access Edge, Web Conferencing Edge and AV Edge Server: SIP (TCP: 5061), PSOM (TCP: 444), SRTP (TCP: 443). Firewall on client location might block ports other than 443 TCP.
- Dedicated external IP for Access Edge, Web Conferencing Edge and AV Edge Server: SIP (TCP: 443), PSOM (TCP: 443), SRTP (TCP: 443). Even if 443 TCP is the only open port, all features will work.

29 Number of IPs per Edge
Single external IP per Edge
- Will not require as many public IP addresses
- Might limit connectivity
Dedicated IP per Edge Role
- Will require 3 external IP addresses per Edge Server
- Will provide best connectivity

30 Subnets
Subnet requirements
- External interfaces and internal interface on different subnets
- Must not be routable to each other

31 Firewall

32 Firewall: Edge

33 50,000 requirements
OCS 2007
- Requires 50,000-59,999 TCP/UDP outbound and inbound
OCS 2007 R2, Lync 2010, Lync 2013
- Requires “50,000-59,999 TCP outbound”
Source IP: A/V Edge service interface. Destination IP: Any.
Source Port / Destination Port: TCP 50,000-59,999, TCP 443, UDP 3478, Any

34 IPv6 support
New in 2013
- Requires February 2013 CU
- Bridging between IPv4 and IPv6: Edge Server can bridge between IPv4 networks and IPv6 networks
Columns: Edge Pool (External Edge): IPv4 | Dual Stack | IPv6
Edge Pool (Internal Edge): IPv4: Yes, No
Edge Pool (Internal Edge): Dual Stack:
Edge Pool (Internal Edge): IPv6: Yes*
* Use this combination only in a lab environment.

35 Load Balancing

36 What is DNS Load Balancing?
Multiple A records
- Each with the same Pool FQDN
- Each with the IP address of a single server
Logic in server/client
- Will connect to one IP
- If attempts fail, next IP will be used
Not possible for http(s) traffic
- Browser not aware of DNS LB
- Hardware Load Balancer always required
Not working for legacy communication partners
- PIC: MSN, AOL; MOC 2007 R2, Federation with OCS 2007/OCS 2007 R2; Lync for Mac 2011
- Exchange 2007, Exchange 2010
- Exchange 2010 supports DNS LB only for signaling against the Front End Pool

37 Hardware Load Balancing
- Additional Virtual IP to point to HLB per service
- All external IPs (VIPs and IPs on servers) must be publicly routable
- HLB must not be configured for SNAT for AV Edge Server: Edge Server needs to see client IP address
Scenarios
- Will work in all scenarios

38 DNS LB vs. HLB
- IP addresses required: DNS LB: Server x 3; HLB: Server x VIPs
- Scenarios: DNS LB: no high availability for Exchange 2007/2010 UM, AOL, MSN, down-level Federation, legacy client; HLB: all scenarios
- Use of NATed IPs: DNS LB: Possible; HLB: Not supported
- Server draining: Supported
- Configuration: DNS LB: Simple; HLB: Complex

39 HA/DR

40 High Availability
Ability to recover from losing a component within a datacenter
- Deploy Edge Servers as pool
- Deploy Reverse Proxy in array
- Use an n+1 model
- Avoid any single point of failure

41 Disaster Recovery
New in 2013
Ability to recover from losing a complete data center
- Deploy paired Front End pools in different data centers
- Deploy Edge pools corresponding to each Front End Pool
- Use GeoDNS for lyncdiscover.<sipdomain> and Simple URLs
- Datacenter failover per Lync Management Shell

42 Disaster Recovery
- User homed in Vienna
- Paired pool: Vienna, Munich
- Outage; administrator initializes failover

43 Disaster Recovery Federation
- Will not fail over as part of pool failover
- Manually change external SRV record and internal Federation route

44 Sizing and placement

45 Sizing
Standard user model
- 12,000 concurrent remote users per Edge Server
Servers per pool
- Up to 12
Your mileage may vary
- Depending on usage
- Always monitor resources on servers

46 Placement considerations
Edge Server
- In every datacenter with FE pool vs. centralized Edge Servers
- Assign centralized pool to multiple Front End Pools
Centralize Reverse Proxy
- Next to each Edge pool vs. centralized reverse proxy
- Use centralized reverse proxy to publish multiple internal pools
Technically possible, but…
- This will affect the call flows
- Impacting user experience and bandwidth
- What about Disaster Recovery?

47 Validate Edge deployment

48 Validate Edge deployment
- Eventvwr: check for errors and warnings
- Validate replication to Edge Server: Get-CsManagementStoreReplicationStatus
- Remote Connectivity Analyzer
- Lync Connectivity Analyzer

49 Session Objectives And Takeaways
Session Objective(s):
- Explain Edge Server Architecture
- Highlight common misunderstandings
- Address best practices
- Understand Edge Server requirements
- Deploy best possible design
Edge is awesome!

50 Resources
- TechNet Documentation
- Lync Deep Dive: Edge Media Connectivity with ICE
- NextHop: Rolling AV Certificate cscertificate-for-audio-video-edge-and-oauthtokenissuer-certificate-maintenance.aspx
Bryan Nyce

51 Related content
- OUC-B303: Designing for High Availability and Disaster Recovery in Microsoft Lync Server 2013
- OUC-B334: Migration and Coexistence with Microsoft Lync Server 2013
- Exam : Core Solutions of Microsoft Lync Server 2013
- Exam : Enterprise Voice & Online Services with Microsoft Lync Server 2013
- Find Me Later At the Lync 2013 Booth and ATE

52 Resources
- Learning: Microsoft Certification & Training Resources
- Sessions on Demand: http://channel9.msdn.com/Events/TechEd
- TechNet: Resources for IT Professionals
- msdn: Resources for Developers
