Lync 2013 edge-no reverse proxy question

I deployed a Lync 2013 Edge server and have no reverse proxy yet. I am trying to connect from my Windows 7 machine with no luck, and I can see a TCP reset on the firewall. My question is: is a reverse proxy required for the normal client to connect and do basic IM?
Please confirm. Thanks.

*****Update**********
Now when I am trying to test connectivity using the Microsoft Connectivity Analyzer, I am getting an error related to the external certificate stating that "certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation." With the UC troubleshooter I am getting the same. Any idea?
PS: the certificate is from DigiCert and I have checked the installation with their tool and all was green.
Regards

Similar Messages

  • Lync 2013 Edge and Reverse proxy on same server with SNI

    Hello
    I cannot find information if it is possible to create a single Lync 2013 Edge server with a Reverse proxy on the same server?
    Would it not be possible to share port 443 with SNI support? That way we could use only one public IP?
    Thanks!

    Sorry, it doesn't work.  Remember that 443 isn't HTTPS for the Edge.  If you went with the single IP model for the edge, 443 would be used for the A/V role which would be STUN/TURN. 
    The edge will always want to listen on 443, it just doesn't work to collocate a reverse proxy.
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Lync 2013 Edge & Web proxy

    Hi Everyone
    I'm having a little trouble getting my head around the setup for Lync external access.
    I have set up an ADFS server, a Lync 2013 server (works internally), a 2012 web proxy server (doing nothing) and an Edge server (currently doing nothing).
    My understanding is that the Edge and Web proxy server are in "parallel", i.e., they both face the WAN as they perform different tasks.
    The problem I have is that I'm unsure how to map everything correctly. I also don't understand how an external Lync client will get its config. If my domain setup is:
    something.domain.internal, and I would like to register a DNS entry externally as something.domain.external, how do I map those correctly via the web proxy and Edge server? Sending the request via the firewall is easy enough, however I'm unsure how I'm supposed to define them on my servers. Is the Lync server supposed to know about the external URL? Or does it not care?

    Hi,
    The Edge Servers run the services that allow external access to IM and presence, conferencing, audio/video, and other media services. You can also configure the Edge Server to federate with other Lync Server and other XMPP deployments.
    Lync Server uses the reverse proxy to publish a number of features, such as conferencing meetings, conference join locations, the address book, distribution list expansion, downloading meeting content, device updates, Mobility services, and more. Any reverse
    proxy that can meet the requirements for publishing the necessary resource locations can be used.
    You just need to define the Edge information in Topology Builder and publish it. Then configure the server as defined in the topology, install the local configuration store, set up the Lync components and assign the certificate. Here is a topology that uses private IP addresses and NAT:
    http://technet.microsoft.com/en-us/library/gg399001.aspx
    Here are other resources on how to publish Lync Server web services:
    http://blogs.technet.com/b/dodeitte/archive/2013/10/29/how-to-publish-lync-server-2013-web-services-with-windows-server-2012-r2-web-application-proxy.aspx
    https://social.technet.microsoft.com/wiki/contents/articles/9807.how-to-configure-forefront-tmg-2010-as-reverse-proxy-for-lync-server-2010.aspx
    Kent Huang
    TechNet Community Support

  • Lync 2013 Edge server compatibility with Lync 2010 Front end Pool

    Hi All,
    Technet article (http://technet.microsoft.com/en-us/library/jj688121.aspx) says the following:
    If your legacy Lync Server 2010 Edge Server is configured to use the same FQDN for the Access Edge service, Web Conferencing Edge service, and the A/V Edge service, the procedures in this section are not supported. If the
    legacy Edge services are configured to use the same FQDN, you must first migrate all your users from Lync Server 2010 to Lync Server 2013, then decommission the Lync Server 2010 Edge Server before enabling federation on the Lync Server 2013 Edge Server.
    Can you tell me why it is you have to change the External Lync Web services URL during a migration to Lync 2013 from Lync 2010. What purpose does this serve?
    Also can you clarify this and explain why this is required, why would you have to migrate all of your users, would a Lync 2013 Edge not talk to a Lync 2010 front-end?
    Any help would be much appreciated. MANY THANKS.

    Thank you very much for all your inputs.
    We still have few questions:
    Questions:
    Can you tell me if Lync 2010 users will be able to login using mobility if we repoint the reverse proxy (TMG) web services publishing rule to the Lync 2013 server? Remember both systems Lync 2010 and 2013 are using the same web
    services URL so they will both end up at the Lync 2013 server. Alternatively if not we will migrate all users to 2013, this is not a problem
    In addition to this I cannot find anything that states how Exchange UM will operate when you are running from a backup pool and the exchange UM contacts are not available because they are homed on the server that is down. This
    configuration is 2 x standard edition servers pool paired. How can we make sure Exchange voice mail works during a pool failover?
    Call Park is not clear to me I read the following:
    Lync Server 2013 provides new disaster recovery mechanisms in the form of failover and failback processes. These failover and failback processes support recovery of Call Park functionality by allowing
    users who are homed in the primary pool to leverage the Call Park application of the backup pool when an outage occurs in the primary pool. Support for disaster recovery of the Call Park application is enabled as part of the configuration and deployment of
    paired Front End pools.
     Is this saying we need to deploy Call Park in the DR pool and use a different range of orbit numbers, or can we use the same range in the DR pool?
    Further, I can see that Common Area Phones will be fine as they will log into the DR pool automatically. Response Groups need to be exported and imported to the DR pool. Incidentally these did not migrate well at all and have
    caused us a big headache!
    Any inputs will be greatly appreciated. Thanks again for all of your time.

  • Lync 2013 Edge Server Migration

    Hi,
    Our organisation is in the process of changing gateway providers, so we have to move our currently deployed Lync 2013 Edge Server and TMG (Lync related sites) to the new provider datacentre. We have new public and DMZ IP addresses allocated for these services
    and we can't use the current addresses.
    Has someone been through this and is there a best practice to follow to transition these services with minimal outages to the users?
    Any help would be appreciated.

    The steps that you mentioned would work. I need to add some bits to it:
    1. Take a copy of the current Edge Server (VM) and place it into the new datacentre
    2. Change the IP addressing (of services) for the Edge Pool in the Topology Builder and publish/sync
    3. Change the IP address of the Edge server and run the deployment wizard with the "Add remove Lync server component" step
    4. Start services
    5. Publish the Lync services on the new TMG reverse proxy
    6. Test connectivity
    http://thamaraw.com

  • What is best recommendation for DNS LB for Lync 2013 Edge servers

    What is the best recommendation for DNS LB for Lync 2013 Edge servers? We have an F5 LB for Edge and want to decide if we can go with DNS-based LB for the Edge servers.
    Anil MCC 2011,ITIL V3,MCSA 2003,MCTS 2010, My Blog : http://messagingschool.wordpress.com

    It will be better to use hardware load balancing (F5).
    If you choose to use DNS load balancing for a pool but still need to implement hardware load balancers for traffic such as HTTP traffic, the administration of the hardware load balancers is greatly simplified. For example, configuring the hardware load balancer will be simpler as it will only manage the HTTP and HTTPS traffic, while all other protocols will be managed by DNS load balancing.
    For more info, you can check the links below:
    http://technet.microsoft.com/en-us/library/gg615011.aspx
    http://technet.microsoft.com/en-us/library/gg398634.aspx
    Mai Ali

  • Do we need License for Lync 2013 Edge server?

    Hello Team,
    We are currently running Lync 2013 Standard Edition Server. We are planning to enable users for external access and planning to deploy a Lync 2013 Edge server.
    1. Do we need License for Lync 2013 Edge server?
    2. Any other client licenses needed?
    Please advise.

    Hi,
    No, you don't require any additional license in order to install the Lync Edge server. The only license required is at the OS level, I mean the Windows Server licence; as far as Lync is concerned you don't require any additional license.
    Check this:
    https://products.office.com/en-us/lync/microsoft-lync-licensing-overview-lync-for-multiple-users
    http://lyncuc.blogspot.in/2013/02/lync-2013-licensing-guide-how-to.html
    And for the client you also don't require any additional license; your existing client license will work externally as well.

  • Lync 2013 Edge Server Issues

    Forgive me if this question sounds rather "entry level", I have never worked with Lync and this project was handed to me by my boss, who hasn't worked with Lync either.
    I have been reading various posts and forum messages until I went cross eyed about setting up Lync 2013 Edge server correctly.  I am still running into some questions and issues with the Access, Web, and A/V services starting.  Here is my main
    question, and below is my setup. 
    Question:
    Is there a need for both an external and internal nic card IF all three external IP's for the external services are programmed at the firewall and router to go directly to 1 internal IP address?
    Setup:
    Currently I have 1 FE-Standard server that also acts as the Mediation Server, and 1 Edge Server both of which are virtual and running Server 2012.  Originally I did have 2 network cards setup, as all other documentation suggested, 1 external and 1 internal. 
    However my boss, who setup the DNS/Firewall entries stated to remove the External Card since the external address that was setup for the 3 services was routed to 1 internal address. The Access Services, Web Services, and A/V services are all running on three
    separate ports with their own unique FQDN- 443, 444, and 445.  The cert that was deployed is a wild card cert from GoDaddy, this has been used by other servers that point inside and outside without issues.  
    Issues and Errors Messages:
    I have run into a few different issues and error messages from the Event Viewer:
    Event 1
      Provider [Name]: LS Protocol Stack
      EventID: 14352 [Qualifiers: 50153]
      Level: 2
      Task: 1001
      Keywords: 0x80000000000000
      TimeCreated [SystemTime]: 2013-09-09T15:44:51.000000000Z
      EventRecordID: 2885
      Channel: Lync Server
      Computer: edgesvr01
      EventData: 0xC3E93C0A; SIP_E_STACK_TRANSPORT_FAILED

    Event 2
      Provider [Name]: LS Server
      EventID: 12303 [Qualifiers: 50152]
      Level: 2
      Task: 1000
      Keywords: 0x80000000000000
      TimeCreated [SystemTime]: 2013-09-09T15:44:51.000000000Z
      EventRecordID: 2884
      Channel: Lync Server
      Computer: edgesvr01
      EventData: 80072741; The requested address is not valid in its context.

    Event 3
      Provider [Name]: LS Protocol Stack
      EventID: 14336 [Qualifiers: 50153]
      Level: 2
      Task: 1001
      Keywords: 0x80000000000000
      TimeCreated [SystemTime]: 2013-09-09T15:44:51.000000000Z
      EventRecordID: 2883
      Channel: Lync Server
      Computer: edgesvr01
      EventData: TLS; external IP address that is now used now; 5061
    Please help, I am at a loss as to where to go from here.

    Thanks for the quick responses. 
    I have re-enabled the external NIC.  All services are running now.  When I ran the Remote Connectivity tester this was the outcome.
    Testing remote connectivity for user: username@domain... to the Microsoft Lync server.
     Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Test Steps
    Attempting to resolve the host name lync.metisconnect.com in DNS.
     The host name resolved successfully.
    Additional Details
     IP addresses returned: xxx.xxx.xxx.xxx (external address)
    Testing TCP port 443 on host: host fqdn to ensure it's listening and open.
     The port was opened successfully.
    Testing the SSL certificate to make sure it's valid.
     The certificate passed all validation requirements.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server host fqdn on port 443.
     The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
     Remote Certificate Subject: CN=*.ourdomain.com, OU=Domain Control Validated, Issuer: SERIALNUMBER=######, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona,
    C=US.
    Validating the certificate name.
     The certificate name was validated successfully.
    Additional Details
     The host name that was found, lync.metisconnect.com, is a wildcard certificate match for common name *.ourdomain.com.
    Certificate trust is being validated.
     The certificate is trusted and all certificates are present in the chain.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.ourdomain.com, OU=Domain Control Validated.
     One or more certificate chains were constructed successfully.
    Additional Details
     A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
    Analyzing the certificate chains for compatibility problems with versions of Windows.
     Potential compatibility problems were identified with some versions of Windows.
    Additional Details
     The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Testing the certificate date to confirm the certificate is valid.
     Date validation passed. The certificate hasn't expired.
    Additional Details
     The certificate is valid. NotBefore = 7/31/2013 4:02:03 PM, NotAfter = 7/31/2014 4:02:03 PM
    Testing remote connectivity for user username@domain to the Microsoft Lync server.
     Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
      Tell me more about this issue and how to resolve it
    Additional Details
     Couldn't sign in. Error: Error Message: Operation failed because the network connection was not available..
    Error Type: ConnectionFailureException.
    External calls from a 3g/4g data connection are not connecting when using the Lync call feature to an internal users Lync Client.  Outcome is: Connecting Call and No Audio.  Then call ends.

  • Lync 2013 Edge Server Deployment

    We have already deployed 5 Frontend Servers (1 Standard Server and 1 Pool with 4 FE Servers) and one Edge Server some days ago. Now we are trying to set up another Lync 2013 Edge Server and got stuck.
    When we try to import the configuration file, which we had exported from a Frontend Server (export-Csconfiguration..), we get the following error:
          Cannot open database "xds" requested by the loging
    We can publish the topology on the Frontend Server without errors.
    We have already uninstalled all the Lync and SQL components and tried again - no success.
    Best regards
    Bueschu

    On reviewing the error and confirming the backup service was started, in order to resolve the issue the following actions were performed.
    1. In the Lync Topology Builder remove the front end resiliency settings that were previously applied and publish the topology.
    2. Connect to each front end server that comprises the pool pairing and run step two of the deployment wizard, by performing this the replicator and backup services will be removed and essentially the pairing will be broken.
    3. In the topology Builder re-apply the resiliency settings and publish the topology in order to recreate the pairing.
    4. Connect to each front end server that comprises the pool pairing and run step two of the deployment wizard, by performing this the replicator and backup services will be added again. Once the deployment wizard is completed, ensure the
    backup services are started on each front end and ensure the Invoke-CSBackupServiceSync PowerShell commands are run as per the "What to do next" information.
    5. In the Lync Server Management Shell run "Get-CsBackupServiceStatus -PoolFqdn yourpool.domain.local" and ensure the service is operating in a normal state for both front end servers.
    That's it, the deployment wizard and associated xds database access error should now be cleared.

  • Lync 2013 Edge Server

    I have a few questions on setting up a Lync 2013 Edge Server. Let me give a little background into what is going on. My company currently still has the old Communicator server (1 user left to migrate to Lync!) and a Lync 2013 that is all set up and functional. Our current Lync environment is only internal, since we do not have an Edge Server set up. That is what I am tasked to work on now. I have read a lot of guides on how to build this server, where it needs to be placed in the DMZ, and what is needed for it.
    First question - Is there a hardware spec needed for this server?
    Second question - I read that 3 public IPs are needed. What are they needed for? So I can explain to our network guys why I need this.
    Third question - Does it matter if the Edge server is on the domain or not? I read it shouldn't be. I don't think it will be an issue either way for me, but it's easier to manage if on the domain.
    Fourth question - Should I finish my Communicator server decom before worrying about the Edge server?
    Final question - Is there a guide on how to get rid of the Communicator Server connections to our Lync Server?
    Thanks in advance.

    First question- HW spec  https://technet.microsoft.com/en-us/library/gg398835.aspx
    For your reference, my edge servers happen to have 40 GB ram and 2x'E5-2690 2.9GHz' ... they don't have to be physical ... can be virtual however.
    Second - 3 IPs are recommended ... it makes it easier because you can use standard ports as opposed to straying from 443 etc. ... and it makes troubleshooting easier. All three of the edge services include a 443 requirement - and, with SSL you can't just share that socket on a single IP - so, lucky service gets 443. Also, you can segregate the traffic and see exactly what is happening. If you only had 1 IP - many scenarios in Lync would not work (e.g., I'm at a hotel and your AV port is not allowed through the firewall).
    Here is a wonderful reference - https://blogs.perficient.com/microsoft/2012/12/lync-scaled-consolidated-edge-public-ip-addresses/
    Third - it is recommended that it is NOT domain joined - however, it's ok that it is. Mine IS domain joined because I have a domain in my DMZ and it assists with management (etc.) and may be required for your security. Your call. IMO, if you have a domain, join it. Why not?
    RE: OCS - there is a migration path from OCS 2007 R2 to Lync 2013 as per https://technet.microsoft.com/en-us/library/gg425764.aspx   and several documents on the Internet that show the process for those who need to do so.   It's not trivial.
    Another interesting link:  http://blogs.technet.com/b/saleesh_nv/archive/2014/04/24/lync-2013-tri-co-existance.aspx

  • Lync 2013 Edge - Windows Standard 2012 - Set-CSCertificate gives me "The buffer supplied to a function was too small."

    Hello,
    I'm having some issues during the installation of our new Edge 2013 server, specifically when trying to assign the external certificate.
    We have a Lync 2010 deployment already, and this is a step in the migration to the new version.
    On the 2010 Edge server, we have a Geotrust SAN certificate currently which it has been running nicely with for the past couple of years since we installed it.
    However, after trying to assign the certificate to the Lync 2013 Edge server, it just keeps giving me "set-cscertificate : Command execution failed: The buffer supplied to a function was too small."
    If I request a certificate from our Internal CA, it assigns fine and there's no problem - however I've gone over all the Subject Alternate Names on the Geotrust Cert and all of them are present, the certificate was exported and imported with the private
    key so that should not be the issue either. The common name on them are the same, and all the SAN's are there, along with quite a few others (Though I expect this should not present any problems.)
    We didn't have the intermediate Geotrust CA in the "Intermediate Certification Authorities" list, so I've imported that along with a current CRL but it still refuses to assign the certificate.
    Trying to find some more details on the error message seems rather futile - some more details to the error messages would have been helpful, but I'm hoping someone here might be able to give me a hand in diagnosing the actual issue.
    Thanks in advance,
    Johan

    In our case we traced the problem to the version of the certificate template. We could not utilize a v3 template from our Enterprise CA. Once the CA administrator configured and granted us the permissions to a v2 certificate template we were able to successfully
    assign a certificate to Lync.
    The problem comes in regarding the cryptography provider of the certificate template. Certificates based upon a v2 template utilize CryptoAPI (Cryptography API), and v3 templates utilize CNG (Cryptography API: Next Generation) as the cryptography provider.
    Lync Server 2010 and 2013, it appears, do not seem to utilize v3 certificates properly. This article explains how to determine which version of cryptography provider is being used for the certificates in your environment: http://www.ehloworld.com/751.
    You may consider checking the template version of your certificate to see if that helps your situation, perhaps Geotrust can reissue you a v2 certificate if necessary.
    Further background info:  http://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).aspx
    Regards,
    Jason
    Jason Hindson

  • Exchange 2013 using ARR reverse proxy OWA options won't open

    Hi,
    I've been using the Exchange team's blog post (http://blogs.technet.com/b/exchange/archive/2013/08/05/part-3-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx) as a guideline for configuring my ARR deployment in my lab.
    Everything was working perfectly right until I got to the last part of the blog, on restricting the pattern matches.
    The rewrite rules all work fine and everything is working as expected, with the exception of the fact that I cannot access the options in OWA. ECP itself works great if I access it via the https://ecp.domain.com/ecp URL, but as soon as I use https://mail.domain.com/ecp it just won't display anything.
    Looking at the failed request logs, it just shows that it executes a 302 rewrite to ecp.domain.com, which is what I would expect it to, based on the rewrite rule matching https://mail.domain.com/ecp to the ecp.domain.com server farm.
    If I look at the IIS logs it looks like it's getting into some sort of loop (the section below is about 10% of a single attempt to access the options pages):
    2014-06-28 12:25:38 xxx.xxx.xx.xxx GET /ecp/ rfr=owa&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=6983c585-b0ea-4fd0-9bb1-fc747ee8e992 443 - xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C) - 302 0 0 15
    2014-06-28 12:25:38 xxx.xxx.xx.xxx GET /ecp rfr=owa/&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=d32a3a4f-d8a6-4712-91d4-56360be33793 443 - xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C) - 302 0 0 0
    2014-06-28 12:25:38 xxx.xxx.xx.xxx GET /ecp rfr=owa//&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=14797897-f1ad-454a-b73c-fde041a43d2b 443 - xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C) - 302 0 0 0
    Did anyone ever run into something like this? Or have an idea where I may have made a mistake? I've tried everything I could think of.
    The rewrite rules I have in place are basically exactly the same as in the Exchange team's blog, but just in case I overlooked something, please see the image below.
    thanks in advance for your time
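Added example (not part of the original post, and not code from the Exchange team's blog): one way to confirm from the IIS W3C log that a client is stuck in a redirect loop like the one in the excerpt above, instead of reading the log by eye. The sample log is constructed, with documentation IP addresses and a shortened user agent; the function names and the `min_hits` and `window` thresholds are assumptions to adjust.

```python
"""Flag redirect loops in IIS W3C logs (added example; sample data is constructed)."""
from datetime import datetime, timedelta
from urllib.parse import parse_qs

REDIRECTS = {"301", "302", "303", "307", "308"}

# Constructed sample modelled on the excerpt in the post: one client follows a
# single normal redirect, another is bounced around /ecp with a growing rfr value.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2014-06-28 12:25:30 192.0.2.10 GET /owa/ - 443 - 198.51.100.20 Mozilla/4.0 - 302 0 0 12
2014-06-28 12:25:31 192.0.2.10 GET /owa/auth/logon.aspx url=x 443 - 198.51.100.20 Mozilla/4.0 - 200 0 0 40
2014-06-28 12:25:38 192.0.2.10 GET /ecp/ rfr=owa&X-ARR-CACHE-HIT=0 443 - 203.0.113.7 Mozilla/4.0 - 302 0 0 15
2014-06-28 12:25:38 192.0.2.10 GET /ecp rfr=owa/&X-ARR-CACHE-HIT=0 443 - 203.0.113.7 Mozilla/4.0 - 302 0 0 0
2014-06-28 12:25:38 192.0.2.10 GET /ecp rfr=owa//&X-ARR-CACHE-HIT=0 443 - 203.0.113.7 Mozilla/4.0 - 302 0 0 0
2014-06-28 12:25:39 192.0.2.10 GET /ecp rfr=owa///&X-ARR-CACHE-HIT=0 443 - 203.0.113.7 Mozilla/4.0 - 302 0 0 0
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields directive matters; it may change mid-file.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # wrapped or truncated line: skip rather than misalign
        rec = dict(zip(fields, values))
        try:
            rec["ts"] = datetime.strptime(
                rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue
        records.append(rec)
    return records


def find_redirect_loops(records, min_hits=3, window=timedelta(seconds=5)):
    """Return runs of >= min_hits consecutive 3xx answers per (client, path).

    Paths are compared case-insensitively and without trailing slashes, so
    /ecp/ and /ecp count as the same target, as in the post's log.
    """
    runs, findings = {}, []

    def close(key):
        run = runs.pop(key, [])
        if len(run) >= min_hits:
            findings.append({
                "client": key[0],
                "path": key[1],
                "hits": len(run),
                "first": run[0]["ts"],
                "last": run[-1]["ts"],
                # rfr is the query parameter seen growing in the post's log
                "rfr_values": [
                    parse_qs(r.get("cs-uri-query", "")).get("rfr", [""])[0]
                    for r in run
                ],
            })

    for rec in sorted(records, key=lambda r: r["ts"]):
        path = rec.get("cs-uri-stem", "").rstrip("/").lower() or "/"
        key = (rec.get("c-ip"), path)
        is_redirect = rec.get("sc-status") in REDIRECTS
        run = runs.get(key)
        # A non-redirect answer or a long pause ends the current run.
        if run and (not is_redirect or rec["ts"] - run[-1]["ts"] > window):
            close(key)
        if is_redirect:
            runs.setdefault(key, []).append(rec)
    for key in list(runs):
        close(key)
    return findings


if __name__ == "__main__":
    for loop in find_redirect_loops(parse_w3c(SAMPLE_LOG)):
        print("{client} looped {hits}x on {path}: rfr={rfr_values}".format(**loop))
```
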

    Hello,
    I wanted to see if anyone has any suggestions on reverse proxy options that can do pre-authentication like TMG used to do? I am currently trying to deploy a new Exchange 2013 setup in coexistence with an existing Exchange 2010 environment which will then be migrated over. And one of the requirements is to block certain users from accessing webmail externally while still allowing others to access webmail. That is currently achieved by using a TMG server but that is going to be decommissioned along with Exchange 2010.
    I have been searching online but so far I have not found anything that seemed to meet this requirement. I have seen that IIS Web Application Proxy tied in with AD FS would do the job. But there is some issue there with Exchange 2010 still being active that won't allow it to work. Some suggestions I have seen online involved changing permissions on the IIS directory or modifying web config files but those options didn't seem like they provided a consistent result.
    So I am looking for some sort of option that is either inexpensive or some means of leveraging existing Microsoft technologies to achieve my goal. Any suggestions would be helpful.
    Nicholas,
    How about IIS ARR?
    http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx
    http://blogs.technet.com/b/exchange/archive/2013/08/02/part-2-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx
    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

  • Lync 2013 Edge replication not working

    hi, I have a Lync 2013 Edge replication issue - it is simply not working.
    UpToDate           : False
    ReplicaFqdn        : LyncEdge.contoso.com
    I have already checked the following:
    1) telnet from FEP servers to the Edge server on port 4443 is working
    2) Certificates are installed correctly - Lync Federation, Voice/Video to Skype, Lync Mobile is all working fine.
    3) Replication traffic checking showing the following error in XDS logs:
    (000000000126DB35)[FileTransferTask(11, 9/03/2015 2:44:24 PM): {TASK_NOT_STARTED, fromReplica, [lyncedge.contoso.com, HttpsWebService, 4443], 0}] Failed to copy files from replica. Exception: [System.ServiceModel.Security.MessageSecurityException: The HTTP
    request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
       at System.Net.HttpWebRequest.GetResponse()
       at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       --- End of inner exception stack trace ---
    Server stack trace:
       at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory factory)
       at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory, WebException responseException, ChannelBinding channelBinding)
       at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.Rtc.Xds.Replication.Common.IReplicationWebService.DownloadFiles(String senderFqdn, String sourceDirPath, String tempDirPath)
       at Microsoft.Rtc.Xds.Replication.FileTransfer.FileTransferTask.CopyFilesFromReplicaUsingWcf(String fromDir, String tmpDir, String toDir)]
    I have checked certificate stores: there are only 34 certificates in the Root folder and the SendTrustedIssuerList reg. key has been configured, which did not solve the issue.
    Any idea how to troubleshoot this or possible root causes?

    Try Test-CsComputer on the Frontend Servers and the Edge Servers. This should check Windows Firewall exceptions are correct. Then check permissions on your Lync fileshare. You can also try to reinstall the CMS Database with the following command (user must be a member of the CsAdministrator group and the sysadmin group of SQL Server):
    Install-CsDatabase -CentralManagementDatabase -SqlServerFqdn CMS.FQDN -SqlInstanceName DBInstance -Verbose

  • Change Lync 2013 Edge Server Natted public ip addresses

    We changed the public IP addresses for Lync 2013 Edge. I changed only the A/V Edge service NAT-enabled public IPv4 address to the new public IP address.
    Published the topology.
    Ran the Invoke-CsManagementStoreReplication command.
    Restarted the Edge server.
    What else should I do to solve it?
    Error:
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip.*****.com on port 5061.
    The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
    Additional Details
    The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

    Hi,
    Please re-run Step 2-Setup or Remove Lync Server Components after changing IP in topology.
    Kent Huang
    TechNet Community Support
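
The Connectivity Analyzer message in this thread does not say whether the failure is in the network path or in the certificate. The PowerShell check below is an added example, not part of the original posts or any Microsoft tooling; it separates the TCP connect, the TLS handshake and the presented certificate on port 5061. The function name Test-EdgeTlsHandshake and the host sip.example.com are hypothetical placeholders.

```powershell
# Added diagnostic example. Test-EdgeTlsHandshake and sip.example.com are
# hypothetical names chosen for this illustration.
function Test-EdgeTlsHandshake {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 5061,
        [int]$TimeoutMs = 5000
    )
    $r = [ordered]@{
        Host = $HostName; Port = $Port; TcpConnected = $false; TlsNegotiated = $false
        Protocol = $null; Subject = $null; NotAfter = $null; San = $null
        PolicyErrors = $null; Error = $null
    }
    $script:edgeTlsPolicyErrors = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Stage 1: plain TCP. A timeout or refusal here points at the network
        # path (NAT, firewall) for the public IP, not at the certificate.
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out" }
        $client.EndConnect($pending)
        $r.TcpConnected = $true

        # Stage 2: TLS handshake. The callback records validation errors and then
        # accepts, so a bad certificate is reported rather than hidden behind an
        # exception. No application data is sent on this connection.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $script:edgeTlsPolicyErrors = $sslPolicyErrors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $r.TlsNegotiated = $true
        $r.Protocol = $ssl.SslProtocol

        # Stage 3: report what the server actually presented.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject = $cert.Subject
        $r.NotAfter = $cert.NotAfter
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) { $r.San = $sanExt.Format($false) }
        $r.PolicyErrors = $script:edgeTlsPolicyErrors
    }
    catch { $r.Error = $_.Exception.Message }
    finally { $client.Close() }
    [pscustomobject]$r
}

Test-EdgeTlsHandshake -HostName 'sip.example.com' | Format-List
```

TcpConnected false means the handshake was never attempted; TcpConnected true with TlsNegotiated false means the listener accepted the connection but did not complete TLS; a value other than None in PolicyErrors means the handshake worked and the certificate itself failed validation.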

  • Lync 2013 edge server request certificates

    I am deploying a Lync 2013 Edge server. How do I get the certificate request file [certificate signing request (CSR)] in Step 3: Request, Install or Assign Certificates?
    I need your help!
    Thanks!

    Agree with Jason.
    On the Certificate Request File page, type the full path and file name to which the request is to be saved.
    After you get Certificate Request File, you need to submit this file to your CA (by email or other method supported by your organization for your enterprise CA) and, when you receive the response file, copy the new certificate to this computer so that it
    is available for import.
    Check how to set up certificates for the internal edge interface at
    http://technet.microsoft.com/en-us/library/gg412750.aspx.
    Check how to set up certificates for the external edge interface
    http://technet.microsoft.com/en-us/library/gg398409.aspx.
    Lisa Zheng
    TechNet Community Support
