Lync 2010 Standard Edition Front-End and Edge Certificate Renewal issue

Hi Experts,
I have a client with a single Standard Edition FE server and 1 Edge server, and both are using PUBLIC certificates. It also has a reverse-proxy server (F5 HLB) with a wildcard certificate installed. The FE and Edge certificates are about to expire and the client now wants the following:
1. Internal Certificate from Internal CA server for FE
2. External Certificate from Public CA for Edge
What I did was,
A. For the Internal Cert - I generated a CSR from the MMC cert manager using a custom request from the FE server and had it signed by the Internal CA. The reason I did that was that every time I requested the CSR from the Lync Certificate Wizard, it reported that the certificate template was not supported by the Internal CA.
B. For the External Cert - I requested the Edge external CSR through the Lync Certificate Wizard and submitted it to the client for public CA renewal.
When I installed both certificates, internal Lync worked fine, but anything external (i.e. external Lync access, mobile, federation) no longer worked.
So I decided to roll back the certificates, and everything went back to normal.
Question is, what steps or process did I miss or get wrong? Hoping for your response. Thank you in advance.

Hi DaxZilla,
You also need to request a certificate for the internal interface of the Edge Server from the internal enterprise certificate authority.
The certificate for the external edge interface should contain SANs as below:
SAN=Access Edge service FQDN
SAN=Web conference service FQDN
SAN=SIP domain FQDN
Mobile clients go through the reverse proxy server to sign in. It is not related to the Edge Server. Check that the certificate on the reverse proxy has not expired.
Best Regards,
Lisa Zheng
TechNet Community Support

Similar Messages

  • Configuring Lync 2010 Mobility with Front end and Edge Server

    I have been racking my brain the past week trying to figure out how to get the Lync Edge server working properly and how to get the Mobility service working properly.
    Currently I have 1 front end server that is configured and working. I have one Edge server that has been configured according to nearly every online help I could find, along with a public cert.
    If I use Microsoft's online connectivity test and I run the Lync Server Remote Connectivity Test, everything passes. I am also able to connect to Lync using a Windows Lync client from outside of the internal network; however, I have to specify the server name as sip.ourdomain.com. I cannot get connected using autodiscover.
    When I run the Lync Autodiscover Web Service Remote Connectivity Test it fails due to an SSL error to lyncdiscover.ourdomain.com, which then led me down the path that I needed to install the Mobility service, but it also tells me that I may need to update our SSL cert as well.
    This is where I am getting confused and would like to be pointed in the correct direction.
    When I installed the Mobility service on the front end server it created the autodiscover section in IIS. If I am inside our network I can browse to it without any issue. Where I am confused at this point is how to either set up DNS or how to configure the Edge server to use autodiscover.
    Do I need to set up an additional public IP and point lyncdiscover.ourdomain.com to the IP of our front end server or to our Edge server? If I have to point this to our front end server then that would mean that I use one public IP that goes to 443, 444 and 5061 for our Edge server, and then I would need one public IP that goes to ports 443 and 80 that get redirected to ports 4443 and 8080 on our front end server? If that is the case then do I have to get an external cert for the front end server that contains lyncdiscover, or can clients connect if it is just using the self-signed cert from the domain?
    This is where I am getting confused, and hopefully some nice folks out there can clarify this for me so I can get this resolved.
    Thank you
    KK

    You need an additional public IP to point to a reverse proxy, which will listen on port 443 and proxy requests to your front end server on port 4443 (notice the extra 4). You can use IIS ARR, Web Application Proxy, or whatever else you may have for this purpose, but you need to ensure you redirect port 443 to port 4443. This reverse proxy cannot be collocated on your front end server or Edge; you'll need a separate box or appliance.
    Beyond lyncdiscover, you'll want to do this for your external web services FQDN as defined in Topology Builder and your meet and dialin URLs too. You'll want a third-party cert for all of this (though it doesn't need to be installed on the front end, just the reverse proxy) so that you don't need to install any internally signed root certs on anyone's smartphone.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Lync Front End and Edge on same host

    Hey guys, can anyone confirm if having a Front End and Edge on a single host is supported, providing of course the RAM and CPU requirements are met?
    Thank you.

    The Front End and Edge must be on separate computers and can't be collocated. Both servers can coexist on the same Virtual Host if using VMware or Hyper-V.
    See: http://technet.microsoft.com/en-us/library/gg398131.aspx
    Please mark posts as answers/helpful if it answers your question.
    Blog
    Lync Validator - Used to assist in the validation and documentation of Lync Server 2013.

  • Lync 2013 Enterprise load balancing on the front end and edge pool

    Hi,
    I am setting up a Lync 2013 Enterprise deployment consisting of a Front End pool (x2 FE servers) and an Edge pool (x2 Edge servers). I'm seeing some conflicting advice regarding load balancing using hardware or DNS for the front end and the edge.
    On the front end I have 2 internal DNS records 'lyncfepool1.contoso.local', each of which maps to one of the IPs of the FE servers. I've used my details to populate the Detailed Design Planner Excel spreadsheet and am told that I require an HLB to load balance my front end pool. I'm aware of the need to load balance HTTPS traffic internally (which will be done by TMG); however, can other traffic to the front end (SIP, etc.) be balanced by DNS only, and not require an HLB?
    Can someone clarify the front end requirement?
    Also - looking now at the edge pool - this site again has two Edge servers in a pool. We are using a total of six private IP addresses, two per edge service (2 x av.contoso.com, 2 x sip.contoso.com and 2 x webcon.contoso.com). These will be NAT'ed by the external firewall and directed to the respective external (DMZ) IP addresses on the Edge servers on port 443. I know this isn't true round-robin due to the intelligence of the Lync client when connecting (in that the Lync client will connect to one of the public IPs and, if it can't connect, it will know to connect to the other service IP); however, I want to clarify this setup, particularly the need to direct the external public IP traffic at the DMZ Edge IP specified in Topology Builder.
    I've attached a basic diagram of the external/DMZ/Edge side which hopefully helps with this question.
    Persevere, Persevere, Per..

    That is because you will always need an HLB for a Front End server, since it hosts the Lync web services, which use HTTP/HTTPS traffic.
    The description on the calculation tool also describes this correctly:
    Supports Standard and Enterprise pools (up to 12 nodes), with pure device-based load balancing or a combination of DNS load balancing and device-based load balancing (for Lync web services)
    You can use either hardware or DNS load balancing for SIP traffic only, but you will always need an HLB for the web services. Both are applicable for the Front End, so you have either:
    - full HLB for both SIP and HTTP(S) traffic
    - DNS LB for SIP traffic and HLB for HTTP(S) traffic
    Hope this is more clear :-)
    Lync Server MVP | MCITP Lync Server 2010 | If you think my post is the answer to your question, please mark it as answer so future visitors can easily find it.

  • LYNC 2010 Enterprise Pool Front End Servers

    Can we mix Windows 2008 R2 Enterprise Edition and Standard Edition virtual servers in same LYNC 2010 Front End Pool?
    Tek-Nerd

    Agree with Lisa. Lync Server virtualization supports a mix of operating systems. For example, a host server running Windows Server 2012 R2 that runs virtual servers that run Windows Server 2008 R2 is supported.
    You cannot mix different types of servers within the same pool. All servers within the same pool must be either physical or virtual.
    Also you can refer to the link below:
    http://technet.microsoft.com/en-us/library/gg399035.aspx
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"

  • Lync 2013- Standard Edition - Persistent Chat

    What is the capacity of Persistent Chat if it is collocated on a Lync 2013 Standard Edition Front End?
    i.e., number of chat rooms / usage?
    In a Lync 2013 Standard Edition deployment, if Persistent Chat is on a separate server, can the SQL be offloaded to a central SQL cluster environment, or will it be held on the local server?

    I haven't seen a chart that really defines the capacity, and it's difficult to measure because it's difficult to say how active the rooms will be or how much content you'll generate.  That much is different from organization to organization. 
    There are some guidelines in general here:
    https://technet.microsoft.com/en-us/library/gg615006(v=ocs.15).aspx but they don't really touch the standard model.
    The pChat database can be offloaded to a central SQL cluster if you'd prefer; there are no requirements to collocate it with the local Lync databases.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Certificate Requirement for Lync 2013 Standard Edition

    I have successfully run the setup of Lync 2013 Standard Edition; now I am stuck due to the certificates required for Lync 2013. When I generate a CSR, it shows the subject URLs for that:
    hostname.domain.com
    sip.domain.com
    diali.domain.com
    meet.domain.com
    admin.domain.com
    lyncdiscover.domain.com
    lyncdiscoverinternal.domain.com
    im.domain.com (External URL)
    So if I go for a third-party CA then I need 8 certificates only for internal Lync. As I also need to connect federated partners and external users, I need an Edge, for which again I need 3 more certificates:
    web.domain.com
    a/v.domain.com
    sip.domain.com
    Now when I go for these certificates it is quite costly, and I didn't understand why such certificates are required. Can anyone help me to fix such a requirement?
    Or, what are the necessary URLs for which I should buy third-party CA certificates, leaving the rest as is?
    I also want to deploy Edge with a single adapter as we have only one network, so can anyone assist me to proceed further?
    Talha Faraz Malik

    To save on the cost of your third-party certificates, I would deploy an internal certificate authority to sign certificates for your internal Front End. For your third-party certificate, you would only need the SANs for the Edge and for your reverse proxy, and as Edwin said, this can be a single cert with multiple SANs.
    For example, for your Edge you would need:
    sip.domain.com
    web.domain.com
    You would not need A/V, as this role does not require a SAN on your certificate. On the same certificate, which you could also use on your reverse proxy, you'd likely want the following FQDNs:
    lyncdiscover.domain.com
    im.domain.com (your external web services FQDN)
    meet.domain.com
    dialin.domain.com
    You may also want to consider your internal web services FQDN and include the following so third-party mobile devices can connect without needing a certificate installed:
    im_internal.domain.com (your internal web services FQDN)
    lyncdiscoverinternal.domain.com
    I'm sure that's not entirely clear yet, so feel free to ask more questions or ask what the purpose of each is.
    When you say Edge with a single adapter, do you mean a single adapter in a DMZ or internal? You definitely want two NICs, both in separate DMZs, but I've managed to get the Edge working with a single adapter in a DMZ before. What you don't want is the Edge in your internal network.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
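A check for the SAN lists in this answer and in Lisa Zheng's reply at the top of the page, as an added example (not the thread's own code or any Microsoft tool): it parses the subjectAltName text printed by openssl or certutil, applies the one-label wildcard rule that matters for a wildcard reverse-proxy cert like the F5's in the original question, and flags certificates that are expired or close to it. The contoso.com FQDNs, dates and SAN strings are constructed.

```python
"""Check a Lync certificate's SAN list and expiry against what a role needs.

Added example, not from the thread. Input is the subjectAltName text as printed
by `openssl x509 -noout -text` ("DNS:sip.contoso.com, DNS:web.contoso.com") or
by certutil / the MMC certificate snap-in ("DNS Name=sip.contoso.com"), and the
openssl "notAfter=" value. All contoso.com names below are constructed.
"""
import re
from datetime import datetime, timezone

# Required SAN entries per role, following the FQDN lists given in the thread:
# Edge external = Access Edge + Web Conferencing FQDNs (A/V needs no SAN);
# reverse proxy = lyncdiscover, external web services, meet and dialin.
REQUIRED_SANS = {
    "edge_external": {"sip.contoso.com", "web.contoso.com"},
    "reverse_proxy": {
        "lyncdiscover.contoso.com",
        "im.contoso.com",
        "meet.contoso.com",
        "dialin.contoso.com",
    },
}

# Matches both "DNS:name" (openssl) and "DNS Name=name" (certutil / MMC).
_SAN_RE = re.compile(r"DNS(?:\s*Name)?\s*[:=]\s*([A-Za-z0-9*.\-]+)", re.IGNORECASE)


def parse_san_names(san_text):
    """Return the set of dNSName entries, lower-cased and without a trailing dot."""
    return {name.lower().rstrip(".") for name in _SAN_RE.findall(san_text)}


def san_matches(san, fqdn):
    """True if a SAN entry covers fqdn. A wildcard covers exactly one leftmost
    label (RFC 6125), so *.contoso.com covers lyncdiscover.contoso.com but not
    contoso.com itself and not a.b.contoso.com."""
    if san == fqdn:
        return True
    if san.startswith("*."):
        suffix = san[1:]  # ".contoso.com"
        if fqdn.endswith(suffix):
            return "." not in fqdn[: -len(suffix)]
    return False


def missing_sans(san_names, required):
    """Required FQDNs that no SAN entry (exact or wildcard) covers."""
    return sorted(f for f in required if not any(san_matches(s, f) for s in san_names))


def check_certificate(role, san_text, not_after, now_text=None, warn_days=30):
    """Report missing SANs and remaining validity for one certificate/role pair.

    not_after: openssl notAfter value, e.g. "Dec 31 23:59:59 2030 GMT".
    now_text: optional "YYYY-MM-DD" reference date (defaults to today, UTC).
    """
    expiry = datetime.strptime(not_after.replace("notAfter=", ""), "%b %d %H:%M:%S %Y GMT")
    if now_text:
        now = datetime.strptime(now_text, "%Y-%m-%d")
    else:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    sans = parse_san_names(san_text)
    missing = missing_sans(sans, REQUIRED_SANS[role])
    days_left = (expiry - now).days
    if days_left < 0:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring_soon"
    else:
        status = "valid"
    return {
        "role": role,
        "sans": sorted(sans),
        "missing": missing,
        "days_left": days_left,
        "status": status,
        "ok": not missing and status == "valid",
    }


if __name__ == "__main__":
    # Constructed inputs: an Edge cert that lacks the Web Conferencing FQDN,
    # and a wildcard reverse-proxy cert that is two weeks from expiry.
    edge = check_certificate("edge_external", "DNS:sip.contoso.com",
                             "Dec 31 23:59:59 2030 GMT", now_text="2024-06-01")
    proxy = check_certificate("reverse_proxy", "DNS:*.contoso.com",
                              "Jun 15 00:00:00 2024 GMT", now_text="2024-06-01")
    for result in (edge, proxy):
        print(result["role"], result["status"], "missing:", result["missing"])
```

Feed it the SAN section of `openssl x509 -noout -text -in edge.cer` together with the output of `openssl x509 -noout -enddate -in edge.cer`; the internal Edge interface cert from the enterprise CA that Lisa mentions needs a separate role entry of your own.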

  • Lync 2013 Standard Edition on Cisco UCS E-Series

    Hello,
    We have a working Lync 2013 deployment:
    - Front-End Enterprise Pool consisting of 3 FE servers
    - one Edge Server
    - one Back-End server
    - one Mediation Server
    - one IP PBX gateway, where ITSP's SIP trunks end.
    Because we have geographically distributed offices, we are considering branch office deployments.
    TechNet recommends using an SBA for branch offices with fewer than 1000 users. But in case of a WAN outage, no conferencing will be available for branch users.
    A Lync 2013 Standard Edition branch deployment would offer all Lync features in case of a WAN outage.
    In every branch, we are considering deploying a Cisco ISR G2 router for terminating branch SIP trunks. This equipment has an option to add a Cisco UCS E-Series blade that supports a CPU with hardware virtualization and supports a decent amount of RAM (up to 16GB and up to 48GB).
    Does anyone have experience with deploying Lync Standard Edition on this equipment - Cisco UCS E-Series blades? In every branch office there are between 50 and 500 users that will use Lync.
    Thanks,
    Andrei Moraru Endava

    Hi,
    I don’t think you can deploy Lync server 2013 on Cisco UCS E-Series blades.
    Here is a link below to “System Requirements for Servers Running Lync Server 2013” which may help you:
    http://technet.microsoft.com/en-us/library/gg398588.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Lync 2013 standard edition server disadvantages

    I have 3000 users. The client is very cost-conscious and is insisting on Lync 2013 Standard Edition server; no Enterprise Voice.
    Features required: IM/presence, A/V conferencing, Persistent Chat, external access.
    Planned servers: 1 Standard server in DC, 1 in DR; 1 Edge server in DC and 1 in DR.
    1. If I make a pool of Standard servers, then will it serve as HA? If yes, how much time will failover take, and what would be the impact on users?
    2. If the complete DC is down, how much time would failover take, what is the procedure, and what is the impact on users?
    3. Can I collocate the Persistent Chat role on Standard Edition? Any limitation? How would back-end sizing be for Persistent Chat, as SQL Express would be there?
    4. Can you suggest any better solution with Standard servers where there is HA in the DC?

    For 3000 users Standard Edition will be fine. Use the capacity planner to size out your environment. http://www.microsoft.com/en-us/download/details.aspx?id=36828
    1. It won't really serve as HA, as pool pairing is the only option it's more of a DR solution. The RTO for a pool failover is 30mins. So it could take anywhere up to 30mins. http://technet.microsoft.com/en-us/library/jj205079.aspx
    2. Same as above. Here is how you failover http://technet.microsoft.com/en-us/library/jj204678.aspx 
    3. Yes, you can co-locate Persistent Chat on the Front End with Standard Edition. If sized correctly, there should be no performance issues.
    4. The only option with Standard is Pool Pairing, so no better suggestions.
    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"
    Georg Thomas | Lync MVP
    Blog www.lynced.com.au | Twitter
    @georgathomas
    Lync Edge Port Check (Beta)
    This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Lync 2010 Standard Edition Limitations

    Can Lync 2010 Standard Edition provide the same features as Enterprise Edition, other than failover options?
    Kris

    Hi,
    With Enterprise Edition you can choose to collocate or define a stand-alone Mediation Server. The Monitoring Server and Archiving Server can use a stand-alone server running SQL Server. Or, they can have instances of SQL Server running on the database server
    for the Front End Servers and pools.
    Best Regards,
    Eason Huang
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    TechNet Community Support

  • Could you tell me if it would be supported to pair a two-node Enterprise Edition Front End pool including mirrored SQL with a one-node Enterprise Edition Front End pool including a single SQL?

    Hi all,
    Could anyone tell me if it would be supported to pair a two-node Enterprise Edition Front End pool including mirrored SQL with a one-node Enterprise Edition Front End pool including a single SQL?
    MUCH THANKS.

    The answer from TechNet found at http://technet.microsoft.com/en-us/library/jj204697.aspx is, and I quote:
    Enterprise Edition pools can be paired only with other Enterprise Edition pools. Similarly, Standard Edition pools can be paired only with other Standard Edition pools.
    Also, "Neither Topology Builder nor topology validation will prohibit pairing two pools in a way that does not follow
    these recommendations. For example, Topology Builder allows you to pair an Enterprise Edition pool with a Standard Edition pool.
    However, these types of pairings are not supported."
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"

  • Authentication with UME separation of front end and back end

    My WebDynpro project has 2 applications. One for Admin, one for Rating.
    Is it possible to create a Java class at WebDynpro level and share it between the 2 applications?
    Why the need?
    I created a custom class (let's call it CommonEJB) to point to the right pages and set of UI controls after the initial login with UME. This class utilizes the IWDClientUser.getSAPUser() method to get the IUser object.
    If it is not possible to create a Java class at WebDynpro level, then this EJB will need to be deployed to the backend.
    Putting it at the backend is not good, as security-wise it's always better to separate the authentication between front end and back end.
    Any ideas/solutions?
    thanks

    Well, I wish to create a Java class that can separate the view areas depending on their login.
    Let's say you're a manager, you can see certain views, and if you're a supervisor you see others. This is achieved using the Java class with position information from getSAPUser(). After retrieving the position, the Java class will programmatically assign the appropriate views, buttons, tabs etc.
    So this class needs to be in the front end, and not the back end. The problem is we have 2 applications.
    If the class is created in the front end in one application, can it be shared with another?

  • Removing admin password form Access 2003 database front end and back end

    We have a legacy database that has been passed down from the original creator, who is no longer with the organization. It was created in Access 2003. It has a front end and a back end. The original admin password cannot be located and we are in the process of upgrading this application to 2010. Is there a way to remove that password so we can make changes to the original files?

    Hi,
    What password are you talking about, the one created with the Workgroup Manager? That will be difficult since 2010 doesn't have the Workgroup Manager anymore. You can still use the database in the 2010 environment, but you can't make any changes to the original database without the password.
    Maurice

  • What is BW Front-end and What's BW Back-end? Technical? Functional?

    Hi Gurus,
    Can someone throw light on the difference between a BW Front-end and BW Back-end? How would you differentiate the responsibilities of a Functional BW Consultant and a Technical BW Consultant?
    thanks
    kishore karnati

    Hi,
    BW Front end is the one that deals with reporting. E.g.: BEx
    BW back end is the one that deals with the components that store data which is used for reporting purposes.
    E.g.: R3
    A functional consultant comes into the picture when there is a need to understand the functional aspects of a requirement. Say, for example, you have a requirement to use Sales Order in your BW application; as a pure BW person, you won't know what a Sales Order is about. A functional consultant has the ability here to map the sales order requirement in the BW application. This means that he knows what field and what table this sales order relates to. This way, a functional consultant maps the user requirements to the technical detail in the system.
    A pure BW consultant is one who knows how to set up data extraction from a source system, how to build various components in a BW system, how to schedule a load, and how to troubleshoot in case of any issues in the BW application.
    Hope this helps..
    Assign points if this helps...
    Thanks,
    Raj

  • Https front end and http backend

    Hi there....I am having a small issue....I have a web app that is https based....I have installed the cert on the CSS, and DNS for this app points to the VIP....the client is wanting to have an https front end, and then load balance in http to the backend servers....the issue I am running into is that this only works if I have an active port 80 rule on that same VIP....if I suspend the port 80 rule and only leave the port 443 rule active on that VIP, it doesn't work....please see appropriate config portions below....Thanks in advance!
    Sandeep
    Any suggestions? I have been trying this for a couple of days now...it works fine if the backend sessions are also https, but the client has changed their requirement....
    ssl-proxy-list SSL1
    ssl-server 1
    ssl-server 1 rsakey app1-test
    ssl-server 1 rsacert app1-test
    ssl-server 1 vip address 10.19.55.10
    ssl-server 1 cipher rsa-with-rc4-128-md5 10.19.55.10 81
    backend-server 1
    backend-server 1 port 81
    backend-server 1 server-ip 10.19.55.132
    backend-server 1 ip address 10.19.55.132
    backend-server 2
    backend-server 2 port 81
    backend-server 2 server-ip 10.19.55.133
    backend-server 2 ip address 10.19.55.133
    backend-server 3
    backend-server 3 port 83
    backend-server 3 server-ip 10.19.55.132
    backend-server 3 ip address 10.19.55.132
    backend-server 4
    backend-server 4 port 83
    backend-server 4 server-ip 10.19.55.133
    backend-server 4 ip address 10.19.55.133
    backend-server 5
    backend-server 5 port 85
    backend-server 5 server-ip 10.19.55.132
    backend-server 5 ip address 10.19.55.132
    backend-server 6
    backend-server 6 port 85
    backend-server 6 server-ip 10.19.55.133
    backend-server 6 ip address 10.19.55.133
    active
    service webserver002:81
    ip address 10.19.55.132
    port 81
    keepalive port 2199
    keepalive type tcp
    protocol tcp
    active
    service webserver003:81
    ip address 10.19.55.133
    port 81
    keepalive port 2199
    keepalive type tcp
    protocol tcp
    add ssl-proxy-list SSL1
    active
    service webserver002:83
    ip address 10.19.55.132
    port 83
    add ssl-proxy-list SSL1
    keepalive port 2399
    keepalive type tcp
    protocol tcp
    active
    service webserver003:83
    ip address 10.19.55.133
    port 83
    keepalive port 2399
    keepalive type tcp
    protocol tcp
    add ssl-proxy-list SSL1
    active
    service webserver002:85
    ip address 10.19.55.132
    port 85
    add ssl-proxy-list SSL1
    keepalive port 2599
    keepalive type tcp
    protocol tcp
    active
    service webserver003:85
    ip address 10.19.55.133
    port 85
    keepalive port 2599
    keepalive type tcp
    protocol tcp
    add ssl-proxy-list SSL1
    active
    service SSL_Front
    slot 2
    type ssl-accel
    keepalive type none
    add ssl-proxy-list SSL1
    active
    owner app1-test
    content app-test_back
    vip address 10.19.55.10
    add service webserver002:81
    add service webserver003:81
    add service webserver002:83
    add service webserver003:83
    add service webserver002:85
    add service webserver003:85
    balance aca
    protocol tcp
    port 81
    active
    content app1-test_front
    vip address 10.19.55.10
    application ssl
    add service SSL_Front
    protocol tcp
    port 443
    advanced-balance ssl
    balance aca
    active

    Thanks for the quick reply....there is another port 80 rule set up for that VIP....I was using that to test with the app until I got the front end https rules working....
    My port 80 rule just says listen to 10.19.55.10 on port 80 and load balance between the web servers on port 8x in the back end...
    I am trying to do https front end and http backend....
    Nowhere in my SSL config have I configured port 80....but when I suspend that rule it all fails....
    I am wondering if the backend server sessions are happening properly?
    I don't fully get what you mean by "You need to have the rule in port 443 to match traffic coming from the client and the clear text rule (port 81) to match traffic already decrypted coming from the SSL module"
    Haven't I done that?
    Thanks again!
    Sandeep
