Lync 2013 Federation

Hi,
We are planning to deploy Lync Server 2013 federation with a client domain.
We have a separate domain at the client location onsite (they have their own Lync environment) and a separate domain in our offshore ODC. A point-to-point (dedicated) link is enabled, so there is no DMZ. We are planning to enable Lync federation with the client domain.
Can we place the Edge Server in the same network where the Front End Server is installed? How do we go about this requirement? Please suggest.

To configure Lync Edge, you need two network adapters for each Edge Server: one for the internal-facing interface and one for the external-facing interface.
Yes, you can put the internal NIC on the same network as the Lync Front End.
For more details about the network interfaces of Lync Edge, see:
http://technet.microsoft.com/en-us/library/gg412847.aspx
To deploy and configure Lync Edge:
http://technet.microsoft.com/en-us/library/gg398147.aspx
Configuring SIP federation, XMPP federation and public instant messaging in Lync Server 2013:
http://technet.microsoft.com/en-us/library/jj205134.aspx
Mai Ali | My blog: Technical | Twitter: Mai Ali

Similar Messages

  • Lync 2013 federation failing for a specific domain

    Hello,
    We have recently migrated to Lync 2013 and noticed that one of the domains we federate with is unable to federate with us.
    We are getting the following error:
    Log Name:      Lync Server
    Source:        LS Protocol Stack
    Event ID:      14428
    Task Category: (1001)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      server.fqdn.com
    Description:   TLS outgoing connection failures.
    Over the past 28 minutes, Lync Server has experienced TLS outgoing connection failures 4 time(s). The error code of the last failure is 0x80090325(SEC_E_UNTRUSTED_ROOT) while trying to connect to the server "sip.example.com" at address [10.10.10.10:5061], and the display name in the peer certificate is "Unavailable". Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine. Resolution: Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.
    Thanks

    Thanks Michael.
    That worked for one of the two issues I'm seeing. I used the same steps for the second issue, but it didn't seem to work: I have imported the CA of the domain we would like to federate with into the Trusted Root Certification Authorities and Intermediate Certification Authorities stores per the certificate issuer's website guidelines. I did learn that the federated partner is also using OCS 2007 R2; not sure if this may have to do with it.
    Over the past 30 minutes, Lync Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80072746 while trying to connect to the server "ocs.example.com" at address [10.10.10.10:5061], and the display name in the peer certificate is "ocs.example.com". Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine. Resolution: Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.

  • Lync 2013 federation and mobile push 504 error

    Hello,
    In our company we have deployed Lync 2013 Standard with the latest CU.
    1. Front End - external web service and mobile signed by a wildcard certificate trusted on the Internet, and internal web service signed by our internal CA, not trusted on the Internet.
    In Topology it is registered as: LyncFE.company.local
    Default SIP domain is company.com
    2. Edge Server - all-in-one server signed by our internal CA, not trusted on the Internet, with Subject Alternative Names: sip.company.local, sip.company.com, LyncEDGE.company.com
    In Topology it is registered as: LyncEDGE.company.local
    3. Reverse proxy, NAT and firewall: our firewall is set up with port translation
    LyncEDGE.company.local has public IP address 10.10.10.10 assigned by NAT
    LyncFE.company.local has public IP address 10.10.10.11 assigned by NAT
    Incoming traffic for 10.10.10.10 and 10.10.10.11: Lync ports TCP/UDP from the documentation
    Outgoing traffic for 10.10.10.10 (LyncEDGE) on TCP 5061, needed for federation
    4. DNS setup
    We have a split domain and DNS like this:
    Company.local (internal DNS) and Company.com (external DNS)
    DNS records in our external DNS:
    LyncEDGE.company.com record A 10.10.10.10
    LyncFE.company.com record A 10.10.10.11
    sip.company.com TLS --> LyncEDGE.company.com
    _sipfederationtls._tcp.company.com --> LyncEDGE.company.com
    _sipinternaltls._tcp.company.com --> LyncEDGE.company.com
    lyncdiscover.company.com --> 10.10.10.10
    In this setup, Lync audio/video and mobile access work for now. Now we are trying to set up federation and push notification, and when we test we get a 504 from the server.
    Test-CsFederatedPartner -TargetFqdn lyncedge.company.local (this is the name of our LyncEDGE server in the topology) -Domain microsoft.com
    Test-CsFederatedPartner : A 504 (Server time-out) response was received from
    the network and the operation failed. See the exception details for more
    information.
    At line:1 char:1
    + Test-CsFederatedPartner -TargetFqdn lyncedge.pep.local -Domain microsoft.com
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OperationStopped: (:) [Test-CsFederatedPartner],
        FailureResponseException
        + FullyQualifiedErrorId : WorkflowNotCompleted,Microsoft.Rtc.Management.SyntheticTransactions.TestFederatedPartnerCmdlet
    My lyncedge.company.com was added by Microsoft as federation for Skype.
    telnet from the Front End server to LyncEDGE.company.local on port 5061 works
    The firewall shows outbound traffic from LyncEDGE.company.com (10.10.10.10) to the Microsoft site.
    But still I can't get federation and push notification for mobile working. Can someone advise where the problem can be? I think the problem is with our certificate setup on the EDGE server, which is signed by our internal CA, not trusted on the Internet.

    Hi, I exchanged root certificates with my partner. Now he can see my status, make video calls and send IMs to all my accounts, but I can't do anything; I get 504. In my logs I see the following:
    I tested:
    telnet sip.partnerdomian.pl 5061 -- OK
    telnet sip.partnerdomian.pl 443 -- OK
    nslookup _sipfederationtls._tcp.partnerdomian.pl --> sip.partnerdomian.pl port 5061
    All is OK but still a timeout. Where should I look for the problem, on my side or the partner's side? He has 3 LAN IP addresses on his Edge, NATed to one public IP.
    TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006bc75 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
    Trace-Correlation-Id: 441892531
    Instance-Id: 2B8A
    Direction: outgoing;source="internal edge";destination="external edge"
    Peer: 195.0.0.1:15224
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
    To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
    Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
    CSeq: 1 SUBSCRIBE
    Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.8.106.114;ms-received-port=15224;ms-received-cid=11600
    Content-Length: 0
    ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partnerdomain.pl";PeerServer="sip.partnerdomain.pl";source="MyEdge.domain.pl"
    ms-edge-proxy-message-trust: ms-source-type=DirectPartner;ms-ep-fqdn=LyncEDGE.domain.local;ms-source-network=federation;ms-source-verified-user=unverified
    $$end_record
    TL_INFO(TF_DIAG) [0]0548.1970::12/30/2014-20:51:59.558.0006bc14 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[441892531] $$begin_record
    Severity: information
    Text: Response successfully routed
    SIP-Start-Line: SIP/2.0 504 Server time-out
    SIP-Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
    SIP-CSeq: 1 SUBSCRIBE
    Peer: 195.0.0.1:15224
    Data: destination="[email protected]"
    $$end_record
    TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b949 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
    Trace-Correlation-Id: 441892531
    Instance-Id: 2B8A
    Direction: incoming;source="internal edge";destination="external edge"
    Peer: LyncFE.domain.local:5061
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
    To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
    Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
    CSeq: 1 SUBSCRIBE
    Via: SIP/2.0/TLS 172.19.23.80:49973;branch=z9hG4bKC86F300B.DA568731A4B1BC2F;branched=FALSE;ms-received-port=49973;ms-received-cid=894D00
    Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.0.0.1;ms-received-port=15224;ms-received-cid=11600
    Content-Length: 0
    ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partnerdomin.pl";PeerServer="sip.partnerdomain.pl";source="MyEdge.domain.pl"
    ms-edge-proxy-message-trust: ms-source-type=DirectPartner;ms-ep-fqdn=LyncEDGE.domain.local;ms-source-verified-user=unverified;ms-source-network=federation;ms-local-fcp=yes
    $$end_record
    TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b769 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
    Trace-Correlation-Id: 441892531
    Instance-Id: 2B89
    Direction: outgoing;source="external edge";destination="internal edge"
    Peer: LyncFE.domain.local:65236
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
    To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
    Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
    CSeq: 1 SUBSCRIBE
    Via: SIP/2.0/TLS 172.19.23.75:65236;branch=z9hG4bK9FFA2BA6.757019415D97CC30;branched=FALSE;ms-received-port=65236;ms-received-cid=1400
    Via: SIP/2.0/TLS 172.19.23.80:49973;branch=z9hG4bKC86F300B.DA568731A4B1BC2F;branched=FALSE;ms-received-port=49973;ms-received-cid=894D00
    Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.8.106.114;ms-received-port=15224;ms-received-cid=11600
    Content-Length: 0
    ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partnerdomian.pl";PeerServer="sip.partnerdomian.pl";source="MyEdge.domain.pl"
    ms-edge-proxy-message-trust: ms-source-type=DirectPartner;ms-ep-fqdn=LyncEDGE.domain.local;ms-source-verified-user=unverified;ms-source-network=federation;ms-local-fcp=yes
    $$end_record
    TL_INFO(TF_DIAG) [0]0548.1970::12/30/2014-20:51:59.558.0006b704 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[441892531] $$begin_record
    Severity: information
    Text: Response successfully routed
    SIP-Start-Line: SIP/2.0 504 Server time-out
    SIP-Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
    SIP-CSeq: 1 SUBSCRIBE
    Peer: LyncFE.domain.local:65236
    $$end_record
    TL_INFO(TF_DIAG) [0]0548.1970::12/30/2014-20:51:59.558.0006b57a (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[441892531] $$begin_record
    Severity: information
    Text: The message has an Allowed Partner Server domain
    SIP-Start-Line: SIP/2.0 504 Server time-out
    SIP-Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
    SIP-CSeq: 1 SUBSCRIBE
    Peer: sip.partnerdomain.pl:5061
    Data: domain="partnerdomian.pl"
    $$end_record
    TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b35e (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
    Trace-Correlation-Id: 441892531
    Instance-Id: 2B89
    Direction: incoming;source="external edge";destination="internal edge"
    Peer: sip.opteam.pl:5061
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
    To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
    Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
    CSeq: 1 SUBSCRIBE
    Via: SIP/2.0/TLS 172.19.20.25:56348;branch=z9hG4bK62EA2C6E.CBA9E35BA4B1BC2F;branched=FALSE;ms-internal-info="bdfQfcjHqEGEYXjrThA5NV7b6oZKoU2jzjNeGxP_cA0_tb46nLxN-KzAAA";received=195.8.106.130;ms-received-port=56348;ms-received-cid=11AC00
    Via: SIP/2.0/TLS 172.19.23.75:65236;branch=z9hG4bK9FFA2BA6.757019415D97CC30;branched=FALSE;ms-received-port=65236;ms-received-cid=1400
    Via: SIP/2.0/TLS 172.19.23.80:49973;branch=z9hG4bKC86F300B.DA568731A4B1BC2F;branched=FALSE;ms-received-port=49973;ms-received-cid=894D00
    Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.8.106.114;ms-received-port=15224;ms-received-cid=11600
    Content-Length: 0
    $$end_record
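The trace above is read hop by hop: each `$$begin_record ... $$end_record` block is one SIP message as seen by one Edge interface, and the `ms-diagnostics` header (here code 1034, "Previous hop federated peer did not report diagnostic information") tells you whether the 504 originated locally or was simply relayed from the partner's Access Edge. The following is an added example, not code from the thread: a small PowerShell parser for these SIPStack records that lists every non-2xx response with its direction, peer and diagnostic reason, so you can see which hop first produced the failure. The embedded trace is a constructed, shortened version of the poster's log; the host names in it are placeholders.

```powershell
# Added example (not from the thread): parse SIPStack protocol records and list failure hops.
# The sample trace below is constructed for this example; values are placeholders.
$SampleTrace = @'
TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b35e (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
Trace-Correlation-Id: 441892531
Direction: incoming;source="external edge";destination="internal edge"
Peer: sip.partner.example:5061
Message-Type: response
Start-Line: SIP/2.0 504 Server time-out
Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
CSeq: 1 SUBSCRIBE
Via: SIP/2.0/TLS 172.19.20.25:56348;branch=z9hG4bK62EA2C6E
Via: SIP/2.0/TLS 172.19.23.75:65236;branch=z9hG4bK9FFA2BA6
Content-Length: 0
$$end_record
TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b949 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
Trace-Correlation-Id: 441892531
Direction: outgoing;source="external edge";destination="internal edge"
Peer: LyncFE.domain.local:65236
Message-Type: response
Start-Line: SIP/2.0 504 Server time-out
Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
CSeq: 1 SUBSCRIBE
Content-Length: 0
ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partner.example";PeerServer="sip.partner.example";source="MyEdge.domain.pl"
$$end_record
'@

function ConvertFrom-SipTrace {
    # Turns the $$begin_record/$$end_record blocks into objects with one property per header.
    param([Parameter(Mandatory = $true)][string] $Text)
    $records = @()
    $current = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '\$\$begin_record$') {
            # keep the TL_INFO header (timestamp, component) that precedes the marker
            $current = [ordered]@{ Header = ($line -replace '\s*\$\$begin_record$', '') }
        }
        elseif ($line -eq '$$end_record') {
            if ($current) { $records += [pscustomobject]$current }
            $current = $null
        }
        elseif ($current -and $line -match '^([A-Za-z][\w-]*):\s*(.*)$') {
            $key = $matches[1]; $value = $matches[2]
            # Via repeats once per hop: keep it as a list, everything else as a scalar
            if ($current.Contains($key)) { $current[$key] = @($current[$key]) + $value }
            else { $current[$key] = $value }
        }
    }
    return $records
}

function Get-SipFailureHops {
    # One row per 4xx/5xx/6xx response, with whatever ms-diagnostics the hop supplied.
    param([Parameter(Mandatory = $true)][string] $Text)
    ConvertFrom-SipTrace -Text $Text | ForEach-Object {
        $status = if ($_.'Start-Line' -match '^SIP/2\.0 (\d{3}) ') { [int]$matches[1] } else { 0 }
        $diag   = [string]$_.'ms-diagnostics'
        $code   = if ($diag -match '^(\d+);') { [int]$matches[1] } else { $null }
        $reason = if ($diag -match 'reason="([^"]*)"') { $matches[1] } else { '(none: this hop gave no ms-diagnostics)' }
        [pscustomobject]@{
            CallId    = $_.'Call-ID'
            Method    = ([string]$_.CSeq -split ' ')[-1]
            Status    = $status
            Direction = ([string]$_.Direction -split ';')[0]
            Peer      = $_.Peer
            Hops      = @($_.Via).Count
            DiagCode  = $code
            Reason    = $reason
        }
    } | Where-Object { $_.Status -ge 400 }
}

Get-SipFailureHops -Text $SampleTrace | Format-Table -AutoSize
```

For a real export, replace the sample with `Get-Content .\SIPStack.log -Raw`. A 504 whose first record (the incoming one from the partner's Access Edge) carries no `ms-diagnostics` at all, and whose later relayed copies only carry code 1034, means the timeout was generated on the partner side; your own Edge is just forwarding it, which points investigation at the partner's certificate, SRV or firewall rather than your own.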

  • Lync 2013 federation with Skype error: 'Reference error id 504 (Source ID 239)

    I have set up Lync 2013, configured Skype federation (http://www.techtroubleshoot.com/federate-lync-server-with-skype/) and also done Lync provisioning. Skype federation worked for a few days (2 weeks) and then stopped. Currently I am getting the following error: 'Reference error id 504 (Source ID 239)'.
    Ports are open on the firewall. I however still get the error.
    KimaniBob

    Verify the following:
    You can telnet to your SIP domain on ports 5061 and 443 from external, and an nslookup of the sipfederation SRV record resolves correctly.
    The certificate on the Edge Server is not expired or damaged.
    This link had a similar issue; you can check it.
    http://terenceluk.blogspot.com/2013/04/unable-to-send-instant-messages-or-view.html

  • MS Lync 2013 federation with Cisco CUP 8.6

    Hi all,
    I am currently trying to federate CUPS 8.6 with MS Lync 2013.
    After a lot of certificate issues we finally got a one-way IM from CUPS to Lync. I can't get presence in either direction or send an IM from Lync to a CUPS user.
    I have followed the Cisco guide for inter-domain federation within an enterprise, so no Edge Server or Cisco ASA is involved.
    The error message I am seeing on the Lync side is:
    ms-diagnostics:
    1010;reason="Certificate trust with another server could not be established";ErrorType="Refer to HRESULT code for specific security status";tls-target="CUP-A.cupdomain.co.uk";HRESULT="0x80090326(SEC_E_ILLEGAL_MESSAGE)";source="LCT-LYNCFE01.lyncdomain.net"
    On the CUP side I can see the TLS session being dropped with this error message:
    17:22:58.945 |[Wed Apr 23 17:22:58 2014] PID(24295) sip_tls_verify_callback: TLS protocol error(ssl reason code=(null) [0]),lib=(null) [0],fun=(null) [0], errno=0
    17:22:58.945 |[Wed Apr 23 17:22:58 2014] PID(24295) sip_tcp.c(2409) SSL server accept returned SSL_ERROR_SSL
    17:22:58.945 |[Wed Apr 23 17:22:58 2014] PID(24295) sip_tls_accept: TLS protocol error(ssl reason code=no certificate returned [178]),lib=SSL routines [20],fun=SSL3_GET_CLIENT_CERTIFICATE [137], errno=0
    17:22:58.945 |Wed Apr 23 17:22:58 2014] PID(24295) sip_tcp.c(1056) sip_tcp : Hard close/destroy of tcp connid 93 sock_fd 37 flags 0
    On the Cisco side I have only set a TLS Peer as the LYNCPOOL server. Do I need to set up a TLS Peer for all of the Lync Servers?
    The lyncpool server has client and server enhanced key usage - do I need to reissue the certs with this for ALL servers in the Lync cluster?
    It seems like TLS will negotiate successfully using the LYNCPOOL server but not with any of the other servers. Must be missing something simple.
    Many thanks for advice.
    Regards
    Lee.

    Hi,
    Please double-check the listening port of Lync Server.
    In the Lync Server Management Shell, enter the following command to verify the current system configuration: Get-CsRegistrarConfiguration
    For more on the port requirements for Lync Server, refer to the link below:
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cups/8_6/english/integration_notes/IntegrationNote_CUP86_MicrosoftLyncServer2010_RCC.html
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Locking federation to specific domains in Lync 2013

    Hello,
    Once federation is enabled, is there a way to lock Lync 2013 federation to a number of selected domains, so that only these domains are able to contact me and any other domains that I'm not federated with are not?
    Is this functionality supported out of the box?
    Thanks!

    Yes, this is possible out of the box; you just specify which domains are allowed (whitelisted).
    From within Lync Control Panel select "Federation & External Access", then "SIP Federated Domains", and create the domains you want to allow there.
    From within Access Edge Configuration, uncheck "Enable Partner Domain Discovery" (which disables open federation).
    Blog: www.lynced.com.au | Twitter: @imlynced
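The same two Control Panel steps can be done, and verified, from the Lync Server Management Shell. The block below is an added example, not from the answer above: it shows the open-federation state the question wants to avoid next to the allow-listed state, using the `Set-CsAccessEdgeConfiguration`, `New-CsAllowedDomain` and `New-CsBlockedDomain` cmdlets. The domain names and comments are placeholders.

```powershell
# Added example (not from the thread): allow-listed federation via the Management Shell.
# Domain names and comments below are placeholders.

# Weak state: with EnablePartnerDiscovery = $True, any domain that publishes a
# _sipfederationtls SRV record can reach your users (open federation).
Get-CsAccessEdgeConfiguration |
    Select-Object AllowFederatedUsers, EnablePartnerDiscovery, UseDnsSrvRouting

# Corrected state: federation stays enabled, but only for domains on the allowed list.
Set-CsAccessEdgeConfiguration -AllowFederatedUsers $true -EnablePartnerDiscovery $false

# Allowed domains. With -ProxyFqdn, traffic for the domain goes to that Access Edge FQDN;
# without it, the partner's own _sipfederationtls SRV record is used to find it.
New-CsAllowedDomain -Identity 'partner-a.example' -ProxyFqdn 'sip.partner-a.example' -Comment 'placeholder: contract ref'
New-CsAllowedDomain -Identity 'partner-b.example' -Comment 'placeholder: SRV-routed partner'

# Explicit deny for a domain that must never federate with you.
New-CsBlockedDomain -Identity 'unwanted.example' -Comment 'placeholder: blocked per policy'

# Verification: the lists exactly as the Access Edge will enforce them.
Get-CsAllowedDomain | Format-Table Identity, ProxyFqdn, Comment -AutoSize
Get-CsBlockedDomain | Format-Table Identity, Comment -AutoSize

# The allow list alone lets nobody federate: the user's external access policy must also
# permit federation, so check that too when a whitelisted partner still cannot reach anyone.
Get-CsExternalAccessPolicy | Format-Table Identity, EnableFederationAccess -AutoSize
```

Keeping `AllowFederatedUsers` on while turning `EnablePartnerDiscovery` off is the combination this thread asks for: domains not on the allowed list get no route, and the blocked list documents the explicit refusals.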

  • Lync 2013 skype federation approved

    Hi
    I have got Skype and Lync 2013 IM federation approved on https://pic.lync.com. My SIP domain shows as activated on its page. Now what shall I do next? As I am still using a self-issued certificate on the external Lync Edge interface, do I need to apply a public certificate so that I can add Skype to my local-network Lync client? I could not send an IM to my Skype account otherwise. It comes back with an error id 504 source 239. I have sip.xxx.com.au, webconf.xxx.com.au, av.xxx.com.au which point to the Lync Edge, and meet.xxx.com.au, dialin.xxx.com.au, owa.xxx.com.au, lyncdiscover.xxx.com.au which point to the IIS ARR reverse proxy. I also have lynvweb.xxx.com.au as the external web service. In my case, if I would need to apply a public SSL certificate to make my Lync work with Skype, do I have to apply a multi-domain public certificate with up to 10 domains? Would a GoDaddy certificate be usable?
    Also, if the Lync Edge external interface certificate gets replaced, does the certificate on the IIS ARR reverse proxy server's default web site binding need to be replaced with a public certificate too?
    WenFei Cao

    Correct, you need public CA-issued certificates for your Edge external interface in order for federation to work.
    Best practice would be to have a public cert loaded on both your Edge and reverse proxy servers; however, in regards to federation, it's your Edge that will be in use. So you don't need to load a public cert on your reverse proxy (I assume you've loaded your root cert onto any mobile devices or devices that connect in), but I personally would, for the sake of completeness and to prevent any possible certificate trust issues in the future (it will save you loads of headaches). I would typically only use an internal cert for external-facing services when I am testing/labbing, and then replace them with public certs before going into production.
    Also, if you haven't already, follow these steps to configure the provider in Lync: http://blogs.4ward.it/lync-2013-and-skype-federation-how-to/
    Blog: www.lynced.com.au | Twitter: @imlynced

  • Lync 2013 A/V not working federated partner

    Hi,
    I have an interesting problem. I can't make video calls / desktop sharing only with the federated domain. But IM works properly. There is a problem only with A/V calls.
    In my Lync organization:
    1 front-end
    1 edge
    1 reverse proxy
    From | To | Type | Result
    My Lync User (Inside) | My Lync User (Outside) | IM & A/V & Desktop Sharing | Success
    My Lync User (Inside or Outside) from PC | Federated Lync domain | IM | Success
    My Lync User (Inside or Outside) from PC | Federated Lync domain | A/V & Desktop Sharing | Fail due to network issues
    My Lync User (Inside or Outside) from Lync Mobile | Federated Lync domain | Audio / Video call | Success
    If you sign in from the Lync mobile client and start a video call to the federated domain, it works successfully. But if you sign in from the PC Lync 2013 client and start a video call to the federated domain, it fails. The video invitation reaches the federated domain and the connection is established, but after a few seconds A/V fails due to network issues or "audio video device not configured".
    During the issue, I collected a log using OcsLogger on the Edge Server. I examined the collected log but I could not find an error line.
    Please help.
    Thanks

    Hi,
    From your description above, there is something wrong during the deployment of Edge Server.
    To avoid routing issues, make sure there are at least two network adapters in your Edge Servers and that the default gateway is set only on the network adapter associated with the external interface.
    You can configure two network adapters in your Edge Server as follows:
    Network adapter 1 (Internal Interface)
    For example: Internal interface with 172.25.33.10 assigned.
    No default gateway is defined.
    Ensure that there is a route from the network containing the Edge internal interface to any networks that contain servers running Lync Server 2013 or Lync Server 2013 clients.
    Network adapter 2 (External Interface)
    Three private IP addresses are assigned to this network adapter, for example 10.45.16.10 for Access Edge, 10.45.16.20 for Web Conferencing Edge, 10.45.16.30 for AV Edge.
    More details:
    http://technet.microsoft.com/en-us/library/gg412787.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support
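The two-adapter rule in this reply (and in the first answer on this page: one internal-facing and one external-facing NIC) is easy to get wrong on an Edge that was built with a gateway on both interfaces, and the symptom is exactly the media-only failure described above: signalling follows the right path but A/V relay traffic leaves via the wrong interface. The script below is an added example, not from the reply: it verifies on the Edge itself that exactly one default route exists and that it is not on the internal adapter, and that each internal network has an explicit route out of the internal adapter. The adapter name, prefixes and next hop are placeholders for your Edge; it uses the `NetTCPIP` cmdlets available on Windows Server 2012 and later.

```powershell
# Added example (not from the thread): check an Edge Server's routing against the
# "gateway only on the external NIC" rule. Names and prefixes below are placeholders.
$InternalAdapter  = 'Internal'          # placeholder: alias of the internal-facing NIC
$InternalNetworks = @('172.25.0.0/16')  # placeholder: networks holding FE pools and clients
$InternalNextHop  = '172.25.33.1'       # placeholder: router on the internal Edge subnet

function Test-EdgeGateways {
    # Every default route (0.0.0.0/0) and the adapter it is bound to
    $defaults   = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue)
    $onInternal = @($defaults | Where-Object { $_.InterfaceAlias -eq $InternalAdapter })
    [pscustomobject]@{
        DefaultGatewayCount  = $defaults.Count
        GatewayOnInternalNic = ($onInternal.Count -gt 0)
        GatewayAdapters      = ($defaults | ForEach-Object { "$($_.InterfaceAlias) via $($_.NextHop)" }) -join '; '
        Ok                   = ($defaults.Count -eq 1) -and ($onInternal.Count -eq 0)
    }
}

function Test-EdgeInternalRoutes {
    # Each internal network must be reachable through the internal adapter without a gateway
    foreach ($net in $InternalNetworks) {
        $routes = @(Get-NetRoute -DestinationPrefix $net -AddressFamily IPv4 -ErrorAction SilentlyContinue)
        $viaInt = @($routes | Where-Object { $_.InterfaceAlias -eq $InternalAdapter })
        [pscustomobject]@{
            Network    = $net
            Present    = ($routes.Count -gt 0)
            ViaAdapter = ($routes | ForEach-Object { $_.InterfaceAlias }) -join ', '
            Ok         = ($viaInt.Count -gt 0)
        }
    }
}

function Add-EdgeInternalRoute {
    # Adds the static route the TechNet guidance expects in place of an internal gateway.
    # Confirm afterwards with: Get-NetRoute -DestinationPrefix <net> -PolicyStore PersistentStore
    param([Parameter(Mandatory = $true)][string] $Network)
    New-NetRoute -DestinationPrefix $Network -InterfaceAlias $InternalAdapter -NextHop $InternalNextHop
}

$gw = Test-EdgeGateways
$gw | Format-List
if (-not $gw.Ok) { Write-Warning 'Expected exactly one default gateway, on the external adapter only.' }

$routes = Test-EdgeInternalRoutes
$routes | Format-Table -AutoSize
foreach ($r in ($routes | Where-Object { -not $_.Ok })) {
    Write-Warning "No route to $($r.Network) via '$InternalAdapter'. Add one with: Add-EdgeInternalRoute -Network $($r.Network)"
}
```

Run it on each Edge after deployment and after any NIC change; a second default gateway or a missing internal route is the usual reason desktop A/V to a federated partner connects and then drops while IM keeps working.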

  • Migrated to Lync 2013 now need federation assistance

    I have migrated from a Lync 2010 environment to a Lync 2013 environment for the Front End Servers. I am now needing to be able to federate with several other external companies. I am a somewhat intelligent person; however, this piece has me perplexed.
    internal domain - domain.local
    external domain - domain.com
    internal front end server - server00.domain.local
    edge server - server11.domain.local (in a workgroup in DMZ)
    email domain - domain-company.com
    SIP addresses - [email protected]
    I have a DMZ that has an internal and an external Checkpoint firewall. We have blown so many holes through it that the security expert here is afraid; however, testconnectivity.microsoft.com succeeds as long as I do not choose the A/V tests.
    I want to have directed federation with other entities within our company and have done nslookups, used Lync IP Tools, and multiple other tests to find out where I am failing to understand why I cannot get federation to work.
    Any thoughts?
    I absolutely deplore certificates....

    When you say you want to federate with other entities within your company, are they separate forests/domains? How do you connect to them, over the Internet or via a direct path? Or do I misunderstand? Is your intention to also federate with entities external to your company?
    Your SIP domain really should match your email domain, just to make it easier to locate your users from outside. On top of this, you'll be able to get a third-party certificate (they won't typically issue one for .local), which will be valuable for Lync mobility and federation without having the others install your self-signed cert.
    Are the certificates currently deployed on the Edge self-signed or third-party?
    How many SIP domains do you have deployed?
    SWC Unified Communications

  • Lync 2013 Server / Roles & Components

    Lync 2013 Server / Roles & Components
    Front End
    User authentication and registration
    Presence information and contact card exchange
    Address book services and distribution list expansion
    IM functionality, including multiparty IM conferences
    Web conferencing, PSTN Dial-in conferencing and A/V conferencing (if deployed)
    Application hosting, for both applications included with Lync Server (for example, Conferencing Attendant and Response Group application), and third-party applications
    Primary store for user and conference data.  Information about each user is replicated among Front End Servers in the pool
    Optionally, Monitoring, to collect usage information in the form of call detail records (CDRs) and call error records (CERs). This information provides metrics about the quality of the media (audio and video) traversing your network for both Enterprise Voice calls and A/V conferences.
    Web components to support web-based tasks such as the web scheduler and join launcher.
    One Front End pool runs the Central Management Server DB, which manages and deploys basic configuration data to all servers running Lync
    Optionally, Archiving, to archive IM communications and meeting content for compliance reasons.
    Optionally, if Persistent chat is enabled, Persistent Chat Web Services for Chat Room Management and Persistent Chat Web Services for File Upload/Download.
    Back End
    Database server running Microsoft SQL Server
    Provide the DB services for the Front End pool
    Acts as backup store for the pool’s user and conference data
    Primary stores for other DB’s like Response Group
    High Availability for the BE DB is provided via SQL Mirroring
    Optional Witness to enable automatic failover for BE
    SQL Server 2008 R2 or higher required for SQL Mirroring
    Edge Server
    Enable users to communicate and collaborate with users outside the organization’s firewall
    Comprises four separate server roles
    Access Edge – Acts as a secure proxy for all remote Lync signaling traffic
    Remote Access
    Federation
    Public IM Connectivity (PIC)
    Web Conferencing Edge – Enable remote users to participate in Web conferences with internal or remote workers
    A/V Edge – Responsible for secure relay of A/V media among internal, external, and federated contacts
    XMPP Gateway – Allows IM/P with XMPP federated contacts
    Reverse Proxy
    Simple URL Publishing – Required for users to join Lync meetings
    Web Conferencing Content – Users download meeting content (PowerPoint, Whiteboard, and Poll data) via Lync Web Services when in meeting
    Address Book & Distribution List Expansion – Required for users to download Lync Address Book and perform DL expansion
    User Certificates – Provides client certificate authentication via Lync Web Services
    Device Updates – Provides software updates to Lync IP endpoints
    Mobility – Provides connectivity for mobile clients via Lync Web Services
    Mediation Server
    Translates signaling and media between Lync Server and PSTN, IP-PBX, or SIP Trunk
    Can be co-located on Front End or separated as stand-alone Server dependent on call volume
    Role facilitates dial-in conferencing
    Capacity
    Co-located = 150 Concurrent Calls
    Standalone =  1100 Concurrent Calls
    Persistent Chat
    Enable users to participate in multiparty, topic-based conversations that persist over time
    Pchat Front End server role runs persistent chat service
    Pchat Back End server stores chat content and compliance events
    Geographic DR is provided via stretched pool and SQL log shipping to replicate DB info
    150k provisioned users / 80k concurrent users
    Archiving
    Uses SQL Server 2008 R2 or SQL Server 2012 for DB
    Capable of archiving the following:   
    Peer-to-peer IM
    Multiparty IM
    Web Conferences, including uploaded content and events
    A/V for peer-to-peer IM and web conferences
    Web conferencing annotations and polls
    Monitoring
    Agent that runs on each Front End Server that collects and manages information from the Front End and Mediation Servers
    Stored on SQL Server DB
    Leverages SQL Server Reporting Services for creation of reports related to call quality and metrics
    Office Web Apps Server
    External server leveraged for rendering PowerPoint slides within the Lync client and Lync Web App
    Typically leveraged within SharePoint deployments to deliver browser-based versions of Microsoft Office applications
    System Center Ops Mgr
    Health configuration in Lync Server 2013 is built around System Center Operations Manager and the use of Lync Server Management Packs. These Management Packs include a number of new features and enhancements, including:
    Synthetic Transactions – Windows PowerShell cmdlets that can be run from various locations to ensure that end user scenarios such as sign-in, presence, IM, and conferencing are readily available to end users.
    Call Reliability Alerts – Database queries for Call Detail Records (CDR). These records are written by Front End Servers to reflect whether end users were able to connect to a call or why a call was terminated. These queries result in alerts that indicate when a wide range of end users are experiencing connectivity issues for peer-to-peer calls or basic conferencing functionality.
    Media Quality Alerts – Database queries that look at Quality of Experience (QoE) reports published by clients at the end of each call. These queries result in alerts that pinpoint scenarios where users are likely to be experiencing poor media quality during calls and conferences. The data is built upon key metrics such as packet latency and loss, metrics that are known to directly contribute to call quality.
    Component Health – Individual server components raise alerts by using event logs and performance counters. These alerts indicate failure conditions that can severely impact one or more end user scenarios. These alerts can also indicate a variety of other failure conditions, including services not running, high failure rates, high message latency, or connectivity issues.
    Dependency Health – Failures can occur for a variety of external reasons. The management packs now monitor and collect data for some of the critical external dependencies that might indicate severe issues, including IIS availability, CPU and memory usage of servers and processes, and disk metrics.
    Exchange UM
    http://www.contactcenterarchitects.com/lync-2013-server-roles-components/
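The synthetic transactions mentioned in the monitoring summary above are ordinary Lync Server cmdlets, and they can be scheduled outside of Operations Manager as well. The script below is an added example, not code from the original post or from Microsoft: it runs the registration, presence and IM transactions against one pool from the Lync Server Management Shell and turns the results into a pass/fail summary. The pool FQDN, the two test accounts and the credential prompts are assumptions; the cmdlets and their parameters are the real ones.

```powershell
# Added example (not from the original post). Run in the Lync Server Management Shell.
# Pool FQDN and test users are assumptions for illustration.
$PoolFqdn = 'lyncpool01.contoso.com'
$User1    = 'sip:synthtest1@contoso.com'
$User2    = 'sip:synthtest2@contoso.com'
$Cred1    = Get-Credential -Message "Password for $User1"
$Cred2    = Get-Credential -Message "Password for $User2"

function Invoke-SyntheticTransaction {
    # Wrap one Test-Cs* call so that a thrown exception is reported like a failed result
    # instead of aborting the whole run.
    param([string]$Name, [scriptblock]$Test)
    try {
        $r = & $Test
        [pscustomobject]@{
            Test      = $Name
            Result    = $r.Result                          # 'Success' or 'Failure'
            LatencyMs = [int]$r.Latency.TotalMilliseconds
            Error     = $r.Error
        }
    } catch {
        [pscustomobject]@{ Test = $Name; Result = 'Failure'; LatencyMs = $null; Error = $_.Exception.Message }
    }
}

$results = @(
    Invoke-SyntheticTransaction 'Registration' {
        Test-CsRegistration -TargetFqdn $PoolFqdn -UserSipAddress $User1 -UserCredential $Cred1
    }
    Invoke-SyntheticTransaction 'Presence' {
        Test-CsPresence -TargetFqdn $PoolFqdn `
            -PublisherSipAddress $User1 -PublisherCredential $Cred1 `
            -SubscriberSipAddress $User2 -SubscriberCredential $Cred2
    }
    Invoke-SyntheticTransaction 'IM' {
        Test-CsIM -TargetFqdn $PoolFqdn `
            -SenderSipAddress $User1 -SenderCredential $Cred1 `
            -ReceiverSipAddress $User2 -ReceiverCredential $Cred2
    }
)

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Result -ne 'Success' })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} synthetic transaction(s) failed on {1}" -f $failed.Count, $PoolFqdn)
    exit 1
}
```

If the pool has test users pre-configured with Set-CsTestUserCredential, the -User*/-Sender*/-Receiver* parameters can be dropped and the cmdlets use those accounts; the wrapper and the summary stay the same. The non-zero exit code is what lets a scheduled task or a monitoring agent alert on a failure rather than only logging it.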

    Hi,
    Thank you for sharing the information. It is useful for others who do not understand Lync Server Roles and Components. Your time and effort are appreciated.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Office web Apps server Lync 2013 Certificate

    Hi,
     I'll be installing an Office Web Apps (OWA) server with Lync 2013 Standard Edition. External user access is disabled but federation is enabled, meaning OWA will be exposed to the internet as wabweb.contoso.com; the internal host name of the OWA server is owa.contoso.local.
    Does the certificate on the OWA server need to have owa.contoso.local as the certificate principal name and wabweb.contoso.com as a SAN, or is owa.contoso.local alone enough?

    It really depends on how you publish the server to the internet. You have some options. If you are publishing this via a reverse proxy, internally you would have a private cert with .local on it and the public name on the reverse proxy.  If you are
    punching a firewall hole/NAT directly to the server your best option is to use a public cert on that server directly.
    That all said, personally I like to make both the internal and external farm URL the same, and use a public cert on the server (if no reverse proxy is in play).  So I would actually enter the OWAS Farm as wabweb.contoso.com in topology builder, then
    when creating the farm via PowerShell make that both the internal and external URL and get a certificate with a single name on it of wabweb.contoso.com.
    Richard
    Richard Brynteson, Lync MVP | http://masteringlync.com | http://lyncvalidator.com
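What Richard describes as the single-name approach, written out as an added example (this is not his code or Microsoft's): before creating the farm, confirm that the certificate installed on the Office Web Apps Server actually carries the farm FQDN in its SAN list, create the farm with identical internal and external URLs, and then request the WOPI discovery document that the Lync Front End uses to validate the farm. The FQDN wabweb.contoso.com comes from the question; the certificate friendly name is an assumption.

```powershell
# Added example (not from the original answer). Run on the Office Web Apps Server.
Import-Module OfficeWebApps

$FarmUrl      = 'https://wabweb.contoso.com'   # single name, used internally and externally
$CertFriendly = 'wabweb.contoso.com'           # assumed friendly name of the installed public cert

# 1. Locate the certificate and make sure the farm host name is in its Subject Alternative Name list.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $CertFriendly }
if (-not $cert) { throw "No certificate with friendly name '$CertFriendly' in LocalMachine\My" }

$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
$sanNames = @()
if ($sanExt) {
    # Windows formats the extension as "DNS Name=a, DNS Name=b"; keep only the names.
    $sanNames = $sanExt.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[-1].Trim() }
}
$farmHost = ([uri]$FarmUrl).Host
if ($sanNames -notcontains $farmHost) {
    throw "Certificate SANs ($($sanNames -join ', ')) do not include $farmHost"
}

# 2. Create the farm with the same URL inside and out. Lync only renders, so editing stays off.
New-OfficeWebAppsFarm -InternalUrl $FarmUrl -ExternalUrl $FarmUrl `
    -CertificateName $CertFriendly -EditingEnabled:$false -Confirm:$false

# 3. Lync validates the farm through /hosting/discovery; check it resolves and returns WOPI XML.
$resp = Invoke-WebRequest -Uri "$FarmUrl/hosting/discovery" -UseBasicParsing
if ($resp.StatusCode -ne 200 -or $resp.Content -notmatch 'wopi-discovery') {
    throw "Discovery endpoint at $FarmUrl/hosting/discovery did not return WOPI discovery XML"
}

Get-OfficeWebAppsFarm | Select-Object InternalUrl, ExternalUrl, CertificateName
```

The discovery request only tells you something if the machine you run it from resolves wabweb.contoso.com the way the Front End and the internet will; if a reverse proxy is in front of the server, run step 3 from both sides so a split-DNS mistake shows up before users do.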

  • Lync 2013 /w Edge not working properly (internal/external same domain name and all "external" users)

    Hi,
    I've got some issues with a Lync 2013 setup.
    The config consists of 2 Lync servers. One FE and one Edge. All seems to work except audio in meetings and SIP.
    The setup is like this (fake ip's used):
    Front End:
    Internal IP: 172.16.0.10
    External IP: x.x.185.10
    All ports open in Cisco ASA
    internal AD DNS: dialin/lync/meet/lyncdiscover to Front end internal ip. edge/lsedge/sip points to edge internal ip
    EDGE:
    Internal IP: 172.16.0.11 (no gateway configured)
    External IPS: x.x.185.11, x.x.185.12, x.x.185.13
    All external IP's are direct internet facing, no NAT (a firewall is in place).
    All external interfaces are using a wildcard certificate.
    All servers are running in a remote data center, so basically no internal users. We all connect to the external interfaces. The Windows domain name (AD) is the same as our external DNS (companyname.com).
    Autodiscover works, we can log on, chat, but there is no audio. The audio test fails. Also SIP is not working with a SIP trunk.
    External DNS: sip/webconf/av are pointing to their external IPs. sipexternal is a CNAME to sip. lyncdiscover/lync/dialin/meet all point to the Front End external IP.
    _sip._tls/_sipfederationtls.tcp/_xmpp-server.tcp all point to the sip.companyname.com ip.
    I just can't figure out what is wrong.

    @PSingh123 I'll try the logs in a minute and get back with the results.
    @PaulB_NZ Thanks for the input. In my opinion the FE does need an external IP. How else will you be able to connect if you are a remote worker?
    The Edge is (as far as I know) needed for Enterprise Voice and federation with other (external) SIP domains. It's not needed for basic (chat/video/whiteboard etc.) Lync functionality for both internal and external (remote) users.
    The Edge is to communicate with services/users outside the organisation.
    I do still think that the basic topology (FE with internal IP and Nat'ed external ip working with an Edge with internal IP and 1 external IP nat'ed to 3 DMZ ip's) is correct in this case.
    I can be wrong and in that case would like to be pointed to the correct configuration.

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
    around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
    appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    1. Is there a way that I'm missing of reducing the number of SANs required on the Edge server?
    - Use aliases for Access Edge FQDNs: supported by the desktop client but not by other devices, so not really workable.
    - Don't support XMPP federation, therefore removing the need for domain name FQDNs for each SIP domain.
    2. Is there a way that I'm missing of reducing the number of SANs required on the Reverse Proxy server?
    - Friendly URL option 3 from this page: http://technet.microsoft.com/en-us/library/gg398287.aspx
    - Client auto-configuration:
      i. Don't support mobile client auto-configuration, in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
      ii. Support mobile client auto-configuration over HTTP only, in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
      iii. Support mobile client auto-configuration over HTTPS, in which case DNS records are required for each SIP domain and a SAN entry for each SIP domain is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    3. If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    4. How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    5. Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think it is eligible to use the hosting pack, but I'm not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge where their tenants will be internal, and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    “Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
    to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
    rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
    domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
    create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
    the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
    fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.
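The two posts above, and the Edge DNS layout in the earlier "Lync 2013 /w Edge not working properly" thread, all come down to the same question: for each SIP domain, which names must be in DNS and which must be on the Edge and reverse proxy certificates. The function below is an added example, not code from any of the posters or from Microsoft. It applies the rules quoted above (an Access Edge SAN per domain, the SRV-to-different-namespace caveat from the Schertz article, and the HTTP-only cross-domain lyncdiscover CNAME) to inputs you supply, so it runs offline against the constructed sample at the bottom; the domain names there are assumptions. Feeding it live data is a matter of filling the same hashtables from Resolve-DnsName and the certificates.

```powershell
# Added example (not from the original posts). Pure evaluation over supplied inputs.
function Test-SipDomainNames {
    param(
        [string[]]$SipDomains,     # SIP domains the Edge must serve
        [hashtable]$SrvTarget,     # domain -> NameTarget of _sip._tls / _sipfederationtls._tcp SRV ($null if none)
        [hashtable]$Lyncdiscover,  # domain -> CNAME target of lyncdiscover.<domain> ($null if it is an A record)
        [string[]]$EdgeSans,       # SAN entries on the external Edge certificate
        [string[]]$ProxySans       # SAN entries on the reverse proxy / web services certificate
    )
    foreach ($d in $SipDomains) {
        $findings   = @()
        $accessFqdn = "sip.$d"

        # Access Edge: a per-domain FQDN on the cert is the best practice; an SRV that points at a
        # host in another namespace works only for the Windows client (with a warning).
        if ($EdgeSans -notcontains $accessFqdn) {
            $target = $SrvTarget[$d]
            if (-not $target) {
                $findings += "no SRV record and no SAN for $accessFqdn; automatic sign-in cannot work"
            } elseif (-not $target.EndsWith(".$d")) {
                $findings += "SRV points to $target outside $d and $accessFqdn is not a SAN; Windows client warns, other devices fail"
            } elseif ($EdgeSans -notcontains $target) {
                $findings += "SRV target $target is not on the Edge certificate"
            }
        }

        # Mobile autodiscover: a CNAME into another domain is only reachable over HTTP (port 80 rule);
        # anything else needs lyncdiscover.<domain> on the reverse proxy certificate.
        $ld    = "lyncdiscover.$d"
        $cname = $Lyncdiscover[$d]
        if ($cname -and -not $cname.EndsWith(".$d")) {
            $findings += "$ld is a CNAME to $cname in another domain; requires the port 80 HTTP publishing rule"
        } elseif ($ProxySans -notcontains $ld) {
            $findings += "$ld is missing from the reverse proxy certificate; HTTPS autodiscover fails"
        }

        [pscustomobject]@{ Domain = $d; Ok = ($findings.Count -eq 0); Findings = $findings }
    }
}

# Constructed sample (not real data): three SIP domains sharing one Edge named sip.contoso.com.
$report = Test-SipDomainNames `
    -SipDomains   @('contoso.com', 'fabrikam.com', 'tailspin.com') `
    -SrvTarget    @{ 'contoso.com' = 'sip.contoso.com'; 'fabrikam.com' = 'sip.contoso.com'; 'tailspin.com' = 'sip.tailspin.com' } `
    -Lyncdiscover @{ 'contoso.com' = $null; 'fabrikam.com' = 'lyncdiscover.contoso.com'; 'tailspin.com' = $null } `
    -EdgeSans     @('sip.contoso.com', 'webconf.contoso.com', 'av.contoso.com', 'sip.tailspin.com') `
    -ProxySans    @('lyncdiscover.contoso.com', 'meet.contoso.com', 'dialin.contoso.com')

foreach ($r in $report) {
    if ($r.Ok) { "{0}: OK" -f $r.Domain } else { "{0}: {1}" -f $r.Domain, ($r.Findings -join '; ') }
}
```

In the sample, contoso.com passes, fabrikam.com is flagged twice (shared Access Edge name without a SAN, and a cross-domain lyncdiscover CNAME that only works if port 80 is published), and tailspin.com has its own Access Edge SAN but no lyncdiscover entry on the proxy certificate. To run it against a real environment, fill the SRV hashtable from `(Resolve-DnsName -Type SRV "_sipfederationtls._tcp.$d").NameTarget`, the CNAME hashtable from `Resolve-DnsName "lyncdiscover.$d"`, and the SAN lists from the certificates' 2.5.29.17 extension; the count of domains with a finding is, in effect, the count of SANs (or DNS changes) still outstanding.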

  • Lync 2013 Edge server compatibility with Lync 2010 Front End Pool

    Hi All,
    Technet article (http://technet.microsoft.com/en-us/library/jj688121.aspx) says the following:
    If your legacy Lync Server 2010 Edge Server is configured to use the same FQDN for the Access Edge service, Web Conferencing Edge service, and the A/V Edge service, the procedures in this section are not supported. If the
    legacy Edge services are configured to use the same FQDN, you must first migrate all your users from Lync Server 2010 to Lync Server 2013, then decommission the Lync Server 2010 Edge Server before enabling federation on the Lync Server 2013 Edge Server.
    Can you tell me why it is you have to change the External Lync Web services URL during a migration to Lync 2013 from Lync 2010. What purpose does this serve?
    Also can you clarify this and explain why this is required, why would you have to migrate all of your users, would a Lync 2013 Edge not talk to a Lync 2010 front-end?
    Any help would be much appreciated. MANY THANKS.

    Thank you very much for all your inputs.
    We still have few questions:
    Questions:
    Can you tell me if Lync 2010 users will be able to login using mobility if we repoint the reverse proxy (TMG) web services publishing rule to the Lync 2013 server? Remember both systems Lync 2010 and 2013 are using the same web
    services URL so they will both end up at the Lync 2013 server. Alternatively if not we will migrate all users to 2013, this is not a problem
    In addition to this I cannot find anything that states how Exchange UM will operate when you are running from a backup pool and the exchange UM contacts are not available because they are homed on the server that is down. This
    configuration is 2 x standard edition servers pool paired. How can we make sure Exchange voice mail works during a pool failover?
    Call Park is not clear to me I read the following:
    Lync Server 2013 provides new disaster recovery mechanisms in the form of failover and failback processes. These failover and failback processes support recovery of Call Park functionality by allowing
    users who are homed in the primary pool to leverage the Call Park application of the backup pool when an outage occurs in the primary pool. Support for disaster recovery of the Call Park application is enabled as part of the configuration and deployment of
    paired Front End pools.
     Is this saying we need to deploy Call Park in the DR pool and use a different range of orbit numbers, or can we use the same range in the DR pool?
    Further, I can see that Common Area Phones will be fine as they will log into the DR pool automatically. Response Groups need to be exported and imported to the DR pool. Incidentally these did not migrate well at all and have
    caused us a big headache!
    Any inputs will be greatly appreciated. Thanks again for all of your time.

  • Merge Lync 2013 Edge servers in same pool

    Hi guys.
    - We had Lync 2013 FE STD version.
    - We have added one more Lync 2013 FE STD and done front end pool pairing.
    - We had a single Edge Pool, so only 1 EDGE server in 1 POOL.
    We wish to add another Edge server and put previous and this new Edge server in one pool.
    This is a printscreen of our current Edge Deployment.
    Because we have federation enabled with external partners who have put into their Lync configuration
    a trust for the public external address of our current edge server, LyncEDGESIP.domain.com, we would like to avoid sending them a new address, and we have decided to keep that public address and make it the EDGE POOL NAME that both edge servers would be inside.
    Now we are a little bit confused/amused about what to do next.
    If we use LyncEDGESIP.domain.com as the FQDN of the EDGE POOL with two edge servers, what would we need to do with our current edge server?
    What to put for:
    Access Edge Service public address on both edge servers
    Web Conferencing Edge Service public address on both edge servers
    A/V Edge Service public address on both edge servers.
    bostjanc

    Go with a cutover migration if you can take downtime. Here is the high-level summary for your reference:
    Remove existing edge server from topology and publish the changes.
    Create a new edge server pool in topology builder.
    Make sure that access edge , web conference edge and AV edge name remains the same.
    Publish the topology and run the setup on both edge servers. You need to configure external and internal IP addresses based on Lync topology.
    Replicate the configuration change and run the deployment wizard.
    Import the certificate and start the services.
    Create additional DNS A records for load balancing externally.
    Thanks
    Saleesh
    If answer is helpful, please hit the green arrow on the left, or mark as answer.
    Technet Blog
