Lync 2013 Federation
Hi,
We are planning to deploy Lync Server 2013 federation with a client domain.
We have a separate domain at the client location onsite (they have their own Lync environment) and a separate domain in our offshore ODC. A point-to-point (dedicated) link is in place, so there is no DMZ. We are planning to enable Lync federation with the client domain.
Can we place the Edge Server in the same network where the Front End Server is installed? How do we go about this requirement? Please suggest.
To configure Lync Edge, you need two network adapters for each Edge Server: one for the internal-facing interface and one for the external-facing interface.
Yes, you can put the internal NIC on the same network as the Lync Front End.
For more details about the network interfaces of Lync Edge, you can check the link below:
http://technet.microsoft.com/en-us/library/gg412847.aspx
To deploy and configure Lync Edge:
http://technet.microsoft.com/en-us/library/gg398147.aspx
Configuring SIP federation, XMPP federation and public instant messaging in Lync Server 2013
http://technet.microsoft.com/en-us/library/jj205134.aspx
Mai Ali
Similar Messages
-
Lync 2013 federation failing for a specific domain
Hello,
We have recently migrated to Lync 2013 and noticed that one of the domains we federate with is unable to federate with us.
We are getting the following error:
Log Name: Lync Server Source: LS Protocol Stack Event ID: 14428 Task Category: (1001)
Level: Error Keywords: Classic User: N/A Computer: server.fqdn.com Description: TLS outgoing connection
failures.
Over the past 28 minutes, Lync Server has experienced TLS outgoing connection failures 4 time(s). The error code of the last failure is 0x80090325(SEC_E_UNTRUSTED_ROOT) while trying
to connect to the server "sip.example.com" at address [10.10.10.10:5061], and the display name in the peer certificate is "Unavailable". Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to
reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is
not trusted by the local machine. Resolution: Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check
that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local
machine.
Thanks
Thanks Michael.
That worked for one of the two issues I'm seeing. I used the same steps for the second issue but it didn't seem to work. I have imported the CA of the domain we would like to federate with into the trusted root certification authorities and the intermediate certification authorities, per the certificate issuer's website guidelines. I did learn that the federated partner is also using OCS 2007 R2; not sure if this may have something to do with it.
Over the past 30 minutes, Lync Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80072746 while trying to connect to
the server "ocs.example.com" at address [10.10.10.10:5061], and the display name in the peer certificate is "ocs.example.com". Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target
principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.
Resolution: Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by
DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine. -
Lync 2013 federation and mobile push 504 error
Hello,
In our company we have deployed Lync 2013 Standard with the latest CU.
1. Front End - external web services and mobility signed by a wildcard certificate trusted on the Internet, and internal web services signed by our internal CA, which is not trusted on the Internet.
Registered in the topology as: LyncFE.company.local
Default SIP domain is company.com
2. Edge Server - all-in-one server signed by our internal CA (not trusted on the Internet) with Subject Alternative Names: sip.company.local, sip.company.com, LyncEDGE.company.com
Registered in the topology as: LyncEDGE.company.local
3. Reverse proxy, NAT and firewall: our firewall is set up with port translation
LyncEDGE.company.local has the public IP address 10.10.10.10 assigned by NAT
LyncFE.company.local has the public IP address 10.10.10.11 assigned by NAT
Incoming traffic for 10.10.10.10 and 10.10.10.11: the Lync TCP/UDP ports from the documentation
Outgoing traffic for 10.10.10.10 (LyncEDGE) on TCP 5061, needed for federation
4. DNS setup
We have a split domain and DNS like this:
Company.local (Internal DNS) and Company.com (External DNS)
DNS Records in our External DNS:
LyncEDGE.company.com record A 10.10.10.10
LyncFE.company.com record A 10.10.10.11
sip.company.com TLS --> LyncEDGE.company.com
_sipfederationtls._tcp.company.com --> LyncEDGE.company.com
_sipinternaltls._tcp.company.com --> LyncEDGE.company.com
lyncdiscover.company.com --> 10.10.10.10
With this setup, Lync audio/video and mobile access work for now. Now we are trying to set up federation and push notification, and when we test we get a 504 from the server.
Test-CsFederatedPartner -TargetFqdn lyncedge.company.local -Domain microsoft.com (lyncedge.company.local is the name of our LyncEDGE server in the topology)
Test-CsFederatedPartner : A 504 (Server time-out) response was received from
the network and the operation failed. See the exception details for more
information.
At line:1 char:1
+ Test-CsFederatedPartner -TargetFqdn lyncedge.pep.local -Domain microsoft.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Test-CsFederatedPartner],
FailureResponseException
+ FullyQualifiedErrorId : WorkflowNotCompleted,Microsoft.Rtc.Management.Sy
ntheticTransactions.TestFederatedPartnerCmdlet
My lyncedge.company.com was added by Microsoft as a federation partner for Skype.
telnet from the Front End server to LyncEDGE.company.local on port 5061 works
The firewall shows outbound traffic from LyncEDGE.company.com (10.10.10.10) to Microsoft's site
But I still can't get federation and push notification for mobile working. Can someone advise where the problem can be? I think the problem is with our certificate setup on the EDGE server, which is signed by our internal CA that is not trusted on the Internet.
Hi, I exchanged root certificates with my partner. Now he can see my status, make video calls and send IMs to all my accounts, but I can't do anything; I get 504. In my logs I see the following:
I tested:
telnet sip.partnerdomian.pl 5061 -- OK
telnet sip.partnerdomian.pl 443-- ok
nslookup _sipfederationtls._tcp.partnerdomian.pl --> sip.partnerdomian.pl port 5061
All is OK but still a timeout. Where should I look for the problem, on my side or the partner's side? He has 3 LAN IP addresses on the Edge, NATed to one public IP.
TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006bc75 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
Trace-Correlation-Id: 441892531
Instance-Id: 2B8A
Direction: outgoing;source="internal edge";destination="external edge"
Peer: 195.0.0.1:15224
Message-Type: response
Start-Line: SIP/2.0 504 Server time-out
From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
CSeq: 1 SUBSCRIBE
Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.8.106.114;ms-received-port=15224;ms-received-cid=11600
Content-Length: 0
ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partnerdomain.pl";PeerServer="sip.partnerdomain.pl";source="MyEdge.domain.pl"
ms-edge-proxy-message-trust: ms-source-type=DirectPartner;ms-ep-fqdn=LyncEDGE.domain.local;ms-source-network=federation;ms-source-verified-user=unverified
$$end_record
TL_INFO(TF_DIAG) [0]0548.1970::12/30/2014-20:51:59.558.0006bc14 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[441892531] $$begin_record
Severity: information
Text: Response successfully routed
SIP-Start-Line: SIP/2.0 504 Server time-out
SIP-Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
SIP-CSeq: 1 SUBSCRIBE
Peer: 195.0.0.1:15224
Data: destination="[email protected]"
$$end_record
TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b949 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
Trace-Correlation-Id: 441892531
Instance-Id: 2B8A
Direction: incoming;source="internal edge";destination="external edge"
Peer: LyncFE.domain.local:5061
Message-Type: response
Start-Line: SIP/2.0 504 Server time-out
From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
CSeq: 1 SUBSCRIBE
Via: SIP/2.0/TLS 172.19.23.80:49973;branch=z9hG4bKC86F300B.DA568731A4B1BC2F;branched=FALSE;ms-received-port=49973;ms-received-cid=894D00
Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.0.0.1;ms-received-port=15224;ms-received-cid=11600
Content-Length: 0
ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partnerdomin.pl";PeerServer="sip.partnerdomain.pl";source="MyEdge.domain.pl"
ms-edge-proxy-message-trust: ms-source-type=DirectPartner;ms-ep-fqdn=LyncEDGE.domain.local;ms-source-verified-user=unverified;ms-source-network=federation;ms-local-fcp=yes
$$end_record
TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b769 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531]
$$begin_record
Trace-Correlation-Id: 441892531
Instance-Id: 2B89
Direction: outgoing;source="external edge";destination="internal edge"
Peer: LyncFE.domain.local:65236
Message-Type: response
Start-Line: SIP/2.0 504 Server time-out
From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
CSeq: 1 SUBSCRIBE
Via: SIP/2.0/TLS 172.19.23.75:65236;branch=z9hG4bK9FFA2BA6.757019415D97CC30;branched=FALSE;ms-received-port=65236;ms-received-cid=1400
Via: SIP/2.0/TLS 172.19.23.80:49973;branch=z9hG4bKC86F300B.DA568731A4B1BC2F;branched=FALSE;ms-received-port=49973;ms-received-cid=894D00
Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.8.106.114;ms-received-port=15224;ms-received-cid=11600
Content-Length: 0
ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partnerdomian.pl";PeerServer="sip.partnerdomian.pl";source="MyEdge.domain.pl"
ms-edge-proxy-message-trust: ms-source-type=DirectPartner;ms-ep-fqdn=LyncEDGE.domain.local;ms-source-verified-user=unverified;ms-source-network=federation;ms-local-fcp=yes
$$end_record
TL_INFO(TF_DIAG) [0]0548.1970::12/30/2014-20:51:59.558.0006b704 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[441892531] $$begin_record
Severity: information
Text: Response successfully routed
SIP-Start-Line: SIP/2.0 504 Server time-out
SIP-Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
SIP-CSeq: 1 SUBSCRIBE
Peer: LyncFE.domain.local:65236
$$end_record
TL_INFO(TF_DIAG) [0]0548.1970::12/30/2014-20:51:59.558.0006b57a (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[441892531] $$begin_record
Severity: information
Text: The message has an Allowed Partner Server domain
SIP-Start-Line: SIP/2.0 504 Server time-out
SIP-Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
SIP-CSeq: 1 SUBSCRIBE
Peer: sip.partnerdomain.pl:5061
Data: domain="partnerdomian.pl"
$$end_record
TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b35e (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
Trace-Correlation-Id: 441892531
Instance-Id: 2B89
Direction: incoming;source="external edge";destination="internal edge"
Peer: sip.opteam.pl:5061
Message-Type: response
Start-Line: SIP/2.0 504 Server time-out
From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
CSeq: 1 SUBSCRIBE
Via: SIP/2.0/TLS 172.19.20.25:56348;branch=z9hG4bK62EA2C6E.CBA9E35BA4B1BC2F;branched=FALSE;ms-internal-info="bdfQfcjHqEGEYXjrThA5NV7b6oZKoU2jzjNeGxP_cA0_tb46nLxN-KzAAA";received=195.8.106.130;ms-received-port=56348;ms-received-cid=11AC00
Via: SIP/2.0/TLS 172.19.23.75:65236;branch=z9hG4bK9FFA2BA6.757019415D97CC30;branched=FALSE;ms-received-port=65236;ms-received-cid=1400
Via: SIP/2.0/TLS 172.19.23.80:49973;branch=z9hG4bKC86F300B.DA568731A4B1BC2F;branched=FALSE;ms-received-port=49973;ms-received-cid=894D00
Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.8.106.114;ms-received-port=15224;ms-received-cid=11600
Content-Length: 0
$$end_record
-
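As an added example (not code from the post or from Microsoft's tooling), a small Python parser for the OCSLogger trace records shown above: it splits the $$begin_record blocks, pulls the SIP start line, the per-hop Via headers and the ms-diagnostics parameters, and reports whether the 504 arrived from the federated peer with its own diagnostics or only picked up code 1034 at our Edge. Host names and addresses in the embedded sample are constructed placeholders.

```python
"""Parse the $$begin_record / $$end_record SIPStack trace blocks that OCSLogger
writes and summarize why a federated SUBSCRIBE came back as 504."""
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample modelled on the records in the post above; host names and
# addresses are placeholders, not the poster's real values.
SAMPLE_TRACE = """\
TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b769 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
Trace-Correlation-Id: 441892531
Direction: outgoing;source="external edge";destination="internal edge"
Peer: LyncFE.domain.local:65236
Start-Line: SIP/2.0 504 Server time-out
Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
Via: SIP/2.0/TLS 172.19.23.75:65236;branch=z9hG4bK9FFA2BA6;ms-received-port=65236
Via: SIP/2.0/TLS 172.19.19.23:59211;received=203.0.113.114;ms-received-port=15224
Content-Length: 0
ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partner.example";PeerServer="sip.partner.example";source="edge.domain.example"
$$end_record
TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b35e (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
Trace-Correlation-Id: 441892531
Direction: incoming;source="external edge";destination="internal edge"
Peer: sip.partner.example:5061
Start-Line: SIP/2.0 504 Server time-out
Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
Via: SIP/2.0/TLS 172.19.20.25:56348;branch=z9hG4bK62EA2C6E;received=203.0.113.130
Via: SIP/2.0/TLS 172.19.23.75:65236;branch=z9hG4bK9FFA2BA6;ms-received-port=65236
Content-Length: 0
$$end_record
"""

@dataclass
class SipRecord:
    headers: Dict[str, str] = field(default_factory=dict)
    vias: List[str] = field(default_factory=list)  # one per hop, outermost first

    @property
    def status(self) -> Optional[int]:
        m = re.match(r"SIP/2\.0 (\d{3}) ", self.headers.get("Start-Line", ""))
        return int(m.group(1)) if m else None

    @property
    def direction(self) -> str:
        return self.headers.get("Direction", "").split(";", 1)[0]

    @property
    def peer_host(self) -> str:  # "host:port" -> "host"
        return self.headers.get("Peer", "").rsplit(":", 1)[0].lower()

_RECORD_RE = re.compile(r"\$\$begin_record\n(.*?)\n\$\$end_record", re.S)

def parse_records(text: str) -> List[SipRecord]:
    """Split the trace into records and collect 'Header: value' lines."""
    records = []
    for body in _RECORD_RE.findall(text):
        rec = SipRecord()
        for line in body.splitlines():
            name, sep, value = line.partition(":")
            if not sep:
                continue  # not a header line
            name, value = name.strip(), value.strip()
            if name == "Via":
                rec.vias.append(value)
            else:
                rec.headers[name] = value
        records.append(rec)
    return records

def parse_ms_diagnostics(value: str) -> Tuple[int, Dict[str, str]]:
    """'1034;reason="...";Domain="x"' -> (1034, {"reason": ..., "Domain": "x"})."""
    code, _, rest = value.partition(";")
    return int(code), dict(re.findall(r'(\w+)="([^"]*)"', rest))

def summarize_failure(text: str, call_id: str) -> Dict[str, Any]:
    """Final status, the hops the response crossed on our Edge, the first
    ms-diagnostics seen, and whether the federated peer itself sent any."""
    recs = [r for r in parse_records(text) if r.headers.get("Call-ID") == call_id]
    out: Dict[str, Any] = {"status": None, "hops": [], "diag_code": None,
                           "diag": {}, "peer_reported_diag": None}
    for r in recs:
        out["status"] = r.status if r.status is not None else out["status"]
        out["hops"].append((r.direction, r.headers.get("Peer")))
        if "ms-diagnostics" in r.headers and out["diag_code"] is None:
            out["diag_code"], out["diag"] = parse_ms_diagnostics(r.headers["ms-diagnostics"])
    peer = out["diag"].get("PeerServer", "").lower()
    from_peer = [r for r in recs if r.direction == "incoming" and r.peer_host == peer]
    if from_peer:  # did the 504 arrive carrying the partner's own diagnostics?
        out["peer_reported_diag"] = any("ms-diagnostics" in r.headers for r in from_peer)
    return out

def explain(s: Dict[str, Any]) -> str:
    """One-line reading of the summary for the 1034-after-504 case."""
    if s["status"] == 504 and s["diag_code"] == 1034 and s["peer_reported_diag"] is False:
        return (f"504 relayed from {s['diag']['PeerServer']} without its own ms-diagnostics; "
                "our Edge only added 1034, so trace the SUBSCRIBE on the partner side")
    return f"status {s['status']}, ms-diagnostics {s['diag_code']}: {s['diag'].get('reason')}"
```

Run it against a real Snooper/OCSLogger text export by passing the file contents and the Call-ID of the failing SUBSCRIBE to summarize_failure.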
Lync 2013 federation with Skype error: 'Reference error id 504 (Source ID 239)
I have set up Lync 2013, configured Skype federation (http://www.techtroubleshoot.com/federate-lync-server-with-skype/) and also done Lync provisioning. Skype federation worked for a few days (2 weeks) and then stopped. Currently I am getting the following error: 'Reference error id 504 (Source ID 239)'.
Ports are open on the firewall. I however still get the error.
Kimani
Bob, verify the following:
You can telnet to your SIP domain on ports 5061 and 443 from external, and the nslookup of the sipfederation SRV record resolves correctly.
The certificate on the Edge Server is not expired or damaged.
This link had a similar issue; you can check it.
http://terenceluk.blogspot.com/2013/04/unable-to-send-instant-messages-or-view.html
-
MS Lync 2013 federation with Cisco CUP 8.6
Hi all,
I am currently trying to federate CUPS 8.6 with MS Lync 2013.
After a lot of certificate issues we finally got one-way IM from CUPS to Lync. I can't get presence in either direction or send an IM from Lync to a CUPS user.
I have followed the Cisco guide for inter-domain federation within an enterprise, so no Edge Server or Cisco ASA is involved.
The error message I am seeing on the Lync side is:
ms-diagnostics:
1010;reason="Certificate trust with another server could not be established";ErrorType="Refer to HRESULT code for specific security status";tls-target="CUP-A.cupdomain.co.uk";HRESULT="0x80090326(SEC_E_ILLEGAL_MESSAGE)";source="LCT-LYNCFE01.lyncdomain.net"
On the CUP side I can see the TLS session being dropped with this error message:
17:22:58.945 |[Wed Apr 23 17:22:58 2014] PID(24295) sip_tls_verify_callback: TLS protocol error(ssl reason code=(null) [0]),lib=(null) [0],fun=(null) [0], errno=0
17:22:58.945 |[Wed Apr 23 17:22:58 2014] PID(24295) sip_tcp.c(2409) SSL server accept returned SSL_ERROR_SSL
17:22:58.945 |[Wed Apr 23 17:22:58 2014] PID(24295) sip_tls_accept: TLS protocol error(ssl reason code=no certificate returned [178]),lib=SSL routines [20],fun=SSL3_GET_CLIENT_CERTIFICATE [137], errno=0
17:22:58.945 |Wed Apr 23 17:22:58 2014] PID(24295) sip_tcp.c(1056) sip_tcp : Hard close/destroy of tcp connid 93 sock_fd 37 flags 0
On the Cisco side I have only set up a TLS peer for the LYNCPOOL server. Do I need to set up a TLS peer for all of the Lync servers?
The lyncpool server certificate has client and server enhanced key usage; do I need to reissue the certs with this for ALL servers in the Lync cluster?
It seems like TLS will negotiate successfully using the LYNCPOOL server but not with any of the other servers. I must be missing something simple.
Many thanks for advice.
Regards
Lee.
Hi,
Please double check the listen port of Lync Server.
In the Lync Server Management Shell enter the following command to verify the current system configuration: Get-CSRegistrarConfiguration
For more on the port requirements for Lync Server, you can refer to the link below:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cups/8_6/english/integration_notes/IntegrationNote_CUP86_MicrosoftLyncServer2010_RCC.html
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
sure that you completely understand the risk before retrieving any suggestions from the above link.
Best Regards,
Eason Huang
TechNet Community Support -
Locking federation to specific domains in Lync 2013
Hello,
Once federation is enabled, is there a way to lock Lync 2013 federation to a number of selected domains, so that only these domains are able to contact me and any other domains that I'm not federated with cannot?
Is this functionality supported out of the box?
Thanks!
Yes, this is possible out of the box. You just specify what domains are allowed (whitelisted).
From within Lync Control Panel select "Federation & External Access", "SIP Federated Domains" and then create the domains you want to allow in there.
From within Access Edge Configuration, uncheck "Enable Partner Domain Discovery" (which disables Open Federation)
Blog: www.lynced.com.au | Twitter: @imlynced
-
Lync 2013 skype federation approved
Hi
I have got Skype and Lync 2013 IM federation approved on https://pic.lync.com. My SIP domain shows as activated on its page. Now what shall I do next? As I am still using a self-issued certificate on the external Lync Edge interface, do I need to apply a public certificate so that I can add Skype to my local network Lync client? I could not send IM to my Skype account otherwise. It comes back with error id 504 source 239. I have sip.xxx.com.au, webconf.xxx.com.au and av.xxx.com.au, which point to the Lync Edge, and meet.xxx.com.au, dialin.xxx.com.au, owa.xxx.com.au and lyncdiscover.xxx.com.au, which point to the IIS ARR reverse proxy. I also have lynvweb.xxx.com.au as the external web service. In my case, if I need to apply a public SSL certificate to make my Lync work with Skype, do I have to apply a multi-domain public certificate with up to 10 domains? Would a GoDaddy certificate be usable?
Also, if the Lync Edge external interface certificate gets replaced, does the certificate on the IIS ARR reverse proxy server's default web site binding need to be replaced with a public certificate too?
WenFei Cao
Correct, you need public CA-issued certificates on your Edge external interface in order for federation to work.
Best practice would be to have a public cert loaded on both your Edge and reverse proxy servers; however, in regards to federation, it's your Edge that will be in use. So you don't need to load a public cert on your reverse proxy (I assume you've loaded your root cert on to any mobile devices or other devices that connect in), but I personally would, for the sake of completeness and to prevent any possible certificate trust issues in the future (it will save you loads of headaches). I would typically only use an internal cert for external-facing services when I am testing/labbing and then replace them with public certs before going into production.
Also if you haven't already, follow these steps to configure the provider in Lync: http://blogs.4ward.it/lync-2013-and-skype-federation-how-to/
Blog: www.lynced.com.au | Twitter: @imlynced
-
Lync 2013 A/V not working federated partner
Hi,
I have an interesting problem. I can't make video calls / desktop sharing to only the federated domain, but IM is working properly. The problem is only with A/V calls.
In my Lync organization:
1 front-end
1 edge
1 reverse proxy
From | To | Type | Result
My Lync user (inside) | My Lync user (outside) | IM & A/V & desktop sharing | Success
My Lync user (inside or outside) from PC | Federated Lync domain | IM | Success
My Lync user (inside or outside) from PC | Federated Lync domain | A/V & desktop sharing | Fail due to network issues
My Lync user (inside or outside) from Lync Mobile | Federated Lync domain | Audio / video call | Success
If you sign in from the Lync mobile client and start a video call to the federated domain, it works successfully. But if you sign in from the PC Lync 2013 client and start a video call to the federated domain, it fails. The video invitation reaches the federated domain and the connection is established, but after a few seconds A/V fails due to network issues or "audio/video device not configured".
During the issue, I collected a log using OcsLogger on the Edge Server. I examined the collected log but I could not find an error line.
Please help
Thanks
Hi,
From your description above, there is something wrong during the deployment of Edge Server.
To avoid routing issues, make sure there are at least two network adapters in your Edge Servers and that the default gateway is set only on the network adapter associated with the external interface.
You can configure two network adapters in your Edge Server as follows:
Network adapter 1 (Internal Interface)
For example: Internal interface with 172.25.33.10 assigned.
No default gateway is defined.
Ensure that there is a route from the network containing the Edge internal interface to any networks that contain servers running Lync Server 2013 or Lync Server 2013 clients.
Network adapter 2 (External Interface)
Three private IP addresses are assigned to this network adapter, for example 10.45.16.10 for Access Edge, 10.45.16.20 for Web Conferencing Edge, 10.45.16.30 for AV Edge.
More details:
http://technet.microsoft.com/en-us/library/gg412787.aspx
Best Regards,
Eason Huang
TechNet Community Support -
Migrated to Lync 2013 now need federation assistance
I have migrated from a Lync 2010 environment to a Lync 2013 environment for the Front End Servers. I now need to be able to federate with several other external companies. I am a somewhat intelligent person; however, this piece has me perplexed.
internal domain - domain.local
external domain - domain.com
internal front end server - server00.domain.local
edge server - server11.domain.local (in a workgroup in DMZ)
email domain - domain-company.com
SIP addresses - [email protected]
I have a DMZ with internal and external Checkpoint firewalls; we have blown so many holes through it that the security expert here is afraid. However, testconnectivity.microsoft.com succeeds as long as I do not choose the A/V tests.
I want to have directed federation with other entities within our company and have done nslookups, used Lync IP Tools, and run multiple other tests to find out where I am failing, to understand why I cannot get federation to work.
Any thoughts?
I absolutely deplore certificates....
When you say you want to federate with other entities within your company, are they separate forests/domains? How do you connect to them, over the Internet or via a direct path? Or do I misunderstand? Is your intention to also federate with entities external to your company?
Your SIP domain really should match your email domain, just to make it easier to locate your users from outside. On top of this, you'll be able to get a third-party certificate (they won't typically issue one for .local), which will be valuable for Lync mobility and federation without having the others install your self-signed cert.
Are the certificates currently deployed on the edge self signed or third party?
How many SIP domains do you have deployed?
SWC Unified Communications -
Lync 2013 Server / Roles & Components
Front End
User authentication and registration
Presence information and contact card exchange
Address book services and distribution list expansion
IM functionality, including multiparty IM conferences
Web conferencing, PSTN Dial-in conferencing and A/V conferencing (if deployed)
Application hosting, for both applications included with Lync Server (for example, Conferencing Attendant and Response Group application), and third-party applications
Primary store for user and conference data. Information about each user is replicated among Front End Servers in the pool
Optionally, Monitoring, to collect usage information in the form of call detail records (CDRs) and call error records (CERs). This information provides metrics about the quality of the media (audio and video) traversing your network for both Enterprise
Voice calls and A/V conferences.
Web components to support web-based tasks such as Web Scheduler and Join Launcher.
One Front End pool runs the Central Management Server DB, which manages and deploys basic configuration data to all servers running Lync
Optionally, Archiving, to archive IM communications and meeting content for compliance reasons.
Optionally, if Persistent chat is enabled, Persistent Chat Web Services for Chat Room Management and Persistent Chat Web Services for File Upload/Download.
Back End
Database server running Microsoft SQL Server
Provide the DB services for the Front End pool
Acts as backup store for the pool’s user and conference data
Primary stores for other DB’s like Response Group
High Availability for the BE DB is provided via SQL Mirroring
Optional Witness to enable automatic failover for BE
SQL Server 2008 R2 or higher required for SQL Mirroring
Edge Server
Enable users to communicate and collaborate with users outside the organization’s firewall
Comprises four separate server roles
Access Edge – Acts as a secure proxy for all remote Lync signaling traffic
Remote Access
Federation
Public IM Connectivity (PIC)
Web Conferencing Edge – Enable remote users to participate in Web conferences with internal or remote workers
A/V Edge – Responsible for secure relay of A/V media among internal, external, and federated contacts
XMPP Gateway – Allows IM/P with XMPP federated contacts
Reverse Proxy
Simple URL Publishing – Required for users to join Lync meetings
Web Conferencing Content – Users download meeting content (PowerPoint, Whiteboard, and Poll data) via Lync Web Services when in meeting
Address Book & Distribution List Expansion – Required for users to download Lync Address Book and perform DL expansion
User Certificates – Provides client certificate authentication via Lync Web Services
Device Updates – Provides software updates to Lync IP endpoints
Mobility – Provides connectivity for mobile clients via Lync Web Services
Mediation Server
Translates signaling and media between Lync Server and PSTN, IP-PBX, or SIP Trunk
Can be co-located on Front End or separated as stand-alone Server dependent on call volume
Role facilitates dial-in conferencing
Capacity
Co-located = 150 Concurrent Calls
Standalone = 1100 Concurrent Calls
Persistent Chat
Enable users to participate in multiparty, topic-based conversations that persist over time
Pchat Front End server role runs persistent chat service
Pchat Back End server stores chat content and compliance events
Geographic DR is provided via stretched pool and SQL log shipping to replicate DB info
150k provisioned users / 80k concurrent users
Archiving
Uses SQL Server 2008 R2 or SQL Server 2012 for DB
Capable of archiving the following:
Peer-to-peer IM
Multiparty IM
Web Conferences, including uploaded content and events
A/V for peer-to-peer IM and web conferences
Web conferencing annotations and polls
Monitoring
Agent that runs on each Front End Server that collects and manages information from the Front End and Mediation Servers
Stored on SQL Server DB
Leverages SQL Server Reporting Services for creation of reports related to call quality and metrics
Office Web Apps Server
External server leveraged for rendering PowerPoint slides within the Lync client and Lync Web App
Typically leveraged within SharePoint deployments to deliver browser-based versions of Microsoft Office applications
System Center Ops Mgr
Health configuration in Lync Server 2013 is built around System Center Operations Manager and the use of Lync Server Management Packs. These Management Packs include a number of new features and enhancements, including:
Feature – Description
Synthetic Transactions – Windows PowerShell cmdlets that can be run from various locations to ensure that end user scenarios such as sign-in, presence, IM, and conferencing are readily available to end users.
Call Reliability Alerts – Database queries for Call Detail Records (CDR). These records are written by Front End Servers to reflect whether end users were able to connect to a call or why a call was terminated. These queries result in alerts that indicate when a wide range of end users are experiencing connectivity issues for peer-to-peer calls or basic conferencing functionality.
Media Quality Alerts – Database queries that look at Quality of Experience (QoE) reports published by clients at the end of each call. These queries result in alerts that pinpoint scenarios where users are likely to be experiencing poor media quality during calls and conferences. The data is built upon key metrics such as packet latency and loss, metrics that are known to directly contribute to call quality.
Component Health – Individual server components raise alerts by using event logs and performance counters. These alerts indicate failure conditions that can severely impact one or more end user scenarios. These alerts can also indicate a variety of other failure conditions, including services not running, high failure rates, high message latency, or connectivity issues.
Dependency Health – Failures can occur for a variety of external reasons. The management packs now monitor and collect data for some of the critical external dependencies that might indicate severe issues, including IIS availability, CPU and memory usage of servers and processes, and disk metrics.
Exchange UM
http://www.contactcenterarchitects.com/lync-2013-server-roles-components/
Hi,
Thank you for sharing the information. It is useful for others who do not understand the Lync Server roles and components. Your time and effort are appreciated.
Best Regards,
Eason Huang
TechNet Community Support -
Office web Apps server Lync 2013 Certificate
Hi,
I'll be installing Office Web Apps (OWA) Server with Lync 2013 Standard Edition. External user access is disabled but federation is enabled, meaning OWA will be exposed to the Internet as wabweb.contoso.com; the internal host name of the OWA server is owa.contoso.local.
Does the certificate on the OWA server need to have owa.contoso.local as the certificate principal name and wabweb.contoso.com as a SAN? Or is only owa.contoso.local enough?
It really depends on how you publish the server to the Internet. You have some options. If you are publishing this via a reverse proxy, internally you would have a private cert with the .local name on it and the public name on the reverse proxy. If you are punching a firewall hole/NAT directly to the server, your best option is to use a public cert on that server directly.
That all said, personally I like to make both the internal and external farm URL the same, and use a public cert on the server (if no reverse proxy is in play). So I would actually enter the OWAS farm as wabweb.contoso.com in Topology Builder, then when creating the farm via PowerShell make that both the internal and external URL and get a certificate with a single name on it of wabweb.contoso.com.
Richard
Richard Brynteson, Lync MVP | http://masteringlync.com | http://lyncvalidator.com -
Hi,
I've got some issues with a Lync 2013 setup.
The config consists of 2 Lync servers: one FE and one Edge. All seems to work except audio in meetings and SIP.
The setup is like this (fake IPs used):
Front End:
Internal IP: 172.16.0.10
External IP: x.x.185.10
All ports open in Cisco ASA
Internal AD DNS: dialin/lync/meet/lyncdiscover point to the Front End internal IP; edge/lsedge/sip point to the Edge internal IP.
EDGE:
Internal IP: 172.16.0.11 (no gateway configured)
External IPs: x.x.185.11, x.x.185.12, x.x.185.13
All external IPs are directly internet facing, no NAT (a firewall is in place).
All external interfaces are using a wildcard certificate.
All servers are running in a remote data center, so basically there are no internal users. We all connect to the external interfaces. The Windows domain name (AD) is the same as our external DNS (companyname.com).
Autodiscover works, we can log on and chat, but there is no audio. The audio test fails. Also SIP is not working with a SIP trunk.
External DNS: sip/webconf/av are pointing to their external IPs. sipexternal is a CNAME to sip. lyncdiscover/lync/dialin/meet all point to the Front End external IP.
_sip._tls/_sipfederationtls.tcp/_xmpp-server.tcp all point to the sip.companyname.com ip.
I just can't figure out what is wrong.
@PSingh123 I'll try the logs in a minute and get back with the results.
@PaulB_NZ Thanks for the input. In my opinion the FE does need an external IP. How else will you be able to connect if you are a remote worker?
The Edge is (as far as I know) needed for Enterprise Voice and federation with other (external) SIP domains. It's not needed for basic (chat/video/whiteboard etc.) Lync functionality for both internal and external (remote) users.
The Edge is to communicate with services/users outside the organisation.
I do still think that the basic topology (FE with internal IP and NATed external IP working with an Edge with internal IP and 1 external IP NATed to 3 DMZ IPs) is correct in this case.
I can be wrong and in that case would like to be pointed to the correct configuration.
-
Lync 2013 certificate requirements for multiple SIP domains
Hi All,
I am engaged with a client in respect of a Lync 2013 implementation, initially as a conferencing platform with a view to enabling EV functions (including PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually around 100 SIP domains, which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and has quoted them 5 figures. We tend to use GeoTrust as they are cheaper, but they appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
1. Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
   - Use aliases for access edge FQDNs - supported by the desktop client but not by other devices, so not really workable.
   - Don’t support XMPP federation, therefore removing the need for domain name FQDNs for each SIP domain.
2. Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
   - Friendly URL option 3 from this page: http://technet.microsoft.com/en-us/library/gg398287.aspx
   - Client auto-configuration:
     i. Don’t support mobile client auto-configuration, in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
     ii. Support mobile client auto-configuration over HTTP only, in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
     iii. Support mobile client auto-configuration over HTTPS, in which case DNS records are required for each SIP domain and a SAN entry for each SIP domain is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
3. If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
4. How do certificate requirements differ when using the Lync 2013 Hosting Pack? I would think that this issue is something that a hosting provider would need to overcome.
5. Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think they are eligible to use the hosting pack, but I’m not 100% sure it will work in their environment, given that client connections are supposed to all come through the Edge where their tenants will be internal, and also given the requirement for an ACP for PSTN conferencing.
Many thanks,
Many thanks for the response.
I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
http://technet.microsoft.com/en-us/library/gg398287.aspx
What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
http://technet.microsoft.com/en-gb/library/hh690030.aspx
“Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
to an address of director.contoso.net is not supported over HTTPS.
In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
rule for port 80 (HTTP).
For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
domain.”
I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
As per the below article:
http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
“The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field. This is no longer a requirement (it was in OCS) as it is possible to
create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net).
This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
the same domain namespace. Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
===================
1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
fall under the XXX umbrella but are very much run as individual entities.
Question:
Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
Thanks. -
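The SAN-planning questions in the thread above (which Access Edge and lyncdiscover names must appear on the Edge and reverse proxy certificates, and why the SRV and CNAME shortcuts fail on some devices) can be checked mechanically. The following Python script is an added example, not code from the thread or from Microsoft. It applies the two rules quoted in the post: an SRV record whose target host lies outside the SIP domain's namespace works only on the Windows Lync client, and a lyncdiscover CNAME to a different domain is usable only when mobile auto-configuration is published over HTTP. It uses a constructed in-memory DNS table with hypothetical domains (contoso.com, fabrikam.com, tailspin.com) in place of a live resolver so it runs offline; the fixed webconf/av names of the designated domain are outside its scope.

```python
"""Plan Edge / reverse-proxy certificate SAN entries for a list of SIP domains.

Added example, not from the thread or from Microsoft. The DNS table is
constructed sample data for hypothetical domains, standing in for a resolver.
"""

SRV_RECORDS = ("_sip._tls", "_sipfederationtls._tcp")

# Constructed zone data: (owner name, record type) -> target.
SAMPLE_DNS = {
    # contoso.com is the designated domain; all names live in its own namespace
    ("_sip._tls.contoso.com", "SRV"): "sip.contoso.com",
    ("_sipfederationtls._tcp.contoso.com", "SRV"): "sip.contoso.com",
    ("lyncdiscover.contoso.com", "A"): "203.0.113.10",
    # fabrikam.com reuses contoso's Access Edge and lyncdiscover host (the shortcuts)
    ("_sip._tls.fabrikam.com", "SRV"): "sip.contoso.com",
    ("_sipfederationtls._tcp.fabrikam.com", "SRV"): "sip.contoso.com",
    ("lyncdiscover.fabrikam.com", "CNAME"): "lyncdiscover.contoso.com",
    # tailspin.com has its own Access Edge FQDN and a same-domain CNAME
    ("_sip._tls.tailspin.com", "SRV"): "sip.tailspin.com",
    ("_sipfederationtls._tcp.tailspin.com", "SRV"): "sip.tailspin.com",
    ("lyncdiscover.tailspin.com", "CNAME"): "webext.tailspin.com",
}


def lookup(dns, name, rtype):
    """Single-answer lookup against the in-memory table (case-insensitive)."""
    return dns.get((name.lower().rstrip("."), rtype))


def in_namespace(host, sip_domain):
    """True when host is the SIP domain itself or a name beneath it."""
    host = host.lower().rstrip(".")
    sip_domain = sip_domain.lower().rstrip(".")
    return host == sip_domain or host.endswith("." + sip_domain)


def check_sip_domain(sip_domain, dns=SAMPLE_DNS, xmpp_federation=False,
                     mobile_autodiscover="https"):
    """Return (edge_sans, reverse_proxy_sans, warnings) for one SIP domain.

    mobile_autodiscover is "none", "http" or "https" (options i-iii in the post).
    """
    sip_domain = sip_domain.lower().rstrip(".")
    edge_sans, rp_sans, warnings = set(), set(), []

    # Access Edge: what do this domain's SRV records point at?
    targets = {rec: lookup(dns, f"{rec}.{sip_domain}", "SRV") for rec in SRV_RECORDS}
    for rec, target in targets.items():
        if target is None:
            warnings.append(f"{rec}.{sip_domain}: SRV record missing")
        elif not in_namespace(target, sip_domain):
            warnings.append(
                f"{rec}.{sip_domain} -> {target}: target is outside the {sip_domain} "
                "namespace; Windows Lync client prompts, other clients and devices "
                "may fail automatic sign-in")
    own_names = {t.lower() for t in targets.values() if t and in_namespace(t, sip_domain)}
    if own_names:
        edge_sans |= own_names
    else:
        # Shortcut (or missing record): plan a unique Access Edge FQDN instead
        edge_sans.add(f"sip.{sip_domain}")
    if xmpp_federation:
        # XMPP federation needs the bare SIP domain name on the Edge certificate
        edge_sans.add(sip_domain)

    # Reverse proxy: lyncdiscover.<domain> for mobile auto-configuration
    name = f"lyncdiscover.{sip_domain}"
    cname = lookup(dns, name, "CNAME")
    has_record = cname is not None or lookup(dns, name, "A") is not None
    if mobile_autodiscover == "none":
        pass                                   # option i: no record, no SAN
    elif not has_record:
        warnings.append(f"{name}: no A or CNAME record, mobile auto-configuration will fail")
    elif mobile_autodiscover == "http":
        pass                                   # option ii: CNAME to any domain, port 80 rule, no SAN
    elif mobile_autodiscover == "https":       # option iii: the name must be on the certificate
        rp_sans.add(name)
        if cname and not in_namespace(cname, sip_domain):
            warnings.append(
                f"{name} -> {cname}: CNAME redirection to another domain is not "
                "supported over HTTPS; publish over HTTP or use an in-domain record")
    else:
        raise ValueError(f"unknown mobile_autodiscover mode: {mobile_autodiscover}")
    return edge_sans, rp_sans, warnings


def plan(sip_domains, dns=SAMPLE_DNS, xmpp_federation=False, mobile_autodiscover="https"):
    """Aggregate the SAN lists and warnings over all SIP domains."""
    edge, rp, warnings = set(), set(), []
    for domain in sip_domains:
        e, r, w = check_sip_domain(domain, dns, xmpp_federation, mobile_autodiscover)
        edge |= e
        rp |= r
        warnings.extend(w)
    return sorted(edge), sorted(rp), warnings


if __name__ == "__main__":
    edge, rp, warnings = plan(["contoso.com", "fabrikam.com", "tailspin.com"], xmpp_federation=True)
    print("Edge SANs (plus the fixed webconf/av names):", edge)
    print("Reverse proxy SANs:", rp)
    for w in warnings:
        print("WARNING:", w)
```

Running it against the sample table flags fabrikam.com three times: both SRV records point at sip.contoso.com, and its lyncdiscover CNAME crosses domains, so with HTTPS auto-configuration it still needs its own SAN entries (and an in-domain record), whereas tailspin.com needs a SAN per name but raises no warning. Swap `SAMPLE_DNS` for real lookups to audit an existing deployment.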
Lync 2013 Edge server compatibility with Lync 2010 Front End Pool
Hi All,
Technet article (http://technet.microsoft.com/en-us/library/jj688121.aspx) says the following:
If your legacy Lync Server 2010 Edge Server is configured to use the same FQDN for the Access Edge service, Web Conferencing Edge service, and the A/V Edge service, the procedures in this section are not supported. If the
legacy Edge services are configured to use the same FQDN, you must first migrate all your users from Lync Server 2010 to Lync Server 2013, then decommission the Lync Server 2010 Edge Server before enabling federation on the Lync Server 2013 Edge Server.
Can you tell me why it is you have to change the External Lync Web services URL during a migration to Lync 2013 from Lync 2010. What purpose does this serve?
Also can you clarify this and explain why this is required, why would you have to migrate all of your users, would a Lync 2013 Edge not talk to a Lync 2010 front-end?
Any help would be much appreciated. MANY THANKS.
Thank you very much for all your inputs.
We still have few questions:
Questions:
Can you tell me if Lync 2010 users will be able to log in using mobility if we repoint the reverse proxy (TMG) web services publishing rule to the Lync 2013 server? Remember both systems, Lync 2010 and 2013, are using the same web services URL, so they will both end up at the Lync 2013 server. Alternatively, if not, we will migrate all users to 2013; this is not a problem.
In addition to this I cannot find anything that states how Exchange UM will operate when you are running from a backup pool and the exchange UM contacts are not available because they are homed on the server that is down. This
configuration is 2 x standard edition servers pool paired. How can we make sure Exchange voice mail works during a pool failover?
Call Park is not clear to me I read the following:
Lync Server 2013 provides new disaster recovery mechanisms in the form of failover and failback processes. These failover and failback processes support recovery of Call Park functionality by allowing
users who are homed in the primary pool to leverage the Call Park application of the backup pool when an outage occurs in the primary pool. Support for disaster recovery of the Call Park application is enabled as part of the configuration and deployment of
paired Front End pools.
Is this saying we need to deploy Call Park in the DR pool and use a different range of orbit numbers, or can we use the same range in the DR pool?
Further, I can see that Common Area Phones will be fine as they will log into the DR pool automatically. Response Groups need to be exported and imported to the DR pool. Incidentally these did not migrate well at all and have
caused us a big headache!
Any inputs will be greatly appreciated. Thanks again for all of your time. -
Merge Lync 2013 Edge servers in same pool
Hi guys.
- We had Lync 2013 FE STD version.
- We have added one more Lync 2013 FE STD and done front end pool pairing.
- We had a single Edge Pool, so only 1 Edge server being in 1 pool.
We wish to add another Edge server and put previous and this new Edge server in one pool.
This is a printscreen of our current Edge Deployment.
Because we have a federation enabled with external partners who had put in their lync configuration
to trust to our public external address of current edge server: LyncEDGESIP.domain.com, we would like to avoid sending them new address and we have decided to keep that public address and make it EDGE POOL NAME where both edge servers would be inside.
Now we are little bit confused/amused what to do next.
If we use LyncEDGESIP.domain.com as the FQDN of the Edge pool with two Edge servers, what would we need to do with our current Edge server?
What to put for:
Access Edge Service public address on both edge servers
Web Conferencing Edge Service public address on both edge servers
A/V Edge Service public address on both edge servers.
bostjanc
Go with a cutover migration if you can take downtime. Here is the high level summary for your reference:
Remove existing edge server from topology and publish the changes.
Create a new edge server pool in topology builder.
Make sure that the access edge, web conference edge and AV edge names remain the same.
Publish the topology and run the setup on both edge servers. You need to configure external and internal IP addresses based on Lync topology.
Replicate the configuration change and run the deployment wizard.
Import the certificate and start the services.
Create additional DNS A records for load balancing externally.
Thanks
Saleesh
If answer is helpful, please hit the green arrow on the left, or mark as answer.
Technet Blog