

Installing Lync 2013 Edge Server

Overview

The Edge Server gives external users the same features and experience that internal users have with Lync Server 2013.
With the Edge Server published, the following features are supported:

  • Connecting remote clients;
  • Federation with messenger; 
  • Integration with Public IM's;

The Edge service requires a server with two network cards, each connected to a different network segment. The Edge Server supports NAT only on the NIC that is routed to the Internet. NAT is not supported on the network card connected to the internal network. In this deployment the Edge sits in a DMZ divided into two networks. The IP addresses of the servers and networks are described in the figure and tables below:
 

http://2.bp.blogspot.com/-zUUW9hm7rkA/UWwiYqBL7_I/AAAAAAAAFok/Qlcq2sJh6zM/s640/Office2013.png

The corporate network servers run Windows Server 2012. All servers belong to the same Active Directory Domain Services domain with the internal FQDN home.intranet, and there is a Lync Server Standard pool with the SIP domain home.com.br.

| Server Name | IP | Role |
|---|---|---|
| Hm01.home.intranet | 172.16.1.245/24 | Domain Controller and Enterprise Certification |
| Hm02.home.intranet | 172.16.1.246/24 | Lync Server Standard |
| Hm11.home.intranet | 172.16.1.251/24 | Office Web Apps Server |

Three firewalls separate the network segments, configured as follows:

| Firewall Name | 1st IP Address | 2nd IP Address | Description |
|---|---|---|---|
| FW-Internal | 172.16.1.210/24 | 192.168.0.210/24 | Firewall separating the Corporate Network from DMZ Network 1. Traffic between the two networks is routed. |
| FW-DMZ | 192.168.0.250/24 | 10.0.0.250 | Firewall separating DMZ Network 1 from DMZ Network 2. Traffic between the two networks is routed. |
| FW-External | 10.0.0.254 | xxx.x.178.155, xxx.x.178.156, xxx.x.178.157 | Firewall separating DMZ Network 2 from the Internet. Traffic between the two networks uses NAT, and all of the environment's public IP addresses are configured on this device. |

In the DMZ there are two servers, each configured with two network cards, with each adapter connected to a different DMZ network. These servers are members of the workgroup home.dmz. Only the ports required to publish the services are opened on the internal and external firewalls.

| Server Name | DMZ Network 1 IP | DMZ Network 2 IP | Description |
|---|---|---|---|
| HmRP | 192.168.0.150/24 | 10.0.0.150/24 | IIS Reverse Proxy |
| HmEdge | 192.168.0.120/24 | 10.0.0.120/24, 10.0.0.121, 10.0.0.122 | Lync Edge Server |

Configuring the DNS Service

Internal DNS

Two zones are configured on the domain controller HM01. The zone home.intranet is integrated with Active Directory and supports dynamic updates; a record that resolves the FQDN of the Edge Server in the DMZ was created in it manually.

http://1.bp.blogspot.com/-xCKlgOppGMo/UWb6R1TtwHI/AAAAAAAAFas/qz-wqyHVkxM/s400/edg001.png

The second zone, home.com.br, does not support dynamic updates; it holds the records created for the Lync pool and Exchange.

http://4.bp.blogspot.com/-CFuoYDPTLTA/UWgQXq2kyDI/AAAAAAAAFbQ/iEUHLCteg6E/s400/edg002.png  http://4.bp.blogspot.com/-v-ArQVXOEVI/UWgQXut8O7I/AAAAAAAAFbM/hCJUjtsyzVk/s320/edg003.png 

The following records were created in the zone:

| Record Type | FQDN | IP / Target | Description |
|---|---|---|---|
| A | sip.home.com.br | 172.16.1.246 | Internal address of the Front End or Director for internal network clients |
| A | admin.home.com.br | 172.16.1.246 | Pool administration URL |
| A | DialIn.home.com.br | 172.16.1.246 | Dial-in access URL |
| A | meet.home.com.br | 172.16.1.246 | Meeting web services URL |
| A | lyncdiscoverinternal.home.com.br | 172.16.1.246 | Lync AutoDiscover service record for internal users |
| A | lyncdiscover.home.com.br | 172.16.1.246 | Lync AutoDiscover service record for external users |
| SRV | Service: _sipinternaltls, Protocol: _tcp, Port: 5061 | sip.home.com.br | Service locator record for internal client connections using TLS |
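To confirm that the internal zone matches the table above, the records can be queried and compared with the expected values. This is an added example, not part of the original article; `Test-LyncInternalDns` is a hypothetical helper name, and it assumes the DnsClient module (Windows Server 2012 or Windows 8 and later) and HM01 (172.16.1.245) as the resolver.

```powershell
# Added example: compare the internal home.com.br zone with the records listed above.
# Test-LyncInternalDns is a hypothetical name; all expected values come from the table.
function Test-LyncInternalDns {
    param(
        [string]$DnsServer = '172.16.1.245'   # HM01, the domain controller hosting the zone
    )

    $expectedA = [ordered]@{
        'sip.home.com.br'                  = '172.16.1.246'
        'admin.home.com.br'                = '172.16.1.246'
        'DialIn.home.com.br'               = '172.16.1.246'
        'meet.home.com.br'                 = '172.16.1.246'
        'lyncdiscoverinternal.home.com.br' = '172.16.1.246'
        'lyncdiscover.home.com.br'         = '172.16.1.246'
    }

    $results = @(foreach ($name in $expectedA.Keys) {
        $answer = Resolve-DnsName -Name $name -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' }
        $found = @($answer | Where-Object { $_ } | ForEach-Object { [string]$_.IPAddress })
        [pscustomobject]@{
            Record   = "A $name"
            Expected = $expectedA[$name]
            Found    = $found -join ', '
            # Exactly one answer, and it must be the Front End address.
            Ok       = ($found.Count -eq 1 -and $found[0] -eq $expectedA[$name])
        }
    })

    # SRV record that internal clients use to locate the pool over TLS.
    $srvName = '_sipinternaltls._tcp.home.com.br'
    $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    $srvFound = @($srv | Where-Object { $_ } |
                  ForEach-Object { '{0}:{1}' -f $_.NameTarget.TrimEnd('.'), $_.Port })
    $results += [pscustomobject]@{
        Record   = "SRV $srvName"
        Expected = 'sip.home.com.br:5061'
        Found    = $srvFound -join ', '
        Ok       = ($srvFound.Count -eq 1 -and $srvFound[0] -eq 'sip.home.com.br:5061')
    }

    $results
}

Test-LyncInternalDns | Format-Table -AutoSize
```

A row with `Ok = False` and an empty `Found` column means the record is missing from the zone on the queried server; a populated `Found` column means it exists but points somewhere other than the table says.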

External DNS

In the Internet-facing DNS zone home.com.br, the following records were created:

| Record Type | FQDN | IP / Target | Description |
|---|---|---|---|
| A | sip.home.com.br | xxx.x.178.155 | External address of the Edge Server for external client connections |
| A | WebConf.home.com.br | xxx.x.178.156 | Access URL for the Edge Server web services |
| A | AV.home.com.br | xxx.x.178.157 | URL for the audio and video services |
| SRV | _sip._tls.home.com.br | sip.home.com.br:443 | Service locator record for external client connections using TLS. This connection should point to port 443. |

Configuring the Firewall

Ports Requirement for Internal Access

The following ports must be allowed between the Edge Server's internal network card, the Lync pool servers and internal network clients:

| Protocol / Port | Source | Destination | Description |
|---|---|---|---|
| SIP/TCP/5061 | IP address of the Front End Server or Director Server | IP address of the Edge Server's internal network card | Outbound SIP traffic from the Front End or Director Server to the Edge Server's internal network card |
| SIP/TCP/5061 | IP address of the Edge Server's internal network card | IP address of the Front End Server or Director Server | Inbound SIP traffic from the Edge Server's internal network card to the Front End or Director |
| PSOM/TCP/8057 | IP address of the Front End Server or Director Server | IP address of the Edge Server's internal network card | Web conferencing traffic from the Front End Server to the Edge Server's internal network card |
| SIP/TCP/5062 | IP address of the Front End Server or Director Server | IP address of the Edge Server's internal network card | Authentication of Audio/Video users from the Front End Server to the Edge Server |
| STUN/UDP/3478 | All Corporate Network IPs | IP address of the Edge Server's internal network card | Audio/Video media traffic between internal and external users |
| STUN/TCP/443 | All Corporate Network IPs | IP address of the Edge Server's internal network card | Fallback path for Audio/Video media traffic between internal and external users. If the connection over UDP fails, port 443/TCP is used for media traffic. |
| HTTPS/TCP/4443 | IP address of the Front End or Back End Server | IP address of the Edge Server's internal network card | Replication of settings from the internal pool to the Edge Server's Local Configuration Store |
| MTLS/TCP/50001 | All Corporate Network IPs | IP address of the Edge Server's internal network card | Centralized Logging Service controller, using the Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController (ClsController.exe) or agent (ClsAgent.exe) commands and logs |
| MTLS/TCP/50002 | All Corporate Network IPs | IP address of the Edge Server's internal network card | Centralized Logging Service controller, using the Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController (ClsController.exe) or agent (ClsAgent.exe) commands and logs |
| MTLS/TCP/50003 | All Corporate Network IPs | IP address of the Edge Server's internal network card | Centralized Logging Service controller, using the Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController (ClsController.exe) or agent (ClsAgent.exe) commands and logs |
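The TCP rules in the table above can be checked from each side of FW-Internal once the Edge services are running (before that, nothing is listening on the Edge ports). This is an added example, not part of the original article; `Test-TcpPort` and `Test-EdgeInternalRules` are hypothetical helper names, the two negative checks (445 and 3389) are constructed illustrations of ports that are not in the rule set, and UDP 3478 is not covered because a TCP connect cannot test it.

```powershell
# Added example: verify the FW-Internal TCP rules from the Front End or from the Edge.
# Helper names are hypothetical; addresses and ports come from the tables in this article.
function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # filtered / timed out
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

function Test-EdgeInternalRules {
    param(
        [ValidateSet('FrontEnd', 'Edge')]
        [string]$RunningOn = 'FrontEnd'   # which server the script is executed on
    )
    $edgeInternal = '192.168.0.120'   # HmEdge, DMZ Network 1 NIC
    $frontEnd     = '172.16.1.246'    # Hm02, Lync Server Standard

    $rules = @(
        @{ From = 'FrontEnd'; Target = $edgeInternal; Port = 5061;  Expect = $true;  Use = 'SIP, Front End to Edge' }
        @{ From = 'FrontEnd'; Target = $edgeInternal; Port = 8057;  Expect = $true;  Use = 'PSOM web conferencing' }
        @{ From = 'FrontEnd'; Target = $edgeInternal; Port = 5062;  Expect = $true;  Use = 'A/V authentication' }
        @{ From = 'FrontEnd'; Target = $edgeInternal; Port = 443;   Expect = $true;  Use = 'STUN/TCP media fallback' }
        @{ From = 'FrontEnd'; Target = $edgeInternal; Port = 4443;  Expect = $true;  Use = 'Configuration replication' }
        @{ From = 'FrontEnd'; Target = $edgeInternal; Port = 50001; Expect = $true;  Use = 'Centralized Logging' }
        @{ From = 'FrontEnd'; Target = $edgeInternal; Port = 50002; Expect = $true;  Use = 'Centralized Logging' }
        @{ From = 'FrontEnd'; Target = $edgeInternal; Port = 50003; Expect = $true;  Use = 'Centralized Logging' }
        @{ From = 'Edge';     Target = $frontEnd;     Port = 5061;  Expect = $true;  Use = 'SIP, Edge to Front End' }
        # Constructed negative checks: ports absent from the table should stay closed.
        @{ From = 'Edge';     Target = $frontEnd;     Port = 445;   Expect = $false; Use = 'SMB (not in the rule set)' }
        @{ From = 'Edge';     Target = $frontEnd;     Port = 3389;  Expect = $false; Use = 'RDP (not in the rule set)' }
    )

    foreach ($rule in ($rules | Where-Object { $_.From -eq $RunningOn })) {
        $open = Test-TcpPort -Address $rule.Target -Port $rule.Port
        [pscustomobject]@{
            Target    = $rule.Target
            Port      = $rule.Port
            Use       = $rule.Use
            Reachable = $open
            Ok        = ($open -eq $rule.Expect)
        }
    }
}

Test-EdgeInternalRules -RunningOn FrontEnd | Format-Table -AutoSize
```

Run it with `-RunningOn Edge` on HmEdge to check the reverse direction; an `Ok = False` on a negative check means the firewall allows more from the DMZ into the corporate network than the table requires.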

http://3.bp.blogspot.com/-vVv_8hSmrbY/UWitWoTPruI/AAAAAAAAFgs/v8Tg31YQJ3E/s400/Fw-int.png

Ports Requirement for External Access

To publish the Lync services, create the following rules on the Internet-facing firewall:

| Protocol / Port | Source | Destination | Description |
|---|---|---|---|
| SIP/TCP/443 | Any Internet address | Public IP of the Edge Server SIP service | Client-to-server SIP traffic for external users |
| SIP/TCP/5061 | Any Internet address | Public IP of the Edge Server SIP service | |
| SIP/TCP/5061 | Public IP of the Edge Server SIP service | Any Internet address | |
| PSOM/TCP/443 | Any Internet address | Edge Server Web Conferencing service | Web conferencing media |
| STUN/UDP/3478 | Public IP of the Edge Server A/V service | Any Internet address | Traffic used by the client to determine the version of the Edge Server. |
| STUN/UDP/3478 | Any Internet address | Public IP of the Edge Server A/V service | Connection negotiation traffic over UDP |
| STUN/TCP/443 | Any Internet address | Public IP of the Edge Server A/V service | Connection negotiation traffic on TCP/443 |
| STUN/TCP/443 | Public IP of the Edge Server A/V service | Any Internet address | Connection negotiation traffic on TCP/443 |

http://3.bp.blogspot.com/-27xIA9S1lDY/UWitWnHH97I/AAAAAAAAFgw/K3LUAHXdPQg/s400/Fw-ext.png

Configuring Access Policies

By default, when the pool is created, the Lync external access policy called Global is created with all access disabled. To allow external access for Lync clients, you need to change the default policy or create a new policy for users.
Changing the Global policy gives all users the ability to connect externally. In the Lync Server Control Panel, open the Federation and External Access tab, go to Access Edge Configuration and select the Global policy.

http://3.bp.blogspot.com/-HNzf9oMhGLg/UWgbShvqPYI/AAAAAAAAFbo/TfRq0DWilmA/s320/edg004.png

Select the options Enable remote user access and Enable anonymous user access to conferences

http://1.bp.blogspot.com/-AWuJA_G1k8M/UWgbSohDC0I/AAAAAAAAFbk/j7Zf_n0_Db4/s320/edg005.png

Check that the policy was changed successfully.

http://1.bp.blogspot.com/-UPrbgMxjSWE/UWgbSuiv9oI/AAAAAAAAFbs/FOr1MJukQHQ/s320/edg006.png

Return to the Lync Server Control Panel, click External Access Policy and edit the Global policy.

http://1.bp.blogspot.com/-Sq6YiejG0I0/UW6SqIccQZI/AAAAAAAAFo0/Qfdj4iuXuTk/s320/edg095.png

Check the option Enable communication with remote users and apply the changes.

http://3.bp.blogspot.com/-4Jm4GPdEYsM/UW6SqL7_z5I/AAAAAAAAFo4/EAvwiEtEqWM/s320/edg096.png
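The same settings can be applied from the Lync Server Management Shell, including the alternative mentioned above of creating a separate policy for selected users instead of opening the Global policy to everyone. This is an added example, not part of the original article; `Enable-LyncRemoteAccess`, the policy name `RemoteAccessUsers` and the two SIP addresses are hypothetical or constructed values.

```powershell
# Added example: run in the Lync Server Management Shell.
# Enable-LyncRemoteAccess and 'RemoteAccessUsers' are hypothetical names.
function Enable-LyncRemoteAccess {
    param(
        [string[]]$SipAddress = @(),                  # users who should get remote access
        [string]$PolicyName = 'RemoteAccessUsers',    # per-user policy created on demand
        [switch]$UseGlobalPolicy                      # the article's approach: all users
    )

    # Edge-wide switches: "Enable remote user access" and
    # "Enable anonymous user access to conferences" in Access Edge Configuration.
    Set-CsAccessEdgeConfiguration -AllowOutsideUsers $true -AllowAnonymousUsers $true

    if ($UseGlobalPolicy) {
        # Every user that has no other policy assigned becomes able to sign in remotely.
        Set-CsExternalAccessPolicy -Identity Global -EnableOutsideAccess $true
    }
    else {
        # Leave Global disabled and grant remote access only to the listed users.
        if (-not (Get-CsExternalAccessPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
            New-CsExternalAccessPolicy -Identity $PolicyName -EnableOutsideAccess $true | Out-Null
        }
        foreach ($user in $SipAddress) {
            Grant-CsExternalAccessPolicy -Identity $user -PolicyName $PolicyName
        }
    }

    # Report the resulting policies so the change can be reviewed.
    Get-CsExternalAccessPolicy |
        Select-Object Identity, EnableOutsideAccess, EnableFederationAccess, EnablePublicCloudAccess
}

# Constructed sample addresses in the article's SIP domain.
Enable-LyncRemoteAccess -SipAddress 'sip:user1@home.com.br', 'sip:user2@home.com.br'
```

With the per-user policy, the Global policy keeps `EnableOutsideAccess` set to False, so accounts that were never granted `RemoteAccessUsers` cannot sign in through the Edge.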

Creating the Edge Server Pool

All steps of creating and configuring the Edge Server pool are performed using the Topology Builder. Start the tool and select Download Topology from existing deployment.

http://1.bp.blogspot.com/-ldUaUNC8Obs/UWgtQWpHgrI/AAAAAAAAFcU/R7An7mORGJ0/s320/edg007_1.png

 

http://3.bp.blogspot.com/-YUpBr_Ia890/UWgtP12KwKI/AAAAAAAAFcQ/m41rTpNjzQU/s320/edg007.png

Right-click Edge pools and choose New Edge Pool... to create a pool.

http://2.bp.blogspot.com/-gh94aqFxAss/UWgtPzN-0lI/AAAAAAAAFcY/HeoXbcMh5dU/s320/edg008.png

Proceed to start creating the pool.

http://4.bp.blogspot.com/-w8whnmxnsYw/UWgtRXfB6-I/AAAAAAAAFcs/d2moDr2hD8s/s320/edg009.png

Select Single computer pool and enter the internal FQDN reserved for the Edge Server, in this environment HmEdge.home.intranet.

http://4.bp.blogspot.com/-7nHrCMFODGw/UWgtRZZJlRI/AAAAAAAAFeA/TvZN5UHeXI8/s320/edg010.png

At this time I will not configure any integration with other IM services; leave all the boxes unchecked and proceed.

http://4.bp.blogspot.com/-5j-DY7WpXMo/UWgtRrd3iHI/AAAAAAAAFeM/X7Y4Mh9ZQwA/s320/edg011.png

In this environment I have only IPv4 addresses on both the internal and external interfaces, so leave only those boxes selected. The external network adapter of the Edge Server is connected to DMZ Network 2, which the firewall publishes through NAT, so I selected the last check box, The external IP address of this Edge pool is translated by NAT.

http://1.bp.blogspot.com/-56uPLjjXtGc/UWgtSf8sCCI/AAAAAAAAFeg/hhS9OBfIofQ/s320/edg012.png

Next, configure the external FQDNs for the Edge pool access services. In this deployment the three services are published on secure port 443, each with a different public IP address.

http://1.bp.blogspot.com/-u46KQzZUSGo/UWgtSq6d69I/AAAAAAAAFeE/dpngyVk10pQ/s320/edg013.png

Configure the IP address of the network card that communicates with the pool on the corporate network. In this scenario it is 192.168.0.120.

http://3.bp.blogspot.com/-S916U3mm_yo/UWgtS3p_EMI/AAAAAAAAFeQ/MDapGwJAaoI/s320/edg014.png

Configure the IPs assigned to the Edge Server's external network adapter, associating one private IP with each service.

http://4.bp.blogspot.com/-e4pf-Zfqc48/UWgtTBAdNUI/AAAAAAAAFeI/9uoNAL5Xml0/s320/edg015.png

Configure the public IP address that will be used for the pool's Audio and Video service.

http://1.bp.blogspot.com/-VS2lK69tcvM/UWgx5xp025I/AAAAAAAAFes/begEOsjCzyo/s320/edg019.png

Configure which Front End pool the Edge pool will work with.

http://2.bp.blogspot.com/-_OQ2G3IMPb4/UWgtTvgAicI/AAAAAAAAFdI/FRiNl2a1ANk/s320/edg017.png

Configure which Front End servers will be used by the Edge, and finish creating the pool.

http://1.bp.blogspot.com/-nhrjYa6WCi8/UWgtT2OjDqI/AAAAAAAAFeY/m4gzIylSpHQ/s320/edg018.png

Return to Topology Builder and publish the settings.

http://2.bp.blogspot.com/-olyEmTWx7GM/UWgtVhJ64UI/AAAAAAAAFd8/-EtYJmqAvAQ/s320/edg022.png

Proceed to start writing the changes to the database.

http://4.bp.blogspot.com/-nPkZB11KXo4/UWgtV5nnBJI/AAAAAAAAFd4/i5693LqeAQ0/s320/edg023.png

The process should finish without errors.

http://1.bp.blogspot.com/-zchJHwhGzRg/UWgtV6Ry85I/AAAAAAAAFdw/b4vWtsqxr0E/s320/edg024.png

With the Edge Server pool created and published to the Central Management Store, export the pool settings to a file that will be used in the Edge Server installation. Start the Lync Server Management Shell and run the cmdlet:

Export-CsConfiguration -FileName <folder path>\<file name>.zip

http://1.bp.blogspot.com/-8LW6fbffz_Y/UWgtW9THM1I/AAAAAAAAFd0/POJ6Xv5Zdp8/s400/edg025.png

Open the certificate server's web service and export the root certificate into the same folder.

http://2.bp.blogspot.com/-ruferNn-hI8/UWg24T7jzQI/AAAAAAAAFe8/LZltlAKP18Y/s320/edg026.png

http://1.bp.blogspot.com/-WbmMnNqh0HE/UWg23ZRlHmI/AAAAAAAAFe0/f3MVuX9KoZo/s320/edg027.png

Copy the entire contents of this folder to the Edge Server.

Edge Server Configuration

The Edge Server has two network cards, each connected to a different DMZ network. The card on DMZ Network 1 is treated as the server's internal network card, and the card on DMZ Network 2 is treated as the server's external network adapter.

http://3.bp.blogspot.com/-TSBTNSDaQ1U/UWhRq88l9gI/AAAAAAAAFfQ/72xdSCTuLSE/s320/edg029.png

The DMZ Network 1 NIC was configured with the IP 192.168.0.120. This card was configured without a default gateway address.

http://4.bp.blogspot.com/-BmJUwRnp45I/UWhRrMxC7HI/AAAAAAAAFfg/37m_bWjo9C4/s320/edg030.png

The DMZ Network 2 NIC was configured with three private IPs, one for each Edge access service: 10.0.0.120/24, 10.0.0.121/24 and 10.0.0.122/24. This card was configured with the default gateway pointing to the external firewall.

http://2.bp.blogspot.com/-1CN919UCIiU/UWhRrRGj0VI/AAAAAAAAFfk/ArzBwpXSXC8/s320/edg031.png

The Edge Server must be able to route packets from clients to the Lync Front End pool. To do this, add a route on the server to the Corporate Network range 172.16.1.0/24.

http://1.bp.blogspot.com/--pxZGQJIcfY/UWhRsiffEaI/AAAAAAAAFgI/_TCK3EXBIVg/s320/edg032.png

To enable communication between the Edge Server and the Front End, add an outbound route for the 172.16.1.0/24 network through the Edge Server's internal card. To identify which interface to use for the route, first run ipconfig /all.

http://1.bp.blogspot.com/-MlY9nhs7t-8/UWhRs0tUibI/AAAAAAAAFgA/I7Z8ubfAKuA/s320/edg033.png

Use route print to identify the number of the physical interface. In this scenario the internal network card is listed as IF 12.

http://4.bp.blogspot.com/-1Jp9oKBLkIc/UWhRsmGwKlI/AAAAAAAAFf4/ZxJNclP7v0M/s400/edg034.png

Run the route add command with the -p option to make the route persistent, so that it is not erased when the server restarts.

route -p add <network address> mask <subnet mask> <gateway IP> if <interface index>

http://4.bp.blogspot.com/-tfnxbY76dOw/UWhRtOzEhGI/AAAAAAAAFgE/qrt4hOoy0A4/s400/edg035.png

After adding the routes, configure the DNS suffix on the Edge Server. On the computer name tab click Change, then click More and, under Primary DNS suffix of this computer, enter the suffix of the Active Directory Domain Services domain. This step is necessary to ensure that the server's FQDN matches the FQDN entered for the Edge in Topology Builder. Failing to complete this step will cause problems when installing the Edge Server role.

http://3.bp.blogspot.com/-k1MqcTbDAvw/UWhRtrxuMgI/AAAAAAAAFgQ/N1BJ--0wnUU/s320/edg036.png

The Edge Server must be able to resolve the FQDN of the Front End. To do this, add the name and IP of the Front End to the hosts file, located at C:\Windows\System32\drivers\etc\hosts.

http://3.bp.blogspot.com/-ZtFzEM-SwPk/UWhRrK7RKDI/AAAAAAAAFfo/PEtXcGH_rgM/s320/edg028.png

To test routing, allow ping on the firewall and ping an address on the internal corporate network.

http://3.bp.blogspot.com/-ymy49Td8h9k/UWha5NIDSCI/AAAAAAAAFgU/xR6RIPgpi_o/s400/edg037.png

To finalize the operating system configuration, import the HM01 root certificate into the Trusted Root Certification Authorities folder.

http://3.bp.blogspot.com/-edXkKxVz2VI/UWhdfjvoJrI/AAAAAAAAFgc/hDZYt5BdIQI/s400/edg038.png
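Before starting the Lync setup, the operating system steps in this section can be verified in one pass. This is an added example, not part of the original article; `Test-EdgeHostPrep` is a hypothetical helper name, the root certificate path is a placeholder, and the next hop 192.168.0.210 is taken from the FW-Internal row of the firewall table (the matching command would be `route -p add 172.16.1.0 mask 255.255.255.0 192.168.0.210 if 12`).

```powershell
# Added example: read-only checks of the Edge Server OS preparation described above.
# Test-EdgeHostPrep is a hypothetical name; $RootCaFile is a placeholder path.
function Test-EdgeHostPrep {
    param(
        [int]$InternalIfIndex = 12,                       # IF 12 in this article's route print
        [string]$RootCaFile = 'C:\EdgeSetup\rootca.cer'   # placeholder: file copied from the Front End
    )
    $checks = @()

    # 1. Primary DNS suffix: the FQDN must match the one entered in Topology Builder.
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $fqdn = '{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName
    $checks += [pscustomobject]@{ Check = 'FQDN matches topology'; Found = $fqdn
                                  Ok = ($fqdn -eq 'HmEdge.home.intranet') }

    # 2. The internal NIC must not carry a default gateway (only the external NIC does).
    $ipCfg = Get-NetIPConfiguration -InterfaceIndex $InternalIfIndex -ErrorAction SilentlyContinue
    $gw = if ($ipCfg -and $ipCfg.IPv4DefaultGateway) { $ipCfg.IPv4DefaultGateway.NextHop -join ', ' } else { '' }
    $checks += [pscustomobject]@{ Check = 'Internal NIC has no default gateway'; Found = $gw
                                  Ok = ([bool]$ipCfg -and -not $ipCfg.IPv4DefaultGateway) }

    # 3. Persistent route to the corporate network; route -p stores it under this key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes'
    $route = @(@((Get-Item $key).Property) -like '172.16.1.0,255.255.255.0,192.168.0.210,*')
    $checks += [pscustomobject]@{ Check = 'Persistent route to 172.16.1.0/24'; Found = $route -join '; '
                                  Ok = ($route.Count -gt 0) }

    # 4. hosts file entry for the Front End (Hm02).
    $hostsLines = @(Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
    $entry = @($hostsLines -match '^\s*172\.16\.1\.246\s+(.*\s)?Hm02\.home\.intranet(\s|$)')
    $checks += [pscustomobject]@{ Check = 'hosts entry for Front End'; Found = $entry -join '; '
                                  Ok = ($entry.Count -gt 0) }

    # 5. The exported root certificate is present in the machine's trusted root store.
    if (Test-Path $RootCaFile) {
        $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCaFile
        $checks += [pscustomobject]@{ Check = 'Root CA trusted'; Found = $ca.Subject
                                      Ok = (Test-Path "Cert:\LocalMachine\Root\$($ca.Thumbprint)") }
    }
    else {
        $checks += [pscustomobject]@{ Check = 'Root CA trusted'; Found = 'certificate file not found'; Ok = $false }
    }

    $checks
}

Test-EdgeHostPrep | Format-Table -AutoSize
```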

Installing the Edge Server Services

The following operating systems are supported for installing the Edge Server:

  • Windows Server 2008 R2 Enterprise Edition SP1 or Windows Server 2008 R2 Standard Edition SP1
  • Windows Server 2012 Standard or Datacenter

Installing the services also requires the following server features:

In Windows Server 2012 the features are installed through Server Manager.

  • Windows Identity Foundation; run the cmdlet:

add-WindowsFeature Windows-Identity-Foundation

http://1.bp.blogspot.com/-N94y3tLnfuw/UWi2xcKt2WI/AAAAAAAAFhE/g6EcODqrheo/s400/edg039.png

  • .NET Framework 4.5:

add-WindowsFeature Net-Framework-45-core

http://4.bp.blogspot.com/-Q-3nWYc8ooc/UWi2yNSDe7I/AAAAAAAAFhM/sxPFPJUI_eU/s400/edg040.png

Creating the Local Configuration Store

To begin installing the Local Configuration Store, load the Lync Server media and double-click it to start the wizard.

http://2.bp.blogspot.com/-e1jbtqN3lr8/UWi_y0lLfrI/AAAAAAAAFhg/Gt2AP72AznA/s320/edg041.png

Set the installation folder of files and click Install

http://1.bp.blogspot.com/-d60dy-6R7S8/UWi_zGuZ3EI/AAAAAAAAFhw/DIFL_RdrdLs/s320/edg042.png

Accept the license terms and click OK

http://2.bp.blogspot.com/-C8YwJnFO1VI/UWi_zB9bfeI/AAAAAAAAFhs/8Gcs5Ej7rpY/s320/edg043.png

Click Install or Update Lync Server System

http://2.bp.blogspot.com/-f5gNQA_v0Ug/UWi_2pUUq2I/AAAAAAAAFh4/YacJUKdL_GU/s320/edg044.png

Run the first step Install Local Configuration Store

http://1.bp.blogspot.com/-7pb2AGZX2iM/UWi_512DN1I/AAAAAAAAFiI/7Ip21Tzg0cs/s320/edg045.png

Select Import from file (recommended for Edge Servers), click Browse... and select the file generated by the Export-CsConfiguration cmdlet on the Front End.

http://4.bp.blogspot.com/-Vh289TpShH0/UWi_5Iz5ZSI/AAAAAAAAFiA/8qtbSks-Wvw/s320/edg046.png

Finalize the installation of Configuration Store and return to the setup wizard

http://4.bp.blogspot.com/-AsjFTN_Jgxc/UWi_6p-R1XI/AAAAAAAAFiQ/S0MmekB13uo/s320/edg047.png

Installation and Service Components

Run the second step Setup or Remove Lync Server Components

http://3.bp.blogspot.com/--6H_0I_Xlsk/UWi_-Cl4s9I/AAAAAAAAFig/apEeYNxFlg0/s320/edg048.png

Proceed to start copying the files and installing the services.

http://1.bp.blogspot.com/-4ewsu2awhZM/UWi_7ZfD3BI/AAAAAAAAFiY/vg3Hbg_CTJ0/s320/edg049.png

Finish the wizard and return to the Lync Server installation wizard.

http://3.bp.blogspot.com/-99nRkvFRuNg/UWi_-oixRyI/AAAAAAAAFio/2TXZBK2nUSc/s320/edg050.png

Creation of Digital Certificates

All traffic between the Edge Server and the Front End, and between the Edge Server and Lync clients, is encrypted using digital certificates. Each network card requires a digital certificate containing the FQDNs configured for the remote connection services.

Internal Network Card Certificate

To configure the certificate for the internal network card of the Edge Server run the third step Request, Install or Assign Certificates.

http://1.bp.blogspot.com/-B7KRFvRaTGg/UWv5llH4kGI/AAAAAAAAFjI/NYbxypDIbAw/s320/edg051.png

Select the Internal Edge and click Request.

http://1.bp.blogspot.com/-Mc0ApvcYEeI/UWv5ltm4u0I/AAAAAAAAFjA/4bdszWqIUaw/s320/edg052.png

Proceed to start the certificate request.

http://2.bp.blogspot.com/-wxJqnFxflyE/UWv5lddpb5I/AAAAAAAAFi0/6p77hTBb14g/s320/edg053.png

Because the Edge Server does not have access to the certificate server, generate a request file and submit it to the certificate server on the internal network. Select Prepare the request now, but send it later (offline certificate request).

http://3.bp.blogspot.com/-MgkjSaIjim0/UWv5mOYUd-I/AAAAAAAAFjQ/E1G1LcCgXI4/s320/edg054.png

Select the file path and proceed.

http://3.bp.blogspot.com/-BMePzXJjkDM/UWv5mT7g9NI/AAAAAAAAFjU/LsuxEycEQ-A/s320/edg055.png

No need to change the certificate templates.

http://1.bp.blogspot.com/-92uHJd7YvWM/UWv5mSHNGVI/AAAAAAAAFjY/Y2ifde-NE2A/s320/edg056.png

Configure the Friendly Name of the digital certificate. This field has no practical effect on the certificate's configuration; it only serves to identify the certificate.

http://3.bp.blogspot.com/-yZpmQqw1WrA/UWv5mszQGkI/AAAAAAAAFjg/FxpcDAK-aIU/s320/edg057.png

Configure the organization's information

http://2.bp.blogspot.com/-PvANAMCQKUE/UWv5m7wB3cI/AAAAAAAAFjk/dWyWAo2j81Q/s320/edg058.png

Configure the geographic information

http://3.bp.blogspot.com/-abXAayyPLBM/UWv5nGeUMKI/AAAAAAAAFjw/U9QZCRQQVs4/s320/edg059.png

In Subject Name configure the internal FQDN created for the Edge Server and advance

http://2.bp.blogspot.com/-IF-tqn8a0eA/UWv5nY0M6_I/AAAAAAAAFj0/qKztHhIQIHg/s320/edg060.png

There is no need to add any SAN entries to the internal certificate.

http://3.bp.blogspot.com/-ufmH9JJLVbU/UWv5nhXEhQI/AAAAAAAAFj4/T7BWdbVkH2Q/s320/edg061.png

In Summary Request make sure all information is correct and proceed.

http://4.bp.blogspot.com/-A0cp55WLqzo/UWv5n8uXvBI/AAAAAAAAFkE/GxRgQBxEXj4/s320/edg062.png

The command to generate the certificate should be executed and the file created in the folder configured

http://1.bp.blogspot.com/-BUzGhIZe_8Y/UWv5oAFzAbI/AAAAAAAAFkI/LD0Vre3xhEE/s320/edg063.png

Finish the certificate wizard; next, create the request for the external certificate.

http://1.bp.blogspot.com/-Slokk5aHEW0/UWv5oQwp9aI/AAAAAAAAFlA/cporV-pVtiM/s320/edg064.png

External Network Card Certificate

The request process for the external certificate is identical to the internal one, so I will show only the differences between the two.
Return to the Lync Server installation wizard, select External Edge Certificate and click Request.

http://1.bp.blogspot.com/-XIIOPON5IaE/UWv5ogTsQZI/AAAAAAAAFkg/4v7TCziVffE/s320/edg065.png

Set the folder where the request file will be saved.

http://4.bp.blogspot.com/-g9s2gdvIJXY/UWv5olSGBvI/AAAAAAAAFkY/gnOUlWlE6ug/s320/edg066.png

Configure the Friendly Name for the external certificate

http://2.bp.blogspot.com/-NnfuCVglP6s/UWv5pKsr7MI/AAAAAAAAFkk/Y_zzDgucoZ4/s320/edg067.png

The SIP domain names supported by the Front End are automatically added to the certificate.

http://1.bp.blogspot.com/-GUubQcx8iW4/UWv5pbIcq1I/AAAAAAAAFk4/2V7mZxO2bpg/s320/edg068.png

Select the SIP domain that will be supported for remote connections. Go ahead and finalize the request for the certificate.

http://1.bp.blogspot.com/-Krqn0HAvUlY/UWv5pj1-o8I/AAAAAAAAFk8/5zTlcQ7NU1o/s320/edg069.png

Installation of Digital Certificates

Copy the certificate requests to the internal network and issue the digital certificates on the certification authority. Then copy the issued certificates to the Edge Server.

http://2.bp.blogspot.com/-eqC6TNRznFg/UWv5pypIwEI/AAAAAAAAFk0/OtWwKgWFYT8/s1600/edg070.png

Start the MMC console and connect to the local computer. Click Personal -> Import, browse to the certificates and import the two files generated.

http://2.bp.blogspot.com/-IpCe7PSBwgU/UWv5qVTBqZI/AAAAAAAAFlQ/1_0MzQCT8-g/s320/edg071.png

Both certificates must be installed on the computer as shown below.

http://2.bp.blogspot.com/-vOTXHbQky0g/UWwEIV5qUtI/AAAAAAAAFls/inBwbZD53-E/s320/edg072.png

Configuring Certificates in the Services

With the certificates installed on the server, you must assign them to the services and network cards. Return to the Lync Server installation wizard and rerun the third step, Request, Install or Assign Certificates.

http://1.bp.blogspot.com/-sGRpB2GpQD4/UWwMuG3KeUI/AAAAAAAAFmQ/U2d7W9QXWzc/s320/edg073.png

Select Edge Internal and click Assign.

http://1.bp.blogspot.com/-az_CrAW4C8k/UWwMtugo0II/AAAAAAAAFmI/Ak0iAW5EPKM/s320/edg074.png

Proceed through the Certificate Assignment page.

http://1.bp.blogspot.com/-wsYQqD0mP6M/UWwMtCFL-eI/AAAAAAAAFmA/Gq9LS7Z6ja0/s320/edg075.png

Select the certificate generated for the Edge's internal card and click Next.

http://1.bp.blogspot.com/-9SqVNhOMkKM/UWwMvnbHKKI/AAAAAAAAFmY/1mwrKxb54Sg/s320/edg076.png

Ensure that all information is correct and proceed to start the configuration.

http://1.bp.blogspot.com/-xqIKcKzUSK0/UWwMv6ijs8I/AAAAAAAAFmg/QN4Vq9FrBwI/s320/edg077.png

The wizard should configure the certificate for the Edge's internal network card. Finish the wizard.

http://4.bp.blogspot.com/-xiYz1FGgCVg/UWwMwoOa6yI/AAAAAAAAFmo/HPAKXEcAN7k/s320/edg078.png

Return to the certificate wizard, select External Edge Certificate and click Assign.

http://2.bp.blogspot.com/-eK-VdRiojcI/UWwMyD7Dl9I/AAAAAAAAFm4/RcrFI3MEacw/s320/edg079.png

Proceed to start the configuration process

http://3.bp.blogspot.com/-utJ0A4SNI9U/UWwMyFG0aRI/AAAAAAAAFm0/DXEaAbZSWaI/s320/edg080.png

Select the certificate generated for the services of the external network adapter and proceed.

http://2.bp.blogspot.com/-RxPXR4wGxYk/UWwMzE9lkBI/AAAAAAAAFnA/9S5jVhWlX_s/s320/edg081.png

Ensure that all information is correct and proceed to start the configuration.

http://2.bp.blogspot.com/-SkFOeXQgIY0/UWwM0jyUnDI/AAAAAAAAFnI/faDDtoZ_fKs/s320/edg082.png

The wizard should configure the certificate for the Edge's external network adapter. Finish the wizard.

http://3.bp.blogspot.com/-1HBuFzNO3h4/UWwM14_ZhwI/AAAAAAAAFnU/xsRPb_6mlg8/s320/edg083.png

The configuration console should show the two certificates installed and the services configured.

http://3.bp.blogspot.com/-SQf3EVwvTfs/UWwM10x-eRI/AAAAAAAAFnY/PYXYh2ouzmE/s320/edg084.png

Close the certificate wizard and return to the main installation screen.

Starting the Services

In the Lync Server installation wizard, run the fourth step, Start Services.

http://1.bp.blogspot.com/-ZA_BNOi83C0/UWwM4qDlomI/AAAAAAAAFnk/W73sC5RX3gM/s320/edg085.png

This process should start all Lync Server Edge services.

http://1.bp.blogspot.com/-YhwnkX940Dc/UWwM48sFPhI/AAAAAAAAFno/cpFwkpankTY/s320/edg086.png

 

http://3.bp.blogspot.com/-OjmPPhDabJE/UWwM5u8krPI/AAAAAAAAFnw/4GnR3QF4qqY/s320/edg087.png

To verify that the services are running, open the Services console and check that their status has changed to Running.

http://4.bp.blogspot.com/-box_4UhaVvc/UWwM7HV7ebI/AAAAAAAAFn4/MOF6gSLJ4r8/s320/edg089.png

Testing the Access

With the services started, the Front End Server begins replicating the settings to the Local Store on the Edge Server. After the first replication, external users should be able to connect to the Edge Server. Microsoft provides a portal, https://www.testocsconnectivity.com, to perform connection and port tests against the environment.

http://1.bp.blogspot.com/-Pec25jE1pYE/UWwaJH_Pn7I/AAAAAAAAFoM/39q0Aikr4J0/s320/edg090.png

Provide the information of a user enabled for remote connection and check the server status

http://1.bp.blogspot.com/-3h8I3W5ajAA/UWwaJU6J3BI/AAAAAAAAFoU/09KvbbwVYRk/s320/edg091.png

Other Languages

This article is also available in the following languages:

Brazilian Portuguese

This article was originally written by: 
**Fernando Lugão Veltem**
**blog:** http://flugaoveltem.blogspot.com
**twitter:** @flugaoveltem