Microsoft® Lync™ Server 2010
Hybrid Scenarios
Module 20
Microsoft Corporation
Session Objectives
At the end of this session you will be able to:
• Describe the Lync Online high-level architecture and topology
• Have a more detailed understanding of the Lync Online topology, to assist in issue analysis and troubleshooting
Lync Online Topology Introduction
• High-level architecture
• Office Communications Data Forests (OCDFs)
  • Shared OCDF resources
    • Directors
    • Domain controllers (DCs)
    • System Center Operations Manager (SCOM) monitoring
    • Edge Servers
    • Mediation Servers <-> Public Switched Telephone Network (PSTN) for the Audio Conferencing Provider (ACP)
    • Witness Server
  • Pools
    • Pool resources: up to 5 pools, each with 8 Lync Server 2010 Front End (FE) servers and a pair of Back End (BE) servers
    • BE databases (DBs) Windows clustered and SQL Server® mirrored
Tenant Residency
• Both Office 365 Standard and Light customers are hosted on the same Lync Online deployment infrastructure. There are no separate deployments for the two service classes, since they differ only in tenant and/or user policies
• Each Lync Online tenant is either a Standard customer or a Light customer, but not both
• Each Lync Online tenant belongs to exactly one OCDF, in the geographical data center that conforms to the applicable regional/country regulations. All users of the tenant are assigned to one Pool of that OCDF
• There is no support for multi-national tenancy, in which a tenant's users would have to be assigned to geographically dispersed data centers according to regional regulations
Generic Lync Online Deployment Architecture
(diagram slide)
Lync Online Specifics
• First point of contact – Director Array
• Front End servers stamp users as external, rather than the Edge Server doing so
• Access Proxy (AP)/Lync Edge for federation with non-Lync Online partners or public IM connectivity (PIC)
• Inter-tenant federation traffic does not go through APs; it is routed internally
• Domain Name System (DNS) load balancing not employed; Hardware Load Balancing (HLB) is used instead
• Server draining not available in all cases due to HLB use
• Address Book (AB) Web Query online; no AB download
• Distribution List Expansion (DLX); no control to hide DL membership from users in the same tenant
• Call Admission Control (CAC)/Policy Decision Point (PDP) not used
• Global routing – Directors sync with the Active Directory® Domain Services (AD DS) of the other OCDFs
• GeoDNS – used to balance client traffic among OCDFs
Lync Online Specifics
• Firewall – no external or internal firewall within Lync Online itself. The Global Foundation Services (GFS) firewall infrastructure is used, and the access control list (ACL) rules are placed there
• Reverse Proxy not used. ACLs for web traffic are placed on the GFS firewall
• Archiving – there is no archiving in Lync Online. It may be offered in the future for compliance
• Enterprise Voice – Lync Online does not offer any Enterprise Voice features, e.g., Call Park Server (CPS)/Response Group Service (RGS), at this time, as there is no on-site PSTN gateway
• Group Chat – Lync Online does not support this feature
• Device support – there is no device support for Lync Online. The only client supported will be Lync 2010
Global Traffic Management
• Global Traffic Management (GTM) is used to distribute traffic, using DNS, between VIPs either in the same data center or across global data centers. It provides optimal performance based on the closest node in terms of network latency, geographic proximity or a configured balanced data center load distribution. Azure GTM has an additional feature that other GTM providers do not: it builds regional proximity maps based on measured network performance between subnets across the Microsoft backbone
• Lync Online is onboarded onto the Azure GTM platform
Global Routing
• Global GeoDNS routing
  • Client connects to the closest geographical OCDF
  • This may or may not be the client's home OCDF
  • The Director is equipped with the global routing database, built by querying the ADs in all OCDFs
• Inter-OCDF routing
  • The Director Array has a public VIP that is the central point of contact for SIP messages from entities outside of the OCDF, or from the Lync Edge Servers in the case of federation or PIC
  • In the case of registration, it redirects the registering client to the home Pool Fully Qualified Domain Name (FQDN)
• Intra-OCDF routing
  • Each FE has the full routing information for any user within the same OCDF, replicated from the AD of the OCDF
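The three routing scopes above (global on the Director, per-OCDF on the Front Ends, redirect on registration) are easy to get confused when troubleshooting a client that landed on the "wrong" OCDF. The following model is an added example, not Microsoft code: the directory contents, the pool and Director VIP names, and the use of a SIP 301 redirect for REGISTER are assumptions made for the illustration.

```python
"""Model of the Lync Online routing decisions described on the
"Global Routing" slide (added example, not Microsoft code).

Three scopes of routing knowledge are shown:
  - the Director Array holds a global routing database built from the
    AD of every OCDF, so it can answer for any user;
  - a Front End only holds routing data replicated from its own OCDF's AD;
  - a user absent from the global database is refused, never guessed at.
Directory contents, FQDNs and the 301 redirect are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Home:
    ocdf: str   # OCDF service instance, e.g. "SN20A"
    pool: str   # home Pool FQDN (assumed naming)


# Constructed global routing database, as replicated to the Directors.
GLOBAL_ROUTING_DB = {
    "alice@contoso.com": Home("SN20A", "pool1.mcsn20a001.local"),
    "bob@fabrikam.com":  Home("BL20A", "pool1.mcbl20a001.local"),
}

# Public SIP VIP of each OCDF's Director Array (assumed names).
DIRECTOR_VIP = {
    "SN20A": "sipdir-sn20a.online.lync.com",
    "BL20A": "sipdir-bl20a.online.lync.com",
}


def normalize(uri):
    """'sip:Alice@Contoso.com;transport=tls' -> 'alice@contoso.com'."""
    uri = uri.strip().lower()
    if uri.startswith("sip:"):
        uri = uri[4:]
    return uri.split(";", 1)[0]


def fe_routing_table(ocdf):
    """Intra-OCDF view: what a Front End in `ocdf` learns from its own AD."""
    return {u: h for u, h in GLOBAL_ROUTING_DB.items() if h.ocdf == ocdf}


def director_route(method, to_uri, entry_ocdf):
    """Decision of the Director Array in `entry_ocdf` for an inbound request.

    Returns (action, target):
      ("reject",   None)   unknown user -> refused (modelled as 404)
      ("redirect", pool)   REGISTER -> 301 to the home Pool FQDN, whether or
                           not this is the home OCDF (GeoDNS merely picked
                           the closest OCDF for the client)
      ("proxy",    pool)   other methods for a user homed in this OCDF
      ("forward",  vip)    other methods for a user homed elsewhere ->
                           that OCDF's Director VIP (inter-OCDF routing)
    """
    home = GLOBAL_ROUTING_DB.get(normalize(to_uri))
    if home is None:
        return ("reject", None)
    if method.upper() == "REGISTER":
        return ("redirect", home.pool)
    if home.ocdf == entry_ocdf:
        return ("proxy", home.pool)
    return ("forward", DIRECTOR_VIP[home.ocdf])


def fe_route(ocdf, to_uri):
    """A Front End can only route users of its own OCDF; anything else is
    handed back to the Director, which owns the global view."""
    home = fe_routing_table(ocdf).get(normalize(to_uri))
    return ("local", home.pool) if home else ("to-director", DIRECTOR_VIP[ocdf])


if __name__ == "__main__":
    # Alice's client resolved GeoDNS to BL20A, but she is homed in SN20A.
    print(director_route("REGISTER", "sip:Alice@Contoso.com", "BL20A"))
    print(director_route("INVITE", "sip:bob@fabrikam.com", "SN20A"))
    print(fe_route("BL20A", "sip:alice@contoso.com"))
```

The point to take from the model when troubleshooting: a Front End that cannot find a user is not evidence that the user does not exist, only that the user is not homed in that OCDF; the Director's global view is the place to check.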
Global Routing
(diagram slide)
Flexibility for Growth
• Add servers into the existing shared resources and existing Pools
  • Directors
  • Mediation
  • Edge servers
• Add a new Pool into the existing OCDF
• Add a new OCDF
  • Currently 2 OCDFs
  • One in San Antonio (SN2)
  • One in Blue Ridge (BL2)
Exchange Online Unified Messaging Integration
• Lync Online supports Exchange Online (EXO) Unified Messaging (UM) integration for customers who are still deploying Lync on-premises
• The on-premises deployment must be Lync 2010
• A separate domain with just Lync Online Edge Servers, Media Relays and a Central Management Server is deployed as a routing point for messages between EXO/Outlook Web App (OWA) and on-premises Lync 2010
• This domain is called ExUM, standing for Exchange UM integration
VLANs - IP Address Management
• Virtual local-area network (VLAN) A for public IP addresses
  • Hosts the public VIPs for the server arrays and the public Source Network Address Translation (SNAT) Internet Protocol (IP) addresses on the external network interface of the HLB, as well as the public IP addresses of the Edge Servers on their external network interfaces
• VLAN B for Mediation Server public IP addresses
  • Hosts the public IP addresses of the Mediation Servers on a separate VLAN, so that ACP traffic can be routed through dedicated circuits to the ACP partners rather than over the Internet
• VLAN C for private VIPs
  • Hosts only the private VIPs for the server arrays on the internal network interface of the HLB
• VLAN D for back-end Lync Online servers
  • Hosts the private IP addresses of all the Lync Online servers, including the Edge Servers and the Mediation Servers
Public IP Assignments
• For the Media Relay, a public IP is assigned to the Edge Server hosting the Media Relay role. Allowing clients to talk to the Edge Servers directly, without going through the HLB, avoids the negative impact on A/V quality that hair-pinning both media streams through the HLB would incur
• A public IP is assigned to each Mediation Server because some ACP partners do not support Real-Time Transport Protocol (RTP) latching on their Session Initiation Protocol (SIP) Session Border Controllers (SBCs). To overcome this, Lync Online exposes a public IP as the source address, since private address space cannot be exposed between the Microsoft data center and the ACP
Details on Public IP
• Two public VIPs, one for SIP and one for web, are assigned to the Director Array for each OCDF
• Two public VIPs, one for SIP and one for web, are assigned to the Lync FE Array for each Pool
• One public VIP is assigned to the Access Proxy Array for each OCDF
• One public VIP is assigned to the Data Proxy Array for each OCDF
• One public VIP is assigned to the Media Relay Array for each OCDF
• One public DIP (dedicated IP, assigned directly to the server rather than to a VIP on the HLB) is assigned to the Media Relay role on each Edge Server
• One public DIP is assigned to each Mediation Server
• One public DIP is assigned to the Dashboard server
SNAT Pool Public IP Addresses
• The HLB needs to allocate a public IP address and a port to the connection before forwarding the connection to an individual server in the Array
• Each IP address has at most 65535 ports, so multiple SNAT IP addresses may be needed
• Each Pool in Lync Online is expected to handle up to 100K concurrent connections
• For 5 Pools there will be 500K concurrent connections per OCDF, which requires at least 8 public IP addresses (500,000 / 65,535, rounded up)
• At least 10 public IP addresses are allocated for SNAT purposes per OCDF
• Treat 65535 as an upper bound when sizing: the usable range per IP is smaller, because the HLB does not hand out the low-numbered and reserved ports, and SNAT port exhaustion on an undersized pool surfaces as connection failures under load
DNS Management
Placeholders used in the following slides:
• <geodns> = lync.glbdns.microsoft.com, the domain of the GeoDNS provider
• <lyncprod> = online.lync.com, the domain for Lync Online
• <sn20a> = mcsn20a001.local, the internal domain name for OCDF SN20A
• <bl20a> = mcbl20a001.local, the internal domain name for OCDF BL20A
Disjoint DNS/Service Domain
• Public domain – what Lync Online presents to the external world
• Internal domain – OCDF specific, internal only

Type              OCDF   Domain suffix
Public domain     Any    <lyncprod>
Internal domain   SN2    mcsn20a001.local
Internal domain   BL2    mcbl20a001.local
GeoDNS Setup
• The top-level <geodns> is reserved for the production deployment only, to distribute incoming traffic to the services
• Second-level xxx.<geodns> can be used for non-production deployments such as Engineering Dogfood (EDF), Commercial Technology Preview (CTP) or the Pre-Production Environment (PPE)
• Two FQDNs
  • sipdir.<geodns> – VIP of the Director Array
  • sipfed.<geodns> – VIP of the Access Proxy Array
Public DNS Setup
Two CNAME records redirect clients to GeoDNS:

Lync Online FQDN     Type    GeoDNS FQDN       Notes
sipdir.<lyncprod>    CNAME   sipdir.<geodns>   Redirects the client DNS query to GeoDNS for SIP
sipfed.<lyncprod>    CNAME   sipfed.<geodns>   Redirects the client DNS query to GeoDNS for federation
Private DNS Setup
Private FQDNs are set up for:
• Internal VIPs on the HLB
• Any server within the OCDF
• Special roles such as SQL in the Lync Online BE, which also require private FQDNs to be set up for the DBA
• Refer to the course module for the table of private IP addresses
Tenant DNS SRV Setup
• For auto-discovery and federation, two DNS SRV records must be provisioned on each tenant's domain
  • Vanity domain (contoso.com) – the tenant must provision them
  • Managed domain (contoso.onmicrosoft.com) – provisioned automatically
Tenant SRV Records

Type     Purpose         FQDN                                             Port   Protocol   Mapping
Vanity   Auto-Discovery  _sip._tls.contoso.com                            443    SIP        sipdir.<lyncprod>
Vanity   Federation      _sipfederationtls._tcp.contoso.com               5061   SIP        sipfed.<lyncprod>
Managed  Auto-Discovery  _sip._tls.contoso.onmicrosoft.com                443    SIP        sipdir.<lyncprod>
Managed  Federation      _sipfederationtls._tcp.contoso.onmicrosoft.com   5061   SIP        sipfed.<lyncprod>
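A misprovisioned or hijacked SRV record on a vanity domain silently sends every client and federation partner to the wrong place, so the records in the table above and the CNAME chain from the Public DNS Setup slide are worth checking mechanically. The validator below is an added example, not Microsoft tooling: it parses zone-file style records, resolves both tenant SRV records, follows the CNAMEs through the GeoDNS name and compares port and target against the table. All records are constructed sample data; the 203.0.113.x addresses are documentation-range placeholders standing in for whatever GeoDNS would actually return.

```python
"""Offline check of a tenant's Lync Online DNS records (added example).

Parses zone-file style SRV/CNAME/A lines, resolves the two SRV records a
tenant must publish, follows the CNAME chain through GeoDNS and checks
port and target against the "Tenant SRV Records" table.  All sample
records below are constructed for this example.
"""

# Placeholders from the DNS Management slide, expanded.
LYNCPROD = "online.lync.com"
GEODNS = "lync.glbdns.microsoft.com"

# Expected (port, target) per SRV owner prefix, from the table above.
EXPECTED = {
    "_sip._tls":              (443,  f"sipdir.{LYNCPROD}"),
    "_sipfederationtls._tcp": (5061, f"sipfed.{LYNCPROD}"),
}

# Constructed zone data: the tenant's vanity-domain SRV records plus the
# provider-side CNAMEs from the Public DNS Setup slide.  The A records
# stand in for the VIPs GeoDNS would hand back (documentation addresses).
SAMPLE_ZONE = f"""
_sip._tls.contoso.com.              IN SRV   100 1 443  sipdir.{LYNCPROD}.
_sipfederationtls._tcp.contoso.com. IN SRV   100 1 5061 sipfed.{LYNCPROD}.
sipdir.{LYNCPROD}.                  IN CNAME sipdir.{GEODNS}.
sipfed.{LYNCPROD}.                  IN CNAME sipfed.{GEODNS}.
sipdir.{GEODNS}.                    IN A     203.0.113.10
sipfed.{GEODNS}.                    IN A     203.0.113.20
"""


def parse_zone(text):
    """Return {(owner, type): [rdata fields, ...]} for 'owner IN TYPE rdata' lines."""
    records = {}
    for line in text.strip().splitlines():
        parts = line.split()
        owner, rtype, rdata = parts[0].rstrip(".").lower(), parts[2].upper(), parts[3:]
        records.setdefault((owner, rtype), []).append(rdata)
    return records


def resolve_chain(records, name, max_hops=5):
    """Follow CNAMEs from `name` to A records; returns (final_name, [addresses]).

    An empty address list means a dangling name, a loop, or a chain longer
    than max_hops, all of which a client would experience as 'cannot sign in'.
    """
    name = name.rstrip(".").lower()
    for _ in range(max_hops):
        if (name, "A") in records:
            return name, [r[0] for r in records[(name, "A")]]
        cname = records.get((name, "CNAME"))
        if not cname:
            return name, []
        name = cname[0][0].rstrip(".").lower()
    return name, []


def check_tenant(records, domain):
    """Validate both SRV records for `domain`; returns findings (empty = OK)."""
    findings = []
    for prefix, (want_port, want_target) in EXPECTED.items():
        owner = f"{prefix}.{domain}".lower()
        srv = records.get((owner, "SRV"))
        if not srv:
            findings.append(f"{owner}: SRV record missing")
            continue
        _prio, _weight, port, target = srv[0]
        target = target.rstrip(".").lower()
        if int(port) != want_port:
            findings.append(f"{owner}: port {port}, expected {want_port}")
        if target != want_target:
            # A target outside the provider domain is the hijack/typo case.
            findings.append(f"{owner}: target {target}, expected {want_target}")
        final, addrs = resolve_chain(records, target)
        if not addrs:
            findings.append(f"{owner}: target {target} does not resolve (stopped at {final})")
    return findings


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    print(check_tenant(zone, "contoso.com"))    # [] when everything matches
    print(check_tenant(zone, "fabrikam.com"))   # both SRV records missing
```

To run it against live DNS, replace SAMPLE_ZONE with the output of a real SRV/CNAME lookup for the tenant domain; the comparison logic stays the same. Note that the SRV targets here are themselves CNAMEs (sipdir.<lyncprod> aliases the GeoDNS name), which RFC 2782 says an SRV target must not be, so a strict resolver library may refuse to chase the alias; the chain-following above tolerates it deliberately.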
AutoDiscovery Flow
(diagram slide)
Integration with the Environment
AD and Certificate Provisioning

Cert                             SN (subject name)                       Private key holder/Public key holder   Servers        Cert store (Local Computer)
LiveID Token Encryption          liveid.<lyncprod>                       Lync Online/LiveID                     FEs, DIRs      Personal
Wildcard Lync Online             *.<lyncprod>                            Lync Online/OC                         All            Personal
Federation                       sipfed.<lyncprod>                       Lync Online/Partner                    Edge Servers   Personal
Provisioning (MSODS Sync, PIC)   prov.<lyncprod>                         Lync Online/BPOS                       DIRs           Personal
BOX UI                           boxazppe.partner.microsoftonline.com    BOX/Lync Online                        DIRs           Personal
Dashboard                        dashboard.<lyncprod>                    Lync Online/Lync Online                DIRs           Personal
Certificate Descriptions/Usage
• LiveID Token Encryption cert – shared between Lync Online and LiveID
• Wildcard Lync Online cert – shared between Lync Online and external clients, and among Lync Online servers
• Federation cert – used for federation with other partners, including PIC
• Business Online Experience (BOX) UI cert – used by BOX to establish a remote PowerShell (PS) session with Lync Online for the Tenant Admin user experience
• Dashboard cert – used internally to secure communications between the Dashboard Server and the Directors for the web services required by the Dashboard
Microsoft Online Directory Service Integration
• Lync Online is a federated service to MSO-DS
  • Tenant/user information is first stored in the MSO master AD before a subset of the information is synced to Lync Online
  • Only tenants with a valid Lync Online license are synced to the LO AD
• Each OCDF is a Service Instance (e.g., SN20A, BL20A)
• Each OCDF connects to MSO-DS separately, configured with:
  • MSO-DS web service URL – identifies the MSO-DS system Lync Online connects to in order to enable the provisioning flow-through from MSO-DS
  • OCDF Service Instance name – identifies the OCDF service instance, unique within the Lync Online deployment. The name is provisioned into MSO-DS
  • The Provisioning cert – enables authentication between MSO-DS and an OCDF
Business Online Experience (BOX) UI Integration
• BOX UI cert (see Certificate Descriptions/Usage)
• The Lync Online Remote PS web service (WS) URL exposed to the BOX UI:

OCDF     Lync Online Remote PS WS URL
SN20A    https://webdirsn20a00.<lyncprod>/ocspowershell
BL20A    https://webdirbl20a00.<lyncprod>/ocspowershell
LiveID Integration
• Lync Online uses LiveID for client authentication
• Each OCDF is registered with LiveID
• A certificate is generated by LiveID during the registration process and associated with the OCDF
• This cert is called the LiveID Token Encryption cert
• The OCDF uses this cert to authenticate to LiveID
Exchange Access Proxy Production Topology
The Exchange Access Proxy (ExAP) Forest supports integration of EXO UM with Lync Server 2010 on-premises, and OWA IM and Presence between EXO and Lync Server 2010 on-premises or Lync Online.
ExAP Forest High Level Architecture
From a signaling perspective, the Exchange UM servers (UMS) and the ExAP servers can initiate connections from either side (for example, for voice mail deposits and retrievals). For OWA IM and Presence, on the other hand, only the Exchange Client Access Server (CAS) on the OWA side initiates connections to ExAP; ExAP never initiates connections to the OWA CAS. This direction matters for the port ACL rules: the ExAP side only needs to accept inbound connections from the CAS, never to open outbound ones to it.
ExUM AP Topology for Lync Online
The ExAP Forest is a degenerate OCDF in the sense that there is no Lync Pool in the forest. Only the Edge Servers do the work, with the AP and Media Relay (MR) roles. The shared servers, i.e., DC and Central Management Server (CMS), are for configuration of the ExAP.

(Diagram slide. Recoverable content: the ExAP servers are dual-homed, with one leg on the public IP VLAN and one on the internal VIP VLAN, behind the GFS firewall and HLB; the EXO UMS and OWA CAS reach them over the back-end LAN, subject to the OCO port ACL rules. Inventory of one ExAP Forest:
• 3 service APs, each running the AP and MR roles (3 × 1U)
• 2 CMS FE and BE on OCS Standard Edition (SE) (1U)
• 2 DCs for the domain, also hosting WDS and DNS/DHCP (1U)
• 7 machines in the ExAP domain in total (7 × 1U))
IP Address Management
• The ExAP Forest resides in the same set of VLANs as the OCDF in the same data centers (e.g., SN2 and BL2 for NA)
• Public IP assignments
  • One public VIP for SIP signaling assigned to the Access Proxy Array
  • One public VIP for media assigned to the Media Relay Array
  • One public DIP assigned to the Media Relay role on each of the three Edge Servers
• Private IP assignments
  • For each Edge Server Array, private IP addresses are assigned to each individual server
  • Internal VIPs are also assigned to the Access Proxy and Media Relay Arrays, for EXO UMS and OWA CAS to establish connections to the ExAP Forest
DNS Management
Placeholders used for the ExAP Forest:
• <geoum> = um.glbdns.microsoft.com, the domain of the GeoDNS provider
• <exapprod> = um.outlook.com, the domain for UM in Exchange
• <sn20b> = mcsn20b001.local, the internal domain name for ExAP Forest SN20B
• Disjoint DNS/service domain
  • Public domain – what ExAP presents to the external world and to EXO UM and OWA CAS
  • Internal domain – internal to the ExAP Forest
GeoDNS Setup
• sipex.<geoum> – the external global FQDN for on-premises Lync to establish SIP connectivity with the ExAP Forest from outside the Microsoft data centers
• sipex-int.<geoum> – the internal global FQDN for EXO UMS and OWA CAS to establish SIP connectivity with the ExAP Forest within the Microsoft data centers
• mrex.<geoum> – the external global FQDN for on-premises Lync to establish media connectivity with the ExAP Forest from outside the Microsoft data centers
• mrex-int.<geoum> – the internal global FQDN for EXO UMS and OWA CAS to establish media connectivity with the ExAP Forest within the Microsoft data centers
Lync Online Topology Diagram
• Instructor to show the Visio diagram in c:\classmaterials\docs\reference\Lync Online Topology Diagram Production.vsd
• You can install the Visio viewer from c:\labfiles\visio viewer\visioviewer.exe
• Click on the Forest A tab
• Note there are 2 forests per data center and a forest spans 2 data centers
Q&A
© 2011 Microsoft Corporation. All rights reserved.
Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any
information provided after the date of this presentation. This document may contain information related to pre-release software, which may be substantially modified before
its first commercial release. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.