Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Secure Remote Access & Lync

advertisement 
Secure Remote Access & Lync
Ilse Van Criekinge
http://blogs.technet.com/ilvancri
@ivcrieki
Session Objectives and Takeaways
• Session Objectives
• Overview of typical Lync Server Edge configurations
• DNS Load Balancing and Hardware Load Balancing
• NAT support for Edge Deployment
• Reverse Proxy
• ICE
• Takeaways
• Understand typical Edge planning and deployment process
• Understand certificate requirements for Edge and Reverse
Proxy
2
Introduction
3
Conferencing Capabilities of Lync
Web
Conferencing
Video
Conferencing
Audio
Conferencing
PSTN
Conferencing
Instant
Messaging
Conferencing
Integration
with thirdparty A/V SIP
endpoints
and MCUs
ACP
Integration
Dial-In Conferencing
Conferencing
Attendant
Application
Conferencing
Announcing
Application
Dial-in
Conferencing
Web Page
Mediation
Servers and
Gateways or
PBX
Simple URLs
• Lync Server 2010
• Meet
• Dial-in
• Admin
• Scope = Global & Site
• Created using PowerShell or Topology Builder
Edge Server Role
Lync Server Edge scenarios
• External User Access
• Lync clients can transparently connect to the Lync Server
deployment over the public Internet
• PIC
• Connecting with public IM providers
• Federation
• Federation with other Enterprises
• IM&P only, or
• All modalities A/V and Application Sharing
Edge Server Role Requirements
• General Requirements
• 64-bit Windows 2008, Windows 2008 R2
• Microsoft .NET Framework 3.5 SP1
• Windows PowerShell v2
• Cannot be collocated with any other Microsoft Lync Server role
• Virtualization is supported (Windows 2008 R2 OS!)
Server role
Edge
Server
Physical
Virtual
CPU
Memory
Number of
users
supported
CPU
Memory
Number of
users
supported
8 cores
16 GB
15,000
4 cores
5 GB
7,500
Edge Server Roles
• Access Edge = handles all SIP traffic crossing the corporate
firewall
• Web Conferencing Edge = proxies PSOM (Persistant Shared
Object Model) traffic between the Web Conferencing Server
and external clients
• Audio/Video Edge = provides a single trusted connection point
through which audio and video traffic enters and exits your
network
Edge Server Role
1 IP, 2 IP, 3 IP, 4 IP, ... ?
A Few Networking Lync Facts
• Lync Server 2010 supports only IPv4
• It does niet support IPv6
• Can function in a network with dual IP stack enabled
• Two network adapters for each Edge Server are required:
• one for the internal-facing interface
• one for the external-facing interface
• Important: The internal and external subnets must not be
routable to each other.
Single IP address Edge
edge.contoso.com
131.107.155.10
External
SIP: 5061
Web Conf: 444
A/V Conf: 443, 3478
edge-int.contoso.com
172.25.33.10
Internal
SIP: 5061
Web Conf: 8057
A/V Conf: 443, 3478
Multiple IP address Edge
access.contoso.com
131.107.155.10 443, 5061
External SIP
edge-int.contoso.com
172.25.33.10
webcon.contoso.com
131.107.155.20 443
External Web Conf
av.contoso.com
131.107.155.30 443, 3478
External AV
Edge Server
Internal
SIP: 5061
Web Conf: 8057
A/V Conf: 443, 3478
Edge using NAT IP addresses
Public IP space
IP1’
Lync Server does not need
to know translated SIP and
Web Conf IP
IP2’
Client
Clients connect to
IP for A/V traffic
Translated AV IP must
be configured in Lync
Server
IP3’
IP1
External SIP
IP2
External Web
Conf
IP3
External AV
Int
DNS Load Balanced Edge
Public IP space
DNS A records
access.contoso.com IP1 and IP4
webcon.contoso.com IP2 and IP5
av.contoso.com
IP3 and IP6
Client
Client can retrieve and handle multiple IP
addresses and can fail over
DNS server returns randomized IP address
DNS Load Balanced Edge using NAT
Public IP space
DNS A records
access.contoso.com
webcon.contoso.com
av.contoso.com
IP1’ and IP4’
IP2’ and IP5’
IP3’ and IP6’
Translated AV IP addresses must
be configured in Lync Server
individually
IP3 to IP3’
IP6 to IP6’
IP2’
IP3’
IP4’
IP5’
IP6’
Hardware Load Balanced Edge
Public IP space
DNS A records
access.contoso.com
webcon.contoso.com
av.contoso.com
VIP1
VIP2
VIP3
Initial AV connection requires will
land on VIP and gets forwarded.
However clients will connect to Edge
directly (UDP)
TCP traffic continues to use VIP
NAT and HLB is not
possible
VIP1
VIP2
VIP3
Edge Server Role
INSTALLATION
Edge Server Role
CERTIFICATE REQUIREMENTS
Certificate Requirements Edge Server Role
• A single public certificate is supported in Lync for
• Access Edge external interface
• Web conferencing Edge external interface
• A/V Authentication Edge internal interface
• Edge internal interface
• Can be issued by an internal CA
• Subject name is typically the Edge internal interface FQDN or
HWLB VIP
• No subject alternative names required
Requirements External Certificate
• Issued by an approved public CA
(http://go.microsoft.com/fwlink/?LinkId=202834)
• If Edge pool, same cert on every Edge, must be exportable
• Subject Name = Access Edge FQDN or HWLB VIP(Not required,
but recommended (previous versions) )
• Subject Alternative Names
• Access Edge external interface or HWLB VIP
• Web Conferencing Edge external interface or HWLB VIP
• Any SIP doman FQDN (for auto-discovery, federation)
Edge Server Role
DNS REQUIREMENTS
DNS Requirements
• DNS Entries
• External DNS lookups by remote users and federated
partners
• Entries for DNS lookups for use by the Edge Servers within
the perimeter network
• Internal DNS entries for lookups by the internal clients and
servers running Lync Server 2010
• Edge Server requires DNS Suffix
Need client
auto
configuration?
YES
Default SIP
domain FQDN
= AD domain
FQDN
NO
NO
YES
You are using split-brain DNS
Internal DNS
_sipinternaltls._tcp.<sip domain>
External DNS
_sip._tls. <sip domain>
Use GPOs or configure clients
manually
You are not using split-brain DNS
Internal DNS
_sipinternaltls._tcp.<sip domain>
sip. <sip domain>
External DNS
_sip._tls. <sip domain>
Is Federation
required?
NO
Internal DNS
A Record internal interface
External DNS
A Record external interfaces
YES
External DNS
_sipfederationtls._tcp.<sip domain>
DNS Records for External Devices
Type
Value
Note
SRV
Edge Server:
_sipexternal._tls.<SIP domain>, and
_sipexternaltls.<SIP domain>
Allows external devices to
connect by using SIP over TLS to
the Registrar internally.
Reverse proxy FQDN:
<server name>.<SIP domain>
Allows external devices to
connect by using TLS over HTTP
to the Device Update Web
service.
A
Edge Server Role
REVERSE PROXY & DIRECTOR
Reverse Proxy and Director
Internet
Perimeter Network
Internal Network
Reverse Proxy
Front End
Remote Clients
Federated Clients
Anonymous Clients
Edge Server
Director
Reverse Proxy and external access (1)
• Forwards External HTTPS and HTTP traffic to Front
End and Director Pool
• External user access to:
•
•
•
•
•
•
•
Meeting content for meetings (HTTPS)
Expand and display of distribution groups (HTTPS)
Downloadable files from the Address Book Service (HTTPS)
The Lync Web App client (HTTPS)
The Dial-In Conferencing Settings web page (HTTPS)
Location Information Service (HTTPS)
Device Update Service and obtain updates (HTTP)
Reverse Proxy and external access (2)
• Simple URL forward to Director (recommended)
•
•
Forwarding rule for Simple URL to a single Director (or Pool); port
443
Reverse Proxy certificate’s SAN to contain base FQDN of each
Simple URL
• Web External Pool traffic forwarded to pools by
Reverse Proxy
•
•
•
Reverse Proxy requires a forwarding rule each Web External FQDN
(Front End Pool and Director); port 443
If external Phone Devices are implemented, Reverse Proxy rule for
port 80 is required
Reverse Proxy certificate’s SAN to contain base FQDN of all
configured Web external Pools (Front End Pool and Director)
Edge Server Role
RECAP DNS VS HW LOAD BALANCING
DNS vs. Hardware Load Balancing
DNS LB
HLB
Public IP addresses
required
Each Server x 3
(Each Server+1 VIP) x 3
Failover Support
No, Delayed Failover* for:
• Exchange UM (remote
user)
• PIC
• Federation of older
version of OCS
Yes, instant Failover for:
• Exchange UM (remote
user)
• PIC
• Federation of older
version of OCS
NATing of IP
addresses (Edge
Server)
Supported
Not supported
* Delayed Failover: DNS TTL period
Edge Server Role
XMPP
Extensible Messaging and Presence Protocol (XMPP)
Gateway
• Features provided
• Add and delete each other as contacts
• Publish Presence and subscribe for each other’s Presence
• Engage in one-to-one conversations
• Three scenarios
• Public federation with hosted network
• Federation between two organizations
• On-premises deployment with Jabber
SIP/MTLS:5061
XMPP Gateway
Edge Server Role
MANAGE & CONTROL REMOTE ACCESS
Manage & Control Remote Access
• To support external user access, you must do both of the
following:
• Enable support for external user access to your organization
• Configure and assign one or more policies to support
external user access
• Policies
• External user access policies
• Conferencing policies
Edge Server Role
CLIENT COMMUNICATIONS
IM And Presence Workload
Step 1. Client resolves
DNS SRV record
_sip._tls.<sip-domain>
to Edge Server
Step 2. Client connects
to Edge Server
SIP/MTLS:5061
Step 3. . Edge Server
proxies connection to
Director
HTTPS: 443
SIP/MTLS:5061
Step 4. Director
authenticates user and
proxies connection to
user’s home pool
SIP/MTLS:5061
Federated IM &
Presence Workloads
HTTPS: 443
SIP/MTLS:5061
SIP/MTLS:5061
ICE
ESTABLISHING MEDIA PATH
SDP, STUN, TURN, ICE
• Lync uses SDP to provide initialization parameters for media
stream
• Add a Media Relay (aka A/V Edge Server)
• STUN reflects NAT addresses
• TURN relays media packets
• ICE exchanges candidates (cand) and determines optimal media
path to assist media in traversing NATs without requiring the
endpoints to be aware of their network topologies
• All three protocols based IETF standards
ICE Details
• There are five phases for establishing a media path
• During login
• TURN Provisioning and Credentials
(MRAS – Media Relay Authentication Service)
• When establishing a call
• Address Discovery (Allocation) (Obtain Candidate List)
• Address Exchange (SIP Invite/200 OK)
• Connectivity Checks
• Candidate Promotion
In summary, to send media into the enterprise, the external user must be
authenticated and have an authenticated internal user explicitly agree to
exchange media streams. Lync Server 2010 uses TCP 50,000-59,999
outbound. Lync Server 2010 federating with Office Communications Server
2007 partners continues to use the port range of 50,000 – 59,999 UDP/TCP.
Federation involving Lync Server 2010 partners or Office Communications
Server 2007 R2 partners will use 3478/UDP and 443/TCP, and TCP 50,00059,999 outbound
Step 1. Inband Provisioning Process duing Lync Sign-In
Step 2. Obtain Candidate List
Step 3. Connectivity Checks
Step 4. Candidate Promotion
Stay up to date with TechNet Belux
Register for our newsletters and stay up to date:
http://www.technet-newsletters.be
• Technical updates
• Event announcements and registration
• Top downloads
Join us on Facebook
Download
MSDN/TechNet Desktop Gadget
http://www.facebook.com/technetbe
http://bit.ly/msdntngadget
http://www.facebook.com/technetbelux
LinkedIn: http://linkd.in/technetbelux/
Twitter: @technetbelux
TechDays 2011 On-Demand
• Watch this session on-demand via TechNet Edge
http://technet.microsoft.com/fr-be/edge/
http://technet.microsoft.com/nl-be/edge/
• Download to your favorite MP3 or video player
• Get access to slides and recommended resources by the speakers
THANK YOU
ilvancri@microsoft.com
Related documents
Presentation - Achieving Impact 2014
Presentation - Achieving Impact 2014
Combine your voice and data networks Why use
Combine your voice and data networks Why use
Questions for Unit-7
Questions for Unit-7
AAC7 SIP CALL - Avaya Support
AAC7 SIP CALL - Avaya Support
HOMEWORK 1 • DNS stands for do not submit (1) DNS Make up a
HOMEWORK 1 • DNS stands for do not submit (1) DNS Make up a
VoIP Paging Amplifier Vocalcity Provisioning Guide
VoIP Paging Amplifier Vocalcity Provisioning Guide
- Krest Technology
- Krest Technology
CNA and SIT
CNA and SIT
Download
advertisement