Module 6

Designing and Deploying External Access

MVA Jump Start

Module Overview
Conferencing and External Capabilities of Lync Server 2013
Planning for IM and Presence Federation Designing Edge Services

Lesson 1: Conferencing and External Capabilities of Lync Server 2013

Conferencing Capabilities of Lync Server 2013
Overview of Public Instant Messaging Features of Extensible Messaging and Presence Protocol (XMPP)

Gateway

Lync Server 2013 XMPP Federation XMPP Federation - Architecture Usage Control through Policies Security in Conferencing and External Scenarios

Conferencing Capabilities of Lync Server 2013

Web Conferencing

Instant Message Conferencing

PSTN PSTN Conferencing

Audio Conferencing

ACP Integration
(online only)

Lync Server 2013

Video Conferencing

Integration with third-party A/V SIP endpoints and MCUs

Overview of Public Instant Messaging

Lync Server 2013

PIC Service Integration

P2P Audio & Video

PIC 1

PIC 2

Lync 2013 Clients

Windows Live

Extensible Messaging and Presence Protocol (XMPP) Gateway

Add and delete each other as contacts
Publish presence and subscribe for each other presence Engage in one-to-one conversations

Lync Server 2013 XMPP Federation

XMPP natively integrated into the Lync Front End Server and Edge Server Scale-out, high availability consistent with rest of Lync Cisco/Jabber, Google Talk interoperability
o Separate gateway not needed o Integrated setup, management

US East
XMPP Federation Lync Pool 1 (Runs XMPP GW)

Lync Edge (Runs XMPP Proxy) Outbound & Inbound External XMPP Fed Route

Fabrikam.com

Lync Pool 2 (Runs XMPP GW)

US West
Lync Pool 3 (Runs XMPP GW) Lync Edge (Runs XMPP Proxy)

Google Talk

Google Talk Servers

adatum.com

External XMPP Fed (Direction shows TLS Connection establishment)

XMPP Federation - Architecture

On-Premises Deployment (Site 1)
Lync Edge
IM & P (SIP) Persistent Chat (XCCOS) Address Book, DLX, Photos (Web)

IM & P (SIP)

Lync FE Pool

Persistent Chat (XCCOS)

Lync Persistent Chat Pool

Contacts Notifications IM Archiving (uses S2S authorization)

OWA IM & P

Lync Online- Office 365

Exchange 2013
Address Book DLX, Photo (Web)

Reverse proxy

OCS/ Lync Federated

Usage Control through Policies

Security in Conferencing and External Scenarios

Plan for usage Directors Set conferencing policies to prevent unsupported usage scenarios Keep the default security settings requiring TLS or SSL in all signaling and

media Evaluate the need for anti-malware solutions Avoid deployment of Edge Servers in an internal domain Deploy the Edge Server between an internal firewall and an external firewall Lock down Edge Servers for additional security Evaluate the need for anonymous or federated access

Lesson 2: Planning for IM and Presence Federation

Designing Federation in Lync Server 2013
Designing Interoperability in Lync Server 2013 Implementing the Public Instant Messaging Provisioning Process

Functionalities Supported by Lync Server 2013

Designing Federation in Lync Server 2013

Internet

Perimeter Network

Internal Network

Reverse Proxy

Front End

Remote Clients Federated Clients Anonymous Clients

Edge Server Director

Designing Interoperability in Lync Server 2013 Federation with PIC (MSN/Skype) Public IM Connectivity (PIC) provisioning process
XMPP (Jabber/Google Talk) XMPP Proxy/Gateway Third Party Presence Engines Supports federation with Third Party Presence Engines

Implementing the Public Instant Messaging Provisioning Process

1. You provide the FQDN, SIP domains, and contact information to

Microsoft

2. Microsoft tests the information, establishes credibility, and then

provides access

3. You will be notified and then the provisioning process for each

PIC domain will start

Functionalities Supported by Lync Server 2013

Communications capabilities by type of user:

Scenario
Presence IM peer-to-peer IM conferencing Collaboration A/V peer-to-peer

Remote Federated User User

+ + + + + + + + + +

PIC/Inter Anonymous op User

+ + X X +* X X X + X

XMPP
+ + X X X

A/V conferencing
File transfer

+
+

+
+

X
X

+
X

X
X

* For PIC A/V peer-to-peer support, you must use the new version of Windows Live Messenger.

Lesson 3: Designing Edge Services

Firewall Requirements Design for External Scenarios
Edge Network Requirements Defining Filters

DNS Usage in Lync Server 2013

Identifying Required DNS Records PKI Certificate Usage in Lync Server 2013

Subject Names and Subject Alternate Names

Planning for Types of Certificates and Providers Other Certificate Usage Scenarios

Firewall Requirements Design for External Scenarios

TO PERIMETER External Firewall

Enterprise Perimeter Network

Internal Firewall

TO CORP NET

TO INTERNET

TO PERIMETER

Reverse Proxy External IP

HTTPS/443, HTTPS/443 80 (optional) Reverse Proxy Server

Reverse Proxy External IP

HTTP/8080 HTTPS/4443 HTTPS/443

INTERNET

CORP NET

XMPP/TCP/5269

XMPP Proxy Service

HTTP/80
DNS/53 SIP/TLS/443 SIP/MTLS/5061 Access Edge External IP Edge Internal IP WebCon Edge External IP Media Authentication Service XMPP/TCP/23456 SIP/MTLS/5061 PSOM/MTLS/8057 SIP/MTLS/5062 STUN/UDP/3478 STUN/TCP/443 HTTPS/4443 Lync Server 2013 Single Consolidated Edge

PSOM/TLS/443 RTP/TCP/50,000-59,999 RTP/UDP/50,000-59,999 STUN/UDP/3478 STUN/TCP/443

AV Edge External IP

Traffic by Server Role

Reverse Proxy Access Edge WebCon Edge AV Edge

Edge Network Requirements Internal Edge Interface

No NAT supported

External Edge Interface

Single Edge Server

1:1 NAT Hardware Load Balanced Routable Ips DNS Load Balanced 1:1 NAT

Defining Filters File Filters You can use these filters to block certain types of files from entering your network URL Filters You can use these filters to block certain types of files from entering your network Client Versioning Filters You can use Client Versioning Filters to block and upgrade clients, so that you can ensure a certain minimum version level of your Lync Server 2013 clients in your organization

DNS Usage in Lync Server 2013

Client and mobile discovery of logon servers
Device discovery of Device Update servers to update devices Server to Server discovery of federation partners

Client and server discovery of servers

Clients and servers securely set up sessions

Identifying Required DNS Records

Location External DNS External DNS External DNS DNS Record SRV: _sip._tls.adatum.com SRV: _sipfederationtls._tcp.adatum.com A: sip.adatum.com Target Access Edge Server: sip.adatum.com port:443 Access Edge Server: sip.adatum.com port:5061 IP of Access Edge Server

External DNS
External DNS External DNS External DNS External DNS External DNS

A: webconf.adatum.com
A: av.adatum.com A: rp.adatum.com A: dialin.adatum.com A: meet.adatum.com A: lyncdiscover.adatum.com

IP of Web Conferencing Edge

IP of AV Edge IP of Reverse Proxy IP of Reverse Proxy IP of Reverse Proxy IP of Reverse Proxy

PKI Certificate Usage in Lync Server 2013

Within the Lync Server 2013, Public Key Infrastructure (PKI) is used while using Transport Layer Security (TLS) and Mutual Transport Layer Security (MTLS)

Lync Server 2013 certificates are used for:

TLS connections between client and server

MTLS connections between servers

Federation using automatic DNS discovery of partners Remote user access for instant messaging (IM)

External user access to audio/video (A/V) sessions, application sharing, and conferencing
Mobile requests using automatic discovery of Web Service Persistent Chat Web Services for File Upload/Download

Subject Names and Subject Alternate Names

The Subject Name of a given X.509 certificate is supported by all PKIs and certificate authority implementations, including all commercial third-party certificate authorities

The Subject Alternative Name property on an X.509 certificate:

Provides alternative subject names in the certificate
Enables TLS and MTLS connections to different names which all resolve to the

same physical or virtual server

The following server roles use certificates with SAN:

Edge Servers Front End servers and Directors

Planning for Types of Certificates and Providers

You can use public certificates for Lync Server Access Edge, Reverse Proxy, and

Exchange Web Services You can deploy private certificates for all internal Lync Server 2013 roles, and for the internal interface of Lync Server Edge servers When deploying an internal certificate authority, a key item that you need to configure is CRL download locations When deploying public certificates, you need to consider a few items such as CRL download locations and root certificate support

Other Certificate Usage Scenarios In a Lync Server 2013 infrastructure, the following use certificates:
Survivable Branch Appliances (SBAs) Web Services

SBA Provisioning
1. 2. 3.

SBA gets a certificate installed on it and uses it for client authentication SBA looks at the SIP domain part of the SIP URI of the client attempting to register and compares it to the installed certificate If the domain part of the SIP URI matches a domain that is present in the SBA certificate, the client is allowed to register to the SBA

2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.