Due to security restrictions we have been asked to place our Lync Edge in the DMZ domain. As you know putting the Edge in a domain is not recommended, but everything we found said that Microsoft did support it.
After battling with trying to get replication to work for several days after adding it to the DMZ domain we relented and opened a case with MS. Yes, they do support it, but they don't recommend it - what they do insist on is that the domain suffix has to match the other Lync servers, so having dmzdomain.com as the suffix just wasn't going to work when the rest of your boxes are domain.com.
We pulled it out of the dmz domain, recreated the internal certificates and wham, replication came back.
In order to slightly appease the security team, we have put both of the Edge NICs in the DMZ, rather than the traditional one in trust, one in DMZ. We then used a static route and firewall rules to get to the FE. This does seem to be working, but more testing is needed. I'll report back once we've got that working.
Clefty's Corner
A collection of ramblings about technology, nerdy stuff, cats and food.
Friday, 14 March 2014
Tuesday, 4 March 2014
Lync 2013 Topology shenanigans
Moving a Lync 2013 Std Pool to a new Central Site
I'm in the middle of a Lync 2013 project at the moment, which seems to become more of a ball ache the further we get into the project!
What started as a simple upgrade from 2010 to 2013 with a bit of HA thrown in, has now been consumed in a cloud of certificates and not so simple URLs. There are two things I really hate in life: one is stripping paint, the other is certificates.
So initially we had both our 2013 std pools in one site - halfway through we realise that our master plan for HA won't work very well unless we have each pool in a different central site. 'Easy' we think, we can just move it over right? Wrong.
Apart from a couple of vague TechNet articles, we could find nothing of use that could point us in the right direction. So with fear in my heart I did it the long way, apparently this is the only way you can do it - but since I haven't seen it documented anywhere I thought I would put it down here.
So first of all I attempted to delete my front end from the topology - got a big fat fail from that in the form of
"Cannot publish topology changes. Conference directories still exist on a pool that would be deleted. Remove the conference directories before continuing."
After a bit of Googling I found this rather useful article which instructed me to use the Get-CsConferenceDirectory command and then the Remove-CsConferenceDirectory command to remove it - this scared me initially - as in the article he was decommissioning a server and didn't care if it went forever. I however, only wanted to move it. Well, what's the worst that could happen??
So with that out of the way, I could continue - in brief here are the steps I took.
- Create new Central Site - publish topology
- Move any users on the pool you want to move to another one
- Remove any dependencies on your FE like persistent chat or monitoring
- Delete the FE Pool you want to move - Republish (do the Remove-CsConferenceDirectory step if necessary)
- Go to your existing FE and run the Install CMS task in setup
- Run the Install/Remove Lync components on your FE - this will remove the FE role.
- Reboot the FE for good measure
- Back in Topology builder add your FE back into the topology into the new site you've created previously
- Publish topology again
- Back on the FE, re-run the CMS install
- Run the Install Lync components to re-install the FE role
- Add back your dependencies (monitoring/persistent chat)
Then I had to do the same with the Edge, although the steps were slightly different because of the lack of connection to the CMS.
- Delete Edge Pool from Topology
- Publish
- Run Export-CsConfiguration to a file and copy that to the Edge
- On the Edge run the CMS install task and import this newly created file
- Run the Install/Remove task to remove the Edge role
- Back in Topology Manager, re-add your Edge in the new Site with the same settings - note you will only be able to point it at your newly moved FE now.
- Publish
- Run Export-CsConfiguration to a file again and copy it to the Edge
- Run the CMS install task and import the file
- Run the Install Lync task to re-install the Edge role.
So far this has worked - I also need not have worried about doing a force remove of the csconferencedirectory entry as when I reinstalled the edge it was re-added. I'm still waiting on certificates to get my Edge up and running properly - I'll update later on that.
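The cmdlet-driven parts of the two procedures above, written out as an added example (not the author's own commands). The pool FQDNs and file paths are placeholders; the Topology Builder and setup wizard steps still happen in their own tools between these commands.

```powershell
# Placeholder values (assumptions, not from the post): adjust before use.
$oldPoolServiceId = 'UserServer:fe01.domain.com'   # pool being moved
$auditFile        = 'C:\Temp\confdirs-before.xml'  # record of what gets removed
$exportFile       = 'C:\Temp\cms-export.zip'       # hand-carried to the Edge

# 1. Move users off the pool that will be deleted from the topology.
Get-CsUser -Filter {RegistrarPool -eq "fe01.domain.com"} |
    Move-CsUser -Target "fe02.domain.com"

# 2. List the conference directories that block the publish and keep a
#    record of them before the forced removal.
$dirs = Get-CsConferenceDirectory |
    Where-Object { $_.ServiceId -match [regex]::Escape($oldPoolServiceId) }
$dirs | Format-Table Identity, ServiceId
$dirs | Export-Clixml -Path $auditFile

# 3. Remove only the directories homed on the old pool.
$dirs | Remove-CsConferenceDirectory -Force

# 4. After each publish, export the configuration for the Edge, which has
#    no direct connection to the CMS and needs the file imported locally.
Export-CsConfiguration -FileName $exportFile

# 5. The export holds the full topology and configuration, so delete it
#    here once it has been copied, and delete the copy on the Edge after
#    the import.
Remove-Item -Path $exportFile

# 6. Once the roles are reinstalled, confirm every replica (Edge included)
#    is receiving CMS updates; anything listed here is still behind.
Get-CsManagementStoreReplicationStatus |
    Where-Object { -not $_.UpToDate } |
    Format-Table ReplicaFqdn, UpToDate, LastStatusReport
```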