Friday, 14 March 2014

Lync Edge in a DMZ Domain? ...No.

Due to security restrictions we have been asked to place our Lync Edge in the DMZ domain. As you know, putting the Edge in a domain is not recommended, but everything we found said that Microsoft did support it.

After battling for several days to get replication working after adding it to the DMZ domain, we relented and opened a case with MS. Yes, they do support it, but they don't recommend it - what they do insist on is that the domain suffix has to match the other Lync servers, so having dmzdomain.com as the suffix just wasn't going to work when the rest of your boxes are domain.com.

We pulled it out of the DMZ domain, recreated the internal certificates and wham, replication came back.

In order to slightly appease the security team, we have put both of the Edge NICs in the DMZ, rather than the traditional one in trust, one in DMZ. We then used a static route and firewall rules to get to the FE. This does seem to be working, but more testing is needed. I'll report back once we've got that working.
