Sunday, March 20, 2011

Lync 2010 Deployment Guide (adding Edge Role - part II)

It is now time for the Big Bang – the actual Edge deployment.

In the previous step, we added the new Edge to the topology and published it. Since our Edge server sits on the perimeter network, we must export the topology from our Front End and transfer the file to the Edge somehow.

I will run “export-CsConfiguration -filename C:\” from Lync management shell.

...and transfer the file to the Edge

Next we run the setup.

Because our Edge is not a member of the domain (i.e. the CMS cannot be read), we must point to the .zip file moved to this server in the previous step.

Have patience – SQLExpress installation takes time (good time for trip to the fridge).

Ah, certificates. A major pain point.

The Edge server must have two certificates: one with CN = FQDN of the machine, assigned to the internal interface ( in our example), and one with the FQDN we entered earlier in Topology Builder ( in this case). Note that because we are building our Edge server with ONE public IP address only, all three roles will use “” and so I need a certificate for CN = – i.e. no SAN is needed.

First, I will create a CSR (Certificate Signing Request) for the internal interface. Later I will have it signed by my internal domain Certificate Authority.

Here I will add (our sip domain)

Open the CSR with Notepad and copy the content.

Go to your AD Certificate Authority and request certificate signing.

Paste our request in the “Saved Request” field and select “Web Server” from “Certificate Template” list.

Download and save the certificate.

***Note that I have already saved the Domain Root Certificate. The Edge is not a member of the domain, so the Root CA must be imported manually.

First, install the Domain Root Certificate

Proceed with the import of our certificate

***Note that because we created the CSR on this machine, the private key is stored locally (we only asked for it to be signed).


Our internal certificate is now assigned.

Perform the steps above to generate a CSR, have it signed, and assign the resulting certificate to the public interface.

***This certificate must be signed by a public CA in order to have fully functional federation capabilities.

We are ready to start the services now.
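The whole procedure above (export the topology on the Front End, then request, import and assign the two Edge certificates and start the services), as an added Lync Server Management Shell example that is not part of the original post. All FQDNs, file paths, the SIP domain and the organization details are placeholders, not the author's values; the Deployment Wizard steps (SQL Express and the local configuration store from the .zip) are left to the wizard as the post shows them and are only noted in comments.

```powershell
# Added example, not the original post's commands. Placeholders throughout:
# replace the FQDNs, SIP domain, paths and organization details with your own.

# --- 1. On the Front End: export the published topology (CMS) to a file ---
Export-CsConfiguration -FileName C:\CsConfiguration.zip
# Copy C:\CsConfiguration.zip to the Edge out of band; the Edge is not domain
# joined and cannot read the CMS. The Deployment Wizard's "Install Local
# Configuration Store" step on the Edge is then pointed at this file
# (Import-CsConfiguration -FileName ... -LocalStore is the cmdlet behind it).

# --- 2. On the Edge: values assumed for this example ---
$InternalFqdn = "edge01.internal.example"   # placeholder: machine FQDN, internal interface
$ExternalFqdn = "sip.example.com"           # placeholder: the single external FQDN from Topology Builder
$SipDomain    = "example.com"               # placeholder: our SIP domain
$Org = @{ Organization = "Example Org"; OU = "IT"; City = "City"; State = "State"; Country = "US" }

# --- 3. Internal certificate: offline CSR, signed by the internal (AD) CA ---
# The subject name comes from the Edge entry in the local configuration store;
# -DomainName adds the SIP domain as a SAN, as done in the wizard above.
Request-CsCertificate -New -Type Internal -Output C:\edge-internal.req `
    -DomainName $SipDomain -FriendlyName "Edge Internal" `
    -KeySize 2048 -PrivateKeyExportable $true @Org
# Submit C:\edge-internal.req to the AD CA (Web Server template) and save the
# issued certificate as C:\edge-internal.cer; save the CA root as C:\InternalRootCA.cer.

# The Edge is not domain joined, so the internal Root CA is not pushed by group
# policy and must be placed in the machine Trusted Root store by hand first.
certutil -addstore -f Root C:\InternalRootCA.cer

# Importing the signed certificate pairs it with the private key created by the CSR.
Import-CsCertificate -Path C:\edge-internal.cer -PrivateKeyExportable $true

function Get-EdgeCert([string]$Fqdn) {
    # Newest certificate in the machine store for this CN that actually has a private key.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
}

$internal = Get-EdgeCert $InternalFqdn
if (-not $internal) { throw "No internal certificate with a private key found for $InternalFqdn" }
# Verify() builds the chain; it fails if the Root CA step above was skipped.
if (-not $internal.Verify()) { Write-Warning "Internal certificate does not chain to a trusted root" }
Set-CsCertificate -Type Internal -Thumbprint $internal.Thumbprint

# --- 4. External certificate: same flow, but signed by a public CA ---
# With one public IP, Access Edge, Web Conferencing Edge and A/V Edge share one
# FQDN, so one certificate covers all three types and no extra SAN is needed.
Request-CsCertificate -New -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication `
    -Output C:\edge-external.req -FriendlyName "Edge External" `
    -KeySize 2048 -PrivateKeyExportable $true @Org
# Submit C:\edge-external.req to the public CA and save the result as C:\edge-external.cer.
Import-CsCertificate -Path C:\edge-external.cer -PrivateKeyExportable $true

$external = Get-EdgeCert $ExternalFqdn
if (-not $external) { throw "No external certificate with a private key found for $ExternalFqdn" }
if (-not $external.Verify()) { Write-Warning "External certificate does not chain to a trusted root" }
Set-CsCertificate -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication `
    -Thumbprint $external.Thumbprint

# --- 5. Start the Edge services and list what is assigned to each use ---
Start-CsWindowsService
Get-CsCertificate | Format-Table Use, Subject, AlternativeNames, Thumbprint, NotAfter -AutoSize
```

The `Verify()` checks are the point a practitioner most often trips over on a non-domain-joined Edge: the issued internal certificate imports fine but does not chain until the internal Root CA sits in the Trusted Root store, and the external certificate only chains when the public CA's chain is present, which is what federation partners will also require.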

Next step will be to verify the functionality of our Edge.


Peter said...

Suppose I have a .local internal domain and .com external domain, should I select them both for the external interface certificate (public CA) in the "SIP Domain settings on Subject Alternate Names" window?

Drago said...

For the "External" interface, you need only the ".com" domain since ".local" is not publicly recognized.