Setup a Fully Functional Lync 2013 Lab Using only One Public IP Address

Note: This article assumes you already know how to set up Lync 2013 and just need to know the intricacies of changing the default ports.

Ever since I was exposed to Lync in 2011, I’ve been a huge proponent of using chat to communicate at work. Years ago, I recall corporate chat being a hard sell, but now it seems generally accepted; many customers who don’t use chat are open to it, they just haven’t had the resources to set it up yet. I’ve set up Google Apps w/Talk for small businesses in the past, but I’ve been curious about implementing Microsoft Lync on-premise, so I set up a lab last week to better understand it.

Because my lab is limited on RAM, I attempted to use just one server to accomplish everything I wanted — chat, “PC-to-PC” calls, and video conferencing. I was able to get chat working fine for internal and external users, but video conferencing and calls failed for users who were not on the same internal network.

After learning about the Edge server’s role in providing media services, I gave in and added an Edge server to my topology. I also added a Reverse Proxy because holy smokes, setting up a Reverse Proxy using IIS ARR was way easier than I thought it’d be (and I already had a web server that could do this.)

Here’s the thing about the Edge server: both the Front End and the Edge server use port 443 for very different things. Autodiscovery, which is provided by the Front End/Reverse Proxy, requires HTTPS (HTTP is possible, but I didn’t want to use it), and Autodiscovery was a requirement I gave myself, so I was left having to modify the A/V port for the Edge server. In the setup below, you can see that I changed it to port 442. Modifying the port in the Topology was easy enough, but then I had to figure out exactly which DNS records needed to change.

The DNS change seems obvious now, but I started this with little knowledge about AutoDiscovery and service records. Because of this, I ended up with a ton of unnecessary/incorrect DNS entries.

Here’s how my lab is configured:

Network
Internal SIP domain: ad.local
External SIP domain: acme.com
External IP address: 24.0.175.22
DMZ Subnet: 10.0.10.x
Internal Subnet: 10.0.0.x

Servers
Role                      Hostname          Internal IP   External IP
Lync Front End            lyncfe.ad.local   10.0.0.20     None
Lync Edge                 lyncedge          10.0.10.5     10.0.0.5
Reverse proxy (optional)  rp                10.0.10.2     10.0.0.2

Port Forwarding
Protocol  Port         Function               IP
TCP       443          Autodiscovery (HTTPS)  10.0.10.2
TCP       442          STUN/SIP/PSOM          10.0.10.5
TCP       444*         Web Conferencing       10.0.10.5
UDP       3478         STUN                   10.0.10.5
TCP       5061**       MTLS                   10.0.10.5
Both      50000-59999  RTP                    10.0.10.5

* I’m not entirely sure this needs to be exposed, but I opened mine anyway.
** In order to support the widest variety of Lync clients, 5061 appears to be required for authentication even if you don’t do federation.


External DNS A & CNAME Records
Type   Hostname                Points to
A      lync.acme.com           24.0.175.222
CNAME  sip.acme.com            lync.acme.com
CNAME  meet.acme.com           lync.acme.com
CNAME  lyncdiscover.acme.com   lync.acme.com

External DNS SRV Record
Service  Protocol  Port  Target
_sip     _tls      442   lync.acme.com



Some DNS providers offer an SRV Host field. This is useful if your users authenticate as [email protected] instead of [email protected]. In this case, “x” would be your host. Also, I’ve seen different values for Priority and Weight. I left mine at 100 and 1, though I’ve seen them at 0 and 0. I don’t think it matters much unless you’re doing load balancing.

Also, after examining client logs, I noticed that some external logins for desktop clients failed when sip.acme.com didn’t exist, so I added it to DNS. Microsoft documentation mentions A records in a whole lot of places, but I found CNAMEs work just as well.
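The three tables above (external DNS, the SRV record, and the port forwards) have to agree with each other once the Edge A/V port is moved off 443. Here is a small consistency check I’m adding as an example; it is not code from the original post, and every record value is constructed from the lab tables above (acme.com, 24.0.175.222 and the 10.0.10.x hosts are the post’s example values, not real infrastructure):

```python
# Added example, not from the original post: cross-check external DNS, the
# _sip._tls SRV record and the router port-forward table for a Lync 2013 lab
# whose Edge A/V port was moved off 443. All values are constructed from the
# post's tables; the hostnames and addresses are lab examples, not real ones.

def resolve(name, dns):
    """Follow the CNAME chain in the constructed record dict to a final A address."""
    seen = set()
    while name in dns and dns[name][0] == "CNAME":
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = dns[name][1]
    rec = dns.get(name)
    return rec[1] if rec and rec[0] == "A" else None

def check_lync_external(sip_domain, dns, srv, forwards, public_ip, edge_ip, rp_ip):
    """Return a list of problems; an empty list means the three tables agree."""
    problems = []
    for host in (f"lyncdiscover.{sip_domain}", f"sip.{sip_domain}", f"meet.{sip_domain}"):
        ip = resolve(host, dns)
        if ip != public_ip:
            problems.append(f"{host} resolves to {ip}, expected {public_ip}")
    if resolve(srv["target"], dns) != public_ip:
        problems.append(f"SRV target {srv['target']} does not resolve to {public_ip}")
    # The SRV port is what external clients connect to: it must reach the Edge,
    # and 443 must stay with the reverse proxy so Autodiscovery keeps working.
    dest = forwards.get(("TCP", srv["port"]))
    if dest != edge_ip:
        problems.append(f"TCP {srv['port']} forwarded to {dest}, not Edge {edge_ip}")
    if forwards.get(("TCP", 443)) != rp_ip:
        problems.append(f"TCP 443 must reach the reverse proxy {rp_ip}")
    if forwards.get(("UDP", 3478)) != edge_ip:
        problems.append("UDP 3478 (STUN) must reach the Edge")
    return problems

# Constructed from the post's tables.
DNS = {
    "lync.acme.com": ("A", "24.0.175.222"),
    "sip.acme.com": ("CNAME", "lync.acme.com"),
    "meet.acme.com": ("CNAME", "lync.acme.com"),
    "lyncdiscover.acme.com": ("CNAME", "lync.acme.com"),
}
FORWARDS = {("TCP", 443): "10.0.10.2", ("TCP", 442): "10.0.10.5",
            ("TCP", 444): "10.0.10.5", ("UDP", 3478): "10.0.10.5",
            ("TCP", 5061): "10.0.10.5"}
SRV_442 = {"service": "_sip._tls", "port": 442, "target": "lync.acme.com"}
SRV_443 = dict(SRV_442, port=443)  # default port left in place by mistake

if __name__ == "__main__":
    for srv in (SRV_442, SRV_443):
        print(srv["port"], check_lync_external("acme.com", DNS, srv, FORWARDS,
                                               "24.0.175.222", "10.0.10.5", "10.0.10.2"))
```

With the SRV record on 442 the check comes back clean; with the default 443 left in the SRV record it reports that external clients would be sent to the reverse proxy instead of the Edge, which is exactly the conflict the post works around.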

A few things to note:

I didn’t hook Lync into Exchange and I didn’t even attempt Enterprise Voice because I don’t have the equipment (or desire.) Authentication was accomplished by adding [email protected] to each AD account email property, then using [email protected] as the sign-in name and ad\username for User Name. Of course, my domain’s Root CA cert had to be installed on all of the client computers, including mobile devices.

I did test to see if Office Web Apps was required for Lync-to-Lync calls (it wasn’t) and blew up one of my server’s IIS configs in the process. OWA doesn’t like to share and deletes all of your IIS Sites during configuration, so don’t install it on a server that does anything else related to IIS.

Also, if you have just one internal subnet and you’re comfortable with the security repercussions, you don’t need a reverse proxy — just a router that can forward from port 443 to port 4443. Also, your edge server will need 2 IPs (no way around that), so you can just give it two on the same subnet and make sure your router NATs to the “External” IP of the Edge server as listed in the Lync Topology.

7 comments on “Setup a Fully Functional Lync 2013 Lab Using only One Public IP Address”
  1. Maxime says:

    Hi,

    Thanks for this topic.
    I have installed a lab environment with this info but I still have a problem.
    Desktop sharing works on the LAN but external users connected in Lync cannot share or view a shared desktop.
    Do you have an idea?
    Thanks in advance.

    Maxime

  2. Allan says:

    Thank you for your post, got a question for you if you don’t mind. I see you are using 442 instead of 443, that would make my life very easy. Do you have to make custom settings in your external clients?

    Another angle, if I do not change port 443 in my topology. I’m going with the most simple solution, single external IP, single subnet, but my exchange is also on this LAN and so I have 443 already redirected to my Exchange Server from my router. Cannot mess with that. Wondering if I can use a custom port for 443, in other words… can I redirect say, 445 to 443? I do that often with remote desktops so I can send different people from the outside to 3389 on the inside… just put the custom external port into my RDP client. If this is possible, then I can put a custom port into my external clients?

  3. Daimian Williams says:

    Hi, this guide is great! One question – How did you manage to change the AV port to 442?

    Thanks,

  4. Daimian Williams says:

    Also, am I right in thinking that no actual ports are forwarded to the External NIC of the Edge server? 443 & 80 (4443 & 8080) are forwarded to the FE and all others to the Internal NIC of the Edge?

    Thanks,

    • Daimian Williams says:

      Should have said, I am using two NICs on the same subnet on the Edge, so it would be:

      192.168.2.1 – FE
      192.168.2.2 – Edge (internal)
      192.168.2.3 – Edge (external)

      and also not using reverse proxy and port forwarding 443/80 to 4443/8080 to 192.168.2.1.

      Sorry for all this, just trying to clear my head.

      Thank you,

  5. Mehran says:

    Dear Friend

    Thank you for your very valuable guidance on Lync; it is wonderful and very comprehensive.

    We faced a strange problem after the full Lync 2013 implementation; could you give us any help to solve these problems?
    1- The whiteboard works for about 30 minutes each time after the Lync server restarts, for both internal and external users, and after that it stops and gives an error saying “An error occurred while presenting”.
    2- We always get “An error occurred while presenting” with PowerPoint sharing.
    3- A call between two users who are both outside the domain is possible, but the same call between a user inside the domain and one outside the domain could be established; we added the certificate to the user outside the domain and also added the relevant IPs in the hosts file, etc.
    We are in desperate need of a solution or guidance for this problem.

    Mehran
