This section outlines common
configuration tasks for Edge Server pools. Major changes to the Edge
Server configuration must be carried out using Lync Server Topology
Builder. This includes changing IP addresses, changing DNS names, or
changing pool associations. Any topology changes will require running
the Lync Server Deployment Wizard again to ensure that the changes are
reflected on the Edge Server.
Other configuration changes, such as
enabling certain features or configuring federation, can be carried out
in the Lync Server Control Panel, or the Lync Server Management Shell.
Common configurations are outlined in this section, as well as the
administration section.
1. Enabling Edge Server Features
To enable Edge Servers to process remote
access and federation requests, the Access Edge configuration must be
updated to enable these features. Figure 1 shows a sample policy configuration. Use the following steps to enable Access Edge features for the Lync Server infrastructure:
1. Open the Lync Server Control Panel.
2. Select Federation and External User Access in the navigation pane.
3. Click Access Edge Configuration.
4. Highlight the Global policy, click Edit, and then click Modify.
5. Check the Enable Federation and Public IM Connectivity box.
6. If federated partners may be discovered automatically through DNS SRV lookups (which permits federation with any domain that is not explicitly blocked), check the Enable Partner Domain Discovery box.
7. If an archiving
disclaimer should be sent to federated contacts when initiating an IM
conversation, check the Send Archiving Disclaimer to Federated Partners
box.
8. Check the Enable Remote User Access box.
9. If anonymous external participants should be allowed to join web conferences, check the Enable Anonymous User Access to Conferences box.
10. Click Commit to accept the changes.
Figure 1. Access Edge configuration.
Alternatively, the Lync Server Management Shell can be used to configure the same settings in one command:
Set-CsAccessEdgeConfiguration -AllowOutsideUsers $true -AllowFederatedUsers $true -EnablePartnerDiscovery $true -EnableArchivingDisclaimer $true -AllowAnonymousUsers $true
Some additional options
are available for Access Edge Server configuration that are not exposed
in the Lync Server Control Panel. The following parameters can also be
used as part of the Set-CSAccessEdgeConfiguration
cmdlet to configure external access:
• BeClearingHouse—This has a true or false value indicating whether the Access Edge Servers are directly connected to other organizations. A clearinghouse Access Edge Server acts as a federation gateway: it can support direct federation between multiple organizations, or front several internal Lync Server deployments. Typically, this value is false.
• CertificatesDeletedPercentage—New to Lync Server 2013, this setting controls the percentage of stored trusted certificate entries that are deleted when the MaxAcceptedCertificatesStored limit is reached.
• DefaultRouteFQDN—This overrides the default federation route. If federation requests must be routed through a specific server (for example, a federation proxy), enter its FQDN here. This parameter must be used in conjunction with the UseDefaultRouting parameter.
• EnableDiscoveredPartnerContactsLimit—This has a true or false value. By default, any federated partner that is discovered automatically has a contact limit imposed. Setting this parameter to false removes that limit.
• UseDefaultRouting—This has a true or false value indicating whether the Access Edge Servers use a manually entered default route FQDN. This value is false by default, which means the Access Edge Servers use DNS SRV records to route federation requests.
• KeepCRLsUpToDateForPeers—This has a true or false value indicating whether the Access Edge Servers periodically check, against the issuer's CRL, whether a partner's certificate is still valid. This parameter is true by default; if it is turned off, a revoked partner certificate is not detected until the certificate expires.
• MarkSourceVerifiableOnOutgoingMessages—This has a true or false value indicating whether the Access Edge Servers mark outgoing messages as coming from a verified source. This enables partners to assign a higher level of trust to messages received from an organization that marks its messages as verifiable. This parameter is true by default.
• MaxAcceptedCertificatesStored—New to Lync Server 2013, this setting allows administrators to control the maximum number of trusted certificates stored on each Edge Server. The default value is 1000.
• MaxContactsPerDiscoveredPartner—By default, any federated partner that is discovered automatically has a contact limit of 1,000 imposed. This setting can be used to decrease or increase that limit.
• OutgoingTLSCountForFederatedPartners—This is a numeric value from 1 to 4 indicating the maximum number of TLS connections that can be used for a federated partner. The default value is 4, but if connections should be more limited, this value can be reduced.
• VerificationLevel—If you are using default routing, the VerificationLevel property controls how the verification level of incoming messages is assessed. These are the valid values:
• AlwaysVerifiable—All requests received on the default route are marked as verified. If a verification header is not present, it is automatically added to the message.
• AlwaysUnverifiable—Messages are passed only if the addressee (the user the message is intended for) has configured an Allow ACE (access control entry) for the person who sent the message.
• UseSourceVerification—Message verification is based on the verification level included with the message. If no verification header is present, the message is marked as unverified.
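The following Lync Server Management Shell function is an added example, not code from the original page or from Microsoft. It ties together the feature-enabling steps above and the parameter list by comparing an Access Edge configuration against a baseline of the security-relevant settings and reporting every deviation. The baseline values are assumptions chosen for illustration, not recommendations from the page, and the sample object is constructed here to stand in for Get-CsAccessEdgeConfiguration output so the function can be tried without a deployment.

```powershell
# Added example, not from the original text. Compares the Access Edge configuration
# against a baseline of security-relevant settings; the baseline values are assumptions.
function Test-AccessEdgeBaseline {
    param(
        # Output of Get-CsAccessEdgeConfiguration, or any object exposing the same properties
        [Parameter(Mandatory)] $Config,
        # Expected values; the names match the Set-CsAccessEdgeConfiguration parameters
        [hashtable] $Baseline = @{
            # Partner discovery lets any domain publishing the right SRV record federate
            # unless it is explicitly blocked; assume a closed, allow-listed federation here.
            EnablePartnerDiscovery                 = $false
            # A revoked partner certificate is only caught if CRLs are kept current.
            KeepCRLsUpToDateForPeers               = $true
            # Do not upgrade unverified messages to verified on the default route.
            VerificationLevel                      = 'UseSourceVerification'
            # Keep the per-partner contact cap for automatically discovered partners.
            EnableDiscoveredPartnerContactsLimit   = $true
            MarkSourceVerifiableOnOutgoingMessages = $true
        }
    )

    foreach ($name in $Baseline.Keys) {
        $expected = $Baseline[$name]
        $actual   = $Config.$name
        # Compare as strings so $true/"True" and an enum/"UseSourceVerification" line up
        if ("$actual" -ne "$expected") {
            [pscustomobject]@{ Setting = $name; Expected = $expected; Actual = $actual }
        }
    }
}

# Constructed sample standing in for Get-CsAccessEdgeConfiguration output: open federation
# is on, CRL checking is off, and the default route marks everything it receives as verified.
$sample = [pscustomobject]@{
    AllowOutsideUsers                      = $true
    AllowFederatedUsers                    = $true
    EnablePartnerDiscovery                 = $true
    KeepCRLsUpToDateForPeers               = $false
    VerificationLevel                      = 'AlwaysVerifiable'
    EnableDiscoveredPartnerContactsLimit   = $true
    MarkSourceVerifiableOnOutgoingMessages = $true
}

Test-AccessEdgeBaseline -Config $sample | Format-Table -AutoSize

# Against a live deployment, from the Lync Server Management Shell:
#   Test-AccessEdgeBaseline -Config (Get-CsAccessEdgeConfiguration)
# and to bring the deviating settings in the sample back into line:
#   Set-CsAccessEdgeConfiguration -EnablePartnerDiscovery $false `
#       -KeepCRLsUpToDateForPeers $true -VerificationLevel UseSourceVerification
```

Run against the constructed sample, the function reports the three settings that differ from the assumed baseline (EnablePartnerDiscovery, KeepCRLsUpToDateForPeers and VerificationLevel); the commented Set-CsAccessEdgeConfiguration call shows how the same parameter names are used to remediate.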
2. Managing A/V Edge Configuration
By default, an A/V Edge Server applies a
global policy, which controls bandwidth limits for users and ports as
well as the lifetime of media relay tokens. These settings are not exposed
in the Lync Server Control Panel and must be managed with the Lync
Server Management Shell.
First, use the Get-CsAVEdgeConfiguration cmdlet to view the Global defaults.
Unless there is a need to limit the values, leave the Global policy in place. To create a new A/V Edge configuration that applies at the SF site level, use the following command. In this example, the MaxTokenLifetime is increased to 10 hours from the default of 8 hours (note that PowerShell reads "10:00:00" as ten hours and "10.00:00:00" as ten days), the maximum bandwidth per user is decreased to 5000 Kbps, and the maximum bandwidth per port is decreased to 2000 Kbps:
New-CsAVEdgeConfiguration -Identity "site:SF" -MaxTokenLifetime "10:00:00" -MaxBandwidthPerUserKb 5000 -MaxBandwidthPerPortKb 2000
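As an added example that is not from the original page, the following PowerShell wrapper builds the site-level parameter set from an explicit TimeSpan, so that hours and days cannot be confused in the MaxTokenLifetime string, and refuses a token lifetime above a ceiling before New-CsAVEdgeConfiguration is ever called. The 24-hour ceiling, the function name New-SiteAVEdgeSettings and the SF site name are assumptions for illustration.

```powershell
# Added example, not from the original text. Builds the parameter set for
# New-CsAVEdgeConfiguration from an explicit TimeSpan and enforces an assumed
# ceiling on the media relay token lifetime before anything is changed.
function New-SiteAVEdgeSettings {
    param(
        [Parameter(Mandatory)] [string]   $SiteName,
        [Parameter(Mandatory)] [TimeSpan] $TokenLifetime,
        [uint32]   $PerUserKb = 5000,     # kilobits per second, as in the text's example
        [uint32]   $PerPortKb = 2000,
        [TimeSpan] $Ceiling   = (New-TimeSpan -Hours 24)   # assumed local policy, not a product default
    )
    if ($TokenLifetime -gt $Ceiling) {
        throw "MaxTokenLifetime $TokenLifetime exceeds the allowed ceiling of $Ceiling"
    }
    # Returned as a hashtable so it can be splatted into New-CsAVEdgeConfiguration
    @{
        Identity              = "site:$SiteName"
        MaxTokenLifetime      = $TokenLifetime
        MaxBandwidthPerUserKb = $PerUserKb
        MaxBandwidthPerPortKb = $PerPortKb
    }
}

# The two string forms the text could be read as: the first is ten hours, the second ten days.
$tenHours = [TimeSpan]'10:00:00'
$tenDays  = [TimeSpan]'10.00:00:00'
"{0} is {1} hours; {2} is {3} days" -f $tenHours, $tenHours.TotalHours, $tenDays, $tenDays.TotalDays

# Ten hours passes the ceiling check and yields a splattable parameter set
$params = New-SiteAVEdgeSettings -SiteName 'SF' -TokenLifetime $tenHours
# New-CsAVEdgeConfiguration @params          # apply from the Lync Server Management Shell

# Ten days is rejected before the cmdlet is reached
try { New-SiteAVEdgeSettings -SiteName 'SF' -TokenLifetime $tenDays } catch { $_.Exception.Message }
```

Passing the TimeSpan object rather than a string also means the value shown in the Management Shell transcript is unambiguous, which matters when the change is reviewed later.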
3. Introducing High-Availability
Redundancy for Edge Servers requires only
adding more Edge Servers to a pool. There is no logical limit on the
number of Edge Servers that can be part of an Edge Server pool. Load
balancing can be done either with DNS load balancing or by
using a hardware load balancer.
DNS load balancing is done by entering
multiple host records for the Edge Server pool name within DNS. When
clients or servers attempt to reach a server that is unavailable, they
attempt to use an alternative server.
A hardware load balancer can still be used
for Edge Servers in Lync Server, which adds greater load-balancing
capabilities at the price of greater complexity. As in prior releases,
the internal Access Edge and A/V Authentication Edge interfaces should
be load balanced, but the Web Conferencing Edge internal ports should
not be load balanced.
Tip
This method is best achieved using a single
VIP for the internal-facing services. From an external perspective, all
three services should be load balanced, but each should use its own VIP.
4. Adding Edge Servers to a Pool
Adding an Edge Server to a pool requires
updating and publishing the topology to reflect the change. Use the
following steps to add another pool member:
1. Expand the Edge Servers node.
2. Right-click the Edge Server pool name, and select New Server.
3. Enter the internal IP address and FQDN of the Edge Server’s internal interface. Click Next.
4. Enter the external IP addresses for the Edge Server’s Access Edge, Web Conferencing Edge, and A/V Edge services. Click OK.
5. Click OK when complete.
Now, publish the topology again and proceed with the new Edge Server installation.
After installation, be
sure to add the new server’s IP addresses to the pool’s DNS records, or to the hardware load
balancer configuration, so that clients and servers can reach the new Edge Server.
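The following PowerShell check is an added example, not code from the original page or from Microsoft. When DNS load balancing is in use, it confirms that every pool member's internal IP address is published behind the pool FQDN and flags stale records left from decommissioned servers. The comparison logic is kept separate from name resolution so it can be tried on the constructed sample below; the pool and host names (edgepool.contoso.local, edge01 through edge03) and the addresses are assumptions.

```powershell
# Added example, not from the original text. Compares the A records published for an
# Edge pool FQDN with the internal addresses of its members and reports both gaps and
# stale entries. Names and addresses used here are constructed for illustration.
function Compare-EdgePoolDns {
    param(
        [Parameter(Mandatory)] [string[]]  $PoolRecords,      # A records for the pool FQDN
        [Parameter(Mandatory)] [hashtable] $MemberAddresses   # member FQDN -> internal IP
    )
    # Members installed but never added to the pool name: clients will not find them
    $missing = $MemberAddresses.GetEnumerator() |
        Where-Object { $PoolRecords -notcontains $_.Value } |
        ForEach-Object { "$($_.Key) ($($_.Value)) is not behind the pool name" }
    # Addresses still published for the pool that match no current member
    $orphaned = $PoolRecords |
        Where-Object { $MemberAddresses.Values -notcontains $_ } |
        ForEach-Object { "$_ resolves for the pool but matches no member" }
    [pscustomobject]@{ Missing = @($missing); Orphaned = @($orphaned) }
}

# Constructed sample: a third Edge Server was installed but its record was never added,
# and an address from a decommissioned server is still published for the pool.
$result = Compare-EdgePoolDns `
    -PoolRecords @('10.0.1.11', '10.0.1.12', '10.0.1.99') `
    -MemberAddresses @{
        'edge01.contoso.local' = '10.0.1.11'
        'edge02.contoso.local' = '10.0.1.12'
        'edge03.contoso.local' = '10.0.1.13'
    }
$result.Missing
$result.Orphaned

# Against live DNS and the topology, from a machine with the Lync Server Management Shell
# and the DnsClient module (Windows 8 / Windows Server 2012 or later):
#   $pool = (Resolve-DnsName -Name 'edgepool.contoso.local' -Type A | Where-Object IPAddress).IPAddress
#   $members = @{}
#   foreach ($m in (Get-CsPool -Identity 'edgepool.contoso.local').Computers) {
#       $members[$m] = (Resolve-DnsName -Name $m -Type A | Where-Object IPAddress).IPAddress |
#           Select-Object -First 1
#   }
#   Compare-EdgePoolDns -PoolRecords $pool -MemberAddresses $members
```

On the sample, Missing names edge03 and Orphaned names 10.0.1.99. When a hardware load balancer is used instead, the same comparison applies to the VIP's real-server list rather than to DNS A records.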