Microsoft® Lync™ Server 2010 Hybrid Scenarios, Module 20
TRANSCRIPT
Microsoft Corporation
Session Objectives
At the end of this session you will be able to:
• Describe the Lync Online high level architecture and topology
• Have a more detailed understanding of the Lync Online topology to assist in issue analysis and troubleshooting
Lync Online Topology Introduction
• High level Architecture
• Office Communications Data Forests (OCDFs)
  • Shared OCDF Resources
    • Pools
    • Directors
    • Domain controllers (DCs)
    • System Center Operations Manager (SCOM)
    • Monitoring
    • Edge Server
    • Mediation <-> Public Switched Telephone Network (PSTN) for Audio Conferencing Provider (ACP)
    • Witness Server
  • Pool Resources
    • Up to 5 pools with 8 Lync Server 2010 Front End (FE) servers and a pair of Back End (BE) servers
    • BE databases (DBs) are Windows Clustered and SQL Server® mirrored
Tenant Residency
• Both Office 365 Standard and Light customers are hosted on the same Lync Online deployment infrastructure. There are no separate deployments for the two service classes since they only differ in the tenant and/or user policies
• Each Lync Online tenant is either a Standard customer or a Light customer, but not both
• Each Lync Online tenant belongs to exactly one OCDF in the geographical data center conforming to regional/country regulations. All users of the tenant are assigned to one Pool of the OCDF
• There is no support for multi-national tenancy where tenant users have to be assigned to geographically dispersed data centers based on regional regulations
Generic Lync Online Deployment Architecture
Lync Online Specifics
• First point of contact – Director Array
• Front End stamps users as external instead of the Edge
• Access Proxy (AP)/Lync Edge for federation with non-Lync Online partners or personal Internet communicator (PIC)
• Inter-tenant federation traffic does not go through APs – routed internally
• Domain Name Service (DNS) load balancing not employed – using Hardware Load Balancing (HLB)
• Server draining not available in all cases due to HLB use
• AddressBook (AB) Web Query online – no AB Download
• Distribution List Expansion (DLX) – no control to hide DL membership for users in the same tenant
• Call Admission Control (CAC)/Packet Data Protocol (PDP) not used
• Global routing – Directors sync with the Active Directory® Domain Services (AD DS) from other OCDFs
• GeoDNS – used to balance client traffic among OCDFs
Lync Online Specifics
• Firewall – no external or internal firewall in Lync Online. Use Global Foundation Services (GFS) firewall infrastructure and place access control list (ACL) rules there
• Reverse Proxy not used. ACLs for web traffic placed on GFS firewall
• Archiving – there is no archiving in Lync Online. It may be offered in the future for compliance
• Enterprise Voice feature – Lync Online does not offer any Enterprise Voice features, e.g., Call Park Server (CPS)/Response Group Service (RGS), at this time as there is no onsite PSTN gateway
• Group Chat – Lync Online does not support this feature
• Device support – there is no device support for Lync Online. The only client supported will be Lync 2010
Global Traffic Management
• Global Traffic Management (GTM) is used to distribute traffic using DNS between VIPs, either in the same data center or between global data centers. It provides optimal performance based on the closest node in terms of network latency, geographic proximity, or a configured balanced data center load distribution. Azure GTM has an additional feature that other GTM providers don't have: it builds proximity regional maps based on network performance between subnets across the Microsoft backbone.
• Lync Online is onboarded onto the Azure GTM platform
Global Routing
• Global GeoDNS Routing
  • Client connects to the closest geographical OCDF
  • May or may not be the client's home OCDF
• Inter-OCDF Routing
  • Director is equipped with the global routing database built by querying the ADs in all OCDFs
  • Director Array has a public VIP that is the central point of contact for SIP messages from entities outside of the OCDF or from the Lync Edge Servers in the case of federation or PIC
  • In the case of registration, it redirects the registering client to the home Pool Fully Qualified Domain Name (FQDN)
• Intra-OCDF Routing
  • Each FE has the full routing information for any user within the same OCDF, replicated from the AD of the OCDF.
Global Routing
Flexibility for Growth
• Add servers into the existing shared resources and existing Pools
  • Directors
  • Mediation
  • Edge servers
• Add a new Pool into the existing OCDF
• Add a new OCDF
  • Currently 2 OCDFs
    • One in San Antonio (SN2)
    • One in Blue Ridge (BL2)
Exchange Online Unified Messaging Integration
• Lync Online supports Exchange Online (EXO) Unified Messaging (UM) integration for customers who are still deploying Lync on-premise
• On-premise deployment must be Lync 2010
• A separate domain with just Lync Online Edge Servers, Media Relays and Central Management Server is deployed as a routing point for messages between EXO/Outlook Web App (OWA) and on-premise Lync 2010
• This domain is called ExUM, standing for Exchange UM integration
VLANs - IP Address Management
• Virtual local-area network (VLAN) A for public IP addresses
  • Hosts the public VIPs for the server arrays and public Secure Network Address Translation (SNAT) Internet Protocol (IP) addresses on the external network interface of the HLB, as well as public IP addresses for the Edge Servers on their external network interfaces
• VLAN B for Mediation Server public IP addresses
  • Hosts the public IP addresses for mediation servers so that ACP traffic has a separate VLAN for routing through dedicated circuits to ACP partners rather than through the Internet
• VLAN C for private VIPs
  • Hosts only the private VIPs for the server arrays on the internal network interface of the HLB
• VLAN D for back-end Lync Online servers
  • Hosts the private IP addresses for all the Lync Online servers, including the Edge servers and the Mediation servers
Public IP Assignments
• For Media Relay, a public IP is assigned to the Edge Server hosting the Media Relay role. Allowing the clients to talk to the Edge Servers directly without going through the HLB avoids the potential negative impact on A/V quality incurred by hair-pinning both media streams through the HLB
• A public IP is assigned to each Mediation Server because some ACP partners do not support Real-Time Transport Protocol (RTP) latching on their Session Initiation Protocol (SIP) Session Border Controllers (SBCs). To overcome this, Lync Online exposes a public IP as the source address, as private address networks cannot be exposed between the Microsoft data center and the ACP
Details on Public IP
• Two public VIPs, one for SIP and one for web, are assigned to the Director Array for each OCDF
• Two public VIPs, one for SIP and one for web, are assigned to the Lync FE Array for each Pool
• One public VIP is assigned to the Access Proxy Array for each OCDF
• One public VIP is assigned to the Data Proxy Array for each OCDF
• One public VIP is assigned to the Media Relay Array for each OCDF
• One public DIP is assigned to the Media Relay role on each Edge server
• One public DIP is assigned to each Mediation server
• One public DIP is assigned to the Dashboard server
SNAT Pool Public IP Addresses
• The HLB needs to allocate a public IP address and a port to the connection before forwarding the connection to an individual server in the Array
• Each IP address has at most 65535 ports, so multiple SNAT IP addresses may be needed
• Each Pool in Lync Online is expected to handle up to 100K concurrent connections
• For 5 Pools there will be 500K concurrent connections per OCDF, which requires at least 8 public IP addresses
• At least 10 public IP addresses are allocated for SNAT purposes per OCDF
DNS Management
• <geodns> = lync.glbdns.microsoft.com, which is the domain for the GeoDNS provider
• <lyncprod> = online.lync.com, which is the domain for Lync Online
• <sn20a> = mcsn20a001.local, which is the internal domain name for OCDF SN20A
• <bl20a> = mcbl20a001.local, which is the internal domain name for OCDF BL20A
Disjoint DNS/Service Domain
• Public domain – what Lync Online presents to the external world
• Internal domain – OCDF specific – internal only

Type            | OCDF | Domain Suffix
Public Domain   | Any  | <lyncprod>
Internal Domain | SN2  | mcsn20a001.local
Internal Domain | BL2  | mcbl20a001.local
GeoDNS Setup
• Top-level <geodns> is reserved for production deployment only, to distribute incoming traffic to the services
• Second-level xxx.<geodns> can be used for non-production deployments such as Engineering Dogfood (EDF), Commercial Technology Preview (CTP), or Pre-Production Environment (PPE)
• Two FQDNs
  • sipdir.<geodns> - VIP of the Director Array
  • sipfed.<geodns> - VIP of the Access Proxy Array
Public DNS Setup
Two CNAME records redirect clients to GeoDNS

Lync Online FQDN  | Type  | GeoDNS FQDN     | Notes
sipdir.<lyncprod> | CNAME | sipdir.<geodns> | Redirect client DNS query to GeoDNS for SIP
sipfed.<lyncprod> | CNAME | sipfed.<geodns> | Redirect client DNS query to GeoDNS for federation
Private DNS Setup
• Internal VIPs on the HLB
• Any server within the OCDF
• Special roles such as SQL in the Lync Online BE also require private FQDNs be set up for the DBA.
• Refer to the course module for the table of Private IP Addresses
Tenant DNS SRV Setup
• For auto-discovery and federation, two DNS SRV records must be provisioned on each tenant’s domain
• Vanity domain (contoso.com) – Tenant must provision
• Managed domain (contoso.onmicrosoft.com) – provisioned automatically
Tenant SRV Records

Type    | Purpose        | FQDN                                           | Port | Protocol | Mapping
Vanity  | Auto-Discovery | _sip._tls.contoso.com                          | 443  | SIP      | sipdir.<lyncprod>
Vanity  | Federation     | _sipfederationtls._tcp.contoso.com             | 5061 | SIP      | sipfed.<lyncprod>
Managed | Auto-Discovery | _sip._tls.contoso.onmicrosoft.com              | 443  | SIP      | sipdir.<lyncprod>
Managed | Federation     | _sipfederationtls._tcp.contoso.onmicrosoft.com | 5061 | SIP      | sipfed.<lyncprod>
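An added example, not code from the module, that ties the Tenant SRV table to the Global Routing slide: it checks a tenant's published SRV records against the required set, follows the sipdir/sipfed CNAMEs to GeoDNS for the client's closest OCDF, and models the Director's global routing lookup that redirects registration to the home pool. The VIP addresses, the pool FQDN pool01.mcbl20a001.local and the GLOBAL_ROUTING contents are constructed placeholders; the SRV names, ports and targets follow the table above.

```python
# Added example (not the module's code); every record value here is constructed.
LYNCPROD = "online.lync.com"           # <lyncprod>
GEODNS = "lync.glbdns.microsoft.com"   # <geodns>

def expected_srv(tenant_domain):
    """The two SRV records a tenant domain must publish: name -> (port, target)."""
    return {
        f"_sip._tls.{tenant_domain}": (443, f"sipdir.{LYNCPROD}"),
        f"_sipfederationtls._tcp.{tenant_domain}": (5061, f"sipfed.{LYNCPROD}"),
    }

def check_tenant_srv(tenant_domain, published):
    """Findings for a tenant's published SRV set (name -> (port, target)); [] is good."""
    findings = []
    for name, (port, target) in expected_srv(tenant_domain).items():
        got = published.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got[0] != port or got[1].lower().rstrip(".") != target:
            findings.append(f"{name}: published {got[0]} {got[1]}, expected {port} {target}")
    return findings

# Constructed public zone: CNAME hand-off to GeoDNS, which answers per closest OCDF.
PUBLIC_ZONE = {
    f"sipdir.{LYNCPROD}": ("CNAME", f"sipdir.{GEODNS}"),
    f"sipfed.{LYNCPROD}": ("CNAME", f"sipfed.{GEODNS}"),
    f"sipdir.{GEODNS}": ("GEO", {"SN20A": "203.0.113.10", "BL20A": "198.51.100.10"}),
    f"sipfed.{GEODNS}": ("GEO", {"SN20A": "203.0.113.20", "BL20A": "198.51.100.20"}),
}

def resolve(name, nearest_ocdf, zone=PUBLIC_ZONE, max_hops=8):
    """Follow CNAMEs to GeoDNS and return the Director/AP VIP; None if broken or looping."""
    for _ in range(max_hops):
        rtype, data = zone.get(name, (None, None))
        if rtype == "CNAME":
            name = data
        elif rtype == "GEO":
            return data.get(nearest_ocdf)
        else:
            return None
    return None

# Constructed global routing database as held by the Director Array (placeholder pool FQDN).
GLOBAL_ROUTING = {"contoso.com": ("BL20A", "pool01.mcbl20a001.local")}

def director_redirect(sip_address, contacted_ocdf):
    """Director answers registration with the home pool FQDN even when contacted from another OCDF."""
    domain = sip_address.rsplit("@", 1)[-1].lower()
    if domain not in GLOBAL_ROUTING:
        return None
    home_ocdf, pool_fqdn = GLOBAL_ROUTING[domain]
    return {"home_ocdf": home_ocdf, "pool": pool_fqdn,
            "cross_ocdf": home_ocdf != contacted_ocdf}
```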
AutoDiscovery Flow
Integration with the Environment: AD and Certificate Provisioning

Cert                        | SN                                   | Private/Public Keys     | Servers      | Cert Store (Local Computer)
LiveID Token Encryption     | liveid.<lyncprod>                    | Lync Online/LiveID      | FEs, DIRs    | Personal
Wildcard Lync Online        | *.<lyncprod>                         | Lync Online/OC          | All          | Personal
Federation                  | sipfed.<lyncprod>                    | Lync Online/Partner     | Edge Servers | Personal
Provisioning MSODS Sync PIC | prov.<lyncprod>                      | Lync Online/BPOS        | DIRs         | Personal
BOX UI                      | boxazppe.partner.microsoftonline.com | BOX/Lync Online         | DIRs         | Personal
Dashboard                   | dashboard.<lyncprod>                 | Lync Online/Lync Online | DIRs         | Personal
Certificate Descriptions/Usage
• LiveID Token Encryption Cert
  • This cert is shared between Lync Online and LiveID
• Wildcard Lync Online Cert
  • This cert is shared between Lync Online and external clients and among Lync Online servers
• Federation Cert
  • This is the cert used for federation with other partners, including PIC
• Business Online Experience (BOX) UI Cert
  • This is the cert used by BOX to establish a remote PS session with Lync Online for the Tenant Admin user experience
• Dashboard Cert
  • Used internally to enable secured communications between the Dashboard Server and the Directors for web services required by the Dashboard
Microsoft Online Directory Service Integration
• Lync Online is a federated service to MSO-DS
• Tenant/user information is first stored in the MSO master AD before a subset of the information is synced to Lync Online
• Only tenants with a valid Lync Online license are synced to LO AD
• Each OCDF is a Service Instance (e.g., SN20A, BL20A)
• Each OCDF connects to MSO-DS separately
  • MSO-DS webservice URL – identifies the MSO-DS system Lync Online connects to in order to enable the provisioning flow-through from MSO-DS
  • OCDF Service Instance name – identifies the OCDF service instance, which is unique for the Lync Online deployment. The name is provisioned into MSO-DS
  • The Provisioning Cert – enables authentication between MSO-DS and an OCDF
Business Online Experience (BOX) UI Integration
• BOX UI Cert
• The Lync Online Remote PS WS URL exposed to BOX UI

OCDF  | Lync Online Remote PS WS URL
SN20A | https://webdirsn20a00.<lyncprod>/ocspowershell
BL20A | https://webdirbl20a00.<lyncprod>/ocspowershell
LiveID Integration
• Lync Online utilizes LiveID for client authentication
• Each OCDF is registered with LiveID
  • A certificate is generated during the registration process by LiveID to associate with the OCDF
  • This cert is called the LiveID Token Encryption cert
  • The OCDF uses this cert to authenticate with LiveID
Exchange Access Proxy Production Topology
The Exchange Access Proxy (ExAP) Forest supports integration of EXO UM with Lync Server 2010 on-premise and OWA IM and Presence between EXO and Lync Server 2010 on-premise or Lync Online
ExAP Forest High Level Architecture
From a signaling perspective, Exchange UMS and ExAP servers can initiate connections from either side (for example, for voice mail deposits and retrievals). On the other hand, for OWA IM and Presence, only the code access security (CAS) on the OWA side initiates connections to ExAP; ExAP never initiates connections to OWA CAS
ExUM AP Topology for Lync Online
The ExAP Forest is a degenerate OCDF in the sense that there is no Lync Pool in the forest. Only the Edge Servers are doing the work, with AP and Media Relay (MR) roles. The shared servers, i.e., DC and content management system (CMS), are for configuration of the ExAP.

Diagram (not reproduced): ExAP Forest with a Public IP VLAN behind the GFS FW and HLB; EXAP1, EXAP2, EXAP3 (1U, dual homed, AP & MR); DC/WDS1 and DC/WDS2 (1U, DC/WDS, DNS/DHCP); CMS1 and CMS2 (SE, 1U: CMS FE, CMS BE, SCOM FE, SCOM BE); Backend LAN; EXO UMS and OWA CAS (EXO) and OCO reach the internal VIP VLAN subject to port ACL rules. Totals: 1 ExAP Forest, 3 Service AP (3 x 1U), 2 CMS FE&BE on OCS SE (1U), 2 DCs for the domain (1U), 7 machines in the EXAP domain (7 x 1U).
IP Address Management
• The ExAP Forest resides in the same set of VLANs as the OCDF in the same data centers (e.g., SN2 and BL2 for NA).
• Public IP Assignments
  • One public VIP for SIP signaling assigned to the Access Proxy Array
  • One public VIP for media assigned to the Media Relay Array
  • One public DIP is assigned to each Media Relay role on each of the three Edge Servers.
• Private IP Assignment
  • For each Edge server Array, private IP addresses are assigned to each individual server.
  • Internal VIPs are also assigned to the Access Proxy and Media Relay Arrays for EXO UMS and OWA CAS to establish connections to the ExAP Forest
DNS Management
• <geoum> = um.glbdns.microsoft.com, which is the domain for the GeoDNS provider
• <exapprod> = um.outlook.com, which is the domain for UM in Exchange
• <sn20b> = mcsn20b001.local, which is the internal domain name for ExAP Forest SN20B
• Disjoint DNS/Service Domain
  • Public domain - what ExAP presents to the external world and to EXO UM and OWA CAS
  • Internal domain - internal to the ExAP Forest
GeoDNS Setup
• sipex.<geoum>, which is the external global FQDN for on-premise Lync to establish media connectivity with the ExAP Forest outside of the Microsoft data centers
• sipex-int.<geoum>, which is the internal global FQDN for EXO UMS and OWA CAS to establish SIP connectivity with the ExAP Forest within the Microsoft data centers
• mrex.<geoum>, which is the external global FQDN for on-premise Lync to establish media connectivity with the ExAP Forest from outside of the Microsoft data centers
• mrex-int.<geoum>, which is the internal global FQDN for EXO UMS and OWA CAS to establish media connectivity with the ExAP Forest within the Microsoft data centers
Lync Online Topology Diagram
• Instructor to show Visio diagram in c:\classmaterials\docs\reference\Lync Online Topology Diagram Production.vsd
• You can install Visio viewer from c:\labfiles\visio viewer\visioviewer.exe
• Click on Forest A tab
• Note there are 2 forests per data center and a forest spans 2 data centers.
Q&A
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.