Module 3b Designing for Conferencing and External Scenarios Part 2


Page 1: Module 3bdownload.microsoft.com/download/4/4/4/444563A9-1493-4EE8... · 2018-10-13 · Server Module 4: Planning and Designing Load Balancing Connectivity Module 8b: Creating a Network

Module 3b: Designing for Conferencing and External Scenarios, Part 2

Page 2: Designing Lync Server 2010 Jump Start

Day 1: Topology Design
• Mod 1: Lync Server 2010 Design Process Overview
• Module 2a: Designing a LS 2010 Topology—ONE
• Module 2b: Designing a LS 2010 Topology—TWO
• Module 3a: Designing for Conferencing and Ext. Scenarios—ONE
• Module 3b: Designing for Conferencing and Ext. Scenarios—TWO
• Module 4: Planning and Designing Load Balancing Connectivity

Day 2: Infrastructure & Network Design
• Module 5: Designing a Mediation Server Topology
• Module 6a: Designing Voice Infrastructure—ONE
• Module 6b: Designing Voice Infrastructure—TWO
• Module 7: Designing Exchange Server UM Integration
• Module 8a: Creating a Network Design—ONE
• Module 8b: Creating a Network Design—TWO

Day 3: Services & Maintenance Design
• Module 9: Designing Location Services in Lync Server 2010
• Module 10: Designing Response Group Services
• Module 11: Designing Resiliency
• Module 12: Designing for Backup and Disaster Recovery
• Module 13: Designing Monitoring and Archiving Server
• Module 14: Planning a Migration to Lync Server 2010

Page 3: Module Agenda

• Conferencing Network Requirements
• Lync Deployment Process
• Requirements Gathering
• General Strategies
• Scenario Exercise

Page 4: Firewall Requirements Design: External Scenarios

[Diagram: traffic by server role across the Enterprise Perimeter Network. Traffic enters from the Internet through the External Firewall to the Reverse Proxy Server (Reverse Proxy External IP) and to the Lync Server 2010 Single Consolidated Edge (Access Edge, WebCon Edge and AV Edge External IPs, with the Media Authentication Service), then passes through the Internal Firewall via the Edge Internal IP to the corp net.]

Protocol/port labels on the diagram:
• Reverse Proxy: HTTPS/443 from the Internet to the perimeter; HTTP/80 and HTTPS/443 from the perimeter to the corp net
• Access Edge (external): DNS/53, SIP/TLS/443, SIP/MTLS/5061
• WebCon Edge (external): PSOM/TLS/443
• AV Edge (external): RTP/TCP/50,000-59,999, RTP/UDP/50,000-59,999, STUN/UDP/3478, STUN/TCP/443
• Edge internal interface to the corp net: SIP/MTLS/5061, PSOM/MTLS/8057, SIP/MTLS/5062, STUN/UDP/3478, STUN/TCP/443

Page 5: Conferencing IP Communication

Page 6: Edge Network Requirements

External Edge Interface
• Single Edge Server
‒ 1:1 NAT
• Hardware Load Balanced
‒ Routable IPs
• DNS Load Balanced
‒ 1:1 NAT

Internal Edge Interface
• No NAT supported

Page 7: Defining Filters

• URL Filters: You can block certain URLs from being clicked, and you can define this at a global level or at a site level.
• File Filters: Use these filters to block certain types of files from entering your network.
• Client Versioning Filters: You can use Client Versioning Filters to block and upgrade clients, so that you can ensure a certain minimum version level of your Lync Server 2010 clients in your organization.

Page 8: DNS Usage in Lync Server 2010

• Client discovery of logon servers
• Server to Server discovery of federation partners
• Client and server discovery of servers
• Device discovery of Device Update servers to update devices
• Clients and servers securely set up sessions

Page 9: Identifying Required DNS Records

Location      DNS Record                                  Target
External DNS  SRV: _sip._tls.contoso.com                  Access Edge Server: sip.contoso.com, port 443
External DNS  SRV: _sipfederationtls._tcp.contoso.com     Access Edge Server: sip.contoso.com, port 5061
External DNS  A: sip.contoso.com                          IP of Access Edge Server
External DNS  A: webconf.contoso.com                      IP of Web Conferencing Edge
External DNS  A: av.contoso.com                           IP of AV Edge
External DNS  A: rp.contoso.com                           IP of Reverse Proxy
External DNS  A: dialin.contoso.com                       IP of Reverse Proxy
External DNS  A: meet.contoso.com                         IP of Reverse Proxy
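The SRV-then-A lookup chain these records serve, as an added example that is not part of the Microsoft module: the zone below is a constructed stand-in for contoso.com's public DNS, the IPs are sample values, and the same-domain check on the SRV target is a sanity check added here, not a documented Lync client rule.

```python
"""Lync Server 2010 external DNS discovery, worked through offline."""
import re

# Constructed external zone for contoso.com, keyed by (name, type).
# SRV values are (priority, weight, port, target) as in RFC 2782.
ZONE = {
    ("_sip._tls.contoso.com", "SRV"): [(0, 0, 443, "sip.contoso.com")],
    ("_sipfederationtls._tcp.contoso.com", "SRV"): [(0, 0, 5061, "sip.contoso.com")],
    ("sip.contoso.com", "A"): ["203.0.113.10"],
    ("webconf.contoso.com", "A"): ["203.0.113.11"],
    ("av.contoso.com", "A"): ["203.0.113.12"],
    ("rp.contoso.com", "A"): ["203.0.113.20"],
    ("dialin.contoso.com", "A"): ["203.0.113.20"],
    ("meet.contoso.com", "A"): ["203.0.113.20"],
}

# Host labels of every A record the slide lists as required externally.
REQUIRED_A = ["sip", "webconf", "av", "rp", "dialin", "meet"]


def sip_domain(sip_uri):
    """Return the lower-cased domain part of a URI such as sip:bob@contoso.com."""
    m = re.fullmatch(r"(?:sip:)?[^@\s]+@([A-Za-z0-9.-]+)(?:;.*)?", sip_uri.strip())
    if not m:
        raise ValueError("not a SIP URI: %r" % sip_uri)
    return m.group(1).lower().rstrip(".")


def pick_srv(records):
    """Select one SRV record: lowest priority first, then highest weight."""
    return sorted(records, key=lambda r: (r[0], -r[1]))[0]


def discover(sip_uri, service="_sip._tls", zone=ZONE):
    """Resolve the SRV for the user's domain, then the target's A record.

    Clients query _sip._tls, federation partners _sipfederationtls._tcp.
    Returns (target, port, ip) or raises LookupError where the chain breaks.
    """
    domain = sip_domain(sip_uri)
    srv = zone.get((service + "." + domain, "SRV"))
    if not srv:
        raise LookupError("no SRV record for %s.%s" % (service, domain))
    _prio, _weight, port, target = pick_srv(srv)
    # Sanity check added in this example: an SRV that points into a
    # foreign domain is a misconfiguration (or a hijack) worth flagging.
    if not target.lower().endswith("." + domain):
        raise LookupError("SRV target %s is outside %s" % (target, domain))
    ips = zone.get((target, "A"))
    if not ips:
        raise LookupError("SRV target %s has no A record" % target)
    return target, port, ips[0]


def missing_required_records(domain, zone=ZONE):
    """List the required external A records the zone does not hold."""
    return [h for h in REQUIRED_A if (h + "." + domain, "A") not in zone]


if __name__ == "__main__":
    print(discover("sip:bob@contoso.com"))
    print(discover("sip:bob@contoso.com", "_sipfederationtls._tcp"))
    print(missing_required_records("contoso.com"))
```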

Page 10: Module 3bdownload.microsoft.com/download/4/4/4/444563A9-1493-4EE8... · 2018-10-13 · Server Module 4: Planning and Designing Load Balancing Connectivity Module 8b: Creating a Network

Within the Lync Server 2010, Public Key Infrastructure (PKI) is used while using

Transport Layer Security (TLS) and Mutual Transport Layer Security (MTLS)

Lync Server 2010 certificates are used for:

• TLS connections between client and server

• MTLS connections between servers

• Federation using automatic DNS discovery of partners

• Remote user access for instant messaging (IM)

• External user access to audio/video (A/V) sessions, application sharing, and conferencing

PKI Certificate Usage in Lync Server 2010

Page 11: Subject Names and Subject Alternate Names

• Subject Name of a given X.509 certificate is supported by all PKIs and certificate authority implementations, including all commercial third-party certificate authorities
• Subject Alternative Name property on X.509 certificate:
‒ Provides alternative subject names in the certificate
‒ Enables TLS and MTLS connections to different names which all resolve to the same physical or virtual server
• The following server roles use certificates with SAN:
‒ Edge Servers
‒ Front End servers and Directors

Page 12: Planning for Types of Certificates and Providers

• You can use public certificates for Lync Server Access Edge, Reverse Proxy, and Exchange Web Services
• You can deploy private certificates for all internal Lync Server 2010 roles, and for the internal interface of Lync Server Edge servers
• When deploying an internal certificate authority, a key item that you need to configure is CRL download locations
• When deploying public certificates, you need to consider a few items such as CRL download locations and root certificate support

Page 13: Other Certificate Usage Scenarios

• In Lync Server 2010 infrastructure, the following use certificates:
‒ Survivable Branch Appliances (SBAs)
‒ Web Services

SBA Provisioning

1. SBA gets a certificate installed on it and uses it for client authentication
2. SBA looks at the SIP domain part of the SIP URI of the client attempting to register and compares it to the installed certificate
3. If the domain part of the SIP URI matches a domain that is present in the SBA certificate, the client is allowed to register to the SBA
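The three provisioning steps above as an added worked example, not the SBA's own code: SBA_CERT is a constructed stand-in for the parsed certificate (subject CN plus SAN dNSName entries), the REGISTER attempts are constructed sample traffic, and the exact-match rule (a wildcard name earns no credit) is an assumption of this example.

```python
"""SBA registration gate: allow a client only if its SIP domain is in the cert."""
import re

# Constructed stand-in for the certificate installed on the SBA.
SBA_CERT = {
    "subject_cn": "sba-redmond.contoso.com",
    "san_dns": ["sba-redmond.contoso.com", "contoso.com", "*.contoso.com"],
}


def cert_domains(cert):
    """All DNS names the certificate vouches for, normalised for comparison."""
    names = [cert.get("subject_cn", "")] + list(cert.get("san_dns", []))
    return {n.lower().rstrip(".") for n in names if n}


def sip_domain(sip_uri):
    """Step 2: extract the domain part of the registering client's SIP URI."""
    m = re.fullmatch(r"(?:sip:)?[^@\s]+@([A-Za-z0-9.-]+)(?:;.*)?", sip_uri.strip())
    if not m:
        raise ValueError("not a SIP URI: %r" % sip_uri)
    return m.group(1).lower().rstrip(".")


def may_register(cert, sip_uri):
    """Step 3: allow only when the URI's domain is present in the certificate.

    Assumption of this example: only exact, case-insensitive matches count,
    so *.contoso.com vouches neither for contoso.com nor for branch.contoso.com.
    Malformed URIs are denied rather than raising.
    """
    try:
        domain = sip_domain(sip_uri)
    except ValueError:
        return False
    return domain in cert_domains(cert)


def audit_registrations(cert, attempts):
    """One audit line per attempt; the DENY lines are what to alert on."""
    lines = []
    for uri in attempts:
        verdict = "ALLOW" if may_register(cert, uri) else "DENY"
        lines.append("%s REGISTER %s" % (verdict, uri))
    return lines


if __name__ == "__main__":
    # Constructed sample REGISTER attempts seen by the SBA.
    for line in audit_registrations(SBA_CERT, [
        "sip:bob@contoso.com",
        "sip:Bob@CONTOSO.COM;transport=tls",
        "sip:carol@branch.contoso.com",
        "sip:eve@attacker.example",
        "not a uri",
    ]):
        print(line)
```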

Page 14: Scenario—Technical Requirements

• High Availability:
‒ Presence, Conferencing, and Voice should be available 24x7
‒ Solution in place to allow for redundancy for the deployed solutions for the SIP traffic and web traffic.
• Scalability:
‒ The solution must be able to scale to accommodate 10,000 total users at the Redmond site alone.
• Archiving:
‒ Archive user communication on demand, if the need arises, for specific users or across the Office Communication Organization for users that are provisioned on the system.
‒ Get statistics on the usage of the system, such as total Instant Messages, VoIP calls, and conferences that take place throughout the architecture.

Page 15: Scenario—Technical Requirements (cont.)

• Archiving (cont.):
‒ Adherence to the legal requirement to archive user communication is pending at this time.
• External Access:
‒ Ability to have the following functions externally (from outside the corporate network, without requiring VPN):
  • Instant Messaging
  • Web Conferencing
  • Audio/Video Conferencing
  • Application Sharing
  • Dial-in Conferencing

Page 16: Scenario—User Requirements

• User Requirements:
‒ All users should have access to Instant Messaging as well as Web and Audio/Video Conferencing abilities, unless otherwise specified
‒ System infrastructure able to handle load of approximately 60% concurrent usage for IM, Web, or A/V Conferencing
• Client Requirements:
‒ Users must be able to connect over slow link connections
‒ Support Lync Server 2010, and on a smart phone or pocket PC, Web Access deployment is not a requirement.
‒ Currently, A. Datum has 500–600 Windows mobile devices, and about 5,000 laptops
‒ Where applicable, auto-configuration should be used for clients to sign in to the proposed solution, using the current DNS architecture.
‒ Enable internal and external users to download the necessary address book files.

Page 17: Scenario—User Requirements (cont.)

• Client Requirements (cont.):
‒ SIP URI will be the SMTP address used for the current email address, such as [email protected].
• System Requirements:
‒ Local administrators around the world should have the ability to administer their Office Communications Servers.
‒ Proposed solution should incorporate necessary antivirus or anti-spam applications; enable encryption of SIP traffic for client-to-server and server-to-server communication
‒ The proposed solution should have the ability to incorporate monitoring into System Center Operations Manager.
• Migration requirements:
‒ A. Datum would like a smooth migration with minimum user impact.
‒ A. Datum can tolerate that some services are not load balanced/highly available during a shorter coexistence period.

Page 18: Scenario—Assumptions

• A. Datum resources will communicate with the project team and perform their assigned tasks within the given time frame.

• The project will comply with existing security and operational policies where they exist and where they are consistent with requirements of the system. Where they are insufficient, the project team will define the policies and procedures.

• Executive sponsorship for overall program/initiative will be provided, including business unit support where needed.

• Steering committee consisting of global resources will assist with key design requirements and decisions.

• A. Datum stakeholders will provide access to any other updated information regarding the existing network environment, other IT project initiatives, and so on.

Page 19: Scenario—Assumptions (cont.)

• Team members will be empowered to make decisions quickly.
• Steering committee will record the baseline set of requirements.
• External projects may have a significant impact on the timeline, schedule, and deliverables.
• A. Datum will be responsible for ensuring that adequate WAN bandwidth and connectivity exist between the sites.
• Active Directory is being designed to support Exchange 2010.

Page 20: Scenario—Service Level Agreements

• The following SLAs were documented in completing the list of requirements from key stakeholders:
• Services statement:
‒ Strive to ensure end-user satisfaction.
‒ Respond to requests for support within published time frames.
‒ Interact with faculty and staff in a positive manner.
‒ Continue to improve quality of service for users.
‒ Regularly review and monitor VoIP calls that ingress and egress the environment.
• Hours of operation:
‒ Service support is available when needed during the following hours of operation:
  • 24 hrs; 7 days a week

Page 21: Scenario—Service Level Agreements (cont.)

• Customer responsibilities:
‒ Provide detailed information regarding the service request.
‒ Make every effort to be available for very critical issues.
‒ Notify the helpdesk in advance about any changes to the environment that will affect users.
• Priority levels:
‒ High–A problem with no known workaround that affects a single user
  • Response time within 10 mins
‒ Medium–A general service issue or problem with a workaround solution
  • Response time within 30 mins
‒ Low–A service request that does not require immediate attention or involves long range planning
  • Response time within 45 mins

Page 22: Scenario—Lync Server 2010-specific SLAs (cont.)

• Federation capabilities with instant messaging and voice should be put at a high level with regard to uptime.
• VoIP should never fail and should always be available.
• Existing PSTN connectivity will be used with the initial planning and deployment.
• SIP Trunking should be considered as an option, going forward, with the Enterprise Voice solution, if at all possible.
• Archiving is important to us and needs to be operational.
• A. Datum requires that Instant Messaging capabilities with Lync Server 2010 should be available 99.99% of the time because this would be used as the major method for communication, should phones or email not be available.
• It is essential that head office users have VoIP available 24/7.

Page 23: Scenario—Lync Server 2010-specific SLAs (cont.)

• The core services of Lync Server such as Lync Server Audio/Video Conferencing, Lync Server Bandwidth Policy Service (Authentication), Lync Server Bandwidth Policy Service (core), Lync Server Web Conferencing, Lync Server Web Conferencing Compatibility, Lync Server Replica Replicator Agent, and Lync Server Response Group should be a best effort if they fail for any reason.

Page 24: Interview Notes

David Alexander, CEO

The Board of Directors has initiated a three-year plan that will result in A. Datum increasing in size. Some of this growth is going to come from internal growth by expanding our current businesses, but the plan also calls for a very aggressive acquisitions strategy in the coming years. Much of my time for the next three years will be spent identifying potential acquisitions around the world and negotiating partnerships or takeovers. Your communications solution has to be very flexible and easily expandable.

Mary Kay Andersen, CIO

In the last three years since I became the CIO, our email and communications system has changed from being a useful tool for business to being a critical part of our business processes. For example, everybody notices when someone is not available when you are trying to reach them in critical moments, and this applies both to our internal users and our business partners.

The solution we decide to go with should be utilized for all users, so we do not have different communications silos, where our Unified Communications solutions do not talk together.

Page 25: Interview Notes (cont.)

Sidney Higa, Vice President–North America

The organization’s Security and Compliance Department is based in Redmond, so they report to me. The head of that department tells me that the rules for how we do business, and especially, how we handle confidential or private information are changing all the time. Just about every country has laws regulating what we can do with private customer information, but the rules are often not the same. This gets very complicated for an international organization like ours where some of that information is crossing country borders. We need a communication solution that we can use to enforce some of the compliance requirements with regard to the method we use to communicate.

Page 26: Interview Notes (cont.)

Lucio Iallo, IT Manager

My biggest concern with this project is the budget. This company has a history of setting very high expectations for a project and then not providing the budget to do the job right. So, whatever design you come up with, we are going to have to be very conscious of the budget. I have been looking at SIP Trunking as one possible way to save costs on hardware and to provide local dial-in and dial-out capabilities for our remote locations, so I would like you to investigate this further.

Jonas Brandel, Network Operations Manager

The Network Operations department is responsible for managing all WAN links, local LANs, and firewalls. One of the restrictions that the Security department placed on us recently is that we have to restrict the ports that are open on the firewalls. We can accept SNMP, SIP, and SMTP traffic into our perimeter network, but not to the internal network.

Page 27: Interview Notes (cont.)

Zhang Larry, Network Specialist

I can provide you with a Microsoft Visio diagram that has all our WAN connections and our connections to the Internet. Our network right now is quite reliable, but we do not have much bandwidth between company locations.

Michael Holm, Directory Services Manager

The company just finished upgrading all Active Directory directory service domain controllers to Windows Server 2008. As part of the upgrade, we did a thorough review of our whole Active Directory design. We do not anticipate making any more changes to the Active Directory configuration for a while.

Page 28: Interview Notes (cont.)

Michelle Fredette, Unified Communications Services Manager

One of our biggest problems right now is all the mobile users that we have to support. We have quite a few users who travel quite a bit across the U.S. and are rarely in the head office. They will need a form of communication that allows them to talk to other mobile users who are remote or internal. I also have security concerns with these clients, but a bigger problem for them is functionality. We have more and more people asking for access to their Lync through cell phone devices.

Page 29: Interview Notes (cont.)

John Doe, Helpdesk Manager

I consider our ACD setup pretty straightforward in that it’s not that complicated. In fact, let me explain it to you, for you might need it for your Unified Communications project.

To begin with, all our customers call into A. Datum Corporation today for all their needs. We have different methods for users to get in contact with the areas they need. For example, customers can email “Shipping” if they need to. Customers can email “Sales” if they need to. We even have a line of offering where customers can complete their own orders and requests from the Internet or intranet. We would like for customers to be able to call into Adatum. However, for “Sales” and “Shipping” needs, that is the way we have it today with the current ACD.

So, the following is what they do today:

Page 30: Interview Notes (cont.)

• A call comes into Adatum
‒ Caller lets the automated system know which department the caller is trying to reach between Sales and Shipping
• If call goes to Sales:
‒ The call is queued there.
‒ Then, I believe it gets routed to two users on the helpdesk at the same time.
‒ I don’t believe we have serial calls, where the call is directed to one person and then directed to another if the first person is busy. (Not interested in that right now, but maybe sometime later in the future.)
• If callers in helpdesk don’t answer the call, it goes to a shared voicemail as of today.
• One of the agents answers the call.
• If the call cannot be resolved by the agent, the agent transfers the call to another person or group.
• Most of the time, the agent doesn’t have to transfer the call and can resolve the issue right there on the line with the customer.
• Same basic process for Shipping

Page 31: Module Reviews and Takeaways

• Review Questions
• Real-World Issues and Scenarios
• Best Practices

Page 32:

©2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Azure, System Center, Hyper-V and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.