module 3bdownload.microsoft.com/download/4/4/4/444563a9-1493-4ee8... · 2018-10-13 · server...
Module 3b: Designing for Conferencing and External Scenarios, Part 2
Designing Lync Server 2010 Jump Start
Day 1: Topology Design
• Module 1: Lync Server 2010 Design Process Overview
• Module 2a: Designing a LS 2010 Topology—ONE
• Module 2b: Designing a LS 2010 Topology—TWO
• Module 3a: Designing for Conferencing and Ext. Scenarios—ONE
• Module 3b: Designing for Conferencing and Ext. Scenarios—TWO
• Module 4: Planning and Designing Load Balancing Connectivity
Day 2: Infrastructure & Network Design
• Module 5: Designing a Mediation Server Topology
• Module 6a: Designing Voice Infrastructure—ONE
• Module 6b: Designing Voice Infrastructure—TWO
• Module 7: Designing Exchange Server UM Integration
• Module 8a: Creating a Network Design—ONE
• Module 8b: Creating a Network Design—TWO
Day 3: Services & Maintenance Design
• Module 9: Designing Location Services in Lync Server 2010
• Module 10: Designing Response Group Services
• Module 11: Designing Resiliency
• Module 12: Designing for Backup and Disaster Recovery
• Module 13: Designing Monitoring and Archiving Server
• Module 14: Planning a Migration to Lync Server 2010
Module Agenda
• Conferencing Network Requirements
• Lync Deployment Process
• Requirements Gathering
• General Strategies
• Scenario Exercise
Firewall Requirements Design: External Scenarios
[Figure: Enterprise Perimeter Network. A Reverse Proxy Server and a Lync Server 2010 Single Consolidated Edge (Access Edge, WebCon Edge and AV Edge external IPs, one Edge internal IP, and the Media Authentication Service) sit between the External Firewall (to Internet) and the Internal Firewall (to corp net). The slide builds the same diagram up over three animation steps; the complete port list from the final step is:]
Traffic by Server Role
• Reverse Proxy: HTTPS/443 from the Internet to the Reverse Proxy external IP; HTTP/80 and HTTPS/443 from the perimeter to the corp net
• Access Edge: DNS/53, SIP/TLS/443 and SIP/MTLS/5061 on the external interface; SIP/MTLS/5061 and SIP/MTLS/5062 (Media Authentication Service) on the internal interface
• WebCon Edge: PSOM/TLS/443 on the external interface; PSOM/MTLS/8057 on the internal interface
• AV Edge: STUN/UDP/3478, STUN/TCP/443, RTP/TCP/50,000-59,999 and RTP/UDP/50,000-59,999 on the external interface; STUN/UDP/3478 and STUN/TCP/443 on the internal interface
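To turn the port list into something a reviewer can check, here is an added example in Python (not part of the Jump Start deck and not Microsoft tooling). It encodes the flows from the slide per role and firewall side and audits a constructed firewall rule set, reporting required flows that no rule covers and rules that no Edge or Reverse Proxy flow needs. Assumptions: the rule set itself, checking DNS/53 over both TCP and UDP (the slide names no transport), and treating the Reverse Proxy's HTTP/80 and HTTPS/443 toward the corp net as internal-firewall flows.

```python
"""Audit a perimeter firewall rule set against the Lync Server 2010 Edge and
Reverse Proxy flows listed on the slide. Added example; the rule set is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    role: str      # perimeter role that terminates the flow
    side: str      # "external" (Internet-facing firewall) or "internal" (corp-net firewall)
    proto: str     # transport protocol
    ports: tuple   # (low, high), inclusive


@dataclass(frozen=True)
class Rule:
    side: str
    proto: str
    ports: tuple


# Flows from the slide's "Traffic by Server Role" list.
REQUIRED_FLOWS = [
    Flow("Reverse Proxy", "external", "tcp", (443, 443)),      # HTTPS/443
    Flow("Reverse Proxy", "internal", "tcp", (80, 80)),        # HTTP/80
    Flow("Reverse Proxy", "internal", "tcp", (443, 443)),      # HTTPS/443
    Flow("Access Edge", "external", "udp", (53, 53)),          # DNS/53 (transport assumed: both checked)
    Flow("Access Edge", "external", "tcp", (53, 53)),
    Flow("Access Edge", "external", "tcp", (443, 443)),        # SIP/TLS/443
    Flow("Access Edge", "external", "tcp", (5061, 5061)),      # SIP/MTLS/5061
    Flow("Access Edge", "internal", "tcp", (5061, 5061)),      # SIP/MTLS/5061
    Flow("Access Edge", "internal", "tcp", (5062, 5062)),      # SIP/MTLS/5062 (Media Authentication Service)
    Flow("WebCon Edge", "external", "tcp", (443, 443)),        # PSOM/TLS/443
    Flow("WebCon Edge", "internal", "tcp", (8057, 8057)),      # PSOM/MTLS/8057
    Flow("AV Edge", "external", "udp", (3478, 3478)),          # STUN/UDP/3478
    Flow("AV Edge", "external", "tcp", (443, 443)),            # STUN/TCP/443
    Flow("AV Edge", "external", "tcp", (50000, 59999)),        # RTP/TCP/50,000-59,999
    Flow("AV Edge", "external", "udp", (50000, 59999)),        # RTP/UDP/50,000-59,999
    Flow("AV Edge", "internal", "udp", (3478, 3478)),          # STUN/UDP/3478
    Flow("AV Edge", "internal", "tcp", (443, 443)),            # STUN/TCP/443
]


def covered(flow, rules):
    """A flow is covered when one rule on the same side and protocol spans its whole port range."""
    return any(r.side == flow.side and r.proto == flow.proto
               and r.ports[0] <= flow.ports[0] and flow.ports[1] <= r.ports[1]
               for r in rules)


def overlaps(rule, flow):
    return (rule.side == flow.side and rule.proto == flow.proto
            and not (flow.ports[1] < rule.ports[0] or rule.ports[1] < flow.ports[0]))


def audit(rules, required=REQUIRED_FLOWS):
    """Return (required flows with no covering rule, rules no required flow touches)."""
    missing = [f for f in required if not covered(f, rules)]
    unused = [r for r in rules if not any(overlaps(r, f) for f in required)]
    return missing, unused


# Constructed rule set: the A/V media range was forgotten and an unrelated
# TCP/3389 opening was left on the external firewall.
PLANNED_RULES = [
    Rule("external", "tcp", (443, 443)),
    Rule("external", "tcp", (5061, 5061)),
    Rule("external", "udp", (53, 53)),
    Rule("external", "tcp", (53, 53)),
    Rule("external", "udp", (3478, 3478)),
    Rule("external", "tcp", (3389, 3389)),   # needed by no Edge role
    Rule("internal", "tcp", (80, 80)),
    Rule("internal", "tcp", (443, 443)),
    Rule("internal", "tcp", (5061, 5062)),
    Rule("internal", "tcp", (8057, 8057)),
    Rule("internal", "udp", (3478, 3478)),
]

if __name__ == "__main__":
    missing, unused = audit(PLANNED_RULES)
    for f in missing:
        print("MISSING", f)
    for r in unused:
        print("UNUSED ", r)
```

Running the audit on the constructed rules reports the two RTP/50,000-59,999 flows as missing and the TCP/3389 rule as unused; the unused list is the least-privilege side of the review, since every perimeter opening that no Lync flow needs is exposure without a purpose.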
Edge Network Requirements
Conferencing IP Communication
External Edge Interface:
• Single Edge Server
‒ 1:1 NAT
• Hardware Load Balanced
‒ Routable IPs
• DNS Load Balanced
‒ 1:1 NAT
Internal Edge Interface:
• No NAT supported
Defining Filters
• URL Filters: You can block certain URLs from being clicked, and you can define this at a global level or at a site level.
• File Filters: Use these filters to block certain types of files from entering your network.
• Client Versioning Filters: You can use Client Versioning Filters to block and upgrade clients, so that you can ensure a certain minimum version level of your Lync Server 2010 clients in your organization.
DNS Usage in Lync Server 2010
• Client discovery of logon servers
• Server-to-server discovery of federation partners
• Client and server discovery of servers
• Device discovery of Device Update servers to update devices
• Clients and servers securely set up sessions
Identifying Required DNS Records
Location       Record                                       Target
External DNS   SRV: _sip._tls.contoso.com                   Access Edge Server: sip.contoso.com, port 443
External DNS   SRV: _sipfederationtls._tcp.contoso.com      Access Edge Server: sip.contoso.com, port 5061
External DNS   A: sip.contoso.com                           IP of Access Edge Server
External DNS   A: webconf.contoso.com                       IP of Web Conferencing Edge
External DNS   A: av.contoso.com                            IP of AV Edge
External DNS   A: rp.contoso.com                            IP of Reverse Proxy
External DNS   A: dialin.contoso.com                        IP of Reverse Proxy
External DNS   A: meet.contoso.com                          IP of Reverse Proxy
PKI Certificate Usage in Lync Server 2010
Within Lync Server 2010, Public Key Infrastructure (PKI) underpins Transport Layer Security (TLS) and Mutual Transport Layer Security (MTLS).
Lync Server 2010 certificates are used for:
• TLS connections between client and server
• MTLS connections between servers
• Federation using automatic DNS discovery of partners
• Remote user access for instant messaging (IM)
• External user access to audio/video (A/V) sessions, application sharing, and conferencing
Subject Names and Subject Alternative Names
• The Subject Name of a given X.509 certificate is supported by all PKIs and certificate authority implementations, including all commercial third-party certificate authorities
• The Subject Alternative Name property on an X.509 certificate:
‒ Provides alternative subject names in the certificate
‒ Enables TLS and MTLS connections to different names which all resolve to the same physical or virtual server
• The following server roles use certificates with SAN:
‒ Edge Servers
‒ Front End servers and Directors
Planning for Types of Certificates and Providers
• You can use public certificates for Lync Server Access Edge, Reverse Proxy, and Exchange Web Services
• You can deploy private certificates for all internal Lync Server 2010 roles, and for the internal interface of Lync Server Edge servers
• When deploying an internal certificate authority, a key item that you need to configure is CRL download locations
• When deploying public certificates, you need to consider a few items such as CRL download locations and root certificate support
Other Certificate Usage Scenarios
• In Lync Server 2010 infrastructure, the following use certificates:
‒ Survivable Branch Appliances (SBAs)
‒ Web Services
SBA Provisioning
1. SBA gets a certificate installed on it and uses it for client authentication
2. SBA looks at the SIP domain part of the SIP URI of the client attempting to register and compares it to the installed certificate
3. If the domain part of the SIP URI matches a domain that is present in the SBA certificate, the client is allowed to register to the SBA
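Both the SAN slide (one certificate answering for several names that resolve to the same server) and the SBA registration steps come down to matching a DNS name against the names a certificate carries. The added Python example below, not from the deck or from any Microsoft component, implements that once: a Subject Name plus SAN list is checked for coverage of the names a role must answer for, and the same matcher drives the SBA decision from steps 2 and 3. Assumptions: certificates are represented as constructed dicts rather than parsed X.509 files; the required names per role are taken from the DNS slide in this module (which names each certificate must carry is a design input the deck does not spell out); and an SBA certificate is treated as "containing" a SIP domain when one of its names is that domain or sip.<domain>.

```python
"""Certificate name coverage (Subject Name + SAN) and the SBA domain check.
Added example; certificates are constructed dicts, not real X.509 objects."""


def name_matches(pattern, fqdn):
    """RFC 6125-style host matching: exact match, or a single leading '*' label
    that stands for exactly one label. Case-insensitive; trailing dots ignored."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        plabels, flabels = pattern.split("."), fqdn.split(".")
        return len(plabels) == len(flabels) and plabels[1:] == flabels[1:]
    return False


def cert_names(cert):
    """Subject Name first, then every SAN entry (the slide's roles rely on the SANs)."""
    return [cert["subject"]] + list(cert.get("san", []))


def uncovered_names(cert, required):
    """Names in 'required' that no Subject Name or SAN entry of 'cert' matches."""
    return [n for n in required if not any(name_matches(p, n) for p in cert_names(cert))]


def sba_allows_registration(sba_cert, sip_uri):
    """Steps 2 and 3 from the slide: take the domain part of the client's SIP URI
    and allow registration only if the SBA certificate carries that domain.
    Assumption: a cert name equal to the domain or to sip.<domain> counts."""
    if "@" not in sip_uri:
        return False
    domain = sip_uri.rsplit("@", 1)[1].lower()
    return any(name_matches(p, domain) or name_matches(p, f"sip.{domain}")
               for p in cert_names(sba_cert))


# Names each role must answer for, taken from the DNS slide (assumed design input).
EDGE_EXTERNAL_REQUIRED = ["sip.contoso.com", "webconf.contoso.com"]
REVERSE_PROXY_REQUIRED = ["rp.contoso.com", "meet.contoso.com", "dialin.contoso.com"]

# Constructed certificates: the Reverse Proxy certificate was issued without dialin.*.
EDGE_CERT = {"subject": "sip.contoso.com", "san": ["sip.contoso.com", "webconf.contoso.com"]}
RP_CERT = {"subject": "rp.contoso.com", "san": ["rp.contoso.com", "meet.contoso.com"]}
SBA_CERT = {"subject": "sba-redmond.contoso.com",
            "san": ["sba-redmond.contoso.com", "sip.contoso.com"]}

if __name__ == "__main__":
    print("Edge external cert missing:", uncovered_names(EDGE_CERT, EDGE_EXTERNAL_REQUIRED))
    print("Reverse Proxy cert missing:", uncovered_names(RP_CERT, REVERSE_PROXY_REQUIRED))
    for uri in ("alice@contoso.com", "bob@fabrikam.com"):
        print(uri, "->", "register" if sba_allows_registration(SBA_CERT, uri) else "reject")
```

The wildcard rule matters when a public CA certificate is planned for the Reverse Proxy: *.contoso.com covers meet.contoso.com but not a name with an extra label, and it never covers the bare domain, so the coverage check should be run against the exact list of names external clients will be sent to.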
Scenario—Technical Requirements
• High Availability:
‒ Presence, Conferencing, and Voice should be available 24x7
‒ Solution in place to allow for redundancy for the deployed solutions for the SIP traffic and web traffic.
• Scalability:
‒ The solution must be able to scale to accommodate 10,000 total users at the Redmond site alone.
• Archiving:
‒ Archive user communication on demand, if the need arises, for specific users or across the Office Communication Organization for users that are provisioned on the system.
‒ Get statistics on the usage of the system, such as total Instant Messages, VoIP calls, and conferences that take place throughout the architecture.
Scenario—Technical Requirements (cont)
• Archiving (cont.):
‒ Adherence to the legal requirement to archive user communication is pending at this time.
• External Access:
‒ Ability to have the following functions externally (from outside the corporate network, without requiring VPN):
• Instant Messaging
• Web Conferencing
• Audio/Video Conferencing
• Application Sharing
• Dial-in Conferencing
Scenario—User Requirements
• User Requirements:
‒ All users should have access to Instant Messaging as well as Web and Audio/Video Conferencing abilities, unless otherwise specified
‒ System infrastructure able to handle load of approximately 60% concurrent usage for IM, Web, or A/V Conferencing
• Client Requirements:
‒ Users must be able to connect over slow link connections
‒ Support Lync Server 2010, and on a smart phone or pocket PC; Web Access deployment is not a requirement.
‒ Currently, A. Datum has 500–600 Windows mobile devices, and about 5,000 laptops
‒ Where applicable, auto-configuration should be used for clients to sign in to the proposed solution, using the current DNS architecture.
‒ Enable internal and external users to download the necessary address book files.
Scenario—User Requirements (cont.)
• Client Requirements (cont.):
‒ SIP URI will be the SMTP address used for current email address, such as [email protected].
• System Requirements:
‒ Local administrators around the world should have the ability to administer their Office Communications Servers.
‒ Proposed solution should incorporate necessary antivirus or anti-spam applications; enable encryption of SIP traffic for client-to-server and server-to-server communication.
‒ The proposed solution should have the ability to incorporate monitoring into System Center Operations Manager.
• Migration requirements:
‒ A. Datum would like a smooth migration with minimum user impact.
‒ A. Datum can tolerate that some services are not load balanced/highly available during a shorter coexistence period.
Scenario—Assumptions
• A. Datum resources will communicate with the project team and perform their assigned tasks within the given time frame.
• The project will comply with existing security and operational policies where they exist and where they are consistent with requirements of the system. Where they are insufficient, the project team will define the policies and procedures.
• Executive sponsorship for overall program/initiative will be provided, including business unit support where needed.
• Steering committee consisting of global resources will assist with key design requirements and decisions.
• A. Datum stakeholders will provide access to any other updated information regarding the existing network environment, other IT project initiatives, and so on.
Scenario—Assumptions (cont.)
• Team members will be empowered to make decisions quickly.
• Steering committee will record the baseline set of requirements.
• There may be external projects that may have significant impact on the timeline, schedule, and deliverables.
• A. Datum will be responsible for ensuring that adequate WAN bandwidth and connectivity exist between the sites.
• Active Directory is being designed to support Exchange 2010
Scenario—Service Level Agreements
• The following SLAs were documented in completing the list of requirements from key stakeholders:
• Services statement:
‒ Strive to ensure end-user satisfaction.
‒ Respond to requests for support within published time frames.
‒ Interact with faculty and staff in a positive manner.
‒ Continue to improve quality of service for users.
‒ Regularly review and monitor VoIP calls entering and leaving the environment.
• Hours of operation:
‒ Service support is available when needed during the following hours of operation.
• 24 hrs; 7 days a week
Scenario—Service Level Agreements (cont.)
• Customer responsibilities:
‒ Provide detailed information regarding service request.
‒ Make every effort to be available for very critical issues.
‒ Notify the helpdesk in advance about any changes to the environment that will affect users.
• Priority levels:
‒ High–A problem with no known workaround that affects a single user
• Response time within 10 mins
‒ Medium–A general service issue or problem with a workaround solution
• Response time within 30 mins
‒ Low–A service request that does not require immediate attention or involves long range planning
• Response time within 45 mins
Scenario—Lync Server 2010-specific SLAs (cont.)
• Federation capabilities with instant messaging and voice should be put at a high level with regard to uptime.
• VoIP should never fail and should always be available.
• Existing PSTN connectivity will be used with the initial planning and deployment.
• SIP Trunking should be considered as an option, going forward, with the Enterprise Voice solution, if at all possible.
• Archiving is important to us and needs to be operational.
• A. Datum requires that Instant Messaging capabilities with Lync Server 2010 should be available 99.99% of the time because this would be used as the major method for communication, should phones or email not be available.
• It is essential that head office users have VoIP available 24/7.
Scenario—Lync Server 2010-specific SLAs (cont.)
• The core services of Lync Server such as Lync Server Audio/Video Conferencing, Lync Server Bandwidth Policy Service (Authentication), Lync Server Bandwidth Policy Service (core), Lync Server Web Conferencing, Lync Server Web Conferencing Compatibility, Lync Server Replica Replicator Agent, and Lync Server Response Group should be a best effort if they fail for any reason.
Interview Notes
David Alexander, CEO
The Board of Directors has initiated a three-year plan that will result in A.
Datum increasing in size. Some of this growth is going to come from internal
growth by expanding our current businesses, but the plan also calls for a very
aggressive acquisitions strategy in the coming years. Much of my time for the
next three years will be spent identifying potential acquisitions around the
world and negotiating partnerships or takeovers. Your communications
solution has to be very flexible and easily expandable.
Mary Kay Andersen, CIO
In the last three years since I became the CIO, our email and communications
system has changed from being a useful tool for business to being a critical
part of our business processes. For example, everybody notices when someone
is not available when you are trying to reach them in critical moments, and this
applies both to our internal users and our business partners.
The solution we decide to go with should be utilized for all users, so we do not
have different communications silos, where our Unified Communications
solutions do not talk together.
Interview Notes cont.
Sidney Higa, Vice President–North America
The organization’s Security and Compliance Department is based in Redmond,
so they report to me. The head of that department tells me that the rules for
how we do business, and especially, how we handle confidential or private
information are changing all the time. Just about every country has laws
regulating what we can do with private customer information, but the rules are
often not the same. This gets very complicated for an international
organization like ours where some of that information is crossing country
borders. We need a communication solution that we can use to enforce some
of the compliance requirements with regard to the method we use to
communicate.
Interview Notes cont.
Lucio Iallo, IT Manager
My biggest concern with this project is the budget. This company has a history
of setting very high expectations for a project and then not providing the
budget to do the job right. So, whatever design you come up with, we are
going to have to be very conscious of the budget. I have been looking at SIP
Trunking as one possible way to save costs on hardware and to provide local
dial-in and dial-out capabilities for our remote locations, so I would like you to
investigate this further.
Jonas Brandel, Network Operations Manager
The Network Operations department is responsible for managing all WAN
links, local LANs, and firewalls. One of the restrictions that the Security
department placed on us recently is that we have to restrict the ports that are
open on the firewalls. We can accept SNMP, SIP, and SMTP traffic into our
perimeter network, but not to the internal network.
Interview Notes cont.
Zhang Larry, Network Specialist
I can provide you with a Microsoft Visio diagram that has all our WAN
connections and our connections to the Internet. Our network right now is
quite reliable, but we do not have much bandwidth between company
locations.
Michael Holm, Directory Services Manager
The company just finished upgrading all Active Directory directory service
domain controllers to Windows Server 2008. As part of the upgrade, we did a
thorough review of our whole Active Directory design. We do not anticipate
making any more changes to the Active Directory configuration for a while.
Interview Notes cont.
Michelle Fredette, Unified Communications Services Manager
One of our biggest problems right now is all the mobile users that we have to
support. We have quite a few users who travel quite a bit across the U.S. and
are rarely in the head office. They will need a form of communication that
allows them to talk to other mobile users who are remote or internal. I also
have security concerns with these clients, but a bigger problem for them is
functionality. We have more and more people asking for access to their Lync
through cell phone devices.
Interview Notes cont.
John Doe, Helpdesk Manager
I consider our ACD setup pretty straightforward in that it’s not that
complicated. In fact, let me explain it to you, as you might need it for your
Unified Communications project.
To begin with, all our customers call into A. Datum Corporation today for all
their needs. We have different methods for users to get in contact with the
areas they need. For example, customers can email “Shipping” if they need to.
Customers can email “Sales” if they need to. We even have a line of offering
where customers can complete their own orders and request from the Internet
or intranet. We would like for customers to be able to call into Adatum.
However, for “Sales” and “Shipping” needs, that is the way we have it today with
the current ACD.
So, the following is what they do today:
Interview Notes (cont.)
• A call comes into Adatum
‒ Caller lets the automated system know which department the caller is trying to reach between Sales and Shipping
• If call goes to Sales:
‒ The call is queued there.
‒ Then, I believe it gets routed to two users on the helpdesk at the same time.
‒ I don’t believe we have serial calls, where the call is directed to one person and then directed to another if the first person is busy. (Not interested in that right now, but maybe sometime later in the future.)
• If callers in helpdesk don’t answer the call, it goes to a shared voicemail as of today.
• One of the agents answers the call.
• If the call cannot be resolved by the agent, the agent transfers the call to another person or group.
• Most of the time, the agent doesn’t have to transfer the call and can resolve the issue right there on the line with the customer.
• Same basic process for Shipping
Module Reviews and Takeaways
• Review Questions
• Real-World Issues and Scenarios
• Best Practices
©2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Azure, System Center, Hyper-V and other product names are or may be registered
trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft
Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.