Installing Lync Edge Server in Double Hop DMZ
Overview
Active Directory and Lync Standard
In this article I set up the Edge Server role in a DMZ separated from the Front End by firewalls. All servers run Windows Server 2008 R2 Service Pack 1; Lync Server Standard Edition was configured with the SIP domain home.com.br, and the Active Directory domain FQDN is home.intranet.
http://3.bp.blogspot.com/-CDX8ZYslWEY/TynFpp8sQLI/AAAAAAAAC7Q/ch2c18S9wwo/s640/topologia.jpg
The servers were configured as follows:
Server Name | Role | IP Address
hm01.home.intranet | Domain Controller and Certificate Authority | 192.168.1.200
hm02.home.intranet | Lync Server Standard Edition | 192.168.1.201
hm10.home.intranet | TMG 2010 / packet filter between the internal network and DMZ 1 | Internal: 192.168.1.250 / DMZ 1: 172.16.0.250
hmRV.home.dmz | TMG 2010 configured as Reverse Proxy / packet filter between DMZ 1 and DMZ 2 | DMZ 1: 172.16.0.254 / DMZ 2: 10.0.0.251
hmEdge.home.dmz | Lync Server Edge Server - not a member of the domain | DMZ 1: 172.16.0.200 / DMZ 2: 10.0.0.200, 10.0.0.201, 10.0.0.202
Internet firewall | Firewall with NAT enabled | DMZ 2: 10.0.0.254 / Internet: 223.0.0.1, 223.0.0.2, 223.0.0.3, 223.0.0.4
The Lync Server pool was updated with Cumulative Update 4 following the procedure in the article Update Lync Server Pool with Cumulative Update 4.
On the domain controller a zone called home.com.br was created with the following records:
Record Type | FQDN | IP Address
A | admin.home.com.br | 192.168.1.201
A | dialin.home.com.br | 192.168.1.201
A | meet.home.com.br | 192.168.1.201
A | sip.home.com.br | 192.168.1.201
SRV | Service: _sipinternaltls, Protocol: _tcp, Port: 5061 | sip.home.com.br
In the Active Directory zone home.intranet a record was created for the Edge server.
http://3.bp.blogspot.com/-Tq0KskoJp-4/TyWXFu02j_I/AAAAAAAAC0k/LmhhiVhuuD4/s320/edge01.png
This A record resolves the FQDN HmEdge.home.intranet to the IP configured on the server's internal network card, 172.16.0.200. In the Internet DNS the following records were created to serve the Edge Server:
Public URL | IP | Record Type
sip.home.com.br | 223.0.0.1 | A
webconf.home.com.br | 223.0.0.2 | A
av.home.com.br | 223.0.0.3 | A
_sip._tls.home.com.br | sip.home.com.br:443 | SRV
_sipfederationtls._tcp.home.com.br | sip.home.com.br:5061 | SRV
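The public records above are what remote clients and federated partners use to find the Edge, so a wrong target or port silently breaks external sign-in and federation. The following script is an added example, not part of the original article, that checks each A and SRV record against the expected values from the table. It assumes an administration workstation with the DnsClient module (Windows 8 / Server 2012 or later, which is newer than the 2008 R2 servers in the lab); the names, IPs and ports are the article's example values, and the resolver address is an assumption.

```powershell
# Added example (not from the original article): verify the public DNS records
# for the Edge Server against the expected values from the table above.
# Assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012+).
# Names, IPs and ports are the article's example values.

$expectedA = @{
    'sip.home.com.br'     = '223.0.0.1'
    'webconf.home.com.br' = '223.0.0.2'
    'av.home.com.br'      = '223.0.0.3'
}
$expectedSrv = @{
    '_sip._tls.home.com.br'              = @{ Target = 'sip.home.com.br'; Port = 443  }
    '_sipfederationtls._tcp.home.com.br' = @{ Target = 'sip.home.com.br'; Port = 5061 }
}

# Ask a public resolver (assumed address) so the answer comes from the Internet
# zone and not from the internal, split-brain copy of home.com.br.
$resolver = '8.8.8.8'

function Test-EdgeARecord {
    param([string]$Name, [string]$ExpectedIp)
    $answer = Resolve-DnsName -Name $Name -Type A -Server $resolver -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' }
    $actual = @($answer | ForEach-Object { $_.IPAddress })
    return ($actual -contains $ExpectedIp)
}

function Test-EdgeSrvRecord {
    param([string]$Name, [string]$ExpectedTarget, [int]$ExpectedPort)
    $answer = Resolve-DnsName -Name $Name -Type SRV -Server $resolver -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'SRV' }
    # Both the target host and the port must match: 443 for external access, 5061 for federation
    $match = $answer | Where-Object { $_.NameTarget -eq $ExpectedTarget -and $_.Port -eq $ExpectedPort }
    return [bool]$match
}

foreach ($name in $expectedA.Keys) {
    $ok = Test-EdgeARecord -Name $name -ExpectedIp $expectedA[$name]
    Write-Output ('{0,-4} A   {1} -> {2}' -f $(if ($ok) { 'OK' } else { 'FAIL' }), $name, $expectedA[$name])
}
foreach ($name in $expectedSrv.Keys) {
    $want = $expectedSrv[$name]
    $ok = Test-EdgeSrvRecord -Name $name -ExpectedTarget $want.Target -ExpectedPort $want.Port
    Write-Output ('{0,-4} SRV {1} -> {2}:{3}' -f $(if ($ok) { 'OK' } else { 'FAIL' }), $name, $want.Target, $want.Port)
}
```

Run it from outside the corporate network, or point `$resolver` at the authoritative server for home.com.br, so that the internal zone (which maps sip.home.com.br to the Front End at 192.168.1.201) does not mask a missing public record.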
Internal Firewall
The internal firewall Hm10.home.intranet runs Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.
The following protocols and ports must be opened between the internal network and the internal network adapter of the Edge server.
http://2.bp.blogspot.com/-_U8VYlMlAfA/TynF3qJqTjI/AAAAAAAAC7Y/RjMPUlKSqvc/s320/InstallEdge.jpg
Port | Source Network | Destination Network | Purpose
4443/TCP | Back End Server Role | Edge Server Role | Replication of the Central Management Store to the Edge Server local store
5062/TCP | Front End Server Role | Edge Server Role | Authentication session traffic
443/TCP | Front End Server Role / Edge Server Role | Front End Server Role / Edge Server Role | HTTPS traffic; must be opened in both directions between the Front End Server and the Edge
3478/UDP | Front End Server Role / Edge Server Role / Internal Network | Front End Server Role / Edge Server Role | Audio and video sessions (the AV Traffic protocol defined below); traffic on this port must be opened in both directions between the Front End Server and the Edge
5061/TCP | Front End Server Role / Edge Server Role | Front End Server Role / Edge Server Role | Secure SIP (SIP/TLS) traffic; must be opened in both directions between the Front End Server and the Edge
8057/TCP | Front End Server | Edge Server | Client session traffic (the WebConf Traffic protocol defined below)
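Before building the TMG rules it helps to have a repeatable check of the table above. The script below is an added example, not part of the original article: run on the Front End (hm02) it probes each required TCP port on the Edge's internal interface, using .NET `TcpClient` so it works on the PowerShell 2.0 that ships with Windows Server 2008 R2. 3478/UDP is connectionless and cannot be checked this way; the IPs and the port purposes are the article's values, the timeout is an assumption.

```powershell
# Added example (not from the original article): probe the TCP ports from the
# firewall table from the Front End towards the Edge Server's internal NIC.
# Works on PowerShell 2.0 / Windows Server 2008 R2 (no Test-NetConnection needed).
# IPs and ports are the article's values; the timeout is an assumed default.

$edgeInternal = '172.16.0.200'
$requiredTcp = @(
    @{ Port = 4443; Purpose = 'CMS replication to the Edge local store' },
    @{ Port = 5062; Purpose = 'MRAS authentication sessions' },
    @{ Port = 443;  Purpose = 'HTTPS Front End <-> Edge' },
    @{ Port = 5061; Purpose = 'SIP/TLS Front End <-> Edge' },
    @{ Port = 8057; Purpose = 'Web conferencing client sessions' }
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # BeginConnect + WaitOne enforces our own timeout instead of waiting for the
        # full TCP connect timeout when the firewall silently drops the SYN.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'TIMEOUT (filtered or dropped)'
        }
        $client.EndConnect($async)      # throws SocketException on an active refusal
        return 'OPEN'
    } catch [System.Net.Sockets.SocketException] {
        return ('REFUSED/UNREACHABLE: ' + $_.Exception.Message)
    } finally {
        $client.Close()
    }
}

foreach ($entry in $requiredTcp) {
    $state = Test-TcpPort -HostName $edgeInternal -Port $entry.Port
    Write-Output ('{0,5}/TCP  {1,-40} {2}' -f $entry.Port, $entry.Purpose, $state)
}
```

Read the result per port: OPEN means both the firewall rule and the Edge listener are in place; REFUSED usually means the packet got through but the Edge services are not installed or started yet, so rerun after the Start Services step; TIMEOUT points at the TMG rule (or the missing route on the Edge described later in the article), because TMG drops denied traffic rather than rejecting it.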
In this article I show the rules I configured in TMG, step by step. I defined two network entities on the firewall:
* Internal - represents all the IPs of the internal network, 192.168.1.0 to 192.168.1.255
* DMZ 1 - represents all the IPs of the DMZ 1 network, 172.16.0.0 to 172.16.0.255
http://4.bp.blogspot.com/-5tAlhSXBRhE/TyWqVJajZDI/AAAAAAAAC00/I7Np4roOj9k/s320/edge02.png
Between the two networks the network rule uses the Route relationship, so traffic between the DMZ and the internal network is routed rather than NATed.
http://2.bp.blogspot.com/-nxEEYgH0IAM/TyWqViLx1ZI/AAAAAAAAC08/DL2WR1IYFBE/s320/edge03.png
The IPs are configured on the firewall's Ethernet interfaces: no gateway address was configured on the internal network card, and the network card connected to DMZ 1 was configured with the gateway 172.16.0.254, which is the second TMG, configured as Reverse Proxy, that routes and filters between DMZ 1 and DMZ 2.
http://1.bp.blogspot.com/--2PYerikp1E/TyWqWP4qyiI/AAAAAAAAC1E/hU-iXpZoQhg/s320/edge04.png
Two network objects were created:
* Front End / Back End
http://1.bp.blogspot.com/-N-antHLmY2s/TyWr-jprD6I/AAAAAAAAC1M/oVeB6lSjdJk/s320/edge05.png
* Edge Server
http://2.bp.blogspot.com/-c0GcJSg1eLY/TyWr_DWx7iI/AAAAAAAAC1U/OhEol9UAvko/s320/edge06.png
These objects are used in the rules that open the ports between Lync Server Standard and the Edge Server.
Next the protocols were created: in the TMG console, on the Toolbox tab, create a new protocol.
http://2.bp.blogspot.com/-qwEVEab7RUM/TyWxsX3NVXI/AAAAAAAAC1c/i2rUGjPNAOI/s320/edge07.png
The following protocols were created:
* MRAS Authentication
Port: 5062
Protocol: TCP
http://3.bp.blogspot.com/-O5R8f1BZcgQ/TyWxs0U1y_I/AAAAAAAAC1k/bwz5FmCc4mE/s320/edge08.png
* CMS Replica
Port: 4443
Protocol: TCP
Direction: Outbound
http://2.bp.blogspot.com/-4nM7ApzdkPM/TynF7_RsmnI/AAAAAAAAC7g/EvU5CCWQ1lc/s320/edge56.png
* WebConf Traffic
Port: 8057
Protocol: TCP
http://4.bp.blogspot.com/-UydE2UBZE1o/TyWxuqC2RGI/AAAAAAAAC10/OCm51QNysUw/s320/edge10.png
* AV Traffic
Port: 3478
Protocol: UDP
http://1.bp.blogspot.com/-fyW1R9Zq3C4/TyWxvP3305I/AAAAAAAAC18/HHRLVJJGqMU/s320/edge11.png
With the protocols and objects created, only the access rules that allow the traffic remain. Open the Tasks tab in the TMG management console and click Create Access Rule.
http://1.bp.blogspot.com/-sX2dOzZ94uU/TyW1NnLMluI/AAAAAAAAC2g/i3ZxL8bC8KU/s1600/edge15.png
Three access rules were created:
Rule 1: Internal Network to Edge - allows the HTTPS and AV Traffic protocols from clients on the internal network to the Edge Server
http://4.bp.blogspot.com/-ZYBOQZHrF4s/TyWxwJTGsVI/AAAAAAAAC2U/XXcq4Xwuzsc/s640/edge14.png
Rule 2: Front End to Edge Server communication - allows the HTTPS, SIPS and AV Traffic protocols in both directions between Lync Standard and the Edge Server
http://1.bp.blogspot.com/-egaDLf83V1o/TyWxv4PlEYI/AAAAAAAAC2M/vE_RNC7aUPw/s640/edge13.png
Rule 3: Front End access - allows the CMS Replica, MRAS Authentication and WebConf Traffic protocols originating from Lync Standard to the Edge Server
http://4.bp.blogspot.com/-DU8cLw7jvPc/TyWxviIU0RI/AAAAAAAAC2E/gX_QFRGPkyA/s640/edge12.png
To make it easier to test routing between the DMZ and the Internal Network, a rule allowing ping was created.
http://1.bp.blogspot.com/-plOUP1Xn3v4/TynHtS9BLEI/AAAAAAAAC7w/DGL-jmIodKo/s640/edge58.png
Configuring the External Access Policy
To allow users to connect through the Edge Server, the external access policy must be changed.
Log in to the Lync Server Control Panel; on the External User Access page click the Access Edge Configuration tab and edit the Global default policy.
http://3.bp.blogspot.com/-z6Rj4Dz9OWw/TyW6XZn77oI/AAAAAAAAC2o/Jqa-cEo6LfU/s320/edge16.png
Select Enable remote user access and save the changes.
http://3.bp.blogspot.com/-CjarISGNzLA/TyW6X-8SzeI/AAAAAAAAC2w/doY0RIaO9Bk/s320/edge17.png
Creating the Edge Pool
To create the Edge Pool, start Topology Builder and select Download Topology from existing deployment.
http://4.bp.blogspot.com/-wSh2CR2Y4DI/TyXUkLZ_YpI/AAAAAAAAC3A/WsD5eeFINoM/s320/edge20.png
Select the Edge pools folder and click New Edge Pool...
http://3.bp.blogspot.com/-mLPp18SMpuw/TyXUk7M0BXI/AAAAAAAAC3I/q4HPuxsJsm0/s320/edge21.png
The Edge Pool wizard starts; proceed to configure the service.
http://1.bp.blogspot.com/-MnOulP_xwSg/TyXUlSzBV6I/AAAAAAAAC3Q/HvoROwIZwFM/s320/edge22.png
Select Single computer pool and enter the internal FQDN of the Edge Server, in this case HmEdge.home.intranet (this record must be created manually in the Active Directory domain DNS).
http://3.bp.blogspot.com/-UFoLwrssKHU/TyXUl5rHAdI/AAAAAAAAC3Y/hH2j1GJU0M4/s320/edge23.png
I placed the Edge behind NAT, so I selected The external IP address of this Edge pool is translated by NAT.
http://3.bp.blogspot.com/-hvwv4pwSCBE/TyXUmZuBayI/AAAAAAAAC3g/VHGEI0MTSV4/s320/edge24.png
Enter the FQDNs and the ports that will be used by each service:
Sip.home.com.br 443
WebConf.home.com.br 443
AV.home.com.br 443
http://4.bp.blogspot.com/-i8IxqWwlGMA/TyXUmwuG2QI/AAAAAAAAC3o/4-lj9yacq7E/s320/edge25.png
Enter the IP address configured on the Edge's internal network card:
172.16.0.200
http://1.bp.blogspot.com/-ctVfuiz4QBc/TyXUnaBK0lI/AAAAAAAAC3w/oqskZeMHM6U/s320/edge26.png
Enter the IP addresses of the Edge server's external network card:
10.0.0.200
10.0.0.201
10.0.0.202
http://1.bp.blogspot.com/-Ze1xAyknoxs/TyXUn6sejJI/AAAAAAAAC34/SYkk7xh2p98/s320/edge27.png
Enter the public IP configured on the Internet firewall.
http://1.bp.blogspot.com/-6qVFcgZSnVE/TyXUoPAH2sI/AAAAAAAAC4A/R5J5oPGOC-A/s320/edge28.png
Associate the new Edge pool with the existing Front End pool.
http://3.bp.blogspot.com/-cNgdbPTJ1PQ/TyXUovrPz8I/AAAAAAAAC4I/dWumkvQYoPA/s320/edge29.png
Select the Front End pool and finish the wizard.
http://1.bp.blogspot.com/-0PsG5IFPr9c/TyXUpNznoiI/AAAAAAAAC4Q/AyIOvqDB_Nk/s320/edge30.png
Back in Topology Builder, publish the topology changes.
http://2.bp.blogspot.com/-5gh19HR5MYk/TyXUp3ZcWRI/AAAAAAAAC4Y/MJajb_BxbjE/s320/edge31.png
http://3.bp.blogspot.com/-q9CRQiZk6so/TyXUqWn8C1I/AAAAAAAAC4g/8IcnY3Env80/s320/edge32.png
http://1.bp.blogspot.com/-3_Vct2MuiRY/TyXUrPNHeUI/AAAAAAAAC4o/2Zaf2L4RgxY/s320/edge33.png
With the pool configured and the changes committed to the Central Management Store, export the configuration to a file to be used when installing the services on the target server. Start the Lync Server Management Shell and run the cmdlet
Export-CsConfiguration -FileName <file path>
http://2.bp.blogspot.com/-sF7Lok0eLrY/TyXUrg8AwRI/AAAAAAAAC4w/_CVVWiS30p4/s320/edge34.png
Open the certificate server's web portal and export the root CA certificate to a file.
http://1.bp.blogspot.com/-7XzxJlzuy4E/TyXUsNbAeOI/AAAAAAAAC44/GelZ0PmNS3M/s320/edge35.png
I saved the two files in the folder C:\InstallEdge. Copy this folder to the server where the Edge server services will be installed;
http://4.bp.blogspot.com/-AwSUojvIFAQ/TyXUsrmtUZI/AAAAAAAAC5A/GV0-2Y1h4QY/s320/edge36.png
Configuring the Edge Server
The server on which the Edge Server services will be installed has two network cards, one configured on the DMZ 1 network and the second on DMZ 2.
http://3.bp.blogspot.com/-QiSx_VST5FQ/TyXeau8ZQRI/AAAAAAAAC5M/TaC0K7emZ6k/s320/edge37.png
The internal network card was configured with an IP from the DMZ 1 network; no gateway or DNS server was configured on this card.
IP: 172.16.0.200/24
http://1.bp.blogspot.com/-UYkElHQl1Ls/TyXebDBqAMI/AAAAAAAAC5U/t9swfM-CmZ0/s320/edge38.png
The card configured with an IP from the DMZ 2 network was given the address of the firewall that connects to the Internet as its gateway, plus an external DNS server.
http://3.bp.blogspot.com/-kPiy34B09XY/TyXebXBx-tI/AAAAAAAAC5c/0fVPhuD1CiE/s320/edge39.png
The Edge server needs to reach resources on the corporate network, but with this network configuration it is unable to route requests to the 192.168.1.0/24 network.
http://1.bp.blogspot.com/-Rt8NFOmZHVM/TyXeb0ve-eI/AAAAAAAAC5k/HzTG0EWVxyA/s320/edge40.png
This is because the server has no route to the corporate network, as route print shows:
route print
http://4.bp.blogspot.com/-jCl9r45b4nk/TyXecic5oAI/AAAAAAAAC5s/i1_G14Z069U/s320/edge41.png
To allow the server to communicate with the corporate network, a static route to the 192.168.1.0/24 network must be added through the internal network adapter of the Edge Server. To identify which interface to use in the route add command, run ipconfig /all and note the physical address of the internal network card.
http://2.bp.blogspot.com/-xrFlyyS6wpY/TyXedZNMsYI/AAAAAAAAC5w/-94jBZUJmUI/s320/edge42.png
In the route print output identify the interface number that has the recorded physical address. In this case the internal network card has interface ID 12.
http://3.bp.blogspot.com/-5PXNU-AuBJc/TyXedr1vh8I/AAAAAAAAC54/-hLAB1mFDuE/s320/edge43.png
Use the route add command to add the route, with the -p option so that the route is persistent and is not lost when the server restarts (here the gateway is the DMZ 1 address of the internal TMG, 172.16.0.250):
route -p add <destination network> mask <subnet mask> <gateway IP> if <interface index>
http://2.bp.blogspot.com/-D6w69rgKpKU/TyXed6QTw-I/AAAAAAAAC6E/-52_Qwka-tA/s640/edge44.png
Set the DNS suffix of the Edge server; the DNS suffix must be identical to the DNS suffix of the Active Directory domain.
On the Computer Name tab of the computer name change dialog, click More.
http://1.bp.blogspot.com/-AuiUUtlYmrk/TyXjZBw2DxI/AAAAAAAAC6Q/mpflKn_u1E8/s320/edge45.png
In the dialog box set the Primary DNS suffix of this computer to the same suffix as the Active Directory domain. Do not forget to create a record in the home.intranet DNS zone pointing to the IP of the Edge server; this entry must be created manually on the DNS server because the Lync Edge is not part of the Active Directory domain.
http://1.bp.blogspot.com/-O9U26VLU3jU/TyXjZp5dCwI/AAAAAAAAC6Y/QmW0gC_tm94/s320/edge46.png
Configure the server's hosts file and add the FQDN and IP address of the domain controller and of the Lync Server Standard:
C:\Windows\System32\drivers\etc\hosts
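The route, DNS-suffix and hosts-file steps above are exactly the kind of change that is easy to get half right on a non-domain server and then debug for an hour through two firewalls. The following script is an added example, not part of the original article, that performs the three steps in one go and verifies them; run it as Administrator on the Edge Server. It assumes PowerShell 2.0 on Windows Server 2008 R2, the MAC address is a constructed placeholder to be taken from ipconfig /all, and the IPs, names and suffix are the article's values.

```powershell
# Added example (not from the original article): route, DNS suffix and hosts
# entries for the Edge Server in one script. Run as Administrator on the Edge.
# $internalNicMac is a placeholder; IPs, names and suffix are the article's values.

$internalNicMac = '00-15-5D-AA-BB-01'          # placeholder: copy from ipconfig /all
$corpNetwork    = '192.168.1.0'
$corpMask       = '255.255.255.0'
$dmz1Gateway    = '172.16.0.250'               # internal TMG (hm10), DMZ 1 side
$dnsSuffix      = 'home.intranet'
$hostsEntries   = @(
    '192.168.1.200  hm01.home.intranet',       # domain controller / CA
    '192.168.1.201  hm02.home.intranet'        # Lync Server Standard Edition
)

# 1. Interface index of the internal NIC, found from its MAC address
#    (WMI reports MACs with ':' separators, ipconfig with '-')
$macWmi = $internalNicMac -replace '-', ':'
$nic = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.MACAddress -eq $macWmi }
if (-not $nic) { throw "No adapter with MAC $internalNicMac found" }
$ifIndex = $nic.InterfaceIndex

# 2. Persistent route to the corporate network via the DMZ 1 firewall, pinned to
#    the internal NIC; the external NIC keeps the Internet default gateway
& route -p add $corpNetwork mask $corpMask $dmz1Gateway if $ifIndex
if ($LASTEXITCODE -ne 0) { throw 'route add failed' }

# 3. Primary DNS suffix: the same registry values the System Properties dialog writes
$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpipParams -Name 'Domain'    -Value $dnsSuffix
Set-ItemProperty -Path $tcpipParams -Name 'NV Domain' -Value $dnsSuffix

# 4. hosts entries (the Edge has no internal DNS server configured); add only if missing
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$current = Get-Content $hostsFile
foreach ($line in $hostsEntries) {
    if ($current -notcontains $line) { Add-Content -Path $hostsFile -Value $line }
}

# 5. Verify: the persistent route is present and the Front End resolves via hosts
& route print -4 | Select-String $corpNetwork
& ping -n 2 hm02.home.intranet
```

The route is bound to a specific interface index on purpose: if the external NIC were used, traffic for 192.168.1.0/24 would leave towards the Internet firewall instead of the internal TMG. The suffix change is picked up fully only after the restart the article recommends before installing the services.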
http://1.bp.blogspot.com/-9qYXbvPwaPI/TyXlG4mq36I/AAAAAAAAC6g/dxU_9fedkPE/s320/edge47.png
Copy the folder with the root certificate of the certification authority and the configuration file generated on the Front End server to the root of the drive;
http://4.bp.blogspot.com/-AwSUojvIFAQ/TyXUsrmtUZI/AAAAAAAAC5A/GV0-2Y1h4QY/s320/edge36.png
Start a management console by running mmc from Run, and add the Certificates snap-in
http://4.bp.blogspot.com/-l35_sdmJ28M/TyXmrAnvGeI/AAAAAAAAC6o/QtPMaBX5TKE/s320/edge48.png
Select Computer account
http://4.bp.blogspot.com/-hKNpLiribFs/TyXmrY4WjBI/AAAAAAAAC6w/PtSiZs_gNtI/s320/edge49.png
Select Local computer
http://1.bp.blogspot.com/-jrCPm1a0s54/TyXmr1puKZI/AAAAAAAAC64/5VhFTxbesUs/s320/edge50.png
In the console, right-click Trusted Root Certification Authorities, select All Tasks and click Import
http://4.bp.blogspot.com/-JY8firMy4m8/TyXmsYEN-PI/AAAAAAAAC7A/kimXXEo8Xvg/s320/edge51.png
Select the root certificate file and close the console
http://2.bp.blogspot.com/-7GDg6kMplso/TyXms6rmSqI/AAAAAAAAC7I/79K6gOk4F_M/s320/edge52.png
With the route change and the entries in the hosts file, a ping by the FQDN of the Lync Standard completes successfully.
http://2.bp.blogspot.com/-QtAE9Yu2TAA/TynHtG8FUWI/AAAAAAAAC7o/f9jGD70smbQ/s320/edge57.png
Before proceeding with the installation of the Edge Server services, restart the server to apply all the changes made.
Installing the Edge Server Services
Creating the Local Configuration Store
To start the service installation, mount the Lync Server installation media on the Edge Server and start the installation wizard. The wizard first installs Visual C++ 2008.
http://3.bp.blogspot.com/-4_Lo74WXspU/TynLajceOAI/AAAAAAAAC8A/dMoGZdy5ME8/s320/edge60.png
Then the Lync Server core components are installed.
http://2.bp.blogspot.com/-Vk54oD7uzGw/TynLbOYbIYI/AAAAAAAAC8I/w62IfweoAWg/s320/edge61.png
http://1.bp.blogspot.com/-aHB867661Qw/TynLb1qOVNI/AAAAAAAAC8Q/xbHhlvugQKE/s320/edge62.png
In the installation wizard click Install or Update Lync Server System
http://1.bp.blogspot.com/-I4gYk7oct-I/TynP8xH-DqI/AAAAAAAAC8Y/Hkc3grxdbdA/s320/edge63.png
Start the first step, Install Local Configuration Store
http://4.bp.blogspot.com/-o5TdhmxyaSw/TynP9j7wMxI/AAAAAAAAC8g/Ve7bnUQETLg/s320/edge64.png
Select the file created with Export-CsConfiguration
http://4.bp.blogspot.com/-42PrqlScP3M/TynP-RKm3aI/AAAAAAAAC8o/yb9G23qQiF0/s320/edge65.png
Verify that no error occurred and complete the first step
http://2.bp.blogspot.com/-9cWh0PwJMFg/TdB_ZwCaQyI/AAAAAAAAAhY/9Sc6N980VWQ/s400/edg09.png
Start the second step, Setup or Remove Lync Server Components
http://2.bp.blogspot.com/-8lph0H6wMSE/TynP_F5x1_I/AAAAAAAAC8w/hKbl88Bx564/s320/edge66.png
Installing Services and Components
Proceed to begin the installation
http://3.bp.blogspot.com/-vjv9fuwslHA/TynP_hPiSaI/AAAAAAAAC84/oWVlRYKF9aY/s320/edge67.png
Verify that no errors were logged and complete the second step
http://2.bp.blogspot.com/-FvtR6bhmzro/TynQBSaSyeI/AAAAAAAAC9A/c6dctDGJP1k/s320/edge68.png
Creating the Digital Certificates
In the third step the wizard configures the digital certificates used for communication with clients and with the other servers in the pool.
Click Run to start Request, Install or Assign Certificates
http://4.bp.blogspot.com/-8G3ljur3b3o/TynZH-YwIyI/AAAAAAAAC9I/94R112VflSY/s320/edge69.png
Select Edge internal to issue the certificate used on the internal network card. Click Request
http://3.bp.blogspot.com/-4sp8L0uB_xM/TynZIQ4-7PI/AAAAAAAAC9M/Pykdo_VsLwE/s320/edge70.png
The certificate wizard starts
http://3.bp.blogspot.com/-DwHzDg1jBNo/TynZI7JllEI/AAAAAAAAC9U/wHpqVe20bRI/s320/edge71.png
Select Prepare the request now, but send it later (offline certificate request). This option generates a request file to be submitted to the certification authority.
http://4.bp.blogspot.com/-2bMA5X35lpo/TynZJJ3gHmI/AAAAAAAAC9g/d56uMv4hw9c/s320/edge72.png
Select the file path
http://3.bp.blogspot.com/-Cq6suHUI45k/TynZJwBsN2I/AAAAAAAAC9o/OMmrlJDJaSE/s320/edge73.png
Do not change any setting in Certificate Template
http://2.bp.blogspot.com/-XyvaBRS-alY/TynZKVuQiLI/AAAAAAAAC9w/HC0gPz7qMvs/s320/edge74.png
Set a Friendly Name for the certificate and check Mark the certificate's private key as exportable. The Friendly Name can be any name; it does not change any functionality of the certificate.
http://2.bp.blogspot.com/-64d1MrDRkeI/TynZKz3bV7I/AAAAAAAAC94/7s8rKckUKMw/s320/edge75.png
Configure the organization's information in the certificate
http://3.bp.blogspot.com/-Wo8fXOzrN1I/TynZLQaE5zI/AAAAAAAAC-A/Ek1x5fzMAMc/s320/edge76.png
Configure geographic information
http://4.bp.blogspot.com/-cQJwLmQ5vH4/TynZLzWE2sI/AAAAAAAAC-I/KD_s2W5Qc0Y/s320/edge77.png
The Subject Name must be set to the FQDN created in the Active Directory domain DNS
http://2.bp.blogspot.com/-mAo6fTQkXq4/TynZMXesxvI/AAAAAAAAC-Q/ACyeJROBtmE/s320/edge78.png
It is not necessary to add any Subject Alternative Names
http://3.bp.blogspot.com/-RKHEhTCge2w/TynZOJTtLoI/AAAAAAAAC-Y/7xTQkjEIhDk/s320/edge79.png
Make sure all information is correct and finish the wizard
http://3.bp.blogspot.com/-iG-2E8QTcjk/TynZOuFCjtI/AAAAAAAAC-k/wFRMCUNcSE0/s320/edge80.png
http://1.bp.blogspot.com/-GZmXXIHjw0g/TynZPWaL18I/AAAAAAAAC-s/rRa157_vTNM/s320/edge81.png
Finish the wizard.
http://3.bp.blogspot.com/-arziywYVwx4/TynZPxK1MvI/AAAAAAAAC-0/7-0Nv4fQHP8/s320/edge82.png
Back in the Certificate Wizard select External Edge certificate and click Request
http://3.bp.blogspot.com/-wttTpmrbzeo/TynZQrv6EdI/AAAAAAAAC-8/Mi5jvQNDf4w/s320/edge83.png
The process is the same as for the internal certificate; only the request file name changes
http://3.bp.blogspot.com/-euBkRAaz6Ro/TynZRDlFSiI/AAAAAAAAC_E/3AGzqyI89dg/s320/edge84.png
and the names that will be configured in the certificate: the wizard adds the names configured for the services in the Standard pool
http://2.bp.blogspot.com/-hQy4Wdkmwyo/TynZRfiBBHI/AAAAAAAAC_M/7ontYAGgcXg/s320/edge85.png
At the end of the process we have two request files from which the digital certificates will be generated; copy both to a server on the internal network.
http://3.bp.blogspot.com/-74Wa4bZZ764/TynqW0Xe26I/AAAAAAAAC_Y/66m2tqIcNNo/s320/edge86.png
The contents of the files look like this:
http://1.bp.blogspot.com/-rI6PXOvOTDw/TynsvtJC_iI/AAAAAAAADCI/iQmAEMFm2WQ/s320/edge86_2.png
Open the Certificate Web Enrollment portal; in this environment the enterprise CA is installed on the domain controller. Click Request a certificate
http://3.bp.blogspot.com/-aNiPotJP9Zw/TynqY9l7nvI/AAAAAAAAC_g/9dQao0F5Vig/s320/edge87.png
Select Advanced certificate request
http://3.bp.blogspot.com/--BA5WOsh9QE/TynqagSPXdI/AAAAAAAAC_o/yNnN3eByEN8/s320/edge88.png
Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
http://2.bp.blogspot.com/-neK8KPHRgVk/TynqbaEShkI/AAAAAAAAC_w/O48GSfbDGB8/s320/edge89.png
In Saved Request paste the contents of the request file. In Certificate Template select Web Server and click Submit
http://1.bp.blogspot.com/-uicbHmBpBho/Tynqb3Boi-I/AAAAAAAAC_4/PkTShz-o1Hs/s320/edge90.png
Save the certificate generated by the portal to a file and repeat the process for the external network certificate
http://2.bp.blogspot.com/-rhRwLwm58yE/TynqcsqWzFI/AAAAAAAADAA/8Tk_WCjkTPU/s320/edge91.png
The destination folder now holds the two issued certificates
http://2.bp.blogspot.com/-4V7IXIC8MjA/TynqdIMRAaI/AAAAAAAADAI/1SHVZp9Q56U/s320/edge92.png
Copy the folder to the Edge server, open the management console with the Certificates snap-in for the local computer and import the two certificates
http://3.bp.blogspot.com/-MgfdH81XWfY/TynqdvzM7CI/AAAAAAAADAQ/lkF-_KXrOeg/s320/edge93.png
Select the file path
http://1.bp.blogspot.com/-Za6hgYGWncY/Tynqd7m-rzI/AAAAAAAADAY/yOLurzBY5Gs/s320/edge94.png
The imported certificates should be listed as follows; each must have its private key associated so that it can be used by the Edge Server services
http://4.bp.blogspot.com/-Dxj2c3Rnupk/Tynqfr0-a0I/AAAAAAAADAg/QkdQw5fWeJw/s320/edge95.png
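The portal round trip above can be scripted, which also makes it easy to see what the CA actually issued and to confirm the private-key pairing the article asks for. The following script is an added example, not part of the original article: with -Role Internal it submits both offline requests to the enterprise CA with certreq, and with -Role Edge it binds the issued certificates to the pending requests on the Edge Server and lists every machine certificate with its HasPrivateKey flag. The CA configuration string is a placeholder (the article does not name the CA), the request and certificate file names are constructed, and the folder and server names are the article's values.

```powershell
# Added example (not from the original article): submit the Lync offline
# requests to the enterprise CA with certreq, then complete and verify them on
# the Edge. Save as Get-EdgeCerts.ps1 and run:
#   .\Get-EdgeCerts.ps1 -Role Internal   on a domain member such as hm02
#   .\Get-EdgeCerts.ps1 -Role Edge       on the Edge Server, as Administrator
# $caConfig is a placeholder; file base names are constructed.
param([Parameter(Mandatory=$true)][ValidateSet('Internal','Edge')][string]$Role)

$folder   = 'C:\InstallEdge'
$caConfig = 'hm01.home.intranet\HOME-CA'      # placeholder: find the real name with certutil -dump
$certs    = @('EdgeInternal', 'EdgeExternal')  # constructed base names for .req / .cer files

function Submit-EdgeRequests {
    # Internal network: same template as the portal's "Web Server" choice
    foreach ($name in $certs) {
        $req = Join-Path $folder "$name.req"
        $cer = Join-Path $folder "$name.cer"
        & certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $req $cer
        if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed for $req" }
        # Show subject and SANs of the issued certificate before it is copied to the DMZ
        & certutil -dump $cer | Select-String -Pattern 'Subject:', 'DNS Name='
    }
}

function Complete-EdgeCertificates {
    # Edge Server: -accept pairs the issued certificate with the pending request
    # the Lync wizard left in the machine store, so the private key never leaves the Edge
    foreach ($name in $certs) {
        $cer = Join-Path $folder "$name.cer"
        & certreq -accept $cer
        if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed for $cer" }
    }
    # What the Assign step will see: every candidate must show HasPrivateKey = True
    Get-ChildItem Cert:\LocalMachine\My |
        Select-Object Subject, HasPrivateKey, NotAfter, Thumbprint |
        Format-Table -AutoSize
}

switch ($Role) {
    'Internal' { Submit-EdgeRequests }
    'Edge'     { Complete-EdgeCertificates }
}
```

Only the request file travels into the internal network and only the issued certificate travels back; the MMC import the article shows works for the same reason, because the key pair was generated on the Edge when the wizard created the offline request. The exportable-key option chosen in the request wizard is needed only if the certificate will later be moved to another server; it is not required for certreq -accept or for the MMC import.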
Return to the Lync installation wizard, Certificate Wizard page. Select Edge internal and click Assign
http://2.bp.blogspot.com/-0FMj5521OxU/TynqgNwt2OI/AAAAAAAADAo/xyE-yS8LFaY/s320/edge96.png
Proceed to start the certificate assignment
http://4.bp.blogspot.com/-SCBGoFmGjzY/TynqgkYHHtI/AAAAAAAADAw/LcRFC3chpPw/s320/edge97.png
Select the certificate generated for the internal network card
http://4.bp.blogspot.com/-E2ZljO9eVgw/Tynqho_0axI/AAAAAAAADA4/us_aqBU7W8M/s320/edge98.png
Verify the certificate information and that the FQDN is correct, then start the assignment
http://2.bp.blogspot.com/-KH1yOUcYVHs/TynqjhvnLnI/AAAAAAAADBA/GQNNghcGPNc/s320/edge99.png
Verify that no errors occurred and finish the wizard
http://3.bp.blogspot.com/-mMwEmL1YrRE/TynqkZ8XdgI/AAAAAAAADBI/H-axnTJepgw/s320/edge100.png
Back in the certificate wizard perform the same procedure, this time selecting the External Edge Certificate
http://4.bp.blogspot.com/-4mQoGSuiKio/Tynqk9vhJSI/AAAAAAAADBQ/C-NzjTfoTfc/s320/edge101.png
and check the certificate generated for the external network
http://1.bp.blogspot.com/-Qb0DdDceiWg/TynqlmbDKGI/AAAAAAAADBY/CRQhcR_fKMM/s320/edge102.png
Starting the Lync Edge Services
Run the Start Services step to start all the services on the Edge;
http://1.bp.blogspot.com/-WOoQctRcHP4/TynqnYhRdXI/AAAAAAAADBg/-DUCFZoCfOc/s320/edge103.png
http://4.bp.blogspot.com/-PUJFatks4lE/TynqoNsQQwI/AAAAAAAADBo/el3Pj7I6log/s320/edge104.png
Open the Services management console and make sure that all the services were created
http://1.bp.blogspot.com/-LPLOmFWdjrw/Tynq4Ez92GI/AAAAAAAADCA/8w9Qi_PTUb4/s320/edge106.png
Replication Between Edge and Back End Server
On the Edge Server the wizard created a shared folder called replica-xds. Topology changes that must be replicated to the Edge are written to this folder by the Back End Replication Service, and the services installed on the Edge apply the changes.
http://1.bp.blogspot.com/-_AQKuZVlQoE/TysoIZu18BI/AAAAAAAADCo/L23lwCxGAok/s1600/edge110.png
To start replication from the Back End to the Local Store on the Edge server run the cmdlet
Invoke-CsManagementStoreReplication
http://2.bp.blogspot.com/-OCxtEpdnFdk/TysoH7CeCHI/AAAAAAAADCY/AxGiTA_sp2c/s640/edge108.png
This forces the whole topology to check for updates from the Back End. After running the command, check the status with the cmdlet:
Get-CsManagementStoreReplication
http://2.bp.blogspot.com/-2BvNyYAx4EA/TysoICaw6jI/AAAAAAAADCg/gEseVy8zPfw/s320/edge109.png
Depending on the size of the environment and the links between the server roles, the server status can take a while to update; in a simple environment with one Standard pool and one Edge Server the update takes less than a minute. If all settings were applied successfully the status should be updated to:
http://3.bp.blogspot.com/-IHVROeIzbbA/TysoHbNHwtI/AAAAAAAADCQ/_Od8XtYGnL0/s320/edge107.png
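Rather than re-running Get-CsManagementStoreReplication by hand until the Edge shows up to date, the wait can be scripted, and the failure branch is where the double-hop design usually bites. The following function is an added example, not part of the original article; run it in the Lync Server Management Shell on the Front End. The Edge FQDN is the article's value, the timeout and polling interval are assumed defaults.

```powershell
# Added example (not from the original article): force CMS replication to the
# Edge and wait until its replica reports UpToDate. Run in the Lync Server
# Management Shell on the Front End. Timeout and poll interval are assumptions.

function Wait-CsEdgeReplica {
    param(
        [string]$ReplicaFqdn = 'hmedge.home.intranet',   # article's Edge internal FQDN
        [int]$TimeoutSeconds = 300,
        [int]$PollSeconds = 10
    )
    # Same cmdlet as in the article, scoped to the one replica we care about
    Invoke-CsManagementStoreReplication -ReplicaFqdn $ReplicaFqdn

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $status = Get-CsManagementStoreReplication -ReplicaFqdn $ReplicaFqdn
        if ($status -and $status.UpToDate) {
            return $status | Select-Object ReplicaFqdn, UpToDate, LastStatusReport, LastUpdateCreation
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    # Still not up to date. In this topology the usual causes are: 4443/TCP not
    # allowed on the internal TMG, the Edge missing its route to 192.168.1.0/24,
    # or the Edge internal certificate not trusted by the Back End (replication
    # to the Edge runs over TLS on 4443, so a broken chain fails silently here).
    throw ("Replica {0} not up to date after {1}s: {2}" -f $ReplicaFqdn, $TimeoutSeconds, ($status | Out-String))
}

Wait-CsEdgeReplica
```

A LastStatusReport that never advances while LastUpdateCreation keeps moving means the Back End is producing updates but nothing is coming back from the Edge; that is the signature of the 4443/TCP path being blocked or the route on the Edge being absent, and the port and route checks earlier in this article narrow it down.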
Publishing the Edge Server
To publish the services to clients on the Internet, the following firewall ports must be opened from the Internet to the IPs of the Edge server's external network card.
http://1.bp.blogspot.com/-ye7rR03_FtI/TysxISsySiI/AAAAAAAADCw/_h3TyxZ8gRk/s320/FWExt.jpg
Ports 50000-59999/TCP and 50000-59999/UDP are needed only if federation with Office Communicator 2007 and Live Messenger is configured.
Reference
http://technet.microsoft.com/en-us/library/gg425891.aspx
http://www.microsoft.com/download/en/details.aspx?id=6797
http://technet.microsoft.com/en-us/library/gg398918.aspx
This article was originally written by:
Fernando Lugão Veltem
blog: http://flugaoveltem.blogspot.com
twitter: @flugaoveltem