Microsoft Lync Server 2013

Basic Administration
Release 2.1
Author: Fabrizio Volpe
1

Acknowledgements

This book is dedicated to those who live every day with me, my family, Federico and
Antonella and to my parents. It is dedicated to Flavia who has just started her life, and
to my grandmother Ines who still lives in my thoughts.

There Ain't no Such Thing as a Free Lunch

You will read this book at no cost.
I hope the work that I am making available to you, which is the result of the end of an
interesting and complex collaboration with the publisher Manning Publications will be
useful to you in understanding and managing Lync. But I do not believe in free lunches.
So if this text will be useful to you, and you will have the desire to pay for it, I invite you
to make a donation to Save the Childrens or to another association for the protection of
minors.
Then you will have paid for your meal.
Disclaimer

This release 2.1 adds a full chapter (6, Firewall Requirements for Lync Server 2013) to
the previous work. Again, I had a great technical review and useful hints from Lync MVP
Thomas Poett (@ThomasPoett). The Lync client debugging paragraph you will find in
chapter 6 comes from his hands-on experience and is outstanding imho.
This time I had also another reviewer that gave me a great feedback not only on the final
draft, but also on the first versions I have published on my website. Alessio Giombini
(@AlessioGiombini), an experienced solution architect and Lync professional, gave a
fundamental help to this work. To both of them I say thank you. The Lync community is
a big place to be because there are people like you.


Cover image: Calgary skyline and a pedestrian bridge in Calgary, Alberta Canada. Used
under Extended Print RF License
2

About the Author


Fabrizio Volpe Has worked in the Iccrea Banking Group since 2000, as Network
and Systems Administrator. Since 2011 he has been awarded Microsoft MVP on
Directory Services from Microsoft. In the year 2014 he has been awarded Microsoft
MVP on Lync. Fabrizio has authored books dedicated to the IT and security
professionals, has participated as speaker on well-known IT conferences and is
committed to creating content that is accessible to a wide number of people, so he often
publishes contents
on his channel on YouTube ( http://www.youtube.com/user/lync2013)
on his personal blog (http://blog.lync2013.org)
on SlideShare ( http://www.slideshare.net/fabriziov )
About the Reviewers


Thomas Poett - Professional, consistent, and experienced expert who is technically
savvy with over 20 years of experience in IT, telecommunication and software
development. Additional extensive experience in business and market development.
Specialized in intercultural and business relationship in Asia. Successful in providing
leadership on new topics and complex global projects that require interfacing with
internal/external teams and ecosystems. Early adaptor of visionary technologies. 20+
3

year career within different companies in the areas software development,
telecommunication, IT, mobility and hosted/cloud services.


Alessio Giombini - Alessio is an Infrastructure Solutions Architect, with a strong
focus in Microsoft and Unified Communications area. Over 15 years' study and hands on
experience delivering small to large-scale projects for major EMEA enterprise
industries, mainly based on Microsoft and other leading edge technologies, systems
applications and operations running on top of them. He has Broad and mixed technical
background in infrastructure and communications field, systems integration, Systems
Management, security, as well as an in-depth understanding of the business of
computing and networking in enterprise organisations. Currently works for InterCall
UK and his main tasks are Architectural design and delivery of Microsoft environments,
with specific focus on multi-vendor UC solutions, based on Microsoft Lync 2013 with
Enterprise Voice, Exchange Unified Messaging, migrations from Lync 2010 and OCS
2007, load balancers, reverse proxy, firewall, Exchange UM.










4

ACKNOWLEDGEMENTS ......................................................................................................................................... 1
THERE AIN'T NO SUCH THING AS A FREE LUNCH ...................................................................................................... 1
DISCLAIMER ......................................................................................................................................................... 1
ABOUT THE AUTHOR ............................................................................................................................................. 2
ABOUT THE REVIEWERS .......................................................................................................................................... 2
1 BEFORE YOU BEGIN .................................................................................................................................. 7
WHAT IS MICROSOFT LYNC 2013 SERVER? ............................................................................................................ 7
WHY LYNC 2013 MATTERS?.................................................................................................................................. 7
LOOKING AT LYNC 2013 FROM THE CLIENT ........................................................................................................... 8
LOOKING AT LYNC 2013 FROM THE SERVER ........................................................................................................ 13
ADOPTING LYNC: WHAT I NEED AND HOW MUCH DOES IT COST ........................................................................ 14
EXTRA COSTS TO BE AWARE OF WITH LYNC 2013 ................................................................................................ 18
FINAL WORD ..................................................................................................................................................... 19
2 BUILDING YOUR LYNC 2013 LAB ........................................................................................................... 20
PLANNING A MINIMAL WORKING INFRASTRUCTURE ................................................................................................ 20
INTERNAL LYNC SERVER SERVICES ONLY .............................................................................................................. 20
Try it now .................................................................................................................................................................. 21
LYNC SERVER AVAILABLE FOR EXTERNAL USERS .................................................................................................... 21
Try it now .................................................................................................................................................................. 22
EXCHANGE 2013 AND SHAREPOINT 2013 INTEGRATION ...................................................................................... 22
ASSEMBLING THE REQUIRED SOFTWARE AND HARDWARE ....................................................................................... 23
Virtualization ........................................................................................................................................ 23
Acquiring the Required Resources ................................................................................................... 24
REALIZING THE DEPLOYMENT SCENARIOS ............................................................................................................. 25
Try it now .................................................................................................................................................................. 25
DEPLOYING THE LAB ........................................................................................................................................... 26
Domain controller ............................................................................................................................... 26
Try it now .................................................................................................................................................................. 27
Lync Server Front End ......................................................................................................................... 28
Office Web Apps Server .................................................................................................................... 28
Reverse Proxy ...................................................................................................................................... 28
Lync Edge ............................................................................................................................................ 28
Exchange and SharePoint ................................................................................................................. 28
LAB ................................................................................................................................................................... 29
3 MANAGING USERS WITH LYNC SERVER CONTROL PANEL .................................................................. 30
INTRODUCING LYNC ADMINISTRATION FROM THE CONTROL PANEL ....................................................................... 30
CHOOSING BETWEEN THE CONTROL PANEL AND THE MANAGEMENT SHELL ........................................................... 31
POLICIES AND POLICY SCOPES IN LYNC ADMINISTRATION..................................................................................... 32
ROLES IN LYNC ADMINISTRATION ......................................................................................................................... 34
Try It Now .................................................................................................................................................................. 34
5

ENABLING AND CONFIGURING USERS ................................................................................................................. 35
ENABLING A USER TO LYNC ................................................................................................................................. 36
Pool assignment .................................................................................................................................. 37
SIP URI configuration ........................................................................................................................... 38
Telephony options .............................................................................................................................. 40
Dial plan policy ................................................................................................................................... 41
Voice policy ........................................................................................................................................ 43
Policy assignment ............................................................................................................................... 43
Try it Now .................................................................................................................................................................. 46
LAB ................................................................................................................................................................... 46
4 MANAGING CLIENTS, AND DEVICES WITH LYNC SERVER CONTROL PANEL ...................................... 48
SOFTWARE CLIENTS ............................................................................................................................................ 51
Try It Now .................................................................................................................................................................. 53
HARDWARE DEVICES .......................................................................................................................................... 54
MOBILITY ........................................................................................................................................................... 56
SOME THINGS YOU HAVE TO DO OUTSIDE THE CONTROL PANEL .......................................................................... 58
Try It Now .................................................................................................................................................................. 60
LAB ................................................................................................................................................................... 60
5 MANAGING USERS WITH LYNC SERVER MANAGEMENT SHELL ........................................................... 62
ADMINISTERING USERS FROM THE MANAGEMENT SHELL ....................................................................................... 62
ENABLE OR DISABLE LYNC USERS ......................................................................................................................... 65
Try It Now .................................................................................................................................................................. 67
MOVING LYNC USERS BETWEEN DIFFERENT POOLS ............................................................................................... 67
HANDLING POLICIES FROM THE MANAGEMENT SHELL .......................................................................................... 69
LAB ................................................................................................................................................................... 73
6 FIREWALL REQUIREMENTS FOR LYNC SERVER 2013 .............................................................................. 74
PLANNING A LYNC DEPLOYMENT THE RIGHT WAY: TOOLS YOU WILL LOVE (PART 1) ............................................. 74
THE BASIC DIAGRAM OF A LYNC DEPLOYMENT WE WILL USE IN THE CHAPTER ....................................................... 75
LYNC SERVER 2013: INTERNAL NETWORK ............................................................................................................ 76
Servers located in the LAN ................................................................................................................ 76
Servers located in the DMZ ................................................................................................................ 78
Try it now .................................................................................................................................................................. 80
INFRASTRUCTURE REQUIREMENTS .......................................................................................................................... 80
FIREWALL RULES REQUIRED FOR LYNC SERVER 2013 ............................................................................................. 81
6.1 NETWORK TRAFFIC FROM SERVERS IN THE DMZ TO SERVERS IN THE INTERNAL NETWORK ................................. 83
6.2 NETWORK TRAFFIC FROM THE SERVERS IN THE DMZ TO THE EXTERNAL NETWORK ........................................... 83
6.3 NETWORK TRAFFIC FROM THE EXTERNAL NETWORK TO THE SERVERS IN THE DMZ ........................................... 84
6.4 NETWORK TRAFFIC FROM THE SERVERS IN THE INTERNAL NETWORK TO THE SERVERS IN THE DMZ ..................... 86
6.5 NETWORK TRAFFIC RELATED TO LYNC CLIENTS IN THE INTERNAL NETWORK .................................................... 87
NOTES RELATED TO THE FIREWALL RULES REQUIRED FOR LYNC SERVER 2013 .......................................................... 88
6

VERIFYING A LYNC DEPLOYMENT IN THE RIGHT WAY: TOOLS YOU WILL LOVE (PART 2) .......................................... 89
VERIFYING A LYNC DEPLOYMENT IN THE RIGHT WAY: SOME HIGH-LEVEL DEBUGGING STEPS IF LYNC CLIENTS ON THE
EXTERNAL NETWORK ARE NOT WORKING ............................................................................................................ 90
LAB ................................................................................................................................................................... 90


























7

1 Before You Begin
What is Microsoft Lync 2013 server?

Lync 2013 server is a unified communication system. Lync is able to deliver instant
messaging (IM), audio conferencing, video conferencing, multi-party high-resolution
meetings and voice over ip (VOIP), as well as persistent chat. You can integrate Lync
with the public switched telephone network (PSTN) to offer full telephony features and
to replace existing IP PBX.
If we define unified communications (UC), usually it integrates:
Real-time communication services such as instant messaging (chat), presence
information, telephony (including IP telephony), video conferencing, data sharing,
call control and speech recognition
Non-real-time communication services such as unified messaging (integrated
voicemail, e-mail, SMS and fax)

Talking about Lync there are some features missing from the aforementioned list.
Speech recognition, fax and SMS depend from third-party products while voice mail and
e-mail are "integrated" only if we interface with Exchange
Why Lync 2013 matters?

Lync server 2013 has the following benefits:
Integrates out of the box with Active Directory, Microsoft Exchange, and
Microsoft SharePoint
Uses Microsoft management tools to enable easier management
Grants access to external users and federated with UC partners and public IM
systems like SKYPE, via secured Internet access, reducing the costs (no dedicated
secure connection or VPN is required)
Act together with hardware from different makers in an agnostic manner
Lync is the probable winner in the confrontation for the control of the unified
communication market for the next few years. On one side, we have enterprises that
produce hardware and that have created a software interface to manage only their
products. On the other side, we have Microsoft, a software developer. Microsoft has
8

decided to make Lync compatible with as many hardware products (dedicated to voice
and conferencing) as possible. A large number of coexistence scenarios with other
unified communication solutions is also available. Finally yet importantly, Lync has high
quality interfaces for administrators and users that are proving to be the strong point.
Looking At Lync 2013 from the Client

One of the best ways to get an idea of the capabilities of Lync is to open one of the
available clients, as I did in figure 1.1.

Figure 1.1 Full Lync 2013 client with presence indicators
As soon as a user logs into Lync, he uses the first feature of Lync called "rich presence".
Virtually all the people connected and enabled to our Lync infrastructure (colleagues,
employees of partner companies or business associates) display the rich presence
indicator as a status marker. Rich presence is like a simple traffic light with green,
yellow or red colors. It shows whether the person is able (and willing) to communicate
with us in a direct way (green indicator) rather than receive messages using a non-real-
time method (yellow or red indicator).
In the first situation, if you need to communicate with the other user, an instant
message or a call are a good solution, while you could prefer e-mail or invitations to a
scheduled meeting for a busy contact.
9

Rich presence status in Lync includes a set of information that allow the user to specify
the reason why he or she is not available. You can see the indicators summarized in the
following figure


Figure 1.2 a quick look at the presence status you can use in Lync client
1

Presence indicator of Lync are extended also to Exchange and SharePoint, so if we are
going to write a mail message or to organize a meeting, we know the presence status of
other users as you can see in figure 1.3


Figure 1.3 scheduling a meeting in Outlook for Lync enabled users. Some of them are busy at the moment

1
Via an individual configuration, based on standard xml files, those presence indicators can be
enhanced with up to 4 additional, corporate based standards (see
http://technet.microsoft.com/en-us/library/gg398997.aspx )
10


Other Microsoft and 3
rd
party vendor application, e.g. Microsoft Office, Dynamic CRM
or most of the web based application also support a native integration with Lync Client
API. This enables us to start a quick communication regardless what we are doing.

Figure 1.3a Contact in Microsoft Word

I just mentioned the possibility to see the presence status of contacts that are not part of
our company. That is achieved using a further feature, Lync federation. Federation is
the capability of two companies with a Lync infrastructure to extend functionalities (IM
but also conferencing and voice) to each other if they establish a trust relationship. The
federation feature has been improved recently to include Skype users. Lync 2013 can
federate also with non-Microsoft services based on XMPP. You can see an example of
Lync users shown inside a Skype client in figure 1.4

Figure 1.4 Lync users are available in Skype if their company is using federation
11

Instant Messaging (including the ability to exchange files between users) and the
direct video conference between two users are an experience similar to what you
may have already seen in other systems like Skype. One feature often not available in
other UC systems is the capability to use a web interface (the Lync Web App) to
enable people with no Lync client installed on their workstation to participate in a
meeting. In figure 1.5 you can see the logon screen for the Web App


Figure 1.5 the Lync Web App plug-in is required if you want all the meeting features
Lync 2013 Web App comprises all the possibilities, including participation in audio and
video (in Lync 2010 it was limited to IM). This tool broadens the participation to those
who are working on a temporary workplace. External users using the Web App are able
to take part to a Lync meeting with an interface they are familiar with (as you can see in
figure 1.6)

Figure 1.6 a Lync meeting seen from the Lync Web App. Voice and video are available in the browser
Lync 2013 for Mobile clients is another tool that will expand your Lync user base. It
is available for Windows Phone, iPhone, iPad and Android. As you can see in the next
12

figure, the mobile client includes almost all of the features comprised in full client,
including video conferencing and VOIP functions.

Figure 1.7 doing a video call from a Windows Phone is no longer a big problem
The quality of this new mobile client is a major asset of Lync 2013, and it is very popular
with top management in the companies.
A series of plug-ins and third party packages exists to optimize the Lync client in a
virtualized working place (including both virtual desktops and remote desktop
services).
Lync includes a feature known as persistent chat that lets you create rooms. Rooms
are a way to categorize IM messages and preserve them. Anytime a user needs to read or
update a conversation, it is available on the server.
To complete this quick overview of the client side of Lync, I have to talk about the
enterprise voice features. Lync can replace seamlessly an IP PBX and provide all kind
of service you can expect from a VOIP solution. It is also easy to integrate with pre-
existing solutions (such as the Cisco CUCM). Extending the voice functionalities to users
connecting from an external network requires only the Lync client we have already seen



Available Mobile Clients are:
Windows Phone 7.x (Lync 2010)
Windows Phone 8 (Lync 2013)
Windows App (Lync 2013 App)

iPhone
iPAD

Android
13

Lync server 2013 supports also hardware desk phones like the ones you see in figure 1.8

Figure 1.8 some desk phones you can use with Lync Enterprise Voice
Adding support for more traditional-looking devices like the aforementioned ones, Lync
give to the users the capability to choose between these telephones and headsets
connected directly to the computer (a more practical choice especially for mobile users).
Looking At Lync 2013 from the Server

Often, as a Lync administrator, you will see the infrastructure and features from the
server point of view. There are many tools to help you managing or debugging a Lync
deployment but the two main instruments, the ones you will use for day-by-day tasks,
are the administrative graphical interface of Lync (Lync Server Control Panel) and
the administrative command line (Lync Server Management Shell) based on
PowerShell.
You can see both of them in figure 1.9

Figure 1.9 the Control Panel and the Management Shell side by side
14

The Control Panel is the tool you can use for around 80% of all the administrative tasks.
The remaining 20% is available only in the Management Shell (that includes also all the
features you have in the Control Panel).
Adopting Lync: What I Need and How Much Does It Cost

Lync clearly distinguishes between two editions (Standard and Enterprise). The
basic server license costs the same in the two versions. However, the kind of edition you
will use has an impact on the available continuity features and on the number of
required servers.
To understand the aforementioned differences, it is required to explain also Lync server
roles.
Roles:
Every role grants to the infrastructure one or more Lync features
Roles can be held by one or more Lync server at the same time
Roles make the architecture of Lync Server 2013 highly scalable. A deployment in a
small business with no external users can consist of a single standard edition server,
with the role of Lync Front End. This is because the Lync Front End is the
fundamental role, and runs a great part of the basic Lync Server functions.
Adding to the scenario an Active Directory server (Directory Services are required for
Lync) and a server with Office Web Apps installed (this is required for PowerPoint
presentations inside a Lync meeting) we have the fully functional (internal) Lync
deployment you can see in figure 1.10

Figure 1.10 a minimal infrastructure that will grant Lync features to our internal user
15

Users are homed on a Front End and their capability to work with Lync depends on
the availability of this role or of a server able to replace their home server in case of
errors.
The solution based on standard edition is interesting, especially to keep the costs as low
as possible.
It requires no additional licenses outside a single standard edition of Lync and does not
use an external database, as is the case for the enterprise edition. This kind of solution,
based on a single box, has its limits. Lync standard edition cannot guarantee high
availability. There is, as you will see, a method to pair two Front End server to grant
resiliency but this is not automatic and requires operations by the Lync administrator.
The enterprise edition deployment is more expensive and complex. At least two Lync
Front End servers are required to create a Pool. It also requires the deployment of a
load balancer. This is required due to session persistence for http/ https.
A pool is a group of servers with identical configuration that provide high availability. In
a pool Lync features will be available even if one server goes offline. The functional
databases of Lync arent cohosted on the Front End (as it was for the standard edition)
but are active on an external SQL server. If we need also database continuity, we are
able to use the SQL mirroring mechanism. Clustered SQL installation is supported too,
but you have to keep in mind that this kind of high availability is focused on the SQL
server itself and does not give the additional continuity to the database that we have
with mirroring.
In Lync high availability of the server roles requires the deployment of pools.








16

In figure 1.11 you can see a plan for a Lync deployment with an enterprise edition Front
End pool.

Figure 1.11 a plan for a Lync deployment including a pool for Front End high availability
Office Web Apps is not a Lync role, so if you need it in high availability you have to use
its mechanism that is deploying a farm.
The cost of this solution derive from:
From licenses for Lync enterprise edition servers
From SQL server licenses, needed to create the Lync database infrastructure,
called Back End.
Note: SQL 2012 Licensing Guide states that, if the second SQL server is used only as
a passive copy, you need only a single SQL license (the one for the first server)
http://download.microsoft.com/download/7/3/C/73CAD4E0-D0B5-4BE5-AB49-
D5B886A5AE00/SQL_Server_2012_Licensing_Reference_Guide.pdf
Usually the next step after the installation of services for the internal network is the
exposure of the Lync features to external users.
To achieve the aforementioned result you are required to deploy a Lync Edge server
and a reverse proxy.
The Lync Edge server is a Lync role installed on a standalone machine, typically located
in a perimeter network and not added to the Active Directory domain. Lync edge makes
audio, video and conferencing services of available to the external users in a secure
17

manner, acting like a man in the middle that receive requests from the Internet and
forwards them to the Lync Front End. There is no direct connection between the user
and the Lync servers on the internal network.
A reverse proxy is similar to a Lync edge, but it exposes safely the web functionalities
(like the Web App, Address Book or Simple URLs) of the Front End, placing itself in the
middle between the client and the target server.
A reverse Proxy solution could be Microsoft TMG, Microsoft IIS ARR, Microsoft Web
Application Proxy (2012 R2) or any other supported firewall.
In figure 1.12 , you can see a schema including the servers required for external users
access.

Figure 1.12 schema with a perimeter network and the servers required for external user access
Adding the Lync edge and a reverse proxy does not require additional costs, because
edge requires no license and there are many free solutions to deploy reverse proxy
functionalities.
Talking about Lync roles there are some of them that I have not mentioned yet:
Monitoring is a role dedicated to the registration of quality parameters and to the
related reporting.
Archiving role saves the contents of IM communications for legal and compliance
requirements and archives IM, Conferencing and Persistent Chat.
18

In Lync 2013 server monitoring and archiving role are always collocated on the Front
End. The decision to make is whether these roles are required. Monitoring is very useful
for troubleshooting and gains additional value if you use the enterprise voice. The
presence of archiving is related only to legal constraints.
Persistent Chat is a role that enables the creation of IM chat rooms. You will be able
to create thematic areas and the room are persistent. A user can re-read the
conversation or add something at any time. A function like this makes sense, for
example, to create a corporate knowledge base. Persistent chat can be collocated on a
standard edition Front End or deployed as a dedicated server (or pool).
Mediation server is required to operate the enterprise voice (it manages the
"signaling" data stream). In Lync 2013, the hardware requirements have been reduced
due to the presence of the media bypass (which will be discussed in the chapters devoted
to the implementation of voice). This innovation allows collocating the mediation as a
role on a Lync Front End. The possibility of creating a server or a pool of mediation is
still available.
Director is a role that manages user authentication before they connect directly with
Lync Front End. In Lync server 2013 this role is not really useful. It could provide an
additional layer of security but director adds (also) a potential critical point.
Extra Costs to Be Aware of with Lync 2013

During the previous explanation, I have not mentioned some costs that have their
importance in the design of a Lync solution. The first aspect to consider is the cost of the
base operating systems on which we will install Lync and the required additional
servers (Office Web Apps and reverse proxy). Lync supports installation on a virtual
environment, so we could use the virtualization rights of Windows to reduce costs (for
example, the Datacenter edition of Windows 2012 allows you to install unlimited virtual
machines on a single physical host). Nevertheless, a complex structure, such as the one
with a Front End pool, will also require a significant expense for the base operating
systems.

The second aspect is the cost of client licenses. Lync requires a CAL (Client Access
License) for each user or machine that logs on to the server. CALs are of three types and
each one is entitled to the use of a part of the features. Access to premium functionality
is determined by adoption of the Standard CAL and then you have to add
19

supplemental CALS, an Enterprise CAL and, for some additional features, a third
license called Plus CAL (you may think to Enterprise CAL and Plus CAL as
supplemental to the Standard CAL).
Standard CAL: offers IM (Instant Messaging) and Presence, as well as PC-PC
audio and video communication
Enterprise CAL: the user can use multi-party Lync meetings (including Gallery
View, a feature allowing up to five active video streams to be displayed at once)
and PSTN conferencing dial-out..
Plus CAL: enables enterprise voice capabilities

The Lync 2013 client software can lead to a further increase in costs. The full Lync 2013
client for desktop is available as part of Office 2103 Plus or as a standalone application
under an Enterprise Agreement contract, so we'll have to consider the cost of this
package. The free alternative (Basic client for Lync 2013) has some limitations, for
example the Lync enterprise voice features are scaled down for such a client. It is also
possible to keep on using the pre-existing Lync 2010 clients but, however, the choice of a
client solution requires a proper assessment of the costs.
Note: Lync CALs:are additive, so possible combinations under the licensing agreement
only are:
Standard CAL
Standard CAL + Enterprise CAL or Standard CAL + Plus CAL
Standard CAL + Enterprise CAL + Plus CAL
Final Word

This brief overview has introduced concepts that you will see in detail throughout the
book. Many of the ideas presented here will make a greater sense when viewed in their
context, then I invite you to start with the first main chapter, Building your Lync 2013
Lab.



20

2 Building your Lync 2013
Lab
Usually a book like the one you are reading starts with a step-by-step installation
procedure of the product. This chapter is dedicated to help you building up a laboratory
to study Lync 2013 with a high-level overview of the required resources and of the
different operations from a logical point of view.
Planning a minimal working infrastructure

I will consider three different scenarios for the test bed. Each one will be the base
building block for the next:
internal Lync server services only
External users enabled to Lync services
Exchange 2013 and SharePoint 2013 integration
In paragraph 2 I will survey the different tasks related to the hardware and software
required and the available solutions to make the aforementioned settings work.
Internal Lync Server Services Only

Lync is based on Active Directory, so the first mandatory server you have to deploy is
not Lync but a domain controller. The good news is that this server will be used for more
than a single role and it can also be your DNS (names resolution is a critical aspect of
Lync) and your enterprise C.A.
The second server of you list should be a Lync Front End joined to the domain.
NOTE: We are talking about a lab with limited resources. Anyway this is a server that
needs at least 3 Gb of RAM (else Lync installation will not start at all).
An additional requirement is an Office Web Apps server for the PowerPoint
presentations during meetings.
21

With the three servers above, you have a working Lync environment. It is a good idea to
add a virtualized client to test the behavior of a Lync user inside and outside the domain.
Your lab should look like the one in the next figure

Figure 2.1 the basic lab environment
With the above deployment (and adding a DHCP server on your domain controller) you
could even test a Lync phone edition.
Try it now
Are you able to install Lync Front End with no Office Web Apps server available? What
are the consequences?
Lync Server Available for External Users

If you want to test also the external user access, you have to add a Lync Edge and a
software or hardware to reverse proxy Lync Front End services (for example IIS or
Forefront TMG). An additional requirement will be to simulate the most common
scenario, a DMZ network between the Internet and your internal network. You could
achieve the result with a schema like the one in the next image using Forefront TMG as
a three legged firewall, configuring RRAS on a virtual Windows server or using a
hardware to simulate the network topology.
NOTE:
Under all circumstances, if you deploy Lync Edge Server in a real, fully supported
environment, you MUST ensure that each Edge Server is deployed with TWO network
interfaces , one for internal and the other for external access!
22


Figure 2.2 lab environment with three simulated networks
Try it now

Accepting to work in an unsupported scenario to limit the number of servers required,
are you able to deploy Lync for the external users with no reverse proxy? Is it possible to
achieve the result without the Lync Edge server?
Exchange 2013 and SharePoint 2013 Integration

Exchange and SharePoint add a lot of interesting features to Lync (Unified contact store
and high resolution images from Exchange 2013, skill based search with SharePoint
2013). With Exchange you should consider also the Unified Messaging feature to
integrate voice mail and other voice services. Also, to explore the integration between
Lync and Outlook you will need to mail enable your Lync users with an Exchange
mailbox. The lab at this point is not easy to deploy and manage as the ones we have seen
before
23


Figure 91630_2_3 lab environment with Exchange and SharePoint deployed
Assembling the required software and hardware

So, we are going to build working lab environments. One driver is (usually) keeping a
low cost (in terms of space, money and time required). Which are the resources we need
to save the much? What we are able to keep on a virtual environment and what we need
to install on a dedicated hardware?
Virtualization

Lets start from the last of the aforementioned aspects: Lync 2013 enables virtualization
of all the Lync roles. Also, almost everything in the infrastructure that will support you
deployment or add features (domain controllers, mail servers and so on) is virtualizable
too. This is really important and will help you obtaining the first objective (learning
Lync with the least effort) and adds the support for snapshots, so you are able to test
configurations and rollback with a simple command. If you have access to a SIP trunk
(or you can simulate it, for example with a second Lync deployment or an alternative
voice solution like Asterisk) you are able to learn a lot of things about Lync Enterprise
Voice with no required dedicated hardware. If you are able to buy a Lync desk phone
and a switch you are able to explore also the management of telephony hardware with
24

Lync. So, what you will miss with such a solution? Well, what you cannot expect is the
working knowledge on how to configure third party voice gateways, IP PBX and so on.
That is something important that you will have to learn (probably) on the field, hoping
that the vendor documentation is as good as possible.
Acquiring the Required Resources

First lets examine the single resources you will need. After the next paragraph (in which
you will see the different deployment scenarios) I will try to propose best way to
obtaining them.
RAM (memory): it is a costly asset to attain. On laptops and desktops the maximum
memory you are able to use is limited by the hardware, and a really good motherboard
could use up to a maximum of 32 Gb (but you have to consider the costs of the memory
modules too).So one of your focus will be on creating the required infrastructure using
the less memory possible. A limit here is usability because often you are able to keep
some servers up and running with few Mb of RAM but their performances will be so bad
that they will be like unusable. Virtualization can be of help supporting dynamic
memory but required memory is often a bottleneck anyway.
Hard disks: usually allocating disk space to the servers is fast and cheap (especially if
we are talking about a virtualized deployment). Disk performances may create an issue.
The more virtual machines you put on a single disk physical, the slower they will work.
Again, the solution here could be adding disks (easier on a desktop), to distribute the
files of the virtual servers on external disks or using SSD disks (costly).
CPU: this is a resource that usually overpowers the requirements. If you have a good
x64 processor with multiple cores and hyper threading enabled, that is something you
dont have to worry about.
Networking: if you want to try also the access for external users you will have to
simulate an Internet network and an internal one (with your edge server and reverse
proxy acting as an entry point to your Lync deployment). You could use an hardware
(SOHO firewalls and routers are really cheap) or a software (a virtualized Windows
server system with routing and remote access enables)
SSL Certificates: in a test environment you could use an internal C.A. to create and
distribute your certificates. Keep in mind that in a real world scenario a third party C.A.
is the easiest way to expand Lync services to external users and to avoid headaches and
problems.
25

Software: for the base system (hyper visor) you can use a free product (Microsoft and
VMware offer good solutions). The servers you are going to deploy (Windows 2012 or
Windows 2008 R2) and the back office software you need (Lync, Exchange, Forefront
TMG and SharePoint) are usually available as 180 days trials so this should be the
cheapest and easiest asset to find.
Realizing the Deployment Scenarios

I will base my following explanation on a virtual environment. For a physical deploy the
setup of the different servers requires additional work and complexity (that is an overkill
for a test deploy in my humble opinion). To realize the internal Lync server services
scenario a single laptop / desktop with a hyper visor, at least 8 Gb of RAM and a fast
hard disk is enough.
The addition of services accessible from the Internet (second scenario) requires two
additional severs and may be too heavy for a laptop. A good desktop with 12 Gb of RAM
and a couple of disks where you can distribute the different virtual machines could be
enough.
For the Exchange 2013 and SharePoint 2013 integration deployment you could try
with a really good desktop (with as much RAM and as many disks as possible) o with a
refurbished server hardware (there are good opportunities to buy old hardware that fits
with your needs with an affordable price).
Another solution I have tried is to buy some virtual private servers on the cloud, from a
hosting provider. They are cheaper than buying the hardware, require no space or
maintenance on your side and often offer public IP addresses, so that you do not need to
simulate the Internet because you have a real directly connected server. The drawback
in such a solution is that the more servers (and time) you need, the more you are going
to spend. So, such a solution is a good one only if you are going to concentrate your tests
and study in a short time.
Try it now

If you need to test a specific aspect of Lync, like the deployment of a Front End or of a
Lync Edge, try the Microsoft Ignite virtual labs http://lynclabs.vlabcenter.com/Signin .
They are free, available to Microsoft customers and Partners and give you a virtual
environment (limited by time) that you can use according to the steps that will be
outlined in the lab or to test feature that you want to verify hands on.
26


Deploying the lab

Starting with the Internal Lync Server Services Only scenario you have to deploy:
A domain controller
A Lync Front End (Standard Edition)
An Office Web Apps Server
Domain controller

Lync will use the following servers as a base infrastructure:
Active Directory
DNS
Certification Authority
Lync interacts with Active Directory to build up the infrastructure, modify the schema,
the forest and the domains so that new classes and attributes are created. One of the
boundaries is that you can have only one Lync organization for every forest. It is
required to have at least a Windows 2003 level for the forest and for the domains.
DNS : Lync requires the capability to resolve all the names involved in the
infrastructure, including both the ones associated with the internal domain and the ones
related to the public name (or names) of our company. The latter are usually defined SIP
domains for a company (Session Initiation Protocol or SIP is the protocol used to
initiate or terminate live communication sessions). That makes sense because your
users will log into Lync always with the same SIP address (or by using their mail
address) regardless of their location (tablet outside our company, desktop joined to the
domain and so on). So the internal DNS must be able to resolve the public names of
your domain AND must be able to route the requests to network addresses that are
inside our network. To achieve this result two solutions are available: split DNS (that is
hosting a fake public zone on the internal DNS) or to use PinPoint zones, that enables
you to point single public names to internal IPs, without the need to manage the whole
internal copy of the public zone that is typical of the split brain scenarios.
To create a PinPoint zone (for a example for meet.lync2013.org to point to
192.168.1.100), you can use the following commands from a command prompt on the
DNS server.
27

dnscmd . /zoneadd meet.lync2013.org. /dsprimary
dnscmd . /recordadd meet.lync2013.org. @ A 192.168.1.100
In the next image you can see the messages resulting from the dnscmd commands

Figure 2.4 successfully pinpointing the meet record for the Lync Front End
Note: if you try the aforementioned commands from PowerShell, only the first one will
succeed.
Note: Regardless, of the kind of DNS records that you will use, it is important to fully
understand the impact you create for the Lync Clients. Lync Client use a given
procedure to identify their Lync Server, based on the users SIP Domain
(@domain.com). The process is based on SRV DNS records. For our Test Lab, we will
not go into more detail.
Certification Authority: the whole Lync system is secure by design and communication
travels only in a secure from. That is why certificates are really important in Lync (base
services will not event start if there is an issue with certificates). For a test environment
the C.A. installed on the domain controller is all we need to create internally the
certificates required for internal and Internet connected servers.
Try it now
Pinpointing can be done from the graphical interface too. Try it and evaluate what
method best fits for you



28

Lync Server Front End

Talking about the lab deployment what I suggest is to install Lync Standard Edition, and
collocate the Monitoring role, the Group Chat role and the Mediation server.
Note: to collocate the Monitoring role, you need to deploy also the monitoring reports. The whole process is well
described on the Matt Landis blog http://windowspbx.blogspot.it/2012/07/aaa-donotpost-install-lync-
standard.html
Office Web Apps Server

The installation is well described on the TechNet article Deploy Office Web Apps Server
http://technet.microsoft.com/en-us/library/jj219455.aspx . Only warning here is to select
and remember the internal and public name of the server, because they will be required
for certificates and for Lync Topology building.
You have additional requirements for the second scenario Lync Server Available for
External Users
Reverse Proxy

Microsoft does not suggest a specific solution for the Lync 2013 publishing process.
With TMG on the road toward the end of life, a viable solution is to use IIS as a reverse
proxy. Such a solution is outlined on the NextHop blog Using IIS ARR as a Reverse
Proxy for Lync Server 2013
http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-
proxy-for-lync-server-2013.aspx
Lync Edge

Lync Edge installation ill be discussed in chapter 25. In a test environment I suggest to
use the hosts file on the edge server to resolve the names of the internal Lync
infrastructure.
Exchange and SharePoint

The setup of Exchange and SharePoint is tied to the version of the aforementioned
servers you are going to deploy. Lync is able to integrate with Exchange 2007, 2010 and
2013. SharePoint is supported if the selected release is 2010 or 2013.
Some hints here:
29

In Exchange 2013 there is no UM role:
The functionality is into the Mailbox server role.
Client Access server role provides the UM Call Router service
Server-to-server authentication and authorization, OAuth (Open Authorization)
is a protocol required by Lync Server 2013, Exchange 2013 and Microsoft
SharePoint Server User credentials and passwords are not transmitted from one
computer to another (OAuth is based on the exchange of security tokens) Tokens
grant access to a specific set of resources for a specific amount of time

Lab

The configuration of OAuth can be started from Lync 2013 Assigning a Server-to-
Server Authentication Certificate to Microsoft Lync Server 2013
http://technet.microsoft.com/en-us/library/jj205253.aspx or from Exchange 2013
Integrating Exchange 2013 + Lync 2013 for UCS & OWA integration
http://memphistech.net/?p=280
Try both the methods and evaluate pros and cons of the different approaches.









30

3 Managing users with
Lync Server Control Panel
The Lync Control Panel is the first administrative tool youll head to after the Lync
installation is complete. Around 80-90% of all the administrative tasks can be managed
with this graphical interface (the remaining operations will be limited to the Lync Server
Management Shell that I will explain starting from chapter 5).
This chapter is ideally split in two base topics:
An high level overview of the Control Panel and of some fundamental concepts of
Lync administration (policies, policy scopes and administrative roles)
A complete explanation of the user configuration parameters available in the
Control Panel, including pool assignment, SIP URI configuration, telephony
options and policy assignment
Introducing Lync Administration from the Control Panel

If you are not a PowerShell expert and if your Lync deployment does not require
frequent troubleshooting, the Control Panel is the tool you will use more often in the day
by day administration of Lync.
The first operation you will usually perform in the Control Panel (and the one that is
suggested by default) is to enable users to Lync. The aforementioned operation may
sound logical if we ignore one basic fact: the configuration your user will receive is based
for a large part on Lync policies and rules while his / her Enterprise Voice configuration
will depend largely on the dial plans and voice routes you will deploy in your company.
So the unspoken assumption here is that before enabling the first user you should have
all the required settings already in place and the planning for voice, workload balancing
and so on done by this time.
My personal experience says that usually (for a lot of good reasons) you will have to
enable users to Lync and later modify the user settings accordingly to the configurations
you will deploy in a second moment.
31

So lets examine some of the steps you need to take if youre going to enable our users
(Patricia Johnson, Peter Duggan and Julie Penny) to Lync keeping in mind their
different needs. Summarizing what we said about here in the 1
st
Chapter, they will
Enterprise Voice (for Julie with the external access prefix configured, for Peter with
delegation), mobility, conferencing (with gallery view feature for Patricia) and
federation with an XMPP external provider (again for Patricia).
Choosing Between the Control Panel and the Management Shell

A decision you need to make before you begin the actual work is about what tool you will
use. As I said at the beginning of the chapter, Lync 2013 enables management from a
graphical interface (Lync Server Control Panel) and a command line (Lync Server
Management Shell). Managing with a GUI is easier, but for example, if you are going to
enable a large number of users with a batch modification, the best tool it the
Management Shell.
The Control Panel may be confusing because you will have all the administrative
interfaces available, including ones related to features that you have still not deployed
(and ones that you will never use). Looking at the next image, for example, you see the
Persistent Chat tab in the Control Panel of a Lync deployment that does not have
persistent chat enabled.


Figure 3.1 The Home screen of the Control Panel
32

Now, before actually doing administrative operations, lets translate the information we
about Patricia in a list of Lync parameters: she will need a telephone number, reachable
from the public telephone system with an internal extension (I will use 1(555)555-5555
and her extension will be 5555). The company dialing habit is to add the 9 before dialing
an external number and we want to keep this pattern. Patricia will be enabled for the
advanced voice features, including call transfer, simultaneous ringing, and so on and
from the video conferencing point of view she will use also the gallery view (multiple
simultaneous video streams).
Policies and Policy Scopes in Lync Administration

The whole Lync experience of our users will be dictated by the policies we apply to them,
to the Lync site (i.e. network location), to the Lync Pools and to the organization as a
whole.
When your scope is to create a configuration or constrains for the larger part of your
users it is advisable to use a global policy. The default policies that Lync applies just
after the installation phase are all global ones. Lets say, for example, that Lync2013.Org
has an internal policy to deny delegation (a feature that enables users to specify other
users to send and receive calls on their behalf). To address a requirement like that we
will work on a global policy (a Voice Policy with a global scope, to be more specific)

As said, policies apply in a hierarchical order, which is illustrated in the schema below:

33

The policy will apply to all the Lync infrastructure (see figure 3.2)

Figure 3.2 a global policy with delegation not enabled
Few Lync users like Peter Duggan (that will delegate to Julie Penny) will have access to
the aforementioned feature. To create an exception to the rule you will create an
additional Voice Policy (with scope = user) and then you will be able to apply it to the
requiring users. We are going to define a new voice policy to respond to this need in
figure 3.3

Figure 3.3 selecting the scope to create policies that will be applied to specific users
If you had a branch office with a lot of users in need of the delegation feature, you could
have used the third scope (site) that applies to all the users in a specific Lync site. The
more specific policy overrides the others to allow a granular management (i.e.
conflicting parameters will be resolved by the User policy overriding the Site policy
and the site policy replacing the Global policy parameters).
As a consequence, the network aspect of your deployment will influence your Lync
administration; this is obvious because if you have a single site, you will lose a level of
flexibility when managing your policies.
34

Roles in Lync Administration

Role Based Access Control (RBAC) is the permissions model used in Lync 2013. During
the forest and domain preparation that is mandatory for the deployment of Lync, some
universal groups are created and permissions are assigned to them.
The aforementioned groups are the base of RBAC and enable you to control what
administrators and end-users can do. The division between Lync roles and other
administrative tasks (like Directory Services administration) is so net that just after the
domain preparation you have to insert at least one user in the CsAdministrator
group, to define the first administrator of Lync 2013.
Each RBAC role is associated with a set of Lync Server Management Shell cmdlets
corresponding to the tasks that can be carried out by users the users in a specific group.
Lets try to imagine a scenario: Lync2013.Org wants to delegate to a group of operators
the monitoring of Lync health. The only operation that the Lync administrator will need
to perform is to insert their users in the CsViewOnlyAdministrator group (the tool
to use is Active Directory Users and Computers, there is no way from Lync to
perform this task)

Try It Now

We said that the groups have a limited subset of cmdlets available. To verify what
commands every group is able to perform you can use the following string in the Lync
Management Shell
Staying with the aforementioned example, you can launch the following line
GET-CSADMINROLE -IDENTITY "CSVIEWONLYADMINISTRATOR" | SELECT-OBJECT -EXPANDPROPERTY
CMDLETS
The result will show a list of the cmdlets related to the CsViewOnlyAdministrator group.
You can try the same command with CsAdministrator and see the differences.


35

Enabling And Configuring Users

In figure 3.4 I have divided the New Lync Server User screen into four zones:
Pool assignment
SIP URI configuration
Telephony options
Policy assignment
I will use the aforementioned division to separate the different tasks related to user
parameters that you have at your disposal to configure your users (later in the chapter,
we will do the same thing for clients and devices).

Figure 3.4 The New Lync Server User page with the options divided into four zones
36

Enabling a User to Lync

Lets take a look to a standard process to enable to Lync one our users, Patricia Johnson.
We want to give her a Lync user that matches with her mail address, to assign her to the
Lync pool that is located in the companys headquarter and to give her a phone number
that is directly reachable from the public telephony system 1(555)555-5555.
She will use the Lync capability to view multiple video streams in a single conference
(gallery view) and she required to simplify her access to public IM services like
Jabber.Org (at the moment she has many different accounts on the various systems).
Patricia and her colleagues have used for many years a PBX that required dial 9 before
you were able to compose an external number. We want to accommodate also this
dialing habit.
We can start from the Control Panel, Users tab and select Enable Users

Figure 3.5 Starting with the enabling process
In the next screen select Add

Figure 3.6 The New Lync Server User screen
In the Select From Active Directory screen you are able to search the user with a
search or you can simply press the Find button and have a list of all the Active Directory
users not enabled to Lync. Select Patricia Johnson.
37


Figure 3.7 Starting with the enabling process

Pool assignment

Several parameters are already set to automatic, meaning that the Global policy will
apply as long as we do not decide otherwise. The first area is used to decide which pool
will host the user account (Patricia Johnson) as you can see in the following screen
capture (figure 3.8). The information related to the pool in which the user is homed
are shown in the first part of the menu and are important, for example, if we need to
move our users from one server to another one in case of a disaster recovery.

Figure 3.8 Assigning the user to a Standard Edition server
In Lync 2013 the so called Front End pool is in charge of a great part of base Lync
functionalities including authentication and registration. A Front End pool could be
38

constituted by a single Lync Standard edition server or by a group of Lync Enterprise
edition servers (the suggested minimum is two servers for an Enterprise pool).
Every user enabled to Lync must be homed on a pool. If the pool contains more than one
server, every person connecting to Lync will have a defined registration order (that is
build and updated using an algorithm) containing a primary server, a secondary server
and so on. The aforementioned mechanism balances the users on the pool nodes and
gives continuity if one or more of the servers fails. If you have a geographical network
with different Lync sites, the standard scenario is to have users homed on a pool that is
on their local network, although this is not mandatory.
With the so called brick logic implemented in Lync 2013, we have an additional
continuity feature (Front End pairing). If you have two separate pools, you are able to
failover and failback the accounts from one Front End pool to another. This is not the
same continuity level that you have with a single enterprise pool because you will have
to manually fail users form one Standard edition server to the other one. However this
method supports continuity (not high availability) because data are replicated in a way
that permits the user to be moved with no information lost.

SIP URI configuration

Patricia Johnson has a mail address on our companys Exchange system
(PatriciaJ@lync2013.org ). She will be more comfortable if you enable her to use the
same address to access also the Lync services( afeature called unified communication).
Customers and partners will expect to contact her via Lync / Skype federation using the
same mail address (reported also on his business card). A second reference, different
from the aforementioned address, could be confusing.
As you know, Lync uses Session Initiation Protocol (SIP) as the signaling protocol. To
citate the RFC 3261 SIP is an application-layer control protocol that can establish,
modify, and terminate multimedia sessions (conferences) such as Internet telephony
calls. SIP can also invite participants to already existing sessions.
SIP URI is the SIP addressing schema to call another person. In other words, a SIP URI
is the software version of a traditional phone number based on the SIP protocol.
Each resource in an SIP network needs a unique URI (uniform resource identifier) and
Lync is no exception. The second zone, SIP URI Configuration is where you can
39

configure an SIP address for your user that must be unique in the Lync structure and
should be as easy as possible to remember for both internal and external users.

Figure 3.9 The SIP options available for every user
The available choices for the SIP URI depend heavily on the choices you make in the
Lync Topology Builder. When you design (and publish) your Lync infrastructure, you
are required to list all the SIP domains that your deployment will manage.
In figure 3.10 you can see the configuration related to the default SIP domain and to the
additional ones you are able to add. SIP URI containing domains that are not existing
here are not configurable in Lync Server 2013.

Figure 3.10 Adding or removing SIP domains requires modifications to the topology
If one of the SIP domains is also a public mail domain for the company, the Use users
email address option should be your first choice.
The option to use the UPN (user principal name) has been widely used, but if your
Active Directory domain uses an internal name, the limits on the third party certificates
that will be effective on November 2015 make this option less convenient than it was in
40

the past. The remaining options add flexibility to give you the possibility to use a SIP
URI naming scheme that matches your companys needs.

Telephony options

In the third zone, telephony options, four settings are available in the first drop-down
menu as you can see in figure 3.11.

Figure 3.11 the Telephony drop-down menu
Audio/video disabled implies that the user cannot make calls with audio and video
and is limited to Presence and IM only
PC-to-PC the user can make only PC-to-PC audio or video calls.
Enterprise Voice enables the user to take incoming and place outgoing voice calls
(this feature requires a specific Client Access License that you will need to buy in
addition to the server license, as I will explain later in the chapter). Remote call control
has two different settings
Remote call control enables the user to remote call control. There are two option,
Remote call control and Remote call control only. If RCC only is chosen, the PC-to-PC
call feature is disabled.
All parameters (excluding Audio/video disabled) require a Line URI (the telephone
number of the user).
Patricia requires full Enterprise Voice features and a number reachable from the public
telephonic system, 1(555)555-5555.
The first parameter we need is a Line URI. We said that Lync is based on the SIP
protocol, so you have to format it according to the ITU-T recommendation E. 164
(tel:+15555555555).
41

Such a format includes a country code, an area code, and a local user number and it is
required to put Lync server 2013 in a position to talk (also) with the Public switched
telephone network (PSTN) and with the outside world in general. Enterprise voice
will be explained in greater detail later in the book.
The aforementioned number may be directly reachable from outside the company (this
is called DID, Direct Inward Dialing) or may be an internal number that requires calling
a main number. In the latter scenario, we have support for an additional parameter, ext.
The Line URI will look like the one in the figure 3.12, where the extension is 5555.

Figure 3.12 Configuring a user DID with extension

Dial plan policy

The Dial plan policy and the Voice policy will add some parameters we need to manage
an Enterprise Voice user.
The Dial plan policy resolves a common issue: you need to normalize the numbers (for
example, the ones that a user dials) so that they are transmitted to the voice gateways or
SIP trunks in E. 164 format. A Dial plan contains one or more normalization rules that
you can apply to a site, a pool, a user, or to the whole Lync system (the default Global
policy).
Normalization rules are created using regular expressions such as $ match the end (a
topic we will explore in the Enterprise Voice part of the book).
42


Figure 3.13 Configuring a dial plan with an external access prefix
In the figure 3.13 I have added also an External access prefix (9) thats often used for
calls going outside the company.
This parameter is useful if your users dialing habit includes adding a number to identify
calls that are going outside the company. Our user Julie Penny usually uses a desktop
phone and composes telephone numbers after she has lift the receiver off the hook (off-
hook dialing). She adds 9 at the beginning of the external number (a habit she has
learned with the old companys PBX) and then reads the number and composes it. The
external access prefix says to Lync that 9 will be used for external number (so rules for
internal numbers will be ignores) and that the number 9 is not to be considered when
normalizing the number.



43

Voice policy

Voice policies are made up from two parts: features (that you can enable or disable)
and PSTN Usage records, as shown in figure 3.14

Figure 3.14 Editing a Voice policy
The previous screen capture shows the default configuration for a voice policy. For our
user we will enable also the call park feature (that is, the capability to leave a call
waiting and pick it up from another phone). The PSTN records are labels that we use
to group rules needed to manage call costs and voice routing. Well talk more about
Enterprise Voice in the third part of the book.
Earlier, we mentioned Lync CALs. Lync licensing is honor-based, so there is no control
or limit on the features you are able to use even if you havent acquired the necessary
licenses and you have no dedicated screen or configuration to add or remove licenses.
The only way you have to keep control over the number of required licenses is with the
policies you assign to Lync users, adding or removing features.

Policy assignment

We said that Patricia will use a feature called Gallery view. This is a new conferencing
layout that features up to five active video streams at the same time. The Allow multiple
video streams parameter (enabled by default and introduced for the first time in Lync
2013) can be disabled in situations where we need to inhibit access to a conference that
uses Gallery view. This is something we have to enable using a policy (that is, by working
44

in the last area of the Control Panel). The parameters are set in the screen you see in
figure 3.15 (in the Conferencing tab, editing the conferencing policy).

Figure 3.15 Editing the global conferencing policy to enable multiple video streams
Patricia Johnson keeps in touch with a large number of customers of our company and
she is often required to meet them on public IM services like jabber.org . You want to
make it easy for her to connect with the aforementioned external services using her Lync
account (and replacing with the latter a long list of accounts she uses on the various
platforms). You can achieve the result configuring a federation based on XMPP. I will
explain the details later, but basically what you need to do is to configure the policy in
the Federation and External Access tab, editing the External Access Policy as
shown in figure 3.16
45


Figure 3.16 Configuring a policy, with a scope limited to the user, for XMPP federation
It is important to point out that the policy will be a User scope policy, because we want
that XMPP integration not to be a generally available feature.
Returning to the users parameters for Patricia (figure 3.17) we will bind her to the
XMPP Federation policy, leaving the global/default policy with no changes.

Figure 3.17 Applying a User policy for Google Talk
The various policies we see in this screen will dictate the whole user experience and will
be discussed deeper in the next chapters. To give you a quick idea of the available
parameters, we have:
Conferencing policyDefines the features and capabilities that users have available
during a meeting, including the audio and video features and the data sharing tools.
Client Version policyThis policy defines for Lync the versions of clients that are
supported in your environment.
PIN policyTo participate in a dial-in conference, a Lync user requires a personal
identification number (PIN). PIN policy dictates maximum logon attempts, PIN
expiration, and so on.
46

External Access policyYou can configure which public systems (including XMPP
federated partners) or external users can collaborate with internal users.
Archiving policyArchiving enables your company to keep a record of IM
conversations involving your Lync users. The aforementioned feature could be required
for legal reasons and could be turned on only for specific users, with a dedicated policy
applied to the people you need to track.
Location policyLocation policy contains the E9-1-1 settings.
Mobility policyThe features you can control from here are related principally to the
Lync 2013 clients for mobile devices, e.g. Wifi Connection requirement for Video Calls
from those devices.
Persistent Chat policyThe parameters you can modify here are related to the
persistent chat service.
Client policyThe client policy dictates which client features will be available for the
user.
As youve seen, even the configuration of a user that doesnt have particularly complex
requirements involves several steps. A users policies and configuration (especially
projected on a large scale) have a deep impact on costs and on the performance of your
system and are not to be undervalued.
Try it Now

Move a user from one Lync pool to another and to disable their conferencing policies
using the Control Panel.
Lab

NOTE For this lab, youll need your domain controller and a Lync Front End up and running.

Proceed to enable a new users in Lync
Delegate to this user the capability to enable and disable users for Lync Server
Launch the Lync Control Panel whit the aforementioned user and enable two new
users to Lync
Define their policies so that one of them is enabled only to IM while the other one
is an Enterprise Voice user
47

For the latter, configure a dial policy that includes 0 as an external access prefix
Try an audio call and then configure everything so that users are able to talk each
other with Enterprise Voice
Test the delegation feature, enabling it for a Lync user and applying the number
delegation from the Lync client

















48

4 Managing Clients, and
Devices with Lync Server
Control Panel
As a Lync server administrator, one of your tasks is to manage software updates and
usage policies for the clients. The definition of client in Lync includes Lync client
software installed on the user workstation or on a mobile device and IP deskphones. You
can add to the list the Lync Web App, a web interface accessible to the users with no
client software on their local machine. The Web App is not a full featured client but
enables participation to an existing meeting.
In figure 4.1 you can see the full client, the Web App and a deskphone side by side.

4.1 A graphic representation of some of Lync 2013 clients
The Control Panel of Lync 2013 server will be of great help in this task with the tools
incorporated in a tab called CLIENTS (as I explained previously, the Control Panel is
the graphical interface for Lync administration). You can see it in figure 4.2

4.2 The left pane of Lync 2013 server Control Panel. The green circle shows the clients tab

In the client tabs we have the instruments to manage:
49

Clients: Lync and OCS client software installed on desktop clients (OCS 2007 R2 was
the UC product published from Microsoft before Lync)
Hardware: this definition includes all the deskphones you can use with Lync. These
can be divided into two broad categories:
Compatible IP Phones Tested and Qualified for Lync that are phones that use a
third-party software compatible with Lync
IP Phones Optimized for Lync that are phones based on Lync Phone Edition (see
figure 4.3). Lync Phone Edition is a client software from Microsoft that runs on qualified
devices and provides traditional and advanced telephony features.

Figure 4.3 the phone on the left uses Lync Phone Edition while the one on the right uses a software from the
hardware manufacturer
Mobility: dedicated to the management of client functionality designed for mobile
devices such as smartphones and tablets
In Figure 4.4, in addition to showing contents of the Clients tab, I have divided it into
three "zones" (client, hardware and mobility). It should be easier to explain the different
tools this way.

Figure 4.4 Clients tab in Lync Control Panel with the three zones
50

As you can see, two tabs are for Software Clients management, four are for Hardware
Devices and two focus on Mobility.
You can map each tab with the administrative tasks you accomplish inside, like in the
following table

Client Version Policy Client version policies enable you to specify
which clients will accepted from Lync Server
Client Version
Configuration
Here you can specify a default action for
clients with no client version policy defined
Device Update You are able to approve and distribute
software updates to the devices
Test Device You can add a test device and use it to verify
new updates before deploying them to
production devices
Device Log
Configuration
You can manage settings related to the
device updates logging
Device Configuration Device configuration enable you to modify
management options for Lync Phone Edition
like phone lock after time-out
Mobility Policy You can create a mobility policy to allow or
deny Lync features to mobile users
Push Notification
Configuration
You can enable o disable push notifications.
A notification is an on-screen warning about
missed Lync communications. It is available
only on certain versions of the Lync mobile
client

I will explain some of the configurations available in the various tab, keeping the logical
division into three areas to improve the clarity.

NOTE: Usually client management is not a job that you will perform on a daily basis.
Usually you will work in the face of new software updates or if you need to change
policies for your clients.
Now, to start with a practical example, lets imagine that you have just migrated your
corporates Lync infrastructure to Lync server 2013. You will probably have the Lync
2010 clients displaying the following error: Microsoft Lync 2010 is not a version that
can be used to sign in to the server, as you can see in figure 4.5
51


Figure 4.5 Default error with Lync 2010 clients
The solution to your problem is in what I have called the software clients zone of the
clients tab in the Lync serve Control Panel.
Software Clients

The parameters in the Client Version Policy and in the Client Version
Configuration tabs dictate together which clients can login to Lync server.
Every time a Lync user logs on, the client version configuration select if it is subject to
client version checks or not.
If the Client Version Configuration is enabled (see figure 4.6 the Client Version Policy
will check the release of the client software and allow (or deny) it the access.


Figure 4.6 Client Version Configuration enabled
Then the Client Version Policy establishes the rules for admitting or blocking the
different clients.
52

The default policy is a global one (that means that it applies to the entire infrastructure
Lync) as you can see in figure 4.7

Figure 4.7 client version policy with the default (global) policy
Opening the policy, you will see the list in the image 4.7. The value I have pointed out in
green is the one that regards our Lync 2010 clients. If they are older than version
4.0.7577.4103 they will not be able to connect to Lync server 2013.

Figure 4.7 client version policy with the parameter regarding Lync 2010 client highlighted
The default settings are too restrictive, for our scenario, cutting out a part of the Lync
2010 clients. What you have to do is modify to set to allow the OC 4.0.7577.4103 version
of the User agent (corresponding to the Lync 2010 client) as you can see in the next
screen capture
53


Figure 4.6 Enabling Lync 2010 clients
Now, lets add some information to go beyond the specific issue you have just seen.
Version Configuration includes a setting to allow or block unidentified clients. That is an
important set because it dictates how Lync will manage any client it is not able to match
with the versions listed in the policy parameters.
To manage scenarios with a companys deployment of the Lync clients that is not
homogenous you can create site or user policies to manage exceptions for a single office
or employer.
Note: If you want to keep also Microsoft Office Communicator 2007 R2 clients running,
the version to modify is 3.5.6907.233
Hint: I suggest you a free tool (Find Lync Versions
http://www.stumper66.com/software/lync.html ) that queries the RTCLocal database to
retrieve the client versions that your users have on their workstation.

Try It Now

Open a Lync client and identify its version number.
Prepare a list of the required steps to allow connection to the Lync server for
legacy clients in a branch office with a local Lync Front End server where the
users are homed.
Now, imagine the aforementioned branch office with a SBA deployment of Lync (
Survivable Branch Appliance is a an hardware with limited Lync features to
increase voice resiliency in branch-office scenarios). The list of required steps to
keep legacy clients working will change ?
54

Hardware Devices

If your company uses the Enterprise Voice of Lync server 2013 (that is the Lync term to
define voice communications over Internet Protocol or VOIP) you probably have also
deployed deskphones as the ones you have seen at the beginning of the chapter.
A part of your administrative tasks is to keep up to date and to align to the last version of
software the aforementioned physical phone devices.
In this zone of the Control Panel you are able to approve and distribute updates to the
devices (and to rollback in case an issue arises), to test them or to configure some
parameters (see figure 4.7)

Figure 4.7 Device Management in Lync Control Panel
Lets assume that you need to update an HP4110 phone to the last release of the
software. The first step is to download an updated .bin file (this file, deployed to the
deskphones, will update their software). Then you need to make it available to the
devices.
Lync enables software distribution to the devices through the web service installed by
default on the Lync Front Ends.
Note: the procedure will require also the use of the Lync Management Shell (that is the
command line based on Windows PowerShell for Lync administration) and its cmdlets
(a lightweight command that is used in the PowerShell environment)
You need a cmdlet to import the .bin files in Lync server. The base command is Import-
CsDeviceUpdate but you need also to know a parameter of your Front End called
identity.
If you do not know the -identity parameter for your server you can use the following
cmdlet Get-CsService WebServer.
In my example I have a value equal to Webserver:2012SE1.Lync2013.dom.
The .bin file I have downloaded is located in c: and named ucupdates.cab. The ending
cmdlet to import it will be
Import-CsDeviceUpdate -identity WebServer:2012SE1.Lync2013.dom -FileName
c:\ucupdates.cab
55

To verify if the update have been imported correctly you have to go in the Lync Control
Panel and open the Device Update in the clients tab.
The result is the one you can see in figure 4.8 (I have also opened the Action menu for
the approval).

Figure 4.8 Updates are available for approval in Lync Control Panel
Before deploying it on a large scale you can verify the new updates on a test devices
using the dedicated menu (Test Device) in the Control Panel. The hardware can be
identified using the MAC address (unique identifier of the network interface of the
deskphone). In my case 00:04:13:72:00:7F. You could also use the serial number
(M08400000) as shown in figure 4.9

Figure 4.9 Configuring a Test Device
If the test device shows no issue, you can deploy the update approving it in the
aforementioned Device Update tab.
56

Note: The pre-requirements for a successful Phone Edition deployment include a
working Lync Enterprise Voice implementation and modifications to the network
infrastructure servers like DNS and DHCP.
Mobility

Lets say that our user Patricia Johnson needs:
To use a mobile client and the call via work feature (i.e. the capability to call from
her cell phone using her work number)
We want her to use voice and video only if a Wi-Fi connection is available (so
mobile data connection should be inhibited for those features)
The bad news are that you cant achieve the result using only the Control Panel.
The default policy (global) that you can see in the Mobility Policy tab (figure 4.10)
does not satisfy the aforementioned requirements and that there is no way to force the
Wi-Fi parameter from the Control Panel.

Figure 4.10 The Mobility Policy with the default policy opened
I have zoomed the previous image in figure 4.11. As you can see, the settings are only to
enable or disable mobility and call via work.
57


Figure 4.11 Global Mobility Policy
The solution is to use (again) the Lync Management Shell. If you launch the cmdlet Get-
CsMobilityPolicy you will see a result like

Identity: Global
Description:
EnableOutsideVoice: True
EnableMobility: True
EnableIPAudioVideo: True
RequireWIFIForIPAudio: False
RequireWIFIForIPVideo: False

So to get the result you want (limiting it to a user scope because we want to apply it to
the single users) the cmdlet will be something like
New-CsMobilityPolicy -identity "Wi-Fi required" -RequireWiFiForIPAudio $True -
RequireWiFiForIPVideo $True

Push Notifications
Depending on the kind of mobile device the user will work with, you could prefer to
enable the push notifications of Lync (as we said before, on-screen warning about
missed Lync communications).

58

Push Notification are disabled by default (see Figure 4.12)

Figure 4.12 Default Policy for Push Notifications
To continue with our previous example, if Patricia has Lync 2013 Mobile on an Apple
device, you do not need push notifications because the new version of the client for IPad
and IPhone does not support them. If she uses Lync 2010 Mobile on an Apple device or
a Windows Phone, notifications useful. The aforementioned configurations will use the
push service to notify the user for lost IM messages and contacts when the client is in
background.
Note: the feature requires configurations for the Lync Edge and for the reverse proxy
that we will see later in the text.
Some Things You Have to Do Outside the Control Panel

Some devices, like the ones dedicated to conferencing and the common area phones are
not managed from the Control Panel and we will talk about them.
A part of the client management and configuration (bootstrapping policy) is managed
through Group Policies (Lync 2013 administrative templates are included in the Office
2013 Administrative Template files (ADMX, ADML)) as you can see in figure 4.13

Figure 4.13 Microsoft Lync 2013 administrative template in Group Policy editor
As you may already know, Group Policies enables you to modify the whole working
experience of a user, adding or removing features, programs and permissions from the
client based on his / her group membership, the organizational unit in which we insert
59

the Active Directory account, the computer object and so on. Usually this is something
managed from the administrative group responsible for the companys Directory
Services. As a Lync administrator, you can use the Active Directory infrastructure to
configure Lync client parameters. Group Policies for Lync are policies for the computer
object, so you are able to modify some settings of the Lync client based on the
workstation that the user is logged on.
A useful application of the Group Policies with Lync 2013 brings a solution to the Lync
Sign In error Lync cannot verify that the server is trusted for your sign-
in address. Connect anyway?.
Usually this is an error related to some mismatching information in the Lync
certificates, where the users SIP Address is not matching the internal Server DNS Suffix.
For example, your Active Directory domain is Lync2013.dom and that your Lync Front
End name (and DNS records) are associated to the Lync2013.org domain.
All the Lync clients, the first time you try to connect, will show the aforementioned
error. You can manually add the server to the trusted domains list but a smarter solution
is to use the Group Policies. Adding the Lync server in the Trusted Domain List
(TrustModelData) parameter (see next image).

Figure 4.14 the Trusted Domain List
The error will never show in any of the clients joined to your Active Directory domain.
This is only one example of the results you are able to obtain with Group Policies. In the
next Try it now I will show you some additional tasks that you can perform.
60


Try It Now

To further explore the power of the Group Policy for Lync 2013 you could try to create
two different policies: the first one (that you can call Tracing) will enable the tracing for
troubleshooting on the client (Turn on tracing for Lync enabled in the policy) and you
can link it to an organizational unit that you can call Debug. The second policy (that you
can call No Tracing) will have the same tracing parameter configured in disable and will
be linked to an o.u. called Lync clients.
The situation will be the one you can see in the next figure

Figure 4.13 Organizational units with the two Lync group policies linked
Now, every time you have a problem with the Lync client of a single workstation, you
can move the computer object to the Debug o.u. so that the next time the client logs on
to the domain tracing is enabled. When the issue is resolved, you can move the endpoint
back to the original o.u. and the tracing will be disabled at next log on.

Lab

In this chapter you have seen a portion of the management through the Lync control
panel that encompasses all the client solutions available to the users (Lync clients for
desktop and mobile environments and external users based on mobile devices options).
As you have seen, some specific tasks have to be executed outside the graphical interface
and the characteristics of the Lync management shell are the topic of the next chapters.
NOTE For this lab, youll need your domain controller and a Lync Front End up and
running.
61

Try to answer the following questions and complete the specified tasks. This lab is
focused on the features that the Lync Control panel offer to manage the different kind of
clients and devices.
Can you inhibit the use of Lync for a group of users? How do you perform this?
How do you enable the use of Lync 2010 client only for a specific site?
What is the best method to test a Lync desktop phone firmware before deploying
it to all the devices?
How can you dictate that audio and voice features for mobile clients are available
only if a Wi Fi Network is connected?













62

5 Managing Users with
Lync Server Management
Shell

Lync Server Management Shell is and administrative interface built on the Windows
PowerShell 3.0. Although it is possible to perform around 80% of the management and
configuration tasks from the Lync Control Panel, you have to remember that the
aforementioned graphical interface implement only a subset of the cmdlet that you have
at your disposal in the Management Shell. The Lync Server Management Shell also the
best tool to automate administrative tasks.
Administering Users From The Management Shell

Using the new PowerShell 3.0 means that new features and improvements are available
to manage Lync. The first useful tool is the Show-Command cmdlet. As you can see in
figure 5.1, the new version of this cmdlet opens a graphical interface that lets you select
the PowerShell module you want to use and then brings up a list of available cmdlets.

5.1 Using the Show-Command cmdlet to explore Lync commands

63

Selecting a cmdlet you are able to see the available parameters (see figure 5.2)

Figure 5.2 the parameters are shown in the graphical interface
Get Information About Lync Users
You can start examining one of the most used cmdlets for Lync user management: Get-
CsUser

Figure 5.3 the Get-CsUser cmdlet with a list of the available options
64

Figure 5.3 shows of the most common properties that you can use with the get-CsUser
command. A first, interesting cmdlet that you can use is
Get-CsUser | Get-Member -MemberType Properties
This command will show all the properties you could query with Get-CsUser
In the following image I have launched filtered only the name of the properties to have a
clearer list
Get-CsUser | Get-Member -MemberType Properties | select-object Name

Figure 5.4 the result of the previous cmdlet with the selected values in a table
Some examples:
65

Get-CsUser | Select-Object DisplayName
The command will list all the users enabled to Lync and will show only the display name
for each one
Get-CsUser -Filter {EnterpriseVoiceEnabled -eq $true}| Select-Object DisplayName
The command will list all the users enabled to Enterprise Voice and will show only the
display name for each one
Get-CsUser | where {$_.LineURI -like "tel:+39*"} | Sort-Object LineURI | Select-Object
Displayname, LineURI, PrivateLine
The command will show all the users enabled to Lync enterprise voice with a number
starting with +39 and sort them based on their telephone number in a table as you can
see in the next figure

Figure 5.5 the result of the previous cmdlet with the selected values in a table
$list = Get-CsUser
$list.Count
To count the users enabled to Lync and display a numeric value
$list=Get-CsUser -Filter {EnterpriseVoiceEnabled -eq $true}
$list.count
If you want to list only the users enabled to Enterprise Voice you can mix the
aforementioned command and one of the previous exaples
Get-CsUser | where {$_.registrarpool -match "Lync01.lync2013.intra"}
If you want to list the users hosted on a specific registrar pool (for example
Lync01.lync2013.intra)
Enable or Disable Lync Users

To enable a user to log on Lync server you have to enable he or she to the Lync services.
The aforementioned user must have a valid account in the Active Directory forest.
66

While you were able to launch the Get-CsUser cmdlet with no parameter, the Enable-
CsUser cmdlet has some required parameters. Identity, RegistrarPool and SipAddress
have to be defined (although the latter can be parameterized automatically or manually
in the cmdlet).


Figure 5.6 required parameters of the Enable-CsUser are in yellow
Some examples:
get-csaduser -filter {windowsemailaddress -like *@domain.com} -OU
ou=OrganizationUnitName,dc=domain,dc=com | Enable-CsUser RegistrarPool
PoolServer.domain.com -SipAddressType EmailAddress
Bulk enabling of Active Directory users to Lync is something that is really often
required. I have used the solution published on this blog
http://jamesosw.wordpress.com/2012/01/16/enabling-lync-users-in-bulk/
This one builds on the get-csaduser cmdlet and lets you pick user objects from a specific
organizational unit, filtering them using the e-mail address end enabling them to Lync
with an auto-generated address based on the aforementioned mail address.
67

The Control Panel cant modify domain users that are part of an administrative group. If
you try to do that you will have the error shown in the next figure


Figure 5.7 the error message related to the modification of an administrator
It is required to operate from the Management Shell with the following cmdlet
Enable-CsUser Identity "Administrator" RegistrarPool Lync01.lync2013.intra -
SipAddressType EmailAddress
Try It Now

Try the WhatIf parameter to test an Enable-CsUser cmdlet
Try the difference between the Set-CsUser Identity "username" Enabled $False
cmdlet and the Disable-CsUser Identity "username" cmdlet. You will notice that
the first one disables the user from Lync with no configuration or policy lost,
while the second clears all the Lync parameters.
Moving Lync Users Between Different Pools

The Move-CsUser cmdlet enables you to move a user account from one Registrar pool to
another.
The command is important in Lync 2013 because we can use it to failover / failback
Lync enabled users from one pool to another one if we have decided to take advantage of
the Front End pairing feature (see later in the text for a detailed explanation).
The parameters related to Move-CsUser are the ones you can see in figure 5.8, with the
ones in yellow (Identity and Target) required.

68


Figure 5.8 the Move-CsUser cmdlet with the required and optional parameters
As a part of the failover procedure if a paired Front End is no longer available, you have
to use the following cmdlet (including the Force parameter)
Get-csuser -Filter {RegistrarPool -eq "Lync1.Lync2013.Intra"} | Move-CsUser -Target
Lync1.Lync2013.Intra -Force
Lync2013.Org has deployed a hybrid environment with a split domain. Although we will
talk about this kind of configuration in Chapter 21, at the moment it is important to
remember that it enables your users to work on-premises and online with the same SIP
domain. You can also move the users online and back on-premises using the Move-
CsUser cmdlet. The syntax will be similar to the one you can see here
Move-CsUser -Identity UserURI @Lync2013.Org -Target sipfed.online.lync.com -
Credential Office 365 administrator credentials -HostedMigrationOverrideUrl
Migration URI taken from the Office 365 Portal


69

Handling Policies From The Management Shell

As you have seen in the previous chapters, Lync Server provides a number of
policies to manage features and configurations. For every policy you have seen in the
Control Panel there is a matching cmdlet in the Management Shell. Policies related to
clients and devices (Client Version, Pin, Client Policy) will be explained in Chapter 6.
Regarding Lync users we have the schema you can see in figure 5.9. Note that the
schema uses only the New- cmdlet used to create a new policy, but you have also
Grant- to assign an existing policy, Get- to retrieve information about policies,
Remove- to remove policies and Set- to modify an existing policy.


Figure 5.9 User policies paired with the cmdlet used to generate a new policy
The first policy Lync2013.Org wants to deploy for conferencing, will limit the users with
a standard CAL to IM, presence and participation (not scheduling) in conferences. Tim
Harrington has done a great job here
http://howdouc.blogspot.it/2011/09/understanding-and-enforcing-licensing_21.html
with a policy that does what you need using the Management Shell (the articles were
based on Lync 2010 but standard CAL limits and cmdlets to use are the same in Lync
2013):
New-CsConferencingPolicy Identity Conf-StandardCAL AllowIPAudio $false
AllowIPVideo $false AllowUserToScheduleMeetingsWithAppSharing $false AllowPolls
$false EnableAppDesktopSharing None EnableDialinConferencing $false
70


The policy will disable all the features not included in the standard CAL as you can see
in the results shown in figure 5.10

Figure 5.10 configuring a new policy to enforce a standard CAL
The next step will be to apply the policy to users. For example lets say that when Julie
Penny was hired in the company the features we granted to her were the ones included
in the standard cal
Grant-CsConferencingPolicy Identity "Julie Penny" PolicyName "Conf-StandardCAL"
When Julie began working with Stacey Duggan the Lync administrator decided to align
them to the Global policy, which includes additional features.
Again, from the Management Shell, we are able to perform the task using:
Grant-CsConferencingPolicy Identity "Julie Penny" PolicyName $Null
CsExternalAccessPolicy is dedicated to manage your external access policies (like
federation). So, the first step you could perform is to get a list of the existing policies
with Get-CsExternalAccessPolicy. Now, lets suppose that the interns of your company
should be not able to use the external access features. You are able to address the need
creating a user policy with a cmdlet like this:
New-CsExternalAccessPolicy -identity Intern
71

You dont need to specify parameters, because the features will default to $False (i.e.
disabled) like you can see in the next figure 5.11

Figure 5.10 Configuring a restrictive policy for a group of users
Now all you need to define is a parameter that identifies the intern users enabled to
Lync and applies the aforementioned policy in a consistent manner. If their Title in
Active Directory is Intern, the cmdlet will be something like the following one
Get-CsUser LdapFilter "Title=Intern" | Grant-CsExternalAccessPolicy PolicyName Intern
Lync Server (with the Archiving role) enables organizations to archive IM content,
conferencing (meeting) content, or both. The first step will be to read the policies
running in your company with the Get-CsArchivingPolicy cmdlet. The default
configuration a global policy like the one you can see in the figure 5.11

Figure 5.11 Reading the Archiving policies
Being involved in the legal affairs, Stacey Duggan has required to have her internal and
external conferencing to be archived.
You can proceed to create and apply the policy to her with the following cmdlet:
New-CsArchivingPolicy -Identity LegalAffairs -ArchiveInternal $True ArchiveExternal
$True
Grant-CsArchivingPolicy Identity "Stacey Duggan" PolicyName LegalAffairs

Some configuration associated to the mobile clients are available only from the
Management Shell. Working on Stacey account, you want to enable her to Call via
Work (the user is able to make and receive phone calls on their mobile phone by using
their work phone number) but you want also to be sure that she is able to use the VOIP
72

and Video features of the Lync 2013 mobile client only when a Wi-Fi network is
available (avoiding to use her data plan).
The latter parameter is available only from the Shell and it is not visible in the Control
Panel after you have added the new policy.
The cmdlet will be like the following one:
new-CsMobilityPolicy -Identity "CallviaWork" -EnableOutsideVoice $True -
RequireWIFIForIPAudio $True -RequireWIFIForIPVideo $True
In the next figure the different visualization is shown, with the Control Panel and the
Management Shell combined

Figure 5.12 the mandatory Wi-Fi connection for VOIP is not shown in the Control Panel
After you have granted the CallviaWork policy to Stacey, the settings on her mobile
client will be locked so that she is not able to use a connection different from the Wi-Fi
(figure 5.13)

Figure 5.13 the client settings are dictated by the policy
Lync2013.Org will use the Persistent Chat feature (we will talk about this in Chapter 10)
and you will need to use the dedicated cmdlets (that are new in the Lync 2013
Management Shell).
The New-CsPersistentChatPolicy cmdlet creates a new Persistent Chat policy to
determine if the user is allowed access to Persistent Chat rooms.
A policy you will need is to enable users to Persistent Chat
73

New-CsPersistentChatPolicy -Identity "ChatPolicy" -EnablePersistentChat $True

Lab

To test the flexibility and power of the Management Shell a good starting point is to try
the following well known one-liners
Get-CsAdUser | ?{$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled -
eq$true} | Disable-CsUser
This one is from Pat Richard and disable users for Lync who are already disabled in
Active Directory
(get-csuser -OnLyncServer -Filter {EnterpriseVoiceEnabled -eq $true}).count
This one is from Mike Pfieffer and in this example uses AD PowerShell to import a
photo named rhouston.jpg for a user named rhouston
(get-csuser -OnLyncServer -Filter {EnterpriseVoiceEnabled -eq $true}).count
From Chris Norman, it counts the number of voice enabled Lync users.












74

6 Firewall Requirements for
Lync Server 2013
As I have explained in previous chapters, Lync Server 2013 contains many unified
communication features and each one of them will require the use of a series of
protocols and network ports. If you sum all of the available functionalities, the number
of firewall configurations required is high and not trivial. In this chapter I will try to
explain some resources you should use to design your network security for Lync Server
2013, the rules required on your firewalls and some useful tools to verify and debug your
deployment.
Planning a Lync Deployment the Right Way: Tools You Will Love (Part
1)

TechNet Gallery is full of outstanding (and free) tools. I would suggest a couple of them
for this part of your Lync Server 2013 planning:
Lync 2013 Detailed Design Calculator: by Alessio Giombini
(@AlessioGiombini ), Alberto Nunes (@AA_Nunes ). Quoting the
overview it is an offline, free, Excel-based, low-level design calculator for
Microsoft Lync 2013 deployments
http://gallery.technet.microsoft.com/lync/Lync-2013-Standard-Edition-
324bf0f1 . Based on your planned design it will generate a lot of useful
information, including the required firewall rules
Lync 2013 Firewall Diagram V2: by Randy Chapman. It is a base
Visio diagram of a Lync Server 2013 deployment
http://gallery.technet.microsoft.com/lync/Lync-2013-Firewall-Diagram-
9a7e3c92 . You can modify it to explain your requirements to the security /
firewall people. Quoting the overview So I took to Visio and made a
picture which I hope is worth at least a thousand words. I strongly agree
on that.
Port Requirements: a TechNet post that links to all the different
resources related to Lync Server 2013 firewall requirements
http://technet.microsoft.com/en-us/library/gg398798.aspx
75

Microsoft Lync Server 2013 Protocol Workloads Poster: this one
shows in a .pdf / .vsd file all the different workloads related to Lync Server
2013 and the protocols and ports you need to enable for them
http://www.microsoft.com/en-us/download/details.aspx?id=39968 . This
resource is outstanding for quality but a bit hard to use if you are not
already experienced with Lync.
Microsoft Lync Server 2013 Internal Certificate Planning and
Deployment: this resource will help you in understanding and managing
Lync Server 2013 requirements, with a focus on internal certificates
http://lyncuc.blogspot.de/2014/04/internal-certificate-deployment-in-
lync.html.
The Basic Diagram of a Lync Deployment We Will Use in the Chapter

The explanation of Lync requirements will start from a diagram in figure 6.1 (identical
to the one shown in figure 2.2), representing the minimal infrastructure required to
deploy a Lync server 2013 that is available also for external users

Figure 6.1 A minimal working infrastructure of Lync Server 2013 including external users
To explain the Lync infrastructure, as I said, we will need to add names and network
addresses (IPs) to our Lync design. To grant the name resolution we will use the same
DNS server that is already required for the Active Directory Domain Services (AD DS).
76

Note: There will be two different DNS names resolutions required, one for the Internet
and one for the internal network. The latter is the one that will leverage the existing
DNS server. Those DNS servers are internally used for Active Directory member servers
and for users SIP domain auto-login process.
Lync Server 2013: Internal Network

In figure 6.2 I have added names, network address and Virtual LANs (VLANs) to the
schema shown in the previous figure 6.1

Figure 6.2 The previous Lync diagram, populated with names, IPs and VLANs

Servers located in the LAN

The Domain Controller, Aphrodite will be in charge of user authentication,
permissions and DNS service. Lync is built over Active Directory, so the internal
deployment will require a Domain with the following requirements:
All domain controllers have to be at least 32-bit or 64-bit versions of the
Windows Server 2003 operating system
Domain functional level at least Windows Server 2003
Forest functional level at least Windows Server 2003
Note: see the TechNet post Active Directory Infrastructure Requirements
http://technet.microsoft.com/en-us/library/gg412955.aspx for additional information
77

For a user that is connected to the internal LAN, all the Lync services are available
directly on the Front End (Apollo). A part of the aforementioned Lync services (like
dialin and meet) will be deployed through the locally installed Internet Information
Services (IIS) feature and will be reachable on port 80 and 443 of Apollo. Additionally,
the internal IIS will be listening on port 80 also for Lync Phone Edition.
On Apollo we will have a second group of web services, similar to the aforementioned
ones, but listening on TCP port 8080 and 4443. It is easy to distinguish them using the
default names Internal Web Site (listening on TCP port 80 and 443) and External
Web Site (listening on TCP port 8080 and 4443). The aforementioned separation is
driven by a security motivation, separating the resources for the clients coming from an
external network from the ones for users on the internal network.

Figure 6.3 The IIS configuration on a Lync Server 2013 Front End
The External Web Site will be used to grant the services to the external users using a
reverse proxy
In figure 6.4 I have expanded the Internal Web Site of Lync

Figure 6.4 The IIS Internal site on a Lync Server 2013 Front End
78

As soon as we share a PowerPoint presentation, during a meeting, we will be redirected
to the TCP port 443 (or 80) of the Office Web App Server (Demeter).
Note: Lync clients for mobile will always require access to the Lync services as they are
coming from the Internet, also if they are connected to an internal network (see next
paragraphs). Their internal request have to be re-routed from the internal LAN through
the Reverse Proxy back to the published external Web Site. This is regarding moving
mobile clients between Wi-Fi (internal) and 3G/ Wi-Fi (external) and their need to hold
the initiated server session.
Servers located in the DMZ

To make Lync Server 2013 available to external users, we will publish the services from
the single Front End through two different servers that we will locate in a
Demilitarized Zone (DMZ). The servers should be standalone (or, at least, not part
of the internal Active Directory Domain).
Note: it is a commonly used solution to match the internal Active Directory DNS zone
as primary DNS suffix in the Lync Edge. This makes the deployment of the
aforementioned server a little easier.
Both servers should have two different network interfaces (NICs), one dedicated to
talk with the internal LAN and the other one to be published on the Internet, in our case
here for both, with Network Address Translation (NAT). I have also physically
segregated the two logical networks using VLANs, so that communication from one NIC
to the other one will never mix. VLAN2 will be connected to the internal LAN through a
back-end firewall, while VLAN3 will be connected to the Internet using a front-end
firewall.
Web services of the Lync Front End will be published using a reverse proxy (Ares)
that will answer on a public Internet IP on TCP port 443 and will proxy the requests to
the port 4443 of the Front End (or on TCP port 80 to proxy on port 8080 of the Front
End).
If we share a PowerPoint presentation in a meeting that contains external users, the
reverse proxy will redirect them to the TCP port 443 of the Office Web Application
Server. ANY reverse proxy solution should work, including Windows Server 2012 R2
Web Application Proxy (as long you are deploying ONLY a SINGLE SIP Domain). (I
have shown how to configure it for Lync 2013 on this video:
http://www.youtube.com/watch?v=iKpi8UomRDo ).
79

Forefront Threat Management Gateway is also a solution that many companies
used over the past years (please consider that the whole Forefront family of products is
ending its life).
All the remaining services will be deployed using a dedicated Lync server role, the Lync
Edge Server (Dionysus) that has to be defined and published using the Lync
Topology Builder (more details on Edge Server and Topology Builder will be added in
further chapters). Three network addresses will be required to publish the Edge services.
Lync supports two different configurations on your front-end firewall and Lync Edge
Server:
A single public IP and a single public name for the three services, Access
Edge, Web Conferencing Edge and A/V Edge (with three different TCP ports
listening)
Note: this will create issues and limitations for Web Conferencing Services. The
TCP port 444 suggested by default (or your custom defined port) normally are
not open on corporate firewalls.
A simple deploy with three public addresses, one for each one of the
aforementioned network addresses.
In figure 6.5 you can see the option that enable the use of a single public name and IP

Figure 6.5 The Use a single FQDN and IP address option in the Topology Builder
In figure 6.6 I have shown the two different configuration you while building the Lync
Topology. On the left, the scenario if we selected single IP and single FQDN. On the
right scenario with multiple IPs and FQDNs
80


Figure 6.6 on the left, Use a single FQDN and IP address enabled. On the right multiple FQDNs and addresses
Note: It is easy to understand that the solution using a single IP will be less costly, but
will be more prone to problems with external firewall, moving the services from a
standard TCP port 443 to a group of custom TCP ports.
Try it now

Add information about a Lync deployment (you could use the one I have just described,
for example) and feed them inside the Detailed Design Calculator. Look at the firewall
rules and try to understand why they are required. Then, take the Workload Poster and
use it to identify the feature that requires the rules you were not able to recognize at first
sight.
Infrastructure requirements

Now that I have outlined the building blocks of a Lync infrastructure, there are three
more topics to understand if we want to have a working infrastructure:
Firewall rules required to allow communications for Lync clients, Lync servers
and for the aforementioned non-Lync servers with additional services we need
DNS settings to make Lync services available both on the internal network and
from the Internet
Structure of the certificates. Lync is secure by design and digital certificates are
mandatory for every Lync 2013 infrastructure
Internet facing systems need to be configured, in most cases, with a default
gateway on their external Network Adapter and with static route to all internal
networks, where Lync Server and Clients are located.
81


Note: on Lync Edge Server, for security reason, best-practice is deploying an external
DNS server on the external network card and use hosts file for internal Lync server. You
can use an internal DNS only which is able resolving external DNS zones. But should an
Edge server be compromised the attacker could have access and knowledge of your
internal infrastructure.
Firewall Rules Required for Lync Server 2013

A deep dive about firewall rules for Lync Server 2013 should include the already quoted
TechNet article Port Requirements and the Lync 2013 Protocol Workloads poster (i.e.
to check the requirements for the different scenarios). However to make the topic easier
to understand, I have tried to create an explanation based on some assumptions.
The first assumption I will make here is that your network has a segregated DMZ
to make services available to the Internet in a secure manner. Possible solutions
for such a deployment are:

o Using two firewalls.
Note: usually the technology used for the firewalls is not
important. However if a SIP trunk is required in our scenario, it is
important to have a SIP Application-level gateway (ALG),
especially if you are going to use NAT for SIP trunks.
o A three-legged firewall that will create a logical demilitarized zone

There is no difference in the result, from a functionality standpoint, going for the
first option or the second one. A single firewall would imply a single point of
failure and higher security risk, because a single Internet-connected device will
be exposed both on the DMZ and on the internal network. Having two different
firewalls, a front (FW2) and a back firewall (FW1), as shown in figure 6.7, is
more secure, especially if we are going to use two different platforms or solutions
for security. In the aforementioned scenario, an exploitable security vulnerability
on a single technology will not affect the second firewall.
82


Figure 6.7 layout including only firewalls and networks that will have an impact on our Lync deployment

The second assumption will be that we will not deploy High Availability or load
balancing systems (including Enterprise Edition pools of Lync Front Ends).
Although you may require them in a real-world design, they add configuration
overhead that will not help understanding the fundamentals of Lync Server 2013
network traffic requirements
The third assumption is that we will use NAT every time a public IP is required.
Exposing directly a server to the Internet usually is not the best security solution
available
Fourth assumption is that the Edge Server will use three addresses on the
"external" network interface card to expose services to the Internet. The
addresses are the ones we have already seen:

Last assumption: no integration or connection with Office Communications
Server 2007 deployments or clients is required
We will have to grant the following types of network traffic:
6.1 From servers in the DMZ to servers in the internal network
6.2 From servers in the DMZ to the external network
6.3 From the external network to servers in the DMZ
6.4 From servers in the internal network to servers in the DMZ
6.5 Network traffic related to Lync clients in the internal network
Note: point 6.5 of the list only applies if you have firewalls (or end-point firewalls)
separating the networks containing the Lync clients and the Lync servers.
83

6.1 Network Traffic from servers in The DMZ to Servers in the
Internal Network

On the Back-End firewall, FW1, for traffic starting from the reverse proxy, the following
ports will be required:

Reverse proxy Rules on Back-End firewall (FW1)
Source Interface Protocol Source
Port
Destination
Port
Destination Service
Internal NIC of the
reverse proxy
TCP
(HTTPS)
Any 4443 Lync Front End Web Services on
the Lync Front
End
Internal NIC of the
reverse proxy
TCP
(HTTPS)
Any 443 Office Web Apps
Server
PowerPoint
presentation
sharing

On the Back-End firewall, FW1, for traffic starting from the Edge Server, the following
ports will be required:
Lync Edge Server Rules on Back-End firewall (FW1)
Source
Interface
Protocol Source
Port
Destination
Port
Destination Service
Internal NIC
of the Edge
TCP
(SIP/MTLS)
Any 5061 Lync Front
End
Inbound SIP
traffic
Internal NIC
of the Edge
TCP Any 80 Internal C.A. CRL
download or
check

6.2 Network Traffic from the Servers in the DMZ to the External
Network

On the Front firewall, FW2, from the Edge Server, the following ports will be required.
It is helpful to remind you the fourth assumption: we have three different IPs on the
external network interface of the Lync Edge Server: Access, Webconf and AV. The
84

firewall rules for network traffic from the external network to the Edge will have to point
to one of the three IPs, as explained in the following table:
Lync Edge Server Rules on Front-End firewall (FW2)
Source
Interface
Protocol Source
Port
Destination
Port
Destination Service
External
NIC of the
Edge
(Access IP)
TCP
(XMPP)
Any 5269 To federated
XMPP
partners
Standard server-
to-server
communication
port for XMPP
External
NIC of the
Edge
(Access IP)
TCP
(SIP/MTLS)
Any 5061 Federation
Services and
Partners
Lync and Skype
Federation using
SIP
External
NIC of the
Edge (AV
IP)
UDP
(Stun/Turn)
Any 3478 Any Stun/Turn
negotiation for
candidates
External
NIC of the
Edge (AV
IP)
TCP
(Stun/Turn)
Any 443 Any Stun/Turn
negotiation for
candidates

Note: The dynamic port range is recommended for backward compatibility to OCS
2007 as Microsoft writes. This is only half of the truth. Also Lync 2013 makes use of
dynamic ports, but if they were closed on firewall, the ICE protocol will do a client
redirect to the static ports. If you have deployed an Edge Pool, also here it is
recommended opening the dynamic port between those servers. See the Thomas
Binders speech Lync Deep Dive: Edge Media Connectivity with ICE here
http://channel9.msdn.com/Events/TechEd/Europe/2012/EXL412
6.3 Network Traffic from the External Network to the Servers in
the DMZ

On the Front firewall, FW2, traffic from the external network to the reverse proxy, the
following ports will be required
85

To the reverse proxy from the external network on Front-End firewall (FW2)
Source
Interface
Protocol Source
Port
Destination
Port
Destination Service
Any TCP
(HTTPS)
Any 443 Reverse proxy
external network
interface
Access to the web
services on the
Lync Front End

Note: TCP port 80 could be required, for example, if you decide to publish
Lyncdiscover (used by Lync clients for autodiscovery) using HTTP and not HTTPS.
On the Front firewall, FW2, traffic from the external network to the Edge Server, the
following ports will be required

To the Lync Edge from the external network on Front-End firewall (FW2)
Source Interface Protocol Source
Port
Destination
Port
Destination Service
Any TCP
(SIP/TLS)
Any 443 External NIC of the Edge
(Webconf IP)
Web Conferencing
Media
Any TCP
(SIP/TLS)
Any 443 External NIC of the Edge
(Access IP)
Client-to-server SIP
traffic for external user
access
Federated XMPP
partners
TCP
(XMPP)
Any 5269 External NIC of the Edge
(Access IP)
Standard server-to-
server communication
port for XMPP
Federation Services
and Partners
TCP
(SIP/MTLS)
Any 5061 External NIC of the Edge
(Access IP)
Lync and Skype
Federation using SIP
Any UDP
(Stun/Turn)
Any 3478 External NIC of the Edge
(AV IP)
Stun/Turn negotiation
for candidates
Any TCP
(Stun/Turn)
Any 443 External NIC of the Edge
(AV IP)
Stun/Turn negotiation
for candidates


86

6.4 Network Traffic from the Servers in the Internal Network to the
Servers in the DMZ

On the Back-End firewall, FW1, for traffic starting from the internal network, the
following ports will be required
To the Lync Edge from the internal network on Back-End firewall (FW1)
Source
Interface
Protocol Source
Port
Destination
Port
Destination Service
Lync
Front End
TCP
(XMPP/MTLS)
Any 23456 Internal NIC
of the Edge
Outbound
XMPP traffic
Lync
Front End
TCP
(SIP/MTLS)
Any 5061 Internal NIC
of the Edge
Outbound SIP
traffic
Lync
Front End
TCP
(PSOM/MTLS)
Any 8057 Internal NIC
of the Edge
Web
conferencing
traffic
Lync
Front End
TCP
(SIP/MTLS)
Any 5062 Internal NIC
of the Edge
Authentication
of A/V users
Lync
Front End
TCP (HTTPS) Any 4443 Internal NIC
of the Edge
Replication of
CMS on the
Lync Edge
Lync Front
End
TCP
(Stun/Turn)
Any 443 Internal NIC
of the Edge
Stun/Turn
negotiation for
candidates







87

6.5 Network Traffic Related to Lync Clients in the Internal
Network

The following rules are required on any end-point firewall and on any internal
firewall that controls traffic coming from the Lync clients on the internal network.
From To Feature Protocol Port Bidirectional Note
Internal
Client
Lync Front
End
Presence and IM
AV and Web
Conferencing
Application
Sharing
Enterprise Voice
SIP/TLS 5061


Presence and IM
AV and Web
Conferencing
STUN/TCP
Enterprise Voice STUN/TCP 443
AV and Web
Conferencing
Application
Sharing
SRTP/UDP
/TCP
49152-
65535

AV and Web
Conferencing
PSOM/TLS 8057
Enterprise Voice TURN/TCP 448
Internal
Client A
Internal
Client B
AV and Web
Conferencing
Application
Sharing
SRTP/UDP 1024-
65535
Yes Peer to
Peer
Sessions
Internal
Client
Lync Edge AV and Web
Conferencing
Application
Sharing
STUN/TCP 443
Enterprise Voice TURN/TCP 443
AV and Web
Conferencing
UDP 3478
Internal
Client
Exchange
UM
Enterprise Voice SRTP/RTCP 60000-
64000
Yes
Internal
Client
Voice
Gateway
Enterprise Voice SRTP/RTCP 30000-
39999
With Media
Bypass
Internal
Client
Director Presence and IM SIP/TLS 5061




88

Notes Related to the Firewall Rules Required for Lync Server 2013

Lync Server 2013 Edge Server requires DNS resolution and http access to revocation
lists of certificates. Depending from your network design, the aforementioned services
could be on the Internet or could be available using services on the internal network
(like a proxy). The following rule is to be adapted to your network layout
Additional Lync Edge Server Rules on Front-End firewall (FW2) or on Back-End firewall
(FW1)
Source
Interface
Protocol Source
Port
Destination
Port
Destination Service
External NIC of
the Edge
(Access IP)
TCP Any 53 DNS servers for DMZ DNS
resolution
External NIC of
the Edge
(Access IP)
UDP Any 53 DNS servers for DMZ DNS
resolution
External NIC of
the Edge
(Access IP)
TCP
(HTTP)
Any 80 Depends on the
HTTP navigation
service available
CRL
verifications

Note: TCP and UDP port 53 are used on the external NIC as long as the required
records for the internal resources are in the HOSTS file of the Lync Edge. Another
solution could be using the internal DNS to resolve both private and public FQDN. In
this situation open TCP and UDP port 53 from the edge to the internal DNS servers.
Centralized Logging Service (a new feature in Lync Server 2013) requires additional
ports on the back-end firewall (for more details see the TechNet article Using the
Centralized Logging Service http://technet.microsoft.com/en-us/library/jj688101.aspx






89

Lync Edge Server Rules on Back-End firewall (FW1) for centralized logging
Source
Interface
Protocol Source
Port
Destination
Port
Destination Service
Centralized
Logging Service
TCP
(MTLS)
Any 50001 Internal NIC of
the Edge
Centralized
Logging Service
Centralized
Logging Service
TCP
(MTLS)
Any 50002 Internal NIC of
the Edge
Centralized
Logging Service
Centralized
Logging Service
TCP
(MTLS)
Any 50003 Internal NIC of
the Edge
Centralized
Logging Service

Verifying a Lync Deployment in the Right Way: Tools You Will Love
(Part 2)

Now that you have configured all the required rules, you need some instrument to check
your deployment.
Lync Edge Port Tester Tool: From James Cussen (@mylynclab )
Despite the name, the tool is good to test internal server ports and client
ports too http://www.mylynclab.com/2014/02/lync-edge-testing-suite-
part-1-lync.html
Remote Connectivity Analyzer: this one requires ALSO that digital
certificates are working in the right manner. However, it is a great test to
check your firewall ports from an external internet source
https://testconnectivity.microsoft.com/
Transport Reliability IP Probe: if you are going to use Lync Online,
this tool could give you useful hints regarding your deployment
http://tripphkn.online.lync.com/


90

Verifying a Lync Deployment in the Right Way: Some High-Level
Debugging Steps if Lync Clients on the External Network Are Not
Working

In my experience over the last years, a large part of the issues related to Lync
deployments are connected with the firewall configurations. Here I will give some high-
level suggestions on how to troubleshoot a deployment that is not working correctly.
Even if you are pretty sure that the firewall is not configured correctly, I always suggest
to start the process in this listed order:
1. Check the external DNS zone and make sure the clients have nothing in the
naming cache.
a. Delete the user Lync profile under:
C:\Users\<your_alias>\AppData\Local\Microsoft\Office\15.0\Lync\Traci
ng\
b. Clear the DNS cache: ipconfig /flushdns
c. With ipconfig /displaydns check if the correct DNS resolution occurred
2. Use netstat ano on the Edge Server to verify all required ports are listening, else
check the Lync services.
Note: to perform the next two steps (3 and 4) the Remote Connectivity Analyzer can
be very useful. However, like any tool, it does not cover any scenario and maybe you
will have to manually perform all the analysis.
3. Use a port scanner and query the ports defined in the firewall configuration
4. Check the certificate applied to the Reverse Proxy and Edge Server
5. Only now it is a good idea using OCSLogger and Snooper. Do not trace
immediately on the Edge server, start with the client log:
C:\Users\<your_alias>\AppData\Local\Microsoft\Office\15.0\Lync\Tracing\Ly
nc-UccApi-0.UccApilog
Note: Definitely you will find in the aforementioned folder also the most
interesting information about the causes why a client cant login.
Lab

A Lync deployment with a single public IP available would require some
modification to the firewall rules you have seen in this chapter. Try to draw a schema
of the rules required for the aforementioned scenario
91

Try to explain if using a single, three-legged firewall would give some advantage
when going to manage firewall rules? Why?
Write down the hosts file that would be required on the Lync Edge servers,
supposing that you are using the deployment in figure 6.2