Lync 2010 deep dive edge

Microsoft® Lync ™ Server 2010Edge Deep Dive
Byron SpurlockFounder Architect - Quadrantechnologies
Byrons@Quadrantechnologies.com
http://Quadrantechnologies.wordpress.com/2011/

Agenda
Architecture
Edge Scenarios – Users point of view
Interoperability Federation
Certificates
Edge Scenario – DNS Load Balancing
Authentication
Discovery
Federation
2

Architecture Overview
3

Architecture Considerations
(Scaled) consolidated Edge only
Multiple Access Edge (pools) for remote users
SRV record points to only one Edge Server (pool)
Single Access Edge Server (pool) for Federation
Used Edge Server
SIP traffic
Federation traffic: Federation Route
Remote users: Edge server used for sign in
AV traffic
AV Edge assigned to pool
Use localized Edge Servers to optimize media path
4

Edge Scenarios
5

Interoperability Federation Partners
PIC
MSN
AOL
Yahoo!
IBM Lotus Sametime
Cisco Presence
Extensible Messaging and Presence Protocol (XMPP)
Jabber
Google Talk
6

Interoperability: How to
All scenarios require Edge Server
PIC
Licenses
AOL certificate
XMPP
XMPP Gateway
Cisco Unified Presence
Unified Presence Server 7.0 and Adaptive Security Appliance 8.0.4.X
IBM Lotus Sametime
Sametime 8.0.2 with Hot-Fix One (HF1)
Sametime Gateway
7

Certificates Simplified
Single public certificate
Access Edge Server
Web Conferencing Edge Server
AV Edge Server
Private certificates
Internal Edge Interface
8

Ports 50,000-59,999
Required for federated media traffic
Federation with OCS 2007
Open UDP and TCP in- and out-bound
Federation with OCS 2007 R2/Lync Server 2010
Open TCP outbound
11

Lync Server Edge scenarios
External User Access
Lync clients can transparently connect to the Lync Server deployment over the public Internet
PIC
Connecting with public IM providers
Federation
Federation with other Enterprises
IM&P only, or
All modalities A/V and Application Sharing

NAT Traversal

Terms & Acronyms
Candidate
Possiblecombinationof IP addressandportformediachannel
NAT
Network Address Translation
TURN
TraversalUsing Relay NAT
STUN
Simple Traversal of UDP through NAT
Session Traversal Utilities for NAT

Home NATs
General NAT/Firewall behavior
Allow connections from the private network
Blocks connection from the Internet
Security/usability tradeoff
Blocks attackers from harming your system
PROBLEM: Also blocks incoming signaling and media
Home
Internet
Home NAT

Corporate Firewalls
Though more scrutinized, goals are similar
Sharing of IP addresses
Controlling data traffic from the internet
Two firewalls isolate via perimeter network
Work
Perimeter
Network
Internet
Inner FW
Outer FW

Why is NAT Traversal a problem?
SIP signaling over TCP uses Access Edge
UDP media flows over separate channel
Pre-ICE endpoints uses local IPs & ports
No media can be sent between (a) and (w)
UDP
TCP
INVITE
m/c = a
200 OK
m/c = w
Access
Edge
Home
Work
a
w
Outer FW
Inner FW
Home NAT

Solution – STUN, TURN, ICE
Add a Media Relay (aka A/V Edge Server)
STUN reflects NAT addresses (b) and (e)
TURN relays media packets (c) (d) (x) (y)
ICE exchanges candidates (cand) and determines optimal media path
All three protocols based IETF standards
UDP
TCP
INVITE
m/c = a
200 OK
m/c = w
Access
Edge
Home
Work
cand=a,b,c,d,e
cand=w,x,y
c
b
a
STUN
TURN Server
(AV Edge)
w
d
e
x
y
Inner FW
Outer FW
Home NAT

Edge Topologies

Single IP address Edge
Edge Server
edge-int.contoso.com
172.25.33.10
SIP: 5061
Web Conf: 8057
A/V Conf: 443, 3478
edge.contoso.com
131.107.155.10
SIP: 5061
Web Conf: 444
A/V Conf: 443, 3478
Internal
External

Multiple IP address Edge
Edge Server
access.contoso.com
131.107.155.10 443, 5061
External SIP
edge-int.contoso.com
172.25.33.10
SIP: 5061
Web Conf: 8057
A/V Conf: 443, 3478
webcon.contoso.com
131.107.155.20 443
Internal
External Web Conf
av.contoso.com
131.107.155.30 443, 3478
External AV

Edge using NAT IP addresses
Public IP space
NAT
Edge Server
IP1
IP1’
External SIP
Lync Server does not need
to know translated SIP and
Web Conf IP
IP2’
IP2
Client
Int
External Web Conf
Clients connect to
IP for A/V traffic
Translated AV IP must
be configured in Lync
Server
IP3’
IP3
External AV

What Load Balancing options are available?
DNS Load Balancing using NAT
Hardware Load Balancing (HLB)

DNS Load Balanced Edge
Public IP space
Edge Server 1
IP1
DNS A records
access.contoso.com IP1 and IP4
webcon.contoso.com IP2 and IP5
av.contoso.com IP3 and IP6
Int
IP2
IP3
Edge Server 2
IP4
Client
Int
IP5
Client can retrieve and handle multiple IP
addresses and can fail over
DNS server returns randomized IP address
IP6

DNS Load Balanced Edge using NAT
NAT
Public IP space
Edge Server 1
IP1
IP1’
DNS A records
access.contoso.com IP1’ and IP4’
webcon.contoso.com IP2’ and IP5’
av.contoso.com IP3’ and IP6’
Int
IP2
IP2’
IP3
IP3’
Translated AV IP addresses must
be configured in Lync Server individually
IP3 to IP3’
IP6 to IP6’
Edge Server 2
IP4
IP4’
Int
IP5
IP5’
IP6
IP6’

Hardware Load Balanced Edge
HLB
Public IP space
Edge Server 1
IP1
DNS A records
access.contoso.com VIP1
webcon.contoso.com VIP2
av.contoso.com VIP3
Int
IP2
IP3
VIP1
VIP2
AV client connections are initiated over the VIP.
Subsequent client AV traffic (UDP) connect directly to Edge.
TCP traffic continues to use VIP.
NAT and HLB is not possible
Edge Server 2
VIP3
IP4
Int
IP5
IP6

DNS Load Balancing and Interop/Migraion
Co-existence/Side-by-Side
OCS 2007 OR OCS 2007 R2 pool and Edge Server can co-exist with Lync Server pool and Lync Edge Server
Only a single Edge (server/pool) for Federation is possible
DNS Load Balancing
Legacy components do not support DNS LB
If co-existence time is short: DNS LB
If co-existence time is long: Hardware LB

Reverse Proxy

Reverse Proxy and external access
Forwards External HTTPS and HTTP traffic to Front End and Director Pool
HTTPS
Simple URLs (Join Launcher URL)
Address Book (download and/or web service) ABS
Distribution List Expansion DLX
Web Ticket (Web Auth)
HTTP
Device Updates (Firmware)
Device Update logs upload

Reverse Proxy and external access
Simple URL forward to Director (recommended)
Forwarding rule for Simple URL to a single Director (or Pool); port 443
Reverse Proxy certificate’s SAN to contain base FQDN of each Simple URL
Web External Pool traffic forwarded to pools by Reverse Proxy
Reverse Proxy requires a forwarding rule each Web External FQDN (Front End Pool and Director); port 443
If external Phone Devices are implemented, Reverse Proxy rule for port 80 is required
Reverse Proxy certificate’s SAN to contain base FQDN of all configured Web external Pools (Front End Pool and Director)

Reverse Proxy
Front End Pool1
Reverse Proxy
Front End Pool2
Client
Director
join.contoso.com to Director
meet.fabrikam.com to Director
webext1.contoso.com to Pool 1
webext2.contoso.com to Pool 2
DNS LB not supported for HTTP/S traffic
SAN in Reverse Proxy Certificate

Authentication

Credentials for remote client
MTLS
MRAS
A/V
Edge
SIP Subscribe
200 OK
Access
Edge
ms-user-logon-data: RemoteUser
<mrasUri>sip:Mras.contoso.com
OCS FE
Server
SIP Service
<location>internet</location>
200 OK
<hostName>avedge.contoso.com
<udpPort>3478
<tcpPort>443
<username> 77qq8yXccBc2lwOmFy
<password> Wnujl0eo00YkV/5dg=
<duration>480
Service
200 OK
Inner
Firewall
Outer
Firewall
Endpoint

02/09/2011|10:00:41.608 1B9C:A24 INFO :: Sending Packet - 208.115.110.XXX:443 (From Local Address: 192.168.1.138:54415) 1334 bytes:
02/09/2011|10:00:41.608 1B9C:A24 INFO :: SERVICE sip:edegeinternalfqdn.contoso.com@Contoso.com;gruu;opaque=srvr:MRAS:v6H_I-uZa1irVldx3Z_CdgAA SIP/2.0
Via: SIP/2.0/TLS 192.168.1.138:54415
Max-Forwards: 70
From: <sip:<userName>@contoso.com>;tag=6adfd24c1b;epid=92a17ee2ce
To: <sip:edgeinternalfqdn.contoso.com@Contoso.com;gruu;opaque=srvr:MRAS:v6H_I-uZa1irVldx3Z_CdgAA>
Call-ID: 0ba8a0c30bf74534a7d94a182b4d72f8
CSeq: 1 SERVICE
Contact: <sip: <userName>@contoso.com;opaque=user:epid:1dRPOJppUlG-Qszig4EXYgAA;gruu>
User-Agent: UCCAPI/4.0.7577.108 OC/4.0.7577.108 (Microsoft Lync 2010)
Proxy-Authorization: TLS-DSK qop="auth", realm="SIP Communications Service", opaque="6436AC83", targetname="edgeinternalfqdn.contoso.com", crand="eee9b681", cnum="7", response="63d56f98d452b3e25266ba340e88dfb47e96c7de"
Content-Type: application/msrtc-media-relay-auth+xml
Content-Length: 478
<request requestID="128326152" version="2.0" to="sip: EDGEINTERNALFQDN.Contoso.com@Contoso.com;gruu;opaque=srvr:MRAS:v6H_I-uZa1irVldx3Z_CdgAA" from="sip: user@contoso.com " xmlns="http://schemas.microsoft.com/2006/09/sip/mrasp" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><credentialsRequest credentialsRequestID="128326152"><identity>sip: <userName>@contoso.com </identity><location>internet</location><duration>480</duration></credentialsRequest></request>

<?xml version="1.0"?>
<response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" requestID="128326152" version="2.0" serverVersion="2.0" to="sip:edgeinternalfqdn.contoso.com@contoso.com;gruu;opaque=srvr:MRAS:v6H_I-uZa1irVldx3Z_CdgAA" from="sip:<userName>@contoso.com" reasonPhrase="OK" xmlns="http://schemas.microsoft.com/2006/09/sip/mrasp">
<credentialsResponsecredentialsRequestID="128326152">
<credentials>
<userName>AgAAJEqlo9QBy8itWiOmR2d4zw8ZJqfwTPDagP7i95AAAAAAbdyNu23CueVPKAjFdxLksF0ihSk=</userName>
<password>eulmSPLxOMZZAYZvkq78HBo2uSk=</password>
<duration>480</duration>
</credentials>
<mediaRelayList>
<mediaRelay>
<location>internet</location>
<hostName>AVEDGEEXTERNAL.contoso.com</hostName>
<udpPort>3478</udpPort>
<tcpPort>443</tcpPort>
</mediaRelay>
</mediaRelayList>
</credentialsResponse>
</response>
02/09/2011|10:00:41.873 1B9C:A24 INFO :: End of Data Received - 208.115.110.143:443 (To Local Address: 192.168.1.138:54415) 1727 bytes

Credentials for Conferencing
SIP Invite
OCS FE
Server
200 OK
Access
Edge
<hostName>avedge.contoso.com
<udpPort>3478
<tcpPort>443
<username> 77qq8yXccBc2lwOmFy
<password> Wnujl0eo00YkV/5dg=
<duration>480
3CP: Add User
200 OK
{MRAS Credentials}
Service
MTLS
A/V
MCU
200 OK
A/V Auth
A/V
Edge
Outer
Firewall
Inner
Firewall
Endpoint

Direction: incoming;source="external edge";destination="internal edge"
Peer: 76.187.107.231:54385
Message-Type: request
Start-Line: INVITE sip:bob@contoso.com;gruu;opaque=app:conf:audio-video:id:FZG8SYVR SIP/2.0
From: <sip:bob@contoso.com>;tag=75336413c0;epid=3821b40476
To: <sip:bob@contoso.com;gruu;opaque=app:conf:audio-video:id:FZG8SYVR>;tag=a4f2e92356;epid=0B08BA10A9
CSeq: 3 INVITE
m=audio 50743 RTP/SAVP 9 111 0 8 97 13 118 101
a=ice-ufrag:cGUT
a=ice-pwd:eUrBEAMFNrwFGgroXuUMaLtS
a=candidate:4 1 UDP 16648703 97.75.78.122 50743 typ relay raddr 76.187.107.231 rport 31602
a=cryptoscale:1 client AES_CM_128_HMAC_SHA1_80 inline:FU4Gl7hGYS894KJYhEvNq72Jo7ADq2e0gkLUzPV1|2^31|1:1
a=remote-candidates:1 192.168.32.102 53622 2 192.168.32.102 53623
a=maxptime:200
a=rtcp:55309
a=rtpmap:9 G722/8000
a=rtpmap:111 SIREN/16000
a=fmtp:111 bitrate=16000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:97 RED/8000
a=rtpmap:13 CN/8000
a=rtpmap:118 CN/16000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=encryption:required
m=video 56786 RTP/SAVP 121 34
a=ice-ufrag:eQIo

Security

Secure Communications in LyncCan someone sniff the packets and access my IM/audio/video/data?

Edge Validation
Public Web Service Tool available for Edge Validation
Supports OCS 2007 R2 and Lync Server 2010
https://www.testocsconnectivity.com

Auto Discovery

More Terms
Internal IP address
The IP address assigned to the network interface of the client computer.
Reflexive IP address
IP address of the public address assigned to the home router.
Media relay address
The public IP address of the Audio/Video Edge service that is associated with the internal Lync 2010 user’s pool.

nic
a
c
default
MRAS
a
b
b
c
Allocate UDP
candidate list
c
Media
Relay
Allocate TCP
d
e
d
e
UDP
TCP
local
remote
Endpoint
NAT/Firewall
AddressDiscovery (AV)

c
Address Discovery (Desktop Sharing)
nic
a
default
a
MRAS
b
c
candidate list
Media
Relay
Allocate TCP
c
b
UDP
TCP
local
remote
Endpoint
NAT/Firewall

Address Exchange
TURN
TURN
nic
nic
a
b
w
x
SIP INVITE
c :: a,b,c,d
local
remote
local
remote
y
y
c
c
default
default
183 Session Progress
y :: w,x,y,z
w
a
a
w
200 OK
y :: w,x,y,z
x
b
b
x
candidate list
candidate list
y
c
c
y
z
d
d
z
c
y
d
z
SIP
NAT/Firewall
Endpoint
NAT/Firewall
Endpoint
45

Address Exchange (Caller-Invite)
05/31/2011|16:55:25.856 2D7C:1FF8 INFO :: Sending Packet - 208.115.110.143:443 (From Local Address: 10.180.181.223:62230) 7439 bytes:
05/31/2011|16:55:25.856 2D7C:1FF8 INFO :: INVITE sip:alice@contoso.com SIP/2.0
Via: SIP/2.0/TLS 10.180.181.223:62230
Max-Forwards: 70
From: <sip:bob@contoso.com>;tag=c4a189acf6;epid=92a17ee2ce
To: <sip:alice@contoso.com>
Call-ID: eb472e8ebc384c68a07b1e5beb70be38
CSeq: 1 INVITE
m=audio 55336 RTP/AVP 114 9 112 111 0 8 116 115 4 97 13 118 101
a=ice-ufrag:6QrA
a=ice-pwd:LColjpNYVTQVn6KK6Bg7D9k1
a=candidate:5 2 UDP 2130703870 10.180.181.223 25743 typ host
a=candidate:6 1 TCP-PASS 6556159 208.115.110.145 50162 typ relay raddr 166.248.0.235 rport 30907
a=candidate:8 1 UDP 1694233599 166.248.0.235 52259 typsrflxraddr 10.180.181.223 rport 11252
a=candidate:9 1 TCP-ACT 7074303 208.115.110.145 50162 typ relay raddr 166.248.0.235 rport 30907
a=candidate:10 1 TCP-ACT 1684795391 166.248.0.235 30907 typsrflxraddr 10.180.181.223 rport 15645

Address Exchange (Callee-Response)
05/31/2011|16:55:28.485 2D7C:1FF8 INFO :: Data Received - 208.115.110.143:443 (To Local Address: 10.180.181.223:62230) 3093 bytes:
05/31/2011|16:55:28.485 2D7C:1FF8 INFO :: SIP/2.0 183 Session Progress
From: "bob"<sip:bob@contoso.com>;tag=c4a189acf6;epid=92a17ee2ce
To: <sip:alice@contoso.com>;epid=73f1df72ee;tag=ed247c795f
Call-ID: eb472e8ebc384c68a07b1e5beb70be38
CSeq: 1 INVITE
Record-Route: <sip:LYNCFE.contoso.com:5061;transport=tls;opaque=state:T:F;lr;received=10.0.1.62;ms-received-cid=73BB7E00>
Contact: <sip:alice@contoso.com;opaque=user:epid:bEfyhOYmMVynmDXlgp2D6gAA;gruu>
User-Agent: UCCAPI/4.0.7577.256 OC/4.0.7577.280 (Microsoft Lync 2010)
m=audio 57501 RTP/SAVP 114 9 112 111 0 8 116 115 4 97 13 118 101

Federation

Port Requirements for Audio/Video
Lync 2010
UDP 3478, TCP 443
UDP/TCP 50,000-59,999 inbound/outbound
Enables federation with OCS 2007 Edges
OCS 2007 R2
UDP 3478, TCP 443
No additional ports needed for remote access only
TCP 50,000-59,999 outbound
Enables federation with R2 Edges
Enables federation with OCS 2007 Edges
OCS 2007
UDP 3478, TCP 443

A/V Federation 2007-2007
Access
Proxy
Access
Proxy
Work2
OC/Console
A/V MCU
w2
w1
Work1
OC/Console
A/V MCU
UDP
3478
TCP
443
UDP
3478
TCP
443
UDP/TCP
50000
.
.
.
.
.
.
.
.
.
UDP/TCP
59999
UDP/TCP
50000
.
.
.
.
.
.
.
.
.
UDP/TCP
59999
w2
w1
w2
w1
2007
Edge
2007
Edge
Outer FWs
(no NAT)
Inner FW
Inner FW

A/V Federation R2 Tunnel Mode
Access
Proxy
Access
Proxy
Work2
OC/Console
A/V MCU
w2
Work1
OC/Console
A/V MCU
w1
UDP
3478
TCP
443
UDP
3478
TCP
443
UDP/TCP
50000
.
.
.
.
.
.
.
.
.
UDP/TCP
59999
UDP/TCP
50000
.
.
.
.
.
.
.
.
.
UDP/TCP
59999
w2
w1
w2
w1
R2
Edge
R2
Edge
Outer FWs
(no NAT)
Inner FW
Inner FW

A/V Federation R2-2007 Interop
Access
Proxy
Access
Proxy
Work2
OC/Console
A/V MCU
w2
Work1
OC/Console
A/V MCU
w1
UDP
3478
TCP
443
UDP
3478
TCP
443
UDP/TCP
50000
.
.
.
.
.
.
.
.
.
UDP/TCP
59999
UDP/TCP
50000
.
.
.
.
.
.
.
.
.
UDP/TCP
59999
w2
w1
w2
w1
2007
Edge
R2
Edge
Outer FWs
(no NAT)
Inner FW
Inner FW

A/V Federation Lync
Access
Proxy
Access
Proxy
Work2
OC/Console
A/V MCU
w2
Work1
OC/Console
A/V MCU
w1
UDP
3478
TCP
443
UDP
3478
TCP
443
UDP/TCP
50000
.
.
.
.
.
.
.
.
.
UDP/TCP
59999
UDP/TCP
50000
.
.
.
.
.
.
.
.
.
UDP/TCP
59999
Lync
Edge
Lync
Edge
Outer FWs
(no NAT)
Inner FW
Inner FW

Summary
Architecture
Edge Scenarios – Users point of view
Interoperability Federation
Certificates
Edge Scenario – DNS Load Balancing
Authentication
Discovery
Federation
54

Lync 2010 deep dive edge

by Harold Wong on Sep 29, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

Lync 2010 deep dive edge — Presentation Transcript