lync 2010 deep dive edge

Microsoft® Lync™ Server 2010 Edge Deep Dive
Byron Spurlock, Founder \ Architect - Quadrantechnologies
[email protected]
http://Quadrantechnologies.wordpress.com/2011/

Upload: harold-wong

Post on 15-Jan-2015


Category:

Technology



DESCRIPTION

Lync Server 2010 Deep Dive - Edge Services (delivered by Byron Spurlock)

TRANSCRIPT

Page 1: Lync 2010 deep dive edge

Microsoft® Lync™ Server 2010 Edge Deep Dive

Byron Spurlock
Founder \ Architect - Quadrantechnologies
[email protected]
http://Quadrantechnologies.wordpress.com/2011/

Page 2: Lync 2010 deep dive edge

Agenda

• Architecture
• Edge Scenarios – Users point of view
• Interoperability Federation
• Certificates
• Edge Scenario – DNS Load Balancing
• Authentication
• Discovery
• Federation

Page 3: Lync 2010 deep dive edge

Architecture Overview


Page 4: Lync 2010 deep dive edge

Architecture Considerations

• (Scaled) consolidated Edge only

• Multiple Access Edge (pools) for remote users

• SRV record points to only one Edge Server (pool)

• Single Access Edge Server (pool) for Federation

• Used Edge Server
  • SIP traffic
    • Federation traffic: Federation Route
    • Remote users: Edge server used for sign in
  • AV traffic
    • AV Edge assigned to pool
    • Use localized Edge Servers to optimize media path

Page 5: Lync 2010 deep dive edge

Edge Scenarios

Columns: Scenario, Remote User, Federated, Anonymous, PIC/Interop

Presence: ✓ ✓ ✓
IM 1:1: ✓ ✓ ✓
IM conferencing: ✓ ✓ ✓
Collaboration: ✓ ✓ ✓
A/V 1:1: ✓ ✓ ✓ (MSN)
A/V Conferencing: ✓ ✓ ✓
File Transfer: ✓ ✓

Page 6: Lync 2010 deep dive edge

Interoperability Federation Partners

• PIC
  • MSN
  • AOL
  • Yahoo!
• IBM Lotus Sametime
• Cisco Presence
• Extensible Messaging and Presence Protocol (XMPP)
  • Jabber
  • Google Talk

Page 7: Lync 2010 deep dive edge

Interoperability: How to

• All scenarios require Edge Server

• PIC

• Licenses

• AOL certificate

• XMPP

• XMPP Gateway

• Cisco Unified Presence

• Unified Presence Server 7.0 and Adaptive Security Appliance 8.0.4.X

• IBM Lotus Sametime

• Sametime 8.0.2 with Hot-Fix One (HF1)

• Sametime Gateway


Page 8: Lync 2010 deep dive edge

Certificates Simplified

• Single public certificate
  • Access Edge Server
  • Web Conferencing Edge Server
  • AV Edge Server
• Private certificates
  • Internal Edge Interface

Page 9: Lync 2010 deep dive edge


Page 10: Lync 2010 deep dive edge


Page 11: Lync 2010 deep dive edge

Ports 50,000-59,999

• Required for federated media traffic
• Federation with OCS 2007
  • Open UDP and TCP in- and out-bound
• Federation with OCS 2007 R2/Lync Server 2010
  • Open TCP outbound

Page 12: Lync 2010 deep dive edge

Lync Server Edge scenarios

– External User Access
  • Lync clients can transparently connect to the Lync Server deployment over the public Internet
– PIC
  • Connecting with public IM providers
– Federation
  • Federation with other Enterprises
  • IM&P only, or
  • All modalities A/V and Application Sharing

Page 13: Lync 2010 deep dive edge

NAT Traversal

Page 14: Lync 2010 deep dive edge

Terms & Acronyms

• Candidate
  – Possible combination of IP address and port for media channel
• NAT
  – Network Address Translation
• TURN
  – Traversal Using Relay NAT
• STUN
  – Simple Traversal of UDP through NAT
  – Session Traversal Utilities for NAT

Page 15: Lync 2010 deep dive edge

Home NATs

• General NAT/Firewall behavior
  – Allow connections from the private network
  – Blocks connection from the Internet
• Security/usability tradeoff
  – Blocks attackers from harming your system
  – PROBLEM: Also blocks incoming signaling and media

[Diagram: Home, Home NAT, Internet]

Page 16: Lync 2010 deep dive edge

Corporate Firewalls

• Though more scrutinized, goals are similar
  – Sharing of IP addresses
  – Controlling data traffic from the internet
• Two firewalls isolate via perimeter network

[Diagram: Work, Inner FW, Perimeter Network, Outer FW, Internet]

Page 17: Lync 2010 deep dive edge

Why is NAT Traversal a problem?

• SIP signaling over TCP uses Access Edge
• UDP media flows over separate channel
• Pre-ICE endpoints use local IPs & ports
• No media can be sent between (a) and (w)

[Diagram: Home endpoint (a) behind Home NAT; Work endpoint (w) behind Inner FW and Outer FW; Access Edge. INVITE with m/c = a, 200 OK with m/c = w. Legend: UDP, TCP]

Page 18: Lync 2010 deep dive edge

Solution – STUN, TURN, ICE

• Add a Media Relay (aka A/V Edge Server)
  – STUN reflects NAT addresses (b) and (e)
  – TURN relays media packets (c) (d) (x) (y)
• ICE exchanges candidates (cand) and determines optimal media path
• All three protocols are based on IETF standards

[Diagram: Home endpoint (a) behind Home NAT; Work endpoint (w) behind Inner FW and Outer FW; Access Edge; STUN/TURN Server (AV Edge). INVITE with m/c = a and cand=a,b,c,d,e; 200 OK with m/c = w and cand=w,x,y. Legend: UDP, TCP]

Page 19: Lync 2010 deep dive edge

Edge Topologies

Page 20: Lync 2010 deep dive edge

Single IP address Edge

Edge Server

External
  edge.contoso.com 131.107.155.10
  SIP: 5061, Web Conf: 444, A/V Conf: 443, 3478

Internal
  edge-int.contoso.com 172.25.33.10
  SIP: 5061, Web Conf: 8057, A/V Conf: 443, 3478

Page 21: Lync 2010 deep dive edge

Multiple IP address Edge

Edge Server

External SIP
  access.contoso.com 131.107.155.10, ports 443, 5061

External Web Conf
  webcon.contoso.com 131.107.155.20, port 443

External AV
  av.contoso.com 131.107.155.30, ports 443, 3478

Internal
  edge-int.contoso.com 172.25.33.10
  SIP: 5061, Web Conf: 8057, A/V Conf: 443, 3478

Page 22: Lync 2010 deep dive edge

Edge using NAT IP addresses

[Diagram: Client in the public IP space reaches the Edge Server through NAT. Edge Server interfaces: External SIP (IP1), External Web Conf (IP2), External AV (IP3) and internal (Int). NAT presents IP1’, IP2’ and IP3’.]

• Clients connect to IP for A/V traffic
• Translated AV IP must be configured in Lync Server
• Lync Server does not need to know translated SIP and Web Conf IP

Page 23: Lync 2010 deep dive edge

What Load Balancing options are available?

• DNS Load Balancing
• DNS Load Balancing using NAT
• Hardware Load Balancing (HLB)

Page 24: Lync 2010 deep dive edge

DNS Load Balanced Edge

[Diagram: Client in the public IP space; Edge Server 1 with IP1, IP2, IP3 and internal interface (Int); Edge Server 2 with IP4, IP5, IP6 and internal interface (Int)]

• Client can retrieve and handle multiple IP addresses and can fail over
• DNS server returns randomized IP address

DNS A records
  access.contoso.com: IP1 and IP4
  webcon.contoso.com: IP2 and IP5
  av.contoso.com: IP3 and IP6

Page 25: Lync 2010 deep dive edge

DNS Load Balanced Edge using NAT

[Diagram: Edge Server 1 with IP1, IP2, IP3 and internal interface (Int); Edge Server 2 with IP4, IP5, IP6 and internal interface (Int); NAT presents IP1’ to IP6’ to the public IP space]

DNS A records
  access.contoso.com: IP1’ and IP4’
  webcon.contoso.com: IP2’ and IP5’
  av.contoso.com: IP3’ and IP6’

• Translated AV IP addresses must be configured in Lync Server individually
  – IP3 to IP3’
  – IP6 to IP6’

Page 26: Lync 2010 deep dive edge

Hardware Load Balanced Edge

[Diagram: Edge Server 1 with IP1, IP2, IP3 and internal interface (Int); Edge Server 2 with IP4, IP5, IP6 and internal interface (Int); HLB presents VIP1, VIP2, VIP3 to the public IP space]

DNS A records
  access.contoso.com: VIP1
  webcon.contoso.com: VIP2
  av.contoso.com: VIP3

• AV client connections are initiated over the VIP. Subsequent client AV traffic (UDP) connects directly to Edge. TCP traffic continues to use VIP.
• Combining NAT and HLB is not possible

Page 27: Lync 2010 deep dive edge

DNS Load Balancing and Interop/Migration

• Co-existence/Side-by-Side
  – OCS 2007 OR OCS 2007 R2 pool and Edge Server can co-exist with Lync Server pool and Lync Edge Server
  – Only a single Edge (server/pool) for Federation is possible
• DNS Load Balancing
  – Legacy components do not support DNS LB
  – If co-existence time is short: DNS LB
  – If co-existence time is long: Hardware LB

Page 28: Lync 2010 deep dive edge

Reverse Proxy

Page 29: Lync 2010 deep dive edge

Reverse Proxy and external access

– Forwards External HTTPS and HTTP traffic to Front End and Director Pool
– HTTPS
  • Simple URLs (Join Launcher URL)
  • Address Book (download and/or web service) ABS
  • Distribution List Expansion DLX
  • Web Ticket (Web Auth)
– HTTP
  • Device Updates (Firmware)
  • Device Update logs upload

Page 30: Lync 2010 deep dive edge

Reverse Proxy and external access

– Simple URL forward to Director (recommended)
  • Forwarding rule for Simple URL to a single Director (or Pool); port 443
  • Reverse Proxy certificate’s SAN to contain base FQDN of each Simple URL
– Web External Pool traffic forwarded to pools by Reverse Proxy
  • Reverse Proxy requires a forwarding rule for each Web External FQDN (Front End Pool and Director); port 443
  • If external Phone Devices are implemented, Reverse Proxy rule for port 80 is required
  • Reverse Proxy certificate’s SAN to contain base FQDN of all configured Web external Pools (Front End Pool and Director)

Page 31: Lync 2010 deep dive edge

Reverse Proxy

[Diagram: Client, Reverse Proxy, Director, Front End Pool1, Front End Pool2]

join.contoso.com to Director
meet.fabrikam.com to Director
webext1.contoso.com to Pool 1
webext2.contoso.com to Pool 2

SAN in Reverse Proxy Certificate

DNS LB not supported for HTTP/S traffic

Page 32: Lync 2010 deep dive edge

Authentication

Page 33: Lync 2010 deep dive edge

Credentials for remote client

[Sequence diagram. Participants: Endpoint, Outer Firewall, Access Edge, Inner Firewall, OCS FE Server, A/V Edge, MRAS. Messages: SIP Subscribe, 200 OK, SIP Service, Service (MTLS), 200 OK, 200 OK.]

Callouts:
• ms-user-logon-data: RemoteUser, <mrasUri>sip:Mras.contoso.com
• <location>internet</location>
• <hostName>avedge.contoso.com, <udpPort>3478, <tcpPort>443, <username> 77qq8yXccBc2lwOmFy, <password> Wnujl0eo00YkV/5dg=, <duration>480

Page 34: Lync 2010 deep dive edge

Credentials for remote client

02/09/2011|10:00:41.608 1B9C:A24 INFO :: Sending Packet - 208.115.110.XXX:443 (From Local Address: 192.168.1.138:54415) 1334 bytes:
02/09/2011|10:00:41.608 1B9C:A24 INFO :: SERVICE sip:[email protected];gruu;opaque=srvr:MRAS:v6H_I-uZa1irVldx3Z_CdgAA SIP/2.0
ms-user-logon-data: RemoteUser
Via: SIP/2.0/TLS 192.168.1.138:54415
Max-Forwards: 70
From: <sip:<userName>@contoso.com>;tag=6adfd24c1b;epid=92a17ee2ce
To: <sip:[email protected];gruu;opaque=srvr:MRAS:v6H_I-uZa1irVldx3Z_CdgAA>
Call-ID: 0ba8a0c30bf74534a7d94a182b4d72f8
CSeq: 1 SERVICE
Contact: <sip: <userName>@contoso.com;opaque=user:epid:1dRPOJppUlG-Qszig4EXYgAA;gruu>
User-Agent: UCCAPI/4.0.7577.108 OC/4.0.7577.108 (Microsoft Lync 2010)
Proxy-Authorization: TLS-DSK qop="auth", realm="SIP Communications Service", opaque="6436AC83", targetname="edgeinternalfqdn.contoso.com", crand="eee9b681", cnum="7", response="63d56f98d452b3e25266ba340e88dfb47e96c7de"
Content-Type: application/msrtc-media-relay-auth+xml
Content-Length: 478

<request requestID="128326152" version="2.0" to="sip: [email protected];gruu;opaque=srvr:MRAS:v6H_I-uZa1irVldx3Z_CdgAA" from="sip: [email protected] " xmlns="http://schemas.microsoft.com/2006/09/sip/mrasp" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <credentialsRequest credentialsRequestID="128326152">
    <identity>sip: <userName>@contoso.com </identity>
    <location>internet</location>
    <duration>480</duration>
  </credentialsRequest>
</request>

Page 35: Lync 2010 deep dive edge

Credentials for remote client

<?xml version="1.0"?>
<response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" requestID="128326152" version="2.0" serverVersion="2.0" to="sip:[email protected];gruu;opaque=srvr:MRAS:v6H_I-uZa1irVldx3Z_CdgAA" from="sip:<userName>@contoso.com" reasonPhrase="OK" xmlns="http://schemas.microsoft.com/2006/09/sip/mrasp">
  <credentialsResponse credentialsRequestID="128326152">
    <credentials>
      <userName>AgAAJEqlo9QBy8itWiOmR2d4zw8ZJqfwTPDagP7i95AAAAAAbdyNu23CueVPKAjFdxLksF0ihSk=</userName>
      <password>eulmSPLxOMZZAYZvkq78HBo2uSk=</password>
      <duration>480</duration>
    </credentials>
    <mediaRelayList>
      <mediaRelay>
        <location>internet</location>
        <hostName>AVEDGEEXTERNAL.contoso.com</hostName>
        <udpPort>3478</udpPort>
        <tcpPort>443</tcpPort>
      </mediaRelay>
    </mediaRelayList>
  </credentialsResponse>
</response>
02/09/2011|10:00:41.873 1B9C:A24 INFO :: End of Data Received - 208.115.110.143:443 (To Local Address: 192.168.1.138:54415) 1727 bytes
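The MRAS response above hands the client a relay user name and password together with the relay host and ports, so a trace like this one should have the credential elements masked before it is shared. The Python below is an added example, not part of the original deck: it reads the XML body of such a response and produces a redacted copy. The sample XML is constructed, `parse_mras_response` and `redact` are hypothetical names, and treating `<duration>` as minutes is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"m": "http://schemas.microsoft.com/2006/09/sip/mrasp"}

# Constructed response modelled on the trace above; credentials are placeholders.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<response xmlns="http://schemas.microsoft.com/2006/09/sip/mrasp"
          requestID="1" version="2.0" reasonPhrase="OK">
  <credentialsResponse credentialsRequestID="1">
    <credentials>
      <userName>PLACEHOLDER-USERNAME</userName>
      <password>PLACEHOLDER-PASSWORD</password>
      <duration>480</duration>
    </credentials>
    <mediaRelayList>
      <mediaRelay>
        <location>internet</location>
        <hostName>avedge.contoso.com</hostName>
        <udpPort>3478</udpPort>
        <tcpPort>443</tcpPort>
      </mediaRelay>
    </mediaRelayList>
  </credentialsResponse>
</response>"""


def parse_mras_response(xml_text, received_at):
    """Return relay endpoints and the credential expiry time (no secrets)."""
    root = ET.fromstring(xml_text)
    if root.get("reasonPhrase") != "OK":
        raise ValueError("MRAS request failed: %s" % root.get("reasonPhrase"))
    creds = root.find("m:credentialsResponse/m:credentials", NS)
    if creds is None:
        raise ValueError("response carries no <credentials> element")
    # Assumption: <duration> is expressed in minutes.
    minutes = int(creds.findtext("m:duration", namespaces=NS))
    relays = [{
        "location": r.findtext("m:location", namespaces=NS),
        "host": r.findtext("m:hostName", namespaces=NS),
        "udp": int(r.findtext("m:udpPort", namespaces=NS)),
        "tcp": int(r.findtext("m:tcpPort", namespaces=NS)),
    } for r in root.iterfind(".//m:mediaRelay", NS)]
    return {"expires": received_at + timedelta(minutes=minutes), "relays": relays}


def redact(xml_text):
    """Mask the relay user name and password, keep everything else."""
    ET.register_namespace("", NS["m"])  # serialize without an ns0: prefix
    root = ET.fromstring(xml_text)
    for tag in ("userName", "password"):
        for element in root.iterfind(".//m:%s" % tag, NS):
            element.text = "[REDACTED]"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(parse_mras_response(SAMPLE_RESPONSE, datetime(2011, 2, 9, 10, 0, 41)))
    print(redact(SAMPLE_RESPONSE))
```

Both functions take only the XML body, so the SIP headers and log prefix have to be stripped from a trace first.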

Page 36: Lync 2010 deep dive edge

Credentials for Conferencing

[Sequence diagram. Participants: Endpoint, Outer Firewall, Access Edge, Inner Firewall, OCS FE Server, A/V MCU, A/V Edge, A/V Auth. Messages: SIP Invite, 200 OK, 3CP: Add User, Service (MTLS), 200 OK, 200 OK.]

Callouts:
• {MRAS Credentials}
• <hostName>avedge.contoso.com, <udpPort>3478, <tcpPort>443, <username> 77qq8yXccBc2lwOmFy, <password> Wnujl0eo00YkV/5dg=, <duration>480

Page 37: Lync 2010 deep dive edge

Credentials for remote client

Direction: incoming;source="external edge";destination="internal edge"
Peer: 76.187.107.231:54385
Message-Type: request
Start-Line: INVITE sip:[email protected];gruu;opaque=app:conf:audio-video:id:FZG8SYVR SIP/2.0
From: <sip:[email protected]>;tag=75336413c0;epid=3821b40476
To: <sip:[email protected];gruu;opaque=app:conf:audio-video:id:FZG8SYVR>;tag=a4f2e92356;epid=0B08BA10A9
CSeq: 3 INVITE

m=audio 50743 RTP/SAVP 9 111 0 8 97 13 118 101
a=ice-ufrag:cGUT
a=ice-pwd:eUrBEAMFNrwFGgroXuUMaLtS
a=candidate:4 1 UDP 16648703 97.75.78.122 50743 typ relay raddr 76.187.107.231 rport 31602
a=candidate:4 2 UDP 16648702 97.75.78.122 55309 typ relay raddr 76.187.107.231 rport 31603
a=cryptoscale:1 client AES_CM_128_HMAC_SHA1_80 inline:FU4Gl7hGYS894KJYhEvNq72Jo7ADq2e0gkLUzPV1|2^31|1:1
a=remote-candidates:1 192.168.32.102 53622 2 192.168.32.102 53623
a=maxptime:200
a=rtcp:55309
a=rtpmap:9 G722/8000
a=rtpmap:111 SIREN/16000
a=fmtp:111 bitrate=16000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:97 RED/8000
a=rtpmap:13 CN/8000
a=rtpmap:118 CN/16000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=encryption:required
m=video 56786 RTP/SAVP 121 34
a=ice-ufrag:eQIo

Page 38: Lync 2010 deep dive edge

Security

Page 39: Lync 2010 deep dive edge

Secure Communications in Lync

Can someone sniff the packets and access my IM/audio/video/data?

Page 40: Lync 2010 deep dive edge

Edge Validation

• Public Web Service Tool available for Edge Validation

• Supports OCS 2007 R2 and Lync Server 2010
• https://www.testocsconnectivity.com

Page 41: Lync 2010 deep dive edge

Auto Discovery

Page 42: Lync 2010 deep dive edge

More Terms

• Internal IP address
  – The IP address assigned to the network interface of the client computer.
• Reflexive IP address
  – The public IP address assigned to the home router.
• Media relay address
  – The public IP address of the Audio/Video Edge service that is associated with the internal Lync 2010 user’s pool.

Page 43: Lync 2010 deep dive edge

Address Discovery (AV)

[Diagram: Endpoint (nic a), NAT/Firewall, Media Relay, MRAS; Allocate UDP and Allocate TCP requests; candidate list with local and remote columns and a default entry; address labels a, b, c, d, e. Legend: UDP, TCP]

Page 44: Lync 2010 deep dive edge

Address Discovery (Desktop Sharing)

[Diagram: Endpoint (nic a), NAT/Firewall, Media Relay, MRAS; Allocate TCP request; candidate list with local and remote columns and a default entry; address labels a, b, c. Legend: UDP, TCP]

Page 45: Lync 2010 deep dive edge

Address Exchange

[Diagram: two endpoints (nic a and nic w), each behind a NAT/Firewall, each with a candidate list (local and remote columns, default entry); signaling over SIP, relays reached over TURN. Address labels: a, b, c, d and w, x, y, z.]

• SIP INVITE: c :: a,b,c,d
• 183 Session Progress: y :: w,x,y,z
• 200 OK: y :: w,x,y,z

Page 46: Lync 2010 deep dive edge

Address Exchange (Caller-Invite)

05/31/2011|16:55:25.856 2D7C:1FF8 INFO :: Sending Packet - 208.115.110.143:443 (From Local Address: 10.180.181.223:62230) 7439 bytes:
05/31/2011|16:55:25.856 2D7C:1FF8 INFO :: INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/TLS 10.180.181.223:62230
Max-Forwards: 70
From: <sip:[email protected]>;tag=c4a189acf6;epid=92a17ee2ce
To: <sip:[email protected]>
Call-ID: eb472e8ebc384c68a07b1e5beb70be38
CSeq: 1 INVITE

m=audio 55336 RTP/AVP 114 9 112 111 0 8 116 115 4 97 13 118 101
a=ice-ufrag:6QrA
a=ice-pwd:LColjpNYVTQVn6KK6Bg7D9k1
a=candidate:5 2 UDP 2130703870 10.180.181.223 25743 typ host
a=candidate:6 1 TCP-PASS 6556159 208.115.110.145 50162 typ relay raddr 166.248.0.235 rport 30907
a=candidate:6 2 TCP-PASS 6556158 208.115.110.145 50162 typ relay raddr 166.248.0.235 rport 30907
a=candidate:7 1 UDP 16648703 208.115.110.145 55336 typ relay raddr 166.248.0.235 rport 52259
a=candidate:7 2 UDP 16648702 208.115.110.145 54267 typ relay raddr 166.248.0.235 rport 52282
a=candidate:8 1 UDP 1694233599 166.248.0.235 52259 typ srflx raddr 10.180.181.223 rport 11252
a=candidate:8 2 UDP 1694232062 166.248.0.235 52282 typ srflx raddr 10.180.181.223 rport 11253
a=candidate:9 1 TCP-ACT 7074303 208.115.110.145 50162 typ relay raddr 166.248.0.235 rport 30907
a=candidate:9 2 TCP-ACT 7073790 208.115.110.145 50162 typ relay raddr 166.248.0.235 rport 30907
a=candidate:10 1 TCP-ACT 1684795391 166.248.0.235 30907 typ srflx raddr 10.180.181.223 rport 15645
a=candidate:10 2 TCP-ACT 1684794878 166.248.0.235 30907 typ srflx raddr 10.180.181.223 rport 15645

Page 47: Lync 2010 deep dive edge

Address Exchange (Callee-Response)

05/31/2011|16:55:28.485 2D7C:1FF8 INFO :: Data Received - 208.115.110.143:443 (To Local Address: 10.180.181.223:62230) 3093 bytes:
05/31/2011|16:55:28.485 2D7C:1FF8 INFO :: SIP/2.0 183 Session Progress
ms-user-logon-data: RemoteUser
From: "bob"<sip:[email protected]>;tag=c4a189acf6;epid=92a17ee2ce
To: <sip:[email protected]>;epid=73f1df72ee;tag=ed247c795f
Call-ID: eb472e8ebc384c68a07b1e5beb70be38
CSeq: 1 INVITE
Record-Route: <sip:LYNCFE.contoso.com:5061;transport=tls;opaque=state:T:F;lr;received=10.0.1.62;ms-received-cid=73BB7E00>
Contact: <sip:[email protected];opaque=user:epid:bEfyhOYmMVynmDXlgp2D6gAA;gruu>
User-Agent: UCCAPI/4.0.7577.256 OC/4.0.7577.280 (Microsoft Lync 2010)

m=audio 57501 RTP/SAVP 114 9 112 111 0 8 116 115 4 97 13 118 101
a=candidate:2 1 TCP-PASS 6556159 208.115.110.145 55275 typ relay raddr 75.98.19.251 rport 4523
a=candidate:2 2 TCP-PASS 6556158 208.115.110.145 55275 typ relay raddr 75.98.19.251 rport 4523
a=candidate:3 1 UDP 16648703 208.115.110.145 57501 typ relay raddr 75.98.19.251 rport 32250
a=candidate:3 2 UDP 16648702 208.115.110.145 56075 typ relay raddr 75.98.19.251 rport 32251
a=candidate:4 1 UDP 1694235647 75.98.19.251 32250 typ srflx raddr 10.104.72.9 rport 32250
a=candidate:4 2 UDP 1694234110 75.98.19.251 32251 typ srflx raddr 10.104.72.9 rport 32251
a=candidate:5 1 TCP-ACT 7076351 208.115.110.145 55275 typ relay raddr 75.98.19.251 rport 4523
a=candidate:5 2 TCP-ACT 7075838 208.115.110.145 55275 typ relay raddr 75.98.19.251 rport 4523
a=candidate:6 1 TCP-ACT 1684797439 75.98.19.251 4523 typ srflx raddr 10.104.72.9 rport 4523
a=candidate:6 2 TCP-ACT 1684796926 75.98.19.251 4523 typ srflx raddr 10.104.72.9 rport 4523
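In the caller and callee traces above, every candidate line has the shape `a=candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <address> rport <port>]`, and the port on the `m=` line matches a relay candidate. The Python below is an added example, not part of the original deck or of Lync: it parses such lines and reports what a reviewer would check in one offer or answer. The sample SDP is constructed, the function names are hypothetical, and using 50,000-59,999 as the expected relay port range is an assumption taken from the ports slides.

```python
import ipaddress
from collections import namedtuple

Candidate = namedtuple("Candidate", "foundation component transport priority ip port typ raddr rport")

# Constructed sample modelled on the traces above (private/documentation addresses).
SAMPLE_SDP = """\
m=audio 55336 RTP/AVP 9 111 0 8
a=candidate:5 1 UDP 2130704383 10.0.0.23 25742 typ host
a=candidate:7 1 UDP 16648703 203.0.113.145 55336 typ relay raddr 198.51.100.235 rport 52259
a=candidate:7 2 UDP 16648702 203.0.113.145 54267 typ relay raddr 198.51.100.235 rport 52282
a=candidate:8 1 UDP 1694233599 198.51.100.235 52259 typ srflx raddr 10.0.0.23 rport 11252
a=candidate:9 1 TCP-ACT 7074303 203.0.113.145 40162 typ relay raddr 198.51.100.235 rport 30907
"""

RELAY_PORTS = range(50000, 60000)  # assumption: the 50,000-59,999 range from the slides
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_candidates(sdp):
    """Return a Candidate for every a=candidate line in an SDP body."""
    found = []
    for line in sdp.splitlines():
        line = line.strip()
        if not line.startswith("a=candidate:"):
            continue
        f = line[len("a=candidate:"):].split()
        if len(f) < 8 or f[6] != "typ":
            raise ValueError("malformed candidate line: " + line)
        extra = dict(zip(f[8::2], f[9::2]))  # optional "raddr <ip> rport <port>"
        rport = int(extra["rport"]) if "rport" in extra else None
        found.append(Candidate(f[0], int(f[1]), f[2], int(f[3]), f[4],
                               int(f[5]), f[7], extra.get("raddr"), rport))
    return found


def default_candidate(sdp, cands):
    """Find the RTP (component 1) candidate that uses the m= line port."""
    for line in sdp.splitlines():
        if line.startswith("m="):
            port = int(line.split()[1])
            return next((c for c in cands
                         if c.component == 1 and c.port == port), None)
    return None


def audit(sdp):
    """Return review findings for one SDP offer or answer."""
    cands = parse_candidates(sdp)
    findings = []
    if not any(c.typ == "relay" for c in cands):
        findings.append("no relay candidate offered")
    default = default_candidate(sdp, cands)
    if default is None or default.typ != "relay":
        findings.append("default (m= line) address is not a relay candidate")
    for c in cands:
        if c.typ == "relay" and c.port not in RELAY_PORTS:
            findings.append(f"relay port {c.port}/{c.transport} outside 50000-59999")
    internal = sorted({a for c in cands for a in (c.ip, c.raddr)
                       if a and any(ipaddress.ip_address(a) in n for n in RFC1918)})
    if internal:
        findings.append("internal addresses carried in signaling: " + ", ".join(internal))
    return findings
```

On the constructed sample, `audit(SAMPLE_SDP)` flags the TCP relay candidate on port 40162 and the RFC 1918 address that the host and srflx candidates expose.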

Page 48: Lync 2010 deep dive edge

Federation

Page 49: Lync 2010 deep dive edge

Port Requirements for Audio/Video

• Lync 2010
  – UDP 3478, TCP 443
  – UDP/TCP 50,000-59,999 inbound/outbound
    • Enables federation with OCS 2007 Edges
• OCS 2007 R2
  – UDP 3478, TCP 443
    • No additional ports needed for remote access only
  – TCP 50,000-59,999 outbound
    • Enables federation with R2 Edges
  – UDP/TCP 50,000-59,999 inbound/outbound
    • Enables federation with OCS 2007 Edges
• OCS 2007
  – UDP 3478, TCP 443
  – UDP/TCP 50,000-59,999 inbound/outbound

Page 50: Lync 2010 deep dive edge

A/V Federation 2007-2007

[Diagram: Work1 and Work2, each with OC/Console, A/V MCU, Inner FW, Access Proxy and a 2007 Edge; Outer FWs (no NAT). Edge ports shown: UDP 3478, TCP 443, UDP/TCP 50000 to 59999. Address labels: w1, w2.]

Page 51: Lync 2010 deep dive edge

A/V Federation R2 Tunnel Mode

[Diagram: Work1 and Work2, each with OC/Console, A/V MCU, Inner FW, Access Proxy and an R2 Edge; Outer FWs (no NAT). Edge ports shown: UDP 3478, TCP 443, UDP/TCP 50000 to 59999. Address labels: w1, w2.]

Page 52: Lync 2010 deep dive edge

A/V Federation R2-2007 Interop

[Diagram: Work2 with a 2007 Edge and Work1 with an R2 Edge, each with OC/Console, A/V MCU, Inner FW and Access Proxy; Outer FWs (no NAT). Edge ports shown: UDP 3478, TCP 443, UDP/TCP 50000 to 59999. Address labels: w1, w2.]

Page 53: Lync 2010 deep dive edge

A/V Federation Lync

[Diagram: Work1 and Work2, each with OC/Console, A/V MCU, Inner FW, Access Proxy and a Lync Edge; Outer FWs (no NAT). Edge ports shown: UDP 3478, TCP 443, UDP/TCP 50000 to 59999. Address labels: w1, w2.]

Page 54: Lync 2010 deep dive edge

Summary

• Architecture
• Edge Scenarios – Users point of view
• Interoperability Federation
• Certificates
• Edge Scenario – DNS Load Balancing
• Authentication
• Discovery
• Federation

Page 55: Lync 2010 deep dive edge

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.