lync mobility deployment
DESCRIPTION
Presented by Justin Morris and Tom Arbuthnot at MUCUGL January 2012
TRANSCRIPT
Lync Mobility Deployment
Tom Arbuthnot, Consultant, Modality Systems and Lync MVP
@tomarbuthnot
http://www.lyncdup.com
Justin Morris, Consultant, Modality Systems
@jm_deluxe
http://www.justin-morris.net
Microsoft Unified Communications User Group London (MUCUGL) 2
Agenda
• Step by Step Deployment Guide
– Prerequisites, DNS, Certificates
– Reverse Proxy, Push Notifications
• The Lync Mobile Sign-In Process
• Top 5 Issues
• Do I need lyncdiscoverinternal?
• Monitoring Performance of Mobility
• Questions
19/01/2012
Mobility Service Deployment in 7 slides
• Cumulative Update 4 on all Servers
• Mobility DNS Requirements
• New FE listening ports and IIS changes
• Install the MCX Service
• Certificate Updates
• Reverse Proxy Rule Update
• Add Lync Online Federation for Push Notifications
Cumulative Update 4 First
• CU4 on all servers
• CU4 DB Update
• Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn <EEBE.Fqdn> -UseDefaultSqlPaths
DNS Requirements
• Lync Mobile uses two DNS records to discover the server to register to, lyncdiscover and lyncdiscoverinternal
• CNAME and Host (A) records are supported
• Internal DNS: lyncdiscoverinternal.domain.com points to the Lync pool/Director DNS record
• External DNS: lyncdiscover.domain.com, external (and reachable internal), points to the external Reverse Proxy
• Lyncdiscover returns the proxy FQDN. This needs to be resolvable internally
New FE Listening Ports and IIS changes
• Set-CsWebServer -Identity lync.domain.com -McxSipPrimaryListeningPort 5086
• Set-CsWebServer -Identity lync.domain.com -McxSipExternalListeningPort 5087
• Re-enable the topology to enact these IIS changes
– Enable-CsTopology
• There is also an additional IIS feature requirement
– Import-Module ServerManager
– Add-WindowsFeature Web-Server, Web-Dyn-Compression
Install the MCX Service
• Download the McxStandalone.msi installation package and save it into the following existing directory on each Lync server where it will be installed.
• C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577.0\setup\
• C:\Program Files\Microsoft Lync Server 2010\Deployment\Bootstrapper.exe
Certificate Updates – Internal and External
• Internal FE certs
– Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint <Certificate Thumbprint>
– This will add the lyncdiscover and lyncdiscoverinternal names to the FE cert
• Externally, discovery can be done over HTTP (80) or HTTPS (443); if using HTTPS, the external cert requires the lyncdiscover.domain.com SAN name
• Both required for each supported SIP domain on the system
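A check for the DNS and certificate requirements above, written as an added example (not part of the original slides). It resolves each discovery name for every SIP domain, then inspects the certificate served on 443 for a matching SAN entry; the HTTP (80) path is not checked. The function name and contoso.com are placeholders.

```powershell
# Added example: Test-LyncDiscoverName and contoso.com are illustrative names.
function Test-LyncDiscoverName {
    param(
        [Parameter(Mandatory=$true)] [string[]] $SipDomain,
        [string[]] $Prefix = @('lyncdiscover', 'lyncdiscoverinternal'),
        [int] $Port = 443
    )
    foreach ($domain in $SipDomain) {
        foreach ($p in $Prefix) {
            $fqdn = "$p.$domain"
            $r = @{ Name = $fqdn; Address = $null; SanCoversName = $null
                    Issuer = $null; NotAfter = $null; TrustedHere = $null; Error = $null }
            try {
                # Step 1: the discovery record must resolve from where this runs.
                $ips = [System.Net.Dns]::GetHostAddresses($fqdn)
                $r.Address = ($ips | ForEach-Object { $_.IPAddressToString }) -join ', '
                # Step 2: fetch the certificate served on the HTTPS listener.
                $tcp = New-Object System.Net.Sockets.TcpClient($fqdn, $Port)
                try {
                    # Accept any certificate: it is being inspected, not trusted.
                    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
                    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
                    $ssl.AuthenticateAsClient($fqdn)
                    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
                    # Step 3: read the Subject Alternative Name extension (OID 2.5.29.17).
                    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
                    $names = @()
                    if ($san) {
                        $names = $san.Format($false) -split ',\s*' |
                            ForEach-Object { ($_ -split '[=:]', 2)[-1].Trim() }
                    }
                    # -like lets a wildcard SAN entry such as *.contoso.com count as a match.
                    $r.SanCoversName = [bool]($names | Where-Object { $fqdn -like $_ })
                    $r.Issuer = $cert.Issuer
                    $r.NotAfter = $cert.NotAfter
                    # Chain result reflects this machine's trust store, not a phone's.
                    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                    $r.TrustedHere = $chain.Build($cert)
                } finally { $tcp.Close() }
            } catch { $r.Error = $_.Exception.Message }
            New-Object PSObject -Property $r
        }
    }
}

Test-LyncDiscoverName -SipDomain 'contoso.com' | Format-List
```

Run it once from an internal client and once from outside: the Issuer column shows whether the name is answered by a publicly issued certificate or by one from the internal CA.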
New Reverse Proxy Rule
• To allow access from the outside for the mobile clients
• It can be added to your existing reverse proxy rule set for Lync
• Full Reverse Proxy setup steps on Adam’s imaucblog.com
• Port 80 required for HTTP discovery
Federation to Lync Online for Push
• New-CsHostingProvider -Identity "LyncOnline" -Enabled $true -ProxyFqdn "sipfed.online.lync.com" -VerificationLevel UseSourceVerification
• New-CsAllowedDomain -Identity push.lync.com -Comment "Mobile Push Notifications"
• Set-CsPushNotificationConfiguration -EnableApplePushNotificationService $true -EnableMicrosoftPushNotificationService $true
Summary: Mobility Service Deployment
• Cumulative Update 4 on all Servers
• Mobility DNS Requirements
• New FE listening ports and IIS changes
• Install the MCX Service
• Certificate Updates
• Reverse Proxy Rule Update
• Add Lync Online Federation for Push Notifications
Handover to Justin
Lync Mobile Sign-In Process: Internal
1. Mobile device locates lyncdiscoverinternal.<SIPFQDN> record via internal DNS
2. External MCX URL is returned
3. Lync Mobile client communicates with external web service (4443 MCX virtual directory) by hair-pinning the reverse proxy
Lync Mobile Sign-In Process: External
1. Mobile device locates lyncdiscover.<SIPFQDN> record via external DNS
2. External MCX URL is returned
3. Lync Mobile client communicates with external web service (4443 MCX virtual directory) via the reverse proxy
Lync Mobile Sign-In Process: Authentication and In-Band Provisioning
1. Web ticket request is made for a client certificate for authentication.
2. SIP REGISTER packet comes from the Lync Front End on the listening port e.g. 5087.
3. Do I have a mobility policy granted to me?
4. In-band provisioning occurs:
– Voicemail URI, ABS URL, dial plan, voice policy.
5. Contact list and contact cards are retrieved.
Top Mobile Client Issues
• Account details (domain\username) required if UPN is different to SIP URI e.g. UPN - [email protected] SIP URI – [email protected]
• Check EWS connectivity – requires same as desktop client.
• URL filtering in IM breaks push notifications.
• McxStandalone.msi must be run using Bootstrapper.
Do I need lyncdiscoverinternal?
• Mobile clients won’t trust your internal CA, who has a public certificate on their FEs?
• Deploying root CA certificate to all mobile devices is unlikely to happen.
• Solution: route all internal lyncdiscover.sipdomain traffic to the external interface of the Reverse Proxy.
Monitoring Performance of Mobility
• Why do we do this?
– Ensuring we have the capacity to support users.
– Predicting when extra capacity is required.
• How do we do this?
– Can be monitored from within IIS -> Worker Processes.
– CsIntMcxAppPool and CsExtMcxAppPool CPU% should be under 15%
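The same check scripted, as an added example that is not part of the original slides. It samples CPU time for the w3wp.exe workers behind the two MCX application pools and flags any at or above the 15% guideline. The function name, the 10-second sample window and the per-core normalisation are assumptions of this sketch.

```powershell
# Added example: Get-McxAppPoolCpu is an illustrative name; run elevated on a Front End.
function Get-McxAppPoolCpu {
    param(
        [string[]] $AppPool = @('CsIntMcxAppPool', 'CsExtMcxAppPool'),
        [int] $SampleSeconds = 10,
        [double] $ThresholdPercent = 15
    )
    # Map each w3wp.exe worker to its pool via the -ap "<pool>" command-line argument.
    $workers = @(Get-WmiObject Win32_Process -Filter "Name='w3wp.exe'" | ForEach-Object {
        if ($_.CommandLine -match '-ap\s+"([^"]+)"' -and $AppPool -contains $Matches[1]) {
            New-Object PSObject -Property @{ Pool = $Matches[1]; Id = [int]$_.ProcessId }
        }
    })
    if ($workers.Count -eq 0) {
        Write-Warning 'No running MCX worker processes found.'
        return
    }

    # First sample of accumulated CPU time per worker.
    $start = @{}
    foreach ($w in $workers) { $start[$w.Id] = (Get-Process -Id $w.Id).TotalProcessorTime }
    $clock = [System.Diagnostics.Stopwatch]::StartNew()
    Start-Sleep -Seconds $SampleSeconds

    $cores = [Environment]::ProcessorCount
    foreach ($w in $workers) {
        $proc = Get-Process -Id $w.Id -ErrorAction SilentlyContinue
        if (-not $proc) { continue }   # worker was recycled during the sample
        $used = ($proc.TotalProcessorTime - $start[$w.Id]).TotalSeconds
        # Normalise across all cores, so 100% means every core is busy.
        $pct = [math]::Round(100 * $used / ($clock.Elapsed.TotalSeconds * $cores), 1)
        New-Object PSObject -Property @{
            AppPool = $w.Pool; ProcessId = $w.Id; CpuPercent = $pct
            OverThreshold = ($pct -ge $ThresholdPercent)
        }
    }
}

Get-McxAppPoolCpu | Format-Table AppPool, ProcessId, CpuPercent, OverThreshold -AutoSize
```

Scheduling this and logging the output over time gives the trend data needed for the capacity prediction mentioned above.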
Questions?
Sources: Brendan Carius - http://blog.kloud.com.au/2011/12/12/lync-2010-mobility-do-i-need-lyncdiscoverinternal/ http://blog.kloud.com.au/2011/12/12/lync-2010-mobility-sign-in-internals/