Skype for Business Edge & Reverse Proxy
Md Shaifullah Mozide Palash
8/7/2016
Table of Contents

Introduction ... 2
  Edge Server ... 2
    Access Edge Service ... 2
    Web Conferencing Edge Service ... 2
    A/V Edge Service ... 2
    XMPP Proxy Service ... 2
Sample Topology ... 3
Edge Server Basics ... 4
Internal DNS Requirements ... 5
External DNS Requirements ... 5
  Access Edge Service ... 5
  Web Conferencing Edge Service ... 5
  Audio Video Edge Service ... 5
  SRV Records ... 5
Firewall Requirements ... 6
Reverse Proxy ... 7
  Meeting URL ... 7
  Discovery URL ... 7
  Office Web Apps URL ... 8
  Firewall Requirements ... 8
Introduction

You need an Edge Server if you want external users (users not logged into your organization's internal network) to be able to interact with internal users. These external users could be:

- Authenticated remote users
- Anonymous remote users
- Federated users (from different organizations)
- Mobile clients

When discussing the Edge Server environment, we're referencing components that are, for the most part, deployed in a perimeter network (that is to say, it's either in a workgroup or a domain that's outside your Skype for Business Server domain structure). Keeping that in mind, these are the components you need to plan for to deploy your Edge successfully:

- Edge Server
- Reverse Proxy

We have more detail on each of these below.

Edge Server: These are the Skype for Business Servers deployed in your perimeter environment. Their role is to send and receive network traffic to external users for the services offered by your internal Skype for Business Server deployment. To do this successfully, each Edge Server runs:

Access Edge Service: Provides a single, trusted connection point for both outbound and inbound Session Initiation Protocol (SIP) traffic.

Web Conferencing Edge Service: Enables external users to join meetings that are hosted on your internal Skype for Business Server environment.

A/V Edge Service: Makes audio, video, application sharing and file transfer available to external users.

XMPP Proxy Service: Accepts and sends Extensible Messaging and Presence Protocol (XMPP) messages to and from configured XMPP federated partners.

Authorized external users can use your Edge Servers to connect to your internal Skype for Business Server deployment, but otherwise the Edge Servers provide no other access to your internal network for anyone.
There are four types of roles in a Skype for Business Edge Server:

Role                Functions
Access Edge         Authenticates external connections
                    Allows remote connection
                    Allows federation connection
                    Handles SIP traffic
Web Conferencing    Handles data conferencing packets
                    Allows external users to join SFB meetings
                    Allows external users to use whiteboard
                    Allows external users to use Poll
                    Allows external users to use QnA
A/V Conferencing    Extends audio to external users
                    Extends video to external users
                    Extends app sharing to external users
                    Allows file transfer to external users
                    Handles A/V conferencing packets
XMPP Proxy          Handles XMPP packets
                    Allows XMPP based server/client to connect
                    Earlier, it was a different role (no colocation)
                    Usually used to federate with Google users

Sample Topology

(Reference topology diagram; the image is not reproduced in this text.)
This is just a reference topology. Your Edge design should be based on various design factors: external features, location, security concerns, high availability, etc.

You need to configure two interfaces on the Edge Server: internal and external. The internal interface interacts with the internal servers (Front End, Director, etc.). The external interface needs an IP address and port configuration for each of the Edge services (Access, Web Conferencing, A/V). A single default gateway should be defined, and only on the external interface. This forces all traffic out to the Internet except traffic for the internal subnets, for which you need to define static routes via the internal interface.

Edge Server Basics

If you've worked with OCS, Lync 2010, Lync 2013 or Skype for Business 2015 you are aware that there are some cardinal rules when installing an Edge Server in a supported configuration and following best practices:

- You need to assign three (3) public IP addresses for each Edge Server. This is true whether you have a single Edge Server or multiple Edge Servers, and it is true in a multiple-server Edge pool whether you choose DNS load balancing or hardware load balancing. If you use hardware load balancing, you will need three (3) more public IP addresses above those you have pulled for the Edge Servers themselves; these additional IP addresses are used for the Edge's virtual IP addresses (VIPs).
- The Edge Server has to have two (2) network interface cards (NICs); four (4) is better, but two (2) works fine. On a 2-NIC Edge, each NIC has to be connected to a separate subnet: one subnet is defined as connected to the internal side of the Edge, the other to the external side. On a 4-NIC Edge you would have one (1) NIC on the internal side and the remaining three (3) on the external side.
- You also need four (4) IP addresses: one (1) on the internal NIC and its subnet, and the remaining three (3) on the external-side NIC(s) and their subnet.
- The required firewall rules are split between those for the external side of the Edge Server and those for the internal side. Rules for the external side prescribe ports that should be opened between the Internet and the external side of the Edge, while rules for the internal side prescribe ports that should be opened between the internal user and Skype for Business 2015 server subnets and the internal side of the Edge. This implies that the external side of the Edge should only be able to hear traffic coming in from the Internet, while the internal side of the Edge should only be able to hear traffic coming from the internal users or the internal Skype for Business 2015 servers. Unfortunately, this is only implied and not called out explicitly in the documentation, so we are calling these rules out here:
1. There should never be routing that allows traffic to get directly from either the internal user subnets or the internal Skype for Business 2015 servers to the external side of the Edge Servers.
2. There should never be routing that allows traffic to get directly from the Internet or the external side of the Edge Server to the internal user subnets or the internal Skype for Business 2015 servers.

Internal DNS Requirements

Edge Servers are not domain-joined machines. You need to create a DNS entry for each of the Edge Servers using the internally used domain name. Let's assume the Skype for Business pool FQDN is sfbpool.contoso.com and the Edge Server hostname is edge01. The DNS entry should be created as below (on the internal DNS server):

Type  Name                Address
A     edge01.contoso.com  172.30.40.42   (IP address of the internal interface)

External DNS Requirements

You need to create external DNS records for the external IP addresses you have configured on the Edge Servers. These records need to be created on public DNS servers. The DNS entries would look like the following:

Service                        Type  Name              Address
Access Edge Service            A     sip.oviwin.com    202.202.1.10   (external IP address configured for the Access Edge Service)
Web Conferencing Edge Service  A     wconf.oviwin.com  202.202.1.11   (external IP address configured for the Web Conferencing Edge Service)
Audio Video Edge Service       A     av.oviwin.com     202.202.1.12   (external IP address configured for the A/V Edge Service)

SRV Records

Name                               Host            Port  Reason
_sip._tls.oviwin.com               sip.oviwin.com  443   Auto login for external clients
_sipfederationtls._tcp.oviwin.com  sip.oviwin.com  5061  Federation discovery
_xmpp._tcp.oviwin.com              sip.oviwin.com  5269  XMPP gateway locator
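The routing and DNS rules above lend themselves to a scripted check. The following PowerShell is an added example, not part of the original guide or of any Microsoft tooling: it pins the internal subnets to the internal NIC with static routes, verifies that the only IPv4 default route sits on the external NIC, registers the Edge's internal A record on the internal DNS server, and compares the public A and SRV records with the table above. The NIC aliases "Internal" and "External", the internal next hop 172.30.40.1, the internal subnets 10.0.0.0/8 and 172.30.0.0/16, the internal DNS server name dc01.contoso.com and the public resolver 8.8.8.8 are all assumptions; the DNS names, addresses and ports come from the guide's tables.

```powershell
# Added example (not from the original guide): checks the Edge Server network
# prerequisites on a 2-NIC Edge. NIC aliases, next hop, subnets, the internal
# DNS server and the public resolver are placeholders for your environment.

$InternalAlias   = 'Internal'
$ExternalAlias   = 'External'
$InternalNextHop = '172.30.40.1'                      # assumption: router on the internal subnet
$InternalSubnets = @('10.0.0.0/8', '172.30.0.0/16')   # assumption: corporate address space
$PublicResolver  = '8.8.8.8'                          # assumption: any resolver outside your network

# Expected public records, taken from the guide's External DNS and SRV tables.
$ExpectedA = @{
    'sip.oviwin.com'   = '202.202.1.10'   # Access Edge
    'wconf.oviwin.com' = '202.202.1.11'   # Web Conferencing Edge
    'av.oviwin.com'    = '202.202.1.12'   # A/V Edge
}
$ExpectedSrv = @(
    @{ Name = '_sip._tls.oviwin.com';              Target = 'sip.oviwin.com'; Port = 443  }
    @{ Name = '_sipfederationtls._tcp.oviwin.com'; Target = 'sip.oviwin.com'; Port = 5061 }
    @{ Name = '_xmpp._tcp.oviwin.com';             Target = 'sip.oviwin.com'; Port = 5269 }
)

function Set-EdgeInternalRoutes {
    # Static routes for the internal subnets via the internal NIC. The default
    # route (0.0.0.0/0) is deliberately left to the external NIC only.
    foreach ($prefix in $InternalSubnets) {
        if (-not (Get-NetRoute -DestinationPrefix $prefix -InterfaceAlias $InternalAlias -ErrorAction SilentlyContinue)) {
            New-NetRoute -DestinationPrefix $prefix -InterfaceAlias $InternalAlias -NextHop $InternalNextHop | Out-Null
        }
    }
}

function Test-EdgeRouting {
    # Returns one finding per problem; no output means the routing follows the rule.
    $findings = @()
    $defaults = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue)
    if ($defaults.Count -eq 0) { $findings += 'No IPv4 default route present' }
    foreach ($r in $defaults) {
        if ($r.InterfaceAlias -ne $ExternalAlias) {
            $findings += "Default route via '$($r.InterfaceAlias)' (next hop $($r.NextHop)); only '$ExternalAlias' should carry 0.0.0.0/0"
        }
    }
    foreach ($prefix in $InternalSubnets) {
        if (-not (Get-NetRoute -DestinationPrefix $prefix -InterfaceAlias $InternalAlias -ErrorAction SilentlyContinue)) {
            $findings += "Missing static route for $prefix via '$InternalAlias'"
        }
    }
    return $findings
}

function Add-EdgeInternalRecord {
    # Run from an internal admin host that has the DnsServer RSAT module; the
    # Edge itself is not domain joined. Creates edge01.contoso.com -> internal NIC.
    param([string]$DnsServer = 'dc01.contoso.com')   # assumption: internal DNS server
    Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName 'contoso.com' -Name 'edge01' -IPv4Address '172.30.40.42'
}

function Test-EdgeExternalDns {
    # Compares the public A and SRV records with the guide's table and enforces
    # the "three distinct public IPs per Edge" rule.
    $findings = @()
    foreach ($name in $ExpectedA.Keys) {
        $got = @(Resolve-DnsName -Name $name -Type A -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        if ($got -notcontains $ExpectedA[$name]) {
            $findings += "$name resolves to [$($got -join ', ')], expected $($ExpectedA[$name])"
        }
    }
    if (@($ExpectedA.Values | Select-Object -Unique).Count -ne 3) {
        $findings += 'Edge services must use three distinct public IP addresses'
    }
    foreach ($srv in $ExpectedSrv) {
        $rec = Resolve-DnsName -Name $srv.Name -Type SRV -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -eq $srv.Target -and $_.Port -eq $srv.Port }
        if (-not $rec) { $findings += "$($srv.Name) should point to $($srv.Target) port $($srv.Port)" }
    }
    return $findings
}

Set-EdgeInternalRoutes
Test-EdgeRouting
Test-EdgeExternalDns
```

Run Set-EdgeInternalRoutes, Test-EdgeRouting and Test-EdgeExternalDns on the Edge Server itself (elevated, since New-NetRoute changes the routing table) and Add-EdgeInternalRecord from an internal management host. A non-empty result from either Test- function is a deviation from the cardinal rules above: a second default route on the internal NIC, for example, is exactly the condition that lets internal traffic reach the external side directly, which rule 1 forbids.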
Firewall Requirements

(The firewall port tables, labelled ONE, TWO and THREE in the original, were images and are not reproduced in this text.)

Reverse Proxy

A reverse proxy (RP) server has no Skype for Business Server role, but it is an essential component of an Edge Server deployment. A reverse proxy allows external users to:

- Connect to meetings or dial-in conferences using simple URLs.
- Download meeting content.
- Expand distribution groups.
- Get user-based certificates for client certificate based authentication.
- Download files from the Address Book Server, or submit queries to the Address Book Web Query service.
- Obtain updates to client and device software.

And for mobile devices:

- It lets them automatically discover Front End Servers offering mobility services.
- It enables push notifications from Office 365 to mobile devices.

External DNS records for the reverse proxy:

Purpose              Type  Name                     Address
Meeting URL          A     meet.oviwin.com          202.202.1.13   (external IP address configured for the RP)
Discovery URL        A     lyncdiscover.oviwin.com  202.202.1.13   (external IP address configured for the RP)
Office Web Apps URL  A     owaent.oviwin.com        202.202.1.13   (external IP address configured for the RP)

Firewall Requirements

(The reverse proxy firewall table was an image in the original and is not reproduced in this text.)
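Once the three RP records exist, the practical check is made from outside the network: does each name resolve to the RP address (and not to an Edge address), is TCP 443 reachable, and does the certificate the RP presents actually cover the name? The following PowerShell is an added example, not part of the original guide or of any Microsoft tooling. It assumes the reverse proxy publishes all three names on TCP 443 and that 8.8.8.8 is usable as a public resolver; the names and the RP address come from the table above.

```powershell
# Added example (not from the original guide): external verification of the
# reverse proxy publishing. Run it from a host on the Internet side of the RP.

$PublicResolver = '8.8.8.8'            # assumption: any resolver outside your network
$RpAddress      = '202.202.1.13'       # from the guide's reverse proxy DNS table
$RpNames        = @('meet.oviwin.com', 'lyncdiscover.oviwin.com', 'owaent.oviwin.com')

function Get-PublishedCertificate {
    # Opens a TLS session to the RP and returns the certificate it presents.
    # The validation callback accepts any chain on purpose: the function only
    # inspects the certificate and sends nothing after the handshake.
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $chain, $errors); $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-ReverseProxyPublishing {
    # Returns one finding per problem; no output means all three names check out.
    $findings = @()
    foreach ($name in $RpNames) {
        # 1. DNS: every RP name must resolve to the RP's external address.
        $ips = @(Resolve-DnsName -Name $name -Type A -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        if ($ips -notcontains $RpAddress) {
            $findings += "$name resolves to [$($ips -join ', ')], expected $RpAddress"
            continue
        }

        # 2. Reachability: TCP 443 must be open from the Internet side.
        if (-not (Test-NetConnection -ComputerName $name -Port 443 -InformationLevel Quiet)) {
            $findings += "$name : TCP 443 not reachable"
            continue
        }

        # 3. Certificate: the name must appear in the SAN list (exact entry or a
        #    wildcard for the same parent domain) and the certificate must be valid.
        try {
            $cert   = Get-PublishedCertificate -HostName $name
            $parent = $name.Substring($name.IndexOf('.') + 1)
            $sans   = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
            if (($sans -notcontains $name) -and ($sans -notcontains "*.$parent")) {
                $findings += "$name : not covered by certificate SAN list [$($sans -join ', ')]"
            }
            if ($cert.NotAfter -lt (Get-Date)) {
                $findings += "$name : certificate expired on $($cert.NotAfter)"
            }
        } catch {
            $findings += "$name : TLS handshake failed ($($_.Exception.Message))"
        }
    }
    return $findings
}

Test-ReverseProxyPublishing
```

The SAN check is the one most often missed: a single RP certificate has to carry meet, lyncdiscover and the Office Web Apps name, and a client that gets a name mismatch on lyncdiscover simply fails autodiscovery with no useful error on the RP side.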