The Lync Server Edge Server enables remote access to the internal Lync Server infrastructure. In addition to providing feature parity for external or remote users, the Edge Server can also enhance a deployment by federating with partner organizations or public IM providers. These federation features help organizations use rich communication methods securely with each other across the Internet.
The Edge Server role in Lync Server comprises three separate subroles, just as in previous versions of the product: the Access Edge Server, the Web Conferencing Edge Server, and the A/V Edge Server. Each subrole provides slightly different functionality, and depending on the organization’s requirements it might not be necessary to use all three services. With Lync Server 2010, all three roles are deployed together rather than individually as in previous product versions. Unlike many of the internal roles, the Edge Server does not require databases or file shares, because it stores no data other than the Local Configuration Store replica of the Central Management Store. Because the Edge Server is designed to be deployed in a perimeter or DMZ network, it runs a limited set of services to keep its attack surface as small as possible. Edge Servers are also typically not joined to the internal Active Directory domain, although they can be if necessary. The reverse proxy server also publishes some external services that are served by the Front End pool.
Access Edge
The Access Edge role serves as the core of the Edge Server and is responsible for all of the signaling functionality. Without the Access Edge role deployed, the Web Conferencing Edge and A/V Edge roles cannot function. The Access Edge also serves a few distinct purposes including remote access, federation, and Public IM Connectivity.
Remote Access
One function of the Access Edge Server is to provide remote access capabilities to a Lync Server infrastructure. After an internal deployment of pools is complete, an Access Edge Server can be provisioned to enable users to sign in and use their endpoints across the Internet. As long as the appropriate SRV records exist in DNS or the client is manually configured correctly, a user can travel in and out of the office without ever making a change to an endpoint. This enables users to have full access to their internal features regardless of location.
Federation
The Access Edge Server also provides the capability to federate with other organizations that have deployed Lync Server, meaning the two organizations can communicate with each other as if they were a single deployment. Users have different feature sets available when using federation, depending on the version of Lync Server a partner has deployed. The feature set is the lowest common denominator between the two organizations. For example, if a partner runs Live Communications Server 2005, only IM and presence will be available. However, if a partner organization is running Office Communications Server 2007 R2, A/V and Desktop Sharing features can be used through federation. The largest feature set is available if both organizations are running Lync Server. Access Edge Servers use certificates and mutual TLS (MTLS) to secure the SIP signaling they exchange with each other across the Internet. This ensures that instant messaging and presence traffic is encrypted in transit and never transmitted in plain text.
Public IM Connectivity
A special form of federation is the capability to use Lync Server to communicate with contacts on the public IM networks, referred to as Public IM Connectivity (PIC). The AOL, Yahoo!, and MSN networks are the native Public IM Connectivity providers for Lync Server. To communicate with these contacts, users simply need to add the address to a contact list. Lync Server users can see presence and exchange instant messages with their contacts when Public IM Connectivity is provisioned. The conversations are limited to peer-to-peer, though, and cannot include three or more participants as users are accustomed to within the organization or with federated contacts. Audio and video support with the MSN or Windows Live networks is a new feature in Lync Server. The A/V conversations use the same RTAudio and RTVideo codecs native to both platforms, but are also limited to two-party calls. As of this writing, only the Yahoo! network requires additional licensing, which is sold as a per-user monthly subscription. As long as users have a Lync Server Standard CAL, Public IM Connectivity to the AOL and MSN networks is provided at no extra cost.
Web Conferencing Edge
When joining a web conference, users first authenticate to the Access Edge Server before the client joins through the Web Conferencing Edge Server role. The Web Conferencing Edge Server enables remote users to participate in web conferences with internal users or other remote workers. Organizations may also elect to allow anonymous or unauthenticated users to join web conferences with their own users. This functionality is similar to what many hosted web conferencing services offer, but here it is provided by the organization’s own Lync Server infrastructure. Web conferencing uses Microsoft’s Proprietary Shared Object Model (PSOM) protocol to carry the meeting and its data. Like the Access Edge traffic, all Web Conferencing Edge traffic is conducted over HTTPS port 443, so it is encrypted and passes through proxy servers without difficulty.
A/V Edge
The A/V Edge role is responsible for providing audio and video media exchanges among internal, external, and federated contacts. The A/V Edge role uses the Interactive Connectivity Establishment (ICE), Simple Traversal Utilities for NAT (STUN), and Traversal Using Relay NAT (TURN) methods to enable endpoints to communicate even if behind a NAT device. When possible, endpoints attempt to use a peer-to-peer connection for media streams, but when an endpoint is behind a NAT device such as a home router, the A/V Edge role can act as a relay point between the endpoints to facilitate communication. The A/V Edge service uses a combination of HTTPS port 443 and UDP port 3478 to negotiate and provide the media stream. To support media traffic between internal and external users, an additional service exists on the A/V Edge Server called the A/V Edge Authentication Service. This service is responsible for authenticating media requests from internal users to external contacts. When a user wants to initiate an external A/V conversation, she is provided with a temporary media token that she uses to authenticate to this service before media is allowed to flow.
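Because the Edge Server is the one Lync role that faces the Internet, the perimeter firewall in front of it should expose only the ports named in the sections above: TCP 443 for the Access Edge and Web Conferencing Edge services, and TCP 443 plus UDP 3478 for the A/V Edge service. The following script is an added example (it is not from the book or from Lync Server itself) that audits a simple firewall ruleset against that expected exposure; the rule syntax, subrole names and sample rules are all constructed for the illustration.

```python
# Added example, not from the book or Lync Server: audit a perimeter firewall
# ruleset for an Edge Server against the Internet-facing ports the text names.
# The rule syntax ('allow <src> -> <dst> <proto>/<port>') is constructed here.

# Expected Internet-facing exposure per Edge subrole, taken from the text above.
EXPECTED = {
    "access-edge": {("tcp", 443)},
    "webconf-edge": {("tcp", 443)},
    "av-edge": {("tcp", 443), ("udp", 3478)},
}

def parse_rules(text):
    """Parse 'allow <src> -> <dst> <proto>/<port>' lines into (src, dst, proto, port)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blank lines
        if not line:
            continue
        action, src, arrow, dst, svc = line.split()
        if action != "allow" or arrow != "->":
            raise ValueError(f"unsupported rule: {raw.strip()}")
        proto, port = svc.lower().split("/")
        rules.append((src, dst, proto, int(port)))
    return rules

def audit(rules):
    """Report Internet-facing ports that are unexpected, and required ones that are missing."""
    unexpected, exposed = [], {role: set() for role in EXPECTED}
    for src, dst, proto, port in rules:
        if src != "internet":
            continue  # only exposure from the Internet is in scope for this check
        if (proto, port) in EXPECTED.get(dst, set()):
            exposed[dst].add((proto, port))
        else:
            unexpected.append(f"{dst} {proto}/{port}")
    missing = [f"{role} {proto}/{port}"
               for role, need in EXPECTED.items()
               for proto, port in sorted(need - exposed[role])]
    return {"unexpected": unexpected, "missing": missing}

# Constructed sample: one admin port left open to the Internet, STUN port forgotten.
SAMPLE_RULES = """
allow internet -> access-edge tcp/443
allow internet -> webconf-edge tcp/443
allow internet -> av-edge tcp/443
allow internet -> av-edge tcp/3389   # remote desktop should never face the Internet
allow internal -> av-edge udp/3478
"""
```

Running `audit(parse_rules(SAMPLE_RULES))` flags `av-edge tcp/3389` as unexpected and `av-edge udp/3478` as missing, since the STUN rule was written for the internal side only.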
Collocation
The Edge Server roles cannot be collocated with any other role in Lync Server. Although many of the other roles depend on access to Active Directory, Edge Servers are typically placed in a perimeter network and might not even be joined to the corporate domain, for security reasons. In previous versions of Communications Server, it was possible to install only specific Edge roles. In Lync Server, however, the three roles are always installed together. This change removes the confusion of earlier deployment models, which required knowing which Edge roles were safe to collocate with each other.
Reverse Proxy
In addition to the Edge Server roles that provide remote access, federation, web conferencing, and A/V conferencing, a reverse proxy is required to publish the web components services that don’t run through an Edge Server. The reverse proxy provides remote access to the web components running on Front End Servers or Edge Servers. This includes the following features:
- Address Book
- Distribution Group Expansion
- Device Updates
- Web Conferencing Content (Whiteboards and PowerPoint File Uploads)
Source: Microsoft Lync Server 2010 Unleashed (Pearson)