Lync MVPs Around the World – April 2014 #LyncMVPsMap


A new round of MVP renewals has just ended.



In addition to the usual map, some considerations:

a) All the existing Lync MVPs have been confirmed for another year during this cycle

b) The total number of Lync MVPs has reached 73 (6 more than in the previous cycle)

c) We welcome Mexico and New Zealand to the list of countries that have at least one Lync MVP. This brings the total to 27 countries

The Dark Side of Writing (Technical) Books


Disclaimer: during the last two years I wrote a good number of technical books and I am still working on new ones. So what I will write here comes from my experience, and is not intended to discourage other people from writing. Also, everything I will write here may not be true for everyone.


I don’t know what it was like to write an IT-dedicated book a few years ago. I began to write a couple of years ago. What I will share with you are some lessons that I learned the hard way, hoping that they will help you in evaluating the downsides of publishing an IT-oriented book in 2014 (and to better understand what book authors live and do).

Contents Expiration

As you know, a specific version of a software product (including operating systems) is now flanked (replaced?) by the next release within a year. There may be exceptions, but they are often in the opposite direction from the one you would desire when writing a book (i.e. the version you are using lasts less than one year). Service packs and updates are made available often, and they may change the available features and the way a product works in a dramatic manner.

This has a tremendous impact on your work, because your objective is to publish something that is in line with the most recently available release. This means that while you are proofreading or editing a chapter, you could have to rewrite a large part of it.

Not less important, the contents of your book will be “old” in a year (if you are lucky), reducing the timeframe in which it is able to sell the most. If you are lucky, maybe you have access to an early (beta) version of the product but, anyway, you take the risk of working on a version that could be really different from the RTM (final) one.

Note: the aforementioned situation happens also with hardware. Usually this kind of solution changes less often than software but, anyway, the rate of change for those products is high too.


If you have read in the news the recent decision that Getty Images took about its own contents, you have for sure understood that fighting piracy on the Internet is like putting a finger in the dike. Publishers know it better than you, so don’t expect any useful help from them when you identify some site, torrent or whatever that is giving away your work for free. If you have ever used an image or some content without paying the maker, think of it as balancing Karma :-)

Anyway, piracy is going to have perceptible consequences on your book’s revenues.

I made a quick Google search for one of my own books, “Getting Started with Microsoft Lync Server 2013”, and easily found sites like this one.


Now, if 10% of the people that “viewed” the page have downloaded the book, I have 50 fewer copies sold. And this is a single site.

P.S. I’ve tested it and it works, so now I have a pirate copy of my own book, including a .epub version :-D


For sure, I don’t know the way ALL the publishers deal with their authors, but talking with people that have worked with different companies, I can share my idea with you. The money you gain is (obviously) tied to the copies that you are able to sell. Usually the publisher will give you advances on the future gains, to encourage you to finish your job. The advances may be managed in various manners; usually they are based on the delivery and acceptance of a part of your book. You can trust me if I say that often, when you are writing, you will need some kind of incentive to go on with the work. Anyway, your gain will be a percentage (let’s say something between 10% and 16%) of the money the publisher will make from your book. Printed copies will be more profitable, but there will also be a lot of ways to sell your book (like third party sellers, subscriptions and so on) that will lower your gains.

In the Publisher We Trust

So, everything will revolve around the number of copies you have sold. And here begins the funnier part. You will have NO clear idea of how many copies you are selling. For sure, your publisher will send you a “royalties statement”, but you will have no hard data to say if the numbers are really what they have to be. The only seller that gives you something like information is Amazon, with its ranking system (and the Author Central site). The Amazon ranking gives no direct information on the copies you are selling, however many people have been able to translate it into sold copies. I use Novelrank, a free service that gives me data about my books (and books other people have written) based on the Amazon ranking. Please remember that the ranking is also different on the various sites Amazon uses around the world so, for example, a high ranking on is really not as important as one on

Here you can see the results I have for another book of mine, “Getting Started with FortiGate”, published on November 25, 2013


If you are interested, the estimate is over 50 copies sold this year.

The aforementioned evaluation is based on the ranking for the Kindle edition. So, what about the printed copies? Well, if you are the author of the book, you are able to register on Amazon’s Author Central and see a lot of useful information, including the printed copies you have sold (again, “Getting Started with FortiGate” will be used as an example)


If you are also interested in this information, it is something like 24 printed copies sold in the U.S.

Note: Author Central is available also for, but it will give you less information

And that’s all. The copies sold outside Amazon (and the printed copies not sold from are something that you will know only through the publisher.

Bad Reputation

Now, let’s say that you wrote a really good book and you received positive feedback from tech reviewers, professional peers and readers. You may think that you have avoided one of the big risks related to writing a book (i.e. writing something that is not as good as it seems). Well, things are not exactly this way. I will state my case, but I know a few authors that have received what look like “targeted” negative reviews, to lower the reputation of their book on Amazon (but it is a problem that you may extend to the Internet in general).

On March 3 the Sun was bright and I was minding my own business, when I received this review from a guy called “Cranky Buddha” (really)


I have many reasons to think that this review is not exactly a fair one but, anyway, here it is. A one star, negative review lowering the reputation of a work you have done (and that has received really good feedback so far). Again, there is nothing that you (or the publisher) can do to fight this kind of situation.

What About Positive Feedbacks?

I had many of them, and usually they are the main reason that will give you the will to publish your contents (and this is a good reason also for blogging, for example). Having the feeling that your work is helping other people is a good incentive. But, also here, keep in mind that the quantity and quality of positive answers to your work may not be the ones you expect. Let’s take a look at three free works that Alessio Giombini, Matt Landis and I have published on the TechNet Office Gallery (they are the top 3 for popularity)


As you can see in the image, there is a big difference between the number of downloads and the “stars” the works have received. It’s hard to understand why people that are using your work for free do not feel the need to rate it in a positive manner (114,618 downloads and only 109 ratings… unbelievable).

How Much Time do You Need to Write?

The answer, here, will differ a lot from author to author. It usually takes me one hour to write a book page (it’s an average speed calculation). I know people that are able to write more than 100 pages in a month. Anyway, add to the aforementioned work the rewriting of contents after tech review and proofreading, the time required before and after the book is published (preparing the table of contents, summarizing the book topics) and so on.

How Much do You Gain?

There is no fixed law, but we can try to play with numbers. Let’s say that a book containing 200 pages requires 100 hours of work for a fast author and that he is able to write them in 2 months. Add 1 month for the reviews and for the publication. After 3 months your book is ready. We can imagine that the Kindle copy will cost around $25 and that your royalties are 15%. If you sell 500 copies (a good result) your gain will be $1875. That makes $18.75 for every hour you dedicated to your book, taxes included (and please remember that we are supposing you are really fast in writing and that the book is a good seller).

Final Thoughts

I am sure that if you have an idea for a cool book, or if you are offered the opportunity to write a book, you will take it. That’s what I do and I have no regrets. The aforementioned list of issues is just to help you understand that even an interesting work like writing has a dark side. Probably, if you have a passion for writing, you will keep on authoring books like I do, but with a few less wrong ideas than the ones I had a few years ago :-)

Configure Windows 2012 R2 Workplace Join and Enable an iPad


Active Directory Federation Services (AD FS) in Windows 2012 R2 has reached release 3.0. In the long list of new features, an interesting one (dedicated to the world of BYOD) is Workplace Join. I have configured Workplace Join in my lab and used it to authenticate an iPad. The following post explains and shows all the required steps.

(Note: the full configuration video is available here )

Before We Start: Introduction to Workplace Join

Workplace Join answers the need of users to access company resources from their own devices without giving control of them to the network administrators. However, it also answers the need of the IT staff to keep control over what the device is able to do on the corporate resources. Workplace Join enables users to register Windows-based and iOS-based devices for single sign-on and access to corporate data. The aforementioned devices do not join Active Directory, but the Workplace Join process generates a device object in AD and installs a certificate inside the device. From then on, the network administrators are able to use this authentication to allow or remove access to network resources for the device, while users enjoy a single sign-on experience.

To build my lab, I have used as a starting base this good post from Keith Mayer: “Why R2? Step-by-Step: Solve BYOD Challenges with Workplace Join in Windows Server 2012 R2 and Windows 8.1”

Step by step procedure

The first step was to add the Active Directory Federation Services role to my server Aphrodite (which is also my Domain Controller and Certification Authority).

The configuration of the AD FS role requires a service account, so I created a Group Managed Service Account called FsGmsa with the following cmdlets (adapting the ones used by Keith)

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

New-ADServiceAccount FsGmsa -DNSHostName Aphrodite.lync2013.corp -ServicePrincipalNames http/Aphrodite.lync2013.corp

An SSL certificate is required too, so I used my beloved DigiCertUtil to create a CSR. Please note that the Common Name must be the FQDN of the AD FS server, and you need the same name as Subject Alternative Name too. In the SAN names, enterpriseregistration.yourdomain is REQUIRED too.

I have used a command line to submit the request and generate the SSL certificate

certreq -submit -attrib "CertificateTemplate:WebServer" C:\Users\Administrator.WIN-VSNVH4NJGUF\Desktop\Aphrodite_lync2013_corp.txt

Then I have imported (and verified) the aforementioned certificate.

With all the requirements satisfied, I have launched the configuration of the AD FS role

I have defined a standard user, Ipaduser (I will use it to simulate a real world scenario of a domain user joining his/her iPad to the domain).

I have exported my root CA certificate to a .cer file and copied it to Google Drive (because I need to open it from Safari on the iPad later)

Next step is to initialize the Device Registration Service that, by default, is disabled and stopped. I used the Initialize-ADDeviceRegistration cmdlet, using, as ServiceAccount, the previously configured Lync2013\fsgmsa$

Open the .cer file of the root CA inside Safari and import it as a profile

Importing Root CA in the iPad

Open the following URL https://aphrodite.lync2013.corp/enrollmentserver/otaprofile and authenticate with Lync2013\IPaduser

Authentication from Safari

Accept the Workplace Join profile

Accepted Workplace Join

Then, back on the Aphrodite DC, I have verified that the device was registered inside AD.
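The server-side steps above gathered into a single script, with the checks I would run before handing the iPad to a user. This is an added example, not code from the original post; it assumes the names used in the post (Aphrodite.lync2013.corp, the FsGmsa gMSA, NetBIOS domain Lync2013) and a placeholder certificate thumbprint that you replace with the real one.

```powershell
# Added example: server-side Workplace Join setup and verification for the lab described above.
# Assumes the names used in the post: AD FS host Aphrodite.lync2013.corp, gMSA FsGmsa, domain Lync2013.
# Run in an elevated PowerShell session, as a Domain Admin, on the AD FS server (also DC and CA in this lab);
# otherwise pass -Credential to Install-AdfsFarm.
Import-Module ActiveDirectory
Import-Module DnsClient

$FederationHost = 'Aphrodite.lync2013.corp'
$UpnSuffix      = 'lync2013.corp'
$GmsaName       = 'FsGmsa'
$GmsaAccount    = 'Lync2013\FsGmsa$'
$Thumbprint     = 'REPLACE-WITH-SSL-CERT-THUMBPRINT'   # placeholder, not a value from the post

# 1. KDS root key (backdated so the key is usable immediately, as in the post) and the gMSA.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName $FederationHost `
        -ServicePrincipalNames "http/$FederationHost"
}

# 2. Pre-flight checks on the SSL certificate: it must be in the machine store and its SAN
#    must carry both the federation service FQDN and enterpriseregistration.<UPN suffix>.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san = if ($sanExt) { $sanExt.Format($false) } else { '' }
foreach ($name in @($FederationHost, "enterpriseregistration.$UpnSuffix")) {
    if ($san -notmatch [regex]::Escape($name)) {
        throw "SAN of certificate $Thumbprint lacks the required name: $name"
    }
}

# 3. DNS: the iPad looks up enterpriseregistration.<UPN suffix> to find the Device Registration
#    Service, so that name must resolve to the AD FS server (A or CNAME record).
$drsName = "enterpriseregistration.$UpnSuffix"
try {
    Resolve-DnsName -Name $drsName -Type A -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "$drsName does not resolve; add an A (or CNAME) record pointing to $FederationHost"
}

# 4. Install the role, build the farm with the gMSA, then initialise and enable Device Registration.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools | Out-Null
Install-AdfsFarm -CertificateThumbprint $Thumbprint `
                 -FederationServiceName $FederationHost `
                 -GroupServiceAccountIdentifier $GmsaAccount
Initialize-ADDeviceRegistration -ServiceAccountName $GmsaAccount
Enable-AdfsDeviceRegistration

# 5. After the iPad has accepted the profile, its device object appears under
#    CN=RegisteredDevices in the domain. This lists what has been registered so far.
function Get-WorkplaceJoinedDevice {
    $base = "CN=RegisteredDevices,$((Get-ADDomain).DistinguishedName)"
    Get-ADObject -LDAPFilter '(objectClass=msDS-Device)' -SearchBase $base `
        -Properties displayName, msDS-DeviceOSType, whenCreated |
        Select-Object displayName, msDS-DeviceOSType, whenCreated
}
Get-WorkplaceJoinedDevice | Format-Table -AutoSize
```

Step 5 is the same verification shown in the screenshot above, done from the console instead of Active Directory Users and Computers.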



Giving Away Free Copies of Getting Started with FortiGate


Getting Started with FortiGate ( ), the book I wrote with Rosato Fabbri, was published by Packt a few months ago and is receiving good feedback.

My way to say thank you to the is to organize a contest to give away TWO printed copies to people residing in the U.S. and in Europe, and TWO e-book copies to people living elsewhere.

The rules are simple: answer with a comment here on the blog (or by answering me on Twitter or LinkedIn) stating why you like FortiGate appliances. I will select the best four answers (with the aforementioned division) and get in touch with the publisher to send the book to you.

I hope that the people receiving the free books will also take the time to write a review ;-)

The contest starts today and will end on 08 March 2014

Looking forward to hearing from you all.

Book Giveaway



Demystifying the News in the Lync Conference 2014 Keynote


I have followed the keynote by Gurdeep Singh Pall at the Lync Conference 2014 in Las Vegas through the video stream on the conference site. I have no insider news and I am not at the conference, so this list of news (and my comments) is simply based on my personal experience, on information available to the public and on what I have seen.

1. Universal Communications: this is the new buzzword you will hear a lot in the next months. Microsoft’s vision is to reach every person using the platform they prefer, including Skype (obviously) but also solutions from other vendors (see points 2, 3, 4 and 5 in the following list, especially support for Android tablets and the “videation” role)

2. There will be a Lync app available in the Google Play store (by the end of June 2014), so Microsoft is adding Android tablets to the list of supported devices.

3. JLync: browsers will be extended with voice and video content. Quoting this post from Eric Krapf, it is a “Javascript wrapper around Web APIs, which enabled the website to deliver that interactive multimedia session inside the browser”. Even if Microsoft is still working with others on the WebRTC standard, they wanted to deliver this kind of feature without having to wait for WebRTC to be ready for market

4. Lync-Skype video federation: it will be tested in the next two months and delivered in six to eight months. Note: please, don’t misunderstand this point. The Skype software will remain dedicated to personal or home use, while Lync will remain a software for business. Microsoft is keeping them separated also by limiting some interoperability features.

5. “Videation” Role: I use the aforementioned name to indicate something that sounds like the Lync Mediation Server but dedicated to video-conferencing systems. Microsoft presented it as a way to integrate Lync with Cisco and Tandberg video teleconferencing systems. IMHO it looks like a software bridge that will replace a lot of hardware we see now on the market. Being software, the capability to expand and update it in the future is really big. It will be available in the next release of Lync (I would bet on names like Lync 2013 R2 or Lync 2014)

6. New features for Lync Online: there will be support for large conferences (up to 1,000 people) and for PSTN calls. The promise is that the aforementioned features are coming later this year. PSTN calls in the Cloud, as everybody knows, are really a game-changer. My opinion, here, is that the forecast is a bit optimistic. However, we will see what happens.

Part 2 of the draft: Chapter 6 DNS, Certificate and Firewall Requirements for Lync Server 2013


Infrastructure requirements

Now that I have outlined the building blocks of a Lync infrastructure, there are three more topics to understand if we want to have a working infrastructure:

  • Firewall rules required to allow communications for Lync clients, Lync servers and for the aforementioned non-Lync servers providing additional services we need
  • DNS settings to make Lync services available both on the internal network and from the Internet
  • Structure of the certificates. Lync is secure by design and digital certificates are mandatory for every Lync 2013 infrastructure

Firewall Rules Required for Lync Server 2013

A deep dive about firewall rules for Lync Server 2013 should include the TechNet article Port Requirements and the Lync 2013 Protocol Workloads poster (i.e. to check the requirements for the different scenarios). However, to make the topic easier to understand, I have tried to create an explanation based on some assumptions.

  • The first assumption I will make here is that your network has a segregated DMZ to make services available to the Internet in a secure manner. A couple of the possible solutions for such a deployment are
    • Using two firewalls. Note: usually the technology used for the firewalls is not important. However, if a SIP trunk is required in our scenario, it is important to have a SIP Application-level gateway (ALG).
    • A three-legged firewall that will create a logical demilitarized zone

There is no difference in the result, from the functionality point of view, in going for the first option or the second one. A single firewall would imply a single point of failure and a higher security risk, because a single Internet-connected device will be exposed both on the DMZ and on the internal network. Having two different firewalls, a front firewall (FW2) and a back firewall (FW1), as shown in figure 6.7, is more secure, especially if we are going to use two different platforms or solutions for security. In the aforementioned scenario, an exploitable security vulnerability in a single technology will not affect the second firewall.

Figure 6.7 A layout including only the firewalls and networks that will have an impact on our Lync deployment

  • The second assumption is that we will not deploy High Availability or load balancing systems (including Enterprise Edition pools of Lync Front Ends). Although you may require them in a real-world design, they add a configuration overhead that will not help in understanding the fundamentals of Lync Server 2013 network traffic requirements
  • The third assumption is that we will use NAT every time a public IP is required. Directly exposing a server to the Internet is usually not the best security solution available
  • The fourth assumption is that the Edge Server will use three addresses on the “external” network interface card to expose services to the Internet. The addresses are the ones we have already seen:


  • Last assumption: no integration or connection with Office Communications Server 2007 deployments or clients is required

We will have to grant the following types of network traffic:

6.1 From servers in the DMZ to servers in the internal network

6.2 From servers in the DMZ to the external network

6.3 From the external network to servers in the DMZ

6.4 From servers in the internal network to servers in the DMZ

6.5 Network traffic related to Lync clients in the internal network

Note: the point 6.5 of the list is interesting only if you have firewalls (or end-point firewalls) separating the networks containing the Lync clients and the Lync servers.

6.1       Network Traffic from servers in The DMZ to Servers in the Internal Network

On the Back-End firewall, FW1, for traffic starting from the reverse proxy, the following ports will be required

Reverse proxy rules on the Back-End firewall (FW1)

Source Interface | Protocol | Source Port | Destination Port | Destination | Service
Internal NIC of the reverse proxy | TCP (HTTPS) | Any | 4443 | Lync Front End | Web Services on the Lync Front End
Internal NIC of the reverse proxy | TCP (HTTPS) | Any | 443 | Office Web Apps Server | PowerPoint presentation sharing


On the Back-End firewall, FW1, for traffic starting from the Edge Server, the following ports will be required

Lync Edge Server rules on the Back-End firewall (FW1)

Source Interface | Protocol | Source Port | Destination Port | Destination | Service
Internal NIC of the Edge | TCP (SIP/MTLS) | Any | 5061 | Lync Front End | Inbound SIP traffic

6.2       Network Traffic from Servers in the DMZ to the External Network

On the Front firewall, FW2, from the Edge Server, the following ports will be required. It is helpful to remind you of the fourth assumption: we have three different IPs on the external network interface of the Lync Edge Server: Access, Webconf and AV. The firewall rules for network traffic from the external network to the Edge will have to point to one of the three IPs, as explained in the following table.

Lync Edge Server rules on the Front-End firewall (FW2)

Source Interface | Protocol | Source Port | Destination Port | Destination | Service
External NIC of the Edge (Access IP) | TCP (XMPP) | Any | 5269 | Federated XMPP partners | Standard server-to-server communication port for XMPP
External NIC of the Edge (Access IP) | TCP (SIP/MTLS) | Any | 5061 | Federation Services and Partners | Lync and Skype Federation using SIP
External NIC of the Edge (AV IP) | UDP (STUN/TURN) | Any | 3478 | Any | STUN/TURN negotiation for candidates
External NIC of the Edge (AV IP) | TCP (STUN/TURN) | Any | 443 | Any | STUN/TURN negotiation for candidates


6.3       Network Traffic from the External Network to Servers in the DMZ

On the Front firewall, FW2, for traffic from the external network to the reverse proxy, the following ports will be required

To the reverse proxy from the external network on the Front-End firewall (FW2)

Source Interface | Protocol | Source Port | Destination Port | Destination | Service
Any | TCP (HTTPS) | Any | 443 | Reverse proxy external network interface | Access to the web services on the Lync Front End


On the Front-End firewall, FW2, for traffic from the external network to the Edge Server, the following ports will be required

To the Lync Edge from the external network on the Front-End firewall (FW2)

Source Interface | Protocol | Source Port | Destination Port | Destination | Service
Any | TCP (SIP/TLS) | Any | 443 | External NIC of the Edge (Webconf IP) | Web Conferencing Media
Any | TCP (SIP/TLS) | Any | 443 | External NIC of the Edge (Access IP) | Client-to-server SIP traffic for external user access
Federated XMPP partners | TCP (XMPP) | Any | 5269 | External NIC of the Edge (Access IP) | Standard server-to-server communication port for XMPP
Federation Services and Partners | TCP (SIP/MTLS) | Any | 5061 | External NIC of the Edge (Access IP) | Lync and Skype Federation using SIP
Any | UDP (STUN/TURN) | Any | 3478 | External NIC of the Edge (AV IP) | STUN/TURN negotiation for candidates
Any | TCP (STUN/TURN) | Any | 443 | External NIC of the Edge (AV IP) | STUN/TURN negotiation for candidates


6.4       Network Traffic from Servers in the Internal Network to Servers in the DMZ

On the Back-End firewall, FW1, for traffic starting from the internal network, the following ports will be required

To the Lync Edge from the internal network on the Back-End firewall (FW1)

Source Interface | Protocol | Source Port | Destination Port | Destination | Service
Lync Front End | TCP (XMPP/MTLS) | Any | 23456 | Internal NIC of the Edge | Outbound XMPP traffic
Lync Front End | TCP (SIP/MTLS) | Any | 5061 | Internal NIC of the Edge | Outbound SIP traffic
Lync Front End | TCP (PSOM/MTLS) | Any | 8057 | Internal NIC of the Edge | Web conferencing traffic
Lync Front End | TCP (SIP/MTLS) | Any | 5062 | Internal NIC of the Edge | Authentication of A/V users
Lync Front End | TCP (HTTPS) | Any | 4443 | Internal NIC of the Edge | Replication of CMS on the Lync Edge
Lync Front End | TCP (STUN/TURN) | Any | 443 | Internal NIC of the Edge | STUN/TURN negotiation for candidates
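A way to check the TCP rules of tables 6.1 and 6.4 from the host that originates the traffic, so that a missing rule on FW1 shows up before the first external call. This is an added example, not part of the book draft: the host names Apollo (Front End), Demeter (Office Web Apps) and the lync2013.dom domain come from the draft, while the FQDN of the Edge internal NIC is an assumption.

```powershell
# Added example: probes the TCP destinations of tables 6.1 and 6.4 with Test-NetConnection.
# Host names follow the draft (Apollo = Front End, Demeter = Office Web Apps, Dionysus = Edge);
# the Edge internal NIC name is assumed. UDP 3478 (tables 6.2/6.3) cannot be probed this way,
# because Test-NetConnection only opens TCP sockets.

$EdgeInternal  = 'dionysus-int.lync2013.dom'   # assumed FQDN of the Edge internal NIC
$FrontEnd      = 'apollo.lync2013.dom'
$OfficeWebApps = 'demeter.lync2013.dom'

# Rules keyed by the role the script runs on, copied from the tables above (TCP only).
$RuleSets = @{
    'FrontEnd'     = @(
        @{ To = $EdgeInternal; Port = 23456; Service = 'Outbound XMPP traffic (MTLS)' }
        @{ To = $EdgeInternal; Port = 5061;  Service = 'Outbound SIP traffic (MTLS)' }
        @{ To = $EdgeInternal; Port = 8057;  Service = 'Web conferencing traffic (PSOM/MTLS)' }
        @{ To = $EdgeInternal; Port = 5062;  Service = 'Authentication of A/V users (SIP/MTLS)' }
        @{ To = $EdgeInternal; Port = 4443;  Service = 'Replication of CMS on the Lync Edge (HTTPS)' }
        @{ To = $EdgeInternal; Port = 443;   Service = 'STUN/TURN negotiation for candidates' }
    )
    'ReverseProxy' = @(
        @{ To = $FrontEnd;      Port = 4443; Service = 'Web Services on the Lync Front End (HTTPS)' }
        @{ To = $OfficeWebApps; Port = 443;  Service = 'PowerPoint presentation sharing (HTTPS)' }
    )
}

function Test-LyncFirewallRules {
    param(
        [Parameter(Mandatory)][ValidateSet('FrontEnd', 'ReverseProxy')][string]$Role
    )
    foreach ($rule in $RuleSets[$Role]) {
        # -InformationLevel Quiet returns $true/$false; ping warnings are suppressed because
        # ICMP is usually blocked between DMZ and LAN and is not part of the rule set.
        $open = Test-NetConnection -ComputerName $rule.To -Port $rule.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Source      = $Role
            Destination = $rule.To
            Port        = $rule.Port
            Service     = $rule.Service
            Reachable   = $open
        }
    }
}

# Run on the Front End (Apollo); the ReverseProxy set is meant to be run on Ares.
$results = Test-LyncFirewallRules -Role FrontEnd
$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} rule(s) from table 6.4 are not reachable; check FW1 and the Edge host firewall" -f $blocked.Count)
    $blocked | ForEach-Object { Write-Warning ("  {0}:{1}  {2}" -f $_.Destination, $_.Port, $_.Service) }
}
```

A port reported as reachable only proves that FW1 and the Edge host firewall let the TCP handshake through; the MTLS rows still need a valid certificate on both sides before Lync traffic flows.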


6.5       Network Traffic Related to Lync Clients in the Internal Network

The following rules are required on any end-point firewall and on any internal firewall that controls traffic coming from the Lync clients on the internal network.

From | To | Feature | Port | Bidirectional | Note
Internal Client | Lync Front End | Presence and IM | | |
Internal Client | Lync Front End | AV and Web Conferencing | | |
Internal Client | Lync Front End | Application Sharing | | |
Internal Client | Lync Front End | Enterprise Voice | | |
Internal Client A | Internal Client B | AV and Web Conferencing | | | Peer to Peer Sessions
Internal Client A | Internal Client B | Application Sharing | | | Peer to Peer Sessions
Internal Client | Lync Edge | AV and Web Conferencing | | |
Internal Client | Lync Edge | Application Sharing | | |
Internal Client | Lync Edge | Enterprise Voice | | |
Internal Client | Exchange UM | Enterprise Voice | | |
Internal Client | Voice Gateway | Enterprise Voice | | | With Media Bypass
Internal Client | Director | Presence and IM | | |


Notes Related to the Firewall Rules Required for Lync Server 2013

The Lync Server 2013 Edge Server requires DNS resolution and HTTP access to the certificate revocation lists. Depending on your network design, the aforementioned services could be on the Internet or could be available through services on the internal network (like a proxy). The following rules are to be adapted to your network layout


Additional Lync Edge Server rules on the Front-End firewall (FW2) or on the Back-End firewall (FW1)

Source Interface | Protocol | Source Port | Destination Port | Destination | Service
External NIC of the Edge (Access IP) | TCP | Any | 53 | DNS servers for DMZ | DNS resolution
External NIC of the Edge (Access IP) | UDP | Any | 53 | DNS servers for DMZ | DNS resolution
External NIC of the Edge (Access IP) | TCP (HTTP) | Any | 80 | Depends on the HTTP navigation service available | CRL verification


The Centralized Logging Service (a new feature in Lync Server 2013) requires additional ports on the back-end firewall (for more details see the TechNet article Using the Centralized Logging Service)

Lync Edge Server rules on the Back-End firewall (FW1) for centralized logging

Source Interface | Protocol | Source Port | Destination Port | Destination | Service
Centralized Logging Service | TCP (MTLS) | Any | 50001 | Internal NIC of the Edge | Centralized Logging Service
Centralized Logging Service | TCP (MTLS) | Any | 50002 | Internal NIC of the Edge | Centralized Logging Service
Centralized Logging Service | TCP (MTLS) | Any | 50003 | Internal NIC of the Edge | Centralized Logging Service

Part 1 of the draft is available here

How Much do I Have to Spend to Bring Microsoft Lync in My Company?


I have just published a review dedicated to Microsoft Lync 2013 adoption costs on IT Central Station.


Part 1 of the draft: Chapter 6 DNS, Certificate and Firewall Requirements for Lync Server 2013


This is the first part of the draft for a new chapter of Microsoft Lync Server 2013: Basic Administration ( ). Feedback and suggestions are welcome, especially at this early stage.

In Chapter 2 I have shown a DNS configuration with split name resolution, just because it was required to build your Lync 2013 laboratory. Now it is important to clarify some basic concepts.

What is DNS (in Six Lines)

Machines and human beings have a different logic. So, while a computer is comfortable finding another computer with a 12-digit hexadecimal value (the MAC address) or with another numeric value like the IP address, you and I have to use names to find a computer (or a specific service) among the others. The DNS server keeps a list of hostnames (or services) paired with one (or more) IP addresses, so that you are able to access network objects and services in an intuitive manner, with a name that is easy to remember.

Why DNS is Fundamental for Lync Server 2013

With the release of Windows 2000, Microsoft decided that DNS was the right (and only) tool to publish the infrastructure of network services. Authentication, access to data and (of course) unified communications with Lync are all made available using DNS servers. Fully qualified domain names (FQDNs) like Apollo.Lync2013.Dom will be required to build your Lync infrastructure, along with the so called Service Records (SRV records) that identify a network service with an FQDN and a port number (for example a public SRV record, on TCP port 5061, pointing to that is required to enable Lync Dynamic Federation). If a required FQDN or SRV record is misconfigured or not available, a part of the services from Lync Server will not be available.
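A check for SRV records of the kind the draft describes (a service name resolving to an FQDN plus a port), as an added example that is not part of the book draft. The draft only names the port (TCP 5061) for Dynamic Federation; the SRV names _sipfederationtls._tcp and _sipinternaltls._tcp, the lync2013.dom SIP domain and the public resolver used are assumptions of this example.

```powershell
# Added example: verifies that a Lync SRV record exists, points to the expected port and
# has a target that resolves to an address record (RFC 2782 forbids a CNAME as SRV target).
# Record names, SIP domain and resolver are assumptions, not values from the draft.
Import-Module DnsClient

function Test-LyncSrvRecord {
    param(
        [Parameter(Mandatory)][string]$Service,       # e.g. _sipfederationtls._tcp
        [Parameter(Mandatory)][string]$Domain,        # the SIP domain
        [Parameter(Mandatory)][int]$ExpectedPort,
        [string]$Server                               # optional DNS server to query
    )
    $name  = "$Service.$Domain"
    $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    try {
        $srv = Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' }
    } catch {
        return [pscustomobject]@{ Record = $name; Status = 'MISSING'; Detail = $_.Exception.Message }
    }
    foreach ($r in $srv) {
        $detail = "-> {0}:{1} (priority {2}, weight {3})" -f $r.NameTarget, $r.Port, $r.Priority, $r.Weight
        if ($r.Port -ne $ExpectedPort) {
            [pscustomobject]@{ Record = $name; Status = 'WRONG PORT'; Detail = "$detail, expected $ExpectedPort" }
            continue
        }
        # The target FQDN must resolve on its own; a CNAME answer means the record is not compliant.
        $target  = Resolve-DnsName -Name $r.NameTarget -ErrorAction SilentlyContinue
        $hasAddr = $target | Where-Object { $_.Type -in 'A', 'AAAA' }
        $isCname = $target | Where-Object { $_.Type -eq 'CNAME' }
        $status  = if (-not $hasAddr) { 'TARGET UNRESOLVED' }
                   elseif ($isCname)  { 'TARGET IS CNAME' }
                   else               { 'OK' }
        [pscustomobject]@{ Record = $name; Status = $status; Detail = $detail }
    }
}

# Because of the split name resolution described above, the internal record is checked against
# the internal DNS (the default resolver of the lab) and the public record against an Internet
# resolver, so that a record present only on one side is detected.
Test-LyncSrvRecord -Service '_sipinternaltls._tcp'   -Domain 'lync2013.dom' -ExpectedPort 5061
Test-LyncSrvRecord -Service '_sipfederationtls._tcp' -Domain 'your-public-sip-domain.example' `
                   -ExpectedPort 5061 -Server '8.8.8.8'
```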

The Basic Diagram of a Lync Deployment We Will Use in the Chapter

The explanation of the Lync requirements will start from the diagram in figure 6.1 (identical to the one shown in figure 2.2), representing the minimal infrastructure required to deploy a Lync Server 2013 that is available also to external users

Figure 6.1 A minimal working infrastructure of Lync Server 2013 including external users

To explain the Lync infrastructure, as I said, we will need to add names and network addresses (IPs) to our Lync design. To grant the name resolution we will use the same DNS server that is already required for the Active Directory Domain Services (AD DS).

Note: Two different DNS name resolutions will be required, one for the Internet and one for the internal network. The latter is the one that will take advantage of the existing DNS server.

Lync Server 2013: Internal Network

In figure 6.2 I have added names, network addresses and Virtual LANs (VLANs) to the schema shown in the previous figure 6.1

Figure 6.2 The previous Lync diagram, populated with names, IPs and VLANs

Servers located in the LAN

The Domain Controller, Aphrodite, will be in charge of user authentication, permissions and the DNS service. Lync is built over Active Directory, so the internal deployment will require a Domain with the following requirements:

  • All domain controllers have to run at least Windows Server 2003 (32-bit or 64-bit versions)
  • Domain functional level at least Windows Server 2003
  • Forest functional level at least Windows Server 2003

Note: see the TechNet post Active Directory Infrastructure Requirements for additional information

For a user connected to the internal LAN, all the services are available directly on the Front End (Apollo). A part of the aforementioned Lync services (like dialin and meet) will be deployed through the locally installed Internet Information Services (IIS) feature and will be reachable on ports 80 and 443 of Apollo.

On Apollo we will have a second group of web services, similar to the aforementioned ones, but listening on TCP ports 8080 and 4443. It is easy to distinguish them using the default names Internal Web Site (listening on TCP ports 80 and 443) and External Web Site (listening on TCP ports 8080 and 4443)

Figure 6.3 The IIS configuration on a Lync Server 2013 Front End

The External Web Site will be used to provide the services to the external users through a reverse proxy

In figure 6.4 I have expanded the Internal Web Site of Lync

Figure 6.4 The IIS “Internal” site on a Lync Server 2013 Front End

As soon as we share a PowerPoint presentation during a meeting, we will be redirected to TCP port 443 (or 80) of the Office Web Apps Server (Demeter).

Note: Lync mobile clients will always require access to the Lync services as if they were coming from the Internet, even if they are connected to an internal network (see next paragraphs)

Servers located in the DMZ

To make Lync Server 2013 available to external users, we will publish the services from the single Front End through two different servers that we will locate in a Demilitarized Zone (DMZ). The servers should be standalone (or, at least, not part of the internal Active Directory Domain). Both servers should have two different network interfaces (NICs), one dedicated to talk with the internal LAN and the other one to be published on the Internet with Network Address Translation (NAT). I have also physically segregated the two logical networks using VLANs, so that communication from one NIC to the other one will never mix. VLAN2 will be connected to the internal LAN through a back-end firewall, while VLAN3 will be connected to the Internet using a front-end firewall.

The web services of the Lync Front End will be published using a reverse proxy (Ares) that will answer on a public Internet IP on TCP port 443 and will proxy the requests to port 4443 of the Front End (or on TCP port 80 to proxy to port 8080 of the Front End). If we share a PowerPoint presentation in a meeting that contains external users, the reverse proxy will redirect them to TCP port 443 of the Office Web Apps Server. ANY reverse proxy solution should work, including Windows Server 2012 R2 Web Application Proxy (I have shown how to configure it for Lync 2013 in this video: ). Forefront Threat Management Gateway is also a solution that many companies have used over the past years (please consider that the whole Forefront family of products is “ending its life”).

All the remaining services will be deployed using a dedicated Lync server role, the Lync Edge Server (Dionysus) that has to be defined and published using the Lync Topology Builder (more details on Edge Server and Topology Builder will be added in further chapters). Three network addresses will be required to publish the Edge services. Lync supports two different configurations on your front-end firewall and Lync Edge Server:

  • A single public IP and a single public name for the three services, Access Edge, Web Conferencing Edge and A/V Edge (with three different TCP ports listening)
  • A simpler deployment with three public addresses, one for each of the three aforementioned services.

In figure 6.5 you can see the option that enables the use of a single public name and IP

Figure 6.5 The “Use a single FQDN and IP address” option in the Topology Builder

In figure 6.6 I have shown the two different configurations you will see while building the Lync Topology. On the left, the scenario if we select a single IP and a single FQDN. On the right, the scenario with multiple IPs and FQDNs

Figure 6.6 On the left, “Use a single FQDN and IP address” enabled. On the right, multiple FQDNs and addresses

Note: It is easy to understand that the solution using a single IP will be less “costly”, but it will be more prone to problems with external firewalls, because it moves the services from the “standard” TCP port 443 to a group of custom TCP ports.

Part 2 of the draft is available here

My Review of FortiGate on IT Central Station


I have just published a short review of the FortiGate appliances on IT Central Station. I have tried to point out five aspects that could interest people that are going to evaluate or buy Fortinet’s solution.



Look at it here