Lync Mobility Deployment Guide
1. Lync Mobility Deployment
Tom Arbuthnot, Consultant, Modality Systems and Lync MVP
@tomarbuthnot, http://www.lyncdup.com, tom.arbuthnot@modalitysystems.com
Justin Morris, Consultant, Modality Systems
@jm_deluxe, http://www.justin-morris.net, justin.morris@modalitysystems.com
2. Agenda
• Step by Step Deployment Guide
– Prerequisites, DNS, Certificates
– Reverse Proxy, Push Notifications
• The Lync Mobile Sign-In Process
• Top 5 Issues
• Do I need lyncdiscoverinternal?
• Monitoring Performance of Mobility
• Questions
19/01/2012 Microsoft Unified Communications User Group London (MUCUGL) 2
3. Mobility Service Deployment in 7 slides
• Cumulative Update 4 on all Servers
• Mobility DNS Requirements
• New FE listening ports and IIS changes
• Install the MCX Service
• Certificate Updates
• Reverse Proxy Rule Update
• Add Lync Online Federation for Push Notifications
4. Cumulative Update 4 First
• CU4 on all servers
• CU4 DB Update
– Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn <EEBE.Fqdn> -UseDefaultSqlPaths
5. DNS Requirements
• Lync Mobile uses two DNS records to discover the server to register to: lyncdiscover and lyncdiscoverinternal
• CNAME and Host (A) records are supported
• Internal DNS: lyncdiscoverinternal.domain.com points to the Lync pool/Director DNS record
• External DNS: lyncdiscover.domain.com, external (and reachable internal), points to the external Reverse Proxy
• Lyncdiscover returns the proxy FQDN. This needs to be resolvable internally
6. New FE Listening Ports and IIS changes
• Set-CsWebServer -Identity lync.domain.com -McxSipPrimaryListeningPort 5086
• Set-CsWebServer -Identity lync.domain.com -McxSipExternalListeningPort 5087
• Re-enable the topology to enact these IIS changes
– Enable-CsTopology
• There is also an additional IIS feature requirement
– Import-Module ServerManager
– Add-WindowsFeature Web-Server, Web-Dyn-Compression
7. Install the MCX Service
• Download the McxStandalone.msi installation package and save it into the following existing directory on each Lync server where it will be installed.
• C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577.0\setup
• C:\Program Files\Microsoft Lync Server 2010\Deployment\Bootstrapper.exe
8. Certificate Updates – Internal and External
• Internal FE certs
– Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint <Certificate Thumbprint>
– This will add the lyncdiscover and lyncdiscoverinternal names to the FE cert
• Externally, discovery can be done over http (80) or https (443); if using https, the external cert requires the lyncdiscover.domain.com SAN
• Both are required for each supported SIP domain on the system
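Added example (not from the original slides): a PowerShell check of the certificate points above. For each SIP domain it reads the certificate served on https for lyncdiscover.<SIP domain>, reports whether that name is covered by a SAN, and shows which root the chain ends at. The domain list is a placeholder and Get-RemoteCertificate is a helper name made up for this example.

```powershell
# Added example, not part of the original deck.
$SipDomains = @('domain.com')   # assumption: placeholder, list every supported SIP domain
$Port = 443                     # https discovery; http (80) presents no certificate

function Get-RemoteCertificate {            # hypothetical helper name
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so it can be inspected; trust is evaluated below.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

foreach ($domain in $SipDomains) {
    $name = "lyncdiscover.$domain".ToLower()
    try {
        $cert = Get-RemoteCertificate -HostName $name -Port $Port
    } catch {
        Write-Warning "$name : no TLS certificate retrieved ($($_.Exception.Message))"
        continue
    }
    # SAN extension (OID 2.5.29.17). Format() returns text such as
    # "DNS Name=a.example, DNS Name=b.example"; the label is localised, so match on "=".
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = @([regex]::Matches($sanExt.Format($false), '=\s*([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value.ToLower() })
    }
    # The chain is built against THIS machine's trust store. A phone has its own
    # store, so the root subject is reported for comparison with the device's list.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    New-Object PSObject -Property @{
        Name           = $name
        SanCoversName  = (($sans -contains $name) -or ($sans -contains ('*.' + $domain.ToLower())))
        ChainBuildsOk  = $chainOk
        RootSubject    = $root.Subject
        NotAfter       = $cert.NotAfter
    }
}
```

A row with SanCoversName False means https discovery for that SIP domain will fail certificate name validation on the client.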
9. New Reverse Proxy Rule
• To allow access from the outside for the mobile clients
• It can be added to your existing reverse proxy rule set for Lync
• Full Reverse Proxy setup steps on Adam’s imaucblog.com
• Port 80 required for http discovery
10. Federation to Lync Online for Push
• New-CsHostingProvider -Identity "LyncOnline" -Enabled $true -ProxyFqdn "sipfed.online.lync.com" -VerificationLevel UseSourceVerification
• New-CsAllowedDomain -Identity push.lync.com -Comment "Mobile Push Notifications"
• Set-CsPushNotificationConfiguration -EnableApplePushNotificationService $true -EnableMicrosoftPushNotificationService $true
11. Summary: Mobility Service Deployment
• Cumulative Update 4 on all Servers
• Mobility DNS Requirements
• New FE listening ports and IIS changes
• Install the MCX Service
• Certificate Updates
• Reverse Proxy Rule Update
• Add Lync Online Federation for Push Notifications
13. Lync Mobile Sign-In Process
Internal
1. Mobile device locates lyncdiscoverinternal.<SIP FQDN> record via internal DNS
2. External MCX URL is returned
3. Lync Mobile client communicates with external web service (4443 MCX virtual directory) by hair-pinning the reverse proxy
14. Lync Mobile Sign-In Process
External
1. Mobile device locates lyncdiscover.<SIPFQDN> record via external DNS
2. External MCX URL is returned
3. Lync Mobile client communicates with external web service (4443 MCX virtual directory) via the reverse proxy
15. Lync Mobile Sign-In Process
Authentication and In-Band Provisioning
1. Web ticket request is made for a client
certificate for authentication.
2. SIP REGISTER packet comes from the Lync
Front End on the listening port e.g. 5087.
3. Do I have a mobility policy granted to me?
4. In-band provisioning occurs:
– Voicemail URI, ABS URL, dial plan, voice policy.
5. Contact list and contact cards are retrieved.
16. Top Mobile Client Issues
• Account details (domain\username) required if UPN is different to SIP URI, e.g.
– UPN: justin.morris@contoso.int
– SIP URI: justin.morris@contoso.com
• Check EWS connectivity – requires same as desktop client.
• URL filtering in IM breaks push notifications.
• McxStandalone.msi must be run using Bootstrapper.
17. Do I need lyncdiscoverinternal?
• Mobile clients won’t trust your internal CA. Who has a public certificate on their FEs?
• Deploying the root CA certificate to all mobile devices is unlikely to happen.
• Solution: route all internal lyncdiscover.sipdomain traffic to the external interface of the Reverse Proxy.
18. Monitoring Performance of Mobility
• Why do we do this?
– Ensuring we have the capacity to support users.
– Predicting when extra capacity is required.
• How do we do this?
– Can be monitored from within IIS -> Worker Processes.
– CsIntMcxAppPool and CsExtMcxAppPool CPU% should be under 15%
19. Questions?
Sources: Brendan Carius - http://blog.kloud.com.au/2011/12/12/lync-2010-mobility-do-i-need-lyncdiscoverinternal/
http://blog.kloud.com.au/2011/12/12/lync-2010-mobility-sign-in-internals/