27 June 2012

Edge Server Quick Reference Guide - Install and Troubleshoot

I use this page to speed up the deployment all the time :-p
#Adding the persistent Route
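route -p add 192.168.99.0 mask 255.255.255.0 192.168.99.252 if <interface index>
(<dest net> = 192.168.99.0, <default route> (gateway) = 192.168.99.252; the interface index is listed by "route print")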

#Get Replication status
Get-CsManagementStoreReplicationStatus

#Force Replication
Invoke-CsManagementStoreReplication

#Exporting for Edge
Export-CsConfiguration -FileName c:\edge.zip

#Importing to Edge
Import-CsConfiguration -FileName c:\LXLSupport\edge.zip -LocalStore

#Testing the Ext interface - From Internet
telnet <public IP/FQDN> <port>, for ports 5061 and 443

#Testing the Internal interface - From LAN
telnet from:
Lync FE to Edge IP/FQDN on ports 5061, 5062, 443 and 4443 (4443 is used for replication)

#Testing the Internal interface - From DMZ
telnet from:
EDGE to IP/FQDN of Lync FE port 5061
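
Added example, not part of the original post: the telnet client is often not installed on servers, so the same three checks can be run from PowerShell with a plain TCP connect and a timeout. The function name Test-TcpPort and every hostname in the comments are placeholders made up for this example.

```powershell
# Added example: TCP reachability check for the port lists above.
# Uses only .NET TcpClient calls, so it also works on older PowerShell versions.
function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$Target,
        [Parameter(Mandatory = $true)][int[]]$Ports,
        [int]$TimeoutMs = 3000
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open   = $false
        $detail = ''
        try {
            $async = $client.BeginConnect($Target, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                # EndConnect throws if the port refused the connection
                # or the name did not resolve.
                $client.EndConnect($async)
                $open = $true
            } else {
                # No SYN/ACK and no reset: usually a firewall dropping the traffic.
                $detail = "no answer within $TimeoutMs ms"
            }
        } catch {
            $detail = $_.Exception.Message
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{
            Target = $Target; Port = $port; Open = $open; Detail = $detail
        } | Select-Object Target, Port, Open, Detail
    }
}

# Run the line that matches the machine you are on (hostnames are placeholders):
#   From the Internet, against the Edge external interface:
#     Test-TcpPort -Target 'sip.example.com' -Ports 5061, 443
#   From the Lync FE, against the Edge internal interface:
#     Test-TcpPort -Target 'edge01.example.local' -Ports 5061, 5062, 443, 4443
#   From the Edge (DMZ), against the Lync FE:
#     Test-TcpPort -Target 'lyncfe01.example.local' -Ports 5061
```

A refused connection means the host was reached but nothing is listening on that port; a timeout usually points at a firewall rule between the two networks.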


# Ensure the Edge servers of the Federated Partners trust the certificate authority used by the other.

# Check SRV Record for Federation
nslookup -type=SRV _sipfederationtls._tcp.<FederationDomain>


# Test Edge infrastructure with MSTURNPING - Another beauty from the ResKit

It only runs on the Edge server
It needs the Edge Public cert to exist on the FE
If you have multiple Edge pools they will need to have access to each other
And of course they use internal DNS to look each other up

More Edge Stuff...

Make sure you can:-

  • Resolve the Lync server and DC on internal interface (via DNS or Hosts)
  • Resolve the internal CA to verify internal Certificates (via DNS or Hosts)
  • External interface is used for resolving federation traffic.

    Getting the cert from the internal CA...Of course you can add the external cert to both edge interfaces as long as the Lync server trusts the issuing authority.

A little pain I had was that after generating the request I tried connecting to the CA web (https://<CA FQDN>/certsrv) with no joy of course. I couldn't even connect from the CA itself, very frustrating.

Then I found that you can launch the CA management console and request the cert straight from there...awesome! (newbie...)

How to check Lync FE Certificates for CMS from Edge Server
Export the certificate from the server hosting the CMS (without the private key).
Copy the file to the edge server (C:\tmp\CMSCert.cer).
From a command prompt run:-
certutil -verify -urlfetch "C:\tmp\CMSCert.cer" > c:\CRL.TXT

This command runs a check on the certificate (including accessing the CRLs) and dumps the results to a text file. It may take a few minutes to complete.
Now simply check the CRL.TXT file for errors.
