In Part 1 we covered the basic physical, virtual machine and networking setup. In this section we will build the domain, install certificate services, office web apps server and exchange 2013. Please note that these setup processes will not be a deep dive step by step guide and will expect you to have a base knowledge of all technologies discussed.
Building the Domain
On the VM DC01 install Active Directory Domain Services and DNS roles. Once installed promote DC01 to a domain controller. Remember to name your Active Directory Domain the same as your external Public domain name. Once promoted reboot the server and continue to configure DNS. There are several DNS records internally required for Lync 2013 and these need creating manually in the AD DNS Zone. Add the following DNS records to the AD Zone:
|Name||Type||IP / Destination|
Once these have been created, the next stage is to install the Active Directory Certification Authority role. When you install this role, select only the Certificate Authority and Certificate Web Enrollment feature. Other features are not required for the purpose of this lab. Once installed, configure the Certificate Authority to complete the installation. There will be some additional work on the CA required to ensure that we have the correct certificate templates required for the reverse proxy and external interface of the edge server. We will also be changing the CRL distribution point to a web server publicly available so that external clients can properly process the certificate revocation checks. I have had issues where this is not done, so for the purpose of this lab we will be covering this in a little more detail. It appears that the Lync Client (especially the mobile client) perform a certificate revocation check against any certificate, internal or otherwise. By default ADCS publishes its CRLs to Active Directory only. This gives internal domain joined machines the ability to perform these lookups, but the problem starts when you try and use internal CA certificates outside the domain either on workgroup machines or internet machines. In order to provision certificates to meet both internal and external certificate validation demands, we need to publish the internal CA CRLs to a publicly available web server. In this lab guide you may have noticed we have made a port forward rule in our firewall for port 80 to NAT to the IP address of the DC. Yes, I know this would be domain suicide in the real world but as it is a lab – who cares! Strangely revocation checks can only be performed over http (80) and not https. If you are using port 80 already, then you may need to reverse proxy this service.
Revocation List Gotchas
Before we go ahead and configure the CA for this, be aware that any certificates issued by the CA up to this point will need re-issuing. Also be aware that CRL URLs need to be in http://FQDN/CAName.crl format. You cannot have a CRL in a subfolder of the FQDN like http://FQDN/Certs/YourCA.crl For whatever reason I don’t know whenever I tried this the CRL point would not write properly into the certificates when issued.
Configuring the CA CRL Web Distribution Point
- Open the IIS on the DC and create a new website, separate to the default website. When choosing bindings enable http only and choose port 80. In the hostname box on bindings enter “crl.domain.com” (without quotes and subbing the domain.com to your domain name). This will configure IIS to redirect web requests with this url in its header to this website.
- Store the Website Directory in C:\Inetpub\wwwroot\ and call the directory CertServices. Make sure that DC01$ computer account has full control
- On the website you created Open Request Filtering, Select the Rules tab and choose the Edit Feature Option from the right control pane. Check the box that says “Allow Double Escaping” and commit the changes
- Exit IIS
- Now open the Certificate Authority MMC Snapin and right click on the certificate authority name and select properties
- Click on the extensions tab and make sure that CRL Distribution Point (CDP) is the selected extension
- I chose at this point to remove AD as a published CRL point, so you can remove all the point locations from the list at this time
- Click on add
- In the location box enter http://crl.domain.com/<Your CA Name> then choose <CRL Name Suffix> from the variable select box and press insert. Then choose <DeltaCRLAllowed> from the same selection box and press insert. Then go back to the location box and append “.crl” at the end. <Your CA Name> is the name you gave to your CA. so the location should look something like this:
- Check the boxes Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates
- Click on add again
- This time we need to add the file location where the CRL files will be published to. This will be the folder you created in wwwroot. In the location box enter c:\inetpub\wwwroot\CertServices\<Your CA Name><CRLNameSuffix><DeltaCRLAllowed>.crl following the same principal as before. This location should look something similar to this
- Check the box that says Publish CRLs to this Location and Publish Delta CRLs to this Location
- Press OK to finish and restart certificate services
- Next right click on Revoked Certificates and select All Tasks > Publish and choose New CRL and press Ok
At this point if you check the folder CertServices you should notice 2 files being created. One says DOMAIN-CA.crl and the other DOMAIN-CA+.crl These are your revocation lists. Browse to http://crl.domain.com/DOMAIN-CA.crl to ensure you can download these as a test it is working as expected.
Creating a Web Certificate Template for Reverse Proxy and Edge External Certificates
In order to enroll these servers with Subject Alternative Names and exportable private keys we need to create a duplicate template of the built in Web Server certificate template. In the CA MMC snapin right click on templates and slect Manage
- Right click on the Web Server template and click Duplicate Template
- Click on the General Tab and rename to Website Certificates
- Click on Request Handling and check the box to allow the private key to be exported
- Click on the Security tab and change the permission of authenticated users to Enroll and Auto Enroll
- Press OK
- Exit Certificate Template Manager
Exit the CA MMC snapin. This completes the CA setup
Create the Lync File Share
On DC01 create a simple folder in the root of C:\ called LyncShare. Share this folder giving the group Everyone full control on both share and NTFS permissions. This will be used to hold conference and user shared data when we come to install Lync, you cannot install without this share being in place already.
Installing Exchange 2013
You will need to install Exchange 2013 in your lab if you want to configure and explore Unified Messaging, IM and Presence in OWA, Unified Contacts Store and Calendar Free/Busy features of the Lync Client. You will need to install Exchange 2013 on the VM EX01 Copy the exchange service pack 1 file you downloaded in Part 1 to EX01. You will need to install the server role prerequisites for both the CAS and Mailbox roles on this server before launching exchange setup. You can find the powershell commands to install these roles and features in another blog post of mine here. Once the server is ready you can run the setup file on the exchange service pack folder extraction to install exchange. This is not a best practice approach to installing exchange here. The goal of this install is to get exchange installed with the minimum most basic configuration in order to explore the features it brings to Lync 2013. For a more in depth deployment of exchange please visit my blog in the future for a deep dive into exchange best practices coming soon.
Once exchange is installed the first thing you will need to do is generate a certificate from your internal CA to use for IIS, SMTP and UM services. Open MMC and add the local computer certificate snapin. Request a new certificate and choose the Website Certificates template. You will need to fill out some additional information. Add the common name (CN) to the issued to field as the following mail.domain.com (replacing domain.com with your own). Add this as a DNS name to the subject alternative name field. Add an additional DNS name for autodiscover.domain.com and a 3rd DNS name called EX01.domain.com Click the general tab and rename the certificate friendly name to ExchangeCertificate and press OK. Enroll the certificate to complete the request.
Your generated certificate should now be issued to mail.domain.com and have the following Subject Alternative Names:
The CRL Distribution Point URL on the certificate should state the following:
If this is correct open Exchange Management Shell. We need to apply this certificate to Exchange and its services
Run the following command in EMS
This will produce an output showing the installed certificates that can be used for exchange. Identify the one you have made and copy the certificate thumbprint into the clipboard. Next run the following command to assign the certificate
Enable-ExchangeCertificate -Thumbprint <cert thumbprint> -Services IIS,SMTP
Accept the overwrite prompt with a Y
We will need to assign this certificate to the UM and UM Call Router service later, but we cannot do that at this moment because we have no DialPlans. This will come in a later part of the Lab Guide.
Now we need to set the Exchange Web Services URLs we can do this in EMS like so
Get-WebservicesVirtualDirectory -Server EX01 | Set-WebservicesVirtualDirectory -InternalURL https://mail.domain.com/EWS/Exchange.asmx -ExternalURL https://mail.domain.com/EWS/Exchange.asmx Get-OwaVirtualDirectory -Server EX01 | Set-OwaVirtualDirectory -InternalURL https://mail.domain.com/owa -ExternalURL https://mail.domain.com/owa Get-ecpVirtualDirectory -Server EX01 | Set-ecpVirtualDirectory -InternalURL https://mail.domain.com/ecp -ExternalURL https://mail.domain.com/ecp Get-ActiveSyncVirtualDirectory -Server EX01 | Set-ActiveSyncVirtualDirectory -InternalURL https://mail.domain.com/Microsoft-Server-ActiveSync -ExternalURL https://mail.domain.com/Microsoft-Server-ActiveSync Get-OABVirtualDirectory -Server EX01 | Set-OABVirtualDirectory -InternalUrl https://mail.domain.com/OAB -ExternalURL https://mail.domain.com/OAB Set-ClientAccessServer EX01 -AutodiscoverServiceInternalUri https://mail.domain.com/Autodiscover/Autodiscover.xml Set-OutlookAnywhere -Identity “EX01\Rpc (Default Web Site)” -InternalHostname mail.domain.com -ExternalHostName $mail.domain.com -InternalClientAuthenticationMethod ntlm -InternalClientsRequireSsl:$True -ExternalClientAuthenticationMethod NTLM -ExternalClientsRequireSsl:$True
Now once this has been done we need to restart IIS by running this command
Exchange is now configured for Free/Busy status using the Lync Client. Unified Contacts Store and IM and Presence features will be covered in the UM section of this guide.
Installing Office Web Apps Server
Next we need to install the Office Web App Server to VM WA01 On this server you will need to install the required server roles and features. You can do this by using the following Powershell command and also join to domain.
You will need to copy the Office Web Apps Server installation file to the WA01 server you downloaded in Part 1. You will need to download Office Web Apps Service Pack 1 too as I had issues with WAC health statuses and SP1 fixed these. Install WACServer first and reboot. Then install Service Pack 1 and reboot.
Once these are installed open MMC and add the local machine certificates snapin. Under Personal > Certificates right click and request a new certificate. Choose the Website Certificates template and add the principal common name in the subject field of wa01.domain.com and add this as a DNS name to the Subject Alternative Name. Under general tab name the certificate OWACert and complete the request.
Next open Powershell and run the following commands to create the WAC server farm
Import-Module OfficeWebApps New-OfficeWebAppsFarm -InternalURL https://wa01.domain.com -ExternalURL https://webapp.domain.com -CertificateName OWACert -SSLOffloaded:$true
Press Y to confirm AllowHTTP as we are offloading SSL requirements to the Reverse Proxy Server for external connections
Run the following command to test the health of the WAC server
Once it reports healthy the server is good to use with Lync. I found that if you do not get this server to report a healthy status powerpoint sharing does not work properly with Lync so this is important.
Installing the Reverse Proxy Server
For reverse proxying https web requests we are going to use IIS ARR which is an extension you install to IIS. On the RP01 server you will need to join to the domain (makes easier for certs – although in production this would be workgrouped in a DMZ). Install IIS role using the following powershell
Import-Module ServerManager Add-WindowsFeature Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Net-Ext,Web-Http-Logging,Web-Request-Monitor,Web-Http-Tracing,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Console,NET-Framework-Core,NET-Win-CFAC,NET-Non-HTTP-Activ,NET-HTTP-Activation,RSAT-Web-Server
Next download the ARR module here: http://www.iis.net/downloads/microsoft/application-request-routing and install it
Once it is installed we need to create a certificate for the web services. The certificate we are going to use will contain all the SANs for Lync, Exchange and Web App so we don’t need to mess around with IIS too much. Open the local machine certificates MMC snapin and right click on personal certificates and request a cert from your internal CA.
- Choose the Website Certificates template and customise the properties
- Add the subject CN name of lyncweb.domain.com
- In the Subject Alternative Name add the following DNS SANs
- Choose the general tab and provide a certificate friendly name and complete enrolment
Next open IIS and expand the default website, add a binding for https port 443 and choose the certificate you created
Next we need to create the server farms for Lync, Exchange and Webapp services
- On the server home page in IIS open Request Filtering and select Edit Feature settings from the right hand navigation pane
- Change the value of the Maximum allowed content length to 4294967295 and press OK. Exit the request filtering feature
- Right click on server farms and create a new server farm. Name this autodiscover.domain.com
- Add the exchange server EX01.domain.com as the backend server and press Ok
- Under this server farm disable caching
- Under Proxy settings for this farm increase the timeout to 240 seconds
- Under Routing rules enable Use URL Rewrite to inspect incoming requests and disable SSL Offloading. Click Apply
- IIS will prompt to autocreate the re-write rules, press yes.
- Repeat steps 3 to 8 using mail.domain.com as the farm name and EX01.domain.com as the backend server
- Repeat steps 3 to 8 using webapp.domain.com as the farm name and WA01.domain.com as the backend server
- Next create one more server farm called ls01.domain.com and then we need to add ls01.domain.com as the backend server. however, before we add this server select advanced settings from add a back end server page and change the ports from 80 and 443 to 8080 and 4443, then add the server.
- Once the server farms have been created, we need to create the rewrite rules. To do this click on the server home page and select URL Rewrite feature
- Remove all HTTP auto created rules
- Edit each HTTPS rule to match for the specific URLs for each server farm. like so
- Ensure the rewrite rule for ls01.domain.com is the last rule to be applied
Once this has been done, test your web urls from a remote connection or by using the hosts file to redirect URLs to the IP address of the Reverse Proxy server.
Now that this has been done, the next task is to build the PBX system. In Part 3 we will discuss this.
Mark is an Independent Microsoft Teams Consultant with over 15 years experience in Microsoft Technology. Mark is the founder of Commsverse, a dedicated Microsoft Teams conference and former MVP. You can follow him on twitter @UnifiedVale