Tag: Server Roles

How the Load Balancer Fits into Skype for Business

Our fourth entry in the “How It Fits” series is…the Load Balancer!

Load balancers show up in every level of a Skype for Business deployment. They’re an integral component of effective Skype for Business Online tenants as well.

If a load balancer does its job right, it’s pretty much invisible. If it doesn’t, it’s a loud and persistent pain. Which it is all depends on your configuration. As such, you’re most likely to work with a load balancer when first deploying Skype for Business.

This post is meant as an overarching take on the load balancer’s function and value. If you’re looking at a new Skype for Business deployment, on-prem or hybrid, this is a quick read that could help a lot!

The Load Balancer’s Primary Role

A load balancer distributes traffic among servers in a pool. In Skype for Business, this means it distributes traffic between role-based server pools. For example, between two Front End Servers.

It’s similar in some ways to a Reverse Proxy. (Some hardware load balancers even include reverse proxy functionality.) But instead of worrying about authenticating traffic from outside the network, it focuses on optimal traffic management inside the network.

Why use load balancing in the first place?

  • Bolsters reliability. The load balancer helps prevent any one server from becoming overwhelmed.
  • Increases overall Skype for Business stability. Smart traffic management helps avoid traffic bottlenecks.
  • Some Skype for Business services require load balancing to function (e.g. managing HTTP traffic).

Main Components of a Load Balancer

At its core, a load balancer consists of:

  • A Distribution algorithm, and
  • A server pool monitor/health check

The distribution algorithm determines to which server it should send traffic requests. The server pool monitor, well, monitors the assigned server pool’s health and traffic responses.

What kind of traffic are we talking about? All kinds: HTTP/HTTPS, SIP, TCP, UDP. Basically, if you use server pools for any of the Skype4B Server Roles, you should use a load balancer for each.

Other Servers a Load Balancer Communicates With

In Skype for Business, you can load balance any Server Role which has (or can have) multiple servers in a pool. That includes:

  1. Edge Server
  2. Front End Server
  3. Director
  4. Office Web Apps Server

Load Balancers must communicate not only with the servers they’re balancing, but with the servers sending traffic to them. That means they’ll talk with the Mediation Server, PSTN Gateways, and our last “How it Fits” role, the Reverse Proxy.

What about Office 365? If you’re running a hybrid deployment, you’ll need load balancing on the on-prem side. From Plan for Network Devices that Connect to Office 365 Services:

Your organization needs to use a hardware load balancer (HLB) or a Network Load Balancing (NLB) solution to distribute requests to your Active Directory Federation Services (AD FS) servers and/or your Exchange hybrid servers.

In other words, load balancing between Office 365’s servers and your network!

What Kind of Load Balancer Should You Use?

Two types of load balancing exist in Skype for Business.

  1. DNS load balancing, and
  2. Hardware load balancing

This is an important distinction. It’s also the source of most load balancing grief.

DNS Load Balancing:
This is more a technique than a device. It involves mapping server pool names to not one, but a set of IP addresses in DNS.

Let’s say you have a Front End pool named “Headquarters.” The Headquarters pool has three IP addresses mapped to it – 10.10.10.1, 10.10.10.2, and 10.10.10.3.

When your Skype for Business client tries to connect to “Headquarters,” DNS sends it all three IPs. The client tries connecting to the first IP, 10.10.10.1. But this IP already has another client connected and cannot respond. So the client tries 10.10.10.2. That works.

Connections stable. Traffic load balanced.

DNS Load Balancing – Microsoft Docs
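The client-side walk described above, as an added example (not code from the original post or from Microsoft): it tries each pool address in the order given and reports which records are dead and which one the client would land on. The function name is hypothetical, and the constructed demo uses loopback addresses in place of the 10.10.10.x pool members so it runs offline.

```powershell
# Added example: walk a DNS load-balanced pool the way a client does.
# Test-DnsPoolFailover is a hypothetical name, not a Skype for Business cmdlet.

function Test-DnsPoolFailover {
    [CmdletBinding()]
    param(
        # Pool member IPs, in the order DNS returned them.
        [Parameter(Mandatory)] [string[]] $Address,
        # TCP port of the service being balanced.
        [Parameter(Mandatory)] [int] $Port,
        # How long to wait on each member before moving to the next one.
        [int] $TimeoutMs = 1500
    )

    $landed = $false
    foreach ($ip in $Address) {
        $client = New-Object System.Net.Sockets.TcpClient
        $reachable = $false
        try {
            # Wait() returns $false on timeout and throws if the connection is refused.
            $reachable = $client.ConnectAsync($ip, $Port).Wait($TimeoutMs) -and $client.Connected
        } catch {
            $reachable = $false
        } finally {
            $client.Close()
        }

        # A real client stops at the first member that answers; every dead
        # record ahead of it costs the user one connection timeout.
        $clientLandsHere = $reachable -and -not $landed
        if ($clientLandsHere) { $landed = $true }

        [pscustomobject]@{
            Address         = $ip
            Port            = $Port
            Reachable       = $reachable
            ClientLandsHere = $clientLandsHere
        }
    }
}

# Constructed offline demo: only 127.0.0.2 has a listener, so the first
# "pool member" is dead and the client falls through to the second one.
# Assumption: the host lets you bind any 127.0.0.0/8 address (Windows does).
$listener = New-Object System.Net.Sockets.TcpListener -ArgumentList ([System.Net.IPAddress]::Parse('127.0.0.2')), 0
$listener.Start()
try {
    $port = $listener.LocalEndpoint.Port
    Test-DnsPoolFailover -Address '127.0.0.1', '127.0.0.2', '127.0.0.3' -Port $port |
        Format-Table -AutoSize
} finally {
    $listener.Stop()
}
```

Because DNS load balancing has no health monitor of its own, a member that shows Reachable = False stays in rotation until someone removes the record or repairs the server.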

Hardware Load Balancers:
A hardware load balancer is a dedicated device which distributes traffic requests to a server pool. I think of these like a “Traffic Cop” inside your network.

We use an F5 hardware load balancer for our Skype for Business Server. Cost us a bit, but wow did it help with call quality!

Since hardware load balancers actively listen to incoming & outgoing traffic, they can mitigate traffic bottlenecks, preventing call drops, static, and external connection troubles.

===============

When setting up load balancing in your topology, keep these restrictions in mind:

  • If your Edge pool uses load balancing, the internal Edge interface and external Edge interface must use the same type. Can’t use DNS load balancing on one, and hardware on the other. You’ll experience some serious traffic errors!
  • Some traffic types require a hardware load balancer (e.g. HTTP traffic). DNS load balancing does not work with client-to-server web traffic either.

Our experience confirms these restrictions. In Skype for Business Server’s early days, we observed that combining both load balancing types in one deployment caused havoc. Inconsistent delays, strange errors with no apparent cause, bottlenecks, etc. When we standardized on one load balancing type topology-wide, these issues evaporated.


Here’s a nice setup/overview video from A10 Networks if you’d like more.

Load Balancers Reduce TCO By Easing the Burden on Skype4B Server Pools

Which load balancing method should you choose? There’s no universal standard. But we go by this rule of thumb: The larger the deployment, the more a hardware load balancer is necessary. They are more powerful, more intelligent, and more reliable.

It does add to up-front deployment cost. But it reduces TCO. Once load balancing is in place, configured, and running properly, it helps the Server Roles function at peak. Even (especially) under heavy load.

What kind of load balancing do you run in your Skype for Business topology?


Read Up on Lync, SharePoint, Office 365 and More with Free Microsoft eBooks

It’s happened again. Microsoft released a trove of ebooks about their various software products:
Largest collection of FREE Microsoft eBooks ever, including: Windows 8.1, Windows 8, Windows 7, Office 2013, Office 365, Office 2010, SharePoint 2013, Dynamics CRM, PowerShell, Exchange Server, Lync 2013, System Center, Azure, Cloud, SQL Server, and much more
(Yes, that’s the post’s real title!)

I think this is the third time such a giveaway has occurred in the past 2 years? Fourth? Either way, I’m grateful to Microsoft for releasing all these titles. And to Mr. Ligman for compiling them.

This latest collection is huge – and it contains more than enough Lync Insider-relevant books for me to mention it. Here’s a list of what I downloaded right away for brushing up.

  1. Office 365 Midsize Business Quick Deployment Guide (DOCX)
  2. Quick Start to Office 365 for Small to Medium Businesses (ZIP)
  3. The Wiki Ninjas Guide to SharePoint 2013 (PDF)
  4. The Wiki Ninjas Guide to SharePoint 2013 – Part II (PDF)
  5. Windows PowerShell 4.0 Language Quick Reference (PDF)
  6. The Big Book of PowerShell Gotchas
  7. Lync Server 2013 Stress Testing Guide
  8. Microsoft Lync Server 2013 Step By Step for Anyone (PDF)
  9. Microsoft Lync Server 2013: Basic Administration – Release 2.1 (PDF)

There’s a couple more Lync-related books in the post, so go check it out. But I’d like to talk about these last 3 today.

Microsoft Lync Server 2013 Step by Step for Anyone
Written by Matt Landis
Matt’s on the list! Looks like he has converted a series of posts on setting up Lync Server 2013 from his blog into an ebook. We’ve covered this material here in the past.

The book walks you through a Lync Server 2013 Standard Edition install. It also has several additional how-to’s, such as “Using Microsoft Lync Server with SonicWall Firewalls” and “How to Configure Lync Server 2013 Live Messenger PIC to Enable Skype Federation.”

At 258 total pages, it’s too big to print out. But it’s a great reference to have on hand if you’re running an installation offline (e.g. for a test project). Maybe put it on a tablet while you install Lync Server.

Microsoft Lync Server 2013 Basic Administration
Written by Fabrizio Volpe
This is a basic overview of Lync Server 2013 for administrators. It has a narrative approach, which would make it great for those newer to Lync and potentially unfamiliar with the scope of its capabilities. Good high-level detail on Lync’s structure and workings.

What I do like about it is that it includes information on:

  • Cost mindfulness when deploying server roles (p. 15)
  • Firewall rules & access requirements (p. 82)
  • Verification tools [which include TRIPP and Remote Connectivity Analyzer!] (p. 90)

It would make a good catching-up reference for new hires entering a Lync environment.

Lync Stress Testing Guide
Written by the Lync Server 2013 Virtualization Team
This one is just fun. It talks about conducting stress tests on your Lync installation with the Lync Server 2013 Stress and Performance Tool (LSS). Since this guide focuses on one toolset and one purpose, it’s very focused & heavily detailed. (I didn’t even know it could do some of these tests!)

It does recommend you run stress tests in a lab environment. NOT on a live deployed Lync Server system. If you do run it while live, don’t be surprised if you knock everyone offline!

I’ll do a full post on stress testing later. The contributors did a thorough job documenting the process; it deserves more attention. Pick this guide up and see for yourself.

Go Forth and Download – But Come Back for More Details!

Both the strength and the weakness of Microsoft free ebooks are that they are basic guides. Intended to introduce you to software, how to run it, how to work efficiently with it. Nothing at all wrong with that – in fact I think it’s a great way to foster knowledge – but it has its limits.

In books like these, gritty-details administration, troubleshooting, advanced modifications & developments are not usually covered. You need to rely on experience, more specialized manuals, and online resources. Like this blog!

Is there an upcoming Microsoft software release you’re waiting for? New version, an update or a fix? Please comment or email me. Let’s see what’s coming soon for all of us.


Reverse Proxies 101

Technically, Reverse Proxy is not a Lync Server role. It’s more like a helping hand, guiding Lync’s communications to where you want them to go.

I haven’t focused much on reverse proxies here in the past. Which is why today’s Lync Insider post is dedicated to their explanation and understanding. Let’s get started.

What is a reverse proxy? What does it do?

Definition of a reverse proxy from Wikipedia:

“In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though they originated from the server itself (or servers themselves). While a forward proxy acts as an intermediary for its (usually nearby) associated clients and returns to them resources accessible on the Internet, a reverse proxy acts as an intermediary for its (usually nearby) associated servers and only returns resources provided by those associated servers.”

So a reverse proxy is a type of intermediary. Like a regular proxy, it stands between your computer and a server, passing messages between them when appropriate. The function serves to aid privacy, keep security tight and balance network resources.

There is an excellent diagram of how a reverse proxy operates (as well as a regular ‘forward’ proxy) at StackOverflow.com:
Difference between Proxy Server and Reverse Proxy Server – StackOverflow

Is this process the same when you use a Reverse Proxy Server in Lync?

Primarily, yes. The Reverse Proxy Server sits in the perimeter network, like your Edge Servers do. There it processes certain messages you send via your Lync 2013 client. The difference is in what those messages ask for.

When do we need to use a reverse proxy in Lync Server?

The Reverse Proxy’s function in Lync is to facilitate client access to the Lync Web Services. These are optional services, but the list is long and very useful. From TechNet:

  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book service.
  • Accessing the Lync Web App client.
  • Accessing the Dial-in Conferencing Settings webpage.
  • Accessing the Location Information service.
  • Enabling external devices to connect to Device Update web service and obtain updates.
  • Enabling mobile applications to automatically discover and use the mobility (Mcx) URLs from the Internet.
  • Enabling the Lync 2013 client, Lync Windows Store app and Lync 2013 Mobile client to locate the Lync Discover (autodiscover) URLs and use Unified Communications Web API (UCWA).

Please note: None of these are critical, necessary functions! Lync users can get by just fine without a reverse proxy. IM/Presence, Enterprise Voice, & Persistent Chat all work without one.

It’s only when you want to provide those Web services to external users (normal users on mobile devices, telecommuters, non-users such as customers) that you’ll want to put in a reverse proxy.

How do I set up a Reverse Proxy in Lync?

In the past, the standard software choice for running a Reverse Proxy Server with Lync was the Forefront Threat Management Gateway 2010 (TMG). However, Microsoft discontinued TMG in November 2012.

Since then, the standard has been Internet Information Server Application Request Routing (IIS ARR). There are other options you can try – see “Additional Resources” below for one such option – but we’d normally recommend using IIS ARR.

You’ll find setup instructions linked on the Setting Up Reverse Proxy Servers page. The Vytru Blog also has a good tutorial: Installing Lync 2013 Reverse Proxy IIS ARR – Vytru Blog.

The basic steps are:

  1. Install PowerShell prerequisites
  2. In Lync Topology Builder, configure Web Services FQDNs
  3. In IIS Manager, create a server farm in Application Request Routing
  4. Add application servers to the farm (minimum 1, more if you need redundancy or load balancing)
  5. Configure the new servers
  6. Request & install a certificate on the reverse proxy
  7. Configure Web Publishing Rules
  8. Create DNS Records
  9. Test your new reverse proxy!

I encourage you to read the above links before attempting to install a reverse proxy. The process has many steps–and many steps means many places where we can miss or skip something by accident.

Ideally, the best time to install a reverse proxy is right after you install a fresh instance of Lync Server 2013. But so long as you have the Web Services URLs, you can install one at any time.

What’s your experience with Reverse Proxy? If you have a story – or a question – please comment or email it to us.

Additional Resources:
Configuring Reverse Proxy Access to Microsoft Lync Server 2013 using KEMP LoadMaster – NextHop
Lync Edge Server Best Practices – Jeff Schertz’s Blog


2 Results From (and 2 Warnings About) Monitoring Your Lync Servers

Byron Spurlock has put up a post about Lync Monitoring at WindowsITPro.com.
Why Should You Monitor Microsoft Lync Server 2013? – Windows IT Pro

The post is very well-detailed. It makes a solid case for deploying the Monitoring Server role in just about every Lync Server 2013 installation.

I insist that everyone read his post. Really, I can’t do a better job of explaining why admins should monitor Lync Server.

All I’ll do in this week’s post is list a couple ways Monitoring Reports have helped us out. And a couple warnings to keep in mind with regards to Monitoring.

2 Results Monitoring Helped With

RESULT #1: After we installed Lync Server 2013 earlier this year, some users reported trouble connecting remotely on their phones. We checked Monitoring Reports, and determined that remote access had enough bandwidth. In-office calls worked well.

Maybe it was a version problem? Sure enough, people with Lync 2010 on their phones couldn’t connect, while people with Lync 2013 could. We updated the Client Version Policy to encourage 2013 adoption, and everyone was fine.

RESULT #2: At a client site this summer, phone calls were frequently dropped. When they did connect, call quality was terrible. We checked the usual issues – low Enterprise Voice bandwidth, configuration – but it seemed okay. The client did not have Monitoring Server installed.

We added it to their Front End, and checked back a week later. The Monitoring Reports revealed that jitter was horrible – over 30ms, I think. The problem was in one of their wireless routers – it just wasn’t up to the job of VoIP. We replaced it and their jitter problems went away.

2 Warnings to Keep in Mind with Monitoring

WARNING #1: Adding Monitoring does increase the hardware requirements on your Front End server. And you’ll need to put SQL Server Reporting Services (SSRS) on your DB server. More server roles, more processing & memory power needed. It isn’t much more, but factor this in when laying out your topology.

WARNING #2: Monitoring doesn’t cover everything. In 2011 I wrote What Monitoring Server Monitors – and What It Doesn’t. In the post I mentioned that Monitoring Server does not report on the Windows Server Lync is hosted on, nor on non-Lync applications. This was in reference to 2010, but it still holds true.

(Hmm. I should write an updated version of that.)

That’s all I want to add. Byron, you did a great job with your post. Now that you’ve read mine, make sure to go read his!

Do you have Monitoring Server installed right now? What do you use its reports for the most?


How Many SQL Servers Do You Need to Run Lync?

Front End, Mediation, Monitoring, Archiving, Edge, Chat…with all these servers running, Lync Server 2013 must need a lot of database storage.

But how much is required? How many SQL Servers should a Lync administrator deploy?

Some of Lync requires a SQL Server database; some does not. But you’ll need to decide how many beforehand, because each SQL Server instance must be installed and available PRIOR to setting up their databases (via Topology Builder or PowerShell).

So let’s go through, server by server, and figure it out.

STANDARD EDITION

Standard Edition Front End Server

We start off easy. Standard Edition Server comes with its own database – SQL Server 2012 Express. It’s even auto-configured when you install Standard Edition Server.

SQL Server Instances Required (Minimum): 0

ENTERPRISE EDITION

Enterprise Edition Front End Server

Of course, Front End requires a SQL Server instance. It needs a place to store the back-end database. Next!

Mediation Server

A critical server, many admins debate whether to collocate Mediation Server on a Front End Pool, or place it standalone. However, you don’t need a separate SQL Server instance for it.

Monitoring & Archiving

Since both the Monitoring and Archiving Servers can be collocated on Front End in Lync Server 2013, they can use the same SQL Server as Front End. They will each have a database to themselves (and you should install SQL Server Reporting Services too, for Monitoring).
–Placing these databases on their own SQL server instead would provide an extra security layer, if properly configured. But for most small or mid-size deployments, it’s not necessary.

Director

Our friend the Director, standing guard against the tide of harmful access attempts. Since it has no users homed on it, it doesn’t really need its own database.

Persistent Chat

Persistent Chat stores your chat history, configuration and user provisions in a SQL database. You can install a second database to store compliance data, if you like. Both of these databases can reside in the same SQL Server instance as the Front End Server’s.

Edge Server

Remote access, enabling mobility…Edge Server must require a separate SQL Server for itself, right? To protect all that important connection data?

Well…Yes and No. Edge Server runs SQL Express Edition for a local CMS. Another instance of SQL Server is not required.

SQL Server Instances Required (Minimum): 1

(Reference: Server Collocation in an Enterprise Edition Front End Pool Deployment – TechNet Library)

Of course you can create multi-system SQL Server pools if you like.  Or use mirroring, or clustering for higher availability. I’ll cover those later on.

Oh, one last thing! Remember that Lync Server 2013 requires you use Microsoft SQL Server 2008 R2 SP1, or Microsoft SQL Server 2012. Don’t forget!

How many SQL Server databases are you running in your Lync pools?


Visual Aids for Lync Server 2013 Ins and Outs

Some exciting new releases in the Lync world!

We have two training/education resources for Lync Server 2013, released this week. Both are new versions of previous training aids, issued for Lync Server 2010.

They’re great for training, mapping out your own Lync architecture, or just brushing up on the ins and outs of Lync Server. Let’s see what we have.

Poster from NextHop Illustrates How Messages Flow Through Protocols

NextHop has released the new 2013 version of their Protocol Workloads poster.

The poster includes several visual representations of server setup, traffic routes and protocols used for specific Lync services. You can see how Conferencing clients connect through the Edge Server, which locations an Instant Message hits on its way to you, and more.

In my humble opinion, this version is much clearer than the 2010 version. A listing of required certificates and DNS entries helps make administration clearer.

“Test Drive” Lync on a Virtual Machine

John Policelli has pointed out a group of VHDs (Virtual Hard Disks) Microsoft added to its Downloads Center. These VHDs contain pre-configured virtual machines for Lync Server 2013, Exchange 2013, SharePoint 2013, and some UC developer APIs.

Microsoft is calling them a “Test Drive” platform. Use these to evaluate a full version of Lync Server 2013, with all capabilities, before installing it live in your network.

John has linked to all three downloads on his blog: Pre-Configured VHDs to Test Drive Lync 2013 Available – John Policelli’s Blog
Part 1 has full details on system requirements and installation process.

I’d consider these two resources absolutely essential for anyone who is:

  • Studying Lync Server for implementation in their office
  • Still on Lync Server 2010 or an alternate VoIP solution
  • Prepping for the new Lync Server 2013 Certifications (like me!)

Both downloads are free. The poster is a simple PDF (or VSD file), though you’ll need a server-grade computer with Hyper-V installed for the “Test Drive”.

If you’ve created a new resource for Lync training, please let me know! I love to collect & showcase Lync Server training aids.


Moving to Lync Server 2013: A Guide to the Installation Process (Part 1)

Starting this week, I’m participating in a Lync Server 2013 install. I’m doing some of the install work, and recording the details step-by-step. I’ll blog about the entire process.

This post and the next few will form a guide, to help others see what’s involved in a Lync setup, so you can prepare for your own!

What to Expect: Reference Guide for Your Own Lync 2013 Install

I’m documenting each step in the setup process. Including the errors we encountered, why they occurred & how we fixed them.

This series is much like the “Path to Lync Server” posts I wrote in 2011.  With more screenshots!

Initial Prep: Server Hardware is Prepared

I’ll start with some talk about our preparations made before beginning Setup.
The office already has Lync Server 2010 running. It’s a 2010 Standard Edition, with Mediation Server (not collocated) and a PSTN gateway from Dialogic. Archiving and Monitoring were not enabled. Federation is active.

We’re installing Lync Server 2013 while 2010 is still active. On a fresh (virtualized) server, under the same domain. Once install is complete, we’ll migrate users over.

For Lync Server 2013, we’re expanding the available feature set. Archiving and Monitoring will be added, as will Web Apps Server and XMPP Federation. We’ll redirect the PSTN Gateway to the 2013 servers once the backend is fully in place.

We added 4 cores and 32GB more RAM to the server. This is listed in the TechNet documentation as the optimum values for a clean install. (We did it mostly because it speeds up the process.)

Coming Soon: The Install Path to Lync Server 2013!

So far, we’re still in the process. Next post will contain the reference links we consulted, and the beginning steps.

I may move to 2 posts a week for this series…so be sure to check back soon!

In the meantime, a question for my readers: Are you preparing for a Lync Server 2013 install or upgrade soon? If so, what obstacles (if any) are you encountering?


Will we need to upgrade SQL Server for Lync Server 2013?

Welcome back everyone! It’s a new year, and time for new Lync Insider posts.

We’ll start today with a short one on Lync Server 2013 (because I have many, many emails to catch up on!)

Last month I asked a quick question – is SQL Server 2012 required to run Lync Server 2013?

If you’re wondering too, the answer is…No. But a 64-bit edition of SQL Server IS required.

Step Right Up and Pick Your Database Version, All Accepted

Lync Server 2013 (Enterprise Edition) can use the following versions of SQL Server:

  • SQL Server 2008 R2 Enterprise Edition
  • SQL Server 2008 R2 Standard Edition
  • SQL Server 2012 Enterprise Edition
  • SQL Server 2012 Standard Edition

But no matter which version you choose, it must be 64-bit. Like the rest of Lync Server.

(There’s also SQL Server Express, but it comes with Standard Edition so you don’t need to worry about it.)

And make sure you stay consistent! Don’t try to use a SQL Server 2008 database for the backend, and then install SQL Server 2012 for Monitoring. You’ll end up with DB issues aplenty (and I don’t even think mirroring will work!).

Can You Upgrade? Then Go For It! If Not, Wait a While

In our Lync Server installations, we’ve been moving toward SQL Server 2012 most of the time. Even on servers running Windows Server 2008. The performance is just smoother.

So if you can work a SQL upgrade in, by all means! It’ll do nothing but help. But if it’s too early in the year and you need to wait, that’s okay too.

Here is some reference documentation for you, on configuring SQL Server for use with Lync Server 2013.
Configure SQL Server for Lync Server 2013 – Microsoft TechNet

Which database server are you using (or planning to use) for Lync Server 2013?


Custom Administrative Roles in Lync Server 2013: Now With Cmdlet Control!

Role-based Access Control (RBAC) was a big security improvement for Lync Server 2010. You’d expect further improvement in Lync’s next version, right?

Lync Server 2013 delivers on improving RBAC in two ways. Some new predefined access roles…and an extremely valuable ability.

The ability to assign cmdlets to a custom access role. (Including LIMITING the cmdlets that role can use.)

Let’s talk about why that’s so valuable.

Background: What RBAC is There For

The standard roles predefined in Lync 2010 are:

  • CsAdministrator
  • CsUserAdministrator
  • CsVoiceAdministrator
  • CsServerAdministrator
  • CsViewOnlyAdministrator
  • CsHelpDesk
  • CsArchivingAdministrator
  • CsResponseGroupAdministrator
  • CsLocationAdministrator

(A list of tasks allowed for each of these roles is available here.)

Lync 2010 DID have the ability to create custom roles, using the New-CsAdminRole cmdlet. Essentially, this cmdlet allowed you to copy the rights of a predefined role and subsequently change the scope it could affect.

With this you could create roles for things like:

  1. Designating an administrator for a specific location (Location Scope)
  2. Limit administrative access to selected server roles (Server Scope)
  3. Assign users to admins, to make support process faster (User Scope)

Mike at the Interface Technical Training Blog wrote up a how-to post in April on creating custom Lync admin roles:
Creating a Custom RBAC Role with the Lync Server Management Shell – Interface Technical Training Blog

But these roles came with a limitation: No ability to assign cmdlets to the custom role. When you copied a predefined role to create a custom one, it received full access to every cmdlet the predefined role could use.

What if you mistyped the cmdlet and, instead of typing (note the -Template value):

New-CsAdminRole -Identity NewLyncAdmins -Template CsUserAdministrator

You accidentally typed:

New-CsAdminRole -Identity NewLyncAdmins -Template CsAdministrator

See the problem? The custom admin role has full access to all the CsAdministrator cmdlets. All thanks to a typo. BAD security risk!

And an avoidable risk, if you had the ability to set which cmdlets a custom role could use…

2013 Lets You Assign Only the Cmdlets You Want Admins to Use for their Role

Unfortunately Lync Server 2010 just doesn’t have the ability to custom-assign cmdlets. Instead of adding the functionality in a Cumulative Update, Microsoft opted to build it into Lync Server 2013.

Assigning cmdlets means not only can you customize a new access role by location or server scope…you can also define their role by function.

Say you want to create a custom role for Rob. Rob is not a Lync administrator; he’s your Support Lead. He doesn’t need administrative access to the Lync servers.

But he IS in charge of backup maintenance. So he wants to export Lync configurations for regular offsite backup.

Let’s create Rob a custom admin role to do this (so he doesn’t have to bug anyone for config backups). We’ll grant him access to only 3 cmdlets: Export-CsArchivingData, Export-CsConfiguration, and Export-CsLisConfiguration.

The format is the same as in Lync Server 2010, with the -Cmdlets parameter added. Here’s what you’d enter into PowerShell:

New-CsAdminRole -Identity BackupMan -Template CsHelpDesk -Cmdlets "Export-CsArchivingData","Export-CsConfiguration","Export-CsLisConfiguration"

(You’ll see I used the CsHelpDesk predefined role for my template. That might be a higher role than Rob needs, but it’ll do for this example.)
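One way to catch the template typo and cmdlet creep after a role exists, as an added example (not from the original post or from Microsoft): compare each custom role against a written baseline of the template and cmdlets it is supposed to have. The function name, the baseline format and the sample role objects are constructed for illustration; the objects assume the Identity, Template, IsStandardRole and Cmdlets properties that Get-CsAdminRole returns.

```powershell
# Added example: audit custom Lync RBAC roles against an expected baseline.
# Test-CsCustomRole and the baseline layout are hypothetical, not part of Lync.

function Test-CsCustomRole {
    [CmdletBinding()]
    param(
        # Role objects, e.g. piped from Get-CsAdminRole on a management server.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Role,

        # Role name -> @{ Template = ...; Cmdlets = ... }.
        # Cmdlets = $null means "inherits the template's set, do not compare".
        [Parameter(Mandatory)]
        [hashtable] $Baseline
    )
    process {
        if ($Role.IsStandardRole) { return }   # predefined roles are out of scope

        $name = [string]$Role.Identity

        # Assumption: Cmdlets entries are plain strings or objects with a Name property.
        $granted = @(foreach ($c in $Role.Cmdlets) {
            if ($c -is [string]) { $c } else { $c.Name }
        })

        $findings = @()
        if (-not $Baseline.ContainsKey($name)) {
            $findings += 'role is not in the baseline'
        } else {
            $expected = $Baseline[$name]
            if ($Role.Template -ne $expected.Template) {
                $findings += "template is $($Role.Template), expected $($expected.Template)"
            }
            if ($expected.Cmdlets) {
                $extra = @($granted | Where-Object { $expected.Cmdlets -notcontains $_ })
                if ($extra.Count -gt 0) {
                    $findings += "unexpected cmdlets: $($extra -join ', ')"
                }
            }
        }

        [pscustomobject]@{
            Role        = $name
            Template    = $Role.Template
            CmdletCount = $granted.Count
            Compliant   = ($findings.Count -eq 0)
            Findings    = ($findings -join '; ')
        }
    }
}

# What each custom role is supposed to look like (taken from the examples above).
$baseline = @{
    NewLyncAdmins = @{ Template = 'CsUserAdministrator'; Cmdlets = $null }
    BackupMan     = @{ Template = 'CsHelpDesk'
                       Cmdlets  = 'Export-CsArchivingData', 'Export-CsConfiguration',
                                  'Export-CsLisConfiguration' }
}

# Constructed sample data standing in for Get-CsAdminRole output.
$sampleRoles = @(
    [pscustomobject]@{ Identity = 'CsHelpDesk';    Template = $null;             IsStandardRole = $true
                       Cmdlets  = @('Get-CsUser') }
    # The typo case: cloned from CsAdministrator instead of CsUserAdministrator.
    [pscustomobject]@{ Identity = 'NewLyncAdmins'; Template = 'CsAdministrator'; IsStandardRole = $false
                       Cmdlets  = @('Get-CsUser', 'Set-CsUser', 'Remove-CsAdminRole') }
    [pscustomobject]@{ Identity = 'BackupMan';     Template = 'CsHelpDesk';      IsStandardRole = $false
                       Cmdlets  = @('Export-CsArchivingData', 'Export-CsConfiguration',
                                    'Export-CsLisConfiguration') }
    # Drift case: someone later added a cmdlet the role was never meant to have.
    [pscustomobject]@{ Identity = 'BackupMan2';    Template = 'CsHelpDesk';      IsStandardRole = $false
                       Cmdlets  = @('Export-CsConfiguration', 'Import-CsConfiguration') }
)

$sampleRoles | Test-CsCustomRole -Baseline $baseline | Format-Table -AutoSize -Wrap

# On a live deployment: Get-CsAdminRole | Test-CsCustomRole -Baseline $baseline
```

In the sample run, NewLyncAdmins is flagged for its template, BackupMan passes, and BackupMan2 is flagged because it is not in the baseline.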

Lync Server 2013 RBAC: Defined By Role Security Limitations You Set

I almost forgot the other RBAC improvement in Lync Server 2013. It adds two more predefined roles:

  • Response Group Manager, for managing specific Response Group queues.
  • Persistent Chat Manager, for managing specific Persistent Chat rooms.

Limited, but useful managerial access roles. Narrowing the focus of admin roles, whether through predefined access level or custom cmdlet assignment, is the big RBAC change coming in Lync Server 2013.

What are the custom administrative roles you’ve set in Lync Server 2010? How would you whittle their access down using custom cmdlet assignment in 2013?


Should You Install Lync Server 2010 Now, or Wait for Lync Server 2013?

Marc, a reader, asked a very timely question of me:

“My firm is planning on deploying Lync 2010 in about two months. Do you think it would be worth waiting for 2013? Or is the upgrade from 2010 to 2013 not that big a deal?”

Lync Server 2010 has been around for a couple years now. We’re in a transitory period right now – very soon, we’ll have an updated Lync Server on the market.

That means if your office isn’t running Lync Server yet, you have a choice.

A. Install Lync Server 2010 now.
OR
B. Wait for Lync Server 2013 to be released, and install it then.

We must take into account a couple of prime considerations here. The infrastructure requirements for both versions are fairly similar – at least according to current documentation, which lists the hardware requirements for running Lync Server 2010 here and running the Lync Server 2013 Preview here.

It really comes down to what type of Lync Server deployment you want, and the timing involved. So let’s consider those.

Consideration #1: On-Premises, Cloud-Based or Hybrid Deployment?

Lync Server 2013 has three deployment options.

On-Premises – All servers are placed in your network. The preferred deployment if you want to use Enterprise Voice, Call Admission Control, multi-national coverage or 3rd-party applications.
Online/Cloud-Based – All Lync services run in the cloud, using Office 365. Quick to set up and no hardware cost, but some services are not available (particularly Voice). I’ve mentioned the limitations of Lync Online before.
Hybrid Deployment – A combination of the above. Some users are on Office 365; others are based in your network. Useful for branch offices or a migration.

This is a little better flexibility than Lync Server 2010 originally had (mostly because Office 365 wasn’t around when it was introduced!). However, because Lync Online is now available, you could build a hybrid version of Lync Server 2010.

Recommendation:

If you’re planning on a hybrid deployment, there’s no reason not to install Lync Server 2010 now. The setup cost is lower than on-premises, though configuring both Lync Online and on-site Lync Server 2010 may pose some challenges.

Want to go cloud-based? Wait for Lync Server 2013. You’ll have the latest Lync version to work with, and the Online deployment option doesn’t require servers in-house.

If you want the full Lync feature set and plan to deploy on-premises, read Consideration #2 below. There’s a second factor to consider between installing Lync Server 2010 and waiting for Lync Server 2013 – hardware upgrades.

Consideration #2: Which server upgrades will you do first?

Do you already have the necessary hardware for Lync? Or will you need to upgrade before installing Lync Server?

Both systems require 64-bit servers. If you don’t have them now, you’ll need to install them.

Both versions have similar hardware requirements. At least the upgrade path is easier on the hardware side.

(Caveat: Lync 2013’s RTM may have higher requirements than its preview release.)

And there’s the matter of foundational server software. Lync Server 2010 runs on Windows Server 2008 and SQL Server 2008.

Lync Server 2013 will run on Windows Server 2008 R2 with SP1. But it will also run on Windows Server 2012, due out between Q3 2012 and early 2013.

Likewise, Lync 2013 will run on SQL Server 2008 R2, but SQL Server 2012 is around the corner as well. All three of these server applications are due out at about the same time.

Recommendation:

I’d say wait for Lync Server 2013 if either of these is true:

  • You need to install 64-bit servers in preparation for Lync.
  • You’re planning to install Windows Server 2012 when it’s released.

Otherwise, if you already have the 64-bit hardware and you’re planning to stay with Windows Server 2008 for now, then go ahead with Lync Server 2010!

Planning a Lync Install? Tell Us About It!

In the future I’ll talk about upgrading from Lync Server 2010 to Lync Server 2013. (We’re all wringing our hands in 2013 anticipation at the office!)

Is your organization debating which version of Lync Server to set up? Which factors are you concerned with? I’d love to hear them!
