The Lync Edge server is what gives your Lync infrastructure external access, unless you are one of those people or companies that prefer using a VPN. Lync Edge is designed to provide the following features:

  • Lync Access for Remote users
  • Connection with Federated companies
  • Connection with Public IM

Prerequisites & Considerations:

There are a number of things you need to consider and do on the machine that will be running the Lync Edge role:

  1. The Lync Edge machine should not be joined to the domain.
  2. The Lync Edge machine should have two network cards: an external NIC (eNIC) connected to the internet, and an internal NIC (iNIC) connected to the internal network.
  3. The eNIC should have a gateway and DNS servers configured on it.
  4. The iNIC should NOT have a gateway configured on it.
  5. Add the FQDNs and IP addresses of your Domain Controller and Lync Front Ends to the hosts file on the Lync Edge machine.
  6. Your DNS suffix should be added to your Lync Edge machine.

IP Requirements:

This part depends on your infrastructure. Of the two most common scenarios, the most secure and recommended one is where you have an eDMZ and an iDMZ in front of your internal network, so in my lab I have 3 subnets:

  • Internal Server VLAN
  • Internal DMZ (iDMZ)
  • External DMZ (eDMZ)

So I have my DC and Lync Front End in the subnet that is isolated from the DMZ by the firewall, and I will deploy the Lync Edge in the DMZ so that the iNIC is connected to the iDMZ and the eNIC is connected to the eDMZ.

On the eNIC that is connected to the eDMZ I will have 3 IP addresses on the subnet, and I will NAT them to 3 public IP addresses; on the iNIC that is connected to the iDMZ I have 1 IP address on the subnet:

Service                iDMZ IP-address   eDMZ IP-address   Public IP-address
Access.lyncdude.net                                        XX.171.195.167
Av.lyncdude.net                                            XX.171.195.168
Webconf.lyncdude.net                                       XX.171.195.169
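The following script is an added example and is not part of the original post or of any Microsoft tooling. It is a pre-flight check that walks through the six prerequisites above and the eNIC/iNIC address layout on the Edge machine itself. It assumes the NetTCPIP cmdlets (Windows Server 2012 or later), that the two adapters are named 'eNIC' and 'iNIC', and that the DC and Front End names and addresses in the hash table are constructed lab values you replace with your own.

```powershell
# Added example, not from the original post: pre-flight check of the network
# prerequisites listed above on a Lync Edge machine.
# Assumptions: NetTCPIP cmdlets (Windows Server 2012 or later), the adapters
# are named 'eNIC' and 'iNIC', and the DC/Front End names and addresses are
# constructed lab values that must be replaced with your own.

$eNicAlias     = 'eNIC'
$iNicAlias     = 'iNIC'
$DnsSuffix     = 'lyncdude.net'
$InternalHosts = @{                              # constructed lab values
    'dc01.lyncdude.net'      = '10.10.10.5'
    'lync-fe01.lyncdude.net' = '10.10.10.20'
}
$EdgeServiceCount = 3   # Access, A/V and Web Conferencing each get an address on the eNIC

$issues = @()

# 1. The Edge must be a workgroup member, not domain-joined
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    $issues += 'Machine is joined to a domain; the Edge server must not be.'
}

# 2./3. The eNIC needs a default gateway, DNS servers and one address per Edge service
$eCfg = Get-NetIPConfiguration -InterfaceAlias $eNicAlias
if (-not $eCfg.IPv4DefaultGateway)        { $issues += "$eNicAlias has no default gateway." }
if (-not $eCfg.DNSServer.ServerAddresses) { $issues += "$eNicAlias has no DNS servers." }
$eIps = @(Get-NetIPAddress -InterfaceAlias $eNicAlias -AddressFamily IPv4 |
          Where-Object { $_.IPAddress -notlike '169.254.*' })   # ignore APIPA addresses
if ($eIps.Count -lt $EdgeServiceCount) {
    $issues += "$eNicAlias has $($eIps.Count) IPv4 address(es); expected $EdgeServiceCount."
}

# 4. The iNIC must NOT have a default gateway
$iCfg = Get-NetIPConfiguration -InterfaceAlias $iNicAlias
if ($iCfg.IPv4DefaultGateway) { $issues += "$iNicAlias has a default gateway; remove it." }

# 5. The hosts file must carry the DC and Front End entries
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsLines = Get-Content -Path $hostsPath
foreach ($fqdn in $InternalHosts.Keys) {
    $ip = $InternalHosts[$fqdn]
    $pattern = '^\s*' + [regex]::Escape($ip) + '\s+.*\b' + [regex]::Escape($fqdn) + '\b'
    if (-not ($hostsLines -match $pattern)) {
        $issues += "hosts file is missing the entry '$ip $fqdn'."
    }
}

# 6. Primary DNS suffix of the machine (stored under the Tcpip parameters key)
$tcpipParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$primarySuffix = (Get-ItemProperty -Path $tcpipParams).Domain
if ($primarySuffix -ne $DnsSuffix) {
    $issues += "Primary DNS suffix is '$primarySuffix'; expected '$DnsSuffix'."
}

if ($issues.Count -eq 0) {
    Write-Host 'All Edge network prerequisites are satisfied.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Run it in an elevated PowerShell session on the Edge machine after you have configured the adapters and before you start the Lync deployment wizard; every warning maps to one of the numbered prerequisites, so the list above tells you what to correct.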

This diagram gives a better picture of my deployment:


Certificate Requirements:

On the Edge server a certificate is used on both network interfaces of the server, but on the external interface the certificate used needs to be issued by a trusted public CA.

A good thing about Lync is that you can use one certificate for all Edge roles as long as it has the correct names in it.

A number of things to consider when ordering your public certificate:

  • The subject name of the certificate needs to be the name of the Access Edge service, e.g. access.lyncdude.net or sip.lyncdude.net
  • The first SAN should also be the name of the Access Edge service; the other services follow.
  • Create the certificate with an exportable private key.
  • Make sure to include a sip.domain.com entry in the certificate for each SIP domain you have in your deployment.
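The following script is an added example, not part of the original post or of the Lync product, that checks a certificate already imported into the local machine store against the four points above (subject name, first SAN, exportable private key, one sip.<domain> entry per SIP domain) and against the requirement that the external certificate chains to a trusted CA. The thumbprint is a placeholder, the service FQDNs and SIP domain are taken from this lab, and it assumes an English Windows install where the SAN extension formats as 'DNS Name='.

```powershell
# Added example, not from the original post: check that an Edge external
# certificate in the local machine store follows the naming rules above.
# Assumptions: the thumbprint is a placeholder, service FQDNs and SIP domains
# are the lab's, and the SAN extension is formatted in English ('DNS Name=').

$Thumbprint     = 'REPLACE_WITH_THUMBPRINT'       # placeholder, not a real value
$AccessEdgeFqdn = 'access.lyncdude.net'
$OtherServices  = @('av.lyncdude.net', 'webconf.lyncdude.net')
$SipDomains     = @('lyncdude.net')               # every SIP domain in the deployment

$cert   = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
$issues = @()

# Subject name must be the Access Edge FQDN
$cn = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1].Trim().ToLower() } else { '' }
if ($cn -ne $AccessEdgeFqdn) { $issues += "Subject CN is '$cn'; expected '$AccessEdgeFqdn'." }

# Parse the DNS names out of the Subject Alternative Name extension (OID 2.5.29.17)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    $sans = @(foreach ($line in ($sanExt.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim().ToLower() }
    })
}

# First SAN must also be the Access Edge FQDN, then the other services follow
if ($sans.Count -eq 0 -or $sans[0] -ne $AccessEdgeFqdn) {
    $issues += "First SAN is '$($sans | Select-Object -First 1)'; expected '$AccessEdgeFqdn'."
}
foreach ($svc in $OtherServices) {
    if ($sans -notcontains $svc) { $issues += "SAN list is missing '$svc'." }
}

# One sip.<domain> entry is required for every SIP domain
foreach ($domain in $SipDomains) {
    if ($sans -notcontains "sip.$domain") { $issues += "SAN list is missing 'sip.$domain'." }
}

# Private key must be present and exportable (the pool's second Edge needs the same cert)
if (-not $cert.HasPrivateKey) {
    $issues += 'Certificate has no private key.'
} else {
    $csp = $null
    try { $csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider] } catch { }
    if ($csp -and -not $csp.CspKeyContainerInfo.Exportable) {
        $issues += 'Private key is not exportable.'
    } elseif (-not $csp) {
        Write-Warning 'Could not determine key exportability (non-CAPI key); check manually.'
    }
}

# External certificate must chain to a CA trusted by this machine and be within its validity period
if (-not $cert.Verify()) { $issues += 'Certificate does not chain to a trusted CA (or is revoked/expired).' }
if ($cert.NotAfter -lt (Get-Date)) { $issues += "Certificate expired on $($cert.NotAfter)." }

if ($issues.Count -eq 0) {
    Write-Host "Certificate $($cert.Thumbprint) meets the Edge naming requirements."
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Run it once on each Edge server in the pool after importing the certificate; a certificate that passes here still has to be assigned to the Edge services through the deployment wizard, which this script does not do.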

The following screenshot is taken from my lab, where I have an Edge pool called Lync-pool02.lyncdude.net with two Edge servers deployed in it.

I have ordered one certificate with the subject name (SN) of the Access Edge service, and all the other required web services as SANs in the certificate.

Internal Certificate:


External Certificate:


Your certificates should look something like those two 🙂

So my lab crashed 🙂 I'm rebuilding it to take the required screenshots, so we have to wait for part 2.