Tag Archives: TMG

Exchange 2013 Hybrid Prerequisites (Part I)

Edited: November 11, 2015

In a hybrid environment the on-premises Exchange organization (which can be either Exchange 2010 or Exchange 2013) is integrated with Exchange Online. In a hybrid configuration you basically create one ‘virtual’ Exchange organization with the following features:

  • One cross-premises Address Book;
  • Secure cross-premises mail flow;
  • Cross-premises Free/Busy information, mail tips and out-of-office features;
  • Seamless migration to Exchange Online and vice versa;
  • No recreation of OST file;
  • Automatic reconfiguration of Outlook profile;
  • OWA URL Redirect.

To create a hybrid environment you need at least one Exchange hybrid server on-premises. This can be an Exchange 2010 server, but I always recommend using an Exchange 2013 server for this because of the improved hybrid connectivity in Exchange 2013. For redundancy (and performance in larger environments) it is better to use multiple Exchange 2013 hybrid servers.

Another prerequisite for creating a hybrid environment is that you must have Directory Synchronization in place: DirSync synchronizes user accounts, groups and contacts, and all other communication is handled by the Exchange 2013 hybrid servers, as shown in the following picture:



Kemp Edge Security Pack for Exchange 2013

Now that Microsoft TMG 2010 is no longer available it is time to look for alternatives. Reverse proxying itself is not a problem, there are various solutions for this. Microsoft itself offers ARR (Application Request Routing) on top of IIS. This can act as a reverse proxy, but for load balancing you still have to rely on NLB. Another drawback is that ARR does not do pre-authentication.

With the new software version for the Kemp LoadMaster series (V7) it is now possible to do reverse proxy and pre-authentication out of the box. The new module is called ESP or Edge Security Pack. The idea is the same as before: clients hit the Kemp LoadMasters and the requests are distributed across multiple Exchange Client Access Servers. But before the requests are sent to the Client Access Servers they are authenticated. Kemp uses an authentication provider for this, which in a normal scenario would be an Active Directory Domain Controller.


The advantage of pre-authentication is evident. In case of a (brute force) attack the CAS servers only see traffic that has already been authenticated; the attack traffic is handled by the Kemp and never reaches the CAS servers. ESP is specifically designed to handle this kind of traffic. Keep in mind that every credential attempt is still validated against the authentication provider, so Active Directory account lockout policies still apply to a brute-force attempt against a valid user name; what the CAS servers are spared is the unauthenticated HTTP traffic.


Installing Lync Server 2013 Mediation Server

Updated: November 30, 2014 with new SIP trunk provider, Lync 2013 Standard Edition, Lync Servers running on Windows 2012 R2 and TMG disclaimer.

An Enterprise Voice deployment of Lync 2013 means connecting to some kind of PBX or carrier, and a (direct) SIP trunk is such a solution. The Mediation Server connects to the servers (Session Border Controllers, SBC) of your provider, making it possible to place and receive calls to and from any phone line in the world.

To support this another Lync 2013 server role needs to be installed, the so-called Mediation Server. The Mediation Server is connected to the internal network (to reach the Lync 2013 Front-End server) and to the external network (i.e. the Internet) to reach the SIP trunk provider's network.

Not all SIP trunk providers are supported to work with Lync Server 2013 (or 2010). For an overview you can check the Infrastructure qualified for Microsoft Lync pages (check the services tab) on the Microsoft website. In my lab environment I will use a SIP trunk from OneXS, based out of Amsterdam, The Netherlands. I have one Lync 2013 Standard Edition Front-End server, one Lync 2013 Edge server and a dedicated Lync 2013 Mediation server as shown in the following figure:


The first step is to configure the Lync 2013 mediation server. This is a normal domain joined server connected to the internal network. A 2nd NIC is configured with direct internet connectivity so it has a public IP address.

Note. My Mediation server is connected directly to the Internet, behind a Juniper firewall. This firewall has IP based restrictions and only the necessary ports are open. I have been trying to get the SIP trunk to work via TMG2010 but wasn’t successful and I don’t know a lot of consultants that got this configuration working properly. Therefore I do not recommend using a TMG2010 server between the Mediation Server and the SIP trunk provider.


The following prerequisite software needs to be installed on the Lync 2013 Mediation Server:

Installing and configuring the mediation server

Before installing the Lync 2013 mediation server it has to be created in the Lync Topology. On the Lync Front-End server open the Topology Builder, download the topology from existing deployment and save the topology file on the local hard disk.

In the Topology Builder navigate to the Mediation pools under Lync Server 2013, right click Mediation pools and select New Mediation Pool.

Enter the name of the Pool FQDN (in case of Lync 2013 Standard Edition this should be the FQDN of the Mediation server) and select the Single computer pool radio button.


The Mediation pool uses the lyncpool we created earlier as the next hop server, so select this pool in the Next hop pool drop-down box.


Select the Edge pool we’ve created earlier in the Edge pool drop-down box:


Click Finish to end the New Mediation Pool wizard and save all information to the local file. The configuration is now ready to be published into the CMS:


The mediation pool with the mediation server is now stored in the configuration database and we can continue installing the actual Lync 2013 mediation server.

The installation of the Lync 2013 mediation server is not very different than other Lync server roles. Install the Lync 2013 core components from the DVD and once installed start the Deployment Wizard. In the Deployment Wizard select Install or Update Lync Server System.

Step 1: Install Local Configuration Store. Selecting Retrieve directly from the Central Management Store installs an instance of SQL Express on the Mediation Server and copies the contents of the CMS database into this SQL Express instance.


Step 2: Setup or Remove Lync Server Components will install the actual Lync server 2013 Mediation Server based on the configuration found in the CMS.

Step 3: Request, Install or Assign Certificates will let you request an internal SSL certificate using the Active Directory Certificate Authority. Click Run and on the certificate wizard click Request. The certificate wizard is started, select Send the request immediately to an online certification authority (this is the default) and select the CA that will issue the certificate (it will find the CA in Active Directory):


Follow the wizard, enter a friendly name (something like Lync Mediation Certificate), the name of the organization and the department, and the country, state/province and city/locality information. The wizard automatically proposes the name of the Mediation pool (in this setup the FQDN of the dedicated Mediation Server, as entered in the Topology Builder). If needed you can add additional names in the Subject Alternative Names field.

When the wizard is finished an SSL certificate is automatically requested at the internal Active Directory Certificate Authority, issued and downloaded to the local certificate store of the mediation server.


When you click Finish the Certificate Assignment wizard is automatically started. Nothing to configure here, just informational windows. Finish the wizard and close the certificate wizard.

Note. The SSL certificate is only used for communication on the internal network. Communication with the SIP trunk provider is typically not encrypted (SIP over TCP and plain RTP), so no SSL certificate is used for the external side. That also means signalling and media on this leg travel the Internet in the clear, which is why the IP-based restrictions on the firewall between the Mediation Server and the provider's SBC matter.

Select Step 4: Start Services to start the Lync 2013 mediation services on this server and use Service Status (Optional) to check if the services are running. There are only three services:

  • Lync Server Mediation;
  • Lync Server Centralized Logging Service;
  • Lync Server Replica Replicator Agent;


Note. Make sure name resolution is set up correctly so that all servers can find each other, especially when using both external and internal names. For example, have a look at this blog post: A call to a PSTN number failed due to non availability of gateways in Lync 2013. Also check the binding order of the network interfaces: if it is in the wrong order the Mediation Server will look for the Front-End pool via the external interface instead of the internal one!

When you log on to the Front-End server and open the Lync Control Panel you will see that the Mediation Server is up and running and that replication is working fine.


So far the installation and configuration hasn’t been that different from other Lync server roles. Now it’s time to connect the Mediation Server to the SIP trunk!

Configuring the SIP trunk

The SIP trunk I will use is from OneXS, based out of Amsterdam, The Netherlands. After signing up for a subscription you get more details, including access to their management portal.

The Mediation Server sets up multiple connections to the SIP trunk provider. The SIP trunk at the provider listens on TCP/5060, while the Mediation Server itself listens on TCP/5068. Besides these ports the Mediation Server in this setup uses UDP ports 60000-65535 for the audio stream (the media port range is a Mediation Server setting, so take the values from your own topology). These ports have to be opened on the firewall between the Mediation Server and the SBC of the SIP trunk provider, and only for that SBC's address, since nothing on this leg is encrypted.
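The port list above translates directly into host firewall rules. What follows is an added example, not code from the original post: Windows Firewall rules for a Windows Server 2012 R2 Mediation Server (the NetSecurity cmdlets) that allow the trunk ports only to and from the provider's SBC, and only on the external NIC. It assumes the SBC is at 203.0.113.10 (a documentation address standing in for the one your provider gives you), that the Internet-facing adapter has the alias "External", and it uses the media range from this post.

```powershell
# Added example (not from the original post): scope the SIP trunk ports on the
# Mediation Server's external NIC to the provider's SBC only.
# Every value below is a placeholder; replace it with your own environment's data.
$SbcAddress  = '203.0.113.10'   # SBC/gateway address supplied by the provider
$ExternalNic = 'External'       # InterfaceAlias of the Internet-facing adapter (see Get-NetAdapter)
$SipListen   = 5068             # TCP port the Mediation Server listens on (from the topology)
$SipProvider = 5060             # TCP port the provider's SBC listens on
$MediaPorts  = '60000-65535'    # UDP media range used in this post; take yours from
                                # (Get-CsService -MediationServer): AudioPortStart / AudioPortCount

# The external NIC is not domain-connected and so falls into the Public profile.
# Keep that profile's default inbound action at Block so only the rules below are reachable.
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block -DefaultOutboundAction Allow

# Settings shared by all four rules: external interface only, SBC address only.
$common = @{
    InterfaceAlias = $ExternalNic
    Profile        = 'Any'
    Action         = 'Allow'
    RemoteAddress  = $SbcAddress
}

# SIP signalling: inbound to the Mediation Server's listening port, outbound to the SBC's.
New-NetFirewallRule @common -DisplayName 'Lync Mediation - SIP from SBC' `
    -Direction Inbound  -Protocol TCP -LocalPort  $SipListen
New-NetFirewallRule @common -DisplayName 'Lync Mediation - SIP to SBC' `
    -Direction Outbound -Protocol TCP -RemotePort $SipProvider

# RTP/RTCP media in both directions, still restricted to the SBC address.
New-NetFirewallRule @common -DisplayName 'Lync Mediation - RTP from SBC' `
    -Direction Inbound  -Protocol UDP -LocalPort $MediaPorts
New-NetFirewallRule @common -DisplayName 'Lync Mediation - RTP to SBC' `
    -Direction Outbound -Protocol UDP

# Verify: every rule created here must carry the SBC address and nothing broader.
Get-NetFirewallRule -DisplayName 'Lync Mediation - *' | ForEach-Object {
    $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    '{0,-32} {1,-9} remote={2}' -f $_.DisplayName, $_.Direction, ($remote -join ',')
}
```

Two things to check after running this. Allow rules are additive, so the scoping above is only as tight as the broadest allow rule for the same ports: list what Lync setup registered with Get-NetFirewallRule -DisplayName '*Lync*' and narrow those with Set-NetFirewallRule -RemoteAddress, or leave the address restriction to the perimeter firewall as this post does. And the media range must match what the Mediation Server actually uses; a wrong range shows up as one-way or no audio while signalling works fine.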

To configure the SIP trunk, logon to the Front-End Server and open the Topology Builder. Download the latest topology from the CMS and store it on the local hard disk.

In the Topology Builder, expand the Mediation pools and select the properties on the mediation pool. In the PSTN Gateway properties, check the Enable TCP port and make sure the TCP port is on 5068, but remember, this depends on the settings of your provider!


Click OK to continue. In the Topology Builder, expand the Shared Components, right-click PSTN gateways and select New IP/PSTN Gateway. In the Define New IP/PSTN Gateway enter the IP address of the PSTN Gateway, this is the IP address of the server (or Session Border Controller, SBC) at the SIP trunk provider. This is provided to you by the provider when you signed up for the service.


For the communication between the mediation server and the SIP trunk provider I limit the service usage to the external network interface of the mediation server.


When the PSTN Gateway is created in the topology a SIP trunk is automatically created in the Topology Builder. Depending on your SIP trunk provider you may have to change the SIP Transport Protocol from TLS to TCP. In our environment the listening port also has to be changed from 5066 to 5060.


The wizard is now finished and when you click OK you will return to the Topology Builder and you can publish the topology to the CMS.

Configure voice routing

Wait a minute or two to have the configuration replicated from the CMS to the various servers, and when you open the Lync 2013 Control Panel the new configuration is clearly visible:


The last steps are configuring the voice routing and creating a dial plan.

In the left hand menu click Voice Routing, select the Route tab and delete the default LocalRoute and create a new Route. Give the new route an appropriate name and scroll down. In the associated trunks section click Add and select the trunk that was created in the previous steps.


Click OK and scroll down, in Associated PSTN Usages click Select and select Long Distance.


Click OK twice, click Commit, select Commit All and in the Uncommitted Voice Configuration Settings dialog box click OK. On the confirmation dialog box click Close.

A dial plan in Lync is how dialed numbers are converted to E.164 numbers. For example, you can enter a local number like 555-1234 and this will automatically be translated to +12125551234 or when you dial 206-222-1234 it will automatically be translated to +12062221234. Here in The Netherlands I would enter a number of 020-1234567 which would be translated to +31201234567.

In the voice routing menu click the dial plan tab and open the global plan. By default there’s one normalization rule available. Scroll down to the associated normalization rules section, click New and fill in the properties.


Scroll a bit down to the dialed number to test field and enter a phone number. When you enter a local phone number it should be translated to the corresponding E.164 number:


Click OK twice, click commit, select commit all and click OK. In the Successfully published voice routing configuration pop-up window click close.

The last step is to configure a voice policy. In the Voice Routing menu click the Voice Policy tab and open the Global Policy. In the associated PSTN usages click Select and select the Long Distance PSTN usage record that was configured in the previous steps.


Click OK, click Commit, select Commit All, click OK and on the Successfully published voice routing configuration pop-up click Close.

The Lync enterprise voice configuration is now complete and we can enterprise voice enable users in the Lync 2013 control panel. In the Lync control panel select a user and open its properties. In the Telephony drop down box select Enterprise Voice and in the Line URI enter a telephone number (in the SIP trunk range of course). This phone number should be in the tel:+31201234567 format.
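Everything from the Configure voice routing section down to enabling the user can also be done from the Lync Server Management Shell on the Front-End server, which is easier to repeat and to review than clicking through the Control Panel. The following is an added example, not code from the original post. It assumes the trunk created above has the identity PstnGateway:203.0.113.10 (a placeholder SBC address; Get-CsTrunk shows the real one), a user sip:user@domain.local, the Long Distance usage and the +31201234567 number from this post, and it uses a Dutch normalization rule for the 020-1234567 example given above. The regular-expression check at the top does the same thing the Control Panel's "Dialed number to test" field does and runs on any machine with PowerShell.

```powershell
# Added example (Lync Server Management Shell on the Front-End). The trunk
# identity, user and number are placeholders for this post's environment.
$Trunk   = 'PstnGateway:203.0.113.10'   # placeholder; see Get-CsTrunk for the real identity
$Usage   = 'Long Distance'
$User    = 'sip:user@domain.local'      # placeholder user
$LineUri = 'tel:+31201234567'

# A normalization rule is a .NET regular expression plus a translation that may
# reference capture groups as $1, $2, ... Check it offline before committing it.
$Pattern     = '^0(\d{9})$'   # Dutch national format: trunk prefix 0 followed by 9 digits
$Translation = '+31$1'        # drop the 0, prepend the country code -> E.164
foreach ($dialed in '020-1234567', '0612345678', '1234') {
    $digits = $dialed -replace '[^\d+]', ''   # the client strips dashes and spaces as well
    if ($digits -match $Pattern) {
        '{0,-12} -> {1}' -f $dialed, [regex]::Replace($digits, $Pattern, $Translation)
    } else {
        '{0,-12} -> no matching rule, the call would fail' -f $dialed
    }
}

# 1. PSTN usage record (already present by default, so only add it when missing)
if ((Get-CsPstnUsage).Usage -notcontains $Usage) {
    Set-CsPstnUsage -Identity Global -Usage @{Add = $Usage}
}

# 2. Route: Dutch E.164 numbers go to the trunk created in the Topology Builder
New-CsVoiceRoute -Identity 'OneXS-NL' -NumberPattern '^\+31\d{9}$' `
    -PstnUsages @{Add = $Usage} -PstnGatewayList @{Add = $Trunk}

# 3. Normalization rule in the Global dial plan, then let Lync test it
New-CsVoiceNormalizationRule -Parent Global -Name 'NL-National' `
    -Pattern $Pattern -Translation $Translation -Description 'Dutch national numbers to E.164'
Test-CsDialPlan -DialedNumber '0201234567' -DialPlan (Get-CsDialPlan -Identity Global)

# 4. Allow the usage in the Global voice policy
Set-CsVoicePolicy -Identity Global -PstnUsages @{Add = $Usage}

# 5. Enterprise Voice enable the user with a number from the trunk range
Set-CsUser -Identity $User -EnterpriseVoiceEnabled $true -LineURI $LineUri
Get-CsUser -Identity $User | Select-Object SipAddress, EnterpriseVoiceEnabled, LineURI
```

Unlike the Control Panel, voice configuration changes made with these cmdlets are committed as soon as the cmdlet returns, so there is no separate Commit All step. Keep the number pattern on the route as narrow as the trunk really needs; a route with a catch-all pattern turns every normalized number, international ones included, into billable calls on that trunk.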


When you logon with the Lync client (works with Lync 2010 and Lync 2013 clients) you’ll see a new phone button in the menu ribbon with a dial pad. You should now be able to make phone calls via the SIP trunk.


In the previous posting I explained how to set up a Lync Front-End server and an Edge server, and here how to configure a SIP trunk using a Mediation Server. One option remains: the Exchange Unified Messaging role for voicemail functionality. That is the topic of this blog post: Lync 2013 and Exchange 2013 Unified Messaging.

On the Lync team blog there is also an excellent post by Brian Ricks on how to configure an IntelePeer SIP trunk on Lync Server 2010, including more detailed information on creating multiple (US based) normalization rules: http://blogs.technet.com/b/drrez/archive/2011/04/21/configuring-an-intelepeer-sip-trunk-solution-in-lync-server-2010.aspx

Publish Lync 2013 Services in TMG 2010

In an earlier blog post I explained how to set up a Lync 2013 environment with a Front-End server and an Edge Server. This way you can use Lync 2013 internally and externally, including federation with other Lync 2010/2013 or OCS 2007 R2 organizations. You might also want to implement publishing rules on your Threat Management Gateway (TMG) 2010 to publish the following additional services:

  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book service.
  • Accessing the Microsoft Lync Web App client.
  • Accessing the Dial-in Conferencing Settings webpage.
  • Accessing the Location Information service.
  • Enabling external devices to connect to Device Update web service and obtain updates.


TMG 2010 Console fails on startup

I have run into this issue several times now. After installing a new Forefront Threat Management Gateway (TMG) 2010, when the TMG Console is started for the first time it fails with the following error:

An error has occurred in the script on this page.
Line: 283
Char: 13
Error: invalid argument
Code: 0
URL:file:///C:/Program%20Files/Microsoft%20Forefront%20Threat%20Management%20Gateway/UI_HTMLs/Generic.htm?guid=%7B43E06AFC-729B-8BC2-33A9E35BB12D%7D
Do you want to continue running scripts on this page?


This is a small bug in HTML interface code. To solve it, navigate to the C:\Program Files\Microsoft Forefront Threat Management Gateway\UI_HTMLs\TabsHandler\ directory and open the TabsHandler.htc file.

There are 3 lines containing “paddingTop” that cause this issue. Make a backup of the file first, then find these lines and disable them by adding // at the beginning of each line.


Save the file and the console opens as expected.
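The same workaround as a script, so it can be repeated on the next TMG installation without editing by hand. This is an added example, not part of the original post; it only assumes the file path given above, keeps a backup next to the file, skips lines that are already commented out so it can be run twice safely, and refuses to write if it finds a different number of paddingTop lines than the three this post describes.

```powershell
# Added example: apply the TabsHandler.htc workaround from this post with a backup
# and an idempotency check. Run in an elevated PowerShell on the TMG 2010 server.
$File = 'C:\Program Files\Microsoft Forefront Threat Management Gateway\UI_HTMLs\TabsHandler\TabsHandler.htc'

# 1. Back up the original once; a second run must not overwrite the backup with a patched copy.
$Backup = "$File.orig"
if (-not (Test-Path $Backup)) {
    Copy-Item -Path $File -Destination $Backup
}

# 2. Comment out every paddingTop line that is not commented out yet.
$changed = 0
$patched = foreach ($line in (Get-Content -Path $File)) {
    if ($line -match 'paddingTop' -and $line -notmatch '^\s*//') {
        $changed++
        '//' + $line
    } else {
        $line
    }
}

# 3. Only write when the file looks like the one this post describes (exactly 3 lines).
if ($changed -eq 0) {
    'Nothing to do: the paddingTop lines are already commented out.'
} elseif ($changed -ne 3) {
    "Found $changed uncommented paddingTop lines instead of 3; inspect $File before patching."
} else {
    Set-Content -Path $File -Value $patched
    "Commented out $changed lines; the original is kept at $Backup."
}
```

The count check is there because the file belongs to the TMG installation: a different count means a different build of the console, and the fix described here may not apply to it. Restoring is a matter of copying TabsHandler.htc.orig back over the file.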