Best Practice installing Lync CU4 and Lync Mobility

Lync Mobility was released some time ago, and after several installations and configurations I decided to write this article to describe the steps needed to successfully install and configure Lync Mobility.

Lync CUs are cumulative updates, which means that each one includes the earlier CUs as well as new fixes. They are like a service pack, and yet quite different.

Prerequisites

Before starting any installation, it is wise to have downloaded the needed software. I have included links to official documentation and software.

A very important requirement is that the Lync Mobility service isn’t supported on a Lync FrontEnd server with a collocated Lync Mediation server when the server has two NICs.

Prepare the Lync environment

There are certain configurations that are required, and I’ll describe them here.

Internal DNS

We need to create internal DNS records for each SIP domain defined in the Lync topology. We can use both CNAME and A records, and I have chosen to create them as follows:

  • CNAME record for lyncdiscoverinternal pointing to the Lync FrontEnd server or to the Lync Director server (if deployed)
  • A record for lyncdiscover pointing to the reverse proxy public IP

External DNS

Create the following record:

  • A record for lyncdiscover pointing to the reverse proxy public IP

CU4 Installation

Start the update process by logging on to your Lync Server and starting the Lync Management Shell. Before the update installation starts, it is a good idea to check whether there are any ongoing calls or meetings. Running Get-CsWindowsService gives us a glimpse of what’s going on in our Lync infrastructure.

After checking for ongoing sessions, it is a good idea to prevent any new sessions from starting. This can be done with Stop-CsWindowsService -Graceful or, if it’s planned downtime, the services can simply be stopped with Stop-CsWindowsService.

The next thing is to stop the World Wide Web service. Do this with: net stop w3svc

Once all services have been stopped, launch the LyncServerUpdateInstaller.exe package and select Install Updates. Once the update package has run, verify that all installed versions are checked green.

If a restart is required, please restart the server.

Run the CU4 installer on any other Lync Servers in the environment, so that all Lync Servers run with the same versions.

The next stage, very important and almost always forgotten, is to update the Lync databases. Read the CU’s release notes to check whether a database update is required or not.
To update the databases, follow these steps:

  • Start Lync Management Shell
  • If Enterprise Edition Back End Server databases are not collocated with any other databases, such as Archiving or Monitoring databases, at the command line, type the following:
    Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn <SQL Server FQDN>
  • If Enterprise Edition Back End Server databases are collocated with other databases, such as Archiving or Monitoring databases, at the command line, type the following:
    Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn <SQL Server FQDN> -ExcludeCollocatedStores
  • For Standard Edition, type the following:
    Install-CsDatabase -Update -LocalDatabases

The database is now updated, and we are ready to start Lync Services and IIS again. At the command line, type:

  • net start w3svc
  • Start-CsWindowsService

Lync Mobility Listening Ports

Before installing Lync Mobility, we need to update the topology with internal and external listening ports. This configuration is needed on ALL Lync FrontEnd servers in the environment.

  • Start Lync Management Shell and issue the following commands:
    • Set-CsWebServer -Identity <Lync Pool FQDN> -McxSipPrimaryListeningPort 5086
    • Set-CsWebServer -Identity <Lync Pool FQDN> -McxSipExternalListeningPort 5087
  • Publish the topology changes:
    • Enable-CsTopology

Mobility Server Installation

Even though the same installation package is used on all Lync FrontEnd and Director servers, the installation will only install services required for that role. FrontEnd server will have both Autodiscover and Mobility, but Director Server will only have the Autodiscover parts.

IIS Requirements

Mobility requires some additional IIS services on the FrontEnd servers only.
On Windows 2008 R2, use the Lync Management Shell to install the required features.

  • Import-Module ServerManager
  • Add-WindowsFeature Web-Server, Web-Dyn-Compression

Mobility and Autodiscover Installation

The Lync Mobility installation package isn’t an ordinary installation package, even though it’s an MSI package.
Put the downloaded McxStandalone.msi into the following directory on each server:

  • C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577\setup\

Use the Lync Management Shell to issue the following commands:

  • cd "C:\Program Files\Microsoft Lync Server\Deployment\"
  • .\Bootstrapper.exe

The Bootstrapper will verify prerequisites and install needed components.
For FrontEnd it will install both Feature_WebComponent_Autodiscover and Feature_WebComponent_Mcx components.
For Director it will only install Feature_WebComponent_Autodiscover component.

Certificates Updates

Since the Mobility installation uses new DNS entries, both internal and external, we need to update both the internal and the external certificates.

Internal Certificates

To complete the installation and configuration of internal Lync Mobility, we need to update the internal certificates. We update the certificates by running the Lync Server Update wizard. Run “Install or Update Lync Server System” – “Request, Install, or Assign Certificates” and click Run Again.

Expand the “Default Certificate”, and select Request. This will start the Certificate Request Wizard.

Run through the wizard and verify that lyncdiscoverinternal and lyncdiscover are included as SAN names in the certificate.

Once the wizard completes, verify that “Assign this certificate to Lync Server” is selected. This will automatically and immediately assign the newly created certificate.

At this point the internal installation is complete, and it’s good practice to reboot the server.

External Access

To complete the installation and configuration for external access, we need to re-request the external certificate and update whatever publishing rule is used to publish the Lync Web Components.

External Certificate

Request a new certificate to be used on the reverse proxy, and make sure that lyncdiscover is included in the certificate.

Use whatever routine you use to request this certificate.

If you would like to use TMG to request this certificate, use the following guide:

Thanks to Chad McGreanor for this great article.

TMG Publishing

Update whatever publishing rule you use so that it includes the additional lyncdiscover name as a public name.
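A way to check the SAN requirement from the Internal Certificates and External Certificate steps against the certificate a listener actually presents. This is an added example, not part of the original article; the contoso.com host names and the sample SAN string are constructed placeholders.

```powershell
# Added example. All host names are placeholders; replace them with your own.

function Get-SanText {
    # Connects to a TLS endpoint and returns the formatted SAN extension of its certificate.
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: the goal is to read it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # 2.5.29.17 is the Subject Alternative Name extension.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $san.Format($false) } else { '' }
    }
    finally { $client.Close() }
}

function ConvertFrom-SanText {
    # Windows formats the extension as "DNS Name=a, DNS Name=b"; keep the value after "=".
    param([string]$Text)
    $Text -split ',\s*' | Where-Object { $_ -match '=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim().ToLowerInvariant() }
}

function Get-MissingSan {
    # Exact, case-insensitive comparison; a wildcard entry is not counted as a match.
    param([string[]]$Required, [string[]]$Present)
    $Required | Where-Object { $Present -notcontains $_.ToLowerInvariant() }
}

# Constructed sample: a certificate requested before lyncdiscover was added.
$sampleSan = 'DNS Name=lyncpool.contoso.com, DNS Name=sip.contoso.com, ' +
             'DNS Name=lyncdiscoverinternal.contoso.com'
$required  = 'lyncdiscoverinternal.contoso.com', 'lyncdiscover.contoso.com'
$missing   = Get-MissingSan -Required $required -Present (ConvertFrom-SanText $sampleSan)
"Missing from sample certificate: $($missing -join ', ')"

# Live check against a FrontEnd server or the reverse proxy listener:
# Get-MissingSan -Required $required -Present (ConvertFrom-SanText (Get-SanText 'lyncpool.contoso.com'))
```

Repeat the live check for every SIP domain in the topology, since each one needs its own lyncdiscover name in the certificate.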

Push Notification

Push Notification is used by Windows and iOS mobile devices which do not support traditional application backgrounding like the Android client does. Federation services between an on-premises Lync deployment and Office 365’s Lync Online are used as the conduit between Lync and the online Push Notification services for Microsoft.

Configuration
  • Use the Lync Management Shell to create a new hosting provider entry:
    • New-CsHostingProvider -Identity "LyncOnline" -Enabled $true -ProxyFqdn "sipfed.online.lync.com" -VerificationLevel UseSourceVerification
  • Use the Lync Management Shell to create a new allowed domain entry:
    • New-CsAllowedDomain -Identity push.lync.com -Comment "Mobile Push Notification"

Push notification isn’t enabled by default, so we need to enable it for both services.

  • Use the Lync Management Shell to enable one or both services.
    • Set-CsPushNotificationConfiguration -EnableApplePushNotificationService $true -EnableMicrosoftPushNotificationService $true

If federation services for some reason haven’t been enabled, we enable them with the following Lync Management Shell command:

  • Set-CsAccessEdgeConfiguration -AllowFederatedUsers $true

Test Federation

To verify that federation is working as expected, we can use the following Lync Management Shell command:

  • Test-CsFederatedPartner -TargetFqdn <Edge Pool FQDN> -Domain push.lync.com -ProxyFqdn sipfed.online.lync.com

Firewall

The official documentation describes the requirement for traffic over TCP port 5223 for push notification.
To make sure that internal mobile devices are able to use push notifications, the firewall must be configured to allow outbound traffic over TCP port 5223 from the wireless network.

Verify Connectivity

To verify that the autodiscover service is working as expected, use a normal browser to access http://lyncdiscover.<SIP Domain>
Open the downloaded file with a text reader and inspect the content of the file.

Make sure that requests are redirected to the reverse proxy’s published URL.
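The manual inspection above can be scripted. This is an added example, not part of the original article: it extracts every URL from an autodiscover response and flags links that are not HTTPS or do not point at the published reverse proxy name. The host names and the sample response body are constructed, and the body's shape is simplified for illustration.

```powershell
# Added example. Host names and the sample body are constructed placeholders.

function Get-LinkHosts {
    # Pulls every absolute http(s) URL out of a response body.
    param([string]$Body)
    # JSON may escape slashes as "\/"; undo that before matching.
    $text = $Body -replace '\\/', '/'
    [regex]::Matches($text, 'https?://[^\s"''<>\\]+') | ForEach-Object {
        $uri = [System.Uri]$_.Value
        New-Object PSObject -Property @{
            Scheme = $uri.Scheme
            Host   = $uri.Host.ToLowerInvariant()
            Url    = $_.Value
        }
    }
}

function Test-AutodiscoverLinks {
    # Returns the links that are not HTTPS or that point away from the published name.
    param([string]$Body, [string]$PublishedHost)
    $expected = $PublishedHost.ToLowerInvariant()
    Get-LinkHosts $Body | Where-Object {
        $_.Scheme -ne 'https' -or $_.Host -ne $expected
    }
}

# Constructed sample: one link uses the published name, one exposes an internal server name.
$sample = '{"Root":{"Links":[' +
    '{"href":"https:\/\/lyncweb.contoso.com\/Autodiscover\/AutodiscoverService.svc\/root\/domain","token":"Domain"},' +
    '{"href":"https:\/\/fe01.contoso.local\/Autodiscover\/AutodiscoverService.svc\/root\/user","token":"User"}]}}'

$bad = @(Test-AutodiscoverLinks -Body $sample -PublishedHost 'lyncweb.contoso.com')
if ($bad.Count -eq 0) {
    'All links point at the published reverse proxy name over HTTPS.'
} else {
    $bad | ForEach-Object { "Unexpected link: $($_.Url)" }
}

# Live check from an external network (WebClient follows the redirect for us):
# $body = (New-Object System.Net.WebClient).DownloadString('http://lyncdiscover.contoso.com')
# Test-AutodiscoverLinks -Body $body -PublishedHost 'lyncweb.contoso.com'
```

A link that carries an internal server name in an externally fetched response means mobile clients outside the network cannot follow it, and it discloses internal naming to anyone who queries the service.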