1. Planning for Hardware and Software
Although many non-voice Lync Server 2010 deployments will be virtualized,
every server used for Lync Server 2010, physical or virtual, must meet a few
baseline requirements. Keep these in mind when planning a Lync Server 2010
deployment:
• Lync Server 2010 only runs as a 64-bit application and must have 64-bit hardware.
• Lync Server 2010 does not support Intel Itanium processors.
From an operating system perspective, plan to use one of the following operating systems for Lync Server 2010:
• Windows Server 2008 R2 Standard operating system
• Windows Server 2008 R2 Enterprise operating system
• Windows Server 2008 R2 Datacenter operating system
• Windows Server 2008 x64 Standard operating system with Service Pack 2 (SP2)
• Windows Server 2008 x64 Enterprise operating system with SP2
• Windows Server 2008 x64 Datacenter operating system with SP2
Warning
Installing any Lync Server 2010 role on a computer running Windows Server
2008 x64 Datacenter or Windows Server 2008 R2 Datacenter that has multiple
processor groups configured is not supported. Windows creates more than one
processor group when a machine has more than 64 logical processors, and the
SQL Server 2008 Express instance that every Lync Server 2010 role installs
locally is incompatible with multiple processor groups.
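The following script is an added example, not part of the book, that checks a candidate host against the requirements just listed: 64-bit operating system, x64 (not Itanium) processors, a supported Windows Server version and edition, and a single processor group. It is written for PowerShell 2.0, the version that ships with Windows Server 2008 R2, and uses only WMI classes and the documented kernel32 function GetActiveProcessorGroupCount; the function and namespace names are the example's own.

```powershell
# Added example (not from the book): pre-installation check for a Lync Server 2010 host.
# Run on the prospective server from an elevated PowerShell 2.0 prompt.

function Test-LyncHostPrerequisites {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $cpu = @(Get-WmiObject -Class Win32_Processor)
    $results = @()

    # 64-bit operating system only. OSArchitecture is populated on Vista/2008 and later.
    $results += New-Object PSObject -Property @{
        Check  = '64-bit operating system'
        Passed = ($os.OSArchitecture -eq '64-bit')
        Detail = $os.OSArchitecture
    }

    # Win32_Processor.Architecture: 9 = x64, 6 = Itanium (Itanium is not supported).
    $nonX64 = @($cpu | Where-Object { $_.Architecture -ne 9 })
    $results += New-Object PSObject -Property @{
        Check  = 'x64 processors (Itanium unsupported)'
        Passed = ($nonX64.Count -eq 0)
        Detail = 'Architecture codes: ' + (($cpu | ForEach-Object { $_.Architecture }) -join ',')
    }

    # Supported OS: Windows Server 2008 SP2 (version 6.0, SP 2) or Windows Server 2008 R2
    # (version 6.1), Standard/Enterprise/Datacenter edition. ProductType 1 is a client OS
    # (Windows 7 also reports 6.1), so it is excluded.
    $ver       = [Version]$os.Version
    $is2008Sp2 = ($ver.Major -eq 6 -and $ver.Minor -eq 0 -and $os.ServicePackMajorVersion -ge 2)
    $is2008R2  = ($ver.Major -eq 6 -and $ver.Minor -eq 1)
    $results += New-Object PSObject -Property @{
        Check  = 'Supported operating system and edition'
        Passed = ($os.ProductType -ne 1 -and ($is2008Sp2 -or $is2008R2) -and $os.Caption -match 'Standard|Enterprise|Datacenter')
        Detail = "$($os.Caption) $($os.Version) SP$($os.ServicePackMajorVersion)"
    }

    # Processor groups: more than one group appears on machines with more than 64 logical
    # processors. GetActiveProcessorGroupCount exists on Windows Server 2008 R2 and later;
    # on Windows Server 2008 (no processor-group support) the call is missing, which means
    # there can only be a single group.
    if (-not ('LyncPrereq.Kernel32' -as [type])) {
        Add-Type -Namespace LyncPrereq -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern ushort GetActiveProcessorGroupCount();
'@
    }
    try   { $groups = [int][LyncPrereq.Kernel32]::GetActiveProcessorGroupCount() }
    catch { $groups = 1 }
    $results += New-Object PSObject -Property @{
        Check  = 'Single processor group (SQL Server 2008 Express limitation)'
        Passed = ($groups -le 1)
        Detail = "$groups active processor group(s); edition: $($os.Caption)"
    }

    $results
}

Test-LyncHostPrerequisites | Format-Table Check, Passed, Detail -AutoSize
```

Any row with Passed set to False means the host does not meet the stated requirement; the Detail column shows the observed value so the finding can be recorded in the build documentation.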
Although the Lync Server 2010 roles are limited
to the previous operating systems, the Planning Tool can be run on any
of the following operating systems:
• The 32-bit version of Windows 7 operating system
• The 64-bit version of Windows 7 operating system using the WOW64 x86 emulator
• The 32-bit edition of Windows Vista with SP2 operating system
• The 64-bit edition of Windows Vista with SP2 operating system using the WOW64 x86 emulator
• The 32-bit edition of Windows XP with SP3 operating system
• The 64-bit edition of Windows XP with SP3 operating system using WOW64 x86
• The 32-bit edition of Windows Server 2008 operating system
• The 64-bit edition of Windows Server 2008 operating system using WOW64 x86
• The 32-bit edition of Windows Server 2008 R2 operating system
• The 64-bit edition of Windows Server 2008 R2 operating system using WOW64 x86
Also, plan for a standardized operating system build for Lync Server 2010
systems. Deciding up front which software and features will and will not be
present makes the security implications of the systems easier to understand,
and the systems become easier to support because their configuration is well
known to the group supporting them.
2. Planning for Network Infrastructure Requirements
When planning a non-voice Lync Server 2010 deployment, do not forget to
account for the demands the deployment will place on the network. Each Lync
Server 2010 server should have at least one network interface rated for
1 Gbps of throughput and should be connected to a low-latency, high-speed
local area network (LAN).
Take into consideration plans for how servers will be logically
deployed when planning for their physical deployment. For example, if
multiple Front End Servers are load balanced for redundancy, consider
placing them into different physical racks and connecting them to
independent power circuits.
Caution
Placing all the load-balanced systems in a single rack only increases the
chance that a single event (a failed power circuit, a switch failure, a
cooling problem) takes out all of them, negating the redundancy the load
balancing was meant to provide.
When planning LAN or wide area network (WAN) requirements, expect some
deviation between predicted loads and actual observed loads. Take this into
consideration when evaluating whether existing network connections will
handle the added load of Lync Server 2010, and measure the real load during a
pilot before committing to the sizing.
Use the following rules of thumb for Lync Server 2010 when planning network usage:
• Plan for 65 Kbps per audio stream and 500 Kbps per video stream as peak values.
• Bidirectional audio and video sessions count as two streams.
• Lync Server media endpoints adapt to varying network conditions and can
usually tolerate oversubscription of up to 3 times. Although an audio stream
peaks at 65 Kbps, you can typically run three audio streams in the same
65 Kbps without users noticing a drop in quality.
• If a site lacks the capacity to comfortably run video streams, consider disabling video for that site.
• Expect degraded audio and video performance between endpoints separated by more than 150 ms of latency.
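The function below is an added example, not part of the book, that applies these rules of thumb to size a site's link: it counts two streams per bidirectional session, sums the peak rates, computes the floor the endpoints could adapt down to at the 3x oversubscription limit, and recommends disabling video when audio fits at peak but video does not. The per-stream rates and the oversubscription ratio are the book's figures; the session counts and link capacity in the sample call are constructed.

```powershell
# Added example (not from the book): WAN sizing from the Lync Server 2010 rules of thumb.

function Get-LyncMediaBandwidthPlan {
    param(
        [int]$AudioSessions,            # concurrent bidirectional audio calls at the site
        [int]$VideoSessions,            # concurrent bidirectional video calls at the site
        [int]$LinkKbps,                 # capacity available to Lync media on the site's link
        [double]$Oversubscription = 3   # endpoints adapt to oversubscription of up to 3x
    )
    $audioStreamKbps = 65    # peak per audio stream
    $videoStreamKbps = 500   # peak per video stream

    # A bidirectional session carries one stream in each direction, so it counts twice.
    $audioPeakKbps = 2 * $AudioSessions * $audioStreamKbps
    $videoPeakKbps = 2 * $VideoSessions * $videoStreamKbps
    $totalPeakKbps = $audioPeakKbps + $videoPeakKbps

    # The least the link must carry if every endpoint adapts all the way to the limit.
    $adaptedKbps = [math]::Ceiling($totalPeakKbps / $Oversubscription)

    if ($totalPeakKbps -le $LinkKbps) {
        $verdict = 'Fits at peak rates'
    } elseif ($audioPeakKbps -le $LinkKbps) {
        # Audio is comfortable but video is not: the book's advice is to disable video here.
        $verdict = 'Audio fits at peak but video does not; consider disabling video for this site'
    } elseif ($adaptedKbps -le $LinkKbps) {
        $verdict = 'Fits only if endpoints adapt; expect degraded audio under load'
    } else {
        $verdict = 'Exceeds the link even with maximum adaptation; add capacity or reduce concurrency'
    }

    New-Object PSObject -Property @{
        AudioPeakKbps          = $audioPeakKbps
        VideoPeakKbps          = $videoPeakKbps
        TotalPeakKbps          = $totalPeakKbps
        AdaptedMinimumKbps     = $adaptedKbps
        LinkKbps               = $LinkKbps
        MaxAudioSessionsAtPeak = [math]::Floor($LinkKbps / (2 * $audioStreamKbps))
        Verdict                = $verdict
    }
}

# Constructed sample: a branch site with 20 concurrent audio calls, 4 concurrent video
# calls, and 3 Mbps of link capacity reserved for Lync media.
Get-LyncMediaBandwidthPlan -AudioSessions 20 -VideoSessions 4 -LinkKbps 3000
```

For the sample site the audio peak is 2,600 Kbps and the video peak 4,000 Kbps, so the total of 6,600 Kbps exceeds the 3 Mbps link while audio alone does not; the function therefore recommends disabling video rather than relying on endpoint adaptation to squeeze 6,600 Kbps into 3,000.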
3. Planning for Active Directory Dependencies
Like most Microsoft applications, Lync Server 2010 depends heavily
on Active Directory to authenticate users, find server pools, and
generally keep data flowing. As such, it is critical to account for
this when planning a Lync Server 2010 deployment of any kind. Plan to
upgrade legacy domain controllers and be aware that Windows Server 2003
mixed mode is not supported by Lync Server 2010.
One of the best things you can do prior to a large deployment into
Active Directory is to perform an Active Directory health check. This
involves reviewing event logs, running tools such as DCDiag and Repadmin
(NetDiag was a Windows Server 2003 Support Tool and is not available on
Windows Server 2008 or later), and checking replication health to ensure
that the directory itself is healthy and operating correctly.
Caution
Failure to realize that the directory itself
is unstable or unhealthy greatly increases the chances of running into
problems during a deployment of an application such as Lync Server 2010.
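The script below is an added example, not part of the book, of the health sweep just described: it runs dcdiag across the enterprise, reads replication status from repadmin, and pulls recent errors from the Directory Service and DNS Server event logs on a domain controller. It assumes PowerShell 2.0 with the AD DS tools (dcdiag.exe and repadmin.exe) installed, an elevated domain-admin session, and English-language tool output, since dcdiag and repadmin are not cmdlets and their text is parsed here. The function name and the default domain controller choice are the example's own.

```powershell
# Added example (not from the book): pre-deployment Active Directory health check.

function Test-ActiveDirectoryHealth {
    param(
        [string]$DomainController = ($env:LOGONSERVER -replace '\\', ''),  # DC whose logs to read
        [int]$EventLogHours = 24
    )
    $report = @()

    # dcdiag across every DC in the enterprise (/e). /q prints only failures, so every
    # "failed test" line is a finding.
    $dcdiagOut = & dcdiag.exe /e /q 2>&1 | Out-String -Stream
    $dcdiagFailures = @($dcdiagOut | Where-Object { $_ -match 'failed test' })
    $report += New-Object PSObject -Property @{
        Check  = 'dcdiag /e /q'
        Passed = ($dcdiagFailures.Count -eq 0)
        Detail = ($dcdiagFailures | ForEach-Object { $_.Trim() }) -join '; '
    }

    # Replication: repadmin /showrepl * /csv lists every inbound partner link on every DC
    # with its failure count and last error. Stray non-CSV lines (unreachable DCs) are dropped.
    $csv     = & repadmin.exe /showrepl * /csv 2>$null | Where-Object { $_ -match ',' }
    $links   = @($csv | ConvertFrom-Csv)
    $failing = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
    $report += New-Object PSObject -Property @{
        Check  = 'repadmin /showrepl * /csv'
        Passed = ($links.Count -gt 0 -and $failing.Count -eq 0)
        Detail = ($failing | ForEach-Object {
            "$($_.'Destination DSA') <- $($_.'Source DSA') [$($_.'Naming Context')]: " +
            "$($_.'Number of Failures') failures, last status $($_.'Last Failure Status')"
        }) -join '; '
    }

    # Event logs: errors in the last $EventLogHours hours on the chosen DC. The DNS Server
    # log exists only on DCs that also run DNS, so an unreadable log is reported, not hidden.
    $since = (Get-Date).AddHours(-$EventLogHours)
    foreach ($log in 'Directory Service', 'DNS Server') {
        try {
            $errors = @(Get-EventLog -ComputerName $DomainController -LogName $log -EntryType Error -After $since -ErrorAction Stop)
            $passed = ($errors.Count -eq 0)
            $detail = ($errors | Select-Object -First 5 | ForEach-Object {
                "EventID $($_.EventID): $($_.Message.Split("`n")[0].Trim())"
            }) -join '; '
        } catch {
            if ($_.Exception.Message -match 'No matches found') {
                $passed = $true; $detail = ''     # Get-EventLog reports an empty filter result as an error
            } else {
                $passed = $false; $detail = "could not read log: $($_.Exception.Message)"
            }
        }
        $report += New-Object PSObject -Property @{
            Check  = "$log log errors on $DomainController (last $EventLogHours h)"
            Passed = $passed
            Detail = $detail
        }
    }

    $report
}

Test-ActiveDirectoryHealth | Format-Table Check, Passed, Detail -AutoSize -Wrap
```

Run the sweep a few days before the schema and forest preparation steps, resolve every failing row, and run it again immediately beforehand; a replication link that has been failing for days will otherwise surface as a "schema not replicated" error during deployment.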
4. Planning for Certificates
One of the more difficult decisions when deploying Public Key
Infrastructure (PKI)-enabled applications such as Lync Server 2010 is
whether to use internal or public certificates. In this context, internal means issued by a Certificate Authority that operating systems do not trust automatically, whereas public means issued by a Certificate Authority whose root is already present in the trusted root store of the operating systems involved, including any remote or federated endpoints that must validate the certificate.
Lync Server 2010 uses certificates for the following purposes:
• External or remote user access to audio/video sessions as well as conferencing and application sharing
• Remote user access for instant messaging
• Federation using automatic DNS discovery of partners
• Mutual Transport Layer Security (MTLS) connections between servers
• Transport Layer Security (TLS) connections between client and server
Regardless of whether internal or public certificates are used, the following requirements must be met:
• All server certificates must support server authentication (Server EKU [1.3.6.1.5.5.7.3.1])
• All server certificates must contain a valid and reachable Certificate Revocation List (CRL) Distribution Point (CDP)
• Key lengths must be 1024, 2048, or 4096 bits. In practice use 2048 bits or more; 1024-bit RSA keys are deprecated and public Certificate Authorities no longer issue them.
• All server certificates must use one of the following public key algorithms, as named by the Windows CNG provider:
• ECDH_P256
• ECDH_P384
• ECDH_P512
• RSA
Various Lync Server 2010 roles have specific requirements for the names
contained in their certificates. Luckily for administrators, the
Certificate Wizard builds the certificate request automatically and
accounts for pool names, fully qualified domain names of hosts, and the
simple URLs (such as meet and dialin) that roles and features create. The
Lync Server 2010 administrator should confirm that the Certificate
Authority to be used, whether internal or public, supports subject
alternative names (SANs), because those additional names are carried in the
certificate's SAN extension.
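The function below is an added example, not part of the book, that verifies an issued certificate against the requirements listed above and the naming discussion just given: the server-authentication EKU, a CDP whose CRL can actually be fetched (checked by building the chain with online revocation), the key algorithm and length, and the presence of every required pool, host and simple-URL name in the SAN extension. It uses the .NET X509 classes available to PowerShell 2.0, needs network access to the CDP for the revocation step, and parses the English-language text of the extension Format() output. The thumbprint and the names in the sample call are constructed.

```powershell
# Added example (not from the book): validate a Lync Server 2010 certificate in the
# machine Personal store against the requirements in this section.

function Test-LyncServerCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,  # cert in Cert:\LocalMachine\My
        [string[]]$RequiredNames = @()                     # pool FQDN, host FQDN, simple URL hosts
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $r = @()

    # 1. Server authentication EKU (1.3.6.1.5.5.7.3.1) must be present explicitly.
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $r += New-Object PSObject -Property @{ Check = 'Server Authentication EKU'
        Passed = ($ekus -contains '1.3.6.1.5.5.7.3.1'); Detail = ($ekus -join ',') }

    # 2. A CDP extension (OID 2.5.29.31) must exist and its CRL must be fetchable. Building
    #    the chain with online revocation checking surfaces an unreachable CRL as the
    #    RevocationStatusUnknown / OfflineRevocation status flags.
    $cdpExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpUrls = @()
    if ($cdpExt) { $cdpUrls = @([regex]::Matches($cdpExt.Format($true), '(https?|ldap)://[^\s,]+') | ForEach-Object { $_.Value }) }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $crlUnreachable = ($status -contains 'RevocationStatusUnknown') -or ($status -contains 'OfflineRevocation')
    $r += New-Object PSObject -Property @{ Check = 'CDP present and CRL reachable'
        Passed = ($cdpUrls.Count -gt 0 -and -not $crlUnreachable)
        Detail = 'CDP: ' + ($cdpUrls -join ' ') + '; chain status: ' + ($status -join ',') }

    # 3. Key algorithm and length. PublicKey.Oid.FriendlyName is 'RSA' for RSA keys and
    #    'ECC' for elliptic-curve keys; the curve (P256/P384/...) is not decoded here.
    $alg = $cert.PublicKey.Oid.FriendlyName
    $keySize = 0
    try { $keySize = $cert.PublicKey.Key.KeySize } catch { }   # .Key is unavailable for ECC on .NET 3.5
    $keyOk = ($alg -eq 'RSA' -and ((1024, 2048, 4096) -contains $keySize)) -or ($alg -eq 'ECC')
    $r += New-Object PSObject -Property @{ Check = 'Key algorithm and length'
        Passed = $keyOk; Detail = "$alg $keySize" }

    # 4. Every required name must appear as a DNS entry in the SAN extension (OID 2.5.29.17).
    #    Clients consult the subject CN only when no SAN extension is present, so the CN alone
    #    does not satisfy a name requirement on a SAN certificate.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) { $sans = @([regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }) }
    $missing = @($RequiredNames | Where-Object { $sans -notcontains $_ })
    $r += New-Object PSObject -Property @{ Check = 'Required names present in SAN'
        Passed = ($missing.Count -eq 0)
        Detail = 'SAN: ' + ($sans -join ' ') + '; missing: ' + ($missing -join ' ') }

    $r
}

# Constructed sample: a Front End pool certificate that must carry the pool name, the
# host name, and the meet and dialin simple URLs.
Test-LyncServerCertificate -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' `
    -RequiredNames 'pool01.contoso.com', 'fe01.contoso.com', 'meet.contoso.com', 'dialin.contoso.com' |
    Format-Table Check, Passed, Detail -AutoSize -Wrap
```

Run the check on each server after the certificate is installed but before the role is started; a CDP that is reachable from the server itself but not from the Internet will still pass here, so for Edge and reverse-proxy certificates repeat the revocation step from a machine outside the corporate network.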
Note
In general, subject alternative name (SAN) certificates cost more than
traditional single-name certificates. Many public certificate providers
charge per name, at the same price as a normal single-name certificate.
Other providers charge a flat rate for a SAN certificate and allow the
purchaser to add as many names as the provider's size allowance permits;
the shorter the names, the more will fit. Some providers place arbitrary
limits on the number of SAN entries allowed in a certificate.