Lync 2013 is not working from external

1- Step by step, how to configure the publishing rules at TMG for SIP, WC and AV, how to import the certificate, and which certificate I should import: is it the external edge certificate?

2- When I published through Fortigate with 4 rules (one from ext port 443 to 1st ext edge IP port 4443, one from ext port 443 to 1st ext edge IP port 443, one for WC from ext port 441 to 2nd ext edge IP port 443, and the last for AV from ext port 442 to 3rd ext edge IP port 443) and tried to log in from external with sign-in name x.x at the public domain, it asked me for login and password; when I wrote localdomain\x.x and the password, the following error appeared: "Lync couldn't find a Lync server for (ext domain). There might be an issue with the DNS configuration for your domain. Please contact your support team."

Can anyone support me? Be informed that I bought a public certificate from DigiCert, and the SAN names include each URL: meet, dial, lyncdiscover, WC, AV, SIP, and the external web site, which is connect.publicdomain.

February 6th, 2015 3:05pm

Hi,

Do you have an Edge server in your deployment?

For external Lync access you require a Lync Edge server.

You have to open these ports on your Edge server:

Protocol        Source                                  Destination                                 Description
SIP/TCP/443     Any Internet address                    Public IP of the SIP (Access) Edge service  SIP traffic between client and server for external users
SIP/TCP/5061    Any Internet address                    Public IP of the SIP (Access) Edge service
SIP/TCP/5061    Public IP of the SIP (Access) Edge      Any Internet address
PSOM/TCP/443    Any Internet address                    Public IP of the Web Conferencing Edge      Web conferencing media
STUN/UDP/3478   Public IP of the A/V Edge service       Any Internet address                        Traffic used by the client to determine the version of the Edge Server
STUN/UDP/3478   Any Internet address                    Public IP of the A/V Edge service           Connection negotiation traffic over UDP
STUN/TCP/443    Any Internet address                    Public IP of the A/V Edge service           Connection negotiation traffic over TCP/443
STUN/TCP/443    Public IP of the A/V Edge service       Any Internet address                        Connection negotiation traffic over TCP/443

Here are the links for installing the Edge server.

http://social.technet.microsoft.com/wiki/contents/articles/16931.installing-lync-2013-edge-server.aspx

http://www.orcsweb.com/blog/cory-granata/installing-lync-2013-edge-server/

The Reverse Proxy is responsible for mobility traffic, meeting content download, etc.

In the reverse proxy you have to publish 80 to 8080 and 443 to 4443.

Here are the links for installing the Reverse Proxy.

TMG Installation 

http://jaapwesselius.com/2012/12/21/publish-lync-2013-services-in-tmg-2010/

IIS ARR

http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx

http://jaapwesselius.com/2014/03/16/using-arr-for-reverse-proxy-with-lync-2013/

February 6th, 2015 7:00pm

Thanks for your reply. I have an Edge server.

Do I have to publish from TMG, or should Fortigate work also?

I opened all ports from external to internal for testing, and because we did not configure TMG for publishing, we did the following at the Fortigate as a test:

- NAT from firewall (x.x.12.245 public IP port 443 to 192.168.100.13, the SIP IP at the external NIC of the Edge, port 4443)

- (x.x.12.245 public IP port 443 to 192.168.100.13, the SIP IP at the external NIC of the Edge, port 443)

- (x.x.12.245 public IP port 442 to 192.168.100.14, the WC IP at the external NIC of the Edge, port 443)

- (x.x.12.245 public IP port 441 to 192.168.100.15, the AV IP at the external NIC of the Edge, port 443)

- Open all ports


Problems:

- When tried from mobile, cannot access.

- When tried from a laptop, writing the account mail as the sign-in name (like X.X at domain.ae), the credential username and password are required, which is localdomain\x.x; after 1-2 min the error below appeared:

  "Lync couldn't find a Lync server for (ext domain). There might be an issue with the DNS configuration for your domain. Please contact your support team."

We did not build any rules at TMG, just NAT from the Fortigate firewall to the external Edge NIC IPs, with all ports opened.

Requirements

If you have any documents on publishing Lync 2013 to be able to publish AV, WC and SIP, please send them to me.

I also need to know: should I build 3 rules at TMG to publish Lync for SIP, AV and WC, or is it just one rule? And if it is one rule, how does it transfer traffic to each Edge IP?

Also, will TMG need a certificate? Is that certificate the external Edge certificate or another certificate?

Is there anything missing in the DNS records?

1- External DNS records: x.x.12.245 is the public IP

Public DNS                      Record Type        Linked IP / Target
sip.publicdomain.ae             A                  x.x.12.245
wc.publicdomain.ae              A                  x.x.12.245
av.publicdomain.ae              A                  x.x.12.245
lyncdiscover.publicdomain.ae    A                  x.x.12.245
connect.publicdomain.ae         A                  x.x.12.245
sip                             SRV (tls, 443)     sip.publicdomain.ae

2- Internal DNS: there are 2 forward zones (domain.local, publicdomain.ae)

- domain.local (10.0.30.37 is lyncFE01.domain.local, 10.0.30.43 is lyncFE02.domain.local)

Internal DNS                         Record Type                              Linked IP / Target
lyncfe01.domain.local                A                                        10.0.30.37
meet.domain.local                    A                                        10.0.30.37
dialin.domain.local                  A                                        10.0.30.37
admin.domain.local                   A                                        10.0.30.37
_sipinternaltls                      SRV (_tcp, port 5061, priority 0)        lyncFE01.domain.local
lyncdiscoverinternal.domain.local    A                                        10.0.30.37
lyncfe02.domain.local                A                                        10.0.30.43
_sipinternaltls                      SRV (_tcp, port 5061, priority 10)       10.0.30.43

- publicdomain.ae

DNS                                  Record Type        Linked IP
sip.publicdomain.ae                  A                  10.0.30.37
lyncdiscover.publicdomain.ae         A                  10.0.30.37

Of course I enabled remote and public access under Security in the Lync Control Panel.

If you have an email address, send it to me and I will send you a file with the whole data and diagram.

  • Edited by hany_saleh Friday, February 06, 2015 4:38 PM
February 6th, 2015 7:27pm


Hi,

Check this link to test the Lync environment and see whether you get any errors.

https://testconnectivity.microsoft.com/

February 6th, 2015 7:48pm

I did the test many times and got a problem in the certificate chain at the intermediate. I fixed it many times but the same error appears every time. I did the test without the SSL certificate, and it is OK.
February 6th, 2015 9:59pm

Hi,

Please double check the Lync Edge Server certificate and make sure the SANs include the Edge external interface names, such as the following:

webcon.contoso.com

sip.contoso.com

From your description above, you use only one public IP to deploy the Edge Server. You can use a single IP and FQDN for the Access Edge, Web Conferencing Edge and A/V Edge services.

When you use a single IP and FQDN for the Access Edge, Web Conferencing Edge and A/V Edge services, you must specify a different port number for each of the Edge services (recommended port settings: 5061 for the Access Edge service, 444 for the Web Conferencing Edge service, and 443 for the A/V Edge service). In this case, port 443 may not be used for the Access Edge service, and you must change the port number of the SRV record for external automatic sign-in to the specific port that you typed in for the Access Edge service.

Best Regards,
Eason Huang

February 9th, 2015 1:24am
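The checks below are an added example written for this thread; they are not code from any of the posters or from Microsoft. The input is constructed to mirror the publishing plan described above (one public IP, three Edge external IPs each listening on 443, NAT rules for public ports 443/442/441, the external A and SRV records), with placeholder addresses (the 203.0.113.0/24 documentation range) and a made-up domain. For each Edge role it follows the path an external client would take: resolve the FQDN, then ask whether the firewall forwards that public ip:port to the right Edge IP and port. It also compares the `_sip._tls` SRV record with the Access Edge port, checks the FQDNs against the certificate SAN list, and runs the same audit over a second plan that applies the per-role ports recommended in the last reply (5061/444/443) consistently to topology, NAT and SRV. The `NatRule`/`EdgeRole` structures, role names and the `audit` function are the example's own, and only the TCP listeners are modelled (the UDP 3478 rule from the port table is not).

```python
"""Consistency checks for a Lync 2013 Edge publishing plan behind one public IP.
Added example; all addresses and names below are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    public_ip: str
    public_port: int
    edge_ip: str
    edge_port: int


@dataclass(frozen=True)
class EdgeRole:
    name: str       # "access", "webconf" or "av" (example's own labels)
    fqdn: str       # external FQDN the client connects to
    port: int       # external port configured for this role in the Edge topology
    edge_ip: str    # IP on the Edge external NIC that hosts this role


def check_nat_conflicts(rules):
    """A public ip:port can only be delivered to one target; flag any second mapping."""
    targets, findings = {}, []
    for r in rules:
        key, target = (r.public_ip, r.public_port), (r.edge_ip, r.edge_port)
        if key in targets and targets[key] != target:
            findings.append(f"{key[0]}:{key[1]} forwarded to both "
                            f"{targets[key][0]}:{targets[key][1]} and {target[0]}:{target[1]}")
        targets.setdefault(key, target)
    return findings


def check_role_reachability(roles, a_records, rules):
    """Resolve each role's FQDN, then require public_ip:port -> edge_ip:port.
    Returns {role_name: [problem, ...]} for roles whose path is broken."""
    problems = {}
    for role in roles:
        msgs = []
        public_ip = a_records.get(role.fqdn)
        if public_ip is None:
            msgs.append(f"no A record for {role.fqdn}")
        else:
            hits = [r for r in rules if (r.public_ip, r.public_port) == (public_ip, role.port)]
            if not hits:
                msgs.append(f"nothing forwards {public_ip}:{role.port} to {role.edge_ip}:{role.port}")
            for r in hits:
                if (r.edge_ip, r.edge_port) != (role.edge_ip, role.port):
                    msgs.append(f"{public_ip}:{role.port} lands on {r.edge_ip}:{r.edge_port}, "
                                f"not on {role.edge_ip}:{role.port}")
        if msgs:
            problems[role.name] = msgs
    return problems


def check_srv(srv_records, access_role):
    """The sign-in SRV record must name the Access Edge FQDN and its external port."""
    return [f"{name} -> {target}:{port}, expected {access_role.fqdn}:{access_role.port}"
            for name, (target, port) in srv_records.items()
            if (target, port) != (access_role.fqdn, access_role.port)]


def check_sans(roles, sans):
    """Every external Edge FQDN must appear in the certificate's SAN list."""
    return [f"{r.fqdn} missing from certificate SANs" for r in roles if r.fqdn not in sans]


def audit(roles, nat, srv, a_records, sans):
    """Run all checks; an empty list means the plan is internally consistent."""
    access = next(r for r in roles if r.name == "access")
    findings = check_nat_conflicts(nat) + check_srv(srv, access) + check_sans(roles, sans)
    for role, msgs in check_role_reachability(roles, a_records, nat).items():
        findings += [f"[{role}] {m}" for m in msgs]
    return findings


# --- constructed sample data modelled on the thread ---
PUBLIC_IP = "203.0.113.245"
A_RECORDS = {"sip.example.ae": PUBLIC_IP, "wc.example.ae": PUBLIC_IP, "av.example.ae": PUBLIC_IP,
             "lyncdiscover.example.ae": PUBLIC_IP, "connect.example.ae": PUBLIC_IP}
SANS = {"sip.example.ae", "wc.example.ae", "av.example.ae", "lyncdiscover.example.ae",
        "connect.example.ae", "meet.example.ae", "dialin.example.ae"}
# The plan as posted: three Edge external IPs, each role on 443, public ports 443/442/441
THREAD_ROLES = [EdgeRole("access", "sip.example.ae", 443, "192.168.100.13"),
                EdgeRole("webconf", "wc.example.ae", 443, "192.168.100.14"),
                EdgeRole("av", "av.example.ae", 443, "192.168.100.15")]
THREAD_NAT = [NatRule(PUBLIC_IP, 443, "192.168.100.13", 4443),
              NatRule(PUBLIC_IP, 443, "192.168.100.13", 443),
              NatRule(PUBLIC_IP, 442, "192.168.100.14", 443),
              NatRule(PUBLIC_IP, 441, "192.168.100.15", 443)]
THREAD_SRV = {"_sip._tls.example.ae": ("sip.example.ae", 443)}
# Same deployment with the recommended per-role ports applied everywhere
FIXED_ROLES = [EdgeRole("access", "sip.example.ae", 5061, "192.168.100.13"),
               EdgeRole("webconf", "wc.example.ae", 444, "192.168.100.14"),
               EdgeRole("av", "av.example.ae", 443, "192.168.100.15")]
FIXED_NAT = [NatRule(PUBLIC_IP, 5061, "192.168.100.13", 5061),
             NatRule(PUBLIC_IP, 444, "192.168.100.14", 444),
             NatRule(PUBLIC_IP, 443, "192.168.100.15", 443)]
FIXED_SRV = {"_sip._tls.example.ae": ("sip.example.ae", 5061)}

if __name__ == "__main__":
    for label, plan in (("thread plan", (THREAD_ROLES, THREAD_NAT, THREAD_SRV)),
                        ("fixed plan", (FIXED_ROLES, FIXED_NAT, FIXED_SRV))):
        print(f"== {label} ==")
        for f in audit(*plan, A_RECORDS, SANS) or ["no findings"]:
            print(" ", f)
```

Run it as a script to see both reports. On the plan from the thread it reports the public 443 socket forwarded twice, and that wc.example.ae:443 and av.example.ae:443 both land on the SIP Edge IP rather than on the Web Conferencing and A/V IPs, because a client connects to the port configured in the topology, not to the arbitrary public ports 442 and 441 chosen on the firewall. The second plan produces no findings because the topology port, the NAT rule and (for sign-in) the SRV record all agree for every role.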
