Lync/SfB Edge Server on a single subnet

The point of this post is to help those who can't have two NICs on two separate, non-routable subnets. I have already encountered customers whose security team stated that it was technically impossible to deploy an additional subnet on their current security/network infrastructure.

Many of you know that the Lync Edge requirements contain the following statement:

"The internal and external subnets must not be routable to each other."
Source: http://technet.microsoft.com/library/gg412847.aspx

To meet this requirement we need two subnets in our DMZ, as shown in the following example:

[Image: EdgeSN01]

Since we can only have one default gateway, the routes to the internal addresses should look like this:

route ADD 10.0.0.0 MASK 255.255.255.0 172.20.0.254 METRIC 1
route ADD 10.1.0.0 MASK 255.255.255.0 172.20.0.254 METRIC 1
route ADD 10.2.0.0 MASK 255.255.255.0 172.20.0.254 METRIC 1

What about deployments that only have one subnet for the Lync Edge network interfaces?

[Image: EdgeSN02]

In this example, we have two interfaces with the same gateway. It's common to create routes as in the previous example. Although this can work in some cases, what can happen is that Lync Edge uses the external NIC to reach internal addresses.
The firewall will block all communications from the external NIC to internal addresses, and the Lync Front End isn't expecting the external NIC to reach it.
The workaround is to specify which Lync Edge NIC should be used to reach internal addresses. This can be achieved in two simple steps:

Step 1 – Find the Edge internal interface number

Command Prompt

First we need to know the internal interface name:

ipconfig /all

[Image: EdgeSN03]
Note: We already know that 172.16.0.30 is the internal interface IP address.

After getting the interface name, let's get the interface index, which is 15 in this case:

route print -4

[Image: EdgeSN04]

PowerShell (only in Windows Server 2012/2012R2)

The following cmdlet, which is only available on Windows 8/8.1 and Server 2012/2012 R2, displays the interface index more quickly than the Command Prompt method.

Get-NetIPAddress -AddressFamily IPv4 | Select ifIndex,IPAddress | ft -Autosize

[Image: EdgeSN05]

Step 2 – Create the proper routes in the IP routing table

Now all we need to do is create the routes, this time specifying the interface index:

Command Prompt

route ADD 10.0.0.0 MASK 255.255.255.0 172.16.0.254 METRIC 1 IF 15 -p
route ADD 10.1.0.0 MASK 255.255.255.0 172.16.0.254 METRIC 1 IF 15 -p
route ADD 10.2.0.0 MASK 255.255.255.0 172.16.0.254 METRIC 1 IF 15 -p

[Image: EdgeSN06]

PowerShell (only in Windows Server 2012/2012R2)

New-NetRoute -AddressFamily IPv4 -DestinationPrefix "10.0.0.0/24" -NextHop 172.16.0.254 -RouteMetric 1 -ifIndex 15
New-NetRoute -AddressFamily IPv4 -DestinationPrefix "10.1.0.0/24" -NextHop 172.16.0.254 -RouteMetric 1 -ifIndex 15
New-NetRoute -AddressFamily IPv4 -DestinationPrefix "10.2.0.0/24" -NextHop 172.16.0.254 -RouteMetric 1 -ifIndex 15

[Image: EdgeSN07]
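The two steps above, put together as an added PowerShell example (not from the original post), for Windows Server 2012/2012 R2 and later. It derives the interface index from the known internal IP address (172.16.0.30), replaces any existing route for the same prefixes that is bound to another interface, creates the routes on the internal NIC, and then asks the stack which source address it would really use for a Front End. The destination list, the gateway 172.16.0.254 and the sample Front End address 10.0.0.10 are assumptions taken from or added to the post's example; the RFC1918 aggregates from the TIP below can be substituted in the same list.

```powershell
# Added example, not the post's own commands. Assumed values: internal NIC 172.16.0.30,
# gateway 172.16.0.254, internal networks 10.0.0.0/24, 10.1.0.0/24, 10.2.0.0/24 and a
# constructed Front End address 10.0.0.10 for the verification step. Run elevated.
$InternalIP   = '172.16.0.30'
$InternalGw   = '172.16.0.254'
$Destinations = '10.0.0.0/24', '10.1.0.0/24', '10.2.0.0/24'
$FrontEndTest = '10.0.0.10'   # any address inside one of the prefixes above

# Step 1: derive the interface index from the known internal IP instead of reading it
# off 'route print', so the script cannot pick up the external NIC by mistake.
$ifIndex = (Get-NetIPAddress -AddressFamily IPv4 -IPAddress $InternalIP -ErrorAction Stop).InterfaceIndex
Write-Host "Internal interface index: $ifIndex"

# Step 2: create each route on that interface. A route for the same prefix that was
# created without IF and landed on another interface is removed first; otherwise the
# new route would only coexist with it and the problem described in the post remains.
foreach ($prefix in $Destinations) {
    $existing = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $prefix -ErrorAction SilentlyContinue
    foreach ($r in $existing) {
        if ($r.InterfaceIndex -ne $ifIndex) {
            Write-Host "Removing $prefix via ifIndex $($r.InterfaceIndex)"
            $r | Remove-NetRoute -Confirm:$false
        }
    }
    if (-not ($existing | Where-Object InterfaceIndex -eq $ifIndex)) {
        New-NetRoute -AddressFamily IPv4 -DestinationPrefix $prefix -NextHop $InternalGw `
                     -RouteMetric 1 -InterfaceIndex $ifIndex | Out-Null
        Write-Host "Added $prefix via $InternalGw on ifIndex $ifIndex"
    }
}

# Verification: Find-NetRoute returns the source address the stack would pick for the
# remote host together with the matching route. The source must be the internal NIC.
$chosen  = Find-NetRoute -RemoteIPAddress $FrontEndTest
$srcAddr = ($chosen | Where-Object { $_.PSObject.Properties['IPAddress'] }).IPAddress
if ($srcAddr -eq $InternalIP) {
    Write-Host "OK: traffic to $FrontEndTest leaves from $srcAddr (internal NIC)"
} else {
    Write-Warning "Traffic to $FrontEndTest would leave from $srcAddr, not the internal NIC"
}
```

Re-run the verification block after a reboot to confirm the routes survived; a route that is present in the active table but not in the persistent store is the usual reason the Edge falls back to the external NIC after maintenance.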

After these changes, the Lync Edge will use the internal NIC for all communications to the Front End(s) and clients. Do remember that this workaround should only be used if you can't have two non-routable subnets on the Lync Edge Server.
TIP: If you want, you can create routes to all possible internal addresses, as long as your company follows RFC1918 regarding private IP addresses:

Command Prompt

route ADD 10.0.0.0 MASK 255.0.0.0 172.16.0.254 METRIC 1 IF 15 -p
route ADD 172.16.0.0 MASK 255.240.0.0 172.16.0.254 METRIC 1 IF 15 -p
route ADD 192.168.0.0 MASK 255.255.0.0 172.16.0.254 METRIC 1 IF 15 -p

PowerShell (only in Windows Server 2012/2012R2)

New-NetRoute -AddressFamily IPv4 -DestinationPrefix "10.0.0.0/8" -NextHop 172.16.0.254 -RouteMetric 1 -ifIndex 15
New-NetRoute -AddressFamily IPv4 -DestinationPrefix "172.16.0.0/12" -NextHop 172.16.0.254 -RouteMetric 1 -ifIndex 15
New-NetRoute -AddressFamily IPv4 -DestinationPrefix "192.168.0.0/16" -NextHop 172.16.0.254 -RouteMetric 1 -ifIndex 15


9 thoughts on "Lync/SfB Edge Server on a single subnet"

  1. Do you have any information on the reverse proxy setup in this scenario? I don't have the option to have two separate IPs and a DMZ. I only have the local subnet.

  2. I have a question/scenario. First some information on our setup. We only have an internal network with one firewall to get out to the internet. We do not have a DMZ of any sort. Because of our network setup I have to have my Lync Edge server joined to the domain. So right now my configuration looks like this: Lync front end server: 1 NIC, IP address of 10.1.1.*. Lync Edge server IP address of 10.1.1.*. Both of these servers are in the same subnet, both joined to our AD domain. Our firewall is internally in a different internal subnet with an IP address of 10.0.10.*. So my question is, which I have done with other servers, couldn't I just do something like this: set up Lync Edge access using one public IP address for the sip.domain.com external DNS record. Make a rule in the firewall pointing all traffic on port 443 going to that public IP/DNS record to the internal 10.1.1.* address of the Edge server? From there the Edge server would just send the traffic to the Lync FE server? Wouldn't this theoretically work?

    If not, if I do have to use a second NIC on the Lync Edge server, would I want to give that NIC an address in the same subnet as the firewall and then point the public IP traffic to that IP address using NATing? I have read many people write about using a domain joined Edge server successfully, so my main question out of all of this is what are my options for setup given that we have a domain joined Edge server? Thanks for taking the time to read this and I appreciate any help.

    Thanks!

    1. Option 2, you need to use 2 NICs. One on the 10.0.10.* subnet with NAT for the public IP address and the other on the 10.1.1.* for the internal communication.
      Edge can be domain joined, but for security reasons you shouldn't join it to the domain.

  3. Thanks! I have a lot of clients with this same environment and your configuration helped me with Edge and Reverse Proxy implementations!

  4. Is it necessary to place the Front-End server and Edge server in one subnet? I am experiencing trouble with deploying Edge, and discovered that SIP traffic goes fine only if both servers are in the same subnet. If I place Edge in a different subnet, there will be completely no traffic on port 5061, just configuration replication (uses port 4443). Greatly surprised by Wireshark )))

    My thread on the MS forum:
    https://social.technet.microsoft.com/Forums/office/en-US/a2ec22df-155c-4fe7-89a8-cf2a9bf85487/sfb-2015-edge-server-sip20-504-server-timeout?forum=lyncprofile
    Help please, if you can.

    1. Actually you should deploy the Edge Server on a different subnet from the Front End.
      When you move the Edge to another subnet you need to make sure that you check the following:

      1. Update the Edge IP address in the Topology Builder. You might need to manually update the topology: https://uclobby.com/2017/02/24/lync-sfb-server-manually-update-the-edge-server-configuration/
      2. Make sure that the Front End is aware of the new IP address. Check internal DNS or the hosts file.
      3. Add a persistent route on the Edge so the traffic to the Front End will use the Edge internal interface.
