
Lync 2010 Edge Server – OCS R2 FE Pool Problems

Let me preface this by saying you should follow Microsoft support guidance when migrating from OCS 2007 R2 to Microsoft Lync Server 2010. It is recommended that you migrate internal services and users to Microsoft Lync Server 2010 before migrating the Edge services to a Lync 2010 Edge Pool. (Migrating from OCS 2007 R2 to Lync Server 2010 – http://technet.microsoft.com/en-us/library/gg413057.aspx)

Sometimes, however, you want to add new features to your environment that were not previously available. This was the case when I began to assist a colleague today with an interesting issue. Existing OCS 2007 R2 users were amazed that, when they took their laptops home with Communicator R2 running, they were able to connect without a VPN. They had not previously had this capability, and that was by corporate policy. In an attempt to resolve this issue, the user policy was updated to remove “External Remote User Access”.

This, however, did not resolve the issue. Communicator R2 users were still able to log in via the Lync Edge Server. The topology for external user connectivity was as follows: Lync Edge Pool next hop = Lync FE Pool; Lync FE Pool and OCS R2 Pool Federation Route = Lync Edge Pool.

We logged SIPStack on the OCS FE server and the Edge Servers and identified that the ms-edge-proxy-message-trust flag is being set. A call to PSS followed, and our engineer was able to replicate the issue in less than 15 minutes. The important part of this post isn’t that OCS R2 clients are able to log in when remote user access is disabled; that is understandable given that it isn’t supported. The problem is that when you add a Lync Edge Pool to the environment and merge the topologies, the Edge server is added as the federation route for OCS 2007 R2. Regardless of the policies you have in place, users will be able to connect via Edge services during this time until they are either migrated to Lync and disabled for external user access, or you remove the Edge server from the OCS 2007 R2 environment.
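If you want to confirm from your own traces which clients are reaching the pool through the Edge during this window, the following script is an added example (not code from the original post) that parses SIP REGISTER messages and reports the ones carrying the ms-edge-proxy-message-trust marker the post mentions. The sample messages, the placement of the marker as a Via parameter, and the `OC/3.` version-prefix check used to recognise Communicator 2007 R2 clients are all constructed assumptions; adapt the header parsing to the exact shape of your SIPStack output.

```python
"""Added example, not part of the original post: flag SIP REGISTER messages
that arrived via the Edge (marker named in the post) and identify which of
them come from OCS 2007 R2 (Communicator R2) clients.
Sample data and header placement below are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Marker the post reports being set on messages proxied through the Edge.
EDGE_MARKER = "ms-edge-proxy-message-trust"


@dataclass
class Registration:
    user: str
    user_agent: str
    via_edge: bool        # message carried the Edge trust marker
    legacy_client: bool   # looks like Communicator 2007 R2 (assumed OC/3.x prefix)


def parse_sip_message(raw: str) -> Dict[str, object]:
    """Split a SIP message into its start line and a multi-valued header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"start_line": lines[0], "headers": headers}


def classify_register(raw: str) -> Optional[Registration]:
    """Return a Registration for a REGISTER request, or None for other methods."""
    msg = parse_sip_message(raw)
    if not str(msg["start_line"]).upper().startswith("REGISTER "):
        return None
    h: Dict[str, List[str]] = msg["headers"]  # type: ignore[assignment]
    match = re.search(r"sip:([^>;]+)", h.get("from", [""])[0])
    user = match.group(1) if match else "unknown"
    ua = h.get("user-agent", [""])[0]
    # Assumption: the Edge hop adds the marker as a parameter on its Via header.
    via_edge = any(EDGE_MARKER in v.lower() for v in h.get("via", []))
    # Assumption: Communicator 2007 R2 advertises an OC/3.x version string.
    legacy = re.search(r"\bOC/3\.", ua) is not None
    return Registration(user, ua, via_edge, legacy)


def find_edge_logins(messages: List[str]) -> List[Registration]:
    """All REGISTER requests that came in through the Edge."""
    parsed = (classify_register(m) for m in messages)
    return [r for r in parsed if r is not None and r.via_edge]


def find_legacy_edge_logins(messages: List[str]) -> List[Registration]:
    """The case the post describes: OCS R2 clients registering via the Lync Edge."""
    return [r for r in find_edge_logins(messages) if r.legacy_client]


def _sip(start_line: str, *headers: str) -> str:
    return "\r\n".join((start_line, *headers)) + "\r\n\r\n"


# Constructed sample trace: three registrations and one unrelated INVITE.
SAMPLE_MESSAGES = [
    _sip("REGISTER sip:contoso.example SIP/2.0",
         "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK1;" + EDGE_MARKER + "=true",
         "Via: SIP/2.0/TLS 198.51.100.7:61234;branch=z9hG4bK0",
         "From: <sip:alice@contoso.example>;tag=1",
         "User-Agent: UCCAPI/3.5.6907.0 OC/3.5.6907.0 (Microsoft Office Communicator 2007 R2)"),
    _sip("REGISTER sip:contoso.example SIP/2.0",
         "Via: SIP/2.0/TLS 10.0.0.25:52001;branch=z9hG4bK2",
         "From: <sip:bob@contoso.example>;tag=2",
         "User-Agent: UCCAPI/4.0.7577.0 OC/4.0.7577.0 (Microsoft Lync 2010)"),
    _sip("REGISTER sip:contoso.example SIP/2.0",
         "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK3;" + EDGE_MARKER + "=true",
         "Via: SIP/2.0/TLS 203.0.113.9:50112;branch=z9hG4bK0",
         "From: <sip:carol@contoso.example>;tag=3",
         "User-Agent: UCCAPI/4.0.7577.0 OC/4.0.7577.0 (Microsoft Lync 2010)"),
    _sip("INVITE sip:dave@contoso.example SIP/2.0",
         "Via: SIP/2.0/TLS 10.0.0.30:52300;branch=z9hG4bK4",
         "From: <sip:erin@contoso.example>;tag=4",
         "User-Agent: UCCAPI/4.0.7577.0 OC/4.0.7577.0 (Microsoft Lync 2010)"),
]


if __name__ == "__main__":
    for reg in find_legacy_edge_logins(SAMPLE_MESSAGES):
        print(f"OCS R2 client registered via Edge: {reg.user} ({reg.user_agent})")
```

Run against a real trace, the legacy list is the set of users that the updated OCS policy did not stop, which is what you need in hand when deciding whether to migrate those users or pull the Edge out of the OCS federation route.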

Categories: Lync
  1. Brian
    March 13, 2012 at 10:39 am

    I noticed the same thing in our environment. OCS 2007 R2 was 2 Enterprise FE servers only and no Edge. After deploying the Lync Edge pool and merging the topology, OCS pool users can log in externally via the Lync Edge (we don’t want this). I removed the Lync Edge pool from the global settings of the OCS topology but users are still able to connect. What am I missing? I thought maybe it would take some time for the settings to replicate so I also tried to invoke-csmanagementstorereplication but no luck so far.

    • May 9, 2012 at 4:03 pm

      Removing the Lync Edge pool from the OCS Front-End servers won’t work as the message is proxied through the Lync Front-End servers/pool. So the outbound path is OCS FE –> Lync FE –> Lync Edge. Because of this there’s no way to block the clients without breaking Lync / OCS interop. Check out the MSPL script I posted as it should be able to provide that short term fix for you.

  2. April 30, 2012 at 2:44 pm

    Found this post last week when I ran into this issue myself. I managed to create a workaround for it though with an MSPL script that can be found here: http://emptymessage.com/?p=85. Just thought I’d let you know.
