I've just been setting up Lync 2010 Multitenant, and want to note the following things that I came across:
1 - Since the frontend, director and edge machines need public and private IP addresses, I chose to deploy all of Lync into its own zone, and allow traffic to the SQL server and domain controllers on appropriate ports. You do need to open port 445 to the SQL server during the install process.
2 - You need to have official FQDNs for the following machines and pools, both in the topology and in the machine names (e.g. not using a .local name):
Director machines
Frontend machines
Director pool
Director pool web services
Frontend pool
Frontend pool web services
Edge pool external settings
Edge pool internal name
Default SIP domain
Access URLs
If you have used an internal name for your AD domain, you can fix the machine names using the following process:
- Open the IPv4 settings for the public IP NIC and, under the DNS tab, add your public domain name in the "DNS suffix for this connection" box
- Open the IPv4 settings for the private IP NIC and tick the "Use this connection's DNS suffix" checkbox
- Go to the computer name settings (right-click on Computer -> Properties). On the Computer Name page, click the More button and manually type in the primary DNS suffix (the public domain).
3 - As far as I can see the following machines and farms can use internal FQDN names (untested)
AV Conferencing pool
Mediation pool
Monitoring server
Archive server
4 - Load Balancing
Frontend pool - DNS
Director pool - DNS
Edge pool (external) - DNS
Frontend pool external web - Hardware
Director pool external web - Hardware
5 - Infrastructure DNS settings
Director machines public name -> public IP
Frontend machines public name -> public IP
Frontend pool -> one A record for each frontend machine's public IP
Director pool -> one A record for each director machine's public IP
Edge pool (external) -> one A record for each edge machine's public IP
Director pool web service name -> load balancer IP
Frontend pool web service name -> load balancer IP
Director redirect web service -> public IP (a web server that sends an HTTP 302 temporary redirect to the requested document on the director web services HTTPS port. This public IP should respond with an ICMP port unreachable if a connection is attempted on port 443)
6 - Client DNS settings
_sip._tls.customerDomain SRV 0 0 443 director.pool.name.
lyncdiscover.customerDomain CNAME director-redirect-webservice.pool.name.
sip.customerDomain CNAME director.pool.name.
_sipfederationtls._tcp.customerDomain SRV 0 0 5061 sipfed.customerDomain
sipfed.customerDomain CNAME edge.pool.name.
7 - Certificate requirements
You can get away with a single UCC certificate, generated from the edge server, with the following entries in the subject alternative names:
Edge pool external name
Edge pool internal name
One entry per director machine
One entry per frontend machine
dialin.edge.pool.external.name
Director pool external name
Director pool name
Frontend pool external name
Frontend pool name
meet.edge.pool.external.name
sip.edge.pool.external.name
For each customer domain - sipfed.customerDomain
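As an added example (not from the original post), a small Python check that builds the SAN list section 7 calls for from a topology description, reports which entries an issued certificate lacks, and flags any required name that still carries an internal suffix (section 2). All hostnames below are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Set

# Suffixes treated as "internal" for the section 2 check (assumed list).
INTERNAL_SUFFIXES = (".local", ".internal", ".lan")


@dataclass
class LyncTopology:
    edge_external: str            # Edge pool external name
    edge_internal: str            # Edge pool internal name
    director_pool: str            # Director pool name
    director_pool_external: str   # Director pool external (web services) name
    frontend_pool: str            # Frontend pool name
    frontend_pool_external: str   # Frontend pool external (web services) name
    director_machines: List[str] = field(default_factory=list)
    frontend_machines: List[str] = field(default_factory=list)
    customer_domains: List[str] = field(default_factory=list)


def _norm(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing dot so FQDN forms compare equal.
    return name.strip().lower().rstrip(".")


def required_sans(t: LyncTopology) -> Set[str]:
    """Every name section 7 lists for the single UCC certificate."""
    sans = {t.edge_external, t.edge_internal, t.director_pool, t.director_pool_external,
            t.frontend_pool, t.frontend_pool_external,
            # dialin/meet/sip names hang off the edge pool external name
            f"dialin.{t.edge_external}", f"meet.{t.edge_external}", f"sip.{t.edge_external}"}
    sans.update(t.director_machines)              # one entry per director machine
    sans.update(t.frontend_machines)              # one entry per frontend machine
    sans.update(f"sipfed.{d}" for d in t.customer_domains)  # one per customer domain
    return {_norm(s) for s in sans}


def missing_sans(cert_sans: Iterable[str], t: LyncTopology) -> List[str]:
    """Required names absent from an issued certificate's SAN list, sorted."""
    return sorted(required_sans(t) - {_norm(s) for s in cert_sans})


def internal_names(t: LyncTopology) -> List[str]:
    """Required names that still use an internal suffix and so cannot be on a public cert."""
    return sorted(s for s in required_sans(t) if s.endswith(INTERNAL_SUFFIXES))


if __name__ == "__main__":
    topo = LyncTopology("edge.example.com", "edgeint.example.com", "dirpool.example.com",
                        "dirweb.example.com", "fepool.example.com", "feweb.example.com",
                        ["dir1.example.com"], ["fe1.example.com"], ["tenant-a.example"])
    print("missing:", missing_sans(["edge.example.com"], topo))
```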
8 - Disable IPv6
On the edge servers run the following and reboot:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents /t REG_DWORD /d 0xffffffff