Here are some quick screenshots walking through the setup of a UX1000 with the SBA module for Lync. From a setup point of view you can think of gateways with SBAs as two devices in one. Where NET particularly excels is in making it easy to set up both the “gateway” and the “SBA” from one web interface. As you will see in the walkthrough, the setup process is pretty fluid.
This walkthrough is on a UX1000, but a UX2000 has the same WebGUI so the steps should be the same.
The gateway has a default management IP of 192.168.128.2. Set your IP to something on the same network and directly connect to the UX.
Connect your laptop directly to the UX management port:
Once you connect and ignore the cert error, you will have some basic parameters to set.
Once completed, click OK, disconnect the laptop and connect the gateway to the network. You should now be able to connect on the IP you specified.
You may want to upgrade to the latest firmware at this point. See this blog post for the steps.
When you get past the login screen, it will want to load a Java app for the live port monitoring.
Software version information
System Information
Set the time on the UX1000
Domain and Lync Topology Setup for Survivable Branch Appliance
First we’ll create a computer object for the SBA. You must do this before setting up the SBA or adding it to the Lync topology. On a DC, create a new computer object.
At this point you could change the user/group to RTCUniversalSBATechnicians if you want that group to manage the SBA and join it to the domain, but we’ll leave it as Domain Admins.
Once you have created the account, you need to make an edit in ADSI
Add this value, where domain.int is replaced with your domain giving the SBA FQDN
Once set, you can click OK and exit ADSI.
We also need to add a DNS record for the gateway
You can now add the SBA to the Lync Topology
Once you click Finish, your new branch site will show in the topology. You can now publish the topology.
Gateway Setup
First we will set up the “gateway” part of the device. The gateway requires a certificate for TLS.
Request your cert from the internal CA
You will also need the Root Cert
Back on the gateway, import the root cert on the Trusted CAs tab (note: IE causes me an issue here; if you struggle, try Firefox). Then upload your created cert.
Continue to run through the Lync setup and choose a setup scenario. In this case we will do SIP to ISDN.
Once you have filled in the above, setup is complete.
Survivable Branch Appliance Setup
You can now continue to set up the SBA: click Setup SBA and set up an IP. ASM is the Application Solutions Module, which is the module the SBA code runs on (think of it as a mini server).
On the UX1000, if you have the SBA module you will get an extra menu on the left.
SBA before setup:
The SBA will automatically pick up an IP address from the same single network connection you connect the gateway with (assuming you have DHCP on the network). You will want to set a static IP.
Join the SBA to the domain:
In order: prepare the SBA, start replication and activate the SBA.
At each step this runs the PowerShell commands on the SBA to take these actions:
Next we will set up a certificate for the SBA. If your internal CA is set up to take automatic submissions, you can choose auto submit and not have to manually go to the SBA. In this case I had to get the cert signed manually.
Again we take the CSR and get it signed and upload it to the SBA
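A pre-upload check for the signed certificate and the CA root, usable for both the gateway certificate step and the SBA certificate step above. This is an added example, not part of the original walkthrough or the vendor's tooling; the function name, the file names in the usage comment and the 2048-bit default are assumptions.

```powershell
# Added example. Function name and file names are hypothetical; the
# 2048-bit default is an assumed minimum, so adjust it to your CA policy.
function Test-UploadCertificate {
    param(
        [Parameter(Mandatory)][string]$CertPath,   # cert issued from your CSR
        [Parameter(Mandatory)][string]$RootPath,   # root cert exported from the CA
        [int]$MinimumBits = 2048
    )

    # Report how a file is encoded: PEM text with a header, or raw DER
    # (a DER certificate starts with the ASN.1 SEQUENCE tag 0x30).
    function Get-CertEncoding([byte[]]$Bytes) {
        $head = [Text.Encoding]::ASCII.GetString($Bytes, 0, [Math]::Min(40, $Bytes.Length))
        if ($head -match '-----BEGIN CERTIFICATE-----') { 'Base64 (PEM)' }
        elseif ($Bytes.Length -gt 0 -and $Bytes[0] -eq 0x30) { 'DER (binary)' }
        else { 'Unknown' }
    }

    $certBytes = [IO.File]::ReadAllBytes((Resolve-Path $CertPath).Path)
    $rootBytes = [IO.File]::ReadAllBytes((Resolve-Path $RootPath).Path)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)
    $root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($rootBytes)

    # RSA public key of the issued cert; $null if the key is not RSA.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    # Build the chain without revocation checks, offering the supplied root
    # as candidate material. AllowUnknownCertificateAuthority stops Build()
    # failing only because this PC does not trust the root; the thumbprint
    # comparison below is what ties the chain to the root you will import.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.ChainPolicy.ExtraStore.Add($root)
    $built = $chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $now = Get-Date
    [pscustomobject]@{
        Subject      = $cert.Subject
        CertEncoding = Get-CertEncoding $certBytes
        RootEncoding = Get-CertEncoding $rootBytes
        KeyBits      = if ($rsa) { $rsa.KeySize } else { $null }
        KeySizeOk    = [bool]($rsa -and $rsa.KeySize -ge $MinimumBits)
        ValidNow     = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        ChainsToRoot = $built -and ($top.Thumbprint -eq $root.Thumbprint)
    }
}
# Usage (hypothetical file names):
#   Test-UploadCertificate -CertPath .\sba.cer -RootPath .\rootca.cer
```

A `ChainsToRoot` of `False` usually means the wrong root was exported or an intermediate CA certificate is missing from the machine running the check.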
Once we have uploaded the cert, we are ready to start the services:
Once services are started, you can deploy a hardening security template to the SBA.
That’s it, you should have a fully functioning SBA.
Updating the Survivable Branch Appliance
You can also update the SBA from the web interface. You can download the updates from the NET support pages.
Extract and apply the individual MSPs.
Once updated you can check version numbers from the web interface:
You can see all the installed packages and version numbers on the SBA.
Connecting to the Survivable Branch Appliance via Remote Desktop
Note: it shouldn’t normally be required, but if you want to, you can get onto the SBA via Remote Desktop:
Here are some screen captures of the SBA via remote desktop for those who are interested:
Hey Tom,
Great walkthrough :-)
How long would you say it takes to stage / setup a UX1000 that typically would serve 50 users or so?
Any tips on staging vs. finishing the config at the destination remote site?
I was thinking of staging it for 95% (including syncing the SBA etc…) in a staging center that has access to the Lync server farm and as a last step change the IP@ in DNS from the staging LAN to the remote site LAN.
Then ship to destination site, plug in PSTN connections and test.
Or would you recommend another approach? (The goal is to minimize work on the remote site.)
Feedback would be great!
Hi,
I wouldn’t bother to pre-stage them generally. Setup is pretty quick and if you are using the wizard you need access to the proper certificate authority. It can pretty much all be done remotely too.
Putting in the gateway is easy (in the hours range) but getting it to work with PSTN/PBX can take more time.
thanks
We’re trying to use MessageStats to get better reporting from our Lync environment and we’ve come across a problem polling our SBA. There is no OCSPOWERSHELL virtual directory set up, so we cannot connect to this SBA and run Lync PowerShell commands. Do you know if there is a way to add that functionality to an SBA?
thanks
No, sorry, not sure on that one. The SBA is a cut-down registrar, basically.
My CA can only accept 512 bits. Is there any way the UX1000 can issue a key for 512?
I don’t think so. I think the lowest is 1024 due to security concerns. You should try to get your CA up to 2048 or more, as that’s the norm these days.
thanks
Does the certificate have to be DER or BASE64?
Hi Tom,
I think in recent firmware updates NET has achieved automatic domain join, so there’s no need to do the manual configuration on the AD.
I have done many integrations for SBA with Lync and the automated steps worked great without any interfering with the AD.
Have you tried that?
Cheers
Thanks for the comment. I’ve not done an SBA for a while, so I wouldn’t be surprised if they have streamlined it a bit.
Tom
Hey Tom,
This guide works great if you use a domain admin account for implementation. But as a lot of my customers do not want to use real-life admin accounts in an SBA, you might want to add a step or two, according to the deployment guide at the Sonus website ;) https://support.net.com/display/UXDOC22/Adding+the+SBA+to+Active+Directory
“Adding the SBA to the RTCUniversalReadOnlyAdmins Group” and “Creating the SBA Installer Account in Active Directory” are two important steps if you want to use “non-Admin” accounts ;)
Great work!
Thanks for the tip!
Tom