Configuring an External watcher node for Lync 2013 and SCOM

Summary

Recently, I've been asked to configure an external Lync watcher node. The documentation doesn't do a good job, IMHO, of describing such a scenario in detail and doesn't comment on ports. If you don't want to go through all the steps below, please make sure you are using 443 when creating the configuration. Port 5061, which is mentioned in the original doc, is only usable internally. Port 5061 on the Edge server seems to be in use for Federation, so, no good.

Pre-requisites

Create accounts and enable Lync with Enterprise Voice

Steps, according to the original Lync guide

To configure a computer to act as a watcher node, you must first complete the following prerequisites:

  • Install System Center Operation Manager and import the Lync Server 2013 management packs. You must also first verify that the watcher node computer meets all prerequisites for installing Lync Server 2013.
  • Install the following items on the watcher node computer:
    • The full version of .NET Framework 4.5
    • Windows Identity Foundation
    • Windows PowerShell 3.0

After the prerequisites are met, you can configure the watcher node by following these steps:

  • Install the Lync Server 2013 core files on the watcher node computer.
  • Install System Center Operations Manager agent on the watcher node computer.
  • Run the Watchernode.msi executable file.
  • Use the CsWatcherNodeConfiguration cmdlet to configure test user accounts to be employed by the watcher node.

Installing the Lync Server 2013 Core Files and the RTCLocal Database

To install the Microsoft Lync Server 2013 core files on a computer, complete the following procedure. The RTCLocal database will automatically be installed when you install the core files. Note that you do not need to install SQL Server on the watcher nodes. SQL Server Express Edition will be automatically installed.

To install the Lync Server 2013 core files and the RTCLocal database:

1. On the watcher node computer, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. In the console window, type the following command and press ENTER. Be sure to enter the appropriate path to your Lync Server setup files:

D:\Setup.exe /BootstrapLocalMgmt

[Screenshot: setup output, near the end of the run.]

[Screenshot: after rebooting, all good.]

To verify that the core Lync Server components are successfully installed, click Start, click All Programs, click Microsoft Lync Server 2013, and then click Lync Server Management Shell. In the Lync Server 2013 Management Shell, type the following Windows PowerShell command and press ENTER:

Get-CsWatcherNodeConfiguration


Note: The first time you run this command, no data will be returned because you have not yet configured any watcher node computers. If the command runs without returning an error, you can assume that the Lync Server setup completed successfully.

If you see information about your PIN policies, the core components have been successfully installed.

SCOM Agent with certificate

Your agent won’t be part of the domain, so you’ll need a certificate (or a gateway server) to allow for communication.

Agent Ports

Network flow

All you should need between your agent and the Edge server is TCP 443.
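As an added check (not part of the original post), the script below confirms from the watcher node that TCP 443 to the Edge is open and that a TLS handshake completes, reporting the certificate subject and expiry. The watcher node must trust the certificate the Edge presents, so a failed handshake here is the first thing to look at before touching the watcher node configuration. The FQDN is a placeholder you replace with your own.

```powershell
# Added example, not from the original post. Replace $EdgeFqdn with your Edge server's
# external FQDN; 443 is the port the post recommends for an external watcher node.
function Test-EdgeReachability {
    param(
        [Parameter(Mandatory = $true)][string]$EdgeFqdn,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )

    $result = [pscustomobject]@{
        Fqdn = $EdgeFqdn; Port = $Port; TcpOpen = $false; TlsOk = $false
        Subject = $null; NotAfter = $null; Error = $null
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Plain TCP connect first: proves the firewall path from the watcher node to the Edge.
        $async = $client.BeginConnect($EdgeFqdn, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Error = "TCP connect to ${EdgeFqdn}:$Port timed out after $TimeoutMs ms"
            return $result
        }
        $client.EndConnect($async)
        $result.TcpOpen = $true

        # TLS handshake with normal certificate validation: the watcher node has to trust the
        # Edge certificate, so surface the subject and expiry instead of accepting anything.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($EdgeFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.TlsOk   = $ssl.IsAuthenticated
        $result.Subject = $cert.Subject
        $result.NotAfter = $cert.NotAfter
        return $result
    }
    catch {
        # A validation failure (untrusted chain, name mismatch, expired) lands here.
        $result.Error = $_.Exception.Message
        return $result
    }
    finally {
        $client.Close()
    }
}

# Usage: run on the watcher node against the Edge external name (placeholder from the post).
Test-EdgeReachability -EdgeFqdn 'sip.domain.com' | Format-List
```

If TcpOpen is false, fix the firewall rule first; if TcpOpen is true but TlsOk is false, the Error field tells you whether the watcher node is missing the Edge certificate's issuing CA or the name does not match.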

Set as proxy


Authentication Type: Credential

Step by step

If your watcher node computer lies outside the perimeter network then you must follow a slightly different procedure in order to configure that watcher node to run synthetic transactions: in particular, you should not create a trusted application pool or a trusted application. That means that you will need to complete two separate tasks:

  • Update the membership in the computer's RTC Local Read-only Administrators group
  • Install the watcher node configuration files

Updating Membership in the RTC Local Read-Only Administrators Group

If your watcher node lies outside the perimeter network, you must add the Network Service account to the RTC Local Read-only Administrators group on the watcher node computer by completing the following procedure on the watcher node:

1. Click Start, right-click Computer, and then click Manage.

2. In Server Manager, expand Configuration, expand Local Users and Groups, and then click Groups.

3. In the Groups pane, double-click RTC Local Read-only Administrators.

4. In the RTC Local Read-only Administrators Properties dialog box, click Add.

5. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Locations.

6. In the Locations dialog box, select the name of the watcher node computer, and then click OK.

7. In the Enter object names to select box, type Network Service, and then click OK.

8. In the RTC Local Read-only Administrators Properties dialog box, click OK, and then close Server Manager.


You must then restart the watcher node computer.
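The same group change can be checked and applied from an elevated PowerShell prompt on the watcher node. This is an added example, not from the original post or the Lync documentation; it uses net localgroup because Windows PowerShell 3.0 (the version the post requires) has no Add-LocalGroupMember cmdlet. The group name is the one the post's steps use.

```powershell
# Added example, not from the original post. Run as Administrator on the watcher node.
$groupName = 'RTC Local Read-only Administrators'
$account   = 'NT AUTHORITY\NETWORK SERVICE'

function Test-LocalGroupMember {
    param([string]$Group, [string]$Member)
    # net localgroup lists one member per line after a dashed separator; match the account
    # name case-insensitively. Returns $true when the account is already a member.
    $output = & net localgroup "$Group" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "Could not read group '$Group': $output"   # group missing = core files not installed
    }
    return [bool]($output | Where-Object { $_.Trim() -ieq $Member })
}

if (Test-LocalGroupMember -Group $groupName -Member $account) {
    Write-Output "$account is already a member of '$groupName'."
}
else {
    # Same change as steps 1-8 of the post, done non-interactively.
    & net localgroup "$groupName" "$account" /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Adding $account to '$groupName' failed." }
    Write-Output "Added $account to '$groupName'. Restart the watcher node to apply it."
}
```

The group only exists once the Lync Server core files are installed, so the function throws rather than silently reporting "not a member" when the earlier step was skipped.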

Installing the Watcher Node Configuration Files

Your next step is to run the file Watchernode.msi:

(Download from http://www.microsoft.com/en-ca/download/details.aspx?id=35842)

1. Open the Microsoft Lync Server 2013 Management Shell. Click Start, click All Programs, click Microsoft Lync Server 2013, and then click Lync Server Management Shell.

2. In Lync Server Management Shell, type the following command, and then press ENTER (be sure to specify the actual path to your copy of Watchernode.msi):

c:\Tools\Watchernode.msi Authentication=Negotiate

Note: As mentioned previously, Watchernode.msi can also be run from a command window. To open a command window, click Start, right-click Command Prompt, and then click Run as administrator. When the command window opens, type the same command shown in step 2, above.

The Negotiate mode is used any time the watcher node cannot be set up as a trusted application pool. In this mode, administrators will need to manage test user passwords on the watcher node.


Configuring Watcher Node Test Users and Configuration Settings

After configuring the computer that will act as a watcher node, you must:

1. Create the test accounts to be used by these watcher nodes. If you are using the Negotiate authentication method, you must also use the Set-CsTestUserCredential cmdlet to enable these test accounts for use on the watcher node.

2. Update the watcher node configuration settings.

This section covers the following procedures:

Configuring Test User Accounts

Configuring a Basic Watcher Node with the Default Synthetic Transactions

Configuring Extended Tests

Adding and Removing Synthetic Transactions

Viewing and Testing the Watcher Node Configuration

Configuring Test User Accounts

Test accounts do not need to represent actual people, but they must be valid Active Directory accounts. In addition, these accounts must be enabled for Microsoft Lync Server 2013, they must have valid SIP addresses, and they should be enabled for Enterprise Voice (to use the Test-CsPstnPeerToPeerCall synthetic transaction). If you are using the TrustedServer authentication method, all you need to do is to make sure that these accounts exist and configure them as noted. You should assign at least three test users for each pool that you want to test.

If you are using the Negotiate authentication method, you must also use the Set-CsTestUserCredential cmdlet and the Lync Server Management Shell in the watcher node as Administrator to enable these test accounts to work with the synthetic transactions. Do this by running a command similar to the following (these commands assume that the three Active Directory user accounts have been created and that these accounts are enabled for Lync Server 2013):

Set-CsTestUserCredential -SipAddress "sip:watcher1@domain.com" -UserName "domain\watcher1" -Password "P@ssw0rd"

Set-CsTestUserCredential -SipAddress "sip:watcher2@domain.com" -UserName "domain\watcher2" -Password "P@ssw0rd"

Set-CsTestUserCredential -SipAddress "sip:watcher3@domain.com" -UserName "domain\watcher3" -Password "P@ssw0rd"

You must include not only the SIP address, but also the user name and password. If you do not include the password, the Set-CsTestUserCredential cmdlet will prompt you to enter that information. The user name can be specified by using the domain name\user name format shown in the preceding code block, or by using this format: user name@domain name. For example:

-UserName "watcher3@domain.com"

To verify that the test user credentials were created, run these commands from the Lync Server Management Shell:

Get-CsTestUserCredential -SipAddress "sip:watcher1@domain.com"

Get-CsTestUserCredential -SipAddress "sip:watcher2@domain.com"

Get-CsTestUserCredential -SipAddress "sip:watcher3@domain.com"

Information similar to this will be returned for each user:

UserName          Password
--------          --------
domain\watcher1   System.Security.SecureString
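Putting "P@ssw0rd" on the command line, as in the commands above, leaves the test users' passwords in the console text and in any transcript. The added example below (not from the original post) registers the same three test users while prompting for each password with Get-Credential, then verifies the stored credentials the way the post does. The SIP addresses and domain are the post's placeholders; adjust them to your environment. It assumes the Lync Server Management Shell on the watcher node, run as Administrator, as the post requires for Negotiate mode.

```powershell
# Added example, not from the original post. Run in the Lync Server Management Shell on the
# watcher node as Administrator. SIP addresses and user names are the post's placeholders.
$testUsers = @(
    @{ Sip = 'sip:watcher1@domain.com'; User = 'domain\watcher1' },
    @{ Sip = 'sip:watcher2@domain.com'; User = 'domain\watcher2' },
    @{ Sip = 'sip:watcher3@domain.com'; User = 'domain\watcher3' }
)

foreach ($u in $testUsers) {
    # Get-Credential prompts interactively, so the password is never typed into the console
    # text or stored in a script. -UserName/-Message require Windows PowerShell 3.0.
    $cred = Get-Credential -UserName $u.User -Message "Password for test user $($u.Sip)"
    if ($cred -eq $null) {
        Write-Warning "No credential entered for $($u.Sip); skipping."
        continue
    }

    # -Password on Set-CsTestUserCredential is a plain string, so unwrap the SecureString
    # only at the point of the call and keep nothing else holding the clear text.
    Set-CsTestUserCredential -SipAddress $u.Sip `
                             -UserName   $cred.UserName `
                             -Password   $cred.GetNetworkCredential().Password
}

# Verification, same as the post's Get-CsTestUserCredential calls, but for all users at once.
$missing = @()
foreach ($u in $testUsers) {
    $stored = Get-CsTestUserCredential -SipAddress $u.Sip -ErrorAction SilentlyContinue
    if ($stored) {
        '{0,-28} stored for {1}' -f $u.Sip, $stored.UserName
    }
    else {
        $missing += $u.Sip
    }
}
if ($missing.Count -gt 0) {
    Write-Warning ("No credential stored for: " + ($missing -join ', '))
}
```

The stored password is only ever shown as System.Security.SecureString, as in the output above, so the verification loop reports which users are registered without revealing anything.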

Configuring a Basic Watcher Node with the Default Synthetic Transactions

After the test users have been created, you can create a watcher node by using a command similar to this:

New-CsWatcherNodeConfiguration -TargetFqdn "sip.domain.com" -PortNumber 443 -TestUsers @{Add="sip:watcher1@domain.com","sip:watcher2@domain.com","sip:watcher3@domain.com"}

TargetFqdn is the address of your Lync pool as reachable from the watcher node (that is, from the internet), which in this case will be your Edge server. Note port 443! That's the important part!

This command creates a new watcher node that uses the default settings and runs the default set of synthetic transactions. The new watcher node also uses the test users watcher1@domain.com, watcher2@domain.com, and watcher3@domain.com. If the watcher node uses TrustedServer authentication, the three test accounts can be any valid user accounts enabled for Active Directory and Lync Server. If the watcher node uses the Negotiate authentication method, these user accounts must also be enabled for the watcher node by using the Set-CsTestUserCredential cmdlet.

Viewing and Testing the Watcher Node Configuration

If you want to view the tests that have been assigned to a watcher node, use a command similar to this:

Get-CsWatcherNodeConfiguration -Identity "sip.domain.com" | Select-Object -ExpandProperty Tests
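The added script below (not from the original post) ties the two previous sections together: it creates the watcher node configuration against the Edge on port 443 if it does not already exist, then checks the two things that most often go wrong for an external node, the port and missing Negotiate-mode credentials, before listing the assigned tests as the command above does. The target FQDN and test users are the post's placeholders.

```powershell
# Added example, not from the original post. Run in the Lync Server Management Shell on the
# watcher node. 'sip.domain.com' and the watcher SIP addresses are placeholders from the post.
$target    = 'sip.domain.com'
$testUsers = 'sip:watcher1@domain.com', 'sip:watcher2@domain.com', 'sip:watcher3@domain.com'

# Create the configuration only once; re-running New-CsWatcherNodeConfiguration for an
# existing Identity fails, so check first.
$node = Get-CsWatcherNodeConfiguration -Identity $target -ErrorAction SilentlyContinue
if (-not $node) {
    New-CsWatcherNodeConfiguration -TargetFqdn $target -PortNumber 443 -TestUsers @{Add = $testUsers}
    $node = Get-CsWatcherNodeConfiguration -Identity $target
}

$problems = @()

# The post's key point: an external watcher node must talk to the Edge on 443, not 5061.
if ($node.PortNumber -ne 443) {
    $problems += "PortNumber is $($node.PortNumber); an external watcher node needs 443."
}

# Negotiate mode: every test user in the configuration needs a credential stored on this node,
# otherwise the synthetic transactions cannot sign in.
foreach ($sip in $node.TestUsers) {
    if (-not (Get-CsTestUserCredential -SipAddress $sip -ErrorAction SilentlyContinue)) {
        $problems += "Test user $sip has no stored credential; run Set-CsTestUserCredential."
    }
}

if ($problems.Count -eq 0) {
    Write-Output "Watcher node '$target' looks consistent. Assigned tests:"
    $node | Select-Object -ExpandProperty Tests
}
else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Once this reports no problems, restart the agent as described next and give SCOM a few minutes to discover the node.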

Restart the SCOM agent (Microsoft Monitoring Agent)

In a few minutes, the watcher node should be discovered and visible in the SCOM console.