Welcome to 2015! Let’s start the year off with some helpful how-to’s.

The other day I was off-site, and a request came in to update the Web Conferencing branding. (I blogged about this at “Branding Your Lync Server”.)

Normally I’d just log into the server and make the change, either via PowerShell or in Control Panel. But I was off-site. My normal login wouldn’t work! I’d have to log in remotely.


Now, all you sysadmins who do work from 3 different locations (office, the couch, the coffee shop), you know what’s required for this: Remote Access to the Lync Front End Server. However, I had discovered that SOMEone on our Lync team had disabled remote access!

(Ordinarily that’s a sensible precaution. Unmonitored remote access to any server is a serious security risk. Keep that in mind when using the following instructions.)

After I returned to the office and re-enabled Remote User Access, I was able to access Management Shell remotely & enter the cmdlets I wanted. I’ve already given you the cmdlets themselves, and what they do (the link above).

Today, I’m talking about the process used to make this possible: the steps to access Lync Server Management Shell remotely.

Remote Management Shell Access, Step 1: Enable Remote User Access on Lync Server

WARNING: The following can leave your Lync Server vulnerable if your security does not address remote access. Check your network security configuration BEFORE attempting.

  1. If your Lync user account is a member of the RTCUniversalServerAdmins group (or is an Administrator), log on to your computer within your company network.
  2. Open a browser window, and then enter your Lync Server Control Panel’s administration URL. (This can be done via Remote Desktop Connection as well, if you prefer.)
  3. In the left navigation bar, click Federation and External Access. Then click Access Edge Configuration.
  4. On the Access Edge Configuration page, click Global / Edit / Show Details.
  5. You should be in Edit Access Edge Configuration.
    1. To enable Remote User Access, check the “Enable remote user access” box.
    2. To disable Remote User Access, clear the “Enable remote user access” box.
  6. Click Commit.

You can also do this via cmdlets (see this page for help: Enable or Disable Remote User Access in Lync Server 2013 – TechNet).

I prefer doing so via Control Panel though, as it means you know where to go to enable/disable in the future. And you can switch it off whenever it’s not in use!

Step 2: Configure Policies

Enabling Remote User Access is not enough. You may also need to configure a policy allowing remote users to communicate back to Lync’s Front End.

  1. If you are still logged into Lync Server Control Panel, click External User Access in the left navigation bar.
  2. Click External Access Policy.
  3. Which policy you edit depends on which level you want to use.
    1. For the Global policy to support Remote User Access, click the Global policy. Click Edit, and then click Show details.
    2. To create a new Site policy, click New, and then “Site policy”. Select the appropriate Site from the “Select a Site” list and click OK.
    3. To create a new User policy, click New, and then “User policy”. Create an appropriate name under Name (“AllowRemotePowerShell” for example).
    4. If you want to change an existing policy, click it in the table, click Edit, and click Show details.
  4. To enable Remote User Access for the policy, check the “Enable communications with remote users” box.
  5. To disable Remote User Access for the policy, clear the “Enable communications with remote users” box.
  6. Click Commit.
  7. Exit out of Control Panel and log off.

More information is here: Configure Policies to Control Remote User Access in Lync Server 2013 – TechNet

NOTE: As the comments below discuss, this step may in fact not be necessary. I will try removing our policy configuration & testing remote access afterward. If you want, you can skip this step and go right to Step 3. If you do experience an error, try configuring policies and see if that resolves it. If not, you’re good.
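The two Control Panel checkboxes from Steps 1 and 2 can also be read and changed from Lync Server Management Shell on the server. The following is an added example, not code from the original post; the function names Get-LyncRemoteAccessState and Set-LyncRemoteUserAccess are hypothetical helpers, and the sample call uses -WhatIf so it changes nothing until that switch is removed.

```powershell
# Added example: run in Lync Server Management Shell on a server in the deployment.
# Get-LyncRemoteAccessState and Set-LyncRemoteUserAccess are hypothetical helper names.

function Get-LyncRemoteAccessState {
    # Step 1 setting: the "Enable remote user access" box (Access Edge configuration).
    $edge = Get-CsAccessEdgeConfiguration

    # Step 2 setting: "Enable communications with remote users" on every
    # external access policy (global, site and user scope).
    $policies = @(Get-CsExternalAccessPolicy |
        Select-Object Identity, EnableOutsideAccess)

    [pscustomobject]@{
        CheckedAt               = Get-Date
        RemoteUserAccessEnabled = $edge.AllowOutsideUsers
        PoliciesAllowingRemote  = @($policies |
            Where-Object { $_.EnableOutsideAccess } |
            ForEach-Object { [string]$_.Identity })
        AllPolicies             = $policies
    }
}

function Set-LyncRemoteUserAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [bool]$Enabled
    )
    $before = (Get-CsAccessEdgeConfiguration).AllowOutsideUsers
    # -WhatIf on this function is inherited by the Set-Cs cmdlet below.
    Set-CsAccessEdgeConfiguration -AllowOutsideUsers $Enabled -ErrorAction Stop

    # Return a small change record that can be appended to a log file.
    [pscustomobject]@{
        ChangedAt = Get-Date
        ChangedBy = "$env:USERDOMAIN\$env:USERNAME"
        Before    = $before
        After     = (Get-CsAccessEdgeConfiguration).AllowOutsideUsers
    }
}

# Review the current state, then preview switching the global setting off.
Get-LyncRemoteAccessState | Format-List
Set-LyncRemoteUserAccess -Enabled $false -WhatIf   # drop -WhatIf to apply
```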

Step 3: Open PowerShell & Create New Session

Now you’re set on the server-side for remote access. Here’s how to log in via the client side.

  1. Copy down the FQDN of your Front End Server. Take this with you (but keep it secure!).
  2. When at a remote location, connect to the Internet. Open PowerShell.
  3. Enter the following cmdlet using your FQDN:

$session = New-PSSession -ConnectionUri https://lync.domain.com/PowerShell -Credential (Get-Credential)

Make sure you have the correct FQDN for your Front End Server! Otherwise you will see a Connection Failure error like this.


You will be prompted to enter your credentials. Enter your login and password.

Once you’re authenticated, enter:

Import-PSSession -Session $session

This will create the new session.

Johan at Lync-Blog.nl has additional details on this page: Multiple Ways to Manage Your Lync Server Environment – Lync-Blog.nl

I also came across a script to speed up the process, here: #Lync and Remote PowerShell – Phyler’s Blog

After this, you should be there! Logged into PowerShell remotely and set to enter cmdlets.

When done, don’t forget to end your sessions with:

Remove-PsSession $session
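The Step 3 commands can be wrapped so the session is always closed, even when the connection or a cmdlet fails. This is an added example, not code from the original post or the linked scripts; the URI is the placeholder address used above, and the two imported cmdlets are an arbitrary choice for illustration.

```powershell
# Added example: run on the remote workstation.
# $uri is the placeholder address from Step 3; use your own Front End FQDN.
$uri     = 'https://lync.domain.com/PowerShell'
$session = $null
$module  = $null

try {
    # -ErrorAction Stop turns a wrong FQDN or a bad password into a catchable error.
    $session = New-PSSession -ConnectionUri $uri -Credential (Get-Credential) -ErrorAction Stop

    # Import only the cmdlets this task needs instead of the whole set.
    $module = Import-PSSession -Session $session `
        -CommandName Get-CsUser, Get-CsExternalAccessPolicy -ErrorAction Stop

    # The imported cmdlets run on the server; the results come back locally.
    Get-CsUser -ResultSize 5 | Select-Object DisplayName, SipAddress
    Get-CsExternalAccessPolicy | Select-Object Identity, EnableOutsideAccess
}
catch {
    Write-Warning "Remote Lync session failed: $($_.Exception.Message)"
}
finally {
    # Runs on success, on error and on Ctrl+C, so no session is left open.
    if ($module)  { Remove-Module -ModuleInfo $module -ErrorAction SilentlyContinue }
    if ($session) { Remove-PSSession -Session $session }
}

# Anything listed here is a session that was left behind by earlier work.
Get-PSSession
```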

P.S. – You May Need to Log Into Your Company VPN

Like many businesses, we use a VPN for external access. I was initially rebuffed from my remote PowerShell login. Logging into our VPN corrected this issue.

Depending on your network configuration, you may need to log into your VPN as well. Check with your network administrator for remote access rules.

========

Remote PowerShell access is a great help for admins who travel. Not every cmdlet will work from off-site (Johan mentioned that Enable-CsTopology will not, for instance). But you can create/disable users, get reports and restart some Lync services.

Thank you to everyone in our 2014 end-of-year polls! I’ll share the results next week. If you haven’t voted yet, I’ve extended the polls until Saturday the 10th. Please go here and vote: 2014 Reader Survey: What are Your 2015 Lync Plans?

How do you prefer administering your Lync Server? Please share your thoughts. We’ll see you again next week!


8 thoughts on “How to Access Lync Server Management Shell Remotely”


  • January 7, 2015 at 12:40 pm

    I am trying hard to understand from your article how the Lync external access privilege has anything to do with the remote-powershell session enablement?

  • January 7, 2015 at 12:45 pm

    Soder,

    I assume you’re talking about Step 2? Configuring the Enabling External Access Policy is needed so Lync Server will accept your remote login to the server. It is possible that this policy was already configured when your Lync Server was installed; if so, you can skip it. Thanks for prompting me to clarify!

  • January 7, 2015 at 12:57 pm

    @chris.williams: my concern is Step1 & step2

    Hmm.. now I am totally confused. Does the SIP user’s external access policy have anything to do with the capability of the user to have remote powershell privileges into the FE server? I haven’t heard about this before, and I’d say 99% sure these 2 things are totally unrelated topics! The only reason I am not saying 100% is that I may be wrong sometimes 🙂

  • January 7, 2015 at 1:04 pm

    @Soder
    The TechNet article on configuring policies says:
    “You can configure policies to control remote user access, even if you have not enabled remote user access for your organization. However, the policies that you configure are in effect only when you have remote user access enabled for your organization.
    “Additionally, if you specify a user policy to control remote user access, the policy applies only to users that are enabled for Lync Server and configured to use the policy.”

    However, it also references federation and Public IM Connectivity. So we may both be right here! I’ll revise the post to further clarify.

  • January 7, 2015 at 1:19 pm

    I know what remote user access means in Lync. I just don’t seem to understand your logic why you would need to first enable the remote access for your SIP account, if the sole purpose of the article is to run PS commands from a workstation remotely against the FE.

    Maybe you just merged 2 completely different topics into 1 article?

    Topic 1: how to enable Lync external access, so people can sign into Lync, even from Starbucks, without a VPN
    Topic 2: how to enable Lync remote powershell session to manage Lync without logging to the FE server via RDP

  • April 26, 2016 at 5:29 am

    This is a super helpful walkthrough, and thanks to Guy Horn for the URI correction!
