david_baumgart_
Jul 27, 2016

Completely Lost Trying to Set Up SSL For the Skype for Business Reverse Proxy iApp

Hey All. Doing my first ever Skype for Business deployment and I have most everything working properly (Internal/External IM/Presence and AV calls all work great for the desktop client). Now I am trying to set up my two Big-IPs to do reverse proxy traffic and I am honestly completely lost. Allow me to explain.

I have a dual Big-IP setup in my test lab. I have one in my DMZ which is set using the iApp to forward reverse proxy traffic to my internal which is set through the same iApp to receive reverse proxy traffic. I have given it its own public IP which is NAT'd to the DMZ F5 DMZ address. The DMZ F5 also has a self IP on the DMZ subnet for which I have opened 443, 80, 4443, and 8080 up to the VIP of the F5 on my internal lab subnet. The iApp on the DMZ Big IP shows green for the internal server so it looks like they're talking to each other ok.

Here's where I start beating my head against the wall, and before I go into detail I am going to come out and say that I have not yet configured an SSL profile on either Big IP which may be my issue here. If I download the Skype for Business app on my phone and try to sign into Skype with my SIP address and username, I get a certificate warning that comes from the DMZ Big IP so I know that my device at least makes it through the public/NAT IP address to the DMZ Big IP. But then after I click continue on the certificate warnings it will say signing in for a second and then just kick me back to the logon screen. This has me wondering if the traffic is getting stuck somewhere in the chain of F5s, if it is an SSL issue, or if it is a configuration issue on my Skype Front Ends somewhere and was hoping someone could provide some guidance.

A follow-up question that I have to this is regarding what certificate to import and set up on my Big IP units. On my edge servers, I have a public certificate issued by a CA. On my FE servers I have a certificate assigned by my internal CA per Microsoft best practices. I would imagine that I should use the public cert, but the iApp states that "The certificate you select here MUST match the certificate you used in your Skype web services configuration." This would indicate that I would need to use the certificate from my FE servers, but then mobile devices are not going to trust this certificate. Any advice here on exactly what I should do here would be greatly appreciated. Thanks!
