Forum Discussion
F5 Lync iApp with Cisco firewalls
I have configured the Lync iApp on a F5 LTM in our DMZ behind a Cisco firewall.
The client AV traffic goes through the firewall, hits the F5, which sends it on to one of the edge servers (in the same network as the F5), but when the edge server then replies directly to the client the firewall drops the packet as it hasn't seen a SYN packet from the client to the edge (the original SYN went from the client to the F5).
Am I configuring something wrong here? Shouldn't the F5 tell the client to re-connect to the edge directly?
Any help appreciated.
Thanks
Richard
22 Replies
- mikeshimkus_111
Historic F5 Account
Hi Richard, this is one reason we recommend using public IPs for your external Lync Edge services: https://devcentral.f5.com/blogs/us/the-hopefully-definitive-guide-to-load-balancing-lync-edge-servers-with-a-hardware-load-balancer
You should be able to solve this problem by enabling SNAT on the A/V virtual servers; however, it's not ideal, since the Edge servers won't be able to set up peer-to-peer connections between Lync clients.
thanks
Mike
- Richard_22613
Nimbostratus
Thanks Mike.
We do have the edge servers on public addresses, however they sit behind a firewall for security reasons. There is no NAT on the firewall for the edge and F5 services.
I don't really want to enable SNAT for the AV service, as you say, as it means peer-to-peer connections suffer.
The only other option is not to use the F5's iApp template for the AV and SIP side (which seems a waste of the F5s!).
Richard
- mikeshimkus_111
Historic F5 Account
Richard, did you happen to configure the default gateway on the Edge servers' external interfaces to use the self-IP address of the BIG-IP, and set up a default route on the BIG-IP that points to the firewall?
Also, you would need a forwarding virtual server to receive internet-bound traffic from the Edge servers.
- Richard_22613
Nimbostratus
Hi Mike,
I configured the edge servers with their default gateway as the firewall and then in the iApp specified No to the section 'Do the Microsoft Lync Server Edge Servers have a route back to application clients via this BIG-IP system?'
If I change the gateway of the edges to point to the F5s, then doesn't this put more load on the F5s and possible latency for the AV traffic?
Thanks
Richard
- mikeshimkus_111
Historic F5 Account
I wouldn't think there would be any load/latency problems. You're not proxying that traffic with LTM, just routing it, so there's really nothing being done to it that might put load on the BIG-IP.
- Richard_22613
Nimbostratus
I am going to give this a try with our spare test Edge server that isn't yet in production.
The only thing I'm not sure about is, even if the default gateway of the edge is the F5, the traffic returning to the client will be routed by the F5s, won't it? This would mean the source IP of the packet when it hits the firewall will be the edge and still won't have a session created in order to talk back to the client. I hope I make sense!
- Ryan_Korock_46
Historic F5 Account
Richard.... one solution would be to point the default gateway of the Edge servers to the BIG-IP Self-IP, and the default gateway of the BIG-IP to the firewall. This will route connections that are being load balanced by the BIG-IP correctly without having to SNAT anything.
You will also have to deal with connections that are being sent directly to the Edge Servers themselves (and not sent to the BIG-IP for LB). The return traffic from the Edge servers will then be sent (asymmetrically) to the BIG-IP since that is the DFGW of the Edge servers. To get the BIG-IP to pass this return traffic on through to the firewall, create a forwarding VIP with loose connections enabled. This effectively gets the BIG-IP to act as a stateless router for the return traffic of connections sent directly to the Edge Servers.
- Dave_20158
Nimbostratus
Ryan - Thank you so much for this information. We ran into this exact issue with the asymmetric routing and I could not understand why the BIG-IP was not forwarding the traffic. Once I created the new fast-L4 profile and enabled loose initiation and loose close, everything worked perfectly.
- Richard_22613
Nimbostratus
Ryan
I've configured the edge as suggested and all seems to be working, but I haven't yet configured the forwarding VIP with loose connections. Can you advise where I do this and what settings I should use? The F5s are new to me, slowly building up experience!
Thanks
Richard
- Ryan_Korock_46
Historic F5 Account
Sure Richard... so just to reiterate, we need this forwarding VIP because we want the BIG-IP to forward traffic from the Edge Servers out through the firewall. This creates a bit of an asymmetric loop for traffic coming in from remote clients directly to an Edge Server (the incoming connection will go from the firewall directly to the Edge Server, however the Edge Server will send all return traffic to the BIG-IP and rely on the BIG-IP to forward it to the firewall). This is why we need to set 'Loose Connections' on this forwarding VIP.
1. Create a new protocol profile based off of the FastL4 template profile. Enable 'Loose Initiation' and 'Loose Close' on this new profile.
2. Create a new VIP with the following characteristics (Network, Destination = 0.0.0.0, Netmask = 0.0.0.0, Forwarding (IP), and the new client profile you created above).
This should be it. Let me know how it goes Richard.
- MVA
Nimbostratus
Hi, thanks for the info, especially on the FastL4 profile. I did just that but still don't see return traffic coming to the Edge Server. I see on the F5 the Edge server sending a SYN to the external client, and our firewall logs show a connection from the Edge server to the external client as allowed. We also do not see the F5 Self-IP being blocked on the firewall, which we were seeing previously. From my troubleshooting so far, it seems all is in place but for some reason we're still not seeing a return connection to the Edge server. Any suggestions are appreciated.
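The two GUI steps Ryan lists (a FastL4 profile with loose initiation/close, and a wildcard IP-forwarding VIP using it), plus the BIG-IP default route to the firewall that Mike mentions, expressed as tmsh commands. This is an added example, not configuration posted in the thread; the object names fastL4_loose, vs_edge_forward and edge_vlan, and the firewall address 203.0.113.1, are assumed placeholders.

```tmsh
# Added example (not from the thread). Names and the gateway address are placeholders.

# Default route on the BIG-IP pointing at the firewall, so traffic the Edge
# servers hand to the BIG-IP self-IP has somewhere to go.
create net route default_to_fw network default gw 203.0.113.1

# 1. FastL4 profile with loose initiation and loose close. Loose initiation lets
#    the BIG-IP build a flow from a non-SYN packet, which is what the asymmetric
#    return traffic of connections that went straight to an Edge server looks like.
create ltm profile fastl4 fastL4_loose defaults-from fastL4 loose-initialization enabled loose-close enabled

# 2. Wildcard forwarding virtual server: any destination, any protocol/port,
#    IP forwarding (no pool, no address or port translation), using the profile above.
#    Limiting it to the Edge-facing VLAN keeps the loose-initiation behaviour off
#    the firewall-facing side, where normal SYN-checked flows should stay in force.
create ltm virtual vs_edge_forward destination 0.0.0.0:any mask any ip-protocol any ip-forward translate-address disabled translate-port disabled profiles replace-all-with { fastL4_loose } vlans-enabled vlans replace-all-with { edge_vlan }

save sys config
```

Verify with `show sys connection` while a client is talking directly to an Edge server: the return flow should appear on the BIG-IP even though it never saw the client's SYN.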
