Forum Discussion
F5 Lync iApp with Cisco firewalls
I have configured the Lync iApp on a F5 LTM in our DMZ behind a Cisco firewall.
The client AV traffic goes through the firewall, hits the F5, which sends it on to one of the Edge servers (in the same network as the F5), but when the Edge server then replies directly to the client the firewall drops the packet as it hasn't seen a SYN packet from the client to the Edge (the original SYN went from the client to the F5).
Am I configuring something wrong here? Shouldn't the F5 tell the client to re-connect to the Edge directly?
Any help appreciated.
Thanks
Richard
22 Replies
- What_Lies_Bene1 (Cirrostratus)
Would you mind reminding us what the desired paths are please, I'm getting a bit confused.
e.g. Inbound: Client > F5 > Server etc. etc., but for each direction.

- MVA (Nimbostratus)
Outbound traffic from Edge server to external client:
Edge server -> F5 -> Firewall -> External client.
Edge server, F5 self IP, and firewall are all on the same VLAN. We do not have a route on the firewall to send return traffic back through the F5; not sure if this is a requirement...?

- What_Lies_Bene1 (Cirrostratus)
OK, and the inbound path please?

- MVA (Nimbostratus)
Inbound = External client -> Firewall -> Edge server

- What_Lies_Bene1 (Cirrostratus)
Now I'm confused, sorry. Here's what you've described:
Inbound: External client -> Firewall -> Edge server
Outbound: Edge server -> F5 -> Firewall -> External client
Doesn't the client initiate, and thus wouldn't the F5 be used?

- MVA (Nimbostratus)
It's my understanding the Edge server can initiate a connection to an external client, and that's the scenario I'm having an issue with. If that's not the case, this is a moot point :). The F5 iApp says the Edge server needs a route to external clients; we've taken the path of making the Edge server's default GW the F5 and setting up a forwarding IP VS.

- farache_28983 (Nimbostratus)
Hey guys, sorry for bringing this thread back to life, but I am facing a similar situation.
Currently, when the client tries to connect to the Edge, I see the packet reaching the server with the real IP (the Edge has the BIG-IP floating IP as its default GW). The Edge has an internal interface going out back to a FW and back to the BIG-IP for reaching the internal Front End servers. The BIG-IP has a forwarding VIP for routing the traffic from this source.
When I do a dump on the Front End server, I see the packet reaching it but with an IP of the BIG-IP interface... which is weird. Either way, at this point the server is killing the connection with a RST.
In the documentation it is not clear to me whether the Front End and Edge have to live in the same network...
Can someone clarify? I did all of the above but it did not work for me, except for the connection from external to Edge.

- MVA (Nimbostratus)
OK, resolved my issue. Turns out we had a "Global SNAT" enabled on the F5, so the Address Translation setting on the Forwarding IP VS wasn't being honored. Deleted the Global SNAT and this is working as expected now.
Farache, don't forget to set up routes on your F5 to the networks the Edge servers need to reach. On ours, we set up specific routes for internal networks and the default route to the external FW for external clients.

- PJG_71968 (Nimbostratus)
All, I just thought I would add what we found to be the final piece of the jigsaw of Lync Edge Server load balancing.
We were seeing odd behaviour whereby we saw full traffic in and out on one of the external interfaces, but the other two were receiving SYN packets and not sending SYN-ACKs back to the source.
So it transpires that each of the 3 public-facing interfaces requires a default gateway set to the self IP of the BIG-IP. This is odd, as we thought that a server only ever has one default gateway. Anyway, as soon as we set it as such... voilà.
So just to confirm:
1 – Set the default gateway on each of the Lync public interfaces to be the BIG-IP self IP (obviously in the network you're working in!).
2 – Assign a forwarding VIP on the BIG-IP (see above for the details).
3 – Set a FastL4 profile on the forwarding VIP with Loose Connections and Loose Close enabled.
Cheers... Phil

- Brian_Vest_1225 (Nimbostratus)
I was also dumbfounded by this until I found this thread and set the BIG-IP as the Edge server external interface default gateway. Thanks for the info!
Since doing this I've noticed ALL A/V traffic is passing in and out of the VIP set up for the Edge A/V services. It works, but it is not exactly ideal from a networking perspective. Is this additional forwarding VIP needed to enable direct communication with the Edge servers? I read the instructions in this thread:
1. Create a new protocol profile based off the FastL4 template profile. Enable 'Loose Initiation' and 'Loose Close' on this new profile.
2. Create a new VIP with the following characteristics: Network, Destination = 0.0.0.0, Netmask = 0.0.0.0, Forwarding (IP), and the new client profile you created above.
Being new to F5, I'm somewhat unclear on the second step. Are there any additional configuration options that have to be set? How does this get associated with the Edge servers' IPs? Apologies if I'm not understanding this properly.
Thanks for any help
Brian
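To make Phil's three steps and MVA's Global SNAT finding concrete, here is an added example (written for this page, not F5's own tooling or anything posted in the thread): a constructed bigip.conf excerpt for the forwarding setup, plus a small checker that parses it and flags the three things the thread says must hold: a FastL4 profile with loose initiation and loose close, a 0.0.0.0/0 IP-forwarding virtual server using that profile with address translation disabled, and no SNAT whose origin list covers all sources. The object names (`fastl4_loose`, `vs_edge_forward`, `global_snat`) are invented, and the field spellings follow bigip.conf conventions as I know them; that is an assumption, so compare against `tmsh list ltm` output on your own TMOS version before relying on it.

```python
"""Audit a bigip.conf excerpt for the Lync Edge forwarding setup from the
thread.  Example code for this page, not F5 tooling.  The config text is
constructed; object names and field spellings are assumptions to verify
against `tmsh list ltm` on your TMOS version."""

# Constructed excerpt: the working setup the thread converges on.
GOOD_CONF = """
ltm profile fastl4 /Common/fastl4_loose {
    defaults-from /Common/fastL4
    loose-close enabled
    loose-initialization enabled
}
ltm virtual /Common/vs_edge_forward {
    destination /Common/0.0.0.0:0
    ip-forward
    mask any
    profiles {
        /Common/fastl4_loose { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
}
"""

# Same config plus a global SNAT: this is what MVA found was silently
# overriding "translate-address disabled" on the forwarding VS.
BAD_CONF = GOOD_CONF + """
ltm snat /Common/global_snat {
    automap
    origins {
        0.0.0.0/0 { }
    }
}
"""


def parse(conf):
    """Parse brace-structured bigip.conf text into nested dicts.

    Block keys are the text before '{'; leaf lines become key -> value, or
    key -> True for bare keywords such as 'ip-forward' or 'automap'.  Covers
    the subset used above: one statement per line, '{ }' for an empty block."""
    root, stack = {}, []
    cur = root
    for raw in conf.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{ }"):
            cur[line[:-3].strip()] = {}
        elif line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        else:
            key, _, val = line.partition(" ")
            cur[key] = val.strip() or True
    return root


def audit_forwarding_vs(conf):
    """Return a list of findings; [] means the excerpt matches the thread's fixes."""
    objs = parse(conf)
    findings = []

    # 1. Profiles that let the BIG-IP pick a flow up without having seen its
    #    SYN (loose-initialization) and release it on either side's FIN/RST
    #    (loose-close); the Edge return path needs both.
    loose = {
        name.split()[-1]
        for name, body in objs.items()
        if name.startswith("ltm profile fastl4 ")
        and body.get("loose-initialization") == "enabled"
        and body.get("loose-close") == "enabled"
    }

    # 2. The wildcard IP-forwarding virtual server itself.
    fwd = [(n, b) for n, b in objs.items()
           if n.startswith("ltm virtual ") and "ip-forward" in b]
    if not fwd:
        findings.append("no ip-forward virtual server defined")
    for name, body in fwd:
        vs = name.split()[-1]
        dest = body.get("destination", "").split("/")[-1]
        if dest != "0.0.0.0:0" or body.get("mask") != "any":
            findings.append(f"{vs}: not a 0.0.0.0/0 wildcard")
        if not set(body.get("profiles", {})) & loose:
            findings.append(f"{vs}: no FastL4 profile with loose-initialization and loose-close")
        if body.get("translate-address") != "disabled":
            findings.append(f"{vs}: translate-address must be disabled")

    # 3. A SNAT whose origins cover every source applies to the forwarding VS
    #    too, so downstream hosts see a BIG-IP address instead of the client.
    for name, body in objs.items():
        if name.startswith("ltm snat ") and "0.0.0.0/0" in body.get("origins", {}):
            findings.append(f"{name.split()[-1]}: global SNAT overrides the forwarding VS")
    return findings


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, audit_forwarding_vs(conf) or "OK")
```

Run it against a real `tmsh save sys config` output by loading the file into `audit_forwarding_vs`; the parser only understands the one-statement-per-line subset shown, so trim the excerpt to the `ltm profile fastl4`, `ltm virtual` and `ltm snat` objects first. The default gateway on each Edge external interface (Phil's step 1) lives on the Windows host, not in bigip.conf, so it is deliberately outside this check.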