Lync 2010 iApp Problems
Old Environment:
2 x LTM 6400 Series
New Environment:
2 x LTM 4000 Series
Migration:
We are currently starting to configure our new environment in preparation for migrating over in the next few months.
Issue:
I am trying to deploy Lync 2010 using the current iApp. I have run through the template and everything comes back healthy; VIP, Pools, Nodes are all green and look good. When I have my messaging administrator try to connect to the VIP, it just hangs and tells him that he cannot log on. If he points his Lync client back to the VIP on the old environment, it works as expected. Now, in the old environment we did have to create some SNAT pools in order to get this working. Using the iApp template, it sounds like that is only needed if you're going to have over 64,000 connections or something along those lines. We will not have that many users. However, I went ahead and created SNAT pools manually anyway and added them (trying to duplicate the current setup), but he still could not connect. Before I start mucking around with changes, I thought it best to reach out to the community for some guidance. I am hoping someone can steer me in the right direction with this. Thank you in advance.
19 Replies
- mikeshimkus_111
Historic F5 Account
Hi Jerome, I have never seen that problem before, but it sounds like it might be a product bug in BIG-IP. What format was the cert/key in when you imported it onto the BIG-IP?
thanks
Mike
- J_LE_42749
Nimbostratus
Hi Mike & thanks for your fast answer.
I cannot recollect to be honest (done a couple of months already)...
any way I can check that?
thanks
Jérôme
- mikeshimkus_111
Historic F5 Account
Hmmm, not really. The quickest thing to do would be to go back to the Lync servers and re-export the certificates as .pfx files, which contain both the cert and private key. Then you can re-import those into the BIG-IP and try again.
- J_LE_42749
Nimbostratus
Hi Mike,
Thanks for your feedback - sorry it took me a couple of days to get the .pfx file from the right people...
Now, I'm in! iApp is working okay. Thanks so much!!
Question there: is there any way to protect against brute force attack (with ASM) for Lync, specifically?
It seems quite easy to download the Lync mobile app from a public store and lock accounts by trying many user/password combinations...
Furthermore I did notice that some Web services (such as DialIn) are asking for user authentication (http/401), hence another entry to lock accounts...
Does anyone implement such WAF protection with Lync?
Thank you
Best Regards
Jérome
- Michael_61190
Nimbostratus
Reviving this old thread to see if folks have implemented any iRules or other controls to prevent password guessing at the network perimeter. All I get from Microsoft is a recommendation to use a filter produced for TMG. :O
- Peter_de_Beer_1
Historic F5 Account
Looking for the same solution. TMG is now EOL, and Enterprises deploying MS Lync client on Mobile devices want to protect against brute force attacks and locking out the AD accounts.
- J_LE_42749
Nimbostratus
Hi Michael, I saw the same article :D I personally did not succeed in protecting the DialIn login page with ASM because it used SAML to send credentials to the back-end servers (the POST request does not send username & password as parameters but as XML content). RFE 388564 was opened a couple of months ago to add this feature into ASM.