Forum Discussion
Pete_L_112517
Nimbostratus
NimbostratusLync 2013 Devices using F5 as Reverse Proxy can't connect
We've just deployed an on premise Lync 2013 environment (upgrade from 2010) using F5 BIG-IP LTM as the Reverse Proxy. This was deployed using the updated Lync 2013 iApp template.
I cannot get an iO...
I have not checked the latest version of the template, but in 1.2.1 it did ask about the chain in the setup, and left me with an ssl profile that had no chain.
You can try and manually set it. Go into the Application Services, click your Lync deployment and go to the Properties tab. Uncheck Strict updates and click update.
From there go to the Client SSL Profile(mine is named Lync2013_edge_external_ip_reverse_proxy_client_ssl) and set the chain(you'll have to have imported it first as a certificate)
If that solves your problem, just be aware that if you modify the iApp config it may overwrite this change and you have to set it back manually.
mimlo_61970
Cumulonimbus
CumulonimbusI have not checked the latest version of the template, but in 1.2.1 it did ask about the chain in the setup, and left me with an ssl profile that had no chain.
You can try and manually set it. Go into the Application Services, click your Lync deployment and go to the Properties tab. Uncheck Strict updates and click update.
From there go to the Client SSL Profile(mine is named Lync2013_edge_external_ip_reverse_proxy_client_ssl) and set the chain(you'll have to have imported it first as a certificate)
If that solves your problem, just be aware that if you modify the iApp config it may overwrite this change and you have to set it back manually.
Pete_L_112517This is exactly the issue. I located this issue yesterday afternoon after posting the question here. Just came here to post the answer. It turned out I need to create a bundle (chain) certificate of: our wildcard external cert -> intermediate DigiCert CA -> DigiCert Root CA Thanks very much for your reply!- mimlo_61970Good to hear. I am in the middle of a 2013 deployment and expect I am about to run into the same problem. All your research into the nature of the problem will end up helping me more than I helped you.
- Hi there, I'm one of the maintainers of the Lync iApp template. There should be no question about intermediate cert in the v1.2.1 template (you can add it by disabling strictness, as you pointed out). This has been added in the v1.3.0 RC-1 version of the template that's up on DevCentral right now, and it does apply the chain cert in my testing. However, it looks like the chain cert is not visible in the web GUI. You can verify this by looking at the properties of the clientssl profile in tmsh. Can you confirm that you didn't see the chain cert in tmsh? thanks
- mimlo_61970I'm trying to import the 1.3.0 RC-1 template to try this out, but am getting an error when I try and use the iapp. Error parsing template:can't eval proc: "script::run" can't find package iapp 1.1.0 while executing "package require iapp 1.1.0" (procedure "script::run" line 2) invoked from within "script::run" line:1 Where do I get this package from? This is on 11.2.1 HF10
Oscar_141263I also get the error about "package require iapp 1.1.0" but running 11.4 and HF4
