jwashburn_48359
Nov 14, 2013

Lync 2013 Edge Server Interfaces same F5 pair

We are having a problem with the iApp for Lync. We are using Lync 2013 and having problems with mobile clients connecting from internally. They of course use the reverse proxy to do this, but I am wondering if they also might use some edge services. Here is my design question: is it possible to use an F5 pair to host both the External and Internal edge interfaces? Because of our security requirements, our Edge servers cannot sit on our internal VLANs where our FE servers are, so the Edge servers sit in two DMZ VLANs. The Red VLAN faces the internet and has our three IPs with the default GW pointing to the BIG-IP External Edge interface, and the Yellow VLAN has no internet access but has rules to allow connections to the FE pool. Both of those VLANs are served by the same F5 pair, so in the iApp I put the External and Internal interfaces on the same F5 pair, with our internal F5 pair holding the internal Reverse Proxy role and other roles.

Could this be causing the issue with mobile clients? I am wondering if the design is not valid.

 

  • mikeshimkus_111
    Historic F5 Account

    It's possible to deploy all Lync services on one layer of LTM, so this should work if you have your routing correct. Internal clients and FE servers need to be able to route directly to your internal Edge VIPs and the internal interfaces of your Edge servers. The Edge external and internal interfaces must not be able to route to each other.

    That said, I think Mobility clients only use HTTP, with all the SIP traffic taking place server-to-server on the back end.

    You were having problems with the reverse proxy yesterday; did those get resolved?

    Thanks,

    Mike

    • jwashburn_48359
      I am concerned that the external and internal interfaces being able to route to each other could pose a problem. The Edge servers' external interfaces point to the firewall as the default gateway. The internal interfaces of the Edge servers do not have a default gateway, but the firewall also controls that VLAN, so in theory I would think they could potentially route to each other. Like I said in my other post and the support ticket, it doesn't seem like the traffic is leaving the BIG-IP. Almost like a black hole. I don't want to get two posts going on the same topic, so thanks for the info on the edge pieces, and I will tackle that problem if it pops up.
    • jwashburn_48359
      Thanks for the info. I am still having reverse proxy problems. Just waiting for support. While I wait, I am looking at every possible issue.