Forum Discussion
Lync 2013 iApp template
Hey all, I am in the planning stages of deploying Lync 2013 with the Edge servers load balanced and the Front End servers reverse proxied using LTM. I am a little confused with the verbiage in the template, specifically around the public IP's necessary for the edge server services.
My plan was to have 2 protected subnets in a DMZ, one for the externally accessible services (3 IP's per edge server) and one for the internal connection to our internal network where the FE servers will be. The externally accessible services would be NAT'd to (Destination NAT for A/V) so the actual "public" interfaces would have non-routable addresses assigned to them, their public addresses on the external Interface of the Firewall.
In the section, Edge Server Pools-External Interface, it references each service per edge server and adds that "Note these addresses should be publically routable". So are these the actual IP addresses of my edge interfaces on the servers themselves? Or is it really asking for the public NAT'd addresses at the firewall? I can explain further and provide a basic network diagram if this is confusing (it sure is to me, this is my first lync implementation and even without the F5 it is a bit confusing).
-GR
- mikeshimkus_111Historic F5 Account
Hi Greg, check out this post by Ryan Korock: https://devcentral.f5.com/articles/the-hopefully-definitive-guide-to-load-balancing-lync-edge-servers-with-a-hardware-load-balancer.U1bTrvld_0Q
It explains why we recommend using public IPs for the Edge services.
- Greg_130338NimbostratusI have read through this a few times before. In it he mentions, "NAT awareness was built into Lync 2010 to help in environments in which Edge Servers are deployed behind NATs. By enabling the NAT awareness, Edge Servers will refer clients to their respective NAT address in order to route the users in correctly." Which is how I intended on building this out. In his example he used routable IP addresses for all the external edge services but I'd like to put them on a DMZ private subnet and NAT through our firewall using the nat-aware capabilities of Lync 2010 and later (exposing a windows server by bypassing our firewall just doesn't sit well with me). Has anyone built a similar solution? If so, my real confusion still resides in the iApp where it asks about adding the edge server pools and using the publicly routed IP address. This might help to make sense of how I envision this working. Technet documentation for NAT'd A/V service. http://technet.microsoft.com/en-us/library/gg425882.aspx
- mikeshimkus_111Historic F5 Account
I've never tested this scenario using the iApp, which was built around the "public IPs for all" recommendation. I have heard that others have successfully it this way. I would think you'd need to use your DMZ addresses for the VIPs and Edge servers in place of public IPs, and make sure you have SNAT enabled for the VIPs, including A/V. As long as your Edge servers know to hand back the correct public IP to the clients, it should work.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com