Forum Discussion

jameshendergart's avatar
jameshendergart
Historic F5 Account
Oct 05, 2011

Lync Server 2010 Deployment Guide Update

The TMOS v11 iApp for Lync 2010 is here! http://bit.ly/r3NSup Use this new iApp for faster, easier configuration of LTM for Lync.

 

 

Thanks!

 

James

29 Replies

  • Josh,

     

     

    The article is correct but states using DNS load balancing at the edge which is a supported configuration. What I don't get is why DNS load balancing works with NAT but if you want to use HW load balancing you need publically routed addresses.

     

     

    That said I have set it up will all NAT and HW load balancers and it worked, but this was with an older version/clients. (Well I kind of understand why but don't think it's legit)

     

     

    Bob James
  • Ryan_Korock_46's avatar
    Ryan_Korock_46
    Historic F5 Account
    From a supportability perspective, Microsoft has stated that using your HLB to perform DNAT is an unsupported configuration on the external side of the edge server for A/V services.

     

     

    From a purely functional perspective, there is NOTHING that breaks by doing so, and we have plenty of customers who have deployed in this fashion.

     

  • Ryan,

     

     

    Sorry change the subject a bit. Are you by chance using a reverse proxy on your LTM for Lync? If so, can you tell me if you are using both clientssl and serverssl profiles on the internal side of the reverse proxy (the one on TCP/4433)?

     

     

    Thanks,

     

     

    Josh
  • Ryan,

     

     

    Sorry change the subject a bit. Are you by chance using a reverse proxy on your LTM for Lync? If so, can you tell me if you are using both clientssl and serverssl profiles on the internal side of the reverse proxy (the one on TCP/4433)?

     

     

    Thanks,

     

     

    Josh
  • Ryan,

     

     

    Sorry change the subject a bit. Are you by chance using a reverse proxy on your LTM for Lync? If so, can you tell me if you are using both clientssl and serverssl profiles on the internal side of the reverse proxy (the one on TCP/4433)?

     

     

    Thanks,

     

     

    Josh
  • This Lync design is killing me, following MS guidelines the Edge server outside interface should be publically routable. Does this mean it needs to be on the same segment as the Internet ans use SNAT with the F5's?, or can I use non public IP's and route through the LTM's that have an interface on the Internet?

     

    Another question is if they are public IP's on the edge, do I need another internet subnet and point that subnet through the F5 On the internet? Can I have the same subnet on the Internet as well as on the Edge server outside itnerface yet still point back through the LTM's to get to the Internet?

     

     

    It was so much easier just to NAT through firewalls....

     

     

    Thanks

     

     

    Bob James
  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Robert, the Edge servers really should have public IP addresses and you should not use SNAT on the LTM. That makes it possible for the Edge servers to set up direct sessions between external clients. If you SNAT, the clients' real IP addresses will be obscured and so the Edge servers will need to proxy all those connections.

     

     

    The answer to the second question, if I understand it, is that you can have the Edge server interfaces and Edge virtual servers on the same network segment, and use the public self-IP address of the BIG-IP as the gateway for outbound traffic from your Edge servers.

     

     

    Does that help?

     

    Mike
  • OK so I need two subnets (public) and two interfaces (inline) right? If so I will assume it works as poorly as Lync inside wherein, when the user is directed to the server directly the outside (Internet) must point to the selfIP which will then end it through to the internal subnet...right??

     

     

    Thanks Mike!
  • 2 Revesrse Proxies?

     

     

    Why does th iApp create two reverse proxies in the configuration one external and one internal? I understand the need for different certs but can't it just be two armed rather that two reverse proxies?

     

     

    A little confused with with

     

     

    Thanks,

     

     

    Bob James