Forum Discussion
Lync Server 2013 HLB
Hi all. First, I describe my environment:
- AD local domain = internal.ad
- Public domain = SMTP domain = SIP domain = publicdomain.com
- Lync Server Enterprise Pool: PoolEE.internal.ad, FE01.internal.ad, FE02.internal.ad, FE03.internal.ad
- Simple URLs: meet.publicdomain.com, dialin.publicdomain.com
I would like to know if it's possible to use F5 BIG-IP LTM in a full HLB internal deployment (I mean without DNS round robin) using a public certificate. The goal is to allow all computers to connect and use Lync services (SIP and Web) without a trusted PKI in the certificate container. In other words:
- TLS/SSL (SIP and HTTPS): connections between client and F5: public certificate
- TLS/SSL (SIP and HTTPS): connections between F5 and Front End: PKI certificate
If it's possible, what sort of certificate do I need on F5? Can I use the iApp?
According to the Microsoft deployment guide, the certificates on each Front End must be as below.
Default:
- PoolEE.internal.ad
- FE01.internal.ad
- FE02.internal.ad
- FE03.internal.ad
- publicdomain.com
Web Internal:
- lyncwebinternal.internal.ad
- dialin.publicdomain.com
- meet.publicdomain.com
Web External:
- lyncwebexternal.publicdomain.com
- dialin.publicdomain.com
- meet.publicdomain.com
- lyncdiscover.publicdomain.com
Thank you for your help.
Best regards, Gérald
6 Replies
- mikeshimkus_111 (Historic F5 Account)
Hi Gerald, not sure I understand the question completely, but you should be able to use any certificate you've configured for the Lync web services in the Lync iApp. BIG-IP doesn't decrypt the SIP traffic, so this only applies to the Lync web services connections.
- Gerald_Cheminan (Nimbostratus)
Hi Mickael, thank you for your answer. I'm sorry that my question is not very clear.
To avoid installing the root certificate from the PKI on computers that are not in the Active Directory domain, I wanted to use the BIG-IP as a SIP proxy on the internal network and use a public certificate. I could redirect the connections to the external network through the Lync Edge, but it is difficult to redirect only the computers that are not in the Active Directory domain and keep the others on the internal network.
If I understand your answer:
If I use BIG-IP to distribute SIP connections and therefore do not use the DNS round robin function, it means that BIG-IP balances and redirects connections to the Lync Front End? So the SIP/TLS/SRTP traffic is established directly between the client and the Lync Front End? In this case I cannot use a public certificate because the Front End and pool FQDNs are private (internal.ad) and not public.
Thanks for your help, Gérald
- mikeshimkus_111 (Historic F5 Account)
That is correct: BIG-IP will load balance the first request to the Front End servers, but after that the clients will communicate directly with them.
- Gerald_Cheminan (Nimbostratus)
Hi Mickael, again thanks a lot for your quick and quality answer. To complete my questions, I found very good articles by Thomas Poett about HLB and certificates. I wanted to share them with you and confirm your analysis.
https://gallery.technet.microsoft.com/office/Lync-2013-internal-3ac7ddfb
https://gallery.technet.microsoft.com/office/HLB-and-DNS-Load-Balancing-3cb98ec4
Have a nice year 2016!

Hi mikeshimkus,
Why is the first request directed to the Front End VS and the subsequent client communication directly with the Front End servers? Why aren't the subsequent requests directed towards the F5 Front End virtual server and, based on persistence records, forwarded to the actual Front End server? Shouldn't all communication take place via F5?
If this is the normal working behaviour, can you please direct me to the exact resource or document which specifies this? The point is, if F5 is acting for the first request only and subsequent connections are directly to the Front End servers, it's more or less similar to DNS load balancing.
- mikeshimkus_111 (Historic F5 Account)
Sohaib, I am unable to locate any Microsoft documentation about this, but both HLB and DNS LB work similarly. When you resolve the Front End server's IP via DNS or connect to it via the VIP, it returns you a list of pool members which the client then uses to connect (and caches for future reference).
The only real difference here is that unlike DNS, the BIG-IP will NEVER forward the initial request to a Front End server that is not responding, which should improve response time and eliminate the need for manual updating of DNS records.
Hardware load balancing is only required for Lync/Skype web services, BTW.
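As an added example (not code from the thread, F5 or Microsoft), a small Python audit that checks a certificate's dNSName SANs against the per-role name lists quoted in the question, using RFC 6125 wildcard rules. The two certificates are constructed input; the public-CA one shows why it cannot serve the Default role while the pool and Front End FQDNs are under internal.ad.

```python
"""Audit Lync 2013 Front End certificate SANs against the name lists in the question.

Added example, not code from the thread, F5 or Microsoft. REQUIRED_SANS is the
per-role name list the question quotes from the deployment guide; SAMPLE_CERTS
is constructed input standing in for the SAN extension of two certificates.
"""

REQUIRED_SANS = {
    "default": {"poolee.internal.ad", "fe01.internal.ad", "fe02.internal.ad",
                "fe03.internal.ad", "publicdomain.com"},
    "web_internal": {"lyncwebinternal.internal.ad", "dialin.publicdomain.com",
                     "meet.publicdomain.com"},
    "web_external": {"lyncwebexternal.publicdomain.com", "dialin.publicdomain.com",
                     "meet.publicdomain.com", "lyncdiscover.publicdomain.com"},
}

# Constructed: a public-CA certificate (public names only) and an internal PKI one.
SAMPLE_CERTS = {
    "public_ca": ["publicdomain.com", "*.publicdomain.com"],
    "internal_pki": ["PoolEE.internal.ad", "fe01.internal.ad", "fe02.internal.ad",
                     "fe03.internal.ad", "publicdomain.com",
                     "lyncwebinternal.internal.ad", "meet.publicdomain.com",
                     "dialin.publicdomain.com"],
}


def san_matches(san: str, name: str) -> bool:
    """Match one dNSName SAN against a required FQDN, RFC 6125 style:
    a wildcard only as the whole left-most label, matching exactly one label."""
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if not san.startswith("*."):
        return san == name
    suffix = san[1:]                       # e.g. ".publicdomain.com"
    head = name[: -len(suffix)] if name.endswith(suffix) else ""
    return head != "" and "." not in head  # bare apex and sub-sub-domains don't match


def missing_sans(role: str, cert_sans) -> set:
    """Required names for `role` that no SAN on the certificate covers."""
    return {n for n in REQUIRED_SANS[role]
            if not any(san_matches(s, n) for s in cert_sans)}


def audit(cert_sans) -> dict:
    """Missing names for every role, sorted, so one certificate is checked
    against all three roles at once."""
    return {role: sorted(missing_sans(role, cert_sans)) for role in REQUIRED_SANS}


if __name__ == "__main__":
    for label, sans in SAMPLE_CERTS.items():
        print(label, audit(sans))
```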
