Forum Discussion
Josh_41258
Jul 31, 2012 (Nimbostratus)
Lync SSL Config
I'm using the newest deployment guide and iApp template for Lync 2010. I have a question regarding the "Front End Virtual Server" configuration in the iApp template. This section creates a VS on TCP/443 for the FE. The pool members are also 443. However, there are no SSL profiles assigned to the VS.
When I browse to the VS via HTTPS, I am presented the internal SSL certificate that IIS on the FE is using. Is this how the VS is supposed to be configured? Shouldn't it be using both client and server SSL profiles instead of just passing the encrypted data back to the FE servers?
Thanks,
Josh
- mikeshimkus_111 (Historic F5 Account): Hi Josh, actually, because that traffic is SIP over port 443, there is no benefit in decrypting it. So it's more efficient simply to pass it through.
- Josh_41258 (Nimbostratus): Mike,
- mikeshimkus_111 (Historic F5 Account): I'm sorry, I got confused for a minute. It's the Edge scenario where the Access service uses port 443 but is really SIP traffic, and web services go through the reverse proxy. Internally, you do want to hit the FE 443 VIP for web services, with the exception of Lync Mobility. If Mobility is configured to allow external clients, internal Mobility clients actually need to get directed to the external reverse proxy VIP.
- Josh_41258 (Nimbostratus): OK, so the "front_end_ip_443" VIP should be configured for pass-through SSL, and not have any SSL profiles assigned to it? No mobility here.
- mikeshimkus_111 (Historic F5 Account): That's correct. IIRC, because Lync doesn't allow offloading SSL and there's little to gain from decrypt-reencrypt, we pass it through.
- Josh_41258 (Nimbostratus): Mike,
- Ryan_Korock_46 (Historic F5 Account): For the Lync Edge Services, *only* the Edge Servers need the cert/keys, and not the BIG-IP.
- Josh_41258 (Nimbostratus): Ryan,
- Josh_41258 (Nimbostratus): Would someone mind clarifying the SSL settings on the reverse proxy external and internal VIPs? The iApp assigns serverssl and clientssl profiles to each, but the serverssl profiles don't actually have a key or cert assigned to them. Is this correct? In essence, this means that I could achieve the same effect by not applying any serverssl profile to either VIP, correct?
- mikeshimkus_111 (Historic F5 Account): This is correct. The serverssl profiles do not require a cert or key. They are used by the BIG-IP to open an encrypted "client" connection to the pool members. If your servers are expecting an encrypted connection, the connection will fail unless you assign a serverssl profile to the VIP.
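
The check Josh did by hand in the browser (seeing the FE's IIS certificate at the VIP) can be scripted by comparing the certificate presented at the VIP with the ones presented by the pool members directly. This is an added example, not part of the thread or of F5's tooling; the function names and the command-line form are assumptions made for illustration.

```python
import hashlib
import socket
import ssl
import sys


def fetch_leaf_der(host, port=443, timeout=5.0):
    """Return the DER-encoded leaf certificate presented at host:port."""
    ctx = ssl.create_default_context()
    # Validation is disabled on purpose: the goal is to see which certificate
    # is presented (often an internal-CA one), not to trust the connection.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def classify(vip_der, member_ders):
    """Compare the VIP's certificate with each pool member's certificate.

    member_ders maps a member label to that member's DER certificate.
    A match means the VIP hands out a member's own certificate, which is
    what a virtual server with no SSL profiles (pass-through) does.
    Caveat: the same cert/key loaded into a clientssl profile also matches.
    """
    vip_fp = fingerprint(vip_der)
    matches = sorted(m for m, der in member_ders.items()
                     if fingerprint(der) == vip_fp)
    mode = "pass-through-likely" if matches else "terminated-on-proxy"
    return {"mode": mode, "vip_sha256": vip_fp, "matching_members": matches}


if __name__ == "__main__":
    # Hypothetical usage: script.py <vip-address> <member-address> [...]
    if len(sys.argv) < 3:
        sys.exit("usage: script.py VIP MEMBER [MEMBER ...]")
    vip, *members = sys.argv[1:]
    print(classify(fetch_leaf_der(vip),
                   {m: fetch_leaf_der(m) for m in members}))
```

Run it from a host that can reach both the VIP and the pool members on 443, and list every pool member so that a member with its own distinct certificate is not mistaken for termination on the proxy.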