For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Josh_41258's avatar
Josh_41258
Icon for Nimbostratus rankNimbostratus
Jul 31, 2012

Lync SSL Config

I'm using the newest deployment guide and iApp template for Lync 2010. I have a question regarding the "Front End Virtual Server" configuration in the iApp template. This section creates a VS on TCP...
microsoft
partner
Josh_41258's avatar
Josh_41258
Icon for Nimbostratus rankNimbostratus
Aug 14, 2012
Mike,

 

 

Thanks for the info. I'm having a fit trying to get the reverse proxy working correctly.. hopefully you may be able to quickly see where my configuration mistake is.

 

 

I have one external reverse proxy VIP:

 

 

Clientssl and serverssl profiles configured correctly.

 

SNAT automap

 

No persistence

 

iRule configured to redirect users to the internal reverse proxy (on 4443)

 

One pool member, the internal reverse proxy VIP (on 4443). The deployment guide says to make the pool member the "IP address of the front end virtual server that you created," but this doesn't really make sense to me?

 

 

I then have one internal reverse proxy VIP:

 

 

Clientssl and serverssl profiles configured

 

SNAT automap

 

Cookie based persistence

 

Two pool members, each of the front-end servers on TCP/4443.

 

 

I can hit the "internal reverse proxy VIP" just fine, and get redirected to Lync web services. However, when I hit the external reverse proxy VIP, the request eventually times out. As a note, both the internal reverse proxy VIP and the external one are on the same network. and on the same BIG-IP. In doing a tcpdump between the internal and external reverse proxy VIPs, I see some strange ARPs:

 

 

15:45:40.543203 arp who-has 172.26.137.54 tell 172.26.137.5

 

15:45:41.543424 arp who-has 172.26.137.54 tell 172.26.137.5

 

15:45:42.543022 arp who-has 172.26.137.54 tell 172.26.137.5

 

15:45:43.543467 arp who-has 172.26.137.54 tell 172.26.137.5

 

15:45:44.543290 arp who-has 172.26.137.54 tell 172.26.137.5

 

 

172.26.137.54 is the internal reverse proxy VIP, and 172.26.137.5 is the floating self-IP address on that particular VLAN. I also see this:

 

 

15:45:46.543046 IP 172.26.137.55 > 172.28.140.64: ICMP host 172.26.137.55 unreachable, length 36

 

15:45:46.543056 IP 172.26.137.55 > 172.28.140.64: ICMP host 172.26.137.55 unreachable, length 36

 

15:45:46.543061 IP 172.26.137.55 > 172.28.140.64: ICMP host 172.26.137.55 unreachable, length 36

 

 

172.26.137.55 is the external reverse proxy VIP, and 172.28.140.64 is the client IP address that is trying to hit the VIP.

 

 

I'm stumped here. Do you have any idea what may be going on?

 

 

I really appreciate any help you can offer.

 

 

Thanks