Microsoft Skype for Business Server 2015

Problem this snippet solves:

New release candidate iApp template and deployment guide for Microsoft Skype for Business Server 2015 (formerly Lync Server 2010/2013). For more information and complete guidance on configuring the iApp template, see the associated deployment guide: http://www.f5.com/pdf/deployment-guides/microsoft-skype-for-business-dg.pdf

f5.microsoft_skype_server_2015.v1.0.0rc9: posted to downloads.f5.com in 11/2017

RC-9 was posted to downloads.f5.com (as will most new versions of this template). It contained the following changes: new BIG-IP AFM IP Intelligence threat categories to support BIG-IP v13.1 and support for route domain 0 from non-Common partitions.

f5.microsoft_skype_server_2015.v1.0.0rc7: posted 09/21/2016

RC-7 provides additional SIP domain support within reverse proxy, a monitor schema change for reverse proxy to make use of the 200 OK response when querying lyncdiscover/lyncdiscoverinternal, support for the director service standalone use case(separate LTM from Front End service), added support to ask for the IP phone update url to allow connections through reverse proxy and added a port 80 Virtual Server in addition to the existing 443 Virtual Server for reverse proxy.

RC 5 and 6 were never released to the public, this includes changes as a part of those RC's

f5.microsoft_skype_server_2015.v1.0.0rc4: posted 02/16/2016

RC-4 Fixes a security log profile error when deploying on versions of BIG-IP earlier than 11.4, where AFM is not available.

f5.microsoft_skype_server_2015.v1.0.0rc3: posted 01/22/2016

RC-3 attaches a supplemental ICMP monitor to the Edge internal UDP virtual server. See https://support.f5.com/kb/en-us/solutions/public/6000/100/sol6143.html for more information.

f5.microsoft_skype_server_2015.v1.0.0rc2: posted 01/11/2016

RC-2 contains only a small correction to the iRule produced by the iApp template. The iApp will now always force the FQDN written to lowercase in the iRule, even if the user enters CAPITAL letters.

f5.microsoft_skype_server_2015.v1.0.0rc1: posted 07/06/2015

New iApp template for Skype for Business.

Code :

70782
Published Jul 06, 2015
Version 1.0
application delivery
devops
iApps
LTM
lync
  • James_Dastrup's avatar
    James_Dastrup
    Icon for Nimbostratus rankNimbostratus
    Dec 23, 2015
    Mike, looks like we were hit with the bug described in SOL14104 during a previous upgrade. Thanks for pointing us in the right direction.
  • Rox_Cornette_22's avatar
    Rox_Cornette_22
    Icon for Nimbostratus rankNimbostratus
    Jan 13, 2016
    can we add the capability to add a password for the certificate to this iapp? without it the wizard doesn't finish. and even when i use the default cert and key and attempt to add the cert after i use the default to finish, it still fails because there is no place to put the password.
  • Steve_A_130918's avatar
    Steve_A_130918
    Icon for Nimbostratus rankNimbostratus
    Jan 13, 2016
    Loaded the template onto a v11.3 LTM and got the following error : Error parsing template:can't eval proc: "script::run" iapp_get_items -norecursive -filter NAME !~ ca-bundle.crt|f5-irule.crt sys file ssl-cert: extra characters after close-quote while executing "error "$error_msg $err"" invoked from within "subst $rval($do_binary,$tmsh_rval,$nocomplain)" (procedure "iapp_get_items" line 76) invoked from within "iapp_get_items -norecursive -filter NAME !~ ca-bundle.crt|f5-irule.crt sys file ssl-cert" invoked from within "tmsh::run_proc f5.iapp.1.4.0.cli:iapp_get_items -norecursive -filter NAME !~ ca-bundle.crt|f5-irule.crt sys file ssl-cert" (procedure "script::run" line 3) invoked from within "script::run" line:1 Any thoughts?
  • Joe_Jordan's avatar
    Joe_Jordan
    Ret. Employee
    Jan 13, 2016
    Hello Rox, in the current iteration of the iApp, the way to include a certificate/key that requires a password is to create a Client SSL profile outside of the iApp template (Local Traffic > Profiles > SSL > Client) There you can include the passphrase. When you are in the iApp, simply select the profile you created from the question "Do you want to create a new client SSL profile for Front End services, or use an existing one?"
  • Fred_Slater_856's avatar
    Fred_Slater_856
    Historic F5 Account
    Jan 13, 2016
    Steve A- I am able to load and run the template on 11.3 without issue. The error message that you posted seems to indicate that the iapp is having trouble listing your ssl certificate names. Do any of your cert files have a name with quotes or spaces or special characters in it? Are any of them in a partition other then /Common?
  • Mgullia_176222's avatar
    Mgullia_176222
    Icon for Nimbostratus rankNimbostratus
    Feb 16, 2016
    Hi to all. I've just tryed to deploy this iAPP in a guest running 11.2.1 (LTM module only)...so no AFM. and i'm facing this error script did not successfully complete: ("security-log-profiles" unknown property while executing "tmsh::create [string range $args 7 end] " ("create" arm line 1) invoked from within "switch -exact -- [string range $args 0 5] { create { tmsh::create [string range $args 7 end] } modify { tmsh::modify [string r..." (procedure "iapp_conf" line 14) invoked from within "iapp_conf create "/ ltm virtual" "$vs_name destination $destination $snat_action pool none profiles none profiles replace-all-with \{ $http_profile_na..." (procedure "configure_microsoft_skype_server_reverse_proxy_deployment" line 145) invoked from within "configure_microsoft_skype_server_reverse_proxy_deployment" invoked from within "if { $provisioned } { if { $::front_end_ip__deploying_front_end_ip == $::YES_ANSWER } { configu..." line:1424) I think the problem is the lack of AFM. How can i fix that? I'm not intrested to use AFM,
  • JonHarro_182076's avatar
    JonHarro_182076
    Icon for Nimbostratus rankNimbostratus
    Mar 01, 2016
    Hi Folks. I am playing around with trying to make this work at the moment. (rc4 template) It seems even if you answer NO to the question "Should the system monitor the internal SIP virtual servers?" it still creates the monitors and adds them to the _reverse_proxy_front_end_4443_pool... Disabling strict updates and removing the monitor from the pool sorts that out but I figured I'd share what I've found.We only have firewall rules from the edge server to the front end servers on 5061, not from the self IP's to the front end servers on 5061. Had us scratching our heads for a while but we worked it out. I'll have a look at the template more closely and see if I can work out what's amiss. If I have the wrong end of the stick here and we really do need the firewalls opened on 5061 to the front end pools from the self-ip's please let me know. Anyway I'm off to see if it all wants to play nicely now. :-)
  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Mar 02, 2016
    Jon, that is expected behavior. We need to mark every FE service down if 5061 is unreachable, so because of that you will need the firewall open for 5061 between the self-IPs and FE.
  • ChristianH_1903's avatar
    ChristianH_1903
    Icon for Nimbostratus rankNimbostratus
    Mar 29, 2016
    Hi, we encountered a missing SSL client profile when trying to use this template for the Microsoft Skype Server Edge Virtual Servers: External Interface. The virtual servers are all created correctly but the one listening on port 443 does not use HTTPS. When creating and assigning an additional SSL client profile to this server it worked as expected.