Microsoft Skype for Business Server 2015

Problem this snippet solves:

New release candidate iApp template and deployment guide for Microsoft Skype for Business Server 2015 (formerly Lync Server 2010/2013). For more information and complete guidance on configuring the iApp template, see the associated deployment guide: http://www.f5.com/pdf/deployment-guides/microsoft-skype-for-business-dg.pdf

f5.microsoft_skype_server_2015.v1.0.0rc9: posted to downloads.f5.com in 11/2017

RC-9 was posted to downloads.f5.com (as will most new versions of this template). It contained the following changes: new BIG-IP AFM IP Intelligence threat categories to support BIG-IP v13.1 and support for route domain 0 from non-Common partitions.

f5.microsoft_skype_server_2015.v1.0.0rc7: posted 09/21/2016

RC-7 provides additional SIP domain support within reverse proxy, a monitor schema change for reverse proxy to make use of the 200 OK response when querying lyncdiscover/lyncdiscoverinternal, support for the director service standalone use case(separate LTM from Front End service), added support to ask for the IP phone update url to allow connections through reverse proxy and added a port 80 Virtual Server in addition to the existing 443 Virtual Server for reverse proxy.

RC 5 and 6 were never released to the public, this includes changes as a part of those RC's

f5.microsoft_skype_server_2015.v1.0.0rc4: posted 02/16/2016

RC-4 Fixes a security log profile error when deploying on versions of BIG-IP earlier than 11.4, where AFM is not available.

f5.microsoft_skype_server_2015.v1.0.0rc3: posted 01/22/2016

RC-3 attaches a supplemental ICMP monitor to the Edge internal UDP virtual server. See https://support.f5.com/kb/en-us/solutions/public/6000/100/sol6143.html for more information.

f5.microsoft_skype_server_2015.v1.0.0rc2: posted 01/11/2016

RC-2 contains only a small correction to the iRule produced by the iApp template. The iApp will now always force the FQDN written to lowercase in the iRule, even if the user enters CAPITAL letters.

f5.microsoft_skype_server_2015.v1.0.0rc1: posted 07/06/2015

New iApp template for Skype for Business.

Code :

70782
Published Jul 06, 2015
Version 1.0
application delivery
devops
iApps
LTM
lync
  • JamesSevedge_23's avatar
    JamesSevedge_23
    Historic F5 Account
    Sep 27, 2016

    Hello LH, As far as the reverse proxy deployment goes, those objects are still tied together. The reason being is it is presenting the reverse proxy section as a whole. The objects created for reverse proxy are the same whether director role is enabled or not, the only difference is if director role is enabled then a pool is created based on the director pool member IP field in the iApp and the iRule attached to the 80/443(on external) VIP passes the majority of the traffic through to the director pool/big ip instead of the front end. Now the exception is when using split LTM's(as you are) where different sets of objects are created in different places. But in either case the only "dummy" fields would be including a front end fake pool member ip potentially, and depending on single/split some unnecessary LTM objects. But for reverse proxy this is not on our roadmap to break out.

     

    In the case of the reverse proxy the best practice is to terminate SSL, this is for various reasons. So the iApp does require a valid cert and for ssl ports will use that cert selected.

     

    For the 4443 objects not getting created, please download a slightly newer version of the rc posted here and retry, thanks! I was not able to reproduce the error you got about illegal sharing so if it still occurs with the new template then could you provide more details on the errors received?

     

  • LH_55870's avatar
    LH_55870
    Icon for Nimbostratus rankNimbostratus
    Oct 03, 2016

    Hi James, I have tried the latest version of the RC7 and with the version from afternoon 27.9.2016 everything seems to be OK. Both the missing Director 4443 issue and the illegal sharing issue while creating separate iApp just for the reverse proxy are gone.

     

    It looks like I will split the config in 4 iApps (director, director_RP, frontend and frontend_RP), director iApps in one traffic group and frontend iApps in another one, which allows me the flexibility I wanted achieve.

     

    thanks

     

    LH

     

  • LH_55870's avatar
    LH_55870
    Icon for Nimbostratus rankNimbostratus
    Oct 03, 2016

    I was too fast :( the dummy FE IPs allowed to create the iApp for the director_RP config. But when I have tried to create the frontend_RP iApp, I got following error:

     

    01070333:3: Virtual Server /Common/frontend_RP.app/frontend_RP_reverse_proxy_front_end_8080 illegally shares destination address, source address, and service port with Virtual Server /Common/frontend.app/frontend_front_end_ip_8080.

     

    So I checked the frontend iApp and there is really an 8080 VS and pool, which isn't supposed to be there, unless I would have chosen to configure the reverse proxy section of the template, right?

     

    regards

     

    LH

     

  • JamesSevedge_23's avatar
    JamesSevedge_23
    Historic F5 Account
    Oct 03, 2016

    The front end section of the iApp does in fact create a port 80 and port 8080 set of VS's and pools as part of the front end server services. So if you are trying to use the same IP for your front end VIP as well as the same IP for your RP reverse proxy virtual server in the secondary iApp then it will throw the error you got. You need to make sure each service has a unique IP preferably. Does that explain your issue?

     

  • LH_55870's avatar
    LH_55870
    Icon for Nimbostratus rankNimbostratus
    Oct 03, 2016

    Hi James, I think I understood the issue and that another IP would solve that. What I don't understand is why there is 8080 being created as part of the reverseproxy-less frontend iApp. IMHO the 8080 is supposed to be used just in the reverse proxy scenario.

     

    regards

     

    LH

     

  • JamesSevedge_23's avatar
    JamesSevedge_23
    Historic F5 Account
    Oct 06, 2016

    Hello LH, If you take a look at the following link that shows the HLB ports for front end services it has 8080 on there for client/device retrieval of root certs. https://technet.microsoft.com/en-us/library/gg398833.aspx

     

    So that is why the port exists, however the sharing issue you ran into is also fixed, please download the template and retry with shared IP's.

     

    Thanks,

     

  • amolari's avatar
    amolari
    Icon for Cirrostratus rankCirrostratus
    Oct 08, 2016

    Hello James would it be possible to make the SIP monitor optional in future version? Some customers do use the iApp exclusively for Reverse Proxy and do not run sip services on their pool, which makes them remove the strict update and remove that monitor.

     

    Thanks

     

    Alex

     

  • JamesSevedge_23's avatar
    JamesSevedge_23
    Historic F5 Account
    Oct 08, 2016

    Hello Amolari, This is not in our roadmap as of now... thanks for bringing this edge case to our attention though and we will log it for possible inclusion in future versions of the iApp as suggested.

     

    Thanks,

     

  • LH_55870's avatar
    LH_55870
    Icon for Nimbostratus rankNimbostratus
    Nov 08, 2016

    Hello James, finally I have used the latest template, so I can confirm, there is no more a ilegal sharing error. But I have noticed that the name of the Virtual server is ending with _reverse_proxy_front_end_8081. Is this the solution or a typo? Also there is a double underscore in both the pool names.

     

    thanks

     

    LH

     

  • JamesSevedge_23's avatar
    JamesSevedge_23
    Historic F5 Account
    Nov 08, 2016

    Correct, to fix the port sharing issue the solution(in this scenario of split LTM's and shared IP) will use 8081 in between the LTM's to carry that traffic, but front end and back end ports will stay as expected. Thanks for pointing out the double underscore.