TMG2F5 Series: BIG-IP LTM as the Lync Reverse Proxy
Quite a few of our customers who have been using the BIG-IP(s) to load balance the Lync Edge Servers have also been using the same BIG-IP(s) as the Lync Reverse Proxy. Now that TMG has been EOS’d, even more customers have expressed interest in leveraging their F5 investment to fill the void that TMG’s demise has left. The good news is that BIG-IP has been widely deployed as the Lync Reverse Proxy for years at numerous customer sites and, with its advanced traffic management engine, has proven to be a very capable next-generation alternative.
Lync Edge Servers give corporate (domain-joined) users access to a majority of the Lync functionality while they are outside of the office, such as instant messaging, presence, and web conferencing. However, the Edge Servers cannot provide those remote users with access to the internal web-based services, such as meeting content downloads and device updates. This is where the Lync Reverse Proxy comes into play. It is designed to give your remote users access to the web-based services by acting as a gateway between the internet and the Lync Front Ends.
Since the Lync Reverse Proxy was only providing access to the HTTP-based services for remote users, quite a few customers decided to deploy without it. However, the Lync Reverse Proxy is actually required for functionality that was released after the initial Lync 2010 launch: Lync Mobility. Since Lync Mobility is definitely something that enterprise customers are deploying, the percentage of deployments that include the Lync Reverse Proxy has increased significantly, to the point that it could be argued that it should be considered a required role.
Architecture:
Let’s take a look at a typical enterprise Lync deployment leveraging TMG as the Lync Reverse Proxy and F5 BIG-IP as the load balancer. Nothing too surprising here in the graphic below...
In the next diagram you can see how the architecture doesn’t really change at all by using F5 BIG-IP LTM as the Lync Reverse Proxy, plus you simplify the architecture by removing the TMG servers.
Configuration:
Fortunately, configuring the BIG-IP LTM to act as the Lync Reverse Proxy has been made extremely easy with the latest release of our wizard-driven configuration engine, known as iApp. If you download our latest Lync Server 2010 / 2013 iApp and import it into the BIG-IP LTM, creating the Reverse Proxy configuration is as easy as typing out a few answers regarding your external IP addresses and hostnames. The iApp is definitely the recommended way to configure your BIG-IP LTM as the Lync Reverse Proxy.
Additional Information:
Whenever I talk about using BIG-IP as the Lync Reverse Proxy, customers tend to be very interested, and the following topics always seem to come up:
1. All you need from F5 is the BIG-IP LTM to act as the Lync Reverse Proxy. No other modules are necessary, and F5 APM is not needed, as no authentication is being done.
2. BIG-IP LTM can do everything TMG was doing as the Lync Reverse Proxy, and more, such as URL manipulation and sanitization.
3. Using BIG-IP LTM as the Lync Reverse Proxy is absolutely a supported configuration. It always has been: supported by F5, supported by Microsoft.
- Ferenc_Juhasz_1 (Nimbostratus): Hello, Any documentation I found about reverse proxy publishing with BIG IP says: "The certificate you select here MUST match the certificate used in your Lync web services configuration" (I might need to search for other documentation), while TMG was able to publish the external web sites using a different certificate configured on the TMG listener. Could you confirm that this is not a limitation in the BIG IP and publish the Lync web services through reverse proxy with a publicly trusted certificate? (On the Lync servers internally issued certificates are in use.) Thank you for your help in advance! BR, Ferenc