lync 2013
11 Topics

Inline load balancing and "Loose Initiation" & "Loose Close"
Hi People, We have an inline load balancing design for Lync (and other applications) where we configure the Lync_edge servers inline (behind the LTM). Therefore this demands a fastl4 profile with Reset on Timeout enabled, ok. But I was advised to also enable "Loose Initiation" & "Loose Close" but I am not really sure if we need it. The topology is as follows:

Internet ---- Checkpoint FW --- extLAN --- LTM (11.4.1) --- intVLAN (with Lync_edge servers) ---- Cisco router---- Internal subnets

I read this statement in the forum and I got more confused... because in the extVLAN there is also a Cisco Router 6500 which leads to a bunch of other internal subnets.

If a different router exists on any directly connected network, you may need to create a custom fastL4 profile with "Loose Initiation" & "Loose Close" enabled to prevent LTM from interfering with forwarded conversations traversing an asymmetrical path.

799 Views, 0 likes, 5 Comments

Lync 2013 using iApp - Reverse Proxy Issues
Using iApp f5.microsoft_lync_server_2010_2013.v1.2.0 with a new Lync 2013 deployment. Having some problems getting internal mobile clients working. We are currently testing with the Microsoft Lync Analyzer tool as well as iPads and a Windows 8 tablet. We have 2 F5. One is in our DMZ, the other is internal. On the DMZ F5 we have set it up as the Reverse Proxy and given it an IP of 10.10.10.244. It has the cert with all the correct SANs. In the next section of the iApp it asks for the IP address of the internal side of the Reverse Proxy along with certs and we have it set up with 10.10.20.60 and the correct certs. This is where things get a little confusing for me. The instructions in the iApp ask: What is the port 443 virtual server IP address that forwards traffic to the Front End Servers? I can't telnet to 10.10.20.60 over port 443, but I think that's expected because it should be using 4443, correct? It is doing a reverse proxy from 443 to 4443. So is the wording wrong in the iApp instruction or am I reading it wrong? The error from the testing tool is:

*An error occurred while sending the request. The underlying connection was closed: An unexpected error occurred on a receive. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. *

That leads me to believe that the Reverse Proxy External IP is accepting the connection, trying to send it on to its next hop, the internal IP and then failing. Possibly a cert issue so I ran tcpdump on the DMZ F5 and I see no attempt of it trying to traffic back out. Thoughts?

640 Views, 0 likes, 26 Comments

Exclude Lync Traffic From SSL VPN
I am trying to exclude Lync traffic from resolving over the VPN tunnel when established using split tunneling. Basically as this site describes: http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx Looking under network access, and the network profile, I have options to Exclude IP Addresses and DNS Addresses. I have done this for all of our external/internal connections but we still see Lync re-connect when VPN is started and stopped using internal address?? As a side note, our Lync servers are on a subnet with other servers that need to be reached over the VPN, a /24. I was able to subnet this out so that the Lync servers are not even in the routing table. However the F5 has VIP addresses that directly connect to that subnet so I added those addresses to the excluded space. I cannot see what else I am missing or is there some other place or setting this should be set?

415 Views, 0 likes, 4 Comments

Lync 2013 Edge Server Interfaces same F5 pair
We are having a problem with the iApp for Lync. We are using Lync 2013 and having problems with mobile clients connecting from internally. They of course use the reverse proxy to do this, but I am wondering if they also might use some edge services. Here is my design question. Is it possible to use an F5 pair to host both the External and Internal edge interface? Because of our security requirements our Edge servers cannot sit on our internal VLANs where our FE servers are, so the Edge Servers sit in two DMZ VLANs. The Red VLAN faces the internet and has our three IPs with the default GW pointing to the BIG IP External EDGE Interface and the Yellow VLAN has no internet access, but has rules to allow connections to the FE pool. Both of those VLANs are served by the same F5 pair, so in the iApp I put the External and Internal interface on the same F5 pair, with our internal F5 pair holding the internal Reverse Proxy role and other roles. Could this be causing the issue with mobile clients? I am wondering if the design is not valid.

Solved. 411 Views, 0 likes, 3 Comments

f5.microsoft_lync_server_2010_2013.v1.2.1
Hi folks. I'm deploying Ms Lync 2013 with single redundant pair BigIp 4000 BIG-IP 11.4.1 Build 637.0 Hotfix HF3 using the f5.microsoft_lync_server_2010_2013.v1.2.1 iapp template. There is one thing that I cannot quite understand. In the section "Microsoft Lync Server Edge Virtual Servers: Internal Interface Certificate" it asks for what certificate and key I want to use, so I choose the cert and key I want to use, but it is never used. When I look at the virtual-servers MyAppName_edge_internal_ip_* none of them utilize the certificate from the template. Is it something I don't understand here?

Solved. 313 Views, 0 likes, 2 Comments

Lync 2013/2010 External Mobility Issues
I've read through a number of others' issues but haven't found anything that fits my case. We deployed Lync through the latest iApp for Lync on two F5s. One is in a DMZ and the other internal. The basic topology is: External user uses lyncdiscover.company.com > NAT external address to a DMZ Reverse Proxy VIP on port 443 > iRule translates the URL and sends directly to one of the Internal FE servers on 4443. User gets back the .JSON file with the additional URLs. User sends request to onprem-webext.company.com (which is the same external address) > NATS to the same DMZ VIP > iRule translates that URL to the same pool on the DMZ F5 > Pool sends the traffic directly to one of the internal front end servers > get a few response code 200s and a response code 401. We have a cert on the DMZ F5 VIP that appears to work using external tools. I am using an iRule applied to the DMZ VIP to give me the traffic path and status codes. Internally, Lync works fine. After reading quite a bit about Lync, I am wondering if it doesn't like the server side cert and if I should just use the default server SSL profile, since internally the servers would be using internal PKI certs from our own CA. Thanks in advance. Jim

244 Views, 0 likes, 2 Comments

Lync 2013 - Why is web conferencing set to port 443 instead of 444?
Hi, I've deployed the latest Lync iApp on our F5 appliance, and it is marking my web conferencing service as down. Upon further inspection, it looks like it is trying to communicate to my webconf service node on port 443. However, in the Lync topology builder the service defaults to port 444. I'd prefer not to make changes like this in Lync because there are so many moving parts to the system. It looks like I'm not able to change the port in the F5 without setting up another node outside of the iApp. Can somebody tell me 1) Why it defaults to port 443 and 2) How to change it on the F5 without manually creating a new node?

232 Views, 0 likes, 1 Comment

Lync 2013 Edge Server in DMZ with F5. Error connecting externally (www.testocsconnectivity.com)
I have deployed Lync 2013 edge server and it is in a DMZ with F5 BIG-IPs. I have used the Lync 2013 iApp. The reverse proxy 'appears' to be working (externally I can connect to my Front End External Web Service and get a challenge response: https://webext.domain.com/abs). The certificates have been installed on the Edge servers and F5 RP. When I send out a 'Meet Now' request to my external user, they get page can't be displayed and I am trying to work out how to test where it is breaking down. Internally all this works fine. I can telnet on 443 to my two Edge Services, Access (sip.domain.com) and Web Conf (webconf.domain.com), but not A/V (av.doman.com). Not sure how to test where it is breaking down? This is the OCS error:

Couldn't sign in. Error: Error Message: Unable to establish a connection.. Error Type: ConnectionFailureException.

229 Views, 0 likes, 1 Comment

Lync 2013 iApp template
Hey all, I am in the planning stages of deploying Lync 2013 with the Edge servers load balanced and the Front End servers reverse proxied using LTM. I am a little confused with the verbiage in the template, specifically around the public IPs necessary for the edge server services. My plan was to have 2 protected subnets in a DMZ, one for the externally accessible services (3 IPs per edge server) and one for the internal connection to our internal network where the FE servers will be. The externally accessible services would be NAT'd to (Destination NAT for A/V) so the actual "public" interfaces would have non-routable addresses assigned to them, their public addresses on the external Interface of the Firewall. In the section Edge Server Pools-External Interface, it references each service per edge server and adds that "Note these addresses should be publically routable". So are these the actual IP addresses of my edge interfaces on the servers themselves? Or is it really asking for the public NAT'd addresses at the firewall? I can explain further and provide a basic network diagram if this is confusing (it sure is to me, this is my first Lync implementation and even without the F5 it is a bit confusing). -GR

217 Views, 0 likes, 3 Comments