Lync 2013 Deployment Help
We are in the process of deploying a new Lync 2013 environment. Our setup consist of a pair of LTM's setup as an HA pair in the DMZ (no internal LTM), which has a trunk and default route pointing to the firewall interface. Using the latest iAPP for Lync 2010-2013 I followed all steps to complete the setup. Creating the Front End VIP with a pool of servers on our internal network. Then created the edge servers Access, Web Conf and A/V with VIPS using public IPs, then added 2 external pool members with public IP's on the external interface. The VIP and Pool members for the edge servers are on different external subnets. Then created the Edge servers Internal VIP with pool members sitting on the DMZ and public IP's. We have not gone into testing phase yet, so I have not been able to test the functionality of the iAPP configuration. Before doing this I have scoured the DevCentral forums for any gotchas other folks may have had. One of the big things I have found is pointing the edge servers to the F5 floating IP. Which I will have our server team account for. The other was the creation of a forwarding IP VIP and this is where I am a little confused. Since my edge servers have 3 VIP's and 6 pool members on different subnets how would the forwarding VIP be created? Would I create 9 individual forwarding VIP's for each IP? Can one forwarding VIP be used with maybe an I rule, or can the forwarding VIP be created without impacting other VIPs? All help would be greatly appreciated. Thanks
Exclude Lync Traffic From SSL VPN
I am trying to exclude Lync traffic from resolving over the VPN tunnel when established using split tunnling. Basically as this site describes: http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx Looking under network access, and the network profile I have options to Exclude IP Addresses and DNS Addresses. I have done this for all of our external/internal connections but we still see Lync re-connect when VPN is started and stopped using internal address?? As a side note, our lync servers are on a subnet with other servers that need to be reached over the VPN a /24. I was able to subnet this out so that the lync servers are not even in the routing table. However the F5 has VIP address that directly connect to that subnet so I added thous address to the excluded space. I cannot see what else I am missing or is there some other place or setting this should be set?
Lync 2013/2010 External Mobility Issues
I've read through a number of others issues but havent found anything that fits my case. We deployed Lync through the latest iApp for Lync on two F5s. One is in a DMZ and the other internal. The basic topology is: External user uses lyncdiscover.company.com > NAT external address to a DMZ Reverse Proxy VIP on port 443 > Irule translates the URL and sends directly to one of the Internal FE servers on 4443. User gets back the .JSON file with the additional URLs. User sends request to onprem-webext.company.com (which is the same external address) > NATS to the same DMZ VIP > iRule translates that URL to the same pool on the DMZ F5 > Pool sends the traffic directly to one of the internal front end servers > get a few response code 200s and a response code 401. We have a cert on the DMZ F5 VIP that appears to work using external tools. I am using an iRule applied to the DMZ VIP to give me the traffic path and status codes. Internally, Lync works fine. After reading quite a bit about Lync, I am wondering if it doesnt like the server side cert and if I should just use the default server SSL profile, since internally the servers would be using internal PKI certs from our own CA. Thanks in advance. Jim
Lync 2013 using iApp - Reverse Proxy Issues
Using iApp f5.microsoft_lync_server_2010_2013.v1.2.0 with a new Lync 2013 deployment. Having some problems getting internal mobile clients working. We are currently testing with the Microsoft Lync Analyzer tool as well as Ipads and a Windows 8 tablet. We have 2 F5. One is in our DMZ the other is internal. On the DMZ f5 we have set it up as the Reverse Proxy and given it an IP of 10.10.10.244. It has the cert with all the correct SANs. In the next section of the iApp it asks for the IP address of the internal side of the Reverse Proxy along with certs and we have it set up with 10.10.20.60 and the correct certs. This is where things get a little confusing for me. The instruction in the iApp ask: What is the port 443 virtual server IP address that forwards traffic to the Front End Servers? I cant telnet to 10.10.20.60 over port 443, but I think that's expected because it should be using 4443 correct? It is doing a reverse proxy from 443 to 4443. So is the wording wrong in the iApp instruction or am I reading it wrong? The error from the testing tool is: *An error occurred while sending the request. The underlying connection was closed: An unexpected error occurred on a receive. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. * That leads me to believe that the Reverse Proxy External IP is accepting the connection, trying to send it on to its next hop, the internal IP and then failing. Possibly a cert issue so I ran tcpdump on the DMZ F5 and I see no attempt of it trying to traffic back out. Thoughts?
Lync 2013 iApp template
Hey all, I am in the planning stages of deploying Lync 2013 with the Edge servers load balanced and the Front End servers reverse proxied using LTM. I am a little confused with the verbiage in the template, specifically around the public IP's necessary for the edge server services. My plan was to have 2 protected subnets in a DMZ, one for the externally accessible services (3 IP's per edge server) and one for the internal connection to our internal network where the FE servers will be. The externally accessible services would be NAT'd to (Destination NAT for A/V) so the actual "public" interfaces would have non-routable addresses assigned to them, their public addresses on the external Interface of the Firewall. In the section, Edge Server Pools-External Interface, it references each service per edge server and adds that "Note these addresses should be publically routable". So are these the actual IP addresses of my edge interfaces on the servers themselves? Or is it really asking for the public NAT'd addresses at the firewall? I can explain further and provide a basic network diagram if this is confusing (it sure is to me, this is my first lync implementation and even without the F5 it is a bit confusing). -GR
Inline load balancing and "Loose Initiation" & "Loose Close"
Hi People, We have a inline load balancing design for Lync (and other applications) where we configure the Lync_edge servers inline (behind the LTM). Therefore this demands a fastl4 profile with Reset on Timeout enabled, ok. But i was suggested to enable also "Loose Initiation" & "Loose Close" but not really sure if we need it. topology is as follow: Internet ---- Checkpoint FW --- extLAN --- LTM (11.4.1) --- intVLAN (with Lync_edge servers) ---- Cisco router---- Internal subets I read this statement in the forum and i got more confused...becasue in the extVLAN there is also a Cisco Router 6500 which leads to a bunch of other internal subnets.. If a different router exists on any directly connected network, you may need to create a custom fastL4 profile with "Loose Initiation" & "Loose Close" enabled to prevent LTM from interfering with forwarded conversations traversing an asymmetrical path.Lync 2013 - Why is web conferencing set to port 443 instead of 444?
Hi, I've deployed the latest Lync iApp on our F5 appliance, and it is marking my web conferencing service as down. Upon further inspection, it looks like it is trying to communicate to my webconf service node on port 443. However, in the Lync topology builder the service defaults to port 444. I'd prefer not to make changes like this in Lync because there are so many moving parts to the system. It looks that I'm not able to change the port in the F5 without setting up another node outside of the iApp. Can somebody tell me 1) Why it defaults to port 443 and 2) How to change it on the F5 without manually creating a new node?