jetNEXUS ALB-X Lync 2010 & 2013 Deployment Guide

Synopsis

This online guide explains briefly the concept of Lync 2010/2013 and how to use a edgeNEXUS Accelerating Load Balancer (ALB-X) to load balance Lync 2010/2013 traffic.

Overview

Microsoft Lync (previously known as Microsoft Office Communications Server) is a real-time communications server for the enterprise. In response to today’s changing working patterns and the need for real-time collaboration, organisations are looking for integrated productivity tools that enable users to communicate from anywhere in a cost-effective and secure manner.

As with any service-oriented architecture, it is essential that applications run seamlessly with superb performance and robust security. The nature of Lync’s real-time communication and collaboration services, together with its business critical importance demands a high level of service delivery.

Enter edgeNEXUS – Application Delivery Control for Microsoft Lync

The edgeNEXUS Accelerating Load Balancer is specifically developed to improve the performance, scalability, reliability and manageability of Microsoft Lync. Easy to deploy, configure and maintain, the jetNEXUS ALB-X for Lync has the simplicity of a plug-and-play solution, with the performance capabilities to meet even the most demanding traffic profiles.

Pre-requisites

The following are general prerequisites and configuration notes for this guide:

  • It is assumed that the reader is a network administrator or person familiar with networking and general computer terminology
  • You have set-up your Microsoft Lync Enterprise Server 2010 environment and have installed your jetNEXUS ALB-X application delivery controller
  • You have configured your internal and external DNS entries for the Front-End and Edge Pools, and services accessed by Reverse Proxy
  • When Microsoft refer to a hardware load balancer (HLB) it is equivalent to the industry term “Application Delivery Controller”
  • You are running Software Version 4.0.1 (Build 1576) or later on you jetNEXUS ALB-X

Webscheduler

It is advised to create a simple url for webscheduler. This url should map to the same external internet facing IP as meet and dialin.
E.g. you can go to https://ReverseProxyWebfqdnOfPool/scheduler where ReverseProxyWebfqdnOfPool has a separate external internal facing IP or you can create DNS SRV records and forwarding rules for your external interface for external user signin without autodiscover and federation traffic. For further details refer to https://technet.microsoft.com/en-us/library/gg412787.aspx

For user sign-in: _sip._tls. -> your edge external interface FQDN.
For federation: _sipfederationtls._tcp. -> your edge external interface FQDN.

Why jetNEXUS?

  • Server Health Monitoring
Application layer server health checks, detect and route around problems to eliminate downtime
  • Layer 4 & Layer 7 Load Balancing
Speedy layer 4 load balancing with layer 7 health checks ensure the most efficient load balancing is acheived
  • Reverse Proxy
Traffic from external clients is securely proxied by edgeNEXUS ensuring no external client can directly access internal resources
  • Session persistence
edgeNEXUS Lync Reverse Proxy uses specifically named cookies to provide session persistence to the Front End pool
  • Compression
Compression is automatically used to accelerate external web and mobile clients
  • SSL Re-encryption
Enables end to end secure encrypted traffic between client and internal resources whilst still being able to provide acceleration and traffic manipulation with flightPATH
  • flightPATH
Our intelligent application layer traffic manipulation engine can be easily configured to redirect web and mobile clients to the correct services

LAB Environment

This Guide for Load balancing Microsoft Lync 2010/2013 has been designed on the following configuration.

Lync 2010

  • An Enterprise Front End pool, consisting of two nodes. Consolidating Conferencing, Enterprise Voice and Mediation Server features
  • Each Front End server was configured on a Microsoft Windows 2008 R2 Server with a single NIC, on a private IP address. Each NIC has a single IP address.
  • An Edge pool, consisting of two nodes. Consolidating SIP, Web Conferencing and A/V services. Each of these services is configured using a common IP/Hostname and different ports for each service
  • Each Edge server is configured on a Microsoft Windows 2008 R2 Server with two NICs. One on the Private LAN, and another on a DMZ LAN. Each NIC has a single IP address, and the DMZ NIC is configured with a default gateway
  • A single Database Server, configured on a Microsoft Windows 2008 R2 Server running Microsoft SQL 2008 R2

Lync 2013

  • An Enterprise Front End pool, consisting of two nodes. Consolidating Conferencing, Enterprise Voice and Mediation Server features
  • Each Front End server was configured on a Microsoft Windows 2012 Server with a single NIC, on a private IP address. Each NIC has a single IP address.
  • An Edge pool, consisting of two nodes. Consolidating SIP, Web Conferencing and A/V services.
  • Each of these services is configured using a common IP/Hostname and different ports for each service
  • Each Edge server is configured on a Microsoft Windows 2012 Server with two NICs. One on the Private LAN, and another on a DMZ LAN. Each NIC has a single IP address, and the DMZ NIC is configured with a default gateway
  • A single Database Server, configured on a Microsoft Windows 2012 Server running Microsoft SQL 2012

Common to Lync 2010 & 2013

  • A single PSTN Gateway running a configured SIP trunk
  • A Single File Store, a simple file share available on the Private LAN
  • No Director, Archiving or Monitoring Servers were configured

Lync 2010/2013 Description

Server Roles

The Front End Server

Lync Front End pool is an array of load balanced servers that provide services to a common group of users.

Front End server functions are:

  • Client registration and authentication
  • Presence availability information, DL expansion and address book services
  • Web conferencing and app sharing
  • IM services including IM conferences (chat rooms)

Directors

This role can authenticate Lync Server user requests, but they do not home user accounts or provide presence or conferencing services. Directors are most useful to enhance security in deployments that enable external user access. The Director can authenticate requests before sending them on to internal servers. In the case of a denial-of-service attack, the attack ends with the Director and does not reach the Front End servers

Mediation Server

The Mediation Server is a necessary component for implementing VOIP and voice conferencing. This role processes and translates different VOIP codecs. If you already have an existing VOIP system, you will be running a SIP trunk to your VOIP system. This can be collocated with the Front End server role.

A/V Conferencing Server

A/V conferencing server provides A/V services to Lync clients. This can be installed as a single role or with the Front End server.

Edge Server

Lync Edge Server role is one of the most important server roles because it’s a proxy between internal and external clients. This role allows Lync clients to communicate with users outside company firewalls, which includes external users that may not have an account in your company’s Active directory.

Archiving and Monitoring

This server role monitors your Lync Server usage. Archiving IM conversations, Group Chat and conference logs.

What server role can be load balanced by jetNEXUS ALB-X?

Front End Pool

Deploy Multiple Servers in a pool and use jetNEXUS ALB-X to load balance the traffic

Director Pool

Deploy Multiple Director servers in a pool and use jetNEXUS ALB-X to load balance the traffic

Mediation Pool

The Mediation Service is usually collocated on the Front End Servers

Edge Pool

Deploy Multiple Servers in a pool and use jetNEXUS ALB-X to load balance the traffic

Reverse Proxy

The jetNEXUS ALB-X can be used as a reverse proxy to force HTTP traffic to HTTPs and port address translate 443 to 4443 necessary for External Web Services

Standard Lync Deployment

Diagram 1.1
lync

Configuring the FrontEnd Pool

Required Services for the Front End Pool: – Table 1.1

[su_table]

Service Name Port Service Type Connectivity Health Check Persistence Notes
FE DCOM 135 Layer4 TCP Reverse Proxy TCP Connect IP Bound RPC/DCOM
FE SIP 5061 Layer4 TCP Reverse Proxy TCP Connect IP Bound SIP/TLS
FE App Share 5065 Layer4 TCP Reverse Proxy TCP Connect IP Bound Application Sharing
FE QoE 5069 Layer4 TCP Reverse Proxy TCP Connect IP Bound QoE Agent
FE Conf 444 Layer4 TCP Reverse Proxy TCP Connect IP Bound Conferencing
FE Web Int 443 Layer4 TCP Reverse Proxy TCP Connect IP Bound HTTPS Internal Web Services
FE Web Ext 4443 HTTP Reverse Proxy Lync Layer7 Health Check Cookie HTTPS External Web Services

[/su_table]

Optional Services for Front End Pool: – Table 1.2

[su_table]

Service Name Port Service Type Connectivity Health Check Persistence Notes
FE Web Int 80 Layer4 TCP Reverse Proxy 200OK IP Bound HTTP root Cert Retrieval for Lync Phones
FE Web Ext 8080 Layer4 TCP Reverse Proxy 200OK IP Bound HTTP root cert retrieval for Lync Phones
FE CAC 448 Layer4 TCP Reverse Proxy TCP Connection IP Bound Call Admission Control
FE SIP-U 5060 Layer4 TCP Reverse Proxy TCP Connection IP Bound SIP Unsecured
FE MED 5067 Layer4 TCP Reverse Proxy TCP Connection IP Bound Mediation Server SIP/TLS
FE MED 5068 Layer4 TCP Reverse Proxy TCP Connection IP Bound Mediation Server SIP/TCP
FE 5070 Layer4 TCP Reverse Proxy TCP Connection IP Bound Mediation Server
FE RSG 5071 Layer4 TCP Reverse Proxy TCP Connection IP Bound Response Groups
FE CAA 5072 Layer4 TCP Reverse Proxy TCP Connection IP Bound Conferencing Attendant
FE CA 5073 Layer4 TCP Reverse Proxy TCP Connection IP Bound Conferencing Announcement
FE OV 5074 Layer4 TCP Reverse Proxy TCP Connection IP Bound Outside Voice Control
FE CP 5075 Layer4 TCP Reverse Proxy TCP Connection IP Bound Call Park
FE CQ 5076 Layer4 TCP Reverse Proxy TCP Connection IP Bound Call quality test
FE CAC 5080 Layer4 TCP Reverse Proxy TCP Connection IP Bound Call Admission Control

[/su_table]

Configuring a Virtual Service for SIP services on the Lync-Front-End Pool

1. Log on to your jetNEXUS ALB-X https://x.x.x.x and open up the IP-Services page
ipservices

2. Click Add IP and complete each column with the details below taking care to replace the IP addresses here with your own.
addip

3. Click on the Actions – Basic Tab and set each setting as below
basictab

4. Click on the Actions – Advanced Tab and set each setting as below
advancedtab

Configuring a Virtual Service for Additional SIP services on the Front-End Servers

1. Log on to your jetNEXUS ALB-X https://x.x.x.x and open up the IP-Services page
2. Click Add Port and complete the columns as per Table 1.1 & 1.2 as required for your deployment
3. The Actions-Basic settings should be configured the same for all SIP based services

Configuring a Virtual Service for Internal HTTPS-based services for the Front-End servers

1. Log on to your jetNEXUS ALB-X https://x.x.x.x and open up the IP-Services page
ipservices (1)

2. Click Add IP and complete each column with the details below taking care to replace the IP addresses here with your own.
lyncinternalhttps

3. Click on the Actions – Basic Tab and set each setting as below
basictabhttpsinternal

4. Click on the Actions – Advanced Tab and set each setting as below
advancedtab (1)

Configuring a Virtual Service for External HTTPS-based services for the Front-End servers

1. Log on to your jetNEXUS ALB-X https://x.x.x.x and open up the IP-Services page
ipservices (2)

2. Click Add IP and complete each column with the details below taking care to replace the IP addresses here with your own.
lyncexternalhttps

3. Click on the Actions – Basic Tab and set each setting as below
basictabhttps

4. The “Lync Layer 7 Health Check” is configured in the Configure – Real Server Monitor section
lyncabshandler

5. The Cookie name must be set to MS-WSMAN. Please contact pre-sales@edgenexus.io for the Lync 2010 Cookie jetPACK which will change this setting automatically
6. The SSL Certificate must be the same certificate on the Front End Servers and is typically your public certificate with subject alternative names

Export the certificate from your Front End Server (This will be a PKCS#12 and includes the private key and intermediates)
Import this certificate onto the jetNEXUS ALB-X – for details on this please see http://www.edgenexus.io/usercentral/4-0-1/sslcertificates.html#Import_Certificate
The certificate will now be available to choose from the drop down list in the SSL section. Our example above shows “sipjetnexuscom” which is a friendly name for our external certificate

7. Content SSL must be set to Any for SSL Bridging also known as SSL Re-Encryption

Configuring the Edge Pool

External Interface

1. Log on to your jetNEXUS ALB-X https://x.x.x.x and open up the IP Services page
ipservices (3)

2. Click Add IP and complete each column with the details below taking care to replace the IP addresses here with your own.
lyncexternalhttps (1)

3. Click on the Actions – Basic Tab and set each setting as below
basictab (1)

4. In this instance we have one Public IP address 200.200.200.1 for sip.domain.com which will be forwarded to jetNEXUS ALB-X Channel IP of 10.1.2.1 and the three services SIP, AV and Conferencing are split by port consistent with a Lync Consolidated Edge Topology
edgetopology

5. Each Edge Server will need a Public IP address and here we have given Edge Server2 the Public IP address 200.200.200.12. Where Public IP is an internet routable IP address
6. You will then need to create a one to one NAT for this public IP address to the External IP address of each Edge Server. Where External IP is the private IP address of the External interface of the Edge server. In this instance the External Interface IP address of Edge Server 2 is 10.1.2.12
edgeflowdiagram

7. The External Lync Client makes an initial connection to sip.domain.com which is then forwarded to the edgeNEXUS VIP and load balanced to the external interface of one of the Edge Servers

8. The Edge server responds to the client via the load balancer with its Public IP address 200.200.200.12

9. The Lync Client then connects direct with the Edge Server’s public address

10. Ensure you have the correct firewall rules for the Edge Server ports. http://technet.microsoft.com/en-us/library/gg425882.aspx

Edge Internal Interface

1. Log on to your jetNEXUS ALB-X https://x.x.x.x and open up the IP Services page
ipservices (4)

2. Click Add IP and complete each column with the details below taking care to replace the IP addresses here with your own.
intedgeservices

3. Click on the Actions – Basic Tab and set each setting as below
basictab (2)

Configuring the ALB-X as a Reverse Proxy

1. Log on to your jetNEXUS ALB-X https://x.x.x.x and open up the IP Services page
ipservices (5)

2. Click Add IP and complete each column with the details below taking care to replace the IP addresses here with your own.
reverseproxyservices

3. Notice on the 443 Channel we have port address translated to 4443 to the Lync Front End Servers. Now Click for the 443 channel on the Actions – Basic Tab and set each setting as below
basictabhttps (1)
4. The recommended policy is to run a flightPATH rule on the HTTP port 80 channel to redirect all traffic to the secure HTTPS 443 channel.
5. The flightPATH rule flightPATH 1 – Redirect to HTTPS is configured in the Configure—flightPATH section as below. The Condition and Evaluation should be left blank and the Action is detailed below
reverseproxyfprule

jetPACK Quick Installation

  • The jetNEXUS ALB-X can be configured automatically with a Lync 2010/2013 “jetPACK”, template which is fully-tuned with all of the application-specific settings that you need in order to enjoy optimised service delivery from your ALB-X
  • If you supply the virtual IP address and real server IP addresses to support@edgenexus.io we will send you a custom jetPACK that you simply upload to the jetNEXUS ALB-X
  • The upload can be done via the GUI and will be fully configured in less than 1 minute
  • The relevant jetPACK can be applied to multiple jetNEXUS ALB-X appliances saving valuable time and eliminating simple mistakes
  • For more information and to download a jetPACK please go to our website https://appstore.edgenexus.io/jetpack-application-templates-software-version-4-only/jetpack/#microsoftlync

Troubleshooting

Further help can be found on the main edgeNEXUS website

Contact Us

I hope you have found this Deployment Guide informative, but if you need any clarification or further information, please do not hesitate to get in contact with edgeNEXUS Support:

E-mail support@jetNEXUS.com
Phone +44 (0870) 382 5529
Blog http://jetNEXUS.blogspot.com/

Log in with your credentials

or    

Forgot your details?

Create Account