Lync 2010 with an F5 BIG-IP LB

I recently received the opportunity to setup and use a F5 BIG-IP LTM Hardware Load Balancer version 11.1 and have since configured it for Lync Web Services including Mobility. The configuration does not have to be complex, and while the Load Balancer does much more than I am demonstrating here, incorporating the changes below into your own configuration should prove successful.

Requirements

The example I am showing below is based on version 11.1 of the LB code. If you are using an older version (and at some point a newer version) the exact screenshots and options may be slightly different - but the concepts remain the same. Like mysetup and configuration of my KEMP HLB, I have opted to use two VIPs so that I can pass internal traffic directly back to the external pool rather than hair-pinning through a Reverse Proxy.

Load Balancer

Because I am using two VIPs the setup and configuration concept which was used in the KEMP setup remains the same. The configuration once again would look something like this:

Internal Web Services VIP

10.10.10.10:443 --> 10.10.10.50:443
10.10.10.10:80 --> 10.10.10.50:80

External Web Services VIP
10.10.10.20:443 --> 10.10.10.50:4443
10.10.10.20:80 --> 10.10.10.50:8080

With this configuration, the port address translation happens on the HLB so the Reverse Proxy or Firewall can send the external traffic unchanged. Internally, the communication is always bound for HTTP/HTTPS and then changed depending on the destination IP.

Data Flow

I have already expressed the Data Flow in previous posts, so suffice it say I am not changing those concepts at all - inbound/outbound traffic comes in on 80/443 and the Load Balancer (based of the VIP) determines if it goes to 80/443 or 8080/4443. Because the port address translation happens on the VIP of the Load balancer when needed, the hair-pinning back to the Reverse Proxy is unnecessary. That also means when deploying the RP, make sure you do not change the ports.

Configuring the Load Balancer

Configuration of the Load Balancer includes the initial setup (not addressed here), the importing of the External Web Services certificate (required for Cookies), Configuring Profiles and Virtual Servers (including Pools and Nodes).

CERTIFICATE

There are multiple places to start, but the Certificate is as good as any. If this is not correct, iOS machines will fail to connect and Android and WP7 will take longer to authenticate. To start, and assuming the external web services certificate is marked as exportable (it should be if defaults were accepted), navigate to one of the Lync 2010 FE servers and launch the MMC (Start | Run | mmc). Add the local Computer Certificate Store to access your certificates (File | Add/Remove Snap-in | Certificates).

 

Expand Certificate | Personal | Certificates and in the right select your external certificate. Right-click the certificate and select All Tasks | Export. This will launch the Certificate Export Wizard. Select Yes, export the private key and select Next.

 

 

In the export options select Include all Certificates in the certification path if possible and Export all extended properties. This will include the root chain in the certificate path preventing trust issues on the BIG-IP.

 

Enter and confirm a password when prompted (you need this password to import the private key), select a file location and name, and click Finish.

Copy the exported file to a location you have access to from you local web browser. Launch the BIG-IP web configuration page, expand Local Traffic | SSL Certificate List. In the upper-right select Import to launch the import process. The correct import type is PKCS 12 (IIS) and should be selected from the drop-down menu. Enter a name for to reference the certificate, browse to the previously exported certificate PFX file and enter the password created when the certificate was exported. Click Import to bring the certificate into the BIG-IP.

 

You will see the certificate in the SSL Certificate List and if you select the certificate name, you will see not only your Web Services certificate but the entire certificate chain in the Certificate Subject(s) field.

PERSISTENCE PROFILES

Now that the certificate has been imported, the cookie persistence may be created. Back in the BIG-IP web interface, select Local Traffic | Virtual Servers | Profiles | Persistence. Two persistence profiles will be created - one for the external web services and one for the internal web services. In the upper-right select Create to being the profile creation process. Enter a name for the Profile, and select Cookiefor the Persistence Type. Under Configuration, mark the Custom box to allow configuration of the various properties. Match the settings to the picture setting thecookie name to MS-WSMANalways send cookie, and set the expiration to 3 days. Click Repeat to create the persistence profile and start the process over.

 

Next create a new Source-Based persistence profile. Enter a name for the profile, and select Source Address Affinity for the Persistence Type. Under configuration, mark the Custom box to allow configuration of the properties. Match the settings to the picture below setting the timeout to 1800 seconds and click Finished to create the second custom persistence profile.

 

SSL PROFILE

Next we move onto the SSL Profile. The SSL profile specifies which certificate to present to incoming connections. There are two types of SSL profiles, Client and Server. For Lync we need to worry about the Client certificate and will create a new profile based of the clientssl profile. Select Local Traffic | Virtual Servers | Profiles | SSL | Client. In the upper right select Create to begin the profile creation process. Enter a name and make sure clientssl is selected as the parent profile.  Under configuration, mark the Custom box to allow configuration of the properties. Match the settings to the picture below setting the certificate and key to the name previously setup and created when the SSL Certificate was imported. ClickFinished creating the new profile.

 

SERVER NODES

The Nodes selection under Local Traffic specifies which real servers will be participating in the pool. Select Local Traffic | Virtual Servers | Nodes | Node List. Just as in previous steps, we are going to click Create to start the process. Enter a name (typically the server name but whatever you want) and the IP address under Address. The base health monitor is for the server and may be individually configured here or simply use the default. Click Repeat to add the additional nodes in the same manner. When the last node has been created, clickFinished.

 

To configure the default node monitor, select Local Traffic | Virtual Servers | Nodes | Default Monitor. Select ICMP and click the << to add it to the list. This monitor will do a simple PING up/down test to validate the server is running. We will create an optional monitor for the pool members to validate the services are running.

 

LYNC MONITORS (OPTIONAL BUT RECOMMENDED)

The Lync Monitor port verifies the Lync Front-End service is running. While the server may be running, if the pool is not up and functioning it really does not help us. In addition, it is important IIS is up and functioning; we can use the built-in monitors for the internal websites but must create new ones for the external websites.

Start by navigating to Local Traffic | Monitors. Click Create to start the process; we will begin with the Pool Monitor. Enter a name for the monitor and select TCPfrom the Type drop-down. We will need to change the Configuration from Basic toAdvanced to expose the port. The port is located at the bottom of the list and is represented by default with an asterisk. Update the aterisk to the custom port you would have already configured in the Lync Topology Builder. In my case I have set it to 5150 but this is whatever your Pool is set to.

 

Click Repeat to save the monitor and start the process over. Enter a name for the External SSL (port 4443) monitor and select HTTPS as the Type. Advanced Configuration should already be exposed; just like the Pool monitor at the bottom of the options is the port. Here enter 4443 and click Repeat.

 

The last monitor we will create is for port 8080, the External Web Services re-direct port.  Enter a name for the External (port 8080) monitor and select HTTP as theType. Advanced Configuration should already be exposed; just like the Pool monitor at the bottom of the options is the port. Here enter 8080 and click Finished.

 

POOLS

Pools represent the collection of services that will be tied to a Virtual Server (and its corresponding VIP). We will be creating four pools - Internal 80, 443 and External 8080, 4443.

Start by selecting Local Traffic | Virtual Servers | Pools | Pool List. Click Createto start begin - we will start with the Internal Web Services 443. Enter a Name for the Pool. Select the Lync Pool Monitor previously created and click << to add it to the list. Scroll down the monitor list and select https_443 and once again select <<. Change the Load Balancing Method to Least Connections (member) and clickNode List. The various nodes already created will be listed. Select the first node, enter 443 for the service port, and click AddRepeat for the remaining nodes. Once all the nodes are listed click Repeat to continue the process.

 

Create the three additional pools, one for Internal 80, one for External 4443, and one for External 8080 replacing only the service ports and the monitors per the pictures below (make sure to Click Repeat until the final pool to speed up the process and remove and re-add the members to get the new port definition).

 

VIRTUAL SERVERS

The final step in the process is the creation of the Virtual Servers. The Virtual Servers tie the pools to a Virtual IP (VIP) and expose the desired port. There will be two VIPs two per pool (internal and external). Navigate to Local Traffic | Virtual Servers | Virtual Server List to begin.

Click Create to define the Virtual Server and VIP. Start by entering a name and entering the VIP address in Name and Destination. We will start with the Internal 443 SSL VS. In the service port enter 443. On the internal SSL web site we will be using IP source-based persistence so there is no need to decrypt the information - we simply want to pass traffic. Configure the settings as shown below making sure that no HTTP or SSL profile is selected and SNAT Pool is set to Auto Map. Change the Default pool to your Internal 443 Pool previously created, set yourDefault Persistence to your Internal Source IP Persistence profile also previously created and click Repeat.

 

Three additional Virtual Servers will need to be created as shown below. Make sure the Pools are correct as well as the Persistence. When creating the External 4443 Virtual Server you will need to select the basic HTTP Profile and the previously create SSL Profile. The configuration is shown below.

 

Click Finished after the last Virtual Server has been created. The final steps are to simply update DNS to point the various A and CNAME records of MEET, DIALIN, INTERNALMEETINGS, and EXTERALMEETINGS VIPs.