LYNC - Use F5 LTM as reverse proxy?

Question

I have set up all the Lync pools and Virtual servers for LYNC as described in the F5 deployment guide on 10.2. We do not run TMG and don not want to so I need details on using the F5 to handle this process. I created a VS for port 8080 and another for 4443, configured them to pass traffic to the port 80 and 443 pools on my LYNC FE servers. Do I need an iRule to handle the URL "intelligence"? What else is needed as far as Certs or anything else?

Configuration is as follows, (all VLANS are on the one F5 LTM)

Firewall

|

F5 Untrusted DMZ Vlan (Edge server external interface)

|

Consolidated Edge servers

|

F5 Trusted DMZ Vlan (Edge server internal interface)

|

F5 Production Server Vlan

|

Front End Servers

Thanks

mikeshimkus_111 · Answer

Hi Chris, this guide includes the steps you need to follow to use BIG-IP as a reverse proxy for Lync.  It's for version 11 but the manual steps should be the same: 
&nbsp;  
&nbsp; http://www.f5.com/pdf/deployment-guides/microsoft-lync-iapp-dg.pdf 
&nbsp;  
&nbsp; You will need to create a clientssl profile that uses the cert you created for Lync Web Services. 
&nbsp; thanks 
&nbsp; Mike

chris_16805 · Answer

The guide asks for an internal and external IP for the reverse proxy. Can I just create an external virtual server and forward the ports to the individual FE servers in the pool? 
&nbsp; I have it set up this way now and am getting a cert error from the testocsconnectivity website. Doesn't seem like a useful error though  
&nbsp;  
&nbsp; "Additional Details  
&nbsp;   If you are using a Reverse Proxy to get to the Access Edge Server, this could possibly be an issue with Reverse Proxy configuration.: Exception Details: Message: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. Type: System.IO.IOException Stack Trace: at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost) at TestOCSConnectivity.Tests.SSLCertificateTest.PerformTestReally() Exception Details: Message: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. Type: System.IO.IOException Stack Trace: at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost) at TestOCSConnectivity.Tests.SSLCertificateTest.PerformTestReally() "

mikeshimkus_111 · Answer

You'd never go through the reverse proxy VIP on LTM to get to the Edge server, so I'm not sure why you're seeing that message. 
&nbsp;  
&nbsp; Forwarding RP traffic from the external LTM to the FE servers will probably work, as long as you're OK with punching holes in the firewall for those ports.

chris_16805 · Answer

no longer getting this error, but my meeting and dialin urls still don't work. When i go to my meet URL externally it redirects to the https url and then i get "the webpage cannot be displayed". 
&nbsp; I have a VS created for both port 80 and 443, these have default pools defined that goto the IPs of the FE servers on port 8080 and 4443. I also have irules set up on each VS to send the urls to the same pools defined as the default.  
&nbsp;  
&nbsp; What else could I be missing? Is this something I can/should open a support case for? &nbsp;

mikeshimkus_111 · Answer

I assume you are using the same cert and key on the external 443 VIP that you have configured in Lync for your web services, the Lync servers can connect to the Certification Authority and validate the cert, and that this external VIP is using a serverssl profile as well.   
&nbsp;  
&nbsp; Have you tried running the Lync logging tool on the FE servers?  This is usually pretty helpful, and would tell you right off the bat if the connection is even making it to the FE.   
&nbsp;  
&nbsp; I recommend opening a support case.  This will help track issues with the solution and allow us to have a look at your config.

Forum Discussion

LYNC - Use F5 LTM as reverse proxy?

9 Replies

Recent Discussions

CITRIX remote desktop solution using F5 APM

BIG-IP rseries license

F5 iRule to route traffic based on AS2 headers doesnt work

Trouble with TCP::option set 28

LDAPS: intermittent login issues

Related Content

Troubleshooting Lync/Skype for Business Reverse Proxy

F5 Reverse Proxy setup

Setup a Reverse Proxy that redirects to internal port

Reverse Proxy With Basic SSO

TMG2F5 Series: BIG-IP LTM as the Lync Reverse Proxy