F5 Reverse Proxy + Single Edge Server

    Question

  • No doubt a silly question,

    Anyone set up Lync 2013 SE EDGE Server behind an F5 (LTM / GTM)

    I am wondering, when setting up a Lync 2013 Edge Server that will sit alongside / behind an F5, whether I still need to configure an internal and external NIC with an internal and external certificate?

    Or can I get away with one NIC on the Edge, as everything (SSL offloading and Lync services) will be handled / published by the F5?

    Or have I got this wrong and the F5 is simply another device like TMG, and you need to have two NICs + int/ext cert on the Edge server?

    Thanks

    Wednesday, September 04, 2013 4:39 PM

All replies

  • You will still need two NICs on the Edge server and an internal and external certificate. Using an F5 doesn't change that. Take a look at: http://technet.microsoft.com/en-us/library/gg425891.aspx
    Wednesday, September 04, 2013 7:59 PM
  • Right, perhaps I have got the function of the F5 a little wrong. I know it is there to handle the web service traffic from the Lync Front end and lyncdiscover.domain.com.

    The Lync Edge handles its 3 services (Access, A/V, WebConf), but I thought this ALSO goes through the F5? Or is this separate and straight to the internet (via firewall)?

    • Edited by SCCM4EVA Thursday, September 05, 2013 9:07 AM
    Thursday, September 05, 2013 8:50 AM
  • Hi SCCM4EVA,

    Yes, you still need to configure an internal and external NIC with an internal and external certificate.

    You cannot use NAT on the internal or external firewall if a Hardware Load Balancer is deployed.

    Here are the links about network for Edge server:

    Network Interfaces for Edge Servers

    http://technet.microsoft.com/en-us/library/gg412847.aspx

    Hardware Load Balancer Requirements

    http://technet.microsoft.com/en-us/library/jj656815.aspx

    Make sure the external certificate is a public certificate; it is recommended to use a private certificate issued by an internal CA for the internal interface.

    You can refer to the link of “Certificate Requirements for External User Access”:

    http://technet.microsoft.com/en-us/library/gg398920.aspx

    Best Regards,

    Eason Huang

    Thursday, September 05, 2013 10:47 AM
    Moderator
  • Thanks Eason,

    Yes, I know about the cert requirements; my question was more around information flow and what (external) devices hit what servers (F5 / Edge / Front End) in what order.

    Does all traffic hit the F5 first, THEN the EDGE server and THEN the Front End Server, or, as I mentioned before, does SOME traffic hit the F5 and OTHER traffic hit the Edge server directly?

    Thursday, September 05, 2013 10:51 AM
  • I believe your F5 is working as a load balancer, right? Does it have web publishing capabilities to work as an RP?

    If yes, the web and Mobility traffic will go through the F5, and Access, WC and AV traffic through the Edge and then the FE.

    In either case you have to have 2 legs for the Lync Edge server.


    Praveen | MCSE Messaging 2003

    Thursday, September 05, 2013 1:13 PM
  • Right, I think I am almost there, thanks for the great help so far. Last question around this.

    As it stands, on my Front End Server I have lync.domain.com configured as the external settings for Access / A/V and Web Conf for my Edge Server. That name is also the Common Name / SAN on my Edge external certificate.

    I am now looking to configure the Reverse Proxy (F5) external cert / name. Given it handles the web services from the Front End server, I was going to use the name WebExt.domain.com as the common name (it will be in the SAN also, along with dialin, meet etc.)

    Now, when external (anonymous, external laptop-using employees not on VPN, on a VPN, federated, XMPP, mobility etc.) clients connect, other than lyncdiscover.domain.com, what address will they need to know to connect into our network?

    lync.domain.com? or webext.domain.com? or none?

    Many Thanks
    Friday, September 06, 2013 9:53 AM
  • They will need lync.domain.com and not webext.domain.com.

    webext.domain.com is only for the RP, whose jobs are mentioned below, including Mobility.

    http://technet.microsoft.com/en-us/library/gg398069.aspx


    Praveen | MCSE Messaging 2003

    Friday, September 06, 2013 11:16 AM
  • OK, and if I then decided not to have a single IP and go with 'best practice' and have three IPs for Access, WebConf and A/V, what address would clients need then?

    Is there a best practice around naming conventions for these services?

    Schertz's blog has Access: sip.domain.com / Web Conferencing: webconf.domain.com / A/V: av.domain.com

    ...and...not sure if this is a problem, but we have multiple SIP domains based on our country location; domain.fr, domain.co.uk AND domain.com....so can I use domain.com in the above External Services, or should I create a whole new DNS FLZ for Lync?

    thanks so much

    • Edited by SCCM4EVA Friday, September 06, 2013 11:32 AM
    Friday, September 06, 2013 11:28 AM
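
An added check, written for this thread and not posted by any of the participants: it expands the naming scheme discussed above (sip / webconf / av on the Edge, webext / meet / dialin / lyncdiscover on the reverse proxy) across several SIP domains and reports which SAN entries a planned certificate would lack. The rule that sip.<domain> and lyncdiscover.<domain> are needed once per SIP domain while the other names live on the primary domain only is an assumption stated in the code, and the domains and certificate lists are constructed for illustration.

```python
# Added example (not from the thread): expand the Edge / reverse-proxy names
# across several SIP domains and report SAN entries a planned cert lacks.
# Assumption: each SIP domain needs its own sip.<domain> (Edge external cert)
# and lyncdiscover.<domain> (reverse proxy cert); other names are on the
# primary domain only. Domains and certificate SAN lists are constructed.

PRIMARY = "domain.com"
SIP_DOMAINS = ["domain.com", "domain.co.uk", "domain.fr"]

EDGE_PER_SIP_DOMAIN = ["sip"]             # one entry per SIP domain
EDGE_PRIMARY_ONLY = ["webconf", "av"]     # three-IP layout from the thread
RP_PER_SIP_DOMAIN = ["lyncdiscover"]
RP_PRIMARY_ONLY = ["webext", "meet", "dialin"]


def norm(name):
    """Lower-case a DNS name and drop a trailing dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def required_sans(role, primary=PRIMARY, sip_domains=SIP_DOMAINS):
    """Set of DNS names a certificate for `role` ('edge' or 'rp') must carry."""
    if role == "edge":
        per_domain, primary_only = EDGE_PER_SIP_DOMAIN, EDGE_PRIMARY_ONLY
    elif role == "rp":
        per_domain, primary_only = RP_PER_SIP_DOMAIN, RP_PRIMARY_ONLY
    else:
        raise ValueError("role must be 'edge' or 'rp'")
    names = {f"{label}.{d}" for label in per_domain for d in sip_domains}
    names |= {f"{label}.{primary}" for label in primary_only}
    return {norm(n) for n in names}


def san_covers(san_entry, required_name):
    """Standard single-label wildcard match (*.x.y covers a.x.y, not a.b.x.y).
    Whether a given Lync client accepts wildcard SANs is a separate question."""
    san_entry, required_name = norm(san_entry), norm(required_name)
    if san_entry.startswith("*."):
        parts = required_name.split(".", 1)
        return len(parts) == 2 and parts[1] == san_entry[2:]
    return san_entry == required_name


def missing_sans(role, cert_sans, **kw):
    """Required names not covered by any entry in cert_sans, sorted."""
    return sorted(n for n in required_sans(role, **kw)
                  if not any(san_covers(s, n) for s in cert_sans))


if __name__ == "__main__":
    # Constructed planned certificates following the thread's naming scheme
    planned_edge = ["sip.domain.com", "webconf.domain.com", "av.domain.com"]
    planned_rp = ["WebExt.domain.com", "meet.domain.com", "dialin.domain.com",
                  "lyncdiscover.domain.com"]
    print("edge missing:", missing_sans("edge", planned_edge))
    print("rp missing:", missing_sans("rp", planned_rp))
```

Run it before ordering the public certificate: any name it lists would make clients from that SIP domain fail name validation against the Edge or reverse proxy.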