Reverse Proxy and multiple pools

  • Question

  • Hi,

    We have 2 FE pools and 2 RP.

    Each pool has its own external web services name and corresponding DNS names.

    But what about meet, dialin and lyncdiscover names?

    Will these public names work if public DNS points to only one RP?

    Sunday, February 11, 2018 10:13 PM


All replies

  • Hi iron_flower,

    For your environment, did you mean that you have two SFB pools, each pool has their own reverse proxy, right?

    If this is the situation, the simple URLs need to point to their own reverse proxy’s public IP address.


    Best Regards,
    Alice Wang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Monday, February 12, 2018 7:20 AM
  • Hi Alice,

    I have 2 FE pools (in different countries). We have one SIP domain for the whole organization.

    The meet, dialin and lyncdiscover public DNS records will point to one public IP address for both countries.

    What do you mean by writing:

    "the simple URLs need to point to their own reverse proxy’s public IP address."

    ?

    Monday, February 12, 2018 9:55 AM
  • From your description, you have one SIP domain including two pools and two reverse proxies. Did you mean you configured high availability for the reverse proxy?


    • Edited by touchtro Monday, February 12, 2018 1:24 PM
    Monday, February 12, 2018 10:08 AM
  • No

    We want to have Reverse Proxy for each pool (different countries).

    Can we configure it that way?

    Monday, February 12, 2018 3:14 PM
  • Hi iron,

    You said you want to deploy an RP for each pool, so I understand that as RP1 for pool1 and RP2 for pool2.

    For this situation, RP1 and RP2 need to have their own public IP.

    Pool1 and Pool2 have their own "meet, dial-in and lyncdiscover" records; they should point to their own RP's public IP.

    For example, for pool1, the meet, dial-in and lyncdiscover records need to point to RP1's public IP, and it's the same for pool2.


    Best Regards,
    Alice Wang



    Tuesday, February 13, 2018 8:45 AM
  • Hi,

    If you have two separate Front End Pools in different locations, with a dedicated Reverse Proxy in each, why don't you assign a unique Meet & Dialin URL for each pool?

    Note I'm assuming you're not pool pairing between the two, as you wouldn't be able to then have a unique URL per pool.

    You can define Simple URLs as per the example below.

    Pool A

    # Create a site-scoped Simple URL collection (replace the bracketed placeholder with the site name)
    New-CsSimpleUrlConfiguration -Identity "Site:[SITE NAME WHERE Pool A IS]"

    # Meet URL for the SIP domain
    $urlEntry = New-CsSimpleUrlEntry -Url "https://poola-meet.x500.co.uk"
    $simpleUrl = New-CsSimpleUrl -Component "Meet" -Domain "x500.co.uk" -SimpleUrl $urlEntry -ActiveUrl "https://poola-meet.x500.co.uk"

    # Dialin URL (applies to all domains)
    $urlEntry2 = New-CsSimpleUrlEntry -Url "https://poola-dialin.x500.co.uk"
    $simpleUrl2 = New-CsSimpleUrl -Component "Dialin" -Domain "*" -SimpleUrl $urlEntry2 -ActiveUrl "https://poola-dialin.x500.co.uk"

    # Add both URLs to the site collection and publish the change
    Set-CsSimpleUrlConfiguration -Identity "Site:[SITE NAME WHERE Pool A IS]" -SimpleUrl @{Add=$simpleUrl,$simpleUrl2}
    Enable-CsTopology

    Pool B

    # Same steps for the site that hosts Pool B
    New-CsSimpleUrlConfiguration -Identity "Site:[SITE NAME WHERE Pool B IS]"

    $urlEntry = New-CsSimpleUrlEntry -Url "https://poolb-meet.x500.co.uk"
    $simpleUrl = New-CsSimpleUrl -Component "Meet" -Domain "x500.co.uk" -SimpleUrl $urlEntry -ActiveUrl "https://poolb-meet.x500.co.uk"

    $urlEntry2 = New-CsSimpleUrlEntry -Url "https://poolb-dialin.x500.co.uk"
    $simpleUrl2 = New-CsSimpleUrl -Component "Dialin" -Domain "*" -SimpleUrl $urlEntry2 -ActiveUrl "https://poolb-dialin.x500.co.uk"

    Set-CsSimpleUrlConfiguration -Identity "Site:[SITE NAME WHERE Pool B IS]" -SimpleUrl @{Add=$simpleUrl,$simpleUrl2}
    Enable-CsTopology

    • Configure your Reverse Proxies to reflect the new Simple URLs.
    • Run the Skype for Business Server Deployment Wizard on both FE Pools to generate new FE Certificates containing the appropriate Simple URL. Export and import the cert on all FE Servers in the pool.
    • Create Public DNS entries for the new Simple URLs.
    • Create Internal DNS entries for the new Simple URLs.
    • Note if users are already homed on the two FE pools in question, when you make this change you'll break the Meeting URLs.  Run the Meeting Update Tool to repair these.

    Hope this helps.

    Tuesday, February 13, 2018 11:27 PM
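
The certificate step in the reply above can be checked before cut-over. This is an added example, not code from the thread: it reports which simple URL host names a certificate's subject alternative names do not cover. The SAN lists are constructed sample values and the function names are hypothetical.

```powershell
# Added example. Test-SanMatch and Get-MissingSimpleUrlNames are hypothetical helper names.
function Test-SanMatch {
    param([string]$HostName, [string]$SanEntry)
    if ($SanEntry -eq $HostName) { return $true }          # -eq on strings is case-insensitive
    # A wildcard covers exactly one left-most label:
    # *.x500.co.uk matches a.x500.co.uk but not a.b.x500.co.uk or x500.co.uk itself.
    if ($SanEntry.StartsWith('*.')) {
        $suffix = $SanEntry.Substring(1)                   # ".x500.co.uk"
        if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
            $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
            return (($label.Length -gt 0) -and (-not $label.Contains('.')))
        }
    }
    return $false
}

function Get-MissingSimpleUrlNames {
    param([string[]]$SimpleUrls, [string[]]$SanEntries)
    foreach ($url in $SimpleUrls) {
        $name = ([uri]$url).Host
        $covered = $false
        foreach ($san in $SanEntries) {
            if (Test-SanMatch -HostName $name -SanEntry $san) { $covered = $true; break }
        }
        if (-not $covered) { $name }                       # emit only the uncovered names
    }
}

# Simple URLs taken from the Pool A commands in the reply above.
$poolA = 'https://poola-meet.x500.co.uk', 'https://poola-dialin.x500.co.uk'

# Constructed SAN lists: a certificate issued before the change and one issued after it.
$oldCertSans = 'meet.x500.co.uk', 'dialin.x500.co.uk', 'pool01.x500.co.uk'
$newCertSans = 'poola-meet.x500.co.uk', 'poola-dialin.x500.co.uk', 'pool01.x500.co.uk'

'Missing from old certificate: ' + ((Get-MissingSimpleUrlNames $poolA $oldCertSans) -join ', ')
'Missing from new certificate: ' + ((Get-MissingSimpleUrlNames $poolA $newCertSans) -join ', ')
```

The same check applies to the certificate bound on each Reverse Proxy listener, since external clients validate that certificate rather than the Front End one.
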
  • Hi,

    Thanks for response. 

    Meet, dialin, External Web services will be different for each pool.

    What about lyncdiscover and mobility access?

    Thursday, February 15, 2018 9:49 AM
  • Hi,

    For lyncdiscover, do DNS round robin in public DNS. For the public SRV records, add an entry pointing to each Access Edge. And for your External Web Services, you could have a different URL per pool.

    Thanks,
    Steve

    Thursday, February 15, 2018 10:14 AM
  • Hi Steve,

    Thank you for response. But I do not understand.

    Regarding edge server it is not a problem for Access Edge service.

    If a user in Country A gets the SRV record _sip._tls -> sip.domain.com pointing to the Country B Edge server, it is just signalling traffic; MRAS will be on the Edge server in Country A, so media will go the proper way.

    Meet, dialin, External Web services will be different for each pool, so the client hits the proper Reverse Proxy (regarding Country and registered FE pool).

    My question was: what about lyncdiscover.domain.com public DNS record and Reverse Proxy configuration for mobility access? 

    Will it work as sip.domain.com? I mean:

    1. lyncdiscover.domain.com DNS record points the RP in Country B (pool FE B).

    2. User from Country A wants to sign in on mobile device so mobile client finds DNS record and hits the RP in Country B

    3. Will the client be informed that he should now hit RP in Country A (based on External Web services record?)

    ?

    Thank you all for your responses.

    Thursday, February 15, 2018 11:53 AM
  • Hi,

    So you'll have DNS round robin for lyncdiscover.

    Regardless of which Reverse Proxy your users hit, the lyncdiscover XML file served up gives the client all of the relevant URLs to establish connectivity to. Therefore if a user homed in Country A hits the Reverse Proxy in Country B, the XML file entries will tell the client where they should be connected.

    For example:

    <AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AccessLocation="External">
       <User>
          <SipServerInternalAccess fqdn="pool01.x500.co.uk" port="5061"/>
          <SipClientInternalAccess fqdn="pool01.x500.co.uk" port="443"/>
          <SipServerExternalAccess fqdn="sip.x500.co.uk" port="5061"/>
          <SipClientExternalAccess fqdn="sip.x500.co.uk" port="443"/>
          <Link token="External/Autodiscover" href="https://webexternal.x500.co.uk/Autodiscover/AutodiscoverService.svc/root"/>
          <Link token="Internal/Autodiscover" href="https://webinternal.x500internal.co.uk/Autodiscover/AutodiscoverService.svc/root"/>
          <Link token="External/AuthBroker" href="https://webexternal.x500.co.uk/Reach/sip.svc"/>
          <Link token="Internal/AuthBroker" href="https://webinternal.x500internal.co.uk/Reach/sip.svc"/>
          <Link token="External/WebScheduler" href="https://webexternal.x500.co.uk/Scheduler"/>
          <Link token="Internal/WebScheduler" href="https://webinternal.x500internal.co.uk/Scheduler"/>
          <Link token="External/Mcx" href="https://webexternal.x500.co.uk/Mcx/McxService.svc"/>
          <Link token="Internal/Mcx" href="https://webexternal.x500internal.co.uk/Mcx/McxService.svc"/>
          <Link token="External/Ucwa" href="https://webexternal.x500.co.uk/ucwa/v1/applications"/>
          <Link token="Internal/Ucwa" href="https://webinternal.x500internal.co.uk/ucwa/v1/applications"/>
          <Link token="Ucwa" href="https://webexternal.x500.co.uk/ucwa/v1/applications"/>
          <Link token="External/XFrame" href="https://webexternal.x500.co.uk/Autodiscover/XFrame/XFrame.html"/>
          <Link token="Internal/XFrame" href="https://webinternal.x500internal.co.uk/Autodiscover/XFrame/XFrame.html"/>
          <Link token="XFrame" href="https://webexternal.x500.co.uk/Autodiscover/XFrame/XFrame.html"/>
          <Link token="Self" href="https://webexternal.x500internal.co.uk/Autodiscover/AutodiscoverService.svc/root/user"/>
       </User>
    </AutodiscoverResponse>
    Monday, February 19, 2018 9:22 AM
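
Because the client follows whatever URLs the lyncdiscover document returns, it is worth auditing that document per home pool. This is an added example, not code from the thread: it parses a constructed response for a user homed on Pool A and flags links that name another pool's host or an internal-only name. The host names extweba/extwebb.contoso.com follow the naming used later in the thread; poola.contoso.local and the function name are hypothetical.

```powershell
# Constructed sample (not a captured response): a user homed on Pool A whose
# autodiscover document carries two links that should be questioned.
[xml]$sample = @'
<AutodiscoverResponse AccessLocation="External">
  <User>
    <Link token="External/Autodiscover" href="https://extweba.contoso.com/Autodiscover/AutodiscoverService.svc/root"/>
    <Link token="Internal/Autodiscover" href="https://poola.contoso.local/Autodiscover/AutodiscoverService.svc/root"/>
    <Link token="External/Mcx" href="https://extwebb.contoso.com/Mcx/McxService.svc"/>
    <Link token="External/Ucwa" href="https://extweba.contoso.com/ucwa/v1/applications"/>
    <Link token="Ucwa" href="https://poola.contoso.local/ucwa/v1/applications"/>
  </User>
</AutodiscoverResponse>
'@

function Test-AutodiscoverLinks {
    param(
        [Parameter(Mandatory)] [xml]$Response,
        [Parameter(Mandatory)] [string]$ExpectedExternalHost,  # home pool's external web services FQDN
        [Parameter(Mandatory)] [string[]]$PublicSuffixes       # DNS zones published externally
    )
    foreach ($link in $Response.AutodiscoverResponse.User.Link) {
        $uri   = [uri]$link.href
        $scope = ($link.token -split '/')[0]   # External, Internal, or an unscoped token such as Ucwa
        $public = $false
        foreach ($zone in $PublicSuffixes) {
            if ($uri.Host -eq $zone -or
                $uri.Host.EndsWith(".$zone", [StringComparison]::OrdinalIgnoreCase)) { $public = $true }
        }
        $finding = 'OK'
        if ($uri.Scheme -ne 'https') {
            $finding = 'Link is not HTTPS'
        } elseif ($scope -ne 'Internal' -and -not $public) {
            $finding = 'Internal-only name handed to external clients'
        } elseif ($scope -eq 'External' -and $uri.Host -ne $ExpectedExternalHost) {
            $finding = 'External link points at another host'
        }
        [pscustomobject]@{ Token = $link.token; Host = $uri.Host; Finding = $finding }
    }
}

Test-AutodiscoverLinks -Response $sample -ExpectedExternalHost 'extweba.contoso.com' -PublicSuffixes 'contoso.com' |
    Format-Table -AutoSize
```
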
  • Last (I hope so) question.

    If lyncdiscover works in the way you described, can't we have the same situation for the meet and dialin records?

    What I mean: changing simple urls for both pools is a process of changing DNS records, certificates and sending new invitations for dedicated meetings.

    What if we change only external web services names for pools and save the meet, dialin names, so we would have:

    PoolA

    meet.contoso.com, dialin.contoso.com, ExtWebA.contoso.com, lyncdiscover.contoso.com

    PoolB

    meet.contoso.com, dialin.contoso.com, ExtWebB.contoso.com, lyncdiscover.contoso.com

    What if Alice from PoolA organises a meeting and sends it to Bob from PoolA, who is on the Internet?

    Bob hits Reverse Proxy in Country B (meet.contoso.com). Will the answer from Reverse Proxy show him the way to Reverse Proxy in Country A?

    Wednesday, February 21, 2018 4:14 PM
  • Hi,

    If Alice in FE Pool A organises a conference, the conference will take place on the FE pool she is homed on, i.e. FE Pool A.

    If Bob is an external conferencing user, in Country A (or Country B) and ends up connecting to the meet (conferencing) URL in Country B, the Reverse Proxy local to FE Pool B will forward traffic to FE Pool B (as per the Reverse Proxy config), which in turn will look up the Conference, see it is on the FE Pool in Country A, and "redirect" the traffic over the internal network (i.e. into FE Pool in Country B, out via the default route that ultimately gets it to FE Pool in Country A).

    I appreciate the effort involved in adding additional Simple URLs, regenerating certificates, DNS entries, Reverse Proxy config etc., however from a quality of meeting experience and bandwidth point of view, to me I'd always do this.

    • Proposed as answer by Alice-Wang Monday, February 26, 2018 10:09 AM
    • Marked as answer by iron_flower Monday, June 25, 2018 12:55 PM
    Wednesday, February 21, 2018 4:47 PM
  • Hi,

    Are there any updates?


    Best Regards,
    Alice Wang



    Monday, March 5, 2018 9:33 AM
  • Hi,

    We are in the middle of tests. We are waiting for updates.

    Wednesday, March 7, 2018 5:45 PM