Hardware Load Balanced Web Traffic - What does that mean exactly? RRS feed

  • Question

  • I am looking for a breakdown of this:

    • The internal Edge interface and external Edge interface must use the same type of load balancing. You cannot use DNS load balancing on one interface and hardware load balancing on the other.

    • Some types of traffic require a hardware load balancer. For example, HTTP traffic requires a hardware load balancer instead of DNS load balancing. DNS load balancing does not work with client-to-server web traffic.


    And as indicated by the IM&P diagram from this workloads document:


    Ports to load balance by HLB: - 80 - 8080 - 443 - 4443 - 5061 [can use DNS load balancing] --- note on the FE pool

    Within the context of HLB, I interpret this to mean the HLB is only required for client to FE Pool web traffic - so, requests to the Internal Web Services, and to download conferencing content, including Powerpoint files and sharing. Not 443 to Edge. Is that correct?

    My question is, if we load balance 443 from client to FE pool, that will also include SRTP and ICE, which will traverse TCP 443. Is that OK?

    Also, judging from this page:


    Hardware Load Balancer Ports if Using DNS Load Balancing

    Load Balancer Port Protocol

    Front End Server load balancer



    Front End Server load balancer



    Front End Server load balancer


    TCP - Client and device retrieval of root certificate from Front End Server – clients and devices authenticated by NTLM

    Front End Server load balancer


    HTTPS (from reverse proxy)

    Director load balancer




    Director load balancer


    HTTPS (from reverse proxy)

    It seems to indicate we do NOT want to HLB the protocols SRTP and ICE(STUN/TURN)... But those are on 443... Does the HLB require some kind of layer 4 or layer 7 load balancing? How does that work when the stream is encrypted, as this will be?

    Thank you.

    Friday, February 24, 2017 7:03 PM

All replies

  • I think I have one of my questions answered -- SRTP and ICE(STUN/TURN) will prefer 3478 UDP, so they won't be caught in this HLB configuration.

    Can someone confirm the above, and can someone confirm that 443 HLB for Edge is not required?

    Friday, February 24, 2017 7:36 PM
  • I found this great article, which clearly states the "HTTP traffic" that requires HLB is the Internal Web Services and External Web Services:


    DNS Load Balancing:

    If you decide for DNS based load balancing, this setup make use of Lync application only. Due to the point we discussed more early, even if we decide for DNS based load balancing, the web services required a hardware load balancer.

    For session based load balancing, it is a must that we have a look into the HTTPS data stream, which than require a SSL off-load to be configured.

    If we do so, the shared pool server certificate must be copied and used on the hardware load balancer.

    Web Services must be HLB, it is necessary to change the INTERNAL and EXTERNAL Web Services to a dedicated name. Example: PoolName: FEPOOL01.<ad fqdn>, internal Web Services:intFEPOOL01.<sip domain>, external Web Services: extFEPOOL01.<sip domain>

    • Use TCP idle timeout of 1800 seconds

    Web Services External
    • Ports 8080 and 4443 for external web traffic
    • set cookie-based persistence on a per port basis
      • Cookies must not be marked httpOnly.
      • Cookies must not have an expiration time.
      • Cookies must be named MS-WSMAN.
    Web Services Internal
    • Ports 80 and 443 for internal web traffic
    • set source_addr persistence
    • Exception for internal Lync Mobile clients » use cookie persistence instead

    Friday, February 24, 2017 7:52 PM
  • Hi Cross,

    You are correct, SRTP and ICE(STUN/TURN) will prefer 3478 UDP. You could refer to the third link which you have posted in the original thread.

    Best Regards,
    Jim Xu
    TechNet Community Support

    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by jim-xu Friday, March 3, 2017 9:02 AM
    Monday, February 27, 2017 8:27 AM