This article provides the steps for configuring an F5 Big-IP LTM (prior to version 11, which is now made simple with the iApps) to act as a reverse proxy for Microsoft Lync Server 2013 and Microsoft Office WebApp Server 2013 (WAC).

You will need software version 10.2 or later or you may run into issues.

One public IP address has been used to publish these services along with a single UCC SAN SSL Certificate with the following SANs   


You will also need to make sure that the following firewall rules are created if applicable:





External Lync IP on F5



External Lync IP on F5

80 (optional)


Front End Pool



Front End Pool



Office Web App Server


Information you will need

Here is a list of the configuration information you will need to configure the device.

URL of WAC server

IP address of external interface for publishing

IP address of Lync Front End server(s)

IP address of Office WebApp Server(s)

Names of Lync Front End server(s)

Names of Office WebApp Server(s)

Summary of Steps

  •        Install SSL Certificates
  •        Create SSL Profiles
  •        Create Monitors
  •        Create Nodes
  •        Create Pool
  •        Create iRules
  •        Create Virtual Server

Install SSL Certificates

Exporting a certificate from Windows.

You will require a PFX file, which contains the public certificate purchased as well as it’s corresponding private key. This can be exported from a Windows system by following the steps below:

·       Open MMC

·       Press Ctrl+M

·       Select Certificates and press Add

·       Select Computer Account and press Next

·       Select Local Computer

·       Click Finish and then OK

·       Navigate to Certificates | Personal |Certificates

·       Right-Click the certificate to export

·       Select All Tasks | Export

·       Follow the Wizard and ensure you select “Yes, export the private key” and specify a password.

·       It will save as a PFX file.

Import the Certificate on to the F5

Under Local Traffic, select SSL Certificates | Import

Choose PKCS 12 (IIS) as the import type and name the certificate appropriately (i.e

Browse to the PFX file that was exported and enter the password used when exporting the PFX.

Click Import.

Create SSL Profiles

Create a Client SSL Profile

Under Local Traffic, select Profiles | SSL Client and click Create

Enter a name for the client profile (i.e LyncSSL_client). The Parent Profile should be clientssl

Check the Custom box to the right of Certificate and Key and select the certificate imported in the previous step for both values.

Click Finished.

Create a Server SSL Profile

Under Local Traffic, select Profiles | SSL Server and click Create

Enter a name for the client profile (i.e LyncSSL_server). The Parent Profile should be serverssl

Check the Custom box to the right of Certificate and Key and select the certificate imported in the previous step for both values.

Click Finish.

Create Monitors

Under Local Traffic select Monitors and click Create.

Enter a name for the monitor (i.e Lync_TCP_monitor)

Leave the remaining values as default and click Finished.

Note that a TCP monitor will only check to see if a port is responding, it is possible to use other monitors (such as HTTP/HTTPS and verify what data is received to see if the service is responding properly)

Create Nodes

Under Local Traffic select Nodes and click Create

Enter the Internal IP Address and Internal Name of the Lync Front End/Office Web App servers. Repeat for each server.

Leave other values as default and click Finished.

Create Pool

Create a HTTPS pool for Lync

Under Local Traffic select Pools and click Create.

Enter a name for the pool (i.e Lync_2013_https_pool)

Select the Health monitor created under the monitors steps and click <<.

Under Load Balancing Method, select Least Connections (member).

Enter the IP address of your Lync Front End Servers, enter 4443 for the Service Port and click Add for each one.

Click Finished

Create HTTP pool for Lync (optional)

It isn’t normally necessary to create a HTTP pool as the Lync client will try HTTPS and it is a more secure method of publishing. However for backwards compatibility it can be created.

Repeat the process as in the previous step using a different name (I,e Lync_2013_http_pool), however substitute 4443 for 8080

Create HTTPS pool for Office WebApp Server WAC

To publish the Office WAC, follow the same steps as in Create a HTTPS pool for Lync with a different name (i.e WAC_2013_https_pool)

However use your Office WebApp Servers IP address as the Address and use 443 as the Service Port.

Create iRules

In order to be able to use the single IP address, certificate and virtual server to publish both the Lync Web Services and the Office Web App services, an iRule needs to be created to route traffic.

Under Local Traffic select iRules and click Create.

Name the iRule (i.e Office_WAC_iRule)

And use the following for the Definition.


 if { [HTTP::host] contains "" } {

 pool officewebapps_pool

 } else {

 pool lync_2013_pool

 persist none



Click Finished

Create Virtual Server

The final step is to create the virtual server

Under Local Traffic select Virtual Servers and click Create

Enter a name (i.e Lync_2013_VS)

Destination Address is the External IP address to be used on the F5 for publishing

Service Port is 443 (or 80 of publishing HTTP also)

Select https for HTTP Profile (http if created the HTTP publishing rule)

Select the SSL Profile (Client) and SSL Profile (Server) created earlier (ignore this section if HTTP)

Select Auto Map for SNAT Pool

Select the iRule Created earlier

Select the Lync Pool as the Default Pool

Click Finished


From an external computer navigate to the following address:

They should both return XML documents

The Microsoft Lync Connectivity Analyzer can also be used to verify correct publishing of the Lync Web Services

For my original post with pictures visit my blog