Transcription

IMPORTANT: This guide has been archived. While the content in this guide is still valid for the products and version listed in the document, it is no longer being updated and may refer to F5 or 3rd party products or versions that have reached end-of-life or end-of-support. See https://support.f5.com/csp/article/K11163 for more information.

Deploying the BIG-IP System with Microsoft Lync Server 2010 and 2013 for Site Resiliency

What's inside:
- Configuration example
- Configuring the BIG-IP LTM using the Lync 2010 iApp
- Configuring the BIG-IP GTM
- Creating a Distributed Application for Lync
- Document Revision History

Welcome to the F5 and Microsoft Lync Server Deployment Guide for site resiliency. This guide contains instructions on configuring F5 Global Traffic Manager (GTM) and BIG-IP Local Traffic Manager (LTM) modules to support site resiliency for Microsoft Lync Server 2010 and 2013.

For more information on the F5 devices in this guide, see http://www.f5.com/products/big-ip/.

You can also visit the Microsoft page of F5's online developer community, DevCentral, for Microsoft forums, solutions, blogs and more: http://devcentral.f5.com/Microsoft/.

Why F5

Microsoft Lync Server supports DNS Load Balancing for distributing non-HTTP based connections to Lync Front End, Edge, and Mediation Servers. However, there are advantages to using the BIG-IP system to load balance these connections in certain scenarios:

- You are using legacy clients or servers (Office Communication Server (OCS), pre-2010 SP1 Exchange Unified Messaging).
- You are federated with an organization using legacy clients or servers (see examples in the previous bullet) or public IM services/XMPP.
- You want to use intelligent logic (such as pool member status, least connection load balancing, and more) to make the initial client connection to the Front End, Edge, or Mediation pool.
- You want to use the F5 iApp template to deploy Lync Server rapidly.
- You use F5 GTM in your environment and would like to take advantage of F5's Lync Site Resiliency solution.

Advantages

- The BIG-IP system does not interfere with Lync client registration/deregistration.
- Disabling BIG-IP system pool members is effectively the same as (and can be used in conjunction with) Lync Server Draining.
- The BIG-IP is a certified ICSA firewall, providing security over deploying your Lync Servers directly on the Internet.
- Even if you are using DNS Load Balancing, Microsoft requires hardware load balancing for Lync Web Services.

DEPLOYMENT GUIDE - Microsoft Lync Server

Products and versions tested

Product: Versions
BIG-IP system: 11.0, 11.0.1, 11.1, 11.2, 11.3, 11.4
Microsoft Lync Server: 2010 and 2013

Important: Make sure you are using the most recent version of this deployment guide, available at ite-resiliency-dg.pdf.

To provide feedback on this deployment guide or other F5 solution documents, contact us at [email protected]

Prerequisites and configuration notes

The following are general prerequisites and configuration notes for this guide:

- For this deployment guide, the BIG-IP system must be running version 11.0 or later. The configuration described in this guide does not apply to previous versions.
- This document is written with the assumption that you are familiar with both F5 devices and Microsoft Lync Server. For more information on configuring these devices, consult the appropriate documentation.
- This guide assumes that you have configured the Lync Server Simple URLs in the following format:
    - http://meet.mydomain.com
    - http://dialin.mydomain.com
- We strongly recommend performing the BIG-IP LTM portion of this configuration using the downloadable iApp template, as described in Downloading, importing, and running the Lync Server iApp.
- You must have your internal name resolution configured properly. For example, every Lync Edge server needs to be able to resolve every Front End and Director server, and vice versa. Additionally, the FQDNs of all Lync Server pools (Edge, Front End, and Director) must resolve to the IP addresses of the corresponding BIG-IP LTM virtual servers.
- You must have a minimum of two BIG-IP GTM devices to perform the configuration in this guide.

Configuration example

In this guide, we configure the BIG-IP GTM with two data centers. Lync Server 2010 is configured with a "stretched" VLAN where all Lync Front End and Director Servers reside on the same layer 2 network, while Lync Server 2013 is configured with paired Front End pools for each data center (for more information on pairing pools, see 3.aspx).

BIG-IP GTM uses topology load balancing to direct internal clients to Lync Front End Server resources, and external clients to Edge Server and Reverse Proxy resources. The BIG-IP system monitors the availability of the internal Lync services, and marks the external services down should the health check fail. Resiliency for file shares and Microsoft SQL Server instances is beyond the scope of this document.

Logical configuration examples with traffic flow callouts for internal and external clients follow.

[Figure 1: Logical configuration example: External Clients. The diagram shows external clients on the Internet, and in each of Data Center A and Data Center B a BIG-IP GTM, BIG-IP LTM, optional Lync Reverse Proxy Server, Lync Edge Servers, Lync Director Servers and Lync Front End Servers, with a clustered file share, clustered SQL database and highly available Active Directory. Lync 2010: Pool(s) Stretched Over Same L2 VLAN. Lync 2013: Paired Front End Pools. Numbered callouts 1 to 11 correspond to the steps below.]

The following describes the traffic flow for external clients:

1. An external client issues a DNS request for sip.example.com.
2. The BIG-IP GTM receives the request, and based on Topology or other intelligent load balancing calculations, responds with the external IP address of the Lync Access Service LTM virtual server in Data Center A.
3. The client connects to the Access Service virtual server on the BIG-IP LTM. The BIG-IP LTM sends the request to the Edge Server running the Access Service with the fewest connections.
4. The Access Service responds with External Web Services (Front End or Director) and Edge Services FQDNs.
5. The client issues a DNS request for Web Services and Edge Services FQDNs.
6. The BIG-IP GTM responds with the IP addresses of Reverse Proxy and Edge BIG-IP LTM virtual servers.
7. The client connects to the BIG-IP LTM Reverse Proxy for External Web Services and Edge Service virtual servers when appropriate.
8. The Edge Servers establish direct connection with the client using a local public IP address.
9. The external LTM forwards the Reverse Proxy traffic to the Front End or Director virtual servers on internal LTM.
10. Edge Servers forward Access/Conferencing/AV traffic to Lync Front End or Director Servers where applicable.
11. The internal BIG-IP LTM sends requests for simple URLs, Lync Mobility, and the Lync Address Book Service to Front End or Director Servers with the fewest connections.

[Figure 2: Logical configuration example: Internal Clients. The diagram shows the same two-data-center layout as Figure 1 (BIG-IP GTM, BIG-IP LTM, optional Lync Reverse Proxy Server, Lync Edge Servers, Lync Director Servers and Lync Front End Servers in Data Center A and Data Center B, with a clustered file share, clustered SQL database and highly available Active Directory). Lync 2010: Pool(s) Stretched Over Same L2 VLAN. Lync 2013: Paired Front End Pools. Numbered callouts 1 to 19 correspond to the steps below.]

The following is the traffic flow for internal clients, and is broken up into three sections. Each is represented in a different color.

Internal Clients connecting to Lync services and each other internally:

1. An internal client issues a DNS request for director.example.com.
2. The BIG-IP GTM responds with the internal IP address of the Director virtual server on the internal BIG-IP LTM.
3. The BIG-IP LTM sends the request to the Director Server with the fewest connections.
4. The Director server responds to the client with Internal Web Services FQDN (frontend.example.com).
5. The client issues a DNS request for frontend.example.com.
6. The BIG-IP GTM responds with the IP address of the Front End virtual server on the LTM.
7. The client connects to the Front End virtual server on the internal BIG-IP LTM.

Internal mobile clients connecting to the Lync Mobility service:

8. Internal DNS request for lyncdiscoverinternal.example.com (internal Lync Mobility URL).
9. The BIG-IP GTM responds with the IP address of the Front End or Director virtual server on the BIG-IP LTM.
10. The client connects to the Front End or Director virtual server.
11. If external Lync Mobility is enabled, Front End or Director responds with lyncdiscover.example.com (external Lync Mobility URL).
12. The client issues a DNS request for lyncdiscover.example.com.
13. The GTM responds with the IP address of the external Reverse Proxy virtual server on the External BIG-IP LTM, or directly to the server.
14. The client connects to the external Reverse Proxy virtual server or server.
15. The external BIG-IP LTM, or reverse proxy server, forwards traffic to the internal LTM Reverse Proxy virtual servers.
16. The internal BIG-IP LTM forwards traffic to Front End or Director Servers.

Internal clients initiating connections to external resources (remote clients or federated IM):

17. The internal client issues a DNS request for the internal Edge FQDN (edge.example.com).
18. The BIG-IP GTM responds with the IP address of the Edge Internal virtual server.
19. The client connects to the Edge Internal virtual server.

Configuring the BIG-IP LTM using the Lync iApp

The first task is to configure the BIG-IP LTM for Lync using the downloadable iApp available on DevCentral. For instructions on configuring the iApp, see the deployment guide t-lync-iapp-dg.pdf.

Downloading, importing, and running the Lync Server iApp

Download the latest iApp for Microsoft Lync from DevCentral and import it onto the BIG-IP LTM. This version contains numerous enhancements and fixes to the version shipping with the product.

To download and import the iApp from DevCentral

1. Open a web browser and go to c-Server-2010-Updated-iApp.ashx
2. Download the microsoft lync server latest-version .zip file to a location accessible from your BIG-IP system.
   You must download the file, and not copy and paste the contents. F5 has discovered the copy paste operation does not work reliably.
3. Extract (unzip) the microsoft lync server latest-version .tmpl file.
4. Log on to the BIG-IP system web-based Configuration utility.
5. On the Main tab, expand iApp, and then click Templates.
6. Click the Import button on the right side of the screen.
7. Click a check in the Overwrite Existing Templates box.
8. Click the Browse button, and then browse to the location where you saved the iApp file.
9. Click the Upload button. The iApp is now available for use.
10. On the Main tab, under iApp, click Application Services.
11. Click Create. The Template Selection page opens.
12. In the Name box, type a name. In our example, we use Lync-server.
13. From the Template list, select f5.microsoft lync server. latest version. The new Microsoft Lync Server template opens.
14. Configure the iApp as applicable for your configuration; however, you must answer Yes to the question: "Would you like to monitor the health of the internal SIP virtual servers, and mark the Edge Access service down if monitoring fails?"

Post iApp configuration

After completing the BIG-IP LTM iApp configuration, run the Lync Topology Builder and then publish the topology. Once the topology has been published, verify the availability of the Lync services through the BIG-IP LTM before continuing with the GTM configuration.

Configuring the BIG-IP GTM

Use the following tables for guidance on configuring the BIG-IP GTM. These tables contain a list of BIG-IP configuration objects you should configure as a part of this deployment. The options for the individual objects depend on your configuration. The settings we show in the following tables are provided as an example. For specific instructions on configuring individual objects, see the online help or product manuals.

F5 recommends configuring GTM Links and associating them with Data Centers. When a GTM Link associated with a Data Center is marked down, GTM no longer sends responses for resources located in that Data Center. For more information about configuring GTM Links, see the BIG-IP GTM documentation.

BIG-IP GTM Object: Non-default settings/Notes

Data Center (Global Traffic --> Data Centers)
    Name: Type a unique name. All other fields are optional.
    Important: Create a GTM Data Center for each location in your Lync environment.

DNS Profile (Local Traffic --> Profiles --> Services --> DNS)
    Name: Type a unique name.
    Use BIND Server on BIG-IP: Disabled.

Listeners (Global Traffic --> Listeners)
    Internal Listeners
        Destination: Type the IP address on which the Global Traffic Manager listens for network traffic.
        VLAN Traffic: Select Enabled On from the list, and then select the Internal VLAN(s) and add them to the Selected list.
        Protocol: UDP
        DNS Profile: Select the DNS profile you created above.
        Create a second internal Listener using Protocol TCP; all other settings are the same.
    External Listeners
        Destination: Type the IP address on which the Global Traffic Manager listens for network traffic.
        VLAN Traffic: Select Enabled On from the list, and then select the External VLAN(s) and add them to the Selected list.
        Protocol: UDP
        DNS Profile: Select the DNS profile you created above.
        Create a second External Listener using Protocol TCP; all other settings are the same.

Servers (Global Traffic --> Servers)
    GTM Server
        Name: Type a unique name.
        Address list: Type the Self IP address of this GTM system.
        Data Center: Select the Data Center where this GTM resides.
        Virtual Server Discovery: Enabled
    LTM Servers
        Name: Type a unique name.
        Product: Select BIG-IP System (Single) or BIG-IP System (Redundant) as applicable.
        Address list: Type the Self IP address of this GTM system.
        Data Center: Select the Data Center where this LTM resides.
        Health Monitor: bigip
        Virtual Server Discovery: Enabled
        Repeat for each BIG-IP LTM system on which you deployed the Lync iApp template.

Important: After creating all of the LTM Servers, go to Enabling connectivity with remote BIG-IP systems and perform the commands before continuing.

Adding to the Dependency list

For three of the pools (Edge External Reverse Proxy, Web Conferencing service and A/V service), you must add the Access Edge virtual server to the Dependency list of each member. This dependency ensures that all of the external virtual servers from the corresponding data center are marked down if no Front End servers from that data center are available to respond to SIP requests. The additional monitor you created when configuring the Lync iApp template disables the Access Edge virtual server if this health check fails, causing all other virtual servers dependent on the Access Edge virtual server to be disabled.

To add to the member Dependency List

1. On the Main tab, under Global Traffic, click Servers. The Server list opens.
2. From the list, find the row of the appropriate BIG-IP system, and click the numbered link in the Virtual Server column.
3. From the Virtual Server list, click the appropriate virtual server as described in the Dependency List section in the following table.
4. In the Dependency List section, select the Access Edge virtual servers from the specific Region as described in the following table.
5. Click the Add button.
6. Repeat Steps 4 and 5 for each virtual server you need to add to the list.
7. Click Finished.
8. Repeat this procedure as necessary.

The following section of the table contains BIG-IP GTM Pool and Wide IP configuration information.

Common settings for the GTM Pools

The following settings are the same across all GTM Pools in our example. Use the settings appropriate for your configuration:

- Name: Give each GTM Pool a unique name
- Load Balancing Modes:
    - Preferred: Topology
    - Alternate: Global Availability
    - Fallback: Return to DNS
- Verify Virtual Server Availability: Enabled (this is the default, but must be enabled)
- Do not assign a GTM monitor to the pools.

Common settings for the GTM Wide IPs

The following setting is the same across all GTM Wide IPs:

- Load Balancing Mode: Topology

Lync Service: Non-default settings/Notes

Access Service
    Pool
        Member List: Virtual Server: Select all LTM Access Service virtual servers on port 5061
    Wide IP
        Name: Type the SIP domain FQDN (such as sip.example.com)
        Pool List: Pool: Select the Pool you created above

Web Conferencing Service
    Pool
        Member List: Virtual Server: Select all LTM Web Conferencing Service virtual servers on port 443
        Dependency List: For each Pool member, add the Access Edge virtual servers on port 5061 or 443 from the same GTM Data Center to the Dependency List. See Adding to the Dependency list for instructions.
    Wide IP
        Name: Type the Web Conferencing Service FQDN (such as conf.example.com)
        Pool List: Pool: Select the Pool you created above

A/V Service
    Pool
        Member List: Virtual Server: Select all LTM A/V Service virtual servers on port 443
        Dependency List: For each Pool member, add the Access Edge virtual servers on port 5061 or 443 from the same GTM Data Center to the Dependency List. See Adding to the Dependency list for instructions.
    Wide IP
        Name: Type the A/V Service FQDN (such as av.example.com)
        Pool List: Pool: Select the Pool you created above

XMPP Federation
    Pool
        Member List: Virtual Server: Select all LTM XMPP virtual servers on port 5269
        Dependency List: For each Pool member, add the Access Edge virtual servers on port 5269 from the same GTM Data Center to the Dependency List. See Adding to the Dependency list for instructions.
    Wide IP
        Name: Type the XMPP Service FQDN (such as xmpp.example.com)
        Pool List: Pool: Select the Pool you created above

Meet Simple URL
    Pool (Internal Front End or Director port 5061)
        Member List: Virtual Server: Select all LTM Internal Front End or Director virtual servers on port 5061
    Pool (External Edge Reverse Proxy)
        Member List: Virtual Server: Select all LTM External Edge Reverse Proxy virtual servers
    Wide IP
        Name: Type the Meet Simple URL FQDN (such as meet.example.com)
        Pool List: Pool: Select both of the Pools you created above

Dialin Simple URL
    Pool (Internal Front End or Director port 5061)
        Member List: Virtual Server: Select all LTM Internal Front End or Director virtual servers on port 5061
    Pool (External Edge Reverse Proxy)
        Member List: Virtual Server: Select all LTM External Edge Reverse Proxy virtual servers
    Wide IP
        Name: Type the Dialin Simple URL FQDN (such as dialin.example.com)
        Pool List: Pool: Select both of the Pools you created above

External Lync Mobility
    Pool
        Member List: Virtual Server: Select all LTM External Edge Reverse Proxy virtual servers
    Wide IP
        Name: Type the Internal Lync Mobility FQDN (such as: lyncdiscover.example.com)
        Pool List: Pool: Select the Pool you created above

Edge Pool
    Pool
        Member List: Virtual Server: Select all LTM Internal Edge virtual servers
    Wide IP
        Name: Type the Edge Pool FQDN (such as edge.example.com)
        Pool List: Pool: Select the Pool you created above

Director (5061)
    Pool (Internal Director Web Services)
        Member List: Virtual Server: Select all LTM Director virtual servers on port 5061
    Pool (Reverse Proxy)
        Member List: Virtual Server: Select all LTM External Edge Reverse Proxy virtual servers
    Wide IP
        Name: Type the Director FQDN (such as dir.example.com)
        Pool List: Pool: Select both of the Pools you created above

Front End Web Services (5061)
    Pool (Front End port 5061)
        Member List: Virtual Server: Select all LTM Internal Front End virtual servers on port 5061
    Pool (Reverse Proxy port 5061)
        Member List: Virtual Server: Select all LTM External Edge Reverse Proxy virtual servers.
        Dependency List: For each Pool member, add the Access Edge virtual servers on port 5061 or 443 from the same GTM Data Center to the Dependency List. See Adding to the Dependency list for instructions.
    Wide IP
        Name: Type the Web Services domain FQDN (such as chat.example.com)
        Pool List: Pool: Select both of the Pools you created above

Internal Lync Mobility
    Pool
        Member List: Virtual Server: Select all LTM Front End or Director virtual servers on port 443
    Wide IP
        Name: Type the Internal Lync Mobility FQDN (such as: lyncdiscoverinternal.example.com)
        Pool List: Pool: Select the Pool you created above

Enabling connectivity with remote BIG-IP systems

After creating the LTM Servers on the BIG-IP GTM, open a command prompt from the BIG-IP GTM, and then run the following commands for each BIG-IP LTM.

From the GTM command line, type

    big3d_install <IP address of target system>

where the target system is the LTM that you want to add as a server on the GTM. This pushes out the newest version of big3d.

Next, type

    bigip_add

to exchange SSL keys with the LTM. Type the password at the prompt, and then type

    iqdump <ip address of remote box>

If the boxes are communicating over iQuery, you see a list of configuration information from the remote BIG-IP.

The bigip_add command must be run for every BIG-IP in the configuration.

The following Topology Regions and Records should be configured as appropriate for your configuration. The entries in the table are examples from our configuration.

BIG-IP GTM Object: Non-default settings/Notes

Topology Regions (Global Traffic --> Topology --> Regions)
    Internal
        Name: Type a unique name. We recommend using Internal.
        Region Members: Add Internal region members. In our example we use IP Subnet as the Member Type, and is, and then add the members of our internal subnet.
    External
        Name: Type a unique name. We recommend using External.
        Region Members: Add External region members. In our example we use IP Subnet as the Member Type, and is not, and then add the members of our External subnet.

Topology Records (Global Traffic --> Topology --> Records)
    Record for internal Front End Web services requests
        Name: Type a unique name.
        Request Source: From the lists, select the appropriate values. In our example, we use "Region" "is" "internal"
        Destination: From the lists, select: "Pool" "is" and then select your Internal Front End Web Services Pool.

Topology Records (continued)
    Record for internal Director Web services requests
        Name: Type a unique name.
        Request Source: From the lists, select the appropriate values. In our example, we use: "Region" "is" "internal"
        Destination: From the lists, select: "Pool" "is" and then select your Internal Director Web Services Pool.
    Record for Reverse Proxy requests
        Name: Type a unique name.
        Request Source: From the lists, select the appropriate values. In our example, we use: "Region" "is" "External"
        Destination: From the lists, select: "Pool" "is" and then select your Internal Reverse Proxy Pool.
    Record for Reverse Proxy requests (Continued)
        Name: Type a unique name.
        Request Source: From the lists, select the appropriate values. In our example, we use: "Region" "is" "internal"
        Destination: From the lists, select: "Pool" "is" and then select your Internal Front End Web Services Pool.
    Geographical Records
        Name: Type a unique name.
        Request Source: From the lists, select the appropriate values. In our example, we use: "State" "is" "United States" / "New York"
        Destination: From the lists, select the appropriate values. In our example, we use: "Data Center" "is" "New York DC".
    Geographical Records
        Name: Type a unique name.
        Request Source: From the lists, select the appropriate values. In our example, we use: "State" "is" "United States" / "New Jersey"
        Destination: From the lists, select the appropriate values. In our example, we use: "Data Center" "is" "New Jersey DC".

Creating a Distributed Application for Lync

In this section, we create a Distributed Application on the BIG-IP GTM for Lync.

To create a Distributed Application, on the Main tab, expand Global Traffic, click Distributed Applications, and then click the Create button. Use the following table for guidance on the settings.

Setting: Non-default settings/Notes
    Name: Type a unique name
    Dependency Level: None
    Persistence: Check the box to enable persistence. Configure the persistence settings as applicable for your configuration. We leave the default settings.
    Member List: From the Wide IP list, select a Wide IP you created as a part of this configuration and then click the Add button. Repeat for all Wide IPs.

All Data Centers, Links, and Server objects associated with the GTM deployment for Lync are automatically added to the properties of the Distributed Application.

Manually failing over to Lync resources in another Data Center

Use the following procedure to manually fail over to Lync resources on another Data Center.

To manually fail over to Lync resources in another Data Center

1. On the Main tab, expand Global Traffic, and then click Distributed Applications.
2. On the Menu bar, click Data Centers.
3. Click a check in the box next to the name of the Data Center for which you would like GTM to stop sending DNS responses.
4. Click Disable Distributed Application Traffic.

You can also use this method to prevent traffic to a Data Center that has automatically failed over using the monitor dependencies previously created in this guide. Once the Data Center or failed Lync Servers have recovered, highlight the Data Center's Distributed Application object and click Enable Distributed Application to resume sending responses.

Lync Server Connection Draining

Lync Server includes a feature known as Server Draining. This setting prevents new connections to the server while allowing existing connections to terminate gracefully. If you are using Server Draining with Lync 2010, F5 recommends disabling the BIG-IP pool member(s) associated with that server prior to selecting the Prevent new sessions for all services option for that server from the Lync Control Panel. When the server is ready for traffic, reverse the process by enabling new sessions for the Lync server, and then enabling its associated pool member(s) on the BIG-IP system.
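
The combined effect of the Dependency List, the Internal/External topology records and a disabled Data Center, as configured in this guide, can be checked on paper with a small model. The following Python code is an added example, not F5 code and not part of the original guide; the virtual server names, addresses and the 10.0.0.0/8 internal subnet are constructed assumptions, and member selection inside a pool is simplified to first-available order (Global Availability).

```python
# Added example: simplified model of the GTM behaviour configured in this guide.
# All names, addresses and subnets are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VirtualServer:
    name: str
    data_center: str
    address: str
    monitor_up: bool = True                          # LTM health monitor result
    depends_on: list = field(default_factory=list)   # GTM Dependency List


INTERNAL_SUBNETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed Internal region


def region_of(client_ip):
    """Internal region: IP Subnet 'is' internal; External region: 'is not'."""
    ip = ipaddress.ip_address(client_ip)
    return "Internal" if any(ip in net for net in INTERNAL_SUBNETS) else "External"


def is_available(vs, inventory, disabled_dcs=frozenset(), _seen=None):
    """Up only if its own monitor is up, its data center is not disabled,
    and every virtual server in its Dependency List is itself available."""
    _seen = _seen or set()
    if vs.name in _seen:                 # guard against a dependency loop
        return False
    if not vs.monitor_up or vs.data_center in disabled_dcs:
        return False
    return all(
        is_available(inventory[dep], inventory, disabled_dcs, _seen | {vs.name})
        for dep in vs.depends_on
    )


def resolve(wide_ip, client_ip, inventory, disabled_dcs=frozenset()):
    """The topology record picks the pool by region; inside the pool the first
    available member wins. None means GTM has no answer of its own, which
    corresponds to the 'Return to DNS' fallback."""
    for name in wide_ip[region_of(client_ip)]:
        vs = inventory[name]
        if is_available(vs, inventory, disabled_dcs):
            return vs.address
    return None


def build_inventory():
    """Constructed two-data-center layout mirroring the guide's example."""
    servers = [
        VirtualServer("access-edge-a", "DC-A", "203.0.113.10"),
        VirtualServer("access-edge-b", "DC-B", "198.51.100.10"),
        VirtualServer("revproxy-a", "DC-A", "203.0.113.20", depends_on=["access-edge-a"]),
        VirtualServer("revproxy-b", "DC-B", "198.51.100.20", depends_on=["access-edge-b"]),
        VirtualServer("frontend-a", "DC-A", "10.1.0.20"),
        VirtualServer("frontend-b", "DC-B", "10.2.0.20"),
    ]
    return {vs.name: vs for vs in servers}


# Wide IP meet.example.com: one pool per topology region.
MEET_WIDE_IP = {
    "Internal": ["frontend-a", "frontend-b"],
    "External": ["revproxy-a", "revproxy-b"],
}

if __name__ == "__main__":
    inv = build_inventory()
    print("healthy, external client:", resolve(MEET_WIDE_IP, "192.0.2.55", inv))
    inv["access-edge-a"].monitor_up = False   # internal SIP check failed in DC-A
    print("DC-A Access Edge down:", resolve(MEET_WIDE_IP, "192.0.2.55", inv))
    print("DC-B also disabled:", resolve(MEET_WIDE_IP, "192.0.2.55", inv, {"DC-B"}))
    print("internal client:", resolve(MEET_WIDE_IP, "10.9.8.7", inv, {"DC-B"}))
```

With the Access Edge virtual server in one data center marked down, external clients are answered from the other data center, while internal clients keep resolving to the Front End pool because it carries no Access Edge dependency.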

Document Revision History

Version: Description (Date)
1.0: New document (05/01/2012)
1.1: Added the "Why F5?" section to the first page, explaining the scenarios and advantages of using BIG-IP GTM for DNS load balancing. (05/10/2012)
1.2: (11/05/2013)
    - Added support for Lync 2013, updated configuration example and diagrams for Lync 2013.
    - Added a Wide IP for the port 5269 virtual server, dependent on the Access Service Wide IP.
    - Added support for BIG-IP versions 11.2 - 11.4

F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com

© 2012 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5.
