
Page 1: Deploying Array Networks APV Application Delivery

DG-Lync 2010 Page 1

Deploying Array Networks APV Application Delivery Controllers

for Microsoft Lync Server 2010

Deployment Guide Mar-2012 rev. III


Table of Contents

1 Introduction .... 4
   1.1 Microsoft Lync Server 2010 .... 4
   1.2 Benefits of Array Networks APV Application Delivery Controller .... 4
2 Array Networks Solution for Microsoft Lync Server 2010 .... 6
   2.1 Network Topology .... 6
   2.2 Deployment for Lync Server 2010 Roles .... 8
   2.3 High Availability of Lync Server 2010 Roles .... 9
   2.4 Prerequisites & Assumptions .... 9
   2.5 Configuration Requirement Tables .... 10
   2.6 CLI Config Level of Array Networks APV .... 13
3 Configuring APV for Internal Lync Front End Servers .... 14
   3.1 Defining Real Services .... 15
   3.2 Defining Groups .... 16
   3.3 Adding Real Services to Defined Groups .... 17
   3.4 Defining Virtual Services .... 18
   3.5 Setting the TCP Idle Timeout of the Virtual Services .... 19
   3.6 Binding Virtual Services to Defined Groups .... 20
4 Configuring APV for Lync Internal Edge Servers .... 21
   4.1 Defining Real Services .... 22
   4.2 Defining Groups .... 23
   4.3 Adding Real Services to Defined Groups .... 23
   4.4 Defining Virtual Services .... 24
   4.5 Setting the TCP Idle Timeout of the Virtual Services .... 24
   4.6 Binding Virtual Services to Defined Groups .... 25
5 Configuring APV for Lync External Edge Servers .... 26
   5.1 Defining Real Services .... 27
   5.2 Defining Groups .... 27
   5.3 Adding Real Services to Defined Groups .... 28
   5.4 Defining Virtual Services .... 28
   5.5 Setting the TCP Idle Timeout of the Virtual Services .... 29
   5.6 Binding Virtual Services to Defined Groups .... 29
6 Configuring APV for Communicator Web Access (CWA) .... 30
   6.1 CWA Deployment .... 30
   6.2 Prerequisites and Configuration Notes .... 30
   6.3 Array Networks APV Advantages and Network Topology for CWA .... 31
   6.4 Defining Real Services .... 34
   6.5 Defining Groups .... 34
   6.6 Adding Real Services to Defined Groups .... 35
   6.7 Defining Virtual Services .... 35
   6.8 Setting the TCP Idle Timeout of the Virtual Services .... 35
   6.9 Binding Virtual Services to Defined Groups .... 36
   6.10 Configuring APV for Secure Sockets Layer (SSL) Offload .... 36
      6.10.1 Using SSL Certificates and Keys .... 36
      6.10.2 Importing Keys and Certificates .... 37
      6.10.3 Disabling Certificate Verification .... 37
      6.10.4 Creating an SSL Host and Binding It to the Virtual Service .... 37
      6.10.5 Starting the SSL Offload .... 37
      6.10.6 Creating an SSL Host and Binding It to Real Services .... 37
      6.10.7 Starting the SSL Offload .... 38
7 Summary .... 39
Appendix I Abbreviations and Acronyms .... 40
Appendix II Reference Topology Recommended by Microsoft .... 41


1 Introduction

1.1 Microsoft Lync Server 2010

Microsoft Lync Server 2010 was released in November 2010 as the successor to Microsoft Office Communications Server 2007 R2, commonly known as OCS. Microsoft Lync Server 2010 is an integral component of Microsoft's Unified Communications platform and makes it much easier for people to communicate, regardless of their location.

Microsoft Lync Server 2010:

• Features a unified management platform and single management infrastructure.

• Provides a client application that offers rich presence information, file transfer, instant messaging as well as voice and video communications within a single organization.

• Ensures that users get an experience that is consistent and familiar across computers, mobile phones, and IE browsers.

• Delivers new capabilities to increase availability and interoperability with existing systems.

• Is easy to use and works closely with familiar tools including Microsoft SharePoint and Microsoft Outlook, and drives user adoption with powerful features and a streamlined communications experience.

• Meets customer demands for communications tools that make their work easier, and such tools are available anywhere and anytime including within the context of other applications.

For more information about Microsoft Lync Server 2010, visit:

http://technet.microsoft.com/en-us/library/gg398616.aspx

1.2 Benefits of Array Networks APV Application Delivery Controller

The real-time nature of services provided by Microsoft Lync Server 2010, combined with the business-critical status of the underlying software applications, requires high reliability for IT departments implementing Microsoft Lync Server 2010.

Array Networks APV Application Delivery Controllers (referred to as Array Networks APVs or the APVs hereinafter) provide a strategic point of control for optimizing the availability, security and performance of enterprise applications, IP data services and data center equipment. Leveraging robust and powerful distribution algorithms, health check mechanisms and failover capabilities, Array Networks APVs maintain connections, ensure persistence, direct traffic away from failed data centers, and intelligently distribute application services between multiple nodes and locations for optimized performance and availability.


Array Networks APVs make certain that both end users and administrators obtain the optimal user experience by creating a highly available and scalable platform that achieves the highest levels of reliability through network optimization. Unified client applications are more responsive when supported by Array Networks APVs because application health monitoring, intelligent load balancing, and refined network optimization ensure the most reliable delivery of Microsoft Lync services.

Advantages of enterprises supported by Array Networks APVs:

Scalability

Enterprises can provide Lync services to a large number of employees, load balancing each client to the most optimal Lync server at any given point of time.

High Availability

Lync services provide guaranteed uptime even if a Lync Server goes offline or into maintenance mode.

High Performance

End users are able to access their Lync applications faster due to multiple Lync server optimizations such as HTTP compression.

Security

Services are protected from malicious traffic such as DDoS attacks.

Flexibility

Access to all Lync services, including IM, conferencing, desktop sharing, presence, and voice, is optimized through a transparent load balancer.


2 Array Networks Solution for Microsoft Lync Server 2010

This deployment guide contains step-by-step configuration procedures for configuring the APV to support Microsoft Lync Server 2010.

2.1 Network Topology

Based on the reference topology recommended by Microsoft in Appendix II Reference Topology Recommended by Microsoft, Figure 2-1 shows the network topology designed to support internal and external users with high availability voice, IM, desktop sharing, and conferencing communications.

Figure 2-1 Array Networks Load Balancing Solution for Microsoft Lync Server 2010


The network topology is deployed with two servers in each application pool and additional servers can be added to the topology as required. The server to be added should possess the same server role configuration as the other servers in the application pool.

Alternatively, you can employ a single APV for all internal and external Lync Server 2010 services and this APV can also work as the reverse proxy. In this way, the APVs and reverse proxy in Figure 2-1 are integrated into one APV.

Figure 2-2 illustrates the logical diagram of the networking where one APV works as the reverse proxy and is used for internal edge servers, external edge servers, and front end servers.

Figure 2-2 Logical Diagram of One APV for All Internal and External Lync Server 2010 Services


2.2 Deployment for Lync Server 2010 Roles

The Lync server solution has multiple servers, whose roles are as follows:

Front End Server (Lync Servers) — Front end servers provide such functions as user authentication, registration, presence, IM, web conferencing, and application sharing. Front end servers also provide the address book service and distribution list expansion. These servers are provisioned in a front end pool and configured identically to provide scalability and failover capability to Lync users. The front end servers, along with the back end servers that provide the database, are the only server roles required in any Lync Server Enterprise Edition deployment.

Back End Server — A back end server is a Microsoft SQL server that provides database services for the front end pool. The information stored in the SQL server includes user contact lists, presence information, and conferencing details. The SQL server can be configured as a single back end server; however, a cluster of two or more servers is recommended for failover.

Edge Server — The edge server enables the users to communicate and collaborate with users outside an organization’s firewalls. These external users include the organization’s own users who are currently working offsite, users from federated partner organizations, and outside users who have been invited to join conferences hosted on your Lync Server deployment. The edge server also enables connectivity to public IM connectivity services, including Windows Live, AOL, and Yahoo!.

Director — Directors can be used to authenticate Lync Server user requests, but do not home user accounts, or provide presence or conferencing services. Directors are most useful in deployments that enable external user access, where the director can authenticate requests before sending them on to internal servers. Directors can also improve performance in organizations with multiple front end pools.

Reverse Proxy — The reverse proxy is required for multiple services such as to allow users to connect to meetings or dial-in conferences using simple URLs, to enable external users to download meeting content, and to allow a user to obtain a user-based certificate for client certificate based authentication.

Communicator Web Access (CWA) Server — The CWA allows users who do not have the Lync Client to use Lync Server services such as IM, presence, audio conferencing, and desktop sharing. CWA is an extension of Lync Server and cannot be run separately.

Audio Video (AV) Conferencing Server — An AV conferencing server provides the AV conferencing function to the Lync solution.

Monitoring Server — The monitoring server collects data about the quality of the network media, in both Enterprise Voice calls and A/V conferences. This information can help to provide the best possible media experience for the users.

Archiving Server — The archiving server enables archiving of IM communications and meeting content for compliance reasons.


2.3 High Availability of Lync Server 2010 Roles

With the exception of the Archiving and Monitoring roles and the standard edition server, all other Lync server roles can be deployed for high availability.

2.4 Prerequisites & Assumptions

It is assumed that the reader of this deployment guide is a network administrator or a person otherwise familiar with networking and general computer terminology.

This deployment guide is based on the following conditions:

• The APV must be running ArrayOS™ 8.x or later.

• Access to the APV is established.

• The APV is already installed in the network with management IP, interface IP, VLANs, and default gateway configured.

• The test is performed based on Microsoft Lync Server 2010 Enterprise Server with the 64-bit Microsoft SQL Server Enterprise Edition Version 2008 R2.

• Lync Clients are running the Windows 7 Operating System.

All configuration procedures in this document are performed on the APV. For information about how to deploy or configure Microsoft Lync Server 2010, refer to Microsoft documents.


2.5 Configuration Requirement Tables

The following tables list the internal front end, internal edge, and external edge services required for Microsoft Lync Server 2010 deployment.

Table 1: Internal Front End Services

Server Role | Port | VS Protocol | Feature Templates | Usage
Lync front end servers | 135 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For DCOM-based operations such as mobile users, address book synchronization, and user replicator synchronization.
Lync front end servers | 443 | TCP | SLB algorithm: pi and lc; Health check: TCP | For communication from front end servers to the web farm FQDNs, which are the URLs used by IIS web components.
Lync front end servers | 444 | TCP | SLB algorithm: pi and lc; Health check: TCP | For communication between Lync Server components, which manage the conference status and individual servers.
Lync front end servers | 4443 | HTTPS | SLB algorithm: ic; Health check: TCP | External access using port 443 is converted to access using port 4443.
Lync front end servers | 5061 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | Front end pools for all internal SIP communications between servers (by MTLS), for SIP communication between server and client (by TLS) and for SIP communication between front end servers and Mediation Servers (by MTLS).


Table 2: Optional Internal Front End Services

Server Role | Port | VS Protocol | Feature Templates | Usage Notes
Lync front end servers | 5060 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For front end servers for static routes to trusted services.
Lync front end servers | 5065 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For incoming SIP requests for application sharing.
Lync front end servers | 5071 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For incoming SIP requests for the response group application.
Lync front end servers | 5072 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For incoming SIP requests for Microsoft Lync 2010 attendant (dial-in conferencing).
Lync front end servers | 5073 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For incoming SIP requests for the Lync Server conferencing announcement service.
Lync front end servers | 5075 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For incoming SIP requests for the call park application.

Table 3: Services for the Internal Edge Server

Server Role | Port | VS Protocol | Feature Templates | Usage Notes
Internal edge server | 443 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For communications between the internal edge server farm FQDN that is used by Web components.
Internal edge server | 3478 | UDP | SLB algorithm: pi and lc; Health check: ICMP | Preferred path for media transfer between internal and external users (by UDP).
Internal edge server | 5061 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For external ports for SIP/MTLS communications for federation or remote user access.
Internal edge server | 5062 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For authentication of AV users.
Internal edge server | 8057 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For outgoing PSOM traffic to the web conferencing server.


Table 4: Services for the External Edge Server

Server Role | Port | VS Protocol | Feature Templates | Usage Notes
External edge — access, WebConf, AV | 443 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For external ports for SIP/TLS communications for remote user access, accessing all internal media communications.
External edge — AV | 3478 | UDP | SLB algorithm: pi and lc; Health check: ICMP | For external ports for STUN/UDP inbound and outbound media resources.
External edge — access | 5061 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | Port for external SIP/MTLS communication for remote user access and federation.


2.6 CLI Config Level of Array Networks APV

Two methods are available to configure an APV:

• Command Line Interface (CLI) — Text-based interface in which users type commands.

• Web User Interface (WebUI) — Web-based interface in which users configure or manage the APV by typing or selecting values on configuration or management pages.

In this guide, the CLI is adopted to describe APV configurations.

The APV provides three levels for global configuration and access to the ArrayOS: User, Enable, and Config. Each level is designated by a unique command prompt, which consists of the host name of the APV followed by ">", "#", or "(config)#".

To configure the APV or change configurations, you must obtain the Config level.

To obtain the Config level, do as follows:

1. On a PC connected to a network that can access the APV configuration interface, open an SSH connection to the IP address of the management interface and log in.

2. If the user name and password are valid, the command prompt for the User level of the CLI appears:

AN>

3. Run the enable command to obtain the Enable level. At the Enable password: prompt, leave the enable password blank, that is, press Enter directly. If the AN# prompt appears, the Enable level is obtained.

AN>enable
Enable password:
AN#

4. Run the config terminal command to obtain the Config level. If the AN(config)# prompt appears, the Config level is obtained.

AN#config terminal
AN(config)#


3 Configuring APV for Internal Lync Front End Servers

A site can consist of one or more application pools, each containing one or several Lync servers. Dedicated services such as AV conferencing and IM (front end) run within each pool. A front end server pool is a collection of Lync servers that process basic IM, presence, and collaboration requests. All servers in a pool must run the same services, so that the failure of one server does not affect the pool. Based on Figure 2-1, Figure 3-1 illustrates the appliances involved in APV configurations for internal Lync front end servers.

Figure 3-1 Internal Front End Server Topology

The following sections describe how to configure the APV for internal Lync front end server.


3.1 Defining Real Services

Front End Server 1 Settings

Real Service IP Address Port Protocol

FE135_1 10.3.0.42 135 TCP

FE443_1 10.3.0.42 443 TCP

FE444_1 10.3.0.42 444 TCP

FE5060_1 10.3.0.42 5060 TCP

FE5061_1 10.3.0.42 5061 TCP

FE5065_1 10.3.0.42 5065 TCP

FE5071_1 10.3.0.42 5071 TCP

FE5072_1 10.3.0.42 5072 TCP

FE5073_1 10.3.0.42 5073 TCP

FE5075_1 10.3.0.42 5075 TCP

Front End Server 2 Settings

Real Service IP Address Port Protocol

FE135_2 10.3.0.43 135 TCP

FE443_2 10.3.0.43 443 TCP

FE444_2 10.3.0.43 444 TCP

FE5060_2 10.3.0.43 5060 TCP

FE5061_2 10.3.0.43 5061 TCP

FE5065_2 10.3.0.43 5065 TCP

FE5071_2 10.3.0.43 5071 TCP

FE5072_2 10.3.0.43 5072 TCP

FE5073_2 10.3.0.43 5073 TCP

FE5075_2 10.3.0.43 5075 TCP

At the AN(config)# prompt, type:

slb real tcp FE135_1 10.3.0.42 135 1000 tcp 3 3
slb real tcp FE443_1 10.3.0.42 443 1000 tcp 3 3
slb real tcp FE444_1 10.3.0.42 444 1000 tcp 3 3
slb real tcp FE5060_1 10.3.0.42 5060 1000 tcp 3 3
slb real tcp FE5061_1 10.3.0.42 5061 1000 tcp 3 3
slb real tcp FE5065_1 10.3.0.42 5065 1000 tcp 3 3
slb real tcp FE5071_1 10.3.0.42 5071 1000 tcp 3 3
slb real tcp FE5072_1 10.3.0.42 5072 1000 tcp 3 3
slb real tcp FE5073_1 10.3.0.42 5073 1000 tcp 3 3
slb real tcp FE5075_1 10.3.0.42 5075 1000 tcp 3 3
slb real tcp FE135_2 10.3.0.43 135 1000 tcp 3 3
slb real tcp FE443_2 10.3.0.43 443 1000 tcp 3 3
slb real tcp FE444_2 10.3.0.43 444 1000 tcp 3 3
slb real tcp FE5060_2 10.3.0.43 5060 1000 tcp 3 3
slb real tcp FE5061_2 10.3.0.43 5061 1000 tcp 3 3
slb real tcp FE5065_2 10.3.0.43 5065 1000 tcp 3 3
slb real tcp FE5071_2 10.3.0.43 5071 1000 tcp 3 3
slb real tcp FE5072_2 10.3.0.43 5072 1000 tcp 3 3
slb real tcp FE5073_2 10.3.0.43 5073 1000 tcp 3 3
slb real tcp FE5075_2 10.3.0.43 5075 1000 tcp 3 3

3.2 Defining Groups

Group Definition

Group SLB Algorithm

g_FE135 pi and lc

g_FE443 pi and lc

g_FE444 pi and lc

g_FE5060 pi and lc

g_FE5061 pi and lc

g_FE5065 pi and lc

g_FE5071 pi and lc

g_FE5072 pi and lc

g_FE5073 pi and lc

g_FE5075 pi and lc

At the AN(config)# prompt, type:

slb group method g_FE135 pi 32 lc 10
slb group method g_FE443 pi 32 lc 10
slb group method g_FE444 pi 32 lc 10
slb group method g_FE5060 pi 32 lc 10
slb group method g_FE5061 pi 32 lc 10
slb group method g_FE5065 pi 32 lc 10
slb group method g_FE5071 pi 32 lc 10
slb group method g_FE5072 pi 32 lc 10
slb group method g_FE5073 pi 32 lc 10
slb group method g_FE5075 pi 32 lc 10


3.3 Adding Real Services to Defined Groups

Group Settings

Group Member

g_FE135 FE135_1 FE135_2

g_FE443 FE443_1 FE443_2

g_FE444 FE444_1 FE444_2

g_FE5060 FE5060_1 FE5060_2

g_FE5061 FE5061_1 FE5061_2

g_FE5065 FE5065_1 FE5065_2

g_FE5071 FE5071_1 FE5071_2

g_FE5072 FE5072_1 FE5072_2

g_FE5073 FE5073_1 FE5073_2

g_FE5075 FE5075_1 FE5075_2

At the AN(config)# prompt, type:

slb group member g_FE135 FE135_1 1 0
slb group member g_FE443 FE443_1 1 0
slb group member g_FE444 FE444_1 1 0
slb group member g_FE5060 FE5060_1 1 0
slb group member g_FE5061 FE5061_1 1 0
slb group member g_FE5065 FE5065_1 1 0
slb group member g_FE5071 FE5071_1 1 0
slb group member g_FE5072 FE5072_1 1 0
slb group member g_FE5073 FE5073_1 1 0
slb group member g_FE5075 FE5075_1 1 0
slb group member g_FE135 FE135_2 1 0
slb group member g_FE443 FE443_2 1 0
slb group member g_FE444 FE444_2 1 0
slb group member g_FE5060 FE5060_2 1 0
slb group member g_FE5061 FE5061_2 1 0
slb group member g_FE5065 FE5065_2 1 0
slb group member g_FE5071 FE5071_2 1 0
slb group member g_FE5072 FE5072_2 1 0
slb group member g_FE5073 FE5073_2 1 0
slb group member g_FE5075 FE5075_2 1 0


3.4 Defining Virtual Services

Virtual Service Definition

Virtual Service Virtual IP Address Port Protocol

v_FE135 10.8.6.32 135 TCP

v_FE443 10.8.6.32 443 TCP

v_FE444 10.8.6.32 444 TCP

v_FE5060 10.8.6.32 5060 TCP

v_FE5061 10.8.6.32 5061 TCP

v_FE5065 10.8.6.32 5065 TCP

v_FE5071 10.8.6.32 5071 TCP

v_FE5072 10.8.6.32 5072 TCP

v_FE5073 10.8.6.32 5073 TCP

v_FE5075 10.8.6.32 5075 TCP

At the AN(config)# prompt, type:

slb virtual tcp v_FE135 10.8.6.32 135 arp 0
slb virtual tcp v_FE443 10.8.6.32 443 arp 0
slb virtual tcp v_FE444 10.8.6.32 444 arp 0
slb virtual tcp v_FE5060 10.8.6.32 5060 arp 0
slb virtual tcp v_FE5061 10.8.6.32 5061 arp 0
slb virtual tcp v_FE5065 10.8.6.32 5065 arp 0
slb virtual tcp v_FE5071 10.8.6.32 5071 arp 0
slb virtual tcp v_FE5072 10.8.6.32 5072 arp 0
slb virtual tcp v_FE5073 10.8.6.32 5073 arp 0
slb virtual tcp v_FE5075 10.8.6.32 5075 arp 0


3.5 Setting the TCP Idle Timeout of the Virtual Services

Virtual Service Settings

Virtual Service TCP Idle Timeout

v_FE135 1200

v_FE443 1200

v_FE444 1200

v_FE5060 1200

v_FE5061 1200

v_FE5065 1200

v_FE5071 1200

v_FE5072 1200

v_FE5073 1200

v_FE5075 1200

At the AN(config)# prompt, type:

slb timeout v_FE135 1200
slb timeout v_FE443 1200
slb timeout v_FE444 1200
slb timeout v_FE5060 1200
slb timeout v_FE5061 1200
slb timeout v_FE5065 1200
slb timeout v_FE5071 1200
slb timeout v_FE5072 1200
slb timeout v_FE5073 1200
slb timeout v_FE5075 1200

Note: The TCP idle timeout value should be greater than or equal to the timeout value set in Microsoft Lync. The TCP idle timeout value is expressed in seconds.


3.6 Binding Virtual Services to Defined Groups

Binding Relationship

Virtual Service Group

v_FE135 g_FE135

v_FE443 g_FE443

v_FE444 g_FE444

v_FE5060 g_FE5060

v_FE5061 g_FE5061

v_FE5065 g_FE5065

v_FE5071 g_FE5071

v_FE5072 g_FE5072

v_FE5073 g_FE5073

v_FE5075 g_FE5075

At the AN(config)# prompt, type:

slb policy default v_FE135 g_FE135
slb policy default v_FE443 g_FE443
slb policy default v_FE444 g_FE444
slb policy default v_FE5060 g_FE5060
slb policy default v_FE5061 g_FE5061
slb policy default v_FE5065 g_FE5065
slb policy default v_FE5071 g_FE5071
slb policy default v_FE5072 g_FE5072
slb policy default v_FE5073 g_FE5073
slb policy default v_FE5075 g_FE5075

--End
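The six steps of Sections 3.1 to 3.6, together with the UDP real service form of Section 4.1, as an added Python example that is not part of the Array Networks guide: generate() builds the command list for a pool from its VIP, server addresses and Table 1/2 ports, and check() reviews a command list for the mistakes that survive a copy-and-paste, such as a virtual service bound to a group that was never defined, a group with a single member, a UDP real service without the ICMP health check, or an idle timeout below the Lync value from the Section 3.5 note. The rules in check() are this guide's requirements rather than ArrayOS behaviour, and the naming scheme follows the Section 3 convention.

```python
"""ArrayOS APV SLB configuration generator and reviewer for a Lync server pool.

Added example, not code from the Array Networks guide. generate() emits the
commands of Sections 3.1-3.6 from a compact pool description, including the UDP
real service form of Section 4.1; check() reviews a command list before it is
pasted at the AN(config)# prompt. IPs, ports and FE* names are the guide's; the
health-check and weight arguments copy its examples.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Service:
    name: str                           # real <name>_N, group g_<name>, virtual v_<name>
    port: int
    proto: str = "tcp"                  # "tcp" or "udp"
    idle_timeout: Optional[int] = None  # seconds; None leaves the APV default


@dataclass
class Pool:
    vip: str                 # virtual IP shared by the pool's virtual services
    real_ips: List[str]      # one address per server in the pool
    services: List[Service]


def generate(pool: Pool) -> List[str]:
    """Return the ArrayOS commands for the pool in the guide's step order."""
    cmds = []
    for svc in pool.services:                      # 3.1 / 4.1: real services
        for i, ip in enumerate(pool.real_ips, start=1):
            if svc.proto == "tcp":
                cmds.append(f"slb real tcp {svc.name}_{i} {ip} {svc.port} 1000 tcp 3 3")
            else:                                  # UDP: 60 s timeout, ICMP health check
                cmds.append(f"slb real udp {svc.name}_{i} {ip} {svc.port} 1000 3 3 60 icmp")
    for svc in pool.services:                      # 3.2: persistent IP, then least connections
        cmds.append(f"slb group method g_{svc.name} pi 32 lc 10")
    for svc in pool.services:                      # 3.3: group members
        for i in range(1, len(pool.real_ips) + 1):
            cmds.append(f"slb group member g_{svc.name} {svc.name}_{i} 1 0")
    for svc in pool.services:                      # 3.4: virtual services on the VIP
        cmds.append(f"slb virtual {svc.proto} v_{svc.name} {pool.vip} {svc.port} arp 0")
    for svc in pool.services:                      # 3.5: TCP idle timeout
        if svc.idle_timeout is not None:
            cmds.append(f"slb timeout v_{svc.name} {svc.idle_timeout}")
    for svc in pool.services:                      # 3.6: bind virtual service to its group
        cmds.append(f"slb policy default v_{svc.name} g_{svc.name}")
    return cmds


def check(cmds: List[str], lync_timeout: int = 1200) -> List[str]:
    """Review a command list; returns sorted findings, empty when consistent."""
    reals, groups, members, virtuals, timeouts, bindings = {}, set(), {}, set(), {}, {}
    for c in cmds:
        t = c.split()
        if t[:2] == ["slb", "real"]:
            reals[t[3]] = (t[2], t[-1])            # protocol and trailing health-check token
        elif t[:3] == ["slb", "group", "method"]:
            groups.add(t[3])
        elif t[:3] == ["slb", "group", "member"]:
            members.setdefault(t[3], set()).add(t[4])
        elif t[:2] == ["slb", "virtual"]:
            virtuals.add(t[3])
        elif t[:2] == ["slb", "timeout"]:
            timeouts[t[2]] = int(t[3])
        elif t[:3] == ["slb", "policy", "default"]:
            bindings[t[3]] = t[4]
    findings = []
    for name, (proto, last) in reals.items():      # Tables 3/4: UDP services are ICMP-checked
        if proto == "udp" and last != "icmp":
            findings.append(f"{name}: UDP real service without ICMP health check")
    for g in groups:                               # Section 2.1: two servers per pool
        if len(members.get(g, ())) < 2:
            findings.append(f"{g}: fewer than two members, so no failover")
    for g, ms in members.items():
        findings += [f"{g}: member {m} is not a defined real service" for m in ms if m not in reals]
    for v, g in bindings.items():                  # catches a typo such as g_FE44 for g_FE443
        if g not in groups:
            findings.append(f"{v}: bound to undefined group {g}")
    for v in virtuals:
        if v not in bindings:
            findings.append(f"{v}: virtual service has no default policy")
        if v in timeouts and timeouts[v] < lync_timeout:   # Section 3.5 note
            findings.append(f"{v}: idle timeout {timeouts[v]} s is below the Lync timeout {lync_timeout} s")
    return sorted(findings)


# Section 3 front end pool: Table 1 and Table 2 ports on two servers behind one VIP.
FRONT_END_POOL = Pool(
    vip="10.8.6.32",
    real_ips=["10.3.0.42", "10.3.0.43"],
    services=[Service(f"FE{p}", p, "tcp", 1200)
              for p in (135, 443, 444, 5060, 5061, 5065, 5071, 5072, 5073, 5075)],
)

if __name__ == "__main__":
    commands = generate(FRONT_END_POOL)
    print("\n".join(commands), "\nfindings:", check(commands) or "none")
```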


4 Configuring APV for Lync Internal Edge Servers

Figure 4-1 illustrates the appliances involved in APV configurations for Lync internal edge servers.

Figure 4-1 Internal Edge Server Topology

The following sections describe how to configure the APV for Lync internal edge server.


4.1 Defining Real Services

Internal Edge Server 1 Settings

Real Service IP Address Port Protocol

in_Edge443_1 10.3.0.39 443 TCP

in_Edge3478_1 10.3.0.39 3478 UDP

in_Edge5061_1 10.3.0.39 5061 TCP

in_Edge5062_1 10.3.0.39 5062 TCP

in_Edge8057_1 10.3.0.39 8057 TCP

Internal Edge Server 2 Settings

Real Service IP Address Port Protocol

in_Edge443_2 10.3.0.44 443 TCP

in_Edge3478_2 10.3.0.44 3478 UDP

in_Edge5061_2 10.3.0.44 5061 TCP

in_Edge5062_2 10.3.0.44 5062 TCP

in_Edge8057_2 10.3.0.44 8057 TCP

At the AN(config)# prompt, type:

slb real tcp in_Edge443_1 10.3.0.39 443 1000 tcp 3 3
slb real tcp in_Edge5061_1 10.3.0.39 5061 1000 tcp 3 3
slb real tcp in_Edge5062_1 10.3.0.39 5062 1000 tcp 3 3
slb real tcp in_Edge8057_1 10.3.0.39 8057 1000 tcp 3 3
slb real tcp in_Edge443_2 10.3.0.44 443 1000 tcp 3 3
slb real tcp in_Edge5061_2 10.3.0.44 5061 1000 tcp 3 3
slb real tcp in_Edge5062_2 10.3.0.44 5062 1000 tcp 3 3
slb real tcp in_Edge8057_2 10.3.0.44 8057 1000 tcp 3 3
slb real udp in_Edge3478_1 10.3.0.39 3478 1000 3 3 60 icmp
slb real udp in_Edge3478_2 10.3.0.44 3478 1000 3 3 60 icmp


4.2 Defining Groups

Group Definition Group SLB Algorithm

g_IN443 pi and lc

g_IN3478 pi and lc

g_IN5061 pi and lc

g_IN5062 pi and lc

g_IN8057 pi and lc

At the AN(config)# prompt, type:

    slb group method g_IN443 pi 32 lc 10
    slb group method g_IN3478 pi 32 lc 10
    slb group method g_IN5061 pi 32 lc 10
    slb group method g_IN5062 pi 32 lc 10
    slb group method g_IN8057 pi 32 lc 10

4.3 Adding Real Services to Defined Groups

Group Settings

Group Member

g_IN443 in_Edge443_1 in_Edge443_2

g_IN3478 in_Edge3478_1 in_Edge3478_2

g_IN5061 in_Edge5061_1 in_Edge5061_2

g_IN5062 in_Edge5062_1 in_Edge5062_2

g_IN8057 in_Edge8057_1 in_Edge8057_2

At the AN(config)# prompt, type:

    slb group member g_IN443 in_Edge443_1
    slb group member g_IN3478 in_Edge3478_1
    slb group member g_IN5061 in_Edge5061_1
    slb group member g_IN5062 in_Edge5062_1
    slb group member g_IN8057 in_Edge8057_1
    slb group member g_IN443 in_Edge443_2
    slb group member g_IN3478 in_Edge3478_2
    slb group member g_IN5061 in_Edge5061_2
    slb group member g_IN5062 in_Edge5062_2
    slb group member g_IN8057 in_Edge8057_2

4.4 Defining Virtual Services

Virtual Service Definition

Virtual Service Virtual IP Address Port Protocol

v_IN443 10.8.6.33 443 TCP

v_IN3478 10.8.6.33 3478 UDP

v_IN5061 10.8.6.33 5061 TCP

v_IN5062 10.8.6.33 5062 TCP

v_IN8057 10.8.6.33 8057 TCP

At the AN(config)# prompt, type:

    slb virtual tcp v_IN443 10.8.6.33 443 arp 0
    slb virtual tcp v_IN5061 10.8.6.33 5061 arp 0
    slb virtual tcp v_IN5062 10.8.6.33 5062 arp 0
    slb virtual tcp v_IN8057 10.8.6.33 8057 arp 0
    slb virtual udp v_IN3478 10.8.6.33 3478 arp 0

4.5 Setting the TCP Idle Timeout of the Virtual Services

Virtual Service Settings

Virtual Service TCP Idle Timeout (seconds)

v_IN443 1200

v_IN5061 1200

v_IN5062 1200

v_IN8057 1200

At the AN(config)# prompt, type:

    slb timeout v_IN443 1200
    slb timeout v_IN5061 1200
    slb timeout v_IN5062 1200
    slb timeout v_IN8057 1200

Note: The TCP idle timeout value should be greater than or equal to the timeout value set in Microsoft Lync. The TCP idle timeout value is given in seconds.


4.6 Binding Virtual Services to Defined Groups

Binding Relationship

Virtual Service Group

v_IN443 g_IN443

v_IN3478 g_IN3478

v_IN5061 g_IN5061

v_IN5062 g_IN5062

v_IN8057 g_IN8057

At the AN(config)# prompt, type:

    slb policy default v_IN443 g_IN443
    slb policy default v_IN3478 g_IN3478
    slb policy default v_IN5061 g_IN5061
    slb policy default v_IN5062 g_IN5062
    slb policy default v_IN8057 g_IN8057

--End


5 Configuring APV for Lync External Edge Servers

Figure 5-1 illustrates the appliances involved in APV configurations for Lync external edge servers.

Figure 5-1 External Edge Server Topology

The following sections describe how to configure the APV for the Lync external edge servers.


5.1 Defining Real Services

External Edge Server 1 Settings

Real Service IP Address Port Protocol

ex_Edge443_1 10.8.0.241 443 TCP

ex_Edge3478_1 10.8.0.241 3478 UDP

ex_Edge5061_1 10.8.0.241 5061 TCP

External Edge Server 2 Settings

Real Service IP Address Port Protocol

ex_Edge443_2 10.8.0.242 443 TCP

ex_Edge3478_2 10.8.0.242 3478 UDP

ex_Edge5061_2 10.8.0.242 5061 TCP

At the AN(config)# prompt, type:

    slb real tcp ex_Edge443_1 10.8.0.241 443 1000 tcp 3 3
    slb real tcp ex_Edge5061_1 10.8.0.241 5061 1000 tcp 3 3
    slb real tcp ex_Edge443_2 10.8.0.242 443 1000 tcp 3 3
    slb real tcp ex_Edge5061_2 10.8.0.242 5061 1000 tcp 3 3
    slb real udp ex_Edge3478_1 10.8.0.241 3478 1000 3 3 60 icmp
    slb real udp ex_Edge3478_2 10.8.0.242 3478 1000 3 3 60 icmp

5.2 Defining Groups

Group Definition Group SLB Algorithm

g_EX443 pi and lc

g_EX3478 pi and lc

g_EX5061 pi and lc

At the AN(config)# prompt, type:

    slb group method g_EX443 pi 32 lc 10
    slb group method g_EX3478 pi 32 lc 10
    slb group method g_EX5061 pi 32 lc 10


5.3 Adding Real Services to Defined Groups

Group Settings

Group Member

g_EX443 ex_Edge443_1 ex_Edge443_2

g_EX3478 ex_Edge3478_1 ex_Edge3478_2

g_EX5061 ex_Edge5061_1 ex_Edge5061_2

At the AN(config)# prompt, type:

    slb group member g_EX443 ex_Edge443_1
    slb group member g_EX3478 ex_Edge3478_1
    slb group member g_EX5061 ex_Edge5061_1
    slb group member g_EX443 ex_Edge443_2
    slb group member g_EX3478 ex_Edge3478_2
    slb group member g_EX5061 ex_Edge5061_2

5.4 Defining Virtual Services

Virtual Service Definition

Virtual Service Virtual IP Address Port Protocol

v_EX443 10.8.6.34 443 TCP

v_EX3478 10.8.6.34 3478 UDP

v_EX5061 10.8.6.34 5061 TCP

At the AN(config)# prompt, type:

    slb virtual tcp v_EX443 10.8.6.34 443 arp 0
    slb virtual tcp v_EX5061 10.8.6.34 5061 arp 0
    slb virtual udp v_EX3478 10.8.6.34 3478 arp 0


5.5 Setting the TCP Idle Timeout of the Virtual Services

Virtual Service Settings

Virtual Service TCP Idle Timeout (seconds)

v_EX443 1200

v_EX5061 1200

At the AN(config)# prompt, type:

    slb timeout v_EX443 1200
    slb timeout v_EX5061 1200

Note: The TCP idle timeout value should be greater than or equal to the timeout value set in Microsoft Lync. The TCP idle timeout value is given in seconds.

5.6 Binding Virtual Services to Defined Groups

Binding Relationship

Virtual Service Group

v_EX443 g_EX443

v_EX3478 g_EX3478

v_EX5061 g_EX5061

At the AN(config)# prompt, type:

    slb policy default v_EX443 g_EX443
    slb policy default v_EX3478 g_EX3478
    slb policy default v_EX5061 g_EX5061

--End
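The real-service, group, virtual-service, timeout and policy steps of sections 4 and 5 repeat one pattern per port, so the following Python script, added here as an example and not part of this guide or of Array Networks' software, generates that "slb" block from the tables in sections 4.1 and 5.1 and then parses it back to catch the mistakes a reviewer looks for: a virtual service without a default policy to a populated group, a group member on a different port or protocol than its virtual service, and a TCP virtual service whose idle timeout is missing or below the Lync-side value (1200 seconds, assumed). The argument positions the checker parses follow the guide's own command lines and are an assumption of this example, not a documented grammar.

```python
# Added example (not Array Networks code): build the APV "slb" block for a Lync
# edge pool (sections 4 and 5) and parse it back to check it. Parsed argument
# positions follow the guide's command lines and are an assumption of this example.
LYNC_IDLE_TIMEOUT = 1200  # seconds; assumed Lync-side timeout (section 4.5)
INTERNAL_EDGE_SERVICES = [(443, "tcp"), (3478, "udp"), (5061, "tcp"),
                          (5062, "tcp"), (8057, "tcp")]   # section 4.1 rows

def build_slb_config(prefix, real_prefix, vip, real_ips, services,
                     tcp_idle=LYNC_IDLE_TIMEOUT):
    """One command per line, in the guide's order: reals, group method,
    members, virtual, TCP idle timeout (TCP only), default policy."""
    cmds = []
    for port, proto in services:
        group, virt = f"g_{prefix}{port}", f"v_{prefix}{port}"
        names = [f"{real_prefix}{port}_{i}" for i in range(1, len(real_ips) + 1)]
        for name, ip in zip(names, real_ips):
            if proto == "tcp":
                cmds.append(f"slb real tcp {name} {ip} {port} 1000 tcp 3 3")
            else:  # the guide health-checks UDP reals with ICMP
                cmds.append(f"slb real udp {name} {ip} {port} 1000 3 3 60 icmp")
        cmds.append(f"slb group method {group} pi 32 lc 10")
        cmds += [f"slb group member {group} {name}" for name in names]
        cmds.append(f"slb virtual {proto} {virt} {vip} {port} arp 0")
        if proto == "tcp":
            cmds.append(f"slb timeout {virt} {tcp_idle}")
        cmds.append(f"slb policy default {virt} {group}")
    return cmds

def check_slb_config(cmds, lync_timeout=LYNC_IDLE_TIMEOUT):
    """Return a list of problems; an empty list means the block is consistent."""
    reals, groups, virtuals, timeouts, policies = {}, {}, {}, {}, {}
    for t in (line.split() for line in cmds):
        if t[1] == "real":
            reals[t[3]] = (t[2], int(t[5]))          # name -> (proto, port)
        elif t[1] == "group":                        # "method" or "member"
            groups.setdefault(t[3], [])
            if t[2] == "member":
                groups[t[3]].append(t[4])
        elif t[1] == "virtual":
            virtuals[t[3]] = (t[2], int(t[5]))
        elif t[1] == "timeout":
            timeouts[t[2]] = int(t[3])
        elif t[1] == "policy" and t[2] == "default":
            policies[t[3]] = t[4]
    problems = []
    for virt, (proto, port) in virtuals.items():
        members = groups.get(policies.get(virt))
        if not members:  # no default policy, unknown group, or empty group
            problems.append(f"{virt}: no default policy to a populated group")
        for m in members or []:
            if reals.get(m) != (proto, port):
                problems.append(f"{virt}: member {m} is not {proto}/{port}")
        if proto == "tcp" and timeouts.get(virt, 0) < lync_timeout:
            problems.append(f"{virt}: TCP idle timeout missing or below {lync_timeout}s")
    return problems
```

Calling build_slb_config("IN", "in_Edge", "10.8.6.33", ["10.3.0.39", "10.3.0.44"], INTERNAL_EDGE_SERVICES) reproduces the section 4 block, and the external pool of section 5 is the same call with "EX", "ex_Edge", 10.8.6.34, the two 10.8.0.24x addresses and the three section 5.1 rows.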


6 Configuring APV for Communicator Web Access (CWA)

6.1 CWA Deployment

CWA servers can be deployed as follows:

• As a single server, supporting up to 5000 users, for both internal and external users

• As two servers – one for internal users and one for external

• As an array of load-balanced servers, supporting internal and external users
  o A single load balancer is required

• As two separate load-balanced arrays of servers - one for internal and one for external
  o May be supported with a single load balancer or two separate ones

6.2 Prerequisites and Configuration Notes

The requirements for load balancing CWA servers are as follows:

• Session affinity must be supported and enabled on the load balancer. Once a CWA session begins, it must always continue with the same server that it began with. Session affinity ensures this.

• Cookie persistence when configuring Session Affinity must be used. Using cookie persistence, information about the CWA session is stored on the client’s computer.

• SSL acceleration should be supported by the load balancer. By having the load balancer decrypt HTTPS transmissions before they are sent to the CWA server, performance can be noticeably improved.

• A dedicated load balancer should be used for CWA servers. For performance reasons it is not recommended that the same load balancer be used for CWA and Lync Server.

The requirement for the reverse proxy is as follows:

• If a reverse proxy is used, set the Forward host header to True in the reverse proxy publishing rule for port 4443. This ensures that the original URL is forwarded to the target web server.

Note: External users do not need a VPN connection to an organization in order to participate in Lync Server-based communications. External users who are connected to an organization's internal network over a VPN bypass the reverse proxy.


6.3 Array Networks APV Advantages and Network Topology for CWA

Array Networks APV offers performance, security and functional advantages that combine versatility with ease-of-use to speed deployment of the Microsoft Lync infrastructure.

Array Networks APVs support CWA by providing:

• Local and global server load balancing with multi-unit clustering for 99.999% application uptime and data center scalability

• SSL acceleration for securing data in transit, offloading compute-intensive processes from servers, and improving application performance

• Reverse-proxy architecture with a stateful packet-inspection firewall for guarding applications without impacting performance

• Hardware-based 1024 and 2048-bit SSL encryption for alignment with NIST and certificate authority security requirements


Figure 6-1 illustrates the appliances involved in APV configurations for CWA.

Figure 6-1 CWA Topology

As mentioned in section 2.1 Network Topology, you can employ a single APV for all internal and external Lync Server 2010 services and this APV can also work as the reverse proxy, as shown in the following figure:


Figure 6-2 CWA Topology with One APV Working as the Reverse Proxy and Used for Front End Servers

The following sections describe the configuration of the APV that works as the reverse proxy and provides the CWA service for the front end servers.


6.4 Defining Real Services

CWA Server Settings

Real Service IP Address Port Protocol

real_4443 10.8.6.32 4443 TCP

FE4443_1 10.3.0.42 4443 HTTPS

FE4443_2 10.3.0.43 4443 HTTPS

At the AN(config)# prompt, type:

    slb real tcp real_4443 10.8.6.32 4443 1000 tcp 3 3
    slb real https FE4443_1 10.3.0.42 4443 1000 tcp 3 3
    slb real https FE4443_2 10.3.0.43 4443 1000 tcp 3 3

Note: If you do not use the APV as the reverse proxy, omit the real_4443 real service, that is, you do not need to run the "slb real tcp real_4443 10.8.6.32 4443 1000 tcp 3 3" command.

6.5 Defining Groups

Group Definition Group SLB Algorithm

g_icFE4443 ic

At the AN(config)# prompt, type: slb group method g_icFE4443 ic exmfwnrkqvk 0 rr

Note: The keyword "exmfwnrkqvk" is the cookie name. If you do not specify the cookie name, the APV generates a random one.


6.6 Adding Real Services to Defined Groups

Group Settings

Group Member

g_icFE4443 FE4443_1 FE4443_2

At the AN(config)# prompt, type:

    slb group member g_icFE4443 FE4443_1 1 0
    slb group member g_icFE4443 FE4443_2 1 0

6.7 Defining Virtual Services

Virtual Service Definition

Virtual Service Protocol Virtual IP Address Port

redirect_443_4443 TCP 10.8.6.35 443

v_FE4443 HTTPS 10.8.6.32 4443

At the AN(config)# prompt, type:

    slb virtual tcp redirect_443_4443 10.8.6.35 443 arp 0
    slb virtual https v_FE4443 10.8.6.32 4443 arp 0

6.8 Setting the TCP Idle Timeout of the Virtual Services

Virtual Service Settings

Virtual Service TCP Idle Timeout (seconds)

redirect_443_4443 1800

At the AN(config)# prompt, type: slb timeout redirect_443_4443 1800

Note: The TCP idle timeout value should be greater than or equal to the minimum REGISTER refresh or SIP Keep-Alive interval (typically 30 minutes). The TCP idle timeout value is given in seconds.


6.9 Binding Virtual Services to Defined Groups

When a user initiates CWA for the first time, no cookie for that user is yet stored on the APV, so the default policy takes effect to complete the access. For the user's later accesses, the APV already holds the corresponding cookie, so the cookie policy takes precedence.

The configurations on the APV are as follows:

Binding Relationship

Virtual Service Group/Real Service

v_FE4443 g_icFE4443

redirect_443_4443 real_4443

At the AN(config)# prompt, type:

    slb policy icookie policy_icFE4443 v_FE4443 g_icFE4443 0
    slb policy default v_FE4443 g_icFE4443
    slb policy static redirect_443_4443 real_4443

Note: If you do not use the APV as the reverse proxy, omit the redirect_443_4443 virtual service, that is, you do not need to run the "slb policy static redirect_443_4443 real_4443" command.
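The policy precedence described in section 6.9, modelled as an added Python example that is not part of this guide or of Array Networks' software: an insert-cookie policy over the round-robin default policy of g_icFE4443, with the cookie name from section 6.5. Two details are assumptions of this example rather than documented APV behaviour: the cookie value carries the member name, and a cookie naming a member that has since left the group is ignored so that the default policy picks a live server and a fresh cookie is issued.

```python
# Added example (not Array Networks code): a model of the policy precedence in
# section 6.9. Assumptions of this example: the inserted cookie carries the
# member name, and a cookie naming a member that has left the group is ignored.
from itertools import cycle

COOKIE_NAME = "exmfwnrkqvk"  # cookie name from section 6.5


class IcookieGroup:
    """g_icFE4443: insert-cookie persistence over a round-robin default policy."""

    def __init__(self, members):
        self.members = set(members)
        self._rr = cycle(sorted(members))    # the 'rr' default policy

    def remove_member(self, name):
        self.members.discard(name)           # e.g. a server taken out of service

    def select(self, request_cookies):
        """Return (member, cookie_to_set); cookie_to_set is None when the
        cookie policy matched and no new cookie needs to be inserted."""
        wanted = request_cookies.get(COOKIE_NAME)
        if wanted in self.members:           # cookie policy takes precedence
            return wanted, None
        if not self.members:
            raise RuntimeError("no members available in the group")
        chosen = next(self._rr)              # default policy: round robin
        while chosen not in self.members:    # skip members no longer present
            chosen = next(self._rr)
        return chosen, {COOKIE_NAME: chosen}


def client_session(group, requests, jar=None):
    """Replay a client's requests, keeping the cookie jar as a browser would,
    and return the member that served each request."""
    jar = {} if jar is None else jar
    served = []
    for _ in range(requests):
        member, new_cookie = group.select(jar)
        if new_cookie:
            jar.update(new_cookie)           # the APV inserts the cookie in the response
        served.append(member)
    return served
```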

6.10 Configuring APV for Secure Sockets Layer (SSL) Offload

This section describes how to configure the APV to offload SSL traffic for CWA servers.

6.10.1 Using SSL Certificates and Keys

Before you can enable the APV to act as an SSL proxy, you must install an SSL certificate on the virtual server that you use for Lync Server 2010 on the APV. In this deployment guide, it is assumed that you already have obtained an SSL certificate, but it is not yet installed on the APV. For information on generating certificates, or using the APV to generate a request for a new certificate and key from a certificate authority, see the SSL-related chapter in the APV Application Guide.


6.10.2 Importing Keys and Certificates

After obtaining a certificate, you can import this certificate into the APV using the following commands. For detailed usage, refer to APV Application Guide.

At the AN(config)# prompt, type:

    ssl import key meet.potest.com
    ssl import certificate meet.potest.com

6.10.3 Disabling Certificate Verification

At the AN(config)# prompt, type:

    ssl globals verifycert off

6.10.4 Creating an SSL Host and Binding It to the Virtual Service

At the AN(config)# prompt, type:

    ssl host virtual meet.potest.com v_FE4443

6.10.5 Starting the SSL Offload

At the AN(config)# prompt, type:

    ssl start meet.potest.com

6.10.6 Creating an SSL Host and Binding It to Real Services

At the AN(config)# prompt, type:

    ssl host real ssl_rFE4443 FE4443_1
    ssl host real ssl_rFE4443 FE4443_2


6.10.7 Starting the SSL Offload

At the AN(config)# prompt, type:

    ssl start ssl_rFE4443

--End


7 Summary

The preceding sections describe how to configure the APV for Microsoft Lync Server 2010. APV Application Delivery Controllers deliver all required application delivery functions for optimizing Microsoft Lync Server 2010 environments in a single and easy-to-manage appliance.

For more information about Array Networks APVs, please visit:

http://www.arraynetworks.com/


Appendix I Abbreviations and Acronyms

Abbreviation/Acronym Full Spelling

AV Audio Video

CSCP Communication Server Control Panel

CWA Communicator Web Access

DDoS Distributed Denial of Service

FQDN Fully Qualified Domain Name

IM Instant Messaging

MTLS Mutual Transport Layer Security

SIP Session Initiation Protocol

TLS Transport Layer Security

SSL Secure Sockets Layer

VS Virtual Service


Appendix II Reference Topology Recommended by Microsoft

The following figure demonstrates the reference topology recommended by Microsoft for most Lync Server deployments and where load balancers can be deployed: