TRANSCRIPT
Load Balancing Lync 2013
Jaap Wesselius
Agenda
• Introduction
• Internal Load Balancing
• External Load Balancing
• Reverse Proxy
• Summary & Best Practices
Introduction
Load Balancing Lync 2013
• Why load balancing?
• What are the important items in load balancing?
  • VIP & real server
    • External address vs internal address
  • Affinity or persistence
    • Source IP, cookie
  • Scheduling
    • Round robin, least connections
Load Balancing Lync 2013
• Which workload do you want on the load balancer?
  • Server-to-server traffic?
    • That is 'topology aware', so no load balancer is needed
  • Client-to-server traffic?
    • DNS load balancing for Front-End traffic (SIP)
    • DNS load balancing for Edge traffic (SIP)
    • DNS load balancing does NOT work for web services
    • Port translation is needed for external web traffic
Load Balancing Lync 2013

| Role                     | High Availability                                                                       | Load Balancer | DNS Load Balancing |
|--------------------------|-----------------------------------------------------------------------------------------|---------------|--------------------|
| Standard Edition Server  | Not available                                                                           | N/A           | N/A                |
| Enterprise Edition Server| Deploy multiple servers in a pool and use load balancing                                | Yes           | Yes                |
| Back End Server          | SQL Server uses Windows Clustering for high availability                                | No            | No                 |
| A/V Conferencing Server  | Deploy multiple servers in a pool and use load balancing                                | N/A           | N/A                |
| Edge Server              | Deploy multiple servers in a pool and use load balancing                                | Yes           | Yes                |
| Mediation Server         | Deploy multiple servers in a pool and use load balancing                                | Yes           | Yes                |
| Monitoring               | Standby server (MSMQ on the Front-End queues messages in the event of a failure)        | No            | No                 |
| Archiving                | Standby server (MSMQ on the Front-End queues messages in the event of a failure)        | No            | No                 |
| Director                 | Deploy multiple servers in a pool and use load balancing                                | Yes           | Yes                |
| File Server              | Use Windows Clustering or Distributed File System                                       | No            | No                 |
Internal Load Balancing
Lync 2013 Front-End & Director Pool
[Diagram: Lync 2013 topology. Internet: Lync 2013 Mobile Client, Windows 8 Lync App, Lync 2013 Desktop client. DMZ: Reverse Proxy, Lync Edge Pool, Load Balancer. Internal Network: Load Balancer, Lync Front-End Pool, Mirrored Back-End Servers, Office Web Apps Server, Active Directory, internal Lync 2013 Mobile and Desktop clients.]
Lync 2013 Front-End & Director Pool
• Microsoft recommendations:
  • DNS load balancing for SIP traffic
  • Web services override FQDN for internal web services
  • Load balance TCP ports 80, 8080, 443 and 4443
  • Also TCP port 444 when using a Director Pool
Lync 2013 Front-End & Director Pool
• Source IP persistence can be used, but there are some limitations:
  • Behind NAT there is only a single source IP
  • Uneven distribution of connections
• Health check on TCP/5061, or use the hardware load balancer monitoring port (checkbox in Topology Builder)
• Optionally /meet/blank.htm instead of TCP/5061 to determine whether IIS is working properly
Lync 2013 Front-End & Director Pool
• Using a cookie is also possible:
  • Must be named MS-WSMAN
  • No 'expiration'
  • Not 'httpOnly'
  • No cookie optimisation
• There is no negative impact from using a cookie
• TCP session time-out: 20 minutes
• TCP idle time-out: 1800 seconds
Lync 2013 Front-End & Director Pool
• Without DNS RR, i.e. a load-balancer-only environment:
  • Load balance the following TCP ports
    • 5061, 444, 135, 80, 8080, 443, 4443, 448, 5070-5073, 5075, 5076, 5080
  • The number of ports increases considerably because the SIP traffic now also goes through the LB
• More info at http://bit.ly/LyncPorts
Lync 2013 Mediation Pool
• DNS load balancing is sufficient
• When using a load balancer, only TCP ports 5067, 5068 and 5070 go through the load balancer
External Load Balancing
Load balancing Edge Pool
[Diagram: Lync 2013 topology overview (Internet, DMZ, Internal Network), as in the Internal Load Balancing section.]
DNS load balancing Edge Pools
• DNS is of limited use because of what is lost on fail-over:
  • Federation with older OCS environments
  • PIM connectivity with Skype, Windows Live, AOL, Yahoo and XMPP partners
  • UM Play on Phone
  • Call transfer from UM Auto Attendant
(Hardware) Load balancer Edge Pool
• External interfaces
  • Access Edge interface
    • SIP (external client): TCP/443
    • SIP (federation): TCP/5061
    • XMPP: TCP/5269
  • Web Conferencing interface
    • Source NAT can be used
    • PSOM: TCP/443
  • AV Edge interface
    • NAT can *not* be used
    • STUN/MSTURN: TCP/443
    • STUN/MSTURN: UDP/3478
(Hardware) Load balancer Edge Pool
• External interfaces:
  • Use the Access VIP as the default gateway on all Edge interfaces
• AV Edge interface:
  • Disable TCP nagling for TCP/443 on all interfaces
  • Disable TCP nagling for ports 50000-59999
  • Use a publicly routable IP without NAT or port translation
(Hardware) Load balancer Edge Pool
• Internal interfaces
  • Access SIP: TCP/5061
    • Used by Director & Front-End
  • AV authentication SIP: TCP/5062
    • Used by Front-End pool & SBA
  • AV media transfer: UDP/3478
    • Preferred path for AV media transfer
  • AV media transfer: TCP/443
    • Fallback for AV media transfer
    • File sharing
    • Desktop sharing
Reverse Proxy
Reverse Proxy (Web Services)
[Diagram: Lync 2013 topology overview (Internet, DMZ, Internal Network), as in the Internal Load Balancing section.]
Reverse Proxy?
• Device between servers and clients (often in the DMZ) that publishes server services
• Often used as a 'load balancing' device
• Shields internal servers from external influences
• Full reverse proxy, Layer 7
  • SSL acceleration, content inspection, intrusion detection…
Reverse Proxy
• Reverse proxy = second VIP on the load balancer
• Load balance on ports 80 and 443
• Publishes ports 8080 and 4443
• Persistence is not required
• Pre-authentication is not possible
• Health check on port 5061 or the hardware load balancer port (in Topology Builder)
  • or /meet/blank.htm instead of port 5061
Testing the Reverse Proxy
• https://meet.exchangelabs.nl/Reach/Client/WebPages/ReachClient.aspx (Silverlight client!)
• https://dialin.exchangelabs.nl/dialin/conference.aspx
• https://lyncweb.exchangelabs.nl/Scheduler/Default.aspx
Office Web Apps Server
• Load balance port 443
• Re-encrypt traffic
• SSL offloading is also possible
• Source IP for persistence with a 30-minute time-out
• Health check on /hosting/discovery via HTTP GET
• Web Apps blog: http://bit.ly/13uQqXe
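As an added example (not from the slides, and not tied to any load balancer product), a small Python checker for the two things the deck asks you to verify on the load balancer: the cookie persistence requirements from the Front-End & Director Pool slides (named MS-WSMAN, no expiration, not httpOnly) and the HTTP GET health probes used for the Front-End, reverse proxy and Office Web Apps slides (/meet/blank.htm, /hosting/discovery). The hostnames you pass in are assumed to be your own pool, real-server or VIP names.

```python
"""Lync 2013 load balancer checks: MS-WSMAN cookie persistence and HTTP GET health probes."""
import http.client
import ssl

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags such as HttpOnly map to ""
    return name.strip(), value, attrs

def check_persistence_cookie(set_cookie):
    """Return the slide's cookie requirements that a Set-Cookie header violates."""
    name, _, attrs = parse_set_cookie(set_cookie)
    problems = []
    if name != "MS-WSMAN":
        problems.append("cookie must be named MS-WSMAN, got %r" % name)
    if "expires" in attrs or "max-age" in attrs:
        problems.append("cookie must not have an expiration")
    if "httponly" in attrs:
        problems.append("cookie must not be marked httpOnly")
    return problems

def http_get_status(host, path, port=443, use_tls=True, timeout=5):
    """GET the probe page the way a health monitor does; return the HTTP status,
    or None if unreachable. Certificate checks are off: real servers are probed by IP."""
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
        return status
    except (OSError, http.client.HTTPException):
        return None

def health_ok(host, path, port=443, use_tls=True):
    """Healthy means the probe page (e.g. /meet/blank.htm, /hosting/discovery) answers 200."""
    return http_get_status(host, path, port, use_tls) == 200
```

Run `health_ok("<front-end real server>", "/meet/blank.htm")` and `health_ok("<web apps server>", "/hosting/discovery")` against each pool member, and feed the Set-Cookie header your VIP returns to `check_persistence_cookie` to confirm it matches the deck's requirements.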
Summary and Best Practices
DNS Load Balancing or Hardware?

| HLB Pros                                      | HLB Cons                                  | DNS LB Pros                   | DNS LB Cons                                                  |
|-----------------------------------------------|-------------------------------------------|-------------------------------|--------------------------------------------------------------|
| App awareness                                 | Additional setup work required            | Less overall complexity       | Extra step for server draining                               |
| Simpler server draining                       | Adds significantly to deployment (myth)   | Minimal LB expertise required | Some 3rd-party apps don't understand DNS LB                  |
| Easy to take partially working server offline | Adds substantial latency (myth)           |                               | Many PBXs can't talk to a pool of DNS LB Mediation Servers   |
| Supports all level clients                    | Over-complicates troubleshooting (myth)   |                               | Down-level clients don't support DNS LB                      |
| HA for PIC/XMPP and legacy federation         |                                           |                               |                                                              |
Best Practices
• Use the same load balancing method for internal/external Edge interfaces
• Don't leave the timeout at the default: TCP idle timeout should be set to 1800 sec
• Turn off TCP Nagling for AV Edge ports 50,000-59,999 and internal/external 443
• Use SNAT for general services, DNAT for AV Edge
• Ensure load balancer and Lync failover scenarios are tested… BEFORE you need it
• Avoid using DSR – not supported
Best Practices
• Create an independent virtual service for each Edge service (access/webconf/AV)
• Use cookie-based persistence for external Lync web services and source-address persistence for internal Lync web services
• Cookie-based persistence is required for Lync Mobility services: marked httpOnly, named MS-WSMAN and no expiration
• Always use an HLB if HA for XMPP/PIC/legacy federation is important
• The Edge internal interface must be on a different network than the Edge external interface, with routing between them disabled
• The Edge Server external interface running A/V must use a routable IP – no NAT/PAT