
Post on 28-Jun-2020


Avi Networks — Technical Reference (17.1): Integrating Skype for Business 2015 with Avi Vantage

Copyright © 2018 Avi Networks, Inc. Page 2 of 26

Integrating Skype for Business 2015 with Avi Vantage

This document discusses configuring Avi Vantage to optimize Microsoft Skype for Business 2015 deployment. Avi Vantage can make intelligent load balancing decisions and improve the performance, security, reliability, and integrity of traffic in this environment.

Skype for Business

Skype for Business (formerly Microsoft Office Communicator and Microsoft Skype for Business) is an instant-messaging client used with Skype for Business Server or with Skype for Business Online (available with Microsoft Office 365). Skype for Business is enterprise software and has distinctive features for business enterprises. Skype for Business replaces Windows Messenger, which ran with Microsoft Exchange Server. For more information on deployment and operation details, refer to Skype for Business Server 2015.

Topology

Skype for Business supports the following server topologies:

- Standard Edition topology: This topology is recommended for small organizations and for pilot projects in large organizations. It hosts many features such as instant messaging (IM), presence, conferencing, and Enterprise Voice. It also facilitates necessary databases to run on a single server. It is made available at a lower cost but does not provide high availability.
- Enterprise Edition topology: Apart from the features available in Standard Edition, this topology supports high availability by allowing multiple Front End servers to be deployed into a pool, and the SQL servers to be mirrored.

For specific information on server roles and other topology details, refer to Topology Basics for Skype for Business Server 2015.

Workload Protocols in Skype for Business

Skype for Business supports the following workload protocols:

- Instant Messaging and Presence: Instant messaging (IM) enables users to communicate with each other in real time on their computers using text-based messages. IM supports both two-party and multi-party sessions. Presence provides information to users about the status of other users on the network. The presence icon represents the user's current availability and willingness to communicate.
- Audio and video (A/V) and Web Conferencing: Web conferencing allows users to share and collaborate on documents during meetings and conference sessions. Additionally, users can share their desktop or specific application with others in real time.
- Enterprise Voice: Skype for Business supports multiple Mediation servers and gateways. This uses inter-trunk routing to connect an IP PBX to a public switched telephone network (PSTN) gateway or to interconnect multiple IP PBX systems.

For specific information on workload protocols and voice solutions, refer to Technical diagrams for Skype for Business Server 2015.

Benefits of deploying Skype for Business 2015 with Avi Vantage

Avi Vantage provides the following benefits for Skype for Business deployment:

- Single Point of Management and Control: Avi Controller provides a single point of management and control while providing traffic and resource isolation for heightened security. Typical Skype for Business deployment requires four separate load balancing units. This number is doubled to eight units when high availability is required. Unlike other ADC solutions, IT organizations can deploy an Avi Controller cluster for central management instead of four or eight independently managed ADC units.
- Built-in TCP Security: Avi Vantage inspects TCP connections and drops malicious connection attempts such as TCP SYN flooding or TCP segments with an invalid sequence number.
- Skype for Business reverse proxy Service: Avi Vantage supports HTTPS proxy with easy-to-use security and HTTP policies. Along with this, full visibility and end-to-end timing information are provided for HTTPS transactions, which enables IT to detect and analyze problems quickly.
- Cloud Optimized Deployment and High Availability: Avi Controller automatically discovers available resources, such as networks and servers in the virtual infrastructure. Thus, IT administrators are less vulnerable to human errors. The Avi Controller detects a problem when its Service Engine or a hypervisor has a problem. It automatically looks for the best available hypervisor and launches a Service Engine to recover. Unlike other ADC solutions, this approach does not require a redundant device.


Deployment Architecture

Figure 1. Deployment Architecture

The following server types are used during the deployment of Skype for Business with Avi Vantage:

- Front End server: Provides all core features such as authentication, instant messaging, web conferencing, A/V conferencing, address book services, etc. These servers are recommended to host Director pool and can optionally accommodate other services such as persistent chat, monitoring, and media mediation. In this document, the Director pool is assumed to be present in the Front End pool.
- Edge server: Enables on-premise users to communicate and collaborate with off-premise users. These servers do not provide any web-based services or Skype for Business discovery mechanism. To support these two functions, a reverse proxy server should be configured. Edge pool servers are not part of the active directory domain of an organization.
- Reverse proxy server: Publishes web services provided by the Front End pool to the internet. These servers relay HTTP requests coming from the Internet to the Front End servers. The reverse proxy should not be configured to join the active directory domain of an organization.
- Outlook Web App server: Delivers browser-based versions of Word, PowerPoint, Excel, and OneNote. A single Office Web App server farm can support users who access Office files through Skype for Business 2015, SharePoint 2013, Lync Server 2013, shared folders, and websites.

Requirements for Deployment

The following is the checklist for deploying Avi Vantage for Skype for Business:

Table 1. Server requirements

- Server type: Front End server
  Hardware requirements: 64-bit dual processor; Eight-core CPU; 32GB RAM; 100GB disk capacity; Dual-port network adapter
  Software requirements: Windows 2012 R2; Windows PowerShell 3.0; Microsoft .NET Framework 4.5; Windows Identity Foundation; Remote Server Administration Tools; Internet Information Services (IIS); Windows Media Format Runtime; .NET Framework 3.5; Silverlight
  Recommended number of servers: Three

- Server type: OWA server
  Hardware requirements: Eight-core CPU; 8GB RAM; 100GB disk capacity
  Software requirements: Windows 2012 R2; Windows PowerShell 3.0; Microsoft .NET Framework 4.5; Windows Identity Foundation; Remote Server Administration Tools; Internet Information Services (IIS); Windows Media Format Runtime; .NET Framework 3.5; Silverlight
  Recommended number of servers: One

- Server type: Exchange 2016 server
  Hardware requirements: Eight-core CPU; 8GB RAM; 100GB disk capacity; Dual-port network adapter

- Server type: SQL 2014 server
  Hardware requirements: Two-core CPU; 1GB RAM; 6GB disk capacity

- Server type: Reverse proxy server
  Hardware requirements: Two-core CPU; 1GB RAM; 6GB disk capacity

- Server type: Edge server
  Hardware requirements: 64-bit dual processor; Eight-core CPU; 16GB RAM; 100GB disk capacity; Dual-port network adapter

Note: In Windows 2012 server, the disk should be partitioned into four drives for OS, logs, database, and Exchange Install Directory.

For more information on server requirements, refer to Skype for Business Server 2015.

Certificates: Any Windows server can act as a certificate authority. In this document, we use Windows Server 2012 R2 as the certificate authority. For complete information on the certificate requirements, refer to Figure 2.


Figure 2. Certificate requirements for Skype for Business 2015 (source: technet.microsoft.com)

DNS: For complete DNS information, refer to Figure 3.

Figure 3. DNS configuration for Skype for Business 2015 (source: technet.microsoft.com)

Policies for Deployment

All ports and services required for deploying load balancing are mentioned in Figure 4. In this deployment example, the Front End servers assume the role of Director server and Mediation server. Set up your active directory and DNS servers based on the information provided.


Figure 4. Required ports for SFB load balancing

Note: It is recommended to configure source IP-based persistence and TCP idle timeout of 1800 seconds for all the load balancing virtual services.

Configuration

- Initial Setup
- External and Internal Edge virtual service and pool
- Reverse proxy
- Office Web App

Initial Setup

- Virtual service placement
- Import Front End server certificate
- Front End virtual service and pool

Virtual service placement

Create one Service Engine (SE) group each for reverse proxy (RP), External Edge, Internal Edge, and Front End server. These SE groups are created to place related Skype for Business virtual services into the same SE groups, depending on their role.

Navigate to Applications > Virtual Service > Create Virtual Service > Advanced Setup. Click on Switch to Advanced to specify the virtual service.


Under the Advanced tab, navigate to Other Settings to specify the respective SE group. This step will ensure that an SE does not accommodate virtual services of different Skype for Business roles.

Import Front End server certificate

For the reverse proxy and Office Web App servers, you need to import the certificate. The SSL certificate associated with the virtual service must be the same as the one used by the Front End server. The FQDN of the reverse proxy server must be on the list of the Subject Alternate Name of the certificate.

To import a copy of the Front End server certificate, navigate to Templates > Security > SSL/TLS Certificates > Create.

Choose Root/Intermediate CA Certificate
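A pre-import check for the Subject Alternate Name requirement above, as an added Python example rather than anything from Avi Vantage: it takes a certificate in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()` and reports which required FQDNs its SAN entries do not cover. The host names and the sample certificate are constructed.

```python
def san_matches(pattern, fqdn):
    """Match one SAN DNS entry against an FQDN.

    Comparison is case-insensitive. A wildcard is honoured only as the whole
    left-most label and stands for exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if pattern.startswith("*."):
        head, _, rest = fqdn.partition(".")
        return bool(head) and rest == pattern[2:]
    return False


def missing_from_san(cert, required_fqdns):
    """Return the required FQDNs that no DNS entry of the SAN covers.

    The subject common name is deliberately ignored: only SAN entries count.
    """
    dns_entries = [value for kind, value in cert.get("subjectAltName", ())
                   if kind == "DNS"]
    return [name for name in required_fqdns
            if not any(san_matches(entry, name) for entry in dns_entries)]


# Constructed certificate (getpeercert() layout) and constructed host names.
SAMPLE_CERT = {
    "subject": ((("commonName", "fepool.example.com"),),),
    "subjectAltName": (
        ("DNS", "fepool.example.com"),
        ("DNS", "fe01.example.com"),
        ("DNS", "*.web.example.com"),
    ),
}
REQUIRED = [
    "rp.example.com",          # reverse proxy FQDN (hypothetical)
    "fepool.example.com",      # Front End pool FQDN (hypothetical)
    "meet.web.example.com",    # covered by the wildcard entry
    "a.b.web.example.com",     # two labels deep: a wildcard does not cover it
]

if __name__ == "__main__":
    for name in missing_from_san(SAMPLE_CERT, REQUIRED):
        print("not in SAN:", name)
```

A non-empty result means clients connecting to that name through the virtual service will fail certificate validation, so the certificate should be reissued before it is imported.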


Front End virtual service and pool

One virtual IP address is shared across all the ports. This virtual IP address must be configured as the Skype for Business Front End pool IP in the setup. This IP address is selected at the time of the virtual service creation.

In the virtual IP address section, by toggling the switch from Basic Setup to Advanced Setup, you can see the list of existing virtual services and the respective IP addresses.

Navigate to Applications > Virtual Service > Create Virtual Service > Advanced Setup.


Configure Layer 4 Application Profile with TCP proxy for all ports except for port 80 and 8080 as shown below. Use HTTP load balancing for port 80 and port 8080.

Navigate to Applications > Virtual Service. Click on the Edit option for System-TCP-Proxy under TCP-UDP profile. Set the Idle Duration value to 1800 as shown below. The Idle Duration value is in seconds.


Note: Use TCP health monitor for all ports. Skype for Business Front End server has an option to allow an external load balancer to perform SIP health check on unencrypted SIP port, 5060.

Navigate to Applications > Pools > Create Pool. Provide the pool name, select Load Balance method as Least Connections, and select Persistence as System-Persistence-Client-IP as shown below.

Navigate to Applications > Pools. Choose the pool you created in the previous step. Click on Edit > Settings > Add Active Monitor.


To add Front End server IP addresses or FQDN, navigate to Applications > Pools. Choose the pool that you want to edit and click on the edit option. Navigate to Servers and choose the IP Address, Range, or DNS Name option as shown below.

Follow all the steps mentioned above for all the ports that are described in Figure 4. On completion, you will have 16 virtual services, 16 pools, and 16 health monitors configured.

External and Internal Edge Virtual Service and Pool

Three public virtual IP addresses and one private virtual IP address are required for External and Internal Edge pools, respectively.


The three public IP addresses must be registered as access, web conferencing, and A/V Edge service point in the Skype for Business topology builder.

The internal virtual IP address must be configured as the SFB Edge pool IP address.

Navigate to Applications > Virtual Service > Create Virtual Service > Advanced Setup.

Configure Layer 4 application profile using TCP proxy for all the required ports.

Navigate to Applications > Pools > Create Pool. Provide the pool name, select Load Balance method as Least Connections, and select Persistence as System-Persistence-Client-IP as shown below.


For the virtual service on port 3478, you need to select System-UDP-Fast-Path as TCP/UDP Profile. Click on Applications > Virtual Service > Create Virtual Service and choose the Advanced Setup option as shown below.

Provide the virtual service name, select 3478 as the Service Port option and System-UDP-Fast-Path as the TCP/UDP Profile.

Use UDP health monitor for port 3478 and TCP health monitor for the other ports. The UDP health monitor verifies if the application is listening on a given UDP port. If an ICMP port unreachable message is received, the virtual service associated with the application will be down, otherwise it shows as up. Navigate to Applications > Pools and choose the pool that you want to edit. Click on the edit option available on the right side.

Click on Create Health Monitor as shown below.


Choose UDP type and set the values of the other parameters as shown below.

Follow all the steps mentioned above for all the ports that are described in Figure 4. On completion, you will have 12 virtual services, 12 pools, and 12 new health monitors configured.
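The UDP health monitor rule described above (ICMP port unreachable means down, anything else means up), as an added Python example that is not Avi's implementation. The probe payload, the timeout and the loopback ports used in the demonstration are assumptions.

```python
import socket


def probe_udp(host, port, payload=b"\x00", timeout=1.0):
    """Classify a UDP port the way the text describes.

    Returns "down" when the kernel reports ICMP port unreachable for the
    probe, and "up" for a reply or for silence.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # connect() sends no packet for UDP; it ties the socket to one peer so
        # an ICMP error caused by our datagram is reported on this socket.
        sock.connect((host, port))
        try:
            sock.send(payload)
            sock.recv(2048)
            return "up"        # the application answered
        except ConnectionRefusedError:
            return "down"      # ICMP port unreachable came back
        except socket.timeout:
            return "up"        # silence: no ICMP error within the timeout


def demo():
    """Probe a silent listener and a closed port on loopback (constructed setup)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))      # listening, but never replies
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                           # nothing listens on this port now

    try:
        return {
            "listening": probe_udp("127.0.0.1", open_port, timeout=0.5),
            "closed": probe_udp("127.0.0.1", closed_port, timeout=0.5),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

Because silence counts as up, a firewall that drops the probe or the ICMP reply makes a dead service look healthy; the result only shows that the port is not actively refused.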


Reverse Proxy

Reverse proxy requires one public IP address that is configured as a virtual service's IP address. The connections from clients to the virtual service, and from the virtual service to the servers must all be secure or encrypted. Unlike other Skype for Business virtual servers, the reverse proxy (RP) server must translate incoming port numbers as shown in Figure 4.

In a typical deployment scenario, reverse proxy does not have any direct Layer 2 connectivity to the Front End pool. To implement a similar setup, Avi Controller requires additional configuration, as it assumes that the server is directly accessible by default. This additional configuration includes an SSL profile on a virtual service and a pool and choosing an HTTP profile. With this configuration, HTTPS traffic is decrypted when received and re-encrypted before it is sent to the server. You can configure HTTP security policies based on your organization's requirements.

Note: SSL certificate associated with the virtual service must be the same as the one used by the Front End server. This implies that the reverse proxy FQDN must be listed on the subject alternate name of the certificate.

Click on Applications > Virtual Service > Create Virtual Service. Check the SSL option and change the port value to 4443. Select Service Port as SSL, the default SSL Profile (System Standard) and choose the same SSL Certificate that you created in the Import Server End Certificate section.

Click on Applications > Create Pool. Select Least Connections as Load Balance method and System-Persistence-Client-IP as the Persistence method.


Configure the Skype for Business Front End pool virtual service IP as a member of the pool. Navigate to Applications > Pool and select the pool that you want to edit. Select the Servers option and add the IP address of the Front End server.

Use HTTP health monitor and expect HTTP status code 403 in response for successful health check. Click on Applications > Pools and select the pool for Reverse proxy. Click on the edit option available on the right side and choose the Edit Health Monitor option.


Follow all the steps mentioned above for the other port (Port 80) as described in Figure 4.

Office Web App

Office Web App virtual service requires one public IP address configured as virtual IP address. The connections from clients to the virtual service and from the virtual service to servers must be secure or encrypted.

Configure an SSL Profile on both virtual server and pool and choose an HTTP profile. The HTTPS traffic is decrypted when received and re-encrypted before it is sent to a server. You can configure HTTP security policies based on your organization's requirements.

Note: The SSL certificate associated with the virtual server must be the same as the one used by the Front End server.


Navigate to Applications > Pools > Create Pool. Choose Load Balance option as Least Connections, Persistence as System-Persistence-HTTP Cookie, SSL Profile as System-Standard (default), and SSL Key and Certificate (created in Import Server End Certificate section).

Navigate to Applications > Pool and select the pool that you have created in the previous step. Select the Servers option and add the IP address of the Office Web Apps server.

Click on Applications > Pools and select the pool for the Office Web App servers. Click on the edit option available on the right side of the UI and choose the Edit Health Monitor option. Click on Add Active Monitor and select the type as HTTPS.


Click on the HTTPS Settings in the same window pane for Health Monitor. Select SSL Profile as System-Standard (default). Choose the SSL key and certificate that were created in the Import Server End Certificate section.

Follow all the steps mentioned above for the other port (Port 80) as described in Figure 4.

Verifying the Configuration

Health Monitors

Once all configuration steps are completed, navigate to Templates > Health Monitor to view all the health monitors.


Pools

Navigate to Applications > Pools to verify all the configured pools.


Virtual Services

Navigate to Applications > Pools to check the list of all virtual services created.
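The settings this document recommends (one SE group per Skype for Business role, System-Persistence-Client-IP, an Idle Duration of 1800 on System-TCP-Proxy, HTTP on Front End ports 80 and 8080, System-UDP-Fast-Path on port 3478) can also be checked against an inventory of the virtual services. This is an added Python example, not Avi Networks code; the inventory, its field names and the virtual service names are constructed and are not the Controller's export format.

```python
from collections import defaultdict

# Roles whose pools the document configures with System-Persistence-Client-IP.
CLIENT_IP_ROLES = {"front_end", "external_edge", "internal_edge", "reverse_proxy"}

# Constructed inventory; field names are hypothetical.
SAMPLE = [
    {"name": "fe-443", "role": "front_end", "se_group": "SEG-FrontEnd",
     "port": 443, "app_profile": "L4", "tcp_udp_profile": "System-TCP-Proxy",
     "persistence": "System-Persistence-Client-IP", "idle_timeout": 1800},
    {"name": "fe-8080", "role": "front_end", "se_group": "SEG-FrontEnd",
     "port": 8080, "app_profile": "HTTP", "tcp_udp_profile": "System-TCP-Proxy",
     "persistence": "System-Persistence-Client-IP", "idle_timeout": 1800},
    {"name": "edge-ext-3478", "role": "external_edge", "se_group": "SEG-ExtEdge",
     "port": 3478, "app_profile": "L4", "tcp_udp_profile": "System-TCP-Proxy",
     "persistence": "System-Persistence-Client-IP", "idle_timeout": 1800},
    {"name": "rp-4443", "role": "reverse_proxy", "se_group": "SEG-ExtEdge",
     "port": 4443, "app_profile": "HTTP", "tcp_udp_profile": "System-TCP-Proxy",
     "persistence": "System-Persistence-Client-IP", "idle_timeout": 300},
]


def audit(virtual_services):
    """Return a list of deviations from the document's recommendations."""
    findings = []

    # An SE must not accommodate virtual services of different roles.
    roles_by_group = defaultdict(set)
    for vs in virtual_services:
        roles_by_group[vs["se_group"]].add(vs["role"])
    for group, roles in sorted(roles_by_group.items()):
        if len(roles) > 1:
            findings.append(f"SE group {group} hosts more than one role: {sorted(roles)}")

    for vs in virtual_services:
        name = vs["name"]
        if (vs["role"] in CLIENT_IP_ROLES
                and vs["persistence"] != "System-Persistence-Client-IP"):
            findings.append(f"{name}: persistence is {vs['persistence']}")
        if vs["role"] == "front_end":
            # Front End: HTTP on ports 80 and 8080, Layer 4 everywhere else.
            expected = "HTTP" if vs["port"] in (80, 8080) else "L4"
            if vs["app_profile"] != expected:
                findings.append(f"{name}: application profile is "
                                f"{vs['app_profile']}, expected {expected}")
        if vs["tcp_udp_profile"] == "System-TCP-Proxy" and vs["idle_timeout"] != 1800:
            findings.append(f"{name}: TCP idle timeout is {vs['idle_timeout']}s, "
                            "expected 1800s")
        if vs["port"] == 3478 and vs["tcp_udp_profile"] != "System-UDP-Fast-Path":
            findings.append(f"{name}: port 3478 uses {vs['tcp_udp_profile']}, "
                            "expected System-UDP-Fast-Path")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```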
