DG-Lync 2010 Page 1
Deploying Array Networks APV Application Delivery Controllers
for Microsoft Lync Server 2010
Deployment Guide Mar-2012 rev. III
Table of Contents
1 Introduction .......... 4
1.1 Microsoft Lync Server 2010 .......... 4
1.2 Benefits of Array Networks APV Application Delivery Controller .......... 4
2 Array Networks Solution for Microsoft Lync Server 2010 .......... 6
2.1 Network Topology .......... 6
2.2 Deployment for Lync Server 2010 Roles .......... 8
2.3 High Availability of Lync Server 2010 Roles .......... 9
2.4 Prerequisites & Assumptions .......... 9
2.5 Configuration Requirement Tables .......... 10
2.6 CLI Config Level of Array Networks APV .......... 13
3 Configuring APV for Internal Lync Front End Servers .......... 14
3.1 Defining Real Services .......... 15
3.2 Defining Groups .......... 16
3.3 Adding Real Services to Defined Groups .......... 17
3.4 Defining Virtual Services .......... 18
3.5 Setting the TCP Idle Timeout of the Virtual Services .......... 19
3.6 Binding Virtual Services to Defined Groups .......... 20
4 Configuring APV for Lync Internal Edge Servers .......... 21
4.1 Defining Real Services .......... 22
4.2 Defining Groups .......... 23
4.3 Adding Real Services to Defined Groups .......... 23
4.4 Defining Virtual Services .......... 24
4.5 Setting the TCP Idle Timeout of the Virtual Services .......... 24
4.6 Binding Virtual Services to Defined Groups .......... 25
5 Configuring APV for Lync External Edge Servers .......... 26
5.1 Defining Real Services .......... 27
5.2 Defining Groups .......... 27
5.3 Adding Real Services to Defined Groups .......... 28
5.4 Defining Virtual Services .......... 28
5.5 Setting the TCP Idle Timeout of the Virtual Services .......... 29
5.6 Binding Virtual Services to Defined Groups .......... 29
6 Configuring APV for Communicator Web Access (CWA) .......... 30
6.1 CWA Deployment .......... 30
6.2 Prerequisites and Configuration Notes .......... 30
6.3 Array Networks APV Advantages and Network Topology for CWA .......... 31
6.4 Defining Real Services .......... 34
6.5 Defining Groups .......... 34
6.6 Adding Real Services to Defined Groups .......... 35
6.7 Defining Virtual Services .......... 35
6.8 Setting the TCP Idle Timeout of the Virtual Services .......... 35
6.9 Binding Virtual Services to Defined Groups .......... 36
6.10 Configuring APV for Secure Sockets Layer (SSL) Offload .......... 36
6.10.1 Using SSL Certificates and Keys .......... 36
6.10.2 Importing Keys and Certificates .......... 37
6.10.3 Disabling Certificate Verification .......... 37
6.10.4 Creating an SSL Host and Binding It to the Virtual Service .......... 37
6.10.5 Starting the SSL Offload .......... 37
6.10.6 Creating an SSL Host and Binding It to Real Services .......... 37
6.10.7 Starting the SSL Offload .......... 38
7 Summary .......... 39
Appendix I Abbreviations and Acronyms .......... 40
Appendix II Reference Topology Recommended by Microsoft .......... 41
1 Introduction
1.1 Microsoft Lync Server 2010
Microsoft Lync Server 2010 was released in November 2010 as the successor to Microsoft Office Communications Server 2007 R2, commonly known as OCS. Microsoft Lync Server 2010 is an integral component of Microsoft’s Unified Communications platform and makes it much easier for people to communicate, regardless of their location.
Microsoft Lync Server 2010:
• Features a unified management platform and single management infrastructure.
• Provides a client application that offers rich presence information, file transfer, instant messaging as well as voice and video communications within a single organization.
• Ensures that users get an experience that is consistent and familiar across computers, mobile phones, and IE browsers.
• Delivers new capabilities to increase availability and interoperability with existing systems.
• Is easy to use and works closely with familiar tools including Microsoft SharePoint and Microsoft Outlook, and drives user adoption with powerful features and a streamlined communications experience.
• Meets customer demand for communications tools that make work easier and are available anywhere and anytime, including within the context of other applications.
For more information about Microsoft Lync Server 2010, visit:
http://technet.microsoft.com/en-us/library/gg398616.aspx
1.2 Benefits of Array Networks APV Application Delivery Controller
The real-time nature of services provided by Microsoft Lync Server 2010, combined with the business-critical status of the underlying software applications, requires high reliability for IT departments implementing Microsoft Lync Server 2010.
Array Networks APV Application Delivery Controllers (referred to as Array Networks APVs or the APVs hereinafter) provide a strategic point of control for optimizing the availability, security and performance of enterprise applications, IP data services and data center equipment. Leveraging robust distribution algorithms, health check mechanisms and failover capabilities, Array Networks APVs maintain connections, ensure persistence, direct traffic away from failed data centers, and intelligently distribute application services between multiple nodes and locations for optimized performance and availability.
Array Networks APVs make certain that both end users and administrators obtain the optimal user experience by creating a highly available and scalable platform that achieves the highest levels of reliability through network optimization. Unified client applications are more responsive when supported by Array Networks APVs because application health monitoring, intelligent load balancing, and refined network optimization ensure the most reliable delivery of Microsoft Lync services.
Advantages for enterprises supported by Array Networks APVs:
Scalability
Enterprises can provide Lync services to a large number of employees, load balancing each client to the most suitable Lync server at any given point in time.
High Availability
Lync services provide guaranteed uptime even if a Lync Server goes offline or into maintenance mode.
High Performance
End users are able to access their Lync applications faster due to multiple Lync server optimizations such as HTTP compression.
Security
Services are protected from malicious traffic such as DDoS attacks.
Flexibility
All Lync server accessibility to IM, conferencing, desktop sharing, presence, and voice is optimized with a transparent load balancer.
2 Array Networks Solution for Microsoft Lync Server 2010
This deployment guide contains step-by-step configuration procedures for configuring the APV to support Microsoft Lync Server 2010.
2.1 Network Topology
Based on the reference topology recommended by Microsoft (see Appendix II), Figure 2-1 shows the network topology designed to support internal and external users with highly available voice, IM, desktop sharing, and conferencing communications.
Figure 2-1 Array Networks Load Balancing Solution for Microsoft Lync Server 2010
The network topology is deployed with two servers in each application pool and additional servers can be added to the topology as required. The server to be added should possess the same server role configuration as the other servers in the application pool.
Alternatively, you can employ a single APV for all internal and external Lync Server 2010 services and this APV can also work as the reverse proxy. In this way, the APVs and reverse proxy in Figure 2-1 are integrated into one APV.
Figure 2-2 illustrates the logical diagram of the networking where one APV works as the reverse proxy and is used for internal edge servers, external edge servers, and front end servers.
Figure 2-2 Logical Diagram of One APV for All Internal and External Lync Server 2010 Services
2.2 Deployment for Lync Server 2010 Roles
The Lync server solution has multiple servers, whose roles are as follows:
Front End Server (Lync Servers) — Front end servers provide such functions as user authentication, registration, presence, IM, web conferencing, and application sharing. Front end servers also provide the address book service and distribution list expansion. These servers are provisioned in a front end pool and configured identically to provide scalability and failover capability to Lync users. The front end servers, along with the back end servers that provide the database, are the only server roles required in any Lync Server Enterprise Edition deployment.
Back End Server — A back end server is a Microsoft SQL server that provides database services for the front end pool. The information stored in the SQL server includes user contact lists, presence information, and conferencing details. The SQL server can be configured as a single back end server; however, a cluster of two or more servers is recommended for failover.
Edge Server — The edge server enables the users to communicate and collaborate with users outside an organization’s firewalls. These external users include the organization’s own users who are currently working offsite, users from federated partner organizations, and outside users who have been invited to join conferences hosted on your Lync Server deployment. The edge server also enables connectivity to public IM connectivity services, including Windows Live, AOL, and Yahoo!.
Director — Directors can be used to authenticate Lync Server user requests, but do not home user accounts or provide presence or conferencing services. Directors are most useful in deployments that enable external user access, where the director can authenticate requests before sending them on to internal servers. Directors can also improve performance in organizations with multiple front end pools.
Reverse Proxy — The reverse proxy is required for multiple services such as to allow users to connect to meetings or dial-in conferences using simple URLs, to enable external users to download meeting content, and to allow a user to obtain a user-based certificate for client certificate based authentication.
Communicator Web Access (CWA) Server — The CWA allows users who do not have the Lync Client to use Lync Server services such as IM, presence, audio conferencing, and desktop sharing. CWA is an extension of Lync Server and cannot be run separately.
Audio Video (AV) Conferencing Server — An AV conferencing server provides the AV conferencing function to the Lync solution.
Monitoring Server — The monitoring server collects data about the quality of the network media, in both Enterprise Voice calls and A/V conferences. This information can help to provide the best possible media experience for the users.
Archiving Server — The archiving server enables archiving of IM communications and meeting content for compliance reasons.
2.3 High Availability of Lync Server 2010 Roles
With the exception of the Archiving and Monitoring roles and the standard edition server, all other Lync server roles can be deployed for high availability.
2.4 Prerequisites & Assumptions
It is assumed that the reader of this deployment guide is a network administrator or a person otherwise familiar with networking and general computer terminology.
This deployment guide is based on the following conditions:
• The APV must be running ArrayOS™ version 8.x or later.
• Access to the APV is established.
• The APV is already installed in the network with management IP, interface IP, VLANs, and default gateway configured.
• Testing was performed with Microsoft Lync Server 2010 Enterprise Server and the 64-bit Microsoft SQL Server Enterprise Edition version 2008 R2.
• Lync clients are running the Windows 7 operating system.
All configuration procedures in this document are performed on the APV. For information about how to deploy or configure Microsoft Lync Server 2010, refer to Microsoft documents.
2.5 Configuration Requirement Tables
The following tables list the internal front end, internal edge, and external edge services required for Microsoft Lync Server 2010 deployment.
Table 1: Internal Front End Services

Server Role | Port | VS Protocol | Feature Templates | Usage
Lync front end servers | 135 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For DCOM-based operations such as mobile users, address book synchronization, and user replicator synchronization.
Lync front end servers | 443 | TCP | SLB algorithm: pi and lc; Health check: TCP | For communication from front end servers to the web farm FQDNs, which are the URLs used by IIS web components.
Lync front end servers | 444 | TCP | SLB algorithm: pi and lc; Health check: TCP | For communication between Lync Server components, which manage the conference status and individual servers.
Lync front end servers | 4443 | HTTPS | SLB algorithm: ic; Health check: TCP | External access using port 443 is converted to access using port 4443.
Lync front end servers | 5061 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | Front end pools for all internal SIP communications between servers (by MTLS), for SIP communication between server and client (by TLS), and for SIP communication between front end servers and Mediation Servers (by MTLS).
Table 2: Optional Internal Front End Services

Server Role | Port | VS Protocol | Feature Templates | Usage Notes
Lync front end servers | 5060 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For front end servers for static routes to trusted services.
Lync front end servers | 5065 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For incoming SIP requests for application sharing.
Lync front end servers | 5071 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For incoming SIP requests for the response group application.
Lync front end servers | 5072 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For incoming SIP requests for Microsoft Lync 2010 Attendant (dial-in conferencing).
Lync front end servers | 5073 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For incoming SIP requests for the Lync Server conferencing announcement service.
Lync front end servers | 5075 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For incoming SIP requests for the call park application.
Table 3: Services for the Internal Edge

Server Role | Port | VS Protocol | Feature Templates | Usage Notes
Internal edge server | 443 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For communications to the internal edge server farm FQDN that is used by web components.
Internal edge server | 3478 | UDP | SLB algorithm: pi and lc; Health check: ICMP | Preferred path for media transfer between internal and external users (by UDP).
Internal edge server | 5061 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For external ports for SIP/MTLS communications for federation or remote user access.
Internal edge server | 5062 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For authentication of AV users.
Internal edge server | 8057 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For outgoing PSOM traffic to the web conferencing server.
Table 4: Services for the External Edge

Server Role | Port | VS Protocol | Feature Templates | Usage Notes
External edge — access, WebConf, AV | 443 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | For external ports for SIP/TLS communications for remote user access, accessing all internal media communications.
External edge — AV | 3478 | UDP | SLB algorithm: pi and lc; Health check: ICMP | For external ports for STUN/UDP inbound and outbound media resources.
External edge — access | 5061 | TCP | SLB algorithm: pi and lc; TCP idle timeout: 1200; Health check: TCP | Port for external SIP/MTLS communication for remote user access and federation.
2.6 CLI Config Level of Array Networks APV
Two methods are available to configure an APV:
Command Line Interface (CLI) — Text-based interface in which users type commands.
Web User Interface (WebUI) — Web-based interface in which users configure or manage the APV by typing or selecting values on configuration or management pages.
In this guide, the CLI is adopted to describe APV configurations.
The APV provides three levels for global configuration and access to the ArrayOS — User, Enable, and Config. Each level is designated by a unique prompt, which consists of the host name of the APV followed by “>”, “#”, or “(config)#”.
To configure the APV or change configurations, you must obtain the Config level.
To obtain the Config level, do as follows:
1. On a PC connected to a network that can access the APV configuration interface, open an SSH connection to the IP address of the management interface.
2. If the user name and password are valid, the command prompt for the User level of the CLI appears:
   AN>
3. Run the enable command to obtain the Enable level. At the "Enable password:" prompt, type the enable password as blank, that is, directly press Enter. If the AN# prompt appears, the Enable level is obtained.
   AN>enable
   Enable password:
   AN#
4. Type the config terminal command to obtain the Config level. If the AN(config)# prompt appears, the Config level is obtained.
   AN#config terminal
   AN(config)#
3 Configuring APV for Internal Lync Front End Servers
A site can consist of one or more application pools, each containing one or several Lync servers. Dedicated services such as AV conferencing and IM (front end) run within each pool. A front end server pool is a collection of Lync servers that process basic IM, presence, and collaboration requests. All servers in a pool must run the same services, so that the failure of a single server does not affect the pool. Based on Figure 2-1, Figure 3-1 illustrates the appliances involved in APV configurations for internal Lync front end servers.
Figure 3-1 Internal Front End Server Topology
The following sections describe how to configure the APV for the internal Lync front end servers.
3.1 Defining Real Services
Front End Server 1 Settings
Real Service IP Address Port Protocol
FE135_1 10.3.0.42 135 TCP
FE443_1 10.3.0.42 443 TCP
FE444_1 10.3.0.42 444 TCP
FE5060_1 10.3.0.42 5060 TCP
FE5061_1 10.3.0.42 5061 TCP
FE5065_1 10.3.0.42 5065 TCP
FE5071_1 10.3.0.42 5071 TCP
FE5072_1 10.3.0.42 5072 TCP
FE5073_1 10.3.0.42 5073 TCP
FE5075_1 10.3.0.42 5075 TCP
Front End Server 2 Settings
Real Service IP Address Port Protocol
FE135_2 10.3.0.43 135 TCP
FE443_2 10.3.0.43 443 TCP
FE444_2 10.3.0.43 444 TCP
FE5060_2 10.3.0.43 5060 TCP
FE5061_2 10.3.0.43 5061 TCP
FE5065_2 10.3.0.43 5065 TCP
FE5071_2 10.3.0.43 5071 TCP
FE5072_2 10.3.0.43 5072 TCP
FE5073_2 10.3.0.43 5073 TCP
FE5075_2 10.3.0.43 5075 TCP
At the AN(config)# prompt, type:
slb real tcp FE135_1 10.3.0.42 135 1000 tcp 3 3
slb real tcp FE443_1 10.3.0.42 443 1000 tcp 3 3
slb real tcp FE444_1 10.3.0.42 444 1000 tcp 3 3
slb real tcp FE5060_1 10.3.0.42 5060 1000 tcp 3 3
slb real tcp FE5061_1 10.3.0.42 5061 1000 tcp 3 3
slb real tcp FE5065_1 10.3.0.42 5065 1000 tcp 3 3
slb real tcp FE5071_1 10.3.0.42 5071 1000 tcp 3 3
slb real tcp FE5072_1 10.3.0.42 5072 1000 tcp 3 3
slb real tcp FE5073_1 10.3.0.42 5073 1000 tcp 3 3
slb real tcp FE5075_1 10.3.0.42 5075 1000 tcp 3 3
slb real tcp FE135_2 10.3.0.43 135 1000 tcp 3 3
slb real tcp FE443_2 10.3.0.43 443 1000 tcp 3 3
slb real tcp FE444_2 10.3.0.43 444 1000 tcp 3 3
slb real tcp FE5060_2 10.3.0.43 5060 1000 tcp 3 3
slb real tcp FE5061_2 10.3.0.43 5061 1000 tcp 3 3
slb real tcp FE5065_2 10.3.0.43 5065 1000 tcp 3 3
slb real tcp FE5071_2 10.3.0.43 5071 1000 tcp 3 3
slb real tcp FE5072_2 10.3.0.43 5072 1000 tcp 3 3
slb real tcp FE5073_2 10.3.0.43 5073 1000 tcp 3 3
slb real tcp FE5075_2 10.3.0.43 5075 1000 tcp 3 3
3.2 Defining Groups
Group Definition
Group SLB Algorithm
g_FE135 pi and lc
g_FE443 pi and lc
g_FE444 pi and lc
g_FE5060 pi and lc
g_FE5061 pi and lc
g_FE5065 pi and lc
g_FE5071 pi and lc
g_FE5072 pi and lc
g_FE5073 pi and lc
g_FE5075 pi and lc
At the AN(config)# prompt, type:
slb group method g_FE135 pi 32 lc 10
slb group method g_FE443 pi 32 lc 10
slb group method g_FE444 pi 32 lc 10
slb group method g_FE5060 pi 32 lc 10
slb group method g_FE5061 pi 32 lc 10
slb group method g_FE5065 pi 32 lc 10
slb group method g_FE5071 pi 32 lc 10
slb group method g_FE5072 pi 32 lc 10
slb group method g_FE5073 pi 32 lc 10
slb group method g_FE5075 pi 32 lc 10
3.3 Adding Real Services to Defined Groups
Group Settings
Group Member
g_FE135 FE135_1 FE135_2
g_FE443 FE443_1 FE443_2
g_FE444 FE444_1 FE444_2
g_FE5060 FE5060_1 FE5060_2
g_FE5061 FE5061_1 FE5061_2
g_FE5065 FE5065_1 FE5065_2
g_FE5071 FE5071_1 FE5071_2
g_FE5072 FE5072_1 FE5072_2
g_FE5073 FE5073_1 FE5073_2
g_FE5075 FE5075_1 FE5075_2
At the AN(config)# prompt, type:
slb group member g_FE135 FE135_1 1 0
slb group member g_FE443 FE443_1 1 0
slb group member g_FE444 FE444_1 1 0
slb group member g_FE5060 FE5060_1 1 0
slb group member g_FE5061 FE5061_1 1 0
slb group member g_FE5065 FE5065_1 1 0
slb group member g_FE5071 FE5071_1 1 0
slb group member g_FE5072 FE5072_1 1 0
slb group member g_FE5073 FE5073_1 1 0
slb group member g_FE5075 FE5075_1 1 0
slb group member g_FE135 FE135_2 1 0
slb group member g_FE443 FE443_2 1 0
slb group member g_FE444 FE444_2 1 0
slb group member g_FE5060 FE5060_2 1 0
slb group member g_FE5061 FE5061_2 1 0
slb group member g_FE5065 FE5065_2 1 0
slb group member g_FE5071 FE5071_2 1 0
slb group member g_FE5072 FE5072_2 1 0
slb group member g_FE5073 FE5073_2 1 0
slb group member g_FE5075 FE5075_2 1 0
3.4 Defining Virtual Services
Virtual Service Definition
Virtual Service Virtual IP Address Port Protocol
v_FE135 10.8.6.32 135 TCP
v_FE443 10.8.6.32 443 TCP
v_FE444 10.8.6.32 444 TCP
v_FE5060 10.8.6.32 5060 TCP
v_FE5061 10.8.6.32 5061 TCP
v_FE5065 10.8.6.32 5065 TCP
v_FE5071 10.8.6.32 5071 TCP
v_FE5072 10.8.6.32 5072 TCP
v_FE5073 10.8.6.32 5073 TCP
v_FE5075 10.8.6.32 5075 TCP
At the AN(config)# prompt, type:
slb virtual tcp v_FE135 10.8.6.32 135 arp 0
slb virtual tcp v_FE443 10.8.6.32 443 arp 0
slb virtual tcp v_FE444 10.8.6.32 444 arp 0
slb virtual tcp v_FE5060 10.8.6.32 5060 arp 0
slb virtual tcp v_FE5061 10.8.6.32 5061 arp 0
slb virtual tcp v_FE5065 10.8.6.32 5065 arp 0
slb virtual tcp v_FE5071 10.8.6.32 5071 arp 0
slb virtual tcp v_FE5072 10.8.6.32 5072 arp 0
slb virtual tcp v_FE5073 10.8.6.32 5073 arp 0
slb virtual tcp v_FE5075 10.8.6.32 5075 arp 0
3.5 Setting the TCP Idle Timeout of the Virtual Services
Virtual Service Settings
Virtual Service TCP Idle Timeout
v_FE135 1200
v_FE443 1200
v_FE444 1200
v_FE5060 1200
v_FE5061 1200
v_FE5065 1200
v_FE5071 1200
v_FE5072 1200
v_FE5073 1200
v_FE5075 1200
At the AN(config)# prompt, type:
slb timeout v_FE135 1200
slb timeout v_FE443 1200
slb timeout v_FE444 1200
slb timeout v_FE5060 1200
slb timeout v_FE5061 1200
slb timeout v_FE5065 1200
slb timeout v_FE5071 1200
slb timeout v_FE5072 1200
slb timeout v_FE5073 1200
slb timeout v_FE5075 1200
Note: The TCP idle timeout value should be greater than or equal to the timeout value set in Microsoft Lync. The TCP idle timeout value is given in seconds.
3.6 Binding Virtual Services to Defined Groups
Binding Relationship
Virtual Service Group
v_FE135 g_FE135
v_FE443 g_FE443
v_FE444 g_FE444
v_FE5060 g_FE5060
v_FE5061 g_FE5061
v_FE5065 g_FE5065
v_FE5071 g_FE5071
v_FE5072 g_FE5072
v_FE5073 g_FE5073
v_FE5075 g_FE5075
At the AN(config)# prompt, type:
slb policy default v_FE135 g_FE135
slb policy default v_FE443 g_FE443
slb policy default v_FE444 g_FE444
slb policy default v_FE5060 g_FE5060
slb policy default v_FE5061 g_FE5061
slb policy default v_FE5065 g_FE5065
slb policy default v_FE5071 g_FE5071
slb policy default v_FE5072 g_FE5072
slb policy default v_FE5073 g_FE5073
slb policy default v_FE5075 g_FE5075
--End
4 Configuring APV for Lync Internal Edge Servers
Figure 4-1 illustrates the appliances involved in APV configurations for Lync internal edge servers.
Figure 4-1 Internal Edge Server Topology
The following sections describe how to configure the APV for the Lync internal edge servers.
4.1 Defining Real Services
Internal Edge Server 1 Settings
Real Service IP Address Port Protocol
in_Edge443_1 10.3.0.39 443 TCP
in_Edge3478_1 10.3.0.39 3478 UDP
in_Edge5061_1 10.3.0.39 5061 TCP
in_Edge5062_1 10.3.0.39 5062 TCP
in_Edge8057_1 10.3.0.39 8057 TCP
Internal Edge Server 2 Settings
Real Service IP Address Port Protocol
in_Edge443_2 10.3.0.44 443 TCP
in_Edge3478_2 10.3.0.44 3478 UDP
in_Edge5061_2 10.3.0.44 5061 TCP
in_Edge5062_2 10.3.0.44 5062 TCP
in_Edge8057_2 10.3.0.44 8057 TCP
At the AN(config)# prompt, type:
slb real tcp in_Edge443_1 10.3.0.39 443 1000 tcp 3 3
slb real tcp in_Edge5061_1 10.3.0.39 5061 1000 tcp 3 3
slb real tcp in_Edge5062_1 10.3.0.39 5062 1000 tcp 3 3
slb real tcp in_Edge8057_1 10.3.0.39 8057 1000 tcp 3 3
slb real tcp in_Edge443_2 10.3.0.44 443 1000 tcp 3 3
slb real tcp in_Edge5061_2 10.3.0.44 5061 1000 tcp 3 3
slb real tcp in_Edge5062_2 10.3.0.44 5062 1000 tcp 3 3
slb real tcp in_Edge8057_2 10.3.0.44 8057 1000 tcp 3 3
slb real udp in_Edge3478_1 10.3.0.39 3478 1000 3 3 60 icmp
slb real udp in_Edge3478_2 10.3.0.44 3478 1000 3 3 60 icmp
4.2 Defining Groups
Group Definition
Group SLB Algorithm
g_IN443 pi and lc
g_IN3478 pi and lc
g_IN5061 pi and lc
g_IN5062 pi and lc
g_IN8057 pi and lc
At the AN(config)# prompt, type:
slb group method g_IN443 pi 32 lc 10
slb group method g_IN3478 pi 32 lc 10
slb group method g_IN5061 pi 32 lc 10
slb group method g_IN5062 pi 32 lc 10
slb group method g_IN8057 pi 32 lc 10
4.3 Adding Real Services to Defined Groups
Group Settings
Group Member
g_IN443 in_Edge443_1 in_Edge443_2
g_IN3478 in_Edge3478_1 in_Edge3478_2
g_IN5061 in_Edge5061_1 in_Edge5061_2
g_IN5062 in_Edge5062_1 in_Edge5062_2
g_IN8057 in_Edge8057_1 in_Edge8057_2
At the AN(config)# prompt, type:
slb group member g_IN443 in_Edge443_1
slb group member g_IN3478 in_Edge3478_1
slb group member g_IN5061 in_Edge5061_1
slb group member g_IN5062 in_Edge5062_1
slb group member g_IN8057 in_Edge8057_1
slb group member g_IN443 in_Edge443_2
slb group member g_IN3478 in_Edge3478_2
slb group member g_IN5061 in_Edge5061_2
slb group member g_IN5062 in_Edge5062_2
slb group member g_IN8057 in_Edge8057_2
4.4 Defining Virtual Services
Virtual Service Definition
Virtual Service Virtual IP Address Port Protocol
v_IN443 10.8.6.33 443 TCP
v_IN3478 10.8.6.33 3478 UDP
v_IN5061 10.8.6.33 5061 TCP
v_IN5062 10.8.6.33 5062 TCP
v_IN8057 10.8.6.33 8057 TCP
At the AN(config)# prompt, type:
slb virtual tcp v_IN443 10.8.6.33 443 arp 0
slb virtual tcp v_IN5061 10.8.6.33 5061 arp 0
slb virtual tcp v_IN5062 10.8.6.33 5062 arp 0
slb virtual tcp v_IN8057 10.8.6.33 8057 arp 0
slb virtual udp v_IN3478 10.8.6.33 3478 arp 0
4.5 Setting the TCP Idle Timeout of the Virtual Services
Virtual Service Settings
Virtual Service TCP Idle Timeout
v_IN443 1200
v_IN5061 1200
v_IN5062 1200
v_IN8057 1200
At the AN(config)# prompt, type: slb timeout v_IN443 1200 slb timeout v_IN5061 1200 slb timeout v_IN5062 1200 slb timeout v_IN8057 1200
Note: The TCP idle timeout value should be greater than or equal to the timeout value set in
Microsoft Lync.
The unit of the TCP idle timeout value is second.
DG-Lync 2010 Page 25
4.6 Binding Virtual Services to Defined Groups
Binding Relationship

Virtual Service   Group
v_IN443           g_IN443
v_IN3478          g_IN3478
v_IN5061          g_IN5061
v_IN5062          g_IN5062
v_IN8057          g_IN8057

At the AN(config)# prompt, type:
slb policy default v_IN443 g_IN443
slb policy default v_IN3478 g_IN3478
slb policy default v_IN5061 g_IN5061
slb policy default v_IN5062 g_IN5062
slb policy default v_IN8057 g_IN8057
--End
5 Configuring APV for Lync External Edge Servers
Figure 5-1 illustrates the appliances involved in APV configurations for Lync external edge servers.
Figure 5-1 External Edge Server Topology
The following sections describe how to configure the APV for the Lync external edge servers.
5.1 Defining Real Services
External Edge Server 1 Settings

Real Service    IP Address   Port   Protocol
ex_Edge443_1    10.8.0.241   443    TCP
ex_Edge3478_1   10.8.0.241   3478   UDP
ex_Edge5061_1   10.8.0.241   5061   TCP

External Edge Server 2 Settings

Real Service    IP Address   Port   Protocol
ex_Edge443_2    10.8.0.242   443    TCP
ex_Edge3478_2   10.8.0.242   3478   UDP
ex_Edge5061_2   10.8.0.242   5061   TCP

At the AN(config)# prompt, type:
slb real tcp ex_Edge443_1 10.8.0.241 443 1000 tcp 3 3
slb real tcp ex_Edge5061_1 10.8.0.241 5061 1000 tcp 3 3
slb real tcp ex_Edge443_2 10.8.0.242 443 1000 tcp 3 3
slb real tcp ex_Edge5061_2 10.8.0.242 5061 1000 tcp 3 3
slb real udp ex_Edge3478_1 10.8.0.241 3478 1000 3 3 60 icmp
slb real udp ex_Edge3478_2 10.8.0.242 3478 1000 3 3 60 icmp
5.2 Defining Groups
Group Definition

Group       SLB Algorithm
g_EX443     pi and lc
g_EX3478    pi and lc
g_EX5061    pi and lc

At the AN(config)# prompt, type:
slb group method g_EX443 pi 32 lc 10
slb group method g_EX3478 pi 32 lc 10
slb group method g_EX5061 pi 32 lc 10
5.3 Adding Real Services to Defined Groups
Group Settings

Group       Members
g_EX443     ex_Edge443_1, ex_Edge443_2
g_EX3478    ex_Edge3478_1, ex_Edge3478_2
g_EX5061    ex_Edge5061_1, ex_Edge5061_2

At the AN(config)# prompt, type:
slb group member g_EX443 ex_Edge443_1
slb group member g_EX3478 ex_Edge3478_1
slb group member g_EX5061 ex_Edge5061_1
slb group member g_EX443 ex_Edge443_2
slb group member g_EX3478 ex_Edge3478_2
slb group member g_EX5061 ex_Edge5061_2
5.4 Defining Virtual Services
Virtual Service Definition

Virtual Service   Virtual IP Address   Port   Protocol
v_EX443           10.8.6.34            443    TCP
v_EX3478          10.8.6.34            3478   UDP
v_EX5061          10.8.6.34            5061   TCP

At the AN(config)# prompt, type:
slb virtual tcp v_EX443 10.8.6.34 443 arp 0
slb virtual tcp v_EX5061 10.8.6.34 5061 arp 0
slb virtual udp v_EX3478 10.8.6.34 3478 arp 0
5.5 Setting the TCP Idle Timeout of the Virtual Services
Virtual Service Settings

Virtual Service   TCP Idle Timeout
v_EX443           1200
v_EX5061          1200

At the AN(config)# prompt, type:
slb timeout v_EX443 1200
slb timeout v_EX5061 1200

Note: The TCP idle timeout value should be greater than or equal to the timeout value set in Microsoft Lync. The TCP idle timeout value is expressed in seconds.
5.6 Binding Virtual Services to Defined Groups
Binding Relationship

Virtual Service   Group
v_EX443           g_EX443
v_EX3478          g_EX3478
v_EX5061          g_EX5061

At the AN(config)# prompt, type:
slb policy default v_EX443 g_EX443
slb policy default v_EX3478 g_EX3478
slb policy default v_EX5061 g_EX5061
--End
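Sections 4.1 to 4.6 and 5.1 to 5.6 build each deployment in the same order: real services, groups, group members, virtual services, idle timeouts, and finally the default policy that binds each virtual service to its group. A forgotten step in that chain (a virtual service with no policy, a group with no members, a TCP virtual service whose timeout is shorter than the Lync-side value) is easy to miss when the commands are typed by hand. The following Python script is an added example, not part of this guide and not an Array Networks tool: it parses the `slb` command lines exactly as they appear in section 5 and reports inconsistencies between them. The embedded sample is the section 5 external edge configuration, constructed with two deliberate faults (v_EX5061 never bound to g_EX5061, and v_EX443 given a 600-second timeout) so that the checks have something to report; the 1200-second Lync-side timeout is an assumption for the comparison.

```python
"""Consistency checks over an Array APV 'slb' configuration (added example).

Reads the CLI lines from sections 5.1 to 5.6 and verifies that real services,
groups, members, virtual services, timeouts and default policies agree.
This is not APV code; it only inspects the command text.
"""
from collections import defaultdict

# Constructed sample: the section 5 configuration with two deliberate faults:
#   - v_EX5061 is never bound to g_EX5061 (missing 'slb policy default')
#   - v_EX443 gets a 600 s idle timeout, below the assumed Lync timeout
SAMPLE_CONFIG = """
slb real tcp ex_Edge443_1 10.8.0.241 443 1000 tcp 3 3
slb real tcp ex_Edge5061_1 10.8.0.241 5061 1000 tcp 3 3
slb real tcp ex_Edge443_2 10.8.0.242 443 1000 tcp 3 3
slb real tcp ex_Edge5061_2 10.8.0.242 5061 1000 tcp 3 3
slb real udp ex_Edge3478_1 10.8.0.241 3478 1000 3 3 60 icmp
slb real udp ex_Edge3478_2 10.8.0.242 3478 1000 3 3 60 icmp
slb group method g_EX443 pi 32 lc 10
slb group method g_EX3478 pi 32 lc 10
slb group method g_EX5061 pi 32 lc 10
slb group member g_EX443 ex_Edge443_1
slb group member g_EX3478 ex_Edge3478_1
slb group member g_EX5061 ex_Edge5061_1
slb group member g_EX443 ex_Edge443_2
slb group member g_EX3478 ex_Edge3478_2
slb group member g_EX5061 ex_Edge5061_2
slb virtual tcp v_EX443 10.8.6.34 443 arp 0
slb virtual tcp v_EX5061 10.8.6.34 5061 arp 0
slb virtual udp v_EX3478 10.8.6.34 3478 arp 0
slb timeout v_EX443 600
slb timeout v_EX5061 1200
slb policy default v_EX443 g_EX443
slb policy default v_EX3478 g_EX3478
"""

LYNC_TIMEOUT_SECONDS = 1200  # assumed Lync-side timeout, not a value from the guide


def parse_slb(text):
    """Collect the objects defined by 'slb ...' lines into one dictionary."""
    cfg = {"real": {}, "group": {}, "member": defaultdict(list),
           "virtual": {}, "timeout": {}, "policy": {}}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "slb":
            continue
        kind = parts[1]
        if kind == "real":                      # slb real <proto> <name> <ip> <port> ...
            proto, name, ip, port = parts[2:6]
            cfg["real"][name] = (proto, ip, int(port))
        elif kind == "group" and parts[2] == "method":
            cfg["group"][parts[3]] = parts[4:]  # method tokens, e.g. pi 32 lc 10
        elif kind == "group" and parts[2] == "member":
            cfg["member"][parts[3]].append(parts[4])
        elif kind == "virtual":                 # slb virtual <proto> <name> <ip> <port> ...
            proto, name, ip, port = parts[2:6]
            cfg["virtual"][name] = (proto, ip, int(port))
        elif kind == "timeout":                 # slb timeout <vs> <seconds>
            cfg["timeout"][parts[2]] = int(parts[3])
        elif kind == "policy" and parts[2] == "default":
            cfg["policy"][parts[3]] = parts[4]  # virtual service -> group
    return cfg


def check(cfg, lync_timeout):
    """Return human-readable findings; an empty list means the config is consistent."""
    findings = []
    for grp, members in cfg["member"].items():
        if grp not in cfg["group"]:
            findings.append(f"group {grp} has members but no 'slb group method'")
        for m in members:
            if m not in cfg["real"]:
                findings.append(f"member {m} of {grp} is not a defined real service")
    for grp in cfg["group"]:
        if not cfg["member"].get(grp):
            findings.append(f"group {grp} has no members")
    for vs, (proto, _ip, port) in cfg["virtual"].items():
        grp = cfg["policy"].get(vs)
        if grp is None:
            findings.append(f"virtual service {vs} is not bound to any group")
        else:
            for m in cfg["member"].get(grp, []):
                rproto, _rip, rport = cfg["real"].get(m, (None, None, None))
                if (rproto, rport) != (proto, port):
                    findings.append(f"{vs} ({proto}/{port}) is bound to {grp} whose "
                                    f"member {m} is {rproto}/{rport}")
        if proto == "tcp":  # the guide sets idle timeouts on TCP virtual services only
            t = cfg["timeout"].get(vs)
            if t is None:
                findings.append(f"{vs}: no TCP idle timeout set")
            elif t < lync_timeout:
                findings.append(f"{vs}: TCP idle timeout {t} s is below the Lync "
                                f"timeout of {lync_timeout} s")
    return findings


def audit(text=SAMPLE_CONFIG, lync_timeout=LYNC_TIMEOUT_SECONDS):
    return check(parse_slb(text), lync_timeout)


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

Run against the sample it reports the short v_EX443 timeout and the unbound v_EX5061; paste the real `show run` output from the APV in place of SAMPLE_CONFIG to check a live configuration before cutting traffic over.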
6 Configuring APV for Communicator Web Access (CWA)
6.1 CWA Deployment
CWA servers can be deployed as follows:
• As a single server, supporting up to 5000 users, for both internal and external users
• As two servers – one for internal users and one for external users
• As an array of load-balanced servers, supporting internal and external users
  o A single load balancer is required
• As two separate load-balanced arrays of servers – one for internal and one for external users
  o May be supported with a single load balancer or two separate ones
6.2 Prerequisites and Configuration Notes
The requirements for load balancing CWA servers are as follows:
• Session affinity must be supported and enabled on the load balancer. Once a CWA session begins, it must always continue with the same server that it began with. Session affinity ensures this.
• Cookie persistence when configuring Session Affinity must be used. Using cookie persistence, information about the CWA session is stored on the client’s computer.
• SSL acceleration should be supported by the load balancer. By having the load balancer decrypt HTTPS transmissions before they are sent to the CWA server, performance can be noticeably improved.
• A dedicated load balancer should be used for CWA servers. For performance reasons it is not recommended that the same load balancer be used for CWA and Lync Server.
The requirement for the reverse proxy is as follows:
• If a reverse proxy is used, set the Forward host header to True in the reverse proxy publishing rule for port 4443. This ensures that the original URL is forwarded to the target web server.
Note: External users do not need a VPN connection to an organization in order to participate in Lync Server-based communications. External users who are connected to an organization’s internal network over a VPN bypass the reverse proxy.
6.3 Array Networks APV Advantages and Network Topology for CWA
Array Networks APV offers performance, security and functional advantages that combine versatility with ease-of-use to speed deployment of the Microsoft Lync infrastructure.
Array Networks APVs support CWA by providing:
• Local and global server load balancing with multi-unit clustering for 99.999% application uptime and data center scalability
• SSL acceleration for securing data in transit, offloading compute-intensive processes from servers, and improving application performance
• Reverse-proxy architecture with a stateful packet-inspection firewall for guarding applications without impacting performance
• Hardware-based 1024 and 2048-bit SSL encryption for alignment with NIST and certificate authority security requirements
Figure 6-1 illustrates the appliances involved in APV configurations for CWA.
Figure 6-1 CWA Topology
As mentioned in section 2.1 Network Topology, you can employ a single APV for all internal and external Lync Server 2010 services and this APV can also work as the reverse proxy, as shown in the following figure:
Figure 6-2 CWA Topology with One APV Working as the Reverse Proxy and Used for Front End Servers
The following sections describe the configuration of the APV that works as the reverse proxy and provides the CWA service for the front end servers.
6.4 Defining Real Services
CWA Server Settings

Real Service   IP Address   Port   Protocol
real_4443      10.8.6.32    4443   TCP
FE4443_1       10.3.0.42    4443   HTTPS
FE4443_2       10.3.0.43    4443   HTTPS

At the AN(config)# prompt, type:
slb real tcp real_4443 10.8.6.32 4443 1000 tcp 3 3
slb real https FE4443_1 10.3.0.42 4443 1000 tcp 3 3
slb real https FE4443_2 10.3.0.43 4443 1000 tcp 3 3

Note: If you do not use the APV as the reverse proxy, omit the real_4443 real service, that is, you do not need to run the “slb real tcp real_4443 10.8.6.32 4443 1000 tcp 3 3” command.
6.5 Defining Groups
Group Definition

Group         SLB Algorithm
g_icFE4443    ic

At the AN(config)# prompt, type:
slb group method g_icFE4443 ic exmfwnrkqvk 0 rr

Note: Keyword “exmfwnrkqvk” is the cookie name. If you do not specify the cookie name, the APV generates a random one.
6.6 Adding Real Services to Defined Groups
Group Settings

Group         Members
g_icFE4443    FE4443_1, FE4443_2

At the AN(config)# prompt, type:
slb group member g_icFE4443 FE4443_1 1 0
slb group member g_icFE4443 FE4443_2 1 0
6.7 Defining Virtual Services
Virtual Service Definition

Virtual Service     Protocol   Virtual IP Address   Port
redirect_443_4443   TCP        10.8.6.35            443
v_FE4443            HTTPS      10.8.6.32            4443

At the AN(config)# prompt, type:
slb virtual tcp redirect_443_4443 10.8.6.35 443 arp 0
slb virtual https v_FE4443 10.8.6.32 4443 arp 0
6.8 Setting the TCP Idle Timeout of the Virtual Services
Virtual Service Settings

Virtual Service     TCP Idle Timeout
redirect_443_4443   1800

At the AN(config)# prompt, type:
slb timeout redirect_443_4443 1800

Note: The TCP idle timeout value should be greater than or equal to the minimum REGISTER refresh or SIP Keep-Alive interval (typically 30 minutes). The TCP idle timeout value is expressed in seconds.
6.9 Binding Virtual Services to Defined Groups
When a user initiates the CWA for the first time, the user’s cookie is not stored on the APV and therefore the default policy takes effect to complete the access. For the user’s later access, because the APV already stores the corresponding cookie, the cookie policy takes effect preferentially.
The configurations on the APV are as follows:
Binding Relationship

Virtual Service     Group/Real Service
v_FE4443            g_icFE4443
redirect_443_4443   real_4443

At the AN(config)# prompt, type:
slb policy icookie policy_icFE4443 v_FE4443 g_icFE4443 0
slb policy default v_FE4443 g_icFE4443
slb policy static redirect_443_4443 real_4443

Note: If you do not use the APV as the reverse proxy, omit the redirect_443_4443 virtual service, that is, you do not need to run the “slb policy static redirect_443_4443 real_4443” command.
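The two-policy behaviour described in this section (default policy on a client's first request, cookie policy on every later one) can be modelled in a few lines. The following Python class is an added illustration, not APV code, and it also covers a case the text does not spell out: a cookie that names a front end server which has since gone down, where the default policy must take over again and the client receives a fresh cookie. The cookie name is the one from section 6.5; the default policy is assumed to be round robin (the `rr` in the group method command), and the table that maps cookie tokens to real services is an assumption about how the APV keeps the association.

```python
"""Insert-cookie persistence as described in section 6.9 (added illustration, not APV code)."""
import itertools
import secrets

COOKIE_NAME = "exmfwnrkqvk"   # cookie name configured in section 6.5


class CookiePersistence:
    """Routes requests for one group with a cookie policy in front of a default policy."""

    def __init__(self, members):
        self.members = list(members)       # real services, e.g. ["FE4443_1", "FE4443_2"]
        self.down = set()                  # members currently failing health checks
        self._rr = itertools.cycle(self.members)   # assumed round-robin default policy
        self._token_to_member = {}         # assumed: opaque cookie value -> real service

    def mark_down(self, member):
        self.down.add(member)

    def mark_up(self, member):
        self.down.discard(member)

    def _default_policy(self):
        """Pick the next healthy member in round-robin order."""
        for _ in range(len(self.members)):
            m = next(self._rr)
            if m not in self.down:
                return m
        raise RuntimeError("no healthy member in group")

    def route(self, cookies):
        """Return (member, set_cookie) where set_cookie is None when no new cookie is issued.

        The cookie policy takes effect preferentially: a known token naming a
        healthy member wins.  Otherwise (first visit, unknown token, or the
        member is down) the default policy chooses and a new cookie is inserted.
        """
        member = self._token_to_member.get(cookies.get(COOKIE_NAME))
        if member is not None and member not in self.down:
            return member, None
        member = self._default_policy()
        token = secrets.token_hex(8)       # opaque value; reveals nothing about the server
        self._token_to_member[token] = member
        return member, (COOKIE_NAME, token)


if __name__ == "__main__":
    lb = CookiePersistence(["FE4443_1", "FE4443_2"])
    member, set_cookie = lb.route({})                       # first visit: default policy
    print("first request ->", member, "cookie issued:", set_cookie is not None)
    print("second request ->", lb.route({set_cookie[0]: set_cookie[1]})[0])
    lb.mark_down(member)
    print("after failure ->", lb.route({set_cookie[0]: set_cookie[1]})[0])
```

The token is random rather than derived from the server address, so a client cannot steer itself onto a chosen backend by editing the cookie; an unknown or stale token simply falls through to the default policy.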
6.10 Configuring APV for Secure Sockets Layer (SSL) Offload
This section describes how to configure the APV to offload SSL traffic for CWA servers.
6.10.1 Using SSL Certificates and Keys
Before you can enable the APV to act as an SSL proxy, you must install an SSL certificate on the virtual server that you use for Lync Server 2010 on the APV. In this deployment guide, it is assumed that you already have obtained an SSL certificate, but it is not yet installed on the APV. For information on generating certificates, or using the APV to generate a request for a new certificate and key from a certificate authority, see the SSL-related chapter in the APV Application Guide.
6.10.2 Importing Keys and Certificates
After obtaining a certificate, you can import it into the APV using the following commands. For detailed usage, refer to the APV Application Guide.
At the AN(config)# prompt, type:
ssl import key meet.potest.com
ssl import certificate meet.potest.com
6.10.3 Disabling Certificate Verification
At the AN(config)# prompt, type: ssl globals verifycert off
6.10.4 Creating an SSL Host and Binding It to the Virtual Service
At the AN(config)# prompt, type: ssl host virtual meet.potest.com v_FE4443
6.10.5 Starting the SSL Offload
At the AN(config)# prompt, type: ssl start meet.potest.com
6.10.6 Creating an SSL Host and Binding It to Real Services
At the AN(config)# prompt, type:
ssl host real ssl_rFE4443 FE4443_1
ssl host real ssl_rFE4443 FE4443_2
6.10.7 Starting the SSL Offload
At the AN(config)# prompt, type: ssl start ssl_rFE4443
--End
7 Summary
The preceding sections describe how to configure the APV for Microsoft Lync Server 2010. APV Application Delivery Controllers deliver all required application delivery functions for optimizing Microsoft Lync Server 2010 environments in a single and easy-to-manage appliance.
For more information about Array Networks APVs, please visit:
http://www.arraynetworks.com/
Appendix I Abbreviations and Acronyms

Abbreviation/Acronym   Full Spelling
AV                     Audio Video
CSCP                   Communication Server Control Panel
CWA                    Communicator Web Access
DDoS                   Distributed Denial of Service
FQDN                   Fully Qualified Domain Name
IM                     Instant Messaging
MTLS                   Mutual Transport Layer Security
SIP                    Session Initiation Protocol
TLS                    Transport Layer Security
SSL                    Secure Sockets Layer
VS                     Virtual Service
Appendix II Reference Topology Recommended by Microsoft
The following figure demonstrates the reference topology recommended by Microsoft for most Lync Server deployments and where load balancers can be deployed: