Lync Server 2013 & Office WebApp: Configure F5 Big-IP as Reverse Proxy
This article provides the steps for configuring an F5 Big-IP LTM running a version prior to 11 (from version 11 onwards this is made simple by iApps) to act as a reverse proxy for Microsoft Lync Server 2013 and Microsoft Office WebApp Server 2013 (WAC).
You will need software version 10.2 or later or you may run into issues.
One public IP address has been used to publish these services, along with a single UCC SAN SSL certificate with the following SANs:
- poolname.domain.com
- lyncdiscover.domain.com
- meet.domain.com
- dialin.domain.com
- externalwacname.domain.com
You will also need to make sure that the following firewall rules are created if applicable:
| Source | Destination | Port |
|---|---|---|
| Public | External Lync IP on F5 | 443 |
| Public | External Lync IP on F5 | 80 (optional) |
| F5 | Front End Pool | 4443 |
| F5 | Front End Pool | 8080 |
| F5 | Office Web App Server | 443 |
Information you will need
Here is a list of the configuration information you will need to configure the device.
- URL of WAC server
- IP address of external interface for publishing
- IP address of Lync Front End server(s)
- IP address of Office WebApp Server(s)
- Names of Lync Front End server(s)
- Names of Office WebApp Server(s)
Summary of Steps
- Install SSL Certificates
- Create SSL Profiles
- Create Monitors
- Create Nodes
- Create Pool
- Create iRules
- Create Virtual Server
Install SSL Certificates
Exporting a certificate from Windows.
You will require a PFX file, which contains the purchased public certificate as well as its corresponding private key. This can be exported from a Windows system by following the steps below:
- Open MMC
- Press Ctrl+M
- Select Certificates and press Add
- Select Computer Account and press Next
- Select Local Computer
- Click Finish and then OK
- Navigate to Certificates | Personal | Certificates
- Right-click the certificate to export
- Select All Tasks | Export
- Follow the wizard, ensure you select “Yes, export the private key” and specify a password.
- It will save as a **PFX** file.
Import the Certificate on to the F5
Under Local Traffic, select SSL Certificates | Import
Choose PKCS 12 (IIS) as the import type and name the certificate appropriately (e.g. lync.domain.com).
Browse to the PFX file that was exported and enter the password used when exporting the PFX.
Click Import.
Create SSL Profiles
Create a Client SSL Profile
Under Local Traffic, select Profiles | SSL Client and click **Create**.
Enter a name for the client profile (e.g. LyncSSL_client). The Parent Profile should be clientssl.
Check the Custom box to the right of Certificate and Key and select the certificate imported in the previous step for both values.
Click Finished.
Create a Server SSL Profile
Under Local Traffic, select Profiles | SSL Server and click **Create**.
Enter a name for the server profile (e.g. LyncSSL_server). The Parent Profile should be serverssl.
Check the Custom box to the right of Certificate and Key and select the certificate imported in the previous step for both values.
Click Finished.
Create Monitors
Under Local Traffic select Monitors and click Create.
Enter a name for the monitor (e.g. Lync_TCP_monitor).
Leave the remaining values as default and click Finished.
Note that a TCP monitor only checks whether a port is responding. It is possible to use other monitors (such as HTTP/HTTPS) that verify the data received to see whether the service is responding properly.
Create Nodes
Under Local Traffic select Nodes and click Create
Enter the Internal IP Address and *Internal Name* of the Lync Front End/Office Web App servers. Repeat for each server.
Leave other values as default and click Finished.
Create Pool
Create a HTTPS pool for Lync
Under Local Traffic select **Pools** and click Create.
Enter a name for the pool (e.g. Lync_2013_https_pool).
Select the Health monitor created under the monitors steps and click <<.
Under **Load Balancing Method**, select **Least Connections (member)**.
Enter the IP address of your Lync Front End Servers, enter 4443 for the Service Port and click Add for each one.
Click Finished.
Create HTTP pool for Lync (optional)
It isn’t normally necessary to create an HTTP pool, as the Lync client will try HTTPS and it is a more secure method of publishing. However, for backwards compatibility it can be created.
Repeat the process from the previous step using a different name (e.g. Lync_2013_http_pool), but use 8080 instead of 4443 as the Service Port.
Create HTTPS pool for Office WebApp Server WAC
To publish the Office WAC, follow the same steps as in Create a HTTPS pool for Lync with a different name (e.g. WAC_2013_https_pool).
However, use your Office WebApp Servers' IP address as the Address and use **443** as the Service Port.
Create iRules
In order to be able to use the single IP address, certificate and virtual server to publish both the Lync Web Services and the Office Web App services, an iRule needs to be created to route traffic.
Under Local Traffic select **iRules** and click Create.
Name the iRule (e.g. Office_WAC_iRule).
Use the following for the **Definition**:
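```tcl
when HTTP_REQUEST {
    # Requests for the external WAC host name go to the Office Web Apps pool.
    # Pool names must match the pools created in the Create Pool steps.
    if { [HTTP::host] contains "wacexternalurl.domain.com" } {
        pool WAC_2013_https_pool
    } else {
        # Everything else goes to the Lync web services pool, without persistence
        pool Lync_2013_https_pool
        persist none
    }
}
```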
Click Finished
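A stricter variant of the routing rule, as an added example that is not part of the original article: `contains` is a substring match, so this version normalises the Host header, routes only exact matches against the published names and resets anything else. The pool names assume the examples from the Create Pool steps, and the host names are the article's placeholders, so replace both with your own.

```tcl
when HTTP_REQUEST {
    # Normalise the Host header: drop any ":port" suffix and lower-case it,
    # so "WACEXTERNALURL.domain.com:443" compares equal to the published name.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "wacexternalurl.domain.com" {
            # External WAC name (placeholder used in this article's iRule)
            pool WAC_2013_https_pool
        }
        "poolname.domain.com" -
        "lyncdiscover.domain.com" -
        "meet.domain.com" -
        "dialin.domain.com" {
            # Lync external web services names from the certificate SAN list
            pool Lync_2013_https_pool
            persist none
        }
        default {
            # Host name is not one this virtual server publishes:
            # record it for review and reset the connection.
            log local0. "Lync_2013_VS: rejected Host '[HTTP::host]' from [IP::client_addr]"
            reject
        }
    }
}
```

Requests with a missing or unlisted Host header never reach either pool, and the log entries (written to /var/log/ltm) give a record of unexpected names being requested against the public IP.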
Create Virtual Server
The final step is to create the virtual server
Under Local Traffic select Virtual Servers and click Create
Enter a name (e.g. Lync_2013_VS).
Destination Address is the external IP address to be used on the F5 for publishing.
Service Port is 443 (or 80 if publishing HTTP also).
Select https for **HTTP Profile** (http if you created the HTTP publishing rule).
Select the SSL Profile (Client) and SSL Profile (Server) created earlier (ignore this section if HTTP).
Select Auto Map for SNAT Pool.
Select the **iRule** created earlier.
Select the Lync Pool as the Default Pool.
Click **Finished**.
Testing
From an external computer navigate to the following address:
- https://lyncdiscover.domain.com/autodiscover/autodiscover.svc/root
- https://wacexternalurl.domain.com/hosting/discovery/
They should both return XML documents.
The Microsoft Lync Connectivity Analyzer can also be used to verify correct publishing of the Lync Web Services.
For my original post with pictures visit my blog http://www.lynced.com.au/2014/01/configure-f5-big-ip-as-reverse-proxy.html