Configure Citrix Netscaler VPX as Reverse Proxy for Lync Server 2013
Introduction
The following article provides the steps to configure a Citrix NetScaler VPX to publish the Lync Web Services (the reverse proxy role). It is an alternative to Microsoft Forefront TMG for this job.
Note: The steps below are for a Citrix VPX 1000 (Platinum Edition 10.1) They should work on other Citrix units (this has also been tested on a VPX 200), however menu structure may differ slightly.
Requirements
- An available public IP address (this can be NATed)
- A NetScaler that is either dual-homed (one interface facing the Internet/DMZ, one facing the LAN) or can otherwise route to the Lync Front End servers
- An SSL certificate issued by a public CA with the following names/SANs
- lyncpoolname.domain.com (CN): the external Web Services FQDN of the pool as specified in Topology Builder
- lyncdiscover.domain.com
- meet.domain.com
- dialin.domain.com
- If you plan to publish your Office WebApp Server a SAN for it can also be added.
Check Features
Check that the load balancing feature is enabled on your Netscaler.
- Login to your Netscaler and click Settings | Configure Basic Features.
- Ensure that **Load Balancing** is enabled.
Install the SSL Certificate
Next you need to install the SSL certificate for the web services. If you requested it from a Windows server and it has been issued, you will most likely have a PFX file; make sure you exported it with the private key, otherwise the NetScaler cannot terminate SSL with it.
Load the PFX/PEM File
- Select Traffic Management | SSL | Import PKCS#12
- Enter an output file name with a .pem extension (this can be any file name, I used sip_lync_cert.pem) and browse to your PFX file. You will need to enter the password you specified when exporting your PFX file. Note that the resulting PEM (certificate and private key) is written to the appliance's /nsconfig/ssl directory, so the key is only as well protected as administrative access to the NetScaler.
- Click OK
Verify the PEM file
- To Verify the certificate is installed, click Manage Certificates / Keys / CSRs
- Verify that your certificate is listed. Click Close.
Install the Certificate
- Select Traffic Management | SSL | Certificates and click Install.
- Enter a Certificate-Key Pair Name (this can be anything and is how it will display on other screens when you select it).
- Browse and select the same PEM file for both the Certificate File Name and the Key File Name (the imported PEM contains both the certificate and the private key).
- Click Create.
The certificate should now be installed.
Publish the Servers
Create Server Objects
- Select Traffic Management | Servers and click Add.
- Enter the Server Name and the IP address of one of your Lync Front End Servers.
- Click Create.
- Repeat this for all the Front-Ends in your Pool
Create Monitors
- Select Traffic Management | Monitors | Add
- Enter a Name and select HTTP for the Type. Set the Destination Port to **8080**. Click **Create**. (This monitor is optional; if you don't intend to publish HTTP, skip it.)
- Click Add again. Enter a Name and select HTTP for the Type. Set the Destination Port to **4443**. Because 4443 is an SSL port on the Front End, tick the Secure option so the probe is sent over SSL rather than in clear text.
- Click **Create**.
- Verify the monitors have been created.
Create Services
- Select Traffic Management | Services | Add
- Select HTTP for the Protocol, select the first Server, and set the Port to 8080. Find the HTTP (8080) monitor you created earlier and click Add. Click Create. Repeat this for the additional Lync Front End servers. *(You can skip this if you don't intend to publish HTTP.)*
- Click Add again. Select SSL for the Protocol, select the first Server, and set the Port to 4443. Find the HTTPS (4443) monitor you created earlier and click Add. With the SSL protocol the NetScaler re-encrypts traffic to the Front End; by default it does not validate the Front End's certificate on that leg.
- Click Create.
- Repeat this for the additional Lync Front End servers
- Verify all the services have been created and that they are Up.
Create Virtual Servers
- Click Traffic Management | Virtual Servers | Add
- Enter a Name for the virtual server. Select HTTP for Protocol and leave the Port at 80. Enter an IP address (this is the public IP address, or the internal address it is NAT'd to, depending on your setup). Select the HTTP (8080) services you created earlier.
- Switch to the Method and Persistence tab. Set the method to Least Connection, and the Persistence to SOURCEIP. Set the Time-out (min) to 20. Click Create.
- Click Add again and enter a Name for the virtual server. Select SSL for Protocol and leave the Port at 443. Enter an IP address (the public IP address or NAT'd public IP address, depending on your setup; it will most likely be the same IP you entered when creating the HTTP one). Select the HTTPS/SSL (4443) services you created earlier.
- Switch to the Method and Persistence tab. Set the method to Least Connection, and the Persistence to SOURCEIP. Set the Time-out (min) to 20.
- Switch to the SSL settings tab and select the SSL certificate you installed earlier. click Add. Click Create.
- Verify that the new Virtual Servers are Up
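The GUI steps above, from the certificate import through to the virtual servers, expressed as NetScaler CLI. This is an added example, not part of the original post and not Citrix sample code. The Front End addresses (10.0.0.11 and 10.0.0.12), the public VIP (203.0.113.10), the PFX file name and all object names are placeholders you should replace; sip_lync_cert.pem is the PEM name used in the post. Lines beginning with # are annotations for the reader and are not NetScaler commands, so strip them before pasting. Two settings go beyond the GUI walkthrough: SSLv2/SSLv3 are disabled on the external listener, and the (commented) -serverAuth lines show how to make the NetScaler validate the Front End certificate on the 4443 leg, which it does not do by default.

```nscli
# Added example: NetScaler CLI equivalent of the GUI steps in this post.
# Assumed placeholders (not from the original post):
#   Front Ends      LYNC-FE01 = 10.0.0.11, LYNC-FE02 = 10.0.0.12
#   Published VIP   203.0.113.10 (public, or the address your NAT maps to)
#   PFX file        lync_ext.pfx, imported to sip_lync_cert.pem

# --- Certificate: import the PFX to PEM, then create the cert-key pair ---
convert ssl pkcs12 sip_lync_cert.pem -import -pkcs12File lync_ext.pfx -password <pfx-password>
add ssl certKey lync-ext-cert -cert sip_lync_cert.pem -key sip_lync_cert.pem

# --- Server objects, one per Front End in the pool ---
add server LYNC-FE01 10.0.0.11
add server LYNC-FE02 10.0.0.12

# --- Monitors: plain HTTP on 8080, HTTP over SSL on 4443 ---
add lb monitor mon-lync-8080 HTTP -destPort 8080
add lb monitor mon-lync-4443 HTTP -destPort 4443 -secure YES

# --- Services: external web services listen on 8080/4443 on the Front Ends ---
add service svc-fe01-8080 LYNC-FE01 HTTP 8080
add service svc-fe02-8080 LYNC-FE02 HTTP 8080
add service svc-fe01-4443 LYNC-FE01 SSL 4443
add service svc-fe02-4443 LYNC-FE02 SSL 4443
bind service svc-fe01-8080 -monitorName mon-lync-8080
bind service svc-fe02-8080 -monitorName mon-lync-8080
bind service svc-fe01-4443 -monitorName mon-lync-4443
bind service svc-fe02-4443 -monitorName mon-lync-4443

# Optional hardening (off by default): validate the Front End certificate on the
# 4443 back-end connection. Assumes the internal CA is installed as a certKey
# named lync-internal-ca (placeholder). Repeat for each 4443 service.
# set ssl service svc-fe01-4443 -serverAuth ENABLED
# bind ssl service svc-fe01-4443 -certkeyName lync-internal-ca -CA

# --- Virtual servers on the published IP: 80 -> 8080 and 443 -> 4443 ---
add lb vserver vs-lync-ext-http HTTP 203.0.113.10 80 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP -timeout 20
add lb vserver vs-lync-ext-https SSL 203.0.113.10 443 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP -timeout 20
bind lb vserver vs-lync-ext-http svc-fe01-8080
bind lb vserver vs-lync-ext-http svc-fe02-8080
bind lb vserver vs-lync-ext-https svc-fe01-4443
bind lb vserver vs-lync-ext-https svc-fe02-4443

# --- Bind the public certificate and disable SSLv2/SSLv3 on the external listener ---
bind ssl vserver vs-lync-ext-https -certkeyName lync-ext-cert
set ssl vserver vs-lync-ext-https -ssl2 DISABLED -ssl3 DISABLED -tls1 ENABLED

save ns config

# --- Checks: each service should report UP, the vserver UP with the cert bound ---
show service svc-fe01-4443
show lb vserver vs-lync-ext-https
show ssl vserver vs-lync-ext-https
```

If you skip HTTP publishing, omit the 8080 monitor, services and the vs-lync-ext-http virtual server. SOURCEIP persistence with a 20-minute timeout matches the post; be aware that all clients behind one large NAT will then land on the same Front End.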
Test Configuration
You can now test the configuration by browsing to your Lync Web Services on the external interface of your NetScaler. For example, visiting https://lyncdiscover.domain.com/autodiscover/autodiscover.svc/root should return something similar to the below, where lyncext.domain.com stands for your external Web Services FQDN:
<resource xmlns="http://schemas.microsoft.com/rtc/2012/03/ucwa" rel="root" href="https://lyncext.domain.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=domain.com">
<link rel="user" href="https://lyncext.domain.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=domain.com"/>
<link rel="xframe" href="https://lyncext.domain.com/Autodiscover/XFrame/XFrame.html"/>
</resource>
The Microsoft Lync Connectivity Analyzer can also be used to verify correct publishing of the Lync Web Services:
http://www.microsoft.com/en-us/download/details.aspx?id=36536
For my original post with pictures visit my blog http://www.lynced.com.au/2014/04/configure-citrix-netscaler-vpx-as.html