Deploy Load Balancers
Topic Last Modified: 2010-04-16
You use load balancers to distribute incoming connections across multiple Edge Servers. If you are deploying multiple Edge Servers in a site, you must use load balancers both between the perimeter network and your internal network (that is, the internal load balancer), and between the perimeter network and the Internet (that is, the external load balancer). However, on the internal load balancer, you must load balance only the Access Edge services and the A/V Edge services; do not load balance the Web Conferencing Edge services on the internal load balancer.
Although you use a single load balancer for all three edge services in a scaled, consolidated edge topology, we recommend you use separate virtual IP addresses (VIPs) for each edge service. We recommend port 443 for all three server roles, and because a different port/IP combination is required for each server role, separate VIPs support the recommended configuration. The VIP for the external interface for Edge Servers should be set to full-NAT or half-NAT behavior only for traffic to the Edge Servers (for each VIP that is used for Edge Servers and HTTP).
NAT is not supported for the IP address of the external interface of the A/V Edge Server of an Edge Server, so the IP address of the external interface of the A/V Edge service on each Edge Server must be publicly routable.
Note
NAT is supported for the IP address of the external interface of an A/V Edge Server in a single-server Edge deployment only. In this case, for traffic to the IP address of the external interface of the A/V Edge server Destination NAT at the external firewall is supported, but Source NAT is not supported. For more information see Firewall Requirements for External User Access.
For load-balanced Edge Servers in the perimeter network of the data center, outgoing requests are connected directly to a specific Edge Server’s Web Conferencing Edge service or A/V Edge service. These outgoing requests are handled as follows:
- Each time an internal Web Conferencing Server starts up, it looks up the Edge Servers that are configured in its environment, and then it looks up the Domain Name System (DNS) A record of the Web Conferencing Edge service of each Edge Server. Then, the internal Web Conferencing Server initiates four outbound Transmission Control Protocol (TCP) connections to the internal IP and port of each Web Conferencing Edge service.
- The load balancer for the A/V Edge service on the Edge Servers routes each A/V request to one of the Edge Servers, which then manages the connection until the session ends.
- Each edge service on each Edge Server connected to the load balancer must be configured identically, including identical internal and external ports, Allow lists, Block lists, federated partners, internal domain lists, internal server lists, remote user settings, and proxy connections.
- You must install and configure certificates to support load balancing. For details, see Set Up Certificates for the Internal Interface and Set Up Certificates for the External Interface.
- Federated partner Access Edge Servers and remote user clients must target the virtual IP (VIP) address that the Access Edge Server array uses on the external load balancer.
- The internal next hop server (typically, a Director) must target the virtual IP address that the Access Edge Server uses on the internal load balancer. If you are deploying a Director, you do this as part of the Director configuration. For details, see Deploy a Director.
Configuring Your Load Balancer
After configuring Edge Servers in the perimeter network of your data center, verify that they are correctly connected to the load balancer, and then verify that the ports listed in the following tables are open on the internal interface of the load balancer and on the external interface of the load balancer, respectively.
Note
You can use the Office Communications Server Remote Connectivity Analyzer tool to test remote unified communications client connectivity with the external edge interface of your Office Communications Server deployment. This tool can identify DNS name resolution issues for both the manual TLS and automatic client sign-in, including DNS configurations issues, TLS connectivity issues, and NTLM domain credential issues for remote user sign-in. You can access and run the tool from the Office Communications Server Remote Connectivity Analyzer Web site at https://www.testocsconnectivity.com. For details about using the tool, see Validate Edge Server Configuration and Connectivity.
Internal Load Balancer Port Settings
Component | Port |
---|---|
Access Edge Server |
TCP 5061 |
Web Conferencing Edge Server |
N/A |
A/V Edge Server |
TCP 5062 TCP 443, UDP 3478 |
External Load Balancer Port Settings
Component | Port |
---|---|
Access Edge Server |
TCP 5061, 443 |
Web Conferencing Edge Server |
TCP 443 |
A/V Edge Server |
TCP 443, UDP 3478 |