In my previous blog I wrote about publishing Lync services using IIS/ARR as a replacement for TMG 2010. It is also possible to use a hardware load balancer to publish these Lync web services to the internet. In this blog I’ll talk about using a Kemp LoadMaster LM2600 for publishing Lync web services.
In my lab I have a Lync 2013 Enterprise Edition, in the perimeter network I have a Lync 2013 Edge Server, but instead of IIS/ARR I now have a hardware load balancer.
The following FQDN’s are web services internally running on port 4443 and port 8080, so they need Port Translation to publish them to the internet using port 443 and port 80 on the Internet:
Note. The internal name of the Lync Front-End pool is lyncpool.exchangelabs.nl but the external name is lyncweb.exchangelabs.nl. This can be configured using the Topology Builder.
The load balancer will be running on Layer 4 so the SSL connection is terminated on the Load Master. Therefore you need to import the SSL certificate that’s on the Lync 2013 Front-End server into the Load Master. You can find the import function under Certificates | SSL Certificates | Import Certificate in the Load Master.
To configure the Kemp load balancer more easily you can download all sorts of templates from the Kemp website at http://kemptechnologies.com/nl/loadmaster-documentation. Click the Templates hyperlink and you can download the Lync 2013 templates (just under the Exchange 2013 templates). Store the template file on your local disk and import the template file in the Load Master. You can find the import option under Virtual Services | Manage Templates.
Once you have installed the templates we can configure the Load Master. To create a new VIP naviate to Virtual Services | Add New. In the Use Template drop down box select Lync Reverse Proxy 2013 and add the IP address in the Virtual Address box and click Add this Virtual Service.
The VIP will now be created and shown. Expand the SSL Properties (Acceleration Enabled) option and in the Certificates box select the proper UC certifcate, click on the right arrow and click on the Set Certificates box.
Since everything is preconfigured in the template you can expand the Real Servers option to add the Real Servers (i.e. the Lync 2013 Front-End servers) to the VIP. Be aware that you have to change the Real Servers Port number from the default port 443 to the Lync FE server’s port 4443. Add the Real Server’s IP address and click Add this Real Server.
After you return to the main menu select Virtual Services | View/Modify Services. The Lync Reverse Proxy HTTPS will show up as Up, but the Lync Reverse Proxy HTTP will show as down. That’s because it doesn’t have a Real Server proxying to port 8080. Click Modify next to the red down message and add the Lync 2013 Front-End server as a Real Server, but this time enter 8080 in the Port number box. Click Add this Real Server. When you select Virtual Services | View/Modify Services you’ll both VIPs with a status Up.
When you open the new VIP, for example the HTTPS VIP you can see the predefined values. Persistence is set to Source IP, time-out is set to 20 minutes. The Scheduling is set to Round Robin and the Idle Connection time-out is set to 1800 seconds (30 minutes). Nothing fancy to be honest.
The Load Master checks for the Lync Front-End server’s health by doing a check on TCP port 5061, i.e. the SIP communications port on the Lync Front-End server. This is the default setting in the template, as an alternative you can check the /meet/blank.html page to ensure IIS is running.
Just like in the previous blog you can navigate to the following URL’s to test the Reverse Proxy:
- https://meet.exchangelabs.nl/Reach/Client/WebPages/ReachClient.aspx (you need Silverlight on your client to do this)
And you’ll see the following figure (shown for the meeting URL):
It is relatively easy to use a hardware load balancer for reverse proxy in Lync 2013, especially when you use the predefined templates. Download the template, create a new VIP based on the template and you’re ready to go.