F5 and Lync

Question

Hello,&nbsp;
&nbsp;  I am working on a new Lync environment.  We have a F5 LTM in front of our Lync edge servers in a DMZ.  We do not have a Microsoft reverse proxy available nor the budget to build one... but we need certain traffic to get routed to the internal Lync servers, bypassing the edge.  Can this be done through an iRule instead of a standalone proxy setup?  Any info would be great.&nbsp;
&nbsp;thanks,
&nbsp;-Luke&nbsp;

mikeshimkus_111 · Answer

Hi,  
&nbsp; We are currently working on guidance for using LTM as the Lync reverse proxy.  Although that guidance is not yet complete, I've successfully used a virtual server on an external BIG-IP to forward reverse proxy traffic to an internal virtual server that has director servers for pool members.  With only one LTM, you could add a self IP to the same network that your Lync servers are on, and create a new external virtual server to grab the reverse proxy traffic and forward it on, which would require changing DNS to point clients at that virtual.  With one virtual server, you could do it with an iRule that catches requests for the meet/dialin URLs and forwards that traffic to the internal server pool rather than the edge.  Something like this might work: 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;   if { [HTTP::host] equals"meet.mydomain.com"} { 
&nbsp;    pool my_lync_reverse_proxy_pool 
&nbsp;   } 
&nbsp; }

chad_103287 · Answer

Any ETA on when we might see something?

sipple31_85114 · Answer

Still would love some help on this.  Currently still struggling with using it as a reverse proxy.  We have everything working with external web services and the Lync client or the web client.  The last piece to the puzzle is mobility.  Androids seem happy but iPhones are whining about the cert.  They hit the F5 and immediately fail with cert errors.  It's baffling!

michael_koyfma1 · Answer

Who is your cert issued by? It is possible that clientside SSL profile on the BigIP is not chained correctly - if your certificate requires an intermediate certificate to be chained, some browsers/devices will give you untrusted warning because they don't have the right CA bundle/chain installed on them. I've seen issues where Windows devices would not complain of SSL, but mobile devices such as iPads would - thus I highly recommend verifying proper CA/Chain installed on the BigIP and the clientsideSSL profile.

sipple31_85114 · Answer

Posted By Michael Koyfman on 02/21/2012 10:39 PM
&nbsp;
Who is your cert issued by?  It is possible that clientside SSL profile on the BigIP is not chained correctly - if your certificate requires an intermediate certificate to be chained, some browsers/devices will give you untrusted warning because they don't have the right CA bundle/chain installed on them.  I've seen issues where Windows devices would not complain of SSL, but mobile devices such as iPads would - thus I highly recommend verifying proper CA/Chain installed on the BigIP and the clientsideSSL profile. &nbsp;

&nbsp;The public cert is issued by Thawte.  We've tried doing just the cert and also the entire chain.  Both with the same result.  I guess that is where my knowledge of certs ends...&nbsp;&nbsp;Do you think it should be just cert or entire chain?&nbsp;

Forum Discussion

F5 and Lync

9 Replies

Recent Discussions

vulnerabilities-CVE-2020-16150 & CVE-2013-0169

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

Related Content

Microsoft Lync Server

Where are F5's archived deployment guides?

F5 Distributed Cloud - Listener Logic

F5 Python SDK Overview

API Gateway Mapping - Gartner - F5