Forum Discussion

Greg_130338
Apr 22, 2014

Lync 2013 iApp template

Hey all, I am in the planning stages of deploying Lync 2013 with the Edge servers load balanced and the Front End servers reverse proxied using LTM. I am a little confused by the verbiage in the template, specifically around the public IPs necessary for the Edge server services.

My plan was to have 2 protected subnets in a DMZ: one for the externally accessible services (3 IPs per Edge server) and one for the internal connection to our internal network where the FE servers will be. The externally accessible services would be NAT'd (destination NAT for A/V), so the actual "public" interfaces would have non-routable addresses assigned to them, with their public addresses on the external interface of the firewall.

In the section "Edge Server Pools - External Interface", it references each service per Edge server and adds: "Note these addresses should be publically routable". So are these the actual IP addresses of my Edge interfaces on the servers themselves? Or is it really asking for the public NAT'd addresses at the firewall? I can explain further and provide a basic network diagram if this is confusing (it sure is to me; this is my first Lync implementation, and even without the F5 it is a bit confusing).

-GR

3 Replies

  • mikeshimkus_111

    Hi Greg, check out this post by Ryan Korock: https://devcentral.f5.com/articles/the-hopefully-definitive-guide-to-load-balancing-lync-edge-servers-with-a-hardware-load-balancer.U1bTrvld_0Q

    It explains why we recommend using public IPs for the Edge services.

    • Greg_130338

      I have read through this a few times before. In it he mentions: "NAT awareness was built into Lync 2010 to help in environments in which Edge Servers are deployed behind NATs. By enabling the NAT awareness, Edge Servers will refer clients to their respective NAT address in order to route the users in correctly." Which is how I intended to build this out. In his example he used routable IP addresses for all the external Edge services, but I'd like to put them on a DMZ private subnet and NAT through our firewall using the NAT-aware capabilities of Lync 2010 and later (exposing a Windows server by bypassing our firewall just doesn't sit well with me). Has anyone built a similar solution? If so, my real confusion still resides in the iApp, where it asks about adding the Edge server pools and using the publicly routed IP address. This might help to make sense of how I envision this working. TechNet documentation for the NAT'd A/V service: http://technet.microsoft.com/en-us/library/gg425882.aspx
  • mikeshimkus_111

    I've never tested this scenario using the iApp, which was built around the "public IPs for all" recommendation. I have heard that others have successfully done it this way. I would think you'd need to use your DMZ addresses for the VIPs and Edge servers in place of public IPs, and make sure you have SNAT enabled for the VIPs, including A/V. As long as your Edge servers know to hand back the correct public IP to the clients, it should work.
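The configuration the last reply sketches (DMZ addresses on the VIPs and on the Edge pool members, SNAT enabled on the VIPs including A/V, with the firewall doing the public-to-DMZ destination NAT and Lync's NAT awareness handing the public address back to clients), written out as an added BIG-IP tmsh example. This is not code from the thread, from the iApp, or from F5's guide; every address, object name and the choice of automap SNAT are assumed placeholders, and the ports used are the standard A/V Edge external ports (TCP 443 and UDP 3478). Whether SNAT on the A/V virtual servers is appropriate for a given deployment is exactly the question the linked Korock article addresses, so check this against that guide before using it.

```tmsh
# Added example, not part of the original thread or the F5 iApp.
# Scenario (assumed): Edge external A/V interfaces live on a private DMZ
# subnet; the firewall destination-NATs a public A/V address to the VIP
# below; in Topology Builder the A/V Edge is marked as NAT-enabled with
# that public address, so the Edge refers clients to the public IP.
#
# All addresses and names are placeholders:
#   10.10.20.11 / 10.10.20.12  Edge servers' external A/V interfaces (DMZ)
#   10.10.20.100               A/V Edge VIP on the BIG-IP (DMZ), firewall NATs
#                              the public A/V address to this

# Pools of the Edge servers' external A/V interfaces.
create ltm pool lync_av_edge_tcp443_pool {
    members add { 10.10.20.11:443 10.10.20.12:443 }
    monitor tcp
}
create ltm pool lync_av_edge_udp3478_pool {
    members add { 10.10.20.11:3478 10.10.20.12:3478 }
    monitor gateway_icmp
}

# A/V Edge TCP 443 virtual server on the DMZ VIP address, SNAT automap so
# return traffic from the Edge comes back through the BIG-IP, and source
# address persistence so a client keeps hitting the same Edge server.
create ltm virtual lync_av_edge_tcp443_vs {
    destination 10.10.20.100:443
    ip-protocol tcp
    profiles add { tcp }
    pool lync_av_edge_tcp443_pool
    source-address-translation { type automap }
    persist replace-all-with { source_addr }
}

# A/V Edge UDP 3478 (STUN) virtual server, same VIP, same SNAT choice.
create ltm virtual lync_av_edge_udp3478_vs {
    destination 10.10.20.100:3478
    ip-protocol udp
    profiles add { udp }
    pool lync_av_edge_udp3478_pool
    source-address-translation { type automap }
    persist replace-all-with { source_addr }
}

save sys config
```

Enter the commands in an interactive `tmsh` session (or put them in a file and merge it). With automap SNAT the Edge servers see the BIG-IP's self IP, not the client, as the source of these connections, which is why the reply's last condition matters: the Edge must still be configured, through the NAT-enabled setting and the public A/V address in the topology, to hand the firewall's public address back to clients rather than the DMZ VIP.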