Forum Discussion

Thijs_van_Ham
Sep 07, 2014

Lync 2013 Access Edge unreachable using iApp

Recently I deployed the Lync 2010/2013 iApp (v1.3.0rc1) but I am a bit confused why certain features are not working. The current configuration is built up on BIG-IP LTM 11.4 and Lync has worked before using manual rules and virtual servers.

 

For now, the first problem is that we can't sign into Lync. Using the connectivity analyzer, looking up the lyncdiscover information works without any problems. Meet, dialin and the front-end pool can be reached by HTTPS, which basically tells me the reverse proxy settings are all correct.

 

If I check online (Event Zero Federation Tester) to see if federation is working, it does respond normally on both the IM and Voice test. All tests pass successfully. But I am not quite sure how reliable this test is.

 

However, when I want to log in using any Lync client, or by using the connectivity analyzer, I receive the error that SSL negotiation was not successful. This is a problem with the '[appname]__edge_external_ip_access' VS, I guess. I have double-checked the external IP address on this rule several times and it corresponds with the DNS settings (externally). Also the pool members are correct and all of the health checks are OK. We are using Edge services, so the pool members have their 'external access edge' IP address linked to this pool. It matches the Lync configuration in the topology.

 

Even though I couldn't find anything about this problem, I tried modifying the VS and linking an SSL Client Profile. In that case it passes the SSL check, but gives a timeout after 60-100 seconds with the error 'Unable to establish a connection. ConnectionFailureException'.

 

I assumed that there is no need for the SSL Client Profile, since the iApp never asked for this information, but that means I am stuck at the first case, where SSL negotiation fails. When I point the external access edge server port to 5061 manually in the connectivity analyzer, it does retrieve the certificate from the edge server (without F5 settings), but eventually fails at the same point with a timeout and the 'Unable to establish a connection. ConnectionFailureException'.

 

Any ideas where to look? I have wasted several days now trying to figure it out, but I can't seem to make it function properly. Maybe I missed something obvious...

 

3 Replies

  • Some things to check: does it work without the BIG-IP? Have you tried packet captures to see if the traffic reaches the servers? This can be something very small or very big, but it is difficult to troubleshoot via a forum.
  • MVA

    My Edge Lync VIP doesn't have a client SSL profile associated either, so it's terminating SSL on the Edge server and working fine for us. I would double-check the certs on the Edge server - the above suggestion of bypassing the BigIP is a good idea.

     

    I'm not a Lync expert, but I do believe external log connectivity might go through the "[appname]_edge_external_ip_reverse_proxy_443" VIP and this does have the SSL Client/Server profile associated with it.

     

  • mikeshimkus_111
    Historic F5 Account

    Are you SNATing the connections to the Edge servers? If not, do the servers have a route back to the clients?

     

    There's no need for a client SSL profile for the Edge VIPs since we can't do anything with that decrypted traffic. The configuration created by the iApp will do SSL "pass-through" mode for that traffic.

     

    Mike