Forum Discussion

ScottE
Aug 15, 2016

Skype for Business and all public IPs - Front End Pool redirection

We are trying to get Skype for Business up and running with all public IPs and are running into a problem with the front end pool.

Say we have serverA and serverB in the front end pool, with half of our staff accounts using each one as their primary (set up by MS automatically).

If I log into a front end service and get load balanced (least connections, node) to my primary server (serverA), then my services work and there isn't an issue.

If I log into a front end service and get load balanced to serverB, then I am logged in successfully, but serverB then tells my client I should be talking to serverA as it is my primary, and I get redirected to the IP of serverA, which bypasses the load balancer. We can open up the ACLs so that this traffic is allowed, but we would rather have all traffic flow through the load balancer.

This results in intermittent success for us, since you have a fifty percent chance of hitting your home server.

Has anyone run into this behaviour, and how did they get around it?

Has anyone set up Skype for Business with all public IPs on their pool servers?

I have read the white paper on the F5/MS Skype for Business setup and don't see a section that we feel covers this behaviour.

4 Replies

  • Ran into a similar situation with our deployment. You cannot use SNATs for the Edge server AV traffic piece. You can use SNATs for the web conf, access and reverse proxy for Skype services. What we ended up with is, on the edge servers, assigning 3x different private IPs for the external interface, and using a static NAT to the IP that is used for AV:

    1. EXT-Access (with NAT to F5 VIP/SNAT -- pool member)
    2. EXT-WebC (with new NAT to new F5 VIP/SNAT -- pool member)
    3. EXT-Audio/Video (NAT to IP on edge ext server AV interface)

    The first two addresses (EXT-Access + EXT-WebC) we have the F5 fronting the service with a separate VIP/SNAT. The 3rd IP (EXT-Audio/Video) we have a static NAT assigned. The reason for the NAT to the 3rd IP on edge AV is to make the STUN/TURN protocol work. Apparently it will not work if you're using "source address translations"; the clients will not be able to discover each other correctly. What you will see is that clients that end up on the same Edge server are able to function, but when on different edge servers IM will work but no AV. We have this setup in 2x separate DCs. When we decide to add a third/fourth Edge server, we follow the same pattern: assign 3x different private IPs and one NAT to the new IP that will be used for AV. The other 2x IPs get assigned/configured into the existing access/webc F5 pools as members.

    We also use the F5 for the Skype reverse proxy service. In our case we have 2x FE servers. The F5 VIP for the Skype reverse proxy function we have redirecting all HTTP traffic to HTTPS. The F5 HTTPS VIP for the Skype reverse proxy has an iRule that will forward traffic to a specific pool based on the HTTP host header. We have 3x pools defined for the FE service. The 1st pool has all the Skype FE servers in it and is used for the names (meet.domain.name, dialin.domain.name, lyncdiscover.domain.name). The second pool only has one member, and it is one of the FE servers (ext-FE1.domain.name host header). The third pool has the other FE server (ext-FE2.domain.name host header) as a member.

    Firewall rules / F5 VS ports:

    1. Access (tcp/443, tcp/5061) (source: external clients; destination: F5 VIP for Access)
    2. WebC (tcp/443) (source: external clients; destination: F5 VIP for WebC)
    3. Audio/Video (tcp/443, udp/3478, tcp/50,000-59,999, udp/50,000-59,000) (bi-directional between edge AV interfaces)
    4. Reverse proxy (tcp/443, tcp/80) (source: external clients; destination: F5 VIP for Skype RP). F5 has an iRule to redirect traffic from 80 to 443, and an iRule to forward traffic based on the HTTP host header to specific pools for FE servers.

    Hope this helps.
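
The host-header routing and the 80-to-443 redirect described in the reply above, written out as two F5 LTM iRules. This is an added example, not configuration from the original post or from F5's deployment guide; the pool names (pool_sfb_fe_all, pool_sfb_fe1, pool_sfb_fe2) are assumptions, and the host names reuse the placeholder domain.name from the post.

```tcl
# Added example (not from the original post). Two iRules for a Skype for
# Business reverse-proxy publish on F5 LTM. Pool names are assumptions.

# --- iRule 1: attach to the port 80 virtual server -------------------------
# Send every cleartext request to the HTTPS virtual server, preserving the
# original host and path.
when HTTP_REQUEST {
    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}

# --- iRule 2: attach to the port 443 virtual server ------------------------
# Pick the back-end pool from the Host header. Shared simple URLs and
# lyncdiscover go to all front ends; each externally published FE name goes
# to a single-member pool so a client that was told to talk to a specific
# front end reaches exactly that server.
when HTTP_REQUEST {
    # Drop any ":port" suffix and lowercase before matching.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "meet.domain.name" -
        "dialin.domain.name" -
        "lyncdiscover.domain.name" {
            pool pool_sfb_fe_all
        }
        "ext-fe1.domain.name" {
            pool pool_sfb_fe1
        }
        "ext-fe2.domain.name" {
            pool pool_sfb_fe2
        }
        default {
            # A hostname this proxy was never meant to publish: refuse it
            # rather than letting it fall through to a front-end pool.
            HTTP::respond 404 content "Not found" noserver
        }
    }
}
```

The default branch returns 404 instead of falling through to any pool, so a request for an unpublished hostname never reaches a front end. Skype for Business front ends serve their external web site on 8080/4443 by default, so the pool members behind the HTTPS virtual server are normally defined on port 4443 with a server SSL profile, not on 443.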

     

  • Hi Ross, as far as I understood, you configure a static NAT for each IP address you reserve for AV services on your SFB edge servers. In this way the traffic from external clients goes "directly" to the edge servers. I cannot figure out how, or if, these NATs are balanced. Are you using DNS round robin for SFB AV services? Or maybe SKFB does not need a "unique" public DNS record to be set up for AV services? Regards MM

     

    • RossVermette_14

      The S4B client will use the TURN/STUN protocol to find the "best" AV server it can communicate with. The NAT is used to make the TURN/STUN protocol work directly with the AV host. The load balancing decisions are done in your Skype AV pool topology (within the Skype topology itself, which directs the client to a specific AV server).

       

    • DoubleM_268889

      Great news, Ross. Maybe I'll forward it to the guys who are setting up S4B. Regards MM