Lync 2010 with an F5 BIG-IP LB

I recently received the opportunity to set up and use an F5 BIG-IP LTM Hardware Load Balancer version 11.1 and have since configured it for Lync Web Services including Mobility. The configuration does not have to be complex, and while the Load Balancer does much more than I am demonstrating here, incorporating the changes below into your own configuration should prove successful.

Requirements

The example I am showing below is based on version 11.1 of the LB code. If you are using an older version (and at some point a newer version) the exact screenshots and options may be slightly different - but the concepts remain the same. Like my setup and configuration of my KEMP HLB, I have opted to use two VIPs so that I can pass internal traffic directly back to the external pool rather than hair-pinning through a Reverse Proxy.

Load Balancer

Because I am using two VIPs, the setup and configuration concept used in the KEMP setup remains the same. The configuration once again would look something like this:

Internal Web Services VIP

10.10.10.10:443 --> 10.10.10.50:443
10.10.10.10:80 --> 10.10.10.50:80

External Web Services VIP

10.10.10.20:443 --> 10.10.10.50:4443
10.10.10.20:80 --> 10.10.10.50:8080

With this configuration, the port address translation happens on the HLB so the Reverse Proxy or Firewall can send the external traffic unchanged. Internally, the communication is always bound for HTTP/HTTPS and then changed depending on the destination IP.

Data Flow

I have already expressed the Data Flow in previous posts, so suffice it to say I am not changing those concepts at all - inbound/outbound traffic comes in on 80/443 and the Load Balancer (based on the VIP) determines if it goes to 80/443 or 8080/4443. Because the port address translation happens on the VIP of the Load Balancer when needed, the hair-pinning back to the Reverse Proxy is unnecessary. That also means when deploying the RP, make sure you do not change the ports.

Configuring the Load Balancer

Configuration of the Load Balancer includes the initial setup (not addressed here), importing the External Web Services certificate (required for cookie persistence), and configuring Profiles and Virtual Servers (including Pools and Nodes).

CERTIFICATE

There are multiple places to start, but the Certificate is as good as any. If this is not correct, iOS devices will fail to connect and Android and WP7 will take longer to authenticate. To start, and assuming the external web services certificate is marked as exportable (it should be if defaults were accepted), navigate to one of the Lync 2010 FE servers and launch the MMC (Start | Run | mmc). Add the local Computer Certificate Store to access your certificates (File | Add/Remove Snap-in | Certificates).


Expand Certificates | Personal | Certificates and in the right pane select your external certificate. Right-click the certificate and select All Tasks | Export. This will launch the Certificate Export Wizard. Select Yes, export the private key and select Next.


In the export options select Include all Certificates in the certification path if possible and Export all extended properties. This will include the root chain in the certificate path preventing trust issues on the BIG-IP.

Enter and confirm a password when prompted (you need this password to import the private key), select a file location and name, and click Finish.

Copy the exported file to a location you have access to from your local web browser. Launch the BIG-IP web configuration page and expand Local Traffic | SSL Certificate List. In the upper-right select Import to launch the import process. The correct import type is PKCS 12 (IIS) and should be selected from the drop-down menu. Enter a name to reference the certificate, browse to the previously exported PFX file and enter the password created when the certificate was exported. Click Import to bring the certificate into the BIG-IP.


You will see the certificate in the SSL Certificate List and if you select the certificate name, you will see not only your Web Services certificate but the entire certificate chain in the Certificate Subject(s) field.

PERSISTENCE PROFILES

Now that the certificate has been imported, the cookie persistence may be created. Back in the BIG-IP web interface, select Local Traffic | Virtual Servers | Profiles | Persistence. Two persistence profiles will be created - one for the external web services and one for the internal web services. In the upper-right select Create to begin the profile creation process. Enter a name for the Profile, and select Cookie for the Persistence Type. Under Configuration, mark the Custom box to allow configuration of the various properties. Match the settings to the picture, setting the cookie name to MS-WSMAN, enabling Always Send Cookie, and setting the expiration to 3 days. Click Repeat to create the persistence profile and start the process over.


Next create a new Source-Based persistence profile. Enter a name for the profile, and select Source Address Affinity for the Persistence Type. Under Configuration, mark the Custom box to allow configuration of the properties. Match the settings to the picture below, setting the timeout to 1800 seconds, and click Finished to create the second custom persistence profile.


SSL PROFILE

Next we move on to the SSL Profile. The SSL profile specifies which certificate to present to incoming connections. There are two types of SSL profiles, Client and Server. For Lync we need to worry about the Client side and will create a new profile based on the clientssl profile. Select Local Traffic | Virtual Servers | Profiles | SSL | Client. In the upper right select Create to begin the profile creation process. Enter a name and make sure clientssl is selected as the parent profile. Under Configuration, mark the Custom box to allow configuration of the properties. Match the settings to the picture below, setting the certificate and key to the name previously created when the SSL Certificate was imported. Click Finished to create the new profile.


SERVER NODES

The Nodes selection under Local Traffic specifies which real servers will be participating in the pool. Select Local Traffic | Virtual Servers | Nodes | Node List. Just as in previous steps, we are going to click Create to start the process. Enter a name (typically the server name, but any name will do) and the IP address under Address. The base health monitor is for the server and may be individually configured here, or simply use the default. Click Repeat to add the additional nodes in the same manner. When the last node has been created, click Finished.


To configure the default node monitor, select Local Traffic | Virtual Servers | Nodes | Default Monitor. Select ICMP and click the << to add it to the list. This monitor will do a simple PING up/down test to validate the server is running. We will create an optional monitor for the pool members to validate the services are running.


LYNC MONITORS (OPTIONAL BUT RECOMMENDED)

The Lync Pool Monitor verifies that the Lync Front-End service is running on its configured port. While the server may be running, if the pool service is not up and functioning it really does not help us. In addition, it is important that IIS is up and functioning; we can use the built-in monitors for the internal websites but must create new ones for the external websites.

Start by navigating to Local Traffic | Monitors. Click Create to start the process; we will begin with the Pool Monitor. Enter a name for the monitor and select TCP from the Type drop-down. We will need to change the Configuration from Basic to Advanced to expose the port. The port is located at the bottom of the list and is represented by default with an asterisk. Update the asterisk to the custom port you would have already configured in the Lync Topology Builder. In my case I have set it to 5150, but this is whatever your Pool is set to.


Click Repeat to save the monitor and start the process over. Enter a name for the External SSL (port 4443) monitor and select HTTPS as the Type. Advanced Configuration should already be exposed; just like the Pool monitor at the bottom of the options is the port. Here enter 4443 and click Repeat.


The last monitor we will create is for port 8080, the External Web Services re-direct port. Enter a name for the External (port 8080) monitor and select HTTP as the Type. Advanced Configuration should already be exposed; just like the Pool monitor, at the bottom of the options is the port. Here enter 8080 and click Finished.


POOLS

Pools represent the collection of services that will be tied to a Virtual Server (and its corresponding VIP). We will be creating four pools - Internal 80, 443 and External 8080, 4443.

Start by selecting Local Traffic | Virtual Servers | Pools | Pool List. Click Create to begin - we will start with the Internal Web Services 443. Enter a Name for the Pool. Select the Lync Pool Monitor previously created and click << to add it to the list. Scroll down the monitor list, select https_443 and once again click <<. Change the Load Balancing Method to Least Connections (member) and click Node List. The various nodes already created will be listed. Select the first node, enter 443 for the service port, and click Add. Repeat for the remaining nodes. Once all the nodes are listed, click Repeat to continue the process.


Create the three additional pools, one for Internal 80, one for External 4443, and one for External 8080, replacing only the service ports and the monitors per the pictures below (to speed up the process, click Repeat until the final pool, and remove and re-add the members to get the new port definition).


VIRTUAL SERVERS

The final step in the process is the creation of the Virtual Servers. The Virtual Servers tie the pools to a Virtual IP (VIP) and expose the desired port. There will be two VIPs (internal and external), each with two Virtual Servers, one per pool. Navigate to Local Traffic | Virtual Servers | Virtual Server List to begin.

Click Create to define the Virtual Server and VIP. Start by entering a name and the VIP address in Name and Destination. We will start with the Internal 443 SSL VS. In the service port enter 443. On the internal SSL web site we will be using IP source-based persistence, so there is no need to decrypt the information - we simply want to pass traffic. Configure the settings as shown below, making sure that no HTTP or SSL profile is selected and SNAT Pool is set to Auto Map. Change the Default Pool to your Internal 443 Pool previously created, set your Default Persistence Profile to your Internal Source IP persistence profile also previously created, and click Repeat.


Three additional Virtual Servers will need to be created as shown below. Make sure the Pools are correct as well as the Persistence. When creating the External 4443 Virtual Server you will need to select the basic HTTP Profile and the previously created SSL Profile. The configuration is shown below.


Click Finished after the last Virtual Server has been created. The final step is simply to update DNS so that the various A and CNAME records (MEET, DIALIN, INTERNALMEETINGS, and EXTERNALMEETINGS) point at the appropriate VIPs.

Lync Mobile iOS Certificate Errors

I ran into an issue (which I didn't with Android and WP7) where I was unable to log in to the Lync client on the iPad and iPhone. It turns out this was two separate certificate errors. The first occurred immediately upon signing in internal to the domain (because my Apple devices did not trust my internal CA). The second (internally or externally) was an issue with the intermediate certificate not being present on my KEMP Hardware Load Balancer.

Internal Root Certificate

The error I was seeing on my iPad was "Can't connect to the server. It might be unavailable. Also please check your network connection, sign-in address and server addresses". Again, the WP7 and Android devices were not experiencing this issue! (As an aside, the Android devices did realize there was an untrusted certificate, but I had the option of saying it was okay and moving on. Eventually I simply emailed myself the root and intermediate certificates, which installed with a simple click.)


My Internal CA is comprised of a Root, Intermediate, and an Issuing CA yet the Apple devices only seem to care about the root. To add the certificate to the device, the Apple iPhone Configuration Tool is used. It is true that you could send yourself an email with the certificate, but I have found that the device does not fully trust that method. If you do not already have the Configuration Tool (it is not part of iTunes) download it from Apple here. There is a Mac version of the tool as well but I will show the Windows version.

Once the application is installed, launch the tool and navigate on the right to Configuration Profiles.


In the upper-right click New to create a Configuration Profile. The Configuration Profile can be used to set and configure all types of settings; however, I am only interested in adding a trusted root certificate to the device. Start by naming the profile. In my example, I have named it BriComp Root Certificate and set my unique identifier to com.bricomp.cert.profile. Complete the General settings by entering your company name and optionally a description.


Next, navigate down the list to the certificate icon labeled Credentials and click Configure.


After clicking Configure, a list of certificates found on your local computer will be displayed. Assuming your computer trusts your internal LAN certificates, your root certificate will be shown here. Scroll to the correct certificate and click OK.


The certificate will be shown in the Credential window and all changes are immediate (i.e. there is no 'save' option). For small/single installs connect your device to your computer using the USB cable. The device will be displayed in the Configuration Tool under DEVICES. Select the device and then the Configuration Profile Tab.


You will notice there is an option to install the profile directly. Click Install to begin the process. On your device, an Install Profile window is shown where you must click Install followed by Install Now, confirming the installation of the Root Certificate. If you have a passcode you will need to enter it and then click Done.


For mass installs, you can export the configuration profile using the tool and email it to all that need it.

External Certificate Error

Once I got past my internal certificate issue I was then receiving the error "Can't verify the certificate from the server. Please contact your support team".


This error was the same inside and outside my network but again, only on my Apple iOS devices. Puzzled for days, I nearly gave up when I thought maybe...just maybe the Hardware Load Balancer needed the intermediate certificate loaded for DigiCert - the issuer of my web services external certificate. This is an easy process, and if you followed my past blog on configuring the KEMP HLB for Lync, this step may be required as well.

In the KEMP LB web configuration page navigate to Certificates | Intermediate Certs.


In this section you have the option of managing the intermediate certificates on your Load Balancer. Click Add New to display the New dialog. Here you need to paste the public certificate DigiCertHighAssuranceCA-3.cer into the text box and provide a name. The certificate can be downloaded from DigiCert's website at https://www.digicert.com/digicert-root-certificates.htm. Save the file to your local computer and open it with Notepad. The certificate will look like the text file that is created when you are requesting a new certificate for yourself. Copy and paste the entire content unaltered into the KEMP website and name the certificate DigiCertHA3.

Click Add to complete the installation of the Intermediate Certificate. That's it - once the LB trusts the DigiCert Intermediate and your device trusts your internal CA, your client will be able to log in.
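A quick way to confirm what the external VIP actually presents (whether the BIG-IP import above carried the chain, or the KEMP intermediate was added) is to look at the "Certificate chain" section of `openssl s_client -showcerts` output. The Python below, an added example and not part of the original post, parses that section and reports when a certificate's issuer is neither sent by the server nor a trusted root, which is exactly the condition behind the iOS "Can't verify the certificate" error. The host names, subject strings and trusted-root set are constructed samples.

```python
import re
import subprocess

# Constructed sample of the chain section s_client prints (OpenSSL 1.0.x
# formatting) when the load balancer sends the leaf certificate only.
LEAF_ONLY = """\
Certificate chain
 0 s:/C=US/O=BriComp/CN=lyncweb.bricomp.example
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
---
"""

# Constructed sample after the intermediate has been added on the LB.
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:/C=US/O=BriComp/CN=lyncweb.bricomp.example
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
"""

# Roots the client is expected to trust (constructed; a real check would
# take these from the device's or OS's trust store).
TRUSTED_ROOTS = {
    "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA",
}

# One "N s:<subject>" line followed by an "i:<issuer>" line per certificate.
PAIR = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(s.strip(), i.strip()) for s, i in PAIR.findall(text)]


def chain_problems(text, trusted_roots=TRUSTED_ROOTS):
    """Walk the presented chain; return a list of problems (empty means OK)."""
    certs = parse_chain(text)
    if not certs:
        return ["no certificates found in s_client output"]
    problems = []
    for depth, (subject, issuer) in enumerate(certs):
        if issuer in trusted_roots or subject == issuer:
            break                      # reached a trusted or self-signed root
        if depth + 1 < len(certs) and certs[depth + 1][0] == issuer:
            continue                   # next certificate is this one's issuer
        problems.append(f"issuer of cert {depth} neither sent nor trusted: {issuer}")
        break
    return problems


def fetch_chain_text(host, port, sni):
    """Capture s_client output from a live VIP (not used by the offline samples)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", sni, "-showcerts"]
    return subprocess.run(cmd, input=b"", capture_output=True).stdout.decode()
```

Run it against the external VIP on 443 (the port the Reverse Proxy forwards unchanged) and on 4443 if you test the Front End directly; an empty list means the intermediate is being served.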