Lync Edge servers provide remote users with IM, Voice, and other services. However, without a reverse proxy, remote users can’t access the functionality provided by Lync Web Services. That functionality includes access to meeting content and the Lync Web Access client. For these reasons, a Lync reverse proxy should be considered critical to every enterprise or multitenant deployment of Lync. Traditionally, customers leveraged Forefront Threat Management Gateway (TMG) to act as the Lync reverse proxy. Now that TMG is discontinued, customers are looking for alternatives. BIG-IP Local Traffic Manager (LTM) from F5 can be that alternative.
F5 Networks: Ryan Korock, Michael Shimkus, James Hendergart
Microsoft Corporation: Stephane Taine, Yves Pitsch, Rick Kingslan
Technical Reviewer: Rick Kingslan
Editor: Susan S. Bradley
Publication date: February 22, 2013
Product version: Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010, Lync Server 2013, Lync Server 2013 Multitenant Hosting Pack, Lync Server 2010 Multitenant Hosting Pack
NOTE: Microsoft reviewed this document for technical accuracy to ensure that it meets the reverse proxy requirements for Lync only. This is a partner example of how to deploy reverse proxy functions for Lync. Additional partner examples that achieve similar functionality may be published at a later time.
Many Microsoft Lync Server deployments make use of what is referred to as a reverse proxy. A reverse proxy provides corporate users who are outside the office (remote users not connected by VPN) access to the same Lync functionality that a corporate user inside the local area network has. A reverse proxy is required if you plan to support users leveraging Lync Mobility services.
Lync Edge servers provide remote users with IM, Voice, and other services. However, without a reverse proxy, remote users can’t access the functionality provided by Lync Web Services. That functionality includes access to meeting content and the Lync Web Access client. For the complete list of features that are enabled by the reverse proxy, see the Microsoft TechNet article titled, Setting Up Reverse Proxy Servers. For these reasons, a Lync reverse proxy should be considered critical to every enterprise or multitenant deployment of Lync.
Traditionally, customers leveraged Forefront Threat Management Gateway (TMG) to act as the Lync reverse proxy. Now that TMG is discontinued, customers are looking for alternatives. BIG-IP Local Traffic Manager (LTM) from F5 can be that alternative. Many customers already use LTM to load balance their Lync Edge Servers, so they can add the reverse proxy role for Lync to the same devices without incremental capital expense.
Let’s consider two scenarios. In the first scenario, TMG is the reverse proxy. In the second scenario, BIG-IP LTM is the reverse proxy. In Figure 1 below, the external BIG-IP LTM device load balances the Edge Servers in the perimeter network and TMG acts as the reverse proxy.
Figure 1. TMG acting as the reverse proxy
In Figure 2 below, TMG is removed, and BIG-IP LTM acts as the reverse proxy.
Figure 2. BIG-IP LTM acting as the reverse proxy
This simplifies the deployment: the dedicated reverse proxy servers are removed, and the reverse proxy role is taken on by the traffic management system that already sits in front of the Edge Servers.
Use the F5 Deployment Guide for Microsoft Lync as the foundation for deployment, and customize based on how these three questions are answered for a given Lync reverse proxy configuration:
- Traditional enterprise or multitenant deployment?
- 1 or 2 tier approach?
- Automated or manual configuration?
Traditional enterprise versus multitenant deployment
Traditional enterprise deployments have a single instance of Lync deployed, and customers are the only tenant. Client traffic originates from the internal network or an external source. For enterprises, the perimeter network protects the enterprise from external connections.
Multitenant deployments, by design, host multiple tenants simultaneously. The semantics of what is internal versus external are unique in a multitenant deployment hosted by a third-party service provider, because, in essence, every client for every tenant is external. Although the basic Lync / Lync Edge topology fits both traditional enterprise and multitenant deployments, in a multitenant deployment all client traffic originates from external networks and enters through either the reverse proxy or the Lync Edge servers.
Figure 3. Placement of reverse proxy devices with respect to multitenant network zones
1 or 2 tier approach
Because a Lync deployment spans both the perimeter network and the internal network, customers must decide whether to deploy BIG-IP devices in one tier or two tiers. A tier is defined as a high availability pair of BIG-IP devices. The two-tier design includes a pair of devices in the perimeter network and another pair in the internal network. Physical device separation is often a security requirement and clearly demarcates traffic by network zone. A one-tier design consists of one pair of BIG-IP devices configured with VLANs to separate perimeter traffic from internal network traffic. In this case a single device spans multiple network zones, and the separation between zones is enforced only by the VLAN configuration, so the VLAN assignments and the device's own self IP and management settings become security controls that need the same review as a firewall rule.
If using a one-tier approach, see page 17 of the F5 Deployment Guide for Microsoft Lync, and follow the steps listed.
Automated versus manual configuration
Customers using BIG-IP v11 or later can automate configuration and reduce or eliminate errors using the F5 iApp for Lync. This iApp is pre-set to configure BIG-IP LTM, including reverse proxy settings, IP addresses, and SSL Cert/Key names by asking the administrator a few questions and then automatically building the configuration in seconds.
To acquire the latest F5 iApp for Microsoft Lync and learn more about how this powerful technology can reduce your operational costs and deployment time, see page 2 of the F5 Deployment Guide for Microsoft Lync.
The F5 iApp for Lync is a customizable extension of BIG-IP for Lync that includes reverse proxy functionality. The operational integrity of iApps enables customers to reduce common configuration errors by encapsulating all pertinent network settings for Lync into a discrete, manageable object. This object can be saved, moved, and reused across all types of BIG-IP devices. Thus, the BIG-IP platform is configured for Lync in the same way every time it is deployed in your network, a feature particularly helpful for multitenant deployments.
iApps are customizable, so as improvements are made to the environment, the current, best BIG-IP configuration is always carried forward. The F5 iApp for Lync is a flexible, effective feature unique to the BIG-IP platform, and there is no easier way to reliably automate device configuration for Lync. Figure 4 below illustrates the simplicity of the Lync iApp user interface.
Figure 4. F5 iApp automates Lync reverse proxy configuration
If using the iApp, refer to page 4, and then pages 9 and 14, of the F5 Deployment Guide for Microsoft Lync, and follow the steps listed there. Be sure to note the additional steps required after applying the F5 iApp. If manually configuring BIG-IP, refer to the manual configuration tables on pages 22-25. See Table 1 below for a quick reference to the iApp and reverse proxy sections of the F5 deployment guide (based on Version 2.6 of the guide).
- Using a single BIG-IP system for reverse proxy
- Getting the latest iApp for Lync
- iApp for reverse proxy on Lync Edge servers – internal interface
- iApp for reverse proxy on Lync Edge servers – external interface
Table 1. Pointers to sections in the F5 Deployment Guide for Lync
There are options for the reverse proxy. Here are some considerations when deciding which technology to use.
Reuse what you already have
BIG-IP LTM is already in your network, and the same LTMs may be able to act as the reverse proxy, without any additional hardware/software costs.
Make sure that your solution is scalable
The reverse proxy performs IP/port translation (for example, mapping the public HTTPS listener on port 443 to the external web services port 4443 on the Front End servers) as well as URL filtering, and it must be able to scale with the number of external users. BIG-IP LTM ships with purpose-built hardware for this type of traffic manipulation, which is designed to sustain higher throughput than solutions built on commodity computer hardware.
NOTE: A computer-based solution can be a typical application server running reverse proxy software (such as TMG). It can also be a hardware appliance with network traffic features based on a client computer architecture. This latter kind of solution lacks the fundamental hardware design (bus architecture, chip sets and integrated circuits) and firmware that provide the computing speed and capacity required for real-time communications workloads, such as Lync.
Make sure that your solution is secure
The reverse proxy accepts connections from the Internet and forwards them to Front End (or Director) servers on the internal network, so it is the component that exposes internal Lync Web Services to external users. TMG is a certified firewall, and so its replacement must also be a certified firewall. This is CRITICAL. BIG-IP LTM is ICSA certified as a firewall, and it includes the proper firewall functionality to help secure the network. If the device is not a certified firewall, it should not be your reverse proxy. Whatever device is used, restrict it to the published FQDNs, listener ports and URL paths that Lync Web Services actually need, and log what it rejects.
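The two jobs described above, IP/port translation and URL filtering, and the security point that the reverse proxy is the bridge from the Internet to the internal Front End servers, are easier to reason about as an explicit default-deny policy. The following Python model is an added example, not code from the F5 deployment guide or from Microsoft: it encodes the policy a BIG-IP virtual server and iRule would enforce (published hosts, public listener to backend port mapping, allow-listed URL prefixes, round-robin over the pool) so that it can be tested before it is expressed in device configuration. The hostnames, pool addresses and path prefixes are constructed placeholders; the real values come from the Lync topology and the TechNet reverse proxy article.

```python
"""Model of a Lync reverse proxy forwarding policy: port translation plus
Host/URL allow-listing.  Added example, not F5 or Microsoft code; all
hostnames, addresses and path prefixes below are constructed placeholders."""
import posixpath
from dataclasses import dataclass
from typing import List, Mapping, Optional, Sequence


@dataclass(frozen=True)
class Request:
    host: str   # value of the HTTP Host header as sent by the client
    port: int   # public listener port the client connected to
    path: str   # request-URI (path plus optional query string)


@dataclass(frozen=True)
class Decision:
    forward: bool
    backend: Optional[str] = None
    backend_port: Optional[int] = None
    host_header: Optional[str] = None   # Host header passed to the backend unchanged
    reason: str = ""


class LyncReverseProxyPolicy:
    """Default-deny: only published hosts, public listeners and allow-listed URL
    prefixes are forwarded to the Front End external web services ports.
    Everything else is dropped at the proxy rather than on the Front End."""

    def __init__(self, published_hosts: Sequence[str], pool: Sequence[str],
                 port_map: Mapping[int, int], allowed_prefixes: Sequence[str]):
        self.hosts = {h.lower() for h in published_hosts}
        self.pool = list(pool)
        self.port_map = dict(port_map)
        self.prefixes = tuple(p.lower().rstrip("/") for p in allowed_prefixes)
        self._rr = 0    # round-robin cursor over the pool members

    @staticmethod
    def normalize_path(raw: str) -> str:
        # Drop query/fragment, lower-case, and resolve "." / ".." and repeated
        # slashes so a traversal attempt cannot slip past the prefix check.
        path = raw.split("?", 1)[0].split("#", 1)[0].lower()
        if not path.startswith("/"):
            path = "/" + path
        return posixpath.normpath(path)

    def decide(self, req: Request) -> Decision:
        host = req.host.lower().split(":", 1)[0]          # tolerate "host:port"
        if host not in self.hosts:
            return Decision(False, reason=f"host {host!r} is not published")
        if req.port not in self.port_map:
            return Decision(False, reason=f"no public listener on port {req.port}")
        path = self.normalize_path(req.path)
        if not any(path == p or path.startswith(p + "/") for p in self.prefixes):
            return Decision(False, reason=f"path {path!r} is not in the allow-list")
        backend = self.pool[self._rr % len(self.pool)]
        self._rr += 1
        return Decision(True, backend, self.port_map[req.port], req.host, "forwarded")


def build_policy() -> LyncReverseProxyPolicy:
    """Constructed placeholder topology; substitute the real Lync values."""
    return LyncReverseProxyPolicy(
        published_hosts=["lyncweb.contoso.example",        # external web services FQDN
                         "meet.contoso.example",           # simple URL: meetings
                         "dialin.contoso.example",         # simple URL: dial-in
                         "lyncdiscover.contoso.example"],  # mobility autodiscover
        pool=["10.10.1.21", "10.10.1.22"],                  # Front End / Director members
        port_map={443: 4443, 80: 8080},                     # public port -> backend port
        allowed_prefixes=["/meet", "/dialin", "/abs", "/autodiscover", "/webticket",
                          "/groupexpansion", "/certprov", "/ucwa", "/mcx",
                          "/collabcontent"],
    )


# Constructed sample traffic: three legitimate requests followed by three that
# a correctly configured reverse proxy must refuse to forward.
SAMPLE_REQUESTS = [
    Request("meet.contoso.example", 443, "/meet/alice?sl=1"),
    Request("lyncdiscover.contoso.example", 80, "/Autodiscover/AutodiscoverService.svc/root"),
    Request("Meet.Contoso.Example:443", 443, "/Meet/Bob"),
    Request("meet.contoso.example", 443, "/meet/../../admin/"),   # traversal out of /meet
    Request("evil.example", 443, "/meet/alice"),                  # unpublished host
    Request("lyncweb.contoso.example", 4443, "/abs/handler"),     # backend port is not public
]


def run_samples() -> List[Decision]:
    policy = build_policy()   # fresh policy so the round-robin order is deterministic
    return [policy.decide(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, d in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{req.host}:{req.port} {req.path} -> {d}")
```

The decision rejects on the first failed check and never rewrites the Host header, which matches how a Lync reverse proxy must forward the original host name to the Front End. Path normalization happens before the prefix comparison; comparing the raw URI would let `/meet/../../admin/` through as a `/meet` request.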
Make sure that your solution is easy to configure
Configuring Lync load balancing and reverse proxy rules by hand involves many virtual servers, pools, profiles and certificates, and is prone to misconfiguration. The F5 iApp for Lync addresses this by generating the BIG-IP LTM configuration from a few answers.
Configuring BIG-IP Local Traffic Manager as a reverse proxy for Microsoft Lync can be accomplished by following the F5 Deployment Guide for Microsoft Lync. This guidance includes load balancing and reverse proxy features for internal Lync servers, as well as Lync Edge servers that reside in a perimeter network.
For multitenant deployments, every client is external to the network hosting Lync application services. Therefore, every client must pass its traffic through the reverse proxy or Lync Edge servers when using any server-based feature.
Using this high-level configuration guide, enterprises and service providers can quickly determine which sections of the F5 Deployment Guide for Microsoft Lync to use for their deployment. Using the F5 iApp for Lync will speed and simplify the configuration.
To learn more, check out the following resources:
- F5 Deployment Guide for Lync
- Best Practice for Lync Edge Server Network Design
- Balancing Lync Edge Servers with a Hardware Load Balancer
- Ready to talk to F5? Email firstname.lastname@example.org or call 206-272-5555.
Keywords: Lync Web Access, Lync Web Services, Lync reverse proxy, Forefront Threat Management Gateway, multitenant, Lync Server Multitenant Hosting Pack, F5, Big-IP