Lync servers provide both local and remote access to enterprise Unified Messaging and Voice workloads such as IM, Conferencing, Voice calls and Application Sharing. When it comes to remotely accessing workloads such as Join a meeting, find local dial-in phone numbers, access to address book and meeting content such as PowerPoint presentations, a reverse proxy is required to provide such functionality. Since Forefront Threat Management Gateway (TMG) was discontinued in 2012, customers have been looking for alternatives. KEMP LoadMaster products can be that alternative which not only acts as a load balancer for your Lync workloads but can also serve as much needed reverse proxy for abovementioned workloads.
Author: Bhargav Shukla - Director – Product Research and Innovation, KEMP Technologies Inc.
Note: KEMP is actively engaged with Microsoft UCOIP team to complete certification process. Upon completion, both load balancing and reverse proxy solutions from KEMP are expected to be approved.
Let’s take a look at Lync 2013 architecture with Lync 2013 Front-End Pool, Office Web Apps Server farm and other components deployed (see diagram below). When we consider Reverse Proxy requirements, we can divide incoming Lync traffic into two distinct groups. One group of requests are addressed to Lync Web Services which provides access to Meet and Dial-in functionality, address book downloads and such. Another group of requests are destined to Office Web Apps Server farm, to gain access to PowerPoint presentations being shared by presenter during a Lync meeting. Reverse Proxy is needed to address both workloads and can either use a single Virtual service running on a single IP or two distinct virtual services requiring two public IP addresses. In this article we will deploy two virtual services requiring two public IP addresses.
The diagram above shows two separate devices in DMZ; one for load balancing and one for Reverse Proxy functionality. This is logical representation of services which could be physically handled by single device. KEMP LoadMaster ADCs are capable of performing both load balancing and reverse proxy functionality as it pertains to Lync Server workloads.
There are two possible ways you can configure KEMP LoadMaster to perform Reverse Proxy functionality. One is to manually perform configuration steps and second is to use templates. Templates are great way to avoid errors and allows for rapid configuration of required workloads.
Let’s download Lync 2013 template from KEMP Technologies website:
Next, we will import the template to KEMP LoadMaster:
Since both Lync Web Services and Office Web Apps Server use encryption, you have an option to install SSL certificate on Reverse Proxy with benefit of managing certificates from single device and is recommended.
Once you have installed required SSL certificates on the device, the next step is to configure virtual services for reverse proxy functionality.
Reverse Proxy for Lync Web Services
First, let’s create virtual service for Lync Web Services. Lync Server 2013 front-end servers will be servicing the requests coming through this virtual service. Since we are using template, this becomes a simple task. All you need is publishing IP address commonly known as VIP or Virtual IP Address and name of the template “Lync Reverse Proxy 2013” in this case. We will add Lync servers to the virtual service once created.
Once you add the virtual service, you are left with two tasks: add correct SSL certificate to the service and add Lync Front-End servers. All the other parameters such as health check, persistence, scheduling and others are set to recommended configuration. You, however, have complete control over all parameters should you decide to change it for any reason after creating the virtual service.
It’s also important to point out that for Lync Web Services, you need to create two services, one listening on port 80 and one listening on TCP port 443. If you use template, both will be created for you. Don’t forget to create both should you decide to create them manually.
When adding the servers to the virtual service for Lync Web Services, let’s not forget that the clients are external and will be accessing external website on Lync Front-End servers which listens on TCP ports 8080 and 4443. When adding the servers, make sure correct port is used.
Once all Lync Front-End servers from given pool are added to the virtual service, you should see the health check pass for healthy servers and virtual service status change to up and start servicing clients:
Reverse Proxy for Office Web Apps Servers
Next, let’s setup Reverse Proxy for Office Web Apps Servers. While using the template, process is not different, it’s important to draw differences between Lync Web Services and Office Web Apps Server virtual services.
First one is, unlike Lync Web Services, Office Web Apps servers listen to TCP port 443 if configured for HTTPS. You have an option to configure them to listen on TCP port 80 if SSL isn’t used but that’s not security best practice. For this article we will assume the Office Web Apps servers are configured for HTTPS. Only one virtual service needs to be configured for Office Web Apps servers.
Second is health check. For Office Web Apps servers, we can perform health check on /hosting/discovery URL for given farm members. We can send requests from clients to any Office Web Apps server that passes this health check.
With that distinction, let’s create virtual service using the template:
Once created, all you need to do is add your Office Web Apps servers for given farm to the virtual service we just created. Unlike, Lync Web Services, we don’t need to change listening port on real server being added to virtual service:
We will also need to make sure that correct SSL certificate is assigned to the virtual service in order to avoid connectivity issues and certificate warnings on client machines. If you need details steps or would like to manually create these services, you can refer to detailed instructions provided in “LoadMaster Deployment Guide for Microsoft Lync 2013” located here: http://kemptechnologies.com/files/downloads/documentation/7.0/Deployment_Guides/Deployment_Guide-Lync_2013.pdf
KEMP LoadMaster provides secure, scalable and cost effective way to meet the load balancing needs for your Lync Server 2013 deployment. They also double as reverse proxy solution for Lync Server 2013 as well as Office Web Apps servers required for Lync meetings and presentations.
KEMP LoadMaster products are easy to configure using templates while providing you full control over configuration of given virtual services regardless of method of their creation (template or manual). You can configure KEMP LoadMaster products for your Lync environment using LoadMaster Deployment Guide for Microsoft Lync 2013.
To learn more, check the following resources:
Need to talk to someone from KEMP? Call 631-345-5292 or Email firstname.lastname@example.org
Lync Server Resources