Tuesday, June 30, 2015

KEMP LoadMaster as Reverse Proxy for Lync/Skype4B Server



In this article I will show how to configure the KEMP LoadMaster HLB to act as a Reverse Proxy for Lync / Skype for Business Server.

The topic of Reverse Proxy has always been the “weakest link” in the entire Lync/Skype4B installation journey, for two reasons. First, people have a hard time grasping the basic concept of why a Reverse Proxy is necessary, and second – which solution to use. Let’s take on each topic.

Reverse Proxy


A Lync server (Front End and Director roles) has two web sites – Internal and External.


In Topology, the two web sites are bound to different ports.


There is a good reason for that – a request for a web service might come from inside (LAN) or outside (Internet), and the server must respond accordingly. Think about joining a meeting – when we click the Join Lync/Skype meeting link, a DNS query for meet.contoso.com is made and an IP address is returned – either internal or public, depending on which DNS server we query. Based on our location, the server will “answer” with the internal or external pool web services FQDN where the meeting will be hosted, and we will join the meeting. So, the only way to “let” the server know where we are coming from is to… land on the appropriate web site. We cannot “choose” where to make the request (the internal site if we are on the LAN, or the external site if we are on the Internet). Since the meeting invite contains only one web link, https://meet.contoso.com/user/meeting (and HTTPS implies port 443), the only way we “land” on port 4443 (where the external site is bound) is to “flip” the traffic arriving on port 443 to port 4443.

One might say – but we can do that on our firewall with port forwarding. While true, it is not recommended for many reasons. To state one – certificates. Think about it – the internal web services are bound to a certificate issued by the internal CA. If we just do port forwarding, the HTTP request will be terminated with this internal certificate, and unless the workstation has the internal CA's trusted root and any internal intermediate certificate(s), the SSL request will fail. In this case, how can someone join a meeting from a non-corporate laptop? Simple answer – they cannot.

So, to recap – the Reverse Proxy is the place where we terminate the SSL request with a public certificate, “flip” the port from 443 to 4443 and “proxy” the connection to the Lync server. The server replies to the RP on port 4443, and the RP “flips” the port back to 443 and replies to our request.

What software to use as Reverse Proxy


There are many "solutions" out there. I must emphasize one thing – always use a product from this list: https://technet.microsoft.com/en-us/office/dn788945. Only qualified products are thoroughly tested, and any future Lync/S4B Cumulative Update and/or product update will be aligned and validated prior to release. I have seen many cases where a non-qualified product is updated and some or all functionality is now broken, causing grief for both users and administrators.


Kemp LoadMaster



As I said in the beginning, this article is about KEMP. The primary reason – as of now, Kemp Technologies offers a free LoadMaster: http://freeloadbalancer.com. Don't be confused by the name “loadbalancer” – every HLB can act as a reverse proxy, and this is what we will do today.

First, of course, we need to register for a KEMP ID. We will use this ID later to license the appliance and unlock the features. Once done, we are taken to the Download page.



For this exercise I will use the VMware OVF, but KEMP offers the Virtual Appliance for many different platforms.


While deploying the OVF template, make sure the network adapter is mapped to your DMZ subnet.


Here are the original settings after the VM was added. Note that both network adapters are on the DMZ.


We want the second network adapter on our server network


We are now ready to power on the VM.


As we see, the VM is configured with default IP 192.168.1.101, user name - bal and password - 1fourall.


Before we access the appliance via web browser, let's do some initial configuration. Log in to the console with the default credentials. Change the IP address (if you wish to do so). I will use 192.168.1.111.


Configure default gateway


and DNS



We are now ready to complete the configuration via web browser.



Accept the EULA, on the next screen select “Free LoadMaster” and click Allow.



Now we are taken to the licensing screen. Here we will use our KEMP ID.





We must change the password.


...and now our KEMP is licensed and features are unlocked.

Configuration


There are three steps involved – install the Templates (for automatic configuration), install the public certificate (to provide connectivity to non-corporate devices) and configure the Virtual Service (the actual Reverse Proxy).

KEMP Templates

When it comes to Lync web services and HLB/RP, we have very specific requirements that must be fulfilled. The list can be found here: https://technet.microsoft.com/en-us/library/jj656815%28v=ocs.15%29.aspx?f=255&MSPPError=-2147217396

From my past experience, I can tell you that 99% of the issues were around missing/misconfigured parameters. Luckily for us, KEMP offers so-called Templates: http://kemptechnologies.com/loadmaster-documentation/#c7842 – which, when used, will configure your new Virtual Service with all parameters as per TechNet. We will see this in the next step.

Download Lync 2013 Templates http://kemptechnologies.com/files/assets/templates/Lync2013.tmpl to your computer. In KEMP GUI, navigate to Virtual Services -> Manage Templates





Browse to the file we downloaded on the previous step and click Add New Template




As we can see, we have templates for all possible scenarios in which this Virtual Appliance can be used in our Lync environment.

Certificates


As I mentioned above, we will configure the Reverse Proxy to serve requests from the Internet, so we need to configure KEMP with a public certificate that mobile devices will trust. I will use a wildcard certificate for my domain issued by DigiCert. I already have the certificate exported in .pfx format (private key included).

In KEMP, navigate to Certificates -> SSL Certificates



Click Import Certificate



Browse to the .pfx file, enter password and make sure Certificate Identifier is one word (KEMP does not like white spaces) and Save.



***The next step is very important. Since this certificate is issued by a public authority, we must also import any intermediate certificates that are in the certificate chain. To do so, open the certificate in MMC and go to the Certification Path tab. Here we see one intermediate and one root – both must be imported.



I will find the root and the intermediate in my Local Computer certificate store and export them in Base-64 encoded format (DER will not work on KEMP). Then I will import those by clicking the Add Intermediate button. Here is the final result:
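A pre-import check for the Base-64 versus DER point above, as an added example that is not part of the original article or KEMP's tooling: it classifies an exported certificate file and converts DER to Base-64 (PEM) text. The function names and the sample blob are constructed for illustration.

```python
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
LEADING_NOISE = b"\xef\xbb\xbf \t\r\n"   # UTF-8 BOM bytes and blank space some editors add

def der_sequence_spans(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) from first to last byte."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: the length fits in one byte
        header, length = 2, first
    else:                                 # long form: next (first & 0x7f) bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def detect_encoding(data: bytes) -> str:
    """Classify an exported certificate file as 'pem', 'der' or 'unknown'."""
    if data.lstrip(LEADING_NOISE).startswith(PEM_HEADER):
        return "pem"
    if der_sequence_spans(data):
        return "der"
    return "unknown"

def ensure_pem(data: bytes) -> str:
    """Return the certificate as Base-64 (PEM) text, converting from DER if needed."""
    kind = detect_encoding(data)
    if kind == "pem":
        return data.lstrip(LEADING_NOISE).decode("ascii").replace("\r\n", "\n")
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not a PEM or DER X.509 certificate file")

# Constructed sample: a DER-shaped blob (SEQUENCE, long-form length 300),
# not a real certificate. Replace with open(path, "rb").read() for a real export.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)

if __name__ == "__main__":
    pem = ensure_pem(SAMPLE_DER)
    print(detect_encoding(SAMPLE_DER), "->", detect_encoding(pem.encode("ascii")))
    print(pem.splitlines()[0])
```
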




Configuring Virtual Service

In the initial configuration steps I have configured the appliance with IP address from DMZ. However, the Virtual Service must be able to connect to our Real Servers and so, I must configure the second virtual NIC with IP from the server subnet.

Go to System Configuration, Interfaces, eth1 and configure IP address/Subnet (don't forget to click Set Address)



Now we can create a new Virtual Service using the Template. Navigate to Virtual Service, Add New. Give it an IP address, select Lync Reverse Proxy 2013 from the “Use template” drop-down menu and click “Add this Virtual Service”. The IP address is any available IP on our DMZ network. In the end, this DMZ VS IP will be mapped 1:1 to a public IP address.




You will be taken to the configuration screen for the 443 service (there was one more for port 80 which we don’t see right now) where we will complete the configuration.



What’s left is to configure the service with certificate and add the Lync servers. Expand SSL Properties, highlight the certificate you want to assign and move it to the “Assigned Certificates”. Don’t forget to click Set Certificates button or the change will not be applied.



Expand “Real Servers”



Click “Add New” and enter the IP address of the Lync server, make sure the Port is set to 4443 (remember, we have to hit the External web site which runs on 4443) and click “Add This Real Server” button.



Repeat for all servers in your pool if you have an EE pool.

Now click View/Modify Services on left...


...and you should see the Status as Up (green). This indicates that the Virtual Service has connected to the Lync servers and is ready to go.


The service for port 80 is Down (red) because we have not added "Real Servers" yet. Click Modify under the Action column, then Add New under Real Servers...



...add the IP addresses of the Lync servers again (make sure Port is set to 8080)


and the final result should be - all Green.


That's all, folks. Really! Configure your NAT, Firewall and DNS and test your new Reverse Proxy. I guarantee it will work.
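One way to run that test from a machine outside the corporate domain, as an added example that is not from the original article: it performs the TLS handshake against port 443 using only the local default trust store and checks which published names a certificate's SAN list covers. The sample SAN list and the name sip.eu.contoso.com are constructed placeholders.

```python
import socket
import ssl
import sys

def san_covers(hostname: str, san_dns_names) -> bool:
    """Wildcard-aware match: '*' counts only as the whole left-most label
    and stands for exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def uncovered(hostnames, san_dns_names):
    """Published names the certificate would NOT be valid for."""
    return [h for h in hostnames if not san_covers(h, san_dns_names)]

def probe(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake validated against this machine's default trust store.
    OpenSSL does not fetch missing intermediates, so an incomplete chain on
    the proxy shows up here as a verification failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"host": hostname, "ok": False, "reason": exc.verify_message}
    except OSError as exc:   # DNS failure, refused connection, timeout, other TLS errors
        return {"host": hostname, "ok": False, "reason": str(exc)}
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    issuer = dict(pair[0] for pair in cert.get("issuer", ()))
    return {"host": hostname, "ok": True, "sans": sans,
            "issuer": issuer.get("organizationName", "")}

# Constructed SAN list, shaped like a wildcard certificate for the example domain.
SAMPLE_SANS = ["*.contoso.com", "contoso.com"]

if __name__ == "__main__":
    # Offline part: a wildcard covers one label only.
    print(uncovered(["meet.contoso.com", "sip.eu.contoso.com"], SAMPLE_SANS))
    # Online part: pass your own published names, e.g. python check.py meet.example.org
    for host in sys.argv[1:]:
        print(probe(host))
```

Run it from a machine that does not trust the internal CA; on a domain-joined workstation a certificate issued by the internal CA would also pass.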

If or when time permits, I will show you how you can use KEMP to serve multiple services with one IP address. In my lab I use it for Exchange, two EE pools and one SE Lync pool, ADFS and more, all with one single IP address.
