Tuesday, June 30, 2015

KEMP LoadMaster as Reverse Proxy for Lync/Skype4B Server



In this article I will show how to configure KEMP LoadMaster HLB to act as Reverse Proxy for Lync / Skype for Business server.

The topic of Reverse Proxy has always been the “weakest link” in the entire Lync/Skype4B installation journey for two reasons. First, people have a hard time grasping the basic concept of why a Reverse Proxy is necessary, and second – what solution to use. Let’s take on each topic.

Reverse Proxy


Lync (Front End and Director roles) has two web sites – Internal and External.


In Topology, the two web sites are bound to different ports.


There is good reason for that – a request for web service might come from Inside (LAN) or Outside (Internet) and the server must respond accordingly. Think about meeting join – when we click the Join Lync/Skype meeting link, a DNS query for meet.contoso.com will be made, and an IP address will be returned – either internal or public, depending on which DNS we query. Based on our location, the server will “answer” with the internal or external pool web services FQDN where the meeting will be hosted, and we will join the meeting. So, the only way to “let” the server know where we are coming from is to… land on the appropriate web site. We cannot “choose” where to make the request (to the Internal site if we are on the LAN or the External site if we are on the Internet). Since in the Meeting Invite we see only one web link, https://meet.contoso.com/user/meeting (and HTTPS implies use of port 443), the only way we “land” on port 4443 (where the external site is bound) is to “flip” the traffic arriving on port 443 to port 4443.

One might say – but we can do that on our firewall with port forwarding. While true, it is not recommended for many reasons. To state one – certificates. Think about it – internal web services are bound to a certificate issued by the Internal CA. If we just do port forwarding, the HTTPS request will be terminated with this internal certificate, and unless the workstation has the Internal CA Trusted Root, and possibly the internal Intermediate certificate(s), the SSL request will fail. In this case, how can someone join a meeting from a non-corporate laptop? Simple answer – they cannot.

So, to recap – the Reverse Proxy is the place where we terminate the SSL request with a Public certificate, “flip” the port from 443 to 4443 and “proxy” the connection to the Lync server. The server replies to the RP on port 4443, the RP “flips” the port again to 443 and replies to our request.

What software to use as Reverse Proxy


There are many "solutions" out there. I must emphasize one thing – always use a product from this list: https://technet.microsoft.com/en-us/office/dn788945. Only qualified products are thoroughly tested, and any future Lync/S4B Cumulative Update and/or Product update will be aligned and validated prior to release. I have seen many cases where a non-qualified product is updated and some or all functionality is now broken, causing grief for both users and administrators.


Kemp LoadMaster



As I said in the beginning, this article is about KEMP. The primary reason – as of now, Kemp Technologies offers a free LoadMaster: http://freeloadbalancer.com. Do not be confused by the name “loadbalancer” – every HLB can act as a reverse proxy, and this is what we will do today.

First, of course, we need to register for KEMP ID. We will use this ID later to license the appliance and unlock the features. Once done, we are taken to the Download page.



Here, for this exercise I will use the VMware OVF, but KEMP offers the Virtual Appliance for many different platforms.


While deploying the OVF template, make sure the network adapter is mapped to your DMZ subnet.


Here are the original settings after the VM was added. Note that both network adapters are on the DMZ.


We want the second network adapter on our server network.


We are now ready to power on the VM.


As we see, the VM is configured with default IP 192.168.1.101, user name - bal and password - 1fourall.


Before we access the appliance via web browser, let's do some initial configuration. Log in to the console with the default credentials. Change the IP address (if you wish to do so). I will use 192.168.1.111.


Configure default gateway


and DNS



We are now ready to complete the configuration via web browser.



Accept the EULA, on the next screen select “Free LoadMaster” and click Allow.



Now we are taken to the licensing screen. Here we will use our KEMP ID.





We must change the password.


...and now our KEMP is licensed and features are unlocked.

Configuration


There are three steps involved – install Templates (for automatic configuration), install the public certificate (to provide connectivity to non-corporate devices) and configure the Virtual Service (the actual Reverse Proxy).

KEMP Templates

When it comes to Lync web services and HLB/RP, we have very specific requirements that must be fulfilled. The list can be found here: https://technet.microsoft.com/en-us/library/jj656815%28v=ocs.15%29.aspx?f=255&MSPPError=-2147217396

From my past experience, I can tell you that 99% of the issues were around missing/misconfigured parameters. Luckily for us, KEMP offers so-called Templates: http://kemptechnologies.com/loadmaster-documentation/#c7842 – which, when used, will configure your new Virtual Service with all parameters as per TechNet. We will see this in the next step.

Download Lync 2013 Templates http://kemptechnologies.com/files/assets/templates/Lync2013.tmpl to your computer. In KEMP GUI, navigate to Virtual Services -> Manage Templates





Browse to the file we downloaded on the previous step and click Add New Template




As we can see, we have templates for all possible scenarios this Virtual Appliance can be used in our Lync environment.

Certificates


As I mentioned above, we will configure the Reverse Proxy to serve requests from the Internet, so we need to configure KEMP with a Public certificate that mobile devices will trust. I will use a wildcard certificate for my domain issued by DigiCert. I already have the certificate exported in .pfx format (private key included).

In KEMP, navigate to Certificates -> SSL Certificates



Click Import Certificate



Browse to the .pfx file, enter the password, make sure the Certificate Identifier is one word (KEMP does not like white spaces) and click Save.



***The next step is very important. Since this certificate is issued by a Public Authority, we must also import any intermediate certificates that could be in the certificate chain. To do so, open the certificate in MMC and go to the Certification Path tab. Here we see one Intermediate and one root – both must be imported.



I will find the root and the intermediate in my Local Computer Certificate store and export them in Base-64 encoded format (DER will not work on KEMP). Then I will import those by clicking the Add Intermediate button. Here is the final result.




Configuring Virtual Service

In the initial configuration steps I have configured the appliance with IP address from DMZ. However, the Virtual Service must be able to connect to our Real Servers and so, I must configure the second virtual NIC with IP from the server subnet.

Go to System Configuration, Interfaces, eth1 and configure IP address/Subnet (don't forget to click Set Address)



Now we can create a new virtual service using a Template. Navigate to Virtual Service, Add New. Give it an IP address, select Lync Reverse Proxy 2013 from the “Use template” drop-down menu and click “Add this Virtual Service”. The IP address is any available IP on our DMZ network. At the end, this DMZ VS IP will be mapped 1:1 to a Public IP address.




You will be taken to the configuration screen for the 443 service (there was one more for port 80 which we don’t see right now) where we will complete the configuration.



What’s left is to configure the service with certificate and add the Lync servers. Expand SSL Properties, highlight the certificate you want to assign and move it to the “Assigned Certificates”. Don’t forget to click Set Certificates button or the change will not be applied.



Expand “Real Servers”



Click “Add New” and enter the IP address of the Lync server, make sure the Port is set to 4443 (remember, we have to hit the External web site which runs on 4443) and click “Add This Real Server” button.



Repeat for all servers in your pool if you have an EE pool.

Now click View/Modify Services on the left...


...and you should see the Status as Up (green). This indicates that the Virtual Service connected to the Lync servers and is ready to go.


The service for port 80 is Down (red) because we have not added "Real Servers" yet. Click Modify under the Action column, Add New under Real Servers...



...add the IP addresses of the Lync servers again (make sure Port is set to 8080)


and the final result should be - all Green.


That's all, folks. Really! Configure your NAT, Firewall and DNS and test your new Reverse Proxy. I guarantee it will work.
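For the testing step, here is a pre-flight check written for this walkthrough; it is an added example, not KEMP or Microsoft tooling. It reports which published names a wildcard certificate does not cover and performs a handshake against the published address using only the public trust store, which surfaces a missing intermediate on the proxy. The certificate names and every FQDN other than meet.contoso.com are constructed sample values.

```python
import socket
import ssl
import sys

# Constructed sample data (assumptions, not values from the article's lab).
CERT_NAMES = ["*.contoso.com", "contoso.com"]
PUBLISHED = ["meet.contoso.com", "dialin.contoso.com",
             "lyncdiscover.contoso.com", "webext.pool1.contoso.com"]

# OpenSSL verify codes mapped to the most likely cause in this setup.
HINTS = {
    10: "certificate has expired",
    18: "self-signed certificate presented",
    19: "chain ends in a root this client does not trust (internal CA?)",
    20: "issuer not found: intermediate not imported on the proxy, or internal CA",
    21: "leaf not verifiable: intermediate not imported on the proxy, or internal CA",
    62: "requested name is not covered by the certificate",
}


def name_matches(pattern, host):
    """'*' may only be the whole left-most label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered(cert_names, published):
    """Return the published FQDNs that no certificate name covers."""
    return [h for h in published
            if not any(name_matches(n, h) for n in cert_names)]


def diagnose(verify_code):
    """Translate an OpenSSL verify code into a hint for this deployment."""
    return HINTS.get(verify_code, f"OpenSSL verify error {verify_code}")


def probe(host, port=443, timeout=5.0):
    """Handshake the way a non-corporate client would. Returns (ok, detail)."""
    ctx = ssl.create_default_context()  # public trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return True, "chain and name OK; SANs: " + ", ".join(sans)
    except ssl.SSLCertVerificationError as exc:
        return False, diagnose(exc.verify_code)
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    print("Not covered by certificate:", uncovered(CERT_NAMES, PUBLISHED))
    for fqdn in sys.argv[1:]:  # e.g. python check_rp.py meet.contoso.com
        ok, detail = probe(fqdn)
        print(f"{fqdn}: {'PASS' if ok else 'FAIL'} - {detail}")
```

Run the live probe from a machine that does not have the internal CA in its trust store, otherwise a plain port-forward to the internal certificate can pass unnoticed.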

If or when time permits, I will show you how you can use KEMP to serve multiple services with one IP address. In my lab I use it for Exchange, two EE pools and one SE Lync pool, ADFS and more with one single IP address.
