High Availability and Web Publishing for UC Deployments
Load Balancing & Reverse Proxy
October 24, 2013
Bhargav Shukla
Director – Product Research and Innovation, KEMP Technologies
Twitter: @bhargavs
Load Balancing Lync 2013
• What should you load balance?
– Server-to-server traffic: Lync is topology aware, so no load balancing is needed
– Client-to-server traffic:
• DNS load balancing for the pool (SIP traffic)
• DNS load balancing does not work for web traffic
• Port translation is required for external web services traffic
Load Balancing Lync 2013
• Visual reference: high-availability method and load-balancing support per role

Role                      | High availability                                                        | Load balancer | DNS LB
--------------------------|--------------------------------------------------------------------------|---------------|-------
Standard Edition Server   | Not available                                                            | N/A           | N/A
Enterprise Edition Server | Deploy multiple servers in a pool and use load balancing                 | Yes           | Yes
Back End Server           | SQL Server uses Windows Clustering for high availability                 | No            | No
A/V Conferencing Server   | Deploy multiple servers in a pool and use load balancing                 | N/A           | N/A
Edge Server               | Deploy multiple servers in a pool and use load balancing                 | Yes           | Yes
Mediation Server          | Deploy multiple servers in a pool and use load balancing                 | Yes           | Yes
Monitoring                | Standby server (MSMQ on the Front End queues messages if it fails)       | No            | No
Archiving                 | Standby server (MSMQ on the Front End queues messages if it fails)       | No            | No
Director                  | Deploy multiple servers in a pool and use load balancing                 | Yes           | Yes
File Server               | Use Windows Clustering or Distributed File System                        | No            | No
Load Balancing Lync 2013
• Load Balancing Front End/Director Pools
[Deployment diagram: three zones, Internet / DMZ / Internal Network. Lync 2013 Mobile Client, Windows 8 Lync App and Lync 2013 Desktop client on the Internet reach the DMZ Load Balancer, Lync Edge Pool and Reverse Proxy; the internal network holds Active Directory, a second Load Balancer, the Lync Front-End Pool, Mirrored Back-End Servers, the Office Web Apps Server and internal mobile and desktop clients.]
Load Balancing Lync 2013
• Load Balancing Front End/Director Pools
• Microsoft recommended method
– Use DNS load balancing for SIP traffic
– Configure the web services override FQDN for internal web services
– Load balance TCP ports 80, 8080, 443 and 4443
– Also load balance TCP port 444 if a Director is deployed
Load Balancing Lync 2013
• Load Balancing Front End/Director Pools
– Source IP persistence can be used, but should you?
• Clients behind a NAT device show up as a single IP
• Can result in uneven connection distribution
– Health check on TCP port 5061, or use the hardware load balancer monitoring port from the topology if one is defined
– Alternatively check /meet/blank.html instead of 5061 to ensure IIS is working
Load Balancing Lync 2013
• Load Balancing Front End/Director Pools
– There is no negative impact if you use a cookie for persistence
• If you use a cookie, it must be named MS-WSMAN
• It must not expire
• It must not be marked HttpOnly
• Turn off cookie optimization
– Use a 20 minute TCP session timeout
– Use an 1800 second TCP idle timeout
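The two persistence points above, source-IP persistence collapsing NAT'd clients onto one member and the MS-WSMAN cookie rules, as an added example written for this page (not code from the deck or from any load-balancer product). Part 1 simulates source-IP persistence with a hash over the client address; part 2 checks a Set-Cookie header against the rules the deck lists (named MS-WSMAN, no expiration, not HttpOnly). The pool member names, client addresses and Set-Cookie lines are constructed.

```python
"""Persistence for the Lync Front End / Director web-services VIP.

Added example, written for this page; it is not code from the deck or from any
load-balancer product. Part 1 simulates source-IP persistence with a hash over the
client address and shows why clients behind one NAT gateway collapse onto a single
pool member. Part 2 checks a Set-Cookie header against the cookie rules the deck
lists for the Lync web services (named MS-WSMAN, no expiration, not HttpOnly).
Pool member names, client addresses and Set-Cookie lines are all constructed.
"""
import hashlib
from collections import Counter
from http.cookies import CookieError, SimpleCookie

# Hypothetical Front End pool members behind one web-services VIP.
POOL = ["fe01.contoso.local", "fe02.contoso.local", "fe03.contoso.local"]


def pick_by_source_ip(client_ip, pool=POOL):
    """Source-IP persistence: a stable hash of the client address selects the member,
    so every connection from one address lands on the same server."""
    digest = hashlib.sha256(client_ip.encode("ascii")).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def distribution(client_ips, pool=POOL):
    """Count connections per pool member under source-IP persistence."""
    return Counter(pick_by_source_ip(ip, pool) for ip in client_ips)


def check_persistence_cookie(set_cookie_header):
    """Return a list of violations of the MS-WSMAN cookie rules; [] means acceptable."""
    jar = SimpleCookie()
    try:
        jar.load(set_cookie_header)
    except CookieError:
        return ["Set-Cookie header could not be parsed"]
    if "MS-WSMAN" not in jar:
        return ["persistence cookie is not named MS-WSMAN"]
    morsel = jar["MS-WSMAN"]
    problems = []
    if morsel["expires"] or morsel["max-age"]:
        problems.append("cookie has an expiration (Expires or Max-Age is set)")
    if morsel["httponly"]:
        problems.append("cookie is marked HttpOnly")
    return problems


if __name__ == "__main__":
    # Constructed: 50 mobile clients sharing one carrier NAT address, plus a few
    # office clients with distinct addresses.
    nat_clients = ["203.0.113.10"] * 50
    office_clients = ["192.0.2.%d" % n for n in range(1, 11)]
    print("NAT clients only :", dict(distribution(nat_clients)))
    print("office + NAT     :", dict(distribution(office_clients + nat_clients)))
    for header in (
        "MS-WSMAN=a1b2c3; Path=/",
        "MS-WSMAN=a1b2c3; Path=/; HttpOnly",
        "MS-WSMAN=a1b2c3; Path=/; Max-Age=1800",
        "SERVERID=fe01; Path=/",
    ):
        print(header, "->", check_persistence_cookie(header) or "OK")
```

The first print shows all 50 NAT'd connections on one member, which is the uneven distribution the slide warns about; a cookie inserted by the load balancer identifies each client session individually and avoids that, provided the cookie satisfies the three rules the checker enforces.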
Load Balancing Lync 2013
• Load Balancing Front End/Director Pools
– Load balancer only configuration (DNS round robin not used for SIP)
• Load balance the following ports (all TCP): 5061, 444, 135, 80, 8080, 443, 4443, 448, 5070-5073, 5075-5076, 5080
• Reference: Hardware Load Balancer Ports if Using Only Hardware Load Balancing - http://bit.ly/1185Yvq
Load Balancing Lync 2013
• Load Balancing Mediation Pools
– DNS-only load balancing is sufficient
– If using a load balancer instead of DNS, load balance only TCP 5070
Load Balancing Lync 2013
• Load Balancing Edge Pools
(Deployment diagram as above.)
Load Balancing Lync 2013
• Load Balancing Edge Pools using DNS
– Failover is lost in the following scenarios:
• Federation with organizations running OCS versions older than Lync 2010
• Public IM connectivity (PIC) with Skype, Windows Live, AOL, Yahoo! and XMPP partners
• UM Play on Phone functionality
• Transferring calls from the UM Auto Attendant
Load Balancing Lync 2013
• Load Balancing Edge Pools using a Load Balancer – External Interfaces
• Access Edge interface (source NAT can be used)
– SIP (external clients) – TCP 443
– SIP (federation/PIC) – TCP 5061
– XMPP – TCP 5269
• Web Conferencing interface (source NAT can be used)
– PSOM – TCP 443
• A/V Edge interface (NAT cannot be used here)
– STUN/MSTURN – TCP 443
– STUN/MSTURN – UDP 3478
Load Balancing Lync 2013
• Load Balancing Edge Pools using a Load Balancer – External Interfaces
• Use the Access VIP as the default gateway on all Edge interfaces
• A/V Edge interface considerations
– Turn off TCP Nagle for both the internal and external TCP 443 VIPs
– Turn off TCP Nagle for the external port range 50,000-59,999
– Must use a publicly routable IP with no NAT or port translation
Load Balancing Lync 2013
• Load Balancing Edge Pools using a Load Balancer – Internal Interfaces
• Access SIP – TCP 5061: used by Directors and Front End pools
• A/V Authentication SIP – TCP 5062: used by any Front End pool and SBA
• A/V media transfer – UDP 3478: preferred path for A/V media
• A/V media transfer – TCP 443: fallback path for A/V media, file transfer and desktop sharing
Load Balancing Lync 2013
• Reverse Proxy
(Deployment diagram as above.)
Reverse Proxy – What is It
• A device deployed between clients and servers, usually in the DMZ, that interacts with servers and services on behalf of the client
• Commonly used to provide load balancing for availability and scalability
• Terminates TCP traffic
• Protects internal HTTP servers by providing a single point of access to the internal network
• Full reverse proxies provide advanced Layer 7 features such as SSL acceleration, traffic management, intrusion prevention, content acceleration, etc.
• More than NAT
Load Balancer = Reverse Proxy
Load Balancing Lync 2013
• Reverse Proxy – a separate VIP on the Load Balancer
– Load balance ports 80 and 443
– Translate to server ports 8080 and 4443
– Cannot use pre-authentication
– No persistence is required
– Use a 20 minute TCP session timeout
– Use an 1800 second TCP idle timeout
– Health check on port 5061, or use the hardware load balancer monitoring port from the topology if one is defined
– Alternatively check /meet/blank.html instead of 5061 to ensure IIS is working
Hardware Load Balancing - Edge
• Requires N+1 public IP addresses
• Reference - http://bit.ly/164jI3m & http://bit.ly/13Hgsaw
Load Balancing Lync 2013
• Load Balancing Office Web Apps Servers
– Load balance TCP 443
– Enable SSL and re-encrypt to the servers
– Use source IP for persistence with a 30 minute timeout; use other methods if NAT or concentrators are involved
– Use an 1800 second idle timeout
– Perform the health check on /hosting/discovery using HTTP GET
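The Layer 7 health checks the deck recommends for the Front End/Director and reverse-proxy VIPs (GET /meet/blank.html) and for the Office Web Apps VIP (GET /hosting/discovery), as an added example written for this page and not code from the deck or from any load-balancer product. A local HTTP server with constructed responses stands in for the pool members so the script runs offline; the expectation that /hosting/discovery returns a WOPI discovery document with a wopi-discovery root element is this example's assumption about what "healthy" means, and in production the Office Web Apps probe goes over TLS (tls=True).

```python
"""Layer 7 health probes for the Lync web-services and Office Web Apps VIPs.

Added example, written for this page; not code from the deck or any load-balancer
product. It implements the two HTTP health checks the deck describes as
alternatives to a bare TCP 5061 check: GET /meet/blank.html on a Front End or
Director (expect 200) and GET /hosting/discovery on an Office Web Apps server
(expect 200 and a WOPI discovery document whose root element is wopi-discovery).
A local HTTP server with constructed responses stands in for the pool members so
the script runs offline; in production the Office Web Apps probe uses TLS.
"""
import http.client
import ssl
import threading
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed responses, not captured from real servers.
FAKE_RESPONSES = {
    "/meet/blank.html": (200, b"<html><body></body></html>"),
    "/hosting/discovery": (
        200,
        b'<?xml version="1.0" encoding="utf-8"?>'
        b'<wopi-discovery><net-zone name="internal-https">'
        b'<app name="Word"><action name="view" ext="docx"/></app>'
        b"</net-zone></wopi-discovery>",
    ),
    # A member whose IIS answers but whose Office Web Apps service is broken:
    # status 200 with an error page instead of the discovery document.
    "/hosting/broken": (200, b"<html><body>Server Error</body></html>"),
}


class _FakeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = FAKE_RESPONSES.get(self.path, (404, b"not found"))
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_pool_member():
    """Start a stand-in pool member on an ephemeral loopback port; returns the server."""
    server = HTTPServer(("127.0.0.1", 0), _FakeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, path, tls=False, timeout=2.0):
    """GET path and return (status, body); (None, b'') if the member does not answer."""
    if tls:
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read()
    except (OSError, http.client.HTTPException):
        return None, b""
    finally:
        conn.close()


def fe_web_healthy(host, port, tls=False):
    """Front End / Director web services: IIS must serve /meet/blank.html with 200."""
    status, _ = probe(host, port, "/meet/blank.html", tls)
    return status == 200


def owa_discovery_valid(body):
    """True only if the body parses as XML whose root element is wopi-discovery."""
    try:
        return ET.fromstring(body).tag == "wopi-discovery"
    except ET.ParseError:
        return False


def owa_healthy(host, port, tls=False, path="/hosting/discovery"):
    """Office Web Apps: a 200 alone is not enough, the discovery XML must be intact."""
    status, body = probe(host, port, path, tls)
    return status == 200 and owa_discovery_valid(body)


if __name__ == "__main__":
    member = start_fake_pool_member()
    port = member.server_address[1]
    print("FE web services :", fe_web_healthy("127.0.0.1", port))
    print("OWA discovery   :", owa_healthy("127.0.0.1", port))
    print("OWA broken page :", owa_healthy("127.0.0.1", port, path="/hosting/broken"))
    print("member down     :", fe_web_healthy("127.0.0.1", 1))
    member.shutdown()
```

The point of parsing the discovery document rather than accepting any 200 is the third case: a member whose IIS is up but whose application is broken would pass a TCP or plain status check and keep receiving traffic, which is the "partially working server" the pros/cons table later credits an application-aware load balancer with taking offline.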
DNS or Hardware?
Hardware load balancer (HLB) pros:
- Application awareness
- Simpler server draining
- Easy to take a partially working server offline
- Supports all client levels
- HA for PIC/XMPP and legacy federation
HLB cons:
- Additional setup work required
- Adds significantly to deployment (myth)
- Adds substantial latency (myth)
- Over-complicates troubleshooting (myth)
DNS load balancing pros:
- Less overall complexity
- Minimal load balancing expertise required
DNS load balancing cons:
- Extra step for server draining
- Some third-party applications don't understand DNS LB
- Many PBXs can't talk to a pool of DNS-load-balanced Mediation Servers
- Down-level clients don't support DNS LB
Best Practices
-Use the same load balancing method for the internal and external Edge interfaces
-Don't leave the timeout at default: set the TCP idle timeout to 1800 seconds
-Turn off TCP Nagle for the A/V Edge port range 50,000-59,999 and for internal/external TCP 443
-Use SNAT for general services and DNAT for the A/V Edge
-Test load balancer and Lync failover scenarios BEFORE you need them
-Avoid direct server return (DSR): it is not supported
-Create an independent virtual service for each Edge service (Access, Web Conferencing, A/V)
-Use cookie-based persistence for external Lync web services and source-address persistence for internal Lync web services
-Cookie-based persistence is required for Lync Mobility services: the cookie must be named MS-WSMAN, must not be marked HttpOnly, and must not expire
-Always use an HLB if HA for XMPP/PIC/legacy federation is important
-The Edge internal interface must be on a different network than the Edge external interface, with routing between them disabled
-The Edge Server external interface running A/V must use a publicly routable IP with no NAT/PAT
Thank You!