How to deliver secure, highly available Microsoft applications

Deliver Secure, Highly Available Microsoft Applications with 3 Key Load Balancer Services

Upload: kemp-load-balancers

Posted on 08-May-2015


Category: Software

DESCRIPTION

Deliver secure, highly available Microsoft Applications with 3 key Load Balancer services with Alex Lewis (Lync MVP, Modality Systems), Jon Braunhut (Chief Scientist at http://KEMPTechnologies.com) and Bhargav Shukla (Exchange MVP, Director of Product Research and Innovation at http://kemptechnologies.com).

TRANSCRIPT

Page 1: How to deliver secure, highly available Microsoft applications

Deliver Secure, Highly Available Microsoft Applications with 3 Key Load Balancer Services

Page 2

Alex Lewis: Principal Consultant and VP at Modality Systems, author of Lync 2010/2013 Unleashed, Lync MVP

Jon Braunhut: Chief Scientist at KEMP Technologies

Bhargav Shukla: Director of Product Research and Innovation at KEMP Technologies, Exchange MVP

Page 3: Agenda

• Lync 2013 Web Services... and other Services Load Balancing
• Lync 2013 Reverse Proxy
• Office Web Apps Publishing
• Exchange 2013 Load Balancing
• Exchange 2013 Reverse Proxy and KEMP Edge Security Pack
• Q&A

Page 4: Why Load Balance Lync?

Page 5

1. Even with DNS load balancing, web services must be load balanced using an external load balancer (DNS LB covers SIP and media traffic, not the HTTP/HTTPS web services)
2. Often simplifies PBX integration with multiple Mediation Servers
3. External applications often don't understand DNS LB, or treat it as plain DNS round robin
4. HA for Lync Edge services, including legacy, PIC and XMPP federation

Page 6: Load Balancer Requirements

Page 7: Load Balancer Requirements

| Role | High Availability | Load Balancer | DNS Balancing |
|---|---|---|---|
| Standard Edition server | Not available | N/A | N/A |
| Enterprise Edition Front End Server | Deploy multiple servers in a pool and use load balancing | Yes | Yes |
| Back End Server | SQL Server uses Windows clustering for high availability | No | No |
| A/V Conferencing Server | Deploy multiple servers in a pool; load balancing not required | N/A | N/A |
| Edge Server | Deploy multiple servers in a pool and use load balancing | Yes | Yes |
| Mediation Server | Deploy multiple servers in a pool and use load balancing | Yes | Yes |
| Monitoring | Standby server (MSMQ) on the Front End queues messages in the event of a failure | No | No |
| Archiving | Standby server (MSMQ) on the Front End queues messages in the event of a failure | No | No |
| Director | Deploy multiple servers in a pool and use load balancing | Yes | Yes |
| File server | Use Windows cluster or Distributed File System | Yes | Yes |

Page 8: Lync 2013 Web Services

• Basic HTTPS load balancing
• No more cookie insertion for mobile!
• Be sure to turn on HTTP -> HTTPS redirection
• Separate virtual IPs for internal and external web services

Page 9: HTTP to HTTPS Redirection

• Create a virtual service on port 80 for the Lync external web services FQDN (the HTTPS virtual service itself stays on port 443)
• Set an HTTP 302 redirect with the redirect URL set to https://%h%s, where %h is replaced with the Host header of the request and %s with the requested URI, so the client lands on the same path over HTTPS
• In the virtual service status menu you will see "Redirect"
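What the port-80 redirector actually sends back, as an added example (illustrative Python, not KEMP's implementation or configuration syntax): it applies the %h / %s substitution of the redirect URL above and adds the check a practitioner wants before enabling it, namely that an unpublished Host header is not echoed into the Location (which would make the redirector an open redirect). The host names, the allowlist and the sample request are constructed for the example.

```python
"""Added example (illustrative, not KEMP's implementation): what a port-80
redirector virtual service returns when its redirect URL is https://%h%s.
The load balancer substitutes %h with the Host header of the request and %s
with the request URI, so a client that typed http://meet.example.com/meet/x
is sent to https://meet.example.com/meet/x.  Host names are constructed."""
from urllib.parse import urlsplit

# Constructed allowlist: the FQDNs the port-443 web services virtual service
# really serves.  Reflecting an arbitrary Host header into Location would turn
# the redirector into an open redirect, so unknown hosts fall back to a
# canonical name instead of being echoed.
PUBLISHED_HOSTS = {"lyncweb.example.com", "meet.example.com", "dialin.example.com"}
CANONICAL_HOST = "lyncweb.example.com"
REDIRECT_URL = "https://%h%s"


def parse_request(raw: bytes):
    """Return (method, request_target, host) from a raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method, target = parts[0], (parts[1] if len(parts) > 1 else "/")
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
            break
    return method, target, host


def substitute(template: str, host: str, target: str) -> str:
    """Apply the %h / %s substitution the redirect URL setting uses."""
    return template.replace("%h", host).replace("%s", target)


def build_redirect(raw_request: bytes, template: str = REDIRECT_URL) -> bytes:
    """Produce the 302 response the redirector sends for one HTTP request."""
    _method, target, host = parse_request(raw_request)
    host = host.split(":", 1)[0]            # drop an explicit :80
    if host not in PUBLISHED_HOSTS:
        host = CANONICAL_HOST
    # %s must be the origin-form URI (/path?query).  An absolute-form target
    # (GET http://attacker/... HTTP/1.1) carries its own authority, which must
    # not leak into Location, so reduce it to path and query.
    if not target.startswith("/"):
        parts = urlsplit(target)
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
    location = substitute(template, host, target)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def location_of(raw_request: bytes) -> str:
    """Convenience: just the Location header value for a request."""
    for line in build_redirect(raw_request).decode().split("\r\n"):
        if line.startswith("Location: "):
            return line[len("Location: "):]
    return ""


if __name__ == "__main__":
    req = b"GET /meet/abc?x=1 HTTP/1.1\r\nHost: meet.example.com\r\n\r\n"
    print(build_redirect(req).decode())
```

To verify the real virtual service, `curl -sI http://meet.example.com/meet/abc` should return a 302 whose Location is the same path under https://. Repeat it with a Host header for a name you do not publish; if that name comes back in Location, the redirector is reflecting arbitrary hosts and needs the allowlist above in front of it.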

Page 10: Load Balancing Mediation Pools

1. Required for most ITSPs for direct connectivity without an SBC
2. Required for IP PBXs that don't support DNS LB, and that's almost all of them
3. Ensures equal load balancing
4. Easier maintenance and testing

Page 11: Best Practices for LB Mediation

• Use SNAT load balancing (full NAT) on the gateway/PBX side of the Mediation Server pool, so the gateway sees the load balancer's address as the source of the connection and sends return traffic back through it
• Use it if the gateway doesn't support DNS LB, to simplify gateway/PBX configuration: the PBX trunks to one virtual IP instead of to every Mediation Server

Page 12: Lync 2013 Reverse Proxy

(Architecture diagram: Internet | DMZ | Internal Network. Lync 2013 mobile clients, the Windows 8 Lync App and Lync 2013 desktop clients on the Internet reach a load balancer in the DMZ that fronts the Lync Edge Pool and the Reverse Proxy; on the internal network a second load balancer fronts the Lync Front-End Pool, with mirrored Back-End Servers, the Office Web Apps Server, Active Directory, and internal mobile and desktop clients.)

Page 13: Reverse Proxy – What is it?

1. Device deployed between clients and servers, usually in the DMZ, that interacts with servers and services on behalf of the client
2. Commonly used to provide load balancing for availability and scalability
3. Terminates TCP traffic
4. Protects internal HTTP servers by providing a single point of access to the internal network
5. Full reverse proxies provide advanced Layer 7 features such as SSL acceleration, traffic management, intrusion prevention, content acceleration, etc.
6. More than NAT

Page 14: Reverse Proxy – What is it? (diagram)

Page 15: Lync 2013 Web Services Reverse Proxy

1. Load balance ports 80 and 443
2. Translate to server ports 8080 and 4443
3. Cannot use pre-authentication
4. No persistence is required
5. Health check on port 5061, or use the hardware load balancer monitoring port from the topology if defined
6. Alternatively check /meet/blank.html instead of 5061, to ensure IIS itself is working
7. Use a 20 minute TCP session timeout
8. Use an 1800 second TCP idle timeout

Page 16: Office Web Apps Publishing

1. Load balance port TCP/443
2. Enable SSL and re-encrypt to the servers
3. Use source IP for persistence with a 30 minute timeout; use other methods if NAT or concentrators are involved, since every client behind one NAT address would otherwise land on the same server
4. Perform the health check on /hosting/discovery using HTTP GET
5. Use an 1800 second idle timeout

Page 17: What's new in Exchange 2013

• CAS Array is no more!
• Client Access is a stateless proxy
• Load balancing requirements are simplified
• SSL termination at the load balancer isn't required
• Session affinity isn't required, enabling even distribution of connections
• Service Pack 1
  • SSL offloading is now possible
  • MAPI/HTTP is the new transport mechanism

Page 18: Exchange 2013 Publishing/Load Balancing/Security

• Provide high availability for client connections
• Pre-authenticate external clients
• Layered security with vDir filtering and IP filtering
• Single sign-on with other applications (e.g. SharePoint)
• Relay SMTP for external apps with domain filtering
• Content switching for publishing on a shared public IP address
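How vDir filtering, IP filtering and content switching on a shared public IP fit together, as an added example (Python written for this page, not KEMP's content-rule syntax or configuration): one decision function routes on Host header and URL prefix, proxies only known virtual directories, and publishes /ecp only to an admin network. The host names, pool names, subnet and the vDir lists are constructed for the example and have to be replaced with the real topology.

```python
"""Added example (not KEMP's content-rule syntax): the decision a Layer 7
reverse proxy makes when Exchange and Lync are published on one shared public
IP.  It content-switches on Host header and URL prefix, allows only known
virtual directories, and applies an IP filter to /ecp.  Host names, pool
names, subnets and the vDir lists are constructed for the example."""
import ipaddress
import posixpath
from typing import NamedTuple, Optional
from urllib.parse import unquote


class Decision(NamedTuple):
    action: str           # "proxy" or "reject"
    pool: Optional[str]   # backend pool when proxied
    reason: str


# Per published host: backend pool, vDir allowlist, and vDirs that are only
# published to specific client networks.  Exchange admin surfaces (/ecp,
# /PowerShell) are the usual candidates for the IP filter.
ADMIN_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed
RULES = {
    "mail.example.com": {
        "pool": "exchange-cas",
        "vdirs": {"/owa", "/ews", "/mapi", "/oab", "/rpc",
                  "/microsoft-server-activesync", "/autodiscover"},
        "restricted": {"/ecp": ADMIN_NETS},
    },
    "autodiscover.example.com": {
        "pool": "exchange-cas", "vdirs": {"/autodiscover"}, "restricted": {}},
    "lyncweb.example.com": {
        "pool": "lync-external-web", "vdirs": {"/meet", "/dialin"}, "restricted": {}},
}


def normalize_path(path: str) -> str:
    """Decode once and resolve dot segments before matching, so that
    /owa/../ecp, /owa/%2e%2e/ecp or //ecp cannot slip past the allowlist."""
    path = unquote(path.split("?", 1)[0])
    norm = posixpath.normpath("/" + path.lstrip("/"))
    return "/" + norm.lstrip("/")


def first_segment(norm_path: str) -> str:
    """The virtual directory a normalised path addresses (lower-cased)."""
    pieces = norm_path.split("/", 2)
    return "/" + pieces[1].lower() if len(pieces) > 1 and pieces[1] else "/"


def content_switch(host: str, path: str, client_ip: str) -> Decision:
    """Route one request: reject unknown hosts, unknown vDirs, and restricted
    vDirs from outside their allowed networks; otherwise name the pool."""
    host = host.split(":", 1)[0].lower()
    site = RULES.get(host)
    if site is None:
        return Decision("reject", None, "host not published")
    vdir = first_segment(normalize_path(path))
    ip = ipaddress.ip_address(client_ip)
    if vdir in site["restricted"]:
        if any(ip in net for net in site["restricted"][vdir]):
            return Decision("proxy", site["pool"], f"{vdir} allowed from {client_ip}")
        return Decision("reject", None, f"{vdir} not published to {client_ip}")
    if vdir in site["vdirs"]:
        return Decision("proxy", site["pool"], f"{vdir} on allowlist")
    return Decision("reject", None, f"{vdir} is not a published virtual directory")


if __name__ == "__main__":
    for args in [("mail.example.com", "/owa/auth/logon.aspx", "198.51.100.7"),
                 ("mail.example.com", "/ecp/", "198.51.100.7"),
                 ("mail.example.com", "/owa/%2e%2e/ecp/", "198.51.100.7"),
                 ("lyncweb.example.com", "/meet/abc", "198.51.100.7")]:
        print(args, "->", content_switch(*args))
```

The order of checks matters: the path is normalised before the allowlist lookup, and restricted vDirs are tested before the general allowlist, so an /ecp request can never be admitted by way of a matching /owa prefix. The default for anything unmatched is reject, which is what "vDir filtering" buys over plain NAT.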

Page 19: Load Balancing in Exchange 2013

Managed Availability
• Monitors end-user experience
• Provides the health state of Exchange components
• Each component has a dynamic healthcheck.htm

Load Balancing at Layer 4
• No SSL termination on the load balancer
• No advanced configuration (e.g. cookie affinity)

Load Balancing at Layer 7
• More advanced configuration
• Requires SSL termination at the load balancer
• More granular health checks with a single namespace
• Granular control over failures
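The HTTP GET health checks from the Lync reverse proxy slide (/meet/blank.html), the Office Web Apps slide (/hosting/discovery) and the Managed Availability healthcheck.htm pages above, as one added example (Python written for this page, not KEMP's health-check engine): a single probe function evaluates any of those paths, and the Layer 7 and Layer 4 functions show the difference in what the load balancer can do with the per-vDir results on a single namespace. Server names and the responses returned by fake_fetch are constructed so the block runs offline.

```python
"""Added example (not KEMP's health-check engine): an HTTP GET probe that
reads the per-virtual-directory healthcheck.htm pages Exchange 2013 Managed
Availability serves, and shows how a Layer 7 and a Layer 4 virtual service act
on the results.  The same probe covers the Lync /meet/blank.html and Office
Web Apps /hosting/discovery checks.  Server names and the responses in
fake_fetch are constructed so the block runs offline."""
from typing import Callable, Dict, Iterable, List

# Managed Availability publishes <vDir>/healthcheck.htm on each CAS; HTTP 200
# means that protocol's health set is healthy on that server.
EXCHANGE_PROBES = {
    "owa": "/owa/healthcheck.htm",
    "ecp": "/ecp/healthcheck.htm",
    "ews": "/ews/healthcheck.htm",
    "mapi": "/mapi/healthcheck.htm",
    "eas": "/Microsoft-Server-ActiveSync/healthcheck.htm",
    "oab": "/oab/healthcheck.htm",
    "autodiscover": "/autodiscover/healthcheck.htm",
}
LYNC_WEB_PROBE = "/meet/blank.html"
OFFICE_WEB_APPS_PROBE = "/hosting/discovery"

Fetch = Callable[[str, str], bytes]   # (server, path) -> raw HTTP response


def status_code(raw: bytes) -> int:
    """Status code from a raw HTTP response; 0 if the status line is unusable."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = line.split(" ")
    return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0


def probe(server: str, path: str, fetch: Fetch) -> bool:
    """One HTTP GET health check: only a 200 counts as healthy; a 503, a 404,
    a reset or a timeout all mark the check failed."""
    try:
        return status_code(fetch(server, path)) == 200
    except Exception:
        return False


def layer7_health(server: str, fetch: Fetch, probes=EXCHANGE_PROBES) -> Dict[str, bool]:
    """Layer 7: one virtual service (or content rule) per protocol on the single
    namespace, so each vDir is checked and taken out of rotation independently."""
    return {name: probe(server, path, fetch) for name, path in probes.items()}


def layer4_health(server: str, fetch: Fetch, probes=EXCHANGE_PROBES) -> bool:
    """Layer 4: the server is either in or out for every protocol.  Requiring
    all probes to pass is the safe choice; probing only /owa would keep a CAS
    with a broken EWS in rotation for EWS clients."""
    return all(layer7_health(server, fetch, probes).values())


def rotation(servers: Iterable[str], fetch: Fetch, probes=EXCHANGE_PROBES) -> Dict[str, List[str]]:
    """Per protocol, the servers a Layer 7 virtual service would send traffic to."""
    per_server = {s: layer7_health(s, fetch, probes) for s in servers}
    return {name: sorted(s for s, h in per_server.items() if h[name]) for name in probes}


# Constructed stand-in for two CAS servers, a Lync Front End and an Office Web
# Apps server: cas2's EWS health check answers 503, everything else is healthy.
def fake_fetch(server: str, path: str) -> bytes:
    if server == "cas2" and path == "/ews/healthcheck.htm":
        return b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"
    if path.endswith("/healthcheck.htm") or path in (LYNC_WEB_PROBE, OFFICE_WEB_APPS_PROBE):
        return b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 6\r\n\r\n200 OK"
    return b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    for proto, servers in rotation(["cas1", "cas2"], fake_fetch).items():
        print(f"{proto:13s} -> {servers}")
    print("cas2 under Layer 4:", "in" if layer4_health("cas2", fake_fetch) else "out")
```

Run against real servers, fetch would be an HTTPS GET to each CAS with the namespace in the Host header; the point the functions make is that with one public name for all protocols, only the Layer 7 design can keep cas2 serving OWA while removing it from EWS, whereas Layer 4 has to pull the whole server or leave the EWS failure in rotation.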

Page 20: Edge Security and Reverse Proxy for Exchange

(Diagram: DMZ | Internal Network. A Load Balancer / Reverse Proxy in the DMZ fronts three Exchange CAS servers on the internal network.)

Page 21: Recap of Key Load Balancer Services

• Awareness (Application & Resource)
• Reverse Proxy Replacement
• Security Services

Page 22: About KEMP

KEMP designs and develops load balancer and ADC software, enabling our customers to achieve optimal application performance with:
• High Availability
• Scalability
• Acceleration
• Security

KEMP – fastest growing ADC vendor, #3 worldwide in units shipped

Cloud ADCs, bare metal ADCs, virtual ADC appliances, ADC hardware appliances

Price/performance leader with ubiquitous platform deployments:
• 20,000+ worldwide customer deployments
• Microsoft Gold Certified Partner – Messaging and Communications
• Pricing starts at $1,990
• Free trial: http://bit.ly/KEMPWebinar (case sensitive)

Page 23

More info on KEMP at http://www.KEMPTechnologies.com
Follow KEMP at: @KEMPtech
More on Modality Systems at http://www.modalitysystems.com
[email protected]
@modalitysystems
@alexlewis

Page 24

Watch our other webinars here: http://kemptechnologies.com/en/load-balancing-webinars-and-videos