Load Balancer, Gateway and Session consideration

-
Untitled Document Generally Load Balancer in Lync must be used along with DNS load balancing or in an entire configuration.
If you make used of DNS load balancing, the HLB will be used for HTTP/ HTTPS traffic (Pool Web Services).
Using DNS LB has both sites, an advantage and disadvantage.

Positive is, you can scale a HLB much higher if you only use it for HTTP traffic. The HLB can fully be utilized for SSL offloading.

Negative is, you are depending on availability of your DNS infrastructure. Other disadvantage is, DNS based load balancing will never consider the real load on a Lync Server, since the algorithm cannot be aware about the real load. The Client make the decision which server it will connect to. Other is, if you want to make use of PIC, you still need a Load Balancer.

Sum:
It depends all on your feature set, load calculation, the server count and sure your budget ;)
----------------------------

Gateway consideration (keep in mind):
There are differences for internal and external Setup of HLB.

Internal means, all internal Server or Interfaces, e.g. FE, Director, internal Edge Server NIC.

External is the NIC on an Edge Server communicating with the Default Internet Route.
While the Traffic on all internal Interfaces will be controlled by a static route itself, the Default Gateway is always the Internet Gateway itself.
Again, on the EDGE Server internal interface, it must be a persistent route to all involved LYNC Server only!



Next I'm giving three examples (FE fully HLB, FE DNS + HLB Web Services and the EDGE external HLB) configuration:

Front-End Server fully load balanced:


These services must be included:

Service Name		Proto-colPortVirtual IP AddressReal Server PersistenceSchedulingSNATLayerNotes
DCOMTCP135Pool IPServer IPSource IPLeast ConnectionYesL7RPC /DCOM based operation
SIPTCP5061Pool IPServer IPSource IPLeast ConnectionYesL7SIP/ TLS
App ShareTCP5065Pool IPServer IPSource IPLeast ConnectionYesL7Application Sharing
QoETCP5069Pool IPServer IPSource IPLeast ConnectionYesL7QoE Agent
ConfTCP444Pool IPServer IPSource IPLeast ConnectionYesL7Conferencing
Web IntTCP443Pool IPServer IPSource IPLeast ConnectionYesL7HTTPS internal Web Services
Web ExtTCP4443Pool IPServer IPSource IPLeast ConnectionYesL7HTTPS external Web Services

optional Services for Front-End:

Service Name		Proto-colPortVirtual IP AddressReal Server PersistenceSchedulingSNATLayerNotes
WEBTCP80Pool IPServer IPSource IPLeast ConnectionYesL7HTTP Root Cert Retrieval for UC Phones & int/ext Web Services
CACTCP448Pool IPServer IPSource IPLeast ConnectionYesL7Call Admission Control
SIPUTCP5060Pool IPServer IPSource IPLeast ConnectionYesL7SIP unsecured
MEDTCP5067Pool IPServer IPSource IPLeast ConnectionYesL7Mediation Server SIP/ TLS
MEDTCP5068Pool IPServer IPSource IPLeast ConnectionYesL7Mediation Server SIP/ TCP
MEDTCP6070Pool IPServer IPSource IPLeast ConnectionYesL7Median Server FE
RSGTCP6071Pool IPServer IPSource IPLeast ConnectionYesL7Response Groups
CAATCP 6072Pool IPServer IPSource IPLeast ConnectionYesL7Conferencing Attendant
CATCP 6073Pool IPServer IPSource IPLeast ConnectionYesL7Conferencing Announcement
OVTCP 6074Pool IPServer IPSource IPLeast ConnectionYesL7Outside Voice Control
TCP 6075Pool IPServer IPSource IPLeast ConnectionYesL7
TCP 6076Pool IPServer IPSource IPLeast ConnectionYesL7
TCP 6080Pool IPServer IPSource IPLeast ConnectionYesL7
WEB 8080TCP 8080Pool IPServer IPSource IPLeast ConnectionYesL7HTTP external WEbServices





Front-End Server DNS load balanced, WebServices Hardware load balanced:

Service NameProto-colPortVirtual IP AddressReal Server PersistenceSchedulingSNATLayerNotes
Web IntTCP443Pool IPServer IPSource IPLeast ConnectionYesL7HTTPS internal Web Services
Web ExtTCP4443Pool IPServer IPSource IPLeast ConnectionYesL7HTTPS external Web Services


Edge Server fully load balanced (with out RevProxy):

Edge Server external Interface:

Service Name		ProtocolPortVirtual IP AddressReal Server PersistenceSchedulingSNATLayerNotes
SIP AccessTCP5061Pool IPServer IPSource IPLeast ConnectionNOL7SIP/ TLS
Remote AccessTCP443Pool IPServer IPSource IPLeast ConnectionNOL7Remote User
ConfTCP443Pool IPServer IPSource IPLeast ConnectionNOL7Conferencing
AV TCPTCP443Pool IPServer IPSource IPLeast ConnectionNOL7Fallback port TCP A/V, Sharing & File
AV UDPUDP3479Pool IPServer IPSource IPLeast ConnectionNOL4Audio/ Video

Edge Server external Interface optional:

Service Name		ProtocolPortVirtual IP AddressReal ServerPersistenceSchedulingSNATLayerNotes
AV TCP HighTCP50.000-59.999Pool IPServer IPSource IPLeast ConnectionNOL7Fallback port
Audio/Video High
port Range.
Desktop Sharing /
CWA
AV UDP HighUDP50.000-59.999Pool IPServer IPSource IPLeast ConnectionNO L4Audio/Video High
port Range.
Federation/Remot
e Users

Edge Server internal Interface:
Service NameProtocolPortVirtual IP AddressReal ServerPersistenceSchedulingSNATLayerNotes
SIPTCP5061Pool IPServer IPSource IPLeast ConnectionYesL7SIP/ TLS
AuthTCP5062Pool IPServer IPSource IPLeast ConnectionYesL7A/V Authentication
HTTPTCP443Pool IPServer IPSource IPLeast ConnectionYesL7TCP Audio, Video, Sharing & Files
CONFUDP3478Pool IPServer IPSource IPLeast ConnectionYesL7Audio/ Video





Director Server internal Interface:

Service Name		ProtocolPortVirtual IP AddressReal ServerPersistenceSchedulingSNATLayerNotes
SIPTCP5061Pool IPServer IPSource IPLeast ConnectionYesL7SIP/ TLS
SIPUTCP5060Pool IPServer IPSource IPLeast ConnectionYesL7SIP unsecured

------------

General Statement MSFT Planning for external User Access:

The Skype for Business, Lync Server 2013/ 2010 scaled consolidated Edge topology is optimized for DNS load balancing for new deployments federating primarily with other organizations. If high availability is required for any of the following scenarios, a hardware load balancer must be used for the following:
  • Federation with organizations using Office Communications Server 2007 R2 or Office Communications Server 2007
  • Exchange UM for remote users (only older than Exchange 2007 SP1) 
  • Connectivity to public IM users and SKYPE
(Office 365 is aware about DNS load balancing)
Important:
You cannot use DNS load balancing on one interface and hardware load balancing on another. You must use hardware load balancing on both interfaces or DNS load balancing for both. A combination is not supported.
Regardless of whether you use hardware load balancing for your Edge Server pool, you will need a hardware load balancer if there are two or more reverse proxy servers deployed.

Comments

Post a Comment

Popular posts from this blog

How to hide users from GAL if they are AD Connect synchronized

-
Image
How to hide and un-hide users from Global Address List (GAL) in Exchange Online if they are AD Connect synchronized Hiding User from GAL isn't possible if those are synchronized form On-Premises Active Directory. The local AD is the leading system for all important attributes, like SMTP, UPN and hiding from GAL. Especially during a cross-tenant migration, you do not want to see not migrated user in the GAL. Those User aren't actively working until their cut-over day. Since the Exchange Online attribute  msExchHideFromAddressList s is an AD on-premises parameter, we have two possible ways hiding user in BME from GAL.   Modify the AD Connect for your teant with a custom rule, by using a extensionAttribute to set the HidefromGAL. In this rule, for users which have an entry in the extensionAttribute, hiding / un-hiding will be controlled by AD Connect This is the best option for Cross-Tenant Migration, if you run 2 or more AD Connect system We direct modify the AD hide at
Read more

Cannot join external Lync Meeting: Lync Edge Server Single IP Address (Lync Edge Server Single IP Web Conferenceing Problem)

-
Image
Lync Edge Server FQDN and IP PORTS (Version 1.2, Update 26.11.2014) As we all know, we can configure Lync Edge Server in several way. 1) Single Edge Server with a SINGLE IP ADDRESS 2) Single Edge Server with MULTIPLE IP ADDRESSES (3x IPs) 3) Multiple Edge Server in a Pool, with MULTIPLE IP ADDRESSES (Zx 3 IPs) Regardless what we are going to configure, there are common / well-known TCP Port necessary making Lync work, which are: Access: Port: 443 and 5061 Conferencing: Port: 443 and (444) AV: Port: 443 (I have not listed other ports, e.g. STUN or the dynamic port range. This is not required for the topic discussed here) External FQDN with single IP address: What can we see here? If we are going to choose a single IP address, we would have TCP Port overlapping. Therefore the only way avoiding this is assigning other ports. Additionally we will also see and are reminded that Lync highly depends on DNS. If we have single IP, we must have use single, unique FQDN fo
Read more

MFA with Guest Access and different tenants settings

-
Image
There is an update regarding MFA Multi Factor Authentication. If you are guest with a different Tenant, the MFA Settings are now reflecting the settings of all tenants in a different way. Each MFA setting is reflected and you can setup your MFA device as per tenant and the admin settings allow. Login to your Profile in Office 365/ Azure AD: https://account.activedirectory.windowsazure.com/r/#/profile or https://myapps.microsoft.com Go to your PROFILE: Sign in to https://myapps.microsoft.com Select your account name in the top right, then select profile. Select Additional security verification. If might be happen, your admin hast configured MFA, so you wouldn't see this menu. Simply switch the tenant to the guest tenant where you need to configure MFA. Once you go back to your profile and you will find the MFA device and other settings a usual:
Read more