Tuesday, March 20, 2012

Publishing Lync Simple URLs with F5 Big IP as Reverse Proxy


While working with a customer to publish their Lync Simple URLs through an F5 Big IP running v10.2.0, we had trouble getting the page to come up externally. The DNS entries were correct and pointed to the proper external IP addresses. We had verified that the firewall rules performed Port Address Translation from the public IP on port 443 to the internal/DMZ F5 VIP on port 4443, and we could see the traffic being passed all the way through to the Front End server(s); Wireshark captures confirmed this as well.


From the F5 Lync Deployment Guide, found here, the virtual server was configured as follows:


NOTE: Under the Profiles column, the certificate used by the Big IP must be the same certificate installed on the Lync Front End servers, so that the Big IP can re-encrypt to the pool with the certificate the Front End expects. Since this is externally facing, it should also be a public certificate from one of the approved CA vendors (http://support.microsoft.com/kb/929395).

To ensure the SSL session could be re-established from the Big IP back to the Front End(s) with the same certificate, we generated the CSR on one of the Front Ends for the External Web Services. We then exported the issued certificate with its private key (and the root certificate chain separately) and installed it on all of the other Front Ends in the pool, as well as on the F5 Big IP. Because that export carries the private key, protect the PFX in transit and delete the copies once it has been imported everywhere.

We kept comparing the settings and everything looked correct. However, we had missed one setting: SSL Profile (Server) was set to None. With only a client-side SSL profile, the Big IP terminates the client's TLS session and forwards cleartext HTTP to the pool members on 4443, where the Front End's External Web Services site accepts only TLS, so the request never gets a response. Setting SSL Profile (Server) to the profile that holds the correct certificate(s) got everything working. Below are screen captures of the final working settings that were applied to both the Virtual Server and the Pool.

Virtual Server: 


Server Pool:



One last important thing to note, specifically around Lync Mobility: there is a bug in firmware 10.2.2 and earlier that drops connections which try to negotiate TLS 1.1 or 1.2. Make sure you upgrade to a release that supports those versions, especially if you are supporting Apple iOS devices.
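As an added example that is not part of the original post or of F5's deployment guide, the following Python script probes each hop of the path described above the way we ended up debugging it by hand. It sends a cleartext HTTP request to the VIP and to a Front End on 4443 (a hop that answers with a TLS alert or simply closes the socket is one the previous hop must re-encrypt to, which is exactly what the missing SSL Profile (Server) broke), compares the SHA-1 thumbprint of the certificate each hop presents (it should match on the Big IP and on every Front End), and pins a handshake to TLS 1.0, 1.1 and 1.2 in turn to catch the version problem in 10.2.2 and earlier. The hostname and addresses (lyncweb.contoso.com, 10.0.0.10, 10.0.1.21) are placeholders, and the way replies are classified is an assumption about how a TLS-only listener reacts to cleartext.

```python
"""Hop-by-hop probe for a TLS-bridging reverse-proxy path (added example).

Assumed layout (hypothetical names/addresses, not from the original post):
  Internet  lyncweb.contoso.com:443
     -> firewall PAT 443 -> 4443
     -> Big IP VIP 10.0.0.10:4443      (clientssl + serverssl profiles)
     -> Lync Front End 10.0.1.21:4443  (External Web Services, TLS only)
"""
import hashlib
import socket
import ssl

# TLS record-layer version bytes (SSLv3, TLS 1.0, 1.1, 1.2; TLS 1.3 records still say 0x0303)
TLS_RECORD_VERSIONS = {b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03"}
TIMEOUT = 5.0


def classify_response(first_bytes):
    """Classify what a listener sent back after we wrote a *plaintext* HTTP request.

    Assumption: a TLS-only listener cannot parse cleartext HTTP, so it either
    closes the socket or answers with a TLS alert record (content type 0x15).
    An HTTP listener answers with a status line.  A proxy that sends cleartext
    to a "tls"/"closed" hop is the failure mode of a missing server SSL profile.
    """
    if not first_bytes:
        return "closed"
    if first_bytes[0] in (0x15, 0x16) and first_bytes[1:3] in TLS_RECORD_VERSIONS:
        return "tls"  # alert (0x15) or handshake (0x16): the hop speaks TLS
    if first_bytes.startswith(b"HTTP/"):
        return "http"
    return "unknown"


def probe_plaintext(host, port):
    """Send a cleartext HTTP request to host:port and classify the reply."""
    request = b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode()
    try:
        with socket.create_connection((host, port), TIMEOUT) as sock:
            sock.settimeout(TIMEOUT)
            sock.sendall(request)
            return classify_response(sock.recv(16))
    except OSError:  # reset, refused or timed out: treated like a closed socket
        return "closed"


def fingerprint(der):
    """SHA-1 of the DER certificate, upper-case hex: the same value the Windows
    certificate MMC shows as 'Thumbprint' on the Front End."""
    return hashlib.sha1(der).hexdigest().upper()


def _anonymous_context(min_version=None, max_version=None):
    """Client context that records what the server presents without validating it.
    Chain validation is deliberately off: we compare fingerprints across hops."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if min_version is not None:
        ctx.minimum_version = min_version
    if max_version is not None:
        ctx.maximum_version = max_version
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let a modern OpenSSL still offer TLS 1.0/1.1
    except ssl.SSLError:
        pass
    return ctx


def peer_cert_fingerprint(host, port, server_name):
    """Fingerprint of the leaf certificate a hop presents for server_name (SNI)."""
    with socket.create_connection((host, port), TIMEOUT) as sock:
        with _anonymous_context().wrap_socket(sock, server_hostname=server_name) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))


def tls_version_supported(host, port, version, server_name):
    """True if the hop completes a handshake pinned to exactly `version`;
    None means our own OpenSSL refused to offer it, so the result is unknown."""
    try:
        ctx = _anonymous_context(version, version)
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), TIMEOUT) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def diagnose(hops):
    """Pure analysis over probe results, so it can be checked offline.
    hops: list of (name, plaintext_class, fingerprint_or_None), front to back."""
    needs_reencrypt = [n for n, plain, _ in hops if plain in ("tls", "closed")]
    plaintext_ok = [n for n, plain, _ in hops if plain == "http"]
    seen = {fp for _, _, fp in hops if fp}
    return {
        "needs_reencrypt": needs_reencrypt,  # the hop in front must use a server SSL profile
        "plaintext_ok": plaintext_ok,
        "cert_mismatch": len(seen) > 1,      # same cert expected on the VIP and every FE
    }


if __name__ == "__main__":
    SNI = "lyncweb.contoso.com"  # hypothetical external web services FQDN
    hops = [("Big IP VIP", "10.0.0.10", 4443), ("Front End 1", "10.0.1.21", 4443)]
    results = []
    for name, host, port in hops:
        try:
            fp = peer_cert_fingerprint(host, port, SNI)
        except (ssl.SSLError, OSError):
            fp = None
        results.append((name, probe_plaintext(host, port), fp))
        print(name, "plaintext ->", results[-1][1], "thumbprint:", fp)
        for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
            print("   ", v.name, tls_version_supported(host, port, v, SNI))
    print(diagnose(results))
```

Run it from a host that can reach both the VIP and a Front End directly. A Front End reported as "tls" or "closed" for the plaintext probe while the VIP's thumbprint differs from the Front End's (or the VIP handshake fails outright) points at the server-side SSL profile or certificate; a VIP that completes TLS 1.0 but fails when pinned to 1.1 and 1.2 is the firmware issue above.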


Feel free to comment below.

4 comments:

  1. The title says F5 without a reverse proxy but the first graphic says "this virtual server is only necessary when using a reverse proxy"
    This seems to conflict

    Replies
    1. Though I don't see it very often, Lync can be deployed internally only (no external access, no external web conferencing). In that case, a reverse proxy isn't needed and therefore the configuration would not be required on the F5. I think that is all the note from the deployment guide is indicating.

      -Phil

  2. Do you have a separate Virtual Server with a public IP that forwards the traffic on to this VS? Are you using an iRule for URLs?
    I currently have a VS for 443 and one for 80 traffic; they forward to pools of 4443 and 8080 (internal FE). This does not work and I am trying to figure out where my problem is.

    Replies
    1. Chris,

      In this case, we have a firewall sitting in front of the F5. On the firewall we are doing a PAT from (outside/Internet) 443 -> 4443 (inside) which then lands on the FE VIP.

      It's hard to tell the network layout from your description, but I'm not sure that this can be accomplished by a single F5.

      Following the F5 Deployment Guide, you'll see that 80/443 are required to publish the Lync Internal Web Services, while 8080/4443 are used to publish the Lync External Web Services. This means that for the Lync Front End VIP, a VS will exist for all the ports already mentioned (80,443,8080,4443). You will need another device doing PAT from 443 -> 4443 for traffic from the outside, or use a different VIP to redirect traffic if landing on the same F5 which hosts the Front End VIP.

      Authentication settings are different between the Lync Internal and External web sites, so using 1 Front End VIP and forwarding 80/443 to 8080/4443 will not work.

      Sorry for the long (and possibly confusing) response, but hopefully that clears things up.

      -Phil
