
Deploying Microsoft Lync Server 2010: Best Practices to achieve optimal voice and video quality with Microsoft Lync Server 2010 on Aruba Wireless LAN


Academic year: 2021


Deploying Microsoft Lync Server 2010:

Best Practices to achieve optimal voice and video quality with Microsoft Lync Server 2010 on Aruba Wireless LAN infrastructure

Table of Contents

Introduction
Unified communications and the mobile workforce
Solution components Aruba wireless LAN
Microsoft Lync Server 2010 (standard & enterprise)
Wireless LAN best practices for Microsoft Unified Communications
  Pervasive wireless coverage
  Managing RF interference
  Applying correct priority to mixed voice, video and data clients
  Performance assurance for encrypted Microsoft Lync traffic
Microsoft Lync Server 2010 qualification
  Overview of the topology
  Hardware, tools and versions
  Recommended Aruba configurations
Test results
  Lync data-only over Wi-Fi
  Lync fixed real time (RT)-multimedia over Wi-Fi
  Lync mobility RT-multimedia over Wi-Fi
Conclusion

Introduction

Wi-Fi-enabled mobile devices like laptops, smartphones and tablets are on track to outnumber desktops, and enterprise networks are moving rapidly from wired to wireless as the preferred way to connect.

The enterprise workforce expects unified voice, video, instant messaging (IM) and other applications that run on platforms like Microsoft® Lync™ to work on these personal mobile devices. However, the voice and video experience on enterprise wireless LANs (WLANs) has been historically unreliable.

Aruba WLANs, based on the Mobile Virtual Enterprise (MOVE™) architecture, deliver secure, application-aware network access, regardless of location, device, wired or wireless. This ensures a reliable, high quality unified communications experience.

Qualified by Microsoft, the Aruba MOVE architecture identifies and prioritizes encrypted Microsoft Lync traffic over the lower priority data traffic. The result with Aruba is an astonishing improvement in communication quality compared to the competition even when there is congestion and RF interference.

Unified communications and the mobile workforce

Microsoft Lync ushers in a new connected user experience in which every communication is transformed into a more collaborative, engaging interaction. With its software-based approach, Microsoft Lync provides a highly secure system that functions reliably irrespective of the user’s location, on top of existing networking. Lync is easy to manage, less expensive to deploy and operate, and uses a single interface to unite voice communications, IM, and audio, video, and Web conferencing into a rich, context-sensitive offering.

To work effectively, Microsoft Lync needs to ride on top of a reliable, high performance, and secure networking infrastructure, one that is capable of deciphering the types of communications in motion and then conditioning the network to securely deliver them using Quality of Service mechanisms to ensure an optimal user experience. Aruba’s 802.11n Wi-Fi solutions accomplish this task by offering connection speeds greater than 100BaseT Ethernet, enterprise-grade security, and multi-media Quality of Service (QoS). The combination of Microsoft Lync Server 2010 with Aruba’s wireless LAN (WLAN) offers significant benefits, both for employees and for corporate IT. Correctly implemented, it delivers communications wherever users need network access inside and outside the enterprise.

Solution components Aruba Wireless LAN

Secure and reliable mobility is the responsibility of the enterprise network, which must support a wide range of converged clients over wireless, wired, and remote access networks. Laptops and smartphones are capable of simultaneously running voice, data, and now video applications, an operating model that breaks traditional dedicated VLAN and SSID architectures. Delivering the quality of service (QoS), bandwidth, and management tools necessary to accommodate these devices on a grand scale – within a campus environment, to users on the road, and in branch offices – requires a specially tailored system design.

Microsoft Lync Server 2010 uses an encrypted signaling protocol that is highly secure but renders useless the traditional snooping mechanisms of identifying SIP signaling or the consequent real-time traffic. Thus real-time traffic is treated and processed in the same way as competing best-effort traffic, i.e., with lowest priority. The problem is exacerbated when multiple real-time and non-real-time applications run on the same client devices, like laptops and smart phones, because of the challenges of isolating and prioritizing just the real-time traffic.

Aruba’s unique application and device fingerprinting technology can identify Lync streams in session and the devices from which they originate. The network can then be dynamically conditioned to deliver QoS – on an application-by-application, device-by-device basis – as needed to ensure highly reliable application delivery. Aruba’s integrated policy enforcement firewall isolates applications from one another to essentially create multiple dedicated virtual networks, and then allocates the necessary bandwidth for each user and application.

In addition to identifying the SIP exchange, application fingerprinting also observes the packets as they flow through the WLAN, detecting patterns that match the behavior of Lync voice and video traffic. Once identified, the packets are tagged as media traffic (Class of Service [CoS] and Type of Service [ToS] tags). These QoS tags are translated across the Aruba system to over-the-air WMM-Voice and WMM-Video priority and QoS aware Adaptive Radio Management behavior to ensure that the packets receive appropriate QoS over the Aruba MOVE WLAN solution.

To ensure reliable application delivery in changing RF environments, Aruba’s Adaptive Radio Management (ARM) technology forces client devices to shift away from the noisy 2.4 GHz band to the quieter 5 GHz band, adjusts radio power levels to blanket coverage areas, load balances by shifting clients between access points, and even allocates airtime based on the capabilities of each client device. The result is a superb user experience without any user involvement.

These services are complemented by security systems that ensure the integrity of the network. Rogue detection, wireless intrusion and prevention, access control, remote site VPN, content security scanning, end-to-end data encryption, and other services protect the network and users at all times.

Aruba’s extensive portfolio of campus, branch/teleworker, and mobile solutions simplify operations and secure access to unified communications applications and services – regardless of the user’s device, location, or network. This dramatically improves productivity, lowering capital and operational costs while providing a superior uninterrupted user experience.

Microsoft Lync Server 2010 (standard & enterprise)

Microsoft Lync 2010 enhances enterprise communications with a suite of user productivity features:

• Audio, Video and Web conferencing
• Enterprise-grade Voice over IP
• One-click communications
• Persistent chat
• Integration with leading PBX solutions and SIP Trunking

The Lync architecture is centered on the concept of “sites,” each of which contains Lync Server 2010 components. A typical site consists of computers running Lync software and connected together by one or more high performance, low-latency local area networks. A “central site” includes at least one Front End pool or Standard Edition server. A “branch site” is associated with a single central site whose servers deliver the Lync functionality used at the branch sites.

Each branch site contains either a Survivable Branch Appliance or local server for supporting unified communications capabilities for end-users such as PSTN calling and intra-branch IM, video and desktop sharing when the WAN connection to the central site is unavailable.

Every deployment must include at least one central site. If branch sites are deployed then each is affiliated with one central site, which delivers to the branch those Lync services that are not otherwise available at the branch site, i.e., presence and conferencing.

Every server running Microsoft Lync Server 2010 runs one or more server roles including: Front End Server and Back End Server running basic functions and the system database; A/V Conferencing Server delivering conference mixing functionality; Edge Server to enable users to communicate and collaborate with users outside the firewall; Mediation Server for implementing PSTN connectivity; Monitoring Server for collecting statistics and performance data; Archiving Server to archive instant messages and meeting content; and Director to authenticate user requests and provide presence and conferencing services. Pools of servers running the same role can be deployed for high availability, with a load balancer used to spread traffic as necessary.

Figure 1 above shows a typical reference topology with limited high availability. Please refer to Microsoft’s Lync documentation (http://technet.microsoft.com/en-us/lync) for a library of other deployment scenarios.

Wireless LAN best practices for Microsoft Unified Communications

Mobility presents a number of unique challenges for Unified Communications that are not experienced with wired networks. These challenges must be overcome to ensure an uninterrupted mobile unified communications user experience. These challenges, together with Aruba best practices to alleviate these challenges, are summarized below.

Pervasive wireless coverage

Real-time services like voice and video are intolerant of poor RF conditions. They demand high signal levels with good signal-to-noise ratios. To support multimedia services, it is important to ensure that WLAN coverage extends pervasively to all parts of the building, with uniformly good signal levels. RF channels must be selected to avoid the interference sources that are present in every modern enterprise.

Figure 1. Reference Topology with high availability and a single data center. (Source: Microsoft http://technet.microsoft.com/en-us/library/gg425939.aspx)

Aruba’s ARM technology continually optimizes RF coverage based on measurements of signal strength and interference reported by WLAN access points, ensuring that client devices always enjoy the high signal levels required for good voice and video performance. ARM maximizes coverage and network capacity, while avoiding interference. It is the sum of these features that optimizes voice and video quality.

Managing RF interference

Wireless interference is time varying and can arise unexpectedly. In most cases an Aruba wireless LAN will automatically adapt and mitigate the effects of interference, but sometimes that’s not possible. In these cases the network needs to open a window of visibility into the RF environment, without the expense of a truck roll, to help network engineers understand what’s happening. Aruba’s 802.11n access points incorporate spectrum analyzers that provide on-demand monitoring, logging, and characterization of the RF environment. This feature can be enabled remotely so that a distantly located network engineer can assess how best to mitigate issues like continuous high-level fixed-frequency transmitters that can’t otherwise be addressed automatically by ARM.

Wi-Fi is a broadcast medium in which over-the-air packet collisions are a fact of life. These collisions can result in dropped packets or consume bandwidth by forcing packet retransmission, both of which have detrimental effects on real-time traffic like voice and video.

ARM mitigates these issues by using band steering to redirect 5 GHz-capable clients away from the congested 2.4 GHz band and up to the quieter, higher capacity 5 GHz band. This feature is particularly well suited for PC users running Lync since most modern laptops support 5 GHz operation.

Applying correct priority to mixed voice, video, and data clients

The traditional approach to enterprise VoIP has been to use a separate voice VLAN to segregate and prioritize voice traffic. This model breaks down when a Lync enabled PC or mobile device transmits both voice and data traffic. The device can belong to only a single VLAN – which should it be, voice or data?

Aruba’s application-aware architecture can identify and police individual sessions from a device, dynamically prioritizing them by traffic type without need to relegate them to different VLANs. With this network intelligence, a single WLAN SSID, matched with a single VLAN, can offer full voice control and prioritization in presence of lower priority data traffic. The end result is a better user experience and less IT overhead managing VLANs.

Performance assurance for encrypted Microsoft Lync traffic

The signaling channel for Microsoft Lync is encrypted, and as a result call setup and teardown cannot be easily monitored. And yet, without visibility into this information, it is difficult if not impossible to identify and prioritize real-time traffic.

Aruba’s heuristics-based application fingerprinting continuously inspects UDP sessions set up over the WLAN to identify those that are RTP and carry voice or other multimedia traffic. When such streams are identified, they are automatically tagged with the correct voice priority.
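The kind of header heuristic described above, as an added example (it is not Aruba's fingerprinting algorithm and not code from the original paper): SRTP encrypts the media payload but leaves the 12-byte RTP header in the clear, so a UDP flow can be recognised as RTP by checking that the version, SSRC and sequence numbers behave like one stream. The addresses, ports, SSRC values, payload type 111 and the five-packet threshold are constructed assumptions.

```python
import struct
from collections import defaultdict

DSCP_EF = 46       # voice marking; matches the page's "WMM-vo-dscp to 46"
DSCP_BE = 0        # best effort
MIN_PACKETS = 5    # assumption: packets observed before a flow is judged


def parse_rtp_header(payload):
    """Return (payload_type, seq, timestamp, ssrc), or None if not RTP-shaped."""
    if len(payload) < 12:                      # the fixed RTP header is 12 bytes
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                           # version field must be 2
        return None
    pt = b1 & 0x7F
    if 72 <= pt <= 76:                         # would be RTCP (packet types 200-204)
        return None
    return pt, seq, ts, ssrc


def classify_flow(payloads):
    """DSCP_EF if the packets behave like one RTP stream, else DSCP_BE."""
    headers = [parse_rtp_header(p) for p in payloads]
    if len(headers) < MIN_PACKETS or None in headers:
        return DSCP_BE
    if len({h[3] for h in headers}) != 1:      # a stream keeps one SSRC
        return DSCP_BE
    for prev, cur in zip(headers, headers[1:]):
        seq_step = (cur[1] - prev[1]) & 0xFFFF        # modulo 2^16, survives wrap
        ts_step = (cur[2] - prev[2]) & 0xFFFFFFFF     # modulo 2^32
        if not 1 <= seq_step <= 3 or ts_step >= 0x80000000:
            return DSCP_BE                     # random data or not a media stream
    return DSCP_EF


def tag_flows(packets):
    """packets: iterable of (flow_key, udp_payload). Returns {flow_key: dscp}."""
    flows = defaultdict(list)
    for key, payload in packets:
        flows[key].append(payload)
    return {key: classify_flow(p) for key, p in flows.items()}


def make_rtp(seq, ts, ssrc, pt=111):
    # Constructed packet: clear RTP header, then opaque bytes standing in
    # for an SRTP-encrypted payload.
    header = struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc)
    return header + b"\xa5" * 40


# Constructed flows (documentation addresses, made-up ports).
VOICE = ("192.0.2.10", 50020, "192.0.2.20", 50044)   # RTP, sequence wraps mid-call
DNS = ("192.0.2.10", 53001, "192.0.2.53", 53)        # DNS-like queries
NOISE = ("192.0.2.11", 40000, "192.0.2.30", 40001)   # RTP-looking first byte only

SAMPLE = (
    [(VOICE, make_rtp(65533 + i, 0xFFFFFF00 + 160 * i, 0x1BADCAFE)) for i in range(8)]
    + [(DNS, struct.pack("!HHHHHH", 0x1200 + i, 0x0100, 1, 0, 0, 0) + b"\x03www\x00")
       for i in range(8)]
    + [(NOISE, make_rtp(7 * i, 0, 0x1000 + i)) for i in range(8)]
)

if __name__ == "__main__":
    for flow, dscp in tag_flows(SAMPLE).items():
        print(flow, "-> DSCP", dscp)
```

Only the VOICE flow is marked 46: the NOISE flow passes the single-packet version check but fails the cross-packet SSRC and sequence checks.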

Microsoft Lync Server 2010 qualification

This section describes the test configuration and test cases used to test interoperability between Aruba Networks WLAN solution and Microsoft Lync Server 2010.


Overview of the topology

The Controller and the Access Points communicate with the Lync Server over a Layer 3 network. The Lync server was the Lync W14 RTM CU4 version with Front End Server that routes calls between Lync End Points. Each Access Point was at least 20 feet from the other Access Point. Lync End Points 1 and 2 were within 15 feet from Access Point 1 and were associated with Access Point 1. Lync End Points 3 and 4 were within 15 feet from Access Point 2 and were associated with Access Point 2. Lync End Points 5 and 6 were within 15 feet from Access Point 3 and were associated with Access Point 3. The load generator used was the Chariot load generator from Ixia and was used to pump background TCP or UDP traffic in the upstream or downstream direction to simulate channel congestion.

Hardware, tools and versions

Components | Hardware and Software Versions
Aruba | 3600 Controller, AOS 6.1.2; Access Point Used: AP-105, AP-135; Airwave Wireless Management Suite
Client Used | Wireless: Client machines with Lync 2010 latest CU and Intel Wi-Fi adapter described below; Wired: Client machines with Lync 2010 latest CU on the wired LAN
Lync Server | Microsoft Lync W14 latest CU; Topology that routes calls between Lync End Points

Figure 2. Wi-Fi Reference Topology (Source: Microsoft Lync Server 2010 Open Interoperability Wi-Fi Test Plan)

Recommended Aruba configurations

QoS in an Aruba network is a system-level feature. Over-the-air Wi-Fi QoS is enforced using WMM, while tagging and queuing of the traffic based on traffic type is enforced by the integrated firewall engine. RF-related features like band steering, voice aware scanning, and spectrum load balancing help enforce the QoS settings for the voice and video traffic by ensuring the timely and reliable delivery of the over-the-air traffic.

The following subsections highlight the system configurations required to ensure QoS for Lync. Please see Appendix A for the actual configuration used in Lync validation testing.

Aruba OS

The environment should be running AOS 6.1.3.2 or higher.

Licensing requirements

Ensure that the following licenses are installed and enabled on the Aruba Mobility Controller:

• AP licenses corresponding to the number of Aruba APs in the network
• Firewall licenses for all the APs in the network. This is necessary for the QoS and the Media Classify feature to work.

RF design recommendation

• 100% coverage in all areas of Lync use
• Minimum RF signal (RSSI) levels of -67 dBm
• Minimum signal-to-noise ratio (SNR) of 25 dB
• Co-channel separation of 20 dB

Virtual AP design recommendation

• Create SSIDs based on the encryption used.
  - Ex: Employee SSID for all devices that use 802.1x and have employee access. This could include laptops and mobile devices. Mobile SSID with WPA2-PSK for all devices that support WPA2-PSK, Guest for all guest users with open or PSK, etc.
• Enable dynamic multicast optimization on the SSID
• Enable Band Steering for clients that associate to the SSID.
  - Enable “Force 5GHz” only if a predominant number of devices that connect to this SSID are 5 GHz capable.
• On the SSID profile,
  - Set DTIM to 3
  - Enable WMM and set the WMM-vo-dscp to 46
  - Set local probe request threshold to 25 (local-probe-req-thresh 25)
  - Enable mcast-rate-opt

Access policies and user roles

Lync media traffic is encrypted (SIP-TLS) and the Media classify option in the ACLs should be used to prioritize the media traffic.

Session ACL configuration for Lync

• Configure the Lync ACL and ensure that the classify multimedia setting is enabled

ip access-list session employee_lync
  any network <subnet of Lync clients> <subnet mask> tcp 5223 permit classify-media
  alias Lync-servers any tcp 1024 65535 permit classify-media
  any any tcp 5061 permit classify-media
  any any udp 5061 permit classify-media
  any any any permit
  ipv6 any any any permit
!

Lync-servers is an alias for all the Lync servers:

netdestination Lync-servers
  host <<ip address of Lync server 1>>
  host <<ip address of Lync server 2>>
!

• Assign the policy to the appropriate user roles (to all user roles for Lync capable devices)

user-role Employee
  session-acl employee_lync position 1
  session-acl <<corp access>>

Here <<corp access>> stands for all the ACLs needed to access the corporate network for the Employees.

Adaptive radio management settings

• Enable Adaptive Radio Management on the AP
• Enable Voice aware ARM
• Enable ps-aware-scan

Depending on the environment and deployment, the user can choose to limit the min and max tx powers and the basic tx rates. Refer to the Aruba AOS user guide and the Aruba Campus Wireless Networks VRD.

Air time fairness

The airtime fairness (ATF) feature enables fair distribution of resources across the clients. Refer to the Optimizing Aruba WLANs for Roaming Devices Solution Guide for more information on how to enable this feature to get optimal results.

Test results

Microsoft designed three scenarios in their Wi-Fi test plan to mirror real-world conditions of end-users with Microsoft Lync: Data Only, Fixed and Mobility. A series of tests was performed against each of these scenarios to test the infrastructure’s ability to handle the QoS, connectivity and scalability requirements of the three test scenarios. A brief description of the three environments tested under the qualification program is as follows:

Lync data-only over Wi-Fi

The Lync Data-Only over Wi-Fi (Data-Only) category supports environments in which data applications predominate and the density of Wi-Fi clients is modest. While Lync can support a number of modalities, IM, presence, web conferencing and calendaring are predominantly data-based modalities that are bursty in nature. Most devices, applications and networks can correctly handle data over Wi-Fi when user and client density is low to moderate.

Lync fixed real time (RT)-multimedia over Wi-Fi

The Lync Fixed RT-Multimedia over Wi-Fi (Fixed) category is a superset of Lync Data-Only over Wi-Fi with the added capabilities of voice mail, video conferencing, telephony and audio conferencing over Wi-Fi. The key added functionality in this category is that real-time media is supported over Wi-Fi in a fixed setting.

Lync mobility RT-multimedia over Wi-Fi

The Lync Mobility RT-Multimedia over Wi-Fi (Mobility) category is the superset under which both the Data-Only and Fixed categories coexist. It encompasses all features of the other categories and also includes originating, consuming and terminating Lync services, including RT-Multimedia, while mobile, e.g., a user who has a Lync portable device who uses various Lync workloads, including RT-Multimedia, while mobile. Lync sessions can be originated when fixed or mobile.

Lync Data-Only over Wi-Fi

Columns: Section / Test Case# | Test Case Description | Result | Lync QoE Results: Jitter (ms) | Delay (ms) | Packet Loss (%) | NMOS Degradation
(If multiple calls are being measured, the metrics will be documented for each call.)

4.2 802.11a Certification
4.2.1 | Access Point is 802.11a certified | Pass
4.2.2 | Access Point support 802.11a operation | Pass | 2 | 6 | 0.12 | 0.09

4.3 802.11G Wi-Fi Certified
4.3.1 | Access Point is 802.11g certified | Pass
4.3.2 | Access point supports 802.11g operation | Pass | 1 | 7 | 0.03 | 0.04

4.4 802.11N Wi-Fi certified
4.4.1 | Access Point is 802.11n certified | Pass
4.4.2 | Access point supports 802.11n operation (2.4GHz) | Pass | 2 | 10 | 0.25 | 0.11
4.4.3 | Access point supports 802.11n operation (5GHz) | Pass | 2 | 8 | 0.1 | 0.09

4.5 WPA2 Support
4.5.1 | Access point is certified for WPA2 enterprise | Pass
4.5.2 | Access Point authenticates Lync End Point using WPA2 PSK | Pass | 0.06 | 9 | 0.17 | 0.06
4.5.3 | Access Point authenticates Lync End Point using WPA2 Enterprise | Pass | 2 | 8 | 0.05 | 0.08
4.5.4 | AP supports PMK for roaming | Pass | 2 | 18 | 0.63 | 0.44

4.6 Wide Channel Operation
4.6.1 | AP connectivity with both 20MHz and 40MHz support on 5GHz band | Pass | 2 | 8 | 0.1 | 0.09

4.7 Power Over Gigabit Ethernet
4.7.1 | AP can be powered using a Power over Gigabit Ethernet interface | Pass

4.8 IPv6 Support
4.8.1 | AP supports IPv6 in either hardware or software | Pass
4.8.2 | AP can handle calls when both IPv4 and IPv6 are enabled | Pass | 2 | 10 | 0.25 | 0.12

4.9 Band Steering
4.9.1 | AP can steer dual band clients to 5GHz when Band Steering is enabled | Pass | 2.5 | 8 | 0.13 | 0.1

4.10 Spectrum Analysis
4.10.1 | AP can detect and display the source of interference on a channel | Pass | 1 | 34 | 0 | 0.02
4.10.2 | AP can determine the category of interference in English terms | Pass | 1 | 34 | 0 | 0.02

4.11 Logging
4.11.1 | AP generates session logs with session details | NA | 2 | 6 | 0.56 | 0.13

4.12 RF Coverage
4.12.1 | WLAN solution can identify the client’s location (AP it is connected to) and past roaming history archives the movements of the client | Pass | 4 | 9 | 0.47 | 0.38
4.12.2 | WLAN solution displays RF coverage heat maps in 2.4 GHz | Pass
4.12.3 | WLAN solution displays RF coverage heat maps in 5 GHz | Pass

4.13 Ability to distinguish between voice/video/data sessions
4.13.1 | Video session is specified as such in the logs | NA | 3 | 6 | 0.1 | 0.04
4.13.2 | Access Point should be able to distinguish between voice and video data traffic | NA | 3 | 6 | 0.1 | 0.04

4.14 Fair distribution of airtime among clients with different speeds
4.14.1 | All 11n clients | Pass | ATF disabled: 3, ATF enabled: 1 | ATF disabled: 19, ATF enabled: 10 | ATF disabled: 1.14, ATF enabled: 0.73 | ATF disabled: 0.30, ATF enabled: 0.22

4.14.2 | 802.11n capable endpoints have better throughput in a mixed 11n/11g environment when ATF is enabled with fair-access | Pass | ATF disabled: 3, ATF enabled: 2 | ATF disabled: 21, ATF enabled: 15 | ATF disabled: 16.35, ATF enabled: 0.48 | ATF disabled: 1.69, ATF enabled: 0.08
4.14.3 | 802.11n capable endpoints have better throughput in a mixed 11n/11a environment when ATF is enabled with fair-access | Pass | ATF disabled: 3, ATF enabled: 4 | ATF disabled: 14, ATF enabled: 18 | ATF disabled: 36.81, ATF enabled: 0.09 | ATF disabled: 2.16, ATF enabled: 0.09
4.14.4 | 802.11n clients have better performance in terms of throughput and MOS in a mixed 11n/11a environment when ATF is enabled with preferred access | Pass | ATF disabled: 3, ATF enabled: 9 | ATF disabled: 14, ATF enabled: 11 | ATF disabled: 36.81, ATF enabled: 0 | ATF disabled: 2.16, ATF enabled: 0.02

4.15 Balancing Client across Access Points
4.15.1 | AP responds with busy signal when it has reached maximum allowable users | | 2 | 67 | 0.06 | 0.07
4.15.2 | WLAN load balances across APs | | 4 | 6 | 0.11 | 0.11

4.16 Traffic Classification on a per flow basis
4.16.1 | Access Point classifies untagged network inbound video traffic from Lync Server and tags it on the wireless interface to the client | Pass | 1 | 6 | 0.06 | 0.13
4.16.2 | Access Point classifies untagged network inbound voice only traffic from Lync Server and tags it on the wireless interface to the client | Pass | 5 | 5 | 0.13 | 0.02
4.16.3 | Access Point classifies untagged wireless inbound video traffic from LyncEndPt and tags it on the wired interface to Lync Server | Pass | 1 | 4 | 0.02 | 0.04
4.16.4 | Access Point classifies untagged wireless inbound voice only traffic from LyncEndPt and tags it on the wired interface to Lync Server | Pass | 5 | 5 | 0.13 | 0.02

4.17 Mapping Priority Tags
4.17.1 | Access Point remaps incorrect 802.1p and DSCP tags from the network inbound voice traffic to WMM and DSCP tags on wireless outbound interface | Pass | 1 | 5 | 0.31 | 0.09
4.17.2 | Access Point remaps incorrect WMM and DSCP tags from wireless inbound video traffic to 802.1p and DSCP tags on network outbound interface

4.17.4 | Access Point/controller has the ability to retag incorrectly tagged voice only traffic from the wired interface with the correct voice tags on the wired (DSCP tags) and wireless (WMM tags) interfaces | Pass | 1 | 5 | 0 | 0.03

4.18 Shaping Data Traffic
4.18.1 | Video call quality is not affected with data traffic shaping enabled | Pass | 2 | 8 | 0.19 | 0.1
4.18.2 | Voice call quality is not affected with data traffic shaping enabled | Pass | 4 | 35 | 0.46 | 0.17

4.19 Prioritizing SIP-TLS
4.19.1 | Access Point prioritizes untagged SIP TLS traffic from the network over any other traffic type under full congestion | Pass | 1 | 10 | 0.37 | 0.15
4.19.2 | Access Point prioritizes untagged SIP TLS traffic from the WLAN over any other traffic type under full congestion | Pass | 1 | 10 | 0.37 | 0.15

4.20 Encryption Support
4.20.1 | AP supports WPA2-AES encryption | Pass | 6 | 19 | 0.25 | 0.08
4.20.2 | AP supports WPA2-TKIP encryption | Pass | 1 | 38 | 0 | 0.01
4.20.3 | AP supports WPA-AES encryption | Pass | 1 | 11 | 0.13 | 0.04
4.20.4 | AP supports WPA-TKIP encryption | Pass | 3 | 10 | 0.05 | 0.04

4.21 FIPS Accreditation
4.21.1 | 140-2 accredited for government applications | Pass

4.22 HIPAA Compliance
4.22.1 | HIPAA Compliance for healthcare solutions | Pass

4.23 PCI Compliance
4.23.1 | PCI compliance for applications requiring financial transactions | Pass

4.24 ICSA Certified Firewall
4.24.1 | Aruba has built-in ICSA certified firewall | Pass

4.25 Quarantining Misbehaving Clients
4.25.1 | WLAN can detect and quarantine clients that are spoofing IP addresses | Pass
4.25.2 | WLAN system can detect and quarantine clients that have multiple authentication failures and clients that try to access restricted network | Pass
4.25.3 | WLAN system detects and quarantines clients generating de-auth attacks | Pass | 1 | 9 | 0.08 | 0.04
4.25.4 | WLAN system can detect and prohibit clients from associating to ad-hoc networks | Pass | 1 | 9 | 0.08 | 0.04

4.26 Quarantining Misbehaving Clients
4.26.1 Access Point performs rogue Access Point detection while

Lync fixed real time (RT)-multimedia over Wi-Fi

Columns: Section / Test Case# | Test Case Description | Result | Lync QoE Results: Jitter (ms) | Delay (ms) | Packet Loss (%) | NMOS Degradation
(If multiple calls are being measured, the metrics will be documented for each call.)

5.2 WMM Certification
5.2.1 | AP is certified for WMM | Pass

5.3 Spatial Streams
5.3.1 | AP must disclose number of supported spatial streams | Pass
5.3.2 | AP has at least two transmit antennas | Pass
5.3.3 | AP has at least two receive antennas | Pass

5.4 Dual Band Operation
5.4.1 | AP can handle calls in the 2.4 GHz band | Pass | 1 | 7 | 0.03 | 0.04
5.4.2 | AP can handle calls in the 5 GHz band | Pass | 2 | 6 | 0.12 | 0.09
5.4.3 | AP can handle simultaneous voice calls between users in 2.4GHz and between users in 5GHz | Pass | EP1-EP3 0, EP2-EP4 1, EP1-EP4 2, EP2-EP3 1 | EP1-EP3 10, EP2-EP4 10, EP1-EP4 9, EP2-EP3 8 | EP1-EP3 0.18, EP2-EP4 0.08, EP1-EP4 0.1, EP2-EP3 0 | EP1-EP3 0.07, EP2-EP4 0.06, EP1-EP4 0.02, EP2-EP3 0.02

5.5 Dynamic RF Power Management
5.5.1 | AP supports RF power management in a voice enabled network | Pass

5.6 Dynamic Channel Selection
5.6.1 | AP supports dynamic channel selection in a voice enabled network | Pass

5.7 Defer Intrusion Detection and Scanning while processing Real-Time Traffic
5.7.1 | WLAN does not cause jitter of more than 50ms while doing Intrusion Detection (Rogue AP detection) | Pass | 2 | 9 | 0.15 | 0.06
5.7.2 | WLAN does not cause more than 1% packet loss while doing Intrusion Detection (Rogue AP detection) | Pass | 2 | 9 | 0.15 | 0.06
5.7.3 | WLAN does not cause more than 3 consecutive lost packets while doing Intrusion Detection (Rogue Access Point) | Pass | 2 | 9 | 0.15 | 0.06
5.7.4 | Intrusion detection is performed without increasing the RTP delay by more than 50ms (Rogue Access Point) | Pass | 2 | 9 | 0.15 | 0.06
5.7.5 | WLAN does not cause degradation of call quality while doing Intrusion Prevention (Rogue Access Point)

| Section | Test Case# | Test Case Description | Result | Jitter (ms) | Delay (ms) | Packet Loss (%) | NMOS Degradation |
|---|---|---|---|---|---|---|---|
| 5.9 Prioritizing Traffic | 5.9.1 | AP can prioritize voice over video and video over data traffic with WMM and 802.1p tagging disabled on end-points and Lync server respectively | Pass | 2 | 6 | 0.27 | 0.07 |
| | 5.9.2 | AP can prioritize voice over video and video over data traffic with WMM and 802.1p tagging enabled on end-points and Lync server respectively | Pass | 2 | 6 | 0.27 | 0.07 |
| | 5.9.3 | AP can prioritize voice over video and video over data traffic with WMM disabled and 802.1p tagging enabled on end-points and Lync server respectively | Pass | 2 | 6 | 0.27 | 0.07 |
| | 5.9.4 | AP can prioritize voice over video and video over data traffic with WMM enabled and 802.1p tagging disabled on end-points and Lync server respectively | Pass | 2 | 6 | 0.27 | 0.07 |
| 5.10 Protecting Existing Call Quality | 5.10.1 | Existing call quality is not affected when a new call is made through a fully loaded Access Point | Pass | 2 | 6 | 0.27 | 0.07 |
| 5.11 Priority Tag Mapping to Tunnel Priority | 5.11.1 | AP that tunnels all client traffic to controller maps WMM tags to DSCP tunnel priority tags | Pass | 1 | 6 | 0.16 | 0.02 |
| | 5.11.2 | AP that tunnels all client traffic to controller maps DSCP tags to DSCP tunnel priority tags | Pass | 1 | 6 | 0.16 | 0.02 |
| 5.12 Scalability of Wide Band Codec Voice Calls without Background Traffic | 5.12.1 | AP must be able to handle at least five Lync video calls (10 clients) with no background traffic | Pass | 3.1 | 9.3 | 0.12 | 0.15 |
| 5.13 Scalability of Video VGA Calls without Background Traffic | 5.13.1 | AP must be able to handle at least one video call with no background traffic | Pass | 3.8 | 17 | 0.84 | 0.22 |
| 5.14 Scalability of Wide Band Voice Calls with 100% UDP Downstream Background Traffic | 5.14.1 | AP must be able to handle at least one wide-band codec voice call with 100% UDP downstream background traffic | Pass | 3.8 | 17 | 0.84 | 0.22 |
| 5.15 Scalability of Wide Band Codec Voice Calls with 100% UDP Upstream Background Traffic | 5.15.1 | AP must be able to handle at least one wide-band codec voice call with 100% UDP upstream background traffic | Pass | 4 | 10 | 0.88 | 0.34 |
| 5.16 Scalability of Video VGA calls with 100% UDP Downstream Background Traffic | 5.16.1 | AP must be able to handle at least one wide-band codec voice call with 100% UDP downstream background traffic | Pass | 3.8 | 17 | 0.84 | 0.22 |
| 5.17 Scalability of Video VGA calls with 100% UDP Upstream Background Traffic | 5.17.1 | AP must be able to handle at least one wide-band codec voice call with 100% UDP upstream background traffic | Pass | 4 | 10 | 0.88 | 0.34 |

5.18 Scalability of Wide Band Voice Calls with 100% TCP Downstream Background Traffic

5.18.1 AP must be able to handle at least one wide-band codec voice


Lync mobility RT-multimedia over Wi-Fi

Lync QoE Results: if multiple calls are being measured, the metrics will be documented for each call.

| Section | Test Case# | Test Case Description | Result | Jitter (ms) | Delay (ms) | Packet Loss (%) | NMOS Degradation |
|---|---|---|---|---|---|---|---|
| 6 Mobility | | | | | | | |
| 6.2 OKC/PMK Caching | | | | | | | |
| 6.3 Fast Roaming | 6.3.1 | AP ensures fast roaming between APs without affecting call quality when encryption used is 802.1x | Pass | 3 | 11 | 0.44 | 0.15 |
| | 6.3.2 | AP ensures fast roaming between APs without affecting call quality when encryption used is PSK | Pass | 2 | 11 | 0.59 | 0.22 |
| | 6.3.3 | AP ensures fast roaming without affecting call quality when roaming between controller/APs in different subnets | Pass | 3 | 9 | 0.09 | 0.07 |
| 6.4 Efficient Roaming with AP-assisted Handoff | 6.4.1 | AP supports efficient roaming with AP-assisted handoff | | | | | |
| 6.5 Jitter During Roaming | 6.5.1 | AP causes no more than 50ms jitter while roaming between APs | Pass | 2 | 11 | 0.59 | 0.22 |
| 6.6 Delay During Roaming | 6.6.1 | AP causes no more than 50ms delay when roaming between APs | Pass | 2 | 11 | 0.59 | 0.22 |
| | 6.6.2 | AP causes no more than 100ms delay when roaming between APs under maximum load | Pass | 2 | 11 | 0.15 | 0.3 |
| 6.7 Packet Loss During Roaming | 6.7.1 | AP causes no more than 1% packet loss while roaming between APs | Pass | 2 | 11 | 0.59 | 0.22 |
| | 6.7.2 | AP causes no more than 3 consecutive lost packets while roaming between APs | Pass | 2 | 11 | 0.59 | 0.22 |

| Section | Test Case# | Test Case Description | Result | Jitter (ms) | Delay (ms) | Packet Loss (%) | NMOS Degradation |
|---|---|---|---|---|---|---|---|
| 5.19 Scalability of Wide Band Codec Voice Calls with 100% TCP Upstream Background Traffic | 5.19.1 | AP must be able to handle at least one wide-band codec voice call with 100% TCP upstream background traffic | Pass | 8 | 23 | 0.24 | 0.35 |
| 5.20 Scalability of Video VGA calls with 100% TCP Downstream Background Traffic | 5.20.1 | AP must be able to handle at least one wide-band codec voice call with 100% TCP downstream background traffic | Pass | 8.2 | 26 | 0.45 | 0.38 |

5.21 Scalability of Video VGA calls with 100% TCP Upstream Background Traffic

5.21.1 AP must be able to handle at least one wide-band codec voice


Conclusion

As the migration continues towards mobile computing and smartphones, and away from wired desk connections, a wirelessly connected Microsoft Lync Server platform is an ideal platform through which users can stay connected with the enterprise and one another. Aruba’s wireless infrastructure is the ideal host platform for Lync: application fingerprinting identifies and prioritizes sessions without network configuration, enabling the Microsoft Lync Server to be deployed anywhere within the enterprise WLAN with service assurance.

The combination of Microsoft Lync Server and Aruba’s wireless LAN allows mobile employees to communicate more reliably, securely, and effectively over voice, video, IM, or conferencing than was ever before possible.

References

Aruba

• Aruba OS 6.1 User Guide

• Aruba Checklist for Planning a Voice Over Wi-Fi Network: Quality of Service - http://airheads.arubanetworks.com/article/checklist-planning-voice-over-wi-fi-network-quality-service

• Optimizing Aruba WLANs for Roaming Devices Solution Guide - http://www.arubanetworks.com/pdf/technology/DG_Roaming.pdf

• Aruba Campus WLAN networks - http://www.arubanetworks.com/wp-content/uploads/CampusVRDV8_20110913.pdf

Microsoft

• Microsoft Lync Getting Started Guide - http://lync.microsoft.com/en-us/Pages/default.aspx

• Microsoft Lync Planning Guide - http://lync.microsoft.com/en-us/Pages/default.aspx

• Microsoft White Paper "Delivering Lync Real-Time Communications over Wi-Fi" - http://www.microsoft.com/en-us/download/details.aspx?id=35401

6.9 UCI Forum UC Mobility Certified

6.9.1 AP is UCI Forum UC Mobility Certified Pass

6.10 WFA Voice Enterprise (V-E) Certified


Appendix A: Aruba Controller Configuration

version 6.1
enable secret "e3ff586c01e27d93807bfd01ee7bc8ce628701a4e-b8097e4fc"
enable bypass
hostname "Aruba3200"
clock timezone PST -8
location "Building1.floor1"
controller config 318
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
  permit any
!
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-pcoip2-tcp tcp 4172
netservice svc-dhcp udp 67 68
netservice svc-smb-tcp tcp 445
netservice svc-https tcp 443
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-citrix tcp 2598
netservice svc-pptp tcp 1723
netservice svc-ica tcp 1494
netservice svc-telnet tcp 23
netservice svc-sccp tcp 2000
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-lpd tcp 515
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512
netservice svc-http-proxy3 tcp 8888
netservice svc-pcoip-tcp tcp 50002
netservice svc-pcoip-udp udp 50002
netservice svc-dns udp 53
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554
netservice svc-http tcp 80
netservice svc-vocera udp 5002
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-papi udp 8211
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-ftp tcp 21
netservice svc-natt udp 4500
netservice svc-svp 119
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061
netservice svc-netbios-ns udp 137
netservice svc-esp 50
netservice svc-ipp-tcp tcp 631
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-pcoip2-udp udp 4172
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-ipp-udp udp 631
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-vmware-rdp tcp 3389
netexthdr default
!

ip access-list session allow-diskservices
  any any svc-netbios-dgm permit
  any any svc-netbios-ssn permit
  any any svc-microsoft-ds permit
  any any svc-netbios-ns permit
!
ip access-list session control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-papi permit
  any any svc-sec-papi permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
!
ip access-list session v6-icmp-acl
  ipv6 any any svc-v6-icmp permit
!
ip access-list session validuser
  network 169.254.0.0 255.255.0.0 any any deny
  any any any permit
  ipv6 any any any permit
!
ip access-list session vocera-acl
  any any svc-vocera permit queue high
!
ip access-list session v6-https-acl
  ipv6 any any svc-https permit
!
ip access-list session blacklist-acl
  host 172.25.20.108 host 172.25.20.105 any deny send-deny-response blacklist log
!
ip access-list session vmware-acl
  any any svc-vmware-rdp permit tos 46 dot1p-priority 6
  any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip-udp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
!
ip access-list session icmp-acl
  any any svc-icmp permit
!

ip access-list session lync
  any any tcp 5061 permit classify-media queue high
!
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
!
ip access-list session v6-dhcp-acl
  ipv6 any any svc-v6-dhcp permit
!
ip access-list session allowall
  any any any permit
  ipv6 any any any permit
!
ip access-list session v6-dns-acl
  ipv6 any any svc-dns permit
!
ip access-list session lync-acl
  any any tcp 5061 permit classify-media
  any any udp 5061 permit classify-media
  any any svc-sip-udp permit classify-media queue high
  any any svc-sip-tcp permit classify-media queue high
!
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
!
ip access-list session https-acl
  any any svc-https permit
!
ip access-list session dns-acl
  any any svc-dns permit
!
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
!
ip access-list session citrix-acl
  any any svc-citrix permit tos 46 dot1p-priority 6
  any any svc-ica permit tos 46 dot1p-priority 6
!
ip access-list session allow-printservices
  any any svc-lpd permit
  any any svc-ipp-tcp permit
  any any svc-ipp-udp permit
!
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
!
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
!
ip access-list session srcnat
  user any any src-nat
!
ip access-list session skinny-acl
  any any svc-sccp permit queue high
!

ip access-list session tftp-acl
  any any svc-tftp permit
!
ip access-list session v6-allowall
  ipv6 any any any permit
!
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
!
ip access-list session background
!
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
!
ip access-list session dhcp-acl
  any any svc-dhcp permit
!
ip access-list session http-acl
  any any svc-http permit
!
ip access-list session v6-http-acl
  ipv6 any any svc-http permit
!
ip access-list session ap-uplink-acl
  any any udp 68 permit
  any any svc-icmp permit
  any host 224.0.0.251 udp 5353 permit
!
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
!
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 224.0.1.116 any permit
!
ip access-list session noe-acl
  any any svc-noe permit queue high
!
  ipv6 user any udp 68 deny
  ipv6 any any svc-v6-icmp permit
  ipv6 any any svc-v6-dhcp permit
  ipv6 any any svc-dns permit
!
vpn-dialer default-dialer
  ike authentication PRE-SHARE 8ce8d30b83f-5c47337fa3d5014230c7c70f2441de87d0a04
!

user-role Lync-new
  access-list session blacklist-acl
  access-list session lync-acl
  access-list session allowall
!
user-role ap-role
  access-list session control
  access-list session ap-acl
!
user-role lync
  access-list session lync
  access-list session allowall
!
user-role default-vpn-role
  access-list session allowall
  access-list session v6-allowall
!
user-role voice
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
!
user-role default-via-role
  access-list session allowall
!
user-role guest-logon
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
!
user-role guest
  access-list session http-acl
  access-list session https-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
!
user-role stateful-dot1x
!
user-role authenticated
  access-list session allowall
  access-list session v6-allowall
!
user-role logon
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control
  access-list session captiveportal6
!
!
controller-ip vlan 3
interface mgmt
  shutdown
!

dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT#777
!
dialer group gsm_us
  init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
  dial-string ATD*99#
!
dialer group gsm_asia
  init-string AT+CGDCONT=1,"IP","internet"
  dial-string ATD*99***1#
!
dialer group vivo_br
  init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
  dial-string ATD*99#
!
vlan 3
interface gigabitethernet 1/0
  description "GE1/0"
  trusted
  trusted vlan 1-4094
  switchport access vlan 3
!
interface gigabitethernet 1/1
  description "GE1/1"
  trusted
  trusted vlan 1-4094
  switchport access vlan 3
!
interface gigabitethernet 1/2
  description "GE1/2"
  trusted
  trusted vlan 1-4094
  port monitor gigabitethernet 1/0
!
interface gigabitethernet 1/3
  description "GE1/3"
  trusted
  trusted vlan 1-4094
  switchport access vlan 3
!
interface vlan 3
  ip address 172.25.20.3 255.255.255.0
  ip helper-address 172.25.20.24
  ip nat inside
!
interface vlan 1
  shutdown
!
ip default-gateway 172.25.20.2
uplink disable

ap mesh-recovery-profile cluster Re-coveryWaKoOno5UeUrXKyh wpa-hexkey 0b0047b8cda7c68c5a6fee69c5e8a783840ef- c69b77b8ca868316e32578f05de875a1186811c- 60c1942469a646ea19f808f503f887856986b- 2c581f88323f4bd246b75174275e4477-8e1157f7a4621b5

crypto isakmp policy 20
  encryption aes256
!
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
  set transform-set "default-transform" "default-aes"
!
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
!
ip dhcp excluded-address 172.25.20.1 172.25.20.149
ip dhcp pool Pool1
  default-router 172.25.20.2
  dns-server 172.25.20.24
  lease 8 0 0 0
  network 172.25.20.0 255.255.255.0
  authoritative
!
!
syslocation "POC Lab"
syscontact "Syed"
snmp-server community aruba123
vpdn group pptp
!
tunneled-node-address 0.0.0.0
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ssh mgmt-auth username/password
mgmt-user admin root f4e8a0b401de2cd809b-5fa1bb50938a0473ee937d08260383c
database synchronize rf-plan-data
ip mobile domain default
  hat 172.25.20.0 255.255.255.0 3 10.68.4.10 description "Hat1"
!
ip mobile domain lync
  description "lync"
  hat 10.68.4.0 255.255.255.0 1 172.25.20.3 description "lync"
  hat 172.25.20.0 255.255.255.0 3 10.68.4.10 description "lync"
!
ip mobile active-domain Lync
ip igmp
!
ipv6 mld
!
no firewall attack-rate cp 1024
ipv6 firewall ext-hdr-parse-len 100
!
firewall cp
!
firewall cp
packet-capture-defaults tcp disable udp disable sysmsg disable other disable
!
ip domain lookup
!
country US

aaa authentication mac "default"
!
aaa authentication dot1x "default"
!
aaa authentication dot1x "lync-dot1x"
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
!
aaa server-group "default"
  auth-server Internal
  set role condition role value-of
!
aaa profile "default"
!
  dot1x-default-role "authenticated"
  dot1x-server-group "internal"
!
aaa authentication captive-portal "default"
!
aaa authentication captive-portal "lync-cp"
  default-role "Lync-new"
  server-group "internal"
  redirect-pause 5
  max-authentication-failures 3
!
aaa authentication wispr "default"
!
aaa authentication vpn "default"
!
aaa authentication vpn "default-rap"
!
aaa authentication mgmt
!
aaa authentication stateful-ntlm "default"
!
aaa authentication stateful-kerberos "default"
!
aaa authentication stateful-dot1x
!
aaa authentication wired
!
web-server
  session-timeout 3600
!
papi-security
!
guest-access-email
!
voice logging
!

voice dialplan-profile "default"
!
voice real-time-config
!
voice sip
!
aaa password-policy mgmt
!
control-plane-security
  no cpsec-enable
!
ids management-profile
!
ids wms-general-profile
  poll-retries 3
!
ids wms-local-system-profile
!
ids ap-rule-matching
!
valid-network-oui-profile
!
ap system-profile "default"
!
ap regulatory-domain-profile "default"
  country-code US
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 52-56
  valid-11a-40mhz-channel-pair 60-64
  valid-11a-40mhz-channel-pair 100-104
  valid-11a-40mhz-channel-pair 108-112
  valid-11a-40mhz-channel-pair 116-120
  valid-11a-40mhz-channel-pair 124-128
  valid-11a-40mhz-channel-pair 132-136
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
!
ap wired-ap-profile "default"
!
ap enet-link-profile "default"
!
ap mesh-ht-ssid-profile "default"
!
ap mesh-cluster-profile "default"
!
ap wired-port-profile "default"
!
ap mesh-radio-profile "default"
!
ids general-profile "default"
  wireless-containment none
!
ids rate-thresholds-profile "default"
!
ids signature-profile "default"
!
  no detect-ap-spoofing
!
ids unauthorized-device-profile "default"
  detect-adhoc-network
  no detect-windows-bridge
  no detect-unencrypted-valid-client
  no detect-valid-client-misassociation
!
ids signature-matching-profile "default"
!
ids dos-profile "default"
  no detect-disconnect-sta
  spoofed-deauth-blacklist
  no detect-omerta-attack
  no detect-fata-jack-attack
  no detect-malformed-large-duration
  no detect-block-ack-dos
  no detect-power-save-dos-attack
!
ids profile "default"
!
rf arm-profile "arm-maintain"
  assignment maintain
  no scanning
!
rf arm-profile "arm-scan"
!
rf arm-profile "default"
  assignment disable
!
rf arm-profile "lync"
  assignment disable
  max-tx-power 21
  min-tx-power 3
  voip-aware-scan
  ps-aware-scan
!
rf arm-profile "lync-arm"
  assignment disable
  max-tx-power 12
  voip-aware-scan
  ps-aware-scan
!
rf arm-profile "lync2-arm"
  assignment disable
  voip-aware-scan
!
rf optimization-profile "default"
!
rf event-thresholds-profile "default"
rf dot11a-radio-profile "default"
  mode spectrum-mode
  channel 149+
  arm-profile "lync"
!
rf dot11a-radio-profile "lyn3-a"
  channel 44+
  tx-power 3
  slb-update-interval 10
  slb-threshold 10
  spectrum-load-bal-domain "slb"
  arm-profile "lync-arm"
!
rf dot11a-radio-profile "lync-a"
  channel 149+
  spectrum-load-balancing
  slb-update-interval 10
  slb-threshold 10
  spectrum-load-bal-domain "slb"
  arm-profile "lync-arm"
!
rf dot11a-radio-profile "lync2-a"
  channel 36+
  tx-power 3
  slb-update-interval 10
  slb-threshold 10
  spectrum-load-bal-domain "slb"
  arm-profile "lync-arm"
!
rf dot11a-radio-profile "lync4-a"
  channel 36+
  spectrum-load-balancing
  slb-update-interval 10
  slb-threshold 10
  spectrum-load-bal-domain "slb"
  arm-profile "lync-arm"
!
rf dot11a-radio-profile "rp-maintain-a"
  arm-profile "arm-maintain"
!
rf dot11a-radio-profile "rp-monitor-a"
  mode am-mode
!
rf dot11a-radio-profile "rp-scan-a"
  arm-profile "arm-scan"
!
rf dot11a-radio-profile "slb-a"
  channel 157+
  tx-power 20.5
  slb-update-interval 1

  mode spectrum-mode
  channel 11
  arm-profile "lync"
!
rf dot11g-radio-profile "rp-maintain-g"
  arm-profile "arm-maintain"
!
rf dot11g-radio-profile "rp-monitor-g"
  mode am-mode
!
rf dot11g-radio-profile "rp-scan-g"
  arm-profile "arm-scan"
!
rf dot11g-radio-profile "slb-g"
  no radio-enable
  channel 6
  tx-power 20.5
  slb-update-interval 1
  arm-profile "lync"
!
rf dot11g-radio-profile "slb-g-2"
  channel 11
  spectrum-load-balancing
  slb-update-interval 1
  arm-profile "lync-arm"
!
wlan dot11k-profile "default"
!
wlan voip-cac-profile "default"
!
wlan ht-ssid-profile "default"
!
wlan wmm-traffic-management-profile "lync"
  enable-shaping
  voice 38
  video 60
  best-effort 1
  background 1
!
wlan edca-parameters-profile station "default"
!
wlan edca-parameters-profile ap "default"
!
wlan ssid-profile "default"
!
wlan ssid-profile "lync"
  essid "lync1"
  opmode wpa2-aes
  wmm
  wpa-passphrase 467a8594684544e217b-8873deac82124cf5515e58938c724
  qbss-load-enable
!
wlan virtual-ap "default"
!
wlan virtual-ap "lync"
  aaa-profile "lync"
  ssid-profile "lync"
  vlan 3
  blacklist-time 120
  auth-failure-blacklist-time 180
  vlan-mobility
  wmm-traffic-management-profile "lync"
!
wlan traffic-management-profile "lync"
  bw-alloc virtual-ap "lync" share 100
  shaping-policy fair-access
!
ap provisioning-profile "default"
!
ap spectrum local-override
!
ap-group "default"
!
ap-group "lync"
  virtual-ap "lync"
  dot11a-radio-profile "slb-a"
  dot11g-radio-profile "slb-g"
  dot11a-traffic-mgmt-profile "lync"
  dot11g-traffic-mgmt-profile "lync"
!
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
logging facility local7
logging 172.25.20.81 type user severity debugging facility local1
snmp-server enable trap
snmp-server host 10.68.1.8 version 2c aruba123 udp-port 162
process monitor log
remote-node config-id 11
end
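How the roles and session ACLs in this appendix decide which Lync flows get classify-media and queue high, as an added example that is not part of the original paper or of Aruba's tooling: it parses a constructed excerpt of the configuration and returns the first rule a flow hits in a role. It assumes a role's ACLs and each ACL's rules are evaluated top-down with first match winning and an implicit deny at the end; parse, split_rule, addr_ok and first_match are names made up here, and only IPv4 rules with single ports are handled.

```python
# Constructed excerpt of the appendix configuration (lync-acl's svc-sip-tcp rule omitted).
SAMPLE_CONFIG = """\
netservice svc-sip-udp udp 5060
ip access-list session blacklist-acl
  host 172.25.20.108 host 172.25.20.105 any deny send-deny-response blacklist log
!
ip access-list session lync
  any any tcp 5061 permit classify-media queue high
!
ip access-list session allowall
  any any any permit
!
ip access-list session lync-acl
  any any tcp 5061 permit classify-media
  any any udp 5061 permit classify-media
  any any svc-sip-udp permit classify-media queue high
!
user-role Lync-new
  access-list session blacklist-acl
  access-list session lync-acl
  access-list session allowall
!
user-role lync
  access-list session lync
  access-list session allowall
!
"""

def parse(config):
    services, acls, roles, current = {}, {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            current = None                      # "!" closes the open stanza
        elif tok[0] == "netservice":
            if len(tok) >= 4:                   # tcp/udp entries; first port only
                services[tok[1]] = (tok[2], int(tok[3]))
        elif tok[:3] == ["ip", "access-list", "session"]:
            current = acls.setdefault(tok[3], [])
        elif tok[0] == "user-role":
            current = roles.setdefault(tok[1], [])
        elif current is not None:               # role: keep ACL name; ACL: keep the rule
            current.append(tok[2] if tok[:2] == ["access-list", "session"] else tok)
    return services, acls, roles

def split_rule(tok, services):
    """Return (src, dst, service, action, options); service None means any."""
    addrs = []
    for _ in range(2):                          # source spec, then destination spec
        width = {"host": 2, "alias": 2, "network": 3}.get(tok[0], 1)
        addrs.append(tok[:width])
        tok = tok[width:]
    if tok[0] in ("tcp", "udp"):                # literal single port, e.g. tcp 5061
        svc, tok = (tok[0], int(tok[1])), tok[2:]
    else:                                       # "any" or a named netservice
        svc, tok = (None if tok[0] == "any" else services[tok[0]]), tok[1:]
    return addrs[0], addrs[1], svc, tok[0], " ".join(tok[1:])

def addr_ok(spec, ip):                          # "user" is treated like "any" here
    return spec[0] in ("any", "user") or spec == ["host", ip]

def first_match(config, role, src_ip, dst_ip, proto, port):
    services, acls, roles = parse(config)
    for acl in roles[role]:                     # ACLs in the order the role lists them
        for tok in acls[acl]:
            src, dst, svc, action, opts = split_rule(tok, services)
            if addr_ok(src, src_ip) and addr_ok(dst, dst_ip) and svc in (None, (proto, port)):
                return acl, action, opts
    return None, "deny", ""                     # assumed implicit deny
```

With this excerpt, SIP over TLS (tcp 5061) from a client in role Lync-new matches lync-acl with classify-media only, while the same flow in role lync also gets queue high; anything else falls through to allowall with no QoS options.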
