TESTING & INTEGRATION GROUP SOLUTION GUIDE

(1)

T

ESTING

&

I

NTEGRATION

G

ROUP

S

OLUTION

G

UIDE

Radware AppDirector optimizing the delivery of Microsoft Lync

2010

TECHNICAL SOLUTION GUIDE

DATE: Sunday, January 01, 2012

Version: 1.0

(2)

INTRODUCTION ... 3

MICROSOFT LYNC 2010 OVERVIEW ... 4

RADWARE APPDIRECTOR ... 9

PERFORMANCE ACCELERATION SERVICES ... 10

RADWARE APPDIRECTOR AND MICROSOFT LYNC ARCHITECTURE ... 11

IMPORTANT IMPLEMENTATION NOTES ... 12

CONFIGURATION ... 13

APPDIRECTOR INTERNAL ACTIVE CONFIGURATION ... 13

CONFIGURATION SETTINGS ... 13

APPDIRECTOR INTERNAL ACTIVE ... 13

Network Configuration ... 13

Farm Configuration ... 13

Client NAT Configuration ... 14

Extended Farm Configuration ... 14

Servers Configuration ... 15

Layer 7 Configuration ... 16

Compression Configuration ... 17

SSL Policy Configuration ... 17

Layer 4 Configuration ... 18

AppDirector Health Monitoring ... 23

VRRP Configuration ... 25

Mirroring Configuration ... 25

APPDIRECTOR INTERNAL BACKUP ... 26

Network Configuration ... 26

CONFIGURATION SETTINGS ... 26

APPDIRECTOR DMZ ACTIVE ... 26

Network Configuration ... 26

Farm Configuration ... 26

Client NAT Configuration ... 27

Extended Farm Configuration ... 27

Servers Configuration ... 28

Layer 4 Configuration ... 29

AppDirector Health Monitoring ... 31

VRRP Configuration ... 33

Mirroring Configuration ... 33

APPDIRECTOR DMZ BACKUP ... 34

(3)

Introduction

(4)

Microsoft Lync 2010 Overview

Microsoft® Lync™ ushers in a new connected user experience transforming every

communication into an interaction that is more collaborative, engaging, and

accessible from anywhere. For IT, the benefits are equally powerful, with a highly

secure and reliable system that works with existing tools and systems for easier

management, lower cost of ownership, smoother deployment and migration, and

greater choice and flexibility.

Connected End User Experience

Users seek communications tools that make their work easier and are available

anywhere, anytime—including within the context of other applications. Microsoft

Lync 2010 provides a single interface that unites voice communications, IM, and

audio, video, and Web conferencing into a richer, more contextual offering.

Find and communicate with the right person Rich presence including pictures, skill

search, location information, and more gives users the context they need to make

smart communication choices including built-in instant messaging capability. Users

can add and connect with users on Public IM services such as Windows Live, AOL,

and Yahoo! and communicate with them using their single work identity.

Create a more fun work environment by building social connections The rich

experience of Lync 2010 helps workers make connections across time and distance

with picture-enhanced presence, automatic frequent contacts lists, and activity

feeds for keeping up with co-workers.

Make every interaction a near face to face meeting Transform any conversation to

include high-resolution video-, application-, and desktop-sharing and be fully

present in meetings without making the physical trip.

Communicate with context from Microsoft Office applications The visually

compelling experience of Lync 2010 is consistent throughout Microsoft Office and

other business applications, including color-coded presence icons, pictures,

high-resolution video, and desktop sharing.

Stay connected from virtually anywhere A single experience across the PC, phone,

or Web means that users have the choice to connect from many devices.

Benefits

(5)

Do more. With less.

Control costs Voice over IP (VoIP) enables communications among geographically

dispersed company locations without long distance charges. Integrated audio,

video, and Web conferencing helps reduce travel costs as well as the cost of

third-party conferencing solutions.

Improve productivity Rich presence information helps employees find each other

and choose the most effective way to communicate at a given time. Instead of

e-mailing documents back and forth for approval, workers can rely on real-time

collaboration through enhanced conferencing with desktop, application, and virtual

whiteboard sharing—or contact a collaborator from within Microsoft Office or other

applications. The unified Microsoft Lync 2010 client provides access to enterprise

voice, enterprise messaging, and conferencing from one simplified interface.

Support the mobile workforce Mobile workers get access to rich Unified

Communications tools from practically anywhere with an Internet connection, no

VPN needed. An updated Lync Mobile client makes joining and managing

conferences, searching the Global Address List, and viewing presence information

easy. Rich presence in Lync Server 2010 has been updated with mobile location

information, making on-the-go workers easier to find and contact. A single user

experience across PC, phone, mobile phone, and browser gives workers more ways

to stay in touch.

Gain operational efficiencies By integrating Unified Communications and rich

presence into business workflows, latency and delays can be reduced or eliminated.

For geographically dispersed teams, group chat can enable efficient, topic-specific,

multi-party discussions that persist over time.

Be more responsive to customers, partners, and employees Enhanced delegation

through Lync 2010, one-click call routing and management features in Microsoft

Lync 2010 Attendant for receptionists, and rich presence information in both help

ensure that opportunities are routed to the right person at the right time.

Maintain regulatory compliance Built-in security, encryption, archiving, and call

detail records help meet regulatory requirements. By using your own servers and

network, you maintain control over sensitive data that would otherwise be

(6)

Joint Solution Topology example:

Radware’s ADC solution provides high availability and improved performance to the

Microsoft Lync 2010 unified communication solution through smart traffic load

balancing and redirection. The simplest implementation is done by configuring a

virtual IP address on the AppDirector ADC, to which all LYNC traffic will go through,

and intelligently distributed to the pool of LYNC servers.

(7)

A more realistic topology would use a single ADC device (or a cluster of two for

redundancy), to provide all ADC services to the various Lync server pools, and

zones in the network, separating the traffic through VLANs and by using a different

virtual IP per VLAN – representing a network zone (e.g. DMZ or LAN), and per

server pool.

Office Communications Server Protocols load balanced by

AppDirector

Front End Server

Front

End

Servers

Lync Server

Front-End service

5060 TCP

Optionally used by Standard Edition servers and

Front End Servers for static routes to trusted

services, such as remote call control servers.

Front

End

Servers

Front-End service

5061 TCP (TLS)

Used by Standard Edition servers and Front End

pools for all internal SIP communications

between servers (MTLS), for SIP

communications between Server and Client

(TLS) and for SIP communications between

Front End Servers and Mediation Servers

(MTLS). Also used for communications with

Monitoring Server.

Front

End

Servers

Front-End service

444 HTTPS

Used for HTTPS communication between the

Focus (the Lync Server component that

manages conference state) and the individual

servers.

TCP

This port is also used for TCP communication

between Front End Servers and Survivable

Branch Appliances.

Front

End

Servers

Lync Server

Front-End service

135 DCOM and

remote

procedure

call (RPC)

Used for DCOM based operations such as

Moving Users, User Replicator Synchronization,

and Address Book Synchronization.

Front

End

Servers

Lync Server IM

Conferencing

service

5062 TCP

Used for incoming SIP requests for instant

messaging (IM) conferencing.

Front

End

Servers

Lync Server Web

Conferencing

service

(8)

Front

End

Servers

Lync Server

Audio/Video

Conferencing

service

5063 TCP

Used for incoming SIP requests for audio/video

(A/V) conferencing.

Front

End

Servers

Lync Server Web

Compatibility

service

443 HTTPS

Used for communication from Front End

Servers to the web farm FQDNs (the URLs used

by IIS web components).

Front

End

Servers

Lync Server

Application

Sharing service

5065 TCP

Used for incoming SIP listening requests for

application sharing.

Front

End

Servers

Lync Server

Conferencing

Announcement

service

5073 TCP

Used for incoming SIP requests for the Lync

Server Conferencing Announcement service

(that is, for dial-in conferencing).

Front

End

Servers

Lync Server Call

Park service

5075 TCP

Used for incoming SIP requests for the Call Park

application.

Front

End

Servers

Audio Test service

5076 TCP

Used for incoming SIP requests for the Audio

Test service.

Front

End

Servers

Lync Server

Response Group

service

5071 TCP

Used for incoming SIP requests for the

Response Group application.

Front

End

Servers

Lync Server

Bandwidth Policy

Service

5080 TCP

Used for call admission control by the

Bandwidth Policy service for A/V Edge TURN

traffic.

Front

End

Servers

Lync Server

Bandwidth Policy

Service

448 TCP

Used for call admission control by the Lync

Server Bandwidth Policy Service.

Front

End

Servers

Lync Server Web

Services

8080 TCP

Front End web services

Edge Servers External Leg

Edge Servers

External Leg

Load balancer for Edge

Servers

443 TCP Used for SIP Access Service (VIP1)

Edge Servers

External l

Leg

Load balancer for Edge

Servers

5061 TCP Used for Federation mode

Edge Servers

External Leg

Load balancer for Edge

Servers

443 TCP

(9)

Edge Servers

External Leg

Load balancer for Edge

Servers

443 TCP Used for A/V service (VIP3)

Edge Servers

External Leg

Load balancer for Edge

Servers

3478 UDP STUN/UDP for A/V serivce

Edge Servers Internal Leg

Edge Servers

Internal Leg

Load balancer for Edge Servers 443

TCP Used for Web Service

Edge Servers

Internal

Leg

Load balancer for Edge Servers 5061 TCP SIP TLS

Edge Servers

Internal

Leg

Load balancer for Edge Servers 5062 TCP Internal Edge authentication

Edge Servers

Internal Leg

Load balancer for Edge Servers 3478 UDP STUN/UDP for A/V service

CWA Ports

CWA

Load balancer for CWA Servers

443 TCP

Used for Web Service

(SSL Offloading)

Table 1.0 – Office Communications Server Protocols load balanced by

AppDirector

For more information, please visit:

http://lync.microsoft.com/en-us/Pages/default.aspx

Radware AppDirector

AppDirector uses advanced Layer 4-7 policies and granular application intelligence

for end-to-end business-smart networking. AppDirector aligns server infrastructure

operations with application front end requirements to eliminate



Traffic surges



Server bottlenecks

(10)



Downtime

This assures application access, full application continuity and redundancy.

AppDirector enables fine tuning of network behavior based on granular

application-specific classification of packets to optimize traffic flows for a wide range of

enterprise applications such as Microsoft, Oracle, BEA, IBM, SAP and other

web-based applications including support for VoIP, streaming media and secure LDAP

applications.

Performance Acceleration Services

AppDirector provides end-to-end performance acceleration of Web- and SSL-based

applications for all end-users types such as desktops, PDAs and smart-phones.

AppDirector's acceleration technologies include SSL offloading, Web compression,

static and dynamic content caching, TCP optimization and bandwidth utilization

control for fast application and transaction response times and the best Quality of

Experience (QoE) across various media types (e.g., cellular connections, wireless

networks, broadband connections).

By offloading SSL and persistent functions (processor- and server-intensive

operations) from servers, AppDirector frees server CPU to handle additional

requests, thus eliminating the need to buy additional hardware to support

application processing requirements.

AppDirector handles centralized, multi-device application and SSL management

which:

Reduces the complexity and the cost of managing SSL server infrastructure

through centralized, tamper-resistant certificates/key protection and

management

Significantly reduces Federal Information Processing Standards (FIPS) card

deployment costs while preventing attackers from gaining access to sensitive

information (e.g., keys and certificates) contained in the module

Reduces OPEX of installing and managing certificates on each and every server

Simplifies maintenance and troubleshooting

Centralizes monitoring of SSL performance

(11)

Radware AppDirector and Microsoft Lync Architecture

(12)

Important Implementation Notes

1. There are two pairs of AppDirector Application Switches configured for this deployment. A pair of AppDirectors configured in the DMZ for the Edge Servers and a pair of AppDirectors configured in the LAN for the Front-End Servers.

2. DNS SRV records for the appropriate domain are used to locate the Lync servers for client connectivity. DNS administration is required to bind an A record for the Lync FQDN, where the FQDN resolves the appropriate AppDirector Virtual IP Address (VIP). AppDirector has the ability to become the Authoritative responder for this FQDN, normally used in Disaster Recovery designs; in this case the DNS would use a name server record pointing to the AppDirector for the authoritative response. AppDirector would base the response on the availability, load and proximity information it uses to drive intelligent load distribution.

3. SSL traffic is (TCP.443) can be configured as persistent with SSLID tracking (not configured in this paper)

4. Other traffic is persistent with Source IP LB.

5. Internal legs of the Edge servers routing table for 192.168.1.0/24, 192.168.2.0/24 must be routed statically on the servers to IP 11.1.11.254. Windows command example: ‘route add 192.168.1.0 mask 255.255.255.0 11.1.11.254 –p’

6. Internal AppDirector leg route for 192.168.1.0/24 will go through 11.1.10.254 (for CWA, Online Meeting, ABS, dialing conferencing and Group Extensions services)

7. Microsoft requires session timeout for 1800 second; Make sure that aging time on the AppDirector is set to 30 minutes.

8. Import the Microsoft Lync certificate to the AppDirectors both internal and external, to understand how to import the Certificate please refer to the AppDriector Manual.

(13)

Software and Hardware

The following is a list of hardware and software tested to verify the interoperability of the presented solution:

Microsoft Windows 2008 R2 x64bits

Radware’s AppDirector ODS1 v.2.14.03 build 111 (4 units) Microsoft Lync 2010 Enterprise

Microsoft SQL Server 2005

Microsoft Lync Front End and Edge servers

Configuration

AppDirector Internal Active Configuration

Configuration Settings

AppDirector Internal Active

Network Configuration

1. Create IP 192.168.1.1/24 on port 1 2. Peer Address 192.168.1.2

3. Create default route to 192.168.1.254

Farm Configuration

1. Create a farm named “fe.servers” in AppDirector -> Farms -> Farm Table with these parameters:

- Farm Name – fe.servers - Aging Time - 1800

- Session mode – RemoveOnSessionEnd-SPS

- Dispatch Method – Fewest Number of Users - Local - Connectivity checks – No Checks

- Leave all other fields as default

2. Create a farm named “edge.Internal.Servers” in AppDirector -> Farms -> Farm

Table with these parameters:

- Farm Name – edge.Internal.Servers - Aging Time - 1800

3. Create a farm named “director.Servers” in AppDirector -> Farms -> Farm Table with these parameters:

- Farm Name – director.Servers - Aging Time - 1800

(14)

4. Create a farm named “cwa.Servers” in AppDirector -> Farms -> Farm Table with these parameters:

- Farm Name – cwa.Servers - Aging Time - 1800

Client NAT Configuration

1. Enable Client NAT in AppDirector -> NAT -> Client NAT -> Global Parameters with these parameters:

- Client NAT – Enabled

2. Create Client Address IP’s in AppDirector -> NAT -> Client NAT -> Client NAT

Address Table with these parameters:

- From IP – 192.168.1.99 to 192.168.1.103 - From IP – 192.168.1.201 to 192.168.1.204

3. Create Client NAT Intercept in AppDirector -> NAT -> Client NAT -> Client

NAT Intercept Table with these parameters:

- From IP – 11.1.10.0 to 11.1.10.255 - From IP – 11.1.11.1 to 11.1.11.2

- From IP – 192.168.0.0 to 192.168.255.255

Extended Farm Configuration

1. Edit farm named “fe.servers” in AppDirector -> Farms -> Extended

Parameters with these parameters:

- Client NAT – 192.168.1.99 - Leave all other fields as default

2. Edit farm named “cwa.Servers” in AppDirector -> Farms -> Extended

3. Edit farm named “direcor.Servers” in AppDirector -> Farms -> Extended

4. Edit farm named “edge.Internal.Servers” in AppDirector -> Farms -> Extended

(15)

Servers Configuration

1. Create a server named “fe.Server.1” and attach it to the farm “fe.servers” in

AppDirector -> Servers -> Application Servers -> Table with these

parameters:

- Server Name – fe.Server.1 - Farm Name – Fe.servers

- Server Address – 192.168.1.21 - Client NAT – Enabled

- Client NAT Address Range – 192.168.1.99 - Leave all other fields as default

2. Create a server named “fe.Server.2” and attach it to the farm “fe.servers” in

parameters:

- Server Name – fe.Server.2 - Farm Name – fe.servers

3. Create a server named “director.Server.1” and attach it to the farm

“direcotr.Servers” in AppDirector -> Servers -> Application Servers -> Table with these parameters:

- Server Name – director.Server.1 - Farm Name – direcotor.Servers - Server Address – 192.168.1.23 - Client NAT – Enabled

4. Create a server named “director.Server.2” and attach it to the farm

“Director.Servers” in AppDirector -> Servers -> Application Servers -> Table with these parameters:

- Server Name – director.Server.2 - Farm Name – director.Servers - Server Address – 192.168.1.24 - Client NAT – Enabled

5. Create a server named “cwa.server.1” and attach it to the farm “cwa.servers” in

parameters:

- Server Name – cwa.server.1 - Farm Name – cwa.servers - Server Address – 192.168.1.40 - Client NAT – Enabled

6. Create a server named “cwa.server.2” and attach it to the farm “cwa.servers” in

parameters:

(16)

7. Create a server named “edge.server.internal.1” and attach it to the farm

“edge.internal.servers” in AppDirector -> Servers -> Application Servers ->

- Server Name – edge.server.internal.1 - Farm Name – edge.internal.servers - Server Address – 11.1.11.1

8. Create a server named “edge.server.internal.2” and attach it to the farm

“edge.internal.servers” in AppDirector -> Servers -> Application Servers ->

- Server Name – edge.server.internal.1 - Farm Name – edge.internal.servers - Server Address – 11.1.11.2

Layer 7 Configuration

1. Create L7 method named “http.condition” in AppDirector -> Layer 7 Farm

Selection -> Method with these parameters:

- Method Name – http.condition - Method Type – Text

- Arguments – https

2. Create L7 method named “http.modification” in AppDirector -> Layer 7 Farm

- Method Name – http.modification - Method Type – Text

- Arguments – http

3. Create L7 method named “http.cwa” in AppDirector -> Layer 7 Farm Selection

-> Method with these parameters:

- Method Name – http.cwa - Method Type – Text

- Arguments – http://cwa.lyncradware.com -

4. Create L7 method named “https.cwa” in AppDirector -> Layer 7 Farm

- Method Name – https.cwa - Method Type – Text

- Arguments – https://cwa.lyncradware.com

5. Create L7 Modification named “http.to.https” in AppDirector -> Layer 7

Modification -> Rules with these parameters:

(17)

- Farm – CWA.Servers - Admin Status - Enabled

- Modification Scope – Header and Body - Direction – Request

- Header & Body Condition - http.cwa - Header & Body Modification – https.cwa

6. Create L7 Modification named “https.to.http” in AppDirector -> Layer 7

Modification -> Rules with these parameters:

- Name – https.to.http - Index – 2

- Modification Scope – Header and Body - Direction – Reply

- Header & Body Condition - https.cwa - Header & Body Modification – http.cwa

7. Create L7 Modification named “all.http” in AppDirector -> Layer 7 Modification

-> Rules with these parameters:

- Name – all.http - Index – 3

- Modification Scope – Header and Body - Direction – Request

- Header & Body Condition - http.condition - Header & Body Modification – http.modification

Compression Configuration

1. Create a compression policy named “comp.policy” in AppDirector -> Servers ->

Layer4 Traffic configuration -> Compression Policy with these parameters:

- Policy Name – comp.policy - Algorithm – GZIP

- Compression lever – 1 - Minimum Content Length – 1

- Maximum Content length - 10485760 - Leave all other fields as default

SSL Policy Configuration

1. Create an SSL policy in AppDirector -> L4 Traffic Redirection -> SSL Policy with these parameters:

- Policy name – cwa.pol - Certificate – cwa

- Listening Server Port – 80

- HTTP Redirection Conversion State - Enabled - Leave all other fields as default

Note: The cwa certificate needs to be imported from the Lync servers. For

(18)

Layer 4 Configuration

1. Create a Layer 4 policy named “directors.5060” in AppDirector -> Layer 4

Traffic Redirection -> Layer 4 Policies with these parameters:

- L4 Policy Name – directors.5060 - Virtual IP – 192.168.1.160 - L4 Protocol – TCP

- L4 Port – 5060 - Application - any

- Farm Name – director.servers - Leave all other fields as default

2. Create a Layer 4 policy named “directors.5061” in AppDirector -> Layer 4

- L4 Policy Name – directors.5061 - Virtual IP – 192.168.1.160 - L4 Protocol – TCP

- Farm Name – director.servers - Leave all other fields as default

3. Create a Layer 4 policy named “cwa.443” in AppDirector -> Layer 4 Traffic

Redirection -> Layer 4 Policies with these parameters:

- L4 Policy Name – cwa.443 - Virtual IP – 192.168.1.170 - L4 Protocol – TCP

- Farm Name – cwa.servers - SSL Policy – cwa.pol

- Compression Policy – comp.policy - Leave all other fields as default

4. Create a Layer 4 policy named “proxy.to.fe.4443” in AppDirector -> Layer 4

- L4 Policy Name – proxy.to.fe.4443 - Virtual IP – 192.168.1.200

- L4 Protocol – TCP - L4 Port – 4443 - Application - any

- Farm Name – fe.servers

5. Create a Layer 4 policy named “fe.im.req.8057” in AppDirector -> Layer 4

- L4 Policy Name – fe.im.req.8057 - Virtual IP – 192.168.1.200 - L4 Protocol – TCP

(19)

6. Create a Layer 4 policy named “fe.dcom.135” in AppDirector -> Layer 4 Traffic

- L4 Policy Name – fe.dcom.135 - Virtual IP – 192.168.1.200 - L4 Protocol – TCP

7. Create a Layer 4 policy named “fe.web.services.8080” in AppDirector -> Layer 4

- L4 Policy Name – fe.web.services.8080 - Virtual IP – 192.168.1.200

8. Create a Layer 4 policy named “fe.https.443” in AppDirector -> Layer 4 Traffic

- L4 Policy Name – fe.https.443 - Virtual IP – 192.168.1.200 - L4 Protocol – TCP

- Leave all other fields as default -

9. Create a Layer 4 policy named “fe.conf.444” in AppDirector -> Layer 4 Traffic

- L4 Policy Name – fe.conf.444 - Virtual IP – 192.168.1.200 - L4 Protocol – TCP

10. Create a Layer 4 policy named “fe.call.admin.448” in AppDirector -> Layer 4

- L4 Policy Name – fe.call.admin.448 - Virtual IP – 192.168.1.200

11. Create a Layer 4 policy named “fe.sip.5060” in AppDirector -> Layer 4 Traffic

- L4 Policy Name – fe.sip.5060 - Virtual IP – 192.168.1.200 - L4 Protocol – TCP

(20)

- Application - any

12. Create a Layer 4 policy named “fe.mtls.5061” in AppDirector -> Layer 4 Traffic

- L4 Policy Name – fe.mtls.5061 - Virtual IP – 192.168.1.200 - L4 Protocol – TCP

13. Create a Layer 4 policy named “fe.app.share.5065” in AppDirector -> Layer 4

- L4 Policy Name – fe.app.share.5065 - Virtual IP – 192.168.1.200

14. Create a Layer 4 policy named “fe.monitoring.5069” in AppDirector -> Layer 4

- L4 Policy Name – fe.monitoring.5069 - Virtual IP – 192.168.1.200

15. Create a Layer 4 policy named “fe.res.group.5071” in AppDirector -> Layer 4

- L4 Policy Name – fe.res.group.5071 - Virtual IP – 192.168.1.200

16. Create a Layer 4 policy named “fe.sip.req.5072” in AppDirector -> Layer 4

- L4 Policy Name – fe.sip.req.5072 - Virtual IP – 192.168.1.200 - L4 Protocol – TCP

17. Create a Layer 4 policy named “fe.conf.anoun.5073” in AppDirector -> Layer 4

(21)

- L4 Policy Name – fe.conf.anoun.5073 - Virtual IP – 192.168.1.200

18. Create a Layer 4 policy named “fe.sip.req.call.park.5075” in AppDirector ->

Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters:

- L4 Policy Name – fe.sip.req.call.park.5075 - Virtual IP – 192.168.1.200

19. Create a Layer 4 policy named “fe.audio.test.5076” in AppDirector -> Layer 4

- L4 Policy Name – fe.audio.test.5076 - Virtual IP – 192.168.1.200

20. Create a Layer 4 policy named “fe.av.age.turn.traff.5080” in AppDirector ->

- L4 Policy Name – fe.av.age.turn.traff.5080 - Virtual IP – 192.168.1.200

21. Create a Layer 4 policy named “edge.replication.4443” in AppDirector -> Layer 4

- L4 Policy Name – edge.replication.4443 - Virtual IP – 192.168.1.230

- Farm Name – edge.internal.servers - Leave all other fields as default

22. Create a Layer 4 policy named “edge.int.443” in AppDirector -> Layer 4 Traffic

- L4 Policy Name – edge.int.443 - Virtual IP – 192.168.1.230 - L4 Protocol – TCP

(22)

25. Create a Layer 4 policy named “edge.int.udp.stun.3478” in AppDirector -> Layer

4 Traffic Redirection -> Layer 4 Policies with these parameters:

- L4 Policy Name – edge.int.udp.stun.3478 - Virtual IP – 192.168.1.230

- L4 Protocol – UDP - L4 Port – 3478 - Application - any

(23)

AppDirector Health Monitoring

1. Enable Health Monitoring in Health Monitoring -> Global Parameters.

2. Create a check for HTTP on server 192.168.1.40 in Health Monitoring -> Check

- Check name – cwa.server.1 - Method – HTTP

- Dest IP – 192.168.1.40 - Dest Port – 80

3. Create a check for HTTP on server 192.168.1.41 in Health Monitoring -> Check

- Check name – cwa.server.2 - Method – HTTP

- Dest IP – 192.168.1.41 - Dest Port – 80

4. Create a check for TCP port 5061 on server 192.168.1.23 in Health Monitoring

-> Check Table with these parameters:

- Check name – director.server.1 - Method – TCP.Port

- Dest IP – 192.168.1.23 - Dest Port – 5061

- Check name – director.server.2 - Method – TCP.Port

- Dest IP – 192.168.1.24 - Dest Port – 5061

6. Create a check for TCP port 5061 on server 11.1.11.1 in Health Monitoring ->

Check Table with these parameters:

- Check name – edge.internal.server.1 - Method – TCP.Port

- Dest IP – 11.1.11.1 - Dest Port – 5061

7. Create a check for TCP port 5061 on server 11.1.11.2 in Health Monitoring ->

Check Table with these parameters:

- Check name – edge.internal.server.2 - Method – TCP.Port

- Dest IP – 11.1.11.2 - Dest Port – 5061

- Check name – fe.server.1 - Method – TCP.Port

- Dest IP – 192.168.1.21 - Dest Port – 5061

(24)

- Check name – fe.server.2 - Method – TCP.Port

- Dest IP – 192.168.1.22 - Dest Port – 5061

10. Bind the check fe.server.1 to Server ‘fe.servers – 192.168.1.21’ in Health Monitoring -> Binding Table.

11. Bind the check fe.server.2 to Server ‘fe.servers – 192.168.1.22’ in Health Monitoring -> Binding Table.

12. Bind the check cwa.server.1 to Server ‘cwa.servers – 192.168.1.40’ in Health Monitoring -> Binding Table.

13. Bind the check cwa.server.2 to Server ‘cwa.servers – 192.168.1.41’ in Health Monitoring -> Binding Table.

14. Bind the check director.server.1 to Server ‘director.servers – 192.168.1.23’ in Health Monitoring -> Binding Table.

15. Bind the check director.server.2 to Server ‘director.servers – 192.168.1.24’ in Health Monitoring -> Binding Table.

16. Bind the check edge.internal.server.1 to Server ‘edge.internal.servers – 11.1.11.1’ in Health Monitoring -> Binding Table.

(25)

VRRP Configuration

1. Enable VRRP in AppDirector -> Redundancy -> Global Configuration with these parameters:

- IP Redundancy Admin Status – VRRP - Interface Grouping – Enable

- ARP with interface grouping – Send - Backup Fake ARP – Enable

- Backup Interface Grouping – Enable - Leave all other fields as default

2. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP ->

Virtual Router Table with these parameters:

- IF Index – 1 - VR ID – 101

- Priority – 255 (Highest number is Active device) - Primary IP – 192.168.1.1

- Leave all other options as default

3. Create Associated IP Addresses in AppDirector -> Redundancy -> VRRP ->

Associated IP Addresses with these parameters:

- IF Index – 1, VR ID – 101, Associated IP 192.168.1.1 - IF Index – 1, VR ID – 101, Associated IP 192.168.1.99 - IF Index – 1, VR ID – 101, Associated IP 192.168.1.100 - IF Index – 1, VR ID – 101, Associated IP 192.168.1.101 - IF Index – 1, VR ID – 101, Associated IP 192.168.1.102 - IF Index – 1, VR ID – 101, Associated IP 192.168.1.103 - IF Index – 1, VR ID – 101, Associated IP 192.168.1.160 - IF Index – 1, VR ID – 101, Associated IP 192.168.1.170 - IF Index – 1, VR ID – 101, Associated IP 192.168.1.200 - IF Index – 1, VR ID – 101, Associated IP 192.168.1.201 - IF Index – 1, VR ID – 101, Associated IP 192.168.1.202 - IF Index – 1, VR ID – 101, Associated IP 192.168.1.203 - IF Index – 1, VR ID – 101, Associated IP 192.168.1.204 - IF Index – 1, VR ID – 101, Associated IP 192.168.1.230

Mirroring Configuration

4. Enable Mirroring in AppDirector -> Redundancy -> Mirroring -> Active

Device Parameters with these parameters:

- Client Table Mirroring – Enable - Session Id Table Mirroring – Enable - Leave all other fields as default

5. Add Mirror device in AppDirector -> Redundancy -> Mirroring -> Mirror

(26)

AppDirector Internal Backup

The following are the settings for the Backup AppDirector:

Network Configuration

1. Create IP 192.168.1.2/24 on port 1 2. Peer Address 192.168.1.1

3. Create default route to 192.168.1.254

Auto Generating the Backup Configuration from the Primary AppDirector

1.

From the web interface menu of the Primary AppDirector, select File -> Configuration

-> Receive from Device and choose Backup (Active-Backup) save the file on your

computer and call it AppDirector.backup.txt.

2.

Open the browser on the AppDirector backup device and upload the saved configuration (AppDirector.backup.txt) in File -> Configuration -> Send to Device

3.

Reboot the AppDirector Backup device

Configuration Settings

AppDirector DMZ Active

Network Configuration

1. Create IP 11.1.21.10/24 on port 1 - Peer Address 11.1.21.11 2. Create IP 11.1.10.10/24 on port 2 - Peer Address 11.1.10.11 3. Create default route to 11.1.21.254

4. Static route for network 192.168.1.0/24 to 11.1.10.254

Farm Configuration

5. Create a farm named “edge.sip.443” in AppDirector -> Farms -> Farm Table with these parameters:

- Farm Name – edge.sip.443 - Aging Time - 1800

6. Create a farm named “edge.lm.443” in AppDirector -> Farms -> Farm Table with these parameters:

- Farm Name – edge.lm.443 - Aging Time - 1800

(27)

7. Create a farm named “edge.meeting.443” in AppDirector -> Farms -> Farm

- Farm Name – edge.meeting.443 - Aging Time - 1800

8. Create a farm named “edge.av.443” in AppDirector -> Farms -> Farm Table with these parameters:

- Farm Name – edge.av.443 - Aging Time - 1800

9. Create a farm named “cwa.service.443” in AppDirector -> Farms -> Farm Table with these parameters:

- Farm Name – cwa.service.443 - Aging Time - 1800

Client NAT Configuration

1. Enable Client NAT in AppDirector -> NAT -> Client NAT -> Global Parameters with these parameters:

2. Create Client Address IP’s in AppDirector -> NAT -> Client NAT -> Client NAT

Address Table with these parameters:

- From IP – 11.1.10.170 to 11.1.10.170

3. Create Client NAT Intercept in AppDirector -> NAT -> Client NAT -> Client

NAT Intercept Table with these parameters:

- From IP – 10.1.0.0 to 10.1.255.255

Extended Farm Configuration

1. Edit farm named “edge.sip.443” in AppDirector -> Farms -> Extended

2. Edit farm named “edge.lm.443” in AppDirector -> Farms -> Extended

3. Edit farm named “edge.meeting.443” in AppDirector -> Farms -> Extended

(28)

4. Edit farm named “cwa.service.443” in AppDirector -> Farms -> Extended

Servers Configuration

1. Create a server named “edge.sip.server.1” and attach it to the farm

“edge.sip.443” in AppDirector -> Servers -> Application Servers -> Table with these parameters:

- Server Name – edge.sip.server.1 - Farm Name – edge.sip.443 - Server Address – 11.1.10.1 - Client NAT – Enabled

2. Create a server named “edge.sip.server.2” and attach it to the farm

“edge.sip.443” in AppDirector -> Servers -> Application Servers -> Table with these parameters:

- Server Name – edge.sip.server.2 - Farm Name – edge.sip.443 - Server Address – 11.1.10.2 - Client NAT – Enabled

3. Create a server named “lync.content.server” and attach it to the farm

“edge.lm.443” in AppDirector -> Servers -> Application Servers -> Table with these parameters:

- Server Name – lync.content.server - Farm Name – edge.lm.443

- Server Address – 192.168.1.200 - Server Port - 4443

4. Create a server named “meeting.server.1” and attach it to the farm

“edge.meeting.443” in AppDirector -> Servers -> Application Servers ->

- Server Name – meeting.server.1 - Farm Name – edge.meeting.443 - Server Address – 11.1.10.5 - Client NAT – Enabled

5. Create a server named “meeting.server.2” and attach it to the farm

“edge.meeting.443” in AppDirector -> Servers -> Application Servers ->

(29)

- Farm Name – edge.meeting.443 - Server Address – 11.1.10.6 - Client NAT – Enabled

6. Create a server named “av.server.1” and attach it to the farm “edge.av.443” in

parameters:

- Server Name – av.server.1 - Farm Name – edge.av.443 - Server Address – 11.1.10.3 - Client NAT – Enabled

7. Create a server named “av.server.2” and attach it to the farm “edge.av.443” in

parameters:

- Server Name – av.server.2 - Farm Name – edge.av.443 - Server Address – 11.1.10.4 - Client NAT – Enabled

8. Create a server named “cwa.server” and attach it to the farm “cwa.service.443” in

parameters:

- Server Name – cwa.server - Farm Name – cwa.service.443 - Server Address – 192.168.1.170 - Client NAT – Enabled

Layer 4 Configuration

1. Create a Layer 4 policy named “cwa.443.service” in AppDirector -> Layer 4

- L4 Policy Name – cwa.443.service - Virtual IP – 11.1.21.170

- Farm Name – cwa.service.443 - Leave all other fields as default

2. Create a Layer 4 policy named “edge.sip.443.service” in AppDirector -> Layer 4

- L4 Policy Name – edge.sip.443.service - Virtual IP – 11.1.21.200

(30)

- Farm Name – edge.sip.443 - Leave all other fields as default

3. Create a Layer 4 policy named “edge.av.443.service” in AppDirector -> Layer 4

- L4 Policy Name – edge.av.443.service - Virtual IP – 11.1.21.201

- Farm Name – edge.av.443 - Leave all other fields as default

4. Create a Layer 4 policy named “edge.stun.3478.service” in AppDirector -> Layer

4 Traffic Redirection -> Layer 4 Policies with these parameters:

- L4 Policy Name – edge.stun.3478.service - Virtual IP – 192.168.1.201

- L4 Protocol – UDP - L4 Port – 3478 - Application - any

- Farm Name – edge.av.443 - Leave all other fields as default

5. Create a Layer 4 policy named “edge.meeting.443.service” in AppDirector ->

- L4 Policy Name – edge.meeting.443.service - Virtual IP – 192.168.1.202

- Farm Name – edge.meeting.443 - Leave all other fields as default

6. Create a Layer 4 policy named “content.443.service” in AppDirector -> Layer 4

- L4 Policy Name – content.443.service - Virtual IP – 192.168.1.203

(31)

AppDirector Health Monitoring

1. Enable Health Monitoring in Health Monitoring -> Global Parameters.

2. Create a check server 192.168.1.170 in Health Monitoring -> Check Table with these parameters:

- Check name – cwa.server - Method – TCP.Port

- Dest IP – 192.168.1.170 - Dest Port – 443

3. Create a check for server 11.1.10.3 in Health Monitoring -> Check Table with these parameters:

- Check name – edge.av.443.server.1 - Method – TCP.Port

- Dest IP – 11.1.10.3 - Dest Port – 443

- Check name – edge.av.443.server.2 - Method – TCP.Port

- Dest IP – 11.1.10.4 - Dest Port – 443

- Check name – edge.meeting.server.1 - Method – TCP.Port

- Dest IP – 11.1.10.5 - Dest Port – 443

- Check name – edge.meeting.server.2 - Method – TCP.Port

- Dest IP – 11.1.10.6 - Dest Port – 443

- Check name – edge.sip.443.server.1 - Method – TCP.Port

- Dest IP – 11.1.10.1 - Dest Port – 443

- Check name – edge.sip.443.server.2 - Method – TCP.Port

- Dest IP – 11.1.10.2 - Dest Port – 443

(32)

- Check name – lm.proxy - Method – TCP.Port - Dest IP – 192.168.1.200 - Dest Port – 4443

10. Bind the check cwa.server to Server ‘cwa.service.443 – 192.168.1.170’ in Health

Monitoring -> Binding Table.

11. Bind the check edge.sip.443.server.1 to Server ‘edge.sip.443 – 11.1.10.1 in

Health Monitoring -> Binding Table.

12. Bind the check edge.sip.443.server.2 to Server ‘edge.sip.443 – 11.1.10.2 in

Health Monitoring -> Binding Table.

13. Bind the check edge.av.443.server.1 to Server ‘edge.av.443 – 11.1.10.3 in Health

14. Bind the check edge.av.443.server.2 to Server ‘edge.av.443 – 11.1.10.4 in Health

15. Bind the check edge.meeting.443.server.1 to Server ‘edge.meeting.443 – 11.1.10.5 in Health Monitoring -> Binding Table.

16. Bind the check edge.meeting.443.server.2 to Server ‘edge.meeting.443 – 11.1.10.6 in Health Monitoring -> Binding Table.

17. Bind the check lm.proxy to Server ‘edge.lm.443 – 192.168.1.200 in Health

(33)

VRRP Configuration

1. Enable VRRP in AppDirector -> Redundancy -> Global Configuration with these parameters:

- IP Redundancy Admin Status – VRRP - Interface Grouping – Enable

- ARP with interface grouping – Send - Backup Fake ARP – Enable

- Backup Interface Grouping – Enable - Leave all other fields as default

- IF Index – 1 - VR ID – 111

- IF Index – 2 - VR ID – 112

4. Create Associated IP Addresses in AppDirector -> Redundancy -> VRRP ->

Associated IP Addresses with these parameters:

- IF Index – 1, VR ID – 111, Associated IP 11.1.21.170 - IF Index – 1, VR ID – 111, Associated IP 11.1.21.200 - IF Index – 1, VR ID – 111, Associated IP 11.1.21.201 - IF Index – 1, VR ID – 111, Associated IP 11.1.21.202 - IF Index – 1, VR ID – 111, Associated IP 11.1.21.203 - IF Index – 2, VR ID – 112, Associated IP 11.1.10.10 - IF Index – 2, VR ID – 112, Associated IP 11.1.10.170

Mirroring Configuration

5. Enable Mirroring in AppDirector -> Redundancy -> Mirroring -> Active

- Client Table Mirroring – Enable - Session Id Table Mirroring – Enable - Leave all other fields as default

6. Add Mirror device in AppDirector -> Redundancy -> Mirroring -> Mirror

(34)

AppDirector DMZ Backup

The following are the settings for the Backup AppDirector:

Network Configuration

1. Create IP 11.1.21.11/24 on port 1 - Peer Address 11.1.21.10 2. Create IP 11.1.10.11/24 on port 2 - Peer Address 11.1.10.10 3. Create default route to 11.1.21.254

4. Static route for network 192.168.1.0/24 to 11.1.10.254

Auto Generating the Backup Configuration from the Primary AppDirector

4.

From the web interface menu of the Primary AppDirector, select File -> Configuration

-> Receive from Device and choose Backup (Active-Backup) save the file on your

computer and call it AppDirector.backup.txt.

5.

Open the browser on the AppDirector backup device and upload the saved configuration (AppDirector.backup.txt) in File -> Configuration -> Send to Device

(35)

Technical Support

Radware offers technical support for all of its products through the Radware Certainty Support Program. Please refer to your Certainty Support contract, or the Radware Certainty Support Guide available at:

http://www.radware.com/content/support/supportprogram/default.asp.

For more information, please contact your Radware Sales representative or: U.S. and Americas: (866) 234-5763

TESTING & INTEGRATION GROUP SOLUTION GUIDE

T

ESTING

&

I

NTEGRATION

G

ROUP

S

OLUTION

G

UIDE

Radware AppDirector optimizing the delivery of Microsoft Lync

2010

TECHNICAL SOLUTION GUIDE

Contents

INTRODUCTION ... 3

MICROSOFT LYNC 2010 OVERVIEW ... 4

RADWARE APPDIRECTOR ... 9

PERFORMANCE ACCELERATION SERVICES ... 10

RADWARE APPDIRECTOR AND MICROSOFT LYNC ARCHITECTURE ... 11

IMPORTANT IMPLEMENTATION NOTES ... 12

CONFIGURATION ... 13

APPDIRECTOR INTERNAL ACTIVE CONFIGURATION ... 13

CONFIGURATION SETTINGS ... 13

APPDIRECTOR INTERNAL ACTIVE ... 13

Network Configuration ... 13

Farm Configuration ... 13

Client NAT Configuration ... 14

Extended Farm Configuration ... 14

Servers Configuration ... 15

Layer 7 Configuration ... 16

Compression Configuration ... 17

SSL Policy Configuration ... 17

Layer 4 Configuration ... 18

AppDirector Health Monitoring ... 23

VRRP Configuration ... 25

Mirroring Configuration ... 25

APPDIRECTOR INTERNAL BACKUP ... 26

Network Configuration ... 26

CONFIGURATION SETTINGS ... 26

APPDIRECTOR DMZ ACTIVE ... 26

Network Configuration ... 26

Farm Configuration ... 26

Client NAT Configuration ... 27

Extended Farm Configuration ... 27

Servers Configuration ... 28

Layer 4 Configuration ... 29

AppDirector Health Monitoring ... 31

VRRP Configuration ... 33

Mirroring Configuration ... 33

APPDIRECTOR DMZ BACKUP ... 34

Introduction

Microsoft Lync 2010 Overview

Microsoft® Lync™ ushers in a new connected user experience transforming every

communication into an interaction that is more collaborative, engaging, and

accessible from anywhere. For IT, the benefits are equally powerful, with a highly

secure and reliable system that works with existing tools and systems for easier

management, lower cost of ownership, smoother deployment and migration, and

greater choice and flexibility.

Connected End User Experience

Users seek communications tools that make their work easier and are available

anywhere, anytime—including within the context of other applications. Microsoft

Lync 2010 provides a single interface that unites voice communications, IM, and

audio, video, and Web conferencing into a richer, more contextual offering.

Find and communicate with the right person Rich presence including pictures, skill

search, location information, and more gives users the context they need to make

smart communication choices including built-in instant messaging capability. Users

can add and connect with users on Public IM services such as Windows Live, AOL,

and Yahoo! and communicate with them using their single work identity.

Create a more fun work environment by building social connections The rich

experience of Lync 2010 helps workers make connections across time and distance

with picture-enhanced presence, automatic frequent contacts lists, and activity

feeds for keeping up with co-workers.

Make every interaction a near face to face meeting Transform any conversation to

include high-resolution video-, application-, and desktop-sharing and be fully

present in meetings without making the physical trip.

Communicate with context from Microsoft Office applications The visually

compelling experience of Lync 2010 is consistent throughout Microsoft Office and

other business applications, including color-coded presence icons, pictures,