A Unified Communication Blog

We have now come to the part where we are going to deploy the reverse proxy servers. Because we are deploying a high availability Lync environment, the reverse proxy servers should of course also be redundant.

In my redundant reverse proxy setup, I will use two virtual hardware load balancers from Kemp Technologies in an active/passive setup.

I will deploy two VLMs, which are going to be placed in the DMZ Internal zone.

I will later on use the same VLM’s as HLB’s for the Internal Nic on the Access Edge Servers.

One nic is placed on the DMZ internal zone, and the other nic is placed on the internal corp network.

From the internet I will use NAT to the virtual ip addresses on the VLM cluster.

The VLM will have this configuration:


  • 1 GB RAM
  • 32 GB Disk Space




The virtual services on the VLM cluster will be using these ip addresses:

DMZINT DMZ HA VIP: (used for HA checks)

DMZINT LAN HA VIP: (used for HA checks and management)

DMZINT DMZ VIP1: (Used for Reverse Proxy to frontend server)

DMZINT DMZ VIP2: (Used for Reverse Proxy to director server)

DMZINT DMZ VIP3: (Used for Reverse Proxy to Office Web Apps Server)


You can download your own trial version here: http://kemptechnologies.com/da/server-load-balancing-appliances/virtual-loadbalancer/vlm-download, or buy it at your favorite Kemp distributor.

The download is a fully configured virtual machine, which will work for 30 days, until you get a permanent license.

When you have activated your account and downloaded the VLM, it is time to import the virtual machine in Hyper-V.

Extract the Zip file to a folder on your Hyper-V host

From Hyper-V Manager click on “Import Virtual Machine”

Click Next

Browse to the folder where you extracted the files and click Select Folder

Click Next

Click Next


Select “Copy the virtual….” and click Next

Select the folders where you want to place the VLM

Choose a location for the virtual disk

Click Finish

Right Click on the LoadMaster VLM and rename it to VLMINT01

Right click on the VLM you created and select Settings

Edit the nics, and place them on the LAN and on the DMZ Internal zone.

Start the virtual machine

After a minute the VLM has booted up and gets an IP address from DHCP.

Open a browser and navigate to the URL which is printed on the screen, and log in with the default username and password.

Use a couple of hours of your life and read the EULA and press Agree if you can agree on the terms – if you can’t, stop reading and watch all the Stargate SG1 reruns on Sci-fi Channel :)

Type KEMP ID and password (which you created at the download site) and click License Now

Login to the VLM with user and password from the startup screen

Click OK if you have a trial license

Type a new password and click Set Password

Click Continue

Login with the new password

Navigate to System Configuration and select eth0 – type the IP address for VLMINT01 and click Set Address (use the IP from the DMZ zone)

Click OK

You will now be redirected to the new IP address – log in again (make sure that HTTPS is allowed through the firewall to the VLM).

Navigate to System Configuration and Select eth1 – Type the IP address for the internal Lan nic and click Set Address

Navigate to Local DNS Configuration and select Hostname Configuration and type the name for the VLM and click Set Hostname

Select DNS Configuration and type your DNS servers and internal domain name

Navigate to Route Management, and set the Default gateway (which must be on the nic in the dmz zone)

Navigate to the Additional Routes and type any internal networks and the router for it – if you have some

Navigate to System Administration – Date/Time and set internal NTP servers and your timezone

Navigate to Miscellaneous Options and change the remote admin access to the internal nic.

Navigate to L7 Configuration and make the below configuration

Navigate to Network Options and remove SNAT


We are now done with the first VLM. The next thing is to install VLMINT02, with the exact same configuration (except the ip addresses of course).

When the second VLM is up and running, log in to VLMINT01, and navigate to Miscellaneous Options and HA Parameters

Enable HA (First Mode)

Set the VIP on eth0 and the VLMINT02 IP address.

Do the same for eth1 – also check the “use for HA checks”.

Reboot the VLM and make the same configuration on VLMINT02 – this time in HA (second) mode.

Log in to both of them, navigate to HA Parameters and set the HA version to “Legacy (hb)”.

Reboot both VLMs.

When they are up and running again, they should now be running in active/passive mode.

Now open Internet Explorer, point it to the virtual IP, and make sure you can connect to it.

Next create the three IP addresses in the internal DNS zone for the domain:


Next we will install certificates on the VLM cluster.

We will need to install a certificate from the internal CA, including the root certificates.

We also need to install public certificates.

First of all: I have created an internal certificate which contains the following names:

Common name: vlmint-v.exchangepro.local

SAN: vlmint01.exchangepro.local

SAN: vlmint02.exchangepro.local

I have exported the certificate with the private key, from the server that I generated it from.


Now login to the virtual IP and navigate to Certificates -> SSL certificates and click on Import Certificate

Browse to the PFX file, type the password and give the certificate a name.

Then click Save

Click on Add Intermediate

Browse to the Internal Root certificate and give it a name, and click Add Certificate (make sure the root certificate is in Base64 format, otherwise the import will fail)

Navigate back to SSL certificates and select the new certificate for the Administrative certificate and local machine.

Next, in Internet Explorer, open the FQDN of the virtual IP and make sure you don’t get any certificate warnings.

Now we will install the public certificates. I have requested certificates from Globalsign, which I normally use on my UC installations:

The certificate contains these names:

Common name: csweb.exchangepro.dk

SAN Name: meet.exchangepro.dk

SAN Name: cswebdir.exchangepro.dk

SAN Name: cswebapp.exchangepro.dk

SAN Name: dialin.exchangepro.dk

SAN Name: lyncdiscover.exchangepro.dk


Import the certificates like before, and remember to add both the root and intermediate certificate from Globalsign. Remember that the intermediate and root certificate must be in base64 format.
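The Windows certificate export wizard offers both a DER encoded binary and a Base-64 encoded X.509 (.CER) format, and only the second is what the import above expects. The following added example (not part of the original post) uses only Python's standard library to detect which encoding a root or intermediate file has and return it in Base64 form; the function name and sample bytes are assumptions, and it checks only the outer encoding, not the certificate contents.

```python
import base64
import binascii
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def to_base64_certs(data):
    """Return every certificate found in `data` as a Base64 (PEM) string.

    Accepts a Base64 file holding one or more certificates (for example
    intermediate and root in one file) or a single binary DER file.
    """
    text = data.decode("ascii", errors="ignore")
    bodies = PEM_RE.findall(text)
    if bodies:
        ders = []
        for body in bodies:
            try:
                # Strip line breaks (LF or CRLF) before strict decoding.
                ders.append(base64.b64decode("".join(body.split()), validate=True))
            except binascii.Error as exc:
                raise ValueError("corrupt Base64 body in certificate") from exc
    elif data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: binary DER
        ders = [data]
    else:
        raise ValueError("not a Base64 or DER certificate file")
    for der in ders:
        if der[:1] != b"\x30":
            raise ValueError("decoded data is not an ASN.1 structure")
    # DER_cert_to_PEM_cert re-wraps the bytes in BEGIN/END lines, 64 chars per line.
    return [ssl.DER_cert_to_PEM_cert(der) for der in ders]

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print("".join(to_base64_certs(fh.read())), end="")
```

Run it with the exported file as its argument and save the output as the file to upload under Add Intermediate.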

Now that we have installed the certificates, it is time to configure the virtual services (the reverse proxy services).

I will be using three virtual IPs, which point like this:

DMZINT DMZ VIP1: -> Pointing to the Frontend Pool Servers

DMZINT DMZ VIP2: -> Pointing to the Director Server Pool Servers

DMZINT DMZ VIP3: -> Pointing to the Office Web Apps Farm

All three IP addresses are NAT’ed in the firewall to three public IP addresses.

The firewall rule is like this

The traffic from the Load Balancer must be sent to the external web site on the frontend and director servers on port 4443.

For the Office Web Apps the traffic is still sent to port 443 on the farm servers.


So to create the virtual services, navigate to Virtual Services and select Add New.

Type the first IP address and the port that the VLM should listen on, and give the service a name.

Click Add this Virtual Service

Remove Layer 7 Transparency and set the below parameters








Navigate to ESP Options and Enable ESP

In the Allowed virtual hosts type:




And in allowed virtual directories type /* – remember to click the buttons

Navigate to Real Servers – and set it like below:

Click Add New

Add all three frontend servers and set the port to 8080. As you remember, the topology only has one frontend server, but I will add the IPs of all three of them now, so I don’t have to do it later.

The real servers that the VLM can’t reach at this point will be marked down, and the VLM will not send traffic to them.

Click Back when you have added them

And click back again

You have now created the first virtual service

Now click Add New and add the Director servers VIP














On the ESP options add dialin.exchangepro.dk and cswebdir.exchangepro.dk

On the real servers make the below configuration and click Add New

Add both Director Servers:

Now we will add the https ports which are a little bit different













On SSL Properties click the two check boxes and click on Add New

On the public certificate, select the IP address and click Add VS

The SSL Properties now looks like below:

Navigate to ESP Options and Enable ESP

In the Allowed virtual hosts type:




And in allowed virtual directories type /* – remember to click the buttons

Navigate to Real Servers – and set it like below:

Add the three frontend servers – and set the port to 4443 (the external web site)

Click Back twice, and make the same for the director servers

You should now have four Virtual services (don’t mind that in my setup the directors are down – yours should be up)

The last one we need is the Office Web Apps Server which will look like below:













So now your virtual services look like this (yours should be up except the two missing frontend servers)


We have configured the Reverse Proxy for our Lync setup.

Before you begin to test, you should create the public DNS records if you haven’t already done that.

Now you are ready to test with external clients, and make meeting invitations and see that participants can access the meetings.
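Before involving real clients, a scripted check from a machine on the internet can confirm that every published name completes a TLS handshake with a full chain and a matching name. This is an added example, not part of the original post: the host list is the set of names on the public certificate above, the function names are assumptions, and it assumes the same public certificate is bound to every VIP. Unlike a browser that may fetch a missing intermediate on its own, Python's ssl module fails the handshake when the VLM does not send the intermediate certificate.

```python
import socket
import ssl

# Names on the public certificate, as listed in this post.
PUBLISHED = (
    "csweb.exchangepro.dk", "meet.exchangepro.dk", "cswebdir.exchangepro.dk",
    "cswebapp.exchangepro.dk", "dialin.exchangepro.dk",
    "lyncdiscover.exchangepro.dk",
)

def covers(san, host):
    """Exact match, or a wildcard standing in for the left-most label only."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def uncovered(cert, hosts=PUBLISHED):
    """Hosts not covered by any DNS SAN in a getpeercert()-style dict."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [h for h in hosts if not any(covers(s, h) for s in sans)]

def probe(host, port=443, timeout=5.0):
    """TLS handshake with chain and hostname verification; returns the cert.

    Raises ssl.SSLCertVerificationError if the chain is incomplete (for
    example the intermediate was not added) or the name does not match.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(hosts=PUBLISHED):
    """Map each published name to 'ok' or the reason the check failed."""
    results = {}
    for host in hosts:
        try:
            # Assumption: one certificate carries all published names.
            missing = uncovered(probe(host), hosts)
            results[host] = "ok" if not missing else "SAN missing: " + ", ".join(missing)
        except OSError as exc:  # DNS, TCP and TLS errors all derive from OSError
            results[host] = "failed: %s" % exc
    return results

if __name__ == "__main__":
    for name, status in audit().items():
        print(name, status)
```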

I will in a later post, describe in more detail how to test all parts of the installation.

This is it for now – in the next posts we will continue by adding the two remaining frontend servers, and add more hardware load balancers.


Lync 2013 High Availability

Part 1: http://exchangepro.dk/2013/08/28/install-a-sql-2012-mirroring-cluster-for-use-with-lync-2013-part-1/

Part 2: http://exchangepro.dk/2013/08/29/install-a-sql-2012-witness-server-for-use-with-lync-2013-part-2/

Part 3: http://exchangepro.dk/2013/09/01/configure-a-sql-2012-mirroring-cluster-for-use-with-lync-2013-part-3/

Part 4: http://exchangepro.dk/2013/09/14/deploy-a-lync-2013-file-store-part-4/

Part 5: http://exchangepro.dk/2013/09/19/prepare-your-servers-for-lync-server-2013-ha-part-5/

Part 6: http://exchangepro.dk/2013/09/21/creating-the-lync-server-2013-ha-topology-part-6/

Part 7: http://exchangepro.dk/2013/09/30/install-the-first-frontend-server-part-7/

Part 8: http://exchangepro.dk/2013/10/06/update-the-frontend-server-part-8/

Part 9: http://exchangepro.dk/2013/10/13/install-the-office-web-servers-part-9/

Part 10: http://exchangepro.dk/2013/10/21/deploy-the-director-servers-in-lync-2013-ha/

Part 11: http://exchangepro.dk/2013/10/25/install-the-access-edge-ha-servers-part-11/

Part 13: http://exchangepro.dk/2013/11/14/adding-additional-frontend-servers-to-lync-ha-part-13/

Part 14: http://exchangepro.dk/2013/11/26/setup-load-balancers-for-the-internal-lync-servers-part-14/

Part 15: http://exchangepro.dk/2013/11/26/load-balance-the-office-web-apps-server-part-15/

Part 16: http://exchangepro.dk/2013/11/26/load-balance-the-lync-frontend-web-services-part-16/

Part 17: http://exchangepro.dk/2013/11/28/load-balance-the-lync-frontend-services-part-17/

Part 18: http://exchangepro.dk/2013/12/15/load-balance-the-lync-director-servers-part-18/

Part 19: http://exchangepro.dk/2013/12/15/load-balance-lync-access-edge-internal-nic-part-19/

Part 20: http://exchangepro.dk/2013/12/29/load-balance-lync-access-edge-external-nic-part-20/

6 Responses to Deploy Reverse Proxy using Kemp Hardware Load balancer – Part 12
