We have now come to the final part in the Lync Server 2013 High Availability series, which is hardware load balancing the external NIC on the Access Edge servers.
We have defined the Edge server setup in part 11 – so this part will only focus on the HLB setup.
As in my previous posts, I will use Kemp load balancers for the external network, which is placed in a separate DMZ zone where I am not using NAT for the Edge servers.
This means that I have public IP addresses on my Edge servers and will have them on my HLBs as well.
The network looks like this:
The HLBs that I am using are set up in an Active/Passive configuration – see part 14 on how to deploy the HLBs. Microsoft's best practice is to deploy separate HLBs for each network, which means that you will have 6 HLBs in a fully HA environment.
The HLBs will have two NICs – one placed in the DMZ public zone and one on the internal network. The NIC on the internal network is only used for management.
You could skip this extra NIC and go for a setup where the management is done on the NICs in the DMZ public zone.
When you configure the external HLBs you must enable SNAT (that parameter is disabled on the internal HLB and the Edge internal HLB).
If you look at the deployment guide from Kemp, it is not quite clear how you place the HLBs and configure the network. The drawings in the guide show that on the Edge servers you should use the HLB's virtual IP as the gateway, so that all traffic will go through the HLB.
I have not been able to get that to work in real life, because I place the HLBs on the same subnet as the Edge servers. For this to work, I believe a separate IP segment must be placed between the firewall and the Edge servers, so that all traffic is forced to route through the HLBs. But as I said, I have not got this to work – so my Edge servers have the "normal" default gateway on the DMZ public network (which is my firewall). And that setup works fine.
I even created a support case with Kemp on this – and it also turns out that if you are using Transparency together with SNAT on the virtual services, media traffic to Office 365 will fail (in my setup I use Office 365 for voicemail).
On the HLBs we need to load balance the three services: SIP, web conferencing and audio/video.
The rules that you should load balance are the following (see part 17 for how to configure a generic service):
The last two rules are a little special because they are used for the media traffic. Lync uses 443/tcp and 3478/udp when it communicates with federated Lync 2010/2013 partners, but if you want to federate with Skype and/or OCS 2007 partners you will also need 50000-59999 TCP and UDP for the media traffic. But if you try to add this range on the Kemp (like adding extra ports on a rule), it will fail with an error saying that you can only add 1024 ports per rule. So the trick is to use *, which means that it will listen on all ports and forward them to the Edge servers. (I got the trick from a Kemp technician.)
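To see why the explicit 50000-59999 range fails and the wildcard rule does not, here is a small planning check that expands each rule's port specification and applies the 1024-ports-per-rule limit before you touch the appliance. This is an added example written for this post, not Kemp's tooling or the configuration from the post itself. The port numbers for web conferencing and A/V follow the post; 5061/tcp for the Access Edge (SIP) rule is an assumption taken from the standard Lync Edge port requirements, and the VIP addresses are constructed placeholders.

```python
"""Sanity-check a planned set of HLB virtual services for a Lync Edge external interface.

Added example, not Kemp's or the post author's configuration. Port numbers follow the
post (443/tcp, 3478/udp, and 50000-59999 tcp+udp for Skype/OCS 2007 federation media);
5061/tcp for the Access Edge (SIP) service is an assumption taken from the standard
Lync Edge requirements. The 1024-ports-per-rule limit is the one the post reports
hitting on the Kemp appliance. VIP addresses are constructed documentation addresses.
"""
from dataclasses import dataclass

MAX_PORTS_PER_RULE = 1024  # appliance limit reported in the post


@dataclass(frozen=True)
class VirtualService:
    name: str
    vip: str        # public VIP on the DMZ public subnet
    protocol: str   # "tcp" or "udp"
    ports: str      # "443", "50000-59999", "443,5061" or "*" (all ports)


def expand_ports(spec):
    """Return the set of ports a spec covers, or None when spec is the wildcard '*'."""
    spec = spec.strip()
    if spec == "*":
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


def check_service(svc):
    """Return the problems that would stop this rule being created on the appliance."""
    problems = []
    if svc.protocol not in ("tcp", "udp"):
        problems.append(f"{svc.name}: protocol must be tcp or udp")
    ports = expand_ports(svc.ports)
    if ports is not None and len(ports) > MAX_PORTS_PER_RULE:
        problems.append(
            f"{svc.name}: {len(ports)} ports exceeds the {MAX_PORTS_PER_RULE}-port "
            "limit per rule; use '*' and let the Edge servers filter the range")
    return problems


def validate_plan(plan):
    """Map each service name to its problems; an all-empty result means deployable."""
    return {svc.name: check_service(svc) for svc in plan}


def covers(plan, vip, protocol, port):
    """True if some rule on this VIP/protocol forwards the given port to the Edge pool."""
    for svc in plan:
        if svc.vip != vip or svc.protocol != protocol:
            continue
        ports = expand_ports(svc.ports)
        if ports is None or port in ports:
            return True
    return False


# Constructed plan: three public VIPs, one per Edge service (addresses are placeholders).
SIP_VIP, WEBCONF_VIP, AV_VIP = "203.0.113.10", "203.0.113.11", "203.0.113.12"

# First attempt: spell out the federation media range. This is the rule the post says fails.
NAIVE_PLAN = [
    VirtualService("access-edge-sip", SIP_VIP, "tcp", "5061"),   # 5061/tcp is an assumption
    VirtualService("web-conf", WEBCONF_VIP, "tcp", "443"),
    VirtualService("av-edge-tcp", AV_VIP, "tcp", "443,50000-59999"),
    VirtualService("av-edge-udp", AV_VIP, "udp", "3478,50000-59999"),
]

# The workaround from the post: a wildcard rule on the A/V VIP for each protocol.
WILDCARD_PLAN = [
    VirtualService("access-edge-sip", SIP_VIP, "tcp", "5061"),
    VirtualService("web-conf", WEBCONF_VIP, "tcp", "443"),
    VirtualService("av-edge-tcp", AV_VIP, "tcp", "*"),
    VirtualService("av-edge-udp", AV_VIP, "udp", "*"),
]

if __name__ == "__main__":
    for label, plan in (("naive", NAIVE_PLAN), ("wildcard", WILDCARD_PLAN)):
        for name, problems in validate_plan(plan).items():
            print(label, name, "OK" if not problems else problems)
```

Running it shows the two A/V rules of the naive plan rejected (10001 ports each) while the wildcard plan passes and still covers 443/tcp and 3478/udp on the A/V VIP. Note what the wildcard costs you: the HLB no longer filters anything on that VIP, so every port reaching it is forwarded to the Edge servers, and the perimeter firewall in front of the DMZ together with the Edge servers' own host firewall become the only things restricting what arrives at the A/V Edge service.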
When the virtual services have been configured you are done, and you now have Edge servers that are load balanced by an HLB and therefore form a truly HA solution.
This was the last post in this Lync 2013 High Availability series – which I hope you have enjoyed, and from which you have learned how to build an HA environment.