We have now come to the final part of the Lync Server 2013 High Availability series: hardware load balancing the external NIC on the Access Edge servers.


We defined the Edge server setup in part 11, so this part focuses only on the HLB setup.

As in my previous posts, I will use Kemp load balancers for the external network, which is placed in a dedicated DMZ zone where I am not using NAT for the Edge servers.

This means that my Edge servers have public IP addresses, and so will my HLBs.

The network looks like this:


The HLBs that I am using are set up in an active/passive configuration; see part 14 for how to deploy the HLBs. Microsoft's best practice is to deploy separate HLBs for each network, which means that you will have 6 HLBs in a fully HA environment.


The HLBs have two NICs: one placed in the public DMZ zone and one on the internal network. The NIC on the internal network is used only for management.

You could skip this extra NIC and go for a setup where management is done over the NICs in the public DMZ zone.


When you configure the external HLBs you must enable SNAT (that parameter is disabled on the internal HLB and on the Edge internal HLB).

If you look at the deployment guide from Kemp, it is not quite clear how you should place the HLBs and configure the network. The drawings in the guide show that, on the Edge servers, you should use the HLB's virtual IP as the default gateway, so that all traffic goes through the HLB.

I have not been able to get that to work in real life, because I place the HLBs on the same subnet as the Edge servers. For it to work, I believe a separate IP segment must be placed between the firewall and the Edge servers, so that all traffic is forced to route through the HLBs. But as I said, I have not got this to work, so my Edge servers use the "normal" default gateway on the public DMZ network (which is my firewall), and that setup works fine.

I even opened a support case with Kemp on this, and it also turns out that if you enable Transparency together with SNAT on the virtual services, media traffic to Office 365 will fail (in my setup I use Office 365 for voicemail).


On the HLBs we need to load balance the three services: SIP, web conferencing and audio/video.

The rules that you should load balance are shown below (see part 17 for how to configure a generic service):


The last two rules are a little special because they carry the media traffic. Lync uses 443/TCP and 3478/UDP when it communicates with federated Lync 2010/2013 partners, but if you want to federate with Skype and/or OCS 2007 partners you will also need 50000-59999 TCP and UDP for the media traffic. If you try to add this range on the Kemp (for example as extra ports on a rule), it fails with an error saying that you can only add 1024 ports per rule. The trick is to use *, which makes the rule listen on all ports and forward them to the Edge servers. (I got the trick from a Kemp technician.)
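The per-rule port limit and the * workaround above, as an added example that is not code from this post or from Kemp: a small Python checker that models one virtual service per service/protocol, reports when a rule would exceed the 1024-port limit the post describes and therefore has to fall back to *, and then computes what is actually reachable once the perimeter firewall and the HLB listener are combined. The port list is Microsoft's documented Edge external set (5061/TCP and 443/TCP for Access Edge, 443/TCP for Web Conferencing, and 443/TCP, 3478/UDP plus 50000-59999 TCP/UDP for A/V); the rule keys, the `firewall` dictionaries and the function names are assumptions made for the example.

```python
"""Added example: check Kemp virtual-service port rules for the Lync Edge
external NIC.  Not code from the original post or from Kemp.  The per-rule
limit is the one the post reports; the port list is Microsoft's documented
Edge external port set; rule keys and firewall tables are constructed here.
"""
from dataclasses import dataclass

KEMP_MAX_PORTS_PER_RULE = 1024          # limit the post hit when adding a range
ALL_PORTS = frozenset(range(1, 65536))  # what a '*' listener forwards


@dataclass(frozen=True)
class PortRange:
    first: int
    last: int

    @property
    def count(self) -> int:
        return self.last - self.first + 1

    def expand(self) -> frozenset:
        return frozenset(range(self.first, self.last + 1))


def port(p: int) -> PortRange:
    return PortRange(p, p)


# One virtual service per (service, protocol) on the external VIPs (assumed layout).
EDGE_EXTERNAL_RULES = {
    ("sip", "tcp"):     [port(5061), port(443)],
    ("webconf", "tcp"): [port(443)],
    ("av", "tcp"):      [port(443), PortRange(50000, 59999)],
    ("av", "udp"):      [port(3478), PortRange(50000, 59999)],
}


def port_count(ranges) -> int:
    return sum(r.count for r in ranges)


def kemp_port_spec(ranges, limit=KEMP_MAX_PORTS_PER_RULE) -> str:
    """Port specification for the rule: an explicit comma list when it fits
    under the per-rule limit, otherwise '*' (listen on every port), which is
    the workaround the post describes."""
    if port_count(ranges) > limit:
        return "*"
    ports = frozenset().union(*(r.expand() for r in ranges))
    return ",".join(str(p) for p in sorted(ports))


def listener_ports(spec: str) -> frozenset:
    """Ports a rule forwards, given the spec string that went into the HLB."""
    if spec == "*":
        return ALL_PORTS
    return frozenset(int(p) for p in spec.split(","))


def exposure(spec: str, firewall_allow: frozenset, required: frozenset):
    """Ports reachable from the Internet through firewall AND HLB, split into
    what Lync still lacks (calls fail) and what is exposed beyond Lync's needs."""
    reachable = listener_ports(spec) & firewall_allow
    return required - reachable, reachable - required


def audit(rules=EDGE_EXTERNAL_RULES, firewall=None):
    """Return {rule: (spec, missing, excess)} for every external rule.
    firewall maps rule -> set of ports the perimeter firewall allows to the
    VIP; None means the firewall allows exactly the required ports."""
    report = {}
    for key, ranges in rules.items():
        required = frozenset().union(*(r.expand() for r in ranges))
        allow = required if firewall is None else firewall.get(key, frozenset())
        spec = kemp_port_spec(ranges)
        missing, excess = exposure(spec, allow, required)
        report[key] = (spec, missing, excess)
    return report


if __name__ == "__main__":
    for key, (spec, missing, excess) in audit().items():
        print(f"{key}: spec={spec} missing={len(missing)} excess={len(excess)}")
    # A firewall that passes 'any' to the A/V VIP turns '*' into full-port exposure.
    loose = {("av", "tcp"): ALL_PORTS}
    av_tcp = {("av", "tcp"): EDGE_EXTERNAL_RULES[("av", "tcp")]}
    _, _, excess = audit(av_tcp, loose)[("av", "tcp")]
    print(f"av/tcp behind a permissive firewall exposes {len(excess)} extra ports")
```

The point of `exposure()` is that a * listener forwards every port to the Edge servers, so the effective attack surface of the A/V VIP is whatever the perimeter firewall in front of it permits; the audit makes that explicit by flagging both missing ports (media fails) and excess ports (more Edge surface than Lync needs).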

Once the virtual services have been configured you are done, and you now have Edge servers that are load balanced by an HLB and therefore form a truly HA solution.


This was the last post in the Lync 2013 High Availability series; I hope you have enjoyed it and learned how to build an HA environment.


Lync 2013 High Availability

Part 1: http://exchangepro.dk/2013/08/28/install-a-sql-2012-mirroring-cluster-for-use-with-lync-2013-part-1/

Part 2: http://exchangepro.dk/2013/08/29/install-a-sql-2012-witness-server-for-use-with-lync-2013-part-2/

Part 3: http://exchangepro.dk/2013/09/01/configure-a-sql-2012-mirroring-cluster-for-use-with-lync-2013-part-3/

Part 4: http://exchangepro.dk/2013/09/14/deploy-a-lync-2013-file-store-part-4/

Part 5: http://exchangepro.dk/2013/09/19/prepare-your-servers-for-lync-server-2013-ha-part-5/

Part 6: http://exchangepro.dk/2013/09/21/creating-the-lync-server-2013-ha-topology-part-6/

Part 7: http://exchangepro.dk/2013/09/30/install-the-first-frontend-server-part-7/

Part 8: http://exchangepro.dk/2013/10/06/update-the-frontend-server-part-8/

Part 9: http://exchangepro.dk/2013/10/13/install-the-office-web-servers-part-9/

Part 10: http://exchangepro.dk/2013/10/21/deploy-the-director-servers-in-lync-2013-ha/

Part 11: http://exchangepro.dk/2013/10/25/install-the-access-edge-ha-servers-part-11/

Part 12: http://exchangepro.dk/2013/11/05/deploy-reverse-proxy-using-kemp-hardware-load-balancer-part-12/

Part 13: http://exchangepro.dk/2013/11/14/adding-additional-frontend-servers-to-lync-ha-part-13/

Part 14: http://exchangepro.dk/2013/11/26/setup-load-balancers-for-the-internal-lync-servers-part-14/

Part 15: http://exchangepro.dk/2013/11/26/load-balance-the-office-web-apps-server-part-15/

Part 16: http://exchangepro.dk/2013/11/26/load-balance-the-lync-frontend-web-services-part-16/

Part 17: http://exchangepro.dk/2013/11/28/load-balance-the-lync-frontend-services-part-17/

Part 18: http://exchangepro.dk/2013/12/15/load-balance-the-lync-director-servers-part-18/

Part 19: http://exchangepro.dk/2013/12/15/load-balance-lync-access-edge-internal-nic-part-19/

7 Responses to Load Balance Lync Access Edge External Nic – Part 20

  • Hi Joachim,

    In the overview "Rules that you should load balance" you have a couple of real servers, the EXT Edge IP addresses.
    Did you configure one IP on the Edge external servers? I'm wondering because you use the same IP addresses in the real servers column of the overview. Shouldn't this be:
    for SIP: .2 and .5
    for WebConf: .3 and .6
    for AV: .4 and .7

    Am I missing something?

    Thanks in advance.


    Johan van der Stelt

    • Hi Johan

      You are absolutely right, the table is wrong. The Edge servers have three IP addresses each – thanks for noticing – I have updated the table with the right values :-)


  • I use NAT on my Edge servers and am using DNS LB. Is this a supported scenario? When both servers are online, external Lync calls fail. When only 1 Edge server is online, external Lync calls are fine. Below is the error message. Thank you.

    24; reason="Call failed to establish due to a media connectivity failure when both endpoints are remote";CalleeMediaDebug="application-sharing:ICEWarn=0x4000320,LocalSite=x.x.x.1:60076,LocalMR=x.x.x.1:57027,RemoteSite=x.x.x.2:60156,RemoteMR=x.x.x.2:56681,PortRange=60000:60199,LocalMRTCPPort=57027,RemoteMRTCPPort=56681,LocalLocation=1,RemoteLocation=1,FederationType=0,NetworkName=domain,Interfaces=0x22,BaseInterface=0x20,BaseAddress=";LyncAppSharingDebug="SharerChannel:0x0; Memory Usage: totalUsedVirtual=701, availableVirtual=1346;StartupTime: 2013-12-03T11:07:42.066Z;

    • Yes, it's supported to use DNS LB with two Edge servers and also use NAT.
      I suppose you have defined both Edge servers in an enterprise pool.
      Have you defined the SIP, webconf and AV DNS records for both servers in the public DNS?
      I haven't tried using NAT with two Edge servers, but you must make sure that each internal IP has its own public IP, so you will need to use 6 IP addresses. Also have a look at how you NAT these IP addresses, so that internal IP1 gets NATed to public IP1, internal IP2 gets NATed to public IP2 and so on. It is important that you don't have a global NAT in the firewall that makes internal IP1 – 6 appear as the same public IP when they communicate with the internet – does it make sense what I'm writing? This is especially important for the AV service, which you define in the Topology Builder.
      The bottom IP address in the Topology Builder for the NAT service is the public IP address which the AV service will use:
      So if the Internal IPv4 address for AV is:
      And the NAT enabled Public IP is (the public IP address for the AV service) – double-check that the AV service uses this public IP address when it communicates – this goes for both servers.
      You said that if you close one server it works – is that for both servers? (meaning if you close server A, then server B works, and the other way around)

      Also make sure that the firewall is configured correctly – see this post for the firewall rules.

      Hope this will help you – otherwise let me know.

      • The answer is Yes to all your questions. I am missing the 443/TCP (PSOM/TLS) FW rule. Will apply that and let you know the result. Thank you.

      • All FW rules are in place and the issue still persists. When both EDGE servers are online, the call fails only when the call comes in on EDGE AV1 and tries to leave on EDGE AV2 or vice versa. Here's another error message.

        23; source="mediationserver.company.com"; reason="Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote"; component="MediationServer"; Exception="Proxy side ICE connectivity check failed."; ICEWarningFlags="ICEWarn=0x2a0,LocalSite=:56758,LocalMR=,RemoteSite=192.168.x.x:49168,PortRange=49152:57500,LocalMRTCPPort=59676,LocalLocation=2,RemoteLocation=0,FederationType=0"

        • Hi Thomas

          This error usually occurs when the Edge AV address has a wrong NAT address, so that 443/tcp and 3478/udp can't be set up.
          The NAT must be a one-to-one NAT like:
          Internal <-> External
           <-> (SIP)
           <-> (Webconf)
           <-> 89.89..89.4 (AV)

          I’m almost sure that it’s either the NAT, Firewall Config (AV) or the wrong IP in the topology builder (the last line).
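The one-to-one NAT requirement discussed in this thread (each of the six Edge external IPs gets its own public IP, no shared "global" NAT, and the public A/V IP in Topology Builder matches the NAT table), as an added example that is not code from the post or its commenters: a Python consistency check over a firewall NAT table, plus a small parser for the `ICEWarn=...` debug string so the empty `LocalMR=` field in the second log line can be spotted programmatically. All addresses are constructed RFC 5737 documentation placeholders; the server names, role keys, the dictionary layout and the function names are assumptions made for the example.

```python
"""Added example (not from the original post or its comments): a consistency
check for the one-to-one NAT that two NATed Edge servers need, and a parser
for the ICE debug string quoted in the thread.  All IP addresses are
constructed RFC 5737 placeholders; names and table layout are assumed.
"""
import re
from collections import Counter

# Six external Edge IPs: three roles on each of two servers (constructed).
EDGE_EXTERNAL_IPS = {
    ("edge1", "sip"): "192.0.2.2", ("edge1", "webconf"): "192.0.2.3",
    ("edge1", "av"): "192.0.2.4",  ("edge2", "sip"): "192.0.2.5",
    ("edge2", "webconf"): "192.0.2.6", ("edge2", "av"): "192.0.2.7",
}

# Correct firewall NAT table: every internal IP has its own public IP.
GOOD_NAT = {
    "192.0.2.2": "203.0.113.2", "192.0.2.3": "203.0.113.3", "192.0.2.4": "203.0.113.4",
    "192.0.2.5": "203.0.113.5", "192.0.2.6": "203.0.113.6", "192.0.2.7": "203.0.113.7",
}
GOOD_TOPOLOGY_AV = {"edge1": "203.0.113.4", "edge2": "203.0.113.7"}

# Broken variant: both A/V IPs share one public IP (a "global" NAT) and
# edge2's Topology Builder entry does not match the NAT table.
BAD_NAT = {**GOOD_NAT, "192.0.2.7": "203.0.113.4"}
BAD_TOPOLOGY_AV = {"edge1": "203.0.113.4", "edge2": "203.0.113.9"}


def check_nat(edge_ips, nat_table, topology_av_public):
    """Return a sorted list of findings; an empty list means the NAT is a
    clean one-to-one mapping and Topology Builder agrees with it."""
    findings = []
    # Every external Edge IP must have a NAT entry at all.
    for (server, role), internal in edge_ips.items():
        if internal not in nat_table:
            findings.append(f"{server}/{role}: {internal} has no NAT entry")
    # One-to-one means no public IP may be shared by two internal IPs.
    for public, n in Counter(nat_table.values()).items():
        if n > 1:
            internals = sorted(i for i, p in nat_table.items() if p == public)
            findings.append(f"public {public} shared by {', '.join(internals)}")
    # The public A/V IP typed into Topology Builder must be the NATed one.
    for (server, role), internal in edge_ips.items():
        if role != "av" or internal not in nat_table:
            continue
        declared = topology_av_public.get(server)
        if declared != nat_table[internal]:
            findings.append(f"{server}: Topology Builder AV public IP {declared} "
                            f"!= NAT public IP {nat_table[internal]}")
    return sorted(findings)


ICE_FIELD = re.compile(r"([A-Za-z]+)=([^,]*)")


def parse_ice_debug(text):
    """Split a Lync 'ICEWarn=...' debug string into a dict of its fields."""
    return {k: v for k, v in ICE_FIELD.findall(text)}


def missing_relays(fields):
    """Names of media-relay fields that are present but empty, as in the
    second log line in the thread (LocalMR=, LocalSite=:port)."""
    return [k for k in ("LocalMR", "RemoteMR") if k in fields and fields[k] == ""]


# Constructed debug string in the shape of the one quoted in the thread.
SAMPLE_ICE = ("ICEWarn=0x2a0,LocalSite=:56758,LocalMR=,RemoteSite=192.168.0.10:49168,"
              "PortRange=49152:57500,LocalMRTCPPort=59676,LocalLocation=2,"
              "RemoteLocation=0,FederationType=0")

if __name__ == "__main__":
    print("good:", check_nat(EDGE_EXTERNAL_IPS, GOOD_NAT, GOOD_TOPOLOGY_AV))
    for f in check_nat(EDGE_EXTERNAL_IPS, BAD_NAT, BAD_TOPOLOGY_AV):
        print("bad:", f)
    print("empty relay fields:", missing_relays(parse_ice_debug(SAMPLE_ICE)))
```

Run against the broken table the check reports the shared public A/V address and the mismatched Topology Builder entry, which are the two misconfigurations the reply above names; feeding it the firewall's real NAT export before opening a ticket is a cheap way to rule them out.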
