Deploying Brocade ServerIron ADX to Increase Availability, Scalability, and Security of Microsoft Lync Server 2010 Infrastructure




When installed in front of Microsoft Lync Server 2010 Enterprise Edition, Brocade ServerIron ADX Application Delivery Controllers increase application uptime, maximize server utilization, and shield the servers and applications from malicious attacks.

CONTENTS

- Unified Communications Application Delivery ... 3
- Deployment Architecture ... 5
- General Requirements ... 7
  - Affinity ... 8
  - Cookie-Based Persistence ... 8
  - Source IP Port Persistence ... 8
- Further Design Considerations for the Lync Server 2010 Solution ... 9
  - High Availability ... 9
  - Application Affinity Options ... 9
  - Security ... 9
- Brocade ServerIron ADX Configuration ... 10
- Appendix A: High Availability and Redundancy ... 15
  - Setting Up Active-Hot Standby Redundancy ... 15
  - Setting Up Active-Standby VIP Redundancy ... 16
  - Setting Up Active-Active Redundancy ... 16
- Appendix B: Running Configuration ... 17
- Appendix C: Microsoft Lync Server 2010 ... 21
- Appendix D: Brocade ServerIron ADX ... 22
  - Application Performance ... 22
  - Application Availability ... 22
  - Application and Server Farm Security ... 23
  - Application and Server Farm Scalability ... 23
  - Higher Return on Investment (ROI) ... 23

Deploying Brocade ServerIron ADX to Increase Availability, Scalability, and Security of Microsoft Lync Server 2010 Infrastructure (page 2 of 23)

UNIFIED COMMUNICATIONS APPLICATION DELIVERY

Microsoft Lync Server 2010 technologies use the power of software to deliver complete communications, including messaging, voice, and video, across the applications and devices that people use every day. Integrating the experiences associated with the telephone (phone calls, voice mail, and conferencing) into the work performed on a computer (documents, spreadsheets, instant messaging, e-mail, and calendars) has the power to fundamentally change the way the world works.

Microsoft Lync Server 2010 is the first Microsoft product to combine enterprise-ready Private Branch Exchange (PBX), Voice over IP (VoIP) telephony, Instant Messaging (IM), presence, and video conferencing in a fully integrated unified communications solution. Lync Server 2010 provides richer presence capabilities, enhanced support for group IM, and improved deployment and management compared with its predecessor, Microsoft Office Communications Server 2007. To existing features, such as federation and public IM connectivity, Lync Server 2010 adds real-time conferencing hosted on servers inside the firewall and a full-featured, software-powered VoIP solution, integrated with a powerful PBX infrastructure.

Microsoft Lync Server 2010 extends the architecture of Office Communications Server 2007 to include:

- Private Branch Exchange
- Pool configurations
- Front-end servers
- Conferencing components
- VoIP components
- Perimeter network configuration and components
- Conference protocols
- Conference call flow

For more details on Microsoft Lync Server 2010, see Appendix C. For a technical overview and deployment and implementation details, visit: http://www.microsoft.com/en-us/lync/default.aspx.

[Figure 1. Reference architecture: from the Internet, the perimeter network (external firewall, access edge server, web conferencing edge server, A/V conferencing edge server, HTTP reverse proxy, external DNS) leads through the internal firewall to the internal network (Director, hardware load balancer, Enterprise pool with Focus, Web Conferencing Server, IM Conferencing Server, Telephony Conferencing Server, A/V Conferencing Server and IIS servers, SQL back-end server, Active Directory, internal DNS). Protocols shown are SIP, HTTP/HTTPS, PSOM, and SRTP, with Microsoft Office Communicator and the Office Meeting Console as clients.]

Brocade ServerIron ADX deployed in front of Microsoft Lync Server 2010 servers increases application uptime, maximizes server farm utilization, and shields servers and applications from malicious attacks. The switches receive all client requests and distribute them efficiently to the most available server in the pool. ServerIron ADX switches consider server availability, load, response time, and other user-configured performance metrics when selecting a server for incoming client connections. By performing sophisticated and customizable health checks on all the Lync Server 2010 servers, ServerIron ADX quickly identifies resource outages in real time and redirects client connections to other available servers. Server capacity can be increased or decreased on demand without impacting applications and client connections. When demand grows, IT engineers can simply add new server resources on the fly without service interruption, and then configure ServerIron ADX to use the new servers for client connections.

Brocade ServerIron ADX is application aware and can inspect many types of application-level content to perform intelligent switching of client requests to the appropriate servers. Application switching eliminates the need to replicate content and application functions on all servers and optimizes overall resource utilization, application performance, and availability.

ServerIron ADX supports Layer 7 switching based on broad content types including URL, HTTP headers, HTTP cookies, SSL session IDs, and XML tags. For implementations in which session persistence across multiple TCP ports on the same server is a key requirement, the ADX supports the industry's most advanced and easily customizable load balancing interface. In addition, the performance delivered by ServerIron ADX ensures that applications provide optimal end-user response time and immense scalability even when enabled for Layer 4-7 switching. Using sticky sessions and track-group switching, a group of transactions from a given client is sent to the server that created the original session when the client first connected. A crucial benefit of using ServerIron ADX is its ability to ensure that the client stays with one real server, so that all real-time information is preserved as the client continues to communicate across several application ports.

Another benefit of Brocade ServerIron ADX is its ability to protect server farms and applications from malicious attack. ServerIron ADX switches are proven to defeat wire-speed gigabit-rate Denial of Service (DoS) attacks while maintaining peak application performance. They also provide high-performance content inspection and filtering for malicious content, including viruses and worms, which are distributed through application-level messages to cripple and take down applications.

Brocade ServerIron ADX solutions provide immediate Return on Investment (ROI) while improving the ROI of the Lync Server 2010 infrastructure. They support significantly higher application traffic and numbers of user connections on existing server resources by maximizing utilization. On-demand and unlimited virtual server farm scalability eliminates the need for forklift upgrades and dramatically improves the ROI on the server infrastructure. Downtime associated with security breaches and scheduled maintenance is eliminated, resulting in improved availability, which in turn saves customers tens of thousands to millions of dollars a year.

Application delivery has become a technology of choice to improve the scalability, availability, and security of IP applications. Brocade ServerIron ADX switches, with networking and application intelligence, provide the rich features and high performance required for building a massively scalable and highly secure application infrastructure.

DEPLOYMENT ARCHITECTURE

A Microsoft Lync Server 2010 pool consists of one or more front-end servers, which provide IM, presence, and conferencing services and are connected to a Microsoft SQL Server database for storing user and conference information. Depending on the pool configuration, the database might reside on the same server. In addition, certain conferencing components might be deployed on the same physical computer, depending on the chosen pool configuration.

Lync Server 2010 offers two pool configurations: one Standard Edition configuration and one consolidated Enterprise Edition configuration. The Enterprise Edition configuration consists of front-end servers, which are connected to a separate dedicated SQL Server back-end database.

NOTE: In an Enterprise pool, the back-end database must run on a dedicated server, separate from the other Enterprise Edition servers.

[Figure 2. Consolidated configuration: an Enterprise pool (consolidated configuration) behind a hardware IP load balancer, with Active Directory and the SQL Server back-end database; the pool components shown are Focus, IM conferencing server, Web conferencing server, Telephony conferencing server, A/V conferencing server, and IIS.]

[Figure 3. Expanded configuration: an Enterprise pool (expanded configuration) with front-end servers behind a hardware IP load balancer, the SQL Server back-end database and Active Directory, a Focus, IM conferencing server and Telephony conferencing server, and separately load-balanced Web conferencing servers, A/V conferencing servers, and Web components servers (servers running IIS).]

The access edge, HTTP reverse proxy, and A/V edge servers can also be load balanced in the perimeter network. In addition, Communicator Web Access and the Director can be deployed on multiple servers, which are load balanced. This scenario is shown in Figure 4.

[Figure 4. Load balancing on multiple servers: public IM networks (MSN, Yahoo, AOL) and federated networks reach the perimeter network through load-balanced access edge servers, web conferencing edge servers, A/V edge servers, and an HTTP reverse proxy; internally, load balancers front the Director(s), the front-end (registration/presence) server pool with active and passive back-end SQL Servers, Communicator Web Access (App server), and the IIS pool. Other components shown include the inbound and outbound routers, ABS, conferencing (A/V, data, IM), Exchange UM (voice mail), speech server, archiving, IM CDR, monitoring, mediation servers and media gateways to the PSTN, the PBX, fax, the CTI server (RCC gateway), MIIS, MMC and MOM; UC endpoints include Communicator, Communicator Mobile, Live Meeting, and Communicator Phone Edition. Legend: SIP, PSTN protocol, HTTP, media, archive, Enterprise Voice component.]

GENERAL REQUIREMENTS

An Enterprise pool with multiple front-end servers requires a hardware load balancer. If you are deploying a Standard Edition Server or a single Enterprise Edition Front End Server, a load balancer is not required. A hardware load balancer is also required for arrays of Lync Server 2010 edge servers or an array of Standard Edition Servers configured as a Director. These requirements are summarized in Table 1.

Table 1. Microsoft recommended hardware load balancer requirements for Lync Server 2010

| Deployment | Load Balancer Requirement |
|---|---|
| A single Standard Edition Server | Load balancer not required |
| Enterprise pool with multiple front-end servers | Hardware load balancer required |
| Array of Directors | Hardware load balancer required |
| Array of edge servers | Hardware load balancer required |

Table 2. Hardware load balancer ports required for Lync Server 2010

| Port | Required Virtual IP | Port Use |
|---|---|---|
| 5060 (TCP) | Load balancer VIPs used by front-end servers and Director | Client-to-server SIP communication over TCP |
| 5061 (TCP) | Load balancer VIPs used by front-end servers, Director, and internal and external interfaces used by edge servers | Client-to-server SIP communication over TLS and SIP communication between the front-end servers over MTLS |
| 5062 (TCP) | Load balancer VIP used by the internal-facing interface of the edge servers | Used for internal ports for SIP/MTLS authentication of IM communications flowing outbound through the internal firewall |
| 5065 (TCP) | Load balancer VIP used by the front-end servers | Used for incoming SIP listening requests for application sharing |
| 5069 (TCP) | Load balancer VIP used by front-end servers | Used by the QoE Agent on the front-end servers |
| 5071 (TCP) | Load balancer VIP used by front-end servers | Used for incoming SIP listening requests for Response Group Service |
| 5072 (TCP) | Load balancer VIP used by front-end servers | Used for incoming SIP listening requests for Conferencing Attendant |
| 5073 (TCP) | Load balancer VIP used by front-end servers | Used for incoming SIP listening requests for Conferencing Announcement Service |
| 5074 (TCP) | Load balancer VIP used by front-end servers | Used for incoming SIP listening requests for Outside Voice Control |
| 135 | Load balancer VIP used by front-end servers | To move users and perform other pool-level WMI operations over DCOM |
| 3478 (UDP) | Load balancer VIP used by the internal and external interfaces of the edge servers | Used for internal and external ports for STUN/UDP inbound and outbound media communications |
| 444 | Load balancer VIP used by front-end servers | Communication between the internal components that manage conferencing and the conferencing servers |
| 443 | Load balancer VIP used by the Web components server | HTTPS traffic to the pool URLs |

The configurations provided in this document are designed to load balance groups of servers, whether they are EE pools, access groups, or Directors. The configuration is a one-arm configuration in which the servers are not directly connected to ServerIron ADX (which requires source NAT to ensure that return traffic goes through ServerIron ADX).

Affinity

Affinity is the ability to associate a client with a specific Client Access Server (CAS) to ensure that all requests sent from that client go to the same edge or front-end server. The following affinity methods are supported on the Brocade ServerIron ADX and are required for Microsoft Lync Server 2010:

- Cookie-based persistence
- Source IP port persistence

Cookie-Based Persistence

This method is very reliable for tying a client session to a Lync Server 2010 edge server. The load balancer inserts a cookie into the client-server protocol that is associated with a Lync Server 2010 edge server. The session continues to forward traffic to the same Lync Server 2010 server until the session is over. The cookie-based persistence method is supported for Microsoft Lync Server 2010 edge server protocols that run on top of HTTP, but has these limitations:

- The load balancer needs to have the ability to read and interpret the HTTP stream. With SSL, the load balancer must decrypt traffic to examine its content.
- To use this method, the client must support receiving arbitrary cookies from the server and then including them in all future requests to that server.

Source IP Port Persistence

In this method, the load balancer looks at a client IP address and sends all traffic from a certain source/client IP to a given front-end server. However, the source IP method has two limitations:

- Whenever the IP address of the client changes, the affinity is lost. However, the user impact is acceptable as long as this occurs infrequently.
- Having a large number of clients from the same IP address leads to uneven distribution. Distribution of traffic among the front-end servers then depends on how many clients are arriving from a given IP address. Two things that can cause a lot of clients to arrive from the same IP address are:
  - Network Address Translators (NATs) or outgoing proxies (for example, Microsoft Forefront Threat Management Gateway, or TMG). In this case the original client IP addresses are masked by the NAT or outgoing proxy server IP addresses.
  - Front-end to front-end server traffic

FURTHER DESIGN CONSIDERATIONS FOR THE LYNC SERVER 2010 SOLUTION

High Availability

Appendix A describes redundancy and how to enable it on the ADX to ensure failover without session loss. Both ADX switches in an HA pair share a common MAC address known to the clients. Therefore, if a failover occurs, the clients still know the ADX by the same MAC address. The active sessions running on the clients continue, and the clients and routers do not need to re-ARP for the ADX MAC address.

Application Affinity Options

SSL Proxy. Secure Sockets Layer (SSL) Proxy is the most secure configuration option available, allowing for end-to-end SSL encryption. It is also more complex, as it requires keys and certificates on the Brocade ServerIron ADX as well as on each real server. SSL Proxy allows the Brocade ServerIron ADX to decrypt HTTPS traffic, run complex HTTP Content Switching rules (CSW rules), re-encrypt the traffic, and forward it to the appropriate server. The CSW feature makes sure that existing user sessions are forwarded to the same server to which the session was initially connected. Affinity is handled by the CSW rules, which look at the cookie and determine whether it is a new cookie from a new session or an existing cookie generated by the Brocade ServerIron ADX. The new cookie is stripped from the packet and replaced with a load balancer cookie that has a server ID (server-id) attached to it. The server ID ensures that all traffic from that session is now forwarded to the same server.

Source IP Port Persistence. Source IP Port Persistence provides a persistent hashing mechanism for virtual server ports, which evenly distributes hash assignments and enables a client to always be redirected to the same real server. This feature applies to non-HTTP traffic, for which cookies are not part of the protocol specification.
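The two affinity methods described above (the cookie-based persistence of the Affinity section and the CSW server-id cookie, and source IP hashing for non-HTTP ports) are illustrated by the following added example. It is not ServerIron ADX code and does not reproduce the ADX's hash function or cookie format; the pool names, the server-id values, the cookie name "ServerID" (taken from the CSW policy later in this guide) and the client addresses are all constructed for the example. It also shows the NAT limitation the guide mentions: many clients behind one source address all land on the same server.

```python
"""Added example: cookie-based persistence (server-id cookie) and
source-IP hash persistence, plus the NAT imbalance the guide warns about.
Not Brocade/ServerIron code; all names and values below are constructed."""
import hashlib
import itertools
from typing import Dict, List, Optional, Tuple

# Constructed pool: real server name -> server-id (4 digits, like the
# server-id values the guide assigns to its real servers).
POOL: Dict[str, int] = {"FE1": 1001, "FE2": 1002, "FE3": 1003}
ID_TO_NAME = {sid: name for name, sid in POOL.items()}
COOKIE_NAME = "ServerID"        # cookie name used by the guide's CSW policy

_round_robin = itertools.cycle(POOL)   # predictor for brand-new sessions


def parse_cookies(header: Optional[str]) -> Dict[str, str]:
    """Parse a Cookie request header ("a=1; b=2") into a dict."""
    cookies: Dict[str, str] = {}
    if not header:
        return cookies
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            cookies[key] = value
    return cookies


def cookie_persist(request_headers: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Cookie-based affinity in the spirit of the CSW policy: if the request
    carries a ServerID cookie whose first 4 characters are a known server-id
    (the policy's 'persist offset 0 length 4'), stay on that server and insert
    nothing; otherwise pick a server round-robin and return the Set-Cookie
    value the load balancer should insert into the response."""
    raw = parse_cookies(request_headers.get("Cookie")).get(COOKIE_NAME)
    if raw is not None and raw[:4].isdigit() and int(raw[:4]) in ID_TO_NAME:
        return ID_TO_NAME[int(raw[:4])], None       # existing session
    name = next(_round_robin)                         # new session
    return name, f"{COOKIE_NAME}={POOL[name]}; Path=/"


def source_ip_persist(client_ip: str, servers: Optional[List[str]] = None) -> str:
    """Source-IP persistence: hash the client address onto the sorted server
    list, so the same address always maps to the same real server."""
    names = sorted(servers or POOL)
    digest = hashlib.sha256(client_ip.encode()).digest()
    return names[int.from_bytes(digest[:4], "big") % len(names)]


def distribution(client_ips: List[str]) -> Dict[str, int]:
    """Count how many clients each server receives under source-IP
    persistence.  With many distinct addresses the spread is even; with many
    clients behind one NAT/proxy address they all collapse onto one server."""
    counts = {name: 0 for name in POOL}
    for ip in client_ips:
        counts[source_ip_persist(ip)] += 1
    return counts


if __name__ == "__main__":
    # Constructed inputs: 300 distinct addresses vs. 50 clients behind one NAT.
    print("distinct clients:", distribution([f"10.0.{i // 256}.{i % 256}" for i in range(300)]))
    print("behind one NAT:  ", distribution(["203.0.113.5"] * 50))
    server, set_cookie = cookie_persist({})
    print("new session ->", server, "insert:", set_cookie)
    print("follow-up   ->", cookie_persist({"Cookie": set_cookie.split(";")[0]}))
```

The `distribution` helper makes the second limitation concrete: the hash is stable per address, which is exactly what persistence needs, but it means the balancer cannot tell fifty clients behind a TMG proxy apart from one client, so they all share one front-end server.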
Security

The built-in DoS protection (when enabled with the ip tcp syn-proxy command) identifies and blocks DoS attacks, protecting the network from service failures and downtime. As a TCP SYN request comes in, a TCP SYN/ACK is returned with a special SEQ number. If a TCP ACK is not returned, or if it is incorrect, the session is never added to the session table, preventing wasted resources. If the proper TCP ACK is returned with the proper SEQ number, a connection is established and the entry is written to the session table. This method of SYN protection allows Brocade to provide the highest level of DoS protection in the industry, mitigating over 120 million SYN attacks per second in the case of a fully loaded ServerIron ADX 10000. This equates to thwarting a 100 GB line attack in real time without affecting legitimate traffic flows and user connections. Appendix D provides more details about Brocade ServerIron ADX.

[Figure 5. Brocade ADX DoS attack mitigation: a good client (C1) sends a TCP SYN (1), receives a TCP SYN/ACK with the special SEQ (2), returns a TCP ACK for the special SEQ (3), and the Brocade ServerIron ADX completes the TCP connection to the internal host (4). A bad client (C2) sends a TCP SYN (1), receives the SYN/ACK with the special SEQ (2), returns a bad TCP ACK (3), and no TCP connection is made. The internal hosts (Host A, Host B) are protected from the attack.]
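The SYN-proxy behaviour described above (answer every SYN with a computed special SEQ, keep no state, and add a session-table entry only when the matching ACK comes back) is the classic SYN-cookie idea. The following added example models it; it is not ADX code and the cookie layout (an HMAC over the connection 4-tuple and a coarse time tick, with the tick carried in the top byte of the sequence number) is a simplification chosen for the example. The secret, addresses and ports are constructed.

```python
"""Added example: stateless SYN-proxy handshake validation (SYN-cookie style).
Not Brocade/ServerIron code; the cookie layout and all values are constructed."""
import hashlib
import hmac
from typing import Dict, Tuple

Conn = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class SynProxy:
    def __init__(self, secret: bytes, window: int = 64):
        self.secret = secret
        self.window = window                 # seconds one cookie stays valid
        self.sessions: Dict[Conn, int] = {}  # session table: completed handshakes only

    def _cookie(self, conn: Conn, tick: int) -> int:
        """Special SEQ: low byte of the tick in bits 24..31, 24 bits of HMAC below.
        Keyed by a secret, so a client cannot forge an ACK for a SYN it never got."""
        msg = f"{conn[0]}:{conn[1]}->{conn[2]}:{conn[3]}|{tick}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((tick & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, conn: Conn, now: int) -> int:
        """Steps 1-2 of the figure: answer the SYN with a SYN/ACK carrying the
        special SEQ.  Nothing is stored, so a SYN flood costs no memory."""
        return self._cookie(conn, now // self.window)

    def on_ack(self, conn: Conn, ack: int, now: int) -> bool:
        """Step 3: the client's ACK must be special SEQ + 1.  Recover the tick
        from the acknowledged number, recompute the cookie for the current and
        previous window, and accept only on a constant-time match.  Only then
        is the connection written to the session table (step 4)."""
        seq = (ack - 1) & 0xFFFFFFFF
        tick_byte = seq >> 24
        current = now // self.window
        for tick in (current, current - 1):          # tolerate one window of skew
            if (tick & 0xFF) == tick_byte and hmac.compare_digest(
                self._cookie(conn, tick).to_bytes(4, "big"), seq.to_bytes(4, "big")
            ):
                self.sessions[conn] = ack
                return True
        return False                                 # bad or stale ACK: no entry

    def session_count(self) -> int:
        return len(self.sessions)


if __name__ == "__main__":
    proxy = SynProxy(b"constructed-secret")
    good = ("192.0.2.10", 40000, "10.10.58.15", 443)   # constructed client and VIP
    bad = ("198.51.100.7", 5555, "10.10.58.15", 443)
    seq = proxy.on_syn(good, now=1000)
    print("good client:", proxy.on_ack(good, seq + 1, now=1001))
    proxy.on_syn(bad, now=1000)
    print("bad client: ", proxy.on_ack(bad, 12345, now=1001))
    print("session table size:", proxy.session_count())
```

Two details matter for the defender: the proxy never allocates per-SYN state, so a flood of half-open connections cannot exhaust the session table, and the freshness check means a captured special SEQ cannot be replayed later to create sessions on a client's behalf.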

BROCADE SERVERIRON ADX CONFIGURATION

This configuration is a basic switch configuration for the ADX that will work with Enterprise Pools, Access Groups, and Director Pools by utilizing the standard ports used by these servers for Lync Server 2010 applications. The version of ServerIron ADX software tested is 12.2. Figure 6 provides a logical layout of the ServerIron ADX and Lync Server 2010 deployment. Any additional customization must be reviewed against the Microsoft Lync Server 2010 planning guide. Prior to configuring, determine and record the server names, IP addresses, and ports required.

[Figure 6. Logical Brocade ServerIron ADX layout for load balancing Lync Server 2010]

Brocade ServerIron ADX HA pair:
- Server virtual EDVIP: 10.5.57.90
- Server virtual DIRVIP: 10.10.57.13
- Server virtual FEVIP: 10.10.57.13

Lync Server 2010 edge servers:
- Server real ED1: 10.5.57.11
- Server real ED2: 10.5.57.12

Lync Server 2010 front-end servers:
- Server real FE1: 10.10.57.11
- Server real FE2: 10.10.57.12

Lync Server 2010 Directors:
- Server real DIR1: 10.10.57.8
- Server real DIR2: 10.10.57.9

Ports load balanced: server port 5060 tcp, 5061 tcp, 5063 tcp, 135 tcp, 80 tcp, 443 tcp, 444 tcp, 5069 tcp

To manage Brocade ServerIron ADX via the Command-Line Interface (CLI):

At the opening CLI prompt, enter enable:

    ServerIron> enable

Access the configuration level of the CLI by entering the following command:

    ServerIron# config term

To assign an IP address, enter the following command:

    ServerIron(config)# ip address 10.10.58.250 255.255.255.0

To assign a default gateway, enter the following command:

    ServerIron(config)# ip default-gateway 10.10.58.2

Other optional commands:

    ServerIron(config)# hostname ADX1
    ADX(config)# username admin password
    ADX(config)# no enable aaa console
    ADX(config)# telnet server

To exit from the configuration level of the CLI, enter the following command:

    ADX(config)# exit

To save the configuration to NVRAM, enter the following command:

    ADX# write memory

Initial configuration:

    ADX(config)# vlan 999
    ADX(config-vlan-1)# untag e16
    ADX(config-vlan-1)# no spanning-tree

Set up the default server ports used for SIP:

    ADX(config)# server port 5060
    ADX(config)# server port 5061
    ADX(config)# server port 5062
    ADX(config)# server port 5065
    ADX(config)# server port 5071
    ADX(config)# server port 5072
    ADX(config)# server port 5073
    ADX(config)# server port 5074
    ADX(config)# server
    ADX(config)# udp
    ADX(config)# server port 5069
    ADX(config)# server port 135
    ADX(config)# server port 80
    ADX(config)# server port 443
    ADX(config)# server port 444

Define the CSW policy:

    csw-rule "catchall" url exists
    csw-rule "cookie" header "cookie" search "SERVERID=" case-insensitive
    csw-rule "lync" url prefix "/LYNC" case-insensitive
    csw-policy "Cookie1_action" case-insensitive
     match "cookie" persist offset 0 length 4 group-or-server-id
     match "catchall" forward 1
     match "lync" forward 1
     match "lync" rewrite insert-cookie "ServerID"
     default forward 1
     default rewrite insert-cookie "ServerID"

Define the SSL profiles (ensure that certificates are loaded into the ServerIron ADX):

    ssl profile clientside_1
     keypair-file cert
     certificate-file LB1.cer
     cipher-suite all-cipher-suites
     verify-client-cert per-connection request
     session-cache off
    ssl profile ide_1
     cipher-suite all-cipher-suites
     ca-cert-file contoso.crt
     session-cache off

Define the real servers:

    server real ES1 10.10.58.13
     port 5062
    server real ES2 10.10.58.14
     port 5062
    server real FE1 10.10.58.16
     port http
     port http url "HEAD /"
     port http l4-check-only
     port 444
     port 135
     port 5069
     port 5065
     port 5071
     port 5072
     port 5073
     port 5074
    server real FE2 10.10.58.17
     port http
     port http url "HEAD /"
     port http l4-check-only
     port 444
     port 135
     port 5069
     port 5065
     port 5071
     port 5072
     port 5073
     port 5074
    server real DIR1 10.10.58.21

    server real DIR2 10.10.58.22
    server real ES_NIC2_EX1 10.10.57.247
     server-id 1206
     group-id 1 1
    server real ES_NIC2_EX2 10.10.57.248
     server-id 1205
     group-id 1 1
    server virtual Internal_ES 10.10.58.12
     predictor round-robin
     no sticky persist-hash
     ssl-proxy clientside_1 ide_1
     port 5062
     bind ssl ES1 ssl ES2 ssl
     bind sips ES1 sips ES2 sips
     bind 5062 ES1 5062 ES2 5062
     bind 3478 ES1 3478 ES2 3478

Virtual server setup:

    server virtual fevip 10.10.58.15
     predictor round-robin
     port http
     port http persist-hash
     port 444 no sticky persist-hash
     port 135
     port 5069
     port 5065
     port 5071
     port 5072
     port 5073
     port 5074
     bind http FE1 http FE2 http
     bind 444 FE1 444 FE2 444
     bind ssl FE1 ssl FE2 ssl
     bind 135 FE1 135 FE2 135
     bind sips FE1 sips FE2 sips
     bind sip FE1 sip FE2 sip
     bind 5069 FE1 5069 FE2 5069
     bind 5065 FE1 5065 FE2 5065
     bind 5071 FE1 5071 FE2 5071
     bind 5072 FE1 5072 FE2 5072
     bind 5073 FE1 5073 FE2 5073
     bind 5074 FE1 5074 FE2 5074
    server virtual dirvip 10.10.58.23
     predictor least-conn
     bind sips DIR2 sips DIR1 sips
     bind sip DIR1 sip DIR2 sip
    server virtual ES_External 10.10.57.245
     predictor round-robin
     no sticky persist-hash
     ssl-proxy clientside_1 ide_1
     csw-policy "Cookie1_action"
     csw
     bind ssl ES_NIC2_EX1 ssl ES_NIC2_EX2 ssl
     bind sips ES_NIC2_EX1 sips ES_NIC2_EX2 sips
     bind 3478 ES_NIC2_EX1 3478 ES_NIC2_EX2 3478

One-armed mode setup requirements

Source NAT (to ensure that traffic passes back through the ServerIron ADX and not directly from server to client):

    server source-nat
    server source-nat-ip 10.10.58.249 255.255.255.0 0.0.0.0 port-range 2

LAG and VLAN:

    vlan 102 by port
     untagged ethe 1 to 4
     no spanning-tree
    interface ethernet 1
     link-aggregate configure key 10000
     link-aggregate active
    interface ethernet 2
     link-aggregate configure key 10000
     link-aggregate active
    interface ethernet 3
     link-aggregate configure key 10000
     link-aggregate active
    interface ethernet 4
     link-aggregate configure key 10000
     link-aggregate active
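A configuration of this shape is easy to get subtly wrong when it is typed by hand (a real server name misspelled in a bind, or a numeric port bound on a VIP that was never declared with server port). The following added example is a small consistency checker for ServerIron ADX-style text; it is not Brocade code, it only understands the server port, server real, server virtual and bind lines shown in this guide, and the configuration it checks is constructed for the example, with a deliberate misspelling (DUR2) and an undeclared port so the check has something to report. Named ports such as http, sip and sips are assumed to be built-in and are not checked.

```python
"""Added example: sanity-check a ServerIron ADX-style running configuration.
Not Brocade code; SAMPLE_CONFIG is constructed and intentionally flawed."""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_CONFIG = """\
server port 5060
server port 5061
server port 444
server real DIR1 10.10.58.21
server real DIR2 10.10.58.22
server real FE1 10.10.58.16
 port http
 port 444
server real FE2 10.10.58.17
 port http
 port 444
server virtual fevip 10.10.58.15
 predictor round-robin
 port http
 port 444 no sticky persist-hash
 bind http FE1 http FE2 http
 bind 444 FE1 444 FE2 444
 bind 5062 FE1 5062 FE2 5062
server virtual dirvip 10.10.58.23
 predictor least-conn
 bind sips DIR2 sips DIR1 sips
 bind sip DIR1 sip DUR2 sip
"""

Bind = Tuple[str, str, str, str]   # (vip name, vip port, real name, real port)


def parse_config(text: str) -> Dict[str, object]:
    """Collect declared ports, real server names and every VIP bind pair."""
    reals: Set[str] = set()
    ports: Set[str] = set()
    binds: List[Bind] = []
    current_vip = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"server port (\S+)", line)
        if m:
            ports.add(m.group(1))
            continue
        m = re.match(r"server real (\S+) (\S+)", line)
        if m:
            reals.add(m.group(1))
            current_vip = None
            continue
        m = re.match(r"server virtual (\S+) (\S+)", line)
        if m:
            current_vip = m.group(1)
            continue
        if current_vip and line.startswith("bind "):
            toks = line.split()              # bind <vport> <real> <rport> [<real> <rport> ...]
            vport, pairs = toks[1], toks[2:]
            for real, rport in zip(pairs[0::2], pairs[1::2]):
                binds.append((current_vip, vport, real, rport))
    return {"reals": reals, "ports": ports, "binds": binds}


def check_binds(text: str) -> List[str]:
    """Report binds to undefined real servers and numeric ports that were
    never declared with 'server port'.  Returns a sorted, de-duplicated list
    of findings; an empty list means the checked relationships are consistent."""
    cfg = parse_config(text)
    findings: Set[str] = set()
    for vip, vport, real, rport in cfg["binds"]:
        if real not in cfg["reals"]:
            findings.add(f"{vip}: bind {vport} references undefined real server {real}")
        for port in (vport, rport):
            if port.isdigit() and port not in cfg["ports"]:
                findings.add(f"{vip}: port {port} is bound but not declared with 'server port {port}'")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_binds(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed configuration it reports the DUR2 typo on dirvip and the undeclared port 5062 on fevip; against a consistent configuration it returns an empty list, which makes it suitable as a pre-deployment gate in a change pipeline.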

APPENDIX A: HIGH AVAILABILITY AND REDUNDANCY

Running a single ServerIron ADX with no failover makes configuration and management a little easier, because there is no second appliance to configure and keep in step. However, if that one ServerIron fails, the entire Unified Communications environment is down: no VoIP, no IM, no presence, and no conferencing. Failover allows another Brocade ServerIron to keep providing access to the real servers when the first one fails. The methods for deploying redundant Brocade ServerIron switches are:

Active-Hot Standby. One active ServerIron, with a second ServerIron in standby (supported only with switch code).

Active-Standby VIP. Both ServerIron ADX switches can receive traffic, but only the active instance of a VIP handles Layer 4-7 traffic; the same VIP on the other switch is in standby (supported with router or switch code).

Active-Active. Both ServerIron ADX switches are active for the same VIP, and the ServerIron ADX that receives a request services it. If one ServerIron ADX fails, the remaining ServerIron ADX handles all requests (supported with router or switch code).

Setting Up Active-Hot Standby Redundancy

In a typical hot standby configuration, one Brocade ServerIron is the active device and performs all the Layer 2 switching as well as the Layer 4 SLB switching, while the other ServerIron monitors the switching activity and remains in a hot standby role. If the active ServerIron becomes unavailable, the standby ServerIron immediately assumes its responsibilities. The failover from the unavailable ServerIron to the standby ServerIron is transparent to users. Both ServerIron switches share a common MAC address known to the clients, so after a failover the clients still reach the ServerIron at the same MAC address. Active sessions on the clients continue, and neither the clients nor the routers need to re-ARP for the ServerIron MAC address.
NOTE: All real servers must be connected to the ServerIron switches either through a Layer 2 switch or by NIC teaming directly to the ServerIron switches (active NIC connected to the active ServerIron).

Configure the sync port on each ServerIron (port 16 here, matching the running configuration in Appendix B) with the following command. The MAC address is the shared primary MAC address and must be the same on both ServerIron switches:

ServerIron (config)# server backup ethernet 16 00e0.1234.1234 vlan-id 999

Configure VLAN 999, which carries the sync connection between the ServerIron switches, with the same port untagged. Spanning tree must be turned off on this VLAN:

ServerIron (config)# vlan 999
ServerIron (config-vlan-999)# untagged ethernet 16
ServerIron (config-vlan-999)# no spanning-tree

To set the number of minutes the primary ServerIron waits after an outage before taking the primary role back, enter the following command on the primary ServerIron only (5 minutes is the minimum value):

ServerIron (config)# server backup-preference 5

To save the configuration to NVRAM, enter:

ServerIron# write memory

Setting Up Active-Standby VIP Redundancy

This configuration uses an active and a standby instance of each VIP you create. Which instance is active is determined by the sym-priority value associated with the VIP on each switch: the instance with the highest sym-priority value is the active VIP and the others are standbys. The configuration does not require any changes to spanning tree and does not require a sync connection between the ServerIron switches, because it relies on the network topology. Note that there cannot be a router hop between the two ServerIron switches; they must have Layer 2 connectivity.

The minimum configuration for the active VIP is as follows. Configure the VIP to use sym-priority:

ServerIron1 (config)# server virtual vip1 1.1.1.1
ServerIron1 (config-vs-vip1)# sym-priority 10

The minimum configuration for the standby VIP is:

ServerIron2 (config)# server virtual vip1 1.1.1.1
ServerIron2 (config-vs-vip1)# sym-priority 5

Setting Up Active-Active Redundancy

Active-active SLB uses session information to ensure that the same ServerIron load balances all requests for a given VIP. The first ServerIron that receives a request for the VIP load balances the request, creates a session table entry for the VIP, and sends the session information to the other ServerIron. Both ServerIron switches use the session information so that the same ServerIron handles subsequent requests for the VIP.

In this example, ServerIron A and ServerIron B have each been configured to provide active-active Symmetrical Server Load Balancing (SSLB) for the HTTP port on VIP1 and VIP2. The first ServerIron to receive a request for port HTTP on one of these VIPs load balances the request, creates session entries for the VIP, and sends the session information to the other ServerIron. Both ServerIron switches then use the session information for the VIP to ensure that the same ServerIron load balances subsequent requests for the same application port and VIP.
Either ServerIron can use the session information to forward the server reply back to the client. For example, if ServerIron A load balances a client request and the server reply comes back through ServerIron B, ServerIron B can use the session information it received from ServerIron A through session synchronization to perform the required address translations and send the reply to the client. ServerIron B does not need to forward the reply to ServerIron A for translation and forwarding.

The minimum active-active configuration for a VIP is as follows. Configure the VIP to use sym-active:

ServerIron (config)# server virtual vip1 1.1.1.1
ServerIron (config-vs-vip1)# port http
ServerIron (config-vs-vip1)# sym-priority 10
ServerIron (config-vs-vip1)# sym-active
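The following Python model, added here and not part of the guide or of Brocade's software, ties the one-armed source NAT requirement from the configuration section to the active-active session synchronization just described: ADX-A load balances a client request, the real server answers the translated source address, and ADX-B reverse-translates the reply from the synchronized session entry. The VIP, real-server and source-NAT addresses are those of Appendix B (fevip 10.10.58.15, FE1/FE2, source-nat-ip 10.10.58.249); the peer's NAT address 10.10.58.248, the client address, the class names and the session-table layout are assumptions made for the model.

```python
"""Model of one-armed server load balancing with source NAT and active-active
session synchronization, as described in the guide.

Added example, not Brocade code. VIP, real servers and ADX-A's source-NAT
address come from Appendix B; ADX-B's NAT address, the client address, the
class names and the session-table layout are assumptions of the model.
"""
from dataclasses import dataclass
from itertools import cycle

VIP = "10.10.58.15"
REALS = ["10.10.58.16", "10.10.58.17"]       # FE1, FE2 from Appendix B


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Session:
    client: tuple          # (ip, port) the client used
    real: str              # real server chosen by the predictor
    nat_ip: str            # source address the real server sees
    nat_port: int          # source port the real server sees


class Adx:
    """One ServerIron ADX. When a peer is set, every new session is copied to
    it, which is what the guide calls session synchronization."""

    def __init__(self, name, nat_ip, first_port, source_nat=True):
        self.name = name
        self.nat_ip = nat_ip            # this unit's source-nat-ip
        self.source_nat = source_nat    # `server source-nat` present or not
        self._next_port = first_port    # stands in for the unit's port-range
        self._predictor = cycle(REALS)  # predictor round-robin
        self.sessions = {}
        self.peer = None

    def _install(self, sess):
        # Indexed by client tuple (forward direction) and NAT tuple (reply direction).
        self.sessions[("client",) + sess.client] = sess
        self.sessions[("nat", sess.nat_ip, sess.nat_port)] = sess

    def client_to_vip(self, pkt):
        """Forward a client packet addressed to the VIP to a real server."""
        if pkt.dst != VIP:
            raise ValueError("not addressed to the VIP")
        sess = self.sessions.get(("client", pkt.src, pkt.sport))
        if sess is None:
            if self.source_nat:
                nat_ip, nat_port = self.nat_ip, self._next_port
                self._next_port += 1
            else:
                nat_ip, nat_port = pkt.src, pkt.sport    # client address left as is
            sess = Session((pkt.src, pkt.sport), next(self._predictor), nat_ip, nat_port)
            self._install(sess)
            if self.peer is not None:
                self.peer._install(sess)                 # session synchronization
        return Packet(sess.nat_ip, sess.nat_port, sess.real, pkt.dport)

    def server_to_client(self, pkt):
        """Reverse-translate a real server's reply using the (possibly synced) session."""
        sess = self.sessions.get(("nat", pkt.dst, pkt.dport))
        if sess is None or sess.real != pkt.src:
            raise LookupError(f"{self.name}: no session for {pkt}")
        return Packet(VIP, pkt.sport, sess.client[0], sess.client[1])


def real_server_reply(request):
    """A real server answers whatever source address it saw on the request."""
    return Packet(request.dst, request.dport, request.src, request.sport)


def with_source_nat():
    """Request handled by ADX-A, reply arriving at ADX-B: B can still un-NAT it."""
    a = Adx("ADX-A", "10.10.58.249", 1024)           # source-nat-ip from Appendix B
    b = Adx("ADX-B", "10.10.58.248", 1024)           # assumed address for the peer
    a.peer, b.peer = b, a
    client = Packet("10.10.20.5", 40000, VIP, 443)   # constructed client request
    to_real = a.client_to_vip(client)
    reply = real_server_reply(to_real)
    return to_real, reply, b.server_to_client(reply)


def without_source_nat():
    """Same flow with `server source-nat` missing: the reply bypasses the ADX."""
    a = Adx("ADX-A", "10.10.58.249", 1024, source_nat=False)
    client = Packet("10.10.20.5", 40000, VIP, 443)
    reply = real_server_reply(a.client_to_vip(client))
    # The real server answers the client directly from its own address: the client
    # opened a connection to 10.10.58.15 and now sees a packet from 10.10.58.16.
    return reply


if __name__ == "__main__":
    print(*with_source_nat(), sep="\n")
    print(without_source_nat())
```

Run it directly to print the three packets of the working flow and the stray reply of the broken one. In a one-armed topology the ADX is not the real servers' default gateway, so without `server source-nat` the server's reply goes straight to the client with the real server's address as its source, and the client, which opened the connection to the VIP, rejects it; with source NAT every reply is addressed to an ADX-owned address, and the synchronized session lets whichever unit receives it complete the translation.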

APPENDIX B: RUNNING CONFIGURATION

Current configuration : 2572 bytes
ver 12.2.00
ssl profile clientside_1
 keypair-file cert
 certificate-file LB1.cer
 cipher-suite all-cipher-suites
 verify-client-cert per-connection request
 session-cache off
ssl profile ide_1
 cipher-suite all-cipher-suites
 ca-cert-file contoso.crt
 session-cache off
server backup ethe 16 001b.ed05.80a0 vlan-id 999
server backup-preference 5
server port 5060 tcp
server port 5061 tcp
server port 5065 tcp
server port 5071 tcp
server port 5072 tcp
server port 5073 tcp
server port 5074 tcp
server port 135 tcp
server port 444 tcp
server port 5069 tcp
server udp
server source-nat
server source-nat-ip 10.10.58.249 255.255.255.0 0.0.0.0 port-range 2
context default
csw-rule "catchall" url exists
csw-rule "cookie" header "cookie" search "SERVERID=" case-insensitive
csw-rule "lync" url prefix "/LYNC" case-insensitive
csw-policy "Cookie1_action" case-insensitive
 match "cookie" persist offset 0 length 4 group-or-server-id
 match "catchall" forward 1
 match "lync" forward 1
 match "lync" rewrite insert-cookie "ServerID"
 default forward 1
 default rewrite insert-cookie "ServerID"
server real ES1 10.10.58.13
 port 5062
server real ES2 10.10.58.14
 port 5062
server real FE1 10.10.58.16
 port http
 port http url "HEAD /"
 port http l4-check-only
 port 444
 port 135
 port 5069
 port 5065
 port 5071
 port 5072
 port 5073
 port 5074
server real FE2 10.10.58.17
 port http
 port http url "HEAD /"
 port http l4-check-only
 port 444
 port 135
 port 5069
 port 5065
 port 5071
 port 5072
 port 5073
 port 5074
server real DIR1 10.10.58.21
server real DIR2 10.10.58.22
server real ES_NIC2_EX1 10.10.57.247
 server-id 1206
 group-id 1 1
server real ES_NIC2_EX2 10.10.57.248
 server-id 1205
 group-id 1 1
server virtual Internal_ES 10.10.58.12
 predictor round-robin
 no sticky persist-hash
 ssl-proxy clientside_1 ide_1
 port 5062
 bind ssl ES1 ssl ES2 ssl
 bind sips ES1 sips ES2 sips
 bind 5062 ES1 5062 ES2 5062
 bind 3478 ES1 3478 ES2 3478
server virtual fevip 10.10.58.15
 predictor round-robin
 port http
 port http persist-hash
 port 444
 no sticky persist-hash
 port 135
 port 5069
 port 5065
 port 5071
 port 5072
 port 5073
 port 5074
 bind http FE1 http FE2 http
 bind 444 FE1 444 FE2 444
 bind ssl FE1 ssl FE2 ssl
 bind 135 FE1 135 FE2 135
 bind sips FE1 sips FE2 sips
 bind sip FE1 sip FE2 sip
 bind 5069 FE1 5069 FE2 5069
 bind 5065 FE1 5065 FE2 5065
 bind 5071 FE1 5071 FE2 5071
 bind 5072 FE1 5072 FE2 5072
 bind 5073 FE1 5073 FE2 5073
 bind 5074 FE1 5074 FE2 5074
server virtual dirvip 10.10.58.23
 predictor least-conn
 bind sips DIR2 sips DIR1 sips
 bind sip DIR1 sip DIR2 sip
server virtual ES_External 10.10.57.245
 predictor round-robin
 no sticky persist-hash
 ssl-proxy clientside_1 ide_1
 csw-policy "Cookie1_action"
 csw
 bind ssl ES_NIC2_EX1 ssl ES_NIC2_EX2 ssl
 bind sips ES_NIC2_EX1 sips ES_NIC2_EX2 sips
 bind 3478 ES_NIC2_EX1 3478 ES_NIC2_EX2 3478
vlan 1 name DEFAULT-VLAN by port
vlan 2 by port
vlan 999 by port
 untagged ethe 16
 no spanning-tree
vlan 102 by port
 untagged ethe 1 to 4
 no spanning-tree
aaa authentication web-server default local
boot sys fl sec
no enable aaa console
hostname ADX1
ip address 10.10.58.250 255.255.255.0
ip default-gateway 10.10.58.2
telnet server
username admin password 8 $1$F24..pm4$BCF.gmzFo3V3gj7dj9Ej60
no-asm-block-till-bootup
interface management 1
 ip address 192.168.1.2 255.255.255.0
interface ethernet 1
 link-aggregate configure key 10000
 link-aggregate active
interface ethernet 2
 link-aggregate configure key 10000
 link-aggregate active
interface ethernet 3
 link-aggregate configure key 10000
 link-aggregate active
interface ethernet 4
 link-aggregate configure key 10000
 link-aggregate active
end

NOTE: If there is a backup ServerIron ADX, its configuration is similar to the primary's. In this case two commands differ: 1) the command server backup-preference 5 is not entered on the secondary, and 2) the source NAT command on the secondary should read server source-nat-ip 32.254.0.231 255.255.255.0 32.254.0.230 port-range 1, so that each switch translates with its own source address and port range and the two never map different connections to the same source address and port.

NOTE: The running configuration contains the admin password hash and enables the Telnet server, which carries logins in cleartext; treat saved configurations as sensitive and restrict who can reach the management addresses. Both SSL profiles use cipher-suite all-cipher-suites, which enables every suite the ADX offers; for production, restrict the profiles to the suites the Lync clients and Edge servers actually need.
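To make the Cookie1_action policy above checkable, here is an added Python model (not Brocade code) of how the csw-rule and csw-policy lines in this running configuration act on a request: persist to the server whose server-id appears in a ServerID cookie, otherwise forward to group 1, and insert the cookie on the response only where a rewrite rule matches. Server names, server-ids and the group-id are taken from the configuration; the evaluation order (first matching forward rule, every matching rewrite rule), the handling of a cookie naming an unknown or unhealthy server, the round-robin within the group and the function names are assumptions of the model, so verify them against the ADX content-switching documentation before relying on them.

```python
"""Model of the "Cookie1_action" content-switching policy from Appendix B.

Added example, not Brocade code. Server names, server-ids and group-id are
those of the running configuration; evaluation order, unknown-id handling,
round-robin selection and function names are assumptions of the model.
"""
import re
from itertools import cycle

# server real ... server-id / group-id lines from Appendix B
SERVER_NAMES = {1206: "ES_NIC2_EX1", 1205: "ES_NIC2_EX2"}
GROUPS = {1: [1206, 1205]}                               # group-id 1 1 on both

COOKIE_NAME = "ServerID"                                 # rewrite insert-cookie "ServerID"
COOKIE_SEARCH = re.compile(r"SERVERID=", re.IGNORECASE)  # csw-rule "cookie" ... case-insensitive
PERSIST_OFFSET, PERSIST_LENGTH = 0, 4                    # persist offset 0 length 4
LYNC_PREFIX = "/LYNC"                                    # csw-rule "lync" url prefix "/LYNC"


class Cookie1Action:
    """Evaluates the policy for one request and returns (server_id, insert_cookie)."""

    def __init__(self, healthy=None):
        # Servers the health checks currently consider up (all, unless told otherwise).
        self.healthy = set(healthy if healthy is not None else SERVER_NAMES)
        self._rr = {gid: cycle(ids) for gid, ids in GROUPS.items()}  # round-robin per group

    def _forward(self, gid):
        """`forward <group>`: next healthy server in the group."""
        for _ in GROUPS[gid]:
            sid = next(self._rr[gid])
            if sid in self.healthy:
                return sid
        raise RuntimeError(f"no healthy server in group {gid}")

    def select(self, url, headers):
        headers = {k.lower(): v for k, v in headers.items()}
        cookie = headers.get("cookie", "")
        # match "cookie" persist offset 0 length 4 group-or-server-id:
        # the 4 characters after "SERVERID=" name the server-id to persist to.
        m = COOKIE_SEARCH.search(cookie)
        if m:
            start = m.end() + PERSIST_OFFSET
            value = cookie[start:start + PERSIST_LENGTH]
            # The id is client-supplied, so the model honours it only if it names a
            # configured server that is up; otherwise it falls through to forwarding.
            # (What the ADX does with an unknown id is not stated in the guide.)
            if value.isdigit() and int(value) in self.healthy:
                return int(value), False
        # Forward action: match "catchall" (url exists) forward 1, else default forward 1.
        sid = self._forward(1)
        # Rewrite actions: match "lync" rewrite insert-cookie, default rewrite insert-cookie.
        insert = url.upper().startswith(LYNC_PREFIX) or not url
        return sid, insert


def handle(policy, url, headers):
    """Return (real server name, Set-Cookie value or None) as the client observes it."""
    sid, insert = policy.select(url, headers)
    return SERVER_NAMES[sid], (f"{COOKIE_NAME}={sid}" if insert else None)


if __name__ == "__main__":
    p = Cookie1Action()
    print(handle(p, "/Lync/meet", {}))                               # first visit: cookie set
    print(handle(p, "/lync/x", {"Cookie": "serverid=1205; a=b"}))   # persisted, no new cookie
    print(handle(p, "/abc", {}))                                     # non-/LYNC: no cookie
    print(handle(p, "/LYNC/", {"Cookie": "ServerID=9999"}))          # unknown id: load balanced
```

Two things the model makes visible. The persisted server-id is taken verbatim from a client-supplied header, so it is checked against the configured, healthy servers before it is honoured, and a client presenting an arbitrary id is simply load balanced. And, as the policy is written, only URLs under /LYNC (and the default case) receive the ServerID cookie: a client whose first request is to another path is forwarded to group 1 without persistence until it fetches a /LYNC URL.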

APPENDIX C: MICROSOFT LYNC SERVER 2010

Brocade ServerIron ADX switches have been certified for server load balancing in the Microsoft Lync Server 2010 interoperability labs: http://office.microsoft.com/en-us/communicationsserver

Lync Server 2010 is the next version of Microsoft Office Communications Server 2007. It builds on the foundation of presence and instant messaging, federated communications, and remote call control delivered by Office Communications Server 2007. Key new features include improvements to instant messaging and presence, such as integration with Microsoft Exchange Server distribution lists, as well as software-powered VoIP and PBX functionality, allowing users to make, receive, and manage voice (phone) calls using Office Communicator 2007 running on their computer, and multi-party on-premises audio/video and Web conferencing. Lync Server 2010 also supports the ICE framework of protocols, allowing users to take advantage of these communications capabilities from wherever they are without needing to establish a VPN connection.

Microsoft designed Lync Server 2010 to interoperate with Office Communications Server 2007. The migration process involves deploying Lync Server 2010 infrastructure in parallel with an Office Communications Server 2007 deployment and then migrating users across to the new infrastructure. For migration details, read the Microsoft Lync Server 2010 product documentation in the Microsoft technical library at the link provided at the beginning of this appendix.

Load balancing has become the technology of choice for improving the scalability, availability, and security of IP applications. Brocade ServerIron ADX switches provide the networking and application intelligence, rich features, and high performance required for building massively scalable and highly secure application infrastructure. See the Microsoft Lync Server 2010 planning guide.
Figure 6. High-scalability, high-availability deployment supporting IM and conferencing for internal and external users. [Diagram: an Enterprise Pool in the expanded configuration (Front-end, Web conferencing, A/V conferencing, and Web Components servers running IIS) behind a load balancer; Access Edge and Web conferencing edge servers, an A/V Edge server, and an HTTP reverse proxy behind a second load balancer; Active Directory and a SQL database; internal users. A legend marks existing infrastructure.]

APPENDIX D: BROCADE SERVERIRON ADX

Brocade ADX switches receive all client requests and distribute them efficiently to the best server in the available pool. ADX switches consider server availability, load, response time, and other user-configured performance metrics when selecting a server for an incoming client connection. The ADX performs sophisticated and customizable health checks against the Lync 2010 servers, quickly identifying resource outages in real time and redirecting client connections to the remaining available servers.

ADX provides a highly scalable solution that allows server capacity to be increased or decreased on demand without impacting the applications and client connections. When demand grows, IT engineers can simply slide in new servers and configure the ADX switch to use them for client connections.

ADX switches are application aware and can inspect many types of application-level content to switch client requests intelligently to the appropriate servers. Application switching eliminates the need to replicate content and application functions on all servers, and optimizes overall resource utilization, application performance, and availability. ADX switches support switching on a broad range of content types, including URLs, HTTP headers, HTTP cookies, SSL session IDs, and XML tags. For implementations where session persistence across multiple TCP ports on the same server is a key requirement, ADX supports the industry's most advanced and easily customizable load balancing interface. In addition, the performance delivered by ADX ensures that applications provide the best end-user response time and immense scalability even when Layer 4 through 7 switching is enabled. Using sticky sessions and track-group switching, a group of transactions from a given client is sent to the server originally selected when the client first connected and its session was created.
Application Performance

ADX switches, with their intelligent application-aware load balancing and content switching, significantly improve overall performance by using server resources optimally. Using customizable load balancing methods and metrics, application performance can be tuned for the best response time and maximum throughput. By taking advantage of HTTP 1.1 protocol mechanisms, ADX supports Server Connection Offload, which removes connection overhead from the servers and provides robust security. Server resources are dedicated to maximizing application performance and user response time.

Application Availability

High-performance load balancing with ADX switches keeps applications always on by intelligently distributing application traffic among all available servers and dynamically monitoring the ability of the servers, and of the applications running on them, to deliver optimal performance, using customizable health checks at several levels of granularity: host, port, application, and transaction. ADX switches react instantaneously and transparently to increases and decreases in server resources by redirecting client traffic as needed. To protect applications from catastrophic failures, the switches can be deployed in multiple high-availability modes with stateful session failover, so that applications are insulated from switch failures and continue to function uninterrupted.
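The difference between the host/port and application levels of health check mentioned above, and between the `port http l4-check-only` and `port http url "HEAD /"` lines on FE1 and FE2 in Appendix B, is easiest to see by running both kinds of check against a server whose application is broken while its socket still listens. The following Python script is an added example, not Brocade code: the in-process HTTP server is a constructed stand-in for a Front End web component so the script runs offline, and the healthy-status range, timeouts and function names are assumptions.

```python
"""Layer 4 (TCP connect) versus Layer 7 (HTTP HEAD) health checks, modelled on
the `l4-check-only` and `url "HEAD /"` port checks in Appendix B.

Added example, not Brocade code. The in-process HTTP server is a constructed
stand-in for a Lync Front End web component; the 2xx/3xx healthy range,
timeouts and function names are assumptions.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class AppHandler(BaseHTTPRequestHandler):
    status = 200                      # set to 500 to model a broken application

    def do_HEAD(self):
        self.send_response(self.status)
        self.end_headers()

    def log_message(self, *args):     # keep the checks quiet
        pass


def start_server():
    """Listen on an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), AppHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def l4_check(host, port, timeout=1.0):
    """Equivalent of `port http l4-check-only`: does the port accept a TCP connection?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def l7_check(host, port, path="/", timeout=1.0):
    """Equivalent of `port http url "HEAD /"`: the application must answer the
    request, and the answer must be in the range the check treats as healthy."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return 200 <= conn.getresponse().status < 400
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def demo():
    """Return (l4, l7) results for a healthy app, a broken app, and a stopped server."""
    srv = start_server()
    host, port = srv.server_address
    healthy = (l4_check(host, port), l7_check(host, port))
    AppHandler.status = 500           # application failing, socket still listening
    broken = (l4_check(host, port), l7_check(host, port))
    srv.shutdown()
    srv.server_close()                # nothing listening any more
    AppHandler.status = 200
    down = (l4_check(host, port), l7_check(host, port))
    return healthy, broken, down


if __name__ == "__main__":
    for label, result in zip(("healthy", "broken app", "server down"), demo()):
        print(f"{label:12} L4={result[0]} L7={result[1]}")
```

A Layer 4 check only proves that something accepts TCP connections on the port; the Layer 7 check is what takes a server out of rotation when its application answers with an error while the socket stays open. Where both are configured for the same port, as on FE1 and FE2 above, confirm on the switch which one governs the real server's state before relying on the application-level result.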

Application and Server Farm Security

Security is a critical challenge for all businesses, but particularly for applications where regulatory compliance is a risk factor. As reliance on the network to deliver mission-critical applications increases, so does the threat posed by network-based attacks. ADX has many intelligent features and the performance to protect reliably against many forms of DoS, virus, and worm attacks. ADX switches protect application infrastructure and server farms against wire-speed Gigabit-rate DoS attacks, which translates to 120 million attacks per second for a fully configured ADX 10000.

Application and Server Farm Scalability

Scaling applications and server farms is one of the most fundamental requirements for continued business growth, and is easily met by the ServerIron load balancers. ADX provides scalability to any IP-based application, allowing businesses to use commodity servers to build highly sophisticated and secure application infrastructure. Massive scalability is achieved with complete transparency to existing clients and without downtime.

Higher Return on Investment (ROI)

Brocade ADX application delivery controllers provide immediate ROI and also improve the ROI of the application and server infrastructure. By implementing the Server Connection Offload feature in existing server farm and application deployments, customers can immediately improve overall capacity by an average of 20 to 40%. ADX switches support significantly more application traffic and clients on existing resources through efficient utilization. Downtime associated with security breaches and with server and application maintenance is reduced, resulting in improved availability. Load balancers also simplify application and server farm management, which improves productivity and helps conserve capital for other critical problems in the network.

2010 Brocade Communications Systems, Inc. All Rights Reserved.
11/10 GA-SG-355-00 Brocade, the B-wing symbol, BigIron, DCFM, DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, TurboIron, and Wingspan are registered trademarks, and Brocade Assurance, Brocade NET Health, Brocade One, Extraordinary Networks, MyBrocade, VCS, and VDX are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned are or may be trademarks or service marks of their respective owners. Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.