Load Balancing Lync 2013. Jaap Wesselius




Agenda
- Introduction
- Internal Load Balancing
- External Load Balancing
- Reverse Proxy
- Summary & Best Practices

Introduction

Load Balancing Lync 2013
- Why load balancing?
- What are the important items in load balancing?
  - VIP & Real Server: external address vs internal address
  - Affinity or Persistence: Source IP, Cookie
  - Scheduling: Round Robin, Least Connections

Load Balancing Lync 2013
- Which workload do you want on the load balancer?
- Server-to-server traffic? That is topology aware, so no load balancer is needed
- Client-to-server traffic?
  - DNS load balancing for front-end traffic (SIP)
  - DNS load balancing for Edge traffic (SIP)
  - DNS load balancing does NOT work for web services
  - Port translation is needed for external web traffic

Load Balancing Lync 2013

| ROLE | HIGH AVAILABILITY | LOAD BALANCER | DNS LOAD BALANCING |
|---|---|---|---|
| Standard Edition Server | Not Available | N/A | N/A |
| Enterprise Edition Server | Deploy Multiple Servers in a Pool and Use Load Balancing | Yes | Yes |
| Back End Server | SQL Server uses Windows Clustering for High Availability | No | No |
| A/V Conferencing Server | Deploy Multiple Servers in a Pool and Use Load Balancing | N/A | N/A |
| Edge Server | Deploy Multiple Servers in a Pool and Use Load Balancing | Yes | Yes |
| Mediation Server | Deploy Multiple Servers in a Pool and Use Load Balancing | Yes | Yes |
| Monitoring | Standby Server (MSMQ on the Front-End queues messages in the event of the failure) | No | No |
| Archiving | Standby Server (MSMQ on the Front-End queues messages in the event of the failure) | No | No |
| Director | Deploy Multiple Servers in a Pool and Use Load Balancing | Yes | Yes |
| File Server | Use Windows Clustering or Distributed File System | No | No |

Internal Load Balancing

Lync 2013 Front-End & Director Pool
[Diagram: Internet, DMZ and Internal Network zones, showing Lync 2013 desktop and mobile clients, the Windows 8 Lync App, load balancers, the Reverse Proxy, the Lync Edge Pool, the Lync Front-End Pool, mirrored Back-End Servers, Active Directory and the Office Web Apps Server]

Lync 2013 Front-End & Director Pool
- Microsoft recommendations:
  - DNS load balancing for SIP traffic
  - Web services override FQDN for internal web services
  - Load balance TCP ports 80, 8080, 443 and 4443
  - Also TCP port 444 when using a Director Pool

Lync 2013 Front-End & Director Pool
- Source IP persistence can be used, but there are some limitations:
  - Behind NAT: only a single source IP
  - Uneven distribution of connections
- Health check on TCP/5061, or use the hardware load balancer monitoring port (checkbox in Topology Builder)
- Optionally /meet/blank.htm instead of TCP/5061 to determine whether IIS is working properly

Lync 2013 Front-End & Director Pool
- Using a cookie is also possible:
  - Must be named MS-WSMAN
  - No expiration
  - Not httpOnly
  - No use of cookie optimization
- There is no negative impact when using a cookie
- TCP session time-out: 20 minutes
- TCP idle time-out: 1800 seconds

Lync 2013 Front-End & Director Pool
- Without DNS RR, i.e. a load-balancer-only environment:
  - Load balance the following TCP ports: 5061, 444, 135, 80, 8080, 443, 4443, 448, 5070-5073, 5075, 5076, 5080
  - The number of ports increases considerably because SIP traffic goes through the LB
- More info at http://bit.ly/lyncports

Lync 2013 Mediation pool
- DNS load balancing is sufficient
- When using a load balancer, only TCP ports 5067, 5068 and 5070 go through the load balancer

External Load Balancing

Load balancing Edge Pool
[Diagram: Internet, DMZ and Internal Network zones, showing Lync 2013 desktop and mobile clients, the Windows 8 Lync App, load balancers, the Reverse Proxy, the Lync Edge Pool, the Lync Front-End Pool, mirrored Back-End Servers, Active Directory and the Office Web Apps Server]

DNS load balancing Edge Pools
- DNS has limited usefulness because of loss on fail-over:
  - Federation with older OCS environments
  - PIM connectivity with Skype, Windows Live, AOL, Yahoo and XMPP partners
  - UM Play on Phone
  - Call transfer from UM Auto Attendant

(Hardware) Load balancer Edge Pool
- External interfaces
- Access Edge Interface
  - SIP (external client): TCP/443
  - SIP (Federation): TCP/5061
  - XMPP: TCP/5269
- Web Conferencing Interface
  - Source NAT can be used
  - PSOM: TCP/443
- AV Edge Interface
  - NAT can *not* be used
  - STUN/MSTURN: TCP/443
  - STUN/MSTURN: UDP/3478

(Hardware) Load balancer Edge Pool
- External interfaces:
  - Use the Access VIP as default gateway on all Edge interfaces
- AV Edge Interface:
  - Disable TCP Nagling for TCP/443 on all interfaces
  - Disable TCP Nagling for ports 50000-59999
  - Use a publicly routable IP without NAT or port translation

(Hardware) Load balancer Edge Pool
- Internal interfaces
- Access SIP: TCP/5061
  - Used by Director & Front-End
- AV authentication SIP: TCP/5062
  - Used by Front-End pool & SBA
- AV Media Transfer: UDP/3478
  - Preferred path for AV media transfer
- AV Media Transfer: TCP/443
  - Fallback for AV media transfer
  - File Sharing
  - Desktop Sharing

Reverse Proxy

Reverse Proxy (Web Services)
[Diagram: Internet, DMZ and Internal Network zones, showing Lync 2013 desktop and mobile clients, the Windows 8 Lync App, load balancers, the Reverse Proxy, the Lync Edge Pool, the Lync Front-End Pool, mirrored Back-End Servers, Active Directory and the Office Web Apps Server]

Reverse Proxy?
- Device between servers and clients (often in the DMZ) that publishes server services
- Often used as a load balancing device
- Shields internal servers from external influences
- Full reverse proxy
  - Layer 7
  - SSL acceleration, content inspection, intruder detection

Reverse Proxy
- Reverse proxy = 2nd VIP on the load balancer
- Load balance on ports 80 and 443
- Publishes ports 8080 and 4443
- Persistence is not required
- Pre-authentication is not possible
- Health check on port 5061, or the hardware load balancer port (in Topology Builder), or /meet/blank.htm instead of port 5061

Testing the Reverse Proxy
- https://meet.exchangelabs.nl/reach/client/webpages/reachclient.aspx (Silverlight client!)
- https://dialin.exchangelabs.nl/dialin/conference.aspx
- https://lyncweb.exchangelabs.nl/scheduler/default.aspx

Office Web Apps server
- Load balance port 443
- Re-encryption of traffic
- SSL offloading is also possible
- Source IP for persistence with a 30-minute timeout
- Health check on /hosting/discovery using HTTP GET
- Web Apps blog: http://bit.ly/13uqqxe

Summary and Best Practices

DNS Load Balancing or Hardware?

| HLB Pros | HLB Cons | DNS LB Pros | DNS LB Cons |
|---|---|---|---|
| App Awareness | Extra step for server draining | Simpler Server Draining | Some 3rd party apps don't understand DNS LB |
| Easy to take partially working server offline | Additional setup work required | Less overall complexity | Many PBXs can't talk to pool of DNS LB mediation Servers |
| Supports all level clients | Adds significantly to deployment (myth) | Minimal LB expertise required | Down level clients don't support DNS LB |
| HA for PIC/XMPP and legacy federation | Adds substantial latency (myth) | | |
| | Over-complicates troubleshooting (myth) | | |

Best Practices
- Use same load balancing method for internal/external Edge interfaces
- Don't leave timeout at default: TCP idle timeout should be set to 1800 sec
- Turn off TCP Nagling for AV Edge ports 50k-59,999 and internal/external 443
- Use SNAT for general services, DNAT for AV Edge
- Ensure load balancer and Lync failover scenarios are tested BEFORE you need it
- Avoid using DSR: not supported

Best Practices
- Create an independent virtual service for each edge service (access/webconf/av)
- Use cookie-based persistence for external Lync web services and source-address persistence for internal Lync web services
- Cookie-based persistence required for Lync Mobility services: marked http Only, named MS-WSMAN and no expiration
- Always use a HLB if HA for XMPP/PIC/legacy Federation is important
- Edge internal interface must be on a different network than Edge external interface, with routing between them disabled
- Edge Server External interface running A/V must use routable IP: no NAT/PAT
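
The best-practice values from these slides can be checked mechanically against a load balancer's virtual-service definitions. The following is an added example, not part of the original presentation; the configuration schema (`role`, `tcp_idle_timeout`, `forwarding`, `snat`, `nagle`, `persistence`), the finding codes and the sample services are constructed assumptions, not any vendor's format.

```python
# Added example: audit virtual-service definitions against the slide values.
# The dict schema and the finding codes are hypothetical.

IDLE_TIMEOUT_SEC = 1800      # "TCP idle timeout should be set to 1800 sec"
COOKIE_NAME = "MS-WSMAN"     # persistence cookie name given in the slides


def audit(vs):
    """Return sorted finding codes for one virtual service definition."""
    findings = set()
    if vs.get("tcp_idle_timeout") != IDLE_TIMEOUT_SEC:
        findings.add("IDLE_TIMEOUT")            # timeout left at another value
    if vs.get("forwarding") == "dsr":
        findings.add("DSR")                     # DSR is not supported
    pers = vs.get("persistence") or {}
    if pers.get("type") == "cookie":
        # Name and expiration only. The httpOnly flag is left out: the cookie
        # slide and the best-practices slide differ on it.
        if pers.get("name") != COOKIE_NAME or pers.get("expires") is not None:
            findings.add("COOKIE_SETTINGS")
    elif vs.get("role") == "web-external":
        findings.add("MOBILITY_COOKIE")         # Mobility needs cookie persistence
    if vs.get("role") == "av-edge":
        if vs.get("snat"):
            findings.add("AV_EDGE_NAT")         # AV Edge must not sit behind NAT
        if vs.get("nagle", True):               # unspecified is treated as enabled
            findings.add("AV_EDGE_NAGLE")       # Nagling must be off for AV Edge
    return sorted(findings)


def audit_all(services):
    """Map each virtual service name to its findings."""
    return {vs["name"]: audit(vs) for vs in services}


SAMPLE = [  # constructed sample input
    {"name": "lync-web-ext", "role": "web-external", "tcp_idle_timeout": 1800,
     "persistence": {"type": "cookie", "name": "MS-WSMAN", "expires": None}},
    {"name": "lync-web-int", "role": "web-internal", "tcp_idle_timeout": 300,
     "persistence": {"type": "cookie", "name": "LBSESSION", "expires": 3600}},
    {"name": "lync-av-edge", "role": "av-edge", "tcp_idle_timeout": 1800,
     "forwarding": "dsr", "snat": True, "nagle": True},
]

if __name__ == "__main__":
    for name, result in audit_all(SAMPLE).items():
        print(name, result or "OK")
```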

Questions? Thank you for your time. mail@jaapwesselius.com @jaapwess