TESTING & INTEGRATION GROUP SOLUTION GUIDE

TESTING & INTEGRATION GROUP SOLUTION GUIDE Radware AppDirector optimizing the delivery of Microsoft Lync 2010 TECHNICAL SOLUTION GUIDE DATE: Sunday, January 01, 2012 Version: 1.0 Author Elad Kurzweil

Contents INTRODUCTION... 3 MICROSOFT LYNC 2010 OVERVIEW... 4 RADWARE APPDIRECTOR... 9 PERFORMANCE ACCELERATION SERVICES... 10 RADWARE APPDIRECTOR AND MICROSOFT LYNC ARCHITECTURE... 11 IMPORTANT IMPLEMENTATION NOTES... 12 CONFIGURATION... 13 APPDIRECTOR INTERNAL ACTIVE CONFIGURATION... 13 CONFIGURATION SETTINGS... 13 APPDIRECTOR INTERNAL ACTIVE... 13 Network Configuration... 13 Farm Configuration... 13 Client NAT Configuration... 14 Extended Farm Configuration... 14 Configuration... 15 Layer 7 Configuration... 16 Compression Configuration... 17 SSL Policy Configuration... 17 Layer 4 Configuration... 18 AppDirector Health Monitoring... 23 VRRP Configuration... 25 Mirroring Configuration... 25 APPDIRECTOR INTERNAL BACKUP... 26 Network Configuration... 26 CONFIGURATION SETTINGS... 26 APPDIRECTOR DMZ ACTIVE... 26 Network Configuration... 26 Farm Configuration... 26 Client NAT Configuration... 27 Extended Farm Configuration... 27 Configuration... 28 Layer 4 Configuration... 29 AppDirector Health Monitoring... 31 VRRP Configuration... 33 Mirroring Configuration... 33 APPDIRECTOR DMZ BACKUP... 34 Network Configuration... 34 2

Introduction The Radware AppDirector and Microsoft Lync joint solution ensures Lync Server customers solution resilience, efficiency and scale. Radware s AppDirector Application Switch guarantees Microsoft Lync Server maximum availability, scalability, performance and security. Managing traffic for both the Web Service content and SIP based Unified Communication services, AppDirector Application Switch provides advanced health monitoring to avoid system down time and advanced traffic management to deliver a best of breed subsystem. With a pay as you grow platform licensing model, AppDirector Application Switch ensures long term investment protection facilitating incremental growth demanded by today s business. 3

Microsoft Lync 2010 Overview Microsoft Lync ushers in a new connected user experience transforming every communication into an interaction that is more collaborative, engaging, and accessible from anywhere. For IT, the benefits are equally powerful, with a highly secure and reliable system that works with existing tools and systems for easier management, lower cost of ownership, smoother deployment and migration, and greater choice and flexibility. Connected End User Experience Users seek communications tools that make their work easier and are available anywhere, anytime including within the context of other applications. Microsoft Lync 2010 provides a single interface that unites voice communications, IM, and audio, video, and Web conferencing into a richer, more contextual offering. Find and communicate with the right person Rich presence including pictures, skill search, location information, and more gives users the context they need to make smart communication choices including built-in instant messaging capability. Users can add and connect with users on Public IM services such as Windows Live, AOL, and Yahoo! and communicate with them using their single work identity. Create a more fun work environment by building social connections The rich experience of Lync 2010 helps workers make connections across time and distance with picture-enhanced presence, automatic frequent contacts lists, and activity feeds for keeping up with co-workers. Make every interaction a near face to face meeting Transform any conversation to include high-resolution video-, application-, and desktop-sharing and be fully present in meetings without making the physical trip. Communicate with context from Microsoft Office applications The visually compelling experience of Lync 2010 is consistent throughout Microsoft Office and other business applications, including color-coded presence icons, pictures, highresolution video, and desktop sharing. Stay connected from virtually anywhere A single experience across the PC, phone, or Web means that users have the choice to connect from many devices. Benefits From controlling costs to managing compliance, Microsoft Lync delivers value that speaks to the needs of today s organizations. 4

Do more. With less. Control costs Voice over IP (VoIP) enables communications among geographically dispersed company locations without long distance charges. Integrated audio, video, and Web conferencing helps reduce travel costs as well as the cost of thirdparty conferencing solutions. Improve productivity Rich presence information helps employees find each other and choose the most effective way to communicate at a given time. Instead of e- mailing documents back and forth for approval, workers can rely on real-time collaboration through enhanced conferencing with desktop, application, and virtual whiteboard sharing or contact a collaborator from within Microsoft Office or other applications. The unified Microsoft Lync 2010 client provides access to enterprise voice, enterprise messaging, and conferencing from one simplified interface. Support the mobile workforce Mobile workers get access to rich Unified Communications tools from practically anywhere with an Internet connection, no VPN needed. An updated Lync Mobile client makes joining and managing conferences, searching the Global Address List, and viewing presence information easy. Rich presence in Lync Server 2010 has been updated with mobile location information, making on-the-go workers easier to find and contact. A single user experience across PC, phone, mobile phone, and browser gives workers more ways to stay in touch. Gain operational efficiencies By integrating Unified Communications and rich presence into business workflows, latency and delays can be reduced or eliminated. For geographically dispersed teams, group chat can enable efficient, topic-specific, multi-party discussions that persist over time. Be more responsive to customers, partners, and employees Enhanced delegation through Lync 2010, one-click call routing and management features in Microsoft Lync 2010 Attendant for receptionists, and rich presence information in both help ensure that opportunities are routed to the right person at the right time. Maintain regulatory compliance Built-in security, encryption, archiving, and call detail records help meet regulatory requirements. By using your own servers and network, you maintain control over sensitive data that would otherwise be transmitted over public telephone networks and third-party conferencing platforms. 5

Joint Solution Topology example: Radware s ADC solution provides high availability and improved performance to the Microsoft Lync 2010 unified communication solution through smart traffic load balancing and redirection. The simplest implementation is done by configuring a virtual IP address on the AppDirector ADC, to which all LYNC traffic will go through, and intelligently distributed to the pool of LYNC servers. The following topology diagram is a generic logical example, demonstrating which Lync server elements can be load balanced by the AppDirector ADCs, i.e. Lync Edge servers and Lync Front End. 6

A more realistic topology would use a single ADC device (or a cluster of two for redundancy), to provide all ADC services to the various Lync server pools, and zones in the network, separating the traffic through VLANs and by using a different virtual IP per VLAN representing a network zone (e.g. DMZ or LAN), and per server pool. Office Communications Server Protocols load balanced by AppDirector Front End Server Front End Lync Server Front- End service 5060 TCP Optionally used by Standard Edition servers and Front End for static routes to trusted services, such as remote call control servers. Front End Front End Front End Front End Front End Front-End service 5061 TCP (TLS) Front-End service 444 HTTPS Lync Server Front- End service Lync Server IM Conferencing service Lync Server Web Conferencing service 135 TCP 5062 TCP DCOM and remote procedure call (RPC) 8057 TCP (TLS) Used by Standard Edition servers and Front End pools for all internal SIP communications between servers (MTLS), for SIP communications between Server and Client (TLS) and for SIP communications between Front End and Mediation (MTLS). Also used for communications with Monitoring Server. Used for HTTPS communication between the Focus (the Lync Server component that manages conference state) and the individual servers. This port is also used for TCP communication between Front End and Survivable Branch Appliances. Used for DCOM based operations such as Moving Users, User Replicator Synchronization, and Address Book Synchronization. Used for incoming SIP requests for instant messaging (IM) conferencing. Used to listen for Persistent Shared Object Model (PSOM) connections from client. 7

Front End Front End Front End Front End Front End Front End Front End Front End Front End Front End Lync Server Audio/Video Conferencing service Lync Server Web Compatibility service Lync Server Application Sharing service Lync Server Conferencing Announcement service Lync Server Call Park service 5063 TCP 443 HTTPS 5065 TCP 5073 TCP 5075 TCP Audio Test service 5076 TCP Lync Server Response Group service Lync Server Bandwidth Policy Service Lync Server Bandwidth Policy Service Lync Server Web Services 5071 TCP 5080 TCP 448 TCP Used for incoming SIP requests for audio/video (A/V) conferencing. Used for communication from Front End to the web farm FQDNs (the URLs used by IIS web components). Used for incoming SIP listening requests for application sharing. Used for incoming SIP requests for the Lync Server Conferencing Announcement service (that is, for dial-in conferencing). Used for incoming SIP requests for the Call Park application. Used for incoming SIP requests for the Audio Test service. Used for incoming SIP requests for the Response Group application. Used for call admission control by the Bandwidth Policy service for A/V Edge TURN traffic. Used for call admission control by the Lync Server Bandwidth Policy Service. 8080 TCP Front End web services Edge External Leg Edge External Leg Load balancer for Edge 443 TCP Used for SIP Access Service (VIP1) Edge External l Leg Load balancer for Edge 5061 TCP Used for Federation mode Edge External Leg Load balancer for Edge 443 TCP Used for Web Conferencing service (VIP2) 8

Edge External Leg Edge External Leg Load balancer for Edge Load balancer for Edge 443 TCP Used for A/V service (VIP3) 3478 UDP STUN/UDP for A/V serivce Edge Internal Leg Edge Internal Leg Edge Internal Leg Edge Internal Leg Edge Internal Leg Load balancer for Edge 443 TCP Used for Web Service Load balancer for Edge 5061 TCP SIP TLS Load balancer for Edge 5062 TCP Internal Edge authentication Load balancer for Edge 3478 UDP STUN/UDP for A/V service CWA Ports CWA Load balancer for CWA 443 TCP Used for Web Service (SSL Offloading) Table 1.0 Office Communications Server Protocols load balanced by AppDirector For more information, please visit: http://lync.microsoft.com/enus/pages/default.aspx Radware AppDirector AppDirector uses advanced Layer 4-7 policies and granular application intelligence for end-to-end business-smart networking. AppDirector aligns server infrastructure operations with application front end requirements to eliminate Traffic surges Server bottlenecks Connectivity disconnects 9

Downtime This assures application access, full application continuity and redundancy. AppDirector enables fine tuning of network behavior based on granular applicationspecific classification of packets to optimize traffic flows for a wide range of enterprise applications such as Microsoft, Oracle, BEA, IBM, SAP and other webbased applications including support for VoIP, streaming media and secure LDAP applications. Performance Acceleration Services AppDirector provides end-to-end performance acceleration of Web- and SSL-based applications for all end-users types such as desktops, PDAs and smart-phones. AppDirector's acceleration technologies include SSL offloading, Web compression, static and dynamic content caching, TCP optimization and bandwidth utilization control for fast application and transaction response times and the best Quality of Experience (QoE) across various media types (e.g., cellular connections, wireless networks, broadband connections). By offloading SSL and persistent functions (processor- and server-intensive operations) from servers, AppDirector frees server CPU to handle additional requests, thus eliminating the need to buy additional hardware to support application processing requirements. AppDirector handles centralized, multi-device application and SSL management which: Reduces the complexity and the cost of managing SSL server infrastructure through centralized, tamper-resistant certificates/key protection and management Significantly reduces Federal Information Processing Standards (FIPS) card deployment costs while preventing attackers from gaining access to sensitive information (e.g., keys and certificates) contained in the module Reduces OPEX of installing and managing certificates on each and every server Simplifies maintenance and troubleshooting Centralizes monitoring of SSL performance Provides complete reporting and auditing of configuration changes required for regulatory compliance 10

Radware AppDirector and Microsoft Lync Architecture Tested Network Drawing 11

Important Implementation Notes 1. There are two pairs of AppDirector Application Switches configured for this deployment. A pair of AppDirectors configured in the DMZ for the Edge and a pair of AppDirectors configured in the LAN for the Front-End. 2. DNS SRV records for the appropriate domain are used to locate the Lync servers for client connectivity. DNS administration is required to bind an A record for the Lync FQDN, where the FQDN resolves the appropriate AppDirector Virtual IP Address (VIP). AppDirector has the ability to become the Authoritative responder for this FQDN, normally used in Disaster Recovery designs; in this case the DNS would use a name server record pointing to the AppDirector for the authoritative response. AppDirector would base the response on the availability, load and proximity information it uses to drive intelligent load distribution. 3. SSL traffic is (TCP.443) can be configured as persistent with SSLID tracking (not configured in this paper) 4. Other traffic is persistent with Source IP LB. 5. Internal legs of the Edge servers routing table for 192.168.1.0/24, 192.168.2.0/24 must be routed statically on the servers to IP 11.1.11.254. Windows command example: route add 192.168.1.0 mask 255.255.255.0 11.1.11.254 p 6. Internal AppDirector leg route for 192.168.1.0/24 will go through 11.1.10.254 (for CWA, Online Meeting, ABS, dialing conferencing and Group Extensions services) 7. Microsoft requires session timeout for 1800 second; Make sure that aging time on the AppDirector is set to 30 minutes. 8. Import the Microsoft Lync certificate to the AppDirectors both internal and external, to understand how to import the Certificate please refer to the AppDriector Manual. 9. The CWA server are doing compression to the web pages by default, the AppDirector cannot do the header and body modification when compression is enabled by the CWA servers. To disable compression we use the compression mechanism that tells the servers not to add compression to the web pages. 12

Software and Hardware The following is a list of hardware and software tested to verify the interoperability of the presented solution: Microsoft Windows 2008 R2 x64bits Radware s AppDirector ODS1 v.2.14.03 build 111 (4 units) Microsoft Lync 2010 Enterprise Microsoft SQL Server 2005 Microsoft Lync Front End and Edge servers Configuration AppDirector Internal Active Configuration Configuration Settings AppDirector Internal Active Network Configuration 1. Create IP 192.168.1.1/24 on port 1 2. Peer Address 192.168.1.2 3. Create default route to 192.168.1.254 Farm Configuration 1. Create a farm named fe.servers in AppDirector -> Farms -> Farm Table with these parameters: - Aging Time - 1800 - Session mode RemoveOnSessionEnd-SPS - Dispatch Method Fewest Number of Users - Local - Connectivity checks No Checks 2. Create a farm named edge.internal. in AppDirector -> Farms -> Farm Table with these parameters: - Farm Name edge.internal. - Aging Time - 1800 - Session mode RemoveOnSessionEnd-SPS - Dispatch Method Fewest Number of Users - Local - Connectivity checks No Checks 3. Create a farm named director. in AppDirector -> Farms -> Farm Table with these parameters: - Farm Name director. - Aging Time - 1800 - Session mode RemoveOnSessionEnd-SPS - Dispatch Method Fewest Number of Users - Local - Connectivity checks No Checks 13

4. Create a farm named cwa. in AppDirector -> Farms -> Farm Table with these parameters: - Farm Name cwa. - Aging Time - 1800 - Session mode RemoveOnSessionEnd-SPS - Dispatch Method Fewest Number of Users - Local - Connectivity checks No Checks Client NAT Configuration 1. Enable Client NAT in AppDirector -> NAT -> Client NAT -> Global Parameters with these parameters: 2. Create Client Address IP s in AppDirector -> NAT -> Client NAT -> Client NAT Address Table with these parameters: - From IP 192.168.1.99 to 192.168.1.103 - From IP 192.168.1.201 to 192.168.1.204 3. Create Client NAT Intercept in AppDirector -> NAT -> Client NAT -> Client NAT Intercept Table with these parameters: - From IP 11.1.10.0 to 11.1.10.255 - From IP 11.1.11.1 to 11.1.11.2 - From IP 192.168.0.0 to 192.168.255.255 Extended Farm Configuration 1. Edit farm named fe.servers in AppDirector -> Farms -> Extended Parameters with these parameters: - Client NAT 192.168.1.99 2. Edit farm named cwa. in AppDirector -> Farms -> Extended Parameters with these parameters: - Client NAT 192.168.1.99 3. Edit farm named direcor. in AppDirector -> Farms -> Extended Parameters with these parameters: - Client NAT 192.168.1.99 4. Edit farm named edge.internal. in AppDirector -> Farms -> Extended Parameters with these parameters: - Client NAT 192.168.1.201 14

Configuration 1. Create a server named fe.server.1 and attach it to the farm fe.servers in AppDirector -> -> Application -> Table with these parameters: - Server Name fe.server.1 - Farm Name Fe.servers - Server Address 192.168.1.21 - Client NAT Address Range 192.168.1.99 2. Create a server named fe.server.2 and attach it to the farm fe.servers in AppDirector -> -> Application -> Table with these parameters: - Server Name fe.server.2 - Server Address 192.168.1.22 - Client NAT Address Range 192.168.1.99 3. Create a server named director.server.1 and attach it to the farm direcotr. in AppDirector -> -> Application -> Table with these parameters: - Server Name director.server.1 - Farm Name direcotor. - Server Address 192.168.1.23 - Client NAT Address Range 192.168.1.99 4. Create a server named director.server.2 and attach it to the farm Director. in AppDirector -> -> Application -> Table with these parameters: - Server Name director.server.2 - Farm Name director. - Server Address 192.168.1.24 - Client NAT Address Range 192.168.1.99 5. Create a server named cwa.server.1 and attach it to the farm cwa.servers in AppDirector -> -> Application -> Table with these parameters: - Server Name cwa.server.1 - Farm Name cwa.servers - Server Address 192.168.1.40 - Client NAT Address Range 192.168.1.99 6. Create a server named cwa.server.2 and attach it to the farm cwa.servers in AppDirector -> -> Application -> Table with these parameters: - Server Name cwa.server.2 - Farm Name cwa.servers 15

- Server Address 192.168.1.41 - Client NAT Address Range 192.168.1.99 7. Create a server named edge.server.internal.1 and attach it to the farm edge.internal.servers in AppDirector -> -> Application -> Table with these parameters: - Server Name edge.server.internal.1 - Farm Name edge.internal.servers - Server Address 11.1.11.1 - Client NAT Address Range 192.168.1.201 8. Create a server named edge.server.internal.2 and attach it to the farm edge.internal.servers in AppDirector -> -> Application -> Table with these parameters: - Server Name edge.server.internal.1 - Farm Name edge.internal.servers - Server Address 11.1.11.2 - Client NAT Address Range 192.168.1.201 Layer 7 Configuration 1. Create L7 method named http.condition in AppDirector -> Layer 7 Farm Selection -> Method with these parameters: - Method Name http.condition - Method Type Text - Arguments https 2. Create L7 method named http.modification in AppDirector -> Layer 7 Farm Selection -> Method with these parameters: - Method Name http.modification - Method Type Text - Arguments http 3. Create L7 method named http.cwa in AppDirector -> Layer 7 Farm Selection -> Method with these parameters: - Method Name http.cwa - Method Type Text - Arguments http://cwa.lyncradware.com - 4. Create L7 method named https.cwa in AppDirector -> Layer 7 Farm Selection -> Method with these parameters: - Method Name https.cwa - Method Type Text - Arguments https://cwa.lyncradware.com 5. Create L7 Modification named http.to.https in AppDirector -> Layer 7 Modification -> Rules with these parameters: - Name http.to.https - Index 1 16

- Farm CWA. - Admin Status - Enabled - Modification Scope Header and Body - Direction Request - Header & Body Condition - http.cwa - Header & Body Modification https.cwa 6. Create L7 Modification named https.to.http in AppDirector -> Layer 7 Modification -> Rules with these parameters: - Name https.to.http - Index 2 - Farm CWA. - Admin Status - Enabled - Modification Scope Header and Body - Direction Reply - Header & Body Condition - https.cwa - Header & Body Modification http.cwa 7. Create L7 Modification named all.http in AppDirector -> Layer 7 Modification -> Rules with these parameters: - Name all.http - Index 3 - Farm CWA. - Admin Status - Enabled - Modification Scope Header and Body - Direction Request - Header & Body Condition - http.condition - Header & Body Modification http.modification Compression Configuration 1. Create a compression policy named comp.policy in AppDirector -> -> Layer4 Traffic configuration -> Compression Policy with these parameters: - Policy Name comp.policy - Algorithm GZIP - Compression lever 1 - Minimum Content Length 1 - Maximum Content length - 10485760 SSL Policy Configuration 1. Create an SSL policy in AppDirector -> L4 Traffic Redirection -> SSL Policy with these parameters: - Policy name cwa.pol - Certificate cwa - Listening Server Port 80 - HTTP Redirection Conversion State - Enabled Note: The cwa certificate needs to be imported from the Lync servers. For more information on exporting, importing, or creating a certificate, see the AppDirector User Guide. 17

Layer 4 Configuration 1. Create a Layer 4 policy named directors.5060 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name directors.5060 - Virtual IP 192.168.1.160 - L4 Port 5060 - Farm Name director.servers 2. Create a Layer 4 policy named directors.5061 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name directors.5061 - Virtual IP 192.168.1.160 - L4 Port 5061 - Farm Name director.servers 3. Create a Layer 4 policy named cwa.443 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name cwa.443 - Virtual IP 192.168.1.170 - L4 Port 443 - Farm Name cwa.servers - SSL Policy cwa.pol - Compression Policy comp.policy 4. Create a Layer 4 policy named proxy.to.fe.4443 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name proxy.to.fe.4443 - Virtual IP 192.168.1.200 - L4 Port 4443 5. Create a Layer 4 policy named fe.im.req.8057 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.im.req.8057 - Virtual IP 192.168.1.200 - L4 Port 8057 18

6. Create a Layer 4 policy named fe.dcom.135 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.dcom.135 - Virtual IP 192.168.1.200 - L4 Port 135 7. Create a Layer 4 policy named fe.web.services.8080 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.web.services.8080 - Virtual IP 192.168.1.200 - L4 Port 8080 8. Create a Layer 4 policy named fe.https.443 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.https.443 - Virtual IP 192.168.1.200 - L4 Port 443-9. Create a Layer 4 policy named fe.conf.444 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.conf.444 - Virtual IP 192.168.1.200 - L4 Port 444 10. Create a Layer 4 policy named fe.call.admin.448 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.call.admin.448 - Virtual IP 192.168.1.200 - L4 Port 448 11. Create a Layer 4 policy named fe.sip.5060 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.sip.5060 - Virtual IP 192.168.1.200 - L4 Port 5060 19

12. Create a Layer 4 policy named fe.mtls.5061 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.mtls.5061 - Virtual IP 192.168.1.200 - L4 Port 5061 13. Create a Layer 4 policy named fe.app.share.5065 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.app.share.5065 - Virtual IP 192.168.1.200 - L4 Port 5065 14. Create a Layer 4 policy named fe.monitoring.5069 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.monitoring.5069 - Virtual IP 192.168.1.200 - L4 Port 5069 15. Create a Layer 4 policy named fe.res.group.5071 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.res.group.5071 - Virtual IP 192.168.1.200 - L4 Port 5071 16. Create a Layer 4 policy named fe.sip.req.5072 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.sip.req.5072 - Virtual IP 192.168.1.200 - L4 Port 5072 17. Create a Layer 4 policy named fe.conf.anoun.5073 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: 20

- L4 Policy Name fe.conf.anoun.5073 - Virtual IP 192.168.1.200 - L4 Port 5073 18. Create a Layer 4 policy named fe.sip.req.call.park.5075 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.sip.req.call.park.5075 - Virtual IP 192.168.1.200 - L4 Port 5075 19. Create a Layer 4 policy named fe.audio.test.5076 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.audio.test.5076 - Virtual IP 192.168.1.200 - L4 Port 5076 20. Create a Layer 4 policy named fe.av.age.turn.traff.5080 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name fe.av.age.turn.traff.5080 - Virtual IP 192.168.1.200 - L4 Port 5080 21. Create a Layer 4 policy named edge.replication.4443 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name edge.replication.4443 - Virtual IP 192.168.1.230 - L4 Port 4443 - Farm Name edge.internal.servers 22. Create a Layer 4 policy named edge.int.443 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name edge.int.443 - Virtual IP 192.168.1.230 - L4 Port 443 - Farm Name edge.internal.servers 21

23. Create a Layer 4 policy named edge.int.5061 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name edge.int.5061 - Virtual IP 192.168.1.230 - L4 Port 5061 - Farm Name edge.internal.servers 24. Create a Layer 4 policy named edge.int.5062 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name edge.int.5062 - Virtual IP 192.168.1.230 - L4 Port 5062 - Farm Name edge.internal.servers 25. Create a Layer 4 policy named edge.int.udp.stun.3478 in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name edge.int.udp.stun.3478 - Virtual IP 192.168.1.230 - L4 Protocol UDP - L4 Port 3478 - Farm Name edge.internal.servers 22

AppDirector Health Monitoring 1. Enable Health Monitoring in Health Monitoring -> Global Parameters. 2. Create a check for HTTP on server 192.168.1.40 in Health Monitoring -> Check Table with these parameters: - Check name cwa.server.1 - Method HTTP - Dest IP 192.168.1.40 - Dest Port 80 3. Create a check for HTTP on server 192.168.1.41 in Health Monitoring -> Check Table with these parameters: - Check name cwa.server.2 - Method HTTP - Dest IP 192.168.1.41 - Dest Port 80 4. Create a check for TCP port 5061 on server 192.168.1.23 in Health Monitoring - > Check Table with these parameters: - Check name director.server.1 - Method TCP.Port - Dest IP 192.168.1.23 - Dest Port 5061 5. Create a check for TCP port 5061 on server 192.168.1.24 in Health Monitoring - > Check Table with these parameters: - Check name director.server.2 - Method TCP.Port - Dest IP 192.168.1.24 - Dest Port 5061 6. Create a check for TCP port 5061 on server 11.1.11.1 in Health Monitoring -> Check Table with these parameters: - Check name edge.internal.server.1 - Method TCP.Port - Dest IP 11.1.11.1 - Dest Port 5061 7. Create a check for TCP port 5061 on server 11.1.11.2 in Health Monitoring -> Check Table with these parameters: - Check name edge.internal.server.2 - Method TCP.Port - Dest IP 11.1.11.2 - Dest Port 5061 8. Create a check for TCP port 5061 on server 192.168.1.21 in Health Monitoring - > Check Table with these parameters: - Check name fe.server.1 - Method TCP.Port - Dest IP 192.168.1.21 - Dest Port 5061 9. Create a check for TCP port 5061 on server 192.168.1.22 in Health Monitoring - > Check Table with these parameters: 23

- Check name fe.server.2 - Method TCP.Port - Dest IP 192.168.1.22 - Dest Port 5061 10. Bind the check fe.server.1 to Server fe.servers 192.168.1.21 in Health Monitoring -> Binding Table. 11. Bind the check fe.server.2 to Server fe.servers 192.168.1.22 in Health Monitoring -> Binding Table. 12. Bind the check cwa.server.1 to Server cwa.servers 192.168.1.40 in Health Monitoring -> Binding Table. 13. Bind the check cwa.server.2 to Server cwa.servers 192.168.1.41 in Health Monitoring -> Binding Table. 14. Bind the check director.server.1 to Server director.servers 192.168.1.23 in Health Monitoring -> Binding Table. 15. Bind the check director.server.2 to Server director.servers 192.168.1.24 in Health Monitoring -> Binding Table. 16. Bind the check edge.internal.server.1 to Server edge.internal.servers 11.1.11.1 in Health Monitoring -> Binding Table. 17. Bind the check edge.internal.server.2 to Server edge.internal.servers 11.1.11.2 in Health Monitoring -> Binding Table. 24

VRRP Configuration 1. Enable VRRP in AppDirector -> Redundancy -> Global Configuration with these parameters: - IP Redundancy Admin Status VRRP - Interface Grouping Enable - ARP with interface grouping Send - Backup Fake ARP Enable - Backup Interface Grouping Enable 2. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual Router Table with these parameters: - IF Index 1 - VR ID 101 - Priority 255 (Highest number is Active device) - Primary IP 192.168.1.1 - Leave all other options as default 3. Create Associated IP Addresses in AppDirector -> Redundancy -> VRRP -> Associated IP Addresses with these parameters: - IF Index 1, VR ID 101, Associated IP 192.168.1.1 - IF Index 1, VR ID 101, Associated IP 192.168.1.99 - IF Index 1, VR ID 101, Associated IP 192.168.1.100 - IF Index 1, VR ID 101, Associated IP 192.168.1.101 - IF Index 1, VR ID 101, Associated IP 192.168.1.102 - IF Index 1, VR ID 101, Associated IP 192.168.1.103 - IF Index 1, VR ID 101, Associated IP 192.168.1.160 - IF Index 1, VR ID 101, Associated IP 192.168.1.170 - IF Index 1, VR ID 101, Associated IP 192.168.1.200 - IF Index 1, VR ID 101, Associated IP 192.168.1.201 - IF Index 1, VR ID 101, Associated IP 192.168.1.202 - IF Index 1, VR ID 101, Associated IP 192.168.1.203 - IF Index 1, VR ID 101, Associated IP 192.168.1.204 - IF Index 1, VR ID 101, Associated IP 192.168.1.230 Mirroring Configuration 4. Enable Mirroring in AppDirector -> Redundancy -> Mirroring -> Active Device Parameters with these parameters: - Client Table Mirroring Enable - Session Id Table Mirroring Enable 5. Add Mirror device in AppDirector -> Redundancy -> Mirroring -> Mirror Device Parameters with these parameters: - Mirror Device IP 192.168.1.2 25

AppDirector Internal Backup The following are the settings for the Backup AppDirector: Network Configuration 1. Create IP 192.168.1.2/24 on port 1 2. Peer Address 192.168.1.1 3. Create default route to 192.168.1.254 Auto Generating the Backup Configuration from the Primary AppDirector 1. From the web interface menu of the Primary AppDirector, select File -> Configuration -> Receive from Device and choose Backup (Active-Backup) save the file on your computer and call it AppDirector.backup.txt. 2. Open the browser on the AppDirector backup device and upload the saved configuration (AppDirector.backup.txt) in File -> Configuration -> Send to Device 3. Reboot the AppDirector Backup device Configuration Settings AppDirector DMZ Active Network Configuration 1. Create IP 11.1.21.10/24 on port 1 - Peer Address 11.1.21.11 2. Create IP 11.1.10.10/24 on port 2 - Peer Address 11.1.10.11 3. Create default route to 11.1.21.254 4. Static route for network 192.168.1.0/24 to 11.1.10.254 Farm Configuration 5. Create a farm named edge.sip.443 in AppDirector -> Farms -> Farm Table with these parameters: - Farm Name edge.sip.443 - Aging Time - 1800 - Session mode RemoveOnSessionEnd-SPS - Dispatch Method Fewest Number of Users - Local - Connectivity checks No Checks 6. Create a farm named edge.lm.443 in AppDirector -> Farms -> Farm Table with these parameters: - Farm Name edge.lm.443 - Aging Time - 1800 - Session mode RemoveOnSessionEnd-SPS - Dispatch Method Fewest Number of Users - Local - Connectivity checks No Checks 26

7. Create a farm named edge.meeting.443 in AppDirector -> Farms -> Farm Table with these parameters: - Farm Name edge.meeting.443 - Aging Time - 1800 - Session mode RemoveOnSessionEnd-SPS - Dispatch Method Fewest Number of Users - Local - Connectivity checks No Checks 8. Create a farm named edge.av.443 in AppDirector -> Farms -> Farm Table with these parameters: - Farm Name edge.av.443 - Aging Time - 1800 - Session mode RemoveOnSessionEnd-SPS - Dispatch Method Fewest Number of Users - Local - Connectivity checks No Checks 9. Create a farm named cwa.service.443 in AppDirector -> Farms -> Farm Table with these parameters: - Farm Name cwa.service.443 - Aging Time - 1800 - Session mode RemoveOnSessionEnd-SPS - Dispatch Method Fewest Number of Users - Local - Connectivity checks No Checks Client NAT Configuration 1. Enable Client NAT in AppDirector -> NAT -> Client NAT -> Global Parameters with these parameters: 2. Create Client Address IP s in AppDirector -> NAT -> Client NAT -> Client NAT Address Table with these parameters: - From IP 11.1.10.170 to 11.1.10.170 3. Create Client NAT Intercept in AppDirector -> NAT -> Client NAT -> Client NAT Intercept Table with these parameters: - From IP 10.1.0.0 to 10.1.255.255 Extended Farm Configuration 1. Edit farm named edge.sip.443 in AppDirector -> Farms -> Extended Parameters with these parameters: - Client NAT 11.1.10.170 2. Edit farm named edge.lm.443 in AppDirector -> Farms -> Extended Parameters with these parameters: - Client NAT 11.1.10.170 3. Edit farm named edge.meeting.443 in AppDirector -> Farms -> Extended Parameters with these parameters: 27

- Client NAT 11.1.10.170 4. Edit farm named cwa.service.443 in AppDirector -> Farms -> Extended Parameters with these parameters: - Client NAT 11.1.10.170 Configuration 1. Create a server named edge.sip.server.1 and attach it to the farm edge.sip.443 in AppDirector -> -> Application -> Table with these parameters: - Server Name edge.sip.server.1 - Farm Name edge.sip.443 - Server Address 11.1.10.1 - Client NAT Address Range 11.1.10.170 2. Create a server named edge.sip.server.2 and attach it to the farm edge.sip.443 in AppDirector -> -> Application -> Table with these parameters: - Server Name edge.sip.server.2 - Farm Name edge.sip.443 - Server Address 11.1.10.2 - Client NAT Address Range 11.1.10.170 3. Create a server named lync.content.server and attach it to the farm edge.lm.443 in AppDirector -> -> Application -> Table with these parameters: - Server Name lync.content.server - Farm Name edge.lm.443 - Server Address 192.168.1.200 - Server Port - 4443 - Client NAT Address Range 11.1.10.170 4. Create a server named meeting.server.1 and attach it to the farm edge.meeting.443 in AppDirector -> -> Application -> Table with these parameters: - Server Name meeting.server.1 - Farm Name edge.meeting.443 - Server Address 11.1.10.5 - Client NAT Address Range 11.1.10.170 5. Create a server named meeting.server.2 and attach it to the farm edge.meeting.443 in AppDirector -> -> Application -> Table with these parameters: - Server Name meeting.server.2 28

- Farm Name edge.meeting.443 - Server Address 11.1.10.6 - Client NAT Address Range 11.1.10.170 6. Create a server named av.server.1 and attach it to the farm edge.av.443 in AppDirector -> -> Application -> Table with these parameters: - Server Name av.server.1 - Farm Name edge.av.443 - Server Address 11.1.10.3 - Client NAT Address Range 11.1.10.170 7. Create a server named av.server.2 and attach it to the farm edge.av.443 in AppDirector -> -> Application -> Table with these parameters: - Server Name av.server.2 - Farm Name edge.av.443 - Server Address 11.1.10.4 - Client NAT Address Range 11.1.10.170 8. Create a server named cwa.server and attach it to the farm cwa.service.443 in AppDirector -> -> Application -> Table with these parameters: - Server Name cwa.server - Farm Name cwa.service.443 - Server Address 192.168.1.170 - Client NAT Address Range 11.1.10.170 Layer 4 Configuration 1. Create a Layer 4 policy named cwa.443.service in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name cwa.443.service - Virtual IP 11.1.21.170 - L4 Port 443 - Farm Name cwa.service.443 2. Create a Layer 4 policy named edge.sip.443.service in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name edge.sip.443.service - Virtual IP 11.1.21.200 - L4 Port 443 29

- Farm Name edge.sip.443 3. Create a Layer 4 policy named edge.av.443.service in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name edge.av.443.service - Virtual IP 11.1.21.201 - L4 Port 443 - Farm Name edge.av.443 4. Create a Layer 4 policy named edge.stun.3478.service in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name edge.stun.3478.service - Virtual IP 192.168.1.201 - L4 Protocol UDP - L4 Port 3478 - Farm Name edge.av.443 5. Create a Layer 4 policy named edge.meeting.443.service in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name edge.meeting.443.service - Virtual IP 192.168.1.202 - L4 Port 443 - Farm Name edge.meeting.443 6. Create a Layer 4 policy named content.443.service in AppDirector -> Layer 4 Traffic Redirection -> Layer 4 Policies with these parameters: - L4 Policy Name content.443.service - Virtual IP 192.168.1.203 - L4 Port 443 - Farm Name edge.lm.443 30

AppDirector Health Monitoring 1. Enable Health Monitoring in Health Monitoring -> Global Parameters. 2. Create a check server 192.168.1.170 in Health Monitoring -> Check Table with these parameters: - Check name cwa.server - Method TCP.Port - Dest IP 192.168.1.170 - Dest Port 443 3. Create a check for server 11.1.10.3 in Health Monitoring -> Check Table with these parameters: - Check name edge.av.443.server.1 - Method TCP.Port - Dest IP 11.1.10.3 - Dest Port 443 4. Create a check for server 11.1.10.4 in Health Monitoring -> Check Table with these parameters: - Check name edge.av.443.server.2 - Method TCP.Port - Dest IP 11.1.10.4 - Dest Port 443 5. Create a check for server 11.1.10.5 in Health Monitoring -> Check Table with these parameters: - Check name edge.meeting.server.1 - Method TCP.Port - Dest IP 11.1.10.5 - Dest Port 443 6. Create a check for server 11.1.10.6 in Health Monitoring -> Check Table with these parameters: - Check name edge.meeting.server.2 - Method TCP.Port - Dest IP 11.1.10.6 - Dest Port 443 7. Create a check for server 11.1.10.1 in Health Monitoring -> Check Table with these parameters: - Check name edge.sip.443.server.1 - Method TCP.Port - Dest IP 11.1.10.1 - Dest Port 443 8. Create a check for server 11.1.10.2 in Health Monitoring -> Check Table with these parameters: - Check name edge.sip.443.server.2 - Method TCP.Port - Dest IP 11.1.10.2 - Dest Port 443 9. Create a check for server 192.168.1.200 in Health Monitoring -> Check Table with these parameters: 31

- Check name lm.proxy - Method TCP.Port - Dest IP 192.168.1.200 - Dest Port 4443 10. Bind the check cwa.server to Server cwa.service.443 192.168.1.170 in Health Monitoring -> Binding Table. 11. Bind the check edge.sip.443.server.1 to Server edge.sip.443 11.1.10.1 in Health Monitoring -> Binding Table. 12. Bind the check edge.sip.443.server.2 to Server edge.sip.443 11.1.10.2 in Health Monitoring -> Binding Table. 13. Bind the check edge.av.443.server.1 to Server edge.av.443 11.1.10.3 in Health Monitoring -> Binding Table. 14. Bind the check edge.av.443.server.2 to Server edge.av.443 11.1.10.4 in Health Monitoring -> Binding Table. 15. Bind the check edge.meeting.443.server.1 to Server edge.meeting.443 11.1.10.5 in Health Monitoring -> Binding Table. 16. Bind the check edge.meeting.443.server.2 to Server edge.meeting.443 11.1.10.6 in Health Monitoring -> Binding Table. 17. Bind the check lm.proxy to Server edge.lm.443 192.168.1.200 in Health Monitoring -> Binding Table. 32

VRRP Configuration 1. Enable VRRP in AppDirector -> Redundancy -> Global Configuration with these parameters: - IP Redundancy Admin Status VRRP - Interface Grouping Enable - ARP with interface grouping Send - Backup Fake ARP Enable - Backup Interface Grouping Enable 2. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual Router Table with these parameters: - IF Index 1 - VR ID 111 - Priority 255 (Highest number is Active device) - Primary IP 11.1.21.10 - Leave all other options as default 3. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual Router Table with these parameters: - IF Index 2 - VR ID 112 - Priority 255 (Highest number is Active device) - Primary IP 11.1.10.10 - Leave all other options as default 4. Create Associated IP Addresses in AppDirector -> Redundancy -> VRRP -> Associated IP Addresses with these parameters: - IF Index 1, VR ID 111, Associated IP 11.1.21.170 - IF Index 1, VR ID 111, Associated IP 11.1.21.200 - IF Index 1, VR ID 111, Associated IP 11.1.21.201 - IF Index 1, VR ID 111, Associated IP 11.1.21.202 - IF Index 1, VR ID 111, Associated IP 11.1.21.203 - IF Index 2, VR ID 112, Associated IP 11.1.10.10 - IF Index 2, VR ID 112, Associated IP 11.1.10.170 Mirroring Configuration 5. Enable Mirroring in AppDirector -> Redundancy -> Mirroring -> Active Device Parameters with these parameters: - Client Table Mirroring Enable - Session Id Table Mirroring Enable 6. Add Mirror device in AppDirector -> Redundancy -> Mirroring -> Mirror Device Parameters with these parameters: - Mirror Device IP 11.1.10.11 33

AppDirector DMZ Backup The following are the settings for the Backup AppDirector: Network Configuration 1. Create IP 11.1.21.11/24 on port 1 - Peer Address 11.1.21.10 2. Create IP 11.1.10.11/24 on port 2 - Peer Address 11.1.10.10 3. Create default route to 11.1.21.254 4. Static route for network 192.168.1.0/24 to 11.1.10.254 Auto Generating the Backup Configuration from the Primary AppDirector 4. From the web interface menu of the Primary AppDirector, select File -> Configuration -> Receive from Device and choose Backup (Active-Backup) save the file on your computer and call it AppDirector.backup.txt. 5. Open the browser on the AppDirector backup device and upload the saved configuration (AppDirector.backup.txt) in File -> Configuration -> Send to Device 6. Reboot the AppDirector Backup device 34

Technical Support Radware offers technical support for all of its products through the Radware Certainty Support Program. Please refer to your Certainty Support contract, or the Radware Certainty Support Guide available at: http://www.radware.com/content/support/supportprogram/default.asp. For more information, please contact your Radware Sales representative or: U.S. and Americas: (866) 234-5763 International: +972(3) 766-8666 35