
APPLICATION DELIVERY

Deploying Brocade ServerIron ADX to Increase Availability, Scalability, and Security of Microsoft Lync Server 2010 Infrastructure
When installed in front of Microsoft Lync Server 2010 Enterprise Edition, Brocade ServerIron ADX Application Delivery Controllers increase application uptime, maximize server utilization, and shield the servers and applications from malicious attacks.


SOLUTION GUIDE

CONTENTS
Unified Communications Application Delivery  3
Deployment Architecture  5
General Requirements  7
  Affinity  8
  Cookie-Based Persistence  8
  Source IP Port Persistence  8
Further Design Considerations for the Lync Server 2010 Solution  9
  High Availability  9
  Application Affinity Options  9
  Security  9
Brocade ServerIron ADX Configuration  10
Appendix A: High Availability and Redundancy  15
  Setting Up Active-Hot Standby Redundancy  15
  Setting Up Active-Standby VIP Redundancy  16
  Setting Up Active-Active Redundancy  16
Appendix B: Running Configuration  17
Appendix C: Microsoft Lync Server 2010  21
Appendix D: Brocade ServerIron ADX  22
  Application Performance  22
  Application Availability  22
  Application and Server Farm Security  23
  Application and Server Farm Scalability  23
  Higher Return on Investment (ROI)  23


UNIFIED COMMUNICATIONS APPLICATION DELIVERY


Microsoft Lync Server 2010 technologies use the power of software to deliver complete communications, including messaging, voice, and video, across the applications and devices that people use every day. Integrating the experiences associated with the telephone (phone calls, voice-mail, and conferencing) into the work performed on a computer (documents, spreadsheets, instant messaging, e-mail, and calendars) has the power to fundamentally change the way the world works. Microsoft Lync Server 2010 is the first Microsoft product to combine enterprise-ready Private Branch Exchange (PBX), Voice over IP (VoIP) telephony, Instant Messaging (IM), presence, and video conferencing in a fully integrated unified communications solution. Compared with its predecessor, Microsoft Office Communications Server 2007, Lync Server 2010 provides richer presence capabilities, enhanced support for group IM, and improved deployment and management. To existing features, such as federation and public IM connectivity, Lync Server 2010 adds real-time conferencing hosted on servers inside the firewall and a full-featured, software-powered VoIP solution, integrated with a powerful PBX infrastructure.

Microsoft Lync Server 2010 extends the architecture of Office Communications Server 2007 to include:
- Private Branch Exchange
- Pool configurations
- Front-end servers
- Conferencing components
- VoIP components
- Perimeter network configuration and components
- Conference protocols
- Conference call flow

For more details on the Microsoft Lync Server 2010, see Appendix C. For technical overview and deployment and implementation details, visit: http://www.microsoft.com/en-us/lync/default.aspx.


Figure 1. Reference architecture (Internet, external DNS and external firewall; perimeter network with access edge server, web conferencing edge server, A/V conferencing edge server and HTTP reverse proxy; internal firewall and internal DNS; internal enterprise network with SIP Director, hardware load balancer, an Enterprise Pool of Focus, Web Conferencing Server, A/V Conferencing Server, IM Conferencing Server, Telephony Conferencing Server and IIS Servers, SQL back-end server and Active Directory; clients are Microsoft Office Communicator and Microsoft Office Meeting Console; protocols shown are SIP, HTTP/HTTPS, PSOM and SRTP)

Brocade ServerIron ADX deployed in front of Microsoft Lync Server 2010 increases application uptime, maximizes server farm utilization, and shields servers and applications from malicious attacks. The switches receive all client requests and distribute them efficiently to the most available server in the pool. ServerIron ADX switches consider server availability, load, response time, and other user-configured performance metrics when selecting a server for incoming client connections. By performing sophisticated and customizable health checks against all the Lync Server 2010 servers, ServerIron ADX quickly identifies resource outages in real time and redirects client connections to other available servers. Server capacity can be increased or decreased on demand without impacting applications and client connections. When demand grows, IT engineers can simply add new server resources on the fly without service interruption, and then configure ServerIron ADX to use the new servers for client connections.

Brocade ServerIron ADX is application aware and can inspect many types of application-level content to perform intelligent switching of client requests to appropriate servers. Application switching eliminates the need to replicate content and application functions on all servers and optimizes overall resource utilization, application performance, and availability. ServerIron ADX supports Layer 7 switching based on broad content types including URL, HTTP headers, HTTP cookies, SSL session IDs, and XML tags. For implementations in which session persistence across multiple TCP ports on the same server is a key requirement, the ADX supports the industry's most advanced and easily customizable load balancing interface. In addition, the performance delivered by ServerIron ADX ensures that applications provide optimal end-user response time and immense scalability even when enabled for Layer 4-7 switching.

Using sticky sessions and track-group switching, a group of transactions from a given client is sent to the server that created the original session when the client first connected. A crucial benefit of using ServerIron ADX is its ability to ensure the client stays with one real server, so that all real-time information is preserved as the client continues to communicate across several application ports.


Another benefit of Brocade ServerIron ADX is its ability to protect server farms and applications from malicious attack. ServerIron ADX switches are proven to defeat wire-speed gigabit-rate Denial of Service (DoS) attacks, while maintaining peak application performance. They also provide high-performance content inspection and filtering for malicious content, including viruses and worms, which are distributed through application-level messages to cripple servers and take down applications.

Brocade ServerIron ADX solutions provide immediate Return on Investment (ROI), while improving the ROI of the Lync Server 2010 infrastructure. They support significantly higher application traffic and number of user connections on existing server resources by maximizing utilization. On-demand and unlimited virtual server farm scalability eliminates the need for forklift upgrades and dramatically improves the ROI on the server infrastructure. Downtime associated with security breaches and scheduled maintenance is eliminated, resulting in improved availability, which in turn saves customers tens of thousands to millions of dollars a year.

Application delivery has become a technology of choice to improve the scalability, availability, and security of IP applications. Brocade ServerIron ADX switches, with networking and application intelligence, provide the rich features and high performance required for building massively scalable and highly secure application infrastructure.

DEPLOYMENT ARCHITECTURE
A Microsoft Lync Server 2010 pool consists of one or more front-end servers, which provide IM, presence, and conferencing services and are connected to a Microsoft SQL Server database for storing user and conference information. Depending on the pool configuration, the database might reside on the same server. In addition, certain conferencing components might be deployed on the same physical computer, depending on the chosen pool configuration. Lync Server 2010 offers two pool configurations: one Standard Edition configuration and one consolidated Enterprise Edition configuration. The Enterprise Edition configuration consists of front-end servers, which are connected to a separate dedicated SQL Server back-end database.

NOTE: In an Enterprise pool, the back-end database must run on a dedicated server, separate from other Enterprise Edition servers.

Figure 2. Consolidated configuration (Enterprise Pool: Active Directory; SQL Server back-end database; a consolidated server hosting the Focus, IM conferencing server, web conferencing server, telephony conferencing server and A/V conferencing server; IIS servers; all behind a hardware IP load balancer)


Figure 3. Expanded configuration (Enterprise Pool: Active Directory; front-end servers hosting the Focus, IM conferencing server and telephony conferencing server; SQL Server back-end database; separate web conferencing servers and A/V conferencing servers; web components servers running IIS behind their own load balancer; all behind a hardware IP load balancer)

The access edge servers, HTTP reverse proxy, and A/V edge server can also be load balanced in the perimeter network. In addition, Communicator Web Access and the Director can be deployed on multiple servers, which are load balanced. This scenario is shown in Figure 4.
Figure 4. Load balancing on multiple servers (external: UC endpoints Communicator, Live Meeting, Communicator Phone Edition and Communicator Mobile, public IM networks MSN, Yahoo and AOL, federated networks, PSTN; perimeter network: HTTP reverse proxy, Communicator Web Access application server, access edge servers, web conferencing edge server and A/V edge server(s), each behind a load balancer; internal network: Director(s), front-end servers (registration/presence server) in a pool with active and passive nodes, back-end SQL Server, IIS servers, conferencing servers (A/V, data, IM), archiving pool with IM and CDR, mediation server(s), media gateway(s), Exchange UM speech (voice-mail) server, PBX, CTI server (RCC gateway), fax, Active Directory and MIIS identity, MOM and MMC management; legend: SIP, PSTN protocol, HTTP, media, archive, Enterprise Voice component)


GENERAL REQUIREMENTS
A pool of Enterprise Edition front-end servers requires a hardware load balancer. If you are deploying a Standard Edition Server or a single Enterprise Edition Front End Server, a load balancer is not required. A hardware load balancer is also required for arrays of Lync Server 2010 edge servers or an array of Standard Edition Servers configured as a Director. These requirements are summarized in Table 1.

Table 1. Microsoft recommended hardware load balancer requirements for Lync Server 2010

Deployment                                        Load balancer requirement
A single Standard Edition Server                  Load balancer not required
Enterprise pool with multiple front-end servers   Hardware load balancer required
Array of Directors                                Hardware load balancer required
Array of edge servers                             Hardware load balancer required

Table 2. Hardware load balancer ports required for Lync Server 2010

Port 5060 (TCP)
  Virtual IP: Load balancer VIPs used by front-end servers and Director servers
  Port use: Client-to-server SIP communication over TCP

Port 5061 (TCP)
  Virtual IP: Load balancer VIPs used by front-end servers, Director servers, and the internal and external interfaces used by edge servers
  Port use: Client-to-server SIP communication over TLS, and SIP communication between the front-end servers over MTLS

Port 5062 (TCP)
  Virtual IP: Load balancer VIP used by the internal-facing interface of the edge servers
  Port use: Internal ports for SIP/MTLS authentication of IM communications flowing outbound through the internal firewall

Port 5065 (TCP)
  Virtual IP: Load balancer VIP used by the front-end servers
  Port use: Incoming SIP listening requests for application sharing

Port 5069 (TCP)
  Virtual IP: Load balancer VIP used by front-end servers
  Port use: Used by the QoE Agent on the front-end servers

Port 5071 (TCP)
  Virtual IP: Load balancer VIP used by front-end servers
  Port use: Incoming SIP listening requests for Response Group Service

Port 5072 (TCP)
  Virtual IP: Load balancer VIP used by front-end servers
  Port use: Incoming SIP listening requests for Conferencing Attendant

Port 5073 (TCP)
  Virtual IP: Load balancer VIP used by front-end servers
  Port use: Incoming SIP listening requests for Conferencing Announcement Service

Port 5074 (TCP)
  Virtual IP: Load balancer VIP used by front-end servers
  Port use: Incoming SIP listening requests for Outside Voice Control

Port 135
  Virtual IP: Load balancer VIP used by front-end servers
  Port use: To move users and perform other pool-level WMI operations over DCOM

Port 3478 (UDP)
  Virtual IP: Load balancer VIP used by the internal and external interfaces of the edge servers
  Port use: Internal and external ports for STUN/UDP inbound and outbound media communications

Port 444
  Virtual IP: Load balancer VIP used by front-end servers
  Port use: Communication between the internal components that manage conferencing and the conferencing servers

Port 443
  Virtual IP: Load balancer VIP used by the Web components server
  Port use: HTTPS traffic to the pool URLs

The configurations provided in this document load balance groups of servers, whether they are Enterprise Edition (EE) pools, access groups, or Director servers. They describe a one-arm deployment in which the servers are not directly connected to ServerIron ADX; this requires source NAT so that return traffic passes back through ServerIron ADX.

Affinity
Affinity is the ability to associate a client with a specific Client Access Server (CAS) to ensure that all requests sent from that client go to the same edge or front-end server. The following affinity methods are supported on the Brocade ServerIron ADX and are required for Microsoft Lync Server 2010:
- Cookie-based persistence
- Source IP port persistence

Cookie-Based Persistence
This method is very reliable for tying a client session to a Lync Server 2010 edge server. The load balancer inserts a cookie into the client-server protocol that is associated with a Lync Server 2010 edge server. The session continues to forward traffic to the same Lync Server 2010 server until the session is over. The cookie-based persistence method is supported for Lync Server 2010 edge server protocols that run on top of HTTP, but has these limitations:
- The load balancer needs to have the ability to read and interpret the HTTP stream. With SSL, the load balancer must decrypt traffic to examine its content.
- To use this method, the client must support receiving arbitrary cookies from the server and then including them in all future requests to that server.

Source IP Port Persistence

In this method, the load balancer looks at the client IP address and sends all traffic from a given source/client IP to a given front-end server. However, the source IP method has two limitations:
- Whenever the IP address of the client changes, the affinity is lost. However, the user impact is acceptable as long as this occurs infrequently.
- Having a large number of clients from the same IP address leads to uneven distribution. Distribution of traffic among the front-end servers then depends on how many clients are arriving from a given IP address. Two things that can cause a lot of clients to arrive from the same IP address are:
  o Network Address Translators (NATs) or outgoing proxy servers (for example, Microsoft Forefront Threat Management Gateway, or TMG). In this case the original client IP addresses are masked by the NAT or outgoing proxy server IP addresses.
  o Front-end to front-end server traffic


FURTHER DESIGN CONSIDERATIONS FOR THE LYNC SERVER 2010 SOLUTION


High Availability
Appendix A describes redundancy and how to enable it on the ADX to ensure failover without session loss. Both ADX switches in an HA pair share a common MAC address known to the clients. Therefore, if a failover occurs, the clients still know the ADX by the same MAC address. The active sessions running on the clients continue, and the clients and routers do not need to re-ARP for the ADX MAC address.

Application Affinity Options

SSL Proxy. Secure Socket Layer (SSL) Proxy is the most secure configuration option available, allowing for end-to-end SSL encryption. It is also more complex, as it requires keys and certificates on the Brocade ServerIron ADX as well as on each real server. SSL Proxy allows the Brocade ServerIron ADX to decrypt HTTPS traffic, run complex HTTP Content Switching rules (CSW rules), re-encrypt the traffic, and forward it to the appropriate server. The CSW feature makes sure that existing user sessions are forwarded to the same server to which the session was initially connected. Affinity is handled by the CSW rules, which look at the cookie and determine whether it is a new cookie from a new session or an existing cookie generated by the Brocade ServerIron ADX. A new cookie is stripped from the packet and replaced with a load balancer cookie that has a server ID (server-id) attached to it. The server ID ensures that all traffic from that session is now forwarded to the same server.

Source IP Port Persistence. Source IP Port Persistence provides a persistent hashing mechanism for virtual server ports, which evenly distributes hash assignments and enables a client to always be redirected to the same real server. This feature applies to non-HTTP traffic for which cookies are not part of the protocol specification.
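The two affinity methods just described (and in the Affinity section earlier) can be seen side by side in the following Python simulation. This is an added example, not Brocade or Microsoft code: the CookieAffinity class applies the cookie logic the CSW policy expresses (look for SERVERID= in the Cookie header, take the four characters at offset 0 as the server-id, otherwise pick a server and insert a ServerID cookie), and source_ip_server applies a persistent hash of the client address for protocols that carry no cookies. The class and function names are assumptions; the server-id values reuse the guide's own 1206/1205, and every request and client address is constructed.

```python
"""Cookie-based and source-IP persistence, simulated in Python.

Added example, not Brocade or Microsoft code. It mirrors the behaviour the guide
describes: a load balancer cookie whose first four characters after "SERVERID="
are a server-id (the csw-policy's "persist offset 0 length 4"), and a
deterministic hash of the client IP for protocols that carry no cookies.
Class and function names are assumptions; every request and address is constructed.
"""
import hashlib
import itertools
import re
from collections import Counter

# Constructed server-id -> real server map (ids and names taken from the guide's config).
SERVER_IDS = {"1206": "ES_NIC2_EX1", "1205": "ES_NIC2_EX2"}

# Case-insensitive, like the csw-rule "cookie" on the page; capture offset 0, length 4.
_SERVERID_RE = re.compile(r"SERVERID=(.{4})", re.IGNORECASE)


class CookieAffinity:
    """Pin a client to the real server that answered its first request."""

    def __init__(self, server_ids):
        self.server_ids = dict(server_ids)
        self._rr = itertools.cycle(self.server_ids)  # round-robin for new sessions

    def route(self, headers):
        """Return (real_server, cookie_to_insert_or_None) for one HTTP request."""
        m = _SERVERID_RE.search(headers.get("Cookie", ""))
        if m and m.group(1) in self.server_ids:
            # Existing session: the server-id in the cookie decides; nothing to insert.
            return self.server_ids[m.group(1)], None
        # New or unknown session: choose a server and insert the LB cookie in the reply.
        sid = next(self._rr)
        return self.server_ids[sid], f"ServerID={sid}"


def source_ip_server(client_ip, servers):
    """Source-IP persistence: a hash of the address picks the server, so the same
    client IP always lands on the same real server without any per-flow state."""
    digest = hashlib.sha256(client_ip.encode()).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


def distribution(client_ips, servers):
    """Count how many source addresses land on each real server."""
    return Counter(source_ip_server(ip, servers) for ip in client_ips)


if __name__ == "__main__":
    lb = CookieAffinity(SERVER_IDS)
    print(lb.route({}))                                     # new session, cookie inserted
    print(lb.route({"Cookie": "x=1; SERVERID=1206abcd"}))   # pinned by the cookie
    fe = ["FE1", "FE2", "FE3"]
    print(distribution([f"10.1.{i // 256}.{i % 256}" for i in range(300)], fe))
    # The NAT/proxy limitation: 300 clients behind one address all hit one server.
    print(distribution(["198.51.100.7"] * 300, fe))
```

The last two print calls reproduce the limitation listed under Source IP Port Persistence: 300 distinct addresses spread over the three constructed front-end servers, while 300 clients behind one NAT or proxy address all land on a single server, which is why the guide reserves this method for non-HTTP ports and uses the cookie for HTTPS.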

Security
The built-in DoS Protection (when enabled with the ip tcp syn-proxy command) identifies and blocks DoS attacks, protecting the network from service failures and downtime. As a TCP SYN request comes in, a TCP SYN/ACK is returned with a special SEQ number. If a TCP ACK is not returned, or if it is incorrect, the session is never added to the session table, preventing wasted resources. If the proper TCP ACK is returned with the proper SEQ number, a connection is established and the entry is written to the session table. This method of SYN protection allows Brocade to provide the highest level of DoS protection in the industry, mitigating over 120 million SYN attacks per second in the case of a fully loaded ServerIron ADX 10000. This equates to thwarting a 100 GB line attack in real time without affecting legitimate traffic flows and user connections. Appendix D provides more details about Brocade ServerIron ADX.
Figure 5. Brocade ADX DoS attack mitigation (a good client, Host A, sends TCP SYN, receives TCP SYN/ACK with the special SEQ, returns TCP ACK with the special SEQ, and gets a complete TCP connection to an internal host; a bad client, Host B, returns a bad TCP ACK and gets no TCP connection; the ADX thus protects internal hosts from attack)
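The handshake of Figure 5 in runnable form, as an added example that is not Brocade code: the proxy answers every SYN with a sequence number derived from a keyed hash of the 4-tuple and a coarse time slot, keeps no state for it, and only the ACK that acknowledges exactly that number creates a session-table entry. The SynProxy class, the 24-bit-MAC-plus-8-bit-slot layout of the special sequence number and the 64-second window are assumptions about how such a scheme can be built, not a description of the ADX implementation; the addresses and ports in the usage section are constructed (the VIP port 5061 is taken from Table 2).

```python
"""SYN-proxy handshake validation, modelled on the Security section above.

Added example, not Brocade code. The idea it demonstrates: answer every SYN with
a SYN/ACK whose sequence number is derived from a keyed hash of the connection
4-tuple and a coarse time slot, keep no state, and create a session-table entry
only when the client's ACK acknowledges exactly that number. Class names, the
layout of the special sequence number and the time window are assumptions; the
traffic in the usage section is constructed.
"""
import hashlib
import hmac
import os

MASK32 = 0xFFFFFFFF


class SynProxy:
    def __init__(self, secret=None, window=64):
        self.secret = secret if secret is not None else os.urandom(16)  # device key, never on the wire
        self.window = window      # seconds during which one special SEQ stays valid
        self.sessions = {}        # only completed handshakes ever get an entry here

    def _special_seq(self, src, sport, dst, dport, slot):
        """Stateless 'special SEQ': 24 bits of MAC over the 4-tuple and slot, 8 bits of slot."""
        msg = f"{src}:{sport}>{dst}:{dport}@{slot}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((int.from_bytes(tag[:3], "big") << 8) | (slot & 0xFF)) & MASK32

    def on_syn(self, src, sport, dst, dport, now):
        """Reply to a SYN: return the SEQ for the SYN/ACK; nothing is stored."""
        return self._special_seq(src, sport, dst, dport, int(now) // self.window)

    def on_ack(self, src, sport, dst, dport, ack_num, now):
        """Validate the final ACK. True: session added; False: dropped, no state consumed."""
        slot = int(now) // self.window
        got = (ack_num & MASK32).to_bytes(4, "big")
        for s in (slot, slot - 1):    # tolerate a SYN/ACK sent just before a slot boundary
            expected = ((self._special_seq(src, sport, dst, dport, s) + 1) & MASK32).to_bytes(4, "big")
            if hmac.compare_digest(expected, got):
                self.sessions[(src, sport, dst, dport)] = "ESTABLISHED"
                return True
        return False


if __name__ == "__main__":
    proxy = SynProxy(secret=b"constructed-demo-key")
    vip = ("10.10.58.15", 5061)
    # Good client (Host A in Figure 5): echoes special SEQ + 1 and gets a session.
    seq = proxy.on_syn("203.0.113.5", 40000, *vip, now=1000)
    print("good client:", proxy.on_ack("203.0.113.5", 40000, *vip, seq + 1, now=1001))
    # Bad client (Host B): wrong ACK number, no session-table entry is created.
    print("bad client:", proxy.on_ack("198.51.100.9", 40000, *vip, 12345, now=1001))
    print("session table:", proxy.sessions)
```

The point to notice is that a flood of SYNs costs the proxy one hash per packet and no memory, while a spoofed or incomplete handshake never reaches the session table; the time slot folded into the number also means a captured SYN/ACK cannot be replayed indefinitely.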


BROCADE SERVERIRON ADX CONFIGURATION


This configuration is a basic switch configuration for ADX that works with Enterprise Pool, Access Groups, and Director Pools by using the standard ports these servers use for Lync Server 2010 applications. The version of ServerIron ADX software tested is 12.2. Figure 6 provides a logical layout of the ServerIron ADX and Lync Server 2010 deployment. Any additional customization must be reviewed against the Microsoft Lync Server 2010 planning guide. Before configuring, determine and record the server names, IP addresses, and ports required.
Brocade ServerIron ADX HA pair
  Server virtual EDVIP 10.5.57.90
  Server virtual DIRVIP 10.10.57.13
  Server virtual FEVIP 10.10.57.13
Lync Server 2010 edge servers
  Server real ED1: 10.5.57.11
  Server real ED2: 10.5.57.12
Lync Server 2010 Directors
  Server real DIR1: 10.10.57.8
  Server real DIR2: 10.10.57.9
Lync Server 2010 front-end servers
  Server real FE1: 10.10.57.11
  Server real FE2: 10.10.57.12
Ports load balanced: server port 5060 tcp, 5061 tcp, 5063 tcp, 135 tcp, 80 tcp, 443 tcp, 444 tcp, 5069 tcp

Figure 6. Logical Brocade ServerIron ADX layout for load balancing Lync Server 2010 servers

To manage Brocade ServerIron ADX via the Command-Line Interface (CLI), enter enable at the opening CLI prompt:

ServerIron> enable

Access the configuration level of the CLI by entering the following command:

ServerIron# config term

To assign an IP address, enter the following command:

ServerIron (config)# ip address 10.10.58.250 255.255.255.0

To assign a default gateway, enter the following command:

ServerIron (config)# ip default-gateway 10.10.58.2

Other optional commands:

ServerIron (config)# hostname ADX1
ADX(config)# username admin password
ADX(config)# no enable aaa console
ADX(config)# telnet server


To exit from the configuration level of the CLI, enter the following command:

ADX (config)# exit

To save the configuration to NVRAM, enter the following command:

ADX# write memory

Initial configuration:

ADX (config)# vlan 999
ADX (config-vlan-1)# untag e16
ADX(config-vlan-1)# no spanning-tree

Set up the default server ports used for SIP:

ADX(config)# server port 5060 tcp
ADX(config)# server port 5061 tcp
ADX(config)# server port 5062 tcp
ADX(config)# server port 5065 tcp
ADX(config)# server port 5071 tcp
ADX(config)# server port 5072 tcp
ADX(config)# server port 5073 tcp
ADX(config)# server port 5074 tcp
ADX(config)# server port 3478 udp
ADX(config)# server port 5069 tcp
ADX(config)# server port 135 tcp
ADX(config)# server port 80 tcp
ADX(config)# server port 443 tcp
ADX(config)# server port 444 tcp

Define the CSW policy:

csw-rule "catchall" url exists
csw-rule "cookie" header "cookie" search "SERVERID=" case-insensitive
csw-rule "lync" url prefix "/LYNC" case-insensitive
!
csw-policy "Cookie1_action" case-insensitive
 match "cookie" persist offset 0 length 4 group-or-server-id
 match "catchall" forward 1
 match "lync" forward 1
 match "lync" rewrite insert-cookie "ServerID"
 default forward 1
 default rewrite insert-cookie "ServerID"


Define the SSL profiles (ensure that certificates are loaded into the ServerIron ADX):

ssl profile clientside_1
 keypair-file cert
 certificate-file LB1.cer
 cipher-suite all-cipher-suites
 verify-client-cert per-connection request
 session-cache off
ssl profile serverside_1
 cipher-suite all-cipher-suites
 ca-cert-file contoso.crt
 session-cache off

Define the real servers:

server real ES1 10.10.58.13
 port ssl
 port sips
 port 3478
 port 5062
!
server real ES2 10.10.58.14
 port ssl
 port sips
 port 3478
 port 5062
!
server real FE1 10.10.58.16
 port http
 port http url "HEAD /"
 port http l4-check-only
 port 444
 port ssl
 port 135
 port sips
 port sip
 port 5069
 port 5065
 port 5071
 port 5072
 port 5073
 port 5074
!
server real FE2 10.10.58.17
 port http
 port http url "HEAD /"
 port http l4-check-only
 port 444
 port ssl
 port 135
 port sips
 port sip
 port 5069
 port 5065
 port 5071
 port 5072
 port 5073
 port 5074
!
server real DIR1 10.10.58.21
 port sips
 port sip
!
server real DIR2 10.10.58.22
 port sips
 port sip
!
server real ES_NIC2_EX1 10.10.57.247
 port ssl
 port ssl server-id 1206
 port ssl group-id 1 1
 port sips
 port 3478
!
server real ES_NIC2_EX2 10.10.57.248
 port ssl
 port ssl server-id 1205
 port ssl group-id 1 1
 port sips
 port 3478
!
!
server virtual Internal_ES 10.10.58.12
 predictor round-robin
 port ssl
 no port ssl sticky
 port ssl persist-hash
 port ssl ssl-proxy clientside_1 serverside_1
 port sips
 port 5062
 port 3478
 bind ssl ES1 ssl ES2 ssl
 bind sips ES1 sips ES2 sips
 bind 5062 ES1 5062 ES2 5062
 bind 3478 ES1 3478 ES2 3478

Virtual server setup:

server virtual fevip 10.10.58.15
 predictor round-robin
 port http
 port http persist-hash
 port 444
 port ssl
 no port ssl sticky
 port ssl persist-hash
 port 135
 port sips
 port sip
 port 5069
 port 5065
 port 5071
 port 5072
 port 5073
 port 5074
 bind http FE1 http FE2 http
 bind 444 FE1 444 FE2 444
 bind ssl FE1 ssl FE2 ssl
 bind 135 FE1 135 FE2 135
 bind sips FE1 sips FE2 sips
 bind sip FE1 sip FE2 sip
 bind 5069 FE1 5069 FE2 5069
 bind 5065 FE1 5065 FE2 5065
 bind 5071 FE1 5071 FE2 5071
 bind 5072 FE1 5072 FE2 5072
 bind 5073 FE1 5073 FE2 5073
 bind 5074 FE1 5074 FE2 5074
!
server virtual dirvip 10.10.58.23
 predictor least-conn
 port sips
 port sip
 bind sips DIR2 sips DIR1 sips
 bind sip DIR1 sip DIR2 sip
!
server virtual ES_External 10.10.57.245
 predictor round-robin
 port ssl
 no port ssl sticky
 port ssl persist-hash
 port ssl ssl-proxy clientside_1 serverside_1
 port ssl csw-policy "Cookie1_action"
 port ssl csw
 port sips
 port 3478
 bind ssl ES_NIC2_EX1 ssl ES_NIC2_EX2 ssl
 bind sips ES_NIC2_EX1 sips ES_NIC2_EX2 sips
 bind 3478 ES_NIC2_EX1 3478 ES_NIC2_EX2 3478
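With a real-server and virtual-server definition per port, the configuration above is easy to get subtly wrong as the pool grows: a bind that names a port the real server never declared, or a VIP port that nothing is bound to, silently leaves a Lync service unreachable through the VIP. The following Python checker is an added example, not Brocade code; it parses only the subset of the running-config syntax used on this page (server real, server virtual, port, bind) and flags those two mistakes. The function names are assumptions, and SAMPLE_CONFIG is a constructed excerpt modelled on the guide's fevip definition with two errors planted in it (a bind to an undefined real server FE3, and FE2 missing port 5074) plus an unbound port 5073.

```python
"""Sanity checks for a ServerIron ADX SLB configuration, written in Python.

Added example, not Brocade code. It parses the subset of the running-config
syntax used on this page (server real, server virtual, port, bind) and reports
two mistakes that are easy to make as a pool grows: a bind that names a real
server or real-server port that is not defined, and a virtual-server port that
nothing is bound to. Function names are assumptions; SAMPLE_CONFIG is a
constructed excerpt modelled on the guide's example with two errors planted.
"""
import shlex

SAMPLE_CONFIG = """\
server real FE1 10.10.58.16
 port http
 port http url "HEAD /"
 port ssl
 port sips
 port 5074
!
server real FE2 10.10.58.17
 port http
 port ssl
 port sips
!
server virtual fevip 10.10.58.15
 predictor round-robin
 port http
 port ssl
 no port ssl sticky
 port ssl persist-hash
 port sips
 port 5073
 port 5074
 bind http FE1 http FE2 http
 bind ssl FE1 ssl FE2 ssl
 bind sips FE1 sips FE3 sips
 bind 5074 FE1 5074 FE2 5074
"""


def parse_config(text):
    """Return (reals, virtuals): reals maps name -> set of ports;
    virtuals maps name -> {"ports": set, "binds": [(vport, [(real, rport), ...])]}."""
    reals, virtuals, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = shlex.split(line)
        if tok[:2] == ["server", "real"]:
            current = reals.setdefault(tok[2], set())
        elif tok[:2] == ["server", "virtual"]:
            current = virtuals.setdefault(tok[2], {"ports": set(), "binds": []})
        elif tok[0] == "port" and current is not None:
            # "port ssl persist-hash", "port http url ..." all declare port tok[1];
            # "no port ..." lines start with "no" and are intentionally skipped.
            (current if isinstance(current, set) else current["ports"]).add(tok[1])
        elif tok[0] == "bind" and isinstance(current, dict):
            rest = tok[2:]
            current["binds"].append((tok[1], list(zip(rest[0::2], rest[1::2]))))
    return reals, virtuals


def check_config(text):
    """Return a list of problems found; an empty list means the checks passed."""
    reals, virtuals = parse_config(text)
    problems = []
    for vname, v in virtuals.items():
        bound = set()
        for vport, pairs in v["binds"]:
            bound.add(vport)
            if vport not in v["ports"]:
                problems.append(f"{vname}: bind {vport} without 'port {vport}' on the virtual server")
            for real, rport in pairs:
                if real not in reals:
                    problems.append(f"{vname}: bind {vport} names undefined real server {real}")
                elif rport not in reals[real]:
                    problems.append(f"{vname}: bind {vport} -> {real} {rport}, but {real} has no 'port {rport}'")
        for vport in sorted(v["ports"] - bound):
            problems.append(f"{vname}: port {vport} has no bind, clients to this VIP port get nothing")
    return problems


if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONFIG):
        print(problem)
```

Run against a copy of the running configuration in Appendix B, the checker is a quick pre-change review: each port in Table 2 that the VIP is expected to serve should appear both as a port on the virtual server and in a bind whose real servers declare it.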

One-armed mode setup requirements: source NAT (to ensure that traffic passes back through the ServerIron ADX and not directly from server to client):

server source-nat
server source-nat-ip 10.10.58.249 255.255.255.0 0.0.0.0 port-range 2


LAG and VLAN:

vlan 102 by port
 untagged ethe 1 to 4
 no spanning-tree
interface ethernet 1
 link-aggregate configure key 10000
 link-aggregate active
!
interface ethernet 2
 link-aggregate configure key 10000
 link-aggregate active
!
interface ethernet 3
 link-aggregate configure key 10000
 link-aggregate active
!
interface ethernet 4
 link-aggregate configure key 10000
 link-aggregate active


APPENDIX A: HIGH AVAILABILITY AND REDUNDANCY

Having no failover makes configuration and management a little easier because you don't have to configure and manage specific appliances. However, if one server fails, then your entire Unified Communications environment is down, which means no VoIP, no IM, no presence, and no conferencing. Failover allows another Brocade ServerIron to continue providing access to the servers in case of a failure. The different methods of deploying a Brocade ServerIron are:
- Active-Hot Standby. One active ServerIron, another ServerIron in standby (supported only with switch code).
- Active-Standby VIP. Both ServerIron ADX switches can receive traffic, but only the Active VIP handles Layer 4-7 traffic; the other VIP is in Standby and functions as a standby (supported with router or switch code).
- Active-Active. Both ServerIron ADX switches are active for the same VIP, and the ServerIron ADX that receives a request services that request. In the event of a ServerIron ADX failure, the remaining ServerIron ADX handles all requests (supported with router or switch code).

Setting Up Active-Hot Standby Redundancy


In a typical hot standby configuration, one Brocade ServerIron is the active device and performs all the Layer 2 switching as well as the Layer 4 SLB switching, while the other ServerIron monitors the switching activity and remains in a hot standby role. If the active ServerIron becomes unavailable, the standby ServerIron immediately assumes the unavailable ServerIron switch's responsibilities. The failover from the unavailable ServerIron to the standby ServerIron happens transparently to users.

Both ServerIron switches share a common MAC address known to the clients. Therefore, if a failover occurs, the clients still know the ServerIron by the same MAC address. The active sessions running on the clients continue, and the clients and routers do not need to re-ARP for the ServerIron MAC address.

NOTE: All real servers must be connected to the ServerIron switches via a Layer 2 switch, or via a NIC team directly to the ServerIron switches (active NIC connected to the active ServerIron).

To configure port 1 on each ServerIron, enter the following command:
ServerIron (config)# server backup Ethernet 16 00e0.1234.1234 vlan-id 999

(This is the same primary MAC address used on both ServerIron switches.)

Configure VLAN 999, which is used for the sync connection between the ServerIron switches. Note that you must turn off spanning tree on this VLAN.
ServerIron (config)# vlan 999
ServerIron (config)# untagged ethernet 1
ServerIron (config)# no spanning-tree

To set the number of minutes that the primary ServerIron waits before taking the primary role back after an outage, enter the following command on the primary ServerIron only (5 minutes is the minimum value):
ServerIron# server backup-preference 5

To save the configuration to NVRAM, enter the following command:

ServerIron# write memory


Setting Up Active-Standby VIP Redundancy


The configuration uses an active and a standby VIP for each VIP created. Which VIP is active and which is the backup is determined by the sym-priority value associated with the VIP: the VIP with the highest sym-priority value is considered the active VIP, and the others are standbys. The configuration does not require any changes to spanning tree and does not require a sync connection between the ServerIron switches, because it uses the network topology. Note that there cannot be a router hop between the two ServerIron switches; there must be Layer 2 connectivity between them. The minimum configuration for the active VIP is as follows. Configure the VIP to use sym-priority:
ServerIron1 (config)# server virtual vip1 1.1.1.1
ServerIron1 (config)# sym-priority 10

The minimum configuration for the standby VIP is:

ServerIron2 (config)# server virtual vip1 1.1.1.1
ServerIron2 (config)# sym-priority 5

Setting Up Active-Active Redundancy


Active-active SLB uses session information to ensure that the same ServerIron load balances all requests for a given VIP. The first ServerIron that receives a request for the VIP load balances the request, creates a session table entry for the VIP, and sends the session information to the other ServerIron. Both ServerIron switches in the configuration use the session information so that the same ServerIron is used for subsequent requests for the VIP.

In this example, ServerIron A and ServerIron B have each been configured to provide active-active Symmetrical Server Load Balancing (SSLB) for the HTTP port on VIP1 and VIP2. The first ServerIron to receive a request for port HTTP on one of these VIPs load balances the request, creates session entries for the VIP, and sends the session information to the other ServerIron. Both ServerIron switches use the session information for the VIP to ensure that the same ServerIron load balances subsequent requests for the same application port and VIP.

Either ServerIron can use the session information to forward the server reply back to the client. For example, if ServerIron A is the load balancer for a client request and the server reply comes back through ServerIron B, ServerIron B can use the session information received from ServerIron A through session synchronization to perform the required address translations and send the reply to the client. ServerIron B does not need to forward the reply to ServerIron A for address translation and forwarding.

The minimum configuration for an active-active VIP is as follows. Configure the VIP to use sym-active:
ServerIron (config)# server virtual vip1 1.1.1.1
ServerIron (config)# port 80
ServerIron (config)# sym-priority 10
ServerIron (config)# sym-active


APPENDIX B: RUNNING CONFIGURATION


Current configuration : 2572 bytes
ver 12.2.00
ssl profile clientside_1
 keypair-file cert
 certificate-file LB1.cer
 cipher-suite all-cipher-suites
 verify-client-cert per-connection request
 session-cache off
ssl profile serverside_1
 cipher-suite all-cipher-suites
 ca-cert-file contoso.crt
 session-cache off
!
server backup ethe 16 001b.ed05.80a0 vlan-id 999
server backup-preference 5
!
!
server port 5060 tcp
server port 5061 tcp
server port 5065 tcp
server port 5071 tcp
server port 5072 tcp
server port 5073 tcp
server port 5074 tcp
server port 135 tcp
server port 444 tcp
server port 5069 tcp
server port 3478 udp
server source-nat
server source-nat-ip 10.10.58.249 255.255.255.0 0.0.0.0 port-range 2
!
context default
!
csw-rule "catchall" url exists
csw-rule "cookie" header "cookie" search "SERVERID=" case-insensitive
csw-rule "lync" url prefix "/LYNC" case-insensitive
!
csw-policy "Cookie1_action" case-insensitive
 match "cookie" persist offset 0 length 4 group-or-server-id
 match "catchall" forward 1
 match "lync" forward 1
 match "lync" rewrite insert-cookie "ServerID"
 default forward 1
 default rewrite insert-cookie "ServerID"
!
!
server real ES1 10.10.58.13
 port ssl
 port sips
 port 3478
 port 5062
!
server real ES2 10.10.58.14
 port ssl
 port sips
 port 3478
 port 5062
!
server real FE1 10.10.58.16
 port http
 port http url "HEAD /<NULL>"
 port http l4-check-only
 port 444
 port ssl
 port 135
 port sips
 port sip
 port 5069
 port 5065
 port 5071
 port 5072
 port 5073
 port 5074
!
server real FE2 10.10.58.17
 port http
 port http url "HEAD /"
 port http l4-check-only
 port 444
 port ssl
 port 135
 port sips
 port sip
 port 5069
 port 5065
 port 5071
 port 5072
 port 5073
 port 5074
!
server real DIR1 10.10.58.21
 port sips
 port sip
!
server real DIR2 10.10.58.22
 port sips
 port sip
!
server real ES_NIC2_EX1 10.10.57.247
 port ssl
 port ssl server-id 1206
 port ssl group-id 1 1
 port sips
 port 3478
!
server real ES_NIC2_EX2 10.10.57.248
 port ssl
 port ssl server-id 1205
 port ssl group-id 1 1
 port sips
 port 3478
!
!
server virtual Internal_ES 10.10.58.12
 predictor round-robin
 port ssl
 no port ssl sticky
 port ssl persist-hash
 port ssl ssl-proxy clientside_1 serverside_1
 port sips
 port 5062
 port 3478
 bind ssl ES1 ssl ES2 ssl
 bind sips ES1 sips ES2 sips
 bind 5062 ES1 5062 ES2 5062
 bind 3478 ES1 3478 ES2 3478
!
server virtual fevip 10.10.58.15
 predictor round-robin
 port http
 port http persist-hash
 port 444
 port ssl
 no port ssl sticky
 port ssl persist-hash
 port 135
 port sips
 port sip
 port 5069
 port 5065
 port 5071
 port 5072
 port 5073
 port 5074
 bind http FE1 http FE2 http
 bind 444 FE1 444 FE2 444
 bind ssl FE1 ssl FE2 ssl
 bind 135 FE1 135 FE2 135
 bind sips FE1 sips FE2 sips
 bind sip FE1 sip FE2 sip
 bind 5069 FE1 5069 FE2 5069
 bind 5065 FE1 5065 FE2 5065
 bind 5071 FE1 5071 FE2 5071
 bind 5072 FE1 5072 FE2 5072
 bind 5073 FE1 5073 FE2 5073
 bind 5074 FE1 5074 FE2 5074
!
server virtual dirvip 10.10.58.23
 predictor least-conn
 port sips
 port sip
 bind sips DIR2 sips DIR1 sips
 bind sip DIR1 sip DIR2 sip
!
server virtual ES_External 10.10.57.245
 predictor round-robin
 port ssl
 no port ssl sticky
 port ssl persist-hash
 port ssl ssl-proxy clientside_1 serverside_1
 port ssl csw-policy "Cookie1_action"
 port ssl csw
 port sips
 port 3478
 bind ssl ES_NIC2_EX1 ssl ES_NIC2_EX2 ssl
 bind sips ES_NIC2_EX1 sips ES_NIC2_EX2 sips
 bind 3478 ES_NIC2_EX1 3478 ES_NIC2_EX2 3478
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 2 by port
!
vlan 999 by port
 untagged ethe 16
 no spanning-tree
!
vlan 102 by port
 untagged ethe 1 to 4
 no spanning-tree
!
aaa authentication web-server default local
boot sys fl sec
no enable aaa console
hostname ADX1
ip address 10.10.58.250 255.255.255.0
ip default-gateway 10.10.58.2
telnet server
username admin password 8 $1$F24..pm4$BCF.gmzFo3V3gj7dj9Ej60
no-asm-block-till-bootup
!
interface management 1
 ip address 192.168.1.2 255.255.255.0
!
interface ethernet 1
 link-aggregate configure key 10000
 link-aggregate active
!
interface ethernet 2
 link-aggregate configure key 10000
 link-aggregate active
!
interface ethernet 3
 link-aggregate configure key 10000
 link-aggregate active
!
interface ethernet 4
 link-aggregate configure key 10000
 link-aggregate active
!
end

NOTE: If there is a backup ServerIron ADX, its configuration will be similar to the primary. In this case, two commands differ: 1) the command server backup-preference 5 is not entered on the secondary, and 2) the server source NAT command should read server source-nat-ip 32.254.0.231 255.255.255.0 32.254.0.230 port-range 1
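As an added example, not part of this guide and not Brocade tooling, the following Python script parses a show-run style dump of an ADX configuration like the one above and checks the requirements the guide states: source NAT present for one-armed mode, every bound real server defining the port it is bound on, and each VIP port bound to at least two real servers so a single real failure does not take the VIP down. The embedded configuration is a constructed excerpt modelled on Appendix B, with DIR2 deliberately missing port sip so that the checker has something to report.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on Appendix B; DIR2 deliberately lacks 'port sip'.
SAMPLE_CONFIG = """\
server backup ethe 16 001b.ed05.80a0 vlan-id 999
server source-nat
server source-nat-ip 10.10.58.249 255.255.255.0 0.0.0.0 port-range 2
!
server real DIR1 10.10.58.21
 port sips
 port sip
!
server real DIR2 10.10.58.22
 port sips
!
server virtual dirvip 10.10.58.23
 port sips
 port sip
 bind sips DIR2 sips DIR1 sips
 bind sip DIR1 sip DIR2 sip
!
"""


def parse_config(text):
    """Split a show-run dump into global lines, real servers and VIPs."""
    globals_, reals, virtuals, current = set(), {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":          # '!' closes a config block
            current = None
            continue
        m = re.match(r"server (real|virtual) (\S+) (\S+)$", line)
        if m:
            kind, name, ip = m.groups()
            current = {"ip": ip, "ports": set(), "binds": defaultdict(set)}
            (reals if kind == "real" else virtuals)[name] = current
        elif current is None:
            globals_.add(line)
        elif line.startswith("port "):       # 'port ssl ...' defines port ssl
            current["ports"].add(line.split()[1])
        elif line.startswith("bind "):       # bind VPORT REAL RPORT [REAL RPORT ...]
            toks = line.split()
            for real, rport in zip(toks[2::2], toks[3::2]):
                current["binds"][toks[1]].add((real, rport))
    return globals_, reals, virtuals


def check_config(text):
    """Return a list of findings; an empty list means every check passed."""
    globals_, reals, virtuals = parse_config(text)
    findings = []
    if "server source-nat" not in globals_:       # one-armed mode requirement
        findings.append("one-armed mode requires 'server source-nat'")
    for vname, vip in virtuals.items():
        for vport, pairs in vip["binds"].items():
            for real, rport in sorted(pairs):
                # the bound real must exist and must define the bound port
                if rport not in reals.get(real, {"ports": ()})["ports"]:
                    findings.append(f"{vname}: {real} does not define port {rport}")
            if len({r for r, _ in pairs}) < 2:       # no redundancy for this port
                findings.append(f"{vname}: port {vport} has fewer than two reals")
    return findings
```

check_config(SAMPLE_CONFIG) returns the single finding for DIR2; feed it the text of a real show-run dump to get the list for your own configuration.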


APPENDIX C: MICROSOFT LYNC SERVER 2010


Brocade ServerIron ADX switches have been certified for server load balancing in Microsoft Lync Server 2010 interoperability labs: http://office.microsoft.com/en-us/communicationsserver

Lync Server 2010 is the next version of Microsoft Office Communications Server 2007. It builds on the foundation of Presence and Instant Messaging, Federated Communications, and Remote Call Control delivered by Office Communications Server 2007. Key new features include improvements to Instant Messaging and Presence capability, such as integration with Microsoft Exchange Server distribution lists, as well as the addition of software-powered VoIP and PBX, allowing users to make, receive, and manage voice (phone) calls using Office Communicator 2007 running on their computer, and multi-party on-premise audio/video and Web conferencing. Lync Server 2010 also supports the ICE framework of protocols, allowing users to take advantage of these communications capabilities from wherever they are without needing to establish a VPN connection.

Microsoft designed Lync Server 2010 to interoperate with Office Communications Server 2007. The migration process involves deploying the Lync Server 2010 infrastructure in parallel to an Office Communications Server 2007 deployment and then migrating users across to the new infrastructure. For migration details, read the Microsoft Lync Server 2010 product documentation in the Microsoft technical library at the link provided at the beginning of this appendix.

Load balancing has become the technology of choice for improving the scalability, availability, and security of IP applications. Brocade ServerIron ADX switches provide the networking and application intelligence, rich features, and high performance required for building massively scalable and highly secure application infrastructure. See the Microsoft Lync Server 2010 planning guide.
Figure 6. High-scalability, high-availability deployment supporting IM and conferencing for internal and external users. (Diagram components: Access Edge Server and Web Conferencing Edge Server, A/V Edge Server, HTTP Reverse Proxy, load balancers, Active Directory, SQL Database, Web Conferencing Servers, A/V Conferencing Servers, Front-End Servers, Web Components Servers (servers running IIS), and internal users; the Enterprise Pool is shown in the Expanded Configuration, and a legend marks existing infrastructure.)


APPENDIX D: BROCADE SERVERIRON ADX


The Brocade ADX switches receive all client requests and distribute them efficiently to the best server in the available pool. ADX switches consider server availability, load, response time, and other user-configured performance metrics when selecting a server for incoming client connections. The ADX performs sophisticated and customizable health checks against the Lync 2010 servers, quickly identifying resource outages in real time and redirecting client connections to other available servers.

ADX provides a highly scalable solution that allows server capacity to be increased or decreased on demand without impacting the applications and client connections. When demand grows, IT engineers can simply slide in new server resources and configure the ADX switch to use the new servers for client connections.

ADX switches are application aware and can inspect many types of application-level content to perform intelligent switching of client requests to the appropriate servers. Application switching eliminates the need to replicate content and application functions on all servers, and optimizes overall resource utilization, application performance, and availability. ADX switches support switching based on broad content types, including URL, HTTP headers, HTTP cookies, SSL session IDs, and XML tags. For implementations where session persistence across multiple TCP ports on the same server is a key requirement, ADX supports the industry's most advanced and easily customizable load balancing interface. In addition, the performance delivered by ADX ensures that applications provide the best end-user response time and immense scalability even when enabled for Layer 4 through 7 switching. Using sticky sessions and track-group switching, a group of transactions from a given client is sent to the server originally selected, which holds the session created when the client first connected.

Application Performance
ADX switches, with their intelligent application-aware load balancing and content switching, significantly improve overall performance by optimally utilizing server resources. Using customizable load balancing methods and metrics, application performance can be tuned to achieve the best response time and maximum throughput. By taking advantage of HTTP 1.1 protocol mechanisms, ADX supports Server Connection Offload, eliminating connection overhead from servers and providing robust security. Server resources are truly dedicated to maximizing application performance and user response time.

Application Availability
High-performance load balancing using ADX switches ensures always-on applications by intelligently distributing application traffic among all available servers, and by dynamically monitoring the ability of the servers and the applications running on them to deliver optimal performance. Using customizable health checks at various levels of granularity (host, port, application, and transaction), ADX switches instantaneously and transparently react to increases and decreases in server resources by redirecting client traffic as needed. To protect applications from catastrophic failures, the switches can be deployed in multiple high-availability modes with stateful session failover. Applications are completely transparent to switch failures and continue to function uninterrupted.


Application and Server Farm Security


Security is a critical challenge for all businesses, but particularly for applications where regulatory compliance is a risk factor. As reliance on the network to deliver mission-critical applications increases, so does the threat posed by network-based attacks. ADX has many intelligent features and superior performance to reliably protect against many forms of DoS, virus, and worm attacks. ADX switches protect application infrastructure and server farms against wire-speed Gigabit-rate DoS attacks, which translates to 120 million attacks per second in the case of a fully configured ADX 10000.

Application and Server Farm Scalability


Scaling applications and server farms is one of the most fundamental requirements for continued business growth, and is easily and permanently met by the ServerIron load balancers. ADX provides unlimited scalability to any IP-based application, allowing businesses to leverage commodity servers to build highly sophisticated and secure application infrastructure. Massive scalability is achieved with complete transparency to existing clients and servers without downtime.

Higher Return on Investment (ROI)


Brocade ADX application delivery controllers provide immediate ROI, and also improve the ROI of application and server infrastructure. By implementing the new Server Connection Offload feature in existing server farm and application deployments, customers can immediately improve the overall capacity by an average of 20 to 40%. ADX switches support significantly higher application traffic and clients with existing resources through efficient utilization. Downtime associated with security breaches, and server and application maintenance is eliminated, resulting in improved availability. Load balancers also simplify application and server farm management, which improves productivity and helps conserve valuable capital to address other critical problems in the network.

© 2010 Brocade Communications Systems, Inc. All Rights Reserved. 11/10 GA-SG-355-00

Brocade, the B-wing symbol, BigIron, DCFM, DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, TurboIron, and Wingspan are registered trademarks, and Brocade Assurance, Brocade NET Health, Brocade One, Extraordinary Networks, MyBrocade, VCS, and VDX are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned are or may be trademarks or service marks of their respective owners.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.