Sunday, November 8, 2009

Little known fact about load balancing OCS 2007 R2 Edge servers...

I spent some time helping a team member recently with an issue relating to OCS 2007 R2 Edge servers and F5 Networks load balancers. The effort involved troubleshooting Live Meeting connectivity for remote users. The behavior was such that the remote user would connect to the Live Meeting briefly, then disconnect.

A call to Microsoft support resulted in the engineer indicating that port 8057 shouldn't be load balanced. Upon posting to an internal Microsoft forum site, I was informed that this is in fact true. The Microsoft employee also indicated that the correct way to configure the Web Conferencing Edge servers is to list the actual server names in the internal FQDN entry of the pool properties in OCS. To do this, follow these steps:
  1. Right-click your Enterprise Pool and choose Properties, then Web Conferencing Properties.
  2. You need to add an entry for each Web Conferencing Edge server in your environment. Click the Add button and type the name of the server in the internal dialog box (e.g. serverA.dmz.contoso.com). Then type the external load-balanced "shared name" (e.g. webconf.contoso.com).
  3. Repeat the same process for each Edge server you're load balancing to, making sure the internal name represents the actual server name.
Now, thinking about this setup, you would assume the certificate bound to the internal interface should represent the "shared name" of the internal load-balanced virtual IP, right? Well, I'm told the answer is no. If your Edge servers' internal interface FQDN is "ocsedge.contoso.com", you don't need subject alternative names for each server along with it. What strikes me as odd here is that I've just spelled out the need to specify each Edge server's FQDN in the pool settings, yet you don't have to "line up" that name in the certificate.

If you investigate the documented firewall rules on the Microsoft web site, port 8057 is used with MTLS. I'm still puzzled as to how you can have MTLS working without the certificate names matching the name(s) defined in the pool settings.

Another poorly documented configuration is the firewall rule required to make Live Meeting work with hardware load balancers and multiple Edge servers. Yes, you need to permit port 8057 from "any" to the DMZ, but don't send it through your load balancer. Make sure the rule permits 8057 traffic from the LAN directly to the internal interface of each Edge server.
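To check that the path model above is actually in place, here is an added PowerShell script (not from the original post) that you run from a Front End server on the LAN: it expects the load-balanced ports to answer on the internal VIP and port 8057 to answer on each Edge server's internal interface directly, and flags 8057 answering on the VIP. The VIP and Edge server names are placeholders; the port list is the one given in the comments below.

```powershell
# Added example, not part of the original post. Placeholder names: replace with
# your own internal VIP and the internal FQDNs you entered in the pool properties.
$InternalVip = 'ocsedge.contoso.com'
$EdgeServers = @('serverA.dmz.contoso.com', 'serverB.dmz.contoso.com')

# TCP ports that are load balanced through the internal VIP (443, 5061, 5062).
# 3478 is UDP and is not probed by a TCP connect.
$VipPorts = @(443, 5061, 5062)
# Port that must NOT go through the load balancer: the Front End must reach
# every Edge server's internal interface directly on 8057.
$DirectPort = 8057

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped packet does not hang the script.
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Load-balanced ports: these should answer on the VIP.
foreach ($port in $VipPorts) {
    $ok = Test-TcpPort -ComputerName $InternalVip -Port $port
    '{0,-28} {1,5}  {2}' -f $InternalVip, $port, $(if ($ok) { 'open (via VIP)' } else { 'BLOCKED' })
}

# 8057: must answer on each Edge server directly (LAN -> Edge internal interface).
foreach ($edge in $EdgeServers) {
    $ok = Test-TcpPort -ComputerName $edge -Port $DirectPort
    '{0,-28} {1,5}  {2}' -f $edge, $DirectPort, $(if ($ok) { 'open (direct)' } else { 'BLOCKED - check firewall rule' })
}

# 8057 answering on the VIP means the load balancer is still in the path, the
# setup the post says causes Live Meeting users to connect and then drop.
if (Test-TcpPort -ComputerName $InternalVip -Port $DirectPort) {
    "WARNING: $InternalVip answers on $DirectPort; port 8057 should not be load balanced."
}
```

A successful connect only proves the firewall and load balancer path is open; it does not exercise the MTLS handshake or the certificate names discussed above.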

That's all for now.

Cheers.

3 comments:

  1. At the time of writing this comment (2010.02.19), the OCS 2007 R2 guide does not list TCP(!) port 8057 as a load balanced port in the following topic:

    Microsoft Office Communications Server 2007 R2 > Planning and Architecture > Determining Your Infrastructure Requirements > Port Requirements > Ports and Protocols > Table 1. Ports and Protocols Used by Office Communications Server and Clients

  2. So am I correct to assume that you would still have a Virtual Server that load balances to your web conferencing interfaces on your Edge servers, but only load balance and monitor port 443? F5 documentation is rough in the OCS 2007 R2 world. The template in their 10.1 OS does not reference AV or web conferencing on the Edge, so I am trying to figure this all out. Thanks for your help!

  3. You want to make sure you load balance (and have a vserver) for each port listed on the site: http://technet.microsoft.com/en-ca/library/dd425238(office.13).aspx

    The internal load balanced ports are 443, 5061, 5062, and 3478 (UDP).

    I share your concern here. This will be a personal goal of mine to have much better documentation and clarification of load balancing Edge servers when MCS 2010 is released.
