Forum Discussion

Soap_111722
Feb 11, 2013

Lync 2010 iApp Problems

Old Environment:

2 x LTM 6400 Series

BIG-IP 9.4.0 Build 517.5

'two-armed' configuration

New Environment:

2 x LTM 4000 Series

BIG-IP 11.3.0 Build 2968.0 Hotfix HF1

'two-armed' configuration

Migration:

We are currently starting to configure our new environment in preparation for migrating over in the next few months.

Issue:

I am trying to deploy Lync 2010 using the current iApp. I have run through the template and everything comes back healthy; VIP, Pools, Nodes are all green and look good. When I have my messaging administrator try to connect to the VIP, it just hangs and tells him that he cannot log on. If he points his Lync client back to the VIP on the old environment, it works as expected. Now, in the old environment we did have to create some SNAT pools in order to get this working. Using the iApp template, it sounds like that is only needed if you're going to have over 64,000 connections or something along those lines. We will not have that many users. However, I went ahead and created SNAT pools manually anyway and added them (trying to duplicate the current setup), but he still could not connect. Before I start mucking around with changes, I thought it best to reach out to the community for some guidance. I am hoping something can steer me in the right direction with this. Thank you in advance.

19 Replies

  • mikeshimkus_111
    Historic F5 Account
    Hi Jerome, I have never seen that problem before, but it sounds like it might be a product bug in BIG-IP. What format was the cert/key in when you imported it onto the BIG-IP?

    thanks
    Mike
  • Hi Mike & thanks for your fast answer.

    I cannot recollect to be honest (done a couple of months already)...

    any way I can check that?

    thanks
    Jérôme
  • mikeshimkus_111
    Historic F5 Account
    Hmmm, not really. The quickest thing to do would be to go back to the Lync servers and re-export the certificates as .pfx files, which contain both the cert and private key. Then you can re-import those into the BIG-IP and try again.
  • Hi Mike,

    Thanks for your feedback - sorry it took me a couple of days to get the .pfx file from the right people...

    Now, I'm in! iApp is working okay. Thanks so much!!

    Question there: is there any way to protect against brute force attacks (with ASM) for Lync, specifically?

    It seems quite easy to download the Lync mobile App from a public Store and lock accounts by trying many user/password combinations...

    Furthermore, I did notice that some Web services (such as DialIn) are asking for user authentication (http/401), hence another entry to lock accounts...

    Does anyone implement such WAF protection with Lync?

    Thank you

    Best Regards
    Jérôme
  • Reviving this old thread to see if folks have implemented any iRules or other controls to prevent password guessing at the network perimeter. All I get from Microsoft is a recommendation to use a filter produced for TMG. :O

    • Peter_de_Beer_1
      Historic F5 Account
      Looking for the same solution. TMG is now EOL, and Enterprises deploying MS Lync client on Mobile devices want to protect against brute force attacks and locking out the AD accounts.
  • Hi Michael, I saw the same article :D I personally did not succeed in protecting the DialIn login page with ASM because it used SAML to send credentials to the back-end servers (the POST request does not send username & password as parameters but as XML content). RFE 388564 was opened a couple of months ago to add this feature into ASM.