NetScaler – HLB and Reverse Proxy for Skype

NetScaler – HLB and Reverse Proxy for Skype for Business Server 2015 or Lync 2013.

Below is a step-by-step guide to configuring NetScaler. You should already have the basic configuration done and all required certificates installed.

NetScaler should be configured with three legs, one each to DMZ 1, DMZ 2 and the LAN. If you want to configure the box only for HLB or only for RP, apply only the steps for the configuration you need.

[Image: network diagram]

Monitors for Skype for Business Front End server.

We will create a separate monitor for each web service: internal 80 and 443, external 4443, and OWAS 443.

Click on Traffic Management > Load Balancing > Monitors

Click on Add

Enter a name for the monitor and select type: HTTP

No changes are required in Standard Parameters apart from the port. It should be 80, 443, 4443 or, for OWAS, 443.

Next click on Special Parameters

Change HTTP Request for Front End to:

GET /Autodiscover/XFrame/XFrame.html

or for Office Web App server/Office Online Server to:

GET /healthtest.html

Response Code should be 200.

Servers

Go to **Traffic Management > Load Balancing > Servers** and add all the servers you want to use with HLB/RP

Provide Server Name, IP Address and click Create.

Services

Now we will create services. Go to Traffic Management > Load Balancing > Services.

Click Add

Enter the service name, e.g. svc_HLB_Skype_80

Select Existing Server and select the name of the server you want to add from the drop-down list.

For Front end server:

A service for Office Online Server is required as well. The port should be 443 and the protocol SSL.

After creating the service you should see a screen like the one below.

[Screenshot]

Click on Monitors

Then click Add Binding. On the next page click on the arrow and select the monitor you created earlier.

Click Bind, then Close, then Done.

If you have 3 servers in a pool, you should have a list of services as below:

[Screenshot]

Virtual Servers

To create Virtual Servers go to Traffic Management > Load Balancing > Virtual Servers and click Add

Enter the name of the vServer, e.g. vc_HLB_Skype_443

The configuration should be as follows:

For HLB 80

Protocol: HTTP

Port: 80

IP Address: VIP for Load Balancer

For HLB 443

Protocol: SSL_BRIDGE

Port: 443

IP Address: VIP for Load Balancer

For Reverse Proxy Skype

Protocol: SSL

Port: 443

IP Address: DMZ 2 VIP, in our example 192.168.0.10 (see the diagram at the top of the page)

For the OWAS configuration you will need a separate VIP in DMZ 2 (not included in the diagram)

For Reverse Proxy OWAS

Protocol: SSL

Port: 443

IP Address: DMZ 2 VIP, in our example it will be 192.168.0.11

The next window should show a summary of the basic configuration for the Virtual Server

For SSL_Bridge

[Screenshot]

For SSL (you need to bind the certificate to the vServer: click on **Certificates** in the list on the right and select the required certificate by clicking the arrow)

[Screenshot]

Set Persistence to SOURCEIP and Method to Least Connection

Click on Services and Service Groups > Add Bindings and, the same as for Monitors, click on the arrow and add the Services.

When finished, the HLB part of the configuration should work, and the configuration should look like this:

[Screenshot]

Reverse Proxy

Click on Traffic Management > Content Switching > Virtual Server

Click Add

Enter the name, e.g. vs_cs_RP_Skype_443. Select protocol SSL. Enter the IP address from DMZ 1 (the one that the public IP will be NATed to). Change the port to 443 and click OK.

Click on **Content Switching Policy Bound**

Click on the plus sign to add a new policy.

Provide a name and click on Switch to Classic Syntax. This will slightly change the look of the window.

Now under Expression enter

REQ.HTTP.HEADER Host == OWAS.domain.com

Host should be the public FQDN you want to publish. For Skype it will be:

REQ.HTTP.HEADER Host == lyncdiscover.domain.com || REQ.HTTP.HEADER Host == ext.domain.com || REQ.HTTP.HEADER Host == dialin.domain.com

To separate hosts use a double pipe: ||

After you create the new Content Switching Policy, tick it and click Select.

You should see the Policy Binding window

Click on Target Load Balancing Virtual Server and select the required vServer from the list (the one created for RP with the SSL protocol), e.g. vs_RP_Skype_443 for Skype or vs_RP_OWAS_443 for Office Web App server.

Click Bind and OK

From the list on the right, add a certificate and assign the required certificate.

NOTE:

For the Office Web App health test to work you need to create an HTML document. Place this document on the OWAS server in:

"C:\Program Files\Microsoft Office Web Apps\RootWebsite"

The html content:

<html>
    <body>
    UP
   </body>
</html>
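
The GUI steps above expressed as NetScaler CLI commands, for one Front End server and one OWAS server. This is an added example, not part of the original post, and it assumes firmware that still accepts the classic-syntax expressions the post uses. The monitor, server, policy and HLB 80 vServer names, the `<...>` placeholders, the protocol and port of the RP services, and `-secure YES` on the monitors that probe TLS ports are assumptions.

```netscaler
# Monitors: type HTTP, expected response code 200 (request strings from the post)
add lb monitor mon_Skype_FE_80 HTTP -respCode 200 -httpRequest "GET /Autodiscover/XFrame/XFrame.html" -destPort 80
add lb monitor mon_Skype_FE_443 HTTP -respCode 200 -httpRequest "GET /Autodiscover/XFrame/XFrame.html" -destPort 443 -secure YES
add lb monitor mon_Skype_FE_4443 HTTP -respCode 200 -httpRequest "GET /Autodiscover/XFrame/XFrame.html" -destPort 4443 -secure YES
add lb monitor mon_OWAS_443 HTTP -respCode 200 -httpRequest "GET /healthtest.html" -destPort 443 -secure YES

# Servers (names and addresses are placeholders; repeat per pool member)
add server srv_FE01 <FE01_IP>
add server srv_OWAS01 <OWAS01_IP>

# Services, each bound to the monitor for its port
# Assumption: RP traffic goes to the Front End external web service on 4443 over SSL
add service svc_HLB_Skype_80 srv_FE01 HTTP 80
add service svc_HLB_Skype_443 srv_FE01 SSL_BRIDGE 443
add service svc_RP_Skype_4443 srv_FE01 SSL 4443
add service svc_RP_OWAS_443 srv_OWAS01 SSL 443
bind service svc_HLB_Skype_80 -monitorName mon_Skype_FE_80
bind service svc_HLB_Skype_443 -monitorName mon_Skype_FE_443
bind service svc_RP_Skype_4443 -monitorName mon_Skype_FE_4443
bind service svc_RP_OWAS_443 -monitorName mon_OWAS_443

# Load-balancing virtual servers: persistence SOURCEIP, method Least Connection
add lb vserver vs_HLB_Skype_80 HTTP <HLB_VIP> 80 -persistenceType SOURCEIP -lbMethod LEASTCONNECTION
add lb vserver vc_HLB_Skype_443 SSL_BRIDGE <HLB_VIP> 443 -persistenceType SOURCEIP -lbMethod LEASTCONNECTION
add lb vserver vs_RP_Skype_443 SSL 192.168.0.10 443 -persistenceType SOURCEIP -lbMethod LEASTCONNECTION
add lb vserver vs_RP_OWAS_443 SSL 192.168.0.11 443 -persistenceType SOURCEIP -lbMethod LEASTCONNECTION
bind lb vserver vs_HLB_Skype_80 svc_HLB_Skype_80
bind lb vserver vc_HLB_Skype_443 svc_HLB_Skype_443
bind lb vserver vs_RP_Skype_443 svc_RP_Skype_4443
bind lb vserver vs_RP_OWAS_443 svc_RP_OWAS_443
# SSL vServers terminate TLS, so each needs a certificate (SSL_BRIDGE does not)
bind ssl vserver vs_RP_Skype_443 -certkeyName <SKYPE_CERTKEY>
bind ssl vserver vs_RP_OWAS_443 -certkeyName <OWAS_CERTKEY>

# Content-switching vServer on the DMZ 1 address, with classic-syntax Host rules
add cs vserver vs_cs_RP_Skype_443 SSL <DMZ1_VIP> 443
add cs policy pol_cs_RP_Skype -rule "REQ.HTTP.HEADER Host == lyncdiscover.domain.com || REQ.HTTP.HEADER Host == ext.domain.com || REQ.HTTP.HEADER Host == dialin.domain.com"
add cs policy pol_cs_RP_OWAS -rule "REQ.HTTP.HEADER Host == OWAS.domain.com"
bind cs vserver vs_cs_RP_Skype_443 -policyName pol_cs_RP_Skype -targetLBVserver vs_RP_Skype_443
bind cs vserver vs_cs_RP_Skype_443 -policyName pol_cs_RP_OWAS -targetLBVserver vs_RP_OWAS_443
bind ssl vserver vs_cs_RP_Skype_443 -certkeyName <PUBLIC_CERTKEY>
```

After loading the commands, `show service svc_RP_OWAS_443` reports the state of the bound monitor, and `save ns config` persists the changes.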

 

I hope this will help you to configure NetScaler to use with Skype.

 
