Load Balancer Requirements for Edge Servers

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

You can use load balancers to distribute incoming connections across multiple edge servers. You deploy load balancers for traffic from both the external network and the internal network. A single load balancer can be used for all three server roles; however, using separate virtual IP addresses (VIPs) for each server role is recommended. If you are deploying in a scaled single-site edge topology or a scaled remote-site edge topology, you must use a load balancer.

For load-balanced Web Conferencing Edge Servers and A/V Edge Servers in the perimeter network, outgoing requests are connected directly to a specific Web Conferencing Edge Server or A/V Edge Server. These outgoing requests are handled as follows:

  • Each time an internal Web Conferencing Server starts up, it looks up the Web Conferencing Edge Servers that are configured in its environment, and then it looks up the DNS A record of each. The internal Web Conferencing Server then initiates four outbound TCP connections to the internal IP and port of each Web Conferencing Edge Server.

  • The load balancer for the A/V Edge Servers routes each A/V request to one of the A/V Edge Servers, which then manages the connection until it ends.

The basic requirements for load balancing are as follows:

  • If you want to load balance Web Conferencing Edge Servers, you must collocate each Web Conferencing Edge Server with an Access Edge Server. The A/V Edge Server must not be collocated on the same server.

  • The external interfaces of multiple collocated Access Edge Servers and Web Conferencing Edge Servers must be load balanced; however, only the internal interface of the Access Edge Servers in this configuration should be load balanced. The internal interface of the Web Conferencing Edge Servers must not be load balanced.

  • The load balancer must provide a configurable TCP idle-timeout interval with a maximum value greater than or equal to the minimum of the REGISTER refresh or SIP Keep-Alive interval of 20 minutes.

  • All Access Edge Servers and Web Conferencing Edge Servers that are connected to the load balancer must be configured identically, including identical internal and external ports, Allow lists, Block lists, federated partners, internal domain lists, internal server lists, remote user settings, and proxy connections.

  • Certificates must be installed and configured to support load balancing (as covered in the Microsoft Office Communications Server 2007 Edge Server Deployment Guide).

  • Federated partner Access Edge Servers and remote user clients must target the virtual IP address used by the Access Edge Server array on the external load balancer.

  • The internal next hop server (typically, a Director) must target the virtual IP address used by the Access Edge Server on the internal load balancer. If you are deploying a Director for an Enterprise Pool, you do this as part of the Director configuration, as covered in Microsoft Office Communications Server 2007 Edge Server Deployment Guide.

Sample Configuration

The following figure shows how a load balancer is configured for collocated Access Edge Servers and Web Conferencing Edge Servers and two dedicated A/V Edge Servers. In the diagram below, two Access Edge Servers are collocated with Web Conferencing Edge Servers in an array. These servers are called A and B. Two dedicated A/V Edge Servers are called C and D. These servers are configured as follows:

  • Each server role—A/V Edge Server, Web Conferencing Edge Server, and Access Edge Server—has its own external FQDN that resolves to a separate VIP on the external load balancer. In this example:

    • Access Edge Servers use the external FQDN of ExternalAccessLB.contoso.com.

    • Web Conferencing Edge Servers use the external FQDN of ExternalWebLB.contoso.com.

    • A/V Edge Servers use the external FQDN of ExternalAVLB.contoso.com.

  • The Access Edge Servers and the A/V Edge Servers each have a unique internal FQDN that resolves to a separate VIP on the internal load balancer. In this example:

    • Access Edge Servers use the internal FQDN of InternalAccessLB.corp.contoso.com.

    • A/V Edge Servers use the internal FQDN of InternalAVLB.corp.contoso.com.

  • The Web Conferencing Edge Servers are not load balanced on the internal side.

Internally, a Front-End Server, a Web Conferencing Server, and an A/V Conferencing Server are installed together on three Enterprise Edition Servers in an Enterprise pool in the consolidated configuration (Servers E, F, and G). This internal topology is for illustration purposes only. You may install any of the internally supported topologies as discussed in the Planning Guide.

Figure 27   Load Balancing Example


DNS records

The following DNS SRV records are required by the Access Edge Server:

  • If you are enabling public IM connectivity or using DNS-based discovery for your Access Edge Server, an external SRV record, _sipfederationtls._tcp.contoso.com, over port 5061 (where contoso.com is the name of the SIP domain of this organization). This SRV record should point to an A record with the external FQDN of the Access Edge Server that resolves to the VIP on the external load balancer that is used by the Access Edge Servers. In this example, because there is only one SIP domain, only one SRV record like this is needed. If you have multiple SIP domains, you need a DNS SRV record for each. This record is required only if you are enabling public IM connectivity or want to allow other organizations that federate with your organization to discover your Access Edge Server by using DNS.

  • If you are enabling remote user access to IM and presence, a DNS SRV (service location) record for _sip._tls.contoso.com over port 443, where contoso.com is the name of your organization’s SIP domain. This SRV record must point to an A record with the external FQDN of the Access Edge Server that resolves to the VIP on the external load balancer used by the Access Edge Servers. If you have multiple SIP domains, you need a DNS SRV record for each to support automatic configuration of remote users for instant messaging and conferencing. If you are configuring your clients manually, you do not need this DNS SRV record.

The following external DNS A records are required:

  • An external A record for sip.ExternalAccessLB.contoso.com that points to the VIP address used by the Access Edge Servers on the external load balancer in the perimeter network (one A record for each SIP domain).

  • ExternalWebLB.contoso.com resolves to the VIP address used by the Web Conferencing Edge Servers on the external load balancer in the perimeter network.

  • ExternalAVLB.contoso.com resolves to the VIP address used by the A/V Edge Servers on the external load balancer in the perimeter network.

The following internal DNS A records are required:

  • InternalAccessLB.corp.contoso.com points to the VIP of the internal load balancer in the perimeter network used by the Access Edge Servers.

  • InternalAVLB.corp.contoso.com points to the VIP of the internal load balancer in the perimeter network used by the A/V Edge Servers.

  • InternalLB.corp.contoso.com points to the VIP of the load balancer of the Enterprise pool in which the internal A/V Conferencing Servers and Web Conferencing Servers reside.

  • SrvrA.corp.contoso.com points to the internal interface of Web Conferencing Edge Server on Server A.

  • SrvrB.corp.contoso.com points to the internal interface of Web Conferencing Edge Server on Server B.
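The SRV and A records above form a chain: the SRV record for each SIP domain must name a target whose A record resolves to the Access Edge VIP on the external load balancer, on the port the page specifies. The following script, added here as an illustration and not code from the Office Communications Server documentation, audits that chain over a constructed zone that mirrors the sample topology (the VIP addresses are placeholders, and `audit_sip_domains` generalises the check to any number of SIP domains):

```python
"""Audit the external DNS SRV -> A -> VIP chain required by the Access Edge Servers.

Added example, not code from the Office Communications Server documentation.
The zone below is constructed to mirror the sample topology on this page;
the VIP addresses are placeholders from the TEST-NET-3 documentation range.
"""

# Constructed external zone. SRV values are (priority, weight, port, target);
# A values are IPv4 addresses. Names are stored as written on the page and
# matched case-insensitively, as DNS does.
EXTERNAL_ZONE = {
    "SRV": {
        "_sipfederationtls._tcp.contoso.com": (0, 0, 5061, "ExternalAccessLB.contoso.com"),
        "_sip._tls.contoso.com": (0, 0, 443, "ExternalAccessLB.contoso.com"),
    },
    "A": {
        "ExternalAccessLB.contoso.com": "203.0.113.10",  # placeholder Access Edge VIP
        "ExternalWebLB.contoso.com": "203.0.113.11",     # placeholder Web Conferencing Edge VIP
        "ExternalAVLB.contoso.com": "203.0.113.12",      # placeholder A/V Edge VIP
    },
}

# Placeholder: the VIP on the external load balancer used by the Access Edge Servers.
ACCESS_EDGE_VIP = "203.0.113.10"

# The two SRV records the page requires per SIP domain: (service prefix, port).
SRV_RULES = [
    ("_sipfederationtls._tcp", 5061),  # federation / public IM connectivity
    ("_sip._tls", 443),                # remote user access, automatic client configuration
]


def lookup(records, name):
    """Case-insensitive record lookup (DNS names are not case-sensitive)."""
    for key, value in records.items():
        if key.lower() == name.lower():
            return value
    return None


def check_srv_chain(zone, sip_domain, prefix, expected_port, access_vip):
    """Return problems for one SRV -> A -> VIP chain; an empty list means it is correct."""
    name = f"{prefix}.{sip_domain}"
    srv = lookup(zone["SRV"], name)
    if srv is None:
        return [f"missing SRV record {name}"]
    _priority, _weight, port, target = srv
    problems = []
    if port != expected_port:
        problems.append(f"{name}: port {port}, expected {expected_port}")
    address = lookup(zone["A"], target)
    if address is None:
        problems.append(f"{name}: target {target} has no A record")
    elif address != access_vip:
        problems.append(
            f"{name}: target {target} resolves to {address}, not the Access Edge VIP {access_vip}"
        )
    return problems


def audit_sip_domains(zone, sip_domains, access_vip):
    """Each SIP domain needs both SRV chains; returns {domain: [problems]}."""
    return {
        domain: [problem
                 for prefix, port in SRV_RULES
                 for problem in check_srv_chain(zone, domain, prefix, port, access_vip)]
        for domain in sip_domains
    }


if __name__ == "__main__":
    result = audit_sip_domains(EXTERNAL_ZONE, ["contoso.com"], ACCESS_EDGE_VIP)
    for domain, problems in result.items():
        print(domain, "OK" if not problems else problems)
```

Run it against a real zone by replacing the constructed dictionaries with the output of your DNS tooling; an SRV record that points at the Web Conferencing or A/V VIP instead of the Access Edge VIP is reported, as is a SIP domain with no SRV records at all.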

Certificates

The certificates are configured in the following way:

  • The external interface of each load-balanced Access Edge Server has a certificate with a subject name (SN) of ExternalAccessLB.contoso.com. You would configure this certificate on Server A, mark it as exportable, and then import it to Server B. (Each server in the Web Conferencing Edge Server and Access Edge Server array must use the same certificate.) If this organization were supporting multiple SIP domains, each supported SIP domain would need to be added to the SAN.

  • The external interface of the Web Conferencing Edge Server has a certificate with a subject name (SN) of ExternalWebLB.contoso.com. You would configure this certificate on Server A, mark it as exportable, and then import it to Server B. (Each server in the Web Conferencing Edge Server and Access Edge Server array must use the same certificate.)

  • No certificate is required on the external interface of the A/V Edge Server.

  • The internal interface of each Access Edge Server has a certificate with an SN of InternalAccessLB.corp.contoso.com. This certificate is shared with the internal edge of the Web Conferencing Edge Server. You would configure this certificate on Server A, mark it as exportable, and then import it to Server B. (Each server in the Web Conferencing Edge Server and Access Edge Server array must use the same certificate.)

  • The internal edge of the A/V Edge Server has a certificate with an SN of InternalAVLB.corp.contoso.com. You would configure this certificate on Server C, mark it as exportable, and then import it to Server D. (Each server in the A/V Edge Server array must use the same certificate.)

  • The internal edge of the A/V Edge Server is configured with an additional certificate used for A/V authentication. The same A/V authentication certificate must be installed on each A/V Edge Server. This means that the certificate must be from the same issuer and use the same private key. For this reason, the same certificate must be imported on all A/V Edge Servers in the array.

Internal Web Conferencing Servers in Your Enterprise Pool:

  • Each internal Web Conferencing Server in the Enterprise pool has a certificate with the subject name (SN) of InternalLB.corp.contoso.com.

Internal A/V Conferencing Servers:

  • Each internal A/V Conferencing Server has a certificate with the subject name (SN) of InternalLB.corp.contoso.com.

Edge Server Configuration

The FQDN of the VIP of the load balancer, InternalLB.corp.contoso.com, is configured on the internal server list on each Edge Server, and port 5061 is configured as the port. (You can configure this setting with the edge server wizard, or in Computer Management on the Internal tab of the edge server properties page.)

Trusted Edge Server List in Active Directory

The trusted edge server list in Active Directory is configured when you run the Configure Pool or Server wizard and configure external access, or you can configure it manually on the Edge Server tab in Global Properties. (See the Microsoft Office Communications Server 2007 Administration Guide for step-by-step instructions.) This list defines the edge servers that internal servers allow to connect to them. The FQDN of each VIP on the internal load balancer of the edge servers must be added to this list. In this example: InternalAccessLB.corp.contoso.com and InternalAVLB.corp.contoso.com.
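The certificate rules above (one exported certificate shared by every member of an array, a subject name equal to the VIP FQDN, every SIP domain present in the external Access Edge SAN) and the trusted edge server list in Active Directory are all consistency checks between configuration items, so they are easy to audit. The script below is an added illustration, not code from the Office Communications Server documentation; its server inventory mirrors servers A through D from the sample, the thumbprints are constructed placeholders (an equal thumbprint stands for the same exported certificate and private key), and the A/V authentication certificate's subject is a placeholder because the page does not specify one:

```python
"""Check the certificate and trusted-edge-server rules from the sample configuration.

Added example, not code from the Office Communications Server documentation.
The inventory mirrors servers A-D on this page; thumbprints are constructed
placeholders, and an equal thumbprint stands for the same exported certificate.
"""

# Expected subject name for each edge interface that sits behind a load-balancer VIP.
EXPECTED_SUBJECT = {
    "access-external": "ExternalAccessLB.contoso.com",
    "webconf-external": "ExternalWebLB.contoso.com",
    "access-internal": "InternalAccessLB.corp.contoso.com",
    "av-internal": "InternalAVLB.corp.contoso.com",
}

# Internal VIP FQDNs that the Active Directory trusted edge server list must contain.
INTERNAL_VIP_INTERFACES = ("access-internal", "av-internal")


def cert(server, interface, subject, sans, thumbprint):
    """Build one constructed inventory entry for a (server, interface) pair."""
    return {"server": server, "interface": interface, "subject": subject,
            "sans": list(sans), "thumbprint": thumbprint}


# Constructed inventory of certificates as installed on servers A-D.
INVENTORY = [
    cert("A", "access-external", "ExternalAccessLB.contoso.com",
         ["ExternalAccessLB.contoso.com", "contoso.com"], "TP-EXT-ACCESS"),
    cert("B", "access-external", "ExternalAccessLB.contoso.com",
         ["ExternalAccessLB.contoso.com", "contoso.com"], "TP-EXT-ACCESS"),
    cert("A", "webconf-external", "ExternalWebLB.contoso.com",
         ["ExternalWebLB.contoso.com"], "TP-EXT-WEB"),
    cert("B", "webconf-external", "ExternalWebLB.contoso.com",
         ["ExternalWebLB.contoso.com"], "TP-EXT-WEB"),
    cert("A", "access-internal", "InternalAccessLB.corp.contoso.com",
         ["InternalAccessLB.corp.contoso.com"], "TP-INT-ACCESS"),
    cert("B", "access-internal", "InternalAccessLB.corp.contoso.com",
         ["InternalAccessLB.corp.contoso.com"], "TP-INT-ACCESS"),
    cert("C", "av-internal", "InternalAVLB.corp.contoso.com",
         ["InternalAVLB.corp.contoso.com"], "TP-INT-AV"),
    cert("D", "av-internal", "InternalAVLB.corp.contoso.com",
         ["InternalAVLB.corp.contoso.com"], "TP-INT-AV"),
    # A/V authentication certificate: subject is a placeholder (not given on the page).
    cert("C", "av-auth", "AV-AUTH-SUBJECT-PLACEHOLDER", [], "TP-AV-AUTH"),
    cert("D", "av-auth", "AV-AUTH-SUBJECT-PLACEHOLDER", [], "TP-AV-AUTH"),
]

# Constructed Active Directory trusted edge server list for the sample.
TRUSTED_EDGE_SERVERS = ["InternalAccessLB.corp.contoso.com", "InternalAVLB.corp.contoso.com"]


def check_identical_per_interface(inventory):
    """Every server in an array must present the same certificate on a given interface."""
    thumbprints = {}
    for c in inventory:
        thumbprints.setdefault(c["interface"], set()).add(c["thumbprint"])
    return [f"{iface}: {len(tps)} different certificates across the array"
            for iface, tps in sorted(thumbprints.items()) if len(tps) > 1]


def check_subject_matches_vip(inventory, expected=EXPECTED_SUBJECT):
    """The subject name must be the VIP FQDN clients and internal servers connect to."""
    problems = []
    for c in inventory:
        want = expected.get(c["interface"])
        if want and c["subject"].lower() != want.lower():
            problems.append(f"{c['server']}/{c['interface']}: subject {c['subject']}, expected {want}")
    return problems


def check_san_covers_sip_domains(inventory, sip_domains):
    """The external Access Edge certificate must list every supported SIP domain in its SAN."""
    problems = []
    for c in inventory:
        if c["interface"] != "access-external":
            continue
        sans = {s.lower() for s in c["sans"]}
        for domain in sip_domains:
            if domain.lower() not in sans:
                problems.append(f"{c['server']}/access-external: SIP domain {domain} missing from SAN")
    return problems


def check_trusted_edge_list(trusted_list, expected=EXPECTED_SUBJECT):
    """Return internal VIP FQDNs that are missing from the AD trusted edge server list."""
    present = {t.lower() for t in trusted_list}
    return [expected[i] for i in INTERNAL_VIP_INTERFACES if expected[i].lower() not in present]


def audit(inventory, sip_domains, trusted_list):
    """Run all checks; an empty list means the configuration matches the page's rules."""
    return (check_identical_per_interface(inventory)
            + check_subject_matches_vip(inventory)
            + check_san_covers_sip_domains(inventory, sip_domains)
            + [f"trusted edge server list is missing {n}" for n in check_trusted_edge_list(trusted_list)])


if __name__ == "__main__":
    print(audit(INVENTORY, ["contoso.com"], TRUSTED_EDGE_SERVERS) or "configuration consistent")
```

To audit a real deployment, populate the inventory from the certificates actually bound on each edge server's interfaces and the trusted list from Global Properties; a server that received a freshly issued certificate instead of the exported copy shows up as a second thumbprint on that interface, which is exactly the condition that breaks the shared-certificate requirement for the array.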

Web Conferencing Edge Servers Configured on the Pool or Server

The list of trusted Web Conferencing Edge Servers contains an entry for each Web Conferencing Edge Server with its internal and external FQDN and port number. These entries are configured when you run the Configure Pool or Server wizard and configure external access or you can configure these entries manually on the Web Conferencing Edge Server tab in the pool or server properties.

In the example, the internal pool would have these entries:

Server A:

  • Internal FQDN: SrvrA.corp.contoso.com

  • Internal port: 8057

  • External FQDN: ExternalWebLB.contoso.com

  • External port: 443

Server B:

  • Internal FQDN: SrvrB.corp.contoso.com

  • Internal port: 8057

  • External FQDN: ExternalWebLB.contoso.com

  • External port: 443

A/V Edge Servers Configured on the Pool or Server

The list of trusted A/V Edge Servers is defined at the global level and the pool uses these settings when you configure your Standard Edition Server or Enterprise pool. Additionally, you specify the internal FQDN of the A/V Edge Server used by this server or pool. You can also update the A/V Edge Server used by your server or pool manually on the A/V Edge Server tab in the pool or server properties.

In the example, the internal pool would have these entries that apply to all servers in the pool:

  • Internal FQDN: InternalAVLB.corp.contoso.com

  • Internal ports: TCP 443, 5062; UDP 3478

  • External FQDN: ExternalAVLB.contoso.com

  • External ports: TCP 443; UDP 3478