F5 configuration for OCS R2 Enterprise Edition

Getting our OCS R2 deployment working has been a matter of trial and error, and at times it was very tiring trying to coordinate the OCS and F5 teams onto the same path. Nevertheless, the information below should help other hapless souls get this configuration working. The table below should help anyone get the right settings so that all the different parts of an OCS R2 deployment work when using an F5 to load balance multiple front end servers in a consolidated deployment.



To configure a health monitor for 5061 using the web F5 admin interface (information taken from F5 OCS R1 configuration document):
1. On the Main tab, expand Local Traffic, and then click Monitors. The Monitors screen opens.
2. Click the Create button. The New Monitor screen opens.
3. In the Name box, type a name for the Monitor.
4. From the Type list, select HTTPS. The TCP Monitor configuration options appear.
5. From the Configuration list, select Advanced. The advanced configuration options appear.
6. In the Configuration section, in the Interval and Timeout boxes, type an Interval and Timeout.
7. In the Alias Service Port box, type 5061.
8. Click the Finished button.

From the .conf file it will look something like this:
monitor ocs-frontend-sip-5061 {
    defaults from https
    interval 30
    timeout 91
    dest *:5061
}
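
A small check for the monitor stanza above, as an added example that is not from the original post or from F5: it parses monitor stanzas in the form shown and flags any whose parent, port, or interval/timeout pairing differs from the post's values. The 3 × interval + 1 timeout rule is F5's general monitor guidance rather than something the post states; the function names and the second sample stanza are constructed for illustration.

```python
import re

# One stanza in the form shown in the post: "monitor <name> { ... }".
STANZA = re.compile(r"^monitor\s+(\S+)\s*\{(.*?)\}", re.S | re.M)

def parse_monitors(conf_text):
    """Return {monitor_name: {setting: value}} for each monitor stanza."""
    monitors = {}
    for name, body in STANZA.findall(conf_text):
        settings = {}
        for words in (ln.split() for ln in body.splitlines() if ln.strip()):
            # "defaults from https" has a two-word key; the rest are "key value".
            split_at = 2 if words[:2] == ["defaults", "from"] else 1
            settings[" ".join(words[:split_at])] = " ".join(words[split_at:])
        monitors[name] = settings
    return monitors

def lint_monitor(settings, port=5061):
    """Return findings for one monitor; an empty list means it matches the post."""
    findings = []
    if settings.get("defaults from") != "https":
        findings.append("parent monitor is not https")
    if not settings.get("dest", "").endswith(":%d" % port):
        findings.append("dest is not port %d" % port)
    try:
        interval, timeout = int(settings["interval"]), int(settings["timeout"])
    except (KeyError, ValueError):
        return findings + ["interval/timeout missing or not numeric"]
    # F5 guidance: timeout = 3 * interval + 1 (three missed probes mark a member down).
    if timeout != 3 * interval + 1:
        findings.append("timeout %d, expected %d" % (timeout, 3 * interval + 1))
    return findings

def lint_all(conf_text):
    return {n: lint_monitor(s) for n, s in parse_monitors(conf_text).items()}

# Constructed sample: the stanza from the post plus a deliberately wrong one.
SAMPLE = """monitor ocs-frontend-sip-5061 {
defaults from https
interval 30
timeout 91
dest *:5061
}
monitor ocs-frontend-bad {
defaults from tcp
interval 30
timeout 30
}
"""
```

Calling `lint_all(SAMPLE)` returns an empty finding list for the post's monitor and three findings for the constructed bad one.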

Also, you will need to create a TCP profile with an Idle timeout of 1200 seconds and TCP resets enabled on idle timeout, and apply it to each of the F5 pools created.

Of course, all this information is on the internet in various places. The following document is available from MSFT on load balancing requirements for OCS R2, but it’s a general document, not specific to F5.

Hopefully this will help someone out there somewhere :-)

6 comments:

  1. Great Information Chris. Thanks! I was wondering if you have seen implementations with BigIP where the FE's have an IP address and then use the loopback adapter (with the BigIP VIP as the address)? BigIP is not set up as the default gateway in this configuration.

  2. Hi,

    This is the exact configuration we use and the reason to use SNAT. No need to have the front ends on the same subnet as the F5 where the F5 is the default gateway. Everything is happening at layer 3 and allows a lot more flexibility in your setup.

    The most important setting in the information above that can be easily missed or incorrectly set is persistence or, as MSFT call it, affinity. This must be set to source address for everything to function correctly, especially port 5061. The F5 cannot do deep packet inspection because of TLS, so setting that port persistence setting to something like SIP can cause all sorts of issues.

    Thanks for the comment and good question, I am sure it's a question others have as well.

  3. F5 has just released an updated version of the OCS Deployment guide, which now covers R2.

    Go to http://www.f5.com/pdf/deployment-guides/f5-ocs-r2-dg.pdf

  4. Thanks for the link to the new F5 documentation. It is nice to have the official documentation from the vendor at last.

  5. At first glance this document does not talk about persistence, which if incorrectly set will stop your deployment from working and is also a recommended MSFT setting. You may also find you need this setting in your CWA configuration to stop sessions from disconnecting. So as nice as it is to have the document, it still lacks a complete configuration.

  6. We just upgraded from 9 to version 10 and now we are not Federated with anyone. Does anyone know a quick fix?
