How to integrate F5 with SphereShield?

AGAT offers the following methods for integrating F5 with SphereShield:


In-line Approach

In the In-line approach, the F5 load balancer sends traffic to the Bastion reverse proxy, which filters the traffic and sends it to the next hop (usually the next load balancer, which then forwards the traffic to the Skype for Business front-end pool). This is configured manually by your F5 team & in the



Direct Approach (iApp)

In the Direct approach, an iApp is deployed on the F5 load balancer and sends traffic to the Bastion reverse proxy to be filtered. The Bastion then sends the traffic back to the F5 load balancer, which forwards it to the next hop (usually the next load balancer, which then forwards the traffic to the Skype for Business front-end pool). This is configured in the iApp and in the Bastion.xml.



Should I choose the In-Line or the Direct approach?

The In-line approach is our best practice, although it does require more configuration on the F5 team side.

The Direct approach requires less configuration by the F5 team, but it is less favored.


How to configure the iApp?

External Connection to Bastion Servers configuration

"What IP Address do you want to use for the client virtual server?" - Should be an available IP address in the subnet. This creates a VIRT (virtual server), also known as a VIP (virtual IP), to load balance the traffic to the Bastions.

"Description" - Any text that would help you identify this configuration

"Add at least one filter(bastion) address" - Enter the IP and listener of the Bastion on your subnet, e.g.:

In case you have more than one Bastion server, you can click on "Add".

"HealthMonitor" - Choose an HTTPS Health Monitor that you have created. (Check our Admin Guide in order to see how our Health monitor is configured).

Skype for Business Connection from Bastion Configuration

"IP address of SFB Virt" - Should be an available IP address in your subnet. This creates a VIRT, also known as a VIP, to load balance the traffic to the next hop (e.g. the next F5, the DMZ to LAN firewall, etc.).

"Description" - Any text that would help you identify this configuration

"sfbnode" - Enter the IP address of the next hop, the host headers of the requests that need to be forwarded to the Skype for Business Front-End (e.g. Lyncdiscover, Skype Web external services, Meet, etc.), and the port on which the next hop listens. Click "Add" to add more host headers.

Example:

"ProfileClientSSLCert" - Add the imported certificate that matches the hosts you configured.

"ProfileClientSSLKey" - Add the imported certificate key that matches your certificate.

"SSLChain" - Add the imported certificate SSL Chain that matches your certificate.


EWS Connection from Bastion Configuration

Here you can choose whether to publish EWS (Exchange Web Services) through our Bastion server so that it is filtered by our EWS Protector filter.

As this is optional, you can leave this as "no" if you do not wish to publish EWS via AGAT's Bastion.

"IP Address of EWS VIRT" - Should be an available IP address in your subnet. This creates a VIRT, also known as a VIP, to load balance the traffic to the next hop (e.g. the next F5, the DMZ to LAN firewall, etc.).

"Description" - Any text that would help you identify this configuration

"ewsnode" - Enter the IP address of the next hop, the host headers of the requests that need to be forwarded to the Skype for Business Front-End (e.g. Autodiscover), and the port on which the next hop listens. Click "Add" to add more host headers.

Example:

"ProfileClientSSLCert" - Add the imported certificate that matches the hosts you configured.

"ProfileClientSSLKey" - Add the imported certificate key that matches your certificate.

"SSLChain" - Add the imported certificate SSL Chain that matches your certificate.