Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 13 – Cisco VCS and hardware load balancers in front of a bank of FEPs
Cisco VCS Deployment Guide: Microsoft Lync 2010 and Cisco VCS X6.1
Page 77 of 81
TLS connection
When a TLS connection is made through the load balancer, the load balancer routes the whole TLS
stream through to the same destination device (FEP). If the FEP were to fail then the load balancer
would route the TLS traffic to an alternative FEP. Having all traffic routed to the same FEP is not a
disadvantage in that the majority of traffic into Lync Server is from Lync clients, and it is these that
need to be balanced across FEPs. The HLB provides the resilience required for the Cisco VCS such
that if an FEP fails, Cisco VCS will be routed to another FEP, and in fact all traffic going through a
single FEP makes following the signaling path easier in case debugging is required.
stream through to the same destination device (FEP). If the FEP were to fail then the load balancer
would route the TLS traffic to an alternative FEP. Having all traffic routed to the same FEP is not a
disadvantage in that the majority of traffic into Lync Server is from Lync clients, and it is these that
need to be balanced across FEPs. The HLB provides the resilience required for the Cisco VCS such
that if an FEP fails, Cisco VCS will be routed to another FEP, and in fact all traffic going through a
single FEP makes following the signaling path easier in case debugging is required.
Responses directly from devices behind a Hardware Load Balancer
If Source Address NATing is enabled on the HLB, responses to messages (like TRYING to an INVITE)
will be routed back to the Cisco VCS via the HLB because the new transaction will be sent to the
‘From’ address, however, mid dialogue requests (like Re-INVITE and BYE) will be sent to the Cisco
VCS directly because they will be sent to the device identified in the Record-route header.
will be routed back to the Cisco VCS via the HLB because the new transaction will be sent to the
‘From’ address, however, mid dialogue requests (like Re-INVITE and BYE) will be sent to the Cisco
VCS directly because they will be sent to the device identified in the Record-route header.
Authentication with TCP
Trusting a VCS IP address (the alternative to communicating over TLS) is a security risk if the HLB is
performing Source Address NATing, because in this case the FEPs will have to Trust the IP address
of the HLB, and so any message sent via the HLB would be treated as trusted.
performing Source Address NATing, because in this case the FEPs will have to Trust the IP address
of the HLB, and so any message sent via the HLB would be treated as trusted.
If Source Address NATing is not enabled on the HLB then the IP address of the Cisco VCS can be
trusted.
trusted.