CWA Error through F5 Load Balancer: Your Connection was ended. Please Sign in Again. (Error Code: 0-1-482)
On a recent deployment we deployed CWA internally and externally using ISA Server 2006. The customer decided they wanted to provide high availability to the CWA service, so we introduced a hardware load balancer to provide that functionality. After we set the two servers with identical site settings behind the load balancer we started having users receive this error when connecting to the CWA site:
At first glance, deploying CWA through a load balancer would seem pretty basic: they are websites you access over HTTPS. However, there is some key information in the R2 documentation for deploying CWA behind a load balancer: http://technet.microsoft.com/en-us/library/dd441196(office.13).aspx
Communicator Web Access supports most hardware load balancers, provided that the load balancer:
- Allows you to set the TCP idle timeout to 1,800 seconds (30 minutes). The TCP idle timeout represents the amount of time the server will wait for information during a session. If you are using a reverse proxy server (such as Microsoft Internet Security and Acceleration Server) then the TCP idle timeout on that computer should also be set to 1,800 seconds.
- Allows you to use a source network address translation (SNAT) pool if you need to handle more than 65,000 simultaneous connections. SNAT is designed to "hide" multiple servers behind a single IP address (that is, a number of servers can be accessed using just one IP address). With a SNAT pool, servers can be hidden behind multiple IP addresses.
- Allows you to use cookie persistence when configuring session affinity. With cookie persistence, information about the actual Communicator Web Access server being used for a session is stored in an Internet cookie on the client computer. When configuring the load balancer’s session persistence profile it is recommended that you use "HTTP Cookie Insert." With this configuration method, information about the server to which the client is connected is inserted in the header of the HTTP response from that server as a cookie.
Our issue was related to the persistence profile. When a user connects to CWA they must maintain a connection to the same server as the initial connection or it will not work. The persistence profile, using an HTTP Cookie Insert method, will enable this persistence.
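The persistence requirement described above, as a small Python model added here (it is not code from the original post, from F5 or from Microsoft). It compares plain round-robin with HTTP Cookie Insert for one user against two servers. The cookie name `LBSERVER`, the server names `cwa1`/`cwa2` and the use of a 401 status to stand in for the dropped session are assumptions for illustration.

```python
"""Toy model of HTTP Cookie Insert persistence (constructed example)."""
import itertools

class Backend:
    """Stands in for one CWA server; sessions live only in its own memory."""
    def __init__(self, name):
        self.name = name
        self.sessions = set()

    def handle(self, user, signing_in):
        if signing_in:
            self.sessions.add(user)
            return 200
        # A server that never saw the sign-in cannot continue the session.
        return 200 if user in self.sessions else 401

class LoadBalancer:
    COOKIE = "LBSERVER"  # hypothetical cookie name

    def __init__(self, backends, cookie_insert):
        self.backends = {b.name: b for b in backends}
        self.cookie_insert = cookie_insert
        self._rr = itertools.cycle(backends)

    def request(self, user, cookies, signing_in=False):
        # Honour an existing persistence cookie, otherwise round-robin.
        pinned = self.backends.get(cookies.get(self.COOKIE)) if self.cookie_insert else None
        backend = pinned or next(self._rr)
        status = backend.handle(user, signing_in)
        if self.cookie_insert:
            cookies[self.COOKIE] = backend.name  # inserted into the HTTP response
        return status, backend.name

def run_session(cookie_insert, polls=4):
    """Sign in once, then poll; return the list of (status, server) pairs."""
    lb = LoadBalancer([Backend("cwa1"), Backend("cwa2")], cookie_insert)
    jar = {}  # the client's cookie jar
    results = [lb.request("alice", jar, signing_in=True)]
    results += [lb.request("alice", jar) for _ in range(polls)]
    return results

if __name__ == "__main__":
    print("no persistence:", run_session(False))
    print("cookie insert :", run_session(True))
```

Without persistence every second request lands on the server that never saw the sign-in; with the inserted cookie all requests stay on the first server chosen.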
We were using an F5 BIG-IP LTM load balancer for this deployment, and we actually chose “Source Address Affinity”. Below you can see a screenshot of the persistence profile used in this configuration.