Multi-tier firewall
-
09/Sha'ban/1428 09:21 AM
Hi, We have a multi-tier firewall environment to get to our internal network. I was wanting to know what is the recommended way to get through the firewalls? Can we use multiple edge servers to route between the firewall zones?
All replies
-
11/Sha'ban/1428 03:28 PM
Hi,
If you have 2 firewalls, you can do something like this:
INTERNET-------FIREWALL---------EdgeServer-----FIREWALL------Internal Network-----Front-EndServer
The OCS Edge Server Deployment Doc has a lot of detail on how to configure the firewalls for OCS Edge to work properly. It will give you the inside and outside ports/IP addresses to open. The docs are available here:
If you have more than 2 firewalls, you'll have to post more details on what your setup is like.
Regards,
Matt
-
05/Dhu al-Hijjah/1428 01:39 PM
Thanks, My question should really have read two DMZs. The configuration we need is more like:
INTERNET-------FIREWALL_1---------EdgeServer-----FIREWALL_2----------???????------ FIREWALL_3---------Internal Network-----Front-EndServer
Any help with this would be much appreciated.
Regards,
-
05/Dhu al-Hijjah/1428 02:35 PM
Moderator
The Edge server needs to talk to a Director or Front-End server so I don't think there's a way to link two of them. For a full deployment you'll need to make sure you can route to at least one public IP address on the Edge external as well as route traffic between the internal network and the Edge internal interface. You cannot use NAT on traffic between the Front-End and Edge servers. If you are double-natting traffic from internal-to-external across three firewalls then you might have to get creative with your deployment.
-
06/Dhu al-Hijjah/1428 12:41 AM
Thanks, we thought the issue was due to double NATting but have not seen any products that would fix the issue. I guess the other question is if we have a hardware load balancer in front of the front end edge servers, then the load balancer is going to perform another NAT.
-
06/Dhu al-Hijjah/1428 04:04 PM
Moderator
The Front-End load balancer shouldn't be performing NAT, you'd just want to use a virtual IP in the same subnetwork as the IP addresses already bound to each Enterprise server's physical interface.
Also, you can set up a single Enterprise server pool without using a load-balancer, simply bind a second IP address to the Enterprise Front-End server and use that for your pool record. Then when a second server is added to the mix just transition that 'virtual' IP over to the hardware balancer.
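The two moderator replies above lay out three placement constraints: a routable public address on the Edge external side, no NAT on the path between the Edge internal interface and the Front-End/Director, and a pool VIP that sits in the same subnet as the Front-End interfaces without the load balancer translating addresses. The following script encodes those constraints as a pre-deployment check; it is an added example, not code from the thread or from the OCS documentation, and the hop names, addresses and the `Topology`/`Hop` types are constructed for illustration.

```python
"""Sanity-check an OCS Edge / Front-End layout against the constraints from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 1918 ranges; an Edge external address in one of these is not Internet-routable.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Hop:
    """One device (firewall/router) on the path between Edge internal and the Front-End."""
    name: str
    nat: bool = False  # True if this device translates addresses for that traffic

@dataclass
class Topology:
    edge_external_ip: str           # address the Internet reaches on the Edge external side
    edge_to_frontend: List[Hop]     # devices between the Edge internal interface and Front-End/Director
    frontend_ifaces: List[str]      # physical Front-End interfaces in CIDR form, e.g. "10.20.0.11/24"
    pool_vip: Optional[str] = None  # hardware load balancer VIP for the pool, if one is used
    lb_nat: bool = False            # True if the load balancer NATs pool traffic (SNAT/DNAT)

def check_topology(t: Topology) -> List[str]:
    """Return the list of violated constraints; an empty list means the layout is acceptable."""
    problems = []
    ext = ipaddress.ip_address(t.edge_external_ip)
    if ext.is_loopback or ext.is_link_local or any(ext in n for n in RFC1918):
        problems.append(f"Edge external address {ext} is not a public address")
    nat_hops = [h.name for h in t.edge_to_frontend if h.nat]
    if nat_hops:
        problems.append("NAT between Edge and Front-End at: " + ", ".join(nat_hops))
    if t.pool_vip is not None:
        vip = ipaddress.ip_address(t.pool_vip)
        nets = {ipaddress.ip_interface(i).network for i in t.frontend_ifaces}
        if not all(vip in n for n in nets):
            problems.append(f"pool VIP {vip} is outside the Front-End subnet(s) {sorted(map(str, nets))}")
        if t.lb_nat:
            problems.append("load balancer performs NAT on Front-End pool traffic")
    return problems

if __name__ == "__main__":
    # Constructed example: the three-firewall layout from the thread with NAT on both inner firewalls.
    layout = Topology("203.0.113.10", [Hop("FIREWALL_2", nat=True), Hop("FIREWALL_3", nat=True)],
                      ["10.20.0.11/24", "10.20.0.12/24"], pool_vip="10.30.0.100", lb_nat=True)
    for p in check_topology(layout):
        print("PROBLEM:", p)
```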
-
06/Dhu al-Hijjah/1428 10:39 PM
Cheers. The front end server is not performing the NAT, but the hardware load-balancer is. The OCS deployment guides recommend setting it up with SNAT.
I guess I still need a solution for directing traffic through two DMZ segments.... do you know of any third-party products that could sit either between the internet and the edge server, or between the edge server and the front-end pool/director?
-
01/Muharram/1429 10:37 AM
Does anyone know of any Director documentation? The MS stuff is pretty light and I would like some more in-depth information.