Customer doesn’t want edge servers in DMZ

  • Tuesday, 28 July 2009 7:28 PM

    I’m working on an OCS 2007 R2 installation where the customer prefers not to put their OCS 2007 R2 Edge servers in their DMZ, nor do they want to allow network traffic to travel from the internet all the way in to their internal network.

    Basically, they would like their OCS implementation to work similar to Exchange, using ISA servers in their DMZ as a proxy for their OCS traffic, using the consolidated edge servers like client access servers in Exchange.

    I really haven’t found this sort of implementation documented anywhere, and of course, I’m having trouble actually making anything work the way they want.  They have really pushed back on putting an edge interface in the DMZ.

    If there is any possible way to use ISA as an application proxy for OCS web conferencing and access, can someone please help me out with some steps on setting that up?

    Thanks,
    Joseph Durnal

All Replies

  • Tuesday, 28 July 2009 9:53 PM
    Moderator
     
     Answered
    Joseph,

    I feel your pain, that argument is really based more on fear than reality.  The sole point of the Edge server is to not have to punch 100 holes in internal firewalls to provide for services directly from internal servers.  Deviating from the recommended deployment just moves toward a less-secure deployment with all sorts of band-aids and hacks required to get the desired functionality.

    That said, you could put the Edge servers internally, but then all of the External Edge listening ports (including a large range of media ports) will need to be opened on an internal firewall instead of an external firewall.  It may be possible to get IM/Presence working like this, but allowing for media traversal (which includes Desktop Sharing) would be a nightmare.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
  • Tuesday, 28 July 2009 11:01 PM

    A lot can be said for setting it up just like the picture on TechNet :).   I have a meeting with the security department and basically, they will have the choice to scrap key features of the OCS deployment.  Sometimes, it just takes some convincing.  I've done it the supported way in environments with stronger security requirements.  Like you said, that is the point of the edge server, I just need to drive that point home.

    Joseph Durnal

  • Wednesday, 29 July 2009 12:08 PM
    This is a very good white paper that explains everything about the Edge server and DMZ.
    Your security people should definitely read it.

    Designing Your Perimeter Network for Office Communications Server 2007 White Paper
    http://www.microsoft.com/downloads/details.aspx?FamilyID=e4a8d703-e41a-47d9-b9dd-2799f894af92&DisplayLang=en
    - Belgian Unified Communications Community : http://www.pro-exchange.be -