Tuesday, 28 July 2009 7:28 PM
I’m working on an OCS 2007 R2 installation where the customer prefers not to put their OCS 2007 R2 Edge servers in their DMZ, nor do they want to allow network traffic to travel from the internet all the way in to their internal network.
Basically, they would like their OCS implementation to work similar to Exchange, using ISA servers in their DMZ as a proxy for their OCS traffic, using the consolidated edge servers like client access servers in Exchange.
I really haven’t found this sort of implementation documented anywhere, and of course, I’m having trouble actually making anything work the way they want. They have really pushed back on putting an edge interface in the DMZ.
If there is any possible way to use ISA as an application proxy for OCS web conferencing and access, can someone please help me out with some steps on setting that up?
Tuesday, 28 July 2009 9:53 PMModeratorJoseph,
I feel your pain, that argument is really based more on fear than reality. The sole point of the Edge server is to not have to punch 100 holes in internal firewalls to provide for services directly from internal servers. Deviating from the recommended deployment just moves toward a less-secure deployment with all sorts of band-aids and hacks required to get the desired functionality.
That said, you could put the Edge servers internally, but then all off the External Edge listening ports (including a large range of media ports) will need to opened on an internal firewall instead of an external firewall. It may be possible to get IM/Presence working like this, but allowing for media traversal (which includes Desktop Sharing) would be a nightmare.
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
- Marked As Answer by Joseph M Durnal Tuesday, 28 July 2009 10:42 PM
Tuesday, 28 July 2009 11:01 PM
A lot can be said for setting it up just like the picture on technet :). I have a meeting with the security department and basically, they will have the choice to scrap key features of the OCS deployment. Some times, it just takes some convincing. I've done it the supported way in environments with stronger security requirements. Like you said, that is the point of the edge server, I just need to drive that point home.
Wednesday, 29 July 2009 12:08 PMThis is a very good White paper that explains everything about the EDGE server and DMZ
You security people should definately read it
Designing Your Perimeter Network for Office Communications Server 2007 White Paper
- Belgian Unified Communications Community : http://www.pro-exchange.be -