Single Edge server deployment with ISA 3-leg FW and 1 public IP
-
Thursday, August 27, 2009 9:58 AM
Hi,
My company wants me to plan an OCS 2007 R2 deployment, but I'm facing constraints due to our network topology.
Here is the general setup:
Router (ext interface 1 public IP, int interface 192.168.1.1)
|
|
|
--------- (ext: 192.168.1.2)
| ISA |
|server|---(DMZ: 192.168.2.1)----------------consolidated single OCS Edge (4 private DMZ IPs)
| 2006 |
--------- (int: 192.168.3.1)
|
|
|LAN (192.168.3.xxx)
|
------------------
| | |
AD MOSS OCS front-end
More details:
- ISA Server 2006 acting as a 3-leg firewall and reverse proxy. All the traffic from the router will be forwarded to the ISA Server. I cannot bind the public IP on the ISA and leave the router.
- In the LAN subnet (192.168.3.xxx), 1 OCS front-end server
- In the DMZ subnet (192.168.2.xxx), 1 OCS edge server with 2 network cards (access, av, webcon on the 1st, ocsedge on the 2nd). Here are the private IPs:
access.company.com  -> 192.168.2.1
av.company.com      -> 192.168.2.2
webcon.company.com  -> 192.168.2.3
ocsedge.company.com -> 192.168.2.10 - internal communication with the OCS front-end
On external DNS records, av, webcon and access.company.com will point to the same and unique public IP we have.
The ISA Server will forward the required ports to the different private IP of the OCS Edge server.
I know that the AV IP should be public, but since I'm not using a scaled edge it should be ok.
I also know that this is not the perfect setup at all, but I cannot afford for the moment having 2 firewalls.
My question is:
Is my configuration going to work?
a) Specifically, I only have a single public IP and I don't know if it will correctly work for the external users, since port 443 is used by access, webcon and av (maybe ISA publishing rules could help?).
b) Concerning the ocsedge IP (192.168.2.10), it is on the same subnet as the other OCS Edge roles. Will it work correctly?
c) If not, can I give the ocsedge an IP in the LAN subnet? I know doing that will bypass the firewall, so it will be less secure.
Thanks for your answers!
- Edited by Superjoe Thursday, August 27, 2009 10:03 AM Minor corrections
All Replies
-
Thursday, August 27, 2009 12:52 PM
Well, with only 1 external IP this will not work. You can now NAT all of the roles on the edge. But it still requires 4 public IPs total, 3 for the edge server and 1 for the proxy.
The best thing to do is call the provider and ask for a block of 5 IPs.
Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT -
Thursday, August 27, 2009 1:03 PM
Well, I guess I'll have to ask for a change of the crappy router and provider subscription we currently own, because currently there is no way to add public IPs.
So ok, let's say I have my block of 5 public IPs.
I will have to bind the 4 public IPs to the ISA server interface, am I correct?
If it is, my a) concern is resolved.
And for the questions b) and c), should I give the ocsedge an IP in the DMZ or the LAN subnet? -
Thursday, August 27, 2009 1:22 PM (Moderator)
Actually you won't be able to use the current configuration with NAT either. Although R2 does support NAT for the A/V role on a consolidated server as Mitch pointed out, it does not work with ISA Server 2006 as the firewall since it doesn't support static NAT. Take a look at this portion of the documentation:
http://technet.microsoft.com/en-us/library/dd441361(office.13).aspx
Your only option would be to put the A/V Edge role on a dedicated interface that is connected to an external firewall configured for either static NAT or simply route the public IP directly to the A/V interface.
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
- Marked As Answer by Gavin-Zhang (Moderator) Friday, September 04, 2009 9:24 AM
-
Thursday, August 27, 2009 2:12 PM
Hum, I think that I'm a bit lost.
As you said, ISA Server 2006 doesn't support static NAT. So I could simply directly route a public IP to the A/V interface.
But I guess I would have to do the same for the webcon and access IPs, is that correct?
In your blog (http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=33), if I consider the 1st supported configuration with NAT, it means that the external firewall CANNOT be an ISA Server 2006?
And in the 2nd supported configuration with 3 publicly routable IP addresses, how is the Edge server protected? Since you directly bind 3 external IPs on the Edge server external interface, the external firewall is not used, or do you configure it to let the public IPs pass through the firewall? -
Thursday, August 27, 2009 2:51 PM (Moderator)
One important point is that blog of mine is specific to pre-R2 and doesn't take into account the R2 NAT supported features.
You would only have to route to the A/V interface and can still use NAT on the Access Edge and Web Conf interface(s).
Yes, the 1st config can't use ISA Server.
In the later scenarios, just because a public IP is assigned to the server itself does not mean it's connected directly to the open Internet. It's still recommended to filter that port on an external firewall. So although the IP is not translated, only the required ports are open and all others filtered.
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
- Marked As Answer by Gavin-Zhang (Moderator) Friday, September 04, 2009 9:24 AM
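An added planning check, not code from this thread or from Microsoft, that encodes the two constraints Mitch and Jeff describe: all three Edge roles listen on TCP 443, so each external interface needs its own public IP, and the A/V Edge only works behind a firewall that does static NAT or routes a public IP straight to its interface, which ISA Server 2006 cannot do. The 203.0.113.x addresses, the plan dictionaries and the firewall records are constructed assumptions; the role port table is the standard OCS 2007 R2 Edge listener set.

```python
from collections import defaultdict

# External listeners per consolidated Edge role. TCP 443 on all three roles is
# the collision the original poster asked about; 5061 is Access Edge federation,
# 3478/UDP is the A/V Edge STUN port. (Standard OCS 2007 R2 values, not from the thread.)
EDGE_ROLE_PORTS = {
    "access": [("tcp", 443), ("tcp", 5061)],
    "webcon": [("tcp", 443)],
    "av": [("tcp", 443), ("udp", 3478)],
}

# Constructed firewall descriptions: ISA 2006 only does dynamic NAT or routing.
ISA_2006 = {"name": "ISA Server 2006", "static_nat": False}
STATIC_NAT_FW = {"name": "firewall with 1:1 static NAT", "static_nat": True}

# The poster's plan: one public IP, every role translated by ISA (constructed).
ORIGINAL_PLAN = {
    "access": {"public_ip": "203.0.113.10", "mode": "nat"},
    "webcon": {"public_ip": "203.0.113.10", "mode": "nat"},
    "av": {"public_ip": "203.0.113.10", "mode": "nat"},
}

# Jeff's recommendation: NAT for Access and Web Conf on their own public IPs,
# a routed public IP for the A/V interface (constructed addresses).
REVISED_PLAN = {
    "access": {"public_ip": "203.0.113.10", "mode": "nat"},
    "webcon": {"public_ip": "203.0.113.11", "mode": "nat"},
    "av": {"public_ip": "203.0.113.12", "mode": "route"},
}


def check_edge_plan(plan, firewall):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    # Group every external listener by (public IP, protocol, port) so that two
    # roles sharing one IP and port show up as a single collision entry.
    listeners = defaultdict(list)
    for role, cfg in plan.items():
        for proto, port in EDGE_ROLE_PORTS[role]:
            listeners[(cfg["public_ip"], proto, port)].append(role)
    for (ip, proto, port), roles in listeners.items():
        if len(roles) > 1:
            problems.append(f"{ip} {proto}/{port} claimed by {', '.join(sorted(roles))}")
    # A/V Edge behind NAT needs static NAT; otherwise route a public IP to it.
    av = plan.get("av")
    if av and av["mode"] == "nat" and not firewall["static_nat"]:
        problems.append(f"av: {firewall['name']} has no static NAT; route a public IP "
                        "to the A/V interface instead")
    return problems
```

Running `check_edge_plan(ORIGINAL_PLAN, ISA_2006)` reports the TCP 443 collision and the A/V NAT problem; `check_edge_plan(REVISED_PLAN, ISA_2006)` reports nothing.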
-
Thursday, August 27, 2009 3:51 PM
Thank you Jeff for those clarifications. I didn't know that it was possible to have public IPs on the DMZ.
I have a last question: On the post in your blog I mentioned, on scenarios using multiple public IPs, it means that you have to buy a block of public IPs, then route these IPs to the DMZ Edge external interface using the external firewall (http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=12 seems to show it is ISA default behavior)? Is ISA Server 2006 capable of this, and do you have some "how-to" links?
Thanks!
- Edited by Superjoe Thursday, August 27, 2009 4:02 PM more details
-
Thursday, August 27, 2009 4:51 PM (Moderator)
Yes, in fact the default configuration for ISA Server 2006 when using the 3rd Leg Perimeter Network Wizard is to define the DMZ as a routable, public IP subnetwork. To change that behavior over to private, other Network Relationship settings need to be flipped. See this blog article for more details: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=12
If nothing else is currently in your DMZ then you should have the flexibility to switch over to using public IPs instead of private IPs.
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
- Marked As Answer by Gavin-Zhang (Moderator) Friday, September 04, 2009 9:24 AM