A/V between firewalled subnets (2007 R2)

  • Question

  • Hi,

    My network has ACLs on a core router restricting access between various different user subnets and also between these subnets and the WIFI. However we want to allow Communicator users to be able to make voice and video calls between subnets and also from WIFI to LAN and vice versa.

    I am also going to deploy a consolidated edge for external access at some point.

    What port ranges would need to be allowed between subnets for A/V to work between Communicator clients - or can I get these to be proxied by the internal NIC of the edge server?

    I'm not sure how to design a deployment for this scenario; I've only seen documentation for a pure internal\external split. Can anyone recommend the best practice here?

    Monday, May 25, 2009 10:48 PM


All replies

  • Hi,

    It would depend upon your network layout - it would probably be simplest if you could put an Edge server on your network where all users can connect to an 'external' interface on ports 443 and 3478. This could be separate from an Edge server used for external access if need be, or the same one using internal IPs. Be careful with DNS in either case, otherwise your clients will try to go direct to the FE and not use the Edge server.

    Alternatively, you could limit the ports used by Communicator, then open the ports necessary on the routers - have a look at this thread from Thom Foreman... http://social.microsoft.com/Forums/en-US/communicationsserversecurity/thread/62b4691a-1d64-4ec6-8da9-c9b6c65717d4 and information on TechNet - http://technet.microsoft.com/en-us/library/bb964029.aspx

    HTH, cheers,

    • Marked as answer by m.r.wallis Friday, October 2, 2009 8:22 AM
    Tuesday, May 26, 2009 8:06 AM
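The reply above proposes two designs: route every client's A/V through an Edge interface reachable on TCP 443 and UDP 3478, or pin Communicator to a narrow port range and open that range on the core router ACLs. Either way the practical check is the same: does the current ACL actually permit the flows the design needs from every client subnet? The following is an added example (not code from the thread or from Microsoft) that models a first-match, implicit-deny ACL and reports which required flows it still blocks. The 443/3478 ports come from the reply; the subnets, the Edge address and the ACL rules are constructed, hypothetical values.

```python
import ipaddress

# Constructed sample ACL (hypothetical): ordered rules, first match wins,
# implicit deny at the end. Fields: action, protocol ("ip" = any),
# source network, destination network, destination port (None = any).
ACL = [
    ("permit", "tcp", "10.1.0.0/16",  "10.200.0.10/32", 443),
    ("permit", "udp", "10.1.0.0/16",  "10.200.0.10/32", 3478),
    ("permit", "tcp", "10.50.0.0/16", "10.200.0.10/32", 443),   # WIFI: 3478/udp forgotten
    ("deny",   "ip",  "10.50.0.0/16", "10.1.0.0/16",    None),  # WIFI -> LAN blocked
    ("deny",   "ip",  "10.1.0.0/16",  "10.50.0.0/16",   None),  # LAN -> WIFI blocked
]

# Flows the Edge-based design needs: every client subnet must reach the
# Edge's client-facing interface on TCP 443 and UDP 3478 (ports from the reply).
EDGE_IP = "10.200.0.10"                            # hypothetical Edge interface
CLIENT_SUBNETS = ["10.1.0.0/16", "10.50.0.0/16"]   # hypothetical LAN and WIFI ranges
REQUIRED = [("tcp", 443), ("udp", 3478)]


def acl_permits(acl, proto, src_ip, dst_ip, dst_port):
    """Evaluate one flow against the ACL: first matching rule decides, else deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rport in acl:
        if rproto not in ("ip", proto):
            continue
        if src not in ipaddress.ip_network(rsrc):
            continue
        if dst not in ipaddress.ip_network(rdst):
            continue
        if rport is not None and rport != dst_port:
            continue
        return action == "permit"
    return False  # implicit deny


def missing_flows(acl, subnets, edge_ip, required):
    """Return (subnet, proto, port) tuples the design needs but the ACL blocks."""
    gaps = []
    for subnet in subnets:
        # Probe with the first usable host address of each subnet.
        sample_host = str(next(ipaddress.ip_network(subnet).hosts()))
        for proto, port in required:
            if not acl_permits(acl, proto, sample_host, edge_ip, port):
                gaps.append((subnet, proto, port))
    return gaps


if __name__ == "__main__":
    for subnet, proto, port in missing_flows(ACL, CLIENT_SUBNETS, EDGE_IP, REQUIRED):
        print(f"ACL blocks {subnet} -> {EDGE_IP} {proto}/{port}; Edge A/V will fail from there")
```

With the constructed rules, the check flags that the WIFI subnet can reach the Edge on 443/tcp but not on 3478/udp, which is exactly the kind of half-opened rule that produces signalling success and media failure. The same function can be run for the second design by replacing `REQUIRED` and `EDGE_IP` with the restricted Communicator port range and the peer subnets; the page does not give those ranges, so they are not hard-coded here.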
  • So if my LAN users (let's say 10,000 users) are handed an SRV record that points them to the front end pool as normal, but say my WIFI users (let's say 100 users) get an SRV record that points them to an edge server, would this work for calls between WIFI and LAN (assuming these two networks are firewalled from each other)? Or would everyone have to use the edge server, even on the LAN? I'm guessing not. I wouldn't want to have to spec an edge server to cope with every voice/video call between two users on the LAN.

    There isn't much help in the docs or web to illustrate this scenario, so I'm just thinking of treating the WIFI users as "external", and the same for our other heavily firewalled subnets.


    Tuesday, August 11, 2009 10:20 PM