locked
No internal interface on Edge Server? RRS feed

  • Question

  •  

    Hey guys. Is it possible to deploy a OCS edge server on the dmz without having an internal IP attached to one of the NICs?  My manager does not want a server to have this kind of access to the inside network even though you can still block access at the firewall. Just wondering if this was possible. Thanks


    Erik

    Tuesday, February 26, 2008 1:27 PM

All replies

  • You don't have to connect the internal interface directly to the internal LAN - you can NAT it if there is a firewall between your Edge server and the LAN.

    Tuesday, February 26, 2008 3:57 PM
    Moderator
  •  

    The deployment docs say that the internal interface needs an internal cert from our CA, so what happens with that now or can we just bypass it and use the external provider such as verisign? How will the dmz machines be able to talk to an internal pool without this certificate?  Thanks for your help Mike

     

    Erik

    Tuesday, February 26, 2008 9:35 PM
  • You must have some kind of certificate on the internal interface.  If you are using an internal CA then that's the easiest.  If not then you could certainly purchase another certificate for that interface from Verisign, or buy a UC cert from one of the providers that offers them and include a SAN for the FQDN of that interface.

    Wednesday, February 27, 2008 12:58 PM
    Moderator
  •  

    Hey Mike. Thanks for the follow. I apologize but I must be confused. Check this out

     

    I have four enterprise servers setup in a pool on the internal network behind a load balancer.  I will have an access edge/web conference on one server in the dmz. I will also have another server on the dmz running just the a/v role. I also plan on running a reverse proxy on a separate box. I have 4 certificates from my enterprise CA installed on the four internal machines. I guess I will need 3 verisign certs for the dmz public addresses, as well as one for the isa server.

     

    So if the internal interface does not exist on these dmz servers, how do I install a cert so these servers can talk to the resource pool on the inside?  Thanks for your help


    Erik

    Wednesday, February 27, 2008 6:53 PM
  • You must have an internal interface, even if it just another IP address on the same NIC.  This is true for all Edge servers.

     

    You will need at least 4 external certificates:

     

    - Access Edge

    - Web Conf Edge

    - A/V Edge

    - ABS/Web Components (via reverse proxy)

     

    Alternatively you can get one certificate with the Access Edge as the subject and the other names as SANs.

     

    Additionally you will need 2 certificates for the internal interfaces of your 2 edge servers.  These can be generated from your internal CA as long as you trust that CA on your Edge servers.

    Wednesday, February 27, 2008 7:19 PM
    Moderator
  • Hey. I guess I misread your first statement concerning the internal interface. So basically, what you are saying is that one of the nics on the Edge will need to have an internal IP address that is on the same subnet as the internal company network correct?

     

    Erik

     

    Thursday, February 28, 2008 12:49 PM
  • No, not necessarily, though that's one option.  You can put the "internal" interface on your DMZ segment and NAT the traffic between the DMZ and the LAN.

    Friday, February 29, 2008 1:09 PM
    Moderator