How do I secure the AV Edge?

  • Question

  • I'm having a tough time selling the idea of placing a MSFT server directly on the internet. Can someone give me some advice on how this box can be secured? Is there any scenario that would allow it to be placed behind a firewall that wouldn't NAT it? What if I put it behind a load balancer where the load balancer has a public IP, but load balances to the edge farm with DMZ IPs - is that also illegal?

    Is anyone else having trouble with the idea of putting this server out there with nothing to protect it?

    Maybe I'm not understanding this completely: does the prerequisite of the AV Edge requiring a public IP mean that the AV Edge has a physical interface on the internet, or is there a firewall solution that allows me to restrict traffic by port to the AV Edge?

    Can I use server publishing in ISA to accomplish this?
    Tuesday, August 12, 2008 2:48 AM

All replies

  • The only requirement of the A/V Authentication Edge service is that the interface on the Edge server is assigned a publicly routable IP address. How you route traffic to that interface is left up to your security practices, just as long as there is no Network Address Translation performed.

    The intended design would be used with a multi-port firewall appliance, so that you can forward a public IP subnetwork to that interface through a dedicated port, limiting traffic only over the ports defined in the deployment guides. I would never want to just plug that interface into a switch 'on the Internet' outside all firewall devices.

    Tuesday, August 12, 2008 1:37 PM
    Moderator
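The design above boils down to three checks before go-live: the external interface holds a publicly routable address, nothing on the path translates that address, and the firewall forwards only the documented ports. The following pre-deployment validator is an added example, not code from this thread or from Microsoft; the required port list and the sample addresses are assumptions (take the real list from the deployment guide).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Ports assumed for illustration only; the deployment guide is the authority.
REQUIRED_PORTS = {("udp", 3478), ("tcp", 443)}

# Ranges that can never satisfy the "publicly routable" requirement
# (RFC 1918, CGNAT, loopback, link-local, multicast, reserved).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass
class EdgeConfig:
    interface_ip: str                     # address configured on the A/V Edge external NIC
    observed_ip: str                      # address an Internet host sees the Edge as (e.g. a reflector)
    forwarded: List[Tuple[str, int, bool]]  # firewall rules toward the Edge: (proto, port, translated?)


def is_publicly_routable(ip: str) -> bool:
    """True if the address is outside every private/special-use range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def check_edge(cfg: EdgeConfig) -> List[str]:
    """Return a list of findings; an empty list means the design is acceptable."""
    problems = []
    if not is_publicly_routable(cfg.interface_ip):
        problems.append(f"interface {cfg.interface_ip} is not publicly routable")
    if cfg.observed_ip != cfg.interface_ip:
        # A routed (non-NAT) path shows the interface address unchanged from outside.
        problems.append(f"Internet sees {cfg.observed_ip}, not {cfg.interface_ip}: NAT in path")
    opened = set()
    for proto, port, translated in cfg.forwarded:
        if translated:
            problems.append(f"{proto}/{port} is translated on the firewall (NAT, not allowed)")
        opened.add((proto, port))
    for proto, port in sorted(REQUIRED_PORTS - opened):
        problems.append(f"required {proto}/{port} is not forwarded to the Edge")
    for proto, port in sorted(opened - REQUIRED_PORTS):
        problems.append(f"{proto}/{port} is forwarded but not required: tighten the rule set")
    return problems


if __name__ == "__main__":
    # Constructed sample: routed public subnet through a dedicated firewall port, no NAT.
    ok = EdgeConfig("203.0.113.10", "203.0.113.10", [("udp", 3478, False), ("tcp", 443, False)])
    print(check_edge(ok) or "design acceptable")
```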
  • You should find all required information in this whitepaper:

    Designing Your Perimeter Network for Office Communications Server 2007 White Paper

    http://www.microsoft.com/downloads/details.aspx?FamilyID=e4a8d703-e41a-47d9-b9dd-2799f894af92&DisplayLang=en
    Wednesday, August 13, 2008 3:50 PM
  • ISA Server publishing will not meet the requirement for the A/V Edge to have an externally routable IP address as it does perform NAT.
    As Jeff stated:

    The intended design would be used with a multi-port firewall appliance, so that you can forward a public IP subnetwork to that interface through a dedicated port, limiting traffic only over the ports defined in the deployment guides. I would never want to just plug that interface into a switch 'on the Internet' outside all firewall devices.

    If anyone has a real world example of this configuration, along with a specific firewall (mfgr) suggestion that can perform what is recommended, it would be helpful for me to see. I've read the perimeter network design guide, but it wasn't clear enough for me.

    Friday, August 15, 2008 12:43 PM