Deploying edge server with Single consolidated edge topology

  • Question

  • I have a couple of questions about deploying OCS2007R2 Edge services

    Right now we have standard edition OCS2007R2 installed on a server in the internal network. It works well with Communicator and Live Meeting. The only problem is external user access. So I wanted to deploy the edge services.

    I have been reading and had a couple of questions. The way our network is set up is we have one Cisco ASA 4400 firewall. That firewall has 4 interfaces on it. One for management, one for internal, one for external, and another one for a DMZ.

    Right now I have one server planned for the OCS Edge services (all on one server). The server (Blade BL480c) has two usable NIC cards. The DMZ has public IP addresses and that's it. You can access the DMZ from the internal interface.

    What I am wanting is to do anonymous Live Meetings. We want to set up a meeting and have anonymous users from around the state join (possibly 80 users at one time if that's possible, that is if EVERY county coordinator joined, which is highly unlikely). We want to be able to share documents, do video and voice, and share applications on the meeting organizer's computer.

    So...
    If I have ONE blade server in a DMZ with all three services installed... I'm looking at:
    A/V = av.adem.arkansas.gov
    Access = access.adem.arkansas.gov
    Web Conferencing = conference.adem.arkansas.gov

    Since I only have two NIC cards, I can assign multiple IPs to each NIC so I can give each service its own external FQDN and IP address. Now if I do this, which services NEED SSL certificates? We have our own CA (internal), but if the user isn't on our network then it won't work like that. My next question is: can all this work WITHOUT a reverse proxy?

    My last question is.. I see the talk about these edge servers needing an external IP and an internal IP. Well, our DMZ only has external (public) IP addresses. So how would this work?

    I'm just trying to find out how to accomplish what I want to accomplish without using too many servers, buying a billion SSL certificates, and buying an ISA server.

    Any help would be appreciated!
    Tuesday, July 7, 2009 1:20 AM

Answers

  • Jacob,

    For the edge server (blade) you said it had 2 NICs. You will utilize 1 NIC for the internal network, and the other will sit on the DMZ network. The DMZ IPs will be NAT'd public IPs (I'd recommend 1 IP per role). You will need 2 public certificates (by public I mean Thawte, Go Daddy, Digicert or the like) and 2 private certificates - 1 for the internal interface and 1 for AV (using the FQDN of the Access Edge server's internal interface, but should be a different cert for security reasons).

    Please grab the edge server planning tool from the link below and run through it, it should help.

    http://www.microsoft.com/downloads/details.aspx?FamilyID=EC4B960C-3FE2-41BD-ABDF-AE89CFCB8C6C&displaylang=en

    For ISA, you can get around it by using a different reverse proxy, maybe something open source, but to share content you will need some type of reverse proxy.

    Hope this helps.

    -KP
    Kevin Peters MCSE/MCSA/MCTS/CCNA/Security+ blog: www.ocsguy.com
    Tuesday, July 7, 2009 8:18 PM
  • Jacob

    As Kevin described, you should connect one of the NICs to the DMZ switch and the other NIC to an internal network switch.

    On the DMZ NIC, use three public IP addresses (Access, Web and Audio/Video) and use the GW on the DMZ as the default gateway for the Edge Server. (No default gateway on the internal NIC, only IP address and network mask, because of the dead gateway problem in the Windows Server OS.)

    Use an internal IP address on the internal NIC. In order to reach the internal network resources from the Edge, you set a persistent route from the internal NIC to the internal network.

    In the Edge Server forum I believe you can find a lot of useful information on how to make this work.

    /T

    Wednesday, July 8, 2009 6:26 AM
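The NIC layout T describes above, written out as Windows Server 2008 commands for the edge host. This is an added example, not from anyone in the thread; the interface names "DMZ" and "Internal" and every address (DMZ subnet 172.175.0.0/24 with gateway .1, internal leg 10.10.10.0/24 with router .1, corporate network 192.168.0.0/16) are constructed assumptions.

```powershell
# Added example, not from the thread. Interface names and all addresses
# are constructed assumptions; run from an elevated prompt on the edge.

# DMZ NIC: primary address carries the ONLY default gateway on the box.
netsh interface ipv4 set address name="DMZ" source=static address=172.175.0.10 mask=255.255.255.0 gateway=172.175.0.1 gwmetric=1

# Additional DMZ addresses, one per role (Web Conferencing, A/V), no gateway.
netsh interface ipv4 add address name="DMZ" address=172.175.0.11 mask=255.255.255.0
netsh interface ipv4 add address name="DMZ" address=172.175.0.12 mask=255.255.255.0

# Internal NIC: address and mask only. Leaving the gateway off here is
# what avoids the dead gateway problem: Windows never fails over to a
# second default route that points into the internal network.
netsh interface ipv4 set address name="Internal" source=static address=10.10.10.10 mask=255.255.255.0

# Persistent route (-p survives reboot) so the edge reaches the Front End
# and internal DNS via the internal NIC instead of the DMZ default gateway.
route -p add 192.168.0.0 mask 255.255.0.0 10.10.10.1 metric 1

# Check: exactly one 0.0.0.0 default route, and it must point at 172.175.0.1.
route print -4 | findstr /r "^ *0\.0\.0\.0"
```

If the check prints a second default route via 10.10.10.1, a gateway was left on the internal NIC and should be removed before the firewall rules are built around these addresses.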

All replies

  • Is it possible to just put the consolidated edge server on the internal network and just NAT it through the firewall instead of messing with the DMZ and all these configurations?
    Tuesday, July 7, 2009 2:10 AM
  • Hi,

    - get two 3rd party SSL Certs for Access Edge and Web Conferencing Edge (e.g. Verisign, GoDaddy, ...) otherwise anonymous users will need your Root CA on their machines to join (I don't think that's in your scope...)

    - you can use a cert from your internal CA for the A/V Edge Role

    - the edge server needs an internal IP to connect to the Frontend Server and an external IP for every role which connects to the DMZ
    Tuesday, July 7, 2009 8:19 AM
  • That's what I was saying. Our Cisco firewall is connected to a different switch for the DMZ (one interface). The only IPs that can be assigned to the servers in that switch are always external (public) IPs. So where am I going to get the internal IP addresses? Can the DMZ be taken out of the question and the edge server just sit on our internal network and everything work?

    Example:
    We have our external IP address range.. say it's 172.172.0.0 255.255.0.0 (these are public IPs, the world can see)
    Then we have our internal IP address range... say it's 192.168.0.0 255.255.0.0 (only people inside the firewall can see these) <-- This interface on the firewall is connected to a 5412zl ProCurve switch

    Then we have our DMZ IP address range.... say 172.175.0.0 255.255.0.0 (these are public IPs, the world can see) <-- This interface on the firewall is connected to a different switch.

    So the only IPs that can be assigned to the servers in the DMZ are public IPs (any IPs from 172.175.0.0 to 172.175.254.254). So in that case how do I assign it an internal IP? Obviously if I assign a public IP then the internal communications server can see the Edge server.
    Tuesday, July 7, 2009 1:07 PM
  • It does help... the problem is I do everything in the network from the firewall to supporting all the desktop PCs. Myself and one other person. We might know how to do a majority of things, but not a master at any. What do they call that... Jack of all trades, but master of none...

    Anyways, that is what is confusing me.... You said the DMZ IPs will be NAT'd public IPs... but the problem is, the DMZ IPs are already public IPs assigned from our ISP. The only IPs I can assign the servers sitting in the DMZ are public IPs. The DMZ is even on its own switch away from the main switch.

    So how exactly do I assign an internal IP that our internal network can see when our DMZ has no internal IPs? I mean obviously our internal network can see the DMZ since the DMZ is public.. anyone can see it!

    *** You will utilize 1 NIC for the internal network, and the other will sit on the DMZ network.
    But you can't because it is a different switch and connected to a different interface on the Cisco firewall... I believe you can't?
    • Edited by Jacob Dixon Wednesday, July 8, 2009 2:07 AM
    Wednesday, July 8, 2009 1:28 AM
  • Sorry, I was mis-understanding.

    I was able to accomplish this by using one ethernet module on one side of the c7000 enclosure and a fiber module on the other side. This allowed half of the NIC cards for the DMZ switch and the other half for the internal network.... working with blade servers is a little different... You can't just hook a LAN cable into a NIC card... that was my issue.. But after doing that it works. I was able to use 1 NIC for external and 1 NIC for internal...

    Can an ISA server go on the edge server as well?
    Wednesday, July 8, 2009 1:10 PM
  • Jacob,

    Glad that sorted it out for you. ISA isn't supported on the edge.

    Thanks!

    KP
    Kevin Peters MCSE/MCSA/MCTS/CCNA/Security+ blog: www.ocsguy.com
    Wednesday, July 8, 2009 6:06 PM
  • It is not recommended for the Edge Server to straddle your DMZ and internal network. If your edge server becomes compromised from the DMZ, entire access to the inside network is allowed through the internal interface, which pretty much negates the purpose of the DMZ in the first place.

    The edge server guide firewall diagram (for R2 on page 59) shows it well. Your external firewall is your outside interface on your firewall, the server resides in the DMZ entirely, and the internal firewall is your firewall between DMZ and internal network (logical, it is usually the same firewall as outside but is using a different interface).

    You do need two interfaces, an external-facing and an internal-facing. When you configure the edge server, you point the appropriate ports and services to the correct interface so the firewalls can be configured to only allow traffic to/from those particular addresses. This provides the best protection and is certainly outlined and written up well in the Microsoft Access Edge deployment guides.

    • Edited by Matt Slaga Wednesday, July 22, 2009 5:27 PM
    Wednesday, July 22, 2009 5:24 PM