OCS 2007 Edge Server Deployment with a Dual-homed (2 NICs) ISA Server 2006

  • Question

  • Dear All:
    I hope this thread is still active. I've been struggling with the deployment of OCS Edge and I hope I can find some help here. I have a front firewall (SonicWall Pro 4060) and a back firewall (ISA Server 2006). My ISA has only two NICs (best for security). What is the scenario to deploy an Edge Server in my case? I don't have a 3rd leg on the ISA to use as a DMZ where I can set up the Edge Server. Has anyone dealt with a situation similar to mine? I've been reading Jeff's blogs, the TechNet docs and what not but I'm still confused. I have IM up and running for my internal users and I'm trying to offer it to the remote users, thus the need for the Edge Server Role.

    Right now, I'm publishing Exchange, MOSS 2007 via the External Interface of the ISA (using virtual IPs) and it works great. Is it possible to do the same for the Edge Server? It's probably not the best practice.

    Anyway, thank you in advance for any hint, tip, recommendation, blogs, white papers, ... that you may suggest to me.

    Best regards,
    Thursday, November 5, 2009 4:36 PM

Answers

  • Have you read this whitepaper?
    Designing Your Perimeter Network for Office Communications Server 2007 White Paper
    http://www.microsoft.com/downloads/details.aspx?familyid=e4a8d703-e41a-47d9-b9dd-2799f894af92&displaylang=en

    It is for OCS 2007 but will also work for OCS 2007 R2
    (OCS 2007 R2 does support NAT for A/V EDGE)
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Thursday, November 5, 2009 6:19 PM
  • Depending on how your ISA server is configured (2-legged typically straddles the internal firewall) you don't need to do anything special to get the Edge server deployed. Ideally both legs of the ISA Server should be connected to two separate Perimeter network IP subnets which are located inside two separate firewalls, but since your internal firewall is the ISA server then you have a couple different choices. The MS white paper linked in my blogs and the post above should give you the info needed to understand what configuration is best for your environment.


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, November 12, 2009 2:05 PM
    Moderator

All replies

  • I've just downloaded the paper and will go through it to see if it can help. Thanks a lot for your recommendation.
    Friday, November 6, 2009 2:07 PM
  • Jeff, thanks a lot for your feedback. I went through the whitepaper that you suggested over the weekend and it's very informative. However, I still have a cloud of confusion that is bothering me. Based on my network topology in which I'm using the dual-homed ISA Server 2006 as a back firewall (one NIC connected to the Front firewall and the other to the Internal LAN), where do you think the external NIC of the Edge Server should be connected? Right now, I have it connected to one of the open ports on the front firewall (SonicWall) and the other NIC is connected to the LAN. Basically, there is no direct connection between the ISA and the Edge Server and it's confusing me with the Reverse proxy configuration. I'm publishing Exchange, MOSS 2007 via the External interface using virtual IPs (192.168.3.2, 192.168.3.3, 192.168.3.4, ...) with a Default Gateway of 192.168.3.1 NATed to a Public IP. Considering that I only want to offer IM and presence to my remote users, do you think there is a possibility to use a virtual IP on the ISA External NIC (let's say 192.168.3.5, for example) to push IM out? If that's possible, do we still need the External NIC of the Edge Server (right now connected to 192.168.5.2 with a Default Gateway of 192.168.5.1 which is NATed to a Public IP)? It's still confusing at this point. I'm not an Expert on OCS 2007 so my apologies if my questions are trivial.

    Best regards and thank you in advance for your feedback.

     
    Monday, November 16, 2009 4:09 PM
  • After days of pains, I managed to finish the setup of my OCS Edge Server, validate the configurations and it's now up and running. IM and Presence are working both from inside my network and from outside. But... publishing OCS 2007 in my type of network topology wasn't fun at all. The good thing is that I've learned a lot doing this.
    Thanks to all those who have helped.
    Friday, November 20, 2009 6:49 PM