Hello all! Ok, I will start off by saying that networking is usually not my thing, and networking in a DMZ is especially behind my normal working!
Now to describe our situation: Currently, we have a single, Standard edition OCS 2007 R2 deployment in our internal network. This "pool" consists of a single server. This server is housed at our MAIN site. We also have users at two other remote sites. These two other remote sites are on our AD Domain, but on different LANs and different subnets. We also have 1 ISA server at each site (total of 3 ISA servers), and our three sites are all connected by ISA site-to-site VPNs. These ISA site-to-site VPNs are set up to Route (not NAT) ALL traffic between the sites. Also, we do NOT have DMZs set up at any of the three sites. In each site, the ISA server servers as the sole Firewall (I know this may not be ideal, but it is what it is).
Now for DNS. Our internal domain is domainname.local, and externally the world knows us as domainname.com. Because of this, our email addresses end in domainname.com, and this is what we wanted to use to log in to the Communicator clients. So, we have split DNS set up in our environment, so that domainname.com is resolvable within our internal network. Therefore, the certificate used in our OCS server uses a SN of "OCS.domainname.com", and has an Subject Alternate Name of "OCS.domainname.local". For everyone at our main site, this setup works great! We can do Live Meetings with multiple participants, and we are able to share desktops, share applications, do whiteboarding, and do A/V. Awesome! Since the connection between our main site and remote sites consists of an ISA site-to-site VPN connection that ROUTES ALL traffic, I figured we would have the same functionality between the main and remote sites. Apparently, that would be too easy. A/V refuses to work between the sites.
I have been told by a few different sources now that even though this connection is in place that is supposed to ROUTE ALL traffice between the sites, A/V will still not work between the sites without an OCS Edge server in place at the main site. I suppose this would be necessary for external user access anyway.
Now, here is what I want to do. I have two small hardware firewalls, and I wish to use one as the external firewall that interfaces with the internet, and I wish to use the other to interface between our internal main site and the Consolidate Edge Server. I must be frank: after pouring over all sorts of documentation about how to deploy the edge server, I am more than a little confused! For one, I understand that the A/V server role must have a "publicly roubtable IP address", and that the firewalls on both sides of the DMZ should not NAT any traffic to the Edge server. So, when configuring the actual Edge server, do I literally assign three publicly routable IP addresses to the external-facing NIC of the Edge server?
When configuring the external firewall, I know that the internet-facing side of the firewall needs to having it's port configured with the three "publicly routable IP addresses", but what IP addresses need to be assigned to the port on the DMZ side of this firewall, the port that connects to the Edge server?
For the internal DMZ router, obviously the port facing our internal network will have three IP addresses assigned to it from our internal IP range, but what IP needs to be place on the DMZ facing side of this router?
As you can see, I am pretty confused about all the IPs involved with this setup, and how they interact (non-NATed). Now, as far as the FQDNs that are supposed to be assigned to both NICs on the Edge server; what do they consist of?! If the edge server is in it's own WORKGROUP, and not on the internal domain, then what would the FQDN be? Obviously not Edgeserver.workgroup...
Now, if someone can spell out very simply and plainly what is needed as far as external DNS records, that would be wonderful! Right now, externally, our DNS points ocs.domainname.com to an IP that resides on our ISA server. Ok, so what FQDN should exist in the outside world that will direct traffic to our Edge server. I don't understand what all our External DNS entries need to have to point certain traffic at ISA, and certain traffic at the Edge Server. I know that we already configured the rules in ISA so that we can successfully access
https://ocs.domainname.com/GroupExpansion/ext/service.asmx. , https://ocs.domainname.com/conf/ext/Tshoot.html , and https://externalwebfarmFQDN/abs/ext. Like I said, we can successfully access these urls from the internet, so I am sure that ISA is set up properly. I have just gotten information overload as to how to setup the Edge DMZ setup. PLEASE help. I would greatly appreciate ANY help, but at this point some simple, clear explanations and directions will be more helpful that MS's wordy articles. Thanks again! I sincerely apologize about the extremely long post!
