ISA, Edge and public IP addresses

  • Question

  • I have 4 public addresses available and want to set up a consolidated Edge topology using ISA as an external firewall and reverse proxy. Is that possible? How would I assign addresses to ISA interfaces? I assume this is only possible if I connect A/V-server directly to the internet, otherwise I would need a larger subnet that can be split into external and DMZ sub-subnet - is that right?

     

    Thanks a lot,

    Johann

     

    (Posted the same question recently as a comment in Jeff's excellent OCS Edge Server Configuration Topologies article in his blog)

     

    Monday, July 21, 2008 1:46 PM

All replies


  • The external leg of AV Edge should be connected to the internet... (The idea is to ensure that the external ip address configured on the external interface of the AV Edge server remains routable. http://www.ocspedia.com/Misc/PublicIP_AVEdge.htm )


    Other things should be pretty much straight..

    How to install and configure Access Edge Server : http://www.ocspedia.com/Edge_Server/Deploy_AEP.htm

    How to install and configure Web Conferencing Edge Server : http://www.ocspedia.com/Edge_Server/Deploy_WebConf_Edge.htm

    How to install and configure A/V Edge Server : http://www.ocspedia.com/Edge_Server/Deploy_AV_Edge.htm

    How to install and configure Reverse Proxy : http://www.ocspedia.com/Misc/Reverse_Proxy.htm

    http://www.isaserver.org/tutorials/OCS-2007-ISA-2006-Firewall-Design-Architecture.html


    Regards,
    R. Kinker
    MCSE 2003 (Messaging), MCTS - LCS 2005, MCTS - OCS 2007
    http://www.ocspedia.com
    http://www.itcentrics.com/LCS_Home.htm
    Monday, July 21, 2008 5:37 PM
  •  jwdberlin wrote:

    (Posted the same question recently as a comment in Jeff's excellent OCS Edge Server Configuration Topologies article in his blog)

     

     

    Johann,

     

    I'm not sure exactly what you are asking.  What configuration do you plan to have ISA (3-leg, Edge, Front, etc) and how many adapters?  Or is ISA already deployed and you are trying to adapt it to the OCS Edge server?  Do you plan to use all 4 public addresses for Edge or are you trying to conserve as many as possible for other non-OCS resources?

     

    If you can burn all addresses for OCS, then I would just deploy all Edge roles on public IP addresses, and configure ISA in 3-leg with the perimeter network in that IP subnetwork.  Then all Edge roles can exist on a single NIC for external access.

    Tuesday, July 22, 2008 2:29 PM
    Moderator
  •  Jeff Schertz wrote:
    I'm not sure exactly what you are asking.  What configuration do you plan to have ISA (3-leg, Edge, Front, etc) and how many adapters?

     

    I could better explain it in German

     

    Anyway: I can put in as many network adapters as necessary and I can burn all 4 addresses. I just want to secure my Edge server completely through ISA firewall and use ISA as a reverse proxy. ISA would not be used for anything else (we have 8 addresses, 1 is network, 1 is broadcast, 1 is for MX/SMTP and 1 is for outgoing gateway - so 4 are available).

     

    I just want to secure my Edge server completely through ISA server (as far as I know I cannot open a port range for A/V using Windows Firewall if I connect A/V role/NIC directly to internet). I still have not found a working example including interface and address assignments for ISA (and Edge) server using max. 4 addresses.

     

    Regards,

    Johann

     

     

    Tuesday, July 22, 2008 10:19 PM