Clarifying 3 LEG DMZ network configuration RRS feed

  • Question

  • Hi,


    I am currently testing out deploying OCS2007 together with ISA2004 the internal AD domain is 2003 the internal and external FQDN are the same.


    I am trying to clarify the correct way to deploy OCS2007 when you have one firewall which protects both the internal network and the DMZ My firewall is configured as follows;


    External 81.*.*.*/27




    My plan was to have an ISA2004 server in the DMZ long with the Access Edge and Web Conferencing Edge server (these roles on the same server)


    I have already attempted to deploy, however having read a number of articals I have stopped as I believe I have the network configuration incorrect. Following what I have read here is what I plan now;


    ISA SRV in DMZ 2 x NICS


    NIC1 (External default Gateway Hardware Firewall)

    NIC2 (Permiter connected to External NIC of Access Edge)


    OCS2007 Access Edge


    NIC1 (External Connected to Internal NIC of ISA srv)

    NIC2 (Internal Connected and routed to Hardware Firewall


    I believe that should I wish to have an Edge A/V server then a third NIC would be required on the Access Edge server or better still seperate that out)


    Am I also right in saying it is the prefered configuration to not have the Access Edge a member of the internal domain ?


    I would be really gratefull if someone could confirm this is the correct approach, please keep in mind this is only a testing inviroment and not for production purposes.


    Any Help Gratefully recieved


    Ashley Mothershaw

    MCSE, MCSA, MCSA Messenging NCSA

    Monday, February 4, 2008 11:39 AM

All replies

  • I highly recommend installing a second NIC in the Edge Server at least.  Some have been able to get OCS working correctly with only a single interface, but it's tricky and is not supported by Microsoft, so you are making things harder than they need to be if going that route.


    In addition, you can use a single interface on the ISA server, but it depending on your hardware (available interfaces on external firewall?) I'd again recommend to go with at least two interfaces.  ISA Server is flexible enough to be deployed in a variety of configurations, but it's really what you are trying to accomplish WITH ISA with pre-determines it's configuration (think about 'means before the ends').


    Correct, the Access Edge should not be a member of the internal domain.


    And considering you are simply trying to test out OCS, I would follow the deployment guidelines as close as possible.


    Monday, February 4, 2008 4:21 PM