Reverse Proxy

  • Question


    I configured an Office Communications 2007 server for video conferencing for internal use and it works great; now I need to configure a Communications Edge server for external users to access the inside. Now I need to configure a Microsoft ISA server for a reverse proxy.

    The ISA server has 2 NICs: one is connected to the internal network with IP 10.x.x.x, the other is connected to our DMZ, and the DMZ's address is 172.x.x.x, so I configured the NIC with IP address 172.x.x.x. If this is correct, what do I use for a gateway? What needs to be done on the firewall; do I need to NAT an address to the ISA server? Any help would be big time. Or is this overkill? All I want is a reverse proxy configured; can I use 1 NIC or do I need 2, and does it need to be in the DMZ?



    Friday, August 15, 2008 6:27 PM

All replies

  • It sounds like you might be confusing the 'Reverse Proxy' and Edge Server. Take a look at these articles, as they should answer your question:




    Friday, August 15, 2008 6:37 PM



       Thanks these should help out a lot.



    Friday, August 15, 2008 7:13 PM
  • Just got the new NIC cards installed in the future ISA Server and the Consolidated Edge server, each server has 4 ports.


    I have several questions to show you how confused I am.

        I have configured the edge server with 3 IPs: A/V = public (169.X.X.X), Access Edge = private (10.x.x.x), Web Conf = private (10.x.x.x). The server is not in the domain, so here is one of the dumb questions: it's asking for the Access Server's FQDN and the Access Server's External firewall IP address (we have a Cisco ASA firewall); is this the IP it's asking for?


    Monday, October 6, 2008 3:42 PM
  • I'm not sure what 'it' is that is doing the asking, but that might be a reference to the Access Edge Server FQDN, which would be the FQDN that you have assigned to the certificate placed on the Access Edge interface.  This is typically sip.domain.com and is what external clients resolve and connect to in order to establish communications.

    Monday, October 6, 2008 5:36 PM
  • Sorry "it" is the Edge planning tool, my bad, so do I need all these certificates in place before I install or can I add them later?




    Monday, October 6, 2008 5:52 PM
  • You can add them later, but the external Edge roles will not operate without at least some certificate applied to them.  If you have an internal Enterprise CA you could issue certificates to simply test functionality and then re-run the Certificate Wizard to create new certificate requests to send to a trusted third party.

    Monday, October 6, 2008 6:35 PM

    Great. When running the planning tool, what do they mean by External Firewall IP? Is this the IP of the firewall or is it the NAT address?


    Monday, October 6, 2008 8:56 PM
  • The IP address that is actually on the server's external interface.  Unless you're talking about the A/V Edge, then the IP address should be the same regardless of the location, as NAT isn't allowed for that guy.
    Monday, October 6, 2008 9:09 PM
  • It's starting to come clear, LOL. Just so I'm on the same page, this is the IP config I have on my edge server:


    A/V Edge has a public IP 169.x.x.x; can't NAT that.

    Access Edge has a private IP 10.x.x.x, which according to the Planning tool report should be NAT'd.

    Web Conf has a private IP 10.x.x.x, which also should be NAT'd.


    And I believe I need another IP for the server called the edge (internal)



    Tuesday, October 7, 2008 12:35 PM
  • Yes, you'll need an IP for the internal interface as well.  Take a look at the different supported Edge configurations I have outlined in those blog articles I posted earlier in the thread.



    Tuesday, October 7, 2008 12:52 PM
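
The addressing rules worked out in the posts above, expressed as a small plan checker. This is an added example, not part of the thread or of any Microsoft tool; the role names, the dict layout and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Rules as stated in the thread: the A/V Edge external address must be a
# public IP that is not NAT'd; Access Edge and Web Conf may use private IPs
# that are NAT'd; the Edge also needs an IP for its internal interface.
EXTERNAL_ROLES = ("access_edge", "web_conf", "av_edge")
NAT_FORBIDDEN = {"av_edge"}


def check_edge_plan(plan):
    """Return findings for an Edge IP plan; an empty list means it passes.

    plan maps a role name to {"ip": str, "nat": bool}. The role names and
    this dict layout are assumptions of the example, not an OCS format.
    """
    findings = []
    for role in EXTERNAL_ROLES + ("internal",):
        if role not in plan:
            findings.append(f"{role}: no IP assigned")
    for role in EXTERNAL_ROLES:
        if role not in plan:
            continue
        addr = ipaddress.ip_address(plan[role]["ip"])
        nat = plan[role]["nat"]
        if role in NAT_FORBIDDEN:
            if nat:
                findings.append(f"{role}: NAT is not allowed on this interface")
            if not addr.is_global:
                findings.append(f"{role}: {addr} is not publicly routable")
        elif not addr.is_global and not nat:
            findings.append(f"{role}: {addr} needs NAT to be reachable externally")
    return findings


# Constructed sample mirroring the poster's plan (addresses are made up).
THREAD_PLAN = {
    "av_edge": {"ip": "169.1.2.3", "nat": False},
    "access_edge": {"ip": "10.0.1.10", "nat": True},
    "web_conf": {"ip": "10.0.1.11", "nat": True},
}

if __name__ == "__main__":
    for finding in check_edge_plan(THREAD_PLAN):
        print(finding)
```

Run against the three-address plan from the thread, the only finding is the missing internal interface, which is the point the next reply confirms.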
  • Thanks Jeff,


         Is the Director server really necessary, I have the front end server and the edge server, can the director reside on the front end? Can the Director be a virtual server?




    Tuesday, October 7, 2008 2:08 PM
  • Hi,


    The Director Role IS a Front-End Server but one that only serves to authenticate users and redirect them to the correct FE server where the user is homed. There are no users homed on this server and that's when it's called a Director :-)


    As you may have read, all SIP connections from the Access Edge server into your internal network are NOT authenticated because the Access Edge server is not domain joined. Hence, to improve security, the Director server can be your entry point which performs the authentication and proxies the connection to the user's home front-end server. Since the Director server cannot be hosted in the DMZ (supportability statement), you should take special care about securing this server, such as by putting Host-Based Intrusion Detection Software or Integrity Monitoring Software on it.


    Furthermore, if you happen to have multiple home pools in your enterprise, you can provide a single namespace by using the Director role, which after the authentication would redirect the user to their correct home pool.



    Tonino Bruno


    Tuesday, October 7, 2008 2:38 PM
  •  skully58 wrote:

    Thanks Jeff,


         Is the Director server really necessary, I have the front end server and the edge server, can the director reside on the front end? Can the Director be a virtual server?



    It's not necessary and you don't need to install one for a fully functional OCS deployment.  It can be virtualized but it's not supported at all.  How many users will you be supporting?

    Tuesday, October 7, 2008 4:14 PM

    We have over 500 users but I doubt that many will use it; we have purchased 3 round tables for internal meetings. The edge server is being configured so we can connect to users from the outside, possibly for presentations from vendors.


    Tuesday, October 7, 2008 6:28 PM