Edge Server OCS 2007 R2 Design Question RRS feed

  • Question

  • Hi there,

    We have a network where I have a ISA 2006 server with a internal, external and DMZ interface. I wish to add the Edge Server within the DMZ network with a single network card.

    Is it allowed to do this, and add multiple ip adresses in the same nic for internal and external connectivity?

    For examle I use 2 ip's.

    ip 1: for Edge Internal Communications
    ip 2: for Edge External and AV authentication Services.

    Check out my Microsoft Unified Communications (Dutch) Blog @ www.MsUC.nl
    Monday, June 8, 2009 12:10 PM

All replies

  • Hello,

    Edge server requires 2 physical NICs.  1 for external traffic (can have as many IPs as you want on the external subnet) and 1 for internal traffic.  You cannot have internal and external traffic on the same card/subnet, you will run into issue.

    Hope this helps!


    Kevin Peters MCSE/MCSA/MCTS/CCNA/Security+ blog: www.ocsguy.com
    Monday, June 8, 2009 12:25 PM
  • Hi Stevens,

    As per the OCS Edge Server Architecure, you could have either 4 NIC's or 2 NIC's on the OCS Edge.

    If you go with 2 NIC's on the Edge, you would have to ensure the following are met,

    1. External NIC used for external communication of clients with Access Edge, Web Conf Edge and the A/V Edge. If you have installed OCS 2007 R2, you would need 3 private DMZ IP's on the same NIC that would be natted to the 3 respective public ip's on the ISA External adapter.e.g ( for AccessEdge/ for WebConfEdge/ for A/VEdge all on the same NIC)

    2. Internal NIC used for internal communication with the front-end and also the same nic would be used for all the 3 components. e.g (

    Please note you open the required ports on the firewall for both internal and external communication.

    Hope this clarifies your doubts. Let me know in case of any other queries/concerns.


     Savio Fernandes Sr Consultant MCTS/MCITP/Windows2008/Exchange2007


    Monday, June 8, 2009 6:15 PM
  • Take a look at these articles for more details on Edge NIC configuration scenarios:

    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Monday, June 8, 2009 11:06 PM
  • Hi all,

    Thanks a lot for your time to reply to my question. I have read in another article (unfortunally I cannot find it anymore), that with R2 it is actually supported to use all configuration on one interface so i got mislead there.

    Still I think this is a very strange situation. Basicly I have to connect a DMZ server around my firewall directly to the internal lan, which will cause troubles with the security people.

    Also I have problems with ip-adresses. I need 3 public ip's to use all services but i have only 1 and its attached to my isa server in this case.

    What I would prefer to achieve in this case is:

    |Internet Router|
    |ISA Firewall|----------[DMZ]
    [LAN Switch]

    The Edge server only has 1 NIC. I wish to use 2 IP's for this server. for the Internal communication, and for all external communication.

    Since we are able to provide ports, I could just simply use port 4430 for Edge, port 4431 for WebConf, port 4432 for A/V Edge .

    Using NAT (or better yet, PAT), I can take just one public IP (and only purchase 1 SSL certificate), to forward the neccesary ports from the public ip to

    And ofcourse for internal communication i can open up the ports on the isa server.

    I have to note that this is a demo enviroment! For a customer's situation i would never recommend this, but right now i just wish to get this working using this situation.

    Does anybody think this would actually work? For demo purposes ofcourse?

    Microsoft Unified Communications (Dutch) Blog @ www.MsUC.nl
    Tuesday, June 9, 2009 9:24 AM
  • Putting multiple IP addresses on a single interface from the same subnetwork is a recipe for headaches with the Edge Server.  Read the section 'Fuzzy Configurations' in the second link I posted.  I know of no changes to the supported Edge scenarios from RTM to R2 (and the bulk of those statements came directly from members of the OCS product team) outside of the NAT for A/V and Media Port range changes.

    Technically you can probably get what you need to work, but it most likely won't be 100% functionailty and will probably be a LOT of troubleshooting to get to operational.

    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, June 9, 2009 11:02 PM
  • Thanks a lot Jeff its all clear I have read your pages. Great work!

    One last question: How do you deal with the issue that you are going to connect your internal inteface NIC directly from the DMZ to the LAN in a 3 leg setup? Do you setup another firewall in between those two or just allow the security risc?
    Microsoft Unified Communications (Dutch) Blog @ www.MsUC.nl
    Wednesday, June 10, 2009 3:02 PM