OCS Deployment for Remote User Access

  • Question

  • Hi,

     

    I am planning to set up OCS Edge for remote user access to our internal OCS system. I have read about the requirements for multiple NICs, public IP, etc. However, I have several questions related to our environment here:

    1. We have two broadband Internet lines, with one dynamic IP each.

    2. One of the lines is protected by ISA 2006 (gateway).

    With the environment above, is it possible to deploy a consolidated edge for remote user access? If so, what would the network architecture look like?

     

    Thanks.

     

    -hasmadi-

    Friday, September 19, 2008 9:06 AM

All replies

  • You are going to need at least two static IP addresses dedicated to the Edge server in order to have full remote functionality.

    If you plan to only use IM and not Audio/Video it is possible to use the other dynamic IP address for NAT, but you will have to constantly update records with some public Dynamic DNS solution or manually monitor that IP depending on how often it changes.  That said, you'd really need a static IP address in order to have supported functionality.

    Friday, September 19, 2008 1:02 PM
    Moderator
  • Jeff,

     

    Thanks for your response. I currently have a public dynamic DNS solution in place to update the records when the IP changes for both broadband links, and it also supports SRV records. So far the solution is stable and updates the records accordingly. Here's what I'm thinking of doing next:

     

    1. Deploy one consolidated OCS Edge server with four NICs as follows:

    a. NIC #1 = Public IP for A/V Edge (using 2nd broadband Internet line)

    b. NIC #2 = Private IP for internal Edge connection to OCS FE server

    c. NIC #3 = Private IP (DMZ) for Access Edge connected to ISA server DMZ segment (with NAT from external)

    d. NIC #4 = Private IP (DMZ) for Web Conferencing Edge connected to ISA server DMZ segment (with NAT from external)

    2. Web components will be reverse published by the ISA server (gateway/external firewall).

    3. Enable port forwarding on both broadband links' routers for all required ports.

     

    My questions further:

     

    Since ISA is the only gateway/external firewall and reverse proxy server, the ISA public external IP would be shared (NAT) by OCS web components, access edge and web conferencing edge. Will this be an issue?

     

    Thanks.

     

    -hasmadi-

    Friday, September 19, 2008 1:31 PM
  • If you have any other listeners configured on ISA using that single external IP address, then you won't be able to 'share' that same IP address with other listeners for the remaining OCS external traffic.  Also, if you have an internal website published over SSL (e.g. Outlook Web Access) then you'll run into problems as port 443 is used by default for Access Edge connections.  It is possible to change the default ports that the Edge server's external interfaces listen on, but then things get really messy.  You might be able to get some or all of this working with enough tweaking, but you'll be way outside the supported scope.

    Friday, September 19, 2008 1:38 PM
    Moderator
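The port-collision point in the reply above, as an added planning check (example code, not from this thread or from Microsoft): it models the proposed design, with the ISA external address shared by the reverse-published web components, Access Edge and Web Conferencing Edge plus an OWA listener, reports every public socket that more than one service would have to own, and greedily counts how many public addresses the service set needs. The IP addresses, the OWA/MOSS listener and the 5061/TCP and 3478/UDP ports are assumptions; only 443/TCP comes from the thread.

```python
from collections import defaultdict

# Constructed planning data for the design in this thread (not from the page).
# IPs are RFC 5737 documentation addresses; 443/TCP is the default the thread
# cites, 5061/TCP (SIP) and 3478/UDP (A/V STUN) are assumed Edge defaults.
ISA_EXTERNAL_IP = "203.0.113.10"   # single ISA 2006 public IP, broadband line 1
AV_EDGE_IP = "198.51.100.20"       # A/V Edge public IP, broadband line 2
SERVICE_PORTS = {
    "OWA (ISA listener)":       {("tcp", 443)},
    "OCS web components (ISA)": {("tcp", 443)},
    "Access Edge":              {("tcp", 443), ("tcp", 5061)},
    "Web Conferencing Edge":    {("tcp", 443)},
    "A/V Edge":                 {("tcp", 443), ("udp", 3478)},
}
PROPOSED_PLACEMENT = {            # everything but A/V shares the ISA address
    "OWA (ISA listener)": ISA_EXTERNAL_IP,
    "OCS web components (ISA)": ISA_EXTERNAL_IP,
    "Access Edge": ISA_EXTERNAL_IP,
    "Web Conferencing Edge": ISA_EXTERNAL_IP,
    "A/V Edge": AV_EDGE_IP,
}

def find_conflicts(service_ports, placement):
    """{(ip, proto, port): [services]} for every public socket that more
    than one service would have to own on the same address."""
    claims = defaultdict(list)
    for service, ip in placement.items():
        for proto, port in service_ports[service]:
            claims[(ip, proto, port)].append(service)
    return {s: sorted(n) for s, n in claims.items() if len(n) > 1}

def plan_public_ips(service_ports):
    """Greedy first-fit: each service takes the lowest-numbered public IP
    whose claimed ports do not collide with its own. Returns
    (ip_count, {service: ip_index}); the count is an upper bound."""
    used, assignment = [], {}      # used[i] = (proto, port) set claimed on IP i
    for service, ports in service_ports.items():
        for i, taken in enumerate(used):
            if not taken & ports:
                taken.update(ports)
                assignment[service] = i
                break
        else:
            used.append(set(ports))
            assignment[service] = len(used) - 1
    return len(used), assignment

def with_port_moved(service_ports, service, old, new):
    """Copy of the table with one of a service's ports changed (e.g. OWA off 443)."""
    table = {s: set(p) for s, p in service_ports.items()}
    table[service] = {(pr, new if pt == old else pt) for pr, pt in table[service]}
    return table
```

Moving only the OWA listener off 443 still leaves the web components, Access Edge and Web Conferencing Edge contending for 443 on the one ISA address, which is why the planner still asks for one address per 443 listener.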
  • Hi Jeff,

     

    I do have other listeners defined on the ISA server for OWA and MOSS reverse publishing, but they use specifically defined ports, which do not conflict with those required by OCS Edge Server. Port 443 is also currently unutilized, so I can assign it to OCS Edge if need be.

     

    I am looking at this based on the article "OCS 2007 and ISA 2006: Firewall Design and Architecture" (http://www.isaserver.org/tutorials/OCS-2007-ISA-2006-Firewall-Design-Architecture.html) which shows the OCS Edge being placed behind the ISA server.

     

    Thanks.

     

    -hasmadi-

    Sunday, September 21, 2008 5:26 AM