Help me understand how A/V should be properly set up.

  • Question

  • I am having a hard time understanding how to configure my perimeter network for the AV edge role requirements in OCS R1.

    I understand that the AV role requires a public IP address, where the other roles can be NATed, but I can't seem to figure out just what I need to do to accomplish this WITH some sort of firewalling (essentially how to keep all ports closed except the ones required by the AV role and at the same time not NAT). I don't think a software firewall is very ideal and not something most of you use (maybe I am way wrong in assuming this?), but I am wondering what the details are on how it is being implemented. I have a hard time believing that people are just setting the AV edge interface live on the internet without some sort of filtering/security.

    Right now I have my edge server in a consolidated form, where all edge roles are on the same physical box.  I have 4 IP Addresses bound to 1 NIC only and all are the same ip scheme, ex:
    access edge: 10.0.0.1
    web conf edge: 10.0.0.2
    AV edge: 10.0.0.3
    Edge internal: 10.0.0.4

    Pretty much everything works both internally and externally, except for AV externally (which is fine for now, but I want to get this set up properly).

    I have my ISA Server also on 10.0.0.5 with a public ip on its external interface doing the reverse proxy.

    I want to get a fully functional OCS setup and I of course don't want to compromise the security of my network in the process. I have my private LAN sitting behind the DMZ (the 10.0.0.0/24 network), so all communication from the Edge to my OCS Standard server and Mediation server traverses a firewall.

    For example, if something from the outside is trying to hit my OCS Standard server on port 443, the traffic hits my private LAN firewall's DMZ interface, 10.0.0.10, which NATs to my OCS server, 192.168.0.10, on the internal private LAN.

    I hope this is enough information. I appreciate any help I can get, the more step-by-step the better, since I can't seem to grasp this concept very well. Thanks a million!
    Wednesday, February 25, 2009 11:56 PM

All replies

  • Communications between the OCS Front-End server and the Edge internal interface must be routable and cannot traverse NAT. If your Edge server's internal interface is on a different private IP subnetwork than the internal network (10.x.y.z and 192.168.y.z), then make sure that the firewall can route traffic between those networks, in addition to configuring static routes on the Edge server if needed.


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, February 26, 2009 12:16 AM
    Moderator
  • Normally this is accomplished by having a routable DMZ, i.e. Internet 12.1.1.x (public IPs), DMZ 12.1.2.x (public IPs), Internal 192.168.1.x (private IPs). If you do not have a routable DMZ, then really your only other option is to throw another NIC in the server, run that card directly to the internet and assign the AV service to it. Although, I highly recommend that you do NOT place an interface on public IPs without being behind a firewall.

    R2 is supposed to support NATing of the AV service, but a few engineers who work for Microsoft have told me that it can be flaky. I personally have not done it yet, so I cannot speak from experience.

    Mark
    Sunday, March 1, 2009 5:14 AM
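The routed-DMZ design from the replies above, modelled as a default-deny filter policy: the A/V Edge address is reached directly (routed, never translated) with only its required ports open, while the reverse-proxy path keeps the DNAT the question describes. This is an added example, not code from the thread, Microsoft, or the OCS product. It reuses the thread's addresses (10.0.0.3 for the A/V Edge, 10.0.0.10 for the firewall's DMZ interface, 192.168.0.10 for the internal OCS server) as stand-ins for the public DMZ block a routable design would actually use; the A/V Edge external port list (TCP 443, UDP 3478, TCP/UDP 50000-59999) is my assumption from the OCS 2007 documentation and must be checked against the deployment guide for your version.

```python
"""Default-deny routed DMZ policy for a consolidated OCS Edge (added example).

Assumptions, not taken from the thread:
  - the A/V Edge external ports listed in RULES (verify for your OCS version);
  - the firewall forwards to the A/V Edge address as-is (no NAT) and only
    translates the reverse-proxy VIP towards the internal OCS server.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    dst: str                    # destination address the packet arrives for
    proto: str
    ports: range                # range(lo, hi + 1) for an inclusive range
    action: str                 # "allow" (routed as-is) or "dnat" (translated)
    target: Optional[str] = None  # real destination for "dnat"


# Addresses from the thread; in a routable DMZ the 10.0.0.x block would be
# a public subnet assigned to the DMZ segment.
AV_EDGE = "10.0.0.3"
REVERSE_PROXY_VIP = "10.0.0.10"
OCS_INTERNAL = "192.168.0.10"

# Assumed A/V Edge external ports for OCS 2007 (check your deployment guide).
RULES = [
    Rule(AV_EDGE, "tcp", range(443, 444), "allow"),
    Rule(AV_EDGE, "udp", range(3478, 3479), "allow"),
    Rule(AV_EDGE, "tcp", range(50000, 60000), "allow"),
    Rule(AV_EDGE, "udp", range(50000, 60000), "allow"),
    # The web/HTTPS path stays behind the reverse proxy and is NATed.
    Rule(REVERSE_PROXY_VIP, "tcp", range(443, 444), "dnat", OCS_INTERNAL),
]


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, delivered destination). First match wins; default deny.

    For "allow" rules the delivered destination equals the address the remote
    peer used, which is what the A/V Edge needs; for "dnat" it is the
    internal target, which is fine for HTTPS but not for the A/V service.
    """
    for rule in RULES:
        if pkt.dst == rule.dst and pkt.proto == rule.proto and pkt.dport in rule.ports:
            return ("allow", rule.target if rule.action == "dnat" else pkt.dst)
    return ("drop", pkt.dst)


def av_edge_is_untranslated() -> bool:
    """Sanity check: no rule may translate the A/V Edge address."""
    return all(r.action == "allow" for r in RULES if r.dst == AV_EDGE)


def render_iptables(rule: Rule) -> str:
    """Render one rule as the equivalent iptables command, for comparison
    with whatever firewall product you actually run."""
    lo, hi = rule.ports.start, rule.ports.stop - 1
    ports = str(lo) if lo == hi else f"{lo}:{hi}"
    if rule.action == "dnat":
        return (f"iptables -t nat -A PREROUTING -p {rule.proto} -d {rule.dst} "
                f"--dport {ports} -j DNAT --to-destination {rule.target}")
    return f"iptables -A FORWARD -p {rule.proto} -d {rule.dst} --dport {ports} -j ACCEPT"


if __name__ == "__main__":
    # Constructed sample traffic from an arbitrary internet host.
    samples = [
        Packet("203.0.113.7", AV_EDGE, "udp", 3478),           # STUN to A/V Edge: routed
        Packet("203.0.113.7", AV_EDGE, "tcp", 50500),          # media port: routed
        Packet("203.0.113.7", AV_EDGE, "tcp", 3389),           # anything else: dropped
        Packet("203.0.113.7", REVERSE_PROXY_VIP, "tcp", 443),  # HTTPS: NATed to OCS
        Packet("203.0.113.7", REVERSE_PROXY_VIP, "tcp", 80),   # not published: dropped
    ]
    for p in samples:
        print(p.proto, p.dst, p.dport, "->", evaluate(p))
    print("A/V Edge untranslated:", av_edge_is_untranslated())
    for r in RULES:
        print(render_iptables(r))
```

The check in `av_edge_is_untranslated` is the property the question is really asking about: every other role may sit behind a translation, but the A/V Edge address must pass through the filter unchanged, so the firewall's job on that address is port filtering only.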