Design question with edge server

  • Question

  • We are currently looking to deploy an edge server for web conf purposes as well as federation. We are trying to figure out why the Edge server needs to straddle the internal firewall. The network admins are dead against this design. Are there any other supported solutions? The DMZ is configured with an internal and external firewall.

    Wednesday, September 30, 2009 4:28 PM

Answers

  • Technically the Edge server should not be connected to the internal network. It should be connected to two separate IP subnets in a Perimeter network, but be able to route directly to the internal servers. NAT cannot be used between the internal server and Edge server. The Edge Server should be located between both firewalls, but the requirement of having two interfaces on the host means that each needs to be in a different network. You may need to define a second perimeter VLAN to supply separate IP subnetworks for the Edge server if you currently only have a single IP subnetwork in your DMZ (Perimeter Network).

    Check out this blog article, as well as the Perimeter White Paper I have linked in it: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=33
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, September 30, 2009 5:08 PM
    Moderator
  • I have done multiple deployments with the same problem.

    Typically what we see is a single DMZ network. The edge server is placed in this network and has two physical NICs.

    NIC1- DMZ External
    This has the IP addresses for access edge, web conferencing edge, A/V edge on it.

    NIC2- DMZ Internal
    This has the Internal IP address of the edge server, this is what your internal clients and internal servers will communicate with.

    NIC 1 typically has the default gateway on it, NIC2 has no default gateway specified.

    If you do this configuration you will need a route with the interface specified to make sure that communications between the internal network and the edge internal interface go out that "internal" interface.

    It would look something like route add -p 10.108.50.0 MASK 255.255.255.0 10.0.0.1 IF 11

    10.108.50.0 being the internal network, 10.0.0.1 being the gateway IP address on the DMZ network.

    The dmz to internal firewall then would need to be configured to allow communications on the specified ocs ports between that "internal" interface and the internal LAN.

    I don't think I need to get into too much more detail, but let me know if you do not understand the general idea.

    Randy Wintle | MCTS: UC Voice Specialization | Winxnet Inc
    Friday, October 2, 2009 6:32 PM
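The routing invariants in the answer above (one default gateway, on the external NIC only; an explicit, persistent route to each internal subnet that leaves via the internal NIC towards the inner firewall) are easy to get wrong and silently produce asymmetric traffic that the inner firewall drops. The following checker is an added example and is not code from the thread or from Microsoft: it parses the IPv4 part of a Windows `route print` table and reports which of those invariants fail, emitting the `route add -p ... IF <index>` command needed to fix them. The route tables are constructed samples; interface index 11, 10.0.0.0/24 as the "DMZ internal" subnet with 10.0.0.1 as the inner firewall's DMZ-side address, 10.108.50.0/24 as the internal LAN and 192.0.2.0/24 as the external DMZ subnet are all assumptions chosen to match the numbers in the answer.

```python
"""Check an Edge server's IPv4 route table against the two-NIC DMZ design.

Added example; the addressing (192.0.2.0/24 external DMZ, 10.0.0.0/24 internal
DMZ, 10.0.0.1 inner firewall, 10.108.50.0/24 LAN, interface index 11) is assumed.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed `route print` excerpt: default gateway on the external NIC, but no
# route to the internal LAN yet, so that traffic would leave via the external NIC.
SAMPLE_BEFORE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        192.0.2.1      192.0.2.10     10
        10.0.0.0    255.255.255.0          On-link        10.0.0.10    266
       10.0.0.10  255.255.255.255          On-link        10.0.0.10    266
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        192.0.2.0    255.255.255.0          On-link       192.0.2.10    266
       192.0.2.10  255.255.255.255          On-link       192.0.2.10    266
===========================================================================
Persistent Routes:
  None
"""

# Constructed table after `route add -p 10.108.50.0 MASK 255.255.255.0 10.0.0.1 IF 11`.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "        127.0.0.0        255.0.0.0",
    "      10.108.50.0    255.255.255.0         10.0.0.1        10.0.0.10     11\n"
    "        127.0.0.0        255.0.0.0",
).replace(
    "  None\n",
    "  Network Address          Netmask  Gateway Address  Metric\n"
    "      10.108.50.0    255.255.255.0         10.0.0.1       1\n",
)


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for On-link routes
    iface: ipaddress.IPv4Address              # address of the NIC the route uses
    persistent: bool


def _addr(tok: str) -> Optional[ipaddress.IPv4Address]:
    try:
        return ipaddress.IPv4Address(tok)
    except ipaddress.AddressValueError:
        return None  # "On-link", column headers, separators


def parse_route_print(text: str) -> List[Route]:
    """Parse the 'Active Routes' and 'Persistent Routes' sections of `route print`."""
    routes, persistent, section = [], set(), None
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            section = "active"
            continue
        if line.startswith("Persistent Routes:"):
            section = "persistent"
            continue
        toks = line.split()
        if len(toks) < 4 or _addr(toks[0]) is None or _addr(toks[1]) is None:
            continue  # header, separator or "None"
        net = ipaddress.IPv4Network((toks[0], toks[1]), strict=False)
        if section == "active" and len(toks) == 5:
            routes.append(Route(net, _addr(toks[2]), _addr(toks[3]), False))
        elif section == "persistent" and len(toks) == 4:
            persistent.add(net)
    return [r._replace(persistent=r.net in persistent) for r in routes]


def check_edge_routing(text: str, external_ip: str, internal_ip: str,
                       internal_if_index: int, inner_fw_gateway: str,
                       internal_subnets: List[str]) -> Tuple[List[str], List[str]]:
    """Return (findings, fix commands) for the two-NIC Edge routing design."""
    ext, intl, gw = (ipaddress.IPv4Address(a) for a in (external_ip, internal_ip, inner_fw_gateway))
    routes = parse_route_print(text)
    findings, fixes = [], []

    # Invariant 1: exactly one default route, and it must use the external NIC.
    defaults = [r for r in routes if r.net.prefixlen == 0]
    if len(defaults) != 1:
        findings.append(f"expected exactly one default route, found {len(defaults)}")
    for r in defaults:
        if r.iface != ext:
            findings.append(f"default route uses {r.iface}; it belongs on the external NIC {ext}")

    # Invariant 2: every internal subnet has a persistent route via the inner
    # firewall on the internal NIC, so replies do not leave via the external NIC.
    for s in internal_subnets:
        net = ipaddress.IPv4Network(s)
        existing = [r for r in routes if r.net == net]
        good = [r for r in existing if r.iface == intl and r.gateway == gw]
        add = f"route add -p {net.network_address} MASK {net.netmask} {gw} IF {internal_if_index}"
        if not existing:
            findings.append(f"no route for {net}; traffic would follow the default route out {ext}")
            fixes.append(add)
        elif not good:
            findings.append(f"route for {net} does not use gateway {gw} on interface {intl}")
            fixes += [f"route delete {net.network_address} MASK {net.netmask}", add]
        elif not any(r.persistent for r in good):
            findings.append(f"route for {net} is not persistent and will be lost at reboot")
            fixes += [f"route delete {net.network_address} MASK {net.netmask}", add]
    return findings, fixes


if __name__ == "__main__":
    for label, table in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        findings, fixes = check_edge_routing(table, "192.0.2.10", "10.0.0.10", 11,
                                             "10.0.0.1", ["10.108.50.0/24"])
        print(label, findings, fixes)
```

On a real Edge server, pipe `route print` into `parse_route_print` and list every internal subnet that hosts Front End, Director or client ranges; anything reachable only through the default route is a sign the internal firewall rules in the answer will see the traffic arriving from the wrong interface.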