845 Views | 0 Helpful | 2 Replies

ISA or ASA - Office Communicator 2007 Edge Setup

saquib.tandel
Level 1

Hi All,

I need some expert advice on Office Communicator 2007 Edge Server access for external users (users behind the firewall).

We have one firewall in our scenario. The firewall requirements requested by Microsoft are really scary.

Microsoft recommends ISA Server and not Cisco ASA / PIX Firewall.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  • Public IP address. The A/V Edge server needs to have a publicly routable IP address. This address must be publicly routable; you can't fudge it by giving it an IP address in a private range (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) and do any sort of NAT to it. 1:1 NAT or static NAT mapping won't do the trick here. You can and should have a firewall between it and the Internet, but it can't be doing any address translation.
  • Dual-homed. The A/V Edge server cannot be separated from the internal OCS servers by NAT. Therefore, if you're using a private address range and NAT in your internal network, you have to give the A/V Edge server a second network interface and IP address on a routable, non-NAT address range. (Note, however, it doesn't have to be the same address range as the internal network, simply on an address range that is directly routable without NAT.)
  • 20,002 external ports. The external (publicly routable) interface needs to have the following ports opened to the Internet: UDP 3478, TCP 443, UDP 50,000-59,999, and TCP 50,000-59,999.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

http://technet.microsoft.com/en-us/library/dd441361%28office.13%29.aspx [link has more details]

I did google and found all techies having the same issue.

    Thanks

    ST

2 Replies

Kureli Sankar
Cisco Employee

    Hello,

    I read the following in the link that you provided.

In any location with multiple Edge Servers deployed behind a load balancer, the external firewall cannot function as a network address translation (NAT). However, in a site with only a single Edge Server deployed, the external firewall can be configured as a NAT.

If you do so, configure the NAT as a destination network address translation (Destination NAT) for inbound traffic. In other words, configure any firewall filter used for traffic from the Internet to the Edge Server with Destination NAT, and configure any firewall filter for traffic going from the Edge Server to the Internet (outbound traffic) as a source network address translation (Source NAT). The inbound and outbound filters must map to the same public IP address and the same private IP address, as shown in Figure 1.

Figure 1. Sample Destination NAT and Source NAT configuration [image not reproduced]

In all topologies, however, the internal firewall cannot act as a NAT for the internal IP address of any Edge Servers.

I am not sure why they say not to NAT. This one line above, "However, in a site with only a single Edge Server deployed, the external firewall can be configured as a NAT.", says you can definitely NAT.

    -KS

    Hi

The Edge Server will be placed in the DMZ with 3 NICs; this is a Microsoft requirement.

One NIC for voice - public IP [cannot have a NATted IP]

One NIC for web conferencing - public IP [cannot have a NATted IP]

One NIC for LAN communication

Not sure how I configure this on the ASA [not clear what they mean by "publicly routable IP address" or how to configure it on the firewall].

I feel I am opening almost all ports; is this normal?

A/V Edge Server

An external DNS A record that points the external FQDN of the A/V Edge Server to its external IP address. This IP address must be a publicly routable IP address.

External

Local Port: 443 TCP (STUN/TCP)
Direction: Inbound (for external user access to media and A/V sessions)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server
Remote IP: Any IP address

Local Port Range: 50,000-59,999 TCP (RTP/TCP)
Direction: Inbound/Outbound (for media transfer)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
Remote IP: Any IP address

What is STUN referring to in the next statement?

Local Port: 3478 UDP (STUN/UDP)
Direction: Inbound (for external users connecting to media or A/V sessions)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server
Remote IP: Any IP address

Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive
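The post above asks how "publicly routable, not NATted" translates into ASA terms. On an ASA it means the DMZ interface itself carries a public subnet and no translation rule touches the Edge Server's address, so the only firewall work is routing plus an access list that admits exactly the ports Microsoft lists (UDP 3478 for STUN, TCP 443, and TCP/UDP 50,000-59,999). STUN (Session Traversal Utilities for NAT) is the protocol external clients use against the Edge to learn which public address and port their media should use, which is why it has to answer on its real public address. The configuration below is an added example written for this thread, not Microsoft's or Cisco's reference material; it uses ASA 8.2-style syntax, three interfaces named outside/dmz/inside, and constructed addresses from the 203.0.113.0/24 documentation range (the ISP is assumed to route 203.0.113.32/27 to the ASA's outside address).

```cisco
! Added example, not from the thread: ASA 8.2-style routed (non-NAT) DMZ
! for the OCS 2007 A/V Edge external NIC. All addresses are constructed.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.252
!
! DMZ holds a real public /27; the A/V Edge external NIC lives here as .40
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 203.0.113.33 255.255.255.224
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.2
!
! No translation anywhere in the Edge path: with nat-control off, traffic
! that matches no nat/static rule is forwarded with its original addresses,
! which is what "publicly routable, no 1:1 NAT" in the requirement means.
no nat-control
!
! Exactly the ports Microsoft lists, only to the A/V Edge external address.
object-group service OCS-AV-EDGE-TCP tcp
 port-object eq 443
 port-object range 50000 59999
object-group service OCS-AV-EDGE-UDP udp
 port-object eq 3478
 port-object range 50000 59999
!
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.40 object-group OCS-AV-EDGE-TCP
access-list OUTSIDE-IN extended permit udp any host 203.0.113.40 object-group OCS-AV-EDGE-UDP
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Outbound media (the 50,000-59,999 ranges are inbound/outbound) leaves the
! dmz towards outside; higher-to-lower security is allowed by default, so no
! dmz ACL is needed unless you want to restrict what the Edge may reach.
```

Two checks worth doing after applying something like this: `show xlate` should stay empty for 203.0.113.40 (any entry means a translation rule is still catching the Edge), and a `packet-tracer input outside udp 198.51.100.7 40000 203.0.113.40 3478` should end in ALLOW with no NAT phase. The internal NIC of the Edge must also reach the internal OCS servers without translation, as the quoted Microsoft text says for the internal firewall; if that NIC sits on another ASA interface, keep it out of any `nat`/`static` rule as well. The thread's "20,002 ports" worry is real but bounded: the access list admits those ports to one host only, and the final deny with `log` gives you a record of anything else that arrives at the Edge address.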
