12-26-2010 11:01 AM - edited 03-11-2019 12:27 PM
Hi All,
I need some expert advice on Office Communicator 2007 Edge Server access for external users (users behind the firewall).
We have one firewall in our scenario. The firewall requirements requested by Microsoft are really scary.
Microsoft recommends ISA Server and not Cisco ASA / PIX Firewall.
http://technet.microsoft.com/en-us/library/dd441361%28office.13%29.aspx [ link has more details ]
I did google it and found all techies having the same issue.
Thanks
ST
12-26-2010 12:36 PM
Hello,
I read the following in the link that you provided.
In any location with multiple Edge Servers deployed behind a load balancer, the external firewall cannot function as a network address translation (NAT). However, in a site with only a single Edge Server deployed, the external firewall can be configured as a NAT.
If you do so, configure the NAT as a destination network address translation (Destination NAT) for inbound traffic—in other words, configure any firewall filter used for traffic from the Internet to the Edge Server with Destination NAT, and configure any firewall filter for traffic going from the Edge Server to the Internet (outbound traffic) as a source network address translation (Source NAT). The inbound and outbound filters must map to the same public IP address and the same private IP address, as shown in Figure 1.
In all topologies, however, the internal firewall cannot act as a NAT for the internal IP address of any Edge Servers.
I am not sure why they say not to NAT. This one line above, "However, in a site with only a single Edge Server deployed, the external firewall can be configured as a NAT.", says you can definitely NAT.
-KS
12-26-2010 01:26 PM
Hi
The Edge Server will be placed in the DMZ with 3 NICs; this is a Microsoft requirement:
One NIC for Voice - Public IP [cannot have a NATted IP]
One NIC for Web conferencing - Public IP [cannot have a NATted IP]
One NIC for LAN communication
Not sure how I configure this on the ASA [not clear what they mean by "publicly routable IP address", or how to configure it on the firewall].
I feel I am opening almost all ports; is this normal?
A/V Edge Server: An external DNS A record that points the external FQDN of the A/V Edge Server to its external IP address. This IP address must be a publicly routable IP address.

External:

Local Port: 443 TCP (STUN/TCP)
Direction: Inbound (for external users' access to media and A/V sessions)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server
Remote IP: Any IP address

Local Port Range: 50,000-59,999 TCP (RTP/TCP)
Direction: Inbound/Outbound (for media transfer)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
Remote IP: Any IP address

Local Port: 3478 UDP (STUN/UDP)
Direction: Inbound (for external users connecting to media or A/V sessions)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server
Remote IP: Any IP address
Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.
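As an added illustration (not from the original thread or from Microsoft's documentation), this is how the three A/V Edge rules quoted above would look on an ASA, with the A/V Edge external NIC on an un-NATted public address in the DMZ. Assumed names: interfaces "outside" and "dmz", the placeholder public address 203.0.113.10 for the A/V Edge external NIC, and ASA 8.2-style configuration with nat-control disabled, so no nat/static statement is needed for a host that keeps its real public address.

```cisco
! Assumptions: interface "outside" faces the Internet, interface "dmz" holds the
! Edge Server; 203.0.113.10 is a placeholder for the A/V Edge external address.
! No nat or static line is written for 203.0.113.10: the A/V Edge external
! address must stay a real, publicly routable address (no NAT).
!
object-group service OCS-AV-EDGE-TCP tcp
 description Inbound TCP that the A/V Edge external interface must accept
 port-object eq 443
 port-object range 50000 59999
!
access-list OUTSIDE_IN remark OCS A/V Edge: STUN/TCP 443 and RTP/TCP 50000-59999, any remote port
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 object-group OCS-AV-EDGE-TCP
access-list OUTSIDE_IN remark OCS A/V Edge: STUN/UDP 3478, any remote port
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 3478
access-list OUTSIDE_IN remark Anything else from the Internet to the DMZ hits the implicit deny
access-group OUTSIDE_IN in interface outside
!
! Outbound RTP/TCP 50000-59999 from the A/V Edge to the Internet travels from a
! higher to a lower security level, so it is allowed by default; only if an ACL
! is applied inbound on the dmz interface does it need an explicit permit:
! access-list DMZ_IN extended permit tcp host 203.0.113.10 range 50000 59999 any
```

Only the three documented A/V Edge ports are opened to the single public address, rather than "almost all ports"; the Access Edge and Web Conferencing Edge rules from the same Microsoft page are added in the same way on their own public addresses.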