ProspectConsulting asked:
Publishing a Lync 2010 server without ISA or TMG

Hi All,

I have been using Lync 2010 internally here now for 6 months and the business and I wanted to take it to the next level and enable the external features of Lync.

From what I have been able to gather so far this is pretty much impossible without the use of TMG or ISA. Is this right?

What I have to use at this point in time is;

1x Windows server 2008 R2 Standard x64
1x Watchguard x750e Firebox

With this would this be possible to setup the appropriate rules to publish Lync 2010?

Regards,

Daniel.
Cliff Galiher

It is not possible even WITH TMG. Lync has a separate server role, the edge server role, that handles external traversal. Currently this is REQUIRED due to limitations in IPv4 and the industry standard SIP protocol to properly manage multiple endpoint connections. The edge roles cannot be collocated with other roles.

-Cliff
ProspectConsulting (ASKER)

Thank you Cliff,

So what you are saying is that I will need another server to handle the external side of the Lync server?

If this is the case and suppose I do install a second server what are the limitations of the Watchguard firewall? Will I need TMG or ISA?

Regards,

Daniel
djjackfrwmml

I recommend TMG over ISA.  Also, both the Edge server and the Reverse Proxy need to be in a DMZ.  The Edge can be a VM but the Reverse Proxy must be a physical box.  You will also need to request certs through the Edge server.  This is analogous to when you set up the certs for the Front End server, but with the Edge server you will be requesting the certs from a public CA instead of an internal CA.

There is a fair bit of prep for this so I suggest you plan in advance.
Are you certain, Cliff? It seems to be working for me currently although I am not using the Enterprise Voice and only using Lync for Audio/Video/IM and presence.
Keith, are you saying you can do A/V for external users without an Edge server?
Because of how Lync uses secondary connections, unexpected connection and performance issues will occur without a proper edge server. While you can pass the primary protocol (SIP) through a firewall, the secondary connections cannot occur inbound without either completely opening the firewall (might as well not have one) or a server capable of terminating the endpoints. Such a configuration may appear to work during testing, but can be extremely frustrating for users as inbound initiated IMs and audio will either fall incomplete or be dropped. Yes, I am quite sure on this point; it is a technical limitation of SIP, RTSP, and RTP, and is not unique to Lync. Multiple-site IP PBXs or IP PBXs that allow remote endpoint registration also require similar edge services and planning considerations. That is why SIP gateways are both big business and fairly expensive.

-Cliff
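To make the "secondary connections" point above concrete, here is an added example (my own code, not from this thread or from Microsoft). It parses a constructed SIP INVITE carrying an SDP offer, pulls out the RTP/RTCP ports the offer asks the far side to send media to, and checks each flow against two static firewall policies: one that publishes only the SIP signalling port, and one that opens the whole UDP ephemeral range. The message, addresses (RFC 5737 documentation range) and port numbers are all constructed for the demonstration; the rule set is a simplified model of a stateless packet filter, not any specific Watchguard or TMG configuration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a SIP INVITE with an SDP offer (RFC 4566 layout).
# Addresses come from the RFC 5737 documentation range; nothing here is real.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 203.0.113.10:5061;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 203.0.113.10\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.10\r\n"
    "t=0 0\r\n"
    "m=audio 49172 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "a=rtpmap:31 H261/90000\r\n"
)

@dataclass(frozen=True)
class Flow:
    proto: str    # "tcp" or "udp"
    port: int
    purpose: str  # what the flow carries

@dataclass(frozen=True)
class Rule:
    """A static allow rule: protocol plus an inclusive port range."""
    proto: str
    low: int
    high: int

    def matches(self, flow: Flow) -> bool:
        return flow.proto == self.proto and self.low <= flow.port <= self.high

def split_sip(raw: str) -> Tuple[dict, str]:
    """Split a SIP message into a lower-cased header dict and its body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def sdp_media_flows(sdp: str) -> List[Flow]:
    """Return the inbound media flows an SDP offer asks the far side to send.

    Each m= line names a media type and an RTP port chosen at call time;
    RTCP sits on port+1 by convention (RFC 3550), so both must get through.
    """
    flows = []
    for kind, port, proto in re.findall(r"^m=(\w+) (\d+) (\S+)", sdp, re.M):
        p = int(port)
        transport = "udp" if proto.startswith("RTP") else "tcp"
        flows.append(Flow(transport, p, f"{kind} RTP"))
        flows.append(Flow(transport, p + 1, f"{kind} RTCP"))
    return flows

def signalling_flow(headers: dict) -> Flow:
    """Derive the signalling flow (transport and port) from the Via header."""
    m = re.match(r"SIP/2\.0/(\w+) [^:;]+:(\d+)", headers["via"])
    transport, port = m.group(1), int(m.group(2))
    return Flow("tcp" if transport in ("TCP", "TLS") else "udp", port, "SIP signalling")

def evaluate(rules: List[Rule], flows: List[Flow]) -> dict:
    """Map each flow's purpose to True (permitted) or False (dropped)."""
    return {f.purpose: any(r.matches(f) for r in rules) for f in flows}

# The policy a plain firewall can express: publish the SIP/TLS port only.
SIP_ONLY = [Rule("tcp", 5061, 5061)]
# The "make it work" alternative: open the entire UDP ephemeral range inbound.
WIDE_OPEN = [Rule("tcp", 5061, 5061), Rule("udp", 1024, 65535)]

def check_policy(rules: List[Rule], raw: str = SAMPLE_INVITE) -> dict:
    headers, body = split_sip(raw)
    flows = [signalling_flow(headers)] + sdp_media_flows(body)
    return evaluate(rules, flows)

if __name__ == "__main__":
    for name, rules in (("SIP-only rules", SIP_ONLY), ("wide-open rules", WIDE_OPEN)):
        print(name)
        for purpose, ok in check_policy(rules).items():
            print(f"  {purpose:16} {'permitted' if ok else 'DROPPED'}")
```

Under the SIP-only policy the INVITE itself is permitted, so a test call looks like it connects, but every RTP and RTCP flow is dropped because the ports were chosen inside the SDP body rather than fixed in advance. The wide-open policy permits everything, which is exactly the "might as well not have one" outcome. An edge role (or any SIP-aware terminating device) resolves this by reading the SDP and terminating or pinholing only the negotiated ports, which a static rule set cannot do.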
No, I'm not. My external users are actually internal users operating externally and come in via the TMG's VPN. My LYNC implementation is on a single server currently, merely being a PoC for some colleagues. However, later we will be implementing Enterprise Voice and opening up fully and moving to a production implementation so it was a request for confirmation on something that I wasn't aware of.

I have around 700-ish ISA and TMG implementations behind me and have been an MVP and an MCT for both products for many years but have never performed a Lync implementation prior to my limited PoC - but I was under the impression that Lync 2010 could be published on a single box via TMG. Not that you would want to necessarily but that it was at least possible. I like to think I am well versed in TMG in all areas, and probably more than most but still find out new things each week. :)
If you have configured your VPN so that connected devices have unrestricted access to the internal network (or at least unrestricted access to an entire server) this could technically work. There would still be significant performance implications, I'd argue a user on a VPN is still "on the network" and therefore not an external user from a topology standpoint, and most importantly, granting that unrestricted access is a significant security concern, as you are no longer leveraging any firewall protection (Watchguard, TMG, other) with untrusted devices, but...yes...technically that would work.

-Cliff
Hey Keith,

As an MVP on both of the firewall technologies....  I am curious as to what you recommend, TMG or ISA?  I vastly prefer TMG but I don't have the depth of experience in it.
Cliff - fair points. The server is a quad-core blade with 128GB ram and the Internet pipe is rather brilliant so performance is not an issue.

TMG is by far the better product - not only being a 64-bit application, it includes pre-listed URL sets and categories, has a proper NIS service, supports Standard and Enterprise arrays (properly) and the ISP-R options make it a brilliant highly-available service.

That said, my apologies for seemingly hijacking the original poster's question thread.
TMG is what they renamed ISA when they pulled it into the Forefront brand. While I obviously cannot speak for Keith, I'll be surprised to see someone recommend an older version of a product ... Not that it doesn't happen ...XP vs. Vista, etc. But yeah, these aren't two separate products.

TMG vs. UAG, OTOH....that could be an interesting (off-topic) conversation.

-Cliff
TMG & UAG. Two totally different products with two completely different audiences.
Agreed. But there is overlap. But alas, I am guilty of the unintentional hijacking too. So, as an aside Keith, ping me offline if you don't mind. I had a quick question for you and didn't spot contact info in your profile.
Hi to those who have contributed to this question,

Unfortunately I do not feel that my question has really been answered here.

So what you are saying is that I will need another server to handle the external side of the Lync server?

If this is the case and suppose I do install a second server what are the limitations of the Watchguard firewall? Will I need TMG or ISA?

So will I need ISA or TMG to make this possible?

Regards,

Daniel
ASKER CERTIFIED SOLUTION
Cliff Galiher
Thank you Cliff,

I kind of feel my question got hijacked a little with the back and forth but you have answered my question.

At some point in time if I need further information can I contact you?

Regards,

Daniel