Publishing a Lync 2010 server without ISA or TMG

ProspectConsulting
Hi All,

I have been using Lync 2010 internally here now for 6 months and the business and I wanted to take it to the next level and enable the external features of Lync.

From what I have been able to gather so far this is pretty much impossible without the use of TMG or ISA. Is this right?

What I have to use at this point in time is;

1x Windows server 2008 R2 Standard x64
1x Watchguard x750e Firebox

With this would this be possible to setup the appropriate rules to publish Lync 2010?

Regards,

Daniel.
Distinguished Expert 2018

Commented:
It is not possible even WITH TMG. Lync has a separate server role, the edge server role, that handles external traversal. Currently this is REQUIRED due to limitations in IPv4 and the industry standard SIP protocol to properly manage multiple endpoint connections. The edge roles cannot be collocated with other roles.

-Cliff

Author

Commented:
Thank you Cliff,

So what you are saying is that I will need another server to handle the external side of the Lync server?

If this is the case and suppose I do install a second server what are the limitations of the Watchguard firewall? Will I need TMG or ISA?

Regards,

Daniel
I recommend TMG over ISA. Also both the Edge server and the Reverse Proxy need to be in a DMZ. The Edge can be a VM but the Reverse Proxy must be a physical box. You will also need to request certs through the Edge server. This is analogous to when you set up the certs for the Front End server, but with the Edge server you will be requesting the certs from a public CA instead of an internal CA.

There is a fair bit of prep for this so I suggest you plan in advance.

Keith AlabasterEnterprise Architect
Top Expert 2008

Commented:
Are you certain Cliff? It seems to be working for me currently although I am not using the Enterprise Voice and only using LYNC for Audio/Video/IM and presence.
Keith, are you saying you can do A/V for external users without an Edge server?
Distinguished Expert 2018

Commented:
Because of how Lync uses secondary connections, unexpected connection and performance issues will occur without a proper edge server. While you can pass the primary protocol (SIP) through a firewall, the secondary connections cannot occur inbound without either completely opening the firewall (might as well not have one) or a server capable of terminating the endpoints. Such a configuration may appear to work during testing, but can be extremely frustrating for users as inbound initiated IMs and audio will either fail to complete or be dropped. Yes, I am quite sure on this point; it is a technical limitation of SIP, RTSP, and RTP, and is not unique to Lync. Multiple-site IP PBXs or IP PBXs that allow remote endpoint registration also require similar edge services and planning considerations. That is why SIP gateways are both big business and fairly expensive.

-Cliff
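A small model of the point Cliff makes above, added here as an illustration; it is not code from the thread, from Lync or from any of the products named. It models only the inbound side of a stateful perimeter firewall: the SIP/TLS signalling connection is one well-known TCP port that a single static rule can publish, but the RTP media leg a call negotiates in SDP lands on a per-call random UDP port and, for an inside client, on a private address that an outside caller cannot even route to. A media relay in the DMZ (the job the Lync edge role does) advertises one routable address and one fixed port range instead, so the firewall needs only a narrow static rule. The addresses, the relay port range and the 1:1 NAT used in the "open" mode are constructed assumptions for the example, not Lync's documented values.

```python
import ipaddress
import random
from dataclasses import dataclass

# Constructed topology (documentation address ranges, not a real deployment).
CALLER_PUBLIC = "203.0.113.5"        # outside endpoint placing the call
FRONTEND_PUBLIC = "198.51.100.10"    # public address NATted to the front end
CALLEE_PRIVATE = "10.0.0.20"         # inside endpoint receiving the call
CALLEE_NAT_PUBLIC = "198.51.100.30"  # 1:1 NAT for the callee in "open" mode (assumption)
RELAY_PUBLIC = "198.51.100.20"       # media relay (edge-style role) in the DMZ
SIP_TLS_PORT = 5061
RELAY_MEDIA_RANGE = (50000, 50999)   # assumed fixed relay range, not Lync's documented one

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


class PerimeterFirewall:
    """Inbound side of a stateful perimeter firewall: a packet from the
    Internet is accepted only if its destination is routable from outside
    and matches a static allow rule (proto, public_dst, port_low, port_high)."""

    def __init__(self, inbound_rules):
        self.rules = list(inbound_rules)

    @staticmethod
    def routable_from_internet(dst):
        addr = ipaddress.ip_address(dst)
        return not any(addr in net for net in RFC1918)

    def permits_inbound(self, p):
        if not self.routable_from_internet(p.dst):
            return False  # private address: the caller cannot even reach it
        return any(p.proto == proto and p.dst == dst and lo <= p.dport <= hi
                   for proto, dst, lo, hi in self.rules)

    def exposed_inbound_ports(self):
        """Attack surface the rule set publishes, as a count of (host, port) pairs."""
        return sum(hi - lo + 1 for _, _, lo, hi in self.rules)


def sdp_media_target(mode, rng):
    """Address/port the inside callee advertises in its SDP answer for RTP."""
    if mode == "relay":
        return RELAY_PUBLIC, rng.randint(*RELAY_MEDIA_RANGE)  # relay-allocated port
    if mode == "open":
        return CALLEE_NAT_PUBLIC, rng.randint(1024, 65535)   # client port behind 1:1 NAT
    return CALLEE_PRIVATE, rng.randint(1024, 65535)          # plain client: private address


def build_rules(mode):
    rules = [("tcp", FRONTEND_PUBLIC, SIP_TLS_PORT, SIP_TLS_PORT)]  # publish SIP/TLS only
    if mode == "relay":
        rules.append(("udp", RELAY_PUBLIC, *RELAY_MEDIA_RANGE))  # one narrow static range
    elif mode == "open":
        rules.append(("udp", CALLEE_NAT_PUBLIC, 1024, 65535))    # "just open it all"
    return rules


def simulate_inbound_call(mode="none", seed=1):
    """Outside caller -> inside callee. Returns whether signalling and the
    caller's first RTP packet get through, and how many inbound ports the
    rule set exposes to achieve that."""
    rng = random.Random(seed)
    fw = PerimeterFirewall(build_rules(mode))
    invite = Packet("tcp", CALLER_PUBLIC, FRONTEND_PUBLIC, SIP_TLS_PORT)
    media_ip, media_port = sdp_media_target(mode, rng)
    rtp = Packet("udp", CALLER_PUBLIC, media_ip, media_port)
    return {
        "signalling": fw.permits_inbound(invite),
        "inbound_media": fw.permits_inbound(rtp),
        "exposed_ports": fw.exposed_inbound_ports(),
    }


if __name__ == "__main__":
    for mode in ("none", "relay", "open"):
        print(mode, simulate_inbound_call(mode))
```

The "none" mode is the single-box setup: the INVITE gets in, the caller's audio never does. The "relay" mode gets the media through while publishing only the relay's fixed range. The "open" mode stands in for Cliff's "completely opening the firewall" remark: media flows, but the exposed port count shows what that costs, and it is optimistic, since a real client behind NAT does not know its public address and would advertise the private one anyway.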
Keith AlabasterEnterprise Architect
Top Expert 2008

Commented:
No, I'm not. My external users are actually internal users operating externally and come in via the TMG's VPN. My LYNC implementation is on a single server currently, merely being a PoC for some colleagues. However, later we will be implementing Enterprise Voice and opening up fully and moving to a production implementation so it was a request for confirmation on something that I wasn't aware of.

I have around 700-ish ISA and TMG implementations behind me and have been an MVP and an MCT for both products for many years but have never performed a LYNC implementation prior to my limited PoC - but I was under the impression that LYNC 2010 could be published on a single box via TMG. Not that you would want to necessarily but that it was at least possible. I like to think I am well versed in TMG in all areas, and probably more than most but still find out new things each week. :)
Distinguished Expert 2018

Commented:
If you have configured your VPN so that connected devices have unrestricted access to the internal network (or at least unrestricted access to an entire server) this could technically work. There would still be significant performance implications, I'd argue a user on a VPN is still "on the network" and therefore not an external user from a topology standpoint, and most importantly, granting that unrestricted access is a significant security concern, as you are no longer leveraging any firewall protection (Watchguard, TMG, other) with untrusted devices, but...yes...technically that would work.

-Cliff
Hey Keith,

As an MVP on both of the firewall technologies.... I am curious as to what you recommend, TMG or ISA? I vastly prefer TMG but I don't have the depth of experience in it.
Keith AlabasterEnterprise Architect
Top Expert 2008

Commented:
Cliff - fair points. The server is a quad-core blade with 128GB ram and the Internet pipe is rather brilliant so performance is not an issue.

TMG is by far the better product - not only being a 64-bit application, it includes pre-listed URL sets and categories, has a proper NIS service, supports Standard and Enterprise arrays (properly) and the ISP-R options make it a brilliant highly-available service.

That said, my apologies for seemingly hijacking the original posters question thread.
Distinguished Expert 2018

Commented:
TMG is what they renamed ISA when they pulled it into the Forefront brand. While I obviously cannot speak for Keith, I'll be surprised to see someone recommend an older version of a product ... Not that it doesn't happen ...XP vs. Vista, etc. But yeah, these aren't two separate products.

TMG vs. UAG, OTOH....that could be an interesting (off-topic) conversation.

-Cliff
Keith AlabasterEnterprise Architect
Top Expert 2008

Commented:
TMG & UAG. Two totally different products with two completely different audiences.
Distinguished Expert 2018

Commented:
Agreed. But there is overlap. But alas, I am guilty of the unintentional hijacking too. So, as an aside Keith, ping me offline if you don't mind. I had a quick question for you and didn't spot contact info in your profile.
Keith AlabasterEnterprise Architect
Top Expert 2008

Commented:
.

Author

Commented:
Hi to those who have contributed to this question,

Unfortunately I do not feel that my question has really been answered here.

So what you are saying is that I will need another server to handle the external side of the Lync server?

If this is the case and suppose I do install a second server what are the limitations of the Watchguard firewall? Will I need TMG or ISA?

So will I need ISA or TMG to make this possible?

Regards,

Daniel
Distinguished Expert 2018
Commented:
Yes, you will need another server if you want to allow external access directly from outside endpoints (no VPN, no DirectAccess type configurations).

The edge server role is designed to be firewall friendly so you *should* be able to get away without TMG. With that said, ever since Watchguard switched to Fireware as their sole OS, back around v10 a few years back, due to their many many bugs and substandard support...at the price they charge for their yearly support contracts, I have quit using and supporting them. There may be implementation issues specific to Watchguard that I am unaware of. But as far as Lync is concerned, with a proper edge server, it works with many brands of firewalls.

TMG does provide some unique security features and can certainly be used to augment Lync. Forget ISA. TMG replaces it and there is never a reason (that I can think of) to deploy ISA over TMG. Depending on the size of your deployment, as I hinted at above, UAG also can be an option. What Keith said is true, TMG and UAG are different products (with a little overlap) but TMG still has its roots in proxy server, and is geared towards managing and protecting outbound connections. Its ability to publish services and protect incoming connections is somewhat basic whereas UAG was designed for exactly this purpose. In large deployments it is not uncommon to see both in place where TMG handles protecting the internal network and UAG handles protecting the external services offered.

I bring this up because, as I recall (which could be wrong), the x750 series was one of the higher end Watchguard models which you only saw in larger networks, so I'm trying to be thorough in my answer based on what I could guess to be your network size.

But to recap, all you *should* need is a server. Assuming there are no problems with Watchguard's firewall rules, that will work. You can get more functionality with TMG, and even more with UAG, but those are additive with increasing options for security and configurability and are not required for a basic deployment, and certainly not required for a test lab.

HTH,

-Cliff

Author

Commented:
Thank you Cliff,

I kind of feel my question got hijacked a little with the back and forth but you have answered my question.

At some point in time if I need further information can I contact you?

Regards,

Daniel
