Solved

Lync 2013 Edge Without DMZ

Posted on 2013-11-08
1,357 Views
Last Modified: 2013-11-13
Is it possible and does anyone have a recommended method for setting up Lync edge without a DMZ?

I'd like FE & Edge servers to sit behind existing load-balanced ISAs.

I don't intend for any of my clients to talk directly to the FE pool or the Edge server. All traffic is to be routed through ISA.

Many thanks!
Question by: pxuser
6 Comments
 

Expert Comment

by: irweazelwallis
ID: 39635333
All you really need to make life easy is to separate networks on the edge server so that it can route the traffic from external to internal.

When you say you don't intend any users to connect directly to the FE, are you talking about internal users as well? That would make it very hard to work.
 

Author Comment

by: pxuser
ID: 39639592
Yes I would like all internal users to connect to a Public address on the ISA. My reasoning behind this is not wanting to have to maintain split DNS for the desired external domain name.

Just to clarify the 'internal' clients are not on the same public address range and they sit behind a different ISA to the FE and Edge, so could technically be classed as external.
 

Expert Comment

by: irweazelwallis
ID: 39640194
That's a bit of a risk with traffic, as you are putting an extra overhead on things. Not sure how SIP traffic would cope going through ISA; it seems like a lot of effort for a few pinpoint records for one SIP domain.

I think I would need a network diagram to understand where things sit.

But...
The only real design considerations for Edge services are:
Not on the domain
Two NICs on separate ranges to allow for routing between the two
Enough IPs to service all the Edge services

It's then up to you how you allow traffic through to it and whether it sits between firewalls, etc.

 

Author Comment

by: pxuser
ID: 39641821
I've carved up a weather map and made it into a quick diagram... It's virtual, so if you start from the far right, everything below the B-RAS is at our office site and everything above is in the data centre.

Ultimately all traffic must pass through ISA & TMG one way or another, so if there is an overhead for doing things this way I don't have a choice.

The route highlighted in red is the internal ISA network that allows traffic to and from the server and client networks.

The Blue route is my preferred route. If all traffic is routed this way it would prevent having to maintain internal and external DNS records for the SIP domain as this domain is not held in internal DNS. Laptops and mobiles etc wouldn't have to transition between the two routes when dropping off and on the wifi for example.
 

 
I guess my main questions are around the edge configuration:

1. Does the external NIC on the Edge have to be on a separate range? This means adding additional NICs to ISA (I'm guessing this is a yes).

2. Does each Edge service need its own Public IP and FQDN?

3. 'A/V Edge service is NAT enabled' in the edge configuration - can you shed some light on this?

4. Have I missed anything?


Thanks.
 

Accepted Solution

by: irweazelwallis (earned 500 total points)
ID: 39641922
1. To make life easy on the Lync Edge servers, yes, a separate range so that it can route properly.

2. Yes. Some are consolidated and pointed at one place, but you will need at least 4: 3 Edge and 1 Front End RP.

3. This means that it can cope with being translated through a firewall, so you don't need your Lync server directly on the Internet, i.e. you can translate from 1.1.1.1 to 192.168.7.1 and it will cope.

I think the best thing is to think about this as though all your clients are remote clients as none of them will be able to connect directly to the FE servers.

Here is an Edge diagram to get you started:

http://technet.microsoft.com/en-us/library/gg425891.aspx
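The following is an added example, not part of this thread and not Microsoft tooling: a small checker that encodes the three points of the accepted answer (the Edge's two NICs on separate ranges; an FQDN and a public address for each of the three Edge services plus the Front End reverse proxy; and, with "A/V Edge service is NAT enabled", a private external NIC address that the firewall maps 1:1 to a public one, the answer's 1.1.1.1 to 192.168.7.1 case). Every hostname, address range and role name in it is assumed for illustration; 203.0.113.0/24 is a documentation range standing in for real public space, and the plans at the bottom are constructed sample input.

```python
"""Added example: consistency check for a Lync Edge external-addressing plan.
All hostnames, ranges and role names are assumed for illustration."""
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 ranges; checked explicitly because Python treats the 203.0.113.0/24
# documentation range used below as non-global as well.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EDGE_ROLES = ("access", "webconf", "av")          # services on the Edge external NIC
REQUIRED_ROLES = EDGE_ROLES + ("reverse_proxy",)  # plus the Front End reverse proxy


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


@dataclass
class EdgePlan:
    internal_nic: str      # CIDR of the Edge internal NIC, e.g. "192.168.7.1/24"
    external_nic: str      # CIDR of the Edge external NIC (private when behind NAT)
    services: dict         # role -> (FQDN, address the firewall forwards to)
    nat_map: dict = field(default_factory=dict)  # external NIC addr -> public addr
    av_nat_enabled: bool = False                 # Topology Builder's A/V NAT checkbox


def public_address(plan, role, addr):
    """Return (public IP, problem). A private address needs a 1:1 NAT mapping,
    and A/V behind NAT additionally needs the NAT-enabled flag in the topology."""
    ip = ipaddress.ip_address(addr)
    if not is_rfc1918(ip):
        return ip, None
    if addr not in plan.nat_map:
        return None, f"{role}: private address {addr} has no public NAT mapping"
    if role == "av" and not plan.av_nat_enabled:
        return None, "av: behind NAT but 'A/V Edge service is NAT enabled' is off"
    return ipaddress.ip_address(plan.nat_map[addr]), None


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    int_net = ipaddress.ip_interface(plan.internal_nic).network
    ext_net = ipaddress.ip_interface(plan.external_nic).network
    # 1. Separate ranges, so the Edge can route between its two NICs.
    if int_net.overlaps(ext_net):
        problems.append(f"internal {int_net} and external {ext_net} overlap")
    # 2. Every role present, each with its own FQDN and a public address.
    for role in REQUIRED_ROLES:
        if role not in plan.services:
            problems.append(f"{role}: no FQDN/address defined")
    seen = {}
    for role, (fqdn, addr) in plan.services.items():
        if fqdn in seen:
            problems.append(f"{role}: reuses FQDN {fqdn} already used by {seen[fqdn]}")
        seen[fqdn] = role
        if role in EDGE_ROLES and ipaddress.ip_address(addr) not in ext_net:
            problems.append(f"{role}: {addr} is not on the external NIC range {ext_net}")
        # 3. NAT handling for private external addresses.
        _, problem = public_address(plan, role, addr)
        if problem:
            problems.append(problem)
    return problems


def public_addresses(plan):
    """Distinct public addresses the plan consumes on the firewall/ISA."""
    found = {public_address(plan, r, a)[0] for r, (_, a) in plan.services.items()}
    return {ip for ip in found if ip is not None}


# Constructed sample plans. GOOD_PLAN: private external NIC behind 1:1 NAT,
# four public addresses (3 Edge + 1 reverse proxy), A/V NAT enabled.
GOOD_PLAN = EdgePlan(
    internal_nic="192.168.7.1/24",
    external_nic="192.168.8.10/24",
    services={
        "access": ("sip.example.com", "192.168.8.10"),
        "webconf": ("webconf.example.com", "192.168.8.11"),
        "av": ("av.example.com", "192.168.8.12"),
        "reverse_proxy": ("lyncweb.example.com", "203.0.113.13"),
    },
    nat_map={"192.168.8.10": "203.0.113.10",
             "192.168.8.11": "203.0.113.11",
             "192.168.8.12": "203.0.113.12"},
    av_nat_enabled=True,
)
# BAD_PLAN: both NICs on one range, a shared FQDN, no NAT, no reverse proxy.
BAD_PLAN = EdgePlan(
    internal_nic="192.168.7.1/24",
    external_nic="192.168.7.200/24",
    services={
        "access": ("sip.example.com", "192.168.7.200"),
        "webconf": ("sip.example.com", "192.168.7.201"),
        "av": ("av.example.com", "192.168.7.202"),
    },
)

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, "public addresses:", len(public_addresses(plan)))
        for p in check_plan(plan) or ["ok"]:
            print("  ", p)
```

The checker only validates what the answer states about addressing; it says nothing about the ISA publishing rules or the SIP/STUN ports, which still have to be opened per role on the firewall in front of the external NIC.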
 

Author Closing Comment

by: pxuser
ID: 39644321
Thanks for your help