Solved

Lync 2013 Edge Without DMZ

Posted on 2013-11-08
Last Modified: 2013-11-13
Is it possible and does anyone have a recommended method for setting up Lync edge without a DMZ?

I'd like FE & Edge servers to sit behind existing load-balanced ISAs.

I don't intend for any of my clients to talk directly to the FE pool or the Edge server. All traffic is to be routed through ISA.

Many thanks!
Question by:pxuser
6 Comments
 

Expert Comment

by:irweazelwallis
ID: 39635333
All you really need to make life easy is to separate networks on the edge server so that it can route the traffic from external to internal.

When you say you don't intend any users to connect directly to the FE, are you talking about internal users as well? That would make it very hard to work.
 

Author Comment

by:pxuser
ID: 39639592
Yes I would like all internal users to connect to a Public address on the ISA. My reasoning behind this is not wanting to have to maintain split DNS for the desired external domain name.

Just to clarify the 'internal' clients are not on the same public address range and they sit behind a different ISA to the FE and Edge, so could technically be classed as external.

Expert Comment

by:irweazelwallis
ID: 39640194
That's a bit of a risk with traffic, as you are putting an extra overhead on things. Not sure how SIP traffic would cope going through ISA; it seems like a lot of effort for a few PinPoint records for one SIP domain.

I think I would need a network diagram to understand where things sit.

But the only real design considerations for Edge services are:
Not on the domain
Two NICs on separate ranges to allow for routing between the two
Enough IPs to service all the Edge services

It's then up to you how you allow traffic through to it and whether it sits between firewalls, etc.

 

Author Comment

by:pxuser
ID: 39641821
I've carved up a weather map and made it into a quick diagram... It's virtual, so if you start from the far right, everything below the B-RAS is at our office site and everything above is in the data centre.

Ultimately all traffic must pass through ISA & TMG one way or another, so if there is an overhead for doing things this way I don't have a choice.

The route highlighted in red is the internal ISA network that allows traffic to and from the server and client networks.

The Blue route is my preferred route. If all traffic is routed this way it would prevent having to maintain internal and external DNS records for the SIP domain as this domain is not held in internal DNS. Laptops and mobiles etc wouldn't have to transition between the two routes when dropping off and on the wifi for example.
 

 
I guess my main questions are around the edge configuration:

1. Does the external NIC on the edge have to be on a separate range? - This means adding additional NICs to ISA (I'm guessing this is a yes)

2. Does each Edge service need its own Public IP and FQDN?

3. 'A/V Edge service is NAT enabled' in the edge configuration - can you shed some light on this?

4. Have I missed anything?


Thanks.

Accepted Solution

by:
irweazelwallis earned 500 total points
ID: 39641922
1. To make life easy on the Lync Edge Servers, yes, a separate range so that it can route properly.

2. Yes, some are consolidated and pointed at one place, but you will need at least 4 - 3 edge and 1 Front End RP.

3. This means that it can cope with being translated through a firewall, so you don't need your Lync Server directly on the Internet, i.e. you can translate from 1.1.1.1 to 192.168.7.1 and it will cope.

I think the best thing is to think about this as though all your clients are remote clients as none of them will be able to connect directly to the FE servers.

Here is an Edge diagram to get you started:

http://technet.microsoft.com/en-us/library/gg425891.aspx
0
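The design rules from this thread (Edge off the domain, two NICs on separate ranges, one address per Edge service, NAT in front of the A/V Edge) can be checked against an addressing plan before any firewall rules are written. This is an added example, not part of the original thread; the plan field names and every address except the 1.1.1.1 to 192.168.7.1 translation quoted in the answer are constructed for illustration.

```python
import ipaddress

EDGE_SERVICES = ("access", "webconf", "av")  # the three Edge services

def validate_edge_plan(plan):
    """Return a list of problems in an Edge addressing plan (empty list = OK)."""
    problems = []
    ext_net = ipaddress.ip_network(plan["external_subnet"])
    int_net = ipaddress.ip_network(plan["internal_subnet"])
    # Two NICs on separate ranges, so the Edge can route between them.
    if ext_net.overlaps(int_net):
        problems.append("external and internal NIC ranges overlap")
    # The Edge server is not on the domain.
    if plan.get("domain_joined"):
        problems.append("Edge server is domain joined")
    # Enough IPs: one address per Edge service, all on the external NIC range.
    seen = {}
    for svc in EDGE_SERVICES:
        raw = plan["external_ips"].get(svc)
        if raw is None:
            problems.append(f"no external IP for {svc}")
            continue
        ip = ipaddress.ip_address(raw)
        if ip not in ext_net:
            problems.append(f"{svc} IP {ip} is outside the external NIC range")
        if ip in seen:
            problems.append(f"{svc} shares {ip} with {seen[ip]}")
        seen.setdefault(ip, svc)
    # NAT-enabled A/V Edge: the public address is translated at the firewall,
    # so it must not itself sit inside either NIC range.
    if plan.get("av_nat_enabled"):
        raw_pub = plan.get("av_nat_public_ip")
        if raw_pub is None:
            problems.append("A/V NAT enabled but no public IP given")
        else:
            pub = ipaddress.ip_address(raw_pub)
            if pub in ext_net or pub in int_net:
                problems.append("A/V NAT public IP falls inside a NIC range")
    return problems

# Constructed sample plan (hypothetical field names and subnets).
SAMPLE_PLAN = {
    "domain_joined": False,
    "external_subnet": "192.168.7.0/24",
    "internal_subnet": "10.10.20.0/24",
    "external_ips": {"access": "192.168.7.2", "webconf": "192.168.7.3",
                     "av": "192.168.7.1"},
    "av_nat_enabled": True,
    "av_nat_public_ip": "1.1.1.1",  # translation quoted in the answer
}
```

The reverse proxy address for the Front End is outside the Edge server itself, so it is not part of this check.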
 

Author Closing Comment

by:pxuser
ID: 39644321
Thanks for your help

Question has a verified solution.
