Lync Multitenant Pack for Hosters - Planning for security (Answered)

  • March 15, 2012 20:50

    Hello,

    We are planning to deploy Lync 2010 in our hosting environment, but currently we are doing a POC installation in our lab.

    There is almost no mention of security in the Multitenant Pack for Partner Hosting Deployment Guide document. What concerns me the most is that one of the requirements is to have the Front End server with two network interfaces, where one is configured with a non-NATed public IP address. This practically puts the machine on the Internet with plenty of ports open, even with Windows Firewall still enabled.

    What are the recommendations for placing the Front End as well as the Director and Edge server roles directly on the Internet with a public IP address, as the deployment guide document suggests?

    Thanks,

    Dinko

All replies

  • March 16, 2012 11:01

    Hello,

    Microsoft never recommends putting the Front End server publicly, because you are not only exposing the Front End to the public but also your AD and messaging environment. Best is to put the Edge server external, configure the Director to offload authentication from the Front End server, and put the Front End on the LAN; this is the best.

    There is already a thread in TechNet; maybe this will help you.

    http://social.technet.microsoft.com/Forums/en-US/ocsplanningdeployment/thread/86797d4f-0487-4618-bed3-14e65cbce64a/

    Regards

    Zahoor

  • March 16, 2012 18:29

    Hi Zahoor,

    Thank you for your response.

    I agree that the Front End server should be placed on the local LAN, but I'm referring to this text from the Multitenant Pack for Partner Hosting Deployment Guide:

    "Front End Servers should have public IP addresses that are not configured to use NAT in addition to their private ones. This is because the Lync Server Multitenant Hosting Pack topology does not use Edge Servers to proxy SIP communication between the Internet and the Front End Servers."

    This basically means that the Front End server is multi-homed with two network adapters, one on the local LAN where the AD and messaging systems are located and one on the public Internet.

    Regards,
    Dinko

  • March 17, 2012 19:01

    "Front End Servers should have public IP addresses that are not configured to use NAT in addition to their private ones. This is because the Lync Server Multitenant Hosting Pack topology does not use Edge Servers to proxy SIP communication between the Internet and the Front End Servers."

    This basically means that the Front End server is multi-homed with two network adapters, one on the local LAN where the AD and messaging systems are located and one on the public Internet.

    A non-NATed IP address does not mean you have to put your machine directly on the Internet. Your machine should still be behind the firewall, but the firewall should be using publicly routable IP addresses for the protected interfaces.
  • July 26, 2012 7:23

    Hi Dinko,

    I'm installing Lync 2010 Multitenant and have the same hesitation with the multi-homed network configuration. It'll be great if you could share your configuration details, specific to the Edge, Director and Front End configurations.

    • Have you configured both Director and Front End servers with a multi-homed network?
    • Since the client requests go to the Director, is there any reason to deploy the Edge server?
    • Any other common pitfalls?

    regards,

    TR

  • July 26, 2012 7:51
     
     Suggested answer

    Hi TR,

    I'm glad I'm not the only one with concerns :)

    In the end our configuration has only two servers, Edge and Front End. We've completely left out the Director role because it serves only to redirect users to their Front End pool, which would only make sense if we had multiple Front End pools in multiple datacenters. But since we have only one Front End (small installation), we just point everything to the Front End, not the Director.

    Edge and Front End are multi-homed; each server has an internal interface and a non-NATed external interface with a public IP address. We have placed the external interfaces behind the TMG firewall, so they are not directly on the Internet. On TMG we control which ports are allowed to go through to the Edge and Front End. The internal interfaces of both servers are placed on the same internal logical subnet shared with the rest of the servers. In a more secure environment we would consider separating the internal subnets and deploying another firewall between Edge and Front End, and maybe even between Edge, Front End and the rest of the network, but it is too complicated and too much equipment needed for a simple installation.

    The Edge server is required if you will be doing federation with external users. All of your tenant users will always go to the Front End server, but external federated users will actually go to the Edge server. This means that your _sipfederationtls SRV record should point to your Edge external public IP.

    Regards,
    Dinko

    • Proposed as answer by CAVIT, July 26, 2012 21:43
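The point in Dinko's answer above (and in the original question) is that on a multi-homed Front End or Edge, any service bound to the wildcard address listens on the public NIC as well, so the perimeter firewall rule set has to be checked against what the host actually exposes. The following is an added example, not part of the thread or of any Microsoft tooling: it parses `netstat -ano` output and reports which listeners are reachable through the external interface, then diffs that against the ports the perimeter firewall is meant to pass. The netstat lines, the two interface addresses (10.0.0.10 internal, 203.0.113.10 external) and the allowed-port list are constructed placeholders for illustration, not values from the page.

```python
"""Audit which listeners on a multi-homed Windows host are reachable via
the external (public, non-NATed) NIC. Added example, not from the thread.
Feed it real `netstat -ano` output; the sample below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample in the shape of `netstat -ano` on Windows.
# Assumed addresses: 10.0.0.10 = internal NIC, 203.0.113.10 = external NIC.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1234
  TCP    10.0.0.10:3389         0.0.0.0:0              LISTENING       908
  TCP    203.0.113.10:5061      0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       2100
  TCP    10.0.0.10:49152        10.0.0.5:389           ESTABLISHED     612
  TCP    [::]:135               [::]:0                 LISTENING       704
  UDP    0.0.0.0:3478           *:*                                    1234
"""

EXTERNAL_IP = "203.0.113.10"  # assumed external NIC address

# Assumed placeholder: what the perimeter (TMG) rule set is meant to pass.
ALLOWED_EXTERNAL: Set[Tuple[str, int]] = {("TCP", 443), ("TCP", 5061), ("UDP", 3478)}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int


def split_addr(local: str) -> Tuple[str, int]:
    """Split 'host:port'; handles bracketed IPv6 such as '[::]:135'."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text: str) -> List[Listener]:
    """Return TCP LISTENING sockets and all UDP sockets (UDP rows carry no state)."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            if len(parts) != 5 or parts[3] != "LISTENING":
                continue
            local, pid = parts[1], parts[4]
        else:
            if len(parts) != 4:
                continue
            local, pid = parts[1], parts[3]
        host, port = split_addr(local)
        listeners.append(Listener(parts[0], host, port, int(pid)))
    return listeners


def reachable_externally(lst: Listener, external_ip: str) -> bool:
    """Reachable on the public NIC if bound to that NIC's address or to the
    wildcard (0.0.0.0 / ::). Loopback and internal-only bindings are not,
    whatever the host firewall does."""
    if lst.addr in ("0.0.0.0", "::"):
        return True
    try:
        return ipaddress.ip_address(lst.addr) == ipaddress.ip_address(external_ip)
    except ValueError:
        return False


def external_exposure(text: str, external_ip: str) -> List[Tuple[str, int, int]]:
    """(proto, port, pid) for every socket the external NIC answers on."""
    return sorted({(l.proto, l.port, l.pid) for l in parse_netstat(text)
                   if reachable_externally(l, external_ip)})


def unexpected_exposure(text: str, external_ip: str,
                        allowed: Set[Tuple[str, int]]) -> List[Tuple[str, int, int]]:
    """Externally reachable sockets the perimeter firewall is not meant to pass.
    These are the ones that depend entirely on TMG (or the host firewall) blocking them."""
    return [e for e in external_exposure(text, external_ip) if (e[0], e[1]) not in allowed]


if __name__ == "__main__":
    for proto, port, pid in external_exposure(SAMPLE_NETSTAT, EXTERNAL_IP):
        print(f"exposed on external NIC: {proto}/{port} (pid {pid})")
    for proto, port, pid in unexpected_exposure(SAMPLE_NETSTAT, EXTERNAL_IP, ALLOWED_EXTERNAL):
        print(f"NOT in perimeter allow-list: {proto}/{port} (pid {pid})")
```

In the constructed sample the RPC endpoint mapper (135) and SMB (445) are bound to the wildcard and so answer on the public NIC; they are exactly the kind of listener that must be stopped at TMG, or rebound to the internal address, because nothing in the Lync topology requires them to face the Internet.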
  • July 26, 2012 21:47

    Thank you for sharing, Dinko. Will install an Edge, FE, and Mediation with a separate BE for the database.