Edge server requirements: reverse proxy and external IPs?

    Question

  • Hi folks,

    I have 2 questions regarding Edge Server deployment...

    1. Is a reverse-proxy server required for Edge Server deployment?

       I'm doing a lab deployment and do not have a reverse proxy set up, nor do I wish to use more lab resources to stand up another server instance...

    2. Do I need 3 separate external-facing IPs for each of SIP access, Web Conferencing, and A/V services? Or can I use 1 external IP for all three?

       Again, I do not wish to use too many IPs... The lab environment can only NAT 1:1... so I can't NAT 3 external-facing Edge IPs behind 1 public IP...

    Thanks in advance folks!


    me

    22 February 2012 17:05

Answers

  • Hi,

    The Edge Server must contain two separate network adapters, one for the internal-facing interface and one for the external-facing interface.

    http://technet.microsoft.com/en-us/library/gg412847.aspx

    We cannot have a single interface on the Edge server, as the Lync software was designed to work only with multiple interfaces on the Edge Server. It has a requirement to have and bind separate IP addresses for internal and external services. The internal and external subnets must not be routable to each other. A good blog post by Jeff about this issue:

    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=15

    In this case, I suggest you contact Amazon VPC Support to check if it can support adding multiple virtual network interfaces to meet the 2-NIC requirement on the Edge server.

    Regarding publishing the external web services without a reverse proxy, you can try to make your firewall redirect the traffic from 80/443 to 8080/4443. If this does not work, we may still have to add another IP address on the Front End to resolve this issue. A blog post by Ken talking about this issue:

    http://ucken.blogspot.com/2011/01/lync-external-web-services-without.html?showComment=1295881463582#c5478030596975450029

    However, publishing the Lync external web services without a reverse proxy is not supported by Microsoft; you can try it in a lab environment. For a production environment, I recommend deploying in a way that meets the requirements Microsoft supports.

    Best Regards,

    Kent

    23 February 2012 15:03
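The two-adapter layout Kent describes (separate internal and external interfaces, with the default gateway on the external side only and static routes to the internal subnets on the internal side) is the point most often got wrong on an Edge. The following check is an added example, not code from the thread or from Microsoft; it runs on the Edge server itself and uses only WMI classes present on Windows Server 2008 R2 and later. The internal subnet listed in `$internalSubnets` is an assumed value.

```powershell
# Added example (not from the original thread): sanity-check the Edge server's adapter and
# route layout. Assumptions: the external adapter is the one holding the default gateway, the
# internal adapter holds none, and internal subnets are reached through static routes bound
# to the internal adapter. $internalSubnets is an assumed lab value; edit it to match.
$internalSubnets = @('10.0.0.0')   # network address(es) the Edge must reach via its internal NIC

$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
if ($nics.Count -lt 2) {
    Write-Warning "Only $($nics.Count) IP-enabled adapter(s) found; the Edge needs separate internal and external adapters."
}

# Exactly one adapter (the external one) should carry a default gateway.
$withGateway = @($nics | Where-Object { $_.DefaultIPGateway })
switch ($withGateway.Count) {
    0       { Write-Warning 'No adapter has a default gateway; the external adapter should have one.' }
    1       { Write-Host ("External adapter: {0} [{1}] gateway {2}" -f $withGateway[0].Description,
                          ($withGateway[0].IPAddress -join ','), ($withGateway[0].DefaultIPGateway -join ',')) }
    default { Write-Warning 'More than one adapter has a default gateway; only the external adapter should.' }
}

# Every adapter without a gateway is treated as internal; confirm the static routes it needs.
$internal = @($nics | Where-Object { -not $_.DefaultIPGateway })
foreach ($nic in $internal) {
    Write-Host ("Internal adapter: {0} [{1}] (no default gateway)" -f $nic.Description, ($nic.IPAddress -join ','))
    # Active routes bound to this adapter, excluding any default route.
    $routes = @(Get-WmiObject Win32_IP4RouteTable |
                Where-Object { $_.InterfaceIndex -eq $nic.InterfaceIndex -and $_.Destination -ne '0.0.0.0' })
    foreach ($subnet in $internalSubnets) {
        if ($routes | Where-Object { $_.Destination -eq $subnet }) {
            Write-Host "  route to $subnet present via internal adapter"
        } else {
            Write-Warning "  no route to $subnet via internal adapter; add a persistent one, e.g. route -p add $subnet mask <mask> <internal-router-ip>"
        }
    }
}
```

The route test is a literal match on the network address, so a supernet route that happens to cover the subnet is reported as missing; that is deliberate, since an Edge with a broad internal route is usually a sign that the internal and external networks are routable to each other, which the answer above says they must not be.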
  • 1) Depends on what you want to test out. If you want to test out Online Meetings, address book externally, etc., then a reverse proxy will be required.  See what all the reverse proxy does here: http://technet.microsoft.com/en-us/library/gg425779.aspx .  For a lab only (wouldn't recommend this), you could NAT directly from the Internet to the FE pool server to publish web services.  This way you wouldn't have to stand up another server instance for TMG.

    2) If you want to use a single IP address for all three Edge services (Access, AV, Web Con), this is definitely a supported configuration. The issue is that you must use different ports for all three services. If using a separate IP and FQDN for each service, these would be assigned to port 443. In a single-IP config, the recommendation is to assign Access to port 5061, AV to 443 and WC to 444. The issue that could come up is if you are at a remote site or invite a partner or anonymous user to a conference and their firewall is blocking outbound non-standard ports. In this case the external user would either not be able to join the conference at all or have other issues within the conference. The recommendation is to use 3 separate IPs since almost all companies/firewalls allow 443 outbound.


    Tim Harrington | MVP: Exchange | MCITP: EMA 2007/2010, MCITP: Lync 2010, MCITP: Server 2008, MCTS: OCS | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington

    22 February 2012 17:37
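Tim's single-IP port plan (Access 5061, Web Conferencing 444, A/V 443) and Kent's direct-to-Front-End publishing (443 redirected to 4443) both fail in the same way: an external client can resolve the name but cannot reach the port, or reaches it and is handed a certificate that does not cover the FQDN it connected to. The script below is an added example, not code from the thread or from Microsoft, and is meant to be run from a host on the Internet side of the lab firewall. All IPs, FQDNs and ports are assumed values mirroring the plan discussed in the answers; it uses only .NET socket and TLS classes, not Lync cmdlets.

```powershell
# Added example (not from the original thread): from an external host, test each published
# port for TCP reachability and, where the service speaks TLS, that the certificate's SAN
# covers the FQDN the client will use. IPs, FQDNs and ports are assumptions for a lab.
$edgeExternalIp = '203.0.113.10'   # assumed public IP NATed 1:1 to the Edge external adapter
$webExternalIp  = '203.0.113.11'   # assumed public IP NATed to the Front End's second address

$checks = @(
    @{ Name = 'Access Edge (SIP/TLS)';   Host = $edgeExternalIp; Port = 5061; Fqdn = 'sip.contoso.com';     Tls = $true  },
    @{ Name = 'Web Conferencing (PSOM)'; Host = $edgeExternalIp; Port = 444;  Fqdn = 'webconf.contoso.com'; Tls = $true  },
    # A/V Edge on TCP 443 carries STUN/TURN rather than TLS, so only the TCP connect is tested.
    @{ Name = 'A/V Edge (TURN/TCP)';     Host = $edgeExternalIp; Port = 443;  Fqdn = 'av.contoso.com';      Tls = $false },
    # External web services: 443 at the firewall, redirected to 4443 on the Front End.
    @{ Name = 'External web services';   Host = $webExternalIp;  Port = 443;  Fqdn = 'lyncweb.contoso.com'; Tls = $true  }
)

function Test-PublishedService {
    param([hashtable]$Check, [int]$TimeoutMs = 5000)
    $result = [ordered]@{ Service = $Check.Name; Endpoint = "$($Check.Host):$($Check.Port)"
                          TcpOpen = $false; CertSubject = ''; SanCoversFqdn = $null; Error = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bounded connect so a firewall that silently drops the port shows up as a timeout.
        $ar = $client.BeginConnect($Check.Host, $Check.Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Error = 'connect timed out (port filtered?)'
            return (New-Object PSObject -Property $result)
        }
        $client.EndConnect($ar)
        $result.TcpOpen = $true
        if ($Check.Tls) {
            # Accept any chain so the handshake completes; the SAN comparison below is the real test.
            $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
            $ssl.AuthenticateAsClient($Check.Fqdn)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.CertSubject = $cert.Subject
            $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
            $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
            $result.SanCoversFqdn = [bool]($san -match [regex]::Escape($Check.Fqdn))
            $ssl.Dispose()
        }
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property $result
}

$checks | ForEach-Object { Test-PublishedService -Check $_ } | Format-Table -AutoSize
```

A row with `TcpOpen` false and a timeout error is the "partner firewall blocks outbound non-standard ports" case from the answer; a row that is open but has `SanCoversFqdn` false is the certificate/DNS mismatch Sharon warns about when traffic is pointed at an address the certificate was not issued for. The SAN comparison is a literal match, so a wildcard entry is reported as not covering the name.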
  • Hi eyesoft2222,

    Agree with Kent, you must have two separate network cards on your Edge server, either using a physical NIC or adding a virtual one. As far as I know, Amazon VPC added Elastic Network Interface support to allow you to run dual-homed network appliances in your VPC or create a back-end management network for your public-facing instances.

    Regarding publishing the external web services without a reverse proxy, it's also possible if you can add an additional public IP address for your Front End server and redirect traffic from 80/443 to 8080/4443, as they said. I don't think "have the firewall route the external services traffic to the one IP address that is assigned to the Front End" will work, due to certificate or DNS issues, and it may cause some security risks and some weird issues. Again, using a reverse proxy is the highly recommended way to publish the Lync external web services.

    Regards,

    Sharon


    Sharon Shen

    TechNet Community Support


    24 February 2012 08:11
    Moderator

All messages

  • Thank you TWHarrington for your reply...

    Some additional questions if I may...

    1. This lab environment is up on Amazon VPC, and as far as I'm aware, there is no way for me to have two NICs (required by Edge) on a server instance. What I'm thinking of doing for that is to have the firewall route a public IP (which would represent the IP that would've been assigned to the second, external-facing NIC on the Edge) to the Edge server that has 1 NIC... I'm not sure if this will work...

    2. As you mentioned in your reply, I can have the firewall route directly to the Front End instead of routing external services through a reverse proxy... I did some searches and the posts I found seem to require adding a second IP address to the Front End server (which I can't do on an Amazon VPC instance as far as I know)... So I figure I can have the firewall route the external services traffic to the one IP address that is assigned to the Front End... would this cause any issue?

    This is getting pretty confusing in my head... Let me know if the questions do not make sense...


    me

    22 February 2012 18:57
  • Thanks Sharon and Kent for the information. In a production deployment, I'd definitely include a reverse proxy...

    I followed the steps in the articles linked in your replies. I'm not able to redirect ports (no option to do so on Amazon VPC as far as I can tell). I added a second IP to the Front End, NATed to a public IP, and followed the directions in the articles.

    I still can't get things like the address book to be published to external users. My guess is that this is because I do not have any public DNS records pointing to my lab domain?

    I tried adding entries to the hosts file on the external user's local machine, but it didn't help.

    Appreciate the help!

    - Update: never mind, got it working by adding an entry to the hosts file...


    me


    5 March 2012 16:18