OCS 2007 R1 EDGE SERVER BEHIND A NAT

    Question

  • Hello All,

    I need to deploy an Edge Server 2007 R1 minimizing the number of publicly routable IP addresses.

    I have found this very useful post:

    https://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=33

    and I am in this situation:

    [image]

    There is also an ISA 2006 server acting as a reverse proxy.

    Now the problem is:

    how many public routable IP addresses do I need?

    If I use for example 90.90.90.90 (Public IP) for A/V service

    192.168.0.1 (natted IP) for access service

    192.168.0.2 (natted IP) for live meeting service

    192.168.0.3 (natted IP) for ABS and live meeting contents download

    Now I have the problem of publishing A records on internet DNSs and so:

    A record for 90.90.90.90 av.mydomain.org

    A record for ??????????? lm.mydomain.org

    A record for ??????????? sip.mydomain.org

    A record for ??????????? abs.mydomain.org

    How can clients reach sip.mydomain.org (abs and lm) if those IP addresses are not known to the Internet?

    At the end of the day the question of questions is: by using NAT, do I save publicly routable IP addresses for my customer, or am I just hiding part of the customer's internal address scheme while in BOTH cases still having to provide 5 publicly routable IP addresses (1 for A/V, 1 for Live Meeting, 1 for Access Server, 1 for ABS, 1 for the external firewall)?

    Thank you and best regards

    beppe


    giuseppe
    Tuesday, August 02, 2011 12:57 PM

Answers

  • You'll still need three individual public IP addresses for a best practice deployment. In the R1 release you can NAT the Access Edge and Web Conferencing interfaces (that's two private IP addresses NAT'd to 2 public IP addresses) with a third public IP address assigned directly to the external A/V interface. If needed, you can put all three external roles on a single IP address as long as you assign unique listening ports for each role (e.g. 5061 for Access Edge, 443 for A/V and 444 for Web Conferencing).
    Jeff Schertz, Microsoft Solutions Architect - Polycom | Lync MVP
    • Marked as answer by giuseppe01 Wednesday, August 03, 2011 2:42 PM
    Wednesday, August 03, 2011 1:33 PM
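To make the accepted answer concrete, here is an added example (not code from the thread, and not a Microsoft tool) that checks a planned Edge address layout against the two rules it states: every public A record must carry a publicly routable address, whether that address sits on the Edge NIC or on the firewall that NATs to it, and several roles may share one public address only if each listens on a distinct port. The role names, FQDNs, ports and addresses are assumptions: 90.90.90.90 and 192.168.0.x are the poster's placeholders, the other 90.90.90.x addresses are made up to stand for extra public IPs, and the reverse proxy's own public IP is outside the check.

```python
"""Address-plan check for an OCS 2007 R1 Edge deployment.

Added example, not code from the thread or from Microsoft. Role names,
hostnames, ports and addresses are assumptions: 90.90.90.90 and
192.168.0.x are the poster's placeholders, the other 90.90.90.x
addresses are made up to stand for additional public IPs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EdgeListener:
    role: str              # "Access Edge", "Web Conferencing", "A/V Edge"
    fqdn: str              # name published in public DNS
    public_ip: str         # address the public A record must carry
    port: int              # TCP port Internet clients connect to
    nat_ip: Optional[str] = None  # private address behind NAT, if the role is NATed


def check_plan(listeners):
    """Return (number_of_public_ips, problems) for a planned edge layout.

    Two rules from the accepted answer:
      * every public A record must hold a publicly routable address; an
        Internet client cannot reach 192.168.x.x whether or not the Edge
        server sits behind NAT (NAT hides the private address, it does
        not remove the need for a public one);
      * roles may share one public address only if their (ip, port)
        pairs differ, which is what collapsing onto a single IP needs.
    """
    problems = []
    owner = {}  # (public_ip, port) -> role that first claimed it
    for e in listeners:
        addr = ipaddress.ip_address(e.public_ip)
        if not addr.is_global:
            problems.append(f"{e.role}: {e.fqdn} -> {e.public_ip} is not publicly routable")
        key = (e.public_ip, e.port)
        if key in owner:
            problems.append(f"{e.role}: {e.public_ip}:{e.port} already used by {owner[key]}")
        else:
            owner[key] = e.role
    public_ips = {e.public_ip for e in listeners
                  if ipaddress.ip_address(e.public_ip).is_global}
    return len(public_ips), problems


def dns_records(listeners):
    """A records to publish in the Internet-facing zone, one per role."""
    return [f"{e.fqdn}. IN A {e.public_ip}" for e in listeners]


def nat_rules(listeners):
    """Port forwards (public ip, port -> private ip, port) the edge firewall needs."""
    return [(e.public_ip, e.port, e.nat_ip, e.port) for e in listeners if e.nat_ip]


# Constructed plans. The poster's draft publishes private addresses and
# fails the first rule; the two layouts from the accepted answer pass.
def poster_draft():
    return [
        EdgeListener("A/V Edge", "av.mydomain.org", "90.90.90.90", 443),
        EdgeListener("Access Edge", "sip.mydomain.org", "192.168.0.1", 5061),
        EdgeListener("Web Conferencing", "lm.mydomain.org", "192.168.0.2", 443),
    ]


def three_ip_plan():
    return [
        EdgeListener("Access Edge", "sip.mydomain.org", "90.90.90.91", 5061, nat_ip="192.168.0.1"),
        EdgeListener("Web Conferencing", "lm.mydomain.org", "90.90.90.92", 443, nat_ip="192.168.0.2"),
        EdgeListener("A/V Edge", "av.mydomain.org", "90.90.90.90", 443),  # public IP on the NIC itself
    ]


def single_ip_plan():
    return [
        EdgeListener("Access Edge", "sip.mydomain.org", "90.90.90.90", 5061),
        EdgeListener("A/V Edge", "av.mydomain.org", "90.90.90.90", 443),
        EdgeListener("Web Conferencing", "lm.mydomain.org", "90.90.90.90", 444),
    ]


if __name__ == "__main__":
    for name, plan in [("poster draft", poster_draft()),
                       ("three public IPs", three_ip_plan()),
                       ("one public IP", single_ip_plan())]:
        count, problems = check_plan(plan)
        print(f"{name}: {count} public IP(s) needed")
        for line in dns_records(plan) + [str(r) for r in nat_rules(plan)] + problems:
            print("  ", line)
```

The ports 5061/443/444 mirror the answer's example; whatever ports you actually assign in the Edge deployment must also be the ones opened in the firewall's port forwards, and the check flags any two roles that end up on the same public address and port.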

All replies

  • "How can clients reach sip.mydomain.org (abs and lm) if those IP addresses are not known to the Internet?" You need to have another router/firewall that the Edge Server uses to go online for sip.mydomain.org, so you will need to use the public IP address that router uses and open specific ports on it to make it work (for example TCP port 5061).

    Wednesday, August 03, 2011 12:20 PM
  • So at the end of the day in both cases (whether I'll be using NAT or not) I always need 4 public IP addresses: 3 for the Access Server and 1 for the Reverse Proxy. I might end up with a minimum of two if I play with Access Server ports, but I am not sure I want to go into that conundrum....
    giuseppe
    Wednesday, August 03, 2011 2:13 PM
  • Correct.  Regardless of where the public IP is located (firewall or on the Edge server) you still need that public IP to resolve from the public DNS records for each Access Edge role.
    Jeff Schertz, Microsoft Solutions Architect - Polycom | Lync MVP
    Wednesday, August 03, 2011 2:28 PM
  • What do you reckon of the mad idea of playing with ports? Two IP addresses in that case but a lot of work especially from MOC clients point of view.

    Regards


    giuseppe
    Wednesday, August 03, 2011 2:38 PM