Question regarding Lync EDGE server - internal NIC

Question
-
Hi guys.
Let's presume this scenario:
Lync FE IP:
192.168.200.10 (LAN IP)
Lync EDGE IP:
LAN (Internal) NIC:
192.168.200.12 (LAN IP)
DMZ NIC:
172.16.209.40 (DMZ IP) ---> natted to public IP 192.168.107.40
172.16.209.50 (DMZ IP) ---> natted to public IP 192.168.107.50
172.16.209.60 (DMZ IP) ---> natted to public IP 192.168.107.50
Question regarding internal NIC.
In this NIC we have IP and SUBNET MASK entered.
Gateway is entered on External NIC
Would it be wrong to enter IP address of internal DNS (on internal LAN NIC) on edge server?
bostjanc
Monday, August 17, 2015 1:02 PM
Answers
-
Hi
The official supported Microsoft way of doing a single DMZ deployment would be this:
Edge DMZ Interface (EXTERNAL)
172.16.209.40
172.16.209.50
172.16.209.60
Default Gateway: 172.16.209.1
DNS: 8.8.8.8
DNS: 8.8.4.4
Or your ISP DNS Server IPs (Do not use internal DNS Servers)
Edge DMZ Interface (INTERNAL)
172.16.209.70
mask: 255.255.255.0
NO DEFAULT GATEWAY
NO DNS
HOSTS FILE Entries
192.168.200.10 LyncFe.domain.local
192.168.200.x internaca.domain.local
STATIC ROUTES
192.168.200.x mask 255.255.255.0 172.16.209.1 IF <edge internal interface number> metric 1 /p
repeat for other internal subnets
Your scenario, where the internal interface of the edge server sits on the LAN segment, is not supported. However, it will work for you, just with less security.
In this instance the above is still correct. Define DNS servers on the external interface only and make sure they are external DNS servers from your ISP or Google (other DNS providers can be used). The implication of using internal DNS servers for this server is that if your edge server were ever compromised by an attacker, they could use this server to determine all internal servers / services, and this widens their attack surface. Having said that, using internal DNS servers will work for you with specific regard to "getting the system working"; it is just not recommended or supported.
thanks
Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.
- Marked as answer by B_C_R Monday, August 17, 2015 1:50 PM
Monday, August 17, 2015 1:44 PM
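The layout in the answer above (no DNS and no default gateway on the internal NIC, external-only DNS, hosts-file entries and persistent static routes for the internal subnets) can be checked on the Edge server itself. The following audit script is an added example, not code from the thread or from Microsoft; the interface aliases, the internal subnet list and the hosts-file name are assumptions to adjust for your site.

```powershell
# Added audit example (not from the thread): checks an Edge server's NIC setup
# against the single-DMZ layout recommended above. Aliases, subnet list and
# hosts-file names below are assumptions; adjust them for your environment.
$InternalAlias   = 'Internal'            # assumed alias of the LAN-facing NIC
$ExternalAlias   = 'External'            # assumed alias of the DMZ-facing NIC
$InternalSubnets = @('192.168.200.0/24') # subnets that must be reached via static routes
$HostsFile       = "$env:SystemRoot\System32\drivers\etc\hosts"
$ExpectedHosts   = @('LyncFe.domain.local')

$findings = @()

# 1. Internal NIC: no DNS servers and no default gateway.
$intDns = (Get-DnsClientServerAddress -InterfaceAlias $InternalAlias -AddressFamily IPv4).ServerAddresses
if ($intDns) { $findings += "Internal NIC has DNS servers configured: $($intDns -join ', ')" }
$intGw = Get-NetRoute -InterfaceAlias $InternalAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($intGw) { $findings += "Internal NIC has a default gateway ($($intGw.NextHop))" }

# 2. External NIC: DNS servers present, and none of them in private (LAN) ranges.
$extDns = (Get-DnsClientServerAddress -InterfaceAlias $ExternalAlias -AddressFamily IPv4).ServerAddresses
if (-not $extDns) { $findings += 'External NIC has no DNS servers configured' }
foreach ($srv in $extDns) {
    if ($srv -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
        $findings += "External NIC points at a private (likely internal) DNS server: $srv"
    }
}

# 3. Every internal subnet needs a persistent route out of the internal NIC.
foreach ($prefix in $InternalSubnets) {
    $r = Get-NetRoute -InterfaceAlias $InternalAlias -DestinationPrefix $prefix `
                      -PolicyStore PersistentStore -ErrorAction SilentlyContinue
    if (-not $r) { $findings += "No persistent route for $prefix via $InternalAlias" }
}

# 4. Hosts file must resolve the Front End (and other internal names) locally,
#    since the server deliberately has no internal DNS to ask.
$hosts = Get-Content $HostsFile -ErrorAction SilentlyContinue
foreach ($name in $ExpectedHosts) {
    $hit = $hosts | Where-Object { $_ -notmatch '^\s*#' -and $_ -match "\s$([regex]::Escape($name))(\s|$)" }
    if (-not $hit) { $findings += "hosts file has no entry for $name" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Edge NIC layout matches the recommended single-DMZ configuration.'
```

Run it from an elevated PowerShell session on the Edge server; a non-zero exit code with warnings lists each deviation from the recommended layout.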
All replies
-
Mark, thank you for watching two threads at the same time.
bostjanc
Monday, August 17, 2015 1:50 PM -
no probs :)
Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.
Monday, August 17, 2015 1:54 PM