Firewall between Clients and Front ends

  • Question

  • Hello everyone, one of our clients would like to use a firewall between the Lync client and the Lync enterprise front ends.

    I can limit the ports used for the communication (using the settings for QoS...), but I don't like this architecture.

    As communications are real time, I'm afraid there will be some issues and the users will say: Lync is not working.

    Is there any document about this kind of infrastructure? Has someone already installed Lync like this?

    Any comments will be welcome.

    Thanks

    Jean-Marc

    Wednesday, December 12, 2012 11:19 AM

All replies

  • Hi,

    I would recommend performing a pilot test with a few users and making sure that all scenarios like IM, call, conference and collaboration are working as expected.

    The following blog may help you with internal firewall requirements: http://blogs.technet.com/b/meacoex/archive/2011/07/12/lync-internal-ports.aspx

    Thanks

    Saleesh


    Wednesday, December 12, 2012 11:43 AM
  • Is your client aware that Lync communications are SSL encrypted? Perhaps just use the Windows firewall on the FE pool servers using a Lync template?

    Curt Chapman MCSE + EXCHANGE

    Thursday, December 13, 2012 7:28 PM
  • The issue is not that Lync is not secure (we use SSL, firewall on servers...). The issue is that the network and security team want to put a firewall between workstations and servers. The Lync servers are the first ones because we are in the pilot phase of Lync, but in the near future they want to put other servers behind the firewall.

    They don't trust Microsoft security, Active Directory, or the Microsoft firewall on servers. They only trust their firewalls. But I don't trust their firewall, not in terms of security but more in terms of reliability, timeouts, ...

    So I would like to find some articles that can help me convince them.

    Regards

    Thursday, December 13, 2012 8:43 PM
  • I'd start with the "Microsoft Lync Server 2010 Security Guide" which contains this quote that I frequently use:

    If a network service is not running, it is not exploitable by a remote attacker and the surface of attack of the host computer is reduced. However, within a single service, reducing the number of ports does not provide the same benefit. The A/V Edge service software is no more exposed to attack with 10,000 ports open as it is with 10.

    You can download the guide here:

    http://www.microsoft.com/en-us/download/details.aspx?id=2729

    You'll also likely want to download a copy of the protocol workloads poster.

    That being said, if your security team insists on placing a firewall between the clients and the Lync front ends, I'd consider trying to find a way to force all of your client traffic over an Edge server, essentially treating them as external clients. I don't know if anyone else has ever tried this...

    Friday, January 4, 2013 2:28 PM
  • Hi Francois,

    I have some customers with the requirement to have a firewall between each application. It was hard work to explain each needed port to the network team, but it works fine without any issues.

    The best way is to use the Lync workload poster and to limit the ports used for RTP traffic.

    http://www.microsoft.com/en-us/download/details.aspx?id=6797

    and the port list from TechNet

    http://technet.microsoft.com/en-us/library/gg398833.aspx


    Regards, Holger, Technical Specialist UC

    Wednesday, January 9, 2013 1:55 PM
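As an added example (not from this thread, and not Microsoft's own documentation) of the "limit the ports used for RTP traffic" advice above: the following runs in the Lync Server Management Shell, narrows the client and server media port ranges with the real Set-Cs* cmdlets, then prints the resulting ranges for the firewall team and checks that the client ranges do not overlap. The pool FQDN and the port numbers are assumptions to be replaced with your own values.

```powershell
# Added example: narrow Lync media port ranges so the internal firewall between
# workstations and the Front End pool can be given a small, explicit rule set.
# Pool name and port numbers are placeholders; the cmdlets and parameters are real.
$pool = 'pool01.contoso.example'   # placeholder Front End pool FQDN

# 1. Client side: dedicated, non-overlapping range per media type (pushed to
#    clients as in-band policy). Each range must be at least 20 ports wide.
Set-CsConferencingConfiguration -Identity Global `
    -ClientMediaPortRangeEnabled $true `
    -ClientAudioPort 20000 -ClientAudioPortRange 20 `
    -ClientVideoPort 20020 -ClientVideoPortRange 20 `
    -ClientAppSharingPort 20040 -ClientAppSharingPortRange 20 `
    -ClientFileTransferPort 20060 -ClientFileTransferPortRange 20

# 2. Server side: the conferencing (Front End) and Mediation roles get their
#    own ranges, so the firewall only needs to open these towards the pool.
Set-CsConferenceServer -Identity "ConferencingServer:$pool" `
    -AudioPortStart 49152 -AudioPortCount 2000 `
    -VideoPortStart 51152 -VideoPortCount 2000 `
    -AppSharingPortStart 53152 -AppSharingPortCount 2000
Set-CsMediationServer -Identity "MediationServer:$pool" `
    -AudioPortStart 55152 -AudioPortCount 2000

# 3. Read the effective client settings back and print the ranges the
#    network team needs for the client-to-server rules.
$cfg = Get-CsConferencingConfiguration -Identity Global
$ranges = @(
    [pscustomobject]@{ Media = 'Audio';        Start = $cfg.ClientAudioPort;        Count = $cfg.ClientAudioPortRange }
    [pscustomobject]@{ Media = 'Video';        Start = $cfg.ClientVideoPort;        Count = $cfg.ClientVideoPortRange }
    [pscustomobject]@{ Media = 'AppSharing';   Start = $cfg.ClientAppSharingPort;   Count = $cfg.ClientAppSharingPortRange }
    [pscustomobject]@{ Media = 'FileTransfer'; Start = $cfg.ClientFileTransferPort; Count = $cfg.ClientFileTransferPortRange }
)
$ranges |
    ForEach-Object { $_ | Add-Member -MemberType NoteProperty -Name End -Value ($_.Start + $_.Count - 1) -PassThru } |
    Format-Table Media, Start, End -AutoSize

# 4. Sanity check: overlapping client ranges silently break the per-media
#    firewall rules, so warn if any two ranges intersect.
$sorted = $ranges | Sort-Object Start
for ($i = 1; $i -lt $sorted.Count; $i++) {
    $prevEnd = $sorted[$i - 1].Start + $sorted[$i - 1].Count - 1
    if ($sorted[$i].Start -le $prevEnd) {
        Write-Warning "Client port ranges overlap: $($sorted[$i - 1].Media) and $($sorted[$i].Media)"
    }
}
```

Clients pick up the new ranges after they sign in again, so verify with a pilot group (as Saleesh suggested) before the firewall rules are tightened to these values.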