Edge Server security - its own subnet.. really?

  • Question

  • I know what MS Best Practices says about Edges requiring their own subnet in a DMZ.. but is that a simple CYA type of statement based on a perfect, absolute-world environment, or could I utilize an already existing DMZ that has 1 FTP server in it..?

    I don't understand how much more secure the Edge servers will be by themselves on their own isolated subnet -- the firewall is providing the same security to them regardless of whether they are in the same subnet as other boxes...


    Tuesday, October 11, 2011 7:12 PM

Answers

  • Hi,

    Edge can be deployed in the same DMZ subnet as the TMG or FTP. The reason they say that Edge should be deployed in the DMZ is that it will be internet facing and the best place for it is the DMZ, and it doesn't have to be its own DMZ.

    Thamara.

    • Proposed as answer by Sean_Xiao (Moderator) Wednesday, October 12, 2011 5:26 AM
    • Marked as answer by systemnt Wednesday, October 12, 2011 12:20 PM
    Wednesday, October 12, 2011 1:49 AM
  • The DMZ in the Microsoft document is deployed in the internal network. The Edge server's internal interface connects to it. Other servers can work with the Lync Edge server in the same DMZ subnet.

    Please read the following post; hopefully it can clear this up for you:

    http://social.technet.microsoft.com/Forums/en-US/ocsedge/thread/d06a95a1-c243-486d-9287-50f4715a62a7/


    • Marked as answer by systemnt Wednesday, October 12, 2011 12:20 PM
    Wednesday, October 12, 2011 5:26 AM
    Moderator
  • Here the answer from our MS DSE:

    "There is no reasoning as to why the Edge servers could not be deployed into a subnet shared with other servers, as long as the ports required for the other servers do not pose a security threat to the Lync Edge servers. The best practice for Edge security recommends deploying Edge in its own subnet because it is more secure with network isolation. Configure separate subnets to prevent loopbacks."

    So.. basically you are both right.. and I was right.. as far as the CYA purpose of the best-practices dialog goes.


    • Marked as answer by systemnt Wednesday, October 12, 2011 12:20 PM
    Wednesday, October 12, 2011 12:20 PM
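The DSE's two conditions (shared subnet is acceptable only if the other servers' ports pose no threat to Edge; isolation is the safer default) come down to one fact about the data path: a perimeter firewall only inspects traffic that crosses a subnet boundary, so two hosts on the same DMZ segment reach each other's listening ports without the firewall ever seeing the packet. The script below is an added illustration written for this thread, not code from Microsoft or from any poster, and it models that difference. The host names, subnet names, firewall rules and the port lists on the Edge and FTP hosts are all constructed sample values (the Edge ports are a plausible subset, not the product's authoritative port list). It computes which services on the Edge box a compromised FTP server could reach under a shared subnet versus dedicated subnets, and shows that in the isolated case any such path has to exist as an explicit, auditable firewall rule.

```python
"""Reachability model: Edge server in a shared DMZ subnet vs. its own subnet.

Constructed example for the thread above (not vendor code). Assumption:
the perimeter firewall filters only traffic that crosses subnet
boundaries; hosts on the same segment talk directly.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Host:
    name: str
    subnet: str
    listening: frozenset  # set of (proto, port) the host listens on


@dataclass(frozen=True)
class Rule:
    """One permit rule on the perimeter firewall (constructed schema)."""
    src_subnet: str
    dst_subnet: str
    proto: str
    dst_port: int


def firewall_allows(rules, src, dst, service):
    """True if some rule permits src.subnet -> dst.subnet on this service."""
    proto, port = service
    return any(
        r.src_subnet == src.subnet and r.dst_subnet == dst.subnet
        and r.proto == proto and r.dst_port == port
        for r in rules
    )


def reachable_services(hosts, rules):
    """All (src_name, dst_name, service) triples that can be reached."""
    reach = set()
    for src, dst in permutations(hosts, 2):
        for svc in dst.listening:
            if src.subnet == dst.subnet:
                # Same segment: the path never traverses the firewall,
                # so every listening port is reachable regardless of rules.
                reach.add((src.name, dst.name, svc))
            elif firewall_allows(rules, src, dst, svc):
                # Different segments: only what a rule explicitly permits.
                reach.add((src.name, dst.name, svc))
    return reach


def lateral_exposure(hosts, rules, target):
    """Services on `target` reachable from the other DMZ hosts."""
    return {(s, svc) for s, d, svc in reachable_services(hosts, rules) if d == target}


# Constructed sample listening ports (not an authoritative Lync port list).
EDGE_SERVICES = frozenset({("tcp", 443), ("tcp", 5061), ("tcp", 3478), ("udp", 3478)})
FTP_SERVICES = frozenset({("tcp", 21)})


def shared_subnet():
    """Topology A: Edge and FTP on one DMZ segment (constructed)."""
    return [Host("edge", "dmz", EDGE_SERVICES), Host("ftp", "dmz", FTP_SERVICES)]


def isolated_subnets():
    """Topology B: Edge on its own DMZ segment (constructed)."""
    return [Host("edge", "dmz-edge", EDGE_SERVICES), Host("ftp", "dmz-ftp", FTP_SERVICES)]


# Default rule set: nothing is permitted between the two DMZ subnets.
NO_INTER_DMZ_RULES = []


def compare_exposure(rules=NO_INTER_DMZ_RULES):
    """Count of Edge services reachable from the FTP host per topology."""
    return {
        "shared": len(lateral_exposure(shared_subnet(), rules, "edge")),
        "isolated": len(lateral_exposure(isolated_subnets(), rules, "edge")),
    }


if __name__ == "__main__":
    print("Edge ports reachable from FTP host:", compare_exposure())
    # With an explicit permit, the exposure exists but is visible in policy.
    audit_rule = [Rule("dmz-ftp", "dmz-edge", "tcp", 443)]
    print("isolated + explicit permit:", lateral_exposure(isolated_subnets(), audit_rule, "edge"))
```

The useful reading of the output is not that a shared subnet is wrong, but that its intra-segment exposure is invisible to the firewall policy, which is exactly what the DSE's "as long as the other servers' ports pose no threat" caveat asks you to assess by hand; with dedicated subnets that assessment is replaced by the rule set, which can be reviewed and logged.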
  • FYI, I have never deployed an Edge server in a dedicated DMZ; sometimes it's a 'new' DMZ, but soon afterwards other server roles (e.g. TMG) would be introduced into the same DMZ.



    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP
    • Marked as answer by systemnt Wednesday, October 12, 2011 1:59 PM
    Wednesday, October 12, 2011 12:27 PM
    Moderator
