Edge server IP address, hardware topology

  • Question

  • Can an edge server be behind a regular router that has NAT enabled?

    If not, does the server need its own public IP?

    My ISP currently has a DHCP reservation for my public IP so I need to let them know every time I change my router as they need the new MAC address.

    I have an Exchange server on the same ISP, port forwarding is in the router to the Exchange server.

    My current setup is router to firewall to switch.

    Will I need a 2nd line from the router to the edge server?

    My current firewall only has 2 NICs and acts as a transparent bridge.



    • Edited by Susan_773 Monday, January 13, 2020 11:39 PM
    Monday, January 13, 2020 11:32 PM

All replies

  • Hi Susan_773,

    According to the official document, Skype for Business Edge server topologies are able to use routable public IP addresses or non-routable private IP addresses with symmetric NAT.

    A router can act as a simple firewall if it meets the following requirements:

    * Monitor the network traffic

    * Filter the network traffic

    * Allow or block the network traffic

    If you want to learn more about how routers function as hardware firewalls, you can read this article: https://www.howtogeek.com/122065/htg-explains-i-have-a-router-do-i-need-a-firewall/

    This scenario is the non-routable private IP addresses with NAT. You need to remember some important points:

    * You need to use routable private IP addresses on all three external interfaces.

    * You need to configure symmetric NAT for incoming and outgoing traffic.

    * Configure your NAT to not change incoming source addresses.

    * Your Edge Servers need to be able to communicate with one another from their public A/V Edge IP addresses.

    * NAT can only be used for scaled consolidated Edge Servers if you use DNS load balancing.

    For more information about Edge server environmental requirements in Skype for Business Server, you can refer to this link: https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/edge-server-deployments/edge-environmental-requirements

    If you want to use routable public IP addresses, in my understanding, you need a new public IP address because the Exchange server uses port 443. You can refer to the link to learn more about the network ports for clients and mail flow in Exchange: https://docs.microsoft.com/en-us/exchange/plan-and-deploy/deployment-ref/network-ports?view=exchserver-2016

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    Best Regards,
    Sharon Zhao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Tuesday, January 14, 2020 5:01 AM
  • Thanks for the reply.

    The router is currently not acting as a firewall. It is NAT'ing traffic and port forwarding to my Exchange server.

    To clarify, I can keep my router as is (NAT'ing, using the only public IP) as long as the edge server has private IPs and public DNS points to that public IP address?

    My router is running my VPN so I would very much like to keep it and it requires the public IP.

    I'm unfamiliar with symmetric NAT.

    If I need to make changes to NAT, what would be needed to ensure that Exchange and regular network traffic would still function properly?

    I plan to have a single Skype edge server and single regular Skype server.

    I've seen several hw topology diagrams for how this is supposed to be set up. One has firewall - edge/reverse proxy - firewall - edge network.

    You mentioned 3 interfaces and so does the Microsoft doc info. Using those 3 interfaces, would I only need 1 firewall?

    Depending on how things turn out, I plan to have the edge server on the same instance as the reverse proxy (configured in Server 2016) on a Hyper-V virtual machine on the same box as my main Skype server.

    Example IPs: 55.55.55.55 public - 10.10.10.0/24 private network.

    How would I configure the 2/3 NICs?

    Tuesday, January 14, 2020 6:25 PM
  • Hi Susan_773,

    If you want to keep your router to use the Public IP for Exchange server, it is recommended to use another Public IP for Edge server.

    If you want to make changes to NAT, which I confirmed with the Exchange support engineer, you just need to make sure the ports and network for Exchange server work well.

    As you said, three interfaces of Edge server can use one firewall.

    About how to configure the NICs, you can read the article: http://blog.schertz.name/2016/03/skype-for-business-2015-edge-server-deployment/

    There are some scenarios for Edge server in Skype for Business server for your reference. You can choose a suitable one for your test environment. The detail is in the link: https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/edge-server-deployments/scenarios

    Best Regards,
    Sharon Zhao

    Wednesday, January 15, 2020 6:52 AM
  • I need the public IP address for the router for VPN and don't want to tell my boss they need to buy another public IP.

    If there's a way to have 1 public IP and have both Skype and Exchange function, I would like to know how to configure it. Would that be done in reverse proxy? I've never configured reverse proxy before so I don't know what all it can do.

    Thursday, January 16, 2020 4:40 AM
  • Hi Susan_773,

    Perhaps you can try to use the same public IP for Skype for Business server and Exchange server at the same time. But we don’t recommend that.

    Someone did a test in Lync Server 2013 using only one public IP address. It seems that the deployment worked. But it was just a lab to see if they could get it to work. It was tested in the lab as described at the following link: https://blog.netnerds.net/2013/08/setup-a-fully-functional-lync-2013-lab-using-only-one-public-ip-address/.

    However, it is recommended that you use a minimum of two different IPs in the Skype for Business server. If you use one IP for Edge server, you could use port 442 for the A/V edge service and set port 443 for Reverse Proxy server.

    About how to deploy Reverse Proxy server, you can read the article: https://lucavitali.wordpress.com/2017/06/30/arr-how-to-setup-and-use-with-multiple-lyncsfb-sip-domains/.

    Best Regards,
    Sharon Zhao

    Friday, January 17, 2020 9:00 AM
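An added example, not part of the original thread: a small Python check of a single-public-IP port-forward plan against the points raised in the replies above (one listener per public IP and port, incoming source addresses left unchanged, outbound traffic translated to the same public IP). The host addresses inside 10.10.10.0/24, the rule names, the use of TCP for port 442 and the reading of "symmetric NAT" as matching inbound and outbound translation are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    """One inbound port-forward (destination NAT) rule on the router."""
    name: str
    public_ip: str
    proto: str
    port: int
    private_ip: str
    rewrites_source: bool = False  # True if the router also replaces the client's source IP


def audit(forwards, outbound_snat):
    """Return sorted findings for a NAT plan.

    outbound_snat maps a private host IP to the public IP its outbound traffic leaves from.
    """
    findings = []
    by_listener = defaultdict(list)
    for f in forwards:
        by_listener[(f.public_ip, f.proto, f.port)].append(f)
    # A public IP/protocol/port tuple can be forwarded to only one internal host.
    for (ip, proto, port), rules in by_listener.items():
        if len({r.private_ip for r in rules}) > 1:
            names = ", ".join(sorted(r.name for r in rules))
            findings.append(f"conflict {ip}:{port}/{proto}: {names}")
    for f in forwards:
        if f.rewrites_source:  # the NAT must not change incoming source addresses
            findings.append(f"source-rewrite {f.name}")
        if outbound_snat.get(f.private_ip) != f.public_ip:  # assumed meaning of symmetric NAT
            findings.append(f"asymmetric {f.name}")
    return sorted(findings)


# Constructed plan: the thread's example public IP, hypothetical hosts in 10.10.10.0/24.
PUBLIC = "55.55.55.55"
EXCHANGE, EDGE_PROXY = "10.10.10.10", "10.10.10.20"  # Edge and reverse proxy on one VM
SNAT = {EXCHANGE: PUBLIC, EDGE_PROXY: PUBLIC}
PLAN = [
    Forward("exchange-https", PUBLIC, "tcp", 443, EXCHANGE),
    Forward("av-edge", PUBLIC, "tcp", 442, EDGE_PROXY),
    Forward("reverse-proxy", PUBLIC, "tcp", 443, EDGE_PROXY),
]

if __name__ == "__main__":
    for line in audit(PLAN, SNAT):
        print(line)
```

Moving the A/V edge service to port 442 separates it from the reverse proxy, but the plan still reports a conflict on port 443 between Exchange and the reverse proxy.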
  • Hi Susan_773,

    Do you have any further issue on this topic?

    Meanwhile, if there is no issue, please remember to mark helpful reply as answer to close the thread. Your action would be helpful to other users who encounter the same issue and read this thread.

    Thanks for your understanding.


    Best Regards,
    Sharon Zhao



    Friday, January 24, 2020 8:36 AM
  • I haven’t heard from you for a long time. If you have any update, please feel free to share with us.

    Here I will provide a brief and temporary summary of this post.

     

    <Request/Expectation>:

    Can an edge server be behind a regular router that has NAT enabled?

    If not, does the server need its own public IP?

    I have an Exchange server on the same ISP, port forwarding is in the router to the Exchange server.

    My current setup is router to firewall to switch.

    Will I need a 2nd line from the router to the edge server?

    My current firewall only has 2 NICs and acts as a transparent bridge.

     

    <Suggestions>:

    According to the official document, Skype for Business Edge server topologies are able to use routable public IP addresses or non-routable private IP addresses with symmetric NAT.

    A router can act as a simple firewall if it meets the following requirements:

    * Monitor the network traffic

    * Filter the network traffic

    * Allow or block the network traffic

    If you want to learn more about how routers function as hardware firewalls, you can read this article: https://www.howtogeek.com/122065/htg-explains-i-have-a-router-do-i-need-a-firewall/

    If you want to keep your router to use the Public IP for Exchange server, it is recommended to use another Public IP for Edge server.

    If you want to make changes to NAT, which I confirmed with the Exchange support engineer, you just need to make sure the ports and network for Exchange server work well.

    As you said, three interfaces of Edge server can use one firewall.

    Perhaps you can try to use the same public IP for Skype for Business server and Exchange server at the same time. But we don’t recommend that.

    Someone did a test in Lync Server 2013 using only one public IP address. It seems that the deployment worked. But it was just a lab to see if they could get it to work. It was tested in the lab as described at the following link: https://blog.netnerds.net/2013/08/setup-a-fully-functional-lync-2013-lab-using-only-one-public-ip-address/.

    However, it is recommended that you use a minimum of two different IPs in the Skype for Business server. If you use one IP for Edge server, you could use port 442 for the A/V edge service and set port 443 for Reverse Proxy server.

     

    <Reference Links>:

    For more information about Edge server environmental requirements in Skype for Business Server, you can refer to this link: https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/edge-server-deployments/edge-environmental-requirements

    You can refer to the link to learn more about the network ports for clients and mail flow in Exchange: https://docs.microsoft.com/en-us/exchange/plan-and-deploy/deployment-ref/network-ports?view=exchserver-2016

    About how to configure the NICs, you can read the article: http://blog.schertz.name/2016/03/skype-for-business-2015-edge-server-deployment/

    About how to deploy Reverse Proxy server, you can read the article: https://lucavitali.wordpress.com/2017/06/30/arr-how-to-setup-and-use-with-multiple-lyncsfb-sip-domains/.

    Best Regards,
    Sharon Zhao

    Wednesday, January 29, 2020 8:42 AM