Best practice to secure SfB Edge Reverse Proxy

  • Question

  • Looking for some advice please on secure Skype for Business implementations.

    The Skype Edge server authenticates the users that connect; does it proxy the authentication on to the FE pool, or establish a new connection?

    Also, the reverse web proxy that uses dialin, meet, lyncweb and lyncdiscover appears to go directly to the pool with only a port break. Is there a way to secure this further from our core network? We have thought about moving the pool further out of the network towards.

    We would like to have anonymous access to invite users to meetings etc., but don't want to expose the pool via the web proxy.

    Thought about ADFS and using Office 365, but the ports will still be open to allow the federation of Office 365.

    Any thoughts on how to do this?

    Thanks


    .: Lister :.

    Tuesday, September 27, 2016 2:08 PM

Answers

  • Edge will proxy by establishing a new connection; it doesn't pass the info directly through, if that's the question. It asks on behalf of the client in its own session.

    You can place the reverse proxy in DMZs if you'd like to keep it secure, if that's the question.

    You can't have anonymous access to meetings without exposing the pool via the web proxy to those anonymous users. That's just how they'll connect, unfortunately.

    I don't understand the last question, but you can lock Office 365 to only its FQDNs or address ranges: https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US


    Please remember, if you see a post that helped you please click "Vote" on the left side of the response, and if it answered your question please click "Mark As Answer". SWC Unified Communications This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, SWC, their employees, or other MVPs.

    • Proposed as answer by Alice-Wang Wednesday, September 28, 2016 7:22 AM
    • Marked as answer by Alice-Wang Tuesday, October 11, 2016 8:57 AM
    Tuesday, September 27, 2016 5:11 PM
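Locking the perimeter to Office 365's published address ranges, as the answer above suggests, is easiest to do from machine-readable data. The following is an added example (not from the thread or from Microsoft) that parses a constructed sample shaped like the Office 365 endpoints web service JSON (an assumption; the thread links the older URL/IP article), keeps only the required entries of one service area, and produces per-flow allow rules you can check a flow against before writing firewall policy.

```python
import ipaddress
import json

# Constructed sample in the shape of the Office 365 endpoints web service
# (assumed schema: serviceArea, required, urls, ips, tcpPorts, udpPorts).
# The addresses and ports are illustrative, not Microsoft's published ranges.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 11, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "urls": ["*.lync.com"], "ips": ["203.0.113.0/24", "2001:db8:1::/48"],
     "tcpPorts": "443", "udpPorts": "3478-3481"},
    {"id": 12, "serviceArea": "Skype", "category": "Default", "required": False,
     "urls": ["*.example.invalid"], "ips": ["198.51.100.0/25"], "tcpPorts": "80,443"},
    {"id": 31, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "urls": ["outlook.office365.com"], "ips": ["192.0.2.0/24"], "tcpPorts": "443"},
])


def parse_ports(spec):
    """Turn '80,443' or '3478-3481' style strings into a sorted list of ints."""
    ports = set()
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return sorted(ports)


def build_allow_rules(endpoint_json, service_area="Skype"):
    """Return (proto, network, port) tuples for the required entries of one
    service area, so the firewall permits only the federation traffic the
    pool needs rather than any 443 to or from the Internet."""
    rules = []
    for entry in json.loads(endpoint_json):
        if entry.get("serviceArea") != service_area or not entry.get("required"):
            continue
        nets = [ipaddress.ip_network(cidr) for cidr in entry.get("ips", [])]
        for proto, key in (("tcp", "tcpPorts"), ("udp", "udpPorts")):
            for port in parse_ports(entry.get(key, "")):
                rules.extend((proto, net, port) for net in nets)
    return rules


def is_permitted(rules, dst_ip, proto, port):
    """Decide a single flow the way the generated firewall policy would."""
    addr = ipaddress.ip_address(dst_ip)
    return any(p == proto and pt == port and addr in net for p, net, pt in rules)
```

Re-run the generator whenever the published ranges change; entries that are not marked required stay blocked, which is the point of the exercise.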

All replies

  • Hi Mike, 

    For the reverse proxy, the DMZ is the available/recommended solution. The O365 port information you are worried about should be opened by every company that wants to use hybrid mode; you will still have a firewall in your company that allows the specific ports required.


    Linus || Please mark posts as answers/helpful if it answers your question.

    • Proposed as answer by Alice-Wang Wednesday, September 28, 2016 7:25 AM
    Wednesday, September 28, 2016 5:38 AM
  • Hi Mike Lister,

    Welcome to post in our forum.

    Agree with others.

    As a supplement, for the SfB Server reverse proxy, for security you need to deploy the reverse proxy in the DMZ.

    Some of the features that require external access through a reverse proxy include the following:

    Enabling external users to download meeting content for your meetings.

    Enabling external users to expand distribution groups.

    Enabling remote users to download files from the Address Book service.

    Accessing the Lync Web App client.

    Accessing the Dial-in Conferencing Settings webpage.

    Enabling external devices to connect to Device Update web service and obtain updates.

    Enabling mobile applications to automatically discover and use the mobility (Mcx) URLs from the Internet.

    Enabling the SFB client, Lync Windows Store app and SFB Mobile client to locate the Lync Discover (autodiscover) URLs and use Unified Communications Web API (UCWA).

    Here is a blog about setting up a reverse proxy for Lync Server 2013; it's the same for SfB Server 2015:

    https://technet.microsoft.com/en-us/library/gg398069(v=ocs.15).aspx

    Hope this is helpful to you.


    Alice Wang
    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Alice-Wang Monday, October 10, 2016 10:04 AM
    Wednesday, September 28, 2016 8:07 AM
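Since the reply above lists the specific features a reverse proxy has to publish, one practical control is to verify that nothing else is reaching the pool through it. This added example (not from the thread or from Microsoft) checks combined-format access-log lines against an allow-list of published virtual directories; the directory set is an assumption based on the features listed and should be matched to your own publishing rules, and the log lines are constructed.

```python
import re
from collections import Counter

# Assumed set of externally published virtual directories (lower-cased first
# path segment). Confirm against your own reverse-proxy publishing rules.
PUBLISHED_DIRS = {"meet", "dialin", "autodiscover", "ucwa", "webticket", "abs",
                  "groupexpansion", "lwa", "collabcontent", "webupdates", "mcx"}

# Constructed access-log lines in combined format (not from a real deployment).
SAMPLE_LOG = """\
198.51.100.10 - - [28/Sep/2016:08:07:01 +0000] "GET /meet/contoso/abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.10 - - [28/Sep/2016:08:07:02 +0000] "GET /Autodiscover/autodiscoverservice.svc/root?x=1 HTTP/1.1" 200 201 "-" "UCWA"
203.0.113.5 - - [28/Sep/2016:08:09:10 +0000] "GET / HTTP/1.1" 404 0 "-" "curl/7.50.0"
203.0.113.5 - - [28/Sep/2016:08:09:11 +0000] "GET /NotPublished/Admin.aspx HTTP/1.1" 403 0 "-" "curl/7.50.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def first_segment(path):
    """Return the first directory of a request path, lower-cased, without the query string."""
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    return parts[0].lower() if parts else ""


def unpublished_requests(log_text, published=PUBLISHED_DIRS):
    """Return (ip, path, status) for every request outside the published directories."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and first_segment(m["path"]) not in published:
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


def noisy_sources(hits, threshold=2):
    """Sources with at least `threshold` unpublished requests: review or rate-limit at the DMZ."""
    counts = Counter(ip for ip, _, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

A non-zero result from unpublished_requests is also a useful sanity check of the publishing rules themselves: a published-path request should never reach the pool as an unlisted directory.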