Mino – The UC Guy

Microsoft Unified Communications Blog

OCS R2 Updates about the Firewall Requirements for External User Access

Posted by Mino on February 25, 2009

One of the topics that has given me a hard time when talking to firewall system admins is why the OCS A/V Edge Server needs a publicly routable IP address, and how secure it is to open 10,000 TCP/UDP ports (50,000 through 59,999).

Usually we would pull up the Microsoft articles, explain the STUN protocol and why it cannot work behind NAT, and then explain how to secure the Edge Server.

But now, with R2, I have good news for the firewall admin team:

1- If you are implementing a single consolidated Edge Server, you can use a NAT'd IP address instead of the publicly routable IP that was required before. This applies only if it is a single consolidated Edge Server.

2- The 50,000 – 59,999 UDP/TCP ports only need to be open if you plan to federate with other organizations. If federation is not in your plan, there is no need to open these ports.

I hope you are happy now, firewall admin team :)

Firewall Requirements for External User Access

Publicly Routable IP Address

In any location with multiple Edge Servers deployed behind a load balancer, the external firewall cannot function as a network address translation (NAT). However, in a site with only a single Edge Server deployed, the external firewall can be configured as a NAT.

If you do so, configure the NAT as a destination network address translation (DNAT) for inbound traffic—in other words, configure any firewall filter used for traffic from the Internet to the Edge Server with DNAT, and configure any firewall filter for traffic going from the Edge Server to the Internet (outbound traffic) as a source network address translation (SNAT). The inbound and outbound filters must map to the same public IP address and the same private IP address, as shown in the figure below.

The A/V Edge Service requires the port range from 50,000 through 59,999 to be open only for the sharing of audio/video with federated organizations.

  • If you will be federating with organizations that run Office Communications Server 2007 and earlier, you must open this port range for both RTP/TCP and RTP/UDP, and for both inbound and outbound connections.
  • If you will be federating only with organizations that run Office Communications Server 2007 R2, you need only to open this port range for RTP/TCP, only for outbound connections.
  • Otherwise, if you will not be sharing audio/video over a federated relationship, you can close this port range.
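As an added illustration (not part of the original post or of the TechNet article), a small Python helper that derives the A/V Edge port rules from the federation mode and checks a single-Edge NAT design against the DNAT/SNAT constraints quoted above; the filter model, function names and the sample addresses are constructed for this example, not taken from any firewall product.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple

AV_EDGE_MEDIA_PORTS = (50000, 59999)   # the range discussed in the post

# Hypothetical filter model for this example (not a real firewall's syntax).
# direction: "inbound" (Internet -> Edge) or "outbound" (Edge -> Internet).
@dataclass(frozen=True)
class NatFilter:
    direction: str
    nat_type: str      # "DNAT" or "SNAT"
    public_ip: str
    private_ip: str

def av_edge_port_rules(federation: str) -> List[Tuple[str, str]]:
    """(protocol, direction) pairs for which 50,000-59,999 must be open.
    federation: "none", "r2_only" (every partner runs OCS 2007 R2) or
    "legacy" (any partner runs OCS 2007 or earlier)."""
    if federation == "none":
        return []                                  # close the whole range
    if federation == "r2_only":
        return [("RTP/TCP", "outbound")]           # TCP, outbound only
    if federation == "legacy":
        return [(proto, d) for proto in ("RTP/TCP", "RTP/UDP")
                for d in ("inbound", "outbound")]  # both protocols, both ways
    raise ValueError(f"unknown federation mode: {federation!r}")

def check_edge_nat(edge_count: int, filters: List[NatFilter]) -> List[str]:
    """Findings for a proposed external-firewall NAT design; an empty list
    means it follows the constraints quoted from TechNet above."""
    findings = []
    if edge_count > 1 and filters:
        return ["NAT is not supported with multiple Edge Servers behind a load balancer"]
    for f in filters:
        try:
            ip_address(f.public_ip)
            ip_address(f.private_ip)
        except ValueError as e:
            findings.append(f"bad address in filter: {e}")
        if f.direction == "inbound" and f.nat_type != "DNAT":
            findings.append("inbound (Internet -> Edge) filters must use DNAT")
        if f.direction == "outbound" and f.nat_type != "SNAT":
            findings.append("outbound (Edge -> Internet) filters must use SNAT")
    # every filter, in either direction, must use the same public/private pair
    if len({(f.public_ip, f.private_ip) for f in filters}) > 1:
        findings.append("inbound and outbound filters must map the same public IP to the same private IP")
    return findings
```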


Source : http://technet.microsoft.com/en-us/library/dd441361(office.13).aspx


One Response to “OCS R2 Updates about the Firewall Requirements for External User Access”

  1. max said

    Thank you for the useful post
