Microsoft Lync Server 2010 : Using Network Layer Firewalls with Lync Server

1/15/2013 6:37:17 PM

Wikipedia defines a firewall as a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit or deny computer applications based on a set of rules and other criteria.

There are several types of firewall techniques, including the following:

  • Packet filtering— Packet filtering inspects packets as they pass through the network and accepts or rejects them based on defined rules. Typically, these rules take the form "allow source address to destination address on port XYZ." Packet-filtering firewalls are generally fast but can be difficult to configure for applications that dynamically choose ports for communication after an initial handshake.

  • Application gateway— Application gateways apply security enforcement to specific applications. In other words, the gateway understands the applications and can recognize their packets. It makes its decisions based on which applications are allowed to pass through the firewall. Application gateways can be relatively easy to configure but are generally processor intensive and thus cannot handle as much throughput as a packet-filtering firewall.

  • Proxy/reverse proxy server— A proxy server intercepts all messages entering and leaving the network. It inspects the packets and then continues the conversation on behalf of the protected system. In this way, packets never go directly from the source to the protected destination, or from the protected source directly to the uncontrolled destination. Like application gateways, proxy servers are processor intensive.

Network-Based Firewalls

Most implementations of Lync Server involve some form of a network-based firewall, usually in the DMZ (Demilitarized Zone). The purpose of this device is to ensure that only the necessary services on the Lync Server systems are made available externally. Although an administrator might want external users to reach an Edge Server on port 443 for a web-based client, it is probably not desirable for users on the Internet to be able to map a drive to the Edge Server on port 445.

To maximize security, it is fairly common to configure the external services of Lync Server so that there is not only a firewall between the Internet and the Lync Server servers, but also a firewall between the internal network and the Lync Server servers. This can be accomplished either with dual firewalls, or by placing the Lync Server servers into a DMZ on a firewall with three or more interfaces (legs). Dual firewalls are technically more secure because if an attacker compromised the externally exposed firewall, he or she must still compromise a second firewall before having access to the internal hosts.

The first step in implementing this type of firewall for Lync Server is to understand what services you plan to make available from outside the network and then to determine exactly which ports and protocols need to be opened on the firewall.

Considerations with Network Address Translation and Lync Server

If a single Edge Server is placed behind a firewall, it is acceptable to enable NAT. NAT effectively takes packets bound for the firewall and forwards them to hosts inside the firewall based on port rules. This enables a company with limited numbers of routable IP addresses to support multiple services with fewer IP addresses. It also provides a layer of security by requiring the firewall to process the packet first before it reaches the eventual destination. In addition, it enables protected systems to hide their IP information because they never appear to be a source of a packet to a system on the Internet; the firewall always appears to be the source.

Tip

If you enable NAT for the external firewall, configure the firewall filters used for traffic from the Internet to the Edge Server with destination network address translation (DNAT). Similarly, configure the filters for traffic going from the Edge Server to the Internet with source network address translation (SNAT). It is important to note that the inbound and outbound filters for this purpose must use the same internal and external addresses. If the Edge Server is reached externally at 11.22.33.44 and that address is mapped to the Edge Server at 10.1.1.44, then traffic the Edge Server sends to the Internet from 10.1.1.44 must also appear to come from 11.22.33.44. Although this might seem obvious, there are many situations where all internal hosts appear to come from the same IP address. This is called Port Address Translation (PAT), or sometimes NAT overload, and it does not satisfy this requirement.


Caution

If multiple Edge Servers are deployed in a load-balanced fashion, the external firewall cannot be configured for NAT. Regardless of the use of load balancers or not, an internal firewall used to protect Edge Servers cannot be NAT enabled for the internal IP address of an Edge Server.
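The following is an added example, not code from the article or from Microsoft, that checks the DNAT/SNAT symmetry the tip above describes: for each Edge Server, the external address used inbound must equal the source address used outbound, and no public address may be shared by several internal hosts (PAT/NAT overload). The rule model and the second host (10.1.1.45) are constructed; 11.22.33.44 and 10.1.1.44 are the tip's own illustration.

```python
# Added example (not from the article): verify that an external firewall's NAT
# configuration maps each Edge Server the same way in both directions.
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    kind: str       # "DNAT" (Internet -> Edge) or "SNAT" (Edge -> Internet)
    external: str   # routable address seen on the Internet
    internal: str   # Edge Server address inside the firewall

def check_nat_symmetry(rules):
    """Return a list of problems; an empty list means every Edge Server that is
    reachable via DNAT also leaves via SNAT from the same public address."""
    dnat = {r.internal: r.external for r in rules if r.kind == "DNAT"}
    snat = {r.internal: r.external for r in rules if r.kind == "SNAT"}
    problems = []
    for host, ext in dnat.items():
        out = snat.get(host)
        if out is None:
            problems.append(f"{host}: inbound via {ext} but no SNAT rule; "
                            "outbound traffic would use the firewall's default address")
        elif out != ext:
            problems.append(f"{host}: inbound via {ext} but outbound appears as {out}")
    # PAT / NAT overload: several internal hosts sharing one public source address
    shared = {}
    for host, ext in snat.items():
        shared.setdefault(ext, []).append(host)
    for ext, hosts in shared.items():
        if len(hosts) > 1:
            problems.append(f"{ext} is shared by {sorted(hosts)} (PAT/NAT overload)")
    return problems

# Correct: the same address pair is used in both directions (the tip's example).
GOOD_RULES = [NatRule("DNAT", "11.22.33.44", "10.1.1.44"),
              NatRule("SNAT", "11.22.33.44", "10.1.1.44")]
# Constructed misconfiguration: inbound DNAT is right, but outbound traffic from
# every internal host (including the Edge) is overloaded onto 11.22.33.1.
BAD_RULES = [NatRule("DNAT", "11.22.33.44", "10.1.1.44"),
             NatRule("SNAT", "11.22.33.1", "10.1.1.44"),
             NatRule("SNAT", "11.22.33.1", "10.1.1.45")]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, check_nat_symmetry(rules) or "OK")
```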


Ports to Open

The specific ports that need to be opened on a firewall vary somewhat depending on which services are placed into the DMZ and which services need to be accessible from the Internet. This section summarizes commonly deployed DMZ roles and the ports necessary to support them. Each entry calls out the port, the traffic type, the type of firewall it applies to (internal or external), and the purpose of the opening.

Audio/Video Edge Service Port Ranges

TCP 50,000 through 59,999— Incoming, these ports are needed for connections with Federated partners running Lync Server. Federated partners still running OCS 2007 also need UDP 50,000 through 59,999. This is to support RTP (Real-Time Transport Protocol). Federated A/V to a partner running an OCS 2007 R2 edge environment works over 3478/UDP or 443/TCP. This applies to the external firewall.

TCP 443 (STUN/TCP)— Outbound, for media transfer between internal users and external users. This applies to both the internal and external firewalls.

UDP 3478 (STUN/UDP)— Inbound and outbound for media exchange between internal users and external users. This applies to both the internal and external firewalls.

TCP 5062 (SIP/MTLS)— Outbound, for authentication of A/V users. This applies to the internal firewall.

Access Edge Service Port Ranges

TCP 5061 (TCP/MTLS)— Incoming and outgoing, usually to a director or the virtual IP of a load balancer. This applies to the internal firewall.

UDP 53 (DNS)— Outgoing, to enable the Access Edge to find other systems. The Access Edge should be configured to use an external DNS, to avoid unnecessary openings in the internal firewall. This might require using the hosts file to find systems that are also in the DMZ. This applies to the external firewall.

TCP 80 (HTTP)— Outgoing, to enable the system to download Certificate Revocation Lists. This applies to the external firewall.

TCP 443 (HTTPS)— Outgoing, to enable the system to download Certificate Revocation Lists that are published with SSL. This applies to the external firewall.

TCP 5061 (SIP/MTLS)— Incoming and outgoing. This applies to the external firewall.

Web Conferencing Edge Service

TCP 8057 (PSOM/MTLS)— Outbound, for communications between Web Conferencing Servers and the Web Conferencing Edge Service. This applies to the internal firewall.

TCP 443 (PSOM/TLS)— Inbound for access of remote, anonymous, and federated users into internal Web Conferences. This applies to the external firewall.

All Edge Servers

TCP 4443 (HTTPS)— Inbound, to enable replication of configuration data from the Central Management Server to the Edge Servers. This applies to the internal firewall.
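The following is an added example, not code from the article or from Microsoft, that turns the external-firewall entries in the lists above into a requirement table and audits a candidate rule set against it, reporting required spans that no allow rule covers and allowed ports that no requirement justifies (the article's own example of an unwanted opening is TCP 445). The rule-set format and the candidate rules are constructed.

```python
# Added example (not from the article): audit a candidate external-firewall rule
# set against the Edge port requirements listed above for the external firewall.

# (proto, first_port, last_port, direction) transcribed from the article's lists
REQUIRED_EXTERNAL = [
    ("TCP", 50000, 59999, "in"),   # A/V Edge: federated partners on Lync Server (RTP)
    ("UDP", 50000, 59999, "in"),   # A/V Edge: partners still running OCS 2007
    ("TCP",   443,   443, "out"),  # A/V Edge STUN/TCP; also HTTPS CRL download
    ("UDP",  3478,  3478, "in"),   # A/V Edge STUN/UDP
    ("UDP",  3478,  3478, "out"),
    ("UDP",    53,    53, "out"),  # Access Edge DNS lookups
    ("TCP",    80,    80, "out"),  # Access Edge CRL download over HTTP
    ("TCP",  5061,  5061, "in"),   # Access Edge SIP/MTLS
    ("TCP",  5061,  5061, "out"),
    ("TCP",   443,   443, "in"),   # Web Conferencing Edge PSOM/TLS
]

# Constructed candidate rule set: (proto, first, last, direction, action).
# It omits the UDP 50,000-59,999 range and exposes SMB (445) to the Internet.
CANDIDATE_RULES = [
    ("TCP", 50000, 59999, "in",  "allow"),
    ("UDP",  3478,  3478, "in",  "allow"),
    ("UDP",  3478,  3478, "out", "allow"),
    ("TCP",   443,   443, "in",  "allow"),
    ("TCP",   443,   443, "out", "allow"),
    ("TCP",  5061,  5061, "in",  "allow"),
    ("TCP",  5061,  5061, "out", "allow"),
    ("UDP",    53,    53, "out", "allow"),
    ("TCP",    80,    80, "out", "allow"),
    ("TCP",   445,   445, "in",  "allow"),
    ("TCP",     1, 65535, "in",  "deny"),
]

def audit_rules(rules, required=REQUIRED_EXTERNAL):
    """Return (missing, excess): required spans that no single allow rule fully
    covers, and per allow rule the ports that no requirement justifies."""
    allows = [r for r in rules if r[4] == "allow"]
    def covered(proto, lo, hi, direction):
        return any(p == proto and d == direction and alo <= lo and hi <= ahi
                   for p, alo, ahi, d, _ in allows)
    def needed(proto, port, direction):
        return any(p == proto and d == direction and lo <= port <= hi
                   for p, lo, hi, d in required)
    missing = [req for req in required if not covered(*req)]
    excess = [(p, d, [x for x in range(lo, hi + 1) if not needed(p, x, d)])
              for p, lo, hi, d, _ in allows]
    return missing, [e for e in excess if e[2]]

if __name__ == "__main__":
    missing, excess = audit_rules(CANDIDATE_RULES)
    print("missing:", missing)
    print("excess:", excess)
```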
