Topic Last Modified: 2011-05-06
The Access Edge service provides a single connection point through which both inbound and outbound SIP traffic can cross firewalls, separating internal and external networks for federation and remote user access traffic. In addition, all SIP signaling traffic that is necessary to set up and tear down conferencing and media sessions with outside users passes through the Access Edge service.
The Access Edge service is a specially configured proxy that was designed and tested to operate in the perimeter network. The Access Edge service enforces routing rules that separate the outside edge of the network from the inside edge and provides a central platform to manage and enable cross-organization, domain-based policies. This is an IP-based routing solution and does not imply that a physical firewall is not needed. We strongly recommend that you use one or more physical firewalls.
The Access Edge service does not require Active Directory Domain Services, because it manages only SIP domains, not users. That is, the Access Edge service does not authenticate client connections, but it does validate inbound message headers, authorize remote federation servers, and authorize federation traffic. Using a configured internal next-hop address, the Access Edge service passes inbound remote user traffic unchallenged to an internal next hop SIP server (typically a Director) for authentication (because federation traffic is authenticated by the partner domain and is authorized at the Access Edge service, the internal server does no additional authentication). It is also recommended that the Access Edge service be run in a dedicated workgroup or domain that is not a part of the enterprise namespace.
Best Practices
- Deploy the edge server in a peripheral network with firewalls
configured on both its internal and external edges.
- Deploy the Edge Server in a domain or workgroup that is not
part of your internal Active Directory domain.
- Deploy a Director to authenticate incoming SIP traffic.