Topic Last Modified: 2011-05-02
How you configure your firewalls largely depends on the specific firewalls you use in your organization. However, every firewall has common configuration requirements that are specific to Microsoft Lync Server 2010. Follow the manufacturer's instructions for configuring each firewall, together with the information in this section, which describes the settings that must be configured on the two firewalls (internal and external) of the perimeter network.
The A/V Edge service requires a publicly routable IP address. When a hardware or DNS load balancer is used, the external firewall of the perimeter network must therefore not apply NAT to this address. If the edge server is a single consolidated edge server, Lync Server 2010 allows NAT for the external addresses of all three edge services (Access Edge, Web Conferencing Edge, and A/V Edge).
The internal firewall must never apply NAT to the internal IP address of the A/V Edge service. That address must be directly routable from the internal network: internal clients and servers must reach the A/V Edge service at the same IP address that is configured on the edge server, not at a translated one.
For details about configuring the internal and external firewalls of your perimeter network, see Determining External A/V Firewall and Port Requirements in the Planning documentation.
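As an added check that is not part of the original documentation, the PowerShell function below validates a planned A/V Edge address pair against the two NAT rules just stated: with a load balancer the external A/V Edge address must be public and must reach the server untranslated, and the internal A/V Edge address must always be the one bound on the server. It expects the per-server external address (not a load balancer VIP); the helper names Get-LocalIPv4Addresses and Test-PrivateIPv4 are introduced here, and the addresses in the dry-run call are constructed placeholders.

```powershell
# Added example, not from the Lync Server 2010 documentation.
# Checks a planned A/V Edge address pair against the NAT rules for the
# external and internal firewalls. Assumes an IPv4 address plan.

function Test-PrivateIPv4 {
    # True when the address is RFC 1918 or RFC 6598 (carrier NAT) space,
    # i.e. it cannot serve as the publicly routable A/V Edge address.
    param([Parameter(Mandatory = $true)][System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    if ($b.Length -ne 4) { return $false }
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168) -or
            ($b[0] -eq 100 -and $b[1] -ge 64 -and $b[1] -le 127))
}

function Get-LocalIPv4Addresses {
    # IPv4 addresses bound to IP-enabled adapters on this host (WMI, works on
    # Windows Server 2008 R2 where Lync Server 2010 is typically deployed).
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }
}

function Test-AVEdgeAddressPlan {
    param(
        # This server's external A/V Edge address as published in the topology
        # (the per-server address, not a hardware load balancer VIP).
        [Parameter(Mandatory = $true)][string]$ServerExternalAVEdgeIP,
        # Internal A/V Edge address that internal clients and servers connect to.
        [Parameter(Mandatory = $true)][string]$InternalAVEdgeIP,
        # $true for a hardware or DNS load balanced edge pool,
        # $false for a single consolidated edge server.
        [Parameter(Mandatory = $true)][bool]$LoadBalanced,
        # Addresses bound on this host; injectable so the check can be dry-run.
        [string[]]$LocalAddresses = (Get-LocalIPv4Addresses)
    )
    $findings = @()
    $ext = [System.Net.IPAddress]::Parse($ServerExternalAVEdgeIP)

    if ($LoadBalanced) {
        # Rule 1: with a load balancer the external firewall must not NAT the
        # A/V Edge address, so the published public address must be bound here.
        if (Test-PrivateIPv4 $ext) {
            $findings += "External A/V Edge IP $ServerExternalAVEdgeIP is private address space; a load balanced A/V Edge needs a publicly routable IP."
        }
        if ($LocalAddresses -notcontains $ServerExternalAVEdgeIP) {
            $findings += "External A/V Edge IP $ServerExternalAVEdgeIP is not bound to a local adapter; with a load balancer the external firewall must pass it through untranslated."
        }
    }
    elseif (Test-PrivateIPv4 $ext) {
        # Single consolidated edge: NAT on the external firewall is allowed, so a
        # private adapter address is fine, but the published address must still be
        # the public (post-NAT) one.
        $findings += "Published external A/V Edge IP $ServerExternalAVEdgeIP is private; publish the public address that the external firewall translates to this server."
    }

    # Rule 2 (every topology): the internal firewall must not NAT the internal
    # A/V Edge address, so the address internal hosts use must be bound here.
    if ($LocalAddresses -notcontains $InternalAVEdgeIP) {
        $findings += "Internal A/V Edge IP $InternalAVEdgeIP is not bound to a local adapter; the internal network must reach the edge server at this exact address."
    }

    return ,$findings
}

# Dry run with constructed placeholder addresses (not a real deployment): a load
# balanced edge whose adapters carry only private addresses, i.e. the external
# firewall is translating the A/V Edge address.
Test-AVEdgeAddressPlan -ServerExternalAVEdgeIP '203.0.113.10' -InternalAVEdgeIP '10.10.0.10' `
    -LoadBalanced $true -LocalAddresses @('192.168.100.10', '10.10.0.10') |
    ForEach-Object { Write-Warning $_ }
```

Omit -LocalAddresses to check the edge server you are logged on to. The function only verifies what the host itself can see (address ranges and adapter bindings); whether the internal firewall actually translates traffic still has to be confirmed from an internal host by connecting to the A/V Edge internal address and checking the firewall's NAT table.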
Best Practices
To help increase security in your perimeter network, we recommend that you deploy edge servers in the following ways:
- Create a dedicated subnet on your router for Lync Server.
- Verify that traffic coming to the Lync Server subnet does not route to other subnets.
- On your initial router, configure rules to ensure that there is no routing between your Lync Server subnet and other subnets (with the exception of a management subnet that can include management services for your perimeter network).
- On your internal router, do not allow any broadcasts or multicasts coming from the Lync Server subnet in the perimeter network.
- Deploy edge servers between two firewalls (an internal firewall and an external firewall) to ensure strict routing from one network edge to the other.
In addition, to enhance edge server performance and security, as well as to facilitate deployment, use the following guidelines when establishing your deployment process:
- Deploy edge servers only after you finish deploying Lync Server 2010 inside your organization, unless you are migrating from Microsoft Office Communications Server 2007 to Lync Server 2010. For details about the migration process, see the Migration from Office Communications Server 2007 R2 to Lync Server 2010 documentation and the Migration from Office Communications Server 2007 to Lync Server 2010 documentation.
- Deploy edge servers in a workgroup rather than a domain. Doing so simplifies installation and keeps Active Directory Domain Services out of the perimeter network. Locating Active Directory Domain Services in the perimeter network can present a significant security risk.
- Deploy your edge servers in a staging or lab environment before deploying them in your production environment. Deploy the edge servers in your perimeter network only when you are satisfied that the test deployment meets your requirements and that it can be incorporated successfully in a production environment.
- Deploy at least one Director to act as an authentication gateway for inbound external traffic.
- Deploy edge servers on dedicated computers that run only what is required. This includes disabling unnecessary services and running only essential programs on the computer, such as programs embodying routing logic that are developed by using Microsoft SIP Processing Language (MSPL) and the Lync Server API.
- Enable monitoring and auditing as early as possible on the computer.
- Use a computer that has two network adapters to provide physical separation of the internal and external network interfaces.
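The following PowerShell function is an added example and not part of the original documentation or the Lync Server product. It is a read-only baseline check of an edge server host against four of the guidelines above: workgroup membership, two adapters on separate subnets, no running services beyond a known-good allowlist, and logon auditing enabled. The default service allowlist is a placeholder to be replaced with the service names captured from a known-good edge server, the helper Get-NetworkId is introduced here, and the auditpol parsing assumes an English-locale Windows with an elevated shell.

```powershell
# Added example, not from the Lync Server 2010 documentation.
# Read-only baseline check of an edge server host. Run in an elevated
# PowerShell session (auditpol requires it). English locale assumed for
# the auditpol column headers.

function Get-NetworkId {
    # Network address of an IPv4 address/mask pair,
    # e.g. 10.1.2.3 with 255.255.255.0 gives 10.1.2.0.
    param([Parameter(Mandatory = $true)][string]$Address,
          [Parameter(Mandatory = $true)][string]$Mask)
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    return ((0..3 | ForEach-Object { $a[$_] -band $m[$_] }) -join '.')
}

function Test-EdgeHostBaseline {
    param(
        # Services expected to be running; anything else running is reported.
        # Placeholder list: replace it with the names exported from a known-good
        # edge server (see the usage note below).
        [string[]]$AllowedRunningServices = @('RTCSRV', 'RTCDATAPROXY', 'RTCMEDIARELAY',
                                              'RTCMRAUTH', 'REPLICA', 'EventLog',
                                              'W32Time', 'Winmgmt', 'MpsSvc')
    )
    $findings = @()

    # 1. Workgroup, not domain: keeps AD DS out of the perimeter network.
    $cs = Get-WmiObject Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $findings += "Host is joined to domain '$($cs.Domain)'; edge servers belong in a workgroup."
    }

    # 2. Two IP-enabled adapters on different IPv4 subnets, so internal and
    #    external traffic are physically separated.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True")
    $subnets = @()
    foreach ($nic in $nics) {
        # IPAddress[i] and IPSubnet[i] describe the same binding; keep IPv4 only.
        for ($i = 0; $i -lt $nic.IPAddress.Count; $i++) {
            if ($nic.IPAddress[$i] -match '^\d{1,3}(\.\d{1,3}){3}$') {
                $subnets += Get-NetworkId -Address $nic.IPAddress[$i] -Mask $nic.IPSubnet[$i]
            }
        }
    }
    if ($nics.Count -lt 2) {
        $findings += "Only $($nics.Count) IP-enabled adapter(s); use two adapters to separate the internal and external interfaces."
    }
    elseif (@($subnets | Sort-Object -Unique).Count -lt 2) {
        $findings += "All adapters are on the same IPv4 subnet ($($subnets -join ', ')); internal and external interfaces should be on separate subnets."
    }

    # 3. Dedicated computer: nothing running beyond the allowlist.
    Get-Service |
        Where-Object { $_.Status -eq 'Running' -and $AllowedRunningServices -notcontains $_.Name } |
        ForEach-Object { $findings += "Unexpected running service: $($_.Name) ($($_.DisplayName))" }

    # 4. Auditing: logon success and failure auditing must be on.
    #    auditpol /r emits CSV, which ConvertFrom-Csv turns into an object.
    $logon = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
    $setting = $logon.'Inclusion Setting'
    if ($setting -ne 'Success and Failure') {
        $findings += "Logon auditing is '$setting'; enable it with: auditpol /set /subcategory:""Logon"" /success:enable /failure:enable"
    }

    return ,$findings
}

# Run the check and surface each finding as a warning.
Test-EdgeHostBaseline | ForEach-Object { Write-Warning $_ }
```

To build a real allowlist, capture the running services on an edge server you have already verified with Get-Service | Where-Object { $_.Status -eq 'Running' } | Select-Object -ExpandProperty Name and pass that list as -AllowedRunningServices; the check then reports only drift from that baseline. The function changes nothing on the host; it only reports, so it is safe to schedule as a recurring audit once the server is in the perimeter network.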