Office Communications Server supports an internal firewall, an external firewall, or both an internal and an external firewall for Edge Servers. A configuration with both an internal and an external firewall is strongly recommended.
The internal firewall, the external firewall, or both can consist of multiple firewall computers behind a hardware load balancer.
In addition to being supported as a reverse proxy, Microsoft Internet Security and Acceleration (ISA) Server is supported as a firewall for Office Communications Server 2007 R2. The following versions of ISA are supported as a firewall:
- ISA Server 2006
- ISA Server 2004
|If you use ISA Server as your firewall, configuring it as a NAT is not supported, because ISA Server 2006 does not support static NAT.|
The firewall requirements for correct functioning of Edge Servers are as follows:
- For single, nonscaled Edge Server deployments (single Edge
Server in a location), the IP address of the external interface of
the A/V Edge service may or may not be publicly routable (although
it is recommended that it be publicly routable). In this scenario,
the external firewall can be configured as a network address
translation (NAT). If the external firewall is configured as a NAT,
it must be configured as a destination NAT (DNAT) for inbound
traffic (from the Internet to the Edge Server) and as a source NAT
(SNAT) for outbound traffic (from the Edge Server to the Internet).
For details, see
Requirements for External User Accessin the Planning and
- For scaled Edge Server deployments (multiple Edge Servers in a
location), the IP address of the external interface of the A/V Edge
service must be publicly routable. In this scenario, the external
firewall must not function as a NAT.
- In all Edge Server topologies, the internal firewall must not
act as a NAT for the internal IP address of any Edge Servers.
- Each service running on an Edge Server should have a separate
IP address, which can be on a separate physical network adapter, or
it can be a single multihomed network adapter.
For details about default ports and required firewall settings, see Ports and Protocolsin the Planning and Architecture documentation.