Office Communications Server supports an internal firewall, an external firewall, or both an internal and an external firewall for Edge Servers. A configuration with both an internal and an external firewall is strongly recommended.
The internal firewall, the external firewall, or both can consist of multiple firewall computers behind a hardware load balancer.
In addition to being supported as a reverse proxy, Microsoft Internet Security and Acceleration (ISA) Server is supported as a firewall for Office Communications Server 2007 R2. The following versions of ISA are supported as a firewall:
- ISA Server 2006
- ISA Server 2004
Note: If you use ISA Server as your firewall, configuring it as a NAT is not supported, because ISA Server 2006 does not support static NAT.
The firewall requirements for correct functioning of Edge Servers are as follows:
- For single, nonscaled Edge Server deployments (one Edge Server in a location), the IP address of the external interface of the A/V Edge service may or may not be publicly routable, although a publicly routable address is recommended. In this scenario, the external firewall can perform network address translation (NAT). If the external firewall is configured as a NAT, it must be configured as a destination NAT (DNAT) for inbound traffic (from the Internet to the Edge Server) and as a source NAT (SNAT) for outbound traffic (from the Edge Server to the Internet). For details, see Firewall Requirements for External User Access in the Planning and Architecture documentation.
- For scaled Edge Server deployments (multiple Edge Servers in a location), the IP address of the external interface of the A/V Edge service must be publicly routable. In this scenario, the external firewall must not function as a NAT.
- In all Edge Server topologies, the internal firewall must not act as a NAT for the internal IP address of any Edge Server.
- Each service running on an Edge Server should have its own IP address. The addresses can be assigned to separate physical network adapters or to a single multihomed network adapter.
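The NAT and addressing rules above are easy to get wrong when a location grows from one Edge Server to several, because a single-server configuration that was valid (private A/V external address behind DNAT/SNAT) becomes invalid once a second server is added. The following pre-deployment check, written here as an added example and not part of the Office Communications Server documentation or product, encodes those rules over a small hypothetical topology description. The EdgeTopology class, the service names (access, webconf, av), the NAT mode strings, and the NON_ROUTABLE block list are assumptions of this example; the sample addresses are constructed, with RFC 5737 documentation ranges standing in for public addresses.

```python
"""Check an Edge Server location against the firewall/NAT rules (added example)."""
import ipaddress
from dataclasses import dataclass

# Address blocks an Internet peer cannot reach. Anything outside them is treated
# as publicly routable for this check (assumption: the list covers the ranges an
# Edge deployment would realistically be assigned by mistake).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # RFC 6598 (carrier-grade NAT)
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" network
    "224.0.0.0/4",                                      # multicast
)]


def publicly_routable(addr: str) -> bool:
    """True if addr falls outside every NON_ROUTABLE block."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


@dataclass
class EdgeTopology:
    """Hypothetical description of one Edge location (not an OCS object)."""
    edge_count: int        # 1 = single (nonscaled); >1 = scaled
    external_ips: dict     # service name -> external IP, e.g. {"access": ..., "webconf": ..., "av": ...}
    external_fw_nat: str   # "none", "dnat+snat", or some other mode such as "static"
    internal_fw_nat: bool  # does the internal firewall translate Edge internal addresses?


def check_topology(t: EdgeTopology) -> list:
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; an empty list means compliant."""
    findings = []
    scaled = t.edge_count > 1
    av_ext = t.external_ips.get("av")

    # A/V Edge external address: must be public when scaled, should be when single.
    if av_ext is None:
        findings.append("ERROR: no external IP defined for the A/V Edge service")
    elif not publicly_routable(av_ext):
        if scaled:
            findings.append(f"ERROR: scaled deployment but A/V Edge external IP {av_ext} "
                            "is not publicly routable")
        else:
            findings.append(f"WARN: A/V Edge external IP {av_ext} is not publicly routable "
                            "(recommended, not required, for a single Edge Server)")

    # External firewall NAT: never when scaled; only DNAT inbound + SNAT outbound when single.
    if t.external_fw_nat != "none":
        if scaled:
            findings.append("ERROR: external firewall must not NAT in a scaled Edge deployment")
        elif t.external_fw_nat != "dnat+snat":
            findings.append(f"ERROR: external firewall NAT mode '{t.external_fw_nat}' is not "
                            "DNAT inbound + SNAT outbound")

    # Internal firewall must never translate Edge internal addresses.
    if t.internal_fw_nat:
        findings.append("ERROR: internal firewall must not NAT the internal IP address "
                        "of any Edge Server")

    # One IP address per Edge service.
    seen = {}
    for service, ip in t.external_ips.items():
        if ip in seen:
            findings.append(f"ERROR: services '{seen[ip]}' and '{service}' share external IP {ip}")
        seen.setdefault(ip, service)
    return findings


if __name__ == "__main__":
    # Constructed sample topologies: a valid single server behind DNAT/SNAT with a
    # private A/V address, and a scaled location that breaks three rules at once.
    single = EdgeTopology(1, {"access": "203.0.113.10", "webconf": "203.0.113.11",
                              "av": "10.20.30.40"}, "dnat+snat", False)
    scaled = EdgeTopology(2, {"access": "203.0.113.10", "webconf": "203.0.113.10",
                              "av": "203.0.113.12"}, "static", True)
    for name, topo in (("single", single), ("scaled", scaled)):
        print(name, check_topology(topo) or ["OK"])
```

Run it against the topology you intend to build before opening firewall change requests: the single-server sample yields only a warning about the private A/V address, while the scaled sample produces errors for NAT on the external firewall, NAT on the internal firewall, and two services sharing one external IP.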
For details about default ports and required firewall settings, see Ports and Protocols in the Planning and Architecture documentation.