How you configure your firewalls largely depends on the specific firewalls you use in your organization. However, each firewall has common configuration requirements that are specific to Office Communications Server 2007 R2. Follow the manufacturer’s instructions for configuring each firewall, along with the information in this section, which describes the settings that must be configured on the two firewalls.
To conform to the requirement of a publicly routable IP address of the A/V Edge service, the external firewall of the perimeter network must not act as a NAT for this IP address when a hardware load balancer is being used. If the edge server is a single consolidated edge server, Office Communications Server 2007 R2 allows the use of NAT for all three edge services.
Additionally, the internal firewall must not act as a NAT for the internal IP address of the A/V Edge service. That internal IP address must be fully routable from the internal network, with no address translation in between.
The following figure shows the default firewall ports for each server in the perimeter network. For details about configuring the internal and external firewalls of your perimeter network, see the documentation.
To help increase security in your perimeter network, we recommend that you deploy edge servers in the following ways:
- Create a new subnet out of your router for Office
- Verify that traffic coming to the Office Communications Server subnet does not route to other subnets.
- On your initial router, configure rules to ensure that there is no routing between your Office Communications Server 2007 R2 subnet and other subnets (with the exception of a management subnet that can include management services for your perimeter network).
- On your internal router, do not allow any broadcasts or multicasts coming from the Office Communications Server 2007 R2 subnet in the perimeter network.
- Deploy edge servers between two firewalls (an internal firewall and an external firewall) to ensure strict routing from one network edge to the other.
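The NAT and subnet-routing rules above can be checked mechanically before a perimeter design is signed off. The following is an added example, not part of the original documentation: it evaluates a constructed deployment plan (the dictionary keys, the RFC 5737 addresses and the route list are all assumptions) against three rules stated on this page: no NAT of the public A/V Edge IP when a hardware load balancer is used, never NAT the internal A/V Edge IP, and no routes between the Office Communications Server subnet and anything other than the management subnet.

```python
import ipaddress

# Constructed deployment description (not from the page). "routes" lists the
# (source subnet, destination subnet) pairs that the perimeter router permits.
PLAN = {
    "load_balanced": True,           # hardware load balancer in front of the edge pool
    "external_nat_av_edge": True,    # external firewall NATs the public A/V Edge IP
    "internal_nat_av_edge": False,   # internal firewall NATs the internal A/V Edge IP
    "ocs_subnet": "192.0.2.0/26",    # perimeter subnet holding the edge servers
    "mgmt_subnet": "192.0.2.64/26",  # management subnet allowed to reach it
    "routes": [
        ("192.0.2.0/26", "192.0.2.64/26"),     # OCS subnet <-> management: allowed
        ("192.0.2.0/26", "198.51.100.0/24"),   # OCS subnet <-> some other subnet: not allowed
    ],
}


def check_plan(plan):
    """Return a list of rule violations found in a perimeter deployment plan."""
    problems = []

    # The A/V Edge public IP must stay publicly routable: NAT on the external
    # firewall is only acceptable for a single consolidated edge server.
    if plan["load_balanced"] and plan["external_nat_av_edge"]:
        problems.append("external firewall must not NAT the A/V Edge IP when a load balancer is used")

    # The internal A/V Edge IP must be reachable from the internal network as-is.
    if plan["internal_nat_av_edge"]:
        problems.append("internal firewall must not NAT the internal A/V Edge IP")

    # Any route touching the OCS subnet may only lead to the OCS subnet itself
    # or to the management subnet.
    ocs = ipaddress.ip_network(plan["ocs_subnet"])
    mgmt = ipaddress.ip_network(plan["mgmt_subnet"])
    for src, dst in plan["routes"]:
        ends = [ipaddress.ip_network(src), ipaddress.ip_network(dst)]
        if not any(n.overlaps(ocs) for n in ends):
            continue  # route does not involve the perimeter OCS subnet
        if not all(n.subnet_of(ocs) or n.subnet_of(mgmt) for n in ends):
            problems.append(f"route {src} <-> {dst} connects the OCS subnet to a non-management subnet")
    return problems


if __name__ == "__main__":
    for p in check_plan(PLAN):
        print("VIOLATION:", p)
```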
In addition, to enhance edge server performance and security, as well as to facilitate deployment, use the following guidelines when establishing your deployment process:
- Deploy edge servers only after you finish deploying Office Communications Server 2007 R2 inside your organization, unless you are migrating from Microsoft Office Live Communications Server 2005 Service Pack 1 to Microsoft Office Communications Server 2007 R2. For details about the migration process, see documentation and the
- Deploy edge servers in a workgroup rather than a domain. Doing so simplifies installation and keeps the Active Directory Domain Services out of the perimeter network. Locating Active Directory Domain Services in the perimeter network can present a significant
- Deploy your edge servers in a staging or lab environment before deploying them in your production environment. Deploy the edge servers in your perimeter network only when you are satisfied that the test deployment meets your requirements and that it can be incorporated successfully in a production environment.
- Deploy at least one Director to act as an authentication gateway for inbound external traffic.
- Deploy edge servers on dedicated computers that only run what is required. This includes disabling unnecessary services and running only essential programs on the computer, such as programs embodying routing logic that are developed by using Microsoft SIP Processing Language (MSPL) and the Office Communications Server
- Enable monitoring and auditing as early as possible on the
- Use a computer that has two network adapters to provide physical separation of the internal and external network