

Firewall Requirements for External User Access (2007 R2 Beta)

[This is preliminary documentation and is subject to change. Blank topics are included as placeholders.]

How you configure your firewalls is largely dependent on the specific firewalls you use in your organization, but each firewall also has common configuration requirements that are necessary for Office Communications Server 2007 R2. Follow the manufacturer's instructions for configuring each firewall, along with the information in this section, which describes the settings that must be configured on the internal and external firewalls.

Publicly Routable IP Address

In any location where multiple Edge Servers are deployed behind a load balancer, the external firewall must not function as a network address translator (NAT). In a site with only a single Edge Server deployed, however, the external firewall can be configured as a NAT. If you do so, configure the NAT as a destination network address translator (DNAT) for inbound traffic: configure any firewall filter used for traffic from the Internet to the Edge Server with DNAT, and configure any firewall filter for traffic from the Edge Server to the Internet (outbound traffic) as a source network address translator (SNAT).

Note

If you are using Microsoft Internet Security and Acceleration (ISA) Server 2006 as your external firewall, you might not be able to configure it as a NAT in this scenario.

In all topologies, the internal firewall must not act as a NAT for the internal IP address of any Edge Server.

Default Ports

The following figure shows the default firewall ports for each server in the perimeter network.

Figure 1. Default firewall ports in the perimeter network


The following sections provide additional information about each port to be configured for each server role in each topology, as well as a mapping of the numbers in the previous figure to the respective port descriptions.

Edge Server Firewall Policy Rules

The following three tables describe the firewall policy rules to be configured for the Edge Server. These settings are listed in separate tables to help illustrate which port settings are used by each service running on the Edge Server.

The following sections list the firewall policy rules that are required on each server in the perimeter network. In the tables in these sections, the numbers in the Figure Mapping column correspond to the numbers in Figure 1.

In the following tables, the direction for firewall policy rules that is indicated as outbound is defined as follows:

  • On the internal firewall, it corresponds to traffic from servers on the internal (private) network to the Edge Server in the perimeter network.
  • On the external firewall, it corresponds to traffic from the Edge Server in the perimeter network to the Internet.

Firewall Settings for the Access Edge Service

| Firewall | Local port | Direction | Remote port | Local IP address | Remote IP address | Figure mapping |
|---|---|---|---|---|---|---|
| Internal | Any | Inbound (for remote user access and federation) | 5061 TCP (SIP/MTLS) | The internal IP address of the Access Edge service | The IP address of the next hop server. If a Director is deployed, use the IP address of the Director, or the VIP of the load balancer if the Directors are load balanced | 5 |
| Internal | 5061 TCP (SIP/MTLS) | Outbound (for remote user access and federation) | Any | The internal IP address of the Access Edge service | If no Director is deployed, any IP address. If a Director is deployed, the IP address of the Director, or the virtual IP address of the load balancer if the Directors are load balanced | 5 |
| External | 5061 TCP (SIP/MTLS) | Inbound/Outbound (federation) | Any | The external IP address of the Access Edge service | Any IP address | 3 |
| External | 443 TCP (SIP/TLS) | Inbound (for remote user access) | Any | The external IP address of the Access Edge service | Any IP address | 4 |

Firewall Settings for the Web Conferencing Edge Service

| Firewall | Local port | Direction | Remote port | Local IP address | Remote IP address | Figure mapping |
|---|---|---|---|---|---|---|
| Internal | 8057 TCP (PSOM/MTLS) | Outbound (for traffic between internal Web Conferencing Servers and the Web Conferencing Edge service) | Any | The internal IP address of the Web Conferencing Edge service | Any IP address | 7 |
| External | 443 TCP (PSOM/TLS) | Inbound (for access of remote, anonymous, and federated users to internal Web conferences) | Any | The external IP address of the Web Conferencing Edge service | Any IP address | 6 |

Note

PSOM is the Microsoft proprietary protocol used for Web conferencing.

Firewall Settings for the A/V Edge service

| Firewall | Local port | Direction | Remote port | Local IP address | Remote IP address | Figure mapping |
|---|---|---|---|---|---|---|
| Internal | 443 TCP (STUN/TCP) | Outbound (for internal users to send media to external users) | Any | The internal IP address of the A/V Edge service | Any IP address | 12 |
| Internal | 5062 TCP (SIP/MTLS) | Outbound (for authentication of A/V users) | Any | The internal IP address of the A/V Edge service | Any IP address | 13 |
| Internal | 3478 UDP (STUN/UDP) (see note 1) | Outbound (for internal users to send media to external users) | Any | The internal IP address of the A/V Edge service | Any IP address | 14 |
| External | 443 TCP (STUN/TCP) | Inbound (for external user access to media and A/V sessions) | Any | The external IP address of the A/V Edge service | Any IP address | 8 |
| External | 3478 UDP (STUN/UDP) (see note 1) | Inbound (for external users connecting to media or A/V sessions) | Any | The external IP address of the A/V Edge service | Any IP address | 10 |
| External | 50,000-59,999 TCP (RTP/TCP) (see note 2) | Inbound/Outbound (for media transfer) | Any | The external IP address of the A/V Edge service. This IP address must be a publicly routable IP address | Any IP address | |
| External | 50,000-59,999 UDP (RTP/UDP) (see note 3) | Inbound/Outbound (for media transfer) | Any | The external IP address of the A/V Edge service. This IP address must be a publicly routable IP address | Any IP address | |

Note 1

If you are using ISA Server as your firewall, you must configure the 3478 UDP rule for send/receive.

Note 2

The 50,000-59,999 TCP port range is required to be open for outbound connections. For inbound connections, you need to open this port range only if you are federating with organizations running Office Communications Server 2007 or earlier. For details, see 50,000 - 59,999 Port Range.

Note 3

The 50,000-59,999 UDP port range is required to be open only if you are federating with organizations running Office Communications Server 2007 or earlier. For details, see 50,000 - 59,999 Port Range.

Reverse Proxy Firewall Policy Rules

The following table describes the firewall policy to be configured for the reverse proxy.

Firewall Settings for the Reverse Proxy

| Firewall | Local port | Direction | Remote port | Local IP address | Remote IP address | Figure mapping |
|---|---|---|---|---|---|---|
| Internal | Any | Inbound (for external user access to Web conferences) | 443 TCP (HTTP(S)) | The internal IP address of the reverse proxy | Any | 2 |
| External | 443 TCP (HTTP(S)) | Inbound | Any | The external IP address of the HTTP reverse proxy | Any | 1 |

Note

If you want your users to be able to connect from inside your intranet to external conferences hosted by other companies, open port 443 outbound.
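The NAT constraints in "Publicly Routable IP Address" and the topology-dependent cells in the Access Edge and A/V Edge tables (next-hop address with or without a Director, the 50,000-59,999 ranges with or without legacy federation) are easy to get wrong when translating this page into a real ruleset. The following Python planner is an added example, not code from this documentation or a Microsoft tool: it encodes those two tables and the NAT rules as data, resolves them for a given topology, and reports which required rules a proposed ruleset is missing. The `Topology` and `Rule` types, the field names, and all IP addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24) are constructed for the example.

```python
# Added example for this page (not Microsoft's tooling): a topology-driven
# planner for the Access Edge and A/V Edge firewall rules described above,
# plus a check of the NAT constraints from "Publicly Routable IP Address".
# Every IP address below is a constructed sample value.
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    firewall: str      # "internal" or "external"
    direction: str     # "inbound", "outbound" or "inbound/outbound", as defined on this page
    protocol: str      # "TCP" or "UDP"
    local_port: str    # a port, a range such as "50000-59999", or "any"
    remote_port: str
    local_ip: str
    remote_ip: str     # "any" or the specific next-hop address


@dataclass(frozen=True)
class Topology:
    edge_server_count: int
    external_firewall_is_nat: bool
    inbound_nat_mode: Optional[str]        # "DNAT" or "SNAT" on the Internet -> Edge filters
    outbound_nat_mode: Optional[str]       # "DNAT" or "SNAT" on the Edge -> Internet filters
    internal_firewall_nats_edge_ip: bool
    director_ip: Optional[str]             # Director IP (or load balancer VIP); None if no Director
    federates_with_ocs2007_or_earlier: bool
    access_edge_internal_ip: str
    access_edge_external_ip: str
    av_edge_internal_ip: str
    av_edge_external_ip: str


def sample_topology(**overrides) -> Topology:
    """Constructed sample: one Edge Server behind a NAT external firewall, Director VIP present."""
    base = Topology(1, True, "DNAT", "SNAT", False, "192.0.2.5", True,
                    "192.0.2.10", "198.51.100.10", "192.0.2.12", "198.51.100.12")
    return replace(base, **overrides)


def nat_problems(t: Topology) -> List[str]:
    """Violations of the NAT constraints in 'Publicly Routable IP Address'."""
    problems = []
    if t.external_firewall_is_nat:
        if t.edge_server_count > 1:
            problems.append("external firewall must not NAT when multiple Edge Servers are load balanced")
        if t.inbound_nat_mode != "DNAT":
            problems.append("filters for Internet -> Edge Server traffic must use DNAT")
        if t.outbound_nat_mode != "SNAT":
            problems.append("filters for Edge Server -> Internet traffic must use SNAT")
    if t.internal_firewall_nats_edge_ip:
        problems.append("internal firewall must not NAT the internal IP address of an Edge Server")
    return problems


def access_edge_rules(t: Topology) -> List[Rule]:
    """Access Edge service rules; the internal next hop is the Director (or its VIP) if one exists."""
    next_hop = t.director_ip or "any"
    return [
        Rule("internal", "inbound", "TCP", "any", "5061", t.access_edge_internal_ip, next_hop),
        Rule("internal", "outbound", "TCP", "5061", "any", t.access_edge_internal_ip, next_hop),
        Rule("external", "inbound/outbound", "TCP", "5061", "any", t.access_edge_external_ip, "any"),
        Rule("external", "inbound", "TCP", "443", "any", t.access_edge_external_ip, "any"),
    ]


def av_edge_rules(t: Topology) -> List[Rule]:
    """A/V Edge service rules; the 50,000-59,999 ranges depend on legacy federation."""
    rules = [
        Rule("internal", "outbound", "TCP", "443", "any", t.av_edge_internal_ip, "any"),
        Rule("internal", "outbound", "TCP", "5062", "any", t.av_edge_internal_ip, "any"),
        Rule("internal", "outbound", "UDP", "3478", "any", t.av_edge_internal_ip, "any"),
        Rule("external", "inbound", "TCP", "443", "any", t.av_edge_external_ip, "any"),
        Rule("external", "inbound", "UDP", "3478", "any", t.av_edge_external_ip, "any"),
        # 50,000-59,999 TCP is always required outbound; inbound only for legacy federation.
        Rule("external", "outbound", "TCP", "50000-59999", "any", t.av_edge_external_ip, "any"),
    ]
    if t.federates_with_ocs2007_or_earlier:
        rules.append(Rule("external", "inbound", "TCP", "50000-59999", "any", t.av_edge_external_ip, "any"))
        rules.append(Rule("external", "inbound/outbound", "UDP", "50000-59999", "any", t.av_edge_external_ip, "any"))
    return rules


def missing_rules(required: List[Rule], configured: List[Rule]) -> List[Rule]:
    """Required rules absent from a proposed ruleset (exact match, order does not matter)."""
    have = set(configured)
    return [r for r in required if r not in have]


if __name__ == "__main__":
    topo = sample_topology()
    for problem in nat_problems(sample_topology(edge_server_count=2)):
        print("NAT problem:", problem)
    required = access_edge_rules(topo) + av_edge_rules(topo)
    proposed = [r for r in required if r.protocol != "UDP"]  # a ruleset that forgot every UDP rule
    for r in missing_rules(required, proposed):
        print("missing:", r.firewall, r.direction, r.protocol, r.local_port, "->", r.remote_port)
```

Feed `required` and your actual ruleset through `missing_rules` before cut-over; the comparison is exact, so a rule with "any" where this page specifies the Director address shows up as missing rather than being silently accepted as broader.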