Topic Last Modified: 2010-04-16
Office Communications Server supports an internal firewall, an external firewall, or both an internal and an external firewall for Edge Servers. A configuration with both an internal and an external firewall is strongly recommended.
The internal firewall, the external firewall, or both can consist of multiple firewall computers behind a hardware load balancer.
In addition to being supported as a reverse proxy, Microsoft Internet Security and Acceleration (ISA) Server is supported as a firewall for Office Communications Server 2007 R2. The following versions of ISA are supported as a firewall:
ISA Server 2006
ISA Server 2004
If you use ISA Server as your firewall, configuring it as a NAT is not supported, because ISA Server 2006 does not support static NAT.
The firewall requirements for correct functioning of Edge Servers are as follows:
For single, non-scaled Edge Server deployments (single Edge Server in a location), the IP address of the external interface of the A/V Edge service may or may not be publicly routable (although it is recommended that it be publicly routable). In this scenario, the external firewall can be configured as a network address translation (NAT). For details, see Firewall Requirements for External User Access in the Planning and Architecture documentation.
For scaled Edge Server deployments (multiple Edge Servers in a location), the IP address of the external interface of the A/V Edge service must be publicly routable. In this scenario, the external firewall must not function as a NAT.
In all Edge Server topologies, the internal firewall must not act as a NAT for the internal IP address of any Edge Servers.
Each service running on an Edge Server should have a separate IP address. These addresses can each be assigned to a separate physical network adapter, or they can all be assigned to a single multi-homed network adapter.
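The requirements above can be checked against a planned topology before any firewall change is made. The following Python sketch is an added example, not part of the Office Communications Server documentation or tooling; the `EdgePlan` fields, the service names `access`, `webconf` and `av`, and the sample addresses are assumptions, and Python's `is_global` test stands in for "publicly routable".

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class EdgePlan:
    """Planned Edge topology; every field name here is an assumption of this example."""
    edge_servers: int        # Edge Servers in the location (more than 1 = scaled)
    external_ips: dict       # service name -> external IP; must include "av"
    external_fw_nat: bool    # external firewall translates addresses
    internal_fw_nat: bool    # internal firewall translates Edge internal addresses
    firewall: str = ""       # firewall product, e.g. "ISA Server 2006"

def check_plan(plan):
    """Return (severity, message) findings; an empty list means no rule is violated."""
    findings = []
    # is_global approximates "publicly routable" (excludes private and reserved ranges).
    av_public = ipaddress.ip_address(plan.external_ips["av"]).is_global
    if plan.internal_fw_nat:
        findings.append(("ERROR", "internal firewall must not NAT Edge Server internal IPs"))
    if plan.edge_servers > 1:
        if not av_public:
            findings.append(("ERROR", "scaled: A/V Edge external IP must be publicly routable"))
        if plan.external_fw_nat:
            findings.append(("ERROR", "scaled: external firewall must not function as a NAT"))
    elif not av_public:
        findings.append(("WARN", "single: publicly routable A/V Edge IP is recommended"))
    if "ISA" in plan.firewall.upper():
        if not any(v in plan.firewall for v in ("2004", "2006")):
            findings.append(("ERROR", "only ISA Server 2004 and 2006 are supported"))
        if plan.external_fw_nat or plan.internal_fw_nat:
            findings.append(("ERROR", "ISA Server configured as a NAT is not supported"))
    ips = list(plan.external_ips.values())
    if len(set(ips)) != len(ips):
        findings.append(("WARN", "each Edge service should have a separate IP address"))
    return findings

# Constructed sample plans (addresses are illustrative, not taken from the page).
SINGLE_BEHIND_NAT = EdgePlan(
    1, {"access": "10.0.0.5", "webconf": "10.0.0.6", "av": "10.0.0.7"}, True, False)
SCALED_BEHIND_NAT = EdgePlan(
    2, {"access": "131.107.0.5", "webconf": "131.107.0.6", "av": "10.0.0.7"},
    True, False, "ISA Server 2006")

if __name__ == "__main__":
    for name, plan in (("single", SINGLE_BEHIND_NAT), ("scaled", SCALED_BEHIND_NAT)):
        for severity, message in check_plan(plan):
            print(f"{name}: {severity}: {message}")
```

A single Edge Server behind a NAT produces only a warning, while the same NAT in a scaled deployment produces errors for both the A/V address and the firewall mode.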
For details about default ports and required firewall settings, see Ports and Protocols in the Planning and Architecture documentation.