When people start digging into the specifics of the A/V Edge role in OCS 2007, they usually have a strong and immediate knee-jerk reaction something along the lines of, “No way!” (Mine was, “Oh, heck no!”) This reaction is usually caused by learning one or more of the following deployment requirements:
- Public IP address. The A/V Edge server needs to have a publicly routable IP address. This address must be publicly routable; you can’t fudge it by giving it an IP address in a private range (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) and do any sort of NAT to it. 1:1 NAT or static NAT mapping won’t do the trick here. You can and should have a firewall between it and the Internet, but it can’t be doing any address translation.
- Dual-homed. The A/V Edge server cannot be separated from the internal OCS servers by NAT. Therefore, if you’re using a private address range and NAT in your internal network, you have to give the A/V Edge server a second network interface and IP address on routable, non-NAT address range. (Note, however, it doesn’t have to be the same address range as the internal network, simply on an address range that is directly routable without NAT.)
- 20,0002 external ports. The external (publicly routable) interface needs to have the following ports opened to the Internet: UDP 3478, TCP 443, UDP 50,000-59,999, and TCP 50,000-59,999. Security people immediately look at the need to have 10,000 dynamic TCP ports and 10,000 dynamic UDP ports and have their head asplode in sheer instinctive security reaction.
I’ve personally reacted to all three of these requirements; I’ve yet to talk to a security-conscious IT professional new to OCS who hasn’t. So what on Earth is Microsoft doing putting these requirements in place? Have they completely lost it about security?
In a word, no.
There are good reasons why these requirements are in place. Rather than go over them myself, however, let me simply direct you to this excellent post on the OCS team blog. If you have any questions, post them there and tell ’em I sent you. Note that to post questions on their blog, you need to first join their Community Server site. This is painless and easy; simply click the Join link in the upper right-hand corner, pick a username and password, provide your email address, and you’re ready to go.