Publishing OCS 2007 Edge Server Roles using ISA Server 2006

When publishing the OCS 2007 Edge server roles through ISA Server 2006 there are two ways to configure them. First, you may put all OCS Edge server roles on public IP addresses and let ISA pass the traffic with access rules; second, you may put the Access Edge and Web Conferencing roles on private IP addresses and publish them through ISA using NAT (server publishing rules). Remember, the A/V Edge role still requires a public IP address whichever method you choose, because its media traffic (STUN/TURN) does not work through NAT on ISA.

Assumptions:

  1. This configuration assumes a single Edge server hosting all three roles (a consolidated edge), with each role on its own IP address.
  2. ISA Server is configured as a 3-leg (trihomed) firewall: Internal, Perimeter and External networks, with the Edge server in the Perimeter network.

Ports Required

Role                        | External-facing ports (Internet side)        | Internal-facing ports (corporate side)
----------------------------|----------------------------------------------|------------------------------------------
Access Edge Server          | TCP 5061, TCP 443                            | TCP 5061
A/V Edge Server             | TCP 443, UDP 3478, TCP/UDP 50,000-59,999     | TCP 443, TCP 5062, TCP/UDP 50,000-59,999
Web Conferencing Edge Server| TCP 443                                      | TCP 8057

Only the external-facing ports are exposed through ISA. The internal-facing ports (5062 for A/V authentication, 8057 for Web Conferencing) are reached from the internal network and must never appear in a rule whose source is External.
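Before touching ISA it is worth confirming, on the Edge server itself, that each role is actually listening on the address and port the rules will point at; a computer object that carries the wrong IP looks identical to a firewall problem from outside. The following PowerShell script is an added example, not code from the original post or from OCS. The role-to-IP mapping and the addresses in it are placeholders, and it assumes Windows PowerShell 2.0 or later on the Edge server.

```powershell
# Added example, not from the original post: run on the OCS 2007 Edge server to confirm that
# each role is listening where the ISA computer objects and rules will point.
# The IP addresses are placeholders (assumed role-to-IP mapping for this example).
$expected = @(
    @{ Role = 'Access Edge';           Proto = 'TCP'; Address = '192.0.2.10'; Port = 5061 },
    @{ Role = 'Access Edge';           Proto = 'TCP'; Address = '192.0.2.10'; Port = 443  },
    @{ Role = 'Web Conferencing Edge'; Proto = 'TCP'; Address = '192.0.2.11'; Port = 443  },
    @{ Role = 'A/V Edge';              Proto = 'TCP'; Address = '192.0.2.12'; Port = 443  },
    @{ Role = 'A/V Edge';              Proto = 'UDP'; Address = '192.0.2.12'; Port = 3478 }
)

function Get-Listeners {
    # Parse "netstat -ano" instead of Get-NetTCPConnection, which does not exist on the
    # Windows Server 2003/2008 builds OCS 2007 runs on.
    $listeners = @()
    foreach ($line in (netstat -ano)) {
        # TCP lines: "  TCP    192.0.2.10:5061    0.0.0.0:0    LISTENING    1234"
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            $listeners += @{ Proto = 'TCP'; Address = $matches[1]; Port = [int]$matches[2]; Pid = [int]$matches[3] }
        }
        # UDP lines have no state column: "  UDP    192.0.2.12:3478    *:*    5678"
        elseif ($line -match '^\s*UDP\s+(\S+):(\d+)\s+\*:\*\s+(\d+)') {
            $listeners += @{ Proto = 'UDP'; Address = $matches[1]; Port = [int]$matches[2]; Pid = [int]$matches[3] }
        }
    }
    return $listeners
}

function Test-EdgeListeners {
    param($Expected, $Listeners)
    foreach ($e in $Expected) {
        # A wildcard (0.0.0.0) bind also satisfies the check, but note that it means the
        # role answers on every address of the server, not only the one ISA points at.
        $hit = @($Listeners | Where-Object { $_.Proto -eq $e.Proto -and $_.Port -eq $e.Port -and ($_.Address -eq $e.Address -or $_.Address -eq '0.0.0.0') })
        $state = if ($hit.Count -gt 0) { 'OK (pid {0})' -f $hit[0].Pid } else { 'MISSING' }
        '{0,-22} {1} {2}:{3,-5} {4}' -f $e.Role, $e.Proto, $e.Address, $e.Port, $state
    }
}

Test-EdgeListeners -Expected $expected -Listeners (Get-Listeners)
```

Run it after the Edge services have started; a MISSING line means the role is bound elsewhere (or not at all) and no ISA rule will fix that. The 50,000-59,999 media range is allocated per call, so it does not show up as a listener and is not checked here.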


Protocols Required in ISA

Protocol Name                                | Protocol Type | Protocol Direction | Port Range
---------------------------------------------|---------------|--------------------|---------------
Mutual Transport Layer Security (MTLS)       | TCP           | Outbound           | 5061-5061
Simple Traversal of UDP through NAT (STUN)   | TCP           | Outbound           | 50,000-59,999
                                             | UDP           | Send               | 50,000-59,999
                                             | UDP           | Send               | 3478-3478

The STUN protocol definition carries all three port ranges as primary connections of one protocol. HTTPS (TCP 443) needs no custom definition; the built-in HTTPS protocol is used in the access rules.

Method 1: You have all OCS Edge server roles on public IP addresses

In this method the Perimeter network holds public IP addresses, so the network rule between External and Perimeter must be a Route relationship, not NAT. On ISA Server 2006 we have to create three computer objects (one per role IP) and then three access rules to allow traffic from external users. We also have to create two custom protocols named MTLS (TCP 5061) and STUN (TCP 50,000-59,999, UDP 50,000-59,999 and UDP 3478).

Creating the Protocols

  1. In the ISA console, click Firewall Policy in the left pane and then click the Toolbox tab in the task pane on the right.
  2. Go to Protocols and click New Protocol.
  3. Name the protocol "MTLS" and click Next.
  4. Click New, select TCP, set the direction to Outbound and the port range to 5061 to 5061. Click OK and then Next.
  5. Click Next on the Secondary Connections page (none are needed).
  6. Click Finish.

**Repeat the above steps to create the STUN protocol, adding three primary connections (TCP Outbound 50,000-59,999, UDP Send 50,000-59,999, UDP Send 3478). Check the directions in the table above to create the protocol correctly; a protocol created with the wrong direction will not be selectable in the rule you need it for.

Create Computer Objects

  1. Go to Firewall Policy and open the Toolbox in the task pane on the right.
  2. Under Toolbox click Network Objects and then New.
  3. Select Computer and name the object "Access Edge". Enter the IP address of the Access Edge role; this is the public IP address you assigned to that role on the OCS Edge server.
  4. Click OK.

**Repeat these steps to create computer objects named "Web Conferencing" and "A/V Edge" for the other two roles, each with its own public IP address.

Create Access Rules

  1. Right-click Firewall Policy, select New and click Access Rule.
  2. Name the rule "Access Edge" and click Next.
  3. Select Allow and click Next.
  4. On the Protocols page choose "Selected protocols", click Add and select the MTLS protocol created above. Also add the built-in HTTPS protocol, then click Next.
  5. On the Access Rule Sources page click Add and select External under Networks. Click Next.
  6. On the Access Rule Destinations page click Add and select the "Access Edge" computer object under Computers. Click Next. Using the whole Perimeter network as the destination would allow these ports to every host in the DMZ, which is wider than needed; the computer object limits the rule to the one role IP.
  7. On the User Sets page leave the default "All Users" selected (the external clients are anonymous to ISA).
  8. Click Finish.

**Repeat these steps to create access rules for the Web Conferencing and A/V roles: the Web Conferencing rule needs only HTTPS, the A/V rule needs HTTPS and STUN. When you are finished creating the rules, they should look like this:

Access Rule Name        | Rule Action | Protocols   | Access Rule Source | Access Rule Destination | User Sets
------------------------|-------------|-------------|--------------------|-------------------------|----------
Access Edge             | Allow       | HTTPS, MTLS | External           | Access Edge             | All Users
A/V Edge                | Allow       | HTTPS, STUN | External           | A/V Edge                | All Users
Web Conferencing Edge   | Allow       | HTTPS       | External           | Web Conferencing Edge   | All Users

Method 2: Using NAT for Access Edge and Web Conferencing

In this method the Access Edge and Web Conferencing roles sit on private IP addresses in the Perimeter network and ISA publishes them on public IP addresses bound to its external interface; the A/V Edge keeps a public IP address and is handled with an access rule as in Method 1. We need:

  1. Three computer objects in ISA named "Access Edge", "Web Conferencing" and "A/V Edge".
  2. An inbound MTLS protocol definition (server publishing rules only accept inbound protocols).
  3. A NAT network rule for the Access Edge and Web Conferencing computer objects.
  4. Three server publishing rules (MTLS to Access Edge, HTTPS to Access Edge, HTTPS to Web Conferencing).
  5. One access rule for the A/V Edge.

Protocol Name                                | Protocol Type | Protocol Direction | Port Range
---------------------------------------------|---------------|--------------------|-----------
Mutual Transport Layer Security (MTLS)       | TCP           | Inbound            | 5061-5061

Creating the computer objects

Follow the steps mentioned in Method 1 for creating the computer objects

Creating the Inbound MTLS Protocol

Follow the steps mentioned in the Method 1 for creating the protocol. Remember to change the direction to inbound.

Creating the NAT Relationship for Access Edge and Web Conferencing

  1. Click Networks under Configuration in the ISA console.
  2. Go to the Network Rules tab in the middle pane.
  3. In the task pane on the right click "Create a New Network Rule".
  4. Name the network rule "OCS Access" and click Next.
  5. On the Network Traffic Sources page click Add and select the "Access Edge" and "Web Conferencing" computer objects created earlier. Click Next.
  6. On the Network Traffic Destinations page click Add and select External. Click Next.
  7. On the Network Relationship page select Network Address Translation (NAT) and click Next.
  8. Click Finish.

This rule must be ordered above the default Route rule between Perimeter and External, so that only these two hosts are translated and the A/V Edge keeps its public address.

Create Server Publishing Rules

  1. Go to Firewall Policy, right-click, select New and click Non-Web Server Protocol Publishing Rule.
  2. Name it "MTLS Access" and click Next.
  3. On the Select Server page enter the private IP address of the OCS Access Edge role and click Next.
  4. On the Select Protocol page select the MTLS protocol created in the previous step. The protocol only appears here if it is inbound; no outbound protocols are offered for server publishing.
  5. Click Next.
  6. On the Network Listener IP Addresses page select External and click Addresses to pick the specific public IP address mapped to this role. Do not leave the listener on "All IP addresses", or the Access Edge and Web Conferencing rules would compete for TCP 443 on the same address.
  7. Click Finish.

**Repeat the above steps to create two more server publishing rules using the built-in HTTPS Server protocol, one to the Access Edge IP and one to the Web Conferencing IP, each listening on that role's public address.

By default a server publishing rule passes the original client's IP address to the published server ("Requests appear to come from the original client" on the rule's To tab). For the reply to get back through ISA, the Edge server's default gateway on the interface that ISA publishes must be ISA's Perimeter interface; otherwise the replies bypass ISA and every external connection fails after the initial SYN. If the gateway cannot be changed, set the rule to "Requests appear to come from the ISA Server computer", accepting that the Edge will then log ISA's address instead of the client's.

Creating the Access Rule for A/V Edge

Follow the steps in Method 1 to create the access rule (HTTPS and STUN, source External, destination the "A/V Edge" computer object) that allows traffic to the A/V Edge server. Because the A/V Edge is not covered by the NAT network rule, its traffic is routed, which is why it still needs a public IP address.
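Once the rules of either method are in place, the check a practitioner wants is whether the Internet side now sees exactly the external ports in the tables above, and nothing else, and whether the TLS listeners present the expected certificate. The following PowerShell script is an added example, not code from the original post or from Microsoft; it is run from a host on the Internet side of ISA. The hostnames, the three-second timeout and the role-to-port mapping are assumptions taken from the port table, and it requires Windows PowerShell 2.0 or later for the delegate cast.

```powershell
# Added example, not from the original post: external reachability and certificate check
# for OCS 2007 Edge roles published through ISA Server 2006. Run from the Internet side.
# Hostnames and the timeout are placeholders/assumptions for this example.
$roles = @(
    @{ Name = 'Access Edge';           Target = 'sip.example.com';     Open = @(5061, 443); Closed = @(5062, 8057); Tls = $true  },
    @{ Name = 'Web Conferencing Edge'; Target = 'webconf.example.com'; Open = @(443);       Closed = @(8057);       Tls = $true  },
    # TCP 443 on the A/V Edge carries STUN/TURN over TCP rather than TLS, so only reachability is checked there.
    @{ Name = 'A/V Edge';              Target = 'av.example.com';      Open = @(443);       Closed = @(5062);       Tls = $false }
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        # ISA silently drops SYNs it has no rule for; without a timeout the connect would stall
        # for the OS default (20 seconds or more) on every filtered port.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }          # RST or DNS failure: treat as not reachable
    finally { $client.Close() }
}

function Get-RemoteCertificate {
    param([string]$Target, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        # Accept whatever the listener presents: we are reading the certificate, not trusting it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Target)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

foreach ($r in $roles) {
    foreach ($p in $r.Open) {
        $open = Test-TcpPort -Target $r.Target -Port $p
        $line = '{0,-22} {1}:{2,-5} {3}' -f $r.Name, $r.Target, $p, $(if ($open) { 'open' } else { 'BLOCKED' })
        if ($open -and $r.Tls) {
            try {
                $cert = Get-RemoteCertificate -Target $r.Target -Port $p
                $line += ('  cert={0}  expires={1:yyyy-MM-dd}' -f $cert.Subject, $cert.NotAfter)
            } catch { $line += '  (TLS handshake failed: ' + $_.Exception.Message + ')' }
        }
        $line
    }
    # Internal-facing ports must not answer from the Internet; anything open here is a rule mistake
    # (for example a destination set to the whole Perimeter network, or a protocol list that is too wide).
    foreach ($p in $r.Closed) {
        if (Test-TcpPort -Target $r.Target -Port $p) {
            'WARNING: {0} answers on internal-only port {1} from External; check the rule''s protocol list' -f $r.Name, $p
        }
    }
}
```

Two caveats when reading the output. UDP 3478 and the 50,000-59,999 media range are not probed, since a UDP datagram that gets no reply is indistinguishable from one that was dropped; a real audio/video call between an external and an internal user remains the test for those. And an OCS 2007-era listener may offer only SSL 3.0 or TLS 1.0, which a current .NET client refuses by default, so a "TLS handshake failed" on a port reported open can be a protocol-version mismatch on the test host rather than a firewall problem; run it from a client of the same vintage as the users, or compare the certificate subject against the Edge's expected external FQDN from a machine that can negotiate TLS 1.0.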

2 thoughts on “Publishing OCS 2007 Edge Server Roles using ISA Server 2006”

  1. Hi Inderjeet, Great blog. Do you know how to publish OCS 2007 through the new Threat Management Gateway? Also I need to set up OCS but only have a single server for ISA/TMG and a single server for OCS 2007; we don’t have another server to run as a separate Edge/Access Proxy server. Is this possible? I’m wondering if you can set up the Edge/Access Proxy on the ISA/TMG server?

  2. Hi Inderjeet, I want to just publish the Access Edge and keep getting back on the ISA Server: Failed Connection Attempt – Web Proxy (Reverse). I’m also using Method #2. Thank you.
