There are two ways to publish the OCS 2007 Edge server roles through ISA Server. In the first, all Edge roles sit on public IP addresses and ISA routes traffic to them. In the second, the Access Edge and Web Conferencing roles sit on private IP addresses and are published through ISA Server using NAT. Whichever method you choose, the A/V Edge role still requires a public IP.
Assumptions:
- This configuration assumes you have a single Edge server.
- ISA Server is deployed as a 3-Leg Perimeter firewall.
Ports Required

| Role | External User Port Requirements | Internal User Port Requirements |
| --- | --- | --- |
| Access Edge Server | 5061, 443 | 5061 |
| A/V Edge Server | 443, 3478, 50,000-59,999 | 443, 5062, 50,000-59,999 |
| Web Conferencing Edge Server | 443 | 8057 |
Protocols Required in ISA

| Protocol Name | Protocol Type | Protocol Direction | Port Range |
| --- | --- | --- | --- |
| Mutual Transport Layer Security (MTLS) | TCP | Outbound | 5061-5061 |
| Simple Traversal of UDP through NAT (STUN) | TCP | Outbound | 50,000-59,999 |
| | UDP | Send | 50,000-59,999 |
| | UDP | Send | 3478-3478 |
Method 1: All OCS Edge server roles on public IP
On ISA Server 2006 we have to create three computer objects and then three access rules to allow traffic from external users. We also have to create two custom protocols named MTLS (TCP 5061) and STUN (TCP 50,000-59,999, UDP 50,000-59,999 and UDP 3478).
Creating the Protocols
- In the ISA console, click Firewall Policy on the left and then click the Toolbox tab on the far right-hand bar
- Go to Protocols and click New Protocol
- Name the protocol "MTLS" and click Next
- Click New, select TCP, set the direction to Outbound and the port range to 5061 to 5061. Click OK and then Next
- Click Next on the Secondary Connections page
- Click Finish
**Repeat the above steps to create the STUN protocol, adding all three primary connections listed in the protocol table. Check the directions given in the table so the protocol is created correctly.
Create Computer Objects
- Go to Firewall Policy and open the Toolbox on the right-hand bar
- Under Toolbox click Network Objects and then New
- Select Computer and name the object "Access Edge". Enter the IP address of the Access Edge role; this is the public IP you assigned to that role on the OCS Edge server.
- Click OK
**Repeat these steps to create computer objects for the Web Conferencing and A/V roles.
Create Access Rules
- Right-click Firewall Policy, select New and click "Access Rule"
- Name the rule "Access Edge" and click Next
- Select Allow and click Next
- On the Protocols page click Add and select the MTLS protocol created above. Also select HTTPS, then click Next
- Under Access Rule Sources click Add and select External under Networks. Click Next
- Under Access Rule Destinations click Add and select Perimeter under Networks. Click Next
- On the User Sets page leave the default "All Users" selected
- Click Finish
**Repeat these steps to create access rules for the Web Conferencing and A/V roles. When you have finished, the rules should look like this:
| Access Rule Name | Rule Action | Protocols | Access Rule Source | Access Rule Destination | User Sets |
| --- | --- | --- | --- | --- | --- |
| Access Edge | Allow | HTTPS, MTLS/SIP | External | Access Edge | All Users |
| A/V Edge | Allow | HTTPS, STUN | External | A/V Edge | All Users |
| Web Conferencing Edge | Allow | HTTPS | External | Web Conferencing Edge | All Users |
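To make the relationship between the three tables explicit, here is an added Python model (not part of the original post, and not ISA Server code) that encodes the external port table and the two custom protocol definitions, expands a Method 1 access rule into the ports it actually opens, and reports what a rule misses or over-opens. The names EXTERNAL_PORTS, ISA_PROTOCOLS, audit_rule and the rest are my own; the role names and port numbers are the ones in the tables above, and the built-in HTTPS protocol is assumed to be TCP 443 outbound.

```python
"""Model of the OCS 2007 Edge port table and the ISA custom protocols
derived from it, plus an audit of what a Method 1 access rule opens.
Added illustration, not code from the original post or from ISA Server:
the names below are mine; the role names and port numbers are those in
the tables above, and the built-in HTTPS protocol is modelled as TCP 443."""

from dataclasses import dataclass

# "External User Port Requirements" column as (transport, low, high).
# The 50,000-59,999 media range appears under both TCP and UDP in the
# protocol table, so it is recorded under both transports here.
EXTERNAL_PORTS = {
    "Access Edge": {("tcp", 5061, 5061), ("tcp", 443, 443)},
    "A/V Edge": {("tcp", 443, 443), ("udp", 3478, 3478),
                 ("tcp", 50000, 59999), ("udp", 50000, 59999)},
    "Web Conferencing Edge": {("tcp", 443, 443)},
}


@dataclass(frozen=True)
class PrimaryConnection:
    transport: str   # "tcp" or "udp"
    direction: str   # ISA wording: Outbound/Inbound for TCP, Send/Receive for UDP
    low: int
    high: int


# The two custom protocols from the "Protocols Required in ISA" table.
ISA_PROTOCOLS = {
    "MTLS": [PrimaryConnection("tcp", "Outbound", 5061, 5061)],
    "STUN": [PrimaryConnection("tcp", "Outbound", 50000, 59999),
             PrimaryConnection("udp", "Send", 50000, 59999),
             PrimaryConnection("udp", "Send", 3478, 3478)],
}
# HTTPS is a built-in ISA protocol (assumed here to be TCP 443 outbound).
BUILTIN = {"HTTPS": [PrimaryConnection("tcp", "Outbound", 443, 443)]}

# Access rules from the Method 1 table: role -> protocols allowed from External.
METHOD1_RULES = {
    "Access Edge": ["HTTPS", "MTLS"],
    "A/V Edge": ["HTTPS", "STUN"],
    "Web Conferencing Edge": ["HTTPS"],
}


def ports_opened_by_rule(role, protocols=None):
    """Expand the protocols on a role's access rule into (transport, low, high).
    protocols defaults to the Method 1 rule for that role."""
    if protocols is None:
        protocols = METHOD1_RULES[role]
    catalogue = {**ISA_PROTOCOLS, **BUILTIN}
    return {(c.transport, c.low, c.high)
            for name in protocols for c in catalogue[name]}


def _covered(spec, ranges):
    """True if every port in spec lies inside one range with the same transport."""
    t, lo, hi = spec
    return any(t == rt and rlo <= lo and hi <= rhi for rt, rlo, rhi in ranges)


def audit_rule(role, protocols=None):
    """Compare what an access rule opens with the external port table.
    Returns (missing, extra): required ranges the rule does not cover, and
    ranges the rule opens that the table does not call for."""
    opened = ports_opened_by_rule(role, protocols)
    required = EXTERNAL_PORTS[role]
    missing = {r for r in required if not _covered(r, opened)}
    extra = {o for o in opened if not _covered(o, required)}
    return missing, extra


if __name__ == "__main__":
    for role in METHOD1_RULES:
        missing, extra = audit_rule(role)
        print(f"{role}: missing={sorted(missing)} extra={sorted(extra)}")
    # An A/V rule built with HTTPS only leaves the STUN ports closed:
    print("A/V Edge without STUN:", sorted(audit_rule("A/V Edge", ["HTTPS"])[0]))
```

Running it with the Method 1 rules gives empty missing and extra sets for all three roles; dropping STUN from the A/V rule reports the 3478 and 50,000-59,999 ranges as missing, and adding MTLS to the Web Conferencing rule reports TCP 5061 as an extra opening. The same check is useful after any later rule change, since the access rule table, not the port table, is what ISA enforces.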
Method 2: Using NAT for Access Edge and Web Conferencing
We need:
- Three computer objects in ISA named "Access Edge", "Web Conferencing" and "A/V Edge"
- An inbound MTLS protocol
- A NAT relationship for Access Edge and Web Conferencing
- Three server publishing rules
- One access rule for A/V Edge
| Protocol Name | Protocol Type | Protocol Direction | Port Range |
| --- | --- | --- | --- |
| Mutual Transport Layer Security (MTLS) | TCP | Inbound | 5061-5061 |
Creating the Computer Objects
Follow the steps given in Method 1 for creating the computer objects.
Creating the Inbound MTLS Protocol
Follow the steps given in Method 1 for creating the protocol, but set the direction to Inbound.
Creating the NAT Relationship for Access Edge and Web Conferencing
- In the ISA console, click Networks under Configuration
- Go to the Network Rules tab in the middle pane
- In the right pane click "Create a New Network Rule"
- Name the network rule "OCS Access" and click Next
- On the Network Traffic Sources page click Add and select the "Access Edge" and "Web Conferencing" computer objects created earlier. Click Next
- On the Network Traffic Destinations page click Add and select External. Click Next
- On the Network Relationship page select Network Address Translation (NAT) and click Next
- Click Finish
Create Server Publishing Rules
- Go to Firewall Policy, right-click, select New and click Non-Web Server Protocol Publishing Rule
- Name it "MTLS Access" and click Next
- On the Select Server page, enter the private IP address of the OCS Access Edge role and click Next
- On the Select Protocol page, select the MTLS protocol created in the previous step. The protocol appears here only because it is defined as inbound; outbound protocols are not listed.
- Click Next
- On the Network Listener IP Addresses page select External, then click Addresses and select the public IP mapped to this role
- Click Finish
**Repeat the above steps to create two server publishing rules using the built-in HTTPS Server protocol, one for the Access Edge IP address and one for the Web Conferencing IP address.
Creating the Access Rule for A/V Edge
Follow the steps in Method 1 to create the access rule that allows traffic to the A/V Edge server.
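The Method 2 layout has several constraints that are easy to get wrong in the console: the publishing rules only accept an inbound protocol definition, both NATed roles must be sources of the NAT network rule, two roles that both listen on 443 cannot share one public listener, and A/V Edge stays on a public IP behind an access rule rather than NAT. The following added Python script (mine, not part of the original post or of ISA Server) models that layout and checks those constraints. The class and function names are my own, the addresses in sample_config() are constructed sample values, and the checks encode only what the post states.

```python
"""Consistency checks for the Method 2 (NAT) layout described above.
Added illustration, not part of the original post or of ISA Server: the
class and function names are mine, the addresses in sample_config() are
constructed, and the checks encode only the constraints the post states
(inbound protocol definitions for publishing rules, a NAT relationship for
the two NATed roles, one listener per published port, and a routed public
IP with an access rule for A/V Edge)."""

from dataclasses import dataclass


@dataclass
class Protocol:
    name: str
    direction: str   # ISA labels TCP protocol definitions "Inbound" or "Outbound"
    low: int
    high: int


@dataclass
class ServerPublishingRule:
    name: str
    role: str          # computer object the rule publishes
    internal_ip: str   # private address the Edge role listens on
    protocol: Protocol
    listener_ip: str   # public address ISA listens on (External network)


@dataclass
class Method2Config:
    nat_rule_sources: set          # sources of the "OCS Access" NAT network rule
    publishing_rules: list
    av_access_rule: bool = False   # A/V Edge is allowed by an access rule, not NAT


# Publishing rules the post calls for: (role, protocol name)
EXPECTED_PUBLISHING = {
    ("Access Edge", "MTLS"),
    ("Access Edge", "HTTPS Server"),
    ("Web Conferencing", "HTTPS Server"),
}


def validate_method2(cfg):
    """Return a list of findings; an empty list means the layout matches the post."""
    findings = []
    listeners = {}   # (listener_ip, low, high) -> internal addresses behind it
    for r in cfg.publishing_rules:
        if r.protocol.direction != "Inbound":
            findings.append(f"{r.name}: {r.protocol.name} is defined {r.protocol.direction}; "
                            "server publishing rules only accept Inbound protocols")
        if r.internal_ip == r.listener_ip:
            findings.append(f"{r.name}: listener and internal address are both "
                            f"{r.listener_ip}; NAT publishing maps a public listener "
                            "to a different private address")
        if r.role not in cfg.nat_rule_sources:
            findings.append(f"{r.name}: {r.role} is not a source of the NAT network rule")
        key = (r.listener_ip, r.protocol.low, r.protocol.high)
        listeners.setdefault(key, set()).add(r.internal_ip)
    for (ip, low, high), backends in listeners.items():
        if len(backends) > 1:
            findings.append(f"listener {ip} ports {low}-{high} is claimed by "
                            f"{sorted(backends)}; each published role needs its own public IP")
    present = {(r.role, r.protocol.name) for r in cfg.publishing_rules}
    for role, proto in sorted(EXPECTED_PUBLISHING - present):
        findings.append(f"missing server publishing rule: {proto} for {role}")
    if "A/V Edge" in cfg.nat_rule_sources or any(r.role == "A/V Edge" for r in cfg.publishing_rules):
        findings.append("A/V Edge must keep a public IP behind an access rule, not NAT")
    if not cfg.av_access_rule:
        findings.append("no access rule for A/V Edge (HTTPS and STUN from External)")
    return findings


def sample_config():
    """Constructed Method 2 layout matching the post (sample addresses only)."""
    mtls = Protocol("MTLS", "Inbound", 5061, 5061)
    https = Protocol("HTTPS Server", "Inbound", 443, 443)   # built-in ISA protocol
    return Method2Config(
        nat_rule_sources={"Access Edge", "Web Conferencing"},
        publishing_rules=[
            ServerPublishingRule("MTLS Access", "Access Edge", "192.168.10.11", mtls, "203.0.113.11"),
            ServerPublishingRule("HTTPS Access Edge", "Access Edge", "192.168.10.11", https, "203.0.113.11"),
            ServerPublishingRule("HTTPS Web Conferencing", "Web Conferencing", "192.168.10.12", https, "203.0.113.12"),
        ],
        av_access_rule=True,
    )


if __name__ == "__main__":
    cfg = sample_config()
    print("valid layout:", validate_method2(cfg))
    # Re-create the mistake the post warns about: an outbound MTLS definition
    cfg.publishing_rules[0].protocol = Protocol("MTLS", "Outbound", 5061, 5061)
    for finding in validate_method2(cfg):
        print("finding:", finding)
```

The valid sample produces no findings; swapping the MTLS definition to Outbound, pointing both HTTPS rules at the same listener, or adding A/V Edge to the NAT rule each produces exactly one. The 192.168.10.x and 203.0.113.x addresses are placeholders for the private Edge addresses and the public listener addresses respectively.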
Hi Inderjeet, great blog. Do you know how to publish OCS 2007 through the new Threat Management Gateway? Also, I need to set up OCS but only have a single server for ISA/TMG and a single server for OCS 2007; we don’t have another server to run as a separate Edge/Access Proxy server. Is this possible? I’m wondering if you can set up the Edge/Access Proxy on the ISA/TMG server?
Hi Inderjeet, I want to just publish the Access Edge and keep getting back on the ISA Server – Failed Connection Attempt – Web Proxy (Reverse). I’m also using Method #2. Thank you.