Firewall Support
Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2013-06-26
Office Communications Server supports an internal firewall, an external firewall, or both an internal and an external firewall for Edge Servers. A configuration with both an internal and an external firewall is strongly recommended.
The internal firewall, the external firewall, or both can consist of multiple firewall computers behind a hardware load balancer.
In addition to being supported as a reverse proxy, Microsoft Internet Security and Acceleration (ISA) Server is supported as a firewall for Office Communications Server 2007 R2. The following versions of ISA are supported as a firewall:
ISA Server 2006
ISA Server 2004
Note
If you use ISA Server as your firewall, configuring it as a NAT is not supported, because ISA Server 2006 does not support static NAT.
The firewall requirements for correct functioning of Edge Servers are as follows:
For single, non-scaled Edge Server deployments (single Edge Server in a location), the IP address of the external interface of the A/V Edge service may or may not be publicly routable (although it is recommended that it be publicly routable). In this scenario, the external firewall can be configured as a network address translation (NAT). For details, see Firewall Requirements for External User Access in the Planning and Architecture documentation.
For scaled Edge Server deployments (multiple Edge Servers in a location), the IP address of the external interface of the A/V Edge service must be publicly routable. In this scenario, the external firewall must not function as a NAT.
In all Edge Server topologies, the internal firewall must not act as a NAT for the internal IP address of any Edge Servers.
Each service running on an Edge Server should have a separate IP address. The addresses can be assigned to separate physical network adapters or to a single multi-homed network adapter.
For details about default ports and required firewall settings, see Ports and Protocols in the Planning and Architecture documentation.
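The requirements above can be checked against a planned deployment before any firewall rules are written. The following is an added example, not part of the original documentation or of Office Communications Server. The EdgePlan fields, the service labels, and the list of non-public ranges are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption: ranges treated as not publicly routable (RFC 1918, CGNAT, link-local, loopback).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]

@dataclass
class EdgePlan:  # hypothetical description of one Edge Server location
    edge_servers: int            # number of Edge Servers in the location
    av_external_ip: str          # external interface of the A/V Edge service
    external_fw_nat: bool        # external firewall performs NAT
    internal_fw_nat: bool        # internal firewall NATs Edge internal addresses
    firewall_is_isa: bool = False                    # ISA Server used as the firewall
    service_ips: dict = field(default_factory=dict)  # service label -> IP address

def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)

def check_plan(plan):
    """Return (errors, warnings) for the firewall requirements listed above."""
    errors, warnings = [], []
    public = is_public(plan.av_external_ip)
    if plan.internal_fw_nat:
        errors.append("internal firewall must not NAT Edge Server internal IPs")
    if plan.firewall_is_isa and (plan.external_fw_nat or plan.internal_fw_nat):
        errors.append("ISA Server as a firewall cannot be configured as a NAT")
    if plan.edge_servers > 1:  # scaled deployment
        if not public:
            errors.append("scaled: A/V Edge external IP must be publicly routable")
        if plan.external_fw_nat:
            errors.append("scaled: external firewall must not function as a NAT")
    elif not public:  # single Edge Server: allowed, but not the recommended layout
        warnings.append("single: publicly routable A/V Edge external IP is recommended")
    seen = {}
    for service, ip in plan.service_ips.items():
        if ip in seen:  # "should" in the requirements, so a warning rather than an error
            warnings.append(f"{service} shares {ip} with {seen[ip]}; use separate IPs")
        seen.setdefault(ip, service)
    return errors, warnings

if __name__ == "__main__":
    # Constructed sample: two Edge Servers behind a NAT with a private A/V address.
    plan = EdgePlan(2, "10.0.0.5", True, False,
                    service_ips={"access": "10.0.0.3", "webconf": "10.0.0.3"})
    for level, msgs in zip(("ERROR", "WARN"), check_plan(plan)):
        for m in msgs:
            print(level, m)
```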