Firewalls for Lync Server 2010
Topic Last Modified: 2012-07-18
How you configure your firewalls largely depends on the specific firewalls you use in your organization. However, there are configuration requirements common to all firewalls that are specific to Microsoft Lync Server 2010. Follow the manufacturer’s instructions for configuring each firewall, along with the information in this section, which describes the settings that must be configured on the two firewalls.
Because the A/V Edge service requires a publicly routable IP address, the external firewall of the perimeter network must not act as a NAT for this IP address when a hardware load balancer is used. If the edge server is a single consolidated edge server, Lync Server 2010 allows the use of NAT for all three edge services. When you use DNS load balancing, you can also use NAT at the firewall for all edge services.
Additionally, the internal firewall must not act as a NAT for the internal IP address of the A/V Edge service. That internal IP address must be fully routable from the internal network.
For details about configuring the internal and external firewalls of your perimeter network, see Determining External A/V Firewall and Port Requirements in the Planning documentation.
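As an added illustration (not Microsoft tooling or a Lync Server cmdlet), the following Python encodes the NAT rules above as a check over a planned edge topology and a vendor-neutral NAT rule list; the EdgePlan fields, the rule syntax and the sample addresses are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology description; the field names are this example's own.
@dataclass
class EdgePlan:
    topology: str        # "consolidated", "hlb" (hardware load balancer) or "dns_lb"
    av_external_ip: str  # address on the external interface used by the A/V Edge service
    av_internal_ip: str  # address on the internal interface used by the A/V Edge service

def parse_nat_rules(text):
    """Parse constructed rule lines '<firewall> nat <outside-ip> -> <inside-ip>',
    where <firewall> is 'external' or 'internal' and '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5 or parts[1] != "nat" or parts[3] != "->" \
                or parts[0] not in ("external", "internal"):
            raise ValueError(f"unrecognised NAT rule: {raw!r}")
        rules.append((parts[0], ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[4])))
    return rules

def nat_violations(plan, rules):
    """Return descriptions of NAT rules that break the A/V Edge routing requirements."""
    av_ext = ipaddress.ip_address(plan.av_external_ip)
    av_int = ipaddress.ip_address(plan.av_internal_ip)
    findings = []
    for fw, outside, inside in rules:
        if fw == "internal" and av_int in (outside, inside):
            # The internal A/V Edge IP must be fully routable from the internal network.
            findings.append(f"internal firewall NATs the A/V Edge internal IP {av_int}")
        elif fw == "external" and av_ext in (outside, inside) and plan.topology == "hlb":
            # Only a hardware-load-balanced pool needs a publicly routable A/V Edge IP;
            # a single consolidated edge or DNS load balancing may sit behind NAT.
            findings.append(f"external firewall NATs the A/V Edge external IP {av_ext} "
                            "although a hardware load balancer is in use")
    return findings

# Constructed sample: a hardware-load-balanced pool whose external firewall maps a
# public address onto the A/V Edge IP and whose internal firewall rewrites it too.
SAMPLE_RULES = """
external nat 203.0.113.10 -> 192.0.2.20   # A/V Edge external IP behind NAT
external nat 203.0.113.11 -> 192.0.2.21   # Access Edge; no restriction stated for it
internal nat 10.0.0.50 -> 172.16.0.5      # A/V Edge internal IP rewritten
"""
HLB_PLAN = EdgePlan("hlb", "192.0.2.20", "10.0.0.50")
```

Running nat_violations(HLB_PLAN, parse_nat_rules(SAMPLE_RULES)) reports both rules that touch the A/V Edge addresses; switching the topology to "consolidated" or "dns_lb" leaves only the internal-firewall finding.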
Best Practices
To help increase security in your perimeter network, we recommend that you deploy edge servers in the following ways:
Create a new subnet out of your router for Lync Server.
Verify that traffic coming to the Lync Server subnet does not route to other subnets.
On your initial router, configure rules to ensure that there is no routing between your Lync Server subnet and other subnets (with the exception of a management subnet that can include management services for your perimeter network).
On your internal router, do not allow any broadcasts or multicasts coming from the Lync Server subnet in the perimeter network.
Deploy edge servers between two firewalls (an internal firewall and an external firewall) to ensure strict routing from one network edge to the other.
In addition, to enhance edge server performance and security, as well as to facilitate deployment, use the following guidelines when establishing your deployment process:
Deploy edge servers only after you finish deploying Lync Server 2010 inside your organization, unless you are migrating from Microsoft Office Communications Server 2007 to Lync Server 2010. For details about the migration process, see the Migration from Office Communications Server 2007 R2 to Lync Server 2010 documentation and the Migration from Office Communications Server 2007 to Lync Server 2010 documentation.
Deploy edge servers in a workgroup rather than a domain. Doing so simplifies installation and keeps the Active Directory Domain Services out of the perimeter network. Locating Active Directory Domain Services in the perimeter network can present a significant security risk.
Deploy your edge servers in a staging or lab environment before deploying them in your production environment. Deploy the edge servers in your perimeter network only when you are satisfied that the test deployment meets your requirements and that it can be incorporated successfully in a production environment.
Deploy at least one Director to act as an authentication gateway for inbound external traffic.
Deploy edge servers on dedicated computers that run only what is required. This includes disabling unnecessary services and running only essential programs on the computer, such as applications that implement routing logic and are developed by using Microsoft SIP Processing Language (MSPL) and the Lync Server API.
Enable monitoring and auditing as early as possible on the computer.
Use a computer that has two network adapters to provide physical separation of the internal and external network interfaces.