
We are looking to deploy a single consolidated edge on a vSphere Cluster. From reading the Microsoft documentation, it appears you need two layers of firewalling.

Internet <--> Firewall <--> Edge Server/Reverse Proxy <--> Firewall <--> Front End/LAN

In practice, given a virtual environment, with only one external facing firewall, do you really need another firewall in-between the Edge (which will have two NICs, one on the DMZ, and one on the LAN with static routes/no default gateway) and the Frontend server on the LAN?

On that note - with regards to a reverse proxy, why can't you just NAT direct from the WAN to the LAN interface of the frontend for the Lync Web Services?

BastianW
PnP

1 Answer


Microsoft's best practices and design guidelines for Lync/SfB deployments suggest:

  • Using a reverse proxy for publishing the external web services of Front-End servers.
  • Placing the Edge servers in a position such that they are locked between two firewalls, one separating their public interfaces from the Internet, and one separating their internal interfaces from the LAN.

That said, it's actually quite common to use simpler configurations:

  • The reverse proxy can indeed be replaced by a simple NAT, but you'll need to remap TCP ports, because the external web services need to be published on TCP port 443, but they are actually listening on Front-End servers on TCP port 4443 (port 443 is used for the internal web services).
  • The Edge servers can have their internal interfaces directly connected to your LAN; however, please keep in mind that this is a potential security risk: if an Edge server gets compromised, it can (and will) be used as a bridgehead into your network; that's the main design reason for putting a firewall between it and your LAN.
Massimo
  • Is there a disadvantage to using NAT instead of a reverse proxy? – PnP Feb 20 '16 at 00:19
  • Not really; all the reverse proxy does is forwarding HTTP requests from external clients to Front-End server(s) and passing replies back; it doesn't really add much in terms of security. – Massimo Feb 20 '16 at 00:33
  • A reverse proxy only has a true purpose in environments where internal servers don't have Internet access at all, so they can't directly reply to external requests; in such environments, NAT is unfeasible and you actually *need* an additional layer between internal servers and external clients. – Massimo Feb 20 '16 at 00:34
  • In terms of the Edge being compromised, surely this would be no different to sticking a TMG in-place for your Internal firewall, with an Interface on both the LAN and the DMZ (where the Edge is located). If this was compromised, you would have the same problem? – PnP Feb 24 '16 at 17:12
  • A reverse proxy only handles HTTP requests (and it doesn't handle them directly, it just forwards them to other servers); an Edge server provides a lot more services, with a much bigger attack surface. – Massimo Feb 24 '16 at 19:23
  • I would like to have a chat with you if possible on stack chat to discuss, I'm struggling to decide on an appropriate design solution with only one physical firewall with VMs based on a vSphere cluster. Would you mind? – PnP Feb 24 '16 at 19:31
  • That's ok for me (just keep in mind that different people can have different opinions and mine are no better than anyone else's; also, a lot depends on the actual infrastructure and requirements). – Massimo Feb 24 '16 at 20:00
  • https://chat.stackoverflow.com/rooms/104473/s4b-migration – PnP Feb 24 '16 at 20:39
  • If I could upvote you more, I would! – PnP Feb 24 '16 at 22:37
  • Well, technically you did... that +100 bounty was quite nice ;) – Massimo Feb 25 '16 at 23:14
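The NAT-instead-of-reverse-proxy option from the answer above comes down to one port remap: external clients hit TCP 443 on the public address, while the Front-End's external web services listen on TCP 4443 (443 on the Front-End is the internal web site). The script below is an added example, not code from the thread or from Microsoft, showing that remap as iptables DNAT rules on a Linux firewall; the interface name, public IP and Front-End IP are assumed placeholders, and the `DRY_RUN` switch exists only so the rules can be previewed without root. It deliberately forwards only the remapped port, so the Front-End's internal web services on 443 stay unreachable from the WAN.

```shell
#!/bin/sh
# Added example (not from the Server Fault thread): publish the Lync/SfB
# external web services with plain NAT on a Linux/iptables firewall.
# Assumed placeholder values; override via the environment.
WAN_IF="${WAN_IF:-eth0}"             # hypothetical Internet-facing interface
WAN_IP="${WAN_IP:-203.0.113.10}"     # hypothetical public IP for the external web services FQDN
FE_IP="${FE_IP:-10.0.0.5}"           # hypothetical Front-End server on the LAN
EXT_PORT=443                         # what external clients connect to
FE_EXT_WEB_PORT=4443                 # where the Front-End's external web services listen

# Print the rules instead of applying them when DRY_RUN=1.
ipt() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

lync_nat_rules() {
  # Remap: external 443 on the public IP -> Front-End 4443.
  ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport "$EXT_PORT" \
      -j DNAT --to-destination "$FE_IP:$FE_EXT_WEB_PORT"
  # Forward only the remapped port to the Front-End; the Front-End's own 443
  # (internal web services) is never exposed to the WAN.
  ipt -A FORWARD -i "$WAN_IF" -d "$FE_IP" -p tcp --dport "$FE_EXT_WEB_PORT" \
      -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  # Return traffic for those sessions only.
  ipt -A FORWARD -o "$WAN_IF" -s "$FE_IP" -p tcp --sport "$FE_EXT_WEB_PORT" \
      -m conntrack --ctstate ESTABLISHED -j ACCEPT
}
```

Run it with `DRY_RUN=1 sh -c '. ./lync-nat.sh; lync_nat_rules'` to review the generated rules, then without `DRY_RUN` (as root) to apply them; a default-drop FORWARD policy is assumed, otherwise the narrow ACCEPT rules do not actually restrict anything.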