re: A/V Edge and Publicly routable IP addresses (Part ii)

richardo — Fri, 14 Mar 2008 13:37:35 GMT

What I am really curious about, is the actual implementation of the "firewall" on the external side of the edge server.

All the guides just put a simple red line, that represents the border between the edge server and the internet, but they lack to detail what kind of firewalling should be put there.

If NAT isn't an issue, one would simply put a PC router in DMZ, that will translate packets coming to its public leg into a private IP used by the edge server's external leg and things are fine. However, if we should use public IP on the external side, I feel that things get complicated, as the router and even the edge external leg should have its own public IP. In this case if I understand correctly, we have 2 choices:

-filter the traffic arriving to the edge's external interface using Layer3 switch rules (that means, filtering applyed to the router of the ISP that hosts our DMZ servers)

-put an additional PC router into the DMZ that will route packets arriving from the ISP via the PC router to the edge's external public IP, and do the filtering meanwhile.

Filtering may not be possible on the edge server locally, as colocation with ISA is not supported, and the built-in w2k3 firewall is not so flexible to easily create those dynamic bidirectional port-ranges.

Public IP Requirements for A/V Edge

Rob Costello — Sun, 16 Mar 2008 11:56:08 GMT

So a few people get nervous when you tell them your going to need a publicly routable IP when implementing

re: A/V Edge and Publicly routable IP addresses (Part ii)

Alan Twigg — Fri, 09 May 2008 17:36:04 GMT

Does anyone have detailed tech info on the STUN\ICE implementation in OCS2007? it doesn't appear to be working correctly in our environment ( we do have a publicly routable ip address and no natting on any firewall )