Publicly routable IP address needed for A/V Edge server

When deploying OCS 2007 in an environment where you wish remote users (i.e. users outside of your network) to still be able to use the services, you will need to deploy an Edge Server. The Edge Server was known as the Access Proxy in LCS 2005. Much like the front end pool of OCS 2007, the Edge Server can scale to the needs of your environment and can be deployed in a consolidated mode (all roles on one server) or expanded mode (separate servers for each role). The roles for the Edge Server are the Access Edge Server, Web Conferencing Edge Server, and A/V Edge Server. The Access Edge Server is essentially the same thing as the Access Proxy of LCS 2005 (with improvements). The Web Conferencing Edge Server allows remote and anonymous users to attend web conferences that are hosted on your OCS environment. The A/V Edge Server allows remote users to participate in audio and video communication. The external network interface for the A/V Edge Server must use a publicly routable IP address and cannot be NAT'ed.

This often solicits a gasp from the network security people. So, I'd like to try to explain what we are doing to make this work and why it is not as big a security risk as some may think. First, we have to dispel the notion that NAT equals security. It doesn't. The security risk is the application bound to the port, not knowing the IP address of the application. In other words, teaching a dog to meow doesn't make a cat feel any better. If NAT is your sole means of security from the Internet, then you had better start planning for IPv6 now, because NAT doesn't exist in the IPv6 world. What's that you say??? How can that be??? You see, non-routable addresses were not invented for security. They were invented to expand the number of users on the Internet without running out of addresses. Since the Internet has continued to grow beyond what non-routable IP addresses can help solve, IPv6 has been adopted. IPv6 is an exponential leap in the number of addresses available, so we no longer need non-routable IP addresses. So, NAT won't exist in IPv6 either. All addresses will be routable.

OK, so I'm not using IPv6 now, and you're still making me use a public IP address on the A/V Edge Server. That is true, and it is because of the technology Microsoft is using to allow A/V to traverse firewalls and the Internet. In particular, we are talking about ICE (Interactive Connectivity Establishment), a draft standard being considered by the IETF and co-authored by Microsoft and Cisco. ICE makes use of two protocols, STUN (Simple Traversal of UDP through NATs) and TURN (Traversal Using Relay NAT).

So, if we look at the RFC for STUN (RFC 3489), we see that STUN assumes the server exists on the public Internet. If the server is located in another private address realm, the user may or may not be able to use its discovered address to communicate with other users, and there is no way to detect such a condition (RFC 3489 Section 14.3). STUN therefore imposes some restrictions on the network topology for proper operation: if client A obtains an address from STUN server X and sends it to client B, B may not be able to send to A using that IP address. The STUN server must be in the network which is a common ancestor to both; in this case, that is the public Internet (RFC 3489 Section 14.3).
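To make the RFC 3489 point concrete, here is an added example (not code from the original post, and not Microsoft's or the OCS product's code) that encodes a STUN Binding Request, decodes the Binding Response a STUN server would return, and then checks whether the discovered MAPPED-ADDRESS falls in RFC 1918 space. The two responses are constructed inline: one as a server on the public Internet would answer, one as a server sitting inside a private realm would answer (the server behind a NAT sees the client's private source address and hands it straight back). The 203.0.113.0/24 address used for the "public" case is documentation space chosen for illustration; the check is intentionally limited to the three RFC 1918 ranges the post calls "non-routable".

```python
import ipaddress
import os
import struct

# RFC 3489 wire constants: Binding method, MAPPED-ADDRESS attribute, IPv4 family
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001
FAMILY_IPV4 = 0x01
HEADER_LEN = 20  # 2-byte type, 2-byte length, 16-byte transaction id

# The "non-routable" realms the post refers to (RFC 1918 private address space)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_binding_request(transaction_id=None):
    """Encode an RFC 3489 Binding Request: empty body, random 128-bit transaction id."""
    tid = transaction_id if transaction_id is not None else os.urandom(16)
    return struct.pack("!HH", BINDING_REQUEST, 0) + tid


def build_binding_response(transaction_id, mapped_ip, mapped_port):
    """Encode the Binding Response a STUN server sends: the MAPPED-ADDRESS attribute
    carries the source IP:port the server observed on the request."""
    packed_ip = ipaddress.IPv4Address(mapped_ip).packed
    # MAPPED-ADDRESS value layout: 1 pad byte, 1 family byte, 2-byte port, 4-byte IPv4
    value = struct.pack("!BBH4s", 0, FAMILY_IPV4, mapped_port, packed_ip)
    attr = struct.pack("!HH", MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(attr)) + transaction_id + attr


def parse_mapped_address(message, expected_tid):
    """Return (ip, port) from a Binding Response after validating framing and
    matching the transaction id so a stale or unsolicited reply is rejected."""
    if len(message) < HEADER_LEN:
        raise ValueError("short STUN header")
    msg_type, msg_len = struct.unpack("!HH", message[:4])
    if msg_type != BINDING_RESPONSE:
        raise ValueError("not a Binding Response: 0x%04x" % msg_type)
    if message[4:HEADER_LEN] != expected_tid:
        raise ValueError("transaction id mismatch (unsolicited or stale response)")
    body = message[HEADER_LEN:HEADER_LEN + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated STUN body")
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated STUN attribute")
        if attr_type == MAPPED_ADDRESS:
            if attr_len != 8:
                raise ValueError("bad MAPPED-ADDRESS length")
            _pad, family, port, raw_ip = struct.unpack("!BBH4s", value)
            if family != FAMILY_IPV4:
                raise ValueError("unsupported address family")
            return str(ipaddress.IPv4Address(raw_ip)), port
        offset += 4 + attr_len  # skip attributes we do not understand
    raise ValueError("no MAPPED-ADDRESS attribute")


def is_rfc1918(ip):
    """True when the address lies in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def assess_discovered_address(response, transaction_id):
    """Classify the reflexive address a client learned from a STUN server. A private
    address means the server itself sits behind NAT, which RFC 3489 warns cannot be
    detected any other way and makes the candidate unusable by Internet peers."""
    ip, port = parse_mapped_address(response, transaction_id)
    private = is_rfc1918(ip)
    verdict = ("private realm: STUN server is behind NAT, peers may not reach this address"
               if private else "public: usable as an ICE candidate by peers on the Internet")
    return {"ip": ip, "port": port, "usable_by_internet_peer": not private, "verdict": verdict}


if __name__ == "__main__":
    tid = build_binding_request()[4:]  # reuse the transaction id the client generated
    # Constructed responses: a server on the public Internet vs. one inside a private realm
    public_server = build_binding_response(tid, "203.0.113.10", 50000)
    private_server = build_binding_response(tid, "10.20.30.40", 50000)
    for reply in (public_server, private_server):
        print(assess_discovered_address(reply, tid))
```

The transaction id check matters in practice: a client that accepts any Binding Response would happily adopt a MAPPED-ADDRESS it never asked for, so the parser refuses replies whose id does not match the request it sent.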

Again, this is not something that was developed by Microsoft on its own. It was co-authored with Cisco to help overcome NAT traversal for UDP traffic. Any other application that uses STUN will have the same requirements.