Firewalls for Office Communications Server 2007 R2
Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
How you configure your firewalls depends largely on the specific firewalls you use in your organization. However, each firewall has common configuration requirements that are specific to Office Communications Server 2007 R2. Follow the manufacturer's instructions for configuring each firewall, along with the information in this section, which describes the settings that must be configured on the two firewalls.
The A/V Edge service requires a publicly routable IP address. When a hardware load balancer is used, the external firewall of the perimeter network must therefore not perform NAT for that address. When the edge server is a single consolidated edge server, Office Communications Server 2007 R2 allows NAT for the external IP addresses of all three edge services.
The internal firewall must likewise not perform NAT for the internal IP address of the A/V Edge service. That address must be fully routable from the internal network; internal clients and servers must reach the A/V Edge service's internal IP address directly.
The following figure shows the default firewall ports for each server in the perimeter network. For details about configuring the internal and external firewalls of your perimeter network, see the Office Communications Server 2007 R2 Edge Server Deployment Guide documentation.
Figure 1. Default firewall ports for perimeter network servers
To help increase security in your perimeter network, we recommend that you deploy edge servers in the following ways:
Create a dedicated subnet on your router for Office Communications Server.
Verify that traffic coming to the Office Communications Server subnet does not route to other subnets.
On your initial router, configure rules to ensure that there is no routing between your Office Communications Server 2007 R2 subnet and other subnets (with the exception of a management subnet that can include management services for your perimeter network).
On your internal router, do not allow any broadcasts or multicasts coming from the Office Communications Server 2007 R2 subnet in the perimeter network.
Deploy edge servers between two firewalls (an internal firewall and an external firewall) to ensure strict routing from one network edge to the other.
In addition, to enhance edge server performance and security, as well as to facilitate deployment, use the following guidelines when establishing your deployment process:
Deploy edge servers only after you finish deploying Office Communications Server 2007 R2 inside your organization, unless you are migrating from Microsoft Office Live Communications Server 2005 Service Pack 1 to Microsoft Office Communications Server 2007 R2. For details about the migration process, see the Migration from Office Communications Server 2007 documentation and the Migration from Live Communications Server 2005 documentation.
Deploy edge servers in a workgroup rather than a domain. Doing so simplifies installation and keeps the Active Directory Domain Services out of the perimeter network. Locating Active Directory Domain Services in the perimeter network can present a significant security risk.
Deploy your edge servers in a staging or lab environment before deploying them in your production environment. Deploy the edge servers in your perimeter network only when you are satisfied that the test deployment meets your requirements and that it can be incorporated successfully in a production environment.
Deploy at least one Director to act as an authentication gateway for inbound external traffic.
Deploy edge servers on dedicated computers that run only what is required. Disable unnecessary services and run only essential programs on the computer, such as programs that implement routing logic and are developed by using Microsoft SIP Processing Language (MSPL) and the Office Communications Server API.
Enable monitoring and auditing as early as possible on the computer.
Use a computer that has two network adapters to provide physical separation of the internal and external network interfaces.
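The following script is an added example and is not part of the Office Communications Server 2007 R2 documentation or product. It performs read-only checks of an edge server against several of the points above: the publicly routable A/V Edge address (no NAT when a hardware load balancer is used), workgroup rather than domain membership, two network adapters on separate subnets, auditing enabled, and only expected services running. The script name (Test-EdgeServer.ps1), its parameters, and the 203.0.113.10 address in the usage line are assumptions for illustration; it assumes an elevated Windows PowerShell 2.0 or later session on the edge server itself and changes nothing.

```powershell
# Added example, not from the Office Communications Server 2007 R2 documentation:
# read-only checks of an edge server against the deployment guidance above.
# Assumptions: run locally on the edge server in an elevated Windows PowerShell
# 2.0+ session; the operator supplies the A/V Edge external address and an
# optional baseline of expected running services. Nothing here changes configuration.
param(
    [Parameter(Mandatory = $true)][string]$AVEdgeExternalIP,
    [string[]]$ExpectedServices = @()
)

$findings = @()

function Test-PrivateIPv4 {
    # True for RFC 1918 addresses. With a hardware load balancer the A/V Edge
    # address must be publicly routable, so it must not be one of these.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b[0] -eq 10) { return $true }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $true }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $true }
    return $false
}

function Get-NetworkAddress {
    # Bitwise AND of address and mask, so adapters on the same subnet compare equal.
    param([string]$Address, [string]$Mask)
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $n = 0..3 | ForEach-Object { $a[$_] -band $m[$_] }
    return ($n -join '.')
}

# 1. Workgroup membership keeps Active Directory Domain Services out of the perimeter network.
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $findings += "Joined to domain '$($cs.Domain)'; edge servers should be workgroup members."
}

# 2. Two IP-enabled adapters on different subnets: physical separation of the
#    internal and external interfaces.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled })
if ($nics.Count -lt 2) {
    $findings += "Only $($nics.Count) IP-enabled adapter(s); two are expected."
} else {
    $subnets = @()
    foreach ($nic in $nics) {
        # IPAddress/IPSubnet are parallel arrays; use the first IPv4 entry of each adapter.
        for ($i = 0; $i -lt $nic.IPAddress.Count; $i++) {
            if ($nic.IPAddress[$i] -match '^\d{1,3}(\.\d{1,3}){3}$') {
                $subnets += Get-NetworkAddress $nic.IPAddress[$i] $nic.IPSubnet[$i]
                break
            }
        }
    }
    if (@($subnets | Select-Object -Unique).Count -lt 2) {
        $findings += "All adapters share subnet $($subnets[0]); internal and external interfaces should be on separate networks."
    }
}

# 3. Publicly routable A/V Edge external address.
if (Test-PrivateIPv4 $AVEdgeExternalIP) {
    $findings += "A/V Edge external address $AVEdgeExternalIP is RFC 1918; with a hardware load balancer the external firewall must not NAT it."
}

# 4. Auditing enabled: check the Logon subcategory via auditpol (present on Windows Server 2008).
$audit = auditpol /get /category:* 2>$null
$logon = $audit | Where-Object { $_ -match '^\s+Logon\s' }
if (-not $logon) {
    $findings += "Could not read audit policy with auditpol (session may not be elevated)."
} elseif ($logon -match 'No Auditing') {
    $findings += "Logon auditing is disabled; enable auditing before exposing the server."
}

# 5. Only expected services running (baseline supplied by the operator; assumption).
if ($ExpectedServices.Count -gt 0) {
    $running = Get-Service | Where-Object { $_.Status -eq 'Running' }
    foreach ($svc in $running) {
        if ($ExpectedServices -notcontains $svc.Name) {
            $findings += "Unexpected running service: $($svc.Name) ($($svc.DisplayName))"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No findings."
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

Run it from the staging deployment first, for example `.\Test-EdgeServer.ps1 -AVEdgeExternalIP 203.0.113.10 -ExpectedServices (Get-Content baseline-services.txt)`, where baseline-services.txt lists the service names you have decided are required on the edge server. A non-zero exit code means at least one finding was reported. The script cannot see what the firewalls or routers do, so the NAT and subnet-isolation rules still have to be verified on those devices; the address check only catches the common case of an RFC 1918 address being published as the A/V Edge address.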