Microsoft Lync Server 2013 : Firewall Requirements Overview, Ports Required for Internal and External Access

12/29/2014 3:09:25 AM

Firewall Requirements Overview

Wikipedia defines a firewall as a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit or deny computer applications based on a set of rules and other criteria.

There are several types of firewall techniques, including these:

Packet Filtering—Packet filtering inspects packets as they are passed through the network and rejects or accepts these packets based on defined rules. Typically, these rules will specify a source and destination address, a port, and either an allow or deny statement to define the behavior of the packet-filtering rule. Packet-filtering firewalls are generally fast but can be difficult to configure for applications that dynamically choose ports for communications after an initial handshake.

Application Gateway—Application gateways apply security enforcement to specific applications. In other words, the gateway understands the applications and can recognize their packets. It makes its decisions based on which applications are allowed to pass through the firewall. Application gateways can be relatively easy to configure but are generally processor intensive and thus cannot handle as much throughput as a packet-filtering firewall.

Proxy/Reverse Proxy Server—A proxy server intercepts all messages entering and leaving the network. It inspects the packets and then continues the conversation on behalf of the protected system. In this way, packets never go directly from the source to the protected destination or from the protected source directly to the uncontrolled destination. Like application gateways, proxy servers are processor intensive.

Network-Based Firewalls

Most implementations of Lync Server involve some form of a network-based firewall, usually in the DMZ (demilitarized zone). The purpose of this device is to ensure that only the necessary services on the Lync Server systems are made available externally.

To maximize security, it is fairly common to configure the external services of Lync Server so that not only is there a firewall between the Internet and the Lync Server servers, but there also is a firewall between the internal network and the Lync Server servers. This can be accomplished either with dual firewalls or by placing the Lync Server servers into a DMZ on a three-or-more-legged firewall. Dual firewalls are technically more secure because if an attacker compromised the firewall that was exposed externally, he would still have to compromise a second firewall before having access to the internal hosts.

The first step in implementing this type of firewall for Lync Server is to understand what services you plan to make available from outside the network and then to determine exactly which ports and protocols need to be opened on the firewall.

Ports Required for Internal and External Access

The specific ports that need to be opened on a firewall vary somewhat depending on which services are placed into the DMZ and which services need to be accessible from the Internet. This section summarizes commonly deployed DMZ roles and the ports necessary to support them. The description calls out the port, the traffic type, the type of firewall it applies to (internal or external), and the purpose of the opening. Table 1 describes, in detail, the port requirements for Lync Server 2013.

Table 1. Edge Server Port Requirements


Note

“Inbound” and “Outbound” refer to the direction between the Internet or internal network and the specified Access Edge Service. For example, if the service is A/V Edge, and it says “Inbound,” you must open the port with the destination address of the A/V Edge Service IP Address.

Using Operating System Firewalls

In Windows Server 2003 SP1, Microsoft introduced an integrated firewall into the Windows operating system. As with most Microsoft products, it has improved with each iteration. Flash-forward to Windows Server 2012 and you find that the integrated firewall is quite good. Lync Server does an excellent job of integrating into the Windows Server Firewall at the time of installation.

Layering an operating system firewall with a network firewall is an excellent way to improve the overall security of a system at minimal expense. With the two layered together, if the network firewall is compromised, the attacker still has to pierce the OS firewall to compromise the systems behind it. Similarly, because many attacks originate from within the company itself, the OS firewall offers protection from trusted systems that might become compromised.

Configuring the Windows Server Firewall for Lync Server

If the Windows Firewall is enabled and started at the time of installation of Lync Server components, the necessary exceptions are created automatically.


Caution

Although many administrators are tempted to disable the Windows Firewall, it is certainly worth leaving it in place with the necessary rules configured. If you are convinced you don’t want to use the Windows Firewall, and you don’t plan to use a third-party operating system layer firewall, leave the Windows Firewall service running, but configure the rules to allow all traffic to pass unhindered. This prevents possible problems in interacting with the Windows Filtering Platform.



Tip

If Windows Firewall was off during the first installation, you can simply turn on Windows Firewall and run the Lync Server Deployment Wizard to configure Lync Server 2013 Windows Firewall Rules.
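The checks the Caution and Tip above describe, as an added example that is not part of the original article: it assumes Windows Server 2012 with the NetSecurity PowerShell module, and the `*Lync Server*` display-name filter is an assumption about how the Deployment Wizard names the rules it creates.

```powershell
# Added example (not from the original article). Verifies the Windows Firewall
# state Lync Server expects: service running, profiles enabled, rules present.

# 1. The Windows Firewall service (MpsSvc) must stay running even if you decide
#    not to filter with it, so that the Windows Filtering Platform keeps working.
$svc = Get-Service -Name MpsSvc
if ($svc.Status -ne 'Running') {
    Set-Service -Name MpsSvc -StartupType Automatic
    Start-Service -Name MpsSvc
}

# 2. Show each profile's state. If a profile was disabled when the Lync
#    components were installed, enable it; the Deployment Wizard can then be
#    rerun to create the Lync Server rules (the Tip above).
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

$disabled = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
if ($disabled) {
    $disabled | Set-NetFirewallProfile -Enabled True
    Write-Warning 'Firewall profile(s) were off; rerun the Lync Server Deployment Wizard.'
}

# 3. List the rules the Deployment Wizard created (display-name pattern assumed).
Get-NetFirewallRule -DisplayName '*Lync Server*' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action |
    Sort-Object DisplayName

# 4. Fallback from the Caution above: if you do not want the Windows Firewall to
#    filter traffic, keep the service running and let everything through rather
#    than stopping the service. Uncomment only if that is the intended posture.
# Set-NetFirewallProfile -Profile Domain,Private,Public `
#     -DefaultInboundAction Allow -DefaultOutboundAction Allow
```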


Using Network Address Translation (NAT) with Lync Server

If a single Edge Server is placed behind a firewall, it is acceptable to enable NAT. NAT effectively takes packets bound for the firewall and forwards them to hosts inside the firewall based on port rules. This enables a company with limited numbers of routable IP addresses to support multiple services with fewer IP addresses. It also provides a layer of security by requiring the firewall to process the packet first before it reaches the eventual destination. In addition, it enables protected systems to hide their IP information because they never appear to be a source of a packet to a system on the Internet; the firewall always appears to be the source.


Tip

If you enable NAT for the external firewall, configure the firewall filters used for traffic from the Internet to the Edge Server with Destination Network Address Translation (DNAT). Similarly, configure the filters for traffic going from the Edge Server to the Internet with Source Network Address Translation (SNAT). It is important to note that the inbound and outbound filters for this purpose must use the same internal and external addresses. If, externally, the Edge is 11.22.33.44 and is mapped to an Edge Server at 10.1.1.44, the mapping for the Edge to talk to the Internet needs traffic from 10.1.1.44 to appear to come from 11.22.33.44. Although this might seem obvious, there are many situations in which all internal hosts appear to come from the same IP address. This is called PAT, or port address translation, and is sometimes called NAT overload.
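A check for the symmetry requirement in the Tip above, as an added example that is not part of the original article: the rule objects are constructed sample data using the article's addresses, and the `External`/`Internal` field names are an assumption rather than any vendor's export format.

```powershell
# Added example (not from the original article). Checks that every inbound DNAT
# rule for an Edge Server has an outbound SNAT rule using the same address
# pair, and flags PAT / NAT overload, which breaks the one-to-one mapping.

function Test-EdgeNatSymmetry {
    param(
        [Parameter(Mandatory)] [object[]] $DnatRules,   # Internet -> Edge
        [Parameter(Mandatory)] [object[]] $SnatRules    # Edge -> Internet
    )
    $problems = @()

    # Each inbound DNAT (external -> internal) needs one outbound SNAT that
    # maps the same internal address back to the same external address.
    foreach ($d in $DnatRules) {
        $match = $SnatRules | Where-Object {
            $_.Internal -eq $d.Internal -and $_.External -eq $d.External
        }
        if (-not $match) {
            $problems += "No SNAT maps $($d.Internal) back to $($d.External)"
        }
    }

    # PAT / NAT overload: several internal hosts sharing one external source
    # address means the Edge does not appear as 11.22.33.44 alone.
    $shared = $SnatRules | Group-Object External | Where-Object { $_.Count -gt 1 }
    foreach ($g in $shared) {
        $hosts = ($g.Group.Internal | Sort-Object -Unique) -join ', '
        $problems += "PAT detected: $($g.Name) is shared by $hosts"
    }
    return $problems
}

# Constructed sample: the article's mapping 11.22.33.44 <-> 10.1.1.44, plus a
# second internal host wrongly overloaded onto the same public address.
$dnat = @([pscustomobject]@{ External = '11.22.33.44'; Internal = '10.1.1.44' })
$snat = @(
    [pscustomobject]@{ Internal = '10.1.1.44'; External = '11.22.33.44' },
    [pscustomobject]@{ Internal = '10.1.1.45'; External = '11.22.33.44' }
)
$issues = Test-EdgeNatSymmetry -DnatRules $dnat -SnatRules $snat
if (-not $issues) { 'Edge NAT mapping is symmetric and one-to-one' } else { $issues }
```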



Caution

If multiple Edge Servers are deployed in a load-balanced fashion, the external firewall cannot be configured for NAT. Regardless of whether load balancers are used, an internal firewall used to protect Edge Servers cannot be NAT enabled for the internal IP address of an Edge Server.

