In this section, we'll cover some of the most important aspects of a secure Edge
deployment.
Firewall Setup
The Edge Server communicates extensively with the OCS front-end server components
as well as with the outside world; most of this communication will traverse your firewall.
Correctly configuring your firewall will ensure that your OCS deployment is both secure
and functional.
In the simplest configuration, your network will have a single perimeter firewall that
terminates your Internet connections. You could deploy multiple firewalls (one on each side
of your OCS Edge), but I will concentrate on a single-firewall configuration here.
External Connectivity
You need to open TCP port 443 for each one of your Edge roles, along with port 5061 for
federation and public IM connectivity.
The Edge Server also requires you to open a large range of User Datagram Protocol
(UDP) ports for A/V connectivity: ports 50,000 through 59,999. This is quite a span and
may cause some concern. However, OCS is not actively listening on these ports; in other
words, they are not open all the time waiting for someone (an attacker or otherwise) to
connect to them. A port is opened only when an external client has established an A/V
session. When the session is finished, the port is closed and is no longer actively listening.
168 Chapter 5 • Configuring the Edge Server
DMZ Connectivity
Your Access Edge service and your Web Conferencing Edge service sit in the DMZ segment.