These services must be able to communicate with the outside world as well as with your
internal network. Make sure your internal network is able to reach the internal interface of
your Edge Server on all the required ports.
Using Network Address Translation (NAT)
DMZ segments are commonly assigned their own range of private IP addresses. The firewall
then uses NAT to translate the public IP addresses to private ones. The Access Edge and
Web Conferencing IP addresses can be configured using NAT in this fashion.
However, the A/V Edge address cannot use NAT. This means the IP address you assign to
the Edge Server's NIC dedicated to the A/V service must be the same as the public IP address
assigned to the external interface on your firewall.
NOTE
OCS requires a public IP address on the A/V Edge service and will not work
properly without it. OCS uses Simple Traversal of UDP over NAT (STUN) to
make the VPN-less connection, and STUN requires a public IP address for
public-facing applications. This is called out in STUN RFC 3489, Section 6. Any
application using STUN has the same requirements. For further information
on STUN, view the entire STUN RFC at www.faqs.org/rfcs/rfc3489.html.
This often can cause security administrators to panic. But don't let them forget that having
a public IP address does not mean the firewall isn't protecting the server. Most firewalls will
support this kind of firewalling.
To do this securely you must configure your firewall to route requests "transparently" to the
NIC dedicated to the A/V service.
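Added example (not from the book or from OCS): a Python check that parses the MAPPED-ADDRESS attribute of an RFC 3489 Binding Response and compares it with the address bound to the A/V Edge NIC; a mismatch means a device in the path is translating the address. The function names and the sample addresses are assumptions, and the response bytes are constructed by build_response.

```python
import ipaddress
import struct

BINDING_RESPONSE = 0x0101  # RFC 3489 message type
MAPPED_ADDRESS = 0x0001    # RFC 3489 attribute type
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_mapped_address(msg):
    """Return (ip, port) from the MAPPED-ADDRESS of a Binding Response."""
    if len(msg) < 20:
        raise ValueError("shorter than the 20-byte STUN header")
    msg_type, body_len = struct.unpack("!HH", msg[:4])  # 16-byte transaction ID follows
    if msg_type != BINDING_RESPONSE or len(msg) < 20 + body_len:
        raise ValueError("not a complete Binding Response")
    pos, end = 20, 20 + body_len
    while pos + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + attr_len]
        if pos + 4 + attr_len > end:
            raise ValueError("truncated attribute")
        if attr_type == MAPPED_ADDRESS:
            if attr_len != 8 or value[1] != 0x01:
                raise ValueError("MAPPED-ADDRESS is not IPv4")
            port = struct.unpack("!H", value[2:4])[0]
            return ipaddress.IPv4Address(value[4:8]), port
        pos += 4 + attr_len
    raise ValueError("no MAPPED-ADDRESS attribute")


def check_av_edge_address(nic_ip, response):
    """Return the problems found with the address bound to the A/V Edge NIC."""
    nic = ipaddress.IPv4Address(nic_ip)
    seen, _port = parse_mapped_address(response)
    problems = []
    if any(nic in net for net in RFC1918):
        problems.append(f"{nic} is an RFC 1918 private address")
    if seen != nic:
        problems.append(f"peer sees {seen}, NIC has {nic}: NAT in the path")
    return problems


def build_response(ip, port):
    """Constructed sample input: a Binding Response with one MAPPED-ADDRESS."""
    attr = struct.pack("!HHBBH", MAPPED_ADDRESS, 8, 0, 0x01, port)
    attr += ipaddress.IPv4Address(ip).packed
    return struct.pack("!HH", BINDING_RESPONSE, len(attr)) + bytes(16) + attr
```

An empty list from check_av_edge_address means the NIC address is the one the outside peer reported, which is the state the text above requires for the A/V Edge interface.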