We are looking to deploy a single consolidated edge on a vSphere Cluster. From reading the Microsoft documentation, it appears you need two layers of firewalling.
Internet <--> Firewall <--> Edge Server/Reverse Proxy <--> Firewall <--> Front End/LAN
In practice, given a virtual environment, with only one external facing firewall, do you really need another firewall in-between the Edge (which will have two NICs, one on the DMZ, and one on the LAN with static routes/no default gateway) and the Frontend server on the LAN?
On that note – with regards to a reverse proxy, why can't you just NAT direct from the WAN to the LAN interface of the frontend for the Lync Web Services?
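The dual-NIC Edge layout the question describes (default gateway only on the DMZ adapter, static routes for the internal networks on the LAN adapter) is easy to get subtly wrong, so here is an added PowerShell example of how that routing is set up and verified on a Windows Server Edge host. It is not from the original question or answer. The adapter alias "Internal", the LAN next hop 10.10.20.1 and the internal prefix 10.10.0.0/16 are assumptions; substitute your own addressing.

```powershell
# Added example, not from the original post.
# Assumed values: internal adapter alias, LAN-side next hop, and the internal
# networks the Edge must reach (Front End pool, Director, internal DNS).
$InternalIf  = "Internal"            # assumed adapter alias
$InternalGw  = "10.10.20.1"          # assumed next hop on the LAN side
$LanPrefixes = @("10.10.0.0/16")     # assumed internal network(s)

# 1. Only the DMZ adapter may carry a default route. Strip any default
#    gateway that ended up on the internal adapter.
Get-NetRoute -DestinationPrefix "0.0.0.0/0" -AddressFamily IPv4 |
    Where-Object InterfaceAlias -eq $InternalIf |
    ForEach-Object {
        Write-Warning "Removing default route from $($_.InterfaceAlias)"
        Remove-NetRoute -InputObject $_ -Confirm:$false
    }

# 2. Add static routes for each internal prefix via the LAN-side next hop
#    (New-NetRoute writes to both the active and persistent stores).
foreach ($prefix in $LanPrefixes) {
    $existing = Get-NetRoute -DestinationPrefix $prefix -InterfaceAlias $InternalIf `
                             -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetRoute -DestinationPrefix $prefix -InterfaceAlias $InternalIf -NextHop $InternalGw
    }
}

# 3. Verify: exactly one IPv4 default route, and it is not on the internal adapter.
$defaults = Get-NetRoute -DestinationPrefix "0.0.0.0/0" -AddressFamily IPv4
if ($defaults.Count -ne 1 -or $defaults.InterfaceAlias -eq $InternalIf) {
    Write-Error "Unexpected default route configuration:"
    $defaults | Format-Table InterfaceAlias, NextHop, RouteMetric
}

# Show what the internal adapter can actually reach.
Get-NetRoute -InterfaceAlias $InternalIf -AddressFamily IPv4 |
    Where-Object DestinationPrefix -ne "0.0.0.0/0" |
    Format-Table DestinationPrefix, NextHop, RouteMetric
```

The check in step 3 is the one worth keeping around: a second default route on the internal adapter (often left behind by DHCP or a copied template) silently sends some traffic the wrong way and is a common cause of one-directional federation or media failures.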
Best Answer
Microsoft's best practices and design guidelines for Lync/SfB deployments suggest:
That said, it's actually quite common to use simpler configurations: