Lync2013/Skype for Business 2015 Firewall requirements

Tags: lync, lync-2013, skype, skype-for-business-2016

We are looking to deploy a single consolidated edge on a vSphere Cluster. From reading the Microsoft documentation, it appears you need two layers of firewalling.

Internet <--> Firewall <--> Edge Server/Reverse Proxy <--> Firewall <--> Front End/LAN

In practice, given a virtual environment with only one external-facing firewall, do you really need another firewall in between the Edge (which will have two NICs, one on the DMZ and one on the LAN with static routes/no default gateway) and the Front End server on the LAN?

On that note – with regards to a reverse proxy, why can't you just NAT direct from the WAN to the LAN interface of the frontend for the Lync Web Services?
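The "static routes/no default gateway" arrangement on the Edge's internal NIC is the part that most often goes wrong in practice, so here is an added example (not code from the original post) of how it is set up and checked on the Edge server itself. It assumes the internal NIC is aliased "Internal", that the internal router's address is 10.1.2.1, that the corporate address space is 10.0.0.0/8 and 172.16.0.0/12, and that the Front End pool resolves as fe01.corp.example; all of these are placeholders.

```powershell
# Added example: configure and verify the Edge server's internal NIC routing.
# Assumed names (replace for your environment):
$InternalAlias   = 'Internal'            # NIC facing the LAN
$InternalNextHop = '10.1.2.1'            # router on the internal NIC's subnet
$InternalSubnets = @('10.0.0.0/8', '172.16.0.0/12')   # corporate address space
$FrontEnd        = 'fe01.corp.example'   # Front End pool FQDN

# 1. Only the external NIC may carry a default route. If one is found on the
#    internal NIC, the Edge will try to reach the Internet through the LAN.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceAlias -eq $InternalAlias } |
    ForEach-Object {
        Write-Warning "Default route on $InternalAlias via $($_.NextHop); removing it"
        Remove-NetRoute -InputObject $_ -Confirm:$false
    }

# 2. Reach the internal address space through the internal NIC with explicit
#    static routes instead of a second default gateway.
foreach ($prefix in $InternalSubnets) {
    $existing = Get-NetRoute -DestinationPrefix $prefix -InterfaceAlias $InternalAlias `
                             -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetRoute -DestinationPrefix $prefix -InterfaceAlias $InternalAlias `
                     -NextHop $InternalNextHop | Out-Null
        Write-Host "Added route $prefix via $InternalNextHop on $InternalAlias"
    }
}

# 3. Confirm the routes survive a reboot (on older hosts use `route add -p`).
Get-NetRoute -PolicyStore PersistentStore -InterfaceAlias $InternalAlias |
    Select-Object DestinationPrefix, NextHop

# 4. Confirm the Edge can reach the Front End pool on SIP/MTLS (TCP 5061)
#    and that the traffic leaves via the internal NIC, not the external one.
$probe = Test-NetConnection -ComputerName $FrontEnd -Port 5061
if (-not $probe.TcpTestSucceeded) {
    Write-Warning "Cannot reach $FrontEnd on 5061; check routes and the inner firewall"
} elseif ($probe.InterfaceAlias -ne $InternalAlias) {
    Write-Warning "Traffic to $FrontEnd left via $($probe.InterfaceAlias), expected $InternalAlias"
} else {
    Write-Host "Edge -> $FrontEnd :5061 OK via $InternalAlias"
}
```

Step 4 is the check that matters for the question: if the probe leaves via the external NIC, the Edge is using its default gateway to find the LAN, which means the "inner" firewall (if present) is being bypassed and any compromise of the Edge has an unfiltered path inward.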

Best Answer

Microsoft's best practices and design guidelines for Lync/SfB deployments suggest:

  • Using a reverse proxy for publishing the external web services of Front-End servers.
  • Placing the Edge servers in a position such that they are locked between two firewalls, one separating their public interfaces from the Internet, and one separating their internal interfaces from the LAN.

That said, it's actually quite common to use simpler configurations:

  • The reverse proxy can indeed be replaced by a simple NAT, but you'll need to remap TCP ports, because the external web services need to be published on TCP port 443, but they are actually listening on Front-End servers on TCP port 4443 (port 443 is used for the internal web services).
  • The Edge servers can have their internal interfaces directly connected to your LAN; however, please keep in mind that this is a potential security risk: if an Edge server gets compromised, it can (and will) be used as a bridgehead into your network; that's the main design reason for putting a firewall between it and your LAN.
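The port-remapping point in the answer is easy to get backwards when writing the NAT rule, so here is an added example (not code from the original answer) that verifies, on the Front End server, which IIS site is bound to 443 and which to 4443, and then checks that the external web services port answers. It assumes the Front End is fe01.corp.example and that the external web FQDN published through the NAT is lyncweb.example.com; both are placeholders. Run it on the Front End with the WebAdministration module available.

```powershell
# Added example: confirm the 443 (internal) / 4443 (external) split on a
# Front End server before writing a NAT rule of the form  WAN:443 -> FE:4443.
Import-Module WebAdministration

$FrontEnd    = 'fe01.corp.example'      # assumed Front End FQDN
$ExternalFqdn = 'lyncweb.example.com'   # assumed external web services FQDN

# 1. Map each IIS site to the HTTPS ports it listens on.
$siteBindings = foreach ($site in Get-Website) {
    foreach ($b in $site.Bindings.Collection) {
        if ($b.protocol -eq 'https') {
            # bindingInformation looks like  *:4443:  or  *:443:
            $port = ($b.bindingInformation -split ':')[1]
            [pscustomobject]@{ Site = $site.Name; Port = [int]$port }
        }
    }
}
$siteBindings | Sort-Object Port | Format-Table -AutoSize

# 2. The rule the answer describes: the *External* web site must be on 4443,
#    the *Internal* one on 443. Flag anything that does not match.
$external = $siteBindings | Where-Object { $_.Site -like '*External*' }
$internal = $siteBindings | Where-Object { $_.Site -like '*Internal*' }
if ($external.Port -notcontains 4443) {
    Write-Warning 'External web site is not bound to 4443; NAT to 4443 would hit the wrong site'
}
if ($internal.Port -notcontains 443) {
    Write-Warning 'Internal web site is not bound to 443'
}

# 3. Confirm something is actually listening on both ports.
Get-NetTCPConnection -State Listen -LocalPort 443, 4443 |
    Select-Object LocalAddress, LocalPort

# 4. From the Front End, the external site should answer on 4443 (not 443).
#    A NAT from WAN:443 must therefore translate the destination port as well.
$ok = (Test-NetConnection -ComputerName $FrontEnd -Port 4443).TcpTestSucceeded
if ($ok) {
    Write-Host "External web services reachable on $FrontEnd :4443; publish $ExternalFqdn :443 -> $FrontEnd :4443"
} else {
    Write-Warning "$FrontEnd does not answer on 4443; check the IIS bindings above"
}
```

Even with the port remap correct, plain NAT forwards every request verbatim: there is no URL filtering, no pre-authentication, and no place to terminate TLS separately from the Front End. That is the difference between this and a reverse proxy, and it is why the exposed 4443 site is effectively Internet-facing once the NAT rule is in place.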