OCS and ISA 2006 in a DMZ??

Sleurink76 -> OCS and ISA 2006 in a DMZ?? (12.Jun.2008 4:56:55 AM)

I've read the article of John Weber and Tom Pacyk (http://www.isaserver.org/tutorials/OCS-2007-ISA-2006-Firewall-Design-Architecture.html) about the ISA architecture for OCS deployment.

But...I've already tried this configuration and everything seems to be working...except the Audio / Video part. This is something we use very much.

The problem is that the Audio / Video of the OCS Access Edge Server can't be NATed. The only way to get this working is by setting the Internet IP address directly on the External NIC of the Access Edge Server.

Does anyone, maybe John or Tom :) , have an idea of how to get this working behind a firewall / DMZ construction??

Greetings,
Hans




Jason Jones -> RE: OCS and ISA 2006 in a DMZ?? (12.Jun.2008 5:06:14 AM)

The best option is to create an anonymous access DMZ on ISA Server using public IP addresses.

You can then define a route relationship on ISA for the DMZ network which allows you to restrict inbound traffic whilst meeting the requirement not to use NAT.

Depending upon your public IP address range, you could either supernet this down or purchase a new public IP address range for the DMZ and get this routed via your Internet router to ISA.

I think this approach is going to be our recommendation, until Microsoft provides better guidance specifically for ISA used in the AV edge scenario.

Hope this helps...

Cheers

JJ




Sleurink76 -> RE: OCS and ISA 2006 in a DMZ?? (12.Jun.2008 5:21:52 AM)

Jason, thanks for the quick response.

I also thought to route the traffic through ISA, the only thing is that I don't have an example of a good configuration. The problem I ran into, is the gateway settings etc...
Do you know a good manual or white paper where this is described?

B.t.w., we have a whole C-class range, so IPs enough...;)





Jason Jones -> RE: OCS and ISA 2006 in a DMZ?? (12.Jun.2008 6:01:43 AM)

Most DMZ examples have a private address range and hence use NAT, however the following series of articles should help with the concept of a routed DMZ.

http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html

http://www.isaserver.org/articles/2004multidmzp1.html

Hope this helps...

Cheers

JJ
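
The addressing side of the routed DMZ discussed in this thread, including the gateway settings, can be worked out ahead of time; the following is an added example, not part of the original posts or the linked articles. It carves a DMZ subnet out of a public block and derives the static route the Internet router needs and the default gateway for the edge server. The function name, the choice of the highest subnet as the DMZ, and the sample addresses (a documentation range) are assumptions; the route relationship itself is still defined in the ISA console.

```python
import ipaddress

# RFC 1918 space would force NAT at the edge, which the A/V edge cannot tolerate.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def plan_routed_dmz(public_block, dmz_prefix, isa_external_ip):
    """Carve a routed (no-NAT) DMZ out of a public block (hypothetical helper)."""
    block = ipaddress.ip_network(public_block)
    isa_ext = ipaddress.ip_address(isa_external_ip)
    if any(block.overlaps(n) for n in RFC1918):
        raise ValueError("private block: a routed DMZ needs public addresses")
    if isa_ext not in block:
        raise ValueError("ISA external IP is not inside the public block")
    # Assumption: take the highest subnet of the requested size as the DMZ.
    dmz = list(block.subnets(new_prefix=dmz_prefix))[-1]
    if isa_ext in dmz:
        raise ValueError("ISA external IP must stay on the Internet-facing segment")
    # What remains of the block once the DMZ is removed; the piece holding the
    # ISA external IP becomes the smaller link between Internet router and ISA.
    link = next(n for n in block.address_exclude(dmz) if isa_ext in n)
    hosts = iter(dmz.hosts())
    isa_dmz_ip = next(hosts)  # ISA's DMZ interface
    edge_ip = next(hosts)     # external NIC of the edge server, no NAT
    return {
        "dmz_network": str(dmz),
        "router_link": str(link),
        # The Internet router reaches the DMZ via ISA's external address.
        "router_static_route": (str(dmz), str(isa_ext)),
        "isa_dmz_ip": str(isa_dmz_ip),
        "edge_ip": str(edge_ip),
        # The edge server's default gateway is ISA's DMZ interface.
        "edge_default_gateway": str(isa_dmz_ip),
    }

if __name__ == "__main__":
    # Constructed sample: 203.0.113.0/24 is a documentation range standing in
    # for the poster's public C-class block.
    plan = plan_routed_dmz("203.0.113.0/24", 26, "203.0.113.2")
    for key, value in plan.items():
        print(f"{key}: {value}")
```

The router-facing mask shrinks from /24 to /25 in this sample, so the router and ISA external interfaces must both be updated or the router will keep treating DMZ addresses as directly attached.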



