Office Communications Server 2007 R2 DNS / Firewall Configuration
January 1st, 2010
When deploying Office Communications Server 2007 R2, the infrastructure needed for external users to connect must be prepared in advance. This preparation consists of:
1- External DNS preparation
2- Firewall preparation
External DNS preparation consists of the A and SRV records listed in the table below. The "Real IP 1 ..." entries must hold the four public IP addresses that your Edge server uses for external access.
Note: If you deviate from the recommended four-public-IP layout, create the records according to your own IP plan.

Record Type | Record Name | IP Address | Detail Information
(A) | sip.<sipdomain> | Real IP 1 | FQDN / IP Address of the Access Edge server
(A) | sipexternal.<sipdomain> | Real IP 1 | FQDN / IP Address of the Access Edge server
(A) | live.<sipdomain> | Real IP 2 | FQDN / IP Address of the Web Conferencing Edge server
(A) | av.<sipdomain> | Real IP 3 | FQDN / IP Address of the A/V Edge server
(SRV) | _sip._tls.<sipdomain> | _tls for port 443 – sip.<sipdomain> | Create _sip._tls if enabling Office Communicator for remote access
(SRV) | _sip._tcp.<sipdomain> | _tcp for port 5060 – sip.<sipdomain> | Create _sip._tcp if enabling Office Communicator for remote access
(SRV) | _sipfederationtls._tcp.<sipdomain> | _tcp for port 5061 – sip.<sipdomain> | Create _sipfederationtls._tcp if enabling federation and/or PIC
(A) | Rproxy.<sipdomain> | Real IP 4 | FQDN / IP Address of the Reverse Proxy server (ISA 2006 SP1)

For the firewall preparation, firewall rules must be written for the server(s) placed between the internal and external firewalls, as shown in the figure below. These rules are described in the table that follows the figure.
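The external zone from the table above, as an added example that is not part of the original post: it builds the A and SRV records from the four public addresses and checks for the common mistake of an SRV record whose target name has no A record (all three SRV records must point at sip.<sipdomain>). The SIP domain and the 203.0.113.x addresses used in the test are constructed placeholders.

```python
# Added example (not from the original post): builds the external DNS records the
# table prescribes for an OCS 2007 R2 Edge deployment and checks that every SRV
# target resolves to an A record in the same zone. Domain and IPs are placeholders.
import ipaddress

# SRV records from the table: (service label, port, reason for creating it)
SRV_LAYOUT = (
    ("_sip._tls", 443, "Office Communicator remote access"),
    ("_sip._tcp", 5060, "Office Communicator remote access"),
    ("_sipfederationtls._tcp", 5061, "federation and/or PIC"),
)

def build_edge_dns_records(sipdomain, real_ips, enable_federation=True):
    """Return (name, type, value) tuples for the external zone.

    real_ips maps the roles in the table to public addresses:
    access (Real IP 1), webconf (Real IP 2), av (Real IP 3), rproxy (Real IP 4).
    Each address is validated as IPv4; a bad value raises ValueError early.
    """
    ips = {role: str(ipaddress.IPv4Address(a)) for role, a in real_ips.items()}
    records = [
        (f"sip.{sipdomain}", "A", ips["access"]),
        (f"sipexternal.{sipdomain}", "A", ips["access"]),
        (f"live.{sipdomain}", "A", ips["webconf"]),
        (f"av.{sipdomain}", "A", ips["av"]),
        (f"rproxy.{sipdomain}", "A", ips["rproxy"]),
    ]
    target = f"sip.{sipdomain}."          # every SRV points at the Access Edge name
    for label, port, _reason in SRV_LAYOUT:
        if label.startswith("_sipfederationtls") and not enable_federation:
            continue                        # only needed for federation / PIC
        # SRV rdata: priority weight port target
        records.append((f"{label}.{sipdomain}", "SRV", f"0 0 {port} {target}"))
    return records

def missing_srv_targets(records):
    """Names referenced by SRV records that have no A record in the same set."""
    a_names = {name for name, rtype, _ in records if rtype == "A"}
    targets = {v.split()[-1].rstrip(".") for _, rtype, v in records if rtype == "SRV"}
    return sorted(targets - a_names)

def to_zone_lines(records, ttl=3600):
    """Render the records as BIND-style zone file lines."""
    return [f"{name}. {ttl} IN {rtype} {value}" for name, rtype, value in records]
```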
Note: The table contents are given in English to avoid errors in the Turkish terminology.

Firewall Rules for the Access Edge Service (IP address Real IP 1 – NAT IP 1)

Internal firewall, figure mapping 5:
  Local Port: Any
  Direction: Inbound (for remote user access and federation)
  Remote Port: 5061 TCP (TCP/MTLS)
  Local IP address: The internal IP address of the Access Edge service
  Remote IP: The IP address of the next hop server. If a Director is deployed, use the IP address of the Director or the VIP of the load balancer, if the Directors are load balanced.

Internal firewall, figure mapping 5:
  Local Port: 5061 TCP (SIP/MTLS)
  Direction: Outbound (for remote user access and federation)
  Remote Port: Any
  Local IP address: The internal IP address of the Access Edge service
  Remote IP: If no Director is deployed, you may use any IP address. If a Director is deployed, use the IP address of the Director or the virtual IP address of the load balancer, if the Directors are load balanced.

External firewall, figure mapping 3:
  Local Port: 5061 TCP (SIP/MTLS)
  Direction: Inbound/Outbound (federation)
  Remote Port: Any
  Local IP: The external IP address of the Access Edge service
  Remote IP: Any IP address

External firewall, figure mapping 4:
  Local Port: 443 TCP (SIP/TLS)
  Direction: Inbound (for remote user access)
  Remote Port: Any
  Local IP: The external IP address of the Access Edge service
  Remote IP: Any IP address

External firewall, figure mapping 11:
  Local Port: 53 DNS
  Direction: Outbound (for DNS queries)
  Remote Port: Any
  Local IP: The external IP address of the Access Edge service
  Remote IP: Any IP address

External firewall, figure mapping 15:
  Local Port: 80 HTTP
  Direction: Outbound (to download certificate revocation lists)
  Remote Port: Any
  Local IP: The external IP address of the Access Edge service
  Remote IP: Any IP address

Firewall Rules for the Web Conferencing Edge Service (IP address Real IP 2 – NAT IP 2)

Internal firewall, figure mapping 7:
  Local Port: 8057 TCP (PSOM/MTLS)
  Direction: Outbound (for traffic between internal Web Conferencing Servers and the Web Conferencing Edge service)
  Remote Port: Any
  Local IP: The internal IP address of the Web Conferencing Edge service
  Remote IP: Any IP address

External firewall, figure mapping 6:
  Local Port: 443 TCP (PSOM/TLS)
  Direction: Inbound (for access of remote, anonymous, and federated users to internal Web conferences)
  Remote Port: Any
  Local IP: The external IP address of the Web Conferencing Edge service
  Remote IP: Any IP address

Firewall Rules for the A/V Edge Service (IP address Real IP 3 – NAT IP 3)

Internal firewall, figure mapping 12:
  Local Port: 443 TCP (STUN/TCP)
  Direction: Outbound (for media transfer between internal users and external users)
  Remote Port: Any
  Local IP: The internal IP address of the A/V Edge service
  Remote IP: Any IP address

Internal firewall, figure mapping 13:
  Local Port: 5062 TCP (SIP/MTLS)
  Direction: Outbound (for authentication of A/V users)
  Remote Port: Any
  Local IP: The internal IP address of the A/V Edge service
  Remote IP: Any IP address

Internal firewall, figure mapping 14:
  Local Port: 3478 UDP (STUN/UDP)
  Direction: Outbound (for media transfer between internal users and external users)
  Remote Port: Any
  Local IP: The internal IP address of the A/V Edge service
  Remote IP: Any IP address
  Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.

External firewall, figure mapping 8:
  Local Port: 443 TCP (STUN/TCP)
  Direction: Inbound (for external users' access to media and A/V sessions)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge service
  Remote IP: Any IP address

External firewall, figure mapping 10:
  Local Port: 3478 UDP (STUN/UDP)
  Direction: Inbound/Outbound (for external users connecting to media or A/V sessions)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge service
  Remote IP: Any IP address
  Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.

External firewall, figure mapping 9:
  Local Port Range: 50,000-59,999 TCP (RTP/TCP)
  Direction: Outbound (for media transfer)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge service
  Remote IP: Any IP address

Firewall Rules for the Reverse Proxy (IP address Real IP 4 – NAT IP 4)

Internal firewall, figure mapping 2:
  Local Port: Any
  Direction: Inbound (for external user access to Web conferences)
  Remote Port: 443 TCP (HTTP(S))
  Local IP: The internal IP address of the reverse proxy
  Remote IP: Any

External firewall, figure mapping 1:
  Local Port: 443 TCP (HTTP(S))
  Direction: Inbound
  Remote Port: Any
  Local IP address: The external IP address of the HTTP reverse proxy
  Remote IP: Any

Note: The configuration required for access to the UDP ports must be made on the firewall.