OCS Edge Server Requires Separate Internal and External Interfaces
By: Jeff Schertz | Posted: November 9, 2007 at 10:31 AM

I recently ran into a deployment problem for a customer where we attempted to use just two network interfaces for a single Edge Server configuration. If you follow the deployment documentation for the Office Communications Server 2007 Edge Server, you'll see that it calls for up to four separate network interfaces: one for the internal network and one for each of the three Edge Server roles. From a network bandwidth standpoint in a high-usage scenario this many interfaces can be helpful, but when installing a single Edge Server that hosts all three roles it would be more efficient to reduce the hardware requirements.

Since the new hardware we were using to deploy the Edge Server had only a single dual-port network interface at the time (the additional card was back-ordered), we decided to place the public IP address for the A/V Edge Server on one port and the remaining three IP addresses (the Access Edge Server, the Web Conferencing Edge Server, and the host's primary "internal" address) on the second port, like so:

NIC #1
10.1.1.10 - Host
10.1.1.11 - Access Edge Server
10.1.1.12 - Web Conferencing Edge Server

NIC #2
12.1.2.34 - A/V Edge Server

Because the host's internal IP and the two NAT-compatible Edge IPs are in the same subnet, Windows Server allows them to be bound to the same physical interface. The router that NIC #1 is plugged into was configured to route traffic to and from 10.1.1.10 back to the internal firewall, but to route traffic for the .11 and .12 addresses to the external firewall, which was set to NAT each of them behind a dedicated public IP address. The second interface would be connected to a dedicated port on the external firewall appliance, and traffic would be routed directly to the Edge Server without any address translation.

After deployment and configuration of the Access Edge role I was having problems getting external clients to successfully log in to OCS. I rechecked the configuration and all the settings were correct, the certificates were assigned and working, and there were no IP routing issues. I could telnet to both ports 443 and 5061 on both the Edge and Front-End servers from any location on either side of both firewalls. Using Performance Monitor on the Edge Server I could see the inbound connections arriving from the external clients, but the connection was failing to make the next hop to the internal pool. The complete lack of errors or warnings in the event log didn't help much either.

 

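A telnet test of the kind described above only proves that some local address on the box can reach a port; on a multi-homed host it says nothing about which address the Edge actually sources its next-hop connection from, which is exactly what goes wrong when internal and external addresses share an interface. The following Python script is an added example, not code from the original post: it probes TCP reachability while binding the socket to an explicit source address, so each Edge IP (host, Access Edge, Web Conferencing) can be tested separately against the Front-End pool and the outside. The addresses in the comments are constructed from the post's layout; the throwaway local listener exists only so the script can be exercised offline.

```python
"""TCP reachability probe bound to a chosen source address.

Added troubleshooting example for a multi-homed OCS Edge server; this is
not code from the original post.  A plain telnet test proves only that
*some* local address can reach a port.  Binding the socket to a specific
Edge IP before connecting shows whether traffic sourced from that address
(e.g. the internal host IP talking to the Front-End on 5061) has a usable
route out and a return path back to the same interface.

Addresses mentioned below are constructed to match the post's layout.
"""
import socket
import threading
from typing import Callable, List, Optional, Tuple


def check_tcp(host: str, port: int, source_ip: Optional[str] = None,
              timeout: float = 2.0) -> Tuple[bool, str]:
    """Return (reachable, detail).

    With source_ip set, the OS must send the SYN from the interface that
    owns that address; a bind() failure means this host does not own it.
    """
    label = f"{source_ip or 'default-src'} -> {host}:{port}"
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if source_ip:
            sock.bind((source_ip, 0))          # port 0 = ephemeral source port
        sock.connect((host, port))
        return True, f"{label} open"
    except socket.timeout:
        # Typical of a filtered port, or of replies that take a path which
        # never comes back to this interface (asymmetric routing via a NAT).
        return False, f"{label} timed out"
    except OSError as exc:
        # ECONNREFUSED, EADDRNOTAVAIL (address not owned), ENETUNREACH, ...
        return False, f"{label} failed: {exc.strerror or exc}"
    finally:
        sock.close()


def run_checks(targets: List[Tuple[str, int]],
               source_ips: List[Optional[str]]
               ) -> List[Tuple[Optional[str], str, int, bool, str]]:
    """Probe every (source, target) pair; returns (src, host, port, ok, detail)."""
    return [(src, host, port, *check_tcp(host, port, src))
            for src in source_ips for host, port in targets]


def start_local_listener(host: str = "127.0.0.1") -> Tuple[int, Callable[[], None]]:
    """Throwaway TCP listener so the probe can be exercised offline.

    Returns (port, stop); stop() tears the listener down so that later
    probes to the same port are refused.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop_event = threading.Event()

    def serve() -> None:
        while not stop_event.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:          # listener shut down by stop()
                break
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop() -> None:
        stop_event.set()
        try:
            srv.shutdown(socket.SHUT_RDWR)   # wakes a blocked accept()
        except OSError:
            pass
        worker.join(1.0)

    return port, stop


if __name__ == "__main__":
    # Offline demo against the throwaway listener.
    port, stop = start_local_listener()
    for row in run_checks([("127.0.0.1", port)], ["127.0.0.1", None]):
        print(row[4])
    stop()
    print(check_tcp("127.0.0.1", port, "127.0.0.1")[1])
    # On the Edge itself you would probe the post's layout instead, e.g.
    # (hostnames are placeholders you supply):
    #   run_checks([("front-end-pool.example", 5061)], ["10.1.1.10"])
    #   run_checks([("external-host.example", 443)], ["10.1.1.11", "10.1.1.12", "12.1.2.34"])
```

Run the internal leg from the host address and the external legs from each Edge role address; a probe that times out only when bound to a particular source address, while the same target is reachable from another, points at the egress interface or the return path for that address rather than at the firewall rules.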
The next morning my client notified me that the additional dual-port NIC had arrived and was installed, so I went about reconfiguring the network using a third interface:

NIC #1
10.1.1.10 - Host

NIC #2
12.1.2.34 - A/V Edge Server

NIC #3
10.1.1.11 - Access Edge Server
10.1.1.12 - Web Conferencing Edge Server

At this point Office Communicator on the external test client connected immediately. So even though my internal and external IP addresses are on the same subnet and both interfaces connect back to the same router, OCS apparently requires the internal and external addresses to be on separate physical interfaces; otherwise it simply does not function correctly.

Theoretically the first configuration should have worked, but I originally had my reservations about whether OCS would tolerate the internal and external routes sharing the same physical interface, even though I saw no connectivity problems between the Edge and Front-End servers over various ports.

Re: Routing Table for second configuration
By: Jeff Schertz | Posted: May 21, 2010 at 9:46 PM
Take a look at this newer article which covers routing for multiple interface Edge servers: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=78
Routing Table for second configuration
By: akshat | Posted: May 21, 2010 at 8:57 PM
Hi Jeff, can you please recall and share how you configured the routes in Windows on the Edge server for your second scenario? That would be very helpful. I searched a lot but could not find any document or link with that detail. Regards,
Single Firewall
By: Just4Know | Posted: November 12, 2009 at 1:46 PM
Can I have the same configuration (IP in the same subnet for host, Access and Web) working with a single firewall?
hi Jeff (OCS GURU)
By: feroz | Posted: September 17, 2009 at 8:40 AM
Dear Jeff, I am a bit confused with OCS. I have OCS set up in a LAN environment and audio/video is working fine. I would like to set up an A/V Edge server. Do I need to set up internal/external firewalls, or is only an external firewall required? If possible, can you send me the diagram of your network? My email address is feroz1020@gmail.com
Re:
By: Jeff Schertz | Posted: February 19, 2009 at 7:23 AM
That only applies when using publicly routable IP addresses on all three external roles. In the scenario outlined above, when using NAT on the Access Edge and Web Conferencing roles, you'll need a third interface to host the public IP for A/V Edge. More details on these other scenarios can be found in a newer blog entry: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=33
By: JBPostcti | Posted: February 19, 2009 at 4:16 AM
I usually configure an Edge with only two interfaces: internal and external. I've never seen any issues assigning the three external IPs to that one interface.
Why the requirement for multiple network interfaces
By: TC | Posted: February 19, 2008 at 10:37 AM
I see the point behind an Edge server with multiple roles having one IP per role. What I don't get is the requirement for "internal" and "external" interfaces, or even the need for multiple NICs. What is the technical gotcha that forces this requirement?
Re: Very helpful, additional questions...
By: Jeff Schertz | Posted: December 19, 2007 at 3:41 PM
From experience I've learned you can't use a single interface on the Edge server regardless of how you configure TCP/IP. I could not get the Access Edge Server to successfully pass connection traffic from the external OC client into the internal Front-End server. Traffic destined for Internal and External hosts needs to travel over physically separate interfaces. I'm sure this is why ALL of the OCS documentation calls for at least two NICs for each Edge Server. Take a look at my more recent blog "OCS Edge Server Configuration Topologies" for more details regarding ISA deployments.
Very helpful, additional questions...
Posted: December 18, 2007 at 5:10 PM
Our scenario is one consolidated OCS Edge; the only role we want active is IM for federation, with no remote clients, Web, or A/V. We have ISA and plan to route 5061 traffic through ISA to the Edge, which will also be in the DMZ. Can I use one NIC on the Edge Server with a private IP of 192.168.x.x and NAT traffic through PIX > ISA > OCS Edge? Then internal machines would also connect to the same private IP of the Edge Server. Do clients talk to the Edge Server, or just the OCS Pool?

About Jeff Schertz
Senior Consultant
Jeff Schertz is a senior consultant for PointBridge, focused on unified communications. He has over 10 years of experience in the IT industry ranging from family-owned businesses to global product dev...
Microsoft Certified IT Professional