Yes, you read this correctly: In a single-server Edge deployment a private IP address is now supported on the A/V Edge Role.  It is still recommended to use a public IP address and is still not supported for scaled Edge deployments, but through some magical alignment of the stars (or more likely some work by the product team) this requirement has changed for the better.

As minor as the point seems to be in the documentation, there must be at least 2 posts every week in the TechNet forums asking how and why the previous requirement for a public IP address was in place for OCS 2007 and stating what a problem it is for smaller shops to get a fully-functional deployment up and running.  It’s also a major stumbling block in proof-of-concept and sandbox labs.

Basically, the R2 documentation states it is supported if the external firewall can be configured to filter inbound traffic with DNAT and outbound traffic can be configured with SNAT then.  There is also a note that if ISA Server 2006 is used as the external firewall then this scenario may not work.  Another repeated statement is that in no scenario should the internal firewall perform Network Address Translation between the Edge Server’s internal IP address and the internal network hosting the Front-End and other OCS and Active Directory servers.  This appears to have been misunderstood previously and has been specifically reworded more clearly.

Another welcome change to the A/V Edge configuration requirements is that the RTP TCP/UDP inbound port range of 50000 to 59000 is no longer required with R2, but is optionally supported.  The client A/V communications can be limited to just the STUN UDP 3478 and TCP 443 ports, greatly simplifying the external firewall configuration.  So if a current deployment already has the firewall configured for the previous 50000-59000 port range, then OCS R2 still supports using them, but new deployments can benefit from these changes off the bat.