Forum Discussion

david_baumgart_
Jul 26, 2016

Firewall config for Skype for Business Reverse Proxy

Hey Everyone:

 

I recently completed setting up an edge pool for my Skype for Business 2015 deployment and all of my services are working as intended (IM/Presence and Video calls). I now wish to deploy reverse proxy services to allow mobile devices to connect externally. Fortunately for me I just so happen to have a Big IP in my DMZ and another Big IP in my internal network with my FE pool.

 

I am a bit confused about the ports that need to be open on different sides of the networks. I understand that the DMZ F5 is going to get its own public IP address which will be NAT'd to my DMZ subnet where my DMZ F5 "lives". I understand also that I will specifically be NAT'ing TCP 80 and 443 to the Big IP.

 

Using the iApp I am going to have it forward reverse proxy traffic over to my internal Big IP which "lives" on my messaging subnet (just the subnet I have Skype and Exchange running on), and the internal one will have the Skype iApp configured to receive the reverse proxy traffic from the DMZ Big IP.

 

My question is, do I open ports 443 and 80 between the two Big IPs and then have 4443 and 8080 open between the internal Big IP and the FE pool? Or is there something I am missing where I'd open 4443 and 8080 between the two Big IPs (which I don't think is the case, just verifying).

 

Thanks all!

 


7 Replies

  • JamesSevedge_23
    Historic F5 Account

    So when you have a split deployment as mentioned for reverse proxy traffic, then big ip 1 (DMZ) would receive traffic and forward to big ip 2 (internal, in front of FE servers) on the already translated port 4443. Big ip 2 will then pass that through to individual FE servers on the same 4443 port.

     

    So the real answer to your question is between the two big ips you should allow for 80, 8080, 443 and 4443 to ensure traffic processing.

     

    • JamesSevedge_23
      Historic F5 Account

      Although just to supplement that answer, the traffic is going to be 443 when it hits the DMZ and then 4443 between big ips. However, opening up the other ports may be required depending on the other S4B services you are deploying.

       

    • david_baumgart_
      Cirrus

      Follow-up question. I understand that I need to allow the traffic such as this:

       

      WAN/NAT -> DMZ Reverse Proxy VIP; DMZ Big IP Self IP -> Internal Reverse Proxy VIP

       

      But what about the return path? Do I allow the traffic back from the Internal Big IP VIP to the DMZ Big IP self IP? Or does it turn around and try to send from Internal BIG IP Self IP -> DMZ Self IP?

       

      Or am I completely missing the target here?

       

      Thanks again!

       

    • JamesSevedge_23
      Historic F5 Account

      The return path will be the same (DMZ self IP to internal VIP). SNAT automap is applied on the DMZ VIP for reverse proxy traffic, so the internal reverse proxy VIP sees traffic as sourced from the DMZ big ip self IP (as you stated).
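As an added illustration of the flow James describes (this is not code from the thread or from F5), the following Python model walks one client connection through both BIG-IPs with the 443/4443 and 80/8080 port translation at the DMZ VIP and SNAT automap, and derives the forward-direction allow rules a stateful firewall needs on each segment. All addresses are constructed placeholders from the RFC 5737 documentation ranges, and SNAT automap on the internal VIP (so the FE servers see the internal self IP) is an assumption, not something the thread states.

```python
from dataclasses import dataclass

# Constructed placeholder addresses; replace with your own VIPs and self IPs.
PUBLIC_VIP = "203.0.113.10"    # public IP that is NAT'd to the DMZ BIG-IP
DMZ_SELF_IP = "192.0.2.11"     # DMZ BIG-IP self IP (source after SNAT automap)
INT_VIP = "198.51.100.10"      # reverse-proxy VIP on the internal BIG-IP
INT_SELF_IP = "198.51.100.11"  # internal self IP (assumes SNAT automap there too)
FE_POOL = ["198.51.100.21", "198.51.100.22"]  # constructed FE pool members

# Port translation happens once, on the DMZ VIP: 443 -> 4443 and 80 -> 8080.
PORT_MAP = {443: 4443, 80: 8080}


@dataclass(frozen=True)
class Flow:
    segment: str
    src: str
    dst: str
    dport: int


def reverse_proxy_flows(external_port: int) -> list[Flow]:
    """Return the forward-direction flows for one external connection.

    On a stateful firewall only these need an allow rule: the return path is
    the same connection in reverse (internal VIP back to the DMZ self IP),
    so no separate self IP -> self IP rule is required.
    """
    if external_port not in PORT_MAP:
        raise ValueError(f"TCP {external_port} is not a reverse-proxied port")
    translated = PORT_MAP[external_port]
    flows = [Flow("wan->dmz", "any", PUBLIC_VIP, external_port)]
    # SNAT automap on the DMZ VIP: the internal VIP sees the DMZ self IP as
    # the source, and the destination port is already translated.
    flows.append(Flow("dmz->internal", DMZ_SELF_IP, INT_VIP, translated))
    # The internal BIG-IP passes traffic to each FE server on the same port.
    for fe in FE_POOL:
        flows.append(Flow("internal->fe", INT_SELF_IP, fe, translated))
    return flows


def firewall_rules(ports=(80, 443)) -> set[tuple[str, str, str, int]]:
    """Deduplicated (segment, src, dst, dport) allow rules for all proxied ports."""
    return {(f.segment, f.src, f.dst, f.dport)
            for p in ports for f in reverse_proxy_flows(p)}


if __name__ == "__main__":
    for rule in sorted(firewall_rules()):
        print("allow tcp %-15s %-15s -> %-15s dport %d" % rule)
```

Running it prints one allow line per segment and port; only the dmz->internal lines (sourced from the DMZ self IP on 4443 and 8080) concern the link between the two BIG-IPs.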