Forum Discussion
Firewall config for Skype for Business Reverse Proxy
- Jul 26, 2016
So when you have a split deployment as mentioned for reverse proxy traffic then big ip 1(DMZ) would receive traffic and forward to big ip 2 (internal, in front of FE servers) on the already translated port 4443. Big ip 2 will then pass that through to individual FE servers on the same 4443 port.
So the real answer to your question is between the two big ip's you should allow for 80, 8080, 443 and 4443 to ensure traffic processing.
- JamesSevedge_23, Jul 26, 2016, Historic F5 Account
Although, just to supplement that answer: the traffic is going to be 443 when it hits the DMZ and then 4443 between the BIG-IPs. However, opening up the other ports may be required depending on the other S4B services you are deploying.
- david_baumgart_, Jul 26, 2016, Cirrus
Follow-up question. I understand that I need to allow the traffic such as this:
WAN/NAT -> DMZ Reverse Proxy VIP
DMZ BIG-IP Self IP -> Internal Reverse Proxy VIP
But what about the return path? Do I allow the traffic back from the Internal Big IP VIP to the DMZ Big IP self IP? Or does it turn around and try to send from Internal BIG IP Self IP -> DMZ Self IP?
Or am I completely missing the target here?
Thanks again!
- JamesSevedge_23, Jul 26, 2016, Historic F5 Account
The return path will be the same (DMZ self IP to internal VIP). SNAT automap is applied on the DMZ VIP for reverse proxy traffic, so the internal reverse proxy VIP sees traffic as sourced from the DMZ BIG-IP self IP (as you stated).
- david_baumgart_, Jul 26, 2016, Cirrus
So just to be clear, because for some reason I am having a brain glitch when reading that reply (my apologies for being dense!), on the path BACK OUT to DMZ going from internal to external, the VIP is the IP sending back to the DMZ self ip rather than it passing the return process off to the internal self IP, correct?
This makes sense from a networking perspective, I just wanna make sure I'm 100% clear. Thanks again and sorry for being repetitive!
- JamesSevedge_23, Jul 26, 2016, Historic F5 Account
That is correct, clarifying is never being dense, just thorough! :)
- david_baumgart_, Jul 26, 2016, Cirrus
Thank you my friend!