Forum Discussion
Firewall config for Skype for Business Reverse Proxy
- Jul 26, 2016
So when you have a split deployment, as mentioned, for reverse proxy traffic, then BIG-IP 1 (DMZ) would receive traffic and forward it to BIG-IP 2 (internal, in front of the FE servers) on the already translated port 4443. BIG-IP 2 will then pass that through to the individual FE servers on the same port 4443.
So the real answer to your question is: between the two BIG-IPs you should allow 80, 8080, 443 and 4443 to ensure traffic processing.
The return path will be the same (DMZ self IP to internal VIP). SNAT automap is applied on the DMZ VIP for reverse proxy traffic, so the internal reverse proxy VIP sees traffic as sourced from the DMZ BIG-IP self IP (as you stated).