Forum Discussion

david_baumgart_, Jul 26, 2016

Firewall config for Skype for Business Reverse Proxy

Hey Everyone:


I recently completed setting up an edge pool for my Skype for Business 2015 deployment and all of my services are working as intended (IM/Presence and Video calls). I now wish to deploy reverse proxy services to allow mobile devices to connect externally. Fortunately for me I just so happen to have a Big IP in my DMZ and another Big IP in my internal network with my FE pool.


I am a bit confused about the ports that need to be open on different sides of the networks. I understand that the DMZ F5 is going to get its own public IP address which will be NAT'd to my DMZ subnet where my DMZ F5 "lives". I understand also that I will specifically be NAT'ing TCP 80 and 443 to the Big IP.


Using the iApp I am going to have it forward reverse proxy traffic over to my internal Big IP which "lives" on my messaging subnet (just the subnet I have Skype and Exchange running on) and the internal will have the Skype iApp configured to receive the reverse proxy traffic from the DMZ Big IP.


My question is, do I open ports 443 and 80 between the two Big IPs and then have 4443 and 8080 open between the internal Big IP and the FE pool? Or is there something I am missing where I'd open 4443 and 8080 between the two Big IPs (which I don't think is the case, just verifying).


Thanks all!



  • JamesSevedge_23 (Historic F5 Account)

    So when you have a split deployment as mentioned for reverse proxy traffic then big ip 1 (DMZ) would receive traffic and forward to big ip 2 (internal, in front of FE servers) on the already translated port 4443. Big ip 2 will then pass that through to individual FE servers on the same 4443 port.


    So the real answer to your question is between the two big ips you should allow for 80, 8080, 443 and 4443 to ensure traffic processing.
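As an added illustration (not from this thread or the F5 Skype for Business iApp), the hop chain James describes can be expressed as plain tmsh objects; every address below is a constructed placeholder, and the SNAT settings are an assumption that makes the return path land on each BIG-IP's self IP.

```tmsh
# Added example, not iApp output. Addresses are constructed placeholders:
#   10.1.1.50  = DMZ BIG-IP VIP (public IP is NAT'd to this on 443/80)
#   10.2.2.50  = internal BIG-IP VIP on the messaging subnet
#   10.2.2.11, 10.2.2.12 = Skype for Business Front End servers

# --- DMZ BIG-IP: listens on 443/80, forwards to the internal BIG-IP on 4443/8080 ---
create ltm pool sfb_rp_internal_4443 members add { 10.2.2.50:4443 } monitor tcp
create ltm pool sfb_rp_internal_8080 members add { 10.2.2.50:8080 } monitor tcp

# The client hits 443 but the pool member port is 4443; translate-port (on by default)
# rewrites the destination port on the way through. SNAT automap sources the second
# hop from the DMZ self IP, so the internal firewall sees "DMZ self IP -> 10.2.2.50:4443"
# and the internal BIG-IP returns traffic to that self IP, not to the VIP.
create ltm virtual sfb_rp_dmz_443 destination 10.1.1.50:443 ip-protocol tcp profiles add { tcp } pool sfb_rp_internal_4443 translate-port enabled source-address-translation { type automap }
create ltm virtual sfb_rp_dmz_80  destination 10.1.1.50:80  ip-protocol tcp profiles add { tcp } pool sfb_rp_internal_8080 translate-port enabled source-address-translation { type automap }

# --- Internal BIG-IP: receives 4443/8080 and passes them unchanged to the FE pool ---
create ltm pool sfb_fe_4443 members add { 10.2.2.11:4443 10.2.2.12:4443 } monitor tcp
create ltm pool sfb_fe_8080 members add { 10.2.2.11:8080 10.2.2.12:8080 } monitor tcp
create ltm virtual sfb_rp_int_4443 destination 10.2.2.50:4443 ip-protocol tcp profiles add { tcp } pool sfb_fe_4443 source-address-translation { type automap }
create ltm virtual sfb_rp_int_8080 destination 10.2.2.50:8080 ip-protocol tcp profiles add { tcp } pool sfb_fe_8080 source-address-translation { type automap }

# Firewall allow-list (TCP) that this configuration needs, read off the objects above:
#   Internet            -> 10.1.1.50 (DMZ VIP)            : 443, 80
#   DMZ BIG-IP self IP  -> 10.2.2.50 (internal VIP)       : 4443, 8080
#   internal self IP    -> 10.2.2.11, 10.2.2.12 (FE)      : 4443, 8080
# With translation done on the DMZ unit, only 4443/8080 cross the DMZ/internal boundary;
# James's broader list (80, 8080, 443, 4443) also covers a DMZ unit that forwards untranslated.
```

Check a host with `tmsh list ltm virtual <name>` and confirm the pool member port differs from the destination port on the DMZ unit, and matches it on the internal one; that is what decides which ports each firewall segment has to carry.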


    • JamesSevedge_23 (Historic F5 Account)

      That is correct, clarifying is never being dense, just thorough! :)


    • david_baumgart_ (Cirrus)

      So just to be clear, because for some reason I am having a brain glitch when reading that reply (my apologies for being dense!), on the path BACK OUT to DMZ going from internal to external, the VIP is the IP sending back to the DMZ self ip rather than it passing the return process off to the internal self IP, correct?


      This makes sense from a networking perspective, I just wanna make sure I'm 100% clear. Thanks again and sorry for being repetitive!