Thanks. I’d set it on either the Access Edge or the Web Conferencing Edge NIC.

Elan

OPTION 1:
————-
In essence, that was the simple answer. There is a physical port on the firewall; 3rd port. Typically it is used for DMZ which can be used for my second set of public ip ranges for OCS use. Another way could be have a hub of the first port which the Edge Server hangs off of (option 2 below).

OPTION 2:
————-
Internet—Router—Firewall——————–LAN Switch——Internal Computers
**************Firewall—-Hub on public interface port——–Edge Server

On the firewall, I would just create a rule that alows that 1 public ip for the Edge Role (A/V) to communicate with internal OCS servers.

Thanks again for inspiring and bringing clarity. These options above are SORELY missing or lacking in simplicity in Microsoft Documents or anywhere else!

Since I am not a firewall person, and I only have 3 interfaces to work with (only Standard Setup with 2 servers), how do you propose I configure this? I have 10 public ip’s; 1 for the external interface if SonicWall, and 4 public ip’s as one-to-one NAT (208.x.x.x). The 2nd interface is my for my internal LAN (192.168.18.x). The last interface is not used for DMZ at all. Please note I only have two servers to work with for 50 users for OCS 2007.

How would you propose I configure my firewall to accomodate this - not how, but sample diagram or setup? My immediate question is how can I have an Edge server with a public ip with NO NAT at all - like one-to-one NAT?! How to do this with my setup? Thanks.

http://technet.microsoft.com/en-us/library/bb663639.aspx

Question: Have you prepared any documentation that addresses the specific configuration of the ISA Server firewall policies that will allow external Office Communicator 2007 clients to connect through the ISA Server? I’ve been going around and around on this for a long time…

Ken Peterson

So let’s say we went with Method 1

Nic #1 - A/V Edge (Public IP)
Nic #2 - Access Edge (DMZ IP)
Nic #3 - Web Conferencing Edge (DMZ IP)
Nic #4 - Internal (Internal IP)

The Windows Operating System can only have 1 default route (0.0.0.0). This default route’s next hop is the default gateway. Because of this, you have 2 options:
Option #1 - Ensure this default gateway knows how to route to the internet, your DMZ, and all internal subnets. If it does, and you want to use this router, you will have to make sure all necessary ports are open. If this is unacceptable to you and you do not want to open all the required ports to the internal network, you can go to option #2.
Option #2 - Ensure this default gateway knows how to route to the internet and DMZ. For your internal subnets, you would create a static route to your internal network. This way, you’re creating a second gateway for certain traffic before it hits the default route. This way, your internal traffic does not go through your edge router and goes directly from OCS to the internal router which would be more secure.

For this custom route that routes traffic directly to a router on the inside of your corporate network, you would do something like:
route add 192.168.119.0 mask 255.255.255.0 192.168.119.2

So in this command, we want to send traffic destined to the 192.168.119.x network that uses a subnet of 255.255.255.0 with the next hop (gateway) being 192.168.119.2 (our router on the internal corporate network).

Does this help?

could you please explain in more detail the part for the IP configuration for TCP/IP please? sorry i don’t understand :)

is the default gateway assigned by VMWare?

thanks, appreciate help.