Straddling the Internal Firewall

Another firewall topology that, unfortunately, is used too often is where the internal interface of the Edge Server does not pass through any firewall. Instead, it straddles the firewall by being connected directly to the internal network. Administrators still secure the external adapter in this scenario. However, instead of creating the appropriate rules for the internal adapter, they just place it on the internal network, as shown in Figure 31.5.

Figure 31.5. Lync Server firewall straddling.

There is not much benefit to straddling a firewall with the internal adapter, and there are real risks associated with placing the internal adapter directly on the internal network. The Edge Server is designed to be a layer of defense between Internet clients and internal users, but there is no separation between the Edge Server and the internal network if the Edge Server can communicate with any internal client on any port. If the time has been taken to properly secure the external adapter, much of the hard work has already been completed, and it shouldn’t be difficult to complete the remaining firewall rules to properly secure the server.

Organizations should spend the extra time to properly secure the internal adapter to protect the rest of the Lync Server infrastructure. If a second perimeter network VLAN does not exist, a business should spend time planning to add one to meet the requirements of each Edge adapter being in a separate network.


Tip

Microsoft has designed the Edge Server to be secured properly on both the internal- and the external-facing interfaces. Therefore, always avoid placing the internal adapter directly on the internal network whenever possible.


As a last resort, it is technically possible to place both Edge Server adapters on the same network, but organizations run a risk with this configuration because it is not technically supported. However, some organizations might not allow any device to straddle two perimeter network VLANs, so there might not be another choice. This scenario is a bit more complicated and requires careful planning and configuration of static route commands on each Edge Server.
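The two misconfigurations discussed in this section (an internal adapter placed directly on the internal network, and both adapters on the same network) are easy to spot from the adapter addressing alone. The following PowerShell audit is an added example, not code from the book or from Microsoft. It assumes the usual Edge design in which only the external adapter carries a default gateway and the internal adapter reaches internal networks through static routes; the hashtable parameter shape, the function names, and every address and subnet are constructed for the example.

```powershell
# Added example, not from the book: audit an Edge Server's two adapters for the
# "straddling" and same-network topologies described in this section.
# Assumption: only the external adapter has a default gateway; the internal
# adapter reaches internal subnets through static routes.

function ConvertTo-IPv4Number {
    param([string]$IPv4)
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    [Array]::Reverse($bytes)          # network byte order -> little-endian for BitConverter
    return [uint32][BitConverter]::ToUInt32($bytes, 0)
}

function Get-NetworkId {
    # Returns "a.b.c.d/prefix" for the network that contains $IPv4.
    param([string]$IPv4, [int]$PrefixLength)
    $mask = [uint64]0
    if ($PrefixLength -gt 0) {
        $mask = (([uint64]1 -shl $PrefixLength) - 1) -shl (32 - $PrefixLength)
    }
    $net = [uint32]((ConvertTo-IPv4Number $IPv4) -band $mask)
    $bytes = [BitConverter]::GetBytes($net)
    [Array]::Reverse($bytes)
    return "{0}/{1}" -f ([System.Net.IPAddress]::new($bytes).ToString()), $PrefixLength
}

function Test-SubnetContains {
    # True if $IPv4 falls inside the CIDR block $Cidr (for example "10.10.0.0/16").
    param([string]$Cidr, [string]$IPv4)
    $base, $prefix = $Cidr.Split('/')
    return (Get-NetworkId $IPv4 ([int]$prefix)) -eq (Get-NetworkId $base ([int]$prefix))
}

function Test-EdgeAdapterPlacement {
    param(
        [hashtable]$Internal,        # keys: IP, PrefixLength, DefaultGateway ($null if none)
        [hashtable]$External,
        [string[]]$InternalSubnets,  # networks holding internal users and Lync pools
        [string[]]$StaticRoutes      # destination prefixes routed via the internal adapter
    )
    $findings = @()
    $intNet = Get-NetworkId $Internal.IP $Internal.PrefixLength
    $extNet = Get-NetworkId $External.IP $External.PrefixLength

    if ($intNet -eq $extNet) {
        $findings += "Both adapters are on $intNet; a shared network is not a supported Edge configuration."
    }
    foreach ($subnet in $InternalSubnets) {
        if (Test-SubnetContains $subnet $Internal.IP) {
            $findings += "Internal adapter ($($Internal.IP)) sits directly on internal network $subnet: it is straddling the firewall."
        }
        elseif ($StaticRoutes -notcontains $subnet) {
            $findings += "No static route to $subnet via the internal adapter; that traffic would fall back to the external default gateway."
        }
    }
    if ($Internal.DefaultGateway) {
        $findings += "Internal adapter has a default gateway ($($Internal.DefaultGateway)); only the external adapter should carry one."
    }
    if (-not $External.DefaultGateway) {
        $findings += "External adapter has no default gateway; Internet-facing traffic cannot be routed."
    }
    return ,$findings
}

# Constructed sample 1: the straddling topology of Figure 31.5. The internal adapter
# was given an address on the corporate LAN instead of on a perimeter VLAN.
$internalSubnets = @('10.10.0.0/16')              # constructed corporate LAN
$straddling = Test-EdgeAdapterPlacement `
    -Internal @{ IP = '10.10.5.20';   PrefixLength = 16; DefaultGateway = '10.10.0.1' } `
    -External @{ IP = '203.0.113.20'; PrefixLength = 24; DefaultGateway = '203.0.113.1' } `
    -InternalSubnets $internalSubnets `
    -StaticRoutes @()

# Constructed sample 2: the recommended layout. The internal adapter is on its own
# perimeter VLAN, has no default gateway, and static routes cover the internal networks.
$recommended = Test-EdgeAdapterPlacement `
    -Internal @{ IP = '192.168.50.20'; PrefixLength = 24; DefaultGateway = $null } `
    -External @{ IP = '203.0.113.20';  PrefixLength = 24; DefaultGateway = '203.0.113.1' } `
    -InternalSubnets $internalSubnets `
    -StaticRoutes @('10.10.0.0/16')

"Straddling topology findings:"; $straddling | ForEach-Object { " - $_" }
"Recommended topology findings: $($recommended.Count)"

# On a live Edge Server the same values can be collected with the built-in cmdlets, e.g.
#   $cfg = Get-NetIPConfiguration -InterfaceAlias 'Internal'
#   @{ IP = $cfg.IPv4Address.IPAddress; PrefixLength = $cfg.IPv4Address.PrefixLength;
#      DefaultGateway = $cfg.IPv4DefaultGateway.NextHop }
#   (Get-NetRoute -InterfaceAlias 'Internal' -AddressFamily IPv4).DestinationPrefix
```

The first sample produces two findings (the internal adapter is on the internal network, and it carries a default gateway); the second produces none. The check only reasons about addressing and routing, so a clean result still has to be paired with the per-port firewall rules for the internal adapter that the section asks for.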
