topic Re: Microsoft Lync 2010 - 2013 in General Topics

Microsoft Lync 2010 - 2013

planotexasguru — Mon, 10 Dec 2012 19:40:27 GMT

Has anyone rolled out MS Lync 2010 servers in your network and worked out the policies & rules for the Lync traffic. If so would someone be willing to share the details. I am very new to the PANOS and i do not want to create security risk.

Thank you in advance,

PlanoGuy

Re: Microsoft Lync 2010 - 2013

msullivan — Mon, 10 Dec 2012 21:08:24 GMT

This is an example of the "Single Consolidated Edge" we are using. Good Luck!

Mike

Re: Microsoft Lync 2010 - 2013

planotexasguru — Mon, 10 Dec 2012 21:51:51 GMT

Thank you for the diagram Mike, it will be usefull. however i am looking for something more basic to the policies and rules and what they will look like in the PA-500 GUI...

Thanks Mike

Re: Microsoft Lync 2010 - 2013

msullivan — Tue, 11 Dec 2012 19:38:23 GMT

Hi Plano,

So in my case, the PAN is the internal firewall. I created custom application for the Lync ports (8057, 5061, 5062, 4443). I created an application group for all the FE -> Edge services that includes the aforementioned ports and additionally included ssl and stun.

I made App Override policies for the Lync ports so they were mapped correctly and implemented security rules per the diagram. So it sort if looks like this:

Custom App:

App Group:

App Override:

Sec Pol:

Obviously, your actual mileage may vary, but this should get you close for the FE <-> Edge server policy.

Cheers,

Mike

Re: Microsoft Lync 2010 - 2013

Anon1 — Tue, 11 Dec 2012 20:03:41 GMT

Hi,

there is a document from Palo Alto Networks and Citrix Netscaler (as load balancer for Lync) describing a reference setup:

http://media.paloaltonetworks.com/documents/panw-netscaler-lync.pdf

Re: Microsoft Lync 2010 - 2013

parkerbc — Wed, 06 Feb 2013 15:16:55 GMT

This is a fantastic document.

Thank you for posting.

Re: Microsoft Lync 2010 - 2013

Sly_Cooper — Tue, 26 Aug 2014 15:51:34 GMT

msullivan - Why do you need to create custom apps and app override policies? Can it not work with service (port) based policies? What setting have you configured for custom apps. I am interested in knowing about the timeout values.

Re: Microsoft Lync 2010 - 2013

msullivan — Tue, 26 Aug 2014 16:59:55 GMT

Hi Sly,

You don't need to setup custom apps and overrides, but I do for two reasons:

- Seeing the app identified makes for better reporting

- If you want reporting and consistant functionality, you best use app overrides because the next App ID update might break production rules. Case in point, some Lync traffic was originally identified as SSL (that's fine with me), then PA came out with an update and now identifies the same traffic over port 443 as ms-lync (or something like that). That broke our clients for a few minutes.

If you want to tune timeouts, you'll need to create a custom app. I use the defautl timeouts for Lync connections, but I do have some custom timeouts for other long lived app connections.

Thanks,

Mike

Re: Microsoft Lync 2010 - 2013

Sly_Cooper — Tue, 23 Sep 2014 08:44:23 GMT

msullivan - can you please share screenshot for the details of custom apps?