Publicly Routable DMZ for Microsoft Lync 2010 Edge Servers

mss — Mon, 18 Jun 2012 17:21:18 GMT

Hello all,

I'm hoping you can help me with a problem that has me stumped. I'm trying to configure our PA 5020 to support a Microsoft Lync 2010 server edge environment being load balanced by an F5. Per Microsoft, in order to do this the IP addresses on the edge servers must be publicly routable and cannot employ NAT. Currently, my external interface is configured with a 63.x.x.x/24 address/netmask. We have two DMZ's 10.11.107.1/24 and 10.11.113.1/24 respectively that are taking advantage of NAT's. We have 16 addresses in all that we need to make publicly routable, currently configured to be 63.x.x.120-135. I thought that I could setup a new interface as a public DMZ but was unable to as the IP address ranges on the two interfaces overlapped, so the commit failed. I'm somewhat of a networking novice but I'm pretty sure trying to put those devices in the 107 DMZs won't work as they'll have the wrong gateway address and won't route.

I'm really stumped as to how I can accomplish this without NAT's.

Any help would be greatly appreciated.

Rob Z ,

Re: Publicly Routable DMZ for Microsoft Lync 2010 Edge Servers

mikand — Tue, 19 Jun 2012 09:34:52 GMT

To sum it up:

External: 63.x.x.x/24

DMZ1: 10.11.107.1/24

DMZ2: 10.11.113.1/24

I assume the range at External is a public range handed over to you by your ISP?

This is what I would do:

1) Setup a linknet between your PA and your ISP, for example:

PA: 10.0.0.1/30

ISP: 10.0.0.2/30

2) Instruct your ISP to route that 63.x.x.x/24 with nexthop 10.0.0.1 (or whatever IP your PA end up with).

3) Set your PA to use 10.0.0.2 (or whatever IP your ISP will use) as default gateway.

Now you can setup parts of 63.x.x.x/24 directly on interfaces on your PA aswell as NAT the other IP's to the DMZ's using private IP's (DMZ1 and DMZ2).

So you would end up with (just an example):

External: 10.0.0.1/30 (10.0.0.1 is IP at PA, routed 63.x.x.x/24)

DMZ1: 10.11.107.1/24 (10.11.107.1 is IP at PA, 10.11.107.0-255)

DMZ2: 10.11.113.1/24 (10.11.113.1 is IP at PA, 10.11.113.0-255)

DMZ3: 63.0.0.113/28 (63.0.0.113 is IP at PA, 63.0.0.112-127)

NAT1: 63.0.0.1 -> 10.11.107.2 (or whatever)

NAT2: 63.0.0.44 -> 10.11.113.5 (or whatever)

But if possible I would start to use this range from two sides. Like NATed IPs from the lower part and routed IPs from the higher part (or the other way around 😃

Like so:

External: 10.0.0.1/30 (10.0.0.1 is IP at PA, routed 63.x.x.x/24 from ISP)

DMZ1: 10.11.107.1/24 (10.11.107.1 is IP at PA, 10.11.107.0-255)

DMZ2: 10.11.113.1/24 (10.11.113.1 is IP at PA, 10.11.113.0-255)

DMZ3: 63.0.0.241/28 (63.0.0.241 is IP at PA, 63.0.0.240-255)

NAT1: 63.0.0.1 -> 10.11.107.2 (or whatever)

NAT2: 63.0.0.2 -> 10.11.113.5 (or whatever)

topic Re: Publicly Routable DMZ for Microsoft Lync 2010 Edge Servers in General Topics

Publicly Routable DMZ for Microsoft Lync 2010 Edge Servers

Re: Publicly Routable DMZ for Microsoft Lync 2010 Edge Servers