TMG and Lync Firewall Rules for NAT

Intro information  

This blog describes how you can configure a Microsoft Forefront Threat Management Gateway server (TMG) to allow external users connect to our on-premises Lync environment.

The environment contains only 2 public routable IP addresses, Microsoft recommends 3 IP addresses for the Edge server and 1 for the Reverse Proxy. But in some environments there is no other way then to use less addresses.

The environment is built with an Active Directory based on Windows 2008 R2 and a Microsoft Lync Server 2010 environment setup on the same OS. The Lync environment contains a Front End server and one consolidated Edge server.  

Assumptions   

  • The environment has two public routable IP Addresses 80.150.194.3 and 80.150.194.4
  • The LAN interface is directly connected to the LAN
  • The following DNS names are registered for the following services
    • 80.150.194.3 – sip.lab.nl – IM, Presence and Federation
    • 80.150.194.3 – webconf.lab.nl – Web Conferencing Edge Service
    • 80.150.194.3 – av.lab.nl – A/V Service
    • 80.150.194.4 – lync.lab.nl – Web Components
  • DMZ is internally routed and for external access we will configure Network Adress Translation (NAT).

NAT: Short for Network Address Translation, an Internet standard that enables a local-area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. A NAT box located where the LAN meets the Internet makes all necessary IP address translations 

Pre Requirements 

  • A configured Lync Front End and Edge environment
  • The Thread Management Gateway Server is already installed and connected to the network
  • TMG interfaces are ready with IP addresses configured as we can see in the figure below
  • TMG server contains 3 interfaces, LAN, DMZ and WAN
  • In this example the NICs are configured as follows:
    • LAN: 192.168.1.250/24 with DNS to DC
    • DMZ: 172.16.1.250/16 no DNS
    • WAN: 80.150.194.(3,4)/29 no DNS
  • Binding order: LAN, DMZ, WAN
  • TMG contains internal Root certificate
  • TMG contains external certificate for Lync

  

TMG Basic Configuration  

To start the configuration of the TMG server we will have to decide which network setup the TMG server is configured. As seen in the figure below, we can identify it is a 3 leg perimeter setup.  

 

When we first run the TMG management snap-in we will be confronted with a small setup. This setup contains 3 basic steps. The first one is Configure Network Settings. Press 1) Configure Network settings;  

  1. Press 1) Configure Network settings;
  2. The setup wizard will be started;
  3. Press next to start the Network Setup Wizard;
  4. In the “network Template Selector” screen we will choose 3-Leg Permiter;
  5. On the page of the LAN Settings we will choose the LAN interface;
  6. On the Internet settings page we will choose the WAN interface;
  7. On the last screen, Perimiter Network Settings we will configure the last interface DMZ. We choose Private network because we want to internally route the network. On the external side we will configure NAT for translating the public address to a private address.
  8. Press finish to complete the wizard;

Steps 2 and 3 we will not describe, you can finish them as you want. 

Unrestricted Internet Access 

We will assume that the internal systems are trusted, so we will give them fully internet access. We must configure an access as described below. 

  1. Open Firewall Policy -> Menu Action -> New -> Access rule;
  2. Give the rule an appropriate name and click next;
  3. The rule action will be allow. Click next;
  4. We will allow all outbound traffic, so selected all outbound traffic and click next;
  5. As sources for the Access rule we will configure Internal and DMZ, click next;
  6. As destination we will provide External, select it and click next;
  7. We want to allow all users the use of this role, select it and click next;
  8. Press finish to create this rule;

Create Objects 

To allow traffic we must create some objects. The objects are described below. 

Computer Objects

NameAddressNAT Address
Access Edge172.16.1.2180.150.194.3
WebConf Edge172.16.1.2280.150.194.3
AV Edge172.16.1.2380.150.194.3
Reverse ProxyFront End80.150.194.4

Protocol Objects
NameTCP or UDPPortsInbound/Outbound
Access ServicesTCP443
5061
Inbound
Webconf ServicesTCP444Inbound
AV ServicesTCP and UDP445 TCP
50000-59999 TCP
50000-59999 UDP
3478 UDP
Inbound

*Configure Receive Send 

Create NAT Rule 

We will have to create one NAT rule. You can configure this rule within the networking screen under the networking rules tab.

To create this configuration, please follow these steps:   

  1. Go to Networking and select the tab Network Rules;
  2. Go to the menu Action -> New -> Network Rule;
  3. Give the rule a appropriate name and click next;
  4. Select all internal machines  and click next;
  5. As destination we will provide the external object and click next;
  6. We want to use NAT, select this and click next;
  7. As IP Address we will configure the 80.150.194.3 address and then we will click next;
  8. Press finish to create the rule;

We will have to crwate the following rule:

NameRelationSourceDestinationNAT Address
Access, WebConf, AV NAT NATAccess Edge
WebConf Edge
AV Edge
External80.150.194.3
 

Create non-Web Server Publishing Rule 

We will have to create 3 non Webserver publishing rules to allow traffic from external sources to our Lync environment. Please follow the instructions: 

  • Go to  Firewall Policy -> Menu Action -> New -> non-WebServer publishing rule;
  • Give the rule an appropriate name and press next;
  • Enter the internal address of the server and press next;
  • Select the protocol set and press next;
  • Select here the external object and click on address;
  • Select the 3rd option and choose the right IP address add it, then click OK
  • Press next to continue
  • Press finish to create the rule;

You have to configure the following rules:

NameActionProtocollsSourceDestination
Access ServicesAllowAccess ServicesExternal172.16.1.21
WebConf ServicesAllowWebConf servicesExternal172.16.1.22
AV ServicesAllowAV ServicesExternal172.16.1.23
 

Reversed Proxy

The Front End server of Lync provides some features that you may want to publish to your own external users. The Front end server is normally not connected to the internet without a Firewall. To make use of the feature set of the Front end, we will have to create a Reverse proxy configuration. 

The Front End server provides the following features to external users:

  • To enable external users to download meeting content for your meetings.
  • To enable remote users to expand distribution groups.
  • To enable remote users to download files from the Address Book Service.

To configure a Reverse Proxy, we will have to make two separate configurations. These are Create Web listener and Create Web Site Publishing Rule

Create Web listener 

  1. Go to Firewall Policy;
  2. In the toolbox you choose  Network Objects, select Web listeners;
  3. Press on  New -> Web Listener;
  4. Give the listener an appropriate name and click next;
  5. We want to make use of SSL, click next;
  6. Select here the external object, click on select IP address;
  7. Select here 80.150.194.4 click OK and the click next;
  8. Select here the external certificate we have installed and click next;
  9. We do not want the TMG to handle off the authentication, select No Authentication click next;
  10. There will be no Single Sign on click next;
  11. Press finish to create the listener;

Create Web Site Publishing Rule 

  1. Go to Firewall Policy;
  2. Go to menu Action -> New -> Web Site Publishing Rule;
  3. Give the rule an appropriate name and click next;
  4. The rule action will be allow, click next;
  5. We select publish single website or load balancer and then press next;
  6. We will use SSL, select this and then click next;
  7. In this screen we will have to configure the internal FQDN of the FE server, click next;
  8. On this screen we will configure the /* as path, click next;
  9. On this screen we will have to provide the external name, enter this and click next;
  10. On the screen for the web listener we select the just created listener and click next;
  11. Leave delegation default and click next;
  12. We want to allow all users the use of this rule, click next;
  13. Press finish to create this rule;
NameActionProtocollsSourceDestination
Lync Reverse ProxyAllowHTTPSExternallyncfe.lab.local

Because the Front End server is listening on a different port for external connections we have to modify the redirection of the rule. Open the Reverse proxy rule and open the tab Bridging. Now enable the options Redirect requests to HTTP port and Redirect requests to SSL port aan. Choose for HTTP 8080 and for SSL 4443. Click on OK to save the rule. 

Rule Base  
As we finalized the configuration, we will end up with the following rule base for the environment. Clients will now be able to connect from external networks and have all the Lync available features. This does not imply Exchange/Outlook features. 

This entry was posted in Nieuws, Servers. Bookmark the permalink.

16 Responses to TMG and Lync Firewall Rules for NAT

  1. Ted Weiss says:

    How do you account for the ‘next hop’ IP address that you usually need for an edge deployment? I see you have 3 IPs for the external side of the edge server – but not an ‘internal’ IP for the internal side (even though its the same subnet/nic etc).

  2. Jeff Schertz says:

    Have you actually tested ICE media negotiation with this configuration? Microsoft still states that TMG is not a supported NAT firewall if the Edge A/V is using private addresses, just as ISA was not supported.

    • Hey Jeff,

      I’ve looked everywhere and can’t find an official-looking statement from Microsoft about the supportability or otherwise for TMG2010 as an Edge firewall. Can you point me to where you’ve found this??

      Thanks,

      G.

  3. webproxy says:

    I don?t even know how I ended up here, however I assumed this submit was once good. I do not realize who you’re but certainly you are going to a well-known blogger should you aren’t already ;) Cheers!

  4. Rasheedah says:

    I like this blog but my question is the same as Jeff’s.

  5. Moonty says:

    When I Configure This User CANT Login From Router BUT CAN LOGIN LYNC from direct public ip
    2- when test microsoft ocs site Testing SSLCertificate for validity

    test rproxy Work Fine but Question
    My Simple Url
    lync.sample.com/meet
    lync.sample.com/dialin
    lync.sample.com/admin
    I Want To Deny anyone type admin from external and across my lync control

    Thanks

  6. Tomas says:

    Hi

    same comment as Ted had, don’t you need to have second interface for Edge? how you then configure it?

    thanks.

    br, tomas

  7. Jerrid W. says:

    I’m very new to this, but I believe he mentions that the internal NIC is connected directly to the internal network. If that is the case, while this makes the deployment less complicated, I don’t see a lot of companies willing to allow a Windows box with one leg in the DMZ and one in the internal network. It’s tough enough to convince a security department to even allow a Windows box with TMG installed to do that.

    Either way, this article has been very help to me and I appreciate it!

  8. Normally I don’t learn article on blogs, however I wish to say that this write-up very pressured me to check out and do it! Your writing style has been surprised me. Thank you, quite nice article.

  9. Mark says:

    Excellent article. It is unfortunate that there’s no way to use the two public IPs (one for the web services and the other for the combined AE, WC and AV) and have it all on 443. I can see no way to do that without using all 4 public IPs.

  10. Efe says:

    thanks for blog but my question is the same as Jeff’s.
    is this configuration really working with AV communications?

  11. Jelle Balk says:

    In response to questions of Jeff and Efe, AV communications is working fine. I have done all required AV tests and all have finished in a working situation. If you have a situation that is not working, do not hesitate to contact me.

    Jelle Balk

  12. Mohammed J.H says:

    I have deployed lync standard edition and followed this article to publish lync server on TMG! I have had no issue what so ever! Desktop sharing works, Audio and video are working, All lync features are working fine!

    The only thing which I can’t see is that RTP packets are being declined on TMG and i’m not sure how voice is working since RTP packets are dropping! I can see there’s a successful connection being natted from my external IP address to DMZ IP address on Lync Edge.

    Another thing is, I’m using mobility application server “Maxmobile” by Altigen and with a different lync deployment which doesn’t have a firewall at all. it works fine!

    However with my new lync deployment on TMG! call comes but no voice at all. Not sure if this is related but it’s weird since RTP is not allowed and there’s voice in calls to GSM, to federated partners, to meetings .etc

    any ideas?

  13. Lionel says:

    Hi,

    On the basis that you have

    1) managed to successfully NAT the Edge services through TMG;
    2) you have already deviated from the default 443 ports for WebConf and AV;

    Why not change the port for Access services too and have the whole implementation possible with 1 IP?

    Just curious why this can’t be done under the circumstances.

  14. Jelle Balk says:

    Dear Lionel,

    The solution is based on 1 public IP address, the access services is based on port 5061, as well as the federation port.

    With regards,

    Jelle Balk

  15. Asif says:

    Hi
    From your diagram you use one NIC for Edge Server. I read few blogs and they advice to use 2 NICs for edge server. Please advice

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>