Firewall Requirements Overview
Wikipedia defines a firewall as a
part of a computer system or network that is designed to block
unauthorized access while permitting authorized communications. It is a
device or set of devices configured to permit or deny computer
applications based on a set of rules and other criteria.
There are several types of firewall techniques, including these:
• Packet Filtering—Packet
filtering inspects packets as they are passed through the network and
rejects or accepts these packets based on defined rules. Typically,
these rules will specify a source and destination address, a port, and
either an allow or deny statement to define the behavior of the packet-filtering
rule. Packet-filtering firewalls are generally fast but can be
difficult to configure for applications that dynamically choose ports
for communications after an initial handshake.
• Application Gateway—Application
gateways apply security enforcement to specific applications. In other
words, the gateway understands the applications and can recognize their
packets. It makes its decisions based on which applications are allowed
to pass through the firewall. Application gateways can be relatively
easy to configure but are generally processor intensive and thus cannot
handle as much throughput as a packet-filtering firewall.
• Proxy/Reverse Proxy Server—A
proxy server intercepts all messages entering and leaving the network.
It inspects the packets and then continues the conversation on behalf
of the protected system. In this way, packets never go directly from
the source to the protected destination or from the protected source
directly to the uncontrolled destination. Like application
gateways, proxy servers are processor intensive.
Network-Based Firewalls
Most implementations of Lync Server involve
some form of a network-based firewall, usually in the DMZ
(demilitarized zone). The purpose of this device is to ensure that only
the necessary services on the Lync Server systems are made available
externally.
To maximize security, it is fairly common to
configure the external services of Lync Server so that not only is
there a firewall between the Internet and the Lync Server servers, but
there also is a firewall between the internal network and the Lync
Server servers. This can be accomplished either with dual firewalls or
by placing the Lync Server servers into a DMZ on a three-or-more-legged
firewall. Dual firewalls are technically more secure because an
attacker who compromised the externally exposed firewall would still
have to compromise a second firewall before gaining access to the
internal hosts.
The first step in implementing this type of
firewall for Lync Server is to understand what services you plan to
make available from outside the network and then to determine exactly
which ports and protocols need to be opened on the firewall.
Ports Required for Internal and External Access
The specific ports that need to be opened on a
firewall vary somewhat depending on what services are placed into the
DMZ and which services need to be accessible from the Internet. This
section summarizes commonly deployed DMZ roles and the ports necessary
to support them. The description calls out the port, traffic type, type
of firewall it applies to (internal or external), and purpose for the
opening. Table 1 describes, in detail, the port requirements for Lync Server 2013.
Note
“Inbound” and “Outbound” refer to the
direction between the Internet or internal network and the specified
Access Edge Service. For example, if the service is A/V Edge, and it
says “Inbound,” you must open the port with the destination address of
the A/V Edge Service IP Address.
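As an added example (not code from the article or from Lync Server), the following Python models the packet-filtering behaviour described earlier in this section and the direction convention in the Note above: rules carry a source, a destination, a protocol, a port range and an allow/deny action, the first matching rule wins, and anything unmatched falls through to a default deny. The "Inbound" and "Outbound" entries are turned into rules by placing the Edge service IP in the destination or the source, respectively. The Edge addresses, the port entries and the sample packets are constructed for the example and do not reproduce Table 1; the media packet shows why a static filter struggles with ports negotiated after the initial handshake until the negotiated range is opened explicitly.

```python
"""Added example (not from the original article): a first-match packet
filter built from Lync-style port requirements.

Assumptions (illustrative only): the Edge service IP addresses, the rule
entries and the sample packets below are constructed for this example and
do not reproduce Table 1 of the article.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp" or "udp"
    dport: tuple             # inclusive (low, high) destination port range
    action: str              # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def rule_from_requirement(service_ip, direction, proto, port, action="allow"):
    """Turn a table-style entry into a rule, following the article's convention:
    'Inbound' means the destination address is the Edge service IP,
    'Outbound' means the source address is the Edge service IP."""
    lo, hi = port if isinstance(port, tuple) else (port, port)
    host = ip_network(f"{service_ip}/32")
    if direction == "Inbound":
        return Rule(ANY, host, proto, (lo, hi), action)
    if direction == "Outbound":
        return Rule(host, ANY, proto, (lo, hi), action)
    raise ValueError(f"unknown direction: {direction}")


def evaluate(rules, pkt, default="deny"):
    """First matching rule wins; an unmatched packet gets the default action."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for r in rules:
        if (src in r.src and dst in r.dst and r.proto == pkt.proto
                and r.dport[0] <= pkt.dport <= r.dport[1]):
            return r.action
    return default


# Constructed sample entries in the shape of the article's table:
# (service IP, direction, protocol, port or port range). Not Table 1.
ACCESS_EDGE_IP = "203.0.113.10"   # assumed address from the documentation range
AV_EDGE_IP = "203.0.113.12"       # assumed address from the documentation range

STATIC_RULES = [
    rule_from_requirement(ACCESS_EDGE_IP, "Inbound", "tcp", 5061),
    rule_from_requirement(AV_EDGE_IP, "Inbound", "udp", 3478),
    rule_from_requirement(AV_EDGE_IP, "Outbound", "udp", 3478),
]

# The same rules plus the media port range negotiated after the initial
# handshake (range chosen for the example, not taken from the article).
RULES_WITH_MEDIA_RANGE = STATIC_RULES + [
    rule_from_requirement(AV_EDGE_IP, "Inbound", "udp", (50000, 59999)),
]


def decisions():
    """Run a few constructed packets through both rule sets."""
    signalling = Packet("198.51.100.7", ACCESS_EDGE_IP, "tcp", 5061)
    wrong_host = Packet("198.51.100.7", AV_EDGE_IP, "tcp", 5061)
    media = Packet("198.51.100.7", AV_EDGE_IP, "udp", 50123)
    return {
        "signalling": evaluate(STATIC_RULES, signalling),
        "signalling_to_av_edge": evaluate(STATIC_RULES, wrong_host),
        "media_static_rules": evaluate(STATIC_RULES, media),
        "media_with_range": evaluate(RULES_WITH_MEDIA_RANGE, media),
    }


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:24s} {verdict}")
```

The rule set is deliberately scoped per service address rather than per firewall, which is what the Note's convention buys you: a port opened for the Access Edge does not silently apply to the A/V Edge, and a dynamically chosen media port is only reachable once its range is listed as its own entry.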
Using Operating System Firewalls
In Windows Server 2003 SP1, Microsoft
introduced an integrated firewall into the Windows operating system. As
with most Microsoft products, it has improved with each iteration.
Flash-forward to Windows Server 2012 and you find that the integrated
firewall is quite good. Lync Server does an excellent job of
integrating into the Windows Server Firewall at the time of
installation.
Layering an operating system layer
firewall with a network layer firewall is an excellent way to improve
overall security of a system with minimal expense. With these two
layered together, if the network firewall becomes compromised, the
attacker has to pierce the OS layer firewall to compromise the systems.
Similarly, given that many attack vectors can come from within the
company itself, the OS layer firewall offers protection from trusted
systems that might become compromised.
Configuring the Windows Server Firewall for Lync Server
If the Windows Firewall is enabled and
started at the time of installation of Lync Server components, the
necessary exceptions are created automatically.
Caution
Although many administrators are tempted to
disable the Windows Firewall, it is certainly worth leaving it in place
with the necessary rules configured. If you are convinced you don’t
want to use the Windows Firewall, and you don’t plan to use a
third-party operating system layer firewall, leave the Windows Firewall
service running, but configure the rules to allow all traffic to pass
unhindered. This prevents possible problems in interacting with the
Windows Filtering Platform.
Tip
If Windows Firewall was off during the first
installation, you can simply turn on Windows Firewall and run the Lync
Server Deployment Wizard to configure Lync Server 2013 Windows Firewall
Rules.
Using Network Address Translation (NAT) with Lync Server
If a single Edge Server is placed behind a
firewall, it is acceptable to enable NAT. NAT effectively takes packets
bound for the firewall and forwards them to hosts inside the firewall
based on port rules. This enables a company with limited numbers of
routable IP addresses to support multiple services with fewer IP
addresses. It also provides a layer of security by requiring the
firewall to process the packet first before it reaches the eventual
destination. In addition, it enables protected systems to hide their IP
information because they never appear to be a source of a packet to a
system on the Internet; the firewall always appears to be the source.
Tip
If you enable NAT for the external firewall,
configure firewall filters that are used for traffic from the Internet
to the Edge Server with Destination Network Address Translation (DNAT).
Similarly, configure and filter for traffic going from the Edge Server
to the Internet with Source Network Address Translation (SNAT).
Note that the inbound and outbound filters for this purpose must use
the same internal and external addresses. If, externally, the Edge
Server is 11.22.33.44 and that address is mapped to an Edge Server at
10.1.1.44, then the mapping for the Edge Server to talk to the Internet
must make traffic from 10.1.1.44 appear to come from 11.22.33.44.
Although this might seem obvious, there are many situations in which
all internal hosts appear to come from the same IP address. This is
called PAT (port address translation) and is sometimes called NAT
overload.
Caution
If multiple Edge Servers are deployed in a
load-balanced fashion, the external firewall cannot be configured for
NAT. Regardless of whether load balancers are used, an internal
firewall used to protect Edge Servers cannot be NAT enabled for the
internal IP address of an Edge Server.
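The NAT guidance in the Tip and Caution above can be checked mechanically. The following Python is an added example, not code from the article or from Lync Server: it takes a description of an Edge deployment and reports where the external firewall's DNAT and SNAT filters use different address pairs, where several internal hosts share one external address (PAT / NAT overload), where NAT is enabled in front of load-balanced Edge Servers, and where an internal firewall NATs an Edge Server's internal address. Only the 11.22.33.44 / 10.1.1.44 pair comes from the article; the other addresses and the deployment samples are constructed.

```python
"""Added example, not code from the article or from Lync Server: a checker
for the Edge Server NAT guidance in the Tip and Caution above.

All addresses except the article's 11.22.33.44 / 10.1.1.44 pair are
constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    kind: str      # "DNAT" = Internet -> Edge, "SNAT" = Edge -> Internet
    external: str  # routable address presented on the Internet side
    internal: str  # Edge Server (or other host) address behind the firewall


@dataclass
class EdgeDeployment:
    edge_servers: list        # internal addresses of the Edge Servers
    external_nat: bool        # NAT enabled on the external firewall
    external_rules: list      # NatRule entries on the external firewall
    internal_natted: list     # internal addresses the internal firewall NATs


def audit(dep):
    """Return a list of findings; an empty list means the deployment follows
    the article's NAT guidance."""
    findings = []
    for edge in dep.edge_servers:
        if edge in dep.internal_natted:
            findings.append(f"internal firewall must not NAT Edge address {edge}")
    if not dep.external_nat:
        return findings  # nothing else to check when the external firewall does not NAT
    if len(dep.edge_servers) > 1:
        findings.append("NAT is enabled on the external firewall but the Edge "
                        "Servers are load balanced; NAT is not supported here")
    dnat = {r.internal: r.external for r in dep.external_rules if r.kind == "DNAT"}
    snat = {r.internal: r.external for r in dep.external_rules if r.kind == "SNAT"}
    for edge in dep.edge_servers:
        if edge not in dnat:
            findings.append(f"no DNAT filter delivers Internet traffic to {edge}")
        if edge not in snat:
            findings.append(f"no SNAT filter for traffic from {edge} to the Internet")
        if edge in dnat and edge in snat and dnat[edge] != snat[edge]:
            findings.append(f"asymmetric NAT for {edge}: inbound uses {dnat[edge]}, "
                            f"outbound uses {snat[edge]}")
    # PAT / NAT overload: more than one internal host sharing one external address
    per_external = Counter(r.external for r in dep.external_rules if r.kind == "SNAT")
    for ext, count in per_external.items():
        if count > 1:
            findings.append(f"PAT/NAT overload: {count} internal hosts share {ext}")
    return findings


# The article's own example pair, plus constructed neighbours.
EXT, EDGE = "11.22.33.44", "10.1.1.44"
EXT2, EDGE2, FILE_SRV = "11.22.33.45", "10.1.1.45", "10.1.1.80"  # constructed

SAMPLES = {
    "single_edge_ok": EdgeDeployment(
        [EDGE], True,
        [NatRule("DNAT", EXT, EDGE), NatRule("SNAT", EXT, EDGE)], []),
    "asymmetric": EdgeDeployment(
        [EDGE], True,
        [NatRule("DNAT", EXT, EDGE), NatRule("SNAT", EXT2, EDGE)], []),
    "pat_overload": EdgeDeployment(
        [EDGE], True,
        [NatRule("DNAT", EXT, EDGE), NatRule("SNAT", EXT, EDGE),
         NatRule("SNAT", EXT, FILE_SRV)], []),
    "load_balanced_with_nat": EdgeDeployment(
        [EDGE, EDGE2], True,
        [NatRule("DNAT", EXT, EDGE), NatRule("SNAT", EXT, EDGE),
         NatRule("DNAT", EXT2, EDGE2), NatRule("SNAT", EXT2, EDGE2)], []),
    "internal_fw_nats_edge": EdgeDeployment(
        [EDGE], False, [], [EDGE]),
}


def audit_samples():
    """Audit every constructed deployment and return its findings by name."""
    return {name: audit(dep) for name, dep in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {findings or 'OK'}")
```

The PAT check keys on the SNAT side because that is where overload shows up: a one-to-one DNAT can look correct while the return path still collapses every internal host onto the firewall's address, which is exactly the situation the Tip warns about.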