CirrusFirewall config for Skype for Business Reverse Proxy
Hey Everyone:
I recently completed setting up an edge pool for my Skype for Business 2015 deployment and all of my services are working as intended (IM/Presence and Video calls). I now wish to deploy reverse proxy services to allow mobile devices to connect externally. Fortunately for me I just so happen to have a Big IP in my DMZ and another Big IP in my internal network with my FE pool.
I am a bit confused about the ports that need to be open on different sides of the networks. I understand that the DMZ F5 is going to get it's own public IP address which will be NAT'd to my DMZ subnet where my DMZ F5 "lives". I understand also that I will specifically be NAT'ing TCP 80 and 443 to the Big IP.
Using the iApp I am going to have it forward reverse proxy traffic over to my internal Big IP which "lives" on my messaging subnet (just the subnet I have Skype and Exchange running on) and the internal will have the Skype iApp configured to receive the reverse proxy traffic from the DMZ Bip IP.
My question is, do I open ports 443 and 80 between the two Big IP's and then have 4443 and 8080 open between the internal Bip Ip and the FE pool? Or is there something I am missing where I'd open 4443 and 8080 between the two Big IP's (which I don't think is the case, just verifying).
Thanks all!
So when you have a split deployment as mentioned for reverse proxy traffic then big ip 1(DMZ) would receive traffic and forward to big ip 2 (internal, in front of FE servers) on the already translated port 4443. Big ip 2 will then pass that through to individual FE servers on the same 4443 port.
So the real answer to your question is between the two big ip's you should allow for 80, 8080, 443 and 4443 to ensure traffic processing.
