Forum Discussion
CCE - Internal firewall
The traffic from the Internet relayed through Edge server never comes to the internal client network "Directly".
Detailed ref:
https://enablingtechcorp.com/Blog/TabId/777/ArtMID/2450/ArticleID/493/REALLY-IMPORTANT-Skype-for-Business-Edge-Server-Configuration-Note.aspx
Yes, you need firewall rules to allow certain ports and protocols between the mediation server and the client subnet(s), assuming that the client subnet(s) are on different network(s).
Thanks for your answer.
What does not work if you don't configure the rule?
Regarding your answer:
The traffic from the Internet relayed through Edge server never comes to the internal client network "Directly".
I understand this. But if you don't need the rules from mediant to client, why should we configure them? In the security world, the rule is the least privilege to do the job. If I don't configure the rule and everything still works, I don't see the benefit of configuring it.
- thet naing, Sep 25, 2017, Iron Contributor
Yes, you don't need to configure it.
However, some organizations where we deployed the CCE had a firewall (traffic filtering/blocking) between the CCE Mediation server network, for example, 192.168.0.0, and the internal client network, 10.10.10.0. Therefore, we asked them to allow certain ports and protocols between the CCE mediation server network and the client network.
- Michel Hol, Sep 25, 2017, Copper Contributor
My firewall will also block the traffic from mediant to clients. But, if the client initiates the traffic to mediant server, return traffic from mediant to client is allowed.
So, in summary, the rules from mediant to client are not needed as long as return traffic from client to mediant is allowed? Is this correct?
- thet naing, Sep 26, 2017, Iron Contributor
Yes, exactly right.