In a secure environment, Director Servers are recommended. They are the target for almost all Internet-related traffic, with a single exception – Front End Server Web Services traffic. This is acceptable because that traffic is only established once the initial SIP authentication has been processed.

Web-based traffic does not require any authentication, because Meet and Dial-In requests are redirected to the Director Servers; the security model therefore remains valid.

Note: If this security model is applied, be aware that all internal DNS targets must also point to this Director Pool.

To separate this traffic, simply deploy a second Director Pool and make it the preferred target for internal consolidated access. The DMZ-based Director Pool is then the target defined in the Edge Server NEXT HOP parameter.
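The two configuration points above (the internal DNS targets that must resolve to the Director Pool, and the Edge Server NEXT HOP that must be the DMZ Director Pool) are easy to get out of step when a second pool is added. The following Lync Server Management Shell script is an added example, not code from the original article; it checks both conditions from the inside. The pool FQDNs, the SIP domain and the set of DNS names are assumptions and must be adjusted to your topology.

```powershell
# Added example (not from the original article). Verifies that the internal
# DNS targets for the web services point at the internal Director pool and
# that every Edge Server's next hop is the DMZ Director pool.
# All FQDNs below are assumed placeholder values.

$InternalDirectorPool = 'director-int.contoso.com'   # assumed: internal Director pool FQDN
$DmzDirectorPool      = 'director-dmz.contoso.com'   # assumed: DMZ Director pool FQDN
$SipDomain            = 'contoso.com'                # assumed: SIP domain

$failures = @()

# Resolve the internal Director pool once; the web names must land on these addresses.
$directorIps = (Resolve-DnsName -Name $InternalDirectorPool -Type A -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'A' }).IPAddress

# Internal DNS names that, per the note above, have to point at the Director pool.
$webNames = @("meet.$SipDomain", "dialin.$SipDomain", "lyncdiscoverinternal.$SipDomain")

foreach ($name in $webNames) {
    try {
        $records = Resolve-DnsName -Name $name -ErrorAction Stop
        # Accept either a CNAME to the pool FQDN or A records within the pool's address set.
        $cname = ($records | Where-Object { $_.QueryType -eq 'CNAME' }).NameHost
        $ips   = ($records | Where-Object { $_.QueryType -eq 'A' }).IPAddress
        $viaCname = ($cname -ne $null) -and ($cname.TrimEnd('.') -eq $InternalDirectorPool)
        $viaA     = (@($ips | Where-Object { $directorIps -contains $_ }).Count -gt 0)
        if ($viaCname -or $viaA) {
            Write-Host "OK    $name -> Director pool"
        } else {
            $failures += "$name resolves to [$($ips -join ', ')] / CNAME '$cname', not to $InternalDirectorPool"
        }
    } catch {
        $failures += "$name does not resolve: $($_.Exception.Message)"
    }
}

# Edge Server next hop: Get-CsService -EdgeServer exposes the configured next hop
# in its Registrar property (the value that Set-CsEdgeServer -Registrar sets),
# formatted as "Registrar:<pool FQDN>".
foreach ($edge in Get-CsService -EdgeServer) {
    $nextHop = [string]$edge.Registrar
    if ($nextHop -like "Registrar:$DmzDirectorPool") {
        Write-Host "OK    $($edge.Identity) next hop -> $DmzDirectorPool"
    } else {
        $failures += "$($edge.Identity) next hop is '$nextHop', expected Registrar:$DmzDirectorPool"
    }
}

if ($failures.Count -eq 0) {
    Write-Host 'All checks passed.'
    exit 0
}
$failures | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it from a machine inside the corporate network (so that internal DNS is consulted) with the Lync Server Management Shell loaded; a non-zero exit code means at least one target does not match the intended design and the split between internal and DMZ Director pools should be reviewed before trusting the DMZ boundary.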

The diagram above offers a solution in which the “INSIDE DMZ” zone is treated as the second defence zone and may also be accessed by internal clients. Besides the Director Pool introduced above, there is a Reverse Proxy chain: at least two Proxy Servers configured in a row, each depending on the other.

All external Web Services are published with a listener on the first, Internet-facing Reverse Proxy server. From there, requests are forwarded to its chain member (the second Reverse Proxy), which directs them to the designated destinations.

As described earlier, the Edge Server also has a role in this scenario: its NEXT HOP is configured to point towards the Director Server, so the Edge Server is implemented as an additional security layer.

The Director now handles SIP and Web Service traffic and builds another line of defence.

Note: The Lync Mobility design is probably the most difficult of all designs. As defined in the prerequisites, clients need access to the same Reverse Proxy entry point from both the internal (WLAN) and the external (3G) network. Implementing this with a chained proxy can be difficult. How the internal WLAN client establishes those required connections should be discussed with your internal security officers.