Screen OS

  • 1.  SSG 20 and Microsoft Lync

    Posted 10-27-2011 13:17

    I deployed a Microsoft Lync Edge server in a DMZ and am having problems with certain ports making it through the firewall.

    I have 2 DMZs set up with the server in between.  One of the NICs is facing one DMZ and that is natted to the internet.  The other NIC is in another DMZ and that is routing to the internal network.  The Edge server acts as a proxy to let the software client log into the internal Lync server.

    Internet -->nat--->EXTERNAL DMZ<-----edge server---->INTERNAL DMZ---->LAN

    The problem is I cannot get the UDP/TCP port range 50000-59999 to pass from the edge server into the internal network.  I have a policy allowing all traffic from the LAN to the INTERNAL-DMZ and a policy allowing all traffic from the INTERNAL-DMZ to the LAN (if I could ever get it working I would tighten this down).

    Some traffic passes through as the clients can log in and do IM, but the application sharing and media features that use these higher ports fail.  The signaling messages get through but the media does not.

    I have verified it is the SSG because I moved the internal NIC of the EDGE server to a switch, routed traffic between the LAN and internal edge NIC and everything works fine.

    I have disabled SIP ALG as well as tcp-syn-check.  Any ideas why it isn't letting this traffic through?  Any better debugs I can run to get more insight?  debug flow drop and debug flow basic are not showing me anything.

    Thanks!

    EDIT-------going over my traffic flow, I think I found my issue, still need advice solving it though.  My LAN facing interface on the SSG is natted and the default GW for my LAN, so I believe the traffic is being natted to/from the LAN to the internal DMZ.  I have read that maybe I should disable NAT on the interface and use policy based natting?



  • 2.  RE: SSG 20 and Microsoft Lync
    Best Answer

    Posted 10-28-2011 03:39

    I haven't used Lync server so I can't comment on that.

    But you are correct that you should remove the interface NAT for your LAN and update your internet policy to include NAT there.

    1-change the check from nat to route

    2-A-find the trust to untrust policy that allows internet access and hit edit

    2-B-hit the advanced button and then select the nat source on egress interface option
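
    The same three steps expressed as ScreenOS CLI commands, added here as an illustration and not part of any post in this thread. The interface names (ethernet0/0 as the LAN-facing Trust interface), the zone names Trust/Untrust and the policy id 10 are assumptions standing in for whatever the original poster's SSG 20 uses; lines beginning with `#` are annotations, not CLI commands.

```screenos
# Step 1: move the LAN-facing interface from NAT mode to route mode.
# After this, LAN <-> INTERNAL-DMZ traffic is routed without
# translation, so the 50000-59999 media ports arrive with their
# real source addresses.
# (ethernet0/0 is an assumed interface name.)
set interface ethernet0/0 route

# Steps 2-A / 2-B: the existing Trust -> Untrust Internet policy
# (assumed id 10) is recreated with "nat src". With no address or
# pool given, "nat src" translates to the egress interface's own IP,
# which is what the GUI's "nat source on egress interface" option sets.
# Recreating the policy briefly removes it, so do this in a window
# where a short loss of Internet access is acceptable.
unset policy id 10
set policy id 10 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit

# Verification: the interface should now report route mode, and the
# policy output should show the source NAT attribute.
get interface ethernet0/0
get policy id 10

# Commit the running configuration to flash.
save
```

    Existing INTERNAL-DMZ <-> Trust policies stay as plain route permits; only the Internet-bound policy carries NAT. Once the media ports flow, the "allow all" INTERNAL-DMZ to LAN policy can be narrowed to the Edge server's internal address and the specific port ranges it needs.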




  • 3.  RE: SSG 20 and Microsoft Lync

    Posted 10-29-2011 09:34

    That's what I thought.  Thanks for the input.