Please Don’t Put Your Skype Edge Internal Interface on the LAN

This has come up on TechNet uncountable times. I’ve seen it in deployments large and small. I’ve seen it so much that I feel it needs a large font.

TECHNET DOES NOT SUGGEST YOU PUT YOUR EDGE ON THE INTERNAL LAN. PLEASE DON’T DO THIS.

Every edge server should have two interfaces, one internal facing and one external facing. I realize that the TechNet documentation doesn’t always use the clearest language, and we see articles like this that state “On your internal interface, configure one static IP on the internal perimeter network subnet”.

However, “internal perimeter network” does not mean your internal network. A perimeter network is also often called a DMZ: a separate network, firewalled from all other networks.

PUTTING YOUR EDGE SERVER WITH ONE LEG IN A DMZ AND ANOTHER ON YOUR INTERNAL LAN BYPASSES YOUR FIREWALL AND IS BAD SECURITY PRACTICE.

Instead, TechNet is suggesting two separate perimeter networks (or DMZs): an external facing one that can communicate with the Internet via a firewall or with access control, and a separate internal facing one that communicates with internal servers and workstations via a firewall. These two networks should not be able to route to each other, and only the necessary ports should be opened.
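The placement rules above are easy to state and easy to get wrong in a change ticket, so here is a small audit that encodes them: two legs, neither leg in an internal LAN range, and the two legs in distinct, non-overlapping perimeter subnets. This is an added example, not code from the original post or from Microsoft; the LAN ranges and Edge addresses in it are constructed sample values, and the "internal"/"external" role names are my own labels.

```python
"""Audit a Skype for Business Edge server's interface placement against
the two-perimeter-network layout described in the post.

Added example, not part of the original post. Every address below is a
constructed sample value, not taken from any real deployment.
"""
from ipaddress import ip_interface, ip_network
from typing import Dict, List

# Constructed sample of the organisation's internal LAN ranges (assumption).
INTERNAL_LAN = ["10.0.0.0/16", "192.168.0.0/16"]


def audit_edge_topology(interfaces: Dict[str, str],
                        internal_lan: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the layout follows the post.

    `interfaces` maps a role ("internal" / "external") to that leg's address
    in CIDR notation, e.g. {"internal": "172.16.20.5/24",
                            "external": "172.16.10.5/24"}.
    """
    findings: List[str] = []
    lan = [ip_network(n) for n in internal_lan]

    # Rule 1: an Edge has exactly two legs, one internal-facing and one
    # external-facing. Anything else is not the supported shape.
    if set(interfaces) != {"internal", "external"}:
        findings.append("edge must have exactly an 'internal' and an "
                        "'external' interface")
        return findings

    internal = ip_interface(interfaces["internal"])
    external = ip_interface(interfaces["external"])

    # Rule 2: both legs live in a perimeter network, never in the internal
    # LAN. A leg on the LAN lets traffic bypass the firewall entirely.
    for role, iface in (("internal", internal), ("external", external)):
        for net in lan:
            if iface.ip in net:
                findings.append(
                    f"{role} interface {iface.ip} sits in internal LAN {net}; "
                    "this puts the Edge straight onto the LAN and bypasses "
                    "the firewall")

    # Rule 3: the two legs must be in separate, non-overlapping subnets so
    # the host's own routing between them is unambiguous.
    if internal.network == external.network:
        findings.append(
            f"both interfaces are in {internal.network}; internal and "
            "external legs need distinct subnets")
    elif internal.network.overlaps(external.network):
        findings.append(
            f"internal subnet {internal.network} overlaps external subnet "
            f"{external.network}")

    return findings


if __name__ == "__main__":
    # A layout the post warns against: internal leg parked on the LAN.
    bad = {"internal": "10.0.5.20/24", "external": "172.16.10.5/24"}
    # The recommended layout: two separate perimeter subnets.
    good = {"internal": "172.16.20.5/24", "external": "172.16.10.5/24"}
    for name, layout in (("bad", bad), ("good", good)):
        result = audit_edge_topology(layout, INTERNAL_LAN) or ["OK"]
        print(f"{name}: " + "; ".join(result))
```

The check only covers what can be decided from addressing. Whether the two perimeter networks can actually route to each other, and whether more than the necessary ports are open between them, has to be confirmed on the firewall itself, not on the Edge.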


4 thoughts on “Please Don’t Put Your Skype Edge Internal Interface on the LAN”

  1. Trevor Miller

    I’m with you in that in ideal circumstances (and how MSFT designed it) the edge server should have interfaces that exist within two DMZ networks. The reality is that many customers don’t have dual-DMZ network segments and sometimes the only option is to put the external interface in the DMZ and the internal interface on an internal subnet/VLAN. Yes, it’s best practices NOT to, but that doesn’t mean it doesn’t work. At a bare minimum, what is REALLY required is two separate subnets so that IP routing doesn’t get fubar’d on the edge.

    1. C. Anthony Caragol Post author

      I’ve found it works well entirely in a single subnet, with no apparent broken functionality or routing issues (if you know of an issue with this method, let me know), BUT it’s not supported. So if the client REALLY can’t do two DMZs, you have to pick between: Supported-but bad security or Unsupported-but better security. Both scenarios are terrible, supported but bad security would be preferred, but a good security team won’t let this fly and you may have to go unsupported or nothing. My preference would be for Microsoft to remove the two-subnet requirement, but I don’t see that happening.

      1. Trevor Miller

        Assuming the routing tables are correct, then yes, I’ve seen it function in a single subnet scenario as well. Regardless whether it’s single subnet or dual subnet, routing tables need to be correct or things will simply not work (no surprise there). I definitely don’t lead with a single-subnet-only scenario and never advise that approach, as having separate subnets simply makes things easier and is the more supported route.

        Regarding “good security” vs “bad security” – I think that’s subjective to each organization and isn’t as simple as me saying “dual DMZ subnet = good security”. Defense in-depth is always the preferred approach which means dual DMZ subnet is the way to go. That being said, single DMZ subnet or spanning-DMZ-to-intranet could be made to function in a secure method as well, with the right approaches. They simply need to understand the risks of going one way or another and so long as they understand the security ramifications of that, then I accept their acceptance of that. As the old saying goes: “You can lead a horse to water but you can’t make him drink.”.

        1. C. Anthony Caragol Post author

          Agree that security is much more complex than having multiple DMZs, and multiple DMZs doesn’t mean you have better security. My thought on the particular spanning-DMZ-to-intranet scenario, is that if you’re in this scenario it’s likely because you can’t have multiple DMZs. If you can’t have multiple DMZs, it’s also likely that you have other servers in that same DMZ. If one of those other servers gets compromised because it’s not as hardened as the Skype edge, then you’re relying on Windows security and maybe the Windows firewall to now keep the attacker off of the edge/internal zone.
