Microsoft Office Communications Server 2007 R2

Deploying Edge Servers for External User Access

Published: May 2009

Updated: July 2009

Updated: April 2010

For the most up-to-date version of the Deploying Edge Servers for External User Access documentation and the complete set of the Microsoft® Office Communications Server 2007 R2 online documentation, see the Office Communications Server TechNet Library at http://go.microsoft.com/fwlink/?LinkID=132106.

Note: In order to find topics that are referenced by this document but not contained within it, search for the topic title in the TechNet library at http://go.microsoft.com/fwlink/?LinkID=132106.


This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Copyright © 2010 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Outlook, SQL Server, Visio, Visual C++, Windows, Windows Media, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.


Contents

Deploying Edge Servers

Set Up the Infrastructure for Edge Servers

Configure a Reverse Proxy

Before You Begin

Configure Network Adapters

Install ISA Server 2006

Request and Configure a Certificate for Your Reverse HTTP Proxy

Configure Web Publishing Rules

Verify or Configure Authentication and Certification on IIS Virtual Directories

Create a DNS Record

Verify Access through Your Reverse Proxy

Configure DNS

Configure Firewalls

Prepare for Edge Server Internal Certificates

Deploy a Director

Deploying a Standard Edition Server as a Director

Step 1 Deploy a Standard Edition Server Configured as a Director

Step 2 Deactivate Server Roles on the Standard Edition Server (Optional)

Deploying an Enterprise Pool as a Director

Step 1 Set up SQL, DNS and Create a Pool

Step 2 Configure the Pool as a Director

Step 3 Add Front End Servers

Step 4 Configure Certificates on Each Front End Server

Step 5 Start Services

Step 6 Validate Your Server and Pool Configuration

Deactivate Address Book Server on the Standard Edition Server or Enterprise Edition Servers

Set Up Edge Servers

Deploy Load Balancers

Configuring Your Load Balancer

Install Edge Servers

Activate Edge Servers

Configure Edge Servers

Set Up Certificates for the Internal Interface

Configuring the Certificates on Your Internal Interface

Set Up Certificates for the External Interface

Configuring the Certificates on the External Interfaces

Set Up Certificates for A/V Authentication

Start Edge Servers

Configure the Environment

Configure Federation

How Federated Traffic Is Evaluated When Using Automatic Discovery

Enabling discovery of federated partners

Add a Trusted Federated Partner

Configure Settings for Anonymous Users

Configure Users for Federation, Public IM Connectivity, and Remote User Access

Connect Your Internal Servers with Your Edge Servers

Before You Begin

Configure a Director

Configure Other Internal Servers and Pools for External User Access

Validate Your Edge Configuration

Validate Edge Server Configuration and Connectivity

Verify Remote User Connectivity

Test Connectivity of Other External Users

Validate Internal Server Configuration and Functionality

Validate Front End Server Functionality

Validate Web Components Server Functionality

Validate Web Conferencing Server Functionality

Validate A/V Conferencing Server Functionality

Appendix: Deploying Edge Servers for External User Access

External User Access Requirements

Infrastructure Requirements for External User Access

Perimeter Network Guidelines

DNS Requirements for External User Access

Certificate Requirements for External User Access

Certificate Requirements for the Internal Interface of Edge Servers

Certificate Requirements for the External Interface of Edge Servers

A/V Authentication Certificate

Firewall Requirements for External User Access

Publicly Routable IP Address

Default Ports

Edge Server Firewall Policy Rules

Reverse Proxy Firewall Policy Rules

50,000 - 59,999 Port Range

Edge Server Deployment Guidelines

IIS Requirements for External Access

Accounts and Permissions Requirements

Administrative Credentials

Security Levels

Exchange UM Security Levels

Media Gateway Security


Deploying Edge Servers

Edge Server is a server role in Office Communications Server. By deploying Edge Servers, your organization’s users benefit from Office Communications Server features while working outside your firewalls. Additionally, users from other organizations can collaborate with your internal users. For details, see the External User Access topic in the Planning and Architecture documentation.

In This Document

· Set Up the Infrastructure for Edge Servers

· Set Up Edge Servers

· Configure the Environment

· Validate Your Edge Configuration

· Appendix: Deploying Edge Servers for External User Access

Set Up the Infrastructure for Edge Servers

Before deploying your Edge Servers, you need to set up your infrastructure to support the Edge Server deployment. To set up the infrastructure, use the procedures in this section to do the following:

· Configure a Reverse Proxy

· Configure DNS

· Configure Firewalls

· Prepare for Edge Server Internal Certificates

· Deploy a Director (Optional but recommended)

Configure a Reverse Proxy

For Office Communications Server Edge Server deployments, a Microsoft Internet Security and Acceleration (ISA) Server or other reverse proxy in the perimeter network is required for the following:

· To enable external users to download meeting content for your meetings.

· To enable external users to expand distribution groups.

· To enable remote users to download files from the Address Book Service.

· To enable external devices to connect to Device Update Service and obtain updates.

The following table lists the specific directories used by the Web Components Server. We recommend that you configure your HTTP reverse proxy to publish all of these directories.

Directories used by Web Components Server

Directory: https://<ExternalFQDN>/etc/place/null
Use: Stores meeting content.

Directory: https://<ExternalFQDN>/GroupExpansion/ext/service.asmx
Use: Stores distribution group expansion information. This is the external URL to the Web Components Server running the Address Book Web Query service.

Directory: https://<ExternalFQDN>/ABS/ext/Handler
Use: Stores Address Book Server files.

Directory: https://<ExternalFQDN>/RequestHandler/ucdevice.upx
Use: The external URL to the Web Components Server running Device Update Service. For details, see Device Update Service in the Office Communications Server 2007 R2 Planning and Architecture documentation.

Directory: https://<ExternalFQDN>/DeviceUpdateFiles_Ext
Use: The external URL to the Web Components Server where the device updates are located.

The detailed steps in this section describe how to configure an ISA Server 2006 as a reverse proxy. If you are using a different reverse proxy, consult the documentation for that product.

You can use the information in this section to set up the reverse proxy, which requires completing the following procedures:

· Configure the network adapter cards.

· Install and configure ISA Server 2006.

· Request and configure a digital certificate for SSL.

· Create a Web server publishing rule and verify that the secure Web server publishing rule properties are correct.

· Verify or configure authentication and certification on Internet Information Services (IIS) virtual directories.

· Create an external Domain Name System (DNS) entry.

· Verify that you can access the Web site through the Internet.

Before You Begin

When you set up your Enterprise pools and Standard Edition servers, you had the option to configure an external Web farm fully qualified domain name (FQDN) on the Web Farm FQDNs page in the Create Pool wizard or the Deploy Server wizard. If you did not configure this FQDN when you ran these wizards, you must configure it manually. To do so, open a command prompt and type the following command, substituting your external Web farm FQDN and pool name for the placeholders in angle brackets:

lcscmd.exe /web /action:updatepoolurls /externalwebfqdn:<ext web farm FQDN> /poolname:<pool name>

Configure Network Adapters

You must assign one or more IP addresses to the external network adapter and at least one IP address to the internal network adapter. For details about deploying ISA Server with a single network adapter, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at http://go.microsoft.com/fwlink/?LinkId=129592. This document also applies to ISA Server 2006.

In the following procedures, the ISA Server computer has two network adapters:

· A public, or external, network adapter, which is exposed to the clients that will attempt to connect to your Web site (usually over the Internet).

· A private, or internal, network interface, which is exposed to the internal Web servers.


To configure the network adapter cards on the reverse proxy computer

1. On the server running ISA Server 2006, open Network Connections by clicking Start, pointing to Settings, and then clicking Network Connections.
2. Right-click the external network connection that you want to use for the external interface, and then click Properties.
3. On the Properties page, click the General tab, click Internet Protocol (TCP/IP) in the This connection uses the following items list, and then click Properties.
4. On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses and DNS server addresses as appropriate for the network to which the network adapter is attached.
5. Click OK, and then click OK.
6. In Network Connections, right-click the internal network connection that you want to use for the internal interface, and then click Properties.
7. Repeat steps 3 through 5 to configure the internal network connection.

Install ISA Server 2006

Install ISA Server 2006 according to the setup instructions included with the product. For details about installing ISA Server, see ISA Server 2006 - Getting Started at http://go.microsoft.com/fwlink/?LinkId=129596.

Request and Configure a Certificate for Your Reverse HTTP Proxy

On the server running ISA Server 2006, install the root certification authority (CA) certificate of the CA that issued the server certificate on the internal Web server (that is, the IIS server running your Office Communications Server Web components). ISA Server needs this root certificate to validate the Web server's certificate when it connects to the published server over SSL.

You must install a Web server certificate on your ISA Server. This certificate should match the published FQDN of your external Web farm where you are hosting meeting content and Address Book files.

If your internal deployment consists of more than one Standard Edition server or Enterprise pool, you must configure Web publishing rules for each external Web farm FQDN.

Configure Web Publishing Rules

ISA Server uses Web publishing rules to securely publish internal resources, such as a meeting URL, over the Internet. Publishing information to Internet users makes computing resources inside the internal network available to users outside the network.

Use the following procedure to create Web publishing rules.

Note:

This procedure assumes that you have installed ISA Server 2006 Standard Edition.

To create a Web server publishing rule on the computer running ISA Server 2006

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. In the left pane, expand ServerName, right-click Firewall Policy, point to New, and then click Web Site Publishing Rule.
3. On the Welcome to the New Web Publishing Rule page, type a friendly name for the publishing rule (for example, OfficeCommunicationsWebDownloadsRule), and then click Next.
4. On the Select Rule Action page, select Allow, and then click Next.
5. On the Publishing Type page, select Publish a single Web site or load balancer, and then click Next.
6. On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm, and click Next.
7. On the Internal Publishing Details page, type the FQDN of the internal Web farm that hosts your meeting content and Address Book content in the Internal Site name box.
Note:
If your internal server is a Standard Edition server, this FQDN is the Standard Edition server FQDN. If your internal server is an Enterprise pool, this FQDN is the internal Web farm FQDN.
The ISA Server must be able to resolve the FQDN to the IP address of the internal Web server. If the ISA Server is not able to resolve the FQDN to the proper IP address, you can select Use a computer name or IP address to connect to the published server, and then in the Computer name or IP address box, type the IP address of the internal Web server. If you do this, you must ensure that port 53 is open on the ISA Server and that the ISA Server can reach an internal DNS server or a DNS server that resides in the perimeter network.
8. On the Internal Publishing Details page, in the Path (optional) box, type /* as the path of the folder to be published, and then click Next.
Note:
In the Web site publishing wizard you can only specify one path. Additional paths can be added by modifying the properties of the rule.
9. On the Publish Name Details page, confirm that This domain name is selected under Accept Requests for, type the external Web farm FQDN in the Public Name box, and then click Next.
10. On the Select Web Listener page, click New (this opens the New Web Listener Definition Wizard).
11. On the Welcome to the New Web Listener Wizard page, type a name for the Web listener in the Web listener name box (for example, Web Servers), and then click Next.
12. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.
13. On the Web Listener IP Address page, select External, and then click Select IP Addresses.
14. On the External Listener IP selection page, select Specified IP address on the ISA Server computer in the selected network, select the appropriate IP address, click Add, and then click OK.
15. Click Next.
16. On the Listener SSL Certificates page, select Assign a certificate for each IP address, select the IP address you just added, and then click Select Certificate.
17. On the Select Certificate page, select the certificate that matches the public name specified in step 9, click Select, and then click Next.
18. On the Authentication Setting page, select No Authentication, and then click Next.
19. On the Single Sign On Setting page, click Next.
20. On the Completing the Web Listener Wizard page, verify that the Web listener settings are correct, and then click Finish.
21. Click Next.
22. On the Authentication Delegation page, select No delegation, but client may authenticate directly, and click Next.
23. On the User Set page, click Next.
24. On the Completing the New Web Publishing Rule Wizard page, verify that the Web publishing rule settings are correct, and then click Finish.
25. Click Apply in the details pane to save the changes and update the configuration.
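Once the rule is applied, a practitioner will want to confirm three things from the outside: that every Web Components directory from the table above is reachable through the public name entered in step 9, that the listener certificate selected in step 17 actually matches that public name, and that the listener created in step 12 does not serve content over plain HTTP. The following Python script is an added example, not part of this documentation or of ISA Server; it probes each published URL with the standard library and reports a verdict per URL. The external FQDN "ocsweb.example.com" is a constructed placeholder, and the verdict strings are this example's own.

```python
"""Check an ISA Server Web publishing rule for the Office Communications
Server Web Components directories from the outside.

Added example, not part of the Office Communications Server documentation.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Paths from the "Directories used by Web Components Server" table.
REQUIRED_PATHS = (
    "/etc/place/null",
    "/GroupExpansion/ext/service.asmx",
    "/ABS/ext/Handler",
    "/RequestHandler/ucdevice.upx",
    "/DeviceUpdateFiles_Ext",
)


def required_urls(external_fqdn: str) -> list:
    """HTTPS URLs the reverse proxy must publish for one external Web farm FQDN."""
    return ["https://{}{}".format(external_fqdn, path) for path in REQUIRED_PATHS]


@dataclass
class ProbeResult:
    url: str
    status: Optional[int] = None   # HTTP status code, None when no HTTP reply arrived
    error: Optional[str] = None    # socket or TLS failure text, None on success


def probe(url: str, timeout: float = 10.0) -> ProbeResult:
    """GET the URL. For https, ssl.create_default_context() verifies the chain
    and the host name, so a listener certificate that does not match the
    public name shows up as a CERTIFICATE_VERIFY_FAILED error."""
    parts = urlsplit(url)
    conn = None
    try:
        if parts.scheme == "https":
            conn = http.client.HTTPSConnection(
                parts.hostname, parts.port or 443, timeout=timeout,
                context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                              timeout=timeout)
        conn.request("GET", parts.path or "/")
        return ProbeResult(url, status=conn.getresponse().status)
    except (OSError, http.client.HTTPException) as exc:  # ssl errors are OSError
        return ProbeResult(url, error="{}: {}".format(type(exc).__name__, exc))
    finally:
        if conn is not None:
            conn.close()


def classify(result: ProbeResult) -> str:
    """Turn one probe outcome into a verdict about the publishing rule."""
    https = result.url.startswith("https://")
    if result.error is not None:
        if https and "CERTIFICATE_VERIFY_FAILED" in result.error:
            return "certificate does not match the public name or is untrusted"
        if not https:
            return "ok: plain HTTP refused by the listener"
        return "unreachable: " + result.error
    if not https:
        # Step 12 requires SSL-secured client connections, so content answered
        # over plain HTTP means another listener or rule is publishing the site.
        if result.status < 300:
            return "finding: content served over plain HTTP"
        return "ok: plain HTTP redirected or denied"
    if result.status < 400:
        return "published"
    if result.status in (401, 403):
        return "published (IIS requires authentication or denied access)"
    if result.status == 404:
        return "not published: no rule or IIS directory matches this path"
    return "published but the server returned {}".format(result.status)


def check_publishing(external_fqdn: str) -> dict:
    """Probe every required HTTPS URL plus the plain-HTTP root; map URL -> verdict."""
    targets = required_urls(external_fqdn) + ["http://{}/".format(external_fqdn)]
    return {url: classify(probe(url)) for url in targets}


if __name__ == "__main__":
    # Constructed placeholder; replace with your external Web farm FQDN.
    for url, verdict in check_publishing("ocsweb.example.com").items():
        print(url, "->", verdict)
```

Run it from a machine outside the perimeter so the request traverses the listener rather than reaching IIS directly. A 401 on /ABS/ext/Handler is expected with the "No delegation, but client may authenticate directly" setting from step 22, because IIS, not ISA Server, challenges the client; a 404 on any of the five paths means the /* path from step 8 was narrowed without adding that directory back in the rule properties.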

To modify the properties of the Web publishing rule