Microsoft Office Communications Server 2007 (Public Beta) Edge Server Deployment Guide Published: March 2007
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, Active Directory, MSN, SharePoint are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Contents
Introduction (page 1)
How to Use this Guide (page 1)
Terminology (page 2)
Step 1. Get Ready for Edge Server Deployment (page 2)
Step 1.1. Decide Which Servers You Need in Your Edge Server Deployment (page 3)
Step 1.2. Choose the Deployment Topology (page 5)
Step 1.3. Establish Your Deployment Process (page 11)
Step 1.4. Verify Prerequisites (page 12)
Step 2. Set Up the Infrastructure for Edge Servers (page 13)
Step 2.1. Configure DNS (page 14)
Step 2.2. Configure Firewalls (page 21)
Step 2.3. Configure a Reverse Proxy (page 38)
Step 2.4. Configure a Director (Optional, but Recommended) (page 44)
Step 3. Set Up Edge Servers (page 47)
Step 3.1. Deploy Load Balancers (page 47)
Configuring Your Load Balancer (page 54)
Step 3.2. Install Edge Servers (page 54)
Step 3.3. Activate Edge Servers (page 56)
Step 3.4. Configure Edge Servers (page 57)
Step 3.5. Set Up Certificates for the Internal Interface (page 61)
Step 3.6. Set Up Certificates for the External Interface (page 69)
Step 3.7. Set Up Certificates for A/V Authentication (page 76)
Step 3.8. Start Services (page 80)
Step 4. Configure the Environment (page 80)
Step 4.1. Configure Federation (page 80)
Step 4.2. Configure Settings for Anonymous Users (page 83)
Step 4.3. Configure Users for Federation, Public IM Connectivity, and Remote User Access (page 85)
Step 4.4. Connect Your Internal Servers with Your Edge Servers (page 86)
Step 5. Validate Your Edge Configuration (page 90)
Appendix A: Configuring an Array of Standard Edition Servers as a Director (page 92)
Creating Certificates for an Array of Standard Edition Servers, Configured as Director (page 94)
Configuring DNS Resolution for Directors on the Access Edge Server (page 95)
Configuring the FQDN of the Array on the Host Authorization List (page 95)
Appendix B: Sample Certificate (page 96)
Sample Certificate Request (page 96)
Example Using a Verisign Trial Certificate (page 99)
Appendix C: Manually Configuring a Client for Remote User Access (page 100)
Appendix D: Optimizing Your Network Interface Card for High A/V Traffic (page 100)
Introduction
If you need to communicate with users and organizations outside your internal network by using your Microsoft® Office Communications Server 2007 (Public Beta) deployment, you need to deploy one or more edge servers. You install edge servers in your perimeter network (also known as a screened subnet) so that users outside your organization’s firewall are authorized before they obtain access to your Office Communications Server deployment. This document guides you through the deployment of edge servers in your Office Communications Server 2007 topology. You typically deploy edge servers after you have deployed Office Communications Server in your internal network. You can use the information in this guide to deploy your edge servers by completing the following steps:
• Step 1. Get Ready for Edge Server Deployment. This includes deciding which edge servers you need, meeting prerequisites, establishing your deployment process, and choosing deployment topologies.
• Step 2. Set Up the Infrastructure for Edge Servers. This includes configuring DNS, firewalls, and a reverse proxy, as well as configuring a Director (if appropriate).
• Step 3. Set Up Edge Servers. This includes deploying and configuring a load balancer, individual edge servers, and certificates.
• Step 4. Configure the Environment. This includes configuring anonymous participation settings, connecting internal servers with edge servers, and configuring users for external connectivity (federation, remote access, and public IM connectivity).
• Step 5. Validate Your Edge Configuration. This includes validating server configuration, as well as verifying that the edge servers can communicate with internal servers.
Additionally, you can use the information in Appendix A to configure an array of Standard Edition servers that are connected to a load balancer as a Director.
How to Use this Guide
This document presents the step-by-step tasks you need to deploy Office Communications Server 2007 edge servers. You should complete all deployment steps in the sequence shown in this guide. Before starting deployment, you should use the Office Communications Server 2007 Planning Guide to determine your deployment options and strategy. The planning guide provides an in-depth discussion of planning considerations and guidance on designing your Office Communications Server topology. Also, the process of deploying edge servers requires that you perform some tasks that are described in detail in other documents, which are noted in the specific sections of this document where they are required.
“Office Communications Server 2007 Edge Server Deployment Guide
Terminology
Anonymous user. An external user who does not have credentials in the Active Directory® Domain Services.
A/V. Audio/video.
Edge server. An Office Communications Server that resides in the perimeter network and provides connectivity for external users and public IM connections. Each edge server has one or more of the following roles: Access Edge Server, Web Conferencing Edge Server, or A/V Edge Server.
External user. A user connecting from outside the corporate firewall. External users include anonymous users, federated users, and remote users.
Federated user. An external user who possesses valid credentials with a federated partner and who therefore is treated as authenticated by Office Communications Server.
Internal IP address. An IP address that is accessible from the internal network of an organization (also referred to as a private IP address). The Computer Management and Administration Tools for Office Communications Server use the term private for this address.
PSOM. Persistent Shared Object Model protocol. A custom protocol for transporting Web conferencing content.
External IP address. An IP address that is accessible from an external network (a network outside of an organization, such as the Internet). Also referred to as a public IP address. The Computer Management and Administration Tools for Office Communications Server use the term public for this address.
Public IP address. See External IP address.
Remote user. An external user with a persistent Active Directory identity within the organization.
SIP. Session Initiation Protocol, a signaling protocol for Internet telephony.
Web farm. A collection of IIS servers or an IIS server hosting content.
Step 1. Get Ready for Edge Server Deployment
Before starting deployment of your edge servers, you need to complete the following steps:
1. Decide which edge servers you need in your organization.
2. Choose the deployment topology that best meets the needs of your organization.
3. Establish a deployment process for how you will deploy edge servers.
4. Meet all edge server deployment prerequisites.
Appendix D Optimizing Your Network Interface Card for High A/V Traffic
Step 1.1. Decide Which Servers You Need in Your Edge Server Deployment
Edge servers enable your internal users and external users to communicate using Microsoft Office Communicator or the Microsoft Office Live Meeting 2007 client. Depending on your needs, you install edge servers in one or more of the following roles:
• Access Edge Server
• Web Conferencing Edge Server
• Audio/Video Conferencing Edge Server
In addition to these Office Communications Server 2007 roles, you might need to install a Reverse Proxy. The following table provides an overview of how these servers are used.

Table 1 Edge server requirements overview
Access Edge Server
  Required to support: Any external user scenario, including public IM connectivity, remote user access, federation, external access to conferences, and external access to voice functionality.
  Corresponding internal server required: Office Communications Server 2007 server or pool and, optionally, a Director.
  Protocol: Session Initiation Protocol (SIP).
Web Conferencing Edge Server
  Required to support: External Web conferencing.
  Corresponding internal server required: Web Conferencing Server.
  Protocol: Persistent Shared Object Model (PSOM).
A/V Edge Server
  Required to support: A/V conferences with external users; point-to-point A/V calls with external users.
  Corresponding internal server required: A/V Conferencing Server.
  Protocol: RTP/RTCP, Simple Traversal of UDP through NAT (STUN)/
Reverse Proxy
  Required to support: Group expansion, address book file download, and access to meeting content (such as slides) for Web conferencing.
  Corresponding internal server required: Web server (IIS).
  Protocol: HTTP(S).

Additional details about when you need each edge server are provided in the following sections.
When You Need an Access Edge Server
If you want to enable external or remote users to collaborate with any Office Communications Server users in your organization, you must deploy an Access Edge Server, in addition to any other edge servers and internal servers you might deploy. The Access Edge Server provides the core functionality for collaboration between your internal users and users outside your internal network who are using Communicator or the Live Meeting 2007 client. The Access Edge Server provides a single, trusted connection point for both outbound and inbound Session Initiation Protocol (SIP) traffic. Like the Microsoft Office Live Communications Server 2005 Access Proxy, the Office Communications Server 2007 Access Edge Server enables the following capabilities:
• Federation. Internal users can communicate with external users of a federated organization by using IM or conferencing. You can also configure federation with an audio conferencing provider (ACP) to provide telephony integration.
• Remote user access. Remote or roaming users of your organization can access servers running Office Communications Server from outside your intranet.
• Public IM connectivity. Employees can use IM to communicate with users of instant messaging services that are provided by the MSN® network of Internet services, Yahoo!®, and AOL®. Public IM connectivity requires a separate license.
When You Need a Web Conferencing Edge Server
If you want external users to participate in your internal conference meetings, you can deploy a Web Conferencing Edge Server. The Web Conferencing Edge Server permits external users to join on-premise meetings by using the Live Meeting 2007 client. When your organization deploys a Web Conferencing Edge Server, internal users can invite remote users to meetings, including users from a federated domain (federated users) or other external users (anonymous users, who do not have an identity in the Active Directory® Domain Services either in your organization or in a domain that is federated with your organization). Enterprise users and federated users are authenticated using their Active Directory credentials. Anonymous users are authenticated by using a per-meeting conference key provided to them inside the invitation that conference organizers send. All recipients of an e-mail containing a conference key are authenticated using the same conference key. For more information about anonymous users, see the Office Communications Server 2007 Technical Overview.
When You Need an Audio/Video Edge Server
Add an A/V Edge Server if you want to make it possible to share audio and video with external users, such as vendors or employees who are working from home. With an A/V Edge Server, users can:
• Add audio and video data to meetings with external participants.
• Share audio and video directly with an external user (point-to-point).
An A/V Edge Server provides a single, trusted connection point through which media traffic enters and exits your network. The A/V Edge Server also provides remote connectivity through any intermediate network address translation (NAT) devices and firewalls.
Step 1.2. Choose the Deployment Topology
Office Communications Server 2007 supports a variety of topologies for edge server deployment. This section describes the supported topologies, the technical considerations for locating edge servers, and the considerations for choosing the edge server topology that best addresses the needs of your organization, as well as for deploying components in the internal topology to support edge servers. The size, geographical distribution, and needs of your organization are the primary determinants of which edge server topology is most appropriate for your organization. Although your business requirements should drive your topology decisions, your decisions should also take into account the following technical considerations:
• A single server can provide multiple edge server roles.
• A load balancer is required to support multiple Access Edge Servers, multiple Web Conferencing Edge Servers, and multiple A/V Edge Servers.
• Each edge server role requires a single external interface to which users can connect by using the fully qualified domain name (FQDN).
• The external IP address of the A/V Edge Server must be an external IP address that is directly contactable by external parties.
Note To conform to the requirement of a publicly routable IP address for the A/V Edge Server, the external firewall of the perimeter network must not act as a NAT (Network Address Translator) for this IP address.
• To prevent port conflicts, if multiple edge servers (such as an A/V Edge Server and a Web Conferencing Edge Server) are collocated on a single computer, each edge server should have its own external IP address.
• Each collocated edge server must use a unique port and IP address combination.
• If you configure the Access Edge Server, A/V Edge Server, or Web Conferencing Edge Server to use a port other than 443, an attempt by a remote user to sign in by using Office Communicator 2007 or to join a conference from within another organization’s intranet may fail. This situation can occur because many organizations prevent traffic traveling through their firewall over non-default ports.
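The considerations above can be checked mechanically before any server is built. The following script is an added example, not part of this guide or of the Office Communications Server product: it takes a constructed deployment plan (role, external IP, external port, host) and reports violations of the rules just listed (shared IP:port pairs on one computer, collocated roles sharing an external IP, an A/V Edge Server external IP that is not publicly routable, and roles listening on a port other than 443). The role names, sample addresses, host name and the helper names are assumptions for illustration; the routability test is an approximation that only rules out RFC 1918, loopback and link-local ranges.

```python
"""Added example: lint an edge server deployment plan against the technical
considerations in Step 1.2. The plan, host names and addresses below are
constructed sample data, not a real deployment."""

import ipaddress

DEFAULT_PORT = 443  # the port the guide expects remote users to reach

# Address blocks that cannot be reached from the Internet without NAT; the
# guide requires the A/V Edge Server's external IP to be publicly routable.
# (Approximation: RFC 1918, loopback and link-local only.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample plan: role -> (external IP, external port, host)
SAMPLE_PLAN = {
    "Access Edge Server":           ("203.0.113.10", 443, "edge01"),
    "Web Conferencing Edge Server": ("203.0.113.10", 444, "edge01"),  # shares IP, non-default port
    "A/V Edge Server":              ("192.168.20.5", 443, "edge01"),  # RFC 1918: behind NAT
}


def is_publicly_routable(ip):
    """True unless the address falls in a block that is only reachable via NAT."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def check_plan(plan):
    """Return (errors, warnings) for the given plan.
    errors   = hard requirements from the guide ("must")
    warnings = recommendations ("should") and the non-443 port caveat"""
    errors, warnings = [], []
    by_ip_port = {}   # (host, ip, port) -> role that claimed it first
    by_ip = {}        # (host, ip) -> role that claimed it first
    for role, (ip, port, host) in plan.items():
        key = (host, ip, port)
        if key in by_ip_port:
            errors.append(
                f"{role} and {by_ip_port[key]} both use {ip}:{port} on {host}; "
                "each collocated edge server must use a unique IP and port combination")
        else:
            by_ip_port[key] = role
            previous = by_ip.get((host, ip))
            if previous is not None:
                warnings.append(
                    f"{role} shares external IP {ip} with {previous} on {host}; "
                    "give each collocated role its own external IP address")
            by_ip.setdefault((host, ip), role)
        if port != DEFAULT_PORT:
            warnings.append(
                f"{role} listens on port {port} instead of {DEFAULT_PORT}; remote users "
                "behind firewalls that block non-default ports may fail to sign in or join")
        if role == "A/V Edge Server" and not is_publicly_routable(ip):
            errors.append(
                f"A/V Edge Server external IP {ip} is not publicly routable; "
                "the external firewall must not NAT this address")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_plan(SAMPLE_PLAN)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
```

Running the script against the sample plan reports one error (the A/V Edge Server's RFC 1918 address) and two warnings (the shared external IP and the non-default port); a plan that gives each role its own publicly routable address on port 443 produces no output.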
The following table summarizes the supported edge server topologies, which are listed in order of increasing complexity.

Table 2 Supported Edge Server Topologies
Consolidated Edge Topology: The Access Edge Server, Web Conferencing Edge Server, and A/V Edge Server are collocated on a single computer.
Single-Site Edge Topology: The Access Edge Server and Web Conferencing Edge Server are collocated. The A/V Edge Server is on a separate computer.
Scaled Single-Site Edge Topology: Two or more Web Conferencing and Access Edge Servers are collocated and load balanced. Two or more A/V Edge Servers are each installed on separate computers and load balanced.
Multiple-Site Edge Topology:
  In the data center:
  • The Web Conferencing Edge Server and Access Edge Server are collocated and load balanced.
  • Two or more A/V Edge Servers are each installed on separate computers and load balanced.
  In each remote location, either:
  • The Web Conferencing Edge Server should be on a dedicated computer.
  • The A/V Edge Server should be on a dedicated computer.
  or:
  • Two or more A/V Edge Servers are each installed on separate computers and load balanced.
  • Two or more Web Conferencing Edge Servers are each installed on separate computers and load balanced.
Consolidated Edge Topology
The consolidated edge topology is appropriate for small organizations. In the consolidated edge topology, all three edge server roles (Access Edge Server, Web Conferencing Edge Server, and A/V Edge Server) are collocated on a single physical computer. This topology offers:
• Reduced server cost.
• Ease of deployment and administration.
This topology does not:
• Scale easily.
• Provide load balancing.
• Provide high availability.
Note To avoid port conflicts when running all server roles on a single computer, use a different IP address for each server role.
The following figure illustrates the consolidated edge topology.
Figure 1. Consolidated edge topology
Single-Site Edge Topology
The single-site edge topology is appropriate for medium to large organizations. In the single-site edge topology:
• The Access Edge Server and Web Conferencing Edge Server are collocated on a single physical computer.
• The A/V Edge Server is installed on a separate dedicated computer.
This topology is recommended because it offers:
• Flexibility.
• Efficient bandwidth utilization (because the A/V Edge Server, which uses the most bandwidth, is on a separate computer).
• The fewest number of computers to manage.
This topology does not:
• Scale easily.
• Provide load balancing.
• Provide high availability.
Figure 2 illustrates the single-site edge topology.
[Figure 2 shows the Internet, the A/V Edge Server, the collocated Access Edge Server and Web Conferencing Edge Server, and the internal deployment.]
Figure 2. Single-site edge topology
Scaled Single-Site Edge Topology
The scaled single-site edge topology is appropriate for large organizations. This topology is recommended because it:
• Provides load balancing.
• Provides high availability.
• Scales easily.
The scaled single-site edge topology is the single-site edge topology scaled out in the following ways:
• A load balancer is connected to two or more computers, with Access Edge Server and Web Conferencing Edge Server collocated on each computer.
• Another load balancer is connected to two or more separate computers, each of which serves as an A/V Edge Server.
Figure 3 illustrates the scaled single-site edge topology.
[Figure 3 shows the Internet, load balanced A/V Edge Servers, load balanced collocated Access Edge Servers and Web Conferencing Edge Servers, and the internal deployment.]
Figure 3. Scaled single-site edge topology
Multiple-Site Edge Topology
The multiple-site edge topology is appropriate for organizations with remote sites that are geographically dispersed and are connected by using a WAN. In the multiple-site edge topology, you integrate remote locations into a scaled topology by deploying:
• The scaled topology in your data center (as specified in the scaled single-site edge topology).
• Local A/V Conferencing and Web Conferencing Edge Servers and a local Standard Edition server or pool in each remote location.
In this topology, traffic from remote or federated users in the remote location travels across the WAN only to contact the Access Edge Server for authentication and instant messaging and presence, which incurs lower bandwidth cost. The Access Edge Server returns the local pool or Standard Edition Server for users at the remote site, and the pool or server points the user to the local A/V or Web Conferencing Edge Server. A/V traffic and traffic from the Web Conferencing Server remain local, which results in a better user experience and lower bandwidth usage of the WAN. Figure 4 illustrates a multiple-site edge topology.
[Figure 4 shows the data center (Internet, A/V Edge Server, load balanced Access Edge Server and Web Conferencing Edge Server, internal deployment, with users logging on through the Access Edge Server) and a remote site (A/V Edge Server, Web Conferencing Edge Server, internal deployment).]
Figure 4. Multiple-site edge topology
In the remote office, you can also scale the edge topology to provide high availability for external access. In a scaled edge topology of a remote office, one or more A/V Edge Servers are deployed on dedicated servers and Web Conferencing Edge Servers are deployed on separate dedicated computers. All edge servers are connected to a hardware load balancer.
Scaled Remote Site Edge Topology
As a variation to the multiple-site edge topology, if you have large remote sites or want to enable high availability in these sites, you can scale the topology in the remote sites by load-balancing your Web Conferencing Edge Servers and your A/V Edge Servers in a topology similar to the following.
Connecting to Internal Servers
When you deploy an Access Edge Server, you can connect it to your internal network components in either of the following ways:
• Connecting directly to an internal server or Enterprise pool.
• Using a Director. A Director is optional but is strongly recommended in all topologies that involve connections across the Internet, especially those that support remote users. The Director is an Office Communications Server 2007 server that does not host users but that, as a member of an Active Directory domain, has access to Active Directory for purposes of authenticating remote users and routing traffic to the appropriate server or Enterprise pool. By authenticating inbound SIP traffic from remote users, the Director helps insulate home servers and Enterprise pools from potentially malicious traffic, while relieving them of the overhead of performing authentication.
You can deploy either a single Director or an array of Directors behind a load balancer. In a large deployment with significant external traffic, the load balancer provides a significant improvement in performance.
Step 1.3. Establish Your Deployment Process
Your deployment process should contain all the details that are required to deploy your edge servers, including what you want to deploy and how to deploy all components. You can use this guide as the starting point for your deployment process, tailoring it as appropriate to your deployment needs. To enhance edge server performance and security, as well as to facilitate deployment, use the following guidelines when establishing your deployment process:
• Deploy edge servers only after you have finished deploying Office Communications Server 2007 inside your organization, unless you are migrating from Microsoft® Office Live Communications Server 2005 with Service Pack 1 to Microsoft Office Communications Server 2007. For information about the migration process, see Migrating to Office Communications Server 2007.
• Deploy edge servers in a workgroup rather than a domain. Doing so simplifies installation and keeps the Active Directory® Domain Services out of the perimeter network. Locating Active Directory in the perimeter network can present a significant security risk.
• Deploy your edge servers in a staging or lab environment before deploying them in your production environment. Deploy the edge servers in your perimeter network only when you are satisfied that the test deployment meets your requirements and that it can be incorporated successfully in a production environment.
• Deploy at least one Director to act as an authentication gateway for inbound external traffic.
• Deploy edge servers on dedicated computers that do not run anything that is not required. This includes disabling unnecessary services and running only essential programs on the computer, such as programs embodying routing logic that are developed by using MSPL (Microsoft SIP Processing Language) and the Office Communications Server API.
• Enable monitoring and auditing as early as possible on the computer.
• Use a computer that has two network adapters to provide physical separation of the internal and external network interfaces.
• Deploy the edge server between two firewalls (an internal firewall and an external firewall) to ensure strict routing from one network edge to the other.
In addition to these recommendations, your edge server deployment process should build on the information provided in the Microsoft Office Communications Server 2007 Planning Guide and the topology information in the following section of this guide.
Step 1.4. Verify Prerequisites
Before you deploy your edge servers, ensure that your IT infrastructure, network, and systems meet the following requirements:
• Each computer that you plan to use as an edge server is running one of the following operating systems:
  • Microsoft Windows Server® 2003, Standard Edition, Service Pack 1 or later
  • Windows Server 2003, Enterprise Edition, Service Pack 1 or later
  • Windows Server 2003, Datacenter Edition, Service Pack 1 or later
  • Microsoft Windows Server® 2003 R2, Standard Edition, Service Pack 1 or later
  • Windows Server 2003 R2, Enterprise Edition, Service Pack 1 or later
  • Windows Server 2003 R2, Datacenter Edition, Service Pack 1 or later
• All hardware for your edge server meets the recommended system requirements as documented in the Office Communications Server 2007 Planning Guide.
• PKI (Public Key Infrastructure) is deployed and configured to use a certification authority (CA) infrastructure that is provided by either Microsoft or another provider.
• A perimeter network that supports the assignment of a publicly routable IP address to A/V Edge Servers.
• Your perimeter firewalls can support opening the ports that are described in the following section.
• A reverse HTTP proxy is deployed in your perimeter network and can be configured as described in “Configuring a Reverse Proxy” later in this document.
• All users that require any of the new functionality that is provided by an Office Communications Server 2007 edge server install the Live Meeting 2007 client and Communicator 2007.
Audio/Video Requirements
The following section summarizes some key requirements for audio/video in an Office Communications Server deployment:
• We recommend that A/V Conferencing Servers and A/V Edge Servers be deployed on a 1GB Ethernet LAN.
• We recommend that you run the Quality of Service scheduler on each A/V Conferencing Server or A/V Edge Server to monitor audio and video traffic flow across the network.
• If you anticipate a high volume of audio/video traffic or experience packet loss after you deploy, use Appendix D, “Optimizing Your Network Interface Card,” to optimize A/V traffic flow.
Step 2. Set Up the Infrastructure for Edge Servers
Before deploying your edge servers, you need to set up your infrastructure to support the edge server deployment. To set up the infrastructure, use the procedures in this section to do the following:
• Configure DNS
• Configure the firewalls
• Configure a reverse proxy
• Configure a Director (optional)
Step 2.1. Configure DNS
As covered earlier in this document, when collocating multiple server roles on a single computer, you should use a separate external IP address for each role. Specific DNS settings must be configured on each external and internal interface of each edge server. In general, this includes configuring DNS records to point to appropriate servers in the internal network and configuring DNS records as appropriate for each edge server.
Note To prevent DNS SRV spoofing and ensure that certificates provide valid ties from the user URI to real credentials, Office Communications Server 2007 requires that the name of the DNS SRV domain match the server name on the certificate. The subject name (SN) must point to sip.<domain>.com.
The actual DNS records required depend on which edge servers you deploy and on your deployment topology, as covered in this section. The following tables provide details about each DNS record required for each topology. The following table describes the DNS records that must be configured for the external interface and the internal interface of edge servers in the consolidated edge topology.
Note The port numbers referenced in the following tables and later in this document are typically the default ports. If you use different port settings, you will need to modify the procedures in this guide accordingly.
Table 3 DNS records for the consolidated edge topology

External interface, collocated Access Edge Server, Web Conferencing Edge Server, and A/V Edge Server:
• An external SRV record for all Access Edge Servers that points to _sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the SIP domain of your organization). This SRV should point to an A record with the FQDN of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each. This is required only if enabling enhanced federation or public IM connectivity.
• A DNS SRV (service location) record for _sip._tls.<domain>, over port 443, where <domain> is the name of your organization’s SIP domain. This SRV record must point to the A record of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each. This SRV record supports automatic configuration for remote users for instant messaging and conferencing.
Note: Configuring multiple SRV records for the same SIP domain is not supported. If multiple DNS records are returned to a DNS SRV query, the Access Edge Server will always pick the DNS SRV record with the lowest numerical priority and highest numerical weight.
• For each supported SIP domain in your organization, an external A record for sip.<domain>.com that resolves to the external IP address of the Access Edge Server for that SIP domain. If a client cannot perform an SRV record lookup to connect to the Access Edge Server, it will use this A record as a fallback.
• An external DNS A record that resolves the external name of the Web Conferencing Edge Server to the external IP address of the Web Conferencing Edge Server.
• An external DNS A record that resolves the external name of the A/V Edge Server to the external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.

External interface, reverse proxy:
• An external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy.

Internal interface, collocated Access Edge Server, Web Conferencing Edge Server, and A/V Edge Server:
• An internal DNS A record that resolves the internal FQDN of the edge server to the internal IP address of the edge server. Office Communications Server 2007 servers within the organization use this DNS A record to connect to the internal interface of the edge server.
The following table describes the DNS records that must be configured for the external interface and the internal interface of edge servers in the single-site edge topology.
Table 4 DNS records for the single-site edge topology
External interface
  Collocated Access Edge Server and Web Conferencing Edge Server:
  • An external DNS SRV record for all Access Edge Servers that points to _sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the SIP domain of your organization). This SRV record should point to an A record with the external FQDN of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each SIP domain.
  • An external DNS SRV (service location) record for _sip._tls.<domain>, over port 443, where <domain> is the name of your organization’s SIP domain. This SRV record must point to the A record of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each. This SRV record supports federated partners and remote access by means of direct connection to the Access Edge Server.
    Note: Configuring multiple SRV records for the same SIP domain is not supported. If multiple DNS records are returned to a DNS SRV query, the Access Edge Server always picks the DNS SRV record with the lowest numerical priority and highest numerical weight.
  • For each supported SIP domain in your organization, an external DNS A record for sip.<domain>.com that points to the external IP address of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each. If a client cannot perform an SRV record lookup to connect to the Access Edge Server, it uses this A record as a fallback.
  • An external DNS A record that resolves the external FQDN of the Web Conferencing Edge Server to its external IP address.
  A/V Edge Server:
  • An external DNS A record that resolves the external FQDN of the A/V Edge Server to its external IP address. This IP address must be a publicly routable IP address.
  Reverse proxy:
  • An external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy.
Internal interface
  Collocated Access Edge Server and Web Conferencing Edge Server:
  • An internal DNS A record that resolves the internal FQDN of the collocated Access Edge Server and Web Conferencing Edge Server to its internal IP address.
  A/V Edge Server:
  • An internal DNS A record that resolves the internal FQDN of the A/V Edge Server to its internal IP address.
The following table describes the DNS records that must be configured for the external interface and the internal interface of edge servers in the scaled single-site edge topology.
Table 5 DNS records for the scaled single-site edge topology
External interface
  Access Edge Server and Web Conferencing Edge Server:
  • An external DNS SRV record for all Access Edge Servers that points to _sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the SIP domain of your organization). This SRV record should point to an A record with the external FQDN of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each.
  • An external DNS SRV (service location) record for _sip._tls.<domain>, over port 443, where <domain> is the name of your organization’s SIP domain. This SRV record must point to the A record of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each. This SRV record supports federated partners and remote access by means of direct connection to the Access Edge Server.
    Note: Configuring multiple SRV records for the same SIP domain is not supported. If multiple DNS records are returned to a DNS SRV query, the Access Edge Server always picks the DNS SRV record with the lowest numerical priority and highest numerical weight.
  • For each supported SIP domain in your organization, an external A record for sip.<domain>.com that points to the virtual IP address used by the Access Edge Server on the external load balancer. If a client cannot perform an SRV record lookup to connect to the Access Edge Server, it uses this A record as a fallback.
  • An external DNS A record that resolves the external FQDN of the Web Conferencing Edge Server array to the VIP address used by the Web Conferencing Edge Server array on the external load balancer.
  A/V Edge Server:
  • An external DNS A record that resolves the external FQDN of the A/V Edge Server array to the virtual IP address used by the A/V Edge Servers on the external load balancer on the external edge.
  Reverse proxy:
  • An external DNS A record that resolves the external Web farm FQDN to the external IP
Internal interface
  Access Edge Server and Web Conferencing Edge Server:
  • An internal DNS A record that resolves the internal FQDN of the Access Edge Server array to the virtual IP address used by the Access Edge Servers on the internal load balancer.
  • An internal DNS A record that resolves the internal FQDN of each Web Conferencing Edge Server to its internal IP address.
  A/V Edge Server:
  • An internal DNS A record that resolves the internal FQDN of the A/V Edge Server array to the virtual IP address used by the A/V Edge Servers on the internal load balancer.
The data center configuration for the multiple-site edge topology is the same as that for the scaled single-site edge topology, but additional configuration is required for the remote site. The following table describes the DNS records that must be configured for the external interface and the internal interface of edge servers in the remote site of the multiple-site edge topology.
Table 6 DNS records for the multiple-site edge topology remote site
External interface
  Web Conferencing Edge Server (remote site):
  • An external DNS A record that resolves the external FQDN of the Web Conferencing Edge Server in the remote site to its external IP address.
  A/V Edge Server (remote site):
  • An external DNS A record that resolves the external FQDN of the A/V Edge Server in the remote site to its external IP address. This IP address must be a publicly routable IP address.
  Reverse proxy (remote site):
  • An external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy.
Internal interface
  Web Conferencing Edge Server (remote site):
  • An internal DNS A record that resolves the internal FQDN of the Web Conferencing Edge Server in the remote site to its internal IP address.
  A/V Edge Server (remote site):
  • An internal DNS A record that resolves the internal FQDN of the A/V Edge Server to its internal IP address.
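The SRV and A record requirements in Tables 3 through 6 can be checked mechanically before a zone goes live, and the same check catches the unsupported case the tables warn about (more than one SRV record for one SIP domain). The following Python script is an added example; it is not part of this guide or of Office Communications Server. It parses a constructed zone-file fragment (the domains contoso.example and fabrikam.example and every address in it are made up), verifies for each SIP domain that the _sipfederationtls._tcp and _sip._tls SRV records exist on the expected ports and point at names that have A records, that the sip.<domain> fallback A record exists, and reports which record the Access Edge Server selection rule (lowest priority, then highest weight) would pick when a domain publishes several. It assumes federation is enabled, so the _sipfederationtls._tcp record is treated as required, and it checks the fallback name directly under the SIP domain.

```python
"""Check the SRV and A records an edge deployment publishes for each SIP domain.

Added example; the zone fragment below is constructed, not taken from the guide.
"""
from collections import defaultdict

# Constructed zone-file fragment (fictitious domains and addresses).
# contoso.example is complete; fabrikam.example has several deliberate defects.
ZONE = """
_sipfederationtls._tcp.contoso.example. 3600 IN SRV 0 0 5061 sip.contoso.example.
_sip._tls.contoso.example.              3600 IN SRV 0 0 443  sip.contoso.example.
sip.contoso.example.                    3600 IN A   203.0.113.10
webconf.contoso.example.                3600 IN A   203.0.113.11
av.contoso.example.                     3600 IN A   203.0.113.12
_sip._tls.fabrikam.example.             3600 IN SRV 10 0 443 sip.fabrikam.example.
_sip._tls.fabrikam.example.             3600 IN SRV 20 0 443 sip2.fabrikam.example.
"""

# Service label -> port the guide specifies for that SRV record.
REQUIRED_SRV = {"_sipfederationtls._tcp": 5061, "_sip._tls": 443}


def parse_zone(text):
    """Parse "owner ttl IN type rdata" lines into an A map and an SRV map.

    A records:   owner -> IPv4 string.
    SRV records: owner -> list of (priority, weight, port, target).
    """
    a_records, srv_records = {}, defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, rtype = parts[0].rstrip(".").lower(), parts[3]
        if rtype == "A":
            a_records[owner] = parts[4]
        elif rtype == "SRV" and len(parts) >= 8:
            prio, weight, port, target = parts[4:8]
            srv_records[owner].append(
                (int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return a_records, srv_records


def pick_srv(records):
    """Selection rule the guide gives for the Access Edge Server:
    lowest numerical priority, then highest numerical weight."""
    return min(records, key=lambda r: (r[0], -r[1]))


def check_domain(domain, a_records, srv_records):
    """Return a list of findings for one SIP domain; an empty list means OK."""
    findings = []
    for service, expected_port in REQUIRED_SRV.items():
        owner = f"{service}.{domain}"
        records = srv_records.get(owner, [])
        if not records:
            findings.append(f"{owner}: missing SRV record")
            continue
        if len(records) > 1:
            chosen = pick_srv(records)
            findings.append(f"{owner}: {len(records)} SRV records for one SIP domain "
                            f"is unsupported; the Access Edge Server would use {chosen[3]}")
        for _prio, _weight, port, target in records:
            if port != expected_port:
                findings.append(f"{owner}: port {port}, expected {expected_port}")
            if target not in a_records:
                findings.append(f"{owner}: target {target} has no A record")
    fallback = f"sip.{domain}"   # A record clients use when the SRV lookup fails
    if fallback not in a_records:
        findings.append(f"{fallback}: missing fallback A record")
    return findings


def check_zone(text, domains):
    """Run check_domain for every SIP domain and return {domain: findings}."""
    a_records, srv_records = parse_zone(text)
    return {d: check_domain(d, a_records, srv_records) for d in domains}


if __name__ == "__main__":
    for domain, findings in check_zone(ZONE, ["contoso.example", "fabrikam.example"]).items():
        print(domain, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against a real zone, replace ZONE with the exported zone text and list every SIP domain the Access Edge Server serves; a domain that reports no findings has the records the tables require.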
Step 2.2. Configure Firewalls
Configuring firewalls includes configuring both of the following:
• Internal firewall between the perimeter network and your internal network.
• External firewall between the perimeter network and the Internet.
How you configure your firewalls is largely dependent on the specific firewalls you use in your organization, but each firewall also has common configuration requirements that are specific to Office Communications Server 2007. Follow the manufacturer’s instructions for configuring each firewall, along with the information in this section, which describes the settings that must be configured on the two firewalls. The following figure shows the default firewall ports for each server in the perimeter network.
Figure 5 Firewall ports for the perimeter network
The following sections provide additional information about each port to be configured for each server role in each topology, as well as a mapping of the numbers in the previous figure to the respective port descriptions. In the following tables, the direction for firewall policy rules that is indicated as outbound is defined as follows:
• On the internal firewall, it corresponds to traffic from servers on the internal (private) network to the edge server in the perimeter network.
• On the external firewall, it corresponds to traffic from the edge server in the perimeter network to the Internet.
Consolidated Edge Topology Firewall Policy Rules
The following tables explain the firewall policy rules that are required on each server in the perimeter network when you deploy edge servers in the consolidated edge topology. The following table describes the firewall policy to be configured for the reverse proxy.
Table 7 Firewall Settings for the Reverse Proxy
Internal firewall (figure mapping 2)
  Local Port: 443 TCP (SIP/TLS)
  Direction: Inbound (for external user access to Web conferences)
  Remote Port: Any
  Local IP: The internal IP address of the reverse proxy
  Remote IP: Any
External firewall (figure mapping 1)
  Local Port: 443 TCP (HTTP(S))
  Direction: Inbound
  Remote Port: Any
  Local IP address: The external IP address of the HTTP reverse proxy
  Remote IP: Any
  Note: If you want your users to be able to connect from inside your intranet to external conferences hosted by other companies, you also need to open port 443 outbound.
The following table describes the firewall policy rules to be configured for the Access Edge Server.
Table 8 Firewall Settings for the Access Edge Server
Internal firewall (figure mapping 5)
  Local Port: 5061 TCP (SIP/MTLS)
  Direction: Inbound (for remote user access and federation)
  Remote Port: Any
  Local IP address: The internal IP address of the Access Edge Server
  Remote IP: The IP address of the next hop server. If a Director is deployed, use the IP address of the Director or the VIP of the load balancer, if the Directors are load balanced.
Internal firewall (figure mapping 5)
  Local Port: 5061 TCP (SIP/MTLS)
  Direction: Outbound (for remote user access and federation)
  Remote Port: Any
  Local IP address: The internal IP address of the Access Edge Server
  Remote IP: If no Director is deployed, you must use any IP address. If a Director is deployed, use the IP address of the Director or the VIP of the load balancer, if the Directors are load balanced.
External firewall (figure mapping 3)
  Local Port: 5061 TCP (SIP/MTLS)
  Direction: Inbound/Outbound (federation)
  Remote Port: Any
  Local IP: The external IP address of the Access Edge Server
  Remote IP: Any IP address
External firewall (figure mapping 4)
  Local Port: 443 TCP (SIP/TLS)
  Direction: Inbound (for remote user access)
  Remote Port: Any
  Local IP: The external IP address of the Access Edge Server
  Remote IP: Any IP address
The following table describes the firewall policy rules to be configured for the Web Conferencing Edge Server.
Note PSOM is the Microsoft proprietary protocol used for Web conferencing.
Table 9 Firewall Settings for the Web Conferencing Edge Server
Internal firewall (figure mapping 7)
  Local Port: 8057 TCP (PSOM/MTLS)
  Direction: Outbound (for traffic between internal Web Conferencing Servers and the Web Conferencing Edge Servers)
  Remote Port: Any
  Local IP: The internal IP address of the Web Conferencing Edge Server
  Remote IP: Any IP address
External firewall (figure mapping 6)
  Local Port: 443 TCP (PSOM/TLS)
  Direction: Inbound (for access of remote, anonymous, and federated users to internal Web conferences)
  Remote Port: Any
  Local IP: The external IP address of the Web Conferencing Edge Server
  Remote IP: Any IP address
The following table describes the firewall policy rules to be configured for the A/V Edge Server.
Table 10 Firewall Settings for the A/V Edge Server
Internal firewall (figure mapping 12)
  Local Port: 443 TCP (STUN/TCP)
  Direction: Outbound (for internal users to send media to external users)
  Remote Port: Any
  Local IP: The internal IP address of the A/V Edge Server
  Remote IP: Any IP address
Internal firewall (figure mapping 13)
  Local Port: 5062 TCP (SIP/MTLS)
  Direction: Outbound (for authentication of A/V users)
  Remote Port: Any
  Local IP: The internal IP address of the A/V Edge Server
  Remote IP: Any IP address
Internal firewall (figure mapping 14)
  Local Port: 3478 UDP (STUN/UDP)
  Direction: Outbound (for internal users to send media to external users)
  Remote Port: Any
  Local IP: The internal IP address of the A/V Edge Server
  Remote IP: Any IP address
  Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.
External firewall (figure mapping 8)
  Local Port: 443 TCP (STUN/TCP)
  Direction: Inbound (for external user access to media and A/V sessions)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server
  Remote IP: Any IP address
External firewall (figure mapping 9)
  Local Port Range: 50,000-52,999 TCP (RTP/TCP)
  Direction: Inbound/Outbound (for media transfer)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
  Remote IP: Any IP address
External firewall (figure mapping 10)
  Local Port: 3478 UDP (STUN/UDP)
  Direction: Inbound (for external users connecting to media or A/V sessions)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server
  Remote IP: Any IP address
  Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.
External firewall (figure mapping 11)
  Local Port Range: 50,000-52,999 UDP (RTP/UDP)
  Direction: Inbound/Outbound (for media transfer)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
  Remote IP: Any IP address
Single Site Edge Topology Firewall Policy Rules
The following tables explain the firewall policy rules required on each server in the perimeter network when you deploy edge servers in the single site edge topology. The following table describes the firewall policy to be configured for the reverse proxy.
Table 11 Firewall Settings for the Reverse Proxy
Internal firewall (figure mapping 2)
  Local Port: 443 TCP (SIP/TLS)
  Direction: Inbound (for external user access to Web conferences)
  Remote Port: Any
  Local IP: The internal IP address of the reverse proxy
  Remote IP: Any
External firewall (figure mapping 1)
  Local Port: 443 TCP (HTTP(S))
  Direction: Inbound
  Remote Port: Any
  Local IP address: The external IP address of the HTTP reverse proxy
  Remote IP: Any
  Note: If you want your users to be able to connect from inside your intranet to external conferences hosted by other companies, you also need to open port 443 outbound.
The following table describes the firewall policy rules to be configured for the Access Edge Server.
Table 12 Firewall Settings for the Access Edge Server
Internal firewall (figure mapping 5)
  Local Port: 5061 TCP (SIP/MTLS)
  Direction: Inbound (for remote user access and federation)
  Remote Port: Any
  Local IP address: The internal IP address of the Access Edge Server
  Remote IP: The IP address of the next hop server. If a Director is deployed, use the IP address of the Director or the VIP of the load balancer, if the Directors are load balanced.
Internal firewall (figure mapping 5)
  Local Port: 5061 TCP (SIP/MTLS)
  Direction: Outbound (for remote user access and federation)
  Remote Port: Any
  Local IP address: The internal IP address of the Access Edge Server
  Remote IP: If no Director is deployed, you must use any IP address. If a Director is deployed, use the IP address of the Director or the VIP of the load balancer, if the Directors are load balanced.
External firewall (figure mapping 3)
  Local Port: 5061 TCP (SIP/MTLS)
  Direction: Inbound/Outbound (federation)
  Remote Port: Any
  Local IP: The external IP address of the Access Edge Server
  Remote IP: Any IP address
External firewall (figure mapping 4)
  Local Port: 443 TCP (SIP/TLS)
  Direction: Inbound (for remote user access)
  Remote Port: Any
  Local IP: The external IP address of the Access Edge Server
  Remote IP: Any IP address
The following table describes the firewall policy rules to be configured for the Web Conferencing Edge Server.
Note PSOM is the Microsoft proprietary protocol used for Web conferencing.
Table 13 Firewall Settings for the Web Conferencing Edge Server
Internal firewall (figure mapping 7)
  Local Port: 8057 TCP (PSOM/MTLS)
  Direction: Outbound (for traffic between internal Web Conferencing Servers and the Web Conferencing Edge Servers)
  Remote Port: Any
  Local IP: The internal IP address of the Web Conferencing Edge Server
  Remote IP: Any IP address
External firewall (figure mapping 6)
  Local Port: 443 TCP (PSOM/TLS)
  Direction: Inbound (for access of remote, anonymous, and federated users to internal Web conferences)
  Remote Port: Any
  Local IP: The external IP address of the Web Conferencing Edge Server
  Remote IP: Any IP address
The following table describes the firewall policy rules to be configured for the A/V Edge Server.
Table 14 Firewall Settings for the A/V Edge Server
Internal firewall (figure mapping 12)
  Local Port: 443 TCP (STUN/TCP)
  Direction: Outbound (for internal users to send media to external users)
  Remote Port: Any
  Local IP: The internal IP address of the A/V Edge Server
  Remote IP: Any IP address
Internal firewall (figure mapping 13)
  Local Port: 5062 TCP (SIP/MTLS)
  Direction: Outbound (for A/V authentication of users)
  Remote Port: Any
  Local IP: The internal IP address of the A/V Edge Server
  Remote IP: Any IP address
Internal firewall (figure mapping 14)
  Local Port: 3478 UDP (STUN/UDP)
  Direction: Outbound (for internal users to send media to external users)
  Remote Port: Any
  Local IP: The internal IP address of the A/V Edge Server
  Remote IP: Any IP address
  Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.
External firewall (figure mapping 8)
  Local Port: 443 TCP (STUN/TCP)
  Direction: Inbound (for external user access to media and A/V sessions)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server
  Remote IP: Any IP address
External firewall (figure mapping 9)
  Local Port Range: 50,000-52,999 TCP (RTP/TCP)
  Direction: Inbound/Outbound (for media transfer)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
  Remote IP: Any IP address
External firewall (figure mapping 10)
  Local Port: 3478 UDP (STUN/UDP)
  Direction: Inbound (for external users connecting to media or A/V sessions)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server
  Remote IP: Any IP address
  Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.
External firewall (figure mapping 11)
  Local Port Range: 50,000-52,999 UDP (RTP/UDP)
  Direction: Inbound/Outbound (for media transfer)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
  Remote IP: Any IP address
Scaled Single Site Edge Topology Firewall Policy Rules
The following tables explain the firewall policy rules required on each server in the perimeter network when you deploy edge servers in the single site edge topology. The following table describes the firewall policy to be configured for the reverse proxy.
Table 15 Firewall Settings for the Reverse Proxy
Internal firewall (figure mapping 2)
  Local Port: 443 TCP (SIP/TLS)
  Direction: Inbound (for external user access to Web conferences)
  Remote Port: Any
  Local IP: The internal IP address of the reverse proxy
  Remote IP: Any
External firewall (figure mapping 1)
  Local Port: 443 TCP (HTTP(S))
  Direction: Inbound
  Remote Port: Any
  Local IP address: The external IP address of the HTTP reverse proxy
  Remote IP: Any
  Note: If you want your users to be able to connect from inside your intranet to external conferences hosted by other companies, you also need to open port 443 outbound.
The following table describes the firewall policy rules to be configured for the Access Edge Server.
Table 16 Firewall Settings for the Access Edge Server
Internal firewall (figure mapping 5)
  Local Port: 5061 TCP (SIP/MTLS)
  Direction: Inbound (for remote user access and federation)
  Remote Port: Any
  Local IP address: The internal IP address of the Access Edge Server
  Remote IP: The IP address of the next hop server. If a Director is deployed, use the IP address of the Director or the VIP of the load balancer, if the Directors are load balanced.
Internal firewall (figure mapping 5)
  Local Port: 5061 TCP (SIP/MTLS)
  Direction: Outbound (for remote user access and federation)
  Remote Port: Any
  Local IP address: The internal IP address of the Access Edge Server
  Remote IP: If no Director is deployed, you must use any IP address. If a Director is deployed, use the IP address of the Director or the VIP of the load balancer, if the Directors are load balanced.
External firewall (figure mapping 4)
  Local Port: 443 TCP (SIP/TLS)
  Direction: Inbound (for remote user access)
  Remote Port: Any
  Local IP: The VIP address used by the Access Edge Server array on the external load balancer.
  Remote IP: Any IP address
The following table describes the firewall policy rules to be configured for the Web Conferencing Edge Server.
Note PSOM is the Microsoft proprietary protocol used for Web conferencing.
Table 17 Firewall Settings for the Web Conferencing Edge Server
Internal firewall (figure mapping 7)
  Local Port: 8057 TCP (PSOM/MTLS)
  Direction: Outbound (for traffic between internal Web Conferencing Servers and the Web Conferencing Edge Servers)
  Remote Port: Any
  Local IP: The internal IP addresses of the Web Conferencing Edge Servers
  Remote IP: Any IP address
External firewall (figure mapping 6)
  Local Port: 443 TCP (PSOM/TLS)
  Direction: Inbound (for access of remote, anonymous, and federated users to internal Web conferences)
  Remote Port: Any
  Local IP: The VIP address used by the Web Conferencing Edge Server array on the external load balancer
  Remote IP: Any IP address
The following table describes the firewall policy rules to be configured for the A/V Edge Server.
Table 18 Firewall Settings for the A/V Edge Server
Internal firewall (figure mapping 12)
  Local Port: 443 TCP (STUN/TCP)
  Direction: Outbound (for internal users to send media to external users)
  Remote Port: Any
  Local IP: The VIP address used by the A/V Edge Server array on the internal load balancer.
  Remote IP: Any IP address
Internal firewall (figure mapping 13)
  Local Port: 5062 TCP (SIP/MTLS)
  Direction: Outbound (for A/V authentication of users)
  Remote Port: Any
  Local IP: The VIP address used by the A/V Edge Server array on the internal load balancer.
  Remote IP: Any IP address
Internal firewall (figure mapping 14)
  Local Port: 3478 UDP (STUN/UDP)
  Direction: Outbound (for internal users to send media to external users)
  Remote Port: Any
  Local IP: The internal IP address of the A/V Edge Server and the VIP address used by the A/V Edge Server array on the internal load balancer.
  Remote IP: Any IP address
  Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.
External firewall (figure mapping 8)
  Local Port: 443 TCP (STUN/TCP)
  Direction: Inbound (for external user access to media and A/V sessions)
  Remote Port: Any
  Local IP: The VIP address used by the A/V Edge Server array on the external load balancer.
  Remote IP: Any IP address
External firewall (figure mapping 9)
  Local Port Range: 50,000-52,999 TCP (RTP/TCP)
  Direction: Inbound/Outbound (for media transfer)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
  Remote IP: Any IP address
External firewall (figure mapping 10)
  Local Port: 3478 UDP (STUN/UDP)
  Direction: Inbound (for external users connecting to media or A/V sessions)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server and the VIP address used by the A/V Edge Server array on the external load balancer
  Remote IP: Any IP address
  Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.
External firewall (figure mapping 11)
  Local Port Range: 50,000-52,999 UDP (RTP/UDP)
  Direction: Inbound/Outbound (for media transfer)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
  Remote IP: Any IP address
Multiple Edge Site Topology Firewall Policy Rules for the Remote Site
The following tables explain the firewall policy rules required on each server in the perimeter network in the remote site when you deploy edge servers in the multiple edge site topology. The firewall policy rules that are required in the central data center are the same as those required in the scaled single site topology described in the previous section. Because the users in the remote site use the Access Edge Server in the central site, there is no table for the Access Edge Server in this section. The following table describes the firewall policy to be configured for the reverse proxy.
Table 19 Firewall Settings for the Reverse Proxy
Internal firewall (figure mapping 2)
  Local Port: 443 TCP (SIP/TLS)
  Direction: Inbound (for external user access to Web conferences)
  Remote Port: Any
  Local IP: The internal IP address of the reverse proxy in the remote site
  Remote IP: Any
External firewall (figure mapping 1)
  Local Port: 443 TCP (HTTP(S))
  Direction: Inbound
  Remote Port: Any
  Local IP address: The external IP address of the HTTP reverse proxy in the remote site
  Remote IP: Any
  Note: If you want your users to be able to connect from inside your intranet to external conferences hosted by other companies, you also need to open port 443 outbound.
The following table describes the firewall policy rules to be configured for the Web Conferencing Edge Server.
Note PSOM is the Microsoft proprietary protocol used for Web conferencing.
Table 20 Firewall Settings for the Web Conferencing Edge Server
Internal firewall (figure mapping 7)
  Local Port: 8057 TCP (PSOM/MTLS)
  Direction: Outbound (for traffic between internal Web Conferencing Servers and the Web Conferencing Edge Servers)
  Remote Port: Any
  Local IP: The internal IP address of the Web Conferencing Edge Server in the remote site
  Remote IP: Any IP address
External firewall (figure mapping 6)
  Local Port: 443 TCP (PSOM/TLS)
  Direction: Inbound (for access of remote, anonymous, and federated users to internal Web conferences)
  Remote Port: Any
  Local IP: The external IP address of the Web Conferencing Edge Server in the remote site
  Remote IP: Any IP address
The following table describes the firewall policy rules to be configured for the A/V Edge Server.
Table 21 Firewall Settings for the A/V Edge Server
Internal firewall (figure mapping 12)
  Local Port: 443 TCP (STUN/TCP)
  Direction: Outbound (for internal users to send media to external users)
  Remote Port: Any
  Local IP: The internal IP address of the A/V Edge Server in the remote site
  Remote IP: Any IP address
Internal firewall (figure mapping 13)
  Local Port: 5062 TCP (SIP/MTLS)
  Direction: Outbound (for A/V authentication of users)
  Remote Port: Any
  Local IP: The internal IP address of the A/V Edge Server in the remote site.
  Remote IP: Any IP address
Internal firewall (figure mapping 14)
  Local Port: 3478 UDP (STUN/UDP)
  Direction: Outbound (for internal users to send media to external users)
  Remote Port: Any
  Local IP: The internal IP address of the A/V Edge Server in the remote site.
  Remote IP: Any IP address
  Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.
External firewall (figure mapping 8)
  Local Port: 443 TCP (STUN/TCP)
  Direction: Inbound (for external user access to media and A/V sessions)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server in the remote site
  Remote IP: Any IP address
External firewall (figure mapping 9)
  Local Port Range: 50,000-52,999 TCP (RTP/TCP)
  Direction: Inbound/Outbound (for media transfer)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server in the remote site. This IP address must be a publicly routable IP address.
  Remote IP: Any IP address
External firewall (figure mapping 10)
  Local Port: 3478 UDP (STUN/UDP)
  Direction: Inbound (for external users connecting to media or A/V sessions)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server in the remote site.
  Remote IP: Any IP address
  Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.
External firewall (figure mapping 11)
  Local Port Range: 50,000-52,999 UDP (RTP/UDP)
  Direction: Inbound/Outbound (for media transfer)
  Remote Port: Any
  Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
  Remote IP: Any IP address
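The A/V Edge Server tables for every topology (Tables 10, 14, 18 and 21) share one port set, which makes them a natural baseline to audit an actual firewall rule export against: a missing rule blocks media, and a range opened wider than the table calls for exposes the perimeter host beyond what the deployment needs. The following Python script is an added example, not part of this guide; the Rule type, the audit function and the CANDIDATE_EXPORT list are all constructed here. It encodes the Table 10 rows, expands each Inbound/Outbound row into two directional rules using the per-firewall direction definition given at the start of this step, and reports required rules that no candidate covers as well as candidate rules that permit a port outside every documented range for the same firewall, direction and protocol.

```python
"""Audit a perimeter firewall rule export against the A/V Edge Server policy rules.

Added example; the Rule type, audit logic and candidate export are constructed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    firewall: str    # "internal" (perimeter <-> private network) or "external" (perimeter <-> Internet)
    direction: str   # "inbound" or "outbound", in the sense the guide defines for each firewall
    proto: str       # "tcp" or "udp"
    port_lo: int     # local port range on the edge server, inclusive
    port_hi: int
    note: str = ""


def av_edge_required_rules():
    """Rows of Table 10 (A/V Edge Server), one Rule per direction.
    Rows marked Inbound/Outbound in the guide become two Rules."""
    rows = [
        ("internal", "outbound", "tcp", 443, 443, "STUN/TCP, figure 12"),
        ("internal", "outbound", "tcp", 5062, 5062, "SIP/MTLS A/V authentication, figure 13"),
        ("internal", "outbound", "udp", 3478, 3478, "STUN/UDP, figure 14"),
        ("external", "inbound", "tcp", 443, 443, "STUN/TCP, figure 8"),
        ("external", "inbound/outbound", "tcp", 50000, 52999, "RTP/TCP, figure 9"),
        ("external", "inbound", "udp", 3478, 3478, "STUN/UDP, figure 10"),
        ("external", "inbound/outbound", "udp", 50000, 52999, "RTP/UDP, figure 11"),
    ]
    return [Rule(fw, d, proto, lo, hi, note)
            for fw, direction, proto, lo, hi, note in rows
            for d in direction.split("/")]


def covers(candidate, required):
    """True when the candidate rule permits everything the required rule asks for."""
    return (candidate.firewall == required.firewall
            and candidate.direction == required.direction
            and candidate.proto == required.proto
            and candidate.port_lo <= required.port_lo
            and candidate.port_hi >= required.port_hi)


def audit(candidates, required):
    """Return (missing, overbroad).

    missing:   required rules that no candidate covers (that traffic will be blocked).
    overbroad: candidates that permit a port outside every required range for the
               same firewall/direction/protocol (more exposure than the guide calls for).
    """
    missing = [r for r in required if not any(covers(c, r) for c in candidates)]
    overbroad = []
    for c in candidates:
        same_lane = [r for r in required
                     if (r.firewall, r.direction, r.proto) == (c.firewall, c.direction, c.proto)]
        allowed = set()
        for r in same_lane:
            allowed.update(range(r.port_lo, r.port_hi + 1))
        if any(p not in allowed for p in range(c.port_lo, c.port_hi + 1)):
            overbroad.append(c)
    return missing, overbroad


# Constructed export of what an administrator actually configured. Two deliberate
# defects: the external outbound UDP RTP range is absent, and the external inbound
# UDP range is wider than 50,000-52,999.
CANDIDATE_EXPORT = [
    Rule("internal", "outbound", "tcp", 443, 443),
    Rule("internal", "outbound", "tcp", 5062, 5062),
    Rule("internal", "outbound", "udp", 3478, 3478),
    Rule("external", "inbound", "tcp", 443, 443),
    Rule("external", "inbound", "tcp", 50000, 52999),
    Rule("external", "outbound", "tcp", 50000, 52999),
    Rule("external", "inbound", "udp", 3478, 3478),
    Rule("external", "inbound", "udp", 50000, 65535),
]


if __name__ == "__main__":
    missing, overbroad = audit(CANDIDATE_EXPORT, av_edge_required_rules())
    for r in missing:
        print(f"MISSING   {r.firewall} {r.direction} {r.proto} {r.port_lo}-{r.port_hi} ({r.note})")
    for r in overbroad:
        print(f"OVERBROAD {r.firewall} {r.direction} {r.proto} {r.port_lo}-{r.port_hi}")
```

For the other server roles, replace the rows in av_edge_required_rules with those of the relevant table; the audit logic does not change. The Local IP and Remote IP columns are not modelled here, so a rule that opens the right ports on the wrong interface still has to be checked by hand.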
Step 2.3. Configure a Reverse Proxy For Microsoft Office Communications Server 2007, a reverse proxy, such as provided by Microsoft Internet Security and Acceleration (ISA) Server, although not required by any of the edge server components, is required by the internal Web server for the following purposes: •
To enable external users to download meeting content for your meetings.
•
To enable remote users to expand distribution groups.
•
To enable remote users to download files from the Address Book Service.
ISA Server 2004 is used only to publish information from the internal IIS server.
Appendix D Optimizing Your Network Interface Card for High A/V Traffic
39
In addition to deploying ISA Server 2004 as a reverse proxy, you can also use ISA Server 2004 as a firewall. This guide covers only deployment of ISA Server 2004 as a reverse proxy. For more information about using ISA Server 2004 as a firewall, see the ISA Server 2004 product documentation. The detailed steps in this section describe how to configure an ISA 2004 server as a reverse proxy. You can use the information in this section to set up the reverse proxy, which requires completing the following procedures: •
Configure the network adapter cards.
•
Install ISA Server 2004
•
Request and configure a digital certificate for SSL.
•
Perform the initial configuration.
•
Create a Web server publishing rule.
•
Configure SSL bridging.
•
Verify that the secure Web server publishing rule properties are correct
•
Verify or configure authentication and certification on IIS virtual directories.
•
Create an external DNS entry.
•
Verify that you can access the portal site through the Internet.
If you are using a different reverse proxy, consult the documentation for that product. ISA Server uses Web publishing rules in order to securely publish internal resources, such as a meeting URL, over the Internet. Publishing information to Internet users makes computing resources inside the internal network available to users outside the network. In the following procedures, the ISA Server computer has two network adapters: •
A public, or external, network adapter, which is exposed to the clients that will attempt to connect to your portal site (usually over the Internet).
•
A private, or internal, network interface, which is exposed to the internal Web servers to which outside users will connect.
You must assign one or more IP addresses to the external network adapter and at least one IP address to the internal network adapter.
Note ISA Server 2004 can also be set up to use a single network adapter. For more information, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at http://www.microsoft.com/technet/isa/2004/plan/single_adapter.mspx.
Office Communications Server 2007 Edge Server Deployment Guide
To configure the network adapter cards on the reverse proxy computer
1. On the server running ISA Server 2004, open Network Connections. Click Start, point to Settings, and then click Network Connections.
2. Right-click the external network connection to be used for the external interface, and then click Properties.
3. On the Properties page, on the General tab, in the This connection uses the following items list, click Internet Protocol (TCP/IP), and then click Properties.
4. On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses and DNS server addresses as appropriate for the network to which the network adapter is attached.
5. Click OK twice.
6. In Network Connections, right-click the internal network connection to be used for the internal interface, and then click Properties. Repeat steps 3 through 5 to configure the internal network connection.
To install ISA Server 2004
• Install ISA Server 2004 SP2 according to the setup instructions that are included with the product, as well as all hotfixes.
To request and configure a digital certificate for SSL
• The root certification authority (CA) certificate for the CA that issued the server certificate on the Web server needs to be installed on the server running ISA Server 2004. This certificate should match the published FQDN of the external Web farm where you are hosting meeting content and Address Book files.
Note If you are using separate IIS servers to host meeting content and Address Book data, you need to configure the ISA server with two certificates (each matching the published external FQDN of each of the two external Web sites) and install a second IP address on the external network interface of the ISA Server. ISA can bind only one certificate to one IP address. If you configure an ISA server with multiple sites, you can use a certificate that uses a wildcard. However, if you do, ensure that you do not use the same certificate for IIS for the internal site. For information about how to publish multiple Web sites with a wildcard certificate, see Using a Single Certificate to Publish Multiple Secure Web Sites at http://www.microsoft.com/technet/isa/2004/maintain/wildcard.mspx.
To create a Web server publishing rule on the ISA Server 2004 computer
1. Open ISA Server Management. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. In the console tree, expand ServerName, right-click Firewall Policy, point to New, and then click Secure Web Server Publishing Rule to start the New SSL Web Publishing Rule Wizard.
3. On the Welcome page, in SSL Web publishing rule name, type a friendly name for the publishing rule, and then click Next. For example, the name of the rule could be OfficeCommunicationsServerExternalRule.
4. On the Publishing Mode page, click SSL Bridging, and then click Next.
Note You also have the option of selecting Tunneling, but SSL Bridging is recommended, and so it is the option documented in the following procedure. SSL bridging protects against attacks that are hidden in SSL-encrypted connections. For SSL-enabled Web applications, after receiving the client's request, ISA Server decrypts it, inspects it, and terminates the SSL connection with the client computer. The Web publishing rules determine how ISA Server communicates the request for the object to the published Web server. If the secure Web publishing rule is configured to forward the request using Secure HTTP (HTTPS), ISA Server initiates a new SSL connection with the published server. Because the ISA Server computer is now an SSL client, it requires that the published Web server respond with a server-side certificate.
To configure SSL bridging
1. On the Select Rule Action page, click Allow.
2. On the Bridging Mode page, click Secure connection to clients and Web server, and then click Next.
3. On the Define Website to Publish page, type the FQDN of the internal Web farm that hosts your meeting content and Address Book content in the Computer name or IP address box.
4. Select from the following options:
• If you are using an Office Communications Server 2007 Standard Edition server, this FQDN will be the Standard Edition server FQDN.
• If you are using an Office Communications Server 2007 Enterprise pool, this FQDN will be the internal Web farm FQDN.
• If you are hosting Address Book content and meeting content on different servers or pools, you must run this procedure twice—one time for the server that hosts the meeting content and one time for the server or pool that hosts the Address Book content.
5. Click Next.
6. On the Public Name Details page, type a name for the IIS server in the Public name box. This name will be seen by outside users.
7. Click Next.
8. On the Select Web Listener page, click New.
9. In the New Web Listener Definition Wizard, type a friendly name for the Web listener (for example, ServerExternalWebListener) in the Web listener name box, and then click Next.
10. To select a specific IP address for the Web Listener, on the IP Addresses page, in Available IP Addresses, select the External check box, and then click Address.
11. On the External Network Listener IP Selection page, do the following:
• Under Listen for requests on, click Specified IP addresses on the ISA Server computer in the selected network.
• In Available IP Addresses, click an IP address, click Add, and then click OK.
• Click Next.
12. On the Port Specification page, do the following:
• Under HTTP, clear the Enable HTTP check box.
• Under SSL, select Enable SSL, verify that the SSL port is 443 (the default value), and then in Certificate, click Select.
13. In the Select Certificate dialog box, click the certificate that matches the external name that you specified in step 4, and then click OK.
14. On the completion page, verify successful completion, and then click Finish.
15. In the New Web Publishing Rule Wizard, click Next.
16. In User Sets, click Next, and then click Finish.
17. In Microsoft Internet Security and Acceleration Server 2004, at the top of the center pane, click Apply.
To verify that the secure Web server publishing rule properties are correct
1. Open ISA Server Management. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. In the console tree, expand ServerName, and then click Firewall Policy.
3. In the details pane, right-click the secure Web server publishing rule that you created by using the previous procedure (to create a Web server publishing rule on the ISA Server 2004; for example, OfficeCommunicationsServerExternalRule), and then click Properties.
4. On the Properties page, click the From tab, and then do the following:
a. In the This rule applies to traffic from these sources list, click Anywhere, and then click Remove.
b. Click Add.
c. In the Add Network Entities dialog box, expand Networks, click External, click Add, and then click Close.
5. On the To tab, click Requests appear to come from the ISA Server computer, and then click OK.
Note The following procedure is for the Default Web Site in IIS. You must also verify or configure authentication and certification on each front-end Web server in the Microsoft Office SharePoint® Portal Server deployment.
To verify or configure authentication and certification on IIS virtual directories
1. Open Internet Information Services Manager. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the left pane, expand ServerName, and then expand Web Sites.
3. Right-click Default Web Site, and then click Properties.
4. On the Web Site tab, ensure that the port number is 443 in the SSL port box.
5. On the Directory Security tab, under Secure communications, click Server Certificate.
6. On the Welcome to the Web Server Certificate Wizard page, click Next.
7. On the Server Certificate page, click Assign an existing certificate, and then click Next.
8. On the Available Certificates page, click the certificate you want to use for your Web server in the Select a certificate list, and then click Next.
9. On the SSL Port page, ensure that the value is 443 in the SSL port this Web site should use list, and then click Next.
10. On the Certificate Summary page, verify that the settings are correct, and then click Next.
11. On the completion page, click Finish, and then click OK.
12. Repeat this procedure for each additional front-end Web server in the SharePoint Portal Server deployment, modifying as appropriate for each front-end Web server.
To create an external DNS entry
• Create an external DNS A record that points to the external interface of your ISA server. For information about how to create a DNS A record, see your DNS documentation.
To verify that you can access the portal site through the Internet
1. Deploy the Microsoft Office Live Meeting 2007 client as described in the Microsoft Office Live Meeting 2007 Client Quick Reference.
2. Open a Web browser, and then in the Address bar, type the URLs that are used by clients to access the Address Book files and the portal site for Web conferencing.
• For Address Book Server, type a URL similar to the following: https://externalwebfarmFQDN/abs/ext where externalwebfarmFQDN is the external FQDN of the Web farm that hosts Address Book server files. Users should receive an HTTP challenge, because directory security on the Address Book Server folder is configured to Microsoft Windows® authentication by default.
• For Web conferencing, type a URL similar to the following: https://externalwebfarmFQDN/conf/ext/Tshoot.html where externalwebfarmFQDN is the external FQDN of the Web farm that hosts meeting content. This URL should display the troubleshooting page for Web conferencing.
Step 2.4. Configure a Director (Optional, but Recommended)
The Office Communications Server 2007 Director is the recommended internal next-hop server to which an Access Edge Server routes inbound SIP traffic destined to internal servers. The Director authenticates inbound requests and distributes them among the servers in the Enterprise pool or to the appropriate Standard Edition Server. Office Communications Server 2007 supports the following Director configurations:
• A single Standard Edition Server that is configured as a Director.
• An array of Standard Edition Servers that are configured as a Director (requires an Enterprise CA).
• An Enterprise pool that is configured as a Director.
You deploy a Director in a manner similar to the way that you deploy any other Office Communications Server 2007 server, and you configure it as a Director by using the Deployment Wizard. In a load balanced edge server topology (a scaled single-site topology or a multiple-site edge topology), the next hop server on the Director must target the virtual IP address of the Edge Server array’s internal load balancer. Some special configuration steps are required if you choose to deploy an array of Standard Edition servers as a Director. See Appendix A for more information.
Deploy Your Director
To deploy a Director in your organization, you need to set up certificates and DNS as you would for any internal Office Communications Server. The following procedure guides you through the process of configuring a Standard Edition Server as a Director.
To configure a Standard Edition Server as a Director
1. Configure your DNS records as described in the Office Communications Server 2007 Standard Edition Deployment Guide.
2. Insert the Microsoft Office Communications Server CD. Setup starts and launches the Deployment Tool. If you are installing from a network share, navigate to the \Setup\I386 folder, and then double-click Setup.exe.
3. Click Deploy Standard Edition Server.
4. At Configure Server, click Run.
5. On the Welcome to the Configure Pool/Server Wizard page, click Next.
6. On the Server or Pool to Configure page, select the server from the list, and then click Next.
7. On the SIP domains page, verify that your SIP domain appears in the list box. If it does not, click the SIP domains in your environment box, type your SIP domain, and then click Add. Repeat these steps for all other SIP domains that the Standard Edition Server will support. When you are finished, click Next.
8. On the Client Logon Settings page, do one of the following:
• If the Communicator and Live Meeting clients in your organization will use DNS to locate the pool, click Some or all clients will use DNS SRV records for automatic logon.
  o Do not select the Use this server or pool as a Director for automatic logon check box if you are configuring a Director for external access only. This setting allows internal clients to log on through a Director, and the Director then routes requests to the appropriate server or pool.
• If the Communicator clients in your organization will not use DNS to log on to the pool and you plan to manually configure clients to connect to the pool, click Clients will be manually configured for logon.
9. When you are finished, click Next.
10. On the SIP Domains for Automatic Logon page, do one of the following:
• If in the previous step you selected Some or all clients will use DNS SRV records for automatic logon, select the check box for the domains that will be supported by the server for automatic sign-in, and then click Next.
• If, in step 8, you selected Clients will be manually configured for logon, skip to the next step.
11. On the External User Access Configuration page, click Do not configure external user access now, and then click Next.
12. On the Ready to Configure Server or Pool page, review the settings that you specified, and then click Next to configure the Standard Edition Server.
13. When the files have been installed and the wizard has completed, verify that the View the log when you click ‘Finish’ check box is selected, and then click Finish.
14. In the log file, verify that <Success> appears under the Execution Result column. Look for <Success> Execution Result at the end of each task to verify that the Standard Edition Server configuration completed successfully. Close the log window when you finish.
Deactivate Server Roles and Unnecessary Components (Optional)
As a security best practice, you should deactivate and uninstall the server roles that the Director does not require. This practice involves deactivating and uninstalling the Web Conferencing, A/V Conferencing, and Web Components roles on this server and deactivating the Address Book Server.
To deactivate the roles not required for a Director
1. Log on to the Director with an account that is a member of the local administrators group and a member of RTCUniversalServerAdmins.
2. Open the Office Communications Server 2007 Administration tools: Click Start, point to All Programs, point to Administrative Tools, and then click Office Communications Server 2007.
3. Select one of the following:
• For a Standard Edition Server, expand Standard Edition Server, and then expand the Standard Edition Server that you just deployed:
  1. Right-click the FQDN of the server, point to Deactivate, and then click Web Conferencing and complete the wizard.
  2. Right-click the FQDN of the server, point to Deactivate, and then click A/V Conferencing and complete the wizard.
  3. Right-click the FQDN of the server, point to Deactivate, and then click Web Components and complete the wizard.
• For an Enterprise pool, expand Enterprise pools, and then expand the pool that you just deployed:
  1. Expand Web Conferencing, right-click the FQDN of the server, and then click Deactivate and complete the wizard.
  2. Expand A/V Conferencing, right-click the FQDN of the server, and then click Deactivate and complete the wizard.
  3. Expand Web Components, right-click the FQDN of the server, and then click Deactivate and complete the wizard.
To deactivate the Address Book Server
1. Open a Command Prompt window: Click Start, point to Run, and then type cmd.
2. At the command prompt, type wbemtest.
3. In Namespace, type root\cimv2, and then click Connect.
4. Click Enum Classes, and then click OK.
5. Select MSFT_SIPAddressBookSetting.
6. Click Instances.
7. Select your SQL database instance.
8. Double-click Outputlocation.
9. In the Value field, click Null.
10. Click Save Property.
11. Click Save Object.
12. Click Close.
Step 3. Set Up Edge Servers
After setting up the infrastructure for edge servers, you need to set up edge servers in the perimeter network. You can use the procedures in this section to do this by completing the following steps:
1. Deploy a load balancer, if appropriate.
2. Install edge servers.
3. Activate edge servers.
4. Configure edge servers.
5. Set up certificates for the internal interface.
6. Set up certificates for the external interface.
7. Set up A/V Conferencing certificates for the internal network.
8. Configure the load balancer, if appropriate.
Deploying a load balancer and configuring the load balancer are required only in the scaled single-site edge topology and the data center of the multiple-site edge topology. Deployment of a load balancer for the remote site of the multiple-site edge topology is not recommended or supported.
Step 3.1. Deploy Load Balancers
You can use load balancers to distribute incoming connections across multiple edge servers. If you are deploying edge servers in a scaled single-site edge topology or a multiple-site edge topology, you must deploy a load balancer for the collocated Access Edge Servers and Web Conferencing Edge Servers and the A/V Edge Servers in the perimeter network of the data center. You deploy load balancers for traffic from both the external network and traffic from the internal network. A single load balancer can be used for all three server roles; however, using separate virtual IP addresses (VIPs) for each server role is highly recommended. Microsoft recommends port 443 for all three server roles, and because a different port/IP combination is required for each server role, separate VIPs support the recommended configuration. For load-balanced Web Conferencing Edge Servers and A/V Edge Servers in the perimeter network of the data center, outgoing requests are connected directly to a specific Web Conferencing Edge Server or A/V Edge Server. These outgoing requests are handled as follows:
• Each time an internal Web Conferencing Server starts up, it looks up the Web Conferencing Edge Servers that are configured in its environment, and then it looks up the DNS A record of each. The internal Web Conferencing Server then initiates four outbound TCP connections to the internal IP and port of each Web Conferencing Edge Server.
• The load balancer for the A/V Edge Servers routes each A/V request to one of the A/V Edge Servers, which then manages the connection until it ends.
Additional information about load balancing, including an example, is provided in the “Planning for Load Balancing” section of the Office Communications Server 2007 Planning Guide. You should use the information provided there to help you determine the appropriate configuration for load balancing. The basic requirements for load balancing are as follows:
• If you want to load balance Web Conferencing Edge Servers, you must collocate each Web Conferencing Edge Server with an Access Edge Server. The A/V Edge Server must not be collocated on the same server.
• The external interfaces of multiple collocated Access Edge Servers and Web Conferencing Edge Servers must be load balanced. However, only the internal interface of the Access Edge Servers in this configuration should be load balanced. The internal interface of the Web Conferencing Edge Servers must not be load balanced.
• All Access Edge Servers and Web Conferencing Edge Servers that are connected to the load balancer must be configured identically, including identical internal and external ports, Allow lists, Block lists, federated partners, internal domain lists, internal server lists, remote user settings, and proxy connections.
• Certificates must be installed and configured to support load balancing (as covered in Step 3.6, Step 3.7, and Step 3.8 of this guide, which cover deployment of certificates for edge servers).
• Federated partner Access Edge Servers and remote user clients must target the virtual IP address used by the Access Edge Server array on the external load balancer.
• The internal next hop server (typically, a Director) must target the virtual IP address that is used by the Access Edge Server on the internal load balancer. If you are deploying a Director for an Enterprise Pool, you do this as part of the Director configuration, as covered in Step 2.4. Configure a Director for an Enterprise Pool.
Sample Configuration
The following figure shows how a load balancer is configured for collocated Access Edge Servers and Web Conferencing Edge Servers and two dedicated A/V Edge Servers. In the diagram below, two Access Edge Servers are collocated with Web Conferencing Edge Servers in an array. These servers are called A and B. Two dedicated A/V Edge Servers are called C and D. These servers are configured as follows:
• Each server role—A/V Edge Server, Web Conferencing Edge Server and Access Edge Server—has its own external FQDN that resolves to a separate VIP on the external load balancer. In this example:
  • Access Edge Servers use the external FQDN of AccessExternalLB.contoso.com
  • Web Conferencing Edge Servers use the external FQDN of WebExternalLB.contoso.com
  • A/V Edge Servers use the external FQDN of AVExternalLB.contoso.com
• The Access Edge Servers and the A/V Edge Servers each have a unique internal FQDN that resolves to a separate VIP on the internal load balancer. In this example:
  • Access Edge Servers use the internal FQDN of AccessInternalLB.corp.contoso.com
  • A/V Edge Servers use the internal FQDN of AVInternalLB.corp.contoso.com
• The Web Conferencing Edge Servers are not load balanced on the internal side.
Internally, a Front-End Server, a Web Conferencing Server, and an A/V Conferencing Server are installed together on three Enterprise Edition Servers in an Enterprise pool in the consolidated configuration (Servers E, F, and G). This internal topology is for illustration purposes only. You may install any of the internally supported topologies as discussed in the Planning Guide.
DNS records
The following DNS SRV records are required by the Access Edge Server:
• If you are enabling public IM connectivity or enhanced federation, an external SRV record for all edge servers that points to _sipfederationtls._tcp.contoso.com over port 5061 (where contoso.com is the name of the SIP domain of this organization). This SRV record should point to an A record with the external FQDN of the Access Edge Server that resolves to the VIP on the external load balancer that is used by the Access Edge Servers. In this example, because there is only one SIP domain, only one SRV record like this is needed. If you have multiple SIP domains, you need a DNS SRV record for each. This is required only if you are enabling enhanced federation or public IM connectivity.
• A DNS SRV (service location) record for _sip._tls.contoso.com over port 443, where contoso.com is the name of your organization’s SIP domain. This SRV record must point to an A record with the external FQDN of the Access Edge Server that resolves to the VIP on the external load balancer used by the Access Edge Servers. If you have multiple SIP domains, you need a DNS SRV record for each. This SRV record supports automatic configuration for remote users for instant messaging and conferencing.
The following external DNS A records are required:
• ExternalAccessLB.contoso.com resolves to the VIP of the external load balancer in the perimeter network used by the Access Edge Servers. It is used by external clients and other Access Edge Servers to reach the Access Edge Server from the Internet.
• An external A record for sip.ExternalAccessLB.contoso.com that points to the VIP address used by the Access Edge Servers on the external load balancer in the perimeter network (one A record for each SIP domain).
• ExternalWebLB.contoso.com resolves to the VIP address used by the Web Conferencing Edge Servers on the external load balancer in the perimeter network.
• ExternalAVLB.contoso.com resolves to the VIP address used by the A/V Edge Servers on the external load balancer in the perimeter network.
The following internal DNS A records are required:
• InternalAccessLB.corp.contoso.com points to the VIP of the internal load balancer in the perimeter network used by the Access Edge Servers.
• InternalAVLB.corp.contoso.com points to the VIP of the internal load balancer in the perimeter network used by the A/V Edge Servers.
• InternalLB.corp.contoso.com points to the VIP of the load balancer of the Enterprise pool to which the internal A/V Conferencing Servers and Web Conferencing Servers are attached.
• SrvrA.corp.contoso.com points to the internal interface of the Web Conferencing Edge Server on Server A.
• SrvrB.corp.contoso.com points to the internal interface of the Web Conferencing Edge Server on Server B.
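The SRV and A record requirements above can be checked mechanically before remote users or federated partners are pointed at the deployment. The following Python script is an added example and is not part of this guide: it models a zone as a set of records (constructed here to mirror the contoso.com sample, with placeholder VIP addresses) and reports any SIP domain whose _sip._tls or _sipfederationtls._tcp record is missing, uses the wrong port, or does not resolve through an A record to the Access Edge VIP on the external load balancer.

```python
"""Validate the external DNS records the Access Edge Server array needs:
one _sip._tls SRV record (port 443) per SIP domain and, when federation or
public IM connectivity is enabled, one _sipfederationtls._tcp SRV record
(port 5061) per SIP domain, each targeting an A record that resolves to the
Access Edge VIP on the external load balancer.

Added example, not part of the guide. The zone below is constructed to mirror
the contoso.com sample configuration; the VIP addresses are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SrvRecord:
    name: str    # e.g. "_sip._tls.contoso.com"
    port: int
    target: str  # host name of an A record (an SRV target is never an IP or a CNAME)


@dataclass
class DnsZone:
    a_records: Dict[str, str] = field(default_factory=dict)  # name -> IPv4
    srv_records: List[SrvRecord] = field(default_factory=list)


# Placeholder VIPs on the external load balancer, one per server role.
EXTERNAL_VIPS = {"access": "203.0.113.10", "web": "203.0.113.11", "av": "203.0.113.12"}


def build_sample_zone() -> DnsZone:
    """External records from the guide's sample configuration (constructed)."""
    zone = DnsZone()
    zone.a_records.update({
        "ExternalAccessLB.contoso.com": EXTERNAL_VIPS["access"],
        "sip.ExternalAccessLB.contoso.com": EXTERNAL_VIPS["access"],
        "ExternalWebLB.contoso.com": EXTERNAL_VIPS["web"],
        "ExternalAVLB.contoso.com": EXTERNAL_VIPS["av"],
    })
    zone.srv_records += [
        SrvRecord("_sip._tls.contoso.com", 443, "ExternalAccessLB.contoso.com"),
        SrvRecord("_sipfederationtls._tcp.contoso.com", 5061, "ExternalAccessLB.contoso.com"),
    ]
    return zone


def build_misconfigured_zone() -> DnsZone:
    """Same zone, but _sip._tls was pointed at the Web Conferencing Edge VIP."""
    zone = build_sample_zone()
    zone.srv_records[0] = SrvRecord("_sip._tls.contoso.com", 443, "ExternalWebLB.contoso.com")
    return zone


def check_access_edge_dns(zone: DnsZone, sip_domains: List[str], access_vip: str,
                          federation: bool = True) -> List[str]:
    """Return the problems found; an empty list means the records match the guide."""
    problems: List[str] = []
    srv_by_name = {r.name.lower(): r for r in zone.srv_records}  # DNS names are case-insensitive
    a_by_name = {n.lower(): ip for n, ip in zone.a_records.items()}
    required = [("_sip._tls.", 443)]
    if federation:
        required.append(("_sipfederationtls._tcp.", 5061))
    for domain in sip_domains:
        for prefix, port in required:
            name = prefix + domain.lower()
            rec = srv_by_name.get(name)
            if rec is None:
                problems.append(f"missing SRV record {name}")
                continue
            if rec.port != port:
                problems.append(f"{name}: port {rec.port}, expected {port}")
            ip = a_by_name.get(rec.target.lower())
            if ip is None:
                problems.append(f"{name}: target {rec.target} has no A record")
            elif ip != access_vip:
                problems.append(f"{name}: target {rec.target} resolves to {ip}, "
                                f"not the Access Edge VIP {access_vip}")
    return problems


if __name__ == "__main__":
    for label, zone in (("sample", build_sample_zone()), ("misconfigured", build_misconfigured_zone())):
        print(label, check_access_edge_dns(zone, ["contoso.com"], EXTERNAL_VIPS["access"]) or "OK")
```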
Certificates
The certificates are configured in the following way.
Access Edge Servers
• The external interface of the Access Edge Server has a certificate with a subject name (SN) of ExternalAccessLB.contoso.com. You would configure this certificate on server A and mark it as exportable, and then import it to Server B. (Each server in the Web Conferencing Edge Server and Access Edge Server array must use the same certificate.)
• The external interface of the Web Conferencing Edge Server has a certificate with a subject name (SN) of ExternalWebLB.contoso.com. You would configure this certificate on server A and mark it as exportable, and then import it to Server B. (Each server in the Web Conferencing Edge Server and Access Edge Server array must use the same certificate.)
• No certificate is required on the external interface of the A/V Edge Server.
• The internal interface of each Access Edge Server has a certificate with an SN of InternalAccessLB.corp.contoso.com. This certificate is shared with the internal edge of the Web Conferencing Edge Server. You would configure this certificate on server A and mark it as exportable, and then import it to Server B. (Each server in the Web Conferencing Edge Server and Access Edge Server array must use the same certificate.)
• The internal edge of the A/V Edge Server has a certificate with an SN of InternalAVLB.corp.contoso.com. You would configure this certificate on server A and mark it as exportable, and then import it to Server B. (Each server in the Web Conferencing Edge Server and Access Edge Server array must use the same certificate.)
• The internal edge of the A/V Edge Server is configured with an additional certificate used for A/V authentication. The same A/V authentication certificate must be installed on each A/V Edge Server. This means that the certificate must be from the same issuer and use the same private key.
Internal Web Conferencing Servers in Your Enterprise Pool
Each internal Web Conferencing Server in the Enterprise pool has a certificate with the subject name (SN) of InternalLB.corp.contoso.com.
Internal A/V Conferencing Servers
Each internal A/V Conferencing Server has a certificate with the subject name (SN) of InternalLB.corp.contoso.com.
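The certificate rules in this section (the expected subject name on each interface, one identical certificate across every member of an array, an identical A/V authentication certificate on every A/V Edge Server, and no certificate on the A/V external interface) can be verified against an inventory of what is actually installed. This Python script is an added example and is not part of this guide; the thumbprints, the issuer name and the subject name of the A/V authentication certificate are constructed placeholders.

```python
"""Check that edge server certificates match the load-balanced FQDNs and are
shared across each array, as the sample configuration requires.

Added example, not part of the guide. A certificate is modelled by subject
name, issuer and thumbprint only; the thumbprints are constructed
placeholders, and a shared thumbprint stands for the certificate that was
exported from server A (or C) and imported on its array partner, and
therefore for the same private key.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str     # subject name (SN)
    issuer: str
    thumbprint: str  # identical thumbprint == identical certificate and key


# Expected subject name for each (array, interface) pair in the sample.
# None means "any subject, but every member must hold the identical certificate".
EXPECTED_SN: Dict[tuple, Optional[str]] = {
    ("access_web", "external_access"): "ExternalAccessLB.contoso.com",
    ("access_web", "external_web"): "ExternalWebLB.contoso.com",
    ("access_web", "internal"): "InternalAccessLB.corp.contoso.com",
    ("av", "internal"): "InternalAVLB.corp.contoso.com",
    ("av", "av_auth"): None,
}

Inventory = Dict[str, Dict[str, Dict[str, Optional[Cert]]]]


def check_edge_certificates(inventory: Inventory) -> List[str]:
    """Return problems found in {array: {server: {interface: Cert}}}; [] means OK."""
    problems: List[str] = []
    for (array, iface), expected in EXPECTED_SN.items():
        held: Dict[str, Cert] = {}
        for server, ifaces in inventory.get(array, {}).items():
            cert = ifaces.get(iface)
            if cert is None:
                problems.append(f"{server}: no certificate on {iface}")
                continue
            if expected is not None and cert.subject.lower() != expected.lower():
                problems.append(f"{server}: {iface} SN is {cert.subject}, expected {expected}")
            held[server] = cert
        # Every member of the array must carry the same certificate on this interface.
        if len({c.thumbprint for c in held.values()}) > 1:
            problems.append(f"{array}: {iface} certificate differs between " + ", ".join(sorted(held)))
    # The external interface of an A/V Edge Server carries no certificate at all.
    for server, ifaces in inventory.get("av", {}).items():
        if ifaces.get("external") is not None:
            problems.append(f"{server}: unexpected certificate on the A/V external interface")
    return problems


def build_sample_inventory() -> Inventory:
    """Servers A and B (collocated Access/Web Conferencing Edge) and C and D (A/V Edge)."""
    ca = "CN=Contoso Enterprise CA"  # constructed issuer name
    ext_access = Cert("ExternalAccessLB.contoso.com", ca, "T-EXT-ACCESS")
    ext_web = Cert("ExternalWebLB.contoso.com", ca, "T-EXT-WEB")
    int_access = Cert("InternalAccessLB.corp.contoso.com", ca, "T-INT-ACCESS")
    int_av = Cert("InternalAVLB.corp.contoso.com", ca, "T-INT-AV")
    av_auth = Cert("AVAuth.corp.contoso.com", ca, "T-AV-AUTH")  # constructed SN
    ab = {"external_access": ext_access, "external_web": ext_web, "internal": int_access}
    cd = {"internal": int_av, "av_auth": av_auth, "external": None}
    return {"access_web": {"A": dict(ab), "B": dict(ab)},
            "av": {"C": dict(cd), "D": dict(cd)}}


def build_misconfigured_inventory() -> Inventory:
    """Server D requested its own A/V authentication certificate instead of importing C's."""
    inv = build_sample_inventory()
    inv["av"]["D"]["av_auth"] = Cert("AVAuth.corp.contoso.com", "CN=Contoso Enterprise CA", "T-AV-AUTH-D")
    return inv


if __name__ == "__main__":
    for label, inv in (("sample", build_sample_inventory()),
                       ("misconfigured", build_misconfigured_inventory())):
        print(label, check_edge_certificates(inv) or "OK")
```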
Edge Server Configuration
The FQDN of the VIP of the load balancer, InternalLB.corp.contoso.com, is configured on the internal server list on each Edge Server, and port 5061 is configured as the port. (The edge server wizard allows you to configure this, or this setting can be configured in Computer Management on the Internal tab of the edge server properties page.)
Trusted Edge Server List in Active Directory
The trusted edge server list in Active Directory is configured when you run the Configure Pool or Server wizard and configure external access, or you can configure it manually on the Edge Server tab in Global Properties. (See the Administration Guide for step-by-step instructions.) This list defines edge servers that internal servers allow to connect to them. The FQDN of each VIP on the internal load balancer of the edge servers must be added to this list. In this example: InternalAccessLB.corp.contoso.com and InternalAV.corp.contoso.com.
Web Conferencing Edge Servers Configured on the Pool or Server
The list of trusted Web Conferencing Edge Servers contains an entry for each Web Conferencing Edge Server with its internal and external FQDN and port number. These entries are configured when you run the Configure Pool or Server wizard and configure external access, or you can configure these entries manually on the Web Conferencing Edge Server tab in the pool or server properties. In the example, the internal pool would have these entries:
Server A
  Internal FQDN: SrvrA.corp.contoso.com
  Internal port: 8057
  External FQDN: ExternalWebLB.contoso.com
  External port: 443
Server B
  Internal FQDN: SrvrB.corp.contoso.com
  Internal port: 8057
  External FQDN: ExternalWebLB.contoso.com
  External port: 443
A/V Edge Servers Configured on the Pool or Server
The list of trusted A/V Edge Servers contains an entry for each A/V Edge Server with its internal and external FQDN and port number and the external port range. It is configured when you run the Configure Pool or Server wizard and configure external access, or you can configure it manually on the A/V Edge Server tab in the pool or server properties. In the example, the internal pool would have these entries:
Server C
  Internal FQDN: InternalAVLB.corp.contoso.com
  Internal port: TCP 443, 5062; UDP 3478
  External FQDN: ExternalAVLB.contoso.com
  External port: TCP 443; UDP 3478
Server D
  Internal FQDN: InternalAVLB.corp.contoso.com
  Internal port: TCP 443, 5062; UDP 3478
  External FQDN: ExternalAVLB.contoso.com
  External port: TCP 443; UDP 3478
Configuring Your Load Balancer
If you are deploying edge servers in a scaled single-site edge topology or a multiple-site edge topology, and you deployed a load balancer as described in Step 3.1, you now need to configure the load balancers. After configuring edge servers in the perimeter network of your data center, ensure that they are correctly connected to the load balancer, and then ensure that the ports listed in the following tables are open on the internal interface and on the external interface of the load balancer, respectively.

Table 22 Internal Load Balancer Port Settings
Component                       Port
Access Edge Server              TCP 5061
Web Conferencing Edge Server    N/A
A/V Edge Server                 TCP 5062, TCP 443, UDP 3478

Table 23 External Load Balancer Port Settings
Component                       Port
Access Edge Server              TCP 5061, TCP 443
Web Conferencing Edge Server    TCP 443
A/V Edge Server                 TCP 443, UDP 3478
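The following PowerShell script is an added example, not part of this guide or of Office Communications Server, that probes each port from Table 22 and Table 23 against the corresponding load balancer VIP and reports the result per role. The VIP names are placeholders (the A/V and Web Conferencing names reuse this guide's example names; the Access Edge names are invented), the internal rows are assumed to be run from an internal server and the external rows from an Internet-side host, and the UDP 3478 probe is a constructed STUN Binding Request: a reply proves the port open, an ICMP port-unreachable proves it closed, and silence is inconclusive.

```powershell
# Added example (not part of the deployment guide): probe the load balancer VIPs for the
# ports in Table 22 (internal interface) and Table 23 (external interface).
# Assumptions: the VIP FQDNs are placeholders; run internal rows from an internal server
# and external rows from the Internet side; a silent UDP port is inconclusive, not failed.

$Vip = @{
    InternalAccess = 'InternalAccessLB.corp.contoso.com'   # invented placeholder
    InternalAV     = 'InternalAVLB.corp.contoso.com'       # guide's example name
    ExternalAccess = 'ExternalAccessLB.contoso.com'        # invented placeholder
    ExternalWeb    = 'ExternalWebLB.contoso.com'           # guide's example name
    ExternalAV     = 'ExternalAVLB.contoso.com'            # guide's example name
}

# One row per entry in Table 22 / Table 23.
$Checks = @(
    @{ Table='22 internal'; Role='Access Edge Server';           Target=$Vip.InternalAccess; Proto='TCP'; Port=5061 },
    @{ Table='22 internal'; Role='A/V Edge Server';              Target=$Vip.InternalAV;     Proto='TCP'; Port=5062 },
    @{ Table='22 internal'; Role='A/V Edge Server';              Target=$Vip.InternalAV;     Proto='TCP'; Port=443  },
    @{ Table='22 internal'; Role='A/V Edge Server';              Target=$Vip.InternalAV;     Proto='UDP'; Port=3478 },
    @{ Table='23 external'; Role='Access Edge Server';           Target=$Vip.ExternalAccess; Proto='TCP'; Port=5061 },
    @{ Table='23 external'; Role='Access Edge Server';           Target=$Vip.ExternalAccess; Proto='TCP'; Port=443  },
    @{ Table='23 external'; Role='Web Conferencing Edge Server'; Target=$Vip.ExternalWeb;    Proto='TCP'; Port=443  },
    @{ Table='23 external'; Role='A/V Edge Server';              Target=$Vip.ExternalAV;     Proto='TCP'; Port=443  },
    @{ Table='23 external'; Role='A/V Edge Server';              Target=$Vip.ExternalAV;     Proto='UDP'; Port=3478 }
)

function Test-TcpPort {
    # $true when the TCP handshake completes within the timeout, otherwise $false.
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # no SYN/ACK in time
        $client.EndConnect($ar)
        return $true
    } catch { return $false }                                                       # refused / unreachable
    finally { $client.Close() }
}

function Test-UdpPort {
    # $true on any reply, $false on ICMP port unreachable, $null (inconclusive) on silence.
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Target, $Port)
        # Constructed STUN Binding Request header (RFC 5389): type 0x0001, length 0,
        # magic cookie 0x2112A442, random 12-byte transaction ID. Assumption: the A/V Edge
        # listener answers a bare request with some datagram, even an error response.
        $txn = New-Object byte[] 12
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($txn)
        $msg = [byte[]]((0x00,0x01,0x00,0x00,0x21,0x12,0xA4,0x42) + $txn)
        [void]$udp.Send($msg, $msg.Length)
        $from  = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$from)
        return ($reply.Length -ge 20)
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap the method-invocation wrapper
        if ($ex -is [System.Net.Sockets.SocketException] -and $ex.SocketErrorCode -eq 'ConnectionReset') {
            return $false                                      # ICMP port unreachable came back
        }
        return $null                                           # timed out: inconclusive
    } finally { $udp.Close() }
}

$report = foreach ($c in $Checks) {
    $r = if ($c.Proto -eq 'TCP') { Test-TcpPort $c.Target $c.Port } else { Test-UdpPort $c.Target $c.Port }
    $state = if ($r -eq $true) { 'open' } elseif ($r -eq $false) { 'closed' } else { 'no reply (inconclusive)' }
    New-Object PSObject -Property @{ Table=$c.Table; Role=$c.Role; Target=$c.Target; Port="$($c.Proto) $($c.Port)"; State=$state }
}
$report | Format-Table Table, Role, Target, Port, State -AutoSize
```

Rows from Table 22 and Table 23 that report closed from the wrong side of the firewall (an internal port probed from the Internet, or an external port probed from inside) are expected; only a closed result on the side the table describes indicates a load balancer or firewall rule that still needs to be opened.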
Step 3.2. Install Edge Servers
Your edge server topology determines the computers on which you must complete the edge server installation procedure. The following table shows the edge server installation requirements for each topology.

Table 24 Server installation requirements for each topology
Location: Data center
  Consolidated Edge Topology: Deploy all server roles together on one computer.
  Single-Site Edge Topology: Deploy the Access Edge Server and the Web Conferencing Edge Server together on one computer. Deploy the A/V Edge Server on a separate computer.
  Scaled Single-Site Edge Topology: Deploy the Access Edge Server and the Web Conferencing Edge Server together on one computer (scaled as appropriate). Deploy the A/V Edge Server on a separate computer (scaled as appropriate).
  Multiple-Site Edge Topology: Same as the scaled single-site edge topology.
Location: Remote site
  Consolidated Edge Topology: N/A
  Single-Site Edge Topology: N/A
  Scaled Single-Site Edge Topology: N/A
  Multiple-Site Edge Topology: Deploy the Web Conferencing Edge Server on a separate computer and the A/V Edge Server on a separate computer. Or, deploy two or more Web Conferencing Edge Servers, each on a separate computer, and load balance them, and deploy two or more A/V Edge Servers, each on a separate computer, and load balance them.
Appendix D Optimizing Your Network Interface Card for High A/V Traffic
You deploy edge servers by using the Office Communications Server 2007 Deployment Wizard, which you access by running Setup.exe from the Office Communications Server 2007 installation CD or, if you are deploying over the network, from the network share. From the Deployment Wizard, you can access multiple individual wizards that facilitate completion of edge server deployment tasks. You can use these wizards, as covered in this section, to complete the following procedures:
• Install the edge server. When you install an edge server, the installation process copies the required edge server files to the local computer.
• Activate the edge server. When you activate an edge server, you configure it to have one or more edge server roles.
• Configure the edge server. Configuration includes specifying the settings that are necessary for the edge server to work.
• Configure certificates for the edge servers.
To install an edge server
1. Log on to the computer on which you want to install your edge server as a member of the Administrators group.
2. If Systems Management Server (SMS) is running on the computer, stop the SMS service.
3. Start Setup and launch the Deployment Wizard by doing one of the following:
• If you are installing the edge server from the Office Communications Server 2007 installation CD, insert the CD. If Setup does not start automatically, from the Start menu, click Run. In the Open box, type \Setup\I386\Setup.exe, and then click OK.
• If you are installing the edge server from a network share, go to the \Setup\I386 folder, and then double-click Setup.exe.
4. Click Deploy Other Server Roles.
5. Click Deploy Edge Server.
6. Next to Step 1: Install Files for Edge Server, click Install to start the Install Files for Edge Server Setup Wizard.
7. On the Welcome page, click Next.
8. On the License Agreement page, if you agree to the licensing terms, click I accept the terms in the licensing agreement, and then click Next.
9. On the Customer Information page, in User name and Organization, type your name and the name of your organization.
10. Use the product key that is automatically supplied, and then click Next.
11. On the Install Location page, in Location, type the location where you want to install the edge server files, and then click Next.
12. On the Confirm Installation page, click Next.
13. On the completion page, click Close.
Step 3.3. Activate Edge Servers
After installing the required files, as covered in Step 3.2, you continue with the Deployment Wizard (using the following procedure) to activate the edge server. The Deployment Wizard provides an activation wizard that simplifies activation of the edge server, which requires the following:
• Assigning one or more edge server roles to the edge server.
• Specifying a service account to use for the edge server.
Complete the following activation procedure on each computer being deployed as an edge server in the perimeter network of the data center or a remote site. After you have activated a server role on the computer, you can rerun the activation wizard at a later time to add another server role, as appropriate.
To activate an edge server
1. In the Deployment Wizard, on the Deploy Edge Server page, next to Step 2: Activate Edge Server, click Run to start the Activate Office Communications Server 2007 Wizard.
2. On the Welcome page, click Next.
3. On the Edge Server Roles page, select one or more of the following check boxes:
• Activate Access Edge Server
• Activate Web Conferencing Edge Server
• Activate A/V Edge Server
Note An A/V Edge Server and a Web Conferencing Edge Server cannot be activated together on a single computer without also activating an Access Edge Server on the same computer.
4. On the Select Service Account page, select Create a new account or Use an existing account, type the account name and password to be used for the edge server, and then click Next.
5. On the Ready to Activate Edge Server page, review the settings, and then click Next.
6. On the completion page, select the View the log when you click ‘Finish’ check box, and then click Finish.
7. When the Office Communications Server 2007 Deployment Log opens in a Web browser window, verify that Success appears under Execution Result in the action column on the far right side of the screen. Optionally, expand each individual task and verify that the Execution Result shows Success for the task. When you finish, close the log window.
Step 3.4. Configure Edge Servers
After activating an edge server, as covered in Step 3.3, you continue with the Deployment Wizard (using the following procedure) to configure the edge server. The Deployment Wizard provides a Configuration Wizard that simplifies the configuration of settings that are necessary for your edge server to work, including the following:
• Configuration of the external and internal interfaces for each server role you have activated on the computer.
• Selection of the features that you want to enable.
• Configuration of the way that routing to and from your internal servers is handled.
Complete the following configuration procedure on each computer being deployed as an edge server in the perimeter network of the data center or a remote site.
To configure an edge server
1. In the Deployment Wizard, on the Deploy Edge Server page, next to Step 3: Configure Edge Server, click Run to start the Configure Office Communications Server 2007 Edge Server Wizard.
2. On the Welcome page, click Next.
3. On the Import Settings from a Configuration File page, do one of the following:
• If you want to configure this server as a new edge server (you do not have settings that you want to import from a previously installed edge server), click Next.
• If you have previously set up an edge server and exported its settings to a configuration file that you want to import on this edge server (as covered in step 16 of this procedure), select the Import settings check box, type the full path and name of the file containing the settings you want to import (or click Browse to locate and select the file), and then click Next.
4. On the Internal Interface page, do the following:
• In the Internal Interface IP Address box, click the internal interface IP address. If this server will be connected to a load balancer, use the IP address of the local computer, not the virtual IP address of the load balancer.
• In FQDN for the internal interface, type the FQDN of the internal interface. If this server will be connected to a load balancer, use the FQDN of the virtual IP address of the load balancer.
5. Click Next.
6. On the External Interface page, configure the IP address and the FQDN for the external interfaces of the roles that you are activating on this server. For load balanced edge servers, specify the IP address and FQDN as follows:
• For an Access Edge Server that will be connected to a load balancer, specify the IP address of the edge server and the FQDN of the virtual IP address of the load balancer. The federation port is set to 5061 and cannot be changed. The default TCP port for remote user access is 5061. To specify a port other than 5061 for remote user access, click either 443 or Other. If you click Other, type the port number.
• For a Web Conferencing Edge Server that will be connected to a load balancer, specify the IP address of the edge server and the FQDN of the virtual IP address of the load balancer. The default TCP port is 443. To specify a port other than 443, click Other, and then type the port number.
• For an A/V Edge Server that will be connected to a load balancer, specify the IP address of the edge server and the FQDN of the virtual IP address of the load balancer. The default TCP port is 443. To specify a port other than 443, click Other, and then type the port number.
Note If you are collocating edge server roles on a computer, each role should have a separate IP address. If you do not use a separate IP address for each role, you must use separate ports for each collocated edge server role.
7. Click Next.
8. Select from the following options:
• If you are installing only the A/V Edge Server on this computer, skip to step 12 to complete the wizard.
• If you are installing the Access Edge Server and the Web Conferencing Edge Server on this computer, proceed with the next step.
• If you are installing a Web Conferencing Edge Server only, skip to step 13.
9. On the Enable Features on Access Edge Server page, select the features that you want to enable on this Access Edge Server as follows:
• To make it possible for remote users to connect to Office Communications Server 2007 from the Internet to view presence information and exchange instant messages with internal users through this Access Edge Server, select the Allow remote user access to your network check box.
  o To make it possible for external anonymous users to join conferences through this Access Edge Server, select the Allow anonymous user to join meetings check box. Anonymous users are external users who do not have credentials in Active Directory® Domain Services.
  o In your edge server deployment, you can optionally use one Access Edge Server for remote user access and a different Access Edge Server for federation and public IM connectivity. In this configuration, on the Access Edge Server used for remote access, if you plan to enable federation or public IM connectivity for your remote users, select the Allow remote users to communicate with federated contacts check box; otherwise, your remote users cannot send messages to federated or public IM contacts.
• To enable federation or public IM connectivity through this Access Edge Server, select the Enable federation check box.
  o To use DNS to automatically locate the Access Edge Servers of your federated partners, select the Allow discovery of federation partners using DNS check box. We recommend this configuration.
  o To enable public IM connectivity through this Access Edge Server, select the Federation with selected public IM providers check box, and then select the IM providers that you want to use.
Important Before you can connect to these IM providers, you must purchase additional service licenses and provision the connections by using the Microsoft provisioning page (http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=provision). Public IM connectivity will not work without this license. The license you purchase permits communications with the MSN, AOL, and Yahoo IM providers. If you want to limit public IM connectivity to a specific provider, you can disable the public IM providers you do not want to connect with.
Note Additional configuration of anonymous users and federation is described in “Step 4. Configure the Environment” later in this guide.
10. Click Next.
11. On the FQDN of the Internal Next Hop Server page, in the FQDN of next hop server box, type or click the FQDN of the next hop server to which this Access Edge Server routes internal traffic or, if you are using a Director to route incoming traffic, type the FQDN of the Director, and then click Next.
12. On the Authorized Internal SIP Domains page:
• If you are activating an Access Edge Server on this computer, for each SIP domain to be supported in your Office Communications Server 2007 deployment, type the name of the SIP domain in the box, and then click Add. After adding all SIP domains to be supported, click Next.
• If you are activating an A/V Edge Server on a dedicated computer, type the SIP domain used for default routing, click Add, and then click Next.
Note If you are activating a Web Conferencing Edge Server on a dedicated computer, this page does not appear. Proceed to the next step.
13. On the Authorized Internal Servers page, do the following. Treat this list as an allow list and include only the internal servers that must connect to the edge server:
• If you are installing the Access Edge Server on this computer, specify each internal server that can connect to your Access Edge Server. If you are routing all outbound traffic through a Director, type only the FQDN of the Director, and then click Add. If you are not using a Director, type the FQDN of each Enterprise pool and Standard Edition server in your organization, clicking Add after each.
• If you are installing the Web Conferencing Edge Server on this computer, type the FQDN of each Web Conferencing Server or each Enterprise pool or Standard Edition server that hosts a Web Conferencing Server, clicking Add after typing each FQDN.
• If you are installing the A/V Edge Server, type the FQDN of each Enterprise pool or Standard Edition server that can connect to the A/V Edge Server, clicking Add after typing each FQDN.
14. Click Next.
15. On the summary page, review the settings that you selected, and then click Next.
16. On the wizard completion page, do the following:
• Select the View the log when you click ‘Finish’ check box.
• If you want to export the server settings to a configuration file so that they can be imported to another edge server (to streamline the setup of that server), select Export, specify a location and name for the XML file to which you want to save the server settings, and then click Save.
• Click Finish.
17. When the Office Communications Server 2007 Deployment Log opens in a Web browser window, verify that Success appears under Execution Result in the action column on the far right side of the screen. Optionally, expand each individual task and verify that the Execution Result shows Success for the task. When you finish, close the log window.
Step 3.5. Set Up Certificates for the Internal Interface
A certificate is required for MTLS communication between the edge servers and internal servers (including the A/V Conferencing Server and Mediation Server). For information about the Mediation Server, see the Office Communications Server 2007 Voice Guide. The certificate requirements are summarized below, and the subsequent tables detail the specific requirements for each edge server topology.
Certificate Requirements for the Internal Interface
The following summarizes the certificate requirements for the internal interface of your edge servers.
• Each edge server in the perimeter network of the data center requires a certificate for the internal interface:
  • If you are deploying a load balancer with multiple collocated Access Edge Servers and Web Conferencing Edge Servers, use a single certificate with a subject name that matches the FQDN of the virtual IP address used by the Access Edge Servers on the internal load balancer, for example: Certificate SN = accessedge_array.contoso.perimeter
  • For Web Conferencing Edge Servers collocated on the computer with the Access Edge Server, this certificate is shared by the Web Conferencing Edge Server by default. If an A/V Edge Server is also collocated on the computer, it also shares this certificate by default. If the server roles are not collocated, you must use separate certificates for each server role.
  • The A/V Edge Server in the perimeter network of the data center requires its own certificate for the internal interface if it is running on a separate computer from the Access Edge Server. If you are deploying multiple A/V Edge Servers (with a load balancer), use a single certificate with a subject name that matches the FQDN of the virtual IP address used by the A/V Edge Servers on the internal load balancer, for example: Certificate SN = avedge_array.contoso.perimeter
• The Web Conferencing Edge Server in each remote site of a multiple-site edge topology requires a certificate on the internal interface with a subject name that matches the FQDN published on the internal interface of the firewall in the data center and mapping to the Web Conferencing Edge Server in the remote site.
• The A/V Edge Server in each remote site of a multiple-site edge topology requires a certificate on the internal interface with a subject name that matches the FQDN published on the internal interface of the firewall in the data center and mapping to the A/V Edge Server in the remote site.
Certificate Requirements for Each Topology
The following table summarizes the certificate requirements for the internal interface of each edge server role in the consolidated edge topology.

Table 25 Certificates for internal interface of the edge server in the consolidated edge topology
Server role: Access Edge Server, Web Conferencing Edge Server, A/V Edge Server
Certificate: A single, shared certificate configured on the internal interface with a subject name that matches the internal FQDN of the edge server.

The following table summarizes the certificate requirements for the internal interface of each edge server role in the single-site edge topology.

Table 26 Internal Certificates for the single-site edge topology
Server role: Access Edge Server, Web Conferencing Edge Server
Certificate: A certificate configured on the internal interface with a subject name that matches the internal FQDN of the computer on which the Access Edge Server and Web Conferencing Edge Server are collocated.
Server role: A/V Edge Server
Certificate: A certificate configured on the internal interface with a subject name that matches the internal FQDN of the A/V Edge Server.

The following table summarizes the certificate requirements for the internal interface of each edge server role in the scaled single-site edge topology.

Table 27 Internal Certificates for the scaled single-site edge topology
Server role: Access Edge Server, Web Conferencing Edge Server
Certificate: A certificate configured on the internal interface with a subject name that matches the FQDN of the VIP address used by the Access Edge Server on the internal load balancer. This certificate is shared between the Web Conferencing Edge Server and the Access Edge Server and must be configured on the internal interface of both. It must be marked as exportable on the first computer where you configure it and then imported onto each additional computer in the Access Edge Server and Web Conferencing Edge Server array.
Server role: A/V Edge Server
Certificate: A certificate configured on the internal interface with a subject name that matches the FQDN of the VIP address used by the A/V Edge Server on the internal load balancer. This certificate must be marked as exportable on the first computer where you configure it and then imported onto each additional computer in the A/V Edge Server array.

The following table summarizes the certificate requirements for the internal interface of each edge server in the remote site of a multiple-site edge topology. The servers in the central site use the same certificates as those in the scaled single-site topology.

Table 28 Internal Certificates for the remote site in a multiple-site edge topology
Server role: Access Edge Server
Certificate: No Access Edge Server is deployed in the remote site.
Server role: Web Conferencing Edge Server
Certificate: A certificate configured on the internal interface with a subject name that matches the internal FQDN of the Web Conferencing Edge Server in the remote site.
Server role: A/V Edge Server
Certificate: A certificate configured on the internal interface with a subject name that matches the internal FQDN of the A/V Edge Server in the remote site.
Configuring the Certificates on Your Internal Interface
To set up a certificate on the internal interface for an edge server, use the procedures in this section to do the following:
1. Download the CA certification path for the internal interface.
2. Install the CA certification path for the internal interface.
3. Verify that the CA is in the list of trusted root CAs.
4. Create the certificate request for the internal interface.
5. Import the certificate for the internal interface on the first edge server.
6. Export the certificate.
7. Import the certificate on other edge servers.
8. Assign the certificate for the internal interface to each edge server.
You can use the Communications Certificate Wizard to complete most of the certificate setup procedures for the internal interface. You can start this wizard from the Office Communications Server 2007 installation media, as covered in the following procedures, or from the Administrative Tools interface on a computer on which Office Communications Server 2007 has already been installed.
Note The steps of the procedures in this section are based on using a Windows Server 2003 Enterprise CA or a Windows Server 2003 R2 CA. For step-by-step guidance for any other CA, consult the documentation of the CA. By default, all authenticated users have rights to request certificates. This procedure also assumes that all edge servers are in the central site and use the same certificate. If you use separate certificates for the Web Conferencing Edge Server(s) or the A/V Edge Server, you will need to repeat the procedures in this section for each separate certificate. If you are deploying certificates in remote sites, modify the procedures as appropriate for the edge servers in the remote sites.
To download the CA certification path for the internal interface
1. With your Enterprise root CA offline and your Enterprise subordinate (issuing) CA server online, log on to an Office Communications Server 2007 server in the internal network (not the edge server) as a member of the Administrators group.
2. Click Start, click Run, type http:///certsrv, and then click OK.
3. Under Select a task, click Download a CA certificate, certificate chain, or CRL.
4. Under Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.
5. In the File Download dialog box, click Save.
6. Save the .p7b file to the hard disk on the server, and then copy it to a folder on each edge server. If you open this file, it should contain all the certificates that are in the certification path. To view the certification path, open the server certificate and click the Certification Path tab.
To import the CA certification path for the internal interface
1. On each edge server in your deployment, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Import a certificate chain from a .p7b file, and then click Next.
4. On the Import Certificate Chain page, type the full path and name of the .p7b file (or click Browse to locate and select the file), and then click Next.
5. Click Finish.
6. Repeat this procedure on each edge server.
To verify that your CA is in the list of trusted root CAs
1. On each edge server, open an MMC console: click Start, click Run, type mmc in the Open box, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.
4. In the Certificates snap-in dialog box, click Computer account, and then click Next.
5. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
8. In the details pane, verify that your CA is on the list of trusted CAs.
9. Repeat this procedure on each edge server.
To create the certificate request for the internal interface
1. On one edge server, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Create a new certificate, and then click Next.
4. On the Select the Component for Which the Certificate Is Requested page, select the Edge Server Private Interface check box, and then click Next.
5. On the Delayed or Immediate Request page, select the Prepare the request now, but send it later check box, and then click Next.
Note If the Enterprise CA is reachable from the edge server, you can use the Send the request immediately to an online certification authority option. Because this is typically not the case for a server in the perimeter network, this procedure and the other certificate request procedures in this guide do not cover that option. Additionally, be aware that once you create a request, it is pending and the Certificate Wizard will not let you create another request until you have processed the pending one.
6. On the Name and Security Settings page, type a friendly name for the certificate, specify the bit length (the wizard default is 1024; use at least 2048 bits where your CA supports it, because 1024-bit RSA keys are no longer considered adequate), select the Mark certificate as exportable check box, and then click Next.
7. On the Organization Information page, enter the name of the organization and the organizational unit (such as a division or department, if appropriate), and then click Next.
8. On the Your Server’s Subject Name page, type or select the subject name and subject alternate name of the edge server. The subject name should match the FQDN of the edge server as published by the internal firewall for the internal interface on which you are configuring the certificate:
• For the internal interface of the edge server, the subject name should match the name that your internal servers use to connect to the edge server (typically, the FQDN of the internal interface of the edge server).
• If you are using a load balancer with a virtual IP address for this server role, the subject name should match the FQDN of that virtual IP address on the internal load balancer rather than the server's own name. For the internal interface, this is typically the published DNS name in the perimeter network that maps to the edge server.
9. Click Next.
10. On the Geographical Information page, type the location information, and then click Next.
11. On the Certificate Request File Name page, in the File name box, type the full path and file name to which the request is to be saved (or click Browse to locate and select the file), and then click Next. For example, C:\certrequest_AccessEdge.txt
12. On the Request Summary page, click Next.
13. On the wizard completion page, verify successful completion, and then click Finish.
14. Submit this file to your CA (by e-mail or another method supported by your organization for your Enterprise CA) and, when you receive the response file, copy the new certificate to this computer so it is available for import.
15. Repeat this procedure for each edge server that requires a separate certificate.
To import the certificate for the internal interface
1. On the edge server on which you created the certificate request, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Pending Certificate Request page, click Process the pending request and import the certificate, and then click Next.
4. On the Process a Pending Request page, in Path and file name, type the full path and file name of the certificate that you requested and received for the internal interface of this edge server (or click Browse to locate and select the certificate), and then click Next.
5. On the wizard completion page, verify successful completion, and then click Finish.
To export the certificate for the internal interface for import to other edge servers
1. On the edge server on which you requested and imported the certificate, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Export a certificate to a .pfx file, and then click Next.
4. On the Available Certificates page, in Select a certificate, click the certificate that you imported to this edge server (as covered in the previous procedure), and then click Next.
5. On the Export Certificate page, in Path and file name, type the full path and file name to which you want to export the certificate (or click Browse to locate and select the destination), and then click Next.
6. On the Export Certificate Password page, in Password, type the password that will be used to import the certificate on the other edge servers, and then click Next.
7. On the wizard completion page, verify successful completion, and then click Finish.
8. Copy the exported file to a location or media that is accessible by the other edge servers. The .pfx file contains the private key, so restrict access to the file and to its password, and delete the file after you have imported it on the other edge servers.
To import the certificate for the internal interface on the other edge servers
1. On each of the other edge servers, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.
4. On the Import Certificate page, in Path and file name, type the full path and file name of the certificate that you exported from the first edge server (or click Browse to locate and select the certificate), clear the Mark certificate as exportable check box, and then click Next.
5. On the Import Certificate Password page, in Password, type the password that you typed when you exported the certificate from the first server, and then click Next.
6. On the wizard completion page, verify successful completion, and then click Finish.
7. Repeat this procedure on each edge server that will use the same certificate.
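As an added example (not the wizard's own code and not part of this guide), the two PowerShell functions below perform the export on the first edge server and the import on each other edge server with the PKI module cmdlets, leaving the private key non-exportable on the receiving servers, which is what clearing Mark certificate as exportable in the wizard step above achieves. They assume Windows Server 2012 or later with the PKI module, an elevated session on each edge server, and a placeholder subject name and file path (the subject name is this guide's example VIP FQDN) that you replace with your own.

```powershell
# Added example (not part of the deployment guide or the Communications Certificate Wizard).
# Assumptions: Windows Server 2012 or later (PKI module cmdlets), elevated session,
# placeholder subject name and paths. Remove-Item deletes the file but does not wipe its
# blocks, so export to a location you control and clean up promptly.

function Export-EdgeInternalCertificate {
    # Run on the first edge server, where the request was created and the key is exportable.
    param(
        [Parameter(Mandatory=$true)][string]$SubjectFqdn,   # e.g. accessedge_array.contoso.perimeter
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )
    $pattern = "(^|, ?)CN=$([regex]::Escape($SubjectFqdn))(,|$)"
    $found = @(Get-ChildItem Cert:\LocalMachine\My |
               Where-Object { $_.Subject -match $pattern -and $_.HasPrivateKey })
    if ($found.Count -ne 1) {
        throw "Expected exactly one certificate with CN=$SubjectFqdn and a private key; found $($found.Count)."
    }
    # Export-PfxCertificate includes the issuing chain by default, so the importing
    # server can validate the certificate without a separate .p7b.
    Export-PfxCertificate -Cert $found[0] -FilePath $PfxPath -Password $Password | Out-Null
    return $found[0].Thumbprint
}

function Import-EdgeInternalCertificate {
    # Run on each other edge server in the array. The -Exportable switch is deliberately
    # omitted: the key cannot be re-exported from this server, matching the cleared
    # "Mark certificate as exportable" check box in the wizard.
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password
    Remove-Item -Path $PfxPath -Force     # the file holds the private key; do not leave it behind
    return $imported.Thumbprint
}

# Usage (placeholders):
# On the first edge server:
#   $pw = Read-Host -AsSecureString 'Password for the .pfx'
#   Export-EdgeInternalCertificate -SubjectFqdn 'accessedge_array.contoso.perimeter' `
#       -PfxPath 'C:\Transfer\edge-internal.pfx' -Password $pw
#   Copy C:\Transfer\edge-internal.pfx to each other edge server, then delete the local copy.
# On each other edge server:
#   $pw = Read-Host -AsSecureString 'Password for the .pfx'
#   Import-EdgeInternalCertificate -PfxPath 'C:\Transfer\edge-internal.pfx' -Password $pw
```

The password is read with Read-Host -AsSecureString rather than placed in the script so that it does not end up in command history or a file beside the .pfx; the thumbprint each function returns lets you confirm on every server that the same certificate was installed.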
To assign the certificate to the internal interface of the edge servers
1. On each edge server, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.
4. On the Available Certificates page, select the certificate that you requested for the internal interface of this edge server, and then click Next.
5. On the Available Certificate Assignments page, select the Edge Server private interface check box (the server interface on which you want to install the certificate), and then click Next.
6. On the Configure the Certificate Settings of Your Server page, review your settings, and then click Next to assign the certificates.
7. On the wizard completion page, click Finish.
8. Repeat this procedure for each edge server to which you assigned this certificate.
Step 3.6. Set Up Certificates for the External Interface
After setting up certificates for the internal interface, you are ready to set up the certificates for the external interface. The following sections summarize the certificate requirements for the external interface of your edge servers and detail the specific requirements for each topology.
Certificate Requirements for the External Interface
The certificate requirements for the external interface include the following:
• For each unique IP address on the external interface that you use for the Access Edge Server and Web Conferencing Edge Server, you will need a separate certificate. We recommend that you use a separate external IP address for each server role, even if all servers are collocated. An external certificate is not required on the A/V Edge Server.
• For the scaled single site edge topology, we recommend that each server role use a separate VIP address on the external load balancer. A separate certificate matching the FQDN of each VIP address used by each Access Edge and Web Conferencing Edge server role must be installed on that server. For example, the Web Conferencing Edge Servers must have a certificate that matches the VIP address used by the Web Conferencing Edge Servers on the external load balancer. The certificate must be marked as exportable on the first physical computer where you configure the certificate and then imported into each additional computer in the array. An external certificate is not required for the A/V Edge Server array on the external interface.
• If you are deploying a multiple-site topology, the Web Conferencing Edge Server in the perimeter network of each remote site requires a certificate with a subject name that matches the external FQDN of the Web Conferencing Edge Server in the remote site. A certificate is not required for the external interface of the A/V Edge Server.
• If you are supporting public IM connectivity with AOL, AOL requires a certificate configured for both client and server authorization. (For MSN and Yahoo!, a Web certificate will suffice.)
• Public certificates are required if you enable Web conferencing and enable your users to invite anonymous participants (individuals from outside your organization who do not have Active Directory credentials).
• Public certificates are required for public IM connectivity, and they are highly recommended for enhanced federation. The public certificate must be from a public CA that is on the default list of trusted root CAs installed on the server.
Note It is possible to use your Enterprise subordinate CA for direct federation, as well as for testing or trial purposes, if all partners agree to trust the CA or cross-sign the certificate.
Certificate Requirements for Each Topology
The following tables summarize the certificate requirements for each topology. The first table summarizes the certificate requirements for the external interface of each edge server role in the consolidated edge topology.
Table 29 External Certificates for the edge server in the consolidated edge topology
Server role | Certificate
Access Edge Server | A certificate configured on the external interface with a subject name that matches the external FQDN of the edge server. If you have multiple SIP domains, each supported SIP domain must be entered as sip.<domain> in the Subject Alternate Name of the certificate. For example, if your organization supports the two domains a.contoso.com and b.contoso.com: SN=sip.a.contoso.com, SAN=sip.a.contoso.com, sip.b.contoso.com
Web Conferencing Edge Server | A certificate configured on the external interface that matches the external FQDN of the Web Conferencing Edge Server.
A/V Conferencing Edge Server | Not required
The following table summarizes the certificate requirements for the external interface of each edge server role in the single site edge topology.
Table 30 External Certificates for the single-site edge topology
Server role | Certificate
Access Edge Server | A certificate configured on the external interface with a subject name that matches the external FQDN of the computer with the Access Edge and Web Conferencing Edge Servers collocated. If you have multiple SIP domains, each supported SIP domain must be entered as sip.<domain> in the Subject Alternate Name of the certificate. For example, if your organization supports the two domains a.contoso.com and b.contoso.com: SN=sip.a.contoso.com, SAN=sip.a.contoso.com, sip.b.contoso.com
Web Conferencing Edge Server | A certificate configured on the external interface with a subject name that matches the external FQDN of the Web Conferencing Edge Server.
A/V Conferencing Edge Server | Not required
The following table summarizes the certificate requirements for the external interface of each edge server role in the scaled single site edge topology.
Table 31 External Certificates for the scaled single-site edge topology
Server role | Certificate
Access Edge Server | A certificate configured on the external interface with a subject name that matches the external FQDN of the VIP address used by the Access Edge Server on the external load balancer. If you have multiple SIP domains, each supported SIP domain must be entered as sip.<domain> in the Subject Alternate Name of the certificate. For example, if your organization supports the two domains a.contoso.com and b.contoso.com: SN=sip.a.contoso.com, SAN=sip.a.contoso.com, sip.b.contoso.com. This certificate must be marked as exportable on the first computer where you configure the certificate and then imported onto each additional computer in the Access Edge Server and Web Conferencing Edge Server array. This certificate must be used as the certificate on the external interface of the Access Edge Server.
Web Conferencing Edge Server | A certificate configured on the external interface with a subject name that matches the external FQDN of the VIP address used by the Web Conferencing Edge Server on the external load balancer. This certificate must be marked as exportable on the first computer where you configure the certificate and then imported onto each additional computer in the Access Edge Server and Web Conferencing Edge Server array. This certificate must be used as the certificate on the external interface of the Web Conferencing Edge Server.
A/V Conferencing Edge Server | Not required.
The following table summarizes the certificate requirements for the external interface of each edge server in the remote site in a multiple edge site topology. The servers in the central site will use the same certificates as those in the scaled single site topology.
Table 32 External Certificates for the remote site in a multiple site edge topology
Server role | Certificate
Access Edge Server | No Access Edge Server is deployed in the remote site.
Web Conferencing Edge Server | A certificate configured on the external interface with a subject name that matches the external FQDN of the Web Conferencing Edge Server in the remote site.
A/V Conferencing Edge Server | Not required.
Configuring the Certificates on the External Interfaces
To set up a certificate for the external interface of an Access Edge Server or Web Conferencing Edge Server, complete all of the procedures in this section, which include the following:
1. Create the certificate request for the external interface of the edge server.
2. Submit the request to your public CA.
3. Import the certificate for the external interface of each edge server.
4. Assign the certificate for the external interface of each edge server.
Note When you request a certificate from an External CA, the credentials provided must have rights to request a certificate from that CA. Each CA has a security policy that defines which credentials (specific user and group names) are allowed to request, issue, manage, or read certificates.
To create the certificate request for the external interface of the edge server
1. On the edge server, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available tasks page, click Create a new certificate, and then click Next.
4. On the Delayed or Immediate Request page, select the Prepare the request now, but send later check box, and then click Next.
5. On the Name and Security Settings page, type a friendly name for the certificate, specify the bit length (typically, the default of 1024), select the Mark certificate as exportable check box, and then click Next.
6. On the Organization Information page, type the name for the organization and the organizational unit (such as a division or department, if appropriate), and then click Next.
7. On the Your Server's Subject Name page, type or select the subject name and subject alternate name of the edge server:
• The subject name should match the FQDN of the server published by the external firewall for the external interface on which you are configuring the certificate. For the external interface of the Access Edge Server, this certificate subject name should be sip.<domain>.
• If multiple SIP domain names exist and they do not appear in Subject alternate name, type the name of each additional SIP domain as sip.<domain>, separating names with a comma. Domains entered during configuration of the Access Edge Server are automatically added to this box.
8. Click Next.
9. On the Geographical Information page, type the location information, and then click Next.
10. On the Certificate Request File Name page, type the full path and file name of the file to which the request is to be saved (or click Browse to locate and select the file), and then click Next.
11. On the Request Summary page, click Next.
12. On the Certificate Wizard Completed page, verify successful completion, and then click Finish.
13. Copy the output file to a location from which it can be submitted to the public CA.
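A pre-flight check of the names you enter in step 7, written for this page as an added example (it is not part of the guide or the product): it applies the naming rule from Tables 29 through 32, treating the Subject alternate name as the comma-separated text the wizard accepts. The role labels "access" and "webconf", and the host name webconf.contoso.com, are assumptions made for the example.

```python
"""Check the subject name and Subject Alternate Name of an external edge certificate.

Added illustration for this page, not product code. Rule applied (Tables 29-32,
step 7): the subject name must match the external FQDN published for the
interface; for the Access Edge Server it is sip.<domain>, and every supported
SIP domain must appear as sip.<domain> in the Subject Alternate Name. Names are
plain strings, as typed into the wizard or read from the Certificates snap-in.
"""


def san_text_for_wizard(sip_domains):
    """Build the comma-separated Subject alternate name text that step 7 asks for."""
    return ", ".join("sip." + d.strip().lower() for d in sip_domains)


def parse_san_text(san_text):
    """Split a comma-separated SAN list into a set of lower-case DNS names."""
    return {n.strip().lower() for n in san_text.split(",") if n.strip()}


def check_external_certificate(role, subject_name, san_text, external_fqdn, sip_domains=()):
    """Return a list of findings; an empty list means the names satisfy the guide's rule.

    role is "access" (Access Edge Server) or "webconf" (Web Conferencing Edge
    Server); these labels are assumptions of this example. The A/V Edge Server
    needs no external certificate, so it is not handled here.
    """
    findings = []
    subject = subject_name.strip().lower()
    fqdn = external_fqdn.strip().lower()
    san = parse_san_text(san_text)

    if subject != fqdn:
        findings.append(f"subject name {subject} does not match the external FQDN {fqdn}")

    if role == "access":
        if not subject.startswith("sip."):
            findings.append("Access Edge Server subject name should be of the form sip.<domain>")
        if subject not in san:
            # The guide's example repeats the subject name inside the SAN.
            findings.append(f"subject name {subject} is not repeated in the Subject Alternate Name")
        for domain in sip_domains:
            wanted = "sip." + domain.strip().lower()
            if wanted not in san:
                findings.append(f"SIP domain {domain} has no {wanted} entry in the Subject Alternate Name")
    elif role != "webconf":
        raise ValueError(f"unknown role {role!r}")
    return findings


if __name__ == "__main__":
    # The guide's own example: two SIP domains, a.contoso.com and b.contoso.com.
    domains = ["a.contoso.com", "b.contoso.com"]
    san = san_text_for_wizard(domains)
    print("SAN text for the wizard:", san)
    print(check_external_certificate("access", "sip.a.contoso.com", san, "sip.a.contoso.com", domains))
    # Constructed mistake: the second SIP domain was left out of the SAN.
    print(check_external_certificate("access", "sip.a.contoso.com", "sip.a.contoso.com",
                                     "sip.a.contoso.com", domains))
```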
To submit a request to a public certification authority
1. Open the output file.
2. Copy and paste the contents of the CSR into the appropriate text box, beginning with -----BEGIN NEW CERTIFICATE REQUEST----- and ending with -----END NEW CERTIFICATE REQUEST-----.
3. If prompted, select the following options:
• Microsoft as the server platform
• IIS as the version
• Web Server as the usage type
• PKCS7 as the response format
4. When the public CA has verified your information, you will receive an e-mail message containing the text required for your certificate.
5. Copy the text from the e-mail message and save the contents in a text file (.txt) on your local computer.
6. Download the root CA chain of the public CA and install it in the local computer store of each edge server.
Note Appendix B provides an example of a certificate request and a sample procedure for requesting a certificate from a public CA.
To import the certificate for the external interface of the edge server
1. Log on to the edge server as a member of the Administrators group.
2. In the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
3. On the Welcome page, click Next.
4. On the Available certificate tasks page, click Process the pending request and import the certificate, and then click Next.
5. Type the full path and file name of the certificate that you requested for the external interface of the edge server (or click Browse to locate and select the certificate), and then click Next.
6. Click Finish.
7. Repeat this procedure for each edge server in your deployment that requires a certificate on the external interface.
To assign the certificate for the external interface of the edge server
1. In Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.
4. On the Available Certificates page, select the certificate that you requested for the external interface of the edge server, and then click Next.
5. On the Available certificate assignments page, select the external interface where you want to install the certificate, and then click Next.
6. Review your settings, and then click Next to assign the certificates.
7. On the wizard completion page, click Finish.
8. Repeat this procedure for each edge server in your deployment that requires a certificate on the external interface.
Step 3.7. Set Up Certificates for A/V Authentication
After configuring the edge certificates for the external and internal interfaces, you are ready to set up the A/V authentication certificates on A/V Edge Servers. The private key of the A/V authentication certificate is used to generate authentication credentials. As a security precaution, you should not use the same certificate for A/V authentication that you use for the internal interface of the A/V Edge Server (covered earlier in this guide). The same A/V authentication certificate must be installed on each A/V Edge Server if multiple servers are deployed in a load balanced array. This means that the certificate must be from the same issuer and use the same private key.
To set up certificates for A/V Edge Servers, use the procedures in this section to do the following:
1. Create the A/V certificate request on the A/V Edge Server.
2. Import the certificate on the first A/V Edge Server.
3. Export the certificate.
4. Import the certificate on the other A/V Edge Servers.
5. Assign the certificate to each A/V Edge Server.
Note The steps of these procedures are based on using a Windows Server 2003 Enterprise CA or a Windows Server 2003 R2 Enterprise CA and using the same certification path as you did in "Step 3.6 Set Up Certificates for the Internal Interface." If you are not using the same certification path, you will need to download the certification path, install it, and verify that it is in the list of trusted root CAs, as covered in the internal interface procedure. For step-by-step guidance for using any other CA, consult the documentation of the CA.
To create the A/V authentication certificate request for A/V Edge Servers
1. On the A/V Edge Server (if in an array, any one of the A/V Edge Servers), in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Create a new certificate, and then click Next.
4. On the Select the Component for Which Certificate Is Requested page, select the A/V Edge Server Public Interface check box.
5. On the Delayed or Immediate Request page, select the Prepare the request now, but send it later check box, and then click Next.
6. On the Name and Security Settings page, type a friendly name for the certificate, specify the bit length (typically, the default of 1024), select the Mark the certificate as exportable check box, and then click Next.
7. On the Organization Information page, type the name for the organization and the organizational unit (such as a division or department, if appropriate), and then click Next.
8. On the Your Server's Subject Name page, in Subject name, type or select the subject name of the A/V Edge Server. The subject name should match the external FQDN of the A/V Edge Server or, if the A/V Edge Servers are load balanced, the FQDN of the VIP used by the A/V Edge Server array on the external load balancer.
9. Click Next.
10. On the Geographical Information page, type the location information, and then click Next.
11. On the Certificate Request File Name page, type the full path and file name to which the request is to be saved (or click Browse to locate and select the certificate), and then click Next.
12. On the Request Summary page, review the certificate information, and then click Next.
13. On the Certificate Wizard completed page, verify successful completion, and then click Finish to submit the request. The Enterprise CA then creates the request.
14. Submit this file to your CA (by e-mail or other method supported by your organization for your Enterprise CA) and, when you receive the response file, copy the new certificate to a location that is accessible by the A/V Edge Server on which you requested the certificate.
To import the A/V authentication certificate on the first A/V Edge Server
1. On the A/V Edge Server on which you created the certificate request, in the Deployment Wizard, in Deploy Other Server Roles, in Deploy Edge Server, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available certificate tasks page, click Process the pending request and import the certificate, and then click Next.
4. On the Process a Pending Request page, type the full path and file name of the certificate that you requested for A/V authentication in the Path and file name box (or click Browse to locate and select the file), and then click Next.
5. On the wizard completion page, verify successful completion, and then click Finish.
To export the certificate for A/V authentication
1. On the A/V Edge Server on which you requested and imported the certificate, in Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Export a certificate to a .pfx file, and then click Next.
4. On the Available Certificates page, in Select a certificate, click the certificate that you imported to this edge server (as covered in the previous procedure), and then click Next.
5. On the Export Certificate page, in Path and file name, type the full path and file name to which you want to export the certificate (or click Browse to locate and select the certificate), and then click Next.
6. On the Export Certificate Password page, in Password, type the password that will be used to import the certificate on the other edge servers, and then click Next.
7. On the wizard completion page, verify successful completion, and then click Finish.
8. Copy the exported file to a location or media that is accessible by the other A/V Edge Servers.
To import the certificate for A/V authentication on the other edge servers
1. On each of the other edge servers, in Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.
4. On the Import Certificate page, in Path and file name, type the full path and file name of the certificate that you exported from the first A/V Edge Server (or click Browse to locate and select the certificate), clear the Mark certificate as exportable check box, and then click Next.
5. On the Import Certificate Password page, in Password, type the password that you typed when you exported the certificate from the first server, and then click Next.
6. On the wizard completion page, verify successful completion, and then click Finish.
7. Repeat this procedure for each A/V Edge Server that will use the same certificate.
To assign the A/V authentication certificate on the A/V Edge Servers
1. On each A/V Edge Server, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.
4. On the Available Certificates page, select the certificate that you requested for the A/V Edge Server (in the previous procedure), and then click Next.
5. On the Available Certificate Assignments page, select the A/V Edge Server check box.
6. On the Configure the Certificate Settings of Your Server page, review your settings, and then click Next.
7. On the wizard completion page, click Finish.
8. After assigning the certificate on each A/V Edge Server, open the Certificates snap-in on each server, expand Certificates (Local Computer), expand Personal, click Certificates, and then verify in the details pane that the A/V authentication certificate is listed.
9. If your deployment includes an array of A/V Edge Servers, repeat this procedure for each A/V Edge Server.
Step 3.8 Start Services
After completing the setup of the edge servers and load balancers, you need to start the services on each edge server.
To start the services
1. On each edge server, in the Deployment Wizard, on the Deploy Edge Server page, next to Step 6: Start Services, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Ready to Start Office Communications Server 2007 Services page, review the list of services, and then click Next to start the services.
4. When the services have started and the wizard has completed, verify that the View the log when you click 'Finish' check box is selected, and then click Finish.
5. When the Office Communications Server 2007 Deployment Log opens in a Web browser window, verify that Success appears under Execution Result in the action column on the far right side of the screen. Optionally, expand each individual task and verify that the Execution Result shows Success for the task. When you finish, close the log window.
Step 4. Configure the Environment
After you have set up your edge servers and load balancers, you need to set up your environment, including access restrictions and user settings, as appropriate to your organization. To do this, use the procedures in this section to do the following:
• Configure federation with federated partners or audio conferencing providers (ACPs).
• Configure global settings for anonymous users.
• Configure users for federation, remote user access, and public connectivity.
• Connect your internal servers with your edge servers.
Step 4.1. Configure Federation
Federation provides your organization with the ability to communicate with other organizations' Access Edge Servers to share IM and presence. You can also federate with an audio conferencing provider using either of the two methods below. The process of configuring federation with an organization or an audio conferencing provider is identical. If you have enabled federation on the Access Edge Server, access by federated partners, including audio conferencing providers (ACPs), is controlled using one of the following methods:
• Allow automatic DNS-based discovery of Access Edge Servers for federated partners. This is the default option during initial configuration of an Access Edge Server because it offers a good level of security and features that facilitate configuration and management. For instance, when you enable enhanced federation on your Access Edge Server, Office Communications Server 2007 automatically evaluates incoming traffic from enhanced federation partners and limits or blocks that traffic depending on trust level, amount of traffic, and administrator settings.
• Do not allow DNS-based discovery and limit access of federated partners to only the FQDNs of each Access Edge Server for which you want to enable connections. Connections with federated partners are allowed only with the specific Access Edge Servers you add to your Allow list. This method offers the highest level of security, but does not offer the ease of management and other features available with DNS-based discovery. If an FQDN of an Access Edge Server changes, you must manually change the FQDN of the server in the Allow list.
When you ran the Configure Edge Server Wizard, if you chose not to allow automatic discovery of federation partners, you must add each federation partner to the Allow tab of your edge server for federation to work. If you chose to use DNS-based discovery of Access Edge Servers, you can use the Allow tab to grant a higher level of trust to some federated partners. This is necessary if you expect a legitimately higher than average volume of traffic from some federation partners. If a federated party has sent requests to more than 1000 URIs (valid or invalid) in the local domain, the connection is first placed on the Watch list. Any additional requests are then blocked by the Access Edge Server. If the Access Edge Server detects suspicious traffic on a connection, it limits the federation partner to a low message rate of 1 message per second. The Access Edge Server detects suspicious traffic by calculating the ratio of successful to failed responses. The Access Edge Server also limits legitimate federated partner connections (unless added to the Allow list) to 20 messages per second. If you know that a legitimate federated partner will send more than 1000 requests, or more than 20 messages per second, to your organization, you must add the federated partner to the Allow tab to allow these volumes. After configuring federation, you can use Office Communications Server 2007 administrative tools to monitor and manage federated partner access on an ongoing basis. For more information, see the Microsoft Office Communications Server 2007 Administration Guide.
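To make the throttling rules above concrete, here is a small model of them written for this page as an added example; it is not Office Communications Server code and only reproduces the published behaviour (Allow list exemption, 20 messages per second, the 1000-URI Watch list, and the 1 message per second limit for suspicious traffic). The guide does not say what ratio of failed responses counts as suspicious, so the SUSPICIOUS_FAILURE_RATIO and MIN_RESPONSES_FOR_RATIO values, and the partner domains used as sample traffic, are assumptions made for the example.

```python
"""Model of the federated-partner throttling the guide describes for the Access Edge Server.

Added illustration written for this page, not product code. Rules modelled:
a partner on the Allow list is exempt; any other partner gets at most 20
messages per second; a partner that has addressed more than 1000 distinct URIs
in the local domain is placed on the Watch list and its further requests are
blocked; a partner whose responses are mostly failures is limited to 1 message
per second. The numeric definition of "suspicious" is an assumption.
"""
from collections import defaultdict, deque

NORMAL_RATE = 20                # messages/second for a partner not on the Allow list (from the guide)
SUSPICIOUS_RATE = 1             # messages/second once traffic is judged suspicious (from the guide)
URI_WATCH_THRESHOLD = 1000      # distinct local URIs before the Watch list applies (from the guide)
SUSPICIOUS_FAILURE_RATIO = 0.5  # ASSUMED: share of failed responses above which traffic is suspicious
MIN_RESPONSES_FOR_RATIO = 10    # ASSUMED: do not judge a partner on fewer responses than this


class PartnerState:
    """Counters the throttle keeps for one federated partner domain."""

    def __init__(self):
        self.local_uris = set()   # distinct URIs in the local domain this partner has addressed
        self.successes = 0
        self.failures = 0
        self.recent = deque()     # send times of messages accepted within the last second
        self.on_watch_list = False


class FederationThrottle:
    def __init__(self, local_domain, allow_list=()):
        self.local_domain = local_domain.lower()
        self.allow_list = {d.lower() for d in allow_list}
        self.partners = defaultdict(PartnerState)

    def record_response(self, partner, succeeded):
        """Feed back whether the local server answered one of the partner's requests successfully."""
        state = self.partners[partner.lower()]
        if succeeded:
            state.successes += 1
        else:
            state.failures += 1

    def is_suspicious(self, state):
        """Ratio test: mostly failed responses (assumed threshold) marks the connection suspicious."""
        total = state.successes + state.failures
        return total >= MIN_RESPONSES_FOR_RATIO and state.failures / total > SUSPICIOUS_FAILURE_RATIO

    def admit(self, partner, target_uri, now):
        """Decide one incoming request: 'allow', 'blocked' or 'rate-limited'. now is seconds."""
        partner = partner.lower()
        if partner in self.allow_list:
            return "allow"                   # Allow list: trusted partner, no limits applied
        state = self.partners[partner]
        if state.on_watch_list:
            return "blocked"                 # already on the Watch list: further requests are blocked
        uri = target_uri.lower()
        if uri.rpartition("@")[2] == self.local_domain:
            state.local_uris.add(uri)
            if len(state.local_uris) > URI_WATCH_THRESHOLD:
                state.on_watch_list = True   # placed on the Watch list; the next request is blocked
        limit = SUSPICIOUS_RATE if self.is_suspicious(state) else NORMAL_RATE
        while state.recent and now - state.recent[0] >= 1.0:
            state.recent.popleft()           # drop messages that left the one-second window
        if len(state.recent) >= limit:
            return "rate-limited"
        state.recent.append(now)
        return "allow"


def demo():
    """Run constructed traffic through the model and return the decisions worth checking."""
    throttle = FederationThrottle("contoso.com", allow_list=["fabrikam.com"])
    results = {}
    # 1. A partner on the Allow list is never limited (constructed partner domains throughout).
    results["allowed_partner"] = {throttle.admit("fabrikam.com", f"user{i}@contoso.com", 0.0) for i in range(40)}
    # 2. An ordinary partner gets 20 messages in one second, then is rate-limited.
    decisions = [throttle.admit("litwareinc.com", "alice@contoso.com", 0.0) for _ in range(21)]
    results["ordinary_partner"] = (decisions.count("allow"), decisions[-1])
    # 3. A partner sweeping more than 1000 distinct local URIs lands on the Watch list.
    for i in range(1001):
        throttle.admit("sweep.example", f"probe{i}@contoso.com", i * 0.1)
    results["uri_sweep"] = throttle.admit("sweep.example", "probe1001@contoso.com", 200.0)
    # 4. A partner whose requests mostly fail drops to 1 message per second.
    for i in range(10):
        throttle.record_response("noisy.example", succeeded=(i < 2))
    first = throttle.admit("noisy.example", "bob@contoso.com", 0.0)
    second = throttle.admit("noisy.example", "bob@contoso.com", 0.5)
    results["suspicious_partner"] = (first, second)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```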
To enable DNS-based discovery of Access Edge Servers of federated partners
1. Log on to the Access Edge Server as a member of the Administrators group or a group with equivalent user rights.
2. Open Computer Management. Click Start, click All Programs, click Administrative Tools, and then click Computer Management.
3. In the console tree, expand Services and Applications, right-click Microsoft Office Communications Server 2007, and then click Properties.
4. On the Access Methods tab, select the Federate with other domains check box.
5. On the Allow tab, click Add.
6. In the Add Federated Partner dialog box, do the following:
• In the Federated partner domain name box, type the domain of each federated partner.
• If you did not configure automatic discovery of federated domains, type the FQDN of the federated partner's Access Edge Server in the Federated partner Access Edge Server box.
• Click OK.
7. Repeat steps 5 and 6 for each federated partner you want to add to your Allow list, and then click OK.
Note After using this procedure to configure DNS-based discovery, you can use the procedures in the Office Communications Server 2007 Administration Guide to manage the trust levels of specific domains.
To restrict federated partner access to specific Access Edge Servers
1. Log on to the Access Edge Server as a member of the Administrators group or a group with equivalent user rights.
2. Open Computer Management. Click Start, click All Programs, click Administrative Tools, and then click Computer Management.
3. In the console tree, expand Services and Applications, right-click Microsoft Office Communications Server 2007, and then click Properties.
4. On the Access Methods tab, ensure that the Federate with other domains check box is selected, but clear the Allow discovery of federation partners check box.
5. On the Allow tab, click Add.
6. In the Add Federated Partner dialog box, do the following:
• In the Federated partner domain name box, type the name of the federated partner domain that you want to add to your Allow list.
• In the Federated partner Access Edge Server box, type the name of each Access Edge Server that you want to add to your Allow list. Only names that you add to the list are allowed to discover your Access Edge Server.
• Click OK.
7. Repeat steps 5 and 6 for each federated partner you want to add to your Allow list, and then click OK.
Step 4.2. Configure Settings for Anonymous Users
As described previously in this guide, anonymous participation in meetings enables a user whose identity is verified only through the meeting or conference key to join meetings. When you ran the Configuration Wizard on your edge servers, you had the option to allow anonymous users, but you can also configure specific settings to control anonymous participation. This includes configuring the global policy and implementing user-level settings to control participation by anonymous users. Use the procedures in this section to do the following:
• Configure the settings on the Meeting tab in Global Properties to specify how anonymous participation is implemented in your organization (allow anonymous users, disallow anonymous users, or allow only specific users to invite anonymous users).
• When you configure the settings on the Meeting tab, if you choose the option to enforce anonymous participation on a user-by-user basis, you also need to configure settings for each of the individual users that you want to allow to invite anonymous users to meetings.
To configure the global policy for anonymous participation in meetings
1. Log on to an Office Communications Server 2007 Standard or Enterprise Edition server, or a server with the Office Communications Server 2007 administration tools installed, as a member of RTCUniversalUserAdmins or a group with equivalent user rights.
2. Open Office Communications Server 2007, Administrative Tools. Click Start, point to All Programs, point to Administrative Tools, and then click Office Communications Server 2007, Administrative Tools.
3. In the console tree, right-click the forest node, point to Properties, and then click Global Properties.
4. Click the Meetings tab.
5. In the Anonymous participants box, click the global policy that you want to enforce:
• Allow users to invite anonymous participants. This policy allows all users in your organization to invite anonymous users to meetings.
• Disallow users from inviting anonymous participants. This policy prevents all users in your organization from inviting anonymous users to meetings.
• Enforce per user. This policy requires that you configure each individual user account that is to be able to invite anonymous users (as covered in the next procedure). All other users are prevented from inviting anonymous users.
Note By default, the global policy does not allow anonymous users, unless you selected the Anonymous users option on the Features that Will Be Enabled on this Access Edge Server page when you configured your edge servers, as explained in Step 3.4 earlier in this guide. You can use the above options to change the global policy. If you choose the Enforce per user option, the global policy prevents all users from inviting anonymous users to participate in meetings, except for any individual accounts that you specifically configure to be allowed to invite anonymous users, as explained later in this section.
6. To configure a global meeting policy, do the following:
• Under Policy Settings, click the name of the policy that you want to use in the Global policy list.
• To view or modify a policy, under Policy Definition, click the name of the policy, click Edit, and then modify the policy, as appropriate.
7. If you chose to enforce anonymous participation using the Enforce per user setting on the Meeting tab, use the next procedure to configure initial settings for each user that is to be allowed to invite anonymous users.
To configure settings so an individual user can invite anonymous users (if using the Enforce per user option)
1. Log on to an Office Communications Server 2007 Standard or Enterprise Edition server or a server with the Office Communications Server 2007 administration tools installed as a member of the RTCUniversalUserAdmins group or a group with equivalent user rights.
2. Open Office Communications Server 2007. Click Start, point to Programs, point to Administrative Tools, and then click Office Communications Server 2007, Administrative Tools.
3. In the console tree, locate the Standard Edition server node or Enterprise pool node containing the user account that you want to enable, expand the node, and then click Users.
4. In the details pane, right-click the name of the user account that you want to allow to invite anonymous participants, and then click Properties.
5. On the Communications tab, under Meetings, select the Allow anonymous participants check box.
Note This option is available only if you selected the Enforce per user option in the previous procedure.
Step 4.3. Configure Users for Federation, Public IM Connectivity, and Remote User Access
You enable federation, public IM connectivity, and remote user access for specific users to control the methods that users can use to communicate with external users.
Note The following procedure covers how to configure individual users for federation, public IM connectivity, and remote access. You can also configure a group of users by right-clicking Users or the OU containing the user accounts (or clicking Users or the OU, and selecting specific user accounts in the details pane), and then clicking Configure Communications Users. For more information, see the Microsoft Office Communications Server 2007 Administration Guide.
To configure individual users to communicate with external users
1. Log on as a member of the DomainAdmins group to an Enterprise Edition Server or a server that is a member of an Active Directory domain and that has the Office Communications Server administration tools installed.
2. Open Active Directory Users and Computers. Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
3. In the console tree, expand the Users container or the other organizational unit (OU) that contains the user account for which you want to enable federation, public IM connectivity, or remote user access, right-click the user account name, and then click Properties.
4. On the Communications tab, click Configure next to Additional options.
5. In User Options, under Federation, do the following:
• To enable the user account for federation, select the Enable Federation check box.
• To enable the user account for public IM connectivity, select the Enable public IM connectivity check box.
• To enable the user account for remote access, select the Enable remote user access check box.
6. Click OK twice.
Step 4.4. Connect Your Internal Servers with Your Edge Servers
To connect your internal servers to your edge servers and configure the internal servers to route outbound traffic to the edge servers, you need to run the Configure Server Wizard or Configure Pool Wizard on each server or pool in your organization, as well as on the Director (if you deployed a Director, as recommended).
Configuring a Director
When you run the Configure Pool or Server Wizard and configure external access on a Director, you configure the following settings:
• Add your Director as the next hop server through which all external SIP traffic is routed. This setting is configured on the Federation tab in Global Properties.
• Add your Access Edge Server to the authorized Access Edge Server list on the Edge Server tab in Global Properties.
• Override the "next hop" setting that is used globally by internal servers and pools so that the Director routes all outbound traffic directly to the Access Edge Server. This setting is configured at the pool or Standard Edition Server level on the Federation tab.
To configure your Director for external user access
1. Log on to your Director with an account that is a member of the RtcUniversalServerAdmins group.
2. Start the Deployment Wizard by doing one of the following:
• If you have the Office Communications Server 2007 installation CD, insert the CD. If Setup does not start automatically, from the Start menu, click Run, type \Setup\I386\Setup.exe, and then click OK.
• If the Office Communications Server 2007 files reside on a network share, go to the \Setup\I386 folder, and then double-click Setup.exe.
3. Do one of the following:
• On a Standard Edition server, click Deploy Standard Edition Server.
• On an Enterprise Edition server, click Deploy Pool in a Consolidated Topology or Deploy Pool in an Expanded Topology.
4. At Configure Server, click Run.
5. On the Welcome to the Configure Pool/Server Wizard page, click Next.
6. On the Server or Pool to Configure page, select the server from the list, and then click Next.
7. Accept the default settings until you reach the External User Access Configuration page.
8. On the External User Access Configuration page, click Configure for external user access now, and then click Next.
9. On the Route External SIP Traffic page, click Route traffic through a Director, and then click Use this pool or server as the Director for routing external traffic.
10. Click Next.
11. On the Trusted Access Edge Servers page, type the FQDN of each Access Edge Server, clicking Add after each. If you are using an array of Access Edge Servers, type the FQDN of the VIP of the internal load balancer. The FQDNs that you enter on this page are added to the list of authorized Access Edge Servers on the Edge Server tab in Global Properties.
12. Under Specify the Access Edge Server that internal servers will use to route traffic, select the FQDN of the Access Edge Server to which you want all outbound traffic routed from your internal servers, and then click Next.
13. On the Web Conferencing Edge Server page, click Next. You configure each internal server and pool to route to the appropriate Web Conferencing Edge Server. Directors do not route Web Conferencing traffic.
14. On the Trusted A/V Edge Servers page, enter the internal FQDN of each A/V Edge Server authorized to connect to your internal servers. The FQDNs that you enter on this page are added to the list of authorized A/V Edge Servers on the Edge Server tab in Global Properties.
15. On the A/V Edge Server Used by This Server or Pool page, click Next. You configure each internal server and pool to route to the appropriate A/V Edge Server. Directors do not route A/V traffic.
16. On the Ready to Configure Server or Pool page, review the settings that you specified, and then click Next to configure the Standard Edition Server.
17. When the files have been installed and the wizard has completed, verify that the View the log when you click 'Finish' check box is selected, and then click Finish.
18. In the log file, verify that <Success> appears under the Execution Result column. Look for <Success> Execution Result at the end of each task to verify that the Standard Edition Server configuration completed successfully. Close the log window when you finish.
Configuring Other Internal Servers and Pools for External User Access
Use the following procedure to configure your internal servers or pools for external access. The procedure will vary slightly depending on whether or not you use a Director.
To connect your internal server with your edge servers
1. Log on to your internal Standard Edition Server or Enterprise pool with an account that is a member of the RtcUniversalServerAdmins group.
2. Start the Deployment Wizard by doing one of the following:
• If you have the Office Communications Server 2007 installation CD, insert the CD. If Setup does not start automatically, from the Start menu, click Run, type \Setup\I386\Setup.exe, and then click OK.
• If the Office Communications Server 2007 files reside on a network share, go to the \Setup\I386 folder, and then double-click Setup.exe.
3. Do one of the following:
• On a Standard Edition server, click Deploy Standard Edition Server.
• On an Enterprise Edition server, click Deploy Pool in a Consolidated Topology or Deploy Pool in an Expanded Topology.
4. Next to Configure Server or Configure Pool, click Run to start the Pool/Server Configuration Wizard.
5. On the Welcome page, click Next.
6. On the Server or Pool to Configure page, in the list, click the pool or server that you want to configure, and then click Next.
7. Continue through the wizard, specifying the settings that are appropriate to your pool or server configuration, until you reach the External User Access Configuration page.
8. On the External User Access Configuration page, click Configure for external user access now.
9. On the Routing External SIP Traffic page, do one of the following:
• If you plan to route all traffic sent to and from the edge servers through a Director, click Route traffic through a Director and, if this is the Director, select the Use this pool or server as the Director for routing external traffic check box, click Next, and then perform the remaining steps in this procedure.
• If you do not plan to route all traffic sent to and from the edge servers through a Director, click Route directly to and from internal pools and servers.
10. Click Next.
11. On the Trusted Access Edge Servers page, do the following:
• In the top box, type the FQDN of each Access Edge Server that is authorized to connect to your internal servers and pools, clicking Add after typing each name.
• In the Specify the Access Edge Server that internal servers will use for outbound traffic list, click the name of the Access Edge Server to which internal servers and pools will route outbound traffic.
12. On the Web Conferencing Edge Server page, do the following:
• In Internal FQDN, type the FQDN of each internal interface that will be used by internal servers to connect to the Web Conferencing Edge Server, clicking Add after typing each FQDN.
• In External FQDN, type the FQDN of each external interface that will be used by external users to connect to the Web Conferencing Edge Server, clicking Add after typing each FQDN.
13. Click Next.
14. On the Trusted A/V Edge Servers page, type the FQDN of the internal interface that will be used to connect to the A/V Edge Server in the FQDN box, type the port number to be used for the internal interface in the Port box, and then click Add. Repeat for each FQDN to be used. Servers are added to the list of authorized A/V Edge Servers on the Edge Server tab in Global Properties.
15. On the A/V Edge Server Used by This Server or Pool page, type the FQDN of the internal interface of the A/V Edge Server that this server or pool will use for A/V authentication. This FQDN is added to the A/V Properties at the "pool" level for an Enterprise pool or Standard Edition Server.
16. Click Next.
17. On the Ready to Configure Server or Pool page, review the settings that you selected, and then click Next.
18. On the completion page, click Finish.
Step 5. Validate Your Edge Configuration
After you have deployed your edge topology and set up the environment, you should run the Validation Wizard on each individual edge server in order to verify its configuration and connectivity.
To validate your server configuration
1. Log on to each edge server as a member of the RTCLocalServerAdmins group or a group with equivalent user rights.
2. In the Deployment Wizard, beside Validate Server Functionality, click Run to start the Validation Wizard.
3. On the Welcome page, click Next.
4. On the Select Validation Steps page, select the options you want to validate:
• Select the Validate SIP Logon (1-Party) and IM (2-Party) check box. This option verifies that your enabled users can log on, and it can only be run after you create and enable your users. You need to run this check on an internal server to validate internal connectivity and verify communications with the edge servers, as described in the next procedure.
• Select the Validate Local Server Configuration check box to validate that the server on which you are running is configured correctly.
• Select the Validate Connectivity check box to verify that the server has connectivity to internal servers.
5. Click Next.
6. On the User Account page, do the following:
• Type the account name, user sign-in name, and password of a test user or other user who is enabled for SIP.
• In the Server or Pool list, click the name of the server or Enterprise pool on which the user account is hosted.
7. Click Next.
8. On the Second user account page, do the following:
• Type the account name, user sign-in name, and password of a second test user or other user who is enabled for SIP. This account will be used with the first account that you specified to test IM functionality between two users.
• In the Server or Pool list, click the name of the server or Enterprise pool on which the user account is hosted.
9. Click Next.
10. On the wizard completion page, verify that the Check this box to view log files results check box is selected, and then click Finish to exit.
11. When the Office Communications Server 2007 Deployment Log opens in a Web browser window, verify that Success appears under Execution Result in the action column on the far right side of the screen. Optionally, expand each individual task and verify that the Execution Result shows Success for the task. When you finish, close the log window.
To verify that your edge servers can communicate with internal servers
1. Log on to an Office Communications Server 2007 Standard or Enterprise Edition server or a server with the Office Communications Server 2007 administration tools installed as a member of the RTCUniversalUserAdmins group or a group with equivalent user rights.
2. In the Deployment Wizard, beside Validate Server Functionality or Validate Pool Functionality, click Run to start the Validation Wizard.
3. On the Welcome page, click Next.
4. On the Select Validation Steps page:
• Select the Validate SIP Logon (1-Party) and IM (2-Party) check box. This option verifies that the user accounts you created and enabled can be used to log on and connect.
• Select the Validate Local Server Configuration check box to validate that the server on which you are running is configured correctly.
• Select the Validate Connectivity check box to verify that the server has connectivity to the back-end database and other internal servers.
5. On the User Account page, do the following:
• Type the account name, user sign-in name, and password of a test user or other user who is enabled for SIP.
• In the Server or Pool list, click the name of the server or Enterprise pool on which the user account is hosted.
6. Click Next.
7. On the Second user account page, do the following:
• Type the account name, user sign-in name, and password of a second test user or other user who is enabled for SIP. This account will be used with the first account that you specified to test IM functionality between two users.
• In the Server or Pool list, click the name of the server or Enterprise pool on which the user account is hosted.
8. Click Next.
9. If you have configured federation or public IM connectivity, on the Federation and Public IM Connectivity page, do the following:
• Select the Test between internal user and federated users check box.
• In the Enter SIP User Accounts for federated use box, type the SIP URI of one or more federated user accounts (separated by semicolons) that you want to use to test this functionality. Otherwise, leave the check box cleared.
10. Click Next.
11. On the wizard completion page, verify that the View the log when you click Finish check box is selected, and then click Finish.
12. When the Office Communications Server 2007 Deployment Log opens in a Web browser window, verify that Success appears under Execution Result in the action column on the far right side of the screen. Optionally, expand each individual task and verify that the Execution Result shows Success for the task. When you finish, close the log window.
Appendix A: Configuring an Array of Standard Edition Servers as a Director
For larger deployments with external access enabled, you might want to deploy an array of Office Communications Servers to function as a Director. Servers in this array are connected through a load balancer and share a virtual IP address. The load balancer routes each incoming communication to a computer in the array, which then routes the communication to the internal Office Communications Server 2007 server or Enterprise pool.
Figure 6 Access Edge Server Topology with two Directors (perimeter network and internal network separated by a firewall; external VIP0, internal VIP1, Director VIP2; Access Edge Servers AP1 and AP2; Directors DIR1 and DIR2)
In the configuration shown in the figure, the following virtual IP addresses are assigned to the load balancers:
• VIP0 is the virtual IP address of the external interface of the Access Edge Server array (AP1 and AP2).
• VIP1 is the virtual IP address of the internal interface of the Access Edge Server array (AP1 and AP2).
• VIP2 is the virtual IP address of the Director array (DIR1 and DIR2), which is visible to the perimeter network.
In the figure, the IP address of each network element is labeled below the network element. For illustrative purposes, assume that the FQDN for each network element is as shown in the following table.
Table 33 Network elements and associated FQDNs
Network Element    FQDN
VIP0               sip.contoso.com
AP1                ap1.contoso.com
AP2                ap2.contoso.com
VIP1               apbank.corp.contoso.com
VIP2               dirpool.corp.contoso.com
DIR1               dir1.corp.contoso.com
DIR2               dir2.corp.contoso.com
Depending on whether you deploy an Enterprise pool with a Back-End Database that contains no user data or multiple Standard Edition Servers as an array, the configuration of the array will vary. The primary differences are as follows:
• The certificates that are installed on the Standard Edition servers must have the computer FQDN in the SUBJECT field, and the FQDN of the virtual IP address of the Director must be listed in the SUBJECT_ALT_NAME field.
• At the forest level, the global default route for federation must point to the FQDN of the virtual IP address of the Director. In the case of an Enterprise pool, it must point to the FQDN of the Enterprise pool.
• The default route for federation on each of the Standard Edition servers in the Director array must point to the FQDN of the virtual IP address of the Access Edge Server array. This setting is configured on the Federation tab of each Standard Edition Server or Enterprise pool. If an Enterprise pool is used as a Director, this setting would be made only once, at the pool level.
• Individual server names must be listed in the "trusted internal servers" list on the Access Edge Servers, in addition to the FQDN of the virtual IP address of the Director.
• DNS entries must be added for each Standard Edition Server in the perimeter network, in addition to the FQDN of the virtual IP address.
Creating Certificates for an Array of Standard Edition Servers Configured as a Director
A certificate that is installed on a Standard Edition Server that is part of a Director array must meet the following requirements:
• The FQDN of the server is used for the subject (SUBJECT of the certificate).
• The FQDN of the virtual IP address of the Director and the FQDN of the server must be used as the subject alternate name (SUBJECT_ALT_NAME of the certificate).
By default, the Microsoft Enterprise subordinate CA does not allow issuing a certificate with a subject alternate name, so issuing a certificate with a Subject alternate name on a Microsoft Enterprise subordinate CA requires changing some settings on the CA. For example, in the example described earlier in this appendix, the FQDN for the virtual IP address of the Director is dirpool.corp.contoso.com and one of the server names is dir1.corp.contoso.com. The subject alternate name must contain both the server name and the FQDN of the virtual IP address, or else the certificate cannot be correctly loaded by the Security Service Provider Interface (SSPI). Additionally, because each certificate lists the individual server name in addition to the FQDN of the virtual IP address, each server must be installed with a different certificate: a common certificate cannot be shared across all the servers in the array. These requirements are in addition to the standard certificate requirements for Office Communications Server 2007, such as having the Encrypted Key Usage set for both client and server authentication.
Configuring DNS Resolution for Directors on the Access Edge Server
The individual IP addresses of the Director servers must be visible to the Access Edge Server, in addition to the virtual IP address of the Director. This requirement is in addition to the requirements for using a pool for a Director. For example, if you are using hosts files on the Access Edge Server, the hosts file entries are as follows:
172.67.89.80    dirpool.corp.contoso.com
172.78.89.1     dir1.corp.contoso.com
172.78.89.2     dir2.corp.contoso.com
Note We recommend that you use a hosts file only if the Access Edge Server does not have access to the internal DNS server. If there are FQDNs that the Access Edge Server is not able to resolve, you can add them to the hosts file.
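As an added illustration (not part of this guide or of any Microsoft tool), the following Python script parses a hosts file in the format shown above and checks it against the requirement of this section: the FQDN of the Director virtual IP address and every individual Director FQDN must resolve on the Access Edge Server, and each Director must have an address of its own rather than the VIP. The sample hosts file is constructed from the names and addresses in the example above; parse_hosts and check_director_resolution are this example's own names.

```python
"""Check an Access Edge Server hosts file for Director array resolution.

Added example, not part of the deployment guide or of any Microsoft tool.
The guide requires that the Access Edge Server can resolve the FQDN of the
Director VIP *and* each individual Director server; this reports what is
missing or inconsistent in a hosts file.
"""
import ipaddress

# Constructed sample built from the guide's example, with a comment line,
# an alias and a localhost entry added to exercise the parser.
SAMPLE_HOSTS = """\
# hosts file on the Access Edge Server (constructed sample)
127.0.0.1       localhost
172.67.89.80    dirpool.corp.contoso.com   dirpool
172.78.89.1     dir1.corp.contoso.com
172.78.89.2     dir2.corp.contoso.com
"""


def parse_hosts(text):
    """Return {name_lowercase: ip_string} from hosts-file text.

    Each line is 'IP name [alias ...]'; '#' starts a comment. Lines whose
    first token is not a valid IP address are skipped. The first entry for a
    name wins, which is how the resolver treats duplicate names.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed address: not a usable entry
        for name in parts[1:]:
            table.setdefault(name.lower(), ip)
    return table


def check_director_resolution(hosts_text, vip_fqdn, server_fqdns):
    """Return a list of findings; an empty list means the file is sufficient.

    Rules taken from the guide: the VIP FQDN and every individual server FQDN
    must resolve, and each server needs its own address, distinct from the
    VIP (owned by the load balancer) and from the other servers.
    """
    table = parse_hosts(hosts_text)
    findings = []
    required = [vip_fqdn] + list(server_fqdns)
    for name in required:
        if name.lower() not in table:
            findings.append(f"missing: {name}")
    vip_ip = table.get(vip_fqdn.lower())
    seen = {}
    for name in server_fqdns:
        ip = table.get(name.lower())
        if ip is None:
            continue
        if ip == vip_ip:
            findings.append(f"{name} resolves to the VIP address {ip}; it needs its own address")
        elif ip in seen:
            findings.append(f"{name} and {seen[ip]} share {ip}")
        else:
            seen[ip] = name
    return findings


if __name__ == "__main__":
    # Usage: read the real hosts file and run the same check.
    with open(r"C:\Windows\System32\drivers\etc\hosts", encoding="utf-8") as fh:
        for finding in check_director_resolution(
            fh.read(), "dirpool.corp.contoso.com",
            ["dir1.corp.contoso.com", "dir2.corp.contoso.com"]):
            print(finding)
```

Run with no findings printed, the file covers the VIP and both Directors from Table 33; the path in the usage block is the standard Windows hosts location and is the only assumption beyond the guide's sample names.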
Configuring the FQDN of the Array on the Host Authorization List
After you have set up your certificates and configured DNS records for your Director array, you must add the FQDN of the VIP of the load balancer to each internal server or pool on the Host Authorization tab.
To add the VIP of the array to the Host Authorization list
1. Log on to an Office Communications Server 2007 server joined to a domain or another computer with the Office Communications Server 2007 administration tools installed with an account that is a member of the RTCUniversalServerAdmins group.
2. Expand Enterprise pools, and then expand the pool name.
3. Right-click Front Ends, and then click Properties.
4. Click the Host Authorization tab.
5. Click Add and enter the FQDN of the VIP of the load balancer used by the Director array.
6. Repeat steps 2 through 5 for each Enterprise pool in your organization.
7. Expand Standard Edition Servers.
8. Right-click the server name, point to Properties, and then click Front End Properties.
9. Click the Host Authorization tab.
10. Click Add and enter the FQDN of the VIP of the load balancer used by the Director array.
11. Repeat steps 7 through 9 for each Standard Edition Server in your environment.
Appendix B: Sample Certificate
The CSR (certificate signing request) generated by the Communications Certificate Wizard that you use to request your certificate will vary, depending on the CA you choose. In general it contains the information shown in the following figures.
Sample Certificate Request For a Single Access Edge Server (Exportable=FALSE)
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject= "CN=server1.contoso.com;OU=LCS;O=Contoso;L=Redmond;S=Washington;C=US"
KeySpec = 1
KeyLength = 1024
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
For an array of Access Edge Servers (Exportable=TRUE)
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject= "CN=server1.contoso.com;OU=LCS;O=Contoso;L=Redmond;S=Washington;C=US"
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
Note The subject line in the PolicyFileIn.Inf file must contain the following information:
Subject="CN=FQDN of your Access Edge Server or Array;OU=ProjectName;O=CompanyName;L=City;S=fullNameofState;C=two-letter country/region abbreviation"
Most public CAs require strict compliance with the above information. Examples:
CN=AP1.fabrikam.com;OU=LCS;O=Fabrikam;L=Eugene;S=Oregon;C=US
CN=AParry.marketing.proseware.com;OU=LCS;O=Proseware;L=Portland;S=Maine;C=US
Table 34 Fields in PolicyFileIn.inf
Field: Signature="$Windows NT$"
Field: Subject="CN=FQDN;OU=Organizational unit;O=Company;L=city;S=state;C=country/region"
Notes: CN: The fully qualified domain name of your Access Edge Server or Access Edge Server array (the server or array on which you are installing the certificate). OU: Some division or department. O: Company name. L: City. S: Full state or province name (no abbreviations are accepted). C: Two-letter country/region code.
Field: KeySpec=1
Notes: Indicates both encryption and signing (standard TLS requirement).
Field: KeyLength = 1024
Notes: Must be a power of 2 between 1024 and 4096, inclusive.
Field: Exportable = FALSE (single Access Edge Server) or Exportable = TRUE (array of Access Edge Servers)
Notes: FALSE for a single Access Edge Server; TRUE for an array of Access Edge Servers.
Field: MachineKeySet = TRUE
Notes: Specifies that the certificate will be put into the local computer store.
Field: SMIME = FALSE, PrivateKeyArchive = FALSE, UserProtected = FALSE
Notes: These fields must be set to FALSE; otherwise, RTCSRV will not be able to use the certificate.
Field: UseExistingKeySet = FALSE
Notes: This field must be set to FALSE to generate a new private key.
Field: ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
Notes: SCHANNEL (Windows TLS provider) requirement.
Field: ProviderType = 12
Notes: SCHANNEL (Windows TLS provider) requirement.
Field: RequestType = PKCS10
Notes: Can be PKCS10 or PKCS7. Almost all CAs accept PKCS10, so you should leave the request type as PKCS10.
Field: KeyUsage = 0xa0
Notes: Similar to the KeySpec field. This value indicates that this certificate can be used for both encryption and signing.
Field: OID=1.3.6.1.5.5.7.3.1
Notes: Enhanced key usage for server authorization.
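The rules in Table 34 can be checked mechanically before a request is sent to a CA. The following Python script is an added example, not part of this guide or of the Communications Certificate Wizard: it parses INF text of the form shown in this appendix and reports every field that departs from the table, including the Subject format from the Note above and the Exportable setting for a single server versus an array. The sample request is constructed from the single-server example in this appendix; parse_inf, lint_subject and lint_request are this example's own names.

```python
"""Lint a PolicyFileIn.inf certificate request against Table 34.

Added example, not part of the deployment guide or of any Microsoft tool.
It parses INF text ([Section] headers, key = value lines) and lists each
field that does not meet the table. SINGLE_SERVER_INF is constructed from
the guide's single Access Edge Server request.
"""
import re

SINGLE_SERVER_INF = """\
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject= "CN=server1.contoso.com;OU=LCS;O=Contoso;L=Redmond;S=Washington;C=US"
KeySpec = 1
KeyLength = 1024
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"""

# Fields that Table 34 pins to a single value (compared case-insensitively).
FIXED = {"KeySpec": "1", "MachineKeySet": "TRUE", "SMIME": "FALSE",
         "PrivateKeyArchive": "FALSE", "UserProtected": "FALSE",
         "UseExistingKeySet": "FALSE", "ProviderType": "12", "KeyUsage": "0xa0",
         "ProviderName": "Microsoft RSA Schannel Cryptographic Provider"}
SUBJECT_KEYS = ("CN", "OU", "O", "L", "S", "C")
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # enhanced key usage: server authentication


def parse_inf(text):
    """Return {section: {key: value}} with surrounding quotes stripped.
    OID may repeat inside [EnhancedKeyUsageExtension], so it is kept as a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or INF comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        value = value.strip('"')
        if key.upper() == "OID":
            sections[current].setdefault("OID", []).append(value)
        else:
            sections[current][key] = value
    return sections


def lint_subject(subject):
    """Check that the Subject DN carries CN, OU, O, L, S and a two-letter C."""
    pairs = (p.split("=", 1) for p in subject.split(";") if "=" in p)
    parts = {k.strip().upper(): v.strip() for k, v in pairs}
    findings = [f"Subject is missing {k}" for k in SUBJECT_KEYS if not parts.get(k)]
    if parts.get("C") and not re.fullmatch(r"[A-Za-z]{2}", parts["C"]):
        findings.append("Subject C must be a two-letter country/region code")
    return findings


def lint_request(inf_text, is_array):
    """Return findings; an empty list means the request matches Table 34.
    is_array selects the Exportable rule: FALSE for one Access Edge Server,
    TRUE for an array behind a load balancer."""
    inf = parse_inf(inf_text)
    req = inf.get("NewRequest", {})
    findings = []
    if inf.get("Version", {}).get("Signature") != "$Windows NT$":
        findings.append('Signature must be "$Windows NT$"')
    for key, want in FIXED.items():
        got = req.get(key)
        if got is None or got.upper() != want.upper():
            findings.append(f"{key} must be {want}, got {got!r}")
    want_export = "TRUE" if is_array else "FALSE"
    if req.get("Exportable", "").upper() != want_export:
        findings.append(f"Exportable must be {want_export} for "
                        f"{'an array' if is_array else 'a single server'}")
    try:
        bits = int(req.get("KeyLength", ""))
        if not (1024 <= bits <= 4096 and bits & (bits - 1) == 0):
            raise ValueError
    except ValueError:
        findings.append("KeyLength must be a power of 2 between 1024 and 4096")
    if req.get("RequestType", "").upper() not in ("PKCS10", "PKCS7"):
        findings.append("RequestType must be PKCS10 (or PKCS7)")
    findings += lint_subject(req.get("Subject", ""))
    if SERVER_AUTH_OID not in inf.get("EnhancedKeyUsageExtension", {}).get("OID", []):
        findings.append(f"EnhancedKeyUsageExtension must include {SERVER_AUTH_OID}")
    return findings
```

To lint a real request, read the INF file into a string and call lint_request(text, is_array=True) for an Access Edge Server array or is_array=False for a single server; each returned string names the field to correct.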
Example Using a Verisign Trial Certificate
The following procedure guides you through the process of selecting a trial certificate from Verisign.
Important This procedure is an example, and it demonstrates the process of requesting a trial certificate. The exact process may vary, depending on your certificate provider. For production use, you must purchase a valid certificate, not a trial certificate.
To request a trial certificate from Verisign
1. In your browser, go to http://www.verisign.com/.
2. On the right side of the page, click Free SSL trial.
3. In the new window that opens, complete the form by entering your contact and other requested information, and then click Submit.
4. Review the information on the Before you start page, and then click Continue.
5. On the Welcome page, review the process for requesting a certificate, and then click Continue.
6. Enter your technical information, and then click Continue.
7. In the Select Server Platform and Paste Certificate Signing Request box, do the following:
• In Select Server Platform, click Microsoft.
• In Select Version, click IIS 6.0.
• In Paste Certificate Signing Request (CSR) obtained from your server, paste the contents of the CSR generated by the LcsCertutil tool.
8. In What do you plan to use this SSL certificate for, select Web Server.
9. Click Continue.
10. On the Verify CSR information page, review the CSR information. If you want to make a change, click Change CSR to return to the previous page. Otherwise, continue to the next step.
11. In the Challenge Phrase box, enter a challenge phrase and enter a reminder question. This phrase will be required when you import the certificate.
12. On the Order Summary and Acceptance page, review the information, and then click Accept.
Appendix C Manually Configuring a Client for Remote User Access
Use the following procedure to manually configure a client to point to an Access Edge Server for remote user access.
To manually configure a client:
1. Open Communicator.
2. Click the Presence icon.
3. Click Options.
4. Click Advanced.
5. In Advanced Connections setting, under Configure settings, in External Server name or IP address, enter the <external FQDN of the Access Edge Server>:443. For example, sipalt.access.contoso.com:443
Appendix D Optimizing Your Network Interface Card for High A/V Traffic
For many deployments, you can use the default settings on your network interface. However, in the following situations, you should optimize for A/V traffic flow by increasing the receive and transmit buffer settings to three times their default value on your network interface cards:
• You anticipate audio and video traffic on any particular A/V Conferencing Server or A/V Edge Server to exceed 200 to 250 Mbps.
• Your servers experience packet loss on the network.
Note The following procedure provides steps to change these settings on a typical network interface card. The procedure will vary depending on your manufacturer.
To change your network interface card settings
1. Log on to the computer running A/V Conferencing Server or A/V Edge Server with local administrator permissions.
2. Right-click Computer Manager, and then click Manage.
3. In the console pane, click Device Manager.
4. In the details pane, expand Network adapters.
5. Right-click your network adapter, and then click Properties.
6. Click the Advanced tab.
7. Under Settings, click Performance Options.
8. Under Settings, click Receive Descriptors.
9. In the Value box, change the value to three times the default value, and then click OK.
10. Under Settings, click Transmit Descriptors.