Microsoft Office Communications Server 2007 – Software Update Service Deployment Guide
Published September 2007
Updated October 2007
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ® 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows NT, Windows Server, Windows Vista, RoundTable, and SharePoint are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Contents
Introduction
Overview of the Software Update Service
    Supported Topologies
    Components of the Software Update Service
    How the Software Update Service Works
        How Updates Are Uploaded and Managed within the Software Update Service
        How Devices Connect to the Software Update Service
Scenarios for the Software Update Service
    Controlling the way device updates are deployed to users
    Approving an update
    Rolling back a defective update
    Introducing new models
    Removing an old model
    Retrieving updates automatically or manually
    Retrieve an inventory of devices in the organization
Overview of Deployment
Prerequisites
    Dependencies for Automatic Uploads
Configuring SharePoint
    Step 1 Create the SharePoint Default Site (if you have not already)
    Step 2 Enable Anonymous User Access
    Step 3 Configure Alternate Mapping Access
    Step 4 Install Files for the SharePoint Server Software Update Service Component
        Verify Installation (optional)
    Step 5 Create the Software Update Services SharePoint Site
    Step 6 Grant Service Account Permissions to Administer the SharePoint Site
    Step 7 Configure Certificates on the SharePoint Server
Deploying and Configuring the Software Update Service
    Prerequisites
    Step 1 Deploying the Software Update Service
        Installing the Software Update Service on Office Communications Server
        Activate the Software Update Service
    Step 2 Configuring Certificates on the Software Update Service
    Step 3 Configure Kerberos on the Service Account
    Step 4 Configure Your Reverse Proxy (For External Access Only)
        Configure Network Adapters
        Install ISA Server 2006
        Request and Configure a Certificate for Your Reverse HTTP Proxy
        Configure Web Publishing Rules
        Verify or Configure Authentication and Certification on IIS Virtual Directories
        Create a DNS Record
        Verify Access through Your Reverse Proxy
    Step 5 Upload a Cabinet File in the Management Console (Optional)
    Step 6 Test Software Update Service
        Step 6.1 Add a Test Device
        Step 6.2 Restart Your Device
        Step 6.3 Verify the Audit Logs
Appendix A: Troubleshooting
    Service Account Is Changed in Office Communication Server
    Server Name and Port Changes
    Problems Creating the Update Site on SharePoint
    Problems Deleting a SharePoint Site
    Problems with Anonymous Access or Permissions on the Document Library Folder
Appendix B: Configuring RoundTable for the Software Update Service
    Configuring Device Specifics Updates for RoundTable
Appendix C: Manually Configuring the URLs Used by the Software Update Service
    Update the SharePoint Update Site URL
    Update the External Download URLs for the Software Update Service
        Update the External Update URL of the Software Update Service on a Standard Edition Server
        Update the External Update URL of the Software Update Service on an Enterprise Pool
Introduction
Unified communication (UC) devices, such as Microsoft® Communicator Phone Experience and Microsoft RoundTable™, enable rich communication within an organization. Deploying these devices requires regular maintenance by the IT department, which includes providing available software updates to these unified communications devices. All UC devices rely on an automatic mechanism to obtain the software updates they require on a regular basis. Microsoft Office Communications Server 2007 Upgrade Service provides an automated way to update all unified communications devices deployed in an organization. These software updates can be the latest enhancements or fixes to known issues in the current version already deployed on the device. This document guides you through the process of deploying the Office Communications Server 2007 Software Update Service in your organization.
Overview of the Software Update Service
Office Communications Server 2007 Upgrade Service has two primary components:
• SharePoint® Site – An update module running on Windows® SharePoint Services 3.0 that functions as the repository for update images, log files, device files, and any other files that might be required as part of the update on a unified communications device. This module also serves as the installation point for the Web service required by the upgrade server.
• Software Update Service – A service that runs on Office Communications Server. This component is the core of the Software Update Service and works in conjunction with the SharePoint site to provide appropriate updates to UC devices in an enterprise. In a typical installation, several update services can work with each SharePoint site.
Supported Topologies
The Software Update Service must be installed on an Office Communications Server on which the Web Component Server role is running. You can deploy the Software Update Service on the following Office Communications Servers:
• A Standard Edition Server
• Each Enterprise Edition Server in the consolidated pool configuration
• Each Web Components (IIS) Server in the expanded pool configuration
You must install the SharePoint Server on a dedicated computer, separate from the Office Communications Server 2007 Software Update Service. If your organization contains multiple pools and Standard Edition Servers, you must install the Software Update Service on each pool (all servers running the Web Components Server role) and each Standard Edition Server. Based on SharePoint's usage model, which assumes a 10% concurrent connection rate, a single SharePoint Server update site can support up to 90,000 devices for an organization. If you assume a usage model of up to 50% of the organization using devices, a single SharePoint Server can be used for an organization with a user base of 180,000 users.
Components of the Software Update Service
There are several components in the Software Update Service that interact with each other to download, approve, and deploy device updates:
• Software Update Service on the Office Communications Server 2007 Web Components Server. This component:
    • Services all unified communications devices. Devices connect to the Software Update Service and the Software Update Service determines whether an update is required for the current version running on the device.
    • Retrieves updates from Microsoft Update Service or manually (if no connection to the Microsoft Update Service exists) and writes this information to the data store on the SharePoint Server.
    • Provides the Management Console for managing updates.
• Management Console – Most of the administrator tasks are completed using this console, which is a Web console hosted on the Software Update Service that runs on the Office Communications Server. This console allows you to manage your updates, approve or reject updates, roll back defective updates, test new updates on devices, or delete updates. The Management Console uses the following URL constructs:
    • For a Standard Edition Server: https:// /MgmtConsole
    • For an Enterprise pool: URL https:// /MgmtConsole
  In an Enterprise pool, you can use the FQDN of any Web Components Server in the pool, but you cannot use the FQDN of the pool. You cannot send requests through the load balancer because the Management Console does not have a state manager to manage activity made on the console. When a change is committed, it is automatically synchronized across all Web Component Servers within the pool.
• Auto updates – This component gets newly published device updates from the Microsoft Update Service (MUS), Windows Server® Update Service (WSUS), or the Windows Update Agent. If your organization does not automatically connect to a Microsoft Update site, you can manually download cab files that contain update metadata from the Microsoft Web site.
• SharePoint Server – The Update Site serves as the central repository for the update information, logs, and audit information. The Update Site provides the installation point for devices that require updates. It also allows administrators to view logs and other update data on the SharePoint Server that contains a data store with the following information:
    • Configuration information – Information such as the file storage host and share name, Windows Server Update Service server information, the life time of the log folder, and other configuration information required by Update Service is stored in the data store on the SharePoint Server.
How the Software Update Service Works
The following figure shows the architecture of Office Communications Server Software Update Service and its associated components.
Figure 1 Architecture of Office Communications Server Software Update Service
[Figure not reproduced. Labels in the figure: Microsoft Update Service, Firewall, WSUS, UC Servers, Network, Public IP, Perimeter, SharePoint with Update Module, OCS with Update Service, HTTP Reverse Proxy, UC Endpoints (RoundTable, Communicator Phone Experience), UC Administrator. Legend: External MUS data path, SharePoint data, Internal OCS/Update Server data path, Admin path.]
How Updates Are Uploaded and Managed within the Software Update Service
As Figure 1 illustrates, if your organization is connected to the Microsoft Update Service, updates are uploaded in the following manner:
1. Windows Update Agent runs on every computer running Windows Server 2003. The update agent connects directly to the Microsoft Update Service or the Windows Server Update Service (depending on your organization). It talks directly to MUS or WSUS, which is transparent to users.
2. Windows Update Agent retrieves any updates from the Microsoft Update Service.
3. An internal component of the Office Communications Server 2007 Software Update Service (the update package handler) retrieves all UC device-specific updates and writes this information to the configuration store on the SharePoint Update site.
4. These updates are automatically published to the pending approvals on the Manage Updates tab in the Management Console of the Office Communications Server Software Update Service.
5. The Management Console writes any changes to the SharePoint Update site.
How Devices Connect to the Software Update Service
Currently the Software Update Service supports two unified communications devices: RoundTable and Communicator Phone Edition. RoundTable must be manually configured to connect to the Software Update Service and upload any device updates. For more information, see Appendix B: Configuring RoundTable for the Software Update Service. Communicator Phone Edition using the default configuration connects to the Software Update Service in the following way:
1. When Communicator Phone Edition signs in to the server or pool hosting the corresponding user account, Communicator Phone Edition gets in-band provisioning information from the server or pool containing the internal and external URL of the IIS server running the Software Update Service.
2. At startup, when the device signs in, and every 24 hours, Communicator Phone Edition checks for updates by sending an HTTP request over port 443 to the IIS or Web Components Servers hosting the Software Update Service. Within the HTTP request is the current version that Communicator Phone Edition is running.
3. Office Communications Server Software Update Service returns a response containing one of the following:
    • If no update exists for the current version, the response contains downloads=0.
    • If an update exists for the current version, the response contains an internal and external URL for the SharePoint Server site.
4. Communicator Phone Edition sends an HTTPS request to the SharePoint Server.
    • If Communicator Phone Edition is connecting from within the intranet, it sends an HTTPS request over port 443 to the SharePoint site.
    • If Communicator Phone Edition is connecting from outside the intranet, it sends an HTTPS request over port 443 to the SharePoint site.
5. The image is downloaded to the device.
6. The device waits for five minutes of idle activity, and then restarts.
7. When restart is complete, the device is updated.
Scenarios for the Software Update Service
As an administrator who is responsible for ensuring that all UC devices in your enterprise are maintained and upgraded on a regular basis, you might encounter one of the following scenarios that require installing an upgrade server.
Controlling the way device updates are deployed to users
As an administrator, you can verify each update on a test device and then make these updates available to the appropriate devices in your organization. You can use Microsoft Office Communications Server Update Server to download device-specific updates and test them before deployment in an enterprise environment, giving a greater degree of control over update deployment.
Approving an update
You have set up your enterprise to automatically download updates from Microsoft Update Service. However, you want to have the authority to approve or disapprove an update that has been downloaded automatically from the Microsoft Update Service. With Microsoft Office Communications Server Update Server, you can approve or reject updates that have been downloaded automatically from the Microsoft Update Service before deployment. This allows you to make sure that all updates are valid and functional instead of having to troubleshoot after deployment.
Rolling back a defective update
You have recently deployed a UC device update only to realize that the update is defective. You can roll back the defective update and reinstall a prior version. Microsoft Office Communications Server Update Server allows you to roll back a defective update and retain a tested prior update as the latest one. The next time a UC device polls the Upgrade Server for an update, it is sent a URL to a prior (rolled back) version of the upgrade. The device now automatically installs this update and effectively removes the defective upgrade.
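The polling exchange described under How Devices Connect to the Software Update Service, combined with the approval and rollback scenarios above, can be modeled in a few lines. This is an added example, not code from the guide or from Microsoft: only downloads=0 comes from the guide, while the class, field names, URLs and version numbers are constructed, and offering pending packages only to test devices is an assumption.

```python
"""Toy model of device polling with approve / reject / roll back controls.

Added illustration, not the product's wire format. Only "downloads=0" is
taken from the guide; every other name and value here is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

INTERNAL_BASE = "https://sharepoint.corp.example/sites/UCUpdateServer/Updates"  # constructed
EXTERNAL_BASE = "https://updates.example.com/sites/UCUpdateServer/Updates"      # constructed


@dataclass
class ModelState:
    approved: Optional[str] = None   # version offered to every device of this model
    pending: Optional[str] = None    # uploaded, waiting in pending approvals
    history: List[str] = field(default_factory=list)  # earlier approved versions


class UpdateService:
    def __init__(self) -> None:
        self.models: Dict[str, ModelState] = {}
        self.test_devices: Set[str] = set()
        self.audit: List[Tuple[str, str, str]] = []  # (device id, model, reported version)

    def upload(self, model: str, version: str) -> None:
        """A package arrives (automatic or manual upload) and waits for approval."""
        self.models.setdefault(model, ModelState()).pending = version

    def approve(self, model: str) -> None:
        state = self.models[model]
        if state.pending is None:
            raise ValueError("nothing pending for " + model)
        if state.approved is not None:
            state.history.append(state.approved)
        state.approved, state.pending = state.pending, None

    def reject(self, model: str) -> None:
        self.models[model].pending = None

    def roll_back(self, model: str) -> None:
        """Make the previously approved version the current one again."""
        state = self.models[model]
        if not state.history:
            raise ValueError("no earlier approved version for " + model)
        state.approved = state.history.pop()

    def check(self, device_id: str, model: str, version: str) -> dict:
        """Answer one poll; the device reports the version it is running."""
        self.audit.append((device_id, model, version))
        state = self.models.get(model)
        target = None
        if state is not None:
            # Assumption: only registered test devices are offered a pending package.
            if device_id in self.test_devices and state.pending:
                target = state.pending
            else:
                target = state.approved
        # Compare for inequality, not "newer than": after a rollback the approved
        # version is older than what the device runs, and it must still be offered.
        if target is None or target == version:
            return {"downloads": 0}
        path = f"{model}/{target}"
        return {"downloads": 1,
                "internal_url": f"{INTERNAL_BASE}/{path}",
                "external_url": f"{EXTERNAL_BASE}/{path}"}

    def inventory(self) -> Dict[str, Tuple[str, str]]:
        """Latest (model, version) each device reported, built from the audit trail."""
        return {dev: (model, ver) for dev, model, ver in self.audit}


if __name__ == "__main__":
    svc = UpdateService()
    svc.test_devices.add("lab-phone")
    svc.upload("CPE", "1.0.100")
    svc.approve("CPE")
    svc.upload("CPE", "1.0.200")                       # pending, not yet approved
    print(svc.check("desk-1", "CPE", "1.0.100"))       # production device: nothing to do
    print(svc.check("lab-phone", "CPE", "1.0.100"))    # test device: offered 1.0.200
    svc.approve("CPE")
    print(svc.check("desk-1", "CPE", "1.0.100"))       # now offered 1.0.200
    svc.roll_back("CPE")
    print(svc.check("desk-1", "CPE", "1.0.200"))       # offered 1.0.100 again
```

The inequality test in check() is the design point: a service that only offered newer versions could never push the rolled-back image to devices that already installed the defective one.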
Introducing new models
In a situation where a new model of a UC device is introduced in the market, you want all software updates relevant for this model to be available for deployment. With Microsoft Office Communications Server Update Server, you can create new data files or documents on your SharePoint site for all new UC devices. As updates for the new model are published by Windows Updates Services, they are downloaded by the Upgrade Server ready for approval and deployment.
Removing an old model
UC devices can at times be pulled off the market, the company can stop manufacturing those devices, or you can decide to replace a particular model in your enterprise with a different model. In such situations, you want to clean up all data files associated with that model from your Upgrade Service. With Microsoft Office Communications Server Update Server, you can delete all data files or documents relating to a particular UC model from your SharePoint site.
Retrieving updates automatically or manually
You can retrieve updates for the Software Update Service automatically or manually.
Automatic Updates
If your organization has a Windows Server Update Service that is connected to the Microsoft Update Service, your Office Communications Server 2007 Software Update Service automatically receives updates for your unified communications devices.
Manual Updates
If your organization does not have a Windows Server Update Service or chooses not to connect to Microsoft Update Service, you can manually upload an upgrade using the Microsoft Web site http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=updatesite. The site is also useful if your organization is connected to the Microsoft Update Service, but the automatic updates mechanism malfunctions, Microsoft Update Service might be out of service, or there are issues connecting with the Internet.
Retrieve an inventory of devices in the organization
You can use the log files and audit information on the SharePoint Update site to get an inventory of all devices in your organization. For more information, see the Microsoft Office Communications Server 2007 Software Update Services Administration Guide.
Overview of Deployment
Deployment involves two major tasks:
• Configuring the SharePoint Server for the Software Update Service site and installing the Software Update Service component on the SharePoint site. (This installation creates the Software Update Services site.)
• Deploying the Office Communications Server 2007 Software Update Service on an Office Communications Server.
Prerequisites
Ensure that you check for the following prerequisites before you start deploying.
1. Windows SharePoint Services is installed in your environment.
2. Microsoft Office Communications Server 2007 is deployed in your environment. You must install the Software Update Service component on an Office Communications Server 2007 Standard or Enterprise Edition Server, as described earlier.
3. An existing PKI infrastructure is in place and devices are configured with a valid certificate issued from a public CA (recommended) or a private CA that allows the device to connect to the Update Service from outside the intranet.
4. If you intend to support external access to the Software Update Service to enable users with UC devices to connect to the Software Update Service from outside your intranet, you must have:
    • A supported edge topology deployed and operational in your perimeter network and remote user access enabled for users with UC devices. For more information about deploying edge servers, see the Microsoft Office Communications Server Edge Server Deployment Guide.
    • A reverse proxy in your perimeter network if you intend to support external access to the Software Update Service.
5. If your organization uses IPSec, it must be configured to run in boundary or request mode.
Dependencies for Automatic Uploads
As explained earlier, if you want to automatically receive updates, the following is required:
• Microsoft Windows Server Update Service
• Microsoft Update Service
Configuring SharePoint
Configuring SharePoint involves the following steps:
Step 1 Create the SharePoint Default Site
Step 2 Enable Anonymous User Access
Step 3 Configure Alternate Mapping Access
Step 4 Install Files for the SharePoint Server Software Update Service Component
Step 5 Create the Software Update Service SharePoint Site
Step 6 Grant Service Account Permissions to Administer the SharePoint Site
Step 7 Configure Certificates on the SharePoint Server
Step 1 Create the SharePoint Default Site (if you have not already)
Creating the default SharePoint site is part of the standard SharePoint installation process. If you have not already completed this step, use the procedure below.
To run the configuration wizard to create the default SharePoint site
1. Start the SharePoint Products and Technologies Configuration Wizard: Click Start, point to Administrative, point to Administrative Tools, and then click SharePoint Products and Technologies Configuration Wizard.
2. Click Next.
3. Click Yes, and then click Next.
4. Complete the wizard.
The default SharePoint site opens.
Step 2 Enable Anonymous User Access
Use the following procedure to enable anonymous access to the SharePoint site. Anonymous access is required to allow devices and others to connect and retrieve updates from the Software Update Service SharePoint site. You must enable anonymous access on the Authentication Providers page, but only grant permissions to the Software Update Service site (as explained later in this guide).
To enable anonymous user access to the SharePoint site
1. Open the newly created site: http://<servername>:<default central administration port>/Default.aspx. For example: http://sharepointserver1:28406/default.aspx: Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
2. Click the Application Management tab.
3. Under Application Security, click Authentication Providers.
4. On the Authentication Providers page, click Default.
5. On the Edit Authentication page, under Web Application verify that the Web site maps to the SharePoint-80 site.
6. Click the Enable anonymous access check box, and then click Save.
Step 3 Configure Alternate Mapping Access
Alternate mappings allow you to configure URLs that can be used to access your SharePoint site. For the Software Update Service, you configure alternate mappings to allow access using an HTTPS URL.
To configure alternate mapping access
1. Open SharePoint Server 3.0 Central Administration: Click Start, point to Administrative Tools, and then click SharePoint Server 3.0 Central Administration.
2. Click the Operations tab.
3. Under Global Configuration, click Alternate access mappings.
4. On the Alternate Access Mappings page, click Add Internal URLs.
5. On the Add Internal URLs page, click No Selection, and then click Change Alternate Access Mapping Collection.
6. Click SharePoint – 80.
7. On the Add Internal URLs page, under URL protocol host and port, type the https://<SharePointServer Name> URL, and click OK.
8. Repeat steps 4 – 7 and add each of the following URLs.
    http://<SharePointServer fully qualified domain name> (http URL with fully qualified domain name (FQDN) of the server)
    https://<SharePointServer fully qualified domain name> (https URL with FQDN of the server)
9. Verify that the following URLs display on the Alternate Access Mapping page.
    https://<SharePointServer Name> (https URL with computer name)
    http://<SharePointServer fully qualified Name> (http URL with fully qualified domain name (FQDN) of the server)
    https://<SharePointServer fully qualified Name> (https URL with FQDN of the server)
Step 4 Install Files for the SharePoint Server Software Update Service Component
After you have configured the necessary settings for SharePoint, install the files necessary for the update component, a module running on a SharePoint portal that functions as the repository for update images, log files, device files, and any other files that might be required as part of the update on a UC device. This module also serves as the installation point for the Web service required by the Upgrade Server.
To install the files for the Software Update Service SharePoint component
1. Log on to the SharePoint Server with an account that is a member of the local administrator’s group.
2. On the Microsoft Web site, double-click OCSSoftwareUpdateServiceSP.msi.
3. On the Welcome page, click Next.
4. On the License Agreement page, if you accept the licensing terms, click I accept the terms of the license agreement, and then click Next.
5. On the Confirm Installation page, click Next.
6. Click Close.
Verify Installation (optional)
After completing the installation wizard, verify a successful installation by ensuring that the correct files have been installed on the server and that IIS is configured properly.
File Verification
The following files should be installed at :\Program Files\Common Files\Microsoft Shared\web server extensions\12\ISAPI:
• ApprovalDs.xsd
• DocumentLibraryPath.xml
• FileDescriptor.xsd
• Microsoft.RTC.UCServer.SharePointSetup.exe
• UCUpdateService.asmx
• UCUpdateServicedisco.aspx
• UCUpdateServicewsdl.aspx
IIS Configuration
Use the following procedure to verify the proper settings in IIS.
To verify the proper configuration in IIS
1. Open Internet Information Services (IIS) Manager: Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand your server, and then expand Application pools.
3. Verify that the following nodes display:
    • SharePoint – 80
    • SharePoint Central Administration v3
4. Under Application Pools, click Web Service Extensions.
5. In the details pane, verify that Asp.NET v2.0.50727 and Windows SharePoint Services V3 display with an Allowed status.
Step 5 Create the Software Update Services SharePoint Site
After you have installed the files required for the Software Update Service component on SharePoint, run the executable to create the Software Update Service SharePoint site.
To create the SharePoint Site for the Software Update Service
1. Log on to the SharePoint Server with an account that is a member of the SharePoint Farm administrator’s group with full control and the SharePoint site collection administrator’s group or a group that has equivalent permissions.
2. On the command path, move to the following directory: C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\ISAPI\.
3. Run the following command, supplying the arguments in the order listed in Table 1:
    Microsoft.RTC.UCServer.SharePointSetup.exe <SharePoint servername> <SharePoint Central Admin Port number> <Admin UserID> <Admin Email> <password> <domain> <SharePoint port>
Table 1 Command-Line Parameters
| Arguments | Description |
| --- | --- |
| Servername | SharePoint Server name, for example http://SharepointServer1 |
| SharePoint Central Administrator Port number | TCP Port in the SharePoint Central Administration. |
| Admin UserID | This is the administrator user ID who can create the SharePoint site. |
| Admin Email | The e-mail alias for the administrator. |
| Password | The administrator password. |
| Domain | The domain on which the administrator account resides. |
| SharePoint port | The SharePoint port (TCP port of SharePoint – 80 site), port 80 |
For example:
Microsoft.RTC.UCServer.SharePointSetup.exe http://SharepointServer1 28406 ted [email protected] MyPassword corp.contoso.com 80
To verify that the SharePoint site is successfully created
1. Open the site and verify creation, for example http://sharepointserver1/sites/UCUpdateServer/default.aspx.
2. Click Documents.
3. Verify that the following document libraries are created:
   • Server
   • Logs
   • Updates
4. Verify that the DB folder is created in the Document Library Server. For example, http://sharepointserver1/sites/UCUpdateServer/Server/DB/.
5. Verify that the ConfigSettings.xml file is in the DB folder.
Step 6 Grant Service Account Permissions to Administer the SharePoint Site
After you have created the default site for the Software Update Service SharePoint component, use the following procedure to grant the service account used by Office Communications Server 2007 Web Component Server the necessary permissions to the site. This service account (RTCComponentService by default) requires full permissions to the site and must be configured as a site collection administrator.
To add the service account used
1. Open the site at http://<servername>/sites/UCUpdateServer/default.aspx. For example, http://sharepointserver1/sites/UCUpdateServer/default.aspx.
2. Click Site Actions, and then click Site Settings.
3. On the Site Settings page, under Users and Permissions, click Site Collection Administrator.
4. On the Site Collection Administrator page, next to Site Collection Administrators, type the name of the service account used by the Web Components Server. If your organization uses the default service account name, enter it (<domain>\RTCComponentService). If your organization uses a different account, enter that service account name.
5. Click OK.
6. On the Site Settings page, click Advanced Permissions.
7. On the Permissions page, click New.
8. Click Add Users.
9. Under Users and Groups, type the name of the service account used by Office Communications Server 2007 Web Components. If your organization uses the default service account name, enter it, RTCComponentService. If your organization uses a different account, enter that service account name.
10. Under Give Permissions, click Give users permissions directly, and then click Full Control – has full control.
11. Click OK.
Step 7 Configure Certificates on the SharePoint Server
To configure HTTPS access on your SharePoint Server, you need to configure a certificate for the Web site. The certificate must be a Web server certificate with a subject name that matches the FQDN of the server name. Use the following procedure to assign an existing certificate on your SharePoint Server. If you must request and assign the certificate, see the procedure immediately following this one.
To assign an existing certificate to the SharePoint Site
1. Open Internet Information Services (IIS) Manager: Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console pane, expand Websites.
3. Right-click SharePoint – 80, and then click Properties.
4. On the Web Site tab, type 443 in the SSL Port box.
5. Click the Directory Security tab.
6. Click Server Certificate.
7. On the Welcome to the Web Server Certificate Wizard screen, click Next.
8. Click Assign an existing certificate, and then click Next.
9. Under Select a certificate, select the certificate, and then click Next.
10. Select the port, and then click Next.
11. Review the Certificate Summary, and then click Next.
12. Click Finish to complete the wizard.
13. Restart IIS, and then check that all the pool and Web sites are running.
14. Open your SharePoint Server site using HTTPS: https:// /sites/UCUpdateServer/default.aspx. For example: https://sharepointserver1.contoso.com/sites/UCUpdateServer/default.aspx
To request and assign a new certificate to the SharePoint Site
1. Open Internet Information Services (IIS) Manager.
2. In the console pane, expand Websites.
3. Right-click SharePoint – 80, and then click Properties.
4. On the Web Site tab, type 443 in the SSL Port box.
5. Click the Directory Security tab.
6. Click Server Certificate.
7. On the Welcome to the Web Server Certificate Wizard page, click Next.
8. Click Create a new certificate, and then click Next.
9. On the Delayed or Immediate Request page, click Send the request immediately to an online certificate authority, and then click Next. If you are using a public certification authority (CA), you can select the option to prepare the request and then send it later.
10. On the Name and Security Settings page, type a meaningful name for the certificate, select a bit length for the certificate, and then click Next.
11. On the Organization Information page, type or select the name of your organization and organizational unit, and then click Next.
12. On the Your Site’s Common Name page, type the fully qualified name of the SharePoint Server, and then click Next.
13. On the Geographical Information page, enter location information in the Country/Region, State/Province, and City/Locality boxes. Do not use abbreviations. When you are finished, click Next.
14. On the SSL port page, accept the default port 443, and then click Next.
15. On the Choose a Certification Authority page, click your CA in the list, and then click Next.
16. On the Certificate Request Submission page, review the settings that you specified, and then click Next.
17. Click Finish.
18. Open your SharePoint Server site using HTTPS: https:// /sites/UCUpdateServer/default.aspx. For example: https://sharepointserver1.contoso.com/sites/UCUpdateServer/default.aspx
Deploying and Configuring the Software Update Service
After your SharePoint Server is fully configured, you can deploy the Software Update Service on Office Communications Server. The deployment process involves the following steps:
Step 1 Deploy the Software Update Service
Step 2 Configure Certificates on the Software Update Service
Step 3 Configure Kerberos on the Service Account
Step 4 Configuring Your Reverse Proxy
Step 5 Upload a Cab File in the Management Console
Step 6 Test Software Update Service
Prerequisites
As explained earlier, to support Office Communications Server 2007 Software Update Service, an Office Communications Server 2007 Standard Edition Server or Enterprise pool must be deployed in your organization. You must install the Office Communications Server 2007 Software Update Service on one of the following:
• Office Communications Server 2007 Standard Edition
• Office Communications Server 2007 Enterprise Edition Server in a pool in the consolidated configuration
• Office Communications Server 2007 Web Components Server (the server running IIS) in a pool in the expanded configuration
Step 1 Deploying the Software Update Service
Deploying the Software Update Service involves two processes:
• Installing Software Update Service files on the local computer
• Activating the Software Update Service on the local computer
Installing the Software Update Service on Office Communications Server
Use the following procedure to install the files locally on the server where you plan to deploy the Software Update Service.
To install the Update Server
1. Log on to your Office Communications Server with an account that is a member of the local administrators group or has equivalent permissions.
2. Access the Microsoft Web site to download the Software Update Service.
3. Double-click OCSSoftwareUpdateService.msi.
4. On the Welcome page, click Next.
5. On the License Agreement page, if you agree to the terms, click I accept the terms in the license agreement, and then click Next.
6. On the Confirm Installation page, click Next.
7. Click Close to complete the installation.
Activate the Software Update Service
Use the following procedure to activate the Software Update Service.
To activate the Software Update Service
1. Log on to your server with an account that is a member of the RTCUniversalServerAdmins group and the local administrators group.
2. Open a command prompt.
3. Navigate to the \Program Files\Microsoft Office Communications Server 2007\Web Components\UC Device Updates\CommonFiles directory.
4. Type the following command:
   • For a Standard Edition Server
     cscript ConfigUpdatesServer.vbs /Action:Activate /InternalUpdatesStoreURL:https:///sites/ucupdateserver /ExternalUpdatesStoreURL:https://<externalSharePointFQDN>/sites/ucupdateserver /user:RTCComponentService /Password:<password> /ExternalWebfqdn:<External FQDN of Web farm>
   • For an Enterprise pool
     cscript ConfigUpdatesServer.vbs /Action:Activate /InternalUpdatesStoreURL:https:///sites/ucupdateserver /ExternalUpdatesStoreURL:https://<externalSharePointFQDN>/sites/ucupdateserver /user:RTCComponentService /Password:<password> /ExternalWebfqdn:<External FQDN of Web farm> /guest: /guestpassword:<password>
where:
• InternalUpdatesStoreURL is the internal URL used to access the SharePoint Update site from inside the intranet.
• ExternalUpdatesStoreURL is the external URL link to the SharePoint Update site from inside the intranet. Use the following format: https://<ExternalFQDN>/sites/ucupdateserver.
• ExternalWebfqdn is the FQDN that devices use to connect to the Software Update Service from outside the intranet. Use the following format: <external server FQDN>. For a Note:
• User identifies the service account under which Office Communications Server 2007 Web Components is run. The default service account is RTCComponentService.
• Password is the password for the service account.
• guest is the guest user account used in Office Communications Server (the default account is RTCGuestAccessUser) or it can be any domain user.
• guestpassword is the password for the guest user account.
Step 2 Configuring Certificates on the Software Update Service
Use the following procedure to configure the Web certificate required for HTTPS access on the Software Update Service running on Office Communications Server. You can use the same certificate that you assigned on the Web Components Server role when you set up Office Communications Server.
To configure a certificate on the Update Server
1. Log on to Update Server with an account that is a member of the local administrators group.
2. Open Internet Information Services (IIS) Manager.
3. Expand Web Sites.
4. Right-click Default Web Site, and then click Properties.
5. On the Web Site tab, verify that 443 is entered in the SSL Port box.
6. Click the Directory Security tab.
7. Click Server Certificate.
8. On the Certificate Wizard page, select Next.
9. Select Assign an existing certificate, and then click Next.
10. Select the existing certificate, and then click Next.
11. Under SSL port this web site should use, verify that 443 is entered, and then click Next.
12. Review the Certificate Summary, and then click Next.
13. Click Finish to close the wizard.
14. Restart Microsoft Internet Information Services, and then verify that all pools and Web sites are running.
Step 3 Configure Kerberos on the Service Account
For administrators to access the Management Console, you must configure the service account used by Web Components Server to use Kerberos authentication. When the service account is configured to use Kerberos, it automatically prompts the administrator for a user name and password and enables them to access the site (if authorized).
To configure Kerberos on the Service Account
1. Download the SetSPN_Setup.exe from the following location: http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=setspn.
2. Double-click SETSPN_Setup.exe.
3. Navigate to the directory where SETSPN is installed. If you install it from the location in step 1, the directory is :\Program Files\Resource Kit.
4. Open a command prompt, and then type the following command.
   setspn -A HTTP/[FQDN] [Domain]\<service account used by Web Components (default name is RTCComponentService)>
   You should receive an output similar to the following.
   Registering ServicePrincipalNames for CN=Admin,OU=Users,OU=all users,DC=corp,DC=contoso,DC=com
   HTTP/server1.corp.contoso.com
   Updated object
5. Restart IIS.
6. Open the following URLs to ensure that connectivity to the Management Console works.
   https:///RequestHandler/ucdevice.upx
   https:// <:///MgmtConsole/ApprovalProcess.aspx
Step 4 Configure Your Reverse Proxy (For External Access Only)
To enable devices to connect to the Software Update Service from outside your organization’s firewall, a Microsoft Internet Security and Acceleration (ISA) Server or other reverse proxy in the perimeter network is required. The following table shows the specific directories used by the Web components for the Software Update Service. We recommend configuring your HTTP reverse proxy to use all directories.
Table 2 Directories Used by Web Components Server
| Directory | Use |
| --- | --- |
| https://<external server FQDN>/RequestHandler/ucdevice.upx | The external URL to the Web Components Server running Software Update Service |
| https://<ExternalFQDN>/sites/ucupdateserver Note: This directory is not accessible from the outside because it does not allow anonymous access. UC devices use a fully qualified path to the specific update they require. | The external URL for the SharePoint Update site |
The detailed steps in this section describe how to configure an ISA 2006 server as a reverse proxy. If you are using a different reverse proxy, consult the documentation for that product. If you already have an ISA Server or another reverse proxy configured for external user access for Office Communications Server, proceed to Request and Configure a Certificate for Your Reverse HTTP Proxy.
You can use the information in this section to set up ISA as the reverse proxy, which requires completing the following procedures.
• Configure Network Adapters
• Install ISA Server 2006
• Request and Configure a Certificate for Your Reverse Proxy
• Configure Web Publishing Rules
• Verify or Configure Authentication
• Create a DNS Record
• Verify Access through Your Reverse Proxy
ISA Server uses Web publishing rules to securely publish internal resources, such as a meeting URL, over the Internet. Publishing information to Internet users makes computing resources inside the internal network available to users outside the network.
Configure Network Adapters
You must assign one or more IP addresses to the external network adapter and at least one IP address to the internal network adapter. For information about deploying ISA Server with a single network adapter, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at the Microsoft TechNet Web site. This document also applies to ISA Server 2006. In the following procedures, the ISA Server computer has two network adapters:
• A public, or external, network adapter, which is exposed to the clients that attempt to connect to your Web site (usually over the Internet)
• A private, or internal, network interface, which is exposed to the internal Web servers to which outside users connect
To configure the network adapter cards on the reverse proxy computer
1. On the server running ISA Server 2006, open Network Connections. Click Start, point to Settings, and then click Network Connections.
2. Right-click the external network connection to be used for the external interface, and then click Properties.
3. On the Properties page, click the General tab, click Internet Protocol (TCP/IP) in the This connection uses the following items list, and then click Properties.
4. On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses and DNS server addresses as appropriate for the network to which the network adapter is attached.
5. Click OK twice.
6. In the Network Connections dialog box, right-click the internal network connection to be used for the internal interface, and then click Properties.
7. Repeat steps 3 through 5 to configure the internal network connection.
Install ISA Server 2006
• Install ISA Server 2006 according to the setup instructions included with the product. For more information about installing ISA Server, see Microsoft ISA Server 2006 - Getting Started at the Microsoft TechNet Web site.
Note After completing the ISA Server setup, a default access rule denying traffic to all network resources is present. You need to configure your firewall rules as defined in the previous procedure to resolve this denial.
Request and Configure a Certificate for Your Reverse HTTP Proxy
The root CA certificate for the CA that issued the server certificate on the Web server (the IIS server running your Office Communications Server Web Components) needs to be installed on the server running ISA Server 2006. This certificate should match the published FQDN of the external Web farm where you are hosting the Software Update Service (the external FQDN of the Web Components servers).
• You must install a Web server certificate on your ISA Server. This certificate should match the published FQDN of your external Web farm where you are hosting the Software Update Service.
• If your internal deployment consists of more than one Standard Edition server or Enterprise pool, you must configure Web publishing rules for each external Web farm FQDN.
Configure Web Publishing Rules
Use the following procedure to create Web publishing rules.
Note This procedure assumes that ISA Server 2006 Standard Edition is installed.
To create a Web server publishing rule on the ISA Server 2006 computer
1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. In the left pane, expand ServerName, right-click Firewall Policy, point to New, and then click Web Site Publishing Rule.
3. On the Welcome to the New Web Publishing Rule page, enter a friendly name for the publishing rule, and then click Next. For example, the name of the rule can be OfficeCommunicationsWebDownloadsRule.
4. On the Select Rule Action page, select Allow, and then click Next.
5. On the Publishing Type page, select Publish a single Web site or load balancer, and then click Next.
6. On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm, and then click Next.
7. On the Internal Publishing Details page, enter the FQDN of the internal Web farm that hosts the Software Update Service in the Internal Site name box, and then click Next.
8. On the Internal Publishing Details page, enter /* as the path of the folder to be published in the Path (optional) box, and then click Next.
   Note The ISA Server must be able to resolve the FQDN to the IP address of the internal Web server. If the ISA Server is not able to resolve the FQDN to the proper IP address, you can select Use a computer name or IP address to connect to the published server, and then enter the IP address of the internal Web server in the Computer name or IP address box. If you do this, you must ensure that the ISA Server has port 53 opened and can reach an internal DNS server or a DNS server that resides in the perimeter network.
   • If your internal server is a Standard Edition, this FQDN is the Standard Edition server FQDN.
   • If your internal server is an Enterprise pool, this FQDN is the internal Web farm FQDN.
   Note In the Web site publishing wizard you can only specify one path. Additional paths can be added by modifying the properties of the rule.
9. On the Publish Name Details page, confirm that This domain name is selected for Accept Requests for, type the external Web farm FQDN for the Software Update Service in the Public Name box, and then click Next.
10. On the Select Web Listener page, click New to create a new Web listener.
11. On the Welcome to the New Web Listener Wizard page, type a name for the Web listener in the Web listener name box, and then click Next. For example, type Web Servers.
12. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.
13. On the Web Listener IP Address page, select External, and then click Select IP Addresses.
14. On the External Listener IP selection page, select Specified IP address on the ISA Server computer in the selected network, select the appropriate IP address, click Add, and then click OK.
15. Click Next.
16. On the Listener SSL Certificates page, select Assign a certificate for each IP address, select the IP address you just added, and then click Select Certificate.
17. On the Select Certificate page, select the certificate that matches the public name specified in step 10, click Select, and then click Next.
18. On the Authentication Setting page, select No Authentication, and then click Next.
19. On the Single Sign On Setting page, click Next.
20. On the Completing the Web Listener Wizard page, review the Web listener settings, and then click Finish.
21. Click Next.
22. On the Authentication Delegation page, select No delegation, but the client might authenticate directly, and then click Next.
23. On the User Set page, click Next.
24. On the Completing the New Web Publishing Rule Wizard page, review the Web publishing rule settings, and then click Finish.
25. In the details pane, click Apply to save the changes and update the configuration.
To create a Web server publishing rule on the ISA Server 2006 computer for the SharePoint site
1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. In the left pane, expand ServerName, right-click Firewall Policy, point to New, and then click Web Site Publishing Rule.
3. On the Welcome to the New Web Publishing Rule page, enter a friendly name for the publishing rule, and then click Next. For example, the name of the rule can be OfficeCommunicationsWebDownloadsRule.
4. On the Select Rule Action page, select Allow, and then click Next.
5. On the Publishing Type page, select Publish a single Web site or load balancer, and then click Next.
6. On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm, and then click Next.
7. On the Internal Publishing Details page, enter the internal FQDN of the SharePoint Server hosting the Software Update Service site in the Internal Site name box, and then click Next.
8. On the Internal Publishing Details page, enter /* as the path of the folder to be published in the Path (optional) box, and then click Next.
   Note The ISA Server must be able to resolve the FQDN to the IP address of the internal Web server. If the ISA Server is not able to resolve the FQDN to the proper IP address, you can select Use a computer name or IP address to connect to the published server, and then in the Computer name or IP address box, enter the IP address of the internal Web server. If you do this, you must ensure that the ISA Server has port 53 opened and can reach an internal DNS server or a DNS server that resides in the perimeter network.
   Note In the Web site publishing wizard you can only specify one path. Additional paths can be added by modifying the properties of the rule.
9. On the Publish Name Details page, confirm that This domain name is selected for Accept Requests for, type the external FQDN for the SharePoint Server hosting the Software Update Service site in the Public Name box, and then click Next.
10. On the Select Web Listener page, click New to create a new Web listener.
11. On the Welcome to the New Web Listener Wizard page, type a name for the Web listener in the Web listener name box, and then click Next. For example, type Web Servers.
12. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.
13. On the Web Listener IP Address page, select External, and then click Select IP Addresses.
14. On the External Listener IP selection page, select Specified IP address on the ISA Server in the selected network, select the appropriate IP address, click Add, and then click OK.
15. Click Next.
16. On the Listener SSL Certificates page, select Assign a certificate for each IP address, select the IP address you just added, and then click Select Certificate.
17. On the Select Certificate page, select the certificate that matches the public name specified in step 9, click Select, and then click Next.
18. On the Authentication Setting page, select No Authentication, and then click Next.
19. On the Single Sign On Setting page, click Next.
20. On the Completing the Web Listener Wizard page, review the Web listener settings, and then click Finish.
21. Click Next.
22. On the Authentication Delegation page, select No delegation, but the client might authenticate directly, and then click Next.
23. On the User Set page, click Next.
24. On the Completing the New Web Publishing Rule Wizard page, review the Web publishing rule settings, and then click Finish.
25. In the details pane, click Apply.
To modify the properties of the Web publishing rule
1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. In the left pane, expand ServerName, and then click Firewall Policy.
3. In the details pane, right-click the secure Web server publishing rule that you created in the previous procedure (for example, OfficeCommunicationsServerExternal Rule), and then click Properties.
4. On the Properties page, click the From tab, and then:
   • In the This rule applies to traffic from these sources list, click Anywhere, and then click Remove.
   • Click Add.
   • In the Add Network Entities dialog box, expand Networks, click External, click Add, and then click Close.
5. If you need to publish another path on the Web server, click the Paths tab.
6. Click Add, type /* for the path to be published, and then click OK.
7. Click Apply to save changes, and then click OK.
8. In the details pane, click Apply to save the changes and update the configuration.
Verify or Configure Authentication and Certification on IIS Virtual Directories
Use the following procedure to configure certification on your IIS virtual directories or verify that the certification is configured correctly.
To verify or configure authentication and certification on IIS virtual directories
Note Perform the following procedure on each IIS Server in your internal Office Communications Server. The following procedure is for the default Web site in IIS.
1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand ServerName, and then expand Web Sites.
3. Right-click <default or selected> Web Site, and then click Properties.
4. On the Web Site tab, ensure that the port number is 443 in the SSL port box, and then click OK.
5. On the Directory Security tab, click Server Certificate under Secure communications. This opens the Welcome to the Web Server Certificate Wizard.
6. Click Next.
7. On the Server Certificate page, click Assign an existing certificate, and then click Next.
8. On the SSL Port page, ensure that the value is 443 in the SSL port this Web site should use box, and then click Next.
9. On the Certificate Summary page, verify that settings are correct, and then click Next.
10. Click Finish.
11. Click OK to close the Default Web Site Properties dialog box.
Create a DNS Record
Create an external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The device uses this record to connect to the reverse proxy.
Verify Access through Your Reverse Proxy
Use the following procedure to verify that your users can access information on the reverse proxy. You might need to complete the firewall configuration and DNS configuration before access works correctly.
To verify that you can access the Web site through the Internet
1. Access your internal SharePoint Software Update Service site.
2. Under Updates, click UCPhone.
3. Select a vendor folder, select a model folder, select the hardware revision and software locale, and then select the update type.
4. At the specific folder containing the update, right-click one of the update files, and then click Properties.
5. In the Properties dialog box, copy the URL in the Address field, and then paste it into a browser. The URL looks similar to the following example.
   http:///sites/UCUpdateServer/Updates/UCPhone/Polycom/CX700/A/ENU/CPE/CPE.cat
6. Change internalSharePointFQDN to the external FQDN of the SharePoint Server, so your URL appears as follows:
   http://<externalSharePointServerFQDN>/sites/UCUpdateServer/Updates/UCPhone/Polycom/CX700/A/ENU/CPE/CPE.cat
7. From outside your intranet, open a browser and ensure you can access the URL.
Step 5 Upload a Cabinet File in the Management Console (Optional)
If your organization is connected to Microsoft Update Service, cab files containing metadata about available updates are automatically downloaded to your Software Update Service. However, if your organization chooses not to connect directly to the Microsoft Update Service, you can manually upload a file to the Office Communications Server 2007 Software Update Service.
To upload a cab file
1. Log on to the Office Communications Server 2007 running the Software Update Service.
2. Open the URL https:// /MgmtConsole/upload.aspx.
3. Access the UCUpdates.cab file using the Microsoft Web site http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=OCSupdate. Extract the cabinet file to a local directory.
4. Browse to the file, and then click Upload.
Step 6 Test Software Update Service
After you have configured your Software Update Service on Office Communications Server, you can test the Software Update Service by adding a test device and using the audit logs to ensure that the correct information is sent to the device. Testing the Software Update Service involves the following three steps:
Step 6.1 Add a Test Device
Step 6.2 Restart your Device
Step 6.3 Verify the Audit Logs
Step 6.1 Add a Test Device
Use the following procedure to add a test device.
To add a test device
1. Open the Management Console: Open a browser and type https://< /MgmtConsole/default.aspx.
2. Click the Test Devices tab.
3. Click Add a new test device.
4. Under Friendly name, enter a meaningful name for the device.
5. Under Type, select Mac Address or Serial Number.
6. Under Unique identifier, enter the Mac address or serial number.
7. Click Save.
Step 6.2 Restart Your Device
After you have configured the device as a test device, restart the device so that it logs in to the pool or Standard Edition server and receives information about how to contact the Software Update Service.
Step 6.3 Verify the Audit Logs
Use the following procedure to verify that the Software Update Service correctly connected with your test device and sent valid information.
To verify the audit logs
1. Open the Update Site on your SharePoint Services: Open a browser and type http:///sites/UCUpdateServer/default.aspx/.
2. Under Documents, click Logs.
3. On the Logs page, click the Server folder.
4. Click the Audit Folder.
5. Click the ImageUpdates Folder.
6. Open the current audit log.
7. Verify that you see responses similar to the following. Reading these files is easier in Notepad with Word Wrap turned off.
The following request does not receive a response from the server because the device is running the current version.
09/04/2007 16:11:35,,10.35.46.89,UCPhone,9/4/2007 4:10:53 PM,"001B9E2CC7B4","1108009636","","<Model>","","<Software locale>",cpe.nbt;1.0.469.0;9/4/2007 6:07:42 PM,
The following request receives a response from the Software Update Service because the device is running an older version.
Logging DateTime,User Name,User Host Address,Device Type,Request DateTime,Mac Address,Serial Number,Vendor,Model,Revision,Locale,Requested[# Seperated for Multiple],Response[# Seperated for Multiple]
09/04/2007 15:54:35,[email protected],10.35.46.136,UCPhone,9/4/2007 3:53:54 PM,"001B9E2CC7DB","1108009675","","CPE","A","ENU",cpe.nbt;1.0.466.0;8/31/2007 8:15:08 PM, https://SharePointServer1.contoso.com/sites/ucupdateserver/Updates/UCPhone//<Model>//<Software Locale>/CPE/CPE.nbt;1.0.469.0;9/4/2007 6:07:42 PM
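The audit log check in Step 6.3 can be automated. The following Python sketch is an added example, not part of the original guide or of the product: it parses lines in the column order of the header above and reports, per device, whether an update was offered, whether the offered file is newer than the requested one, and whether the download URL points at an expected update store. The sample lines, the host allowlist and the status names are constructed for illustration.

```python
import csv
import io
from urllib.parse import urlsplit

# Column order follows the audit log header line shown in this guide.
COLUMNS = ["logged", "user", "host", "device_type", "requested_at", "mac", "serial",
           "vendor", "model", "revision", "locale", "requested", "response"]

# Constructed sample lines modelled on the guide's examples (not real log data).
SAMPLE_LOG = '''\
09/04/2007 16:11:35,,10.35.46.89,UCPhone,9/4/2007 4:10:53 PM,"001B9E2CC7B4","1108009636","","CPE","A","ENU",cpe.nbt;1.0.469.0;9/4/2007 6:07:42 PM,
09/04/2007 15:54:35,user1@contoso.com,10.35.46.136,UCPhone,9/4/2007 3:53:54 PM,"001B9E2CC7DB","1108009675","","CPE","A","ENU",cpe.nbt;1.0.466.0;8/31/2007 8:15:08 PM, https://SharePointServer1.contoso.com/sites/ucupdateserver/Updates/UCPhone/CPE/A/ENU/CPE/CPE.nbt;1.0.469.0;9/4/2007 6:07:42 PM
09/04/2007 17:02:10,user2@contoso.com,10.35.46.140,UCPhone,9/4/2007 5:01:30 PM,"001B9E2CC7E0","1108009700","","CPE","A","ENU",cpe.nbt;1.0.469.0;9/4/2007 6:07:42 PM,https://files.example.net/Updates/CPE.nbt;1.0.466.0;8/31/2007 8:15:08 PM
'''

def parse_items(field):
    """Split a Requested/Response field into (name_or_url, version_tuple, timestamp)."""
    items = []
    for part in field.split("#"):            # '#' separates multiple entries
        pieces = [p.strip() for p in part.rsplit(";", 2)]
        if len(pieces) != 3:
            continue                          # empty or malformed entry
        version = tuple(int(n) for n in pieces[1].split("."))
        items.append((pieces[0], version, pieces[2]))
    return items

def audit(log_text, allowed_hosts):
    """Return (mac, status, url) for every request in the log."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != len(COLUMNS) or row[0].startswith("Logging"):
            continue                          # skip blank lines and the header
        rec = dict(zip(COLUMNS, (cell.strip() for cell in row)))
        requested = {name.lower(): ver for name, ver, _ in parse_items(rec["requested"])}
        offers = parse_items(rec["response"])
        if not offers:                        # empty Response: device is current
            findings.append((rec["mac"], "current", ""))
            continue
        for url, version, _ in offers:
            parts = urlsplit(url)
            file_name = parts.path.rsplit("/", 1)[-1].lower()
            if (parts.hostname or "") not in allowed_hosts:
                status = "unexpected-source"  # URL is not on the expected update store
            elif file_name not in requested:
                status = "unrequested-file"
            elif version <= requested[file_name]:
                status = "not-newer"          # offered version is not an upgrade
            else:
                status = "update-offered"
            findings.append((rec["mac"], status, url))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, {"sharepointserver1.contoso.com"}):
        print(finding)
```

A "not-newer" result is expected after a deliberate rollback; any other non-"current", non-"update-offered" status deserves a look before the test device is promoted.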
Appendix A: Troubleshooting
This appendix lists possible conditions or problems you might encounter and the recommended resolutions.
Service Account Is Changed in Office Communications Server
Use the following procedure if you change the name of the service account used by the Web Components in Office Communications Server. The default service account name is RTCComponentService.
1. If the Office Communications Server changes, execute the activation command.
2. Open a command prompt.
3. Move to the \Program Files\Microsoft Office Communications Server 2007\Web Components\UC Device Updates\CommonFiles directory.
4. Type the following:
• For a Standard Edition Server
cscript ConfigUpdatesServer.vbs /Action:Activate /InternalUpdatesStoreURL:https:///sites/ucupdateserver /ExternalUpdatesStoreURL:https://<externalSharePointFQDN>/sites/ucupdateserver /user:RTCComponentService /Password:<password> /ExternalWebfqdn:<External FQDN of Web farm>
• For an Enterprise pool
cscript ConfigUpdatesServer.vbs /Action:Activate /InternalUpdatesStoreURL:https:///sites/ucupdateserver /ExternalUpdatesStoreURL:https://<externalSharePointFQDN>/sites/ucupdateserver /user:RTCComponentService /Password:<password> /ExternalWebfqdn:<External FQDN of Web farm> /guest: /guestpassword:******
where:
• InternalUpdatesStoreURL is the internal URL used to access the SharePoint Update site from inside the intranet.
• ExternalUpdatesStoreURL is the external URL link to the SharePoint Update site from inside the intranet.
• ExternalWebfqdn is the FQDN that devices use to connect to the Software Update Service from outside the intranet.
• User identifies the service account under which Office Communications Server 2007 Web Components Server is run. The default service account is RTCComponentService.
• Password is the password for the service account.
• guest is the guest user account used in Office Communications Server (the default account is RTCGuestAccessUser) or it can be any domain user.
• guestpassword is the password for the guest user account.
5. If the SharePoint Server changes, add the new account to the SharePoint site administrator.
Server Name and Port Changes
Office Communications Server Changes
Office Communications Server names change after installation of Office Communications Server. Changing the FQDN of the Office Communications Server after deployment is not supported. If you do recreate your server by changing the name, you must deactivate and uninstall Office Communications Server. By default, the port cannot be changed in the Office Communications Server. It always runs on the default port.
SharePoint Server Changes
Changing the SharePoint Server name after installing Windows SharePoint Server 3.0 is not recommended.
If you change the port setting for a SharePoint site, use the following steps to update other settings:
1. The corresponding port changes should be updated in the Alternate Access Mapping.
2. Verify that the port has the correct certificate installed.
3. Update the URL details in the WMI entries.
Problems Creating the Update Site on SharePoint
Use the following section to troubleshoot problems creating the Software Update Service site on SharePoint Server.
1. If the SharePoint Server changes, run Microsoft.RTC.UCServer.SharePointSetup.exe <SharePoint servername> <SharePoint Central Admin Port number> <password> <domain> <SharePoint port>.
Table 3: Command-Line Parameters
Argument | Description
Servername | The SharePoint Server name, for example http://TanjayTestSPS.
SharePoint Central Administrator Port number | The TCP port in the SharePoint Central Administration.
Admin UserID | The user ID of the administrator who can create the SharePoint site.
Admin Email | The e-mail alias for the administrator.
Password | The administrator password.
Domain | The domain on which the administrator account resides.
SharePoint port | The SharePoint port (TCP port of SharePoint – 80 site).
For example: Microsoft.RTC.UCServer.SharePointSetup.exe http://SharePointServer1:28406 Admin [email protected] ******* corp.contoso.com 80
2. If you encounter a site creation error with Operation Time Out, run the same command and during the setup process, choose option 2 to delete the partially created site.
Problems Deleting a SharePoint Site
Use the following section to troubleshoot problems deleting a SharePoint site.
1. Open the SharePoint Central Administration Site.
2. Open the Application Management.
3. In SharePoint Web Application Management, click Delete Web Application.
4. Select the Web application that is not getting deleted, and then click Delete the Site.
5. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Products and Technologies Configuration Wizard.
6. Reconfigure the default settings.
7. After successfully deleting the site, try to recreate it.
8. If the site cannot be deleted, see SharePoint Services troubleshooting information.
Problems with Anonymous Access or Permissions on the Document Library Folder
If you encounter problems with anonymous access to the SharePoint site or general problems accessing Document Library or other folders on the SharePoint site, use the following steps to ensure that anonymous access is enabled:
To grant anonymous users read access
1. Open the site at http://<servername>/sites/UCUpdateServer/default.aspx. For example, http://sharepointserver1/sites/UCUpdateServer/default.aspx.
2. Click Site Actions, and then click Site Settings.
3. On the Site Settings page, click Advanced Permissions under Users and Permissions.
4. On the Permissions page, click Anonymous Access in the Settings list.
5. On the Change Anonymous Access page, select Lists and Libraries under Anonymous users can access, and then click OK.
6. On the Permissions: Updates Server page, click Documents.
7. On the All Site Content page, click Updates.
8. On the Updates page, click Settings, and then click Document Library Settings.
9. On the Customize Updates page, click Permissions for this document library.
10. On the Permissions Updates page, click Settings, and then click Anonymous Access.
11. On the Change Anonymous Access Settings: Updates page, select the View Items check box, and then click OK.
Appendix B: Configuring RoundTable for the Software Update Service
This appendix describes how to configure a Microsoft RoundTable device to use the Software Update Service. Before starting, make sure that you have a supported version of Office InfoPath installed: Office InfoPath 2003 or Office InfoPath 2007.
To apply new settings to a Microsoft RoundTable device
1. In the %ProgramFiles%\Microsoft RoundTable\DeviceManagement\ directory, double-click DeviceConfig.xsn to start the InfoPath form. The following figure shows a portion of this form.
2. After you change the settings to suit your particular installation, save the configuration (as RTConfig.xml, for example) to the same directory as Rtmanage.exe. The section following this procedure provides details of the InfoPath configuration form.
3. Open a command prompt, change the directory to %ProgramFiles%\Microsoft RoundTable\DeviceManagement\, and then type the following command line.
Rtmanage.exe -m:img -i:config -f:RTConfig.xml
4. Check for any XML parsing errors by running this command.
Rtmanage.exe -m:cfg -q:cfgparseresult
5. If there are no errors, proceed to the next step. Otherwise fix the errors and repeat from step 3.
6. Restart the device by running this command line.
Rtmanage.exe -m:cfg -r
Table 1. Software Updates Settings
Field | Description | Factory default
Automatically update using the image update server | Selected or cleared. If this check box is selected, automatic image updates are enabled. | Selected
Exclude configuration file from automatic update | Selected or cleared. If this check box is selected, the configuration file is excluded from automatic update. | Cleared
Update time | The time of the day at half-hour intervals. | 3:30 A.M. local time
Update interval | Every day, Every Sunday, Every Monday, Every Tuesday, Every Wednesday, Every Thursday, Every Friday, Every Saturday | Every day
Server | The name of the update server. | Ucupdates
Port | The port for device-server communication. | 80
Uniform resource identifier path | The URI path on the server with which to communicate. | (empty string)
Configuring Device-Specific Updates for RoundTable
Occasionally, an update may be required for a specific RoundTable device. Software Update Service allows you to configure device-specific updates for RoundTable so that these devices can identify themselves by their serial number, and the Software Update Service can then send any device-specific updates required.
To configure Software Update Service to send RoundTable device-specific updates:
1. You must manually create a folder in the Updates Folder under the RoundTable folder on the SharePoint site, called DeviceSpecificUpdates.
2. For each deployed RoundTable in your organization, create a folder with the serial number of the device.
3. When the RoundTable device connects to the Software Updates Service, the Software Updates Service will send an updated configuration file or any other files for the device (if it is required).
4. The following shows an example of the configuration file. The portion in bold is specific to a particular device.
<mstns:RoundTable xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:msdata="urn:schemas-microsoft-com:xml-msdata"
    xmlns:mstns="http://www.microsoft.com/RoundTable/DeviceManagement/RoundTable.xsd"
    xmlns:xd="http://schemas.microsoft.com/office/infopath/2003">
<mstns:RoomSettings mstns:RoomName="Example" mstns:RoomSize="Medium" mstns:TableSize="10'x5'" mstns:Lighting="Normal" mstns:TextField1="" mstns:TextField2="" mstns:TextField3="">
<mstns:NetworkSettings mstns:DeviceName="Example1" mstns:DHCPEnabled="true" mstns:IPAddress="" mstns:SubnetMask="" mstns:DefaultGateway="" mstns:PreferredDNSServer="" mstns:AlternateDNSServer="">
<mstns:TimeSettings mstns:TimeZone="Pacific Standard Time" mstns:DaylightSaving="true">
<mstns:DisplaySettings mstns:DisplayLanguage="English" mstns:ScreenSaverText="">
<mstns:TelephonySettings mstns:PhoneNumber="" mstns:FlashTiming="700" mstns:DialWithoutToneDetection="Off">
<mstns:SoftwareUpdatesSettings mstns:UseAutoUpdate="true" mstns:ExcludeConfig="false" mstns:UpdateTime="03:30:00" mstns:UpdateInterval="Everyday" mstns:Server="UpdateServer1.Domain1.Forest1.Contoso.com" mstns:Port="80" mstns:Uri="/RequestHandler/ucdevice.upx">
<mstns:LogSettings mstns:LogToServer="true" mstns:UploadTime="12:30:00" mstns:UploadInterval="Every hour" mstns:MaxLogSizeInMemory="1024" mstns:Server="UpdateServer1.Domain1.Forest1.Contoso.com" mstns:Port="80" mstns:Uri="/RequestHandler/ucdevice.upx">
<mstns:PowerManagementSettings mstns:LCDBacklightOff="5">
<mstns:AdvancedSettings mstns:SpeakerDetectionAlgorithm="AudioVideoSpeakerSelection" mstns:SpeakerSwitchingFrequency="Normal" mstns:WhiteBalanceSetting="Auto" mstns:LightTemperature="4100K">
<mstns:DebugSettings mstns:AudioSetting="Off" mstns:VideoSetting="Off" mstns:System="Off" mstns:ExtendedProperties="">
<mstns:SpeedDials>
<mstns:SpeedDial mstns:Name=""
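Before a configuration file is pushed to a device with Rtmanage.exe or placed in a serial-number folder, its update settings can be checked offline. The following Python sketch is an added example, not part of the original guide or of the RoundTable tools: it confirms that the file is well-formed XML and checks the SoftwareUpdatesSettings attributes against Table 1. The sample file is constructed and shortened, and the rules (lowercase true/false, a URI that is empty or starts with "/") are assumptions drawn from the sample above, not the device's own schema validation.

```python
import re
import xml.etree.ElementTree as ET

# Namespace URI as it appears in the guide's sample configuration file.
NS = "http://www.microsoft.com/RoundTable/DeviceManagement/RoundTable.xsd"

# Constructed, shortened configuration modelled on the guide's sample.
# Assumption: SoftwareUpdatesSettings sits somewhere below the RoundTable root.
SAMPLE_CONFIG = f'''<mstns:RoundTable xmlns:mstns="{NS}">
  <mstns:SoftwareUpdatesSettings mstns:UseAutoUpdate="true" mstns:ExcludeConfig="false"
      mstns:UpdateTime="03:30:00" mstns:UpdateInterval="Everyday"
      mstns:Server="UpdateServer1.Domain1.Forest1.Contoso.com" mstns:Port="80"
      mstns:Uri="/RequestHandler/ucdevice.upx"/>
</mstns:RoundTable>
'''

def check_update_settings(xml_text):
    """Return a list of problems found in the SoftwareUpdatesSettings element."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:              # truncated or malformed file
        return [f"not well-formed XML: {exc}"]
    node = root.find(f".//{{{NS}}}SoftwareUpdatesSettings")
    if node is None:
        return ["SoftwareUpdatesSettings element is missing"]

    def attr(name):
        # Attributes in the sample carry the mstns namespace prefix.
        return node.get(f"{{{NS}}}{name}", "").strip()

    problems = []
    for flag in ("UseAutoUpdate", "ExcludeConfig"):
        if attr(flag) not in ("true", "false"):
            problems.append(f"{flag} must be true or false, got {attr(flag)!r}")
    # Table 1: update time is a time of day at half-hour intervals.
    if not re.fullmatch(r"([01]\d|2[0-3]):(00|30):00", attr("UpdateTime")):
        problems.append("UpdateTime is not a half-hour time of day")
    if not attr("Port").isdigit() or not 1 <= int(attr("Port")) <= 65535:
        problems.append("Port is not a TCP port number")
    if attr("UseAutoUpdate") == "true" and not attr("Server"):
        problems.append("automatic update is enabled but Server is empty")
    if attr("Uri") and not attr("Uri").startswith("/"):
        problems.append("Uri must be empty or start with '/'")
    return problems

if __name__ == "__main__":
    print(check_update_settings(SAMPLE_CONFIG) or "no problems found")
```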
Appendix C: Manually Configuring the URLs Used by the Software Update Service
After installing the Software Update Service, if you need to change the URLs used by the Software Update Service, you can modify the URLs in the following ways.
Update the SharePoint Update Site URL
To update the URL used by the SharePoint Update site, you can rerun the activation script and update the InternalUpdatesStoreURL and the ExternalUpdatesStoreURL parameters to change the SharePoint site URLs:
• For a Standard Edition Server
cscript ConfigUpdatesServer.vbs /Action:Activate /InternalUpdatesStoreURL:https:///sites/ucupdateserver /ExternalUpdatesStoreURL:https://<externalSharePointFQDN>/sites/ucupdateserver /user:RTCComponentService /Password:<password> /ExternalWebfqdn:<External FQDN of Web farm>
• For an Enterprise pool
cscript ConfigUpdatesServer.vbs /Action:Activate /InternalUpdatesStoreURL:https:///sites/ucupdateserver /ExternalUpdatesStoreURL:https://<externalSharePointFQDN>/sites/ucupdateserver /user:RTCComponentService /Password:<password> /ExternalWebfqdn:<External FQDN of Web farm> /guest: /guestpassword:******
where:
• InternalUpdatesStoreURL is the internal URL used to access the SharePoint Update site from inside the intranet.
• ExternalUpdatesStoreURL is the external URL link to the SharePoint Update site from inside the intranet. Use the following format: https://<ExternalFQDN>/sites/ucupdateserver.
• ExternalWebfqdn is the FQDN that devices use to connect to the Software Update Service from outside the intranet. Use the following format: https://<external server FQDN>/RequestHandler/ucdevice.upx.
• User identifies the service account under which Office Communications Server 2007 Web Components is run. The default service account is RTCComponentService.
• Password is the password for the service account.
• guest is the guest user account used in Office Communications Server (the default account is RTCGuestAccessUser) or it can be any domain user.
• guestpassword is the password for the guest user account.
Update the External Download URLs for the Software Update Service
After you have deployed the Software Update Service, you cannot change the internal update URL on the Software Update Service. The way you change the external URL varies depending on whether you are updating the URL on a Standard Edition server or an Enterprise pool.
Update the External Update URL of the Software Update Service on a Standard Edition Server
If you want to change the external update URL of the Software Update Service on a Standard Edition server, you can rerun the activation script (documented in a previous section) and update the ExternalWebfqdn parameter.
Update the External Update URL of the Software Update Service on an Enterprise Pool
On an Enterprise pool, you can only update the external download URL and can only change the download URLs using WMI.
Use the following procedure to update the external download URL, the internal download URL, or the external download URL used by the SharePoint Update site.
To configure the external Web farm FQDN to the Software Update Service
1. Log on to an Enterprise Edition server hosting the Update Server. Use an account that is a member of the RTCUniversalServerAdmins group or has equivalent privileges.
2. Click Start, click Run, type cmd in the Open box, and then click OK.
3. At the command prompt, type wbemtest.
4. Click Connect.
5. In the Namespace box, type root\cimv2, and then click Connect.
6. Click Query.
7. Select one of the following:
• On a Standard Edition server, type the following:
Select * from MSFT_SipUpdatesServerSetting where BackEnd="(local)\\rtc"
• On an Enterprise pool, type the following:
Select * from MSFT_SipUpdatesServerSetting where BackEnd="SQL database instance"
8. Click Apply.
9. Double-click the result returned.
10. In Object Edit, double-click the ExternalUpdatesDownloadURL property.
11. In the Value box, type the external URL used to connect with the Software Update Service using the format https://<external server FQDN>/RequestHandler/ucdevice.upx.
12. Click Save Property.
13. Click Save Object.
14. Click Close.
15. Click Close again, and then click Exit to close wbemtest.