Office Communications Server 2007 (Public Beta) Edge Server Deployment Guide
Published: March 2007
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release.
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of
the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real
company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying
with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, Active Directory, MSN, SharePoint are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
Terminology
Anonymous user. An external user who does not have credentials in the Active Directory®
Domain Services.
A/V. Audio/video.
Edge server. An Office Communications Server that resides in the perimeter network and provides connectivity for external users and public IM connections. Each edge server has one or more of the following roles: Access Edge Server, Web Conferencing Edge Server, or A/V Edge Server.
External user. A user connecting from outside the corporate firewall. External users include
anonymous users, federated users, and remote users.
Federated user. An external user who possesses valid credentials with a federated partner and
who therefore is treated as authenticated by Office Communications Server.
Internal IP address. An IP address that is accessible from the internal network of an
organization (also referred to as a private IP address). The Computer Management and
Administration Tools for Office Communications Server use the term private for this address.
PSOM. Persistent Shared Object Model protocol. A custom protocol for transporting Web
conferencing content.
External IP address. An IP address that is accessible from an external network (a network
outside of an organization, such as the Internet). Also referred to as a public IP address. The
Computer Management and Administration Tools for Office Communications Server use the
term public for this address.
Public IP address. See External IP address.
Remote user. An external user with a persistent Active Directory identity within the
organization.
SIP. Session Initiation Protocol, a signaling protocol for Internet telephony.
Web farm. A collection of IIS servers or an IIS server hosting content.
Additional details about when you need each edge server are provided in the following sections.
Note
The A/V Edge Server requires a publicly routable IP address. To meet this requirement, the external firewall of the perimeter network must not act as a Network Address Translator (NAT) for this IP address.
• To prevent port conflicts, if multiple edge servers (such as an A/V Edge Server and a Web
Conferencing Edge Server) are collocated on a single computer, each edge server should
have its own external IP address.
• Each collocated edge server must use a unique port and IP address combination.
• If you configure the Access Edge Server, A/V Edge Server, or Web Conferencing Edge
Server to use a port other than 443, an attempt by a remote user to sign in by using Office
Communicator 2007 or to join a conference from within another organization’s intranet may
fail. This situation can occur because many organizations prevent traffic traveling through
their firewall over non-default ports.
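The collocation and addressing rules above (a unique external IP address and IP/port combination per collocated role, a publicly routable A/V Edge Server address, and the risk of listening on a port other than 443), as an added Python check that is not part of the deployment guide. The EdgeRole and Finding types, the rule identifiers, and the TEST-NET-3 sample addresses are constructed for this example; the routability test covers only the RFC 1918 ranges a NAT would hide.

```python
"""Check an edge-server collocation plan against the addressing rules the guide states.

Added example, not part of the deployment guide. Rules checked:
  * each collocated edge server needs its own external IP address, and no two roles may
    share one (IP address, protocol, port) combination;
  * the A/V Edge Server's external IP address must be publicly routable (the external
    firewall must not NAT it), checked here against the RFC 1918 ranges a NAT would hide;
  * an Access, Web Conferencing or A/V Edge Server listening on a TCP port other than 443
    may be unreachable for users signing in from another organization's intranet.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Set, Tuple


class EdgeRole(NamedTuple):
    name: str         # "Access Edge Server", "Web Conferencing Edge Server" or "A/V Edge Server"
    external_ip: str  # external IP address the role listens on
    port: int         # external listening port
    proto: str = "TCP"


class Finding(NamedTuple):
    rule: str     # short constructed rule id, e.g. "port-conflict"
    message: str


DEFAULT_EDGE_PORT = 443
# RFC 1918 space: an A/V Edge Server external address in these ranges is behind a NAT.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_publicly_routable(ip: str) -> bool:
    """True unless the address falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def check_collocation(roles: List[EdgeRole]) -> List[Finding]:
    """Return the findings for one computer hosting the given edge server roles."""
    findings: List[Finding] = []
    by_socket: Dict[Tuple[str, str, int], str] = {}   # (ip, proto, port) -> first role using it
    by_ip: Dict[str, Set[str]] = {}                    # external ip -> distinct roles using it
    for role in roles:
        socket = (role.external_ip, role.proto.upper(), role.port)
        if socket in by_socket:
            findings.append(Finding("port-conflict",
                f"{role.name} and {by_socket[socket]} both listen on "
                f"{role.external_ip}:{role.port}/{role.proto}"))
        else:
            by_socket[socket] = role.name
        by_ip.setdefault(role.external_ip, set()).add(role.name)
        if role.proto.upper() == "TCP" and role.port != DEFAULT_EDGE_PORT:
            findings.append(Finding("non-default-port",
                f"{role.name} listens on TCP {role.port}; remote sign-in from another "
                "organization's intranet may fail because many firewalls block non-default ports"))
        if role.name == "A/V Edge Server" and not is_publicly_routable(role.external_ip):
            findings.append(Finding("av-not-public",
                f"A/V Edge Server external IP {role.external_ip} is RFC 1918 space; "
                "the external firewall must not NAT this address"))
    for ip, names in by_ip.items():
        if len(names) > 1:
            findings.append(Finding("shared-external-ip",
                f"{', '.join(sorted(names))} share external IP {ip}; give each role its own address"))
    return findings


# Constructed sample plans (TEST-NET-3 addresses stand in for public ones).
CONFLICTING_PLAN = [
    EdgeRole("A/V Edge Server", "203.0.113.10", 443),
    EdgeRole("Web Conferencing Edge Server", "203.0.113.10", 443),
]
CLEAN_PLAN = [
    EdgeRole("Access Edge Server", "203.0.113.10", 443),
    EdgeRole("Web Conferencing Edge Server", "203.0.113.11", 443),
    EdgeRole("A/V Edge Server", "203.0.113.12", 443),
]

if __name__ == "__main__":
    for label, plan in (("conflicting", CONFLICTING_PLAN), ("clean", CLEAN_PLAN)):
        print(label, [f.rule for f in check_collocation(plan)])
```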
The following table summarizes the supported edge server topologies, which are listed in order
of increasing complexity.
Note
To avoid port conflicts when running all server roles on a
single computer, use a different IP address for each server
role.
[Figure: four edge server topology diagrams, each showing the Internet, the edge servers in the perimeter network, and the internal deployment. Labels recovered from the figure: (1) A/V Edge Server, Access Edge Server, Web Conferencing Edge Server; (2) load balanced A/V Edge Servers, load balanced Access Edge Server, Web Conferencing Edge Server; (3) Data Center: A/V Edge Server, load balanced Access Edge Server and Web Conferencing Edge Server, logon; (4) Remote Site: A/V Edge Server, Web Conferencing Edge Server.]
Audio/Video Requirements
The following section summarizes some key requirements for audio/video in an Office
Communications Server deployment:
• We recommend that A/V Conferencing Servers and A/V Edge Servers be deployed on a 1GB
Ethernet LAN.
• We recommend that you run the Quality of Service scheduler on each A/V Conferencing
Server or A/V Edge Server to monitor audio and video traffic flow across the network.
• If you anticipate a high volume of audio/video traffic or experience packet loss after you
deploy, use Appendix D, “Optimizing Your Network Interface Card,” to optimize A/V traffic
flow.
Note
To prevent DNS SRV spoofing and to ensure that certificates provide a valid tie between the user URI and real credentials, Office Communications Server 2007 requires that the name of the DNS SRV domain match the server name on the certificate. The subject name (SN) must point to sip.<domain>.com.
The actual DNS records required depend on which edge servers you deploy and on your
deployment topology, as covered in this section. The following tables provide details about each
DNS record required for each topology.
The following table describes the DNS records that must be configured for the external interface
and the internal interface of edge servers in the consolidated edge topology.
Note
The port numbers referenced in the following tables and later
in this document are typically the default ports. If you use
different port settings, you will need to modify the procedures
in this guide accordingly.
Table 3 DNS records for the consolidated edge topology
The following table describes the DNS records that must be configured for the external interface
and the internal interface of edge servers in the single-site edge topology.
Table 4 DNS records for the single-site edge topology
Interface: External
Server: Collocated Access Edge Server and Web Conferencing Edge Server
DNS settings:
• An external DNS SRV record for all Access Edge Servers that points to _sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the SIP domain of your organization). This SRV record should point to an A record with the external FQDN of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each SIP domain.
• An external DNS SRV (service location) record for _sip._tls.<domain>, over port 443, where <domain> is the name of your organization’s SIP domain. This SRV record must point to the A record of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each. This SRV record supports federated partners and remote access by means of direct connection to the Access Edge Server.
  Note: Configuring multiple SRV records for the same SIP domain is not supported. If multiple DNS records are returned to a DNS SRV query, the Access Edge Server will always pick the DNS SRV record with the lowest numerical priority and highest numerical weight.
• For each supported SIP domain in your organization, an external DNS A record for sip.<domain>.com that points to the external IP address of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each. If a client cannot perform an SRV record lookup to connect to the Access Edge Server, it will use this A record as a fallback.
• An external DNS A record that resolves the external FQDN of the Web Conferencing Edge Server to its external IP address.

Interface: Internal
Server: Collocated Access Edge Server and Web Conferencing Edge Server
DNS settings:
• An internal DNS A record that resolves the internal FQDN of the collocated Access Edge Server and Web Conferencing Edge Server to its internal IP address.

Interface: Internal
Server: A/V Edge Server
DNS settings:
• An internal DNS A record that resolves the internal FQDN of the A/V Edge Server to its internal IP address.
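The SRV selection and name-matching rules from the DNS note and Table 4, as an added Python check that is not part of the deployment guide. It runs against a constructed in-memory zone for the guide's fictitious contoso.com; the resolver callable, the finding strings, the federation flag, and the reading of the guide's sip.<domain>.com as sip.contoso.com are assumptions of this example.

```python
"""Offline check of the external DNS records the guide requires for an Access Edge Server.

Added example, not part of the deployment guide. It encodes the rules from the DNS note and
Table 4: _sip._tls.<domain> on port 443 and _sipfederationtls._tcp.<domain> on port 5061,
one SRV record per SIP domain, selection by lowest priority then highest weight, an A record
for the SRV target, the sip.<domain> A record as fallback, and an SRV target name that matches
the server name on the Access Edge Server's certificate (the DNS SRV spoofing check).
"""
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple


class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# A resolver maps (owner name, record type) to an answer list: SRV tuples or A-record strings.
Resolver = Callable[[str, str], list]


def select_srv(records: List[SRV]) -> Optional[SRV]:
    """Return the record the Access Edge Server would use: lowest priority, then highest weight."""
    if not records:
        return None
    return sorted(records, key=lambda r: (r.priority, -r.weight))[0]


def check_access_edge_dns(sip_domain: str, cert_subject_name: str, resolve: Resolver,
                          federation: bool = True) -> List[str]:
    """Return a list of findings; an empty list means every checked record is in place."""
    findings: List[str] = []
    expected = [("_sip._tls." + sip_domain, 443)]
    if federation:  # the federation SRV is needed only for federation or public IM connectivity
        expected.append(("_sipfederationtls._tcp." + sip_domain, 5061))
    for owner, port in expected:
        records = resolve(owner, "SRV")
        chosen = select_srv(records)
        if chosen is None:
            findings.append(f"missing SRV record {owner}")
            continue
        if len(records) > 1:
            findings.append(f"{owner}: multiple SRV records for one SIP domain are not supported; "
                            f"{chosen.target} would be picked")
        if chosen.port != port:
            findings.append(f"{owner}: port {chosen.port} instead of {port}; sign-in from another "
                            "organization's intranet may fail")
        target = chosen.target.rstrip(".")
        if not resolve(target, "A"):
            findings.append(f"{owner}: SRV target {target} has no A record")
        if target.lower() != cert_subject_name.rstrip(".").lower():
            findings.append(f"{owner}: SRV target {target} does not match the certificate "
                            f"subject name {cert_subject_name}")
    fallback = "sip." + sip_domain  # assumption: the guide's sip.<domain>.com read as sip.contoso.com
    if not resolve(fallback, "A"):
        findings.append(f"missing fallback A record {fallback} for clients that cannot query SRV")
    return findings


def make_resolver(zone: Dict[Tuple[str, str], list]) -> Resolver:
    """Build an in-memory resolver from {(name, type): answers}; names compare case-insensitively."""
    table = {(name.lower().rstrip("."), rtype): answers for (name, rtype), answers in zone.items()}
    return lambda name, rtype: table.get((name.lower().rstrip("."), rtype), [])


# Constructed zone for the guide's fictitious contoso.com, using the external FQDN
# AccessExternalLB.contoso.com from its sample configuration and a TEST-NET-3 address.
GOOD_ZONE = make_resolver({
    ("_sip._tls.contoso.com", "SRV"): [SRV(0, 0, 443, "AccessExternalLB.contoso.com")],
    ("_sipfederationtls._tcp.contoso.com", "SRV"): [SRV(0, 0, 5061, "AccessExternalLB.contoso.com")],
    ("AccessExternalLB.contoso.com", "A"): ["203.0.113.10"],
    ("sip.contoso.com", "A"): ["203.0.113.10"],
})

# Constructed zone with the mistakes the guide warns about: two SRV records for one domain,
# the preferred one on a non-default port and pointing at a host whose name the certificate
# does not carry, no federation SRV record, and no fallback A record.
BAD_ZONE = make_resolver({
    ("_sip._tls.contoso.com", "SRV"): [SRV(10, 5, 5061, "edge.example.net"),
                                        SRV(20, 50, 443, "AccessExternalLB.contoso.com")],
    ("edge.example.net", "A"): ["203.0.113.99"],
    ("AccessExternalLB.contoso.com", "A"): ["203.0.113.10"],
})

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        for finding in check_access_edge_dns("contoso.com", "AccessExternalLB.contoso.com", zone):
            print(f"[{label}] {finding}")
```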
The following table describes the DNS records that must be configured for the external interface
and the internal interface of edge servers in the scaled single-site edge topology.
Table 5 DNS records for the scaled single-site edge topology
Interface: External
Server: Access Edge Server, Web Conferencing Edge Server
DNS settings:
• An external DNS SRV record for all Access Edge Servers that points to _sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the SIP domain of your organization). This SRV record should point to an A record with the external FQDN of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each.
• An external DNS SRV (service location) record for _sip._tls.<domain>, over port 443, where <domain> is the name of your organization’s SIP domain. This SRV record must point to the A record of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each. This SRV record supports federated partners and remote access by means of direct connection to the Access Edge Server.
  Note: Configuring multiple SRV records for the same SIP domain is not supported. If multiple DNS records are returned to a DNS SRV query, the Access Edge Server will always pick the DNS SRV record with the lowest numerical priority and highest numerical weight.

Interface: Internal
Server: Access Edge Server, Web Conferencing Edge Server
DNS settings:
• An internal DNS A record that resolves the internal FQDN of the Access Edge Server array to the virtual IP address used by the Access Edge Servers on the internal load balancer.
• An internal DNS A record that resolves the internal FQDN of each Web Conferencing Edge Server to its internal IP address.

Interface: Internal
Server: A/V Edge Server
DNS settings:
• An internal DNS A record that resolves the internal FQDN of the A/V Edge Server array to the virtual IP address used by the A/V Edge Servers on the internal load balancer.
The data center configuration for the multiple-site edge topology is the same as that for the
scaled single-site edge topology, but additional configuration is required for the remote site. The
following table describes the DNS records that must be configured for the external interface and
the internal interface of edge servers in the remote site of the multiple-site edge topology.
Table 6 DNS records for the multiple-site edge topology remote site
Interface: External
Remote site server: Web Conferencing Edge Server
DNS settings:
• An external DNS A record that resolves the external FQDN of the Web Conferencing Edge Server in the remote site to its external IP address.

Interface: External
Remote site server: A/V Edge Server
DNS settings:
• An external DNS A record that resolves the external FQDN of the A/V Edge Server in the remote site to its external IP address. This IP address must be a publicly routable IP address.

Interface: External
Remote site server: Reverse proxy
DNS settings:
• An external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy.

Interface: Internal
Remote site server: Web Conferencing Edge Server
DNS settings:
• An internal DNS A record that resolves the internal FQDN of the Web Conferencing Edge Server in the remote site to its internal IP address.

Interface: Internal
Remote site server: A/V Edge Server
DNS settings:
• An internal DNS A record that resolves the internal FQDN of the A/V Edge Server to its internal IP address.
The following sections provide additional information about each port to be configured for each
server role in each topology, as well as a mapping of the numbers in the previous figure to the
respective port descriptions.
In the following tables, the direction for firewall policy rules that is indicated as outbound is
defined as follows:
• On the internal firewall, it corresponds to traffic from servers on the internal (private)
network to the edge server in the perimeter network.
• On the external firewall, it corresponds to traffic from the edge server in the perimeter
network to the Internet.
The following table describes the firewall policy rules to be configured for the Access Edge
Server.
Table 8 Firewall Settings for the Access Edge Server
Firewall: Internal
Policy rules (figure mapping 5):
Local Port: 5061 TCP (SIP/MTLS)
Direction: Inbound (for remote user access and federation)
Remote Port: Any
Local IP address: The internal IP address of the Access Edge Server
Remote IP: The IP address of the next hop server. If a Director is deployed, use the IP address of the Director or the VIP of the load balancer, if the Directors are load balanced.
The following table describes the firewall policy rules to be configured for the Web Conferencing
Edge Server.
Note
PSOM is the Microsoft proprietary protocol used for Web
conferencing.
Firewall: Internal
Policy rules:
... Servers)
Remote Port: Any
Local IP: The internal IP address of the Web Conferencing Edge Server
Remote IP: Any IP address

Firewall: External
Policy rules (figure mapping 6):
Local Port: 443 TCP (PSOM/TLS)
Direction: Inbound (for access of remote, anonymous, and federated users to internal Web conferences)
Remote Port: Any
Local IP: The external IP address of the Web Conferencing Edge Server
Remote IP: Any IP address
The following table describes the firewall policy rules to be configured for the A/V Edge Server.
Table 10 Firewall Settings for the A/V Edge Server
Firewall: Internal
Policy rules (figure mapping 12):
Local Port: 443 TCP (STUN/TCP)
Direction: Outbound (for internal users to send media to external users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server
Remote IP: Any IP address

Policy rules (figure mapping 13):
Local Port: 5062 TCP (SIP/MTLS)
Direction: Outbound (for authentication of A/V users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server
Remote IP: Any IP address
The following table describes the firewall policy rules to be configured for the Access Edge
Server.
The following table describes the firewall policy rules to be configured for the Web Conferencing
Edge Server.
Note
PSOM is the Microsoft proprietary protocol used for Web
conferencing.
The following table describes the firewall policy rules to be configured for the A/V Edge Server.
Table 14 Firewall Settings for the A/V Edge Server
Firewall: Internal
Policy rules (figure mapping 12):
Local Port: 443 TCP (STUN/TCP)
Direction: Outbound (for internal users to send media to external users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server
Remote IP: Any IP address

Policy rules (figure mapping 13):
Local Port: 5062 TCP (SIP/MTLS)
Direction: Outbound (for A/V authentication of users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server
Remote IP: Any IP address
The following table describes the firewall policy rules to be configured for the Access Edge
Server.
Table 16 Firewall Settings for the Access Edge Server
Firewall: Internal
Policy rules (figure mapping 5):
Local Port: 5061 TCP (SIP/MTLS)
Direction: Inbound (for remote user access and federation)
Remote Port: Any
Local IP address: The internal IP address of the Access Edge Server
Remote IP: The IP address of the next hop server. If a Director is deployed, use the IP address of the Director or the VIP of the load balancer, if the Directors are load balanced.
The following table describes the firewall policy rules to be configured for the Web Conferencing
Edge Server.
Note
PSOM is the Microsoft proprietary protocol used for Web
conferencing.
The following table describes the firewall policy rules to be configured for the A/V Edge Server.
Table 18 Firewall Settings for the A/V Edge Server
Firewall: Internal
Policy rules (figure mapping 12):
Local Port: 443 TCP (STUN/TCP)
Direction: Outbound (for internal users to send media to external users)
Remote Port: Any
Local IP: The VIP address used by the A/V Edge Server array on the internal load balancer
Remote IP: Any IP address

Policy rules (figure mapping 13):
Local Port: 5062 TCP (SIP/MTLS)
Direction: Outbound (for A/V authentication of users)
Remote Port: Any
Local IP: The VIP address used by the A/V Edge Server array on the internal load balancer
Remote IP: Any IP address

Policy rules (figure mapping 14):
Local Port: 3478 UDP (STUN/UDP)
Direction: Outbound (for internal users to send media to external users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server and the VIP address used by the A/V Edge Server array on the internal load balancer
Remote IP: Any IP address
Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.
Multiple Edge Site Topology Firewall Policy Rules for the Remote Site
The following tables explain the firewall policy rules required on each server in the perimeter
network in the remote site when you deploy edge servers in the multiple edge site topology. The
firewall policy rules that are required in the central data center are the same as those required in
the scaled single site topology described in the previous section. Because the users in the remote
site use the Access Edge Server in the central site, there is no table for the Access Edge Server in
this section.
The following table describes the firewall policy to be configured for the reverse proxy.
Table 19 Firewall Settings for the Reverse Proxy
Firewall: Internal
Policy rules (figure mapping 2):
Local Port: 443 TCP (SIP/TLS)
Direction: Inbound (for external user access to Web conferences)
Remote Port: Any
Local IP: The internal IP address of the reverse proxy in the remote site
Remote IP: Any

Firewall: External
Policy rules (figure mapping 1):
Local Port: 443 TCP (HTTP(S))
Direction: Inbound
Remote Port: Any
Local IP address: The external IP address of the HTTP reverse proxy in the remote site
Remote IP: Any
Note: If you want your users to be able to connect from inside your intranet to external conferences hosted by other companies, then you will also need to open port 443 outbound.
The following table describes the firewall policy rules to be configured for the Web Conferencing
Edge Server.
Note
PSOM is the Microsoft proprietary protocol used for Web
conferencing.
The following table describes the firewall policy rules to be configured for the A/V Edge Server.
Table 21 Firewall Settings for the A/V Edge Server
Firewall: Internal
Policy rules (figure mapping 12):
Local Port: 443 TCP (STUN/TCP)
Direction: Outbound (for internal users to send media to external users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server in the remote site
Remote IP: Any IP address

Policy rules (figure mapping 13):
Local Port: 5062 TCP (SIP/MTLS)
Direction: Outbound (for A/V authentication of users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server in the remote site
Remote IP: Any IP address

Policy rules (figure mapping 14):
Local Port: 3478 UDP (STUN/UDP)
Direction: Outbound (for internal users to send media to external users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server in the remote site
Remote IP: Any IP address
Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.
Note
ISA Server 2004 can also be set up to use a single network adapter. For more information, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at http://www.microsoft.com/technet/isa/2004/plan/single_adapter.mspx.
To configure the network adapter cards on the reverse proxy computer
1. On the server running ISA Server 2004, open Network Connections. Click Start, point to Settings, and then click Network Connections.
2. Right-click the external network connection to be used for the external interface, and then click Properties.
3. On the Properties page, on the General tab, in the This connection uses the following items list, click Internet Protocol (TCP/IP), and then click Properties.
4. On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses and DNS server addresses as appropriate for the network to which the network adapter is attached.
5. Click OK twice.
6. In Network Connections, right-click the internal network connection to be used for the internal interface, and then click Properties. Repeat steps 3 through 5 to configure the internal network connection.
To install ISA Server 2004
• Install ISA Server 2004 SP2 according to the setup instructions that are included with the
product, as well as all hotfixes.
To request and configure a digital certificate for SSL
• The root certification authority (CA) certificate for the CA that issued the server certificate
on the Web server needs to be installed on the server running ISA Server 2004. This
certificate should match the published FQDN of the external Web farm where you are
hosting meeting content and Address Book files.
Note
If you are using separate IIS servers to host meeting content and Address Book data, you need to configure the ISA server with two certificates (each matching the published external FQDN of each of the two external Web sites) and install a second IP address on the external network interface of the ISA Server. ISA can bind only one certificate to one IP address. If you configure an ISA server with multiple sites, you can use a certificate that uses a wildcard. However, if you do, ensure that you do not use the same certificate for IIS for the internal site. For information about how to publish multiple Web sites with a wildcard certificate, see Using a Single Certificate to Publish Multiple Secure Web Sites at http://www.microsoft.com/technet/isa/2004/maintain/wildcard.mspx.
Note
You also have the option of selecting Tunneling, but SSL Bridging is recommended, and so it is the option documented in the following procedure. SSL bridging protects against attacks that are hidden in SSL-encrypted connections. For SSL-enabled Web applications, after receiving the client's request, ISA Server decrypts it, inspects it, and terminates the SSL connection with the client computer. The Web publishing rules determine how ISA Server communicates the request for the object to the published Web server. If the secure Web publishing rule is configured to forward the request using Secure HTTP (HTTPS), ISA Server initiates a new SSL connection with the published server. Because the ISA Server computer is now an SSL client, it requires that the published Web server respond with a server-side certificate.
Note
The following procedure is for the Default Web Site in IIS. You
must also verify or configure authentication and certification
on each front-end Web server in the Microsoft Office
SharePoint® Portal Server deployment.
Sample Configuration
The following figure shows how a load balancer is configured for collocated Access Edge
Servers and Web Conferencing Edge Servers and two dedicated A/V Edge Servers. In the
diagram below, two Access Edge Servers are collocated with Web Conferencing Edge Servers in
an array. These servers are called A and B. Two dedicated A/V Edge Servers are called C and D.
These servers are configured as follows:
• Each server role—A/V Edge Server, Web Conferencing Edge Server and Access Edge
Server—has its own external FQDN that resolves to a separate VIP on the external load
balancer. In this example:
• Access Edge Servers use the external FQDN of AccessExternalLB.contoso.com
• Web Conferencing Edge Servers use the external FQDN of
WebExternalLB.contoso.com
• A/V Edge Servers use the external FQDN of AVExternalLB.contoso.com
• The Access Edge Servers and the A/V Edge Servers each have a unique internal FQDN that
resolves to a separate VIP on the internal load balancer. In this example:
• Access Edge Servers use the internal FQDN of AccessInternalLB.corp.contoso.com
• A/V Edge Servers use the internal FQDN of AVInternalLB.corp.contoso.com
• The Web Conferencing Edge Servers are not load balanced on the internal side.
Internally, a Front-End Server, a Web Conferencing Server, and an A/V Conferencing Server are
installed together on three Enterprise Edition Servers in an Enterprise pool in the consolidated
configuration (Servers E, F, and G). This internal topology is for illustration purposes only. You
may install any of the internally supported topologies as discussed in the Planning Guide.
DNS records
The following DNS SRV records are required by the Access Edge Server:
• If you are enabling public IM connectivity or enhanced federation, an external SRV record
for all edge servers that points to _sipfederationtls._tcp.contoso.com over port 5061 (where
contoso.com is the name of the SIP domain of this organization). This SRV record should
point to an A record with the external FQDN of the Access Edge Server that resolves to the
VIP on the external load balancer that is used by the Access Edge Servers. In this example,
because there is only one SIP domain, only one SRV record like this is needed. If you have
multiple SIP domains, you need a DNS SRV record for each. This is required only if you are
enabling enhanced federation or public IM connectivity.
• A DNS SRV (service location) record for _sip._tls.contoso.com over port 443 where
contoso.com is the name of your organization’s SIP domain. This SRV record must point to
an A record with the external FQDN of the Access Edge Server that resolves to the VIP on
the external load balancer used by the Access Edge Servers. If you have multiple SIP
domains, you need a DNS SRV record for each. This SRV record supports automatic
configuration for remote users for instant messaging and conferencing.
The following external DNS A records are required.
• ExternalAccessLB.contoso.com resolves to the VIP of the external load balancer in the
perimeter network used by the Access Edge Servers. It is used by external clients and other
Access Edge Servers to reach the Access Edge Server from the Internet.
• An external A record for sip.ExternalAccessLB.contoso.com that points to the VIP address
used by the Access Edge Servers on the external load balancer in the perimeter network.
(One A record for each SIP domain).
• ExternalWebLB.contoso.com resolves to the VIP address used by the Web Conferencing
Edge Servers on the external load balancer in the perimeter network.
• ExternalAVLB.contoso.com resolves to the VIP address used by the A/V Edge Servers on
the external load balancer in the perimeter network.
The following internal DNS A records are required.
• InternalAccessLB.corp.contoso.com, points to the VIP of the internal load balancer in the
perimeter network used by the Access Edge Servers.
• InternalAVLB.corp.contoso.com, points to the VIP of the internal load balancer in the
perimeter network used by the A/V Edge Servers.
• InternalLB.corp.contoso.com points to the VIP of the load balancer of the Enterprise pool to
which the internal A/V Conferencing Servers and Web Conferencing Servers are attached.
• SrvrA.corp.contoso.com points to the internal interface of the Web Conferencing Edge Server on Server A.
• SrvrB.corp.contoso.com points to the internal interface of the Web Conferencing Edge Server on Server B.
Certificates
The certificates are configured in the following way:
Access Edge Servers
• The external interface of each Access Edge Server has a certificate with a subject name (SN) of ExternalAccessLB.contoso.com. You would configure this certificate on server A and mark it as exportable and then import it to Server B. (Each server in the Web Conferencing Edge Server and Access Edge Server array must use the same certificate.)
• The external interface of the Web Conferencing Edge Server has a certificate with a subject
name (SN) of ExternalWebLB.contoso.com. You would configure this certificate on server A
and mark it as exportable and then import it to Server B. (Each server in the Web
Conferencing Edge Server and Access Edge Server array must use the same certificate).
• No certificate is required on the external interface of the A/V Edge Server.
• The internal interface of each Access Edge Server has a certificate with an SN of InternalAccessLB.corp.contoso.com. This certificate is shared with the internal edge of the Web Conferencing Edge Server. You would configure this certificate on server A and mark it as exportable and then import it to Server B. (Each server in the Web Conferencing Edge Server and Access Edge Server array must use the same certificate.)
• The internal edge of the A/V Edge Server has a certificate with an SN of
InternalAVLB.corp.contoso.com. You would configure this certificate on server A and mark
it as exportable and then import it to Server B. (Each server in the Web Conferencing Edge
Server and Access Edge Server array must use the same certificate).
• The internal edge of the A/V Edge Server is configured with an additional certificate used
for A/V authentication. The same A/V authentication certificate must be installed on each
A/V Edge Server. This means that the certificate must be from the same issuer and use the
same private key.
Internal Web Conferencing Servers in Your Enterprise Pool
Each internal Web Conferencing Server in the Enterprise pool has a certificate with the subject
name (SN) of InternalLB.corp.contoso.com.
Internal A/V Conferencing Servers
Each internal A/V Conferencing Server has a certificate with the subject name (SN) of InternalLB.corp.contoso.com.
You deploy edge servers by using the Office Communications Server 2007 Deployment Wizard,
which you access by running Setup.exe from the Office Communications Server 2007
installation CD or, if you are deploying over the network, from the network share. From the
Deployment Wizard, you can access multiple individual wizards that facilitate completion of
edge server deployment tasks. You can use these wizards, as covered in this section, to complete
the following procedures:
• Install the edge server. When you install an edge server, the installation process copies the
required edge server files to the local computer.
• Activate the edge server. When you activate an edge server, you configure it to have one or
more edge server roles.
• Configure the edge server. Configuration includes specifying the settings that are necessary
for the edge server to work.
• Configure certificates for the edge servers.
To install an edge server
1. Log on to the computer on which you want to install your edge server as a member of the
Administrators group.
2. If Systems Management Server (SMS) is running on the computer, stop the SMS service.
3. Start Setup and launch the Deployment Wizard by doing one of the following:
• If installing the edge server from the Office Communications Server 2007 installation
CD, insert the CD. If Setup does not start automatically, from the Start menu, click
Run. In the Open box, type \Setup\I386\Setup.exe, and then click OK.
• If you are installing the edge server from a network share, go to the \Setup\I386 folder,
and then double-click Setup.exe.
4. Click Deploy Other Server Roles.
5. Click Deploy Edge Server.
6. Next to Step 1: Install Files for Edge Server, click Install to start the Install Files for Edge
Server Setup Wizard.
7. On the Welcome page, click Next.
8. On the License Agreement page, if you agree to the licensing terms, click I accept the
terms in the licensing agreement, and then click Next.
9. On the Customer Information page, in User name and Organization, type your name and
the name of your organization.
10. Use the product key that is automatically supplied, and then click Next.
11. On the Install Location page, in Location, type the location where you want to install the
edge server files, and then click Next.
12. On the Confirm Installation page, click Next.
13. On the completion page, click Close.
Note
An A/V Edge Server and a Web Conferencing Edge Server
cannot be activated together on a single computer without
also activating an Access Edge Server on the same computer.
4. On the Select Service Account page, select Create a new account or Use an existing
account, type the account name and password for the edge server service account, and
then click Next.
5. On the Ready to Activate Edge Server page, review the settings, and then click Next.
6. On the completion page, select the View the log when you click ‘Finish’ checkbox, and
then click Finish.
7. When the Office Communications Server 2007 Deployment Log opens in a Web browser
window, verify that Success appears under Execution Result in the action column on the far
right side of the screen. Optionally, expand each individual task and verify that the
Execution Result shows Success for the task. When you finish, close the log window.
Note
If you are collocating edge server roles on a computer, each
should have a separate IP address. If you do not use a
separate IP address for each, you must use separate ports for
each collocated edge server role.
Appendix D Optimizing Your Network Interface Card for High A/V Traffic 59
7. Click Next.
8. Select from the following options:
• If you are installing only A/V Edge Server on this computer, skip to step 12 to complete
the wizard.
• If you are installing Access Edge Server and Web Conferencing Edge Server on this computer,
proceed with the next step.
• If you are installing a Web Conferencing Edge Server only, skip to step 13.
9. On the Enable Features on Access Edge Server page, select the features that you want to
enable on this Access Edge Server as follows:
• To make it possible for remote users to connect to Office Communications Server 2007
from the Internet to view presence information and exchange instant messages with
internal users using this Access Edge Server, select the Allow remote user access to
your network check box.
o To make it possible for external anonymous users to join conferences through
this Access Edge Server, select the Allow anonymous user to join meetings
check box. Anonymous users are external users who do not have credentials in
the Active Directory® Domain Services.
o In your edge server deployment, you can optionally use one Access Edge
Server for remote user access and a different Access Edge Server for federation
and public IM connectivity. In this configuration, on the Access Edge Server
used for remote access, if you plan to enable federation or public IM
connectivity for your remote users, select the Allow remote users to
communicate with federated contacts check box; otherwise, your remote users
cannot send messages to federated or public IM contacts.
• To enable federation or public IM connectivity through this Access Edge Server, select
the Enable federation check box.
o To use DNS to automatically locate Access Edge Servers of your federated
partners, select the Allow discovery of federation partners using DNS check
box. We recommend this configuration.
o To enable public IM connectivity through this Access Edge Server, select the
Federation with selected public IM providers check box, and then select
the IM providers that you want to use with federated partners.
Important
Before you can connect to these IM providers, you must
purchase additional service licenses and provision the
connections by using the Microsoft provisioning page
(http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=provisio
n). Public IM connectivity will not work without this license.
The license you purchase permits communications to MSN,
AOL, and the Yahoo IM providers. If you want to limit public IM
connectivity to a specific provider, you can disable the public
IM providers you do not want to connect with.
Note
Additional configuration of anonymous users and federation is
described in “Step 4. Configure the Environment” later in this
guide.
The following table summarizes the certificate requirements for the internal interface of each
edge server role in the scaled single site edge topology.
Table 27 Internal Certificates for the scaled single-site edge topology
Server role: Access Edge Server and Web Conferencing Edge Server
Certificate: A certificate configured on the internal interface with a subject name that
matches the internal FQDN of the VIP address used by the Access Edge Server on the internal
load balancer. This certificate is shared between the Web Conferencing Edge Server and the
Access Edge Server and must be configured on the internal interface of both. It must be
marked as exportable on the first computer where you configure the certificate and then
imported onto each additional computer in the Access Edge Server and Web Conferencing Edge
Server array.
Note
If the Enterprise CA is reachable from the edge server, you
can use the Send the request immediately to an online
certification authority option. Since this is typically not the
case, this procedure and other certificate request procedures
in this guide do not cover the use of that option.
Additionally, be aware that once you create a request, it is
pending and the Certificate Wizard will not let you create
another request until you have processed the pending one.
6. On the Name and Security Settings page, type a friendly name for the certificate, specify
the bit length (the wizard defaults to 1024; use at least 2048, because 1024-bit RSA keys
are no longer considered strong enough and public CAs no longer issue certificates for
them), select the Mark certificate as exportable check box, and then click Next.
7. On the Organization Information page, enter the name for the organization and the
organizational unit (such as a division or department, if appropriate), and then click Next.
8. On the Your Server’s Subject Name page, type or select the subject name and subject
alternate name of the edge server. The subject name should match the FQDN of the edge
server published by the internal firewall for the internal interface on which you are
configuring the certificate:
• For the internal interface of the edge server, this subject name should match the name
that your internal servers use to connect to the edge server (typically, the FQDN of the
internal interface for the edge server).
• If you are using an internal load balancer, internal servers connect to this edge server
role by the FQDN of the virtual IP address on that load balancer rather than by the
individual server name, so the certificate subject name must match the FQDN of the
virtual IP address used by this server role on the internal load balancer. For the
internal interface, this is typically the published DNS name in the perimeter network
that maps to the edge server.
9. Click Next.
10. On the Geographical Information page, type the location information, and then click Next.
11. On the Certificate Request File Name page, in File name, type the full path and file
name to which the request is to be saved (for example, C:\certrequest_AccessEdge.txt), or
click Browse to choose the location, and then click Next.
12. On the Request Summary page, click Next.
13. On the wizard completion page, verify successful completion, and then click Finish.
14. Submit this file to your CA (by e-mail or other method supported by your organization for
your Enterprise CA) and, when you receive the response file, copy the new certificate to this
computer so it is available for import.
15. Repeat this procedure for each edge server.
To import the certificate for the internal interface
1. On the Access Edge Server on which you created the certificate request, in Deployment
Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the
Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Pending Certificate Request page, click Process the pending request and import
the certificate, and then click Next.
4. On the Process a Pending Request page, in Path and file name, type the full path and file
name of the certificate that you requested and received for the internal interface of this edge
server (or click Browse to locate and select the certificate), and then click Next.
5. On the wizard completion page, verify successful completion, and then click Finish.
To export the certificate for the internal interface for import to other
edge servers
1. On the edge server on which you requested and imported the certificate, in Deployment
Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the
Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Export a certificate to a .pfx file, and then
click Next.
4. On the Available Certificates page, in Select a certificate, click the certificate that you
imported to this edge server (as covered in the previous procedure), and then click Next.
5. On the Export Certificate page, in Path and file name, type the full path and file name
to which you want to export the certificate (or click Browse to locate the folder), and then
click Next.
6. On the Export Certificate Password page, in Password, type the password that will be used
to import the certificate on the other edge servers, and then click Next.
7. On the wizard completion page, verify successful completion, and then click Finish.
8. Copy the exported file to a location or media that is accessible by the other edge servers.
The .pfx file contains the private key of the shared certificate, so use a strong password,
restrict access to the file while it is in transit, and delete it from the shared location
after the import on each server has completed.
To import the certificate for the internal interface on the other edge
servers
1. On each of the other edge servers, in Deployment Wizard, on the Deploy Edge Server
page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the
Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and
then click Next.
4. On the Import Certificate page, in Path and file name, type the full path and file name of
the certificate that you exported from the first edge server (or click Browse to locate and
select the certificate), clear the Mark certificate as exportable check box, and then click
Next.
5. On the Import Certificate Password page, in Password, type the password that you typed
when you exported the certificate from the first server, and then click Next.
6. On the wizard completion page, verify successful completion, and then click Finish.
7. Repeat this procedure for each edge server that will use the same certificate.
To assign the certificate to the internal interface of the edge servers
1. On each edge server, in the Deployment Wizard, on the Deploy Edge Server page, next to
Step 4: Configure Certificates for the Edge Server, click Run to start the
Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Assign an existing certificate, and then
click Next.
4. On the Available Certificates page, select the certificate that you requested for the internal
interface of this edge server, and then click Next.
5. On the Available Certificate Assignments page, select the Edge Server private interface
check box (the server interface on which you want to install the certificate), and then click
Next.
6. On the Configure the Certificate Settings of Your Server page, review your settings, and
then click Next to assign the certificates.
7. On the wizard completion page, click Finish.
8. Repeat this procedure for each edge server to which you assigned this certificate.
Note
It is possible to use your Enterprise subordinate CA for direct
federation, as well as for testing or trial purposes if all
partners agree to trust the CA or cross-sign the certificate.
Table 29 External Certificates for the edge server in the consolidated edge
topology
Server role: Access Edge Server
Certificate: A certificate configured on the external interface with a subject name that
matches the external FQDN of the edge server. If you have multiple SIP domains, each
supported SIP domain must be entered as sip.<domain> in the Subject Alternate Name of the
certificate. For example, if your organization supports the two domains a.contoso.com and
b.contoso.com: SN=sip.a.contoso.com, SAN=sip.a.contoso.com, sip.b.contoso.com
Server role: Web Conferencing Edge Server
Certificate: A certificate configured on the external interface that matches the external
FQDN of the Web Conferencing Edge Server.
Server role: A/V Conferencing Edge Server
Certificate: Not required
The following table summarizes the certificate requirements for the external interface of each
edge server role in the single site edge topology.
Table 30 External Certificates for the single-site edge topology
Server role: Access Edge Server
Certificate: A certificate configured on the external interface with a subject name that
matches the external FQDN of the computer on which the Access Edge Server and Web
Conferencing Edge Server are collocated. If you have multiple SIP domains, each supported
SIP domain must be entered as sip.<domain> in the Subject Alternate Name of the certificate.
For example, if your organization supports the two domains a.contoso.com and b.contoso.com:
SN=sip.a.contoso.com, SAN=sip.a.contoso.com, sip.b.contoso.com
Server role: Web Conferencing Edge Server
Certificate: A certificate configured on the external interface with a subject name that
matches the external FQDN of the Web Conferencing Edge Server.
Server role: A/V Conferencing Edge Server
Certificate: Not required
The following table summarizes the certificate requirements for the external interface of each
edge server role in the scaled single site edge topology.
The following table summarizes the certificate requirements for the external interface of each
edge server in the remote site in a multiple edge site topology. The servers in the central site will
use the same certificates as those in the scaled single site topology.
Table 32 External Certificates for the remote site in a multiple site edge
topology
Note
When you request a certificate from an External CA, the
credentials provided must have rights to request a certificate
from that CA. Each CA has a security policy that defines which
credentials (specific user and group names) are allowed to
request, issue, manage, or read certificates.
To create the certificate request for the external interface of the edge
server
1. On the edge server, in the Deployment Wizard, on the Deploy Edge Server page, next to
Step 4: Configure Certificates for the Edge Server, click Run to start the
Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Create a new certificate, and then click Next.
4. On the Delayed or Immediate Request page, select the Prepare the request now, but send
later check box, and then click Next.
5. On the Name and Security Settings page, type a friendly name for the certificate, specify
the bit length (the wizard defaults to 1024; use at least 2048, because public CAs no longer
issue certificates for 1024-bit RSA keys), select the Mark certificate as exportable
check box, and then click Next.
6. On the Organization Information page, type the name for the organization and the
organizational unit (such as a division or department, if appropriate), and then click Next.
7. On the Your Server’s Subject Name page, type or select the subject name and subject
alternate name of the edge server:
• The subject name should match the FQDN of the server published by the external
firewall for the external interface on which you are configuring the certificate. For the
external interface of the Access Edge Server, this certificate subject name should be
sip.<domain>.
• If multiple SIP domain names exist and they do not appear in Subject alternate name,
type the name of each additional SIP domain as sip.<domain>, separating names with a
comma. Domains entered during configuration of the Access Edge Server are
automatically added to this box.
8. Click Next.
9. On the Geographical Information page, type the location information, and then click Next.
10. On the Certificate Request File Name page, type the full path and file name of the file to
which the request is to be saved (or click Browse to locate and select the file), and then click
Next.
11. On the Request Summary page, click Next.
12. On the Certificate Wizard Completed page, verify successful completion, and then click
Finish.
13. Copy the output file to a location from which it can be submitted to the public CA.
To submit a request to a public certification authority
1. Open the output file.
2. Copy and paste the contents of the CSR into the appropriate text box, beginning with:
-----BEGIN NEW CERTIFICATE REQUEST-----
and ending with:
-----END NEW CERTIFICATE REQUEST-----
3. If prompted, select the following options:
• Microsoft as the server platform
• IIS as the version
• Web Server as the usage type
• PKCS7 as the response format
4. When the public CA has verified your information, you will receive an e-mail message
containing text required for your certificate.
5. Copy the text from the e-mail message and save the contents in a text file (.txt) on your local
computer.
6. Download the root CA chain of the public CA and install it on the local computer store of
each edge server.
Note
Appendix B provides an example of a certificate request and a
sample procedure for requesting a certificate from a public CA.
To import the certificate for the external interface of the edge server
1. Log on to the edge server as a member of the Administrators group.
2. In the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure
Certificates for the Edge Server, click Run to start the Communications Certificate
Wizard.
3. On the Welcome page, click Next.
4. On the Available certificate tasks page, click Process the pending request and import the
certificate, and then click Next.
5. Type the full path and file name of the certificate that you requested for the external interface
of the edge server (or click Browse to locate and select the certificate), and then click Next.
6. Click Finish.
7. Repeat this procedure for each edge server in your deployment that requires a certificate on
the external interface.
To assign the certificate for the external interface of the edge server
1. In Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure
Certificates for the Edge Server, click Run to start the Communications Certificate
Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Assign an existing certificate, and then
click Next.
4. On the Available Certificates page, select the certificate that you requested for the external
interface of the edge server, and then click Next.
5. On the Available certificate assignments page, select the external interface where you want
to install the certificate, and then click Next.
6. Review your settings, and then click Next to assign the certificates.
7. On the wizard completion page, click Finish.
8. Repeat this procedure for each edge server in your deployment that requires a certificate on
the external interface.
Note
The steps of these procedures are based on using a Windows
Server 2003 Enterprise CA or a Windows Server 2003 R2
Enterprise CA and using the same certification path as you did
in “Step 3.6 Set Up Certificates for the Internal Interface.” If
you are not using the same certification path, you will need to
download the certification path, install it, and verify that it is
in the list of trusted root CAs, as covered in the internal interface
procedure. For step-by-step guidance for using any other CA,
consult the documentation of the CA.
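The assignment procedures above end when the wizard reports success, but nothing yet confirms that the certificate on each interface actually carries the names that Tables 27, 29 and 30 call for, has its private key, and chains to a root the server trusts. The PowerShell script below is an added example, not part of this guide, that reads a certificate from the local computer's Personal store and performs those checks. The thumbprints are placeholders; sip.a.contoso.com, sip.b.contoso.com and InternalLB.corp.contoso.com are the guide's own sample names, and the script assumes an English Windows build, whose SAN renderer labels entries "DNS Name=".

```powershell
# Added example (not from the guide): verify an edge server certificate against the
# subject name / SAN rules in Tables 27, 29 and 30. Thumbprints are placeholders.

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is the Subject Alternative Name extension. Format($true) renders one
    # "DNS Name=<fqdn>" line per entry on English Windows (assumption: English build).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

function Test-EdgeCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [Parameter(Mandatory=$true)][string]$ExpectedSubject,  # FQDN peers connect to
        [string[]]$ExpectedSanNames = @()                       # sip.<domain> per SIP domain
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $problems = @()

    $cn = $cert.GetNameInfo('SimpleName', $false)
    if ($cn -ne $ExpectedSubject) {
        $problems += "Subject CN is '$cn'; expected '$ExpectedSubject'"
    }

    # Every SIP domain must be present as sip.<domain> in the SAN, including the one
    # in the CN: a peer that finds a SAN extension matches on it and ignores the CN.
    $san = @(Get-SanDnsNames $cert)
    foreach ($name in $ExpectedSanNames) {
        if ($san -notcontains $name.ToLowerInvariant()) { $problems += "SAN lacks '$name'" }
    }

    if (-not $cert.HasPrivateKey) {
        $problems += 'No private key in this store; the TLS listener cannot use it'
    }
    # Verify() builds the chain against this computer's trusted roots, which is what
    # installing the CA chain (step 6 of the public CA procedure) has to make possible.
    if (-not $cert.Verify()) {
        $problems += 'Certificate does not chain to a trusted root on this computer'
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Certificate expires $($cert.NotAfter)"
    }
    # TLS server use requires the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'Enhanced Key Usage does not include Server Authentication'
    }
    $problems
}

# External interface of an Access Edge Server serving a.contoso.com and b.contoso.com
# (the guide's sample domains): SN=sip.a.contoso.com, SAN covers both sip.<domain> names.
$sipDomains = 'a.contoso.com', 'b.contoso.com'
$issues = @(Test-EdgeCertificate -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' `
    -ExpectedSubject "sip.$($sipDomains[0])" `
    -ExpectedSanNames ($sipDomains | ForEach-Object { "sip.$_" }))

# Internal interface shared by the Access Edge / Web Conferencing Edge array (Table 27):
# the subject is the internal load balancer VIP FQDN, not the individual server name.
$issues += @(Test-EdgeCertificate -Thumbprint 'FEDCBA9876543210FEDCBA9876543210FEDCBA98' `
    -ExpectedSubject 'InternalLB.corp.contoso.com')

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'All certificate checks passed' }
```

Run it on each edge server after the assignment procedures, once per interface with that interface's thumbprint (visible in the Certificates MMC snap-in or in `Get-ChildItem Cert:\LocalMachine\My`). A SAN warning for an Access Edge Server means a remote user in that SIP domain will get a name-mismatch failure when connecting, which the wizard's success log does not reveal.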
Note
After using this procedure to configure DNS-based discovery,
you can use the procedures in the Office Communications
Server 2007 Administration Guide to manage the trust levels
of specific domains.
5. In the Anonymous participants box, click the global policy that you want to enforce:
• Allow users to invite anonymous participants. This policy allows all users in your
organization to invite anonymous users to meetings.
• Disallow users from inviting anonymous participants. This policy prevents all users
in your organization from inviting anonymous users to meetings.
• Enforce per user. This policy requires that you configure each individual user account
that is to be allowed to invite anonymous users (as covered in the next procedure). All
other users are prevented from inviting anonymous users.
Note
By default, the global policy does not allow Anonymous users,
unless you selected the Anonymous users option on the
Features that Will Be Enabled on this Access Edge
Server page when you configured your edge servers, as
explained in Step 3.4 earlier in this guide. You can use the
above options to change the global policy. If you choose the
Enforce per user option, the global policy prevents all users
from inviting anonymous users to participate in meetings,
except for any individual accounts that you specifically
configure to be allowed to invite anonymous users as
explained later in this section.
6. To configure a global meeting policy, do the following:
• Under Policy Settings, click the name of the policy that you want to use in the Global
policy list.
• To view or modify a policy, under Policy Definition, click the name of the policy, click
Edit, and then modify the policy, as appropriate.
7. If you chose to enforce anonymous participation using the Enforce per user setting on the
Meeting tab, use the next procedure to configure initial settings for each user that is to be
allowed to invite anonymous users.
To configure settings so an individual user can invite anonymous users
(if using the Enforce per user option)
1. Log on to an Office Communications Server 2007 Standard or Enterprise Edition server or a
server with the Office Communications Server 2007 administration tools installed as a
member of the RTCUniversalUserAdmins group or a group with equivalent user rights.
2. Open Office Communications Server 2007. Click Start, point to Programs, point to
Administrative Tools, and then click Office Communications Server 2007,
Administrative Tools.
3. In the console tree, locate the Standard Edition server node or Enterprise pool node
containing the user account that you want to enable, expand the node, and then click Users.
4. In the details pane, right-click the name of the user account that you want to allow to invite
anonymous participants, and then click Properties.
5. On the Communications tab, under Meetings, select the Allow anonymous participants
check box.
Note
This option is available only if you selected Enforce per user
option in the previous procedure.
9. On the Route External SIP Traffic page, click Route traffic through a Director, and then
click Use this pool or server as the Director for routing external traffic.
10. Click Next.
11. On the Trusted Access Edge Servers page, type the FQDN of each Access Edge Server,
clicking Add after each. If you are using an array of Access Edge Servers, type the FQDN of
the VIP of the internal load balancer. The FQDNs that you enter on this page are added to the
list of authorized Access Edge Servers on the Edge Server tab in Global Properties.
12. Under Specify the Access Edge Server that internal servers will use to route traffic,
select the FQDN of the Access Edge Server to which you want all outbound traffic routed
from your internal servers and then click Next.
13. On the Web Conferencing Edge Server page, click Next. You configure each internal
server and pool to route to the appropriate Web Conferencing Edge Server. Directors do not
route Web Conferencing traffic.
14. On the Trusted A/V Edge Servers page, enter the internal FQDN of each A/V Edge Server
authorized to connect to your internal servers. The FQDNs that you enter on this page are
added to the list of authorized A/V Edge Servers on the Edge Server tab in Global
Properties.
15. On the A/V Edge Server Used by This Server or Pool page, click Next. You configure
each internal server and pool to route to the appropriate A/V Edge Server. Directors do not
route A/V traffic.
16. On the Ready to Configure Server or Pool page, review the settings that you specified, and
then click Next to configure the Standard Edition Server.
17. When the files have been installed and the wizard has completed, verify that the View the
log when you click ‘Finish’ check box is selected, and then click Finish.
18. In the log file, verify that <Success> appears under the Execution Result column. Look for
<Success> Execution Result at the end of each task to verify Standard Edition Server
configuration completed successfully. Close the log window when you finish.
Configuring Other Internal Servers and Pools for External User
Access
Use the following procedure to configure your internal servers or pools for external access. The
procedure will vary slightly depending on whether or not you use a Director.
To connect your internal server with your edge servers
1. Log on to your internal Standard Edition Server or Enterprise pool with an account that is a
member of the RtcUniversalServerAdmins group.
2. Start the Deployment Wizard by doing one of the following:
• If you have the Office Communications Server 2007 installation CD, insert the CD. If
Setup does not start automatically, from the Start menu, click Run, type
\Setup\I386\Setup.exe, and then click OK.
• If the Office Communications Server 2007 files reside on a network share, go to the
\Setup\I386 folder, and then double-click Setup.exe.
3. Do one of the following:
• On a Standard Edition server, click Deploy Standard Edition Server.
• On an Enterprise Edition server, click Deploy Pool in a Consolidated Topology or
Deploy Pool in an Expanded Topology.
4. Next to Configure Server or Configure Pool, click Run to start the Pool/Server
Configuration Wizard.
5. On the Welcome page, click Next.
6. On the Server or Pool to Configure page, in the list, click the pool or server that you want
to configure, and then click Next.
7. Continue through the wizard, specifying the settings that are appropriate to your pool or
server configuration, until you reach the External User Access page.
8. On the External User Access Configuration page, click Configure for external user access
now.
9. On the Routing External SIP Traffic page, do one of the following:
• If you plan to route all traffic sent to and from the edge servers through a Director, click
Route traffic through a Director and, if this is the Director, select the Use this pool or
server as the Director for routing external traffic check box, click Next, and then
perform the remaining steps in this procedure.
• If you do not plan to route all traffic sent to and from the edge servers through a
Director, click Route directly to and from internal pools and servers.
10. Click Next.
11. On the Trusted Access Edge Servers page, do the following:
• In the top box, type the FQDNs of each Access Edge Server that is authorized to
connect to your internal servers and pools, clicking Add after typing each name.
• In the Specify the Access Edge Server that internal servers will use for outbound
traffic list, click the name of the Access Edge Server to which internal servers and pools
will route outbound traffic.
12. On the Web Conferencing Edge Server page, do the following:
• In Internal FQDN, type the FQDN of each internal interface that will be used by
internal servers to connect to the Web Conferencing Edge Server, clicking Add after
typing each FQDN.
• In External FQDN, type the FQDN of each external interface that will be used by
external users to connect to the Web Conferencing Edge Server, clicking Add after
typing each FQDN.
13. Click Next.
14. On the Trusted A/V Edge Servers page, type the FQDN of the internal interface that will be
used to connect to the A/V Edge Server in the FQDN box, type the port number to be used
for the internal interface in the Port box, and then click Add. Repeat for each FQDN to be
used. Servers are added to the list of authorized A/V Edge Servers on the Edge Server tab in
Global Properties.
15. On the A/V Edge Server Used by This Server or Pool page, type the FQDN of the internal
interface of the A/V Edge Server that this server or pool will use for A/V authentication. This
FQDN is added to the A/V Properties at the “pool” level for an Enterprise pool or Standard
Edition Server.
16. Click Next.
17. On the Ready to Configure Server or Pool page, review the settings that you selected, and
then click Next.
18. On the completion page, click Finish.
[Figure: an Access Edge Server array (AP1, AP2) in the perimeter network, with an external
load balancer (VIP0) in front of it and an internal load balancer (VIP1) behind it, and a
Director array (DIR1, DIR2) in the internal network behind its own load balancer (VIP2).]
In the configuration shown in the figure, the following virtual IP addresses are assigned to the
load balancers:
• VIP0 is the virtual IP address of the external interface of the Access Edge Server array (AP1
and AP2).
• VIP1 is the virtual IP address of the internal interface of the Access Edge Server array (AP1
and AP2).
• VIP2 is the virtual IP address of the Director array (DIR1 and DIR2), which is visible to the
perimeter network.
In the figure, the IP address of each network element is labeled below the network element. For
illustrative purposes, assume that the FQDN of each network element is as shown in the
following table.
The configuration of the array varies depending on whether you deploy an Enterprise pool with a
Back-End Database that contains no user data, or multiple Standard Edition Servers as an array.
The primary differences are as follows:
• The certificates that are installed on the Standard Edition Servers must have the computer
FQDN in the SUBJECT field and the FQDN of the virtual IP address of the Director in the
SUBJECT_ALT_NAME field.
• At the forest level, the global default route for federation must point to the FQDN of the
virtual IP address of the Director. In the case of an Enterprise pool, it must point to the
FQDN of the Enterprise pool.
• The default route for federation on each of the Standard Edition Servers in the Director array
must point to the FQDN of the virtual IP address of the Access Edge Server array. This
setting is configured on the Federation tab of each Standard Edition Server or Enterprise
pool. If an Enterprise pool is used as a Director, this setting is made only once, at the
pool level.
• The individual server names must be listed in the "trusted internal servers" list on the Access
Edge Servers, in addition to the FQDN of the virtual IP address of the Director.
• DNS entries must be added for each Standard Edition Server in the perimeter network, in
addition to the FQDN of the virtual IP address.
172.78.89.1 dir1.corp.contoso.com
172.78.89.2 dir2.corp.contoso.com
Note
We recommend that you use a hosts file only if the Access
Edge Server does not have access to the internal DNS server.
If there are FQDNs that the Access Edge Server is not able to
resolve, you can add them to the hosts file.
Note
The Subject line in the PolicyFileIn.Inf file must contain the
following information:
Subject="CN=FQDN of your Access Edge Server or Array;OU=ProjectName;O=CompanyName;L=City;S=fullNameofState;C=two-letter country/region abbreviation"
Most public CAs require strict compliance with the above
information.
Examples:
CN=AP1.fabrikam.com;OU=LCS;O=Fabrikam;L=Eugene;S=Oregon;C=US
CN=AParry.marketing.proseware.com;OU=LCS;O=Proseware;L=Portland;S=Maine;C=US

Field                                                  Notes
L                                                      City
S                                                      Full state or province name (no abbreviations are accepted)
C                                                      Two-letter country/region code
KeySpec = 1                                            Indicates both encryption and signing (standard TLS requirement)
KeyLength = 1024                                       Must be a power of 2 between 1024 and 4096, inclusive. Note that public CAs no longer issue certificates for 1024-bit RSA keys; use 2048 or larger.
Exportable = FALSE (single Access Edge Server)         FALSE for a single Access Edge Server
Exportable = TRUE (array of Access Edge Servers)       TRUE for an array of Access Edge Servers, so that the same certificate and private key can be installed on every member. Protect the exported key file and delete it after it has been imported.
MachineKeySet = TRUE                                   Specifies that the certificate will be put into the local computer store
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE                                  This field must be set to FALSE; otherwise, RTCSRV will not be able to use the key.
UseExistingKeySet = FALSE                              This field must be set to FALSE to generate a new private key.
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"   SCHANNEL (Windows TLS provider) requirement
ProviderType = 12                                      SCHANNEL (Windows TLS provider) requirement
RequestType = PKCS10                                   Can be PKCS10 or PKCS7. Almost all CAs accept PKCS10, so you should leave the request type as PKCS10.
KeyUsage = 0xa0                                        Similar to the KeySpec field. This value sets the digitalSignature and keyEncipherment bits, so the certificate can be used for both signing and encryption.
OID = 1.3.6.1.5.5.7.3.1                                Enhanced key usage for server authentication
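The following PowerShell script is an added example and is not part of the original guide. It writes a certreq.exe policy file with the field values from the table above, generates the PKCS10 request in the local computer store, and dumps the request so that the Subject, key length, key usage and any SUBJECT_ALT_NAME entries can be checked before the file goes to the CA. It also covers the Director-array case described earlier, where a Standard Edition Server certificate carries the computer FQDN in the Subject and the FQDN of the Director virtual IP address in the SUBJECT_ALT_NAME field. The host names, organisation values, output path and parameter names are assumptions, not values from the guide.

```powershell
<#
 Added example (not from the Office Communications Server 2007 guide).
 Generates a PolicyFileIn.inf for certreq.exe, creates the request and
 inspects it. All names and paths below are assumptions; replace them.
#>
param(
    # Subject CN: FQDN of the Access Edge Server or array (assumed name).
    [string]$SubjectFqdn = 'ap1.fabrikam.com',
    # Extra DNS names for SUBJECT_ALT_NAME, e.g. the Director array VIP FQDN
    # on a Standard Edition Director (assumed name). Empty means no SAN.
    [string[]]$SanFqdn = @(),
    # Array members share one certificate, so the private key must be exportable.
    [switch]$Array,
    # The guide shows 1024; public CAs now require at least 2048.
    [int]$KeyLength = 2048,
    [string]$OutDir = 'C:\CertRequest'
)

if (($KeyLength -band ($KeyLength - 1)) -ne 0 -or $KeyLength -lt 1024 -or $KeyLength -gt 4096) {
    throw "KeyLength must be a power of 2 between 1024 and 4096."
}

# Exportable keys are the price of an array: every member imports the same PFX.
# Protect that file and delete it once each member has imported it.
$exportable = if ($Array) { 'TRUE' } else { 'FALSE' }

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject="CN=$SubjectFqdn;OU=LCS;O=Fabrikam;L=Eugene;S=Oregon;C=US"
KeySpec=1
KeyLength=$KeyLength
Exportable=$exportable
MachineKeySet=TRUE
SMIME=FALSE
PrivateKeyArchive=FALSE
UserProtected=FALSE
UseExistingKeySet=FALSE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
RequestType=PKCS10
KeyUsage=0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"@

if ($SanFqdn.Count -gt 0) {
    # certreq SAN syntax: one dns= entry per name, each line continued with '&'.
    $inf += "`r`n[Extensions]`r`n2.5.29.17 = `"{text}`"`r`n"
    foreach ($name in $SanFqdn) {
        $inf += "_continue_ = `"dns=$name&`"`r`n"
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$infPath = Join-Path $OutDir 'PolicyFileIn.inf'
$reqPath = Join-Path $OutDir "$SubjectFqdn.req"
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Create the key pair in the local computer store and write the PKCS10 request.
certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq.exe failed with exit code $LASTEXITCODE" }

# Check the request before sending it: Subject, key length, key usage, EKU and SAN
# should match the table above and what the CA expects.
$dump = certutil.exe -dump $reqPath
$dump | Select-String -Pattern 'Subject:', 'Public Key Length', 'Key Usage',
    'Server Authentication', 'DNS Name='
```

For a single Access Edge Server, run the script with only -SubjectFqdn. For a member of a Standard Edition Director array (assumed names dir1.corp.contoso.com and dir.corp.contoso.com), run it as .\New-EdgeCertRequest.ps1 -SubjectFqdn dir1.corp.contoso.com -SanFqdn dir.corp.contoso.com -Array, so that the computer FQDN lands in the Subject, the Director VIP FQDN in the SUBJECT_ALT_NAME, and the key is exportable for the other members.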
98 Office Communications Server 2007 Edge Server Deployment Guide
Important
This procedure is an example, and it demonstrates the
process of requesting a trial certificate. The exact process may
vary, depending on your certificate provider. For production
use, you must purchase a valid certificate, not a trial
certificate.
Note
The following procedure provides steps to change these
settings on a typical network interface card. The procedure
will vary depending on your manufacturer.
9. In the Value box, change the value to three times the default value, and then click OK.
10. Under Settings, click Transmit Descriptors.