
Microsoft Office Communications Server 2007 (Public Beta) Edge Server Deployment Guide
Published: March 2007
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release.
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of
the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real
company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying
with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, Active Directory, MSN, SharePoint are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.


Contents
Contents .......... 3
Introduction .......... 1
How to Use this Guide .......... 1
Terminology .......... 2
Step 1. Get Ready for Edge Server Deployment .......... 2
Step 1.1. Decide Which Servers You Need in Your Edge Server Deployment .......... 3
Step 1.2. Choose the Deployment Topology .......... 5
Step 1.3. Establish Your Deployment Process .......... 11
Step 1.4. Verify Prerequisites .......... 12
Step 2. Set Up the Infrastructure for Edge Servers .......... 13
Step 2.1. Configure DNS .......... 14
Step 2.2. Configure Firewalls .......... 21
Step 2.3. Configure a Reverse Proxy .......... 38
Step 2.4. Configure a Director (Optional, but Recommended) .......... 44
Step 3. Set Up Edge Servers .......... 47
Step 3.1. Deploy Load Balancers .......... 47
Configuring Your Load Balancer .......... 54
Step 3.2. Install Edge Servers .......... 54
Step 3.3. Activate Edge Servers .......... 56
Step 3.4. Configure Edge Servers .......... 57
Step 3.5. Set Up Certificates for the Internal Interface .......... 61
Step 3.6. Set Up Certificates for the External Interface .......... 69
Step 3.7. Set Up Certificates for A/V Authentication .......... 76
Step 3.8. Start Services .......... 80
Step 4. Configure the Environment .......... 80
Step 4.1. Configure Federation .......... 80
Step 4.2. Configure Settings for Anonymous Users .......... 83
Step 4.3. Configure Users for Federation, Public IM Connectivity, and Remote User Access .......... 85
Step 4.4. Connect Your Internal Servers with Your Edge Servers .......... 86
Step 5. Validate Your Edge Configuration .......... 90
Appendix A: Configuring an Array of Standard Edition Servers as a Director .......... 92
Creating Certificates for an Array of Standard Edition Servers, configured as Director .......... 94
Configuring DNS Resolution for Directors on the Access Edge Server .......... 95
Configuring the FQDN of the Array on the Host Authorization List .......... 95
Appendix B: Sample Certificate .......... 96
Sample Certificate Request .......... 96
Example Using a Verisign Trial Certificate .......... 99
Appendix C: Manually Configuring a Client for Remote User Access .......... 100
Appendix D: Optimizing Your Network Interface Card for High A/V Traffic .......... 100
Introduction
If you need to communicate with users and organizations outside your internal network by using
your Microsoft® Office Communications Server 2007 (Public Beta) deployment, you need to
deploy one or more edge servers. You install edge servers in your perimeter network (also known
as a screened subnet) so that users outside your organization's firewall are authorized before they
obtain access to your Office Communications Server deployment.
This document guides you through the deployment of edge servers in your Office
Communications Server 2007 topology. You typically deploy edge servers after you have
deployed Office Communications Server in your internal network.
You can use the information in this guide to deploy your edge servers by completing the
following steps:
• Step 1. Get Ready for Edge Server Deployment. This includes deciding which edge servers
you need, meeting prerequisites, establishing your deployment process, and choosing
deployment topologies.
• Step 2. Set Up the Infrastructure for Edge Servers. This includes configuring DNS, firewalls,
and a reverse proxy, as well as configuring a Director (if appropriate).
• Step 3. Set Up Edge Servers. This includes deploying and configuring a load balancer,
individual edge servers, and certificates.
• Step 4. Configure the Environment. This includes configuring anonymous participation
settings, connecting internal servers with edge servers, and configuring users for external
connectivity (federation, remote access, and public IM connectivity).
• Step 5. Validate Your Edge Configuration. This includes validating server configuration, as
well as verifying that the edge servers can communicate with internal servers.
Additionally, you can use the information in Appendix A to configure an array of Standard
Edition servers that are connected to a load balancer as a Director.

How to Use this Guide
This document presents the step-by-step tasks you need to deploy Office Communications Server
2007 edge servers. You should complete all deployment steps in the sequence shown in this
guide.
Before starting deployment, you should use the Office Communications Server 2007 Planning
Guide to determine your deployment options and strategy. The planning guide provides an in-
depth discussion of planning considerations and guidance on designing your Office
Communications Server topology. Also, the process of deploying edge servers requires that you
perform some tasks that are described in detail in other documents, which are noted in specific
sections of this document where they are required.
2 “Office Communications Server 2007 Edge Server Deployment Guide

Terminology
Anonymous user. An external user who does not have credentials in the Active Directory®
Domain Services.
A/V. Audio/video.
Edge server. An Office Communications Server that resides in the perimeter network and
provides connectivity for external users and public IM connections. Each edge server has one or
more of the following roles: Access Edge Server, Web Conferencing Edge Server, or A/V
Edge Server.
External user. A user connecting from outside the corporate firewall. External users include
anonymous users, federated users, and remote users.
Federated user. An external user who possesses valid credentials with a federated partner and
who therefore is treated as authenticated by Office Communications Server.
Internal IP address. An IP address that is accessible from the internal network of an
organization (also referred to as a private IP address). The Computer Management and
Administration Tools for Office Communications Server use the term private for this address.
PSOM. Persistent Shared Object Model protocol. A custom protocol for transporting Web
conferencing content.
External IP address. An IP address that is accessible from an external network (a network
outside of an organization, such as the Internet). Also referred to as a public IP address. The
Computer Management and Administration Tools for Office Communications Server use the
term public for this address.
Public IP address. See External IP address.
Remote user. An external user with a persistent Active Directory identity within the
organization.
SIP. Session Initiation Protocol, a signaling protocol for Internet telephony.
Web farm. A collection of IIS servers or an IIS server hosting content.

Step 1. Get Ready for Edge Server Deployment
Before starting deployment of your edge servers, you need to complete the following steps:
1. Decide which edge server you need in your organization.
2. Choose the deployment topology that best meets the needs of your organization.
3. Establish a deployment process for how you will deploy edge servers.
4. Meet all edge server deployment prerequisites.
Appendix D Optimizing Your Network Interface Card for High A/V Traffic 3

Step 1.1. Decide Which Servers You Need in Your Edge Server Deployment
Edge servers enable your internal users and external users to communicate using Microsoft
Office Communicator or the Microsoft Office Live Meeting 2007 client. Depending on your
needs, you install edge servers in one or more of the following roles:
• Access Edge Server
• Web Conferencing Edge Server
• Audio/Video Conferencing Edge Server
In addition to these Office Communications Server 2007 roles, you might need to install a
Reverse Proxy.
The following table provides an overview of how these servers are used.
Table 1 Edge server requirements overview

Access Edge Server
Required to support: Any external user scenario, including public IM connectivity, remote user access, federation, external access to conferences, and external access to voice functionality.
Corresponding internal server required: Office Communications Server 2007 server or pool and, optionally, a Director.
Protocol: Session Initiation Protocol (SIP).

Web Conferencing Edge Server
Required to support: External Web conferencing.
Corresponding internal server required: Web Conferencing Server.
Protocol: Persistent Shared Object Model (PSOM).

A/V Edge Server
Required to support: A/V conferences with external users; point-to-point A/V calls with external users.
Corresponding internal server required: A/V Conferencing Server.
Protocol: RTP/RTCP, Simple Traversal of UDP through NAT (STUN)/

Reverse Proxy
Required to support: Group expansion, address book file download, and access to meeting content (such as slides) for Web conferencing.
Corresponding internal server required: Web server (IIS).
Protocol: HTTP(s).

Additional details about when you need each edge server are provided in the following sections.

When You Need an Access Edge Server
If you want to enable external or remote users to collaborate with any Office Communications
Server users in your organization, you must deploy an Access Edge Server, in addition to any
other edge servers and internal servers you might deploy.
The Access Edge Server provides the core functionality for collaboration between your internal
users and users outside your internal network who are using Communicator or the Live Meeting
2007 client. The Access Edge Server provides a single, trusted connection point for both
outbound and inbound Session Initiation Protocol (SIP) traffic.
Like the Microsoft Office Live Communications Server 2005 Access Proxy, the Office
Communications Server 2007 Access Edge Server enables the following capabilities:
• Federation. Internal users can communicate with external users of a federated organization
by using IM or conferencing. You can also configure federation with an audio conferencing
provider (ACP) to provide telephony integration.
• Remote user access. Remote or roaming users of your organization can access servers
running Office Communication Server from outside your intranet.
• Public IM connectivity. Employees can use IM to communicate with users of instant
messaging services that are provided by the MSN® network of Internet services, Yahoo!®,
and AOL®. Public IM connectivity requires a separate license.

When You Need a Web Conferencing Edge Server
If you want external users to participate in your internal conference meetings, you can deploy a
Web Conferencing Edge Server.
The Web Conferencing Edge Server permits external users to join on-premise meetings by using
the Live Meeting 2007 client. When your organization deploys a Web Conferencing Edge Server,
internal users can invite remote users to meetings, including users from a federated domain
(federated users) or other external users (anonymous users, who do not have an identity in the
Active Directory® Domain Services either in your organization or in a domain that is federated
with your organization).
Enterprise users and federated users are authenticated using their Active Directory credentials.
Anonymous users are authenticated by using a per-meeting conference key provided to them
inside the invitation conference organizers send. All recipients of an e-mail containing a
conference key are authenticated using the same conference key. For more information about
anonymous users, see the Office Communications Server 2007 Technical Overview.
When You Need an Audio/Video Edge Server
Add an A/V Edge Server if you want to make it possible to share audio and video with external
users, such as vendors or employees who are working from home. With an A/V Edge Server,
users can:
• Add audio and video data to meetings with external participants.
• Share audio and video directly with an external user (point-to-point).
An A/V Edge Server provides a single, trusted connection point through which media traffic
enters and exits your network. The A/V Edge Server also provides remote connectivity through
any intermediate network address translation (NAT) devices and firewalls.

Step 1.2. Choose the Deployment Topology
Office Communications Server 2007 supports a variety of topologies for edge server deployment.
This section describes the supported topologies and explains the considerations for choosing the
edge server topology that best addresses the needs of your organization, as well as for deploying
components in the internal topology to support edge servers.
The size, geographical distribution, and needs of your organization are the primary determinants
of which edge server topology is most appropriate for your organization. This section describes
technical considerations for locating edge servers and the various edge server topologies and
considerations for choosing the topology that is best suited for your organization.
Although your business requirements should drive your topology decisions, your decisions
should also take into account the following technical considerations:
• A single server can provide multiple edge server roles.
• A load balancer is required to support multiple Access Edge Servers, multiple Web
Conferencing Edge Servers, and multiple A/V Edge Servers.
• Each edge server role requires a single external interface to which users can connect by
using the fully qualified domain name (FQDN).
• The external IP address of the A/V Edge Server must be a publicly routable external IP address
that external parties can contact directly.

Note
To conform to the requirement of a publicly routable IP
address of the A/V Edge Server, the external firewall of
the perimeter network must not act as a NAT (Network
Address Translator) for this IP address.

• To prevent port conflicts, if multiple edge servers (such as an A/V Edge Server and a Web
Conferencing Edge Server) are collocated on a single computer, each edge server should
have its own external IP address.
• Each collocated edge server must use a unique port and IP address combination.
• If you configure the Access Edge Server, A/V Edge Server, or Web Conferencing Edge
Server to use a port other than 443, an attempt by a remote user to sign in by using Office
Communicator 2007 or to join a conference from within another organization’s intranet may
fail. This situation can occur because many organizations prevent traffic traveling through
their firewall over non-default ports.
The following table summarizes the supported edge server topologies, which are listed in order
of increasing complexity.

Table 2 Supported Edge Server Topologies

Consolidated Edge Topology: The Access Edge Server, Web Conferencing Edge Server, and A/V Edge Server are collocated on a single computer.

Single-Site Edge Topology: The Access Edge Server and Web Conferencing Edge Server are collocated. The A/V Edge Server is on a separate computer.

Scaled Single-Site Edge Topology: Two or more Web Conferencing and Access Edge Servers are collocated and load balanced. Two or more A/V Edge Servers are each installed on separate computers and load balanced.

Multiple-Site Edge Topology:
In the data center:
• The Web Conferencing Edge Server and Access Edge Server are collocated and load balanced.
• Two or more A/V Edge Servers are each installed on separate computers and load balanced.
In each remote location, either:
• The Web Conferencing Edge Server should be on a dedicated computer.
• The A/V Edge Server should be on a dedicated computer.
or:
• Two or more A/V Edge Servers are each installed on separate computers and load balanced.
• Two or more Web Conferencing Edge Servers are each installed on separate computers and load balanced.
Consolidated Edge Topology
The consolidated edge topology is appropriate for small organizations.
In the consolidated edge topology, all three edge server roles (Access Edge Server, Web
Conferencing Edge Server, and A/V Edge Server) are collocated on a single physical computer.
This topology offers:
• Reduced server cost.
• Ease of deployment and administration.
This topology does not:
• Scale easily.
• Provide load balancing.
• Provide high availability.

Note
To avoid port conflicts when running all server roles on a
single computer, use a different IP address for each server
role.

The following figure illustrates the consolidated edge topology.

Figure 1. Consolidated edge topology


Single-Site Edge Topology
The single-site edge topology is appropriate for medium to large organizations.
In the single-site edge topology:
• The Access Edge Server and Web Conferencing Edge Server are collocated on a single
physical computer.
• The A/V Edge Server is installed on a separated dedicated computer.
This topology is recommended because it offers:
• Flexibility.
• Efficient bandwidth utilization (because the A/V Edge Server, which uses the most
bandwidth, is on a separate computer).
• The fewest number of computers to manage.
This topology does not:
• Scale easily.
• Provide load balancing.
• Provide high availability.
Figure 2 illustrates the single-site edge topology.

[Figure 2: diagram showing the Internet, the A/V Edge Server, the collocated Access Edge Server and Web Conferencing Edge Server, and the internal deployment]

Figure 2. Single-site edge topology


Scaled Single-Site Edge Topology
The scaled single-site edge topology is appropriate for large organizations.
This topology is recommended because it:
• Provides load balancing.
• Provides high availability
• Scales easily.
The scaled single-site edge topology is the single-site edge topology scaled out in the following
ways:
• A load balancer is connected to two or more computers, with Access Edge Server and Web
Conferencing Edge Server collocated on each computer.
• Another load balancer is connected to two or more separate computers, each of which serves
as an A/V Edge Server.
Figure 3 illustrates the scaled single-site edge topology.

[Figure 3: diagram showing the Internet, load balanced A/V Edge Servers, load balanced collocated Access Edge Servers and Web Conferencing Edge Servers, and the internal deployment]

Figure 3. Scaled single-site edge topology


Multiple-Site Edge Topology
The multiple-site edge topology is appropriate for organizations with remote sites that are
geographically dispersed and are connected by using a WAN.
In the multiple-site edge topology, you integrate remote locations into a scaled topology by
deploying:
• The scaled topology in your data center (as specified in the scaled single-site edge topology).
• Local A/V Conferencing and Web Conferencing Edge Servers and a local Standard Edition
server or pool in each remote location.
In this topology, traffic from remote or federated users in the remote location travels across the
WAN only to contact the Access Edge Server for authentication and instant messaging and
presence, which incurs lower bandwidth cost. The Access Edge Server returns the local pool or
Standard Edition Server for users at the remote site, and the pool or server points the user to the
local A/V or Web Conferencing Edge Server. A/V traffic and traffic from the Web Conferencing
Server remain local, which results in a better user experience and lower bandwidth usage of the
WAN.
Figure 4 illustrates a multiple-site edge topology.

[Figure 4: diagram of a data center with an A/V Edge Server, load balanced collocated Access Edge Servers and Web Conferencing Edge Servers, and the internal deployment (logon traffic from the Internet), plus a remote site with its own A/V Edge Server, Web Conferencing Edge Server, and internal deployment]

Figure 4. Multiple-site edge topology


In the remote office, you can also scale the edge topology to provide high availability for external
access. In a scaled edge topology of a remote office, one or more A/V Edge Servers are deployed
on dedicated servers and Web Conferencing Edge Servers are deployed on separate dedicated
computers. All edge servers are connected to a hardware load balancer.
Scaled Remote Site Edge Topology
As a variation to the multiple-site edge topology, if you have large remote sites or want to enable
high availability in these sites, you can scale the topology in the remote sites by load-balancing
your Web Conferencing Edge Servers and your A/V Edge Servers in a topology similar to the
following.

Connecting to Internal Servers
When you deploy an Access Edge Server, you can connect it to your internal network
components in either of the following ways:
• Connecting directly to an internal server or Enterprise pool.
• Using a Director. A Director is optional but is strongly recommended in all topologies that
involve connections across the Internet, especially those that support remote users. The
Director is an Office Communications Server 2007 server that does not host users but that,
as a member of an Active Directory domain, has access to Active Directory for purposes of
authenticating remote users and routing traffic to the appropriate server or Enterprise pool.
By authenticating inbound SIP traffic from remote users, the Director helps insulate home
servers and Enterprise pools from potentially malicious traffic, while relieving them of the
overhead of performing authentication.
You can deploy either a single Director or an array of Directors behind a load balancer. In a large
deployment with significant external traffic, the load balancer provides a significant
improvement in performance.

Step 1.3. Establish Your Deployment Process
Your deployment process should contain all the details that are required to deploy your edge
servers, including what you want to deploy and how to deploy all components. You can use this
guide as the starting point for your deployment process, tailoring it as appropriate to your
deployment needs.
To enhance edge server performance and security, as well as to facilitate deployment, use the
following guidelines when establishing your deployment process:
• Deploy edge servers only after you have finished deploying Office Communications
Server 2007 inside your organization, unless you are migrating from Microsoft® Office Live
Communications Server 2005 with Service Pack 1 to Microsoft Office Communications
Server 2007. For information about the migration process, see Migrating to Office
Communications Server 2007.
• Deploy edge servers in a workgroup rather than a domain. Doing so simplifies installation
and keeps the Active Directory® Domain Services out of the perimeter network. Locating
Active Directory in the perimeter network can present a significant security risk.
• Deploy your edge servers in a staging or lab environment before deploying them in your
production environment. Deploy the edge servers in your perimeter network only when you
are satisfied that the test deployment meets your requirements and that it can be incorporated
successfully in a production environment.
• Deploy at least one Director to act as an authentication gateway for inbound external traffic.
• Deploy edge servers on dedicated computers that do not run anything that is not required.
This includes disabling unnecessary services and running only essential programs on the
computer, such as programs embodying routing logic that are developed by using MSPL
(Microsoft SIP Processing Language) and the Office Communications Server API.
• Enable monitoring and auditing as early as possible on the computer.
• Use a computer that has two network adapters to provide physical separation of the internal
and external network interfaces.
• Deploy the edge server between two firewalls (an internal firewall and an external firewall)
to ensure strict routing from one network edge to the other.
In addition to these recommendations, your edge server deployment process should build on the
information provided in the Microsoft Office Communications Server 2007
Planning Guide and the topology information in the following section of this guide.

Step 1.4. Verify Prerequisites
Before you deploy your edge servers, ensure that your IT infrastructure, network, and systems
meet the following requirements:
• Each computer that you plan to use as an edge server is running one of the following
operating systems:
• Microsoft Windows Server® 2003, Standard Edition, Service Pack 1 or later
• Windows Server 2003, Enterprise Edition, Service Pack 1 or later
• Windows Server 2003, Datacenter Edition, Service Pack 1 or later
• Microsoft Windows Server® 2003 R2, Standard Edition, Service Pack 1 or later
• Windows Server 2003 R2, Enterprise Edition, Service Pack 1 or later
• Windows Server 2003 R2, Datacenter Edition, Service Pack 1 or later
• All hardware for your edge server meets the recommended system requirements as
documented in the Office Communications Server 2007 Planning Guide.
• PKI (Public Key Infrastructure) is deployed and configured to use a certification authority
(CA) infrastructure that is provided by either Microsoft or another provider.
• A perimeter network that supports the assignment of a publicly routable IP address to A/V
Edge Servers.
• Your perimeter firewalls can support opening the ports that are described in the following
section.
• A reverse HTTP proxy is deployed in your perimeter network and can be configured as
described in “Configuring a Reverse Proxy” later in this document.
• All users that require any of the new functionality that is provided by an Office
Communications Server 2007 edge server install the Live Meeting 2007 client and
Communicator 2007.

Audio/Video Requirements
The following section summarizes some key requirements for audio/video in an Office
Communications Server deployment:
• We recommend that A/V Conferencing Servers and A/V Edge Servers be deployed on a 1GB
Ethernet LAN.
• We recommend that you run the Quality of Service scheduler on each A/V Conferencing
Server or A/V Edge Server to monitor audio and video traffic flow across the network.
• If you anticipate a high volume of audio/video traffic or experience packet loss after you
deploy, use Appendix D, “Optimizing Your Network Interface Card,” to optimize A/V traffic
flow.

Step 2. Set Up the Infrastructure for Edge Servers
Before deploying your edge servers, you need to set up your infrastructure to support the edge
server deployment. To set up the infrastructure, use the procedures in this section to do the
following:
• Configure DNS
• Configure the firewalls
• Configure a reverse proxy
• Configure a Director (optional)

Step 2.1. Configure DNS
As covered earlier in this document, when collocating multiple server roles on a single computer,
you should use a separate external IP address for each role. Specific DNS settings must be
configured on each external and internal interface of each edge server. In general, this includes
configuring DNS records to point to appropriate servers in the internal network and configuring
DNS records as appropriate for each edge server.

Note
To prevent DNS SRV spoofing and ensure that certificates
provide valid ties from the user URI to real credentials, Office
Communications Server 2007 requires that the name of the
DNS SRV domain match the server name on the certificate.
The subject name (SN) must point to sip.<domain>.com.
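The following example is added here to illustrate the client-side consequences of the DNS rules in this section; it is not code from the guide or from Office Communications Server. It models what a client does when it locates the Access Edge Server for a SIP domain: it picks the SRV record with the lowest numeric priority and highest weight (the rule stated in Table 3), falls back to the sip.<domain> A record when no SRV record exists, and, as a guard against a spoofed SRV answer, accepts a target only if its name lies inside the SIP domain and matches the subject name of the certificate the server presents (this last check is an assumed reading of the Note above). The zone data uses the fictitious domains contoso.com and fabrikam.com and is constructed for the example; the function names are the example's own.

```python
"""Added example (not from the guide): Access Edge Server discovery and
the SRV-spoofing guard, run offline against constructed zone data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN the SRV record points at


# Constructed sample zone data: an offline stand-in for real DNS answers.
SAMPLE_ZONE: Dict[str, list] = {
    "_sip._tls.contoso.com": [
        SrvRecord(priority=10, weight=100, port=443, target="sip.contoso.com"),
        SrvRecord(priority=20, weight=0, port=443, target="sip2.contoso.com"),
    ],
    "_sipfederationtls._tcp.contoso.com": [
        SrvRecord(priority=0, weight=0, port=5061, target="sip.contoso.com"),
    ],
    # fabrikam.com publishes no _sip._tls SRV record, so a client must fall back.
    "sip.contoso.com": ["203.0.113.10"],
    "sip.fabrikam.com": ["203.0.113.20"],
}


def select_srv(records: List[SrvRecord]) -> Optional[SrvRecord]:
    """Selection rule from Table 3: the lowest numeric priority wins; among
    records with equal priority, the highest numeric weight wins."""
    if not records:
        return None
    return min(records, key=lambda r: (r.priority, -r.weight))


def discover_access_edge(sip_domain: str,
                         zone: Dict[str, list] = SAMPLE_ZONE
                         ) -> Optional[Tuple[str, int, str]]:
    """Return (host, port, how) for the Access Edge Server of sip_domain,
    where how is 'srv' or 'a-fallback'; None when nothing resolves."""
    chosen = select_srv(zone.get(f"_sip._tls.{sip_domain}", []))
    if chosen is not None:
        return chosen.target, chosen.port, "srv"
    fallback = f"sip.{sip_domain}"
    if zone.get(fallback):
        # No SRV record: the guide's fallback is the sip.<domain> A record on 443.
        return fallback, 443, "a-fallback"
    return None


def target_is_trustworthy(target_fqdn: str, sip_domain: str,
                          cert_subject: str) -> bool:
    """Guard against a spoofed SRV answer (assumed reading of the Note):
    the SRV target must lie inside the SIP domain, and the certificate the
    server presents must carry that exact name as its subject."""
    inside_domain = target_fqdn.lower().endswith("." + sip_domain.lower())
    name_matches = cert_subject.lower() == target_fqdn.lower()
    return inside_domain and name_matches


if __name__ == "__main__":
    for domain in ("contoso.com", "fabrikam.com", "example.net"):
        print(domain, "->", discover_access_edge(domain))
    # A redirect to a host outside the SIP domain is rejected even if the
    # attacker-controlled host presents a certificate for its own name.
    print(target_is_trustworthy("sip.attacker.example", "contoso.com",
                                "sip.attacker.example"))
```

In a real deployment the zone dictionary would be replaced by live SRV and A lookups, and the subject-name comparison would be made against the certificate received during the TLS handshake; the ordering of the checks (domain membership first, then exact name match) is what keeps a tampered SRV answer from steering sign-in traffic to a host outside your SIP domain.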

The actual DNS records required depend on which edge servers you deploy and on your
deployment topology, as covered in this section. The following tables provide details about each
DNS record required for each topology.
The following table describes the DNS records that must be configured for the external interface
and the internal interface of edge servers in the consolidated edge topology.

Note
The port numbers referenced in the following tables and later
in this document are typically the default ports. If you use
different port settings, you will need to modify the procedures
in this guide accordingly.
Table 3 DNS records for the consolidated edge topology

Internal/External: External
Server: Collocated Access Edge Server, Web Conferencing Edge Server, and A/V Edge Server
DNS record settings:
An external SRV record for all Access Edge Servers that points to _sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the SIP domain of your organization). This SRV should point to an A record with the FQDN of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each. This is required only if enabling enhanced federation or public IM connectivity.
A DNS SRV (service location) record for _sip._tls.<domain>, over port 443, where <domain> is the name of your organization's SIP domain. This SRV record must point to the A record of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each. This SRV record supports automatic configuration for remote users for instant messaging and conferencing.
Note: Configuring multiple SRV records for the same SIP domain is not supported. If multiple DNS records are returned to a DNS SRV query, the Access Edge Server will always pick the DNS SRV record with the lowest numerical priority and highest numerical weight.
For each supported SIP domain in your organization, an external A record for sip.<domain>.com that resolves to the external IP address of the Access Edge Server for each SIP domain. If a client cannot perform an SRV record lookup to connect to the Access Edge Server, it will use this A record as a fallback.
An external DNS A record that resolves the external name of the Web Conferencing Edge Server to the external IP address of the Web Conferencing Edge Server.
An external DNS A record that resolves the external name of the A/V Edge Server to the external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.

Internal/External: External
Server: Reverse proxy
DNS record settings: An external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy.

Internal/External: Internal
Server: Collocated Access Edge Server, Web
DNS record settings: An internal DNS A record that resolves the internal FQDN of the edge server to the internal IP address of the edge server. Office Communications Server 2007 servers
Conferencing within the organization use this DNS A record to connect
Edge Server, to the internal interface of the edge server.
and A/V Edge
Server
Appendix D Optimizing Your Network Interface Card for High A/V Traffic 17

The following table describes the DNS records that must be configured for the external interface
and the internal interface of edge servers in the single-site edge topology.
Table 4 DNS records for the single-site edge topology

External interface, collocated Access Edge Server and Web Conferencing Edge Server:
• An external DNS SRV record for all Access Edge Servers that points to _sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the SIP domain of your organization). This SRV should point to an A record with the external FQDN of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each SIP domain.
• An external DNS SRV (service location) record for _sip._tls.<domain>, over port 443, where <domain> is the name of your organization’s SIP domain. This SRV record must point to the A record of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each. This SRV record supports federated partners and remote access by means of direct connection to the Access Edge Server.
Note: Configuring multiple SRV records for the same SIP domain is not supported. If multiple DNS records are returned to a DNS SRV query, the Access Edge Server will always pick the DNS SRV record with the lowest numerical priority and highest numerical weight.
• For each supported SIP domain in your organization, an external DNS A record for sip.<domain>.com that points to the external IP address of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each. If a client cannot perform an SRV record lookup to connect to the Access Edge Server, it will use this A record as a fallback.
• An external DNS A record that resolves the external FQDN of the Web Conferencing Edge Server to its external IP address.

External interface, A/V Edge Server:
• An external DNS A record that resolves the external FQDN of the A/V Edge Server to its external IP address. This IP address must be a publicly routable IP address.

External interface, reverse proxy:
• An external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy.

Internal interface, collocated Access Edge Server and Web Conferencing Edge Server:
• An internal DNS A record that resolves the internal FQDN of the collocated Access Edge Server and Web Conferencing Edge Server to its internal IP address.

Internal interface, A/V Edge Server:
• An internal DNS A record that resolves the internal FQDN of the A/V Edge Server to its internal IP address.

The following table describes the DNS records that must be configured for the external interface
and the internal interface of edge servers in the scaled single-site edge topology.
Table 5 DNS records for the scaled single-site edge topology

External interface, Access Edge Server and Web Conferencing Edge Server:
• An external DNS SRV record for all Access Edge Servers that points to _sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the SIP domain of your organization). This SRV should point to an A record with the external FQDN of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each.
• An external DNS SRV (service location) record for _sip._tls.<domain>, over port 443, where <domain> is the name of your organization’s SIP domain. This SRV record must point to the A record of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each. This SRV record supports federated partners and remote access by means of direct connection to the Access Edge Server.
Note: Configuring multiple SRV records for the same SIP domain is not supported. If multiple DNS records are returned to a DNS SRV query, the Access Edge Server will always pick the DNS SRV record with the lowest numerical priority and highest numerical weight.
• For each supported SIP domain in your organization, an external A record for sip.<domain>.com that points to the virtual IP address used by the Access Edge Server on the external load balancer. If a client cannot perform an SRV record lookup to connect to the Access Edge Server, it uses this A record as a fallback.
• An external DNS A record that resolves the external FQDN of the Web Conferencing Edge Server array to the VIP address used by the Web Conferencing Edge Server array on the external load balancer.

External interface, A/V Edge Server:
• An external DNS A record that resolves the external FQDN of the A/V Edge Server array to the virtual IP address used by the A/V Edge Servers on the external load balancer on the external edge.

External interface, reverse proxy:
• An external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy.

Internal interface, Access Edge Server and Web Conferencing Edge Server:
• An internal DNS A record that resolves the internal FQDN of the Access Edge Server array to the virtual IP address used by the Access Edge Servers on the internal load balancer.
• An internal DNS A record that resolves the internal FQDN of each Web Conferencing Edge Server to its internal IP address.

Internal interface, A/V Edge Server:
• An internal DNS A record that resolves the internal FQDN of the A/V Edge Server array to the virtual IP address used by the A/V Edge Servers on the internal load balancer.

The data center configuration for the multiple-site edge topology is the same as that for the
scaled single-site edge topology, but additional configuration is required for the remote site. The
following table describes the DNS records that must be configured for the external interface and
the internal interface of edge servers in the remote site of the multiple-site edge topology.
Table 6 DNS records for the multiple-site edge topology remote site

External interface, Web Conferencing Edge Server (remote site):
• An external DNS A record that resolves the external FQDN of the Web Conferencing Edge Server in the remote site to its external IP address.

External interface, A/V Edge Server (remote site):
• An external DNS A record that resolves the external FQDN of the A/V Edge Server in the remote site to its external IP address. This IP address must be a publicly routable IP address.

External interface, reverse proxy (remote site):
• An external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy.

Internal interface, Web Conferencing Edge Server (remote site):
• An internal DNS A record that resolves the internal FQDN of the Web Conferencing Edge Server in the remote site to its internal IP address.

Internal interface, A/V Edge Server (remote site):
• An internal DNS A record that resolves the internal FQDN of the A/V Edge Server to its internal IP address.
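The record requirements in Tables 3 through 6 can be checked against a planned zone before anything is published. The following Python script is an added example and is not part of this guide or of Office Communications Server: it encodes the checks the tables state (the _sip._tls SRV on port 443, the _sipfederationtls._tcp SRV on port 5061 when federation or public IM connectivity is enabled, an A record for every SRV target, the sip.<domain> fallback A record, the certificate name matching the SRV domain) and applies the stated selection rule when several SRV records are returned. It assumes that the guide’s "sip.<domain>.com" means sip.<SIP domain> (sip.contoso.com for the SIP domain contoso.com); all zone data, names and addresses in it are constructed.

```python
"""Offline check of the external DNS records for the Access Edge Server.

Added example; not part of the deployment guide. The checks encode the record
requirements of Tables 3 to 6. Assumption: the guide's "sip.<domain>.com" is
read as sip.<SIP domain>. All zone data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    name: str       # owner name, e.g. "_sip._tls.contoso.com"
    priority: int
    weight: int
    port: int
    target: str     # FQDN that must have an A record


def select_srv(records: List[SrvRecord]) -> Optional[SrvRecord]:
    """The record the Access Edge Server picks when several are returned:
    lowest numerical priority, then highest numerical weight (Table 3 note)."""
    if not records:
        return None
    return min(records, key=lambda r: (r.priority, -r.weight))


def validate_sip_domain(domain: str, srv: List[SrvRecord], a: Dict[str, str],
                        cert_names: List[str], federation: bool) -> List[str]:
    """Return findings for one SIP domain; an empty list means the records match the guide."""
    findings: List[str] = []
    a_names = {n.lower() for n in a}

    def check_srv(name: str, port: int, purpose: str) -> None:
        matches = [r for r in srv if r.name.lower() == name.lower()]
        if not matches:
            findings.append(f"missing SRV {name} ({purpose})")
            return
        if len(matches) > 1:
            chosen = select_srv(matches)
            findings.append(f"multiple SRV records for {name} are not supported; "
                            f"the Access Edge Server would use {chosen.target} "
                            f"(priority {chosen.priority}, weight {chosen.weight})")
        for r in matches:
            if r.port != port:
                findings.append(f"SRV {name} uses port {r.port}; the guide expects {port}")
            if r.target.lower() not in a_names:
                findings.append(f"SRV {name} target {r.target} has no A record")

    check_srv(f"_sip._tls.{domain}", 443, "remote user access")
    if federation:
        check_srv(f"_sipfederationtls._tcp.{domain}", 5061, "enhanced federation / public IM")
    fallback = f"sip.{domain}"
    if fallback.lower() not in a_names:
        findings.append(f"missing fallback A record {fallback}")
    # The SRV domain must match the name on the Access Edge Server certificate.
    if fallback.lower() not in {n.lower() for n in cert_names}:
        findings.append(f"certificate does not carry {fallback}")
    return findings


# Constructed zone snapshot: two SIP domains served by one Access Edge Server.
SAMPLE_A = {
    "sip.contoso.com": "203.0.113.10",          # fallback, external IP of the Access Edge Server
    "accessedge.contoso.com": "203.0.113.10",
    "webconf.contoso.com": "203.0.113.11",
    "av.contoso.com": "203.0.113.12",           # must be publicly routable
}
SAMPLE_SRV = [
    SrvRecord("_sip._tls.contoso.com", 0, 0, 443, "accessedge.contoso.com"),
    SrvRecord("_sipfederationtls._tcp.contoso.com", 0, 0, 5061, "accessedge.contoso.com"),
    # fabrikam.com: two _sip._tls records (unsupported), no federation SRV, no fallback A record
    SrvRecord("_sip._tls.fabrikam.com", 10, 5, 443, "accessedge.contoso.com"),
    SrvRecord("_sip._tls.fabrikam.com", 0, 1, 443, "edge2.fabrikam.com"),
]
SAMPLE_CERT_NAMES = ["sip.contoso.com", "accessedge.contoso.com"]


def validate_plan(domains: List[str], federation: bool = True) -> Dict[str, List[str]]:
    """Run the checks for every SIP domain in the organization."""
    return {d: validate_sip_domain(d, SAMPLE_SRV, SAMPLE_A, SAMPLE_CERT_NAMES, federation)
            for d in domains}


if __name__ == "__main__":
    for domain, findings in validate_plan(["contoso.com", "fabrikam.com"]).items():
        print(domain, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it once per SIP domain before cutting the zone over; the fabrikam.com entries show how a duplicated SRV record is reported together with the record the Access Edge Server would actually use, which is the value to compare against the certificate you intend to install.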

Step 2.2. Configure Firewalls


Configuring firewalls includes configuring both of the following:
• Internal firewall between the perimeter network and your internal network.
• External firewall between the perimeter network and the Internet.
How you configure your firewalls depends largely on the specific firewalls you use in your
organization, but each firewall also has common configuration requirements that are specific to
Office Communications Server 2007. Follow the manufacturer’s instructions for configuring
each firewall, along with the information in this section, which describes the settings that must be
configured on the two firewalls.
The following figure shows the default firewall ports for each server in the perimeter network.
Figure 5 Firewall ports for the perimeter network

The following sections provide additional information about each port to be configured for each
server role in each topology, as well as a mapping of the numbers in the previous figure to the
respective port descriptions.
In the following tables, the direction for firewall policy rules that is indicated as outbound is
defined as follows:
• On the internal firewall, it corresponds to traffic from servers on the internal (private)
network to the edge server in the perimeter network.
• On the external firewall, it corresponds to traffic from the edge server in the perimeter
network to the Internet.

Consolidated Edge Topology Firewall Policy Rules


The following tables explain the firewall policy rules that are required on each server in the
perimeter network when you deploy edge servers in the consolidated edge topology.
The following describes the firewall policy to be configured for the reverse proxy.
Table 7 Firewall Settings for the Reverse Proxy

Internal firewall (figure mapping 2):
Local Port: 443 TCP (SIP/TLS)
Direction: Inbound (for external user access to Web conferences)
Remote Port: Any
Local IP: The internal IP address of the reverse proxy
Remote IP: Any

External firewall (figure mapping 1):
Local Port: 443 TCP (HTTP(S))
Direction: Inbound
Remote Port: Any
Local IP address: The external IP address of the HTTP reverse proxy
Remote IP: Any
Note: If you want your users to be able to connect from inside your intranet to external conferences hosted by other companies, then you will also need to open port 443 outbound.

The following table describes the firewall policy rules to be configured for the Access Edge
Server.
Table 8 Firewall Settings for the Access Edge Server

Internal firewall (figure mapping 5):
Local Port: 5061 TCP (SIP/MTLS)
Direction: Inbound (for remote user access and federation)
Remote Port: Any
Local IP address: The internal IP address of the Access Edge Server
Remote IP: The IP address of the next hop server. If a Director is deployed, use the IP address of the Director or VIP of the load balancer, if the Directors are load balanced.

Internal firewall (figure mapping 5):
Local Port: 5061 TCP (SIP/MTLS)
Direction: Outbound (for remote user access and federation)
Remote Port: Any
Local IP address: The internal IP address of the Access Edge Server
Remote IP: If no Director is deployed, you must use any IP address. If a Director is deployed, use the IP address of the Director or VIP of the load balancer, if the Directors are load balanced.

External firewall (figure mapping 3):
Local Port: 5061 TCP (SIP/MTLS)
Direction: Inbound/Outbound (federation)
Remote Port: Any
Local IP: The external IP address of the Access Edge Server
Remote IP: Any IP address

External firewall (figure mapping 4):
Local Port: 443 TCP (SIP/TLS)
Direction: Inbound (for remote user access)
Remote Port: Any
Local IP: The external IP address of the Access Edge Server
Remote IP: Any IP address

The following table describes the firewall policy rules to be configured for the Web Conferencing
Edge Server.

Note
PSOM is the Microsoft proprietary protocol used for Web
conferencing.

Table 9 Firewall Settings for the Web Conferencing Edge Server

Internal firewall (figure mapping 7):
Local Port: 8057 TCP (PSOM/MTLS)
Direction: Outbound (for traffic between internal Web Conferencing Servers and the Web Conferencing Edge Servers)
Remote Port: Any
Local IP: The internal IP address of the Web Conferencing Edge Server
Remote IP: Any IP address

External firewall (figure mapping 6):
Local Port: 443 TCP (PSOM/TLS)
Direction: Inbound (for access of remote, anonymous, and federated users to internal Web conferences)
Remote Port: Any
Local IP: The external IP address of the Web Conferencing Edge Server
Remote IP: Any IP address

The following table describes the firewall policy rules to be configured for the A/V Edge Server.
Table 10 Firewall Settings for the A/V Edge Server

Internal firewall (figure mapping 12):
Local Port: 443 TCP (STUN/TCP)
Direction: Outbound (for internal users to send media to external users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server
Remote IP: Any IP address

Internal firewall (figure mapping 13):
Local Port: 5062 TCP (SIP/MTLS)
Direction: Outbound (for authentication of A/V users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server
Remote IP: Any IP address

Internal firewall (figure mapping 14):
Local Port: 3478 UDP (STUN/UDP)
Direction: Outbound (for internal users to send media to external users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server
Remote IP: Any IP address
Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.

External firewall (figure mapping 8):
Local Port: 443 TCP (STUN/TCP)
Direction: Inbound (for external users’ access to media and A/V sessions)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server
Remote IP: Any IP address

External firewall (figure mapping 9):
Local Port Range: 50,000-52,999 TCP (RTP/TCP)
Direction: Inbound/Outbound (for media transfer)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
Remote IP: Any IP address

External firewall (figure mapping 10):
Local Port: 3478 UDP (STUN/UDP)
Direction: Inbound (for external users connecting to media or A/V sessions)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server
Remote IP: Any IP address
Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.

External firewall (figure mapping 11):
Local Port Range: 50,000-52,999 UDP (RTP/UDP)
Direction: Inbound/Outbound (for media transfer)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
Remote IP: Any IP address
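The rules in Tables 7 through 10 lend themselves to an automated cross-check before a change is pushed to the firewalls. The following Python script is an added example and is not part of this guide or of Office Communications Server: it transcribes those tables as data at their default ports and audits a planned rule set against them, reporting rules the tables require but the plan lacks, rules the plan opens that no table calls for, and rules that cover a required rule but with a wider port range or an extra direction (for instance an RTP range opened beyond 50,000-52,999). Local and remote IP scoping is left out of the comparison because those values are site specific; the sample plan and the mistakes in it are constructed.

```python
"""Audit a planned firewall rule set against the consolidated edge topology tables.

Added example; not part of the deployment guide. CONSOLIDATED_EDGE_RULES
transcribes Tables 7 to 10 at their default ports. IP scoping is not compared
(site specific). The sample plan is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    firewall: str           # "internal" or "external"
    server: str             # edge role the rule belongs to
    proto: str              # "TCP" or "UDP"
    ports: Tuple[int, int]  # inclusive local port range
    direction: str          # "Inbound", "Outbound" or "Inbound/Outbound"
    purpose: str = ""

    def covers(self, other: "Rule") -> bool:
        """True if this rule permits at least everything `other` permits."""
        return (self.firewall == other.firewall and self.server == other.server
                and self.proto == other.proto
                and set(other.direction.split("/")) <= set(self.direction.split("/"))
                and self.ports[0] <= other.ports[0] and self.ports[1] >= other.ports[1])


# Tables 7 to 10, consolidated edge topology, default ports.
CONSOLIDATED_EDGE_RULES: List[Rule] = [
    Rule("internal", "Reverse proxy", "TCP", (443, 443), "Inbound", "external user access to Web conferences"),
    Rule("external", "Reverse proxy", "TCP", (443, 443), "Inbound", "HTTP(S) publishing"),
    Rule("internal", "Access Edge Server", "TCP", (5061, 5061), "Inbound/Outbound", "SIP/MTLS to next hop or Director"),
    Rule("external", "Access Edge Server", "TCP", (5061, 5061), "Inbound/Outbound", "SIP/MTLS federation"),
    Rule("external", "Access Edge Server", "TCP", (443, 443), "Inbound", "SIP/TLS remote user access"),
    Rule("internal", "Web Conferencing Edge Server", "TCP", (8057, 8057), "Outbound", "PSOM/MTLS from Web Conferencing Servers"),
    Rule("external", "Web Conferencing Edge Server", "TCP", (443, 443), "Inbound", "PSOM/TLS for remote, anonymous, federated users"),
    Rule("internal", "A/V Edge Server", "TCP", (443, 443), "Outbound", "STUN/TCP"),
    Rule("internal", "A/V Edge Server", "TCP", (5062, 5062), "Outbound", "SIP/MTLS A/V authentication"),
    Rule("internal", "A/V Edge Server", "UDP", (3478, 3478), "Outbound", "STUN/UDP"),
    Rule("external", "A/V Edge Server", "TCP", (443, 443), "Inbound", "STUN/TCP"),
    Rule("external", "A/V Edge Server", "TCP", (50000, 52999), "Inbound/Outbound", "RTP/TCP media"),
    Rule("external", "A/V Edge Server", "UDP", (3478, 3478), "Inbound", "STUN/UDP"),
    Rule("external", "A/V Edge Server", "UDP", (50000, 52999), "Inbound/Outbound", "RTP/UDP media"),
]


def audit(planned: List[Rule], expected: List[Rule] = CONSOLIDATED_EDGE_RULES) -> Dict[str, list]:
    """Compare a planned rule set with the rules the tables require."""
    missing = [e for e in expected if not any(p.covers(e) for p in planned)]
    unexpected = [p for p in planned if not any(p.covers(e) for e in expected)]
    wider = [(p, e) for p in planned for e in expected
             if p.covers(e) and (p.ports != e.ports or p.direction != e.direction)]
    return {"missing": missing, "unexpected": unexpected, "wider": wider}


def build_sample_plan() -> List[Rule]:
    """Constructed plan with three typical mistakes: one required rule left out,
    the RTP/UDP range opened far wider than 50,000-52,999, and PSOM's internal
    port exposed on the external firewall."""
    plan: List[Rule] = []
    for r in CONSOLIDATED_EDGE_RULES:
        if r.firewall == "external" and r.proto == "UDP" and r.ports == (3478, 3478):
            continue                                    # forgotten STUN/UDP inbound rule
        if r.firewall == "external" and r.proto == "UDP" and r.ports == (50000, 52999):
            r = Rule(r.firewall, r.server, r.proto, (50000, 59999), r.direction, r.purpose)
        plan.append(r)
    plan.append(Rule("external", "Web Conferencing Edge Server", "TCP", (8057, 8057), "Inbound"))
    return plan


if __name__ == "__main__":
    result = audit(build_sample_plan())
    for r in result["missing"]:
        print("MISSING   ", r.firewall, r.server, r.proto, r.ports, r.direction, r.purpose)
    for r in result["unexpected"]:
        print("UNEXPECTED", r.firewall, r.server, r.proto, r.ports, r.direction)
    for p, e in result["wider"]:
        print("WIDER     ", p.firewall, p.server, p.proto, p.ports, "required", e.ports)
```

The expected list is the checklist for the consolidated topology only; the single-site and scaled tables later in this step differ in the Local IP scoping (per-server address against load balancer VIP) and, for the scaled Access Edge Server, in which external rows exist, so build a separate expected list from those tables rather than reusing this one.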

Single Site Edge Topology Firewall Policy Rules


The following tables explain the firewall policy rules required on each server in the perimeter
network when you deploy edge servers in the single site edge topology.
The following table describes the firewall policy to be configured for the reverse proxy.
Table 11 Firewall Settings for the Reverse Proxy

Internal firewall (figure mapping 2):
Local Port: 443 TCP (SIP/TLS)
Direction: Inbound (for external user access to Web conferences)
Remote Port: Any
Local IP: The internal IP address of the reverse proxy
Remote IP: Any

External firewall (figure mapping 1):
Local Port: 443 TCP (HTTP(S))
Direction: Inbound
Remote Port: Any
Local IP address: The external IP address of the HTTP reverse proxy
Remote IP: Any
Note: If you want your users to be able to connect from inside your intranet to external conferences hosted by other companies, then you will also need to open port 443 outbound.

The following table describes the firewall policy rules to be configured for the Access Edge
Server.

Table 12 Firewall Settings for the Access Edge Server

Internal firewall (figure mapping 5):
Local Port: 5061 TCP (SIP/MTLS)
Direction: Inbound (for remote user access and federation)
Remote Port: Any
Local IP address: The internal IP address of the Access Edge Server
Remote IP: The IP address of the next hop server. If a Director is deployed, use the IP address of the Director or VIP of the load balancer, if the Directors are load balanced.

Internal firewall (figure mapping 5):
Local Port: 5061 TCP (SIP/MTLS)
Direction: Outbound (for remote user access and federation)
Remote Port: Any
Local IP address: The internal IP address of the Access Edge Server
Remote IP: If no Director is deployed, you must use any IP address. If a Director is deployed, use the IP address of the Director or VIP of the load balancer, if the Directors are load balanced.

External firewall (figure mapping 3):
Local Port: 5061 TCP (SIP/MTLS)
Direction: Inbound/Outbound (federation)
Remote Port: Any
Local IP: The external IP address of the Access Edge Server
Remote IP: Any IP address

External firewall (figure mapping 4):
Local Port: 443 TCP (SIP/TLS)
Direction: Inbound (for remote user access)
Remote Port: Any
Local IP: The external IP address of the Access Edge Server
Remote IP: Any IP address

The following table describes the firewall policy rules to be configured for the Web Conferencing
Edge Server.

Note
PSOM is the Microsoft proprietary protocol used for Web
conferencing.

Table 13 Firewall Settings for the Web Conferencing Edge Server

Internal firewall (figure mapping 7):
Local Port: 8057 TCP (PSOM/MTLS)
Direction: Outbound (for traffic between internal Web Conferencing Servers and the Web Conferencing Edge Servers)
Remote Port: Any
Local IP: The internal IP address of the Web Conferencing Edge Server
Remote IP: Any IP address

External firewall (figure mapping 6):
Local Port: 443 TCP (PSOM/TLS)
Direction: Inbound (for access of remote, anonymous, and federated users to internal Web conferences)
Remote Port: Any
Local IP: The external IP address of the Web Conferencing Edge Server
Remote IP: Any IP address

The following table describes the firewall policy rules to be configured for the A/V Edge Server.
Table 14 Firewall Settings for the A/V Edge Server

Internal firewall (figure mapping 12):
Local Port: 443 TCP (STUN/TCP)
Direction: Outbound (for internal users to send media to external users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server
Remote IP: Any IP address

Internal firewall (figure mapping 13):
Local Port: 5062 TCP (SIP/MTLS)
Direction: Outbound (for A/V authentication of users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server
Remote IP: Any IP address

Internal firewall (figure mapping 14):
Local Port: 3478 UDP (STUN/UDP)
Direction: Outbound (for internal users to send media to external users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server
Remote IP: Any IP address
Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.

External firewall (figure mapping 8):
Local Port: 443 TCP (STUN/TCP)
Direction: Inbound (for external users’ access to media and A/V sessions)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server
Remote IP: Any IP address

External firewall (figure mapping 9):
Local Port Range: 50,000-52,999 TCP (RTP/TCP)
Direction: Inbound/Outbound (for media transfer)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
Remote IP: Any IP address

External firewall (figure mapping 10):
Local Port: 3478 UDP (STUN/UDP)
Direction: Inbound (for external users connecting to media or A/V sessions)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server
Remote IP: Any IP address
Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.

External firewall (figure mapping 11):
Local Port Range: 50,000-52,999 UDP (RTP/UDP)
Direction: Inbound/Outbound (for media transfer)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
Remote IP: Any IP address

Scaled Single Site Edge Topology Firewall Policy Rules


The following tables explain the firewall policy rules required on each server in the perimeter
network when you deploy edge servers in the scaled single site edge topology.
The following table describes the firewall policy to be configured for the reverse proxy.
Table 15 Firewall Settings for the Reverse Proxy

Internal firewall (figure mapping 2):
Local Port: 443 TCP (SIP/TLS)
Direction: Inbound (for external user access to Web conferences)
Remote Port: Any
Local IP: The internal IP address of the reverse proxy
Remote IP: Any

External firewall (figure mapping 1):
Local Port: 443 TCP (HTTP(S))
Direction: Inbound
Remote Port: Any
Local IP address: The external IP address of the HTTP reverse proxy
Remote IP: Any
Note: If you want your users to be able to connect from inside your intranet to external conferences hosted by other companies, then you will also need to open port 443 outbound.

The following table describes the firewall policy rules to be configured for the Access Edge
Server.
Table 16 Firewall Settings for the Access Edge Server

Internal firewall (figure mapping 5):
Local Port: 5061 TCP (SIP/MTLS)
Direction: Inbound (for remote user access and federation)
Remote Port: Any
Local IP address: The internal IP address of the Access Edge Server
Remote IP: The IP address of the next hop server. If a Director is deployed, use the IP address of the Director or VIP of the load balancer, if the Directors are load balanced.

Internal firewall (figure mapping 5):
Local Port: 5061 TCP (SIP/MTLS)
Direction: Outbound (for remote user access and federation)
Remote Port: Any
Local IP address: The internal IP address of the Access Edge Server
Remote IP: If no Director is deployed, you must use any IP address. If a Director is deployed, use the IP address of the Director or VIP of the load balancer, if the Directors are load balanced.

External firewall (figure mapping 4):
Local Port: 443 TCP (SIP/TLS)
Direction: Inbound (for remote user access)
Remote Port: Any
Local IP: The VIP address used by the Access Edge Server array on the external load balancer.
Remote IP: Any IP address

The following table describes the firewall policy rules to be configured for the Web Conferencing
Edge Server.

Note
PSOM is the Microsoft proprietary protocol used for Web
conferencing.

Table 17 Firewall Settings for the Web Conferencing Edge Server

Internal firewall (figure mapping 7):
Local Port: 8057 TCP (PSOM/MTLS)
Direction: Outbound (for traffic between internal Web Conferencing Servers and the Web Conferencing Edge Servers)
Remote Port: Any
Local IP: The internal IP addresses of the Web Conferencing Edge Servers
Remote IP: Any IP address

External firewall (figure mapping 6):
Local Port: 443 TCP (PSOM/TLS)
Direction: Inbound (for access of remote, anonymous, and federated users to internal Web conferences)
Remote Port: Any
Local IP: The VIP address used by the Web Conferencing Edge Server array on the external load balancer
Remote IP: Any IP address

The following table describes the firewall policy rules to be configured for the A/V Edge Server.
Table 18 Firewall Settings for the A/V Edge Server

Internal firewall (figure mapping 12):
Local Port: 443 TCP (STUN/TCP)
Direction: Outbound (for internal users to send media to external users)
Remote Port: Any
Local IP: The VIP address used by the A/V Edge Server array on the internal load balancer.
Remote IP: Any IP address

Internal firewall (figure mapping 13):
Local Port: 5062 TCP (SIP/MTLS)
Direction: Outbound (for A/V authentication of users)
Remote Port: Any
Local IP: The VIP address used by the A/V Edge Server array on the internal load balancer.
Remote IP: Any IP address

Internal firewall (figure mapping 14):
Local Port: 3478 UDP (STUN/UDP)
Direction: Outbound (for internal users to send media to external users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server and the VIP address used by the A/V Edge Server array on the internal load balancer.
Remote IP: Any IP address
Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.

External firewall (figure mapping 8):
Local Port: 443 TCP (STUN/TCP)
Direction: Inbound (for external users’ access to media and A/V sessions)
Remote Port: Any
Local IP: The VIP address used by the A/V Edge Server array on the external load balancer.
Remote IP: Any IP address

External firewall (figure mapping 9):
Local Port Range: 50,000-52,999 TCP (RTP/TCP)
Direction: Inbound/Outbound (for media transfer)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
Remote IP: Any IP address

External firewall (figure mapping 10):
Local Port: 3478 UDP (STUN/UDP)
Direction: Inbound (for external users connecting to media or A/V sessions)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server and the VIP address used by the A/V Edge Server array on the external load balancer
Remote IP: Any IP address
Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.

External firewall (figure mapping 11):
Local Port Range: 50,000-52,999 UDP (RTP/UDP)
Direction: Inbound/Outbound (for media transfer)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
Remote IP: Any IP address

Multiple Edge Site Topology Firewall Policy Rules for the Remote Site
The following tables explain the firewall policy rules required on each server in the perimeter
network in the remote site when you deploy edge servers in the multiple edge site topology. The
firewall policy rules that are required in the central data center are the same as those required in
the scaled single site topology described in the previous section. Because the users in the remote
site use the Access Edge Server in the central site, there is no table for the Access Edge Server in
this section.
The following table describes the firewall policy to be configured for the reverse proxy.
Table 19 Firewall Settings for the Reverse Proxy

Internal firewall (figure mapping 2):
Local Port: 443 TCP (SIP/TLS)
Direction: Inbound (for external user access to Web conferences)
Remote Port: Any
Local IP: The internal IP address of the reverse proxy in the remote site
Remote IP: Any

External firewall (figure mapping 1):
Local Port: 443 TCP (HTTP(S))
Direction: Inbound
Remote Port: Any
Local IP address: The external IP address of the HTTP reverse proxy in the remote site
Remote IP: Any
Note: If you want your users to be able to connect from inside your intranet to external conferences hosted by other companies, then you will also need to open port 443 outbound.

The following table describes the firewall policy rules to be configured for the Web Conferencing
Edge Server.

Note
PSOM is the Microsoft proprietary protocol used for Web
conferencing.

Table 20 Firewall Settings for the Web Conferencing Edge Server

Internal firewall (figure mapping 7):
Local Port: 8057 TCP (PSOM/MTLS)
Direction: Outbound (for traffic between internal Web Conferencing Servers and the Web Conferencing Edge Servers)
Remote Port: Any
Local IP: The internal IP address of the Web Conferencing Edge Server in the remote site
Remote IP: Any IP address

External firewall (figure mapping 6):
Local Port: 443 TCP (PSOM/TLS)
Direction: Inbound (for access of remote, anonymous, and federated users to internal Web conferences)
Remote Port: Any
Local IP: The external IP address of the Web Conferencing Edge Server in the remote site
Remote IP: Any IP address

The following table describes the firewall policy rules to be configured for the A/V Edge Server.
Table 21 Firewall Settings for the A/V Edge Server

Internal firewall (figure mapping 12):
Local Port: 443 TCP (STUN/TCP)
Direction: Outbound (for internal users to send media to external users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server in the remote site
Remote IP: Any IP address

Internal firewall (figure mapping 13):
Local Port: 5062 TCP (SIP/MTLS)
Direction: Outbound (for A/V authentication of users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server in the remote site.
Remote IP: Any IP address

Internal firewall (figure mapping 14):
Local Port: 3478 UDP (STUN/UDP)
Direction: Outbound (for internal users to send media to external users)
Remote Port: Any
Local IP: The internal IP address of the A/V Edge Server in the remote site.
Remote IP: Any IP address
Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.

External firewall (figure mapping 8):
Local Port: 443 TCP (STUN/TCP)
Direction: Inbound (for external users’ access to media and A/V sessions)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server in the remote site
Remote IP: Any IP address

External firewall (figure mapping 9):
Local Port Range: 50,000-52,999 TCP (RTP/TCP)
Direction: Inbound/Outbound (for media transfer)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server in the remote site. This IP address must be a publicly routable IP address.
Remote IP: Any IP address

External firewall (figure mapping 10):
Local Port: 3478 UDP (STUN/UDP)
Direction: Inbound (for external users connecting to media or A/V sessions)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server in the remote site.
Remote IP: Any IP address
Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.

External firewall (figure mapping 11):
Local Port Range: 50,000-52,999 UDP (RTP/UDP)
Direction: Inbound/Outbound (for media transfer)
Remote Port: Any
Local IP: The external IP address of the A/V Edge Server. This IP address must be a publicly routable IP address.
Remote IP: Any IP address

Step 2.3. Configure a Reverse Proxy


For Microsoft Office Communications Server 2007, a reverse proxy, such as the one provided by
Microsoft Internet Security and Acceleration (ISA) Server, is not required by any of the edge
server components, but it is required by the internal Web server for the following purposes:
• To enable external users to download meeting content for your meetings.
• To enable remote users to expand distribution groups.
• To enable remote users to download files from the Address Book Service.
ISA Server 2004 is used only to publish information from the internal IIS server.
In addition to deploying ISA Server 2004 as a reverse proxy, you can also use ISA Server 2004 as
a firewall. This guide covers only deployment of ISA Server 2004 as a reverse proxy. For more
information about using ISA Server 2004 as a firewall, see the ISA Server 2004 product
documentation.
The detailed steps in this section describe how to configure an ISA 2004 server as a reverse
proxy. You can use the information in this section to set up the reverse proxy, which requires
completing the following procedures:
• Configure the network adapter cards.
• Install ISA Server 2004.
• Request and configure a digital certificate for SSL.
• Perform the initial configuration.
• Create a Web server publishing rule.
• Configure SSL bridging.
• Verify that the secure Web server publishing rule properties are correct.
• Verify or configure authentication and certification on IIS virtual directories.
• Create an external DNS entry.
• Verify that you can access the portal site through the Internet.
If you are using a different reverse proxy, consult the documentation for that product.
ISA Server uses Web publishing rules in order to securely publish internal resources, such as a
meeting URL, over the Internet. Publishing information to Internet users makes computing
resources inside the internal network available to users outside the network.
In the following procedures, the ISA Server computer has two network adapters:
• A public, or external, network adapter, which is exposed to the clients that will attempt to
connect to your portal site (usually over the Internet).
• A private, or internal, network interface, which is exposed to the internal Web servers to
which outside users will connect.
You must assign one or more IP addresses to the external network adapter and at least one IP
address to the internal network adapter.

Note
ISA Server 2004 can also be set up to use a single network
adapter. For more information, see Configuring ISA Server
2004 on a Computer with a Single Network Adapter at
http://www.microsoft.com/technet/isa/2004/plan/single_adapter.mspx.
To configure the network adapter cards on the reverse proxy computer
1. On the server running ISA Server 2004, open Network Connections. Click Start, point to
Settings, and then click Network Connections.
2. Right-click the external network connection to be used for the external interface, and then
click Properties.
3. On the Properties page, on the General tab, in the This connection uses the following
items list, click Internet Protocol (TCP/IP), and then click Properties.
4. On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses and DNS
server addresses as appropriate for the network to which the network adapter is attached.
5. Click OK twice.
6. In Network Connections, right-click the internal network connection to be used for the
internal interface, and then click Properties. Repeat steps 3 through 5 to configure the internal
network connection.
To install ISA Server 2004
• Install ISA Server 2004 SP2 according to the setup instructions that are included with the
product, as well as all hotfixes.
To request and configure a digital certificate for SSL
• The root certification authority (CA) certificate for the CA that issued the server certificate
on the Web server needs to be installed on the server running ISA Server 2004. This
certificate should match the published FQDN of the external Web farm where you are
hosting meeting content and Address Book files.

Note
If you are using separate IIS servers to host meeting content
and Address Book data, you need to configure the ISA server
with two certificates (each matching the published external
FQDN of each of the two external Web sites) and install a
second IP address on the external network interface of the ISA
Server. ISA can bind only one certificate to one IP address. If
you configure an ISA server with multiple sites, you can use a
certificate that uses a wildcard. However, if you do, ensure
that you do not use the same certificate for IIS for the internal
site. For information about how to publish multiple Web sites
with a wildcard certificate, see Using a Single Certificate to
Publish Multiple Secure Web Sites at
http://www.microsoft.com/technet/isa/2004/maintain/wildcard.mspx

To create a Web server publishing rule on the ISA Server 2004 computer
1. Open ISA Server Management. Click Start, point to Programs, point to Microsoft ISA
Server, and then click ISA Server Management.
2. In the console tree, expand ServerName, right-click Firewall Policy, point to New, and then
click Secure Web Server Publishing Rule to start the New SSL Web Publishing Rule
Wizard.
3. On the Welcome page, in SSL Web publishing rule name, type a friendly name for the
publishing rule, and then click Next. For example, the name of the rule could be
OfficeCommunicationsServerExternalRule.
4. On the Publishing Mode page, click SSL Bridging, and then click Next.

Note
You also have the option of selecting Tunneling, but SSL
Bridging is recommended, and so it is the option documented
in the following procedure. SSL bridging protects against
attacks that are hidden in SSL-encrypted connections. For SSL-
enabled Web applications, after receiving the client's request,
ISA Server decrypts it, inspects it, and terminates the SSL
connection with the client computer. The Web publishing rules
determine how ISA Server communicates the request for the
object to the published Web server. If the secure Web
publishing rule is configured to forward the request using
Secure HTTP (HTTPS), ISA Server initiates a new SSL
connection with the published server. Because the ISA Server
computer is now an SSL client, it requires that the published
Web server responds with a server-side certificate.

To configure SSL bridging


1. On the Select Rule Action page, click Allow.
2. On the Bridging Mode page, click Secure connection to clients and Web server, and then
click Next.
3. On the Define Website to Publish page, type the FQDN of the internal Web farm that hosts
your meeting content and Address Book content in the Computer name or IP address box.
4. Select from the following options:
• If you are using an Office Communications Server 2007 Standard Edition server, this
FQDN will be the Standard Edition server FQDN.
• If you are using an Office Communications Server 2007 Enterprise pool, this FQDN
will be the internal Web farm FQDN.
• If you are hosting Address Book content and meeting content on different servers or
pools, you must run this procedure twice—one time for the server that hosts the meeting
content and one time for the server or pool that hosts the Address Book content.
5. Click Next.
6. On the Public Name Details page, type a name for the IIS server in the Public name box.
This name will be seen by outside users.
7. Click Next.
42 “Office Communications Server 2007 Edge Server Deployment Guide
8. On the Select Web Listener page, click New.
9. In the New Web Listener Definition Wizard, type a friendly name for the Web listener (for
example, ServerExternalWebListener) in the Web listener name box, and then click Next.
10. To select a specific IP address for the Web Listener, on the IP Addresses page, in Available
IP Addresses, select External check box, and then click Address.
11. On the External Network Listener IP Selection page, do the following:
• Under Listen for requests on, click Specified IP addresses on the ISA Server
computer in the selected network.
• In Available IP Addresses, click an IP address, click Add, and then click OK.
• Click Next.
12. On the Port Specification page, do the following:
• Under HTTP, clear the Enable HTTP check box.
• Under SSL, select Enable SSL and verify that the SSL port is 443 (the default value),
and then, next to Certificate, click Select.
13. In the Select Certificate dialog box, click the certificate that matches the external name that
you specified in step 4, and then click OK.
14. On the completion page, verify successful completion, and then click Finish.
15. In the New Web Publishing Rule Wizard, click Next.
16. In User Sets, click Next, and then click Finish.
17. In Microsoft Internet Security and Acceleration Server 2004, at the top of the center
pane, click Apply.
To verify that the secure Web server publishing rule properties are correct
1. Open ISA Server Management. Click Start, point to Programs, point to Microsoft ISA
Server, and then click ISA Server Management.
2. In the console tree, expand ServerName, and then click Firewall Policy.
3. In the details pane, right-click the secure Web server publishing rule that you created by
using the previous procedure (to create a Web server publishing rule on the ISA Server 2004;
for example, OfficeCommunicationsServerExternalRule), and then click Properties.
4. On the Properties page, click the From tab, and then do the following:
a. In the This rule applies to traffic from these sources list, click Anywhere, and then
click Remove.
b. Click Add.
c. In the Add Network Entities dialog box, expand Networks, click External, click
Add, and then click Close.
5. On the To tab, click Requests appear to come from the ISA Server computer, and then
click OK.

Note
The following procedure is for the Default Web Site in IIS. You
must also verify or configure authentication and certification
on each front-end Web server in the Microsoft Office
SharePoint® Portal Server deployment.

To verify or configure authentication and certification on IIS virtual directories
1. Open Internet Information Services Manager. Click Start, point to All Programs, point to
Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the left pane, expand ServerName, and then expand Web Sites.
3. Right-click Default Web Site, and then click Properties.
4. On the Web Site tab, ensure that the port number is 443 in the SSL port box.
5. On the Directory Security tab, under Secure communications, click Server Certificate.
6. On the Welcome to the Web Server Certificate Wizard page, click Next.
7. On the Server Certificate page, click Assign an existing certificate, and then click Next.
8. On the Available Certificates page, click the certificate you want to use for your Web server
in the Select a certificate list, and then click Next.
9. On the SSL Port page, ensure that the value is 443 in the SSL port this Web site should
use list, and then click Next.
10. On the Certificate Summary page, verify that the settings are correct, and then click Next.
11. On the completion page, click Finish, and then click OK.
12. Repeat this procedure for each additional front-end Web server in the SharePoint Portal
Server deployment, modifying as appropriate for each front-end Web server.
To create an external DNS entry
• Create an external DNS A record that points to the external interface of your ISA server. For
information about how to create a DNS A record, see your DNS documentation.
To verify that you can access the portal site through the Internet
1. Deploy the Microsoft Office Live Meeting 2007 client as described in the Microsoft Office
Live Meeting 2007 Client Quick Reference.
2. Open a Web browser, and then in the Address bar, type the URLs that are used by clients to
access the Address Book files and the portal site for Web conferencing.
• For Address Book Server, type a URL similar to the following:
https://externalwebfarmFQDN/abs/ext where externalwebfarmFQDN is the external
FQDN of the Web farm that hosts Address Book server files. Users should receive an
HTTP challenge, because directory security on the Address Book Server folder is
configured to Microsoft Windows® authentication by default.
• For Web conferencing, type a URL similar to the following:
https://externalwebfarmFQDN/conf/ext/Tshoot.html where externalwebfarmFQDN is
the external FQDN of the Web farm that hosts meeting content. This URL should
display the troubleshooting page for Web conferencing.

Step 2.4. Configure a Director (Optional, but Recommended)
The Office Communications Server 2007 Director is the recommended internal next-hop server
to which an Access Edge Server routes inbound SIP traffic destined to internal servers. The
Director authenticates inbound requests and distributes them among the servers in the Enterprise
pool or to the appropriate Standard Edition Server.
Office Communications Server 2007 supports the following Director configurations:
• A single Standard Edition Server that is configured as a Director.
• An array of Standard Edition Servers that are configured as a Director (requires an
Enterprise CA).
• An Enterprise pool that is configured as a Director.
You deploy a Director in a manner similar to the way that you deploy any other Office
Communications Server 2007 server, and you configure it as a Director by using the Deployment
Wizard.
In a load balanced edge server topology (a scaled single-site topology or a multiple-site edge
topology), the next hop server on the Director must target the virtual IP address of the Edge
Server array’s internal load balancer. Some special configuration steps are required if you choose
to deploy an array of Standard Edition servers as a Director. See Appendix A for more
information.

Deploy Your Director


To deploy a Director in your organization, you need to set up certificates and DNS as you would
for any internal Office Communications Server. The following procedure guides you through the
process of configuring a Standard Edition Server as a Director.
To configure a Standard Edition Server as a Director
1. Configure your DNS records as described in the Office Communications Server 2007
Standard Edition Deployment Guide.
2. Insert the Microsoft Office Communications Server CD. Setup starts and launches the
Deployment Tool. If you are installing from a network share, navigate to the \Setup\I386
folder, and then double-click Setup.exe.
3. Click Deploy Standard Edition Server.
4. At Configure Server, click Run.
5. On the Welcome to the Configure Pool/Server Wizard page, click Next.
6. On the Server or Pool to Configure page, select the server from the list, and then click
Next.
7. On the SIP domains page, verify that your SIP domain appears in the list box. If it does not,
click the SIP domains in your environment box, type your SIP domain, and then click
Add. Repeat these steps for all other SIP domains that the Standard Edition Server will
support. When you are finished, click Next.
8. On the Client Logon Settings page, do one of the following:
• If the Communicator and Live Meeting clients in your organization will use DNS to
locate the pool, click Some or all clients will use DNS SRV records for automatic
logon.
o Do not select the Use this server or pool as a Director for automatic logon
check box if you are configuring a Director for external access only. This
setting allows internal clients to log on through a Director, and the Director
then routes requests to the appropriate server or pool.
• If the Communicator clients in your organization will not use DNS to log on to the pool
and you plan to manually configure clients to connect to the pool, click Clients will be
manually configured for logon.
9. When you are finished, click Next.
10. On the SIP Domains for Automatic Logon page, do one of the following:
• If in the previous step you selected Some or all clients will use DNS SRV records for
automatic logon, select the check box for the domains that will be supported by the
server for automatic sign-in, and then click Next.
• If, in step 8, you selected Clients will be manually configured for logon, skip to
the next step.
11. On the External User Access Configuration page, click Do not configure external user
access now, and then click Next.
12. On the Ready to Configure Server or Pool page, review the settings that you specified, and
then click Next to configure the Standard Edition Server.
13. When the files have been installed and the wizard has completed, verify that the View the
log when you click ‘Finish’ check box is selected, and then click Finish.
14. In the log file, verify that <Success> appears under the Execution Result column. Look for
<Success> Execution Result at the end of each task to verify Standard Edition Server
configuration completed successfully. Close the log window when you finish.
Deactivate Server Roles and Unnecessary Components
(Optional)
As a security best practice, you should deactivate and uninstall the server roles that the Director
does not require. This practice involves deactivating and uninstalling the Web Conferencing, A/V
Conferencing, and Web Components roles on this server and deactivating the Address Book
Server.
To deactivate the roles not required for a Director
1. Log on to the Director with an account that is a member of the local administrators group
and a member of RTCUniversalServerAdmins.
2. Open the Office Communications Server 2007 Administration tools: Click Start, point to All
Programs, point to Administrative Tools, and then click Office Communications Server
2007.
3. Select one of the following:
• For a Standard Edition Server, expand Standard Edition Server, expand the Standard
Edition that you just deployed:
1. Right-click the FQDN of the server, point to Deactivate, and then click Web
Conferencing and complete the wizard.
2. Right-click the FQDN of the server, point to Deactivate, and then click A/V
Conferencing and complete the wizard.
3. Right-click the FQDN of the server, point to Deactivate, and then click Web
Components and complete the wizard.
• For an Enterprise pool, expand Enterprise pools, expand the pool that you just
deployed:
1. Expand Web Conferencing, right-click the FQDN of the server, and then click
Deactivate and complete the wizard.
2. Expand A/V Conferencing, right-click the FQDN of the server, and then click
Deactivate and complete the wizard.
3. Expand Web Components, right-click the FQDN of the server, and then click
Deactivate and complete the wizard.
To deactivate the Address Book Server
1. Open a Command Prompt window: Click Start, point to Run and then type cmd.
2. At the command prompt, type wbemtest.
3. In Namespace, type root\cimv2, and then click Connect.
4. Click Enum Classes, and then click OK.
5. Select MSFT_SIPAddressBookSetting.
6. Click Instances.
7. Select your SQL database instance.
8. Double-click Outputlocation.
9. In the Value field, click Null.
10. Click Save Property.
11. Click Save Object.
12. Click Close.

Step 3. Set Up Edge Servers


After setting up the infrastructure for edge servers, you need to set up edge servers in the
perimeter network. You can use the procedures in this section to do this by completing the
following steps:
1. Deploy a load balancer, if appropriate.
2. Install edge servers.
3. Activate edge servers.
4. Configure edge servers.
5. Set up certificates for the internal interface.
6. Set up certificates for the external interface.
7. Set up A/V Conferencing certificates for the internal network.
8. Configure the load balancer, if appropriate.
Deploying a load balancer and configuring the load balancer are required only in the scaled
single-site edge topology and the data center of the multiple-site edge topology. Deployment of a
load balancer for the remote site of the multiple-site edge topology is not recommended or
supported.

Step 3.1. Deploy Load Balancers


You can use load balancers to distribute incoming connections across multiple edge servers. If
you are deploying edge servers in a scaled single-site edge topology or a multiple-site edge
topology, you must deploy a load balancer for the collocated Access Edge Servers and Web
Conferencing Edge Servers and the A/V Edge Servers in the perimeter network of the data center.
You deploy load balancers for traffic from both the external network and traffic from the internal
network. A single load balancer can be used for all three server roles; however, using separate
virtual IP addresses (VIPs) for each server role is highly recommended. Microsoft recommends
port 443 for all three server roles, and because a different port/IP combination is required for
each server role, separate VIPs support the recommended configuration.
For load-balanced Web Conferencing Edge Servers and A/V Edge Servers in the perimeter
network of the data center, outgoing requests are connected directly to a specific Web
Conferencing Edge Server or A/V Edge Server. These outgoing requests are handled as follows:
• Each time an internal Web Conferencing Server starts up, it looks up the Web Conferencing
Edge Servers that are configured in its environment, and then it looks up the DNS A record
of each. The internal Web Conferencing Server then initiates four outbound TCP connections
to the internal IP and port of each Web Conferencing Edge Server.
• The load balancer for the A/V Edge Servers routes each A/V request to one of the A/V Edge
Servers, which then manages the connection until it ends.
Additional information about load balancing, including an example, is provided in the “Planning
for Load Balancing” section of the Office Communications Server 2007 Planning Guide. You
should use the information provided there to help you determine the appropriate configuration for
load balancing. The basic requirements for load balancing are as follows:
• If you want to load balance Web Conferencing Edge Servers, you must collocate each Web
Conferencing Edge Server with an Access Edge Server. The A/V Edge Server must not be
collocated on the same server.
• The external interfaces of multiple collocated Access Edge Servers and Web Conferencing
Edge Servers must be load balanced. However, only the internal interface of the Access Edge
Servers in this configuration should be load balanced. The internal interface of the Web
Conferencing Edge Servers must not be load balanced.
• All Access Edge Servers and Web Conferencing Edge Servers that are connected to the load
balancer must be configured identically, including identical internal and external ports,
Allow lists, Block lists, federated partners, internal domain lists, internal server lists, remote
user settings, and proxy connections.
• Certificates must be installed and configured to support load balancing (as covered in Step 3.6,
Step 3.7, and Step 3.8 of this guide, which cover deployment of certificates for edge
servers).
• Federated partner Access Edge Servers, and remote user clients must target the virtual IP
address used by the Access Edge Server array on the external load balancer.
• The internal next hop server (typically, a Director) must target the virtual IP address that is
used by the Access Edge Server on the internal load balancer. If you are deploying a Director
for an Enterprise Pool, you do this as part of the Director configuration, as covered in Step
2.4. Configure a Director for an Enterprise Pool.

Sample Configuration
The following figure shows how a load balancer is configured for collocated Access Edge
Servers and Web Conferencing Edge Servers and two dedicated A/V Edge Servers. In the
diagram below, two Access Edge Servers are collocated with Web Conferencing Edge Servers in
an array. These servers are called A and B. Two dedicated A/V Edge Servers are called C and D.
These servers are configured as follows:
• Each server role—A/V Edge Server, Web Conferencing Edge Server and Access Edge
Server—has its own external FQDN that resolves to a separate VIP on the external load
balancer. In this example:
• Access Edge Servers use the external FQDN of AccessExternalLB.contoso.com
• Web Conferencing Edge Servers use the external FQDN of
WebExternalLB.contoso.com
• A/V Edge Servers use the external FQDN of AVExternalLB.contoso.com
• The Access Edge Servers and the A/V Edge Servers each have a unique internal FQDN that
resolves to a separate VIP on the internal load balancer. In this example:
• Access Edge Servers use the internal FQDN of AccessInternalLB.corp.contoso.com
• A/V Edge Servers use the internal FQDN of AVInternalLB.corp.contoso.com
• The Web Conferencing Edge Servers are not load balanced on the internal side.
Internally, a Front-End Server, a Web Conferencing Server, and an A/V Conferencing Server are
installed together on three Enterprise Edition Servers in an Enterprise pool in the consolidated
configuration (Servers E, F, and G). This internal topology is for illustration purposes only. You
may install any of the internally supported topologies as discussed in the Planning Guide.

DNS records
The following DNS SRV records are required by the Access Edge Server:
• If you are enabling public IM connectivity or enhanced federation, an external SRV record
for all edge servers that points to _sipfederationtls._tcp.contoso.com over port 5061 (where
contoso.com is the name of the SIP domain of this organization). This SRV record should
point to an A record with the external FQDN of the Access Edge Server that resolves to the
VIP on the external load balancer that is used by the Access Edge Servers. In this example,
because there is only one SIP domain, only one SRV record like this is needed. If you have
multiple SIP domains, you need a DNS SRV record for each. This is required only if you are
enabling enhanced federation or public IM connectivity.
• A DNS SRV (service location) record for _sip._tls.contoso.com over port 443 where
contoso.com is the name of your organization’s SIP domain. This SRV record must point to
an A record with the external FQDN of the Access Edge Server that resolves to the VIP on
the external load balancer used by the Access Edge Servers. If you have multiple SIP
domains, you need a DNS SRV record for each. This SRV record supports automatic
configuration for remote users for instant messaging and conferencing.
The following external DNS A records are required.
• ExternalAccessLB.contoso.com resolves to the VIP of the external load balancer in the
perimeter network used by the Access Edge Servers. It is used by external clients and other
Access Edge Servers to reach the Access Edge Server from the Internet.
• An external A record for sip.ExternalAccessLB.contoso.com that points to the VIP address
used by the Access Edge Servers on the external load balancer in the perimeter network.
(One A record for each SIP domain).
• ExternalWebLB.contoso.com resolves to the VIP address used by the Web Conferencing
Edge Servers on the external load balancer in the perimeter network.
• ExternalAVLB.contoso.com resolves to the VIP address used by the A/V Edge Servers on
the external load balancer in the perimeter network.
The following internal DNS A records are required.
• InternalAccessLB.corp.contoso.com, points to the VIP of the internal load balancer in the
perimeter network used by the Access Edge Servers.
• InternalAVLB.corp.contoso.com, points to the VIP of the internal load balancer in the
perimeter network used by the A/V Edge Servers.
• InternalLB.corp.contoso.com points to the VIP of the load balancer of the Enterprise pool to
which the internal A/V Conferencing Servers and Web Conferencing Servers are attached.
• SrvrA.corp.contoso.com points to the internal interface of Web Conferencing Edge Server on
Server A
• SrvrB.corp.contoso.com points to the internal interface of Web Conferencing Edge Server on
Server B
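The SRV and A records listed above are easy to get subtly wrong (wrong port, a target that is a CNAME instead of an A record, a second SIP domain with no SRV records). The following added example, which is not part of this guide, checks a set of records against those requirements; the record data, the second SIP domain fabrikam.com, and the 203.0.113.x VIP addresses are constructed, so replace them with the answers from your own DNS queries.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str     # owner name, for example "_sip._tls.contoso.com"
    port: int
    target: str   # must be the name of an A record, never a CNAME


@dataclass(frozen=True)
class EdgeTopology:
    sip_domains: tuple                # every SIP domain needs its own SRV records
    access_edge_external_fqdn: str    # the A record that resolves to the external LB VIP
    external_vip: str
    federation_enabled: bool = False  # enhanced federation or public IM connectivity


def required_srv(topo):
    """SRV owner names and ports the guide requires, one set per SIP domain."""
    req = {}
    for domain in topo.sip_domains:
        req[f"_sip._tls.{domain}"] = 443  # remote-user automatic configuration
        if topo.federation_enabled:
            req[f"_sipfederationtls._tcp.{domain}"] = 5061  # federation / public IM
    return req


def check_edge_dns(topo, srv_records, a_records, cnames=()):
    """Compare published records with the guide's requirements.

    Returns a list of human-readable findings; an empty list means the
    records are consistent with the topology.
    """
    findings = []
    vip = a_records.get(topo.access_edge_external_fqdn)
    if vip != topo.external_vip:
        findings.append(f"A {topo.access_edge_external_fqdn} resolves to {vip}, "
                        f"expected external VIP {topo.external_vip}")
    by_name = {r.name: r for r in srv_records}
    for name, port in required_srv(topo).items():
        rec = by_name.get(name)
        if rec is None:
            findings.append(f"missing SRV {name}")
            continue
        if rec.port != port:
            findings.append(f"SRV {name} uses port {rec.port}, expected {port}")
        if rec.target in cnames:
            findings.append(f"SRV {name} targets CNAME {rec.target}; "
                            "the target must be an A record")
        elif rec.target != topo.access_edge_external_fqdn:
            findings.append(f"SRV {name} targets {rec.target}, "
                            f"expected {topo.access_edge_external_fqdn}")
    return findings


# Constructed sample data: the guide's contoso.com names plus a second SIP
# domain (fabrikam.com) whose records were published incorrectly.
TOPOLOGY = EdgeTopology(
    sip_domains=("contoso.com", "fabrikam.com"),
    access_edge_external_fqdn="ExternalAccessLB.contoso.com",
    external_vip="203.0.113.10",      # constructed documentation-range address
    federation_enabled=True,
)
A_RECORDS = {
    "ExternalAccessLB.contoso.com": "203.0.113.10",
    "ExternalWebLB.contoso.com": "203.0.113.11",
    "ExternalAVLB.contoso.com": "203.0.113.12",
}
CNAMES = ("sip.contoso.com",)         # constructed alias an SRV must not target
SRV_RECORDS = [
    SrvRecord("_sip._tls.contoso.com", 443, "ExternalAccessLB.contoso.com"),
    SrvRecord("_sipfederationtls._tcp.contoso.com", 5061, "ExternalAccessLB.contoso.com"),
    # wrong port and a CNAME target: remote fabrikam.com users cannot auto-configure
    SrvRecord("_sip._tls.fabrikam.com", 5061, "sip.contoso.com"),
    # _sipfederationtls._tcp.fabrikam.com is deliberately absent
]


def main():
    for finding in check_edge_dns(TOPOLOGY, SRV_RECORDS, A_RECORDS, CNAMES):
        print(finding)


if __name__ == "__main__":
    main()
```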
Certificates
The certificates are configured in the following way
Access Edge Servers
• The external interface of each Access Edge Server has a certificate with a
subject name (SN) of ExternalAccessLB.contoso.com. You would configure this certificate
on server A and mark it as exportable and then import it to Server B. (Each server in the Web
Conferencing Edge Server and Access Edge Server array must use the same certificate).
• The external interface of the Web Conferencing Edge Server has a certificate with a subject
name (SN) of ExternalWebLB.contoso.com. You would configure this certificate on server A
and mark it as exportable and then import it to Server B. (Each server in the Web
Conferencing Edge Server and Access Edge Server array must use the same certificate).
• No certificate is required on the external interface of the A/V Edge Server.
• The internal interface of each Access Edge Server has a certificate with an SN of
InternalAccessLB.corp.contoso.com. This certificate is shared with the internal edge of the
Web Conferencing Edge Server. You would configure this certificate on server A and mark it
as exportable and then import it to Server B. (Each server in the Web Conferencing Edge
Server and Access Edge Server array must use the same certificate).
• The internal edge of the A/V Edge Server has a certificate with an SN of
InternalAVLB.corp.contoso.com. You would configure this certificate on server A and mark
it as exportable and then import it to Server B. (Each server in the Web Conferencing Edge
Server and Access Edge Server array must use the same certificate).
• The internal edge of the A/V Edge Server is configured with an additional certificate used
for A/V authentication. The same A/V authentication certificate must be installed on each
A/V Edge Server. This means that the certificate must be from the same issuer and use the
same private key.
Internal Web Conferencing Servers in Your Enterprise Pool
Each internal Web Conferencing Server in the Enterprise pool has a certificate with the subject
name (SN) of InternalLB.corp.contoso.com.
Internal A/V Conferencing Servers
Each internal A/V Conferencing Server has a certificate with the subject name (SN) of
InternalLB.corp.contoso.com.

Edge Server Configuration


The FQDN of the VIP of the load balancer, InternalLB.corp.contoso.com is configured on the
internal server list on each Edge Server and port 5061 is configured as the port. (The edge server
wizard allows you to configure this, or this setting can be configured on Computer Management
on the Internal tab of the edge server properties page.)
Trusted Edge Server List in Active Directory
The trusted edge server list in Active Directory is configured when you run the Configure Pool or
Server wizard and configure external access, or you can configure it manually on the Edge
Server tab in Global Properties. (See the Administration Guide for step-by-step instructions.) This
list defines the edge servers that internal servers allow to connect to them. The FQDN of each VIP on
the internal load balancer of the edge servers must be added to this list. In this example:
InternalAccessLB.corp.contoso.com and InternalAVLB.corp.contoso.com.
Web Conferencing Edge Servers Configured on the Pool or Server
The list of trusted Web Conferencing Edge Servers contains an entry for each Web Conferencing
Edge Server with its internal and external FQDN and port number. These entries are configured
when you run the Configure Pool or Server wizard and configure external access or you can
configure these entries manually on the Web Conferencing Edge Server tab in the pool or
server properties.
In the example, the internal pool would have these entries:
Server A:
Internal FQDN: SrvrA.corp.contoso.com
Internal port: 8057
External FQDN: ExternalWebLB.contoso.com
External port: 443
Server B:
Internal FQDN: SrvrB.corp.contoso.com
Internal port: 8057
External FQDN: ExternalWebLB.contoso.com
External port: 443
A/V Edge Servers Configured on the Pool or Server
The list of trusted A/V Edge Servers contains an entry for each A/V Edge Server with its internal
and external FQDN and port number and the external port range. It is configured when you run
the Configure Pool or Server wizard and configure external access or you can configure it
manually on the A/V Edge Server tab in the pool or server properties.
In the example, the internal pool would have these entries:
Server C:
• Internal FQDN: InternalAVLB.corp.contoso.com
• Internal port: TCP 443, TCP 5062, UDP 3478
• External FQDN: ExternalAVLB.contoso.com
• External port: TCP 443, UDP 3478
Server D:
• Internal FQDN: InternalAVLB.corp.contoso.com
• Internal port: TCP 443, TCP 5062, UDP 3478
• External FQDN: ExternalAVLB.contoso.com
• External port: TCP 443, UDP 3478

Configuring Your Load Balancer

If you are deploying edge servers in a scaled single-site edge topology or a multiple site edge
topology, and you deployed a load balancer as described in Step 3.1, you now need to configure
the load balancers. After configuring edge servers in the perimeter network of your data center,
ensure that they are correctly connected to the load balancer, and then ensure that the ports listed
in the following tables are open on the internal interface of the load balancer and on the external
interface of the load balancer, respectively.
Table 22 Internal Load Balancer Port Settings
• Access Edge Server: TCP 5061
• Web Conferencing Edge Server: N/A
• A/V Edge Server: TCP 5062, TCP 443, UDP 3478

Table 23 External Load Balancer Port Settings
• Access Edge Server: TCP 5061, TCP 443
• Web Conferencing Edge Server: TCP 443
• A/V Edge Server: TCP 443, UDP 3478
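As an added check that is not part of this guide, the following PowerShell tests the TCP ports of Tables 22 and 23 against each load balancer VIP. It assumes the guide's example VIP names (the external Access Edge VIP, ExternalAccessLB.contoso.com, is a placeholder not named in this section) and its own function name, Test-EdgeLbPort.

```powershell
# Added example, not from the guide: confirm that the TCP ports from Tables 22 and 23
# answer on each load balancer VIP. UDP 3478 cannot be confirmed by a TCP connect and
# is therefore only noted in comments. Run the "Internal" checks from a server on the
# internal network and the "External" checks from an Internet-facing host.

function Test-EdgeLbPort {
    param(
        [Parameter(Mandatory)][string]$VipFqdn,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000                 # assumed default; tune for your network
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($VipFqdn, $Port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs)   # $false on timeout
        if ($ok) { $client.EndConnect($async) }            # throws if the connect failed
        return $ok
    } catch {
        return $false                                      # refused, unreachable, or DNS failure
    } finally {
        $client.Close()
    }
}

# Expected TCP ports per role on each load balancer interface (Tables 22 and 23).
$expected = @{
    'Internal' = @{
        'Access Edge Server'           = @(5061)
        'Web Conferencing Edge Server' = @()            # N/A on the internal interface
        'A/V Edge Server'              = @(5062, 443)   # plus UDP 3478, not tested here
    }
    'External' = @{
        'Access Edge Server'           = @(5061, 443)
        'Web Conferencing Edge Server' = @(443)
        'A/V Edge Server'              = @(443)         # plus UDP 3478, not tested here
    }
}

# VIP names from the guide's example topology; the external Access Edge name is a placeholder.
$vips = @{
    'Internal' = @{
        'Access Edge Server' = 'InternalAccessLB.corp.contoso.com'
        'A/V Edge Server'    = 'InternalAVLB.corp.contoso.com'
    }
    'External' = @{
        'Access Edge Server'           = 'ExternalAccessLB.contoso.com'   # placeholder
        'Web Conferencing Edge Server' = 'ExternalWebLB.contoso.com'
        'A/V Edge Server'              = 'ExternalAVLB.contoso.com'
    }
}

foreach ($side in $expected.Keys) {
    foreach ($role in $expected[$side].Keys) {
        $fqdn = $vips[$side][$role]
        if (-not $fqdn) { continue }               # no VIP for this role on this side
        foreach ($port in $expected[$side][$role]) {
            $state = if (Test-EdgeLbPort -VipFqdn $fqdn -Port $port) { 'OPEN' } else { 'CLOSED' }
            '{0,-8} {1,-28} {2,-36} TCP {3,-5} {4}' -f $side, $role, $fqdn, $port, $state
        }
    }
}
```

A CLOSED result on a port the table requires usually means the load balancer is not forwarding it or the edge server behind it is not yet listening; the script does not report ports that are open but not listed, so review the load balancer rules for those separately.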

Step 3.2. Install Edge Servers

Your edge server topology determines the computers on which you must complete the edge
server installation procedure. The following table shows the edge server installation requirements
for each topology.
Table 24 Server installation requirements for each topology
Data center:
• Consolidated edge topology: Deploy all server roles together on one computer.
• Single-site edge topology: Deploy the Access Edge Server and the Web Conferencing Server
together on one computer. Deploy the A/V Edge Server on a separate computer.
• Scaled single-site edge topology: Deploy the Access Edge Server and the Web Conferencing
Edge Server together on one computer (scaled as appropriate). Deploy the A/V Edge Server on
a separate computer (scaled as appropriate).
• Multiple site edge topology: Same as the scaled single-site edge topology.
Remote site:
• Consolidated edge topology: N/A
• Single-site edge topology: N/A
• Scaled single-site edge topology: N/A
• Multiple site edge topology: Deploy the Web Conferencing Edge Server on a separate
computer, and deploy the A/V Edge Server on a separate computer. OR deploy two or more
A/V Edge Servers, each installed on a separate computer, and load balance them, and deploy
two or more Web Conferencing Edge Servers, each on a separate computer, and load balance
them.

You deploy edge servers by using the Office Communications Server 2007 Deployment Wizard,
which you access by running Setup.exe from the Office Communications Server 2007
installation CD or, if you are deploying over the network, from the network share. From the
Deployment Wizard, you can access multiple individual wizards that facilitate completion of
edge server deployment tasks. You can use these wizards, as covered in this section, to complete
the following procedures:
• Install the edge server. When you install an edge server, the installation process copies the
required edge server files to the local computer.
• Activate the edge server. When you activate an edge server, you configure it to have one or
more edge server roles.
• Configure the edge server. Configuration includes specifying the settings that are necessary
for the edge server to work.
• Configure certificates for the edge servers.
To install an edge server
1. Log on to the computer on which you want to install your edge server as a member of the
Administrators group.
2. If Systems Management Server (SMS) is running on the computer, stop the SMS service.
3. Start Setup and launch the Deployment Wizard by doing one of the following:
• If installing the edge server from the Office Communications Server 2007 installation
CD, insert the CD. If Setup does not start automatically, from the Start menu, click
Run. In the Open box, type \Setup\I386\Setup.exe, and then click OK.
• If you are installing the edge server from a network share, go to the \Setup\I386 folder,
and then double-click Setup.exe.
4. Click Deploy Other Server Roles.
5. Click Deploy Edge Server.
6. Next to Step 1: Install Files for Edge Server, click Install to start the Install Files for Edge
Server Setup Wizard.
7. On the Welcome page, click Next.
8. On the License Agreement page, if you agree to the licensing terms, click I accept the
terms in the licensing agreement, and then click Next.
9. On the Customer Information page, in User name and Organization, type your name and
the name of your organization.
10. Use the product key that is automatically supplied, and then click Next.
11. On the Install Location page, in Location, type the location where you want to install the
edge server files, and then click Next.
12. On the Confirm Installation page, click Next.
13. On the completion page, click Close.

Step 3.3. Activate Edge Servers

After installing the required files, as covered in Step 2.2, you continue with the Deployment
Wizard (using the following procedure) to activate the edge server. The Deployment Wizard
provides an activation wizard that simplifies activation of the edge server, which requires the
following:
• Assigning one or more edge server roles to the edge server
• Specifying a service account to use for the edge server.
Complete the following activation procedure on each computer being deployed as an edge server
in the perimeter network of the data center or a remote site. After you have activated a server role
on the computer, you can rerun the activation wizard at a later time to add another server role, as
appropriate.
To activate an edge server
1. In the Deployment Wizard, on the Deploy Edge Server page, next to Step 2: Activate Edge
Server, click Run to start the Activate Office Communications Server 2007 Wizard.
2. On the Welcome page, click Next.
3. On the Edge Server Roles page, select one or more of the following check boxes:
• Activate Access Edge Server
• Activate Web Conferencing Edge Server
• Activate A/V Edge Server

Note
An A/V Edge Server and a Web Conferencing Edge Server
cannot be activated together on a single computer without
also activating an Access Edge Server on the same computer.

4. On the Select Service Account page, select Create a new account or Use an existing
account, type the account name and password to be used for the edge server, and then
click Next.
5. On the Ready to Activate Edge Server page, review the settings, and then click Next.
6. On the completion page, select the View the log when you click ‘Finish’ checkbox, and
then click Finish.
7. When the Office Communications Server 2007 Deployment Log opens in a Web browser
window, verify that Success appears under Execution Result in the action column on the far
right side of the screen. Optionally, expand each individual task and verify that the
Execution Result shows Success for the task. When you finish, close the log window.

Step 3.4. Configure Edge Servers

After activating an edge server, as covered in Step 2.2, you continue with the Deployment
Wizard (using the following procedure) to configure the edge server. The Deployment Wizard
provides a Configuration Wizard that simplifies the configuration of settings that are necessary
for your edge server to work, including the following:
• Configuration of the external and internal interfaces for each server role you have activated
on the computer.
• Selection of the features that you want to enable.
• Configuration of the way that routing to and from your internal servers is handled.
Complete the following configuration procedure on each computer being deployed as an edge
server in the perimeter network of the data center or a remote site.
To configure an edge server
1. In the Deployment Wizard, on the Deploy Edge Server page, next to Step 3: Configure
Edge Server, click Run to start the Configure Office Communications Server 2007 Edge
Server Wizard.
2. On the Welcome page, click Next.
3. On the Import Settings from a Configuration File page, do one of the following:
• If you want to configure this server as a new edge server (you do not have settings that
you want to import from a previously installed edge server), click Next.
• If you have previously set up an edge server and exported the settings from it to a
configuration file that you want to import on this edge server (as covered in step 16 of
this procedure), select the Import settings check box, type the full path and name of the
file containing the settings you want to import (or click Browse to locate and select the
file), and then click Next.
4. On the Internal Interface page, do the following:
• In Internal Interface IP Address box, click the internal interface IP address. If this
server will be connected to a load balancer, use the IP address of the local computer.
• In FQDN for the internal interface, type the FQDN of the internal interface. If this
server will be connected to a load balancer, use the virtual IP address of the load
balancer.
5. Click Next.
6. On the External Interface page, configure the IP address and the FQDN for the external
interfaces of the roles that you are activating on this server. For load balanced edge servers,
specify the IP address and FQDN as follows:
• For an Access Edge Server that will be connected to a load balancer, specify the IP
address of the edge server and FQDN of the virtual IP address of the load balancer. The
default federation port is set to 5061 and cannot be changed. The default TCP port for
remote access is 5061. To specify a port other than 5061 for remote user access, click
either 443 or Other. If you click Other, type the port number.
• For a Web Conferencing Edge Server that will be connected to a load balancer, specify
the IP address of the edge server and the FQDN of the virtual IP address of the load
balancer. The default TCP port is 443. To specify a port other than 443, click Other, and
then type the port number.
• For an A/V Edge Server that will be connected to a load balancer, specify the IP address
of the edge server and the FQDN of the virtual IP address of the load balancer. The
default TCP port is 443. To specify a port other than 443, click Other, and then type the
port number.

Note
If you are collocating edge server roles on a computer, each
should have a separate IP address. If you do not use a
separate IP address for each, you must use separate ports for
each collocated edge server role.
7. Click Next.
8. Select from the following options:
• If you are installing only A/V Edge Server on this computer, skip to step 12 to complete
the wizard.
• If you are installing Access Edge Server and Web Conferencing on this computer,
proceed with the next step.
• If you are installing a Web Conferencing Edge Server only, skip to step 13.
9. On the Enable Features on Access Edge Server page, select the features that you want to
enable on this Access Edge Server as follows:

• To make it possible for remote users to connect to Office Communications Server 2007
from the Internet to view presence information and exchange instant messages with
internal users using this Access Edge Server, select the Allow remote user access to
your network check box.
o To make it possible for external anonymous users to join conferences through
this Access Edge Server, select the Allow anonymous user to join meetings
check box. Anonymous users are external users who do not have credentials in
the Active Directory® Domain Services.
o In your edge server deployment, you can optionally use one Access Edge
Server for remote user access and a different Access Edge Server for federation
and public IM connectivity. In this configuration, on the Access Edge Server
used for remote access, if you plan to enable federation or public IM
connectivity for your remote users, select the Allow remote users to
communicate with federated contacts check box; otherwise, your remote users
cannot send messages to federated or public IM contacts.
• To enable federation or public IM connectivity through this Access Edge Server, select
the Enable federation check box.
o To use DNS to automatically locate Access Edge Servers of your federated
partners, select the Allow discovery of federation partners using DNS check
box. We recommend this configuration.
o To enable public IM connectivity through this Access Edge Server, select the
Federation with selected public IM providers check box, and then select
the IM providers that you want to use with federated partners.

Important
Before you can connect to these IM providers, you must
purchase additional service licenses and provision the
connections by using the Microsoft provisioning page
(http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=provision).
Public IM connectivity will not work without this license.
The license you purchase permits communications to MSN,
AOL, and the Yahoo IM providers. If you want to limit public IM
connectivity to a specific provider, you can disable the public
IM providers you do not want to connect with.

Note
Additional configuration of anonymous users and federation is
described in “Step 4. Configure the Environment” later in this
guide.

10. Click Next.
11. On the FQDN of the Internal Next Hop Server page, in the FQDN of next hop server
box, type or click the FQDN of the next hop server to which this Access Edge Server routes
internal traffic or, if you are using a Director to route incoming traffic, type the FQDN of the
Director, and then click Next.
12. On the Authorized Internal SIP Domains page:
• If you are activating an Access Edge Server on this computer, for each SIP domain to be
supported in your Office Communications Server 2007 deployment, in the box, type the
name of the SIP domain, and then click Add. After adding all SIP domains to be
supported, click Next.
• If you are activating an A/V Edge Server on a dedicated computer, enter the SIP domain
used for default routing, click Add, and then click Next.

Note
If you are activating a Web Conferencing Server on a dedicated computer, this screen does
not appear. Proceed to the next step.

13. On the Authorized Internal Servers page, do the following:
• If you are installing the Access Edge Server on this computer, specify each internal
server that can connect to your Access Edge Server. If you are routing all outbound
traffic through a Director, type only the FQDN of the Director, and then click Add. If
you are not using a Director, type the FQDN of each Enterprise pool and Standard
Edition server in your organization, clicking Add after each.
• If you are installing the Web Conferencing Edge Server on this computer, type the
FQDN of each Web Conferencing Server or each Enterprise pool or Standard Edition
server that hosts a Web Conferencing Server, clicking Add after typing each FQDN.
• If you are installing A/V Edge Server, type the FQDN of each Enterprise pool or
Standard Edition Server that can connect to the A/V Edge Server, clicking Add after
typing each FQDN.
14. Click Next.
15. On the summary page, review the settings that you selected, and then click Next.
16. On the wizard completion page, do the following:
• Select the View the log when you click ‘Finish’ check box.
• If you want to export the server settings to a configuration file so that they can be
imported to another edge server (to streamline the setup of that server), select Export,
specify a location and name for the XML file to which you want to save the server
settings, and then click Save.
• Click Finish.
17. When the Office Communications Server 2007 Deployment Log opens in a Web browser
window, verify that Success appears under Execution Result in the action column on the far
right side of the screen. Optionally, expand each individual task and verify that the
Execution Result shows Success for the task. When you finish, close the log window.

Step 3.5. Set Up Certificates for the Internal Interface

A certificate is required for MTLS communication between the edge servers and internal servers
(including the A/V Conferencing Server and Mediation Server). For information about the
Mediation Server, see the Office Communications Server 2007 Voice Guide.
The certificate requirements are summarized below, and the subsequent tables detail the specific
requirements for each edge server topology.
Certificate Requirements for the Internal Interface
The following summarizes the certificate requirements for the internal interface of your edge
servers.
• Each edge server in the perimeter network of the data center requires a certificate for the
internal interface:
• If you are deploying a load balancer with multiple collocated Access Edge Servers and
Web Conferencing Edge Servers, use a single certificate with a subject name that
matches the FQDN for the virtual IP address used by the Access Edge Servers on the
internal load balancer of the servers, for example:
Certificate SN = accessedge_array.contoso.perimeter
• For Web Conferencing Edge Servers (collocated on the computer with the Access Edge
Server), by default, this certificate is shared by the Web Conferencing Edge Server. If an A/V
Edge Server is also collocated on the server, it also shares this certificate by default. If the
servers are not collocated, you must use separate certificates for each server role.
• The A/V Edge Server in the perimeter network of the data center requires a certificate for the
internal interface if it is running on a separate computer than the Access Edge Server. If you
are deploying multiple A/V Edge Servers (with a load balancer), use a single certificate with
a subject name that matches the FQDN for the virtual IP address used by the A/V Edge
Server on the internal load balancer, for example:
Certificate SN = avedge_array.contoso.perimeter
• The Web Conferencing Edge Server in each remote site of a multiple-site edge topology
requires a certificate on the internal interface with a subject name that matches the FQDN
published on the internal interface of the firewall in the data center, and mapping to the Web
Conferencing Edge Server in the remote site.
• The A/V Edge Server in each remote site of a multiple-site edge topology requires a
certificate on the internal interface with a subject name that matches the FQDN published on
the internal interface of the firewall in the data center, and mapping to the A/V Edge Server
in the remote site.

Certificate Requirements for Each Topology

The following table summarizes the certificate requirements for the internal interface of each
edge server role in the consolidated edge topology.
Table 25 Certificates for internal interface of the edge server in the consolidated edge
topology
• Access Edge Server, Web Conferencing Edge Server, A/V Edge Server: A single, shared
certificate configured on the internal interface with a subject name that matches the internal
FQDN of the edge server.
The following table summarizes the certificate requirements for the internal interface of each
edge server role in the single site edge topology.
Table 26 Internal Certificates for the single-site edge topology
• Access Edge Server, Web Conferencing Edge Server: A certificate configured on the internal
interface with a subject name that matches the internal FQDN of the computer on which the
Access Edge Server and Web Conferencing Edge Server are collocated.
• A/V Conferencing Edge Server: A certificate configured on the internal interface with a
subject name that matches the internal FQDN of the A/V Edge Server.

The following table summarizes the certificate requirements for the internal interface of each
edge server role in the scaled single site edge topology.
Table 27 Internal Certificates for the scaled single-site edge topology
• Access Edge Server, Web Conferencing Edge Server: A certificate configured on the internal
interface with a subject name that matches the internal FQDN of the VIP address used by the
Access Edge Server on the internal load balancer. This certificate is shared between the Web
Conferencing Edge Server and Access Edge Server and must be configured on the internal
interface of the Web Conferencing Edge Server and the Access Edge Server. This certificate
must be marked as exportable on the first computer where you configure the certificate and
then imported onto each additional computer in the Access Edge Server and Web
Conferencing Edge Server array.
• A/V Conferencing Edge Server: A certificate configured on the internal interface with a
subject name that matches the internal FQDN of the VIP address used by the A/V Edge
Server on the internal load balancer. This certificate must be marked as exportable on the
first computer where you configure the certificate and then imported onto each additional
computer in the A/V Conferencing Edge Server array.
The following table summarizes the certificate requirements for the internal interface of each
edge server in the remote site in a multiple edge site topology. The servers in the central site will
use the same certificates as those in the scaled single site topology.
Table 28 Internal Certificates for the remote site in a multiple site edge topology
• Access Edge Server: No Access Edge Server is deployed in the remote site.
• Web Conferencing Edge Server: A certificate configured on the internal interface with a
subject name that matches the internal FQDN of the Web Conferencing Edge Server in the
remote site.
• A/V Edge Server: A certificate configured on the internal interface with a subject name that
matches the internal FQDN of the A/V Edge Server in the remote site.

Configuring the Certificates on Your Internal Interface

To set up a certificate on the internal interface for an edge server, use the procedures in this
section to do the following:
1. Download the CA certification path for the internal interface.
2. Install the CA certification path for the internal interface.
3. Verify that the CA is in the list of trusted root CAs.
4. Create the certificate request for the internal interface.
5. Import the certificate for the internal interface on the first edge server.
6. Export the certificate.
7. Import the certificate on other edge servers.
8. Assign the certificate for the internal interface to each edge server.
You can use the Communications Certificate Wizard to complete most of the certificate setup
procedures for the internal interface. You can start this wizard from the Office Communications
Server 2007 installation media, as covered in the following procedures, or from the
Administrative Tools interface on which Office Communications Server 2007 has already been
installed.

To download the CA certification path for the internal interface

Note
The steps of the procedures in this section are based on using
a Windows Server 2003 Enterprise CA or a Windows Server
2003 R2 CA. For step-by-step guidance for any other CA,
consult the documentation of the CA. By default, all
authenticated users have rights to request certificates.
This procedure also assumes that all edge servers are in the
central site and use the same certificate. If you use separate
certificates for the Web Conferencing Server(s) or the A/V
Edge Server, you will need to repeat the procedures in this
section for each separate certificate. If you are deploying
certificates in remote sites, modify the procedures as
appropriate for the edge servers in the remote sites.

1. With your Enterprise root CA offline and your Enterprise subordinate (issuing) CA Server
online, log on to Office Communications Server 2007 server in the internal network (not the
edge server) as a member of the Administrators group.
2. Click Start, click Run, type http://<name of your Issuing CA Server>/certsrv, and then
click OK.
3. Under Select a task, click Download a CA certificate, certificate chain, or CRL.
4. Under Download a CA Certificate, Certificate Chain, or CRL, click Download CA
certificate chain.
5. In the File Download dialog box, click Save.
6. Save the .p7b file to the hard disk on the server, and then copy it to a folder on each edge
server. If you open this file, the file should contain all the certificates that are in the
certification path. To view the certification path, open the server certificate and click the
certification path.

To import the CA certification path for the internal interface
1. On each edge server in your deployment, in the Deployment Wizard, on the Deploy Edge
Server page, next to Step 4: Configure Certificates for the Edge Server, click Run to
start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Import a certificate chain from a .p7b file,
and then click Next.
4. On Import Certificate Chain page, type the full path and name of the .p7b file (or click
Browse to locate and select the file), and then click Next.
5. Click Finish.
6. Repeat this procedure on each edge server.
To verify that your CA is in the list of trusted root CAs
1. On each edge server, open an MMC console. Click Start, and then click Run. In the Open
box, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.
4. In the Certificate snap-in dialog box, click Computer account, and then click Next.
5. In the Select Computer dialog box, ensure that the Local computer: (the computer this
console is running on) check box is selected, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, expand Certificates (Local Computer), expand Trusted Root
Certification Authorities, and then click Certificates.
8. In the details pane, verify that your CA is on the list of trusted CAs.
9. Repeat this procedure on each edge server.
To create the certificate request for the internal interface
1. On one edge server, in the Deployment Wizard, on the Deploy Edge Server page, next to
Step 4: Configure Certificates for the Edge Server, click Run to start the
Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Create a new certificate, and then click
Next.
4. On the Select the Component for Which the Certificate Is Requested page, select the
Edge Server Private Interface check box, and then click Next.
5. On the Delayed or Immediate Request page, select the Prepare the request now, but send
it later check box, and then click Next.

Note
If the Enterprise CA is reachable from the edge server, you
can use the Send the request immediately to an online
certification authority option. Since this is typically not the
case, this procedure and other certificate request procedures
in this guide do not cover the use of that option.
Additionally, be aware that once you create a request, it is
pending and the Certificate Wizard will not let you create
another request until you have processed the pending one.
6. On the Name and Security Settings page, type a friendly name for the certificate, and
specify the bit length (typically, the default of 1024), select the Mark certificate as
exportable check box, and then click Next.
7. On the Organization Information page, enter the name for the organization and the
organizational unit (such as a division or department, if appropriate), and then click Next.
8. On the Your Server’s Subject Name page, type or select the subject name and subject
alternate name of the edge server. The subject name should match the FQDN of the edge
server published by the internal firewall for the internal interface on which you are
configuring the certificate:
• For the internal interface of the edge server, this subject name should match the name
that your internal servers use to connect to the edge server (typically, the FQDN of the
internal interface for the edge server).
• If you are using a load balancer, the edge server itself is still reached by the FQDN of
its internal interface (the server name), but if internal servers connect to a virtual IP
address of the load balancer for this server role, the certificate subject name should
match the FQDN of that virtual IP address on the internal load balancer. For the internal
interface, this is typically the published DNS name for the perimeter network that maps
to the edge server.
9. Click Next.
10. On the Geographical Information page, type the location information, and then click Next.
11. On the Certificate Request File Name page, type the full path and file name to which the
request is to be saved in the File name box (or click Browse to locate and select the
certificate), and then click Next. For example, C:\certrequest_AccessEdge.txt
12. On the Request Summary page, click Next.
13. On the wizard completion page, verify successful completion, and then click Finish.
14. Submit this file to your CA (by e-mail or other method supported by your organization for
your Enterprise CA) and, when you receive the response file, copy the new certificate to this
computer so it is available for import.
15. Repeat this procedure for each edge server.
To import the certificate for the internal interface
1. On the Access Edge Server on which you created the certificate request, in Deployment
Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the
Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Pending Certificate Request page, click Process the pending request and import
the certificate, and then click Next.
4. On the Process a Pending Request page, in Path and file name, type the full path and file
name of the certificate that you requested and received for the internal interface of this edge
server (or click Browse to locate and select the certificate), and then click Next.
5. On the wizard completion page, verify successful completion, and then click Finish.
To export the certificate for the internal interface for import to other
edge servers
1. On the edge server on which you requested and imported the certificate, in Deployment
Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the
Edge Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Export a certificate to a .pfx file, and then
click Next.
4. On the Available Certificates page, in Select a certificate, click the certificate that you
imported to this edge server (as covered in the previous procedure), and then click Next.
5. On the Export Certificate page, in Path and file name, type the full path and file name to
which you want to export the certificate (or click Browse to select the location), and then click
Next.
6. In the Export Certificate Password page, in Password, type the password that will be used
to import the certificate on the other edge servers, and then click Next.
7. On the wizard completion page, verify successful completion, and then click Finish.
8. Copy the exported file to a location or media that is accessible by the other edge servers.
To import the certificate for the internal interface on the other edge
servers
1. On each of the other edge servers, in Deployment Wizard, on the Deploy Edge Server
page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the
Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and
then click Next.
4. On the Import Certificate page, in Path and file name, type the full path and file name of
the certificate that you exported from the first edge server (or click Browse to locate and
select the certificate), clear the Mark certificate as exportable check box, and then click
Next.
5. In the Import Certificate Password, in Password, type the password that you typed when
you exported the certificate from the first server, and then click Next.
6. On the wizard completion page, verify successful completion, and then click Finish.
7. Repeat this procedure for each edge server that will use the same certificate.
To assign the certificate to the internal interface of the edge servers
1. On each edge server, in the Deployment Wizard, on the Deploy Edge Server page, next to
Step 4: Configure Certificates for the Edge Server, click Run to start the
Communications Certificate Wizard.
2. On the Welcome page, click Next.
Appendix D Optimizing Your Network Interface Card for High A/V Traffic 69
3. On the Available Certificate Tasks page, click Assign an existing certificate, and then
click Next.
4. On the Available Certificates page, select the certificate that you requested for the internal
interface of this edge server, and then click Next.
5. On the Available Certificate Assignments page, select the Edge Server private interface
check box (the server interface on which you want to install the certificate), and then click
Next.
6. On the Configure the Certificate Settings of Your Server page, review your settings, and
then click Next to assign the certificates.
7. On the wizard completion page, click Finish.
8. Repeat this procedure for each edge server to which you assigned this certificate.

Step 3.6. Set Up Certificates for the External Interface
After setting up certificates for the internal interface, you are ready to set up the certificates for
the external interface.
The following sections summarize the certificate requirements for the external interface of your
edge servers and detail the specific requirements for each topology.

Certificate Requirements for the External Interface
The certificate requirements for the external interface include the following:
• For each unique IP address on the external interface that you use for the Access Edge Server
and Web Conferencing Edge Server, you need a separate certificate. We recommend that you use a
separate external IP address for each server role, even if all server roles are collocated. An
external certificate is not required on the A/V Edge Server.
• For the scaled single site edge topology, we recommend that each server role use a separate
VIP address on the external load balancer. A separate certificate matching the FQDN of the VIP
address used by each Access Edge Server and Web Conferencing Edge Server role must be installed
on every server in that role's array. For example, the Web Conferencing Edge Servers must have a
certificate that matches the FQDN of the VIP address used by the Web Conferencing Edge Servers
on the external load balancer. The certificate must be marked as exportable on the first physical
computer where you configure it and then imported into each additional computer in the array. An
external certificate is not required for the A/V Edge Server array on the external interface.
• If you are deploying a multiple-site topology, the Web Conferencing Edge Server in the
perimeter network of each remote site requires a certificate with a subject name that matches
the external FQDN of that Web Conferencing Edge Server. A certificate is not required for the
external interface of the A/V Edge Server.
• If you are supporting public IM connectivity with AOL, AOL requires a certificate configured
for both client and server authentication (that is, a certificate that carries both the Client
Authentication and Server Authentication enhanced key usages). For MSN and Yahoo!, a Web server
certificate (server authentication only) will suffice.
• Public certificates are required if you enable Web conferencing and enable your users to
invite anonymous participants (individuals from outside your organization who do not have
Active Directory credentials).
• Public certificates are required for public IM connectivity, and they are highly recommended
for enhanced federation. The public certificate must be from a public CA that is on the
default list of trusted root CAs installed on the server.

Note
It is possible to use your Enterprise subordinate CA for direct
federation, as well as for testing or trial purposes if all
partners agree to trust the CA or cross-sign the certificate.

Certificate Requirements for Each Topology
The following tables summarize the certificate requirements for each topology.
The following table summarizes the certificate requirements for the external interface of each
edge server role in the consolidated edge topology.

Table 29 External Certificates for the edge server in the consolidated edge topology

Server role | Certificate
Access Edge Server | A certificate configured on the external interface with a subject name that matches the external FQDN of the edge server. If you have multiple SIP domains, each supported SIP domain must be entered as sip.<domain> in the Subject Alternate Name of the certificate. For example, if your organization supports the two domains a.contoso.com and b.contoso.com: SN=sip.a.contoso.com, SAN=sip.a.contoso.com, sip.b.contoso.com
Web Conferencing Edge Server | A certificate configured on the external interface with a subject name that matches the external FQDN of the Web Conferencing Edge Server.
A/V Conferencing Edge Server | Not required

The following table summarizes the certificate requirements for the external interface of each
edge server role in the single site edge topology.
Table 30 External Certificates for the single-site edge topology

Server role | Certificate
Access Edge Server | A certificate configured on the external interface with a subject name that matches the external FQDN of the computer on which the Access Edge Server and Web Conferencing Edge Server are collocated. If you have multiple SIP domains, each supported SIP domain must be entered as sip.<domain> in the Subject Alternate Name of the certificate. For example, if your organization supports the two domains a.contoso.com and b.contoso.com: SN=sip.a.contoso.com, SAN=sip.a.contoso.com, sip.b.contoso.com
Web Conferencing Edge Server | A certificate configured on the external interface with a subject name that matches the external FQDN of the Web Conferencing Edge Server.
A/V Conferencing Edge Server | Not required

The following table summarizes the certificate requirements for the external interface of each
edge server role in the scaled single site edge topology.

Table 31 External Certificates for the scaled single-site edge topology

Server role | Certificate
Access Edge Server | A certificate configured on the external interface with a subject name that matches the external FQDN of the VIP address used by the Access Edge Server on the external load balancer. If you have multiple SIP domains, each supported SIP domain must be entered as sip.<domain> in the Subject Alternate Name of the certificate. For example, if your organization supports the two domains a.contoso.com and b.contoso.com: SN=sip.a.contoso.com, SAN=sip.a.contoso.com, sip.b.contoso.com. This certificate must be marked as exportable on the first computer where you configure the certificate and then imported onto each additional computer in the Access Edge Server and Web Conferencing Edge Server array. This certificate must be used as the certificate on the external interface of the Access Edge Server.
Web Conferencing Edge Server | A certificate configured on the external interface with a subject name that matches the external FQDN of the VIP address used by the Web Conferencing Edge Server on the external load balancer. This certificate must be marked as exportable on the first computer where you configure the certificate and then imported onto each additional computer in the Access Edge Server and Web Conferencing Edge Server array. This certificate must be used as the certificate on the external interface of the Web Conferencing Edge Server.
A/V Conferencing Edge Server | Not required.

The following table summarizes the certificate requirements for the external interface of each
edge server in the remote site in a multiple edge site topology. The servers in the central site will
use the same certificates as those in the scaled single site topology.
Table 32 External Certificates for the remote site in a multiple site edge topology

Server role | Certificate
Access Edge Server | No Access Edge Server is deployed in the remote site.
Web Conferencing Edge Server | A certificate configured on the external interface with a subject name that matches the external FQDN of the Web Conferencing Edge Server in the remote site.
A/V Conferencing Edge Server | Not required.

Configuring the Certificates on the External Interfaces
To set up a certificate for the external interface of an Access Edge Server or Web Conferencing
Edge Server, complete all of the procedures in this section, which include the following:
1. Create the certificate request for the external interface of the edge server.
2. Submit the request to your public CA.
3. Import the certificate for the external interface of each edge server.
4. Assign the certificate for the external interface of each edge server.

Note
When you request a certificate from an External CA, the
credentials provided must have rights to request a certificate
from that CA. Each CA has a security policy that defines which
credentials (specific user and group names) are allowed to
request, issue, manage, or read certificates.

To create the certificate request for the external interface of the edge
server
1. On the edge server, in the Deployment Wizard, on the Deploy Edge Server page, next to
Step 4: Configure Certificates for the Edge Server, click Run to start the
Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available tasks page, click Create a new certificate, and then click Next.
4. On the Delayed or Immediate Request page, select the Prepare the request now, but send
later check box, and then click Next.
5. On the Name and Security Settings page, type a friendly name for the certificate, specify
the bit length (the wizard's default was 1024 when this guide was written; public CAs no longer
issue certificates for 1024-bit RSA keys, so choose 2048 or higher), select the Mark certificate
as exportable check box, and then click Next.
6. On the Organization Information page, type the name for the organization and the
organizational unit (such as a division or department, if appropriate), and then click Next.
7. On the Your Server’s Subject Name page, type or select the subject name and subject
alternate name of the edge server:
• The subject name should match the FQDN of the server published by the external
firewall for the external interface on which you are configuring the certificate. For the
external interface of the Access Edge Server, this certificate subject name should be
sip.<domain>.
• If multiple SIP domain names exist and they do not appear in Subject alternate name,
type the name of each additional SIP domain as sip.<domain>, separating names with a
comma. Domains entered during configuration of the Access Edge Server are
automatically added to this box.
8. Click Next.
9. On the Geographical Information page, type the location information, and then click Next.
10. On the Certificate Request File Name page, type the full path and file name of the file to
which the request is to be saved (or click Browse to locate and select the file), and then click
Next.
11. On the Request Summary page, click Next.
12. On the Certificate Wizard Completed page, verify successful completion, and then click
Finish.
13. Copy the output file to a location from which it can be submitted to the public CA.
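The request procedure above, driven from the command line instead of the wizard, as an added example that is not part of this guide or of Office Communications Server: the Python script below writes a certreq.inf that encodes the naming rules from the tables in this section (subject name sip.<domain> for the primary SIP domain, a sip.<domain> Subject Alternate Name entry for every supported SIP domain, the Server Authentication enhanced key usage, and the Client Authentication enhanced key usage when AOL public IM connectivity is in scope), and it checks an issued certificate's names against the same rules before you assign it. The domains a.contoso.com and b.contoso.com come from the tables; the organization details, the assumption that the first listed domain supplies the external FQDN, and the 2048-bit key length are assumptions made for the example. The .inf is submitted with `certreq -new certreq.inf request.txt` on the edge server, which produces the same BEGIN/END NEW CERTIFICATE REQUEST file the next procedure submits to the public CA; the name check takes the CN and the SAN DNS names as you would read them from the certificate's Details tab.

```python
"""Generate a certreq.inf for the external Access Edge certificate and check
an issued certificate's names against the guide's rules.
Added example; not part of this guide or of Office Communications Server."""

# Constructed input: the guide's two example SIP domains. The first domain
# is assumed to be the one whose sip.<domain> name is the external FQDN.
SIP_DOMAINS = ["a.contoso.com", "b.contoso.com"]

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU (AOL needs both)


def required_names(sip_domains):
    """Subject CN and SAN list the guide requires: CN=sip.<primary domain>
    and a sip.<domain> SAN entry for every supported SIP domain."""
    if not sip_domains:
        raise ValueError("at least one SIP domain is required")
    sans = ["sip." + d.strip().lower().rstrip(".") for d in sip_domains]
    return sans[0], sans


def build_certreq_inf(sip_domains, org, org_unit, locality, state, country,
                      key_length=2048, client_auth=False):
    """Text of a certreq.inf for `certreq -new certreq.inf request.txt`.
    org/org_unit/locality/state/country are the wizard's Organization and
    Geographical Information pages. key_length defaults to 2048 rather than
    the wizard's 1024 (assumption for this example; 1024-bit RSA is obsolete)."""
    cn, sans = required_names(sip_domains)
    subject = f"CN={cn}, OU={org_unit}, O={org}, L={locality}, S={state}, C={country}"
    lines = [
        "[Version]",
        'Signature="$Windows NT$"',
        "",
        "[NewRequest]",
        f'Subject = "{subject}"',
        f"KeyLength = {key_length}",
        "Exportable = TRUE",        # the guide marks external certs exportable for arrays
        "MachineKeySet = TRUE",     # key lives in the computer store, not the user's
        "KeySpec = 1",              # AT_KEYEXCHANGE, needed for TLS key exchange
        "KeyUsage = 0xA0",          # digitalSignature | keyEncipherment
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        "RequestType = PKCS10",
        "",
        "[EnhancedKeyUsageExtension]",
        f"OID = {OID_SERVER_AUTH}",
    ]
    if client_auth:
        lines.append(f"OID = {OID_CLIENT_AUTH}")
    # certreq takes the SAN (OID 2.5.29.17) as '&'-terminated dns= entries
    lines += ["", "[Extensions]", '2.5.29.17 = "{text}"']
    lines += [f'_continue_ = "dns={name}&"' for name in sans]
    return "\n".join(lines) + "\n"


def missing_sip_names(sip_domains, subject_cn, san_dns_names):
    """Problems with an issued certificate's names, as a list of strings.
    Pass the CN and the DNS names from the Subject Alternative Name extension;
    an empty list means the certificate covers every SIP domain."""
    cn, sans = required_names(sip_domains)
    present = {n.strip().lower().rstrip(".") for n in san_dns_names}
    problems = [f"SAN missing {n}" for n in sans if n not in present]
    if subject_cn.strip().lower().rstrip(".") != cn:
        problems.insert(0, f"subject CN is {subject_cn}, expected {cn}")
    return problems


if __name__ == "__main__":
    # Organization details below are placeholders, not from the guide.
    print(build_certreq_inf(SIP_DOMAINS, "Contoso", "IT", "Redmond", "WA", "US",
                            client_auth=True))
    print(missing_sip_names(SIP_DOMAINS, "sip.a.contoso.com", ["sip.a.contoso.com"]))
```

Run the name check on the certificate the CA returns before the import and assign procedures below: a public CA that silently drops a SAN entry, or issues the certificate with a CN other than the sip.<domain> name, yields a certificate that imports cleanly but fails TLS validation for clients and federated partners of the affected domain.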
To submit a request to a public certification authority
1. Open the output file.
2. Copy and paste the entire contents of the CSR, from the line
-----BEGIN NEW CERTIFICATE REQUEST-----
through the line
-----END NEW CERTIFICATE REQUEST-----
into the appropriate text box on the CA's Web site.
3. If prompted, select the following options:
• Microsoft as the server platform
• IIS as the version
• Web Server as the usage type
• PKCS7 as the response format
4. When the public CA has verified your information, you will receive an e-mail message
containing text required for your certificate.
5. Copy the text from the e-mail message and save the contents in a text file (.txt) on your local
computer.
6. Download the root CA chain of the public CA and install it in the Trusted Root Certification
Authorities store of the local computer on each edge server (intermediate CA certificates in the
chain go in the Intermediate Certification Authorities store).

Note
Appendix B provides an example of a certificate request and a
sample procedure for requesting a certificate from a public CA.
To import the certificate for the external interface of the edge server
1. Log on to the edge server as a member of the Administrators group.
2. In the Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure
Certificates for the Edge Server, click Run to start the Communications Certificate
Wizard.
3. On the Welcome page, click Next.
4. On the Available certificate tasks page, click Process the pending request and import the
certificate, and then click Next.
5. Type the full path and file name of the certificate that you requested for the external interface
of the edge server (or click Browse to locate and select the certificate), and then click Next.
6. Click Finish.
7. Repeat this procedure for each edge server in your deployment that requires a certificate on
the external interface.
To assign the certificate for the external interface of the edge server
1. In Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure
Certificates for the Edge Server, click Run to start the Communications Certificate
Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Assign an existing certificate, and then
click Next.
4. On the Available Certificates page, select the certificate that you requested for the external
interface of the edge server, and then click Next.
5. On the Available certificate assignments page, select the external interface where you want
to install the certificate, and then click Next.
6. Review your settings, and then click Next to assign the certificates.
7. On the wizard completion page, click Finish.
8. Repeat this procedure for each edge server in your deployment that requires a certificate on
the external interface.

Step 3.7. Set Up Certificates for A/V Authentication
After configuring the edge certificates for the external and internal interfaces, you are ready to
set up the A/V authentication certificates on A/V Edge Servers. The private key of the A/V
authentication certificate is used to generate authentication credentials. As a security precaution,
you should not use the same certificate for A/V authentication that you use for the internal
interface of the A/V Edge Server (covered earlier in this guide).
The same A/V authentication certificate must be installed on each A/V Edge Server if multiple
servers are deployed in a load balanced array. This means that the certificate must be from the
same issuer and use the same private key.
To set up certificates for A/V Edge Servers, use the procedures in this section to do the following:
1. Create the A/V certificate request on the A/V Edge Server.
2. Import certificate on the first A/V Edge Server.
3. Export the certificate.
4. Import the certificate on other edge A/V Edge Servers.
5. Assign certificate to each A/V Edge Server.

Note
The steps of these procedures are based on using a Windows
Server 2003 Enterprise CA or a Windows Server 2003 R2
Enterprise CA and using the same certification path as you did
in “Set Up Certificates for the Internal Interface” earlier in this guide. If
you are not using the same certification path, you will need to
download the certification path, install it, and verify that it is
in the list of trusted root CAs, as covered in internal interface
procedure. For step-by-step guidance for using any other CA,
consult the documentation of the CA.

To create the A/V authentication certificate request for A/V Edge Servers
1. On the A/V Edge Server (if in an array, any one of the A/V Edge Servers), in the
Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure
Certificates for the Edge Server, click Run to start the Communications Certificate
Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Create a new certificate, and then click
Next.
4. On the Select the Component for Which Certificate Is Requested page, select the A/V
Edge Server Public Interface check box.
5. On the Delayed or Immediate Request page, select the Prepare the request now, but send
it later check box, and then click Next.
6. On the Name and Security Settings page, type a friendly name for the certificate, specify
the bit length (the wizard's default is 1024; 1024-bit RSA keys are no longer considered
adequate, so choose 2048 or higher), select the Mark the certificate as exportable check box,
and then click Next.
7. On the Organization Information page, type the name for the organization and the
organizational unit (such as a division or department, if appropriate), and then click Next.
8. On the Your Server’s Subject Name page, in Subject name, type or select the subject
name of the A/V Edge Server. The subject name should match the external FQDN of the A/V
Edge Server or the FQDN of the VIP used by the A/V Edge Server array on the external load
balancer if the A/V Edge Servers are load balanced
9. Click Next.
10. On the Geographical Information page, type the location information, and then click Next.
11. On the Certificate Request File Name page, type the full path and file name of the file to
which the request is to be saved (or click Browse to locate and select the file), and then click
Next.
12. On the Request Summary page, review the certificate information, and then click Next.
13. On the Certificate Wizard completed page, verify successful completion, and then click
Finish. The wizard saves the request to the file you specified; nothing is sent to the CA yet.
14. Submit this file to your CA (by e-mail or other method supported by your organization for
your Enterprise CA) and, when you receive the response file, copy the new certificate to a
location that is accessible by the A/V Edge Server on which you requested the certificate.
To import the A/V authentication certificate on the first A/V Edge
Server
1. On the A/V Edge Server on which you created the certificate request, in the Deployment
Wizard, on the Deploy Edge Server page, next to Step 4: Configure Certificates for the Edge
Server, click Run to start the Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available certificate tasks page, click Process the pending request and import the
certificate, and then click Next.
4. On the Process a Pending Request page, type the full path and file name of the certificate
that you requested for A/V authentication in the Path and file name box (or click Browse to
locate and select the file), and then click Next.
5. On the wizard completion page, verify successful completion, and then click Finish.
To export the certificate for A/V authentication
1. On the A/V Edge Server on which you requested and imported the certificate, in
Deployment Wizard, on the Deploy Edge Server page, next to Step 4: Configure
Certificates for the Edge Server, click Run to start the Communications Certificate
Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Export a certificate to a .pfx file, and then
click Next.
4. On the Available Certificates page, in Select a certificate, click the certificate that you
imported to this edge server (as covered in the previous procedure), and then click Next.
5. On the Export Certificate page, in Path and file name, type the full path and file name to
which you want to export the certificate (or click Browse to select the location), and then click
Next.
6. In the Export Certificate Password page, in Password, type the password that will be used
to import the certificate on the other edge servers, and then click Next.
7. On the wizard completion page, verify successful completion, and then click Finish.
8. Copy the exported file to a location or media that is accessible by the other A/V Edge
Servers.
To import the certificate for A/V authentication on the other A/V Edge
Servers
1. On each of the other A/V Edge Servers, in Deployment Wizard, on the Deploy Edge Server
page, next to Step 4: Configure Certificates for the Edge Server, click Run to start the
Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and
then click Next.
4. On the Import Certificate page, in Path and file name, type the full path and file name of
the certificate that you exported from the first A/V Edge Server (or click Browse to locate
and select the certificate), clear the Mark certificate as exportable check box, and then
click Next.
5. In the Import Certificate Password, in Password, type the password that you typed when
you exported the certificate from the first server, and then click Next.
6. On the wizard completion page, verify successful completion, and then click Finish.
7. Repeat this procedure for each A/V Edge Server that will use the same certificate.
To assign the A/V authentication certificate on the A/V Edge Servers
1. On each A/V Edge Server, in the Deployment Wizard, on the Deploy Edge Server page,
next to Step 4: Configure Certificates for the Edge Server, click Run to start the
Communications Certificate Wizard.
2. On the Welcome page, click Next.
3. On the Available Certificate Tasks page, click Assign an existing certificate, and then
click Next.
4. On the Available Certificates page, select the certificate that you requested for the A/V
Edge Server (in the previous procedure), and then click Next.
5. On the Available Certificate Assignments page, select the A/V Edge Server check box, and
then click Next.
6. On the Configure the Certificate Settings of Your Server page, review your settings, and
then click Next.
7. On the wizard completion page, click Finish.
8. After assigning the certificate, open the Certificates snap-in on the server, expand
Certificates (Local Computer), expand Personal, click Certificates, and then verify in the
details pane that the A/V authentication certificate is listed.
9. If your deployment includes an array of A/V Edge Servers, repeat this procedure on each
A/V Edge Server.

Step 3.8 Start Services
After completing the set up of the edge servers and load balancers, you need to start the service
on each edge server.
To start the services
1. On each edge server, in the Deployment Wizard, on the Deploy Edge Server page, next to
Step 6: Start Services, click Run to start the wizard.
2. On the Welcome page, click Next.
3. On the Ready to Start Office Communications Server 2007 Services page, review the list
of services, and then click Next to start the services.
4. When the services have started and the wizard has completed, verify that the View the log
when you click ‘Finish’ check box is selected, and then click Finish.
5. When the Office Communications Server 2007 Deployment Log opens in a Web browser
window, verify that Success appears under Execution Result in the action column on the far
right side of the screen. Optionally, expand each individual task and verify that the
Execution Result shows Success for the task. When you finish, close the log window.

Step 4. Configure the Environment
After you have set up your edge servers and load balancers, you need to set up your environment,
including access restrictions and user settings, as appropriate to your organization. To do this, use
the procedures in this section to do the following:
• Configure federation with federated partners or audio conferencing providers (ACP).
• Configure global settings for anonymous users.
• Configure users for federation, remote user access, and public connectivity.
• Connect your internal servers with your edge servers.

Step 4.1. Configure Federation
Federation provides your organization with the ability to communicate with other organizations'
Access Edge Servers to share IM and presence. You can also federate with an audio conferencing
provider using either of the two methods below. The process of configuring federation with an
organization and with an audio conferencing provider is identical.
If you have enabled federation on the Access Edge Server, access by federated partners,
including audio conferencing providers (ACPs), is controlled using one of the following
methods:
• Allow automatic DNS-based discovery of Access Edge Servers for federated partners. This
is the default option during initial configuration of an Access Edge Server because it offers a
good level of security and features that facilitate configuration and management. For
instance, when you enable enhanced federation on your Access Edge Server, Office
Communications Server 2007 automatically evaluates incoming traffic from enhanced
federation partners and limits or blocks that traffic depending on trust level, amount of
traffic, and administrator settings.
• Do not allow DNS-based discovery and limit access of federated partners to only the FQDNs
of each Access Edge Server for which you want to enable connections. Connections with
federated partners are allowed only with the specific Access Edge Servers you add to your
Allow list. This method offers the highest level of security, but does not offer the ease of
management and other features available with DNS-based discovery. If an FQDN of an
Access Edge Server changes, you must manually change the FQDN of the server in the
Allow list.
When you ran the Configure Edge Server Wizard, if you chose not to allow automatic discovery
of federation partners, you must add each federation partner to the Allow tab of your edge server
for federation to work.
If you chose to use DNS-based discovery of Access Edge Servers, you can use the Allow tab to
grant a higher level of trust to some federated partners. This is necessary if you expect to have
legitimate higher than average volume of traffic from some federation partners.
If a federated partner has sent requests to more than 1000 URIs (valid or invalid) in the local
domain, the connection is first placed on the Watch list, and any additional requests are then
blocked by the Access Edge Server. If the Access Edge Server detects suspicious traffic on a
connection, it limits the federated partner to a low message rate of 1 message per second. The
Access Edge Server detects suspicious traffic by calculating the ratio of successful to failed
responses. The Access Edge Server also limits legitimate federated partner connections (unless the
partner is added to the Allow list) to 20 messages per second.
If you know that a legitimate federated partner will send requests to more than 1000 URIs, or
more than 20 messages per second, to your organization, you must add that federated partner to
the Allow tab to permit these volumes.
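The controls just described, modelled in code as an added example (not Office Communications Server's own logic) and replayed over constructed SIP request log lines: the per-partner 1000-URI limit with watch-listing and blocking, the 20 messages per second limit for partners not on the Allow list, the 1 message per second limit once a connection's traffic looks suspicious, and the exemption for partners on the Allow list. The guide does not state which success-to-failure ratio counts as suspicious or how many responses are needed before it is judged; the rule used here (more failed than successful responses, judged after at least 20 responses), the log line format, the partner names and the URIs are all assumptions made for the example.

```python
"""Model of the federated-partner throttling described above, replayed over
constructed log lines. Added example, not Office Communications Server code."""
from collections import defaultdict, deque


class FederationThrottle:
    """Per-partner limits as the guide states them. Partners on the Allow
    list are exempt. The 'suspicious' rule (more failed than successful
    responses, judged after MIN_SAMPLES responses) is an assumption."""
    URI_LIMIT = 1000        # distinct local URIs before the connection is watch-listed
    NORMAL_RATE = 20        # msg/sec for a partner not on the Allow list
    SUSPICIOUS_RATE = 1     # msg/sec once traffic looks suspicious
    MIN_SAMPLES = 20        # assumption: responses needed before judging the ratio

    def __init__(self, allow_list):
        self.allow = {d.lower() for d in allow_list}
        self.uris = defaultdict(set)          # partner -> distinct URIs targeted
        self.ok = defaultdict(int)            # partner -> successful responses
        self.failed = defaultdict(int)        # partner -> failed responses
        self.recent = defaultdict(deque)      # partner -> timestamps accepted in the last second
        self.watch_list = set()

    def suspicious(self, partner):
        total = self.ok[partner] + self.failed[partner]
        return total >= self.MIN_SAMPLES and self.failed[partner] > self.ok[partner]

    def decide(self, partner, uri, ts, response_ok):
        """Return 'allowed', 'blocked' or 'rate-limited' for one request."""
        partner = partner.lower()
        if partner in self.allow:
            return "allowed"                  # Allow list: none of the limits apply
        if partner in self.watch_list:
            return "blocked"                  # everything after watch-listing is blocked
        self.uris[partner].add(uri.lower())
        if len(self.uris[partner]) > self.URI_LIMIT:
            self.watch_list.add(partner)
            return "blocked"
        rate = self.SUSPICIOUS_RATE if self.suspicious(partner) else self.NORMAL_RATE
        window = self.recent[partner]
        while window and ts - window[0] >= 1.0:
            window.popleft()                  # keep only the last second of accepted messages
        if len(window) >= rate:
            return "rate-limited"
        window.append(ts)
        if response_ok:
            self.ok[partner] += 1
        else:
            self.failed[partner] += 1
        return "allowed"


def replay(lines, allow_list):
    """Feed log lines of the constructed form 'ts partner request-uri status'
    through the throttle; returns one (partner, decision) pair per line."""
    throttle = FederationThrottle(allow_list)
    out = []
    for line in lines:
        ts, partner, uri, status = line.split()
        out.append((partner.lower(), throttle.decide(partner, uri, float(ts), int(status) < 400)))
    return out


def summarize(decisions):
    """Count decisions per partner: {partner: {decision: count}}."""
    counts = {}
    for partner, decision in decisions:
        per = counts.setdefault(partner, {})
        per[decision] = per.get(decision, 0) + 1
    return counts


def constructed_log():
    """Constructed sample traffic (not real server output), one scenario per partner."""
    lines = []
    # Allow-listed partner bursting 30 messages within one second
    lines += [f"{i * 0.01:.3f} partner.fabrikam.com sip:u{i}@a.contoso.com 200" for i in range(30)]
    # Unlisted partner bursting 25 messages within one second
    lines += [f"{i * 0.01:.3f} unlisted.example sip:u{i}@a.contoso.com 200" for i in range(25)]
    # Directory-harvest style probe: 1001 distinct local URIs at 10 per second
    lines += [f"{i * 0.1:.3f} probe.example sip:guess{i}@a.contoso.com 200" for i in range(1001)]
    # Partner whose every request fails, 2 per second: suspicious after 20 responses
    lines += [f"{i * 0.5:.3f} spam.example sip:nobody{i}@b.contoso.com 404" for i in range(25)]
    return lines


if __name__ == "__main__":
    for partner, counts in summarize(replay(constructed_log(), ["partner.fabrikam.com"])).items():
        print(partner, counts)
```

The replay shows why the Allow list matters operationally: partner.fabrikam.com sends the same burst as unlisted.example but is never throttled, the probe is cut off at its 1001st distinct URI regardless of rate, and spam.example is held to one message per second only after enough failed responses have accumulated, so a partner that mostly hits valid URIs is not penalized.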
After configuring federation, you can use Office Communications Server 2007 administrative
tools to monitor and manage federated partner access on an ongoing basis. For more information,
see the Microsoft Office Communications Server 2007 Administration Guide.
To enable DNS-based discovery of Access Edge Servers of federated
partners
1. Log on to the Access Edge Server as a member of Administrators group or a group with
equivalent user rights.
2. Open Computer Management. Click Start, click All Programs, click Administrative Tools,
and then click Computer Management.
3. In the console tree, expand Services and Applications, right-click Microsoft Office
Communications Server 2007, and then click Properties.
4. On the Access Methods tab, select the Federate with other domains check box.
5. On the Allow tab, click Add.
6. In the Add Federated Partner dialog box, do the following:
• In the Federated partner domain name box, type the domain name of the federated partner.
• If you did not configure automatic discovery of federated domains, type the FQDN of the
federated partner's Access Edge Server in the Federated partner Access Edge Server box.
• Click OK.
7. Repeat steps 5 and 6 for each federated partner you want to add to your Allow list, and then
click OK.

Note
After using this procedure to configure DNS-based discovery,
you can use the procedures in the Office Communications
Server 2007 Administration Guide to manage the trust levels
of specific domains.

To restrict federated partner access to specific Access Edge Servers
1. Log on to the Access Edge Server as a member of Administrators group or a group with
equivalent user rights.
2. Open Computer Management. Click Start, click All Programs, click Administrative Tools,
and then click Computer Management.
3. In the console tree, expand Services and Applications, right-click Microsoft Office
Communications Server 2007, and then click Properties.
4. On the Access Methods tab, ensure that the Federate with other domains check box is
selected, but clear the Allow discovery of federation partners check box.
5. On the Allow tab, click Add.
6. In the Add Federated Partner dialog box, do the following:
• In the Federated partner domain name box, type the name of the federated partner
domain that you want to add to your Allow list.
• In the Federated partner Access Edge Server box, type the name of each Access Edge
Server that you want to add to your Allow list. Only names that you add to the list are
allowed to discover your Access Edge Server.
• Click OK.
7. Repeat steps 5 and 6 for each federated partner you want to add to your Allow list, and then
click OK.

Step 4.2. Configure Settings for Anonymous Users
As described previously in this guide, anonymous participation in meetings enables a user whose
identity is verified only through the meeting or conference key to join meetings. When you ran
the Configuration Wizard on your edge servers, you had the option to allow anonymous users,
but you can also configure specific settings to control anonymous participation. This includes
configuring the global policy and implementing user-level settings to control participation by
anonymous users. Use the procedures in this section to do the following:
• Configure the settings on the Meeting tab in Global Properties to specify how
anonymous participation is implemented in your organization (allow anonymous users,
disallow anonymous users, or allow only specific users to invite anonymous users).
• When you configure the settings on the Meeting tab, if you choose the option to enforce
anonymous participation on a user-by-user basis, you also need to configure settings for each
of the individual users that you want to allow to invite anonymous users to meetings.
To configure the global policy for anonymous participation in meetings
1. Log on to an Office Communications Server 2007 Standard or Enterprise Edition server or a
server with the Office Communications Server 2007 administration tools installed as a
member of the RTCUniversalUserAdmins group or a group with equivalent user rights.
2. Open Office Communications Server 2007 Administrative Tools. Click Start, point to All
Programs, point to Administrative Tools, and then click Office Communications Server
2007, Administrative Tools.
3. In the console tree, right-click the forest node, point to Properties, and then click Global
Properties.
4. Click the Meetings tab.
5. In the Anonymous participants box, click the global policy that you want to enforce:
• Allow users to invite anonymous participants. This policy allows all users in your
organization to invite anonymous users to meetings.
• Disallow users from inviting anonymous participants. This policy prevents all users
in your organization from inviting anonymous users to meetings.
• Enforce per user. This policy requires that you configure each individual user account
that you want to be able to invite anonymous users (as covered in the next
procedure). All other users are prevented from inviting anonymous users.

Note
By default, the global policy does not allow Anonymous users,
unless you selected the Anonymous users option on the
Features that Will Be Enabled on this Access Edge
Server page when you configured your edge servers, as
explained in Step 3.4 earlier in this guide. You can use the
above options to change the global policy. If you choose the
Enforce per user option, the global policy prevents all users
from inviting anonymous users to participate in meetings,
except for any individual accounts that you specifically
configure to be allowed to invite anonymous users as
explained later in this section.
6. To configure a global meeting policy, do the following:
• Under Policy Settings, click the name of the policy that you want to use in the Global
policy list.
• To view or modify a policy, under Policy Definition, click the name of the policy, click
Edit, and then modify the policy, as appropriate.
7. If you chose to enforce anonymous participation using the Enforce per user setting on the
Meeting tab, use the next procedure to configure initial settings for each user that is to be
allowed to invite anonymous users.
To configure settings so an individual user can invite anonymous users (if using the Enforce per user option)
1. Log on to an Office Communications Server 2007 Standard or Enterprise Edition server or a
server with the Office Communications Server 2007 administration tools installed as a
member of the RTCUniversalUserAdmins group or a group with equivalent user rights.
2. Open Office Communications Server 2007. Click Start, point to Programs, point to
Administrative Tools, and then click Office Communications Server 2007,
Administrative Tools.
3. In the console tree, locate the Standard Edition server node or Enterprise pool node
containing the user account that you want to enable, expand the node, and then click Users.
4. In the details pane, right-click the name of the user account that you want to allow to invite
anonymous participants, and then click Properties.
5. On the Communications tab, under Meetings, select the Allow anonymous participants
check box.

Note
This option is available only if you selected the Enforce per user
option in the previous procedure.

Step 4.3 Configure Users for Federation, Public IM Connectivity, and Remote User Access
You enable federation, public IM connectivity, and remote user access for specific users to
control the methods that users can use to communicate with external users.

Note
The following procedure covers how to configure individual
users for federation, public IM connectivity, and remote
access. You can also configure a group of users by right-clicking
Users or the OU containing the user accounts (or
clicking Users or the OU, and selecting specific user accounts
in the details pane), and then clicking Configure
Communications Users. For more information, see the
Microsoft Office Communications Server 2007 Administration
Guide.

To configure individual users to communicate with external users
1. Log on as a member of the DomainAdmins group to an Enterprise Edition Server or a
server that is a member of an Active Directory domain and that has the Office
Communications Server administration tools installed.
2. Open Active Directory Users and Computers. Click Start, click All Programs, click
Administrative Tools, and then click Active Directory Users and Computers.
3. In the console tree, expand the Users container or the other organizational unit (OU) that
contains the user account for which you want to enable federation, public IM connectivity, or
remote user access, right-click the user account name, and then click Properties.
4. On the Communications tab, click Configure next to Additional options.
5. In User Options, under Federation, do the following:
• To enable the user account for federation, select the Enable Federation check box.
• To enable the user account for public IM connectivity, select the Enable public IM
connectivity check box.
• To enable the user account for remote access, select the Enable remote user access check
box.
6. Click OK twice.

Step 4.4. Connect Your Internal Servers with Your Edge Servers
To connect your internal servers to your edge servers and configure the internal servers to route
outbound traffic to the edge servers, you need to run the Configure Server Wizard or Configure
Pool Wizard on each server or pool in your organization, as well as on the Director (if you
deployed a Director, as recommended).
Configuring a Director
When you run the Configure Pool or Server Wizard and configure external access on a Director,
you configure the following settings:
• Add your Director as the next hop server through which all external SIP traffic is routed.
This setting is configured on the Federation tab in Global Properties.
• Add your Access Edge Server to the authorized Access Edge Server list on the Edge Server
tab in the Global Properties.
• Override the “next hop” setting that is used globally by internal servers and pools so that the
Director routes all outbound traffic directly to the Access Edge Server. This setting is
configured at the pool or Standard Edition Server level on the Federation tab.
To configure your Director for external user access
1. Log on to your Director with an account that is a member of the
RtcUniversalServerAdmins group.
2. Start the Deployment Wizard by doing one of the following:
• If you have the Office Communications Server 2007 installation CD, insert the CD. If
Setup does not start automatically, from the Start menu, click Run, type
\Setup\I386\Setup.exe, and then click OK.
• If the Office Communications Server 2007 files reside on a network share, go to the
\Setup\I386 folder, and then double-click Setup.exe.
3. Do one of the following:
• On a Standard Edition server, click Deploy Standard Edition Server.
• On an Enterprise Edition server, click Deploy Pool in a Consolidated Topology or
Deploy Pool in an Expanded Topology.
4. At Configure Server, click Run.
5. On the Welcome to the Configure Pool/Server Wizard page, click Next.
6. On the Server or Pool to Configure page, select the server from the list, and then click
Next.
7. Accept the default settings until you reach the External User Access Configuration page.
8. On the External User Access Configuration page, click Configure for external user
access now, and then click Next.

9. On the Route External SIP Traffic page, click Route traffic through a Director, and then
click Use this pool or server as the Director for routing external traffic.
10. Click Next.
11. On the Trusted Access Edge Servers page, type the FQDN of each Access Edge Server,
clicking Add after each. If you are using an array of Access Edge Servers, type the FQDN of the
VIP of the internal load balancer. The FQDNs that you enter on this page are added to the
list of authorized Access Edge Servers on the Edge Server tab in Global Properties.
12. Under Specify the Access Edge Server that internal servers will use to route traffic,
select the FQDN of the Access Edge Server to which you want all outbound traffic routed
from your internal servers and then click Next.
13. On the Web Conferencing Edge Server page, click Next. You configure each internal
server and pool to route to the appropriate Web Conferencing Edge Server. Directors do not
route Web Conferencing traffic.
14. On the Trusted A/V Edge Servers page, enter the internal FQDN of each A/V Edge Server
authorized to connect to your internal servers. The FQDNs that you enter on this page are
added to the list of authorized A/V Edge Servers on the Edge Server tab in Global
Properties.
15. On the A/V Edge Server Used by This Server or Pool page, click Next. You configure
each internal server and pool to route to the appropriate A/V Edge Server. Directors do not
route A/V traffic.
16. On the Ready to Configure Server or Pool page, review the settings that you specified, and
then click Next to configure the Standard Edition Server.
17. When the files have been installed and the wizard has completed, verify that the View the
log when you click ‘Finish’ check box is selected, and then click Finish.
18. In the log file, verify that <Success> appears under the Execution Result column. Look for
<Success> Execution Result at the end of each task to verify Standard Edition Server
configuration completed successfully. Close the log window when you finish.
Configuring Other Internal Servers and Pools for External User
Access
Use the following procedure to configure your internal servers or pools for external access. The
procedure will vary slightly depending on whether or not you use a Director.
To connect your internal server with your edge servers
1. Log on to your internal Standard Edition Server or Enterprise pool with an account that is a
member of the RtcUniversalServerAdmins group.
2. Start the Deployment Wizard by doing one of the following:
• If you have the Office Communications Server 2007 installation CD, insert the CD. If
Setup does not start automatically, from the Start menu, click Run, type
\Setup\I386\Setup.exe, and then click OK.
• If the Office Communications Server 2007 files reside on a network share, go to the
\Setup\I386 folder, and then double-click Setup.exe.
3. Do one of the following:
• On a Standard Edition server, click Deploy Standard Edition Server.
• On an Enterprise Edition server, click Deploy Pool in a Consolidated Topology or
Deploy Pool in an Expanded Topology.
4. Next to Configure Server or Configure Pool, click Run to start the Pool/Server
Configuration Wizard.
5. On the Welcome page, click Next.
6. On the Server or Pool to Configure page, in the list, click the pool or server that you want
to configure, and then click Next.
7. Continue through the wizard, specifying the settings that are appropriate to your pool or
server configuration, until you reach the External User Access Configuration page.
8. On the External User Access Configuration page, click Configure for external user access
now.
9. On the Routing External SIP Traffic page, do one of the following:
• If you plan to route all traffic sent to and from the edge servers through a Director, click
Route traffic through a Director and, if this is the Director, select the Use this pool or
server as the Director for routing external traffic check box, click Next, and then
perform the remaining steps in this procedure.
• If you do not plan to route all traffic sent to and from the edge servers through a
Director, click Route directly to and from internal pools and servers.
10. Click Next.
11. On the Trusted Access Edge Servers page, do the following:
• In the top box, type the FQDNs of each Access Edge Server that is authorized to
connect to your internal servers and pools, clicking Add after typing each name.
• In the Specify the Access Edge Server that internal servers will use for outbound
traffic list, click the name of the Access Edge Server to which internal servers and pools
will route outbound traffic.
12. On the Web Conferencing Edge Server page, do the following:
• In Internal FQDN, type the FQDN of each internal interface that will be used by
internal servers to connect to the Web Conferencing Edge Server, clicking Add after
typing each FQDN.
• In External FQDN, type the FQDN of each external interface that will be used by
external users to connect to the Web Conferencing Edge Server, clicking Add after
typing each FQDN.
13. Click Next.
14. On the Trusted A/V Edge Servers page, type the FQDN of the internal interface that will be
used to connect to the A/V Edge Server in the FQDN box, type the port number to be used
for the internal interface in the Port box, and then click Add. Repeat for each FQDN to be
used. The servers are added to the list of authorized A/V Edge Servers on the Edge Server tab in
Global Properties.
15. On the A/V Edge Server Used by This Server or Pool page, type the FQDN of the internal
interface of the A/V Edge Server that this server or pool will use for A/V authentication. This
FQDN is added to the A/V Properties at the “pool” level for an Enterprise pool or Standard
Edition Server.
16. Click Next.
17. On the Ready to Configure Server or Pool page, review the settings that you selected, and
then click Next.
18. On the completion page, click Finish.

Step 5. Validate Your Edge Configuration
After you have deployed your edge topology and set up the environment, you should run the
Validation Wizard on each individual edge server in order to verify its configuration and
connectivity.
To validate your server configuration
1. Log on to each edge server as a member of the RTCLocalServerAdmins group or a group
with equivalent user rights.
2. In the Deployment Wizard, beside Validate Server Functionality, click Run to start the
Validation Wizard.
3. On the Welcome page, click Next.
4. On the Select Validation Steps page, select the options you want to validate:
• Select the Validate SIP Logon (1-Party) and IM (2-Party) check box. This option
verifies that your enabled users can log on, and it can be run only after you create and
enable your users. You need to run this check on an internal server to validate internal
connectivity and verify communications with the edge servers, as described in the next
procedure.
• Select the Validate Local Server Configuration checkbox to validate that the server on
which you are running is configured correctly.
• Select the Validate Connectivity check box to verify that the server has connectivity to
internal servers.
5. Click Next.
6. On the User Account page, do the following:
• Type the account name, user sign-in name, and password of a test user or other user who
is enabled for SIP.
• In the Server or Pool list, click the name of the server or Enterprise pool on which the
user account is hosted.
7. Click Next.
8. On the Second user account page, do the following:
• Type the account name, user sign-in name, and password of a second test user or other
user who is enabled for SIP. This account will be used with the first account that you
specified to test IM functionality between two users.
• In the Server or Pool list, click the name of the server or Enterprise pool on which the
user account is hosted.
9. Click Next.
10. On the wizard completion page, verify that the Check this box to view log files results check
box is selected, and then click Finish to exit.
11. When the Office Communications Server 2007 Deployment Log opens in a Web browser
window, verify that Success appears under Execution Result in the action column on the far
right side of the screen. Optionally, expand each individual task and verify that the
Execution Result shows Success for the task. When you finish, close the log window.
To verify that your edge servers can communicate with internal servers
1. Log on to an Office Communications Server 2007 Standard or Enterprise Edition server or a
server with the Office Communications Server 2007 administration tools installed as a
member of the RTCUniversalUserAdmins group or a group with equivalent user rights.
2. In the Deployment Wizard, beside Validate Server Functionality or Validate Pool
Functionality, click Run to start the Validation Wizard.
3. On the Welcome page, click Next.
4. On the Select Validation Steps page:
• Select the Validate SIP Logon (1-Party) and IM (2-Party) check box. This option
verifies that the user accounts you created and enabled can be used to log on and
connect.
• Select the Validate Local Server Configuration checkbox to validate that the server on
which you are running is configured correctly.
• Select the Validate Connectivity check box to verify that the server has connectivity to
the back-end database and other internal servers.
5. On the User Account page, do the following:
• Type the account name, user sign-in name, and password of a test user or other user who
is enabled for SIP.
• In the Server or Pool list, click the name of the server or Enterprise pool on which the
user account is hosted.
6. Click Next.
7. On the Second user account page, do the following:
• Type the account name, user sign-in name, and password of a second test user or other
user who is enabled for SIP. This account will be used with the first account that you
specified to test IM functionality between two users.
• In the Server or Pool list, click the name of the server or Enterprise pool on which the
user account is hosted.
8. Click Next.
9. If you have configured federation or public IM connectivity, on the Federation and Public
IM Connectivity page, do the following:
• Select the Test between internal user and federated users check box.
• In the Enter SIP User Accounts for federated use box, type the SIP URI of one or
more federated user accounts (separated by semicolons) that you want to use to test this
functionality. Otherwise, leave the check box cleared.
10. Click Next.
11. On the wizard completion page, verify that the View the log when you click Finish check
box is selected, and then click Finish.
12. When the Office Communications Server 2007 Deployment Log opens in a Web browser
window, verify that Success appears under Execution Result in the action column on the far
right side of the screen. Optionally, expand each individual task and verify that the
Execution Result shows Success for the task. When you finish, close the log window.

Appendix A: Configuring an Array of Standard Edition Servers as a Director
For larger deployments with external access enabled, you might want to deploy an array of Office
Communications Servers to function as a Director. Servers in this array are connected through a
load balancer and share a virtual IP address. The load balancer routes each incoming
communication to a computer in the array, which then routes the communication to the internal
Office Communications Server 2007 server or Enterprise pool.
Figure 6 Access Edge Server Topology with two Directors
[Figure: the perimeter network contains the Access Edge Server array (AP1, AP2) behind load balancers
with virtual IP addresses VIP0 (external) and VIP1 (internal); the internal network contains the Director
array (DIR1, DIR2) behind a load balancer with virtual IP address VIP2. The individual addresses IP0 through
IP6 label the network elements.]

In the configuration shown in the figure, the following virtual IP addresses are assigned to the
load balancers:
• VIP0 is the virtual IP address of the external interface of the Access Edge Server array (AP1 and
AP2).
• VIP1 is the virtual IP address of the internal interface of the Access Edge Server array (AP1 and
AP2).
• VIP2 is the virtual IP address of the Director array (DIR1 and DIR2), which is visible to the
perimeter network.
In the figure, the IP address of each network element is labeled below the network element. For
illustrative purposes, assume that each network element has the FQDN shown in the following table.
Table 33 Network elements and associated FQDNs

Network Element   FQDN
VIP0              sip.contoso.com
AP1               ap1.contoso.com
AP2               ap2.contoso.com
VIP1              apbank.corp.contoso.com
VIP2              dirpool.corp.contoso.com
DIR1              dir1.corp.contoso.com
DIR2              dir2.corp.contoso.com

Depending on whether you deploy an Enterprise pool with a Back-End Database that contains no
user data or multiple Standard Edition Servers as an array, the configuration of the array will
vary. The primary differences are as follows:
• The certificates that are installed on the Standard Edition servers must have the computer
FQDN in the SUBJECT field and the FQDN of the virtual IP address of the Director must be
listed in the SUBJECT_ALT_NAME field.
• At the forest level, the global default route for federation must point to the FQDN of the
virtual IP address of the Director. In the case of an Enterprise pool, it must point to the
FQDN of the Enterprise pool.
• The default route for federation on each of the Standard Edition servers in the Director array
must point to the FQDN of the virtual IP address of the Access Edge Server array. This
setting is configured on the Federation tab of each Standard Edition Server or Enterprise
pool. If an Enterprise pool is used as a Director, this setting would be made only once, at the
pool level.
• Individual server names must be listed in the “trusted internal servers” list on the Access
Edge Servers, in addition to the FQDN of the virtual IP address of the Director.
• DNS entries must be added for each Standard Edition Server in the perimeter network, in
addition to the FQDN of the virtual IP address.

Creating Certificates for an Array of Standard Edition Servers, Configured as Director
A certificate that is installed on a Standard Edition Server that is part of a Director array must
meet the following requirements:
• The FQDN of the Server is used for the subject (SUBJECT of the certificate).
• The FQDN of the virtual IP address of the Director and the FQDN of the Server must be
used as the subject alternate name (SUBJECT_ALT_NAME of the certificate).
By default, the Microsoft Enterprise subordinate CA does not allow issuing a certificate with a
subject alternate name, so issuing a certificate with a subject alternate name on a Microsoft
Enterprise subordinate CA requires changing some settings on the CA. In the example described
earlier in this appendix, the FQDN for the virtual IP address of the Director is
dirpool.corp.contoso.com and one of the server names is dir1.corp.contoso.com.
The subject alternate name must contain both the server name and the FQDN of the virtual IP
address, or else the certificate cannot be correctly loaded by the Security Service Provider
Interface (SSPI). Additionally, because each certificate lists the individual server name in
addition to the FQDN of the virtual IP address, each server must be installed with a different
certificate: a common certificate cannot be shared across all the servers in the array.
These requirements are in addition to the standard certificate requirements for Office
Communications Server 2007, such as having the Enhanced Key Usage set for both client and
server authentication.
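As an added example (not part of this guide or of Office Communications Server), the following Python check applies the subject and subject alternate name rules above to every certificate in a Director array. The server and VIP names come from Table 33; the subject, SAN lists and thumbprints are constructed inputs supplied as already-parsed strings, with placeholder thumbprints standing in for real ones.

```python
"""Check the certificates of a Director array against the rules above:
subject CN = the server's own FQDN; SAN = Director VIP FQDN + server FQDN;
no certificate shared between servers.  Added example, not OCS tooling."""


def _norm(name):
    """DNS names compare case-insensitively; a trailing root dot is ignored."""
    return name.strip().rstrip(".").lower()


def check_director_certificate(server_fqdn, vip_fqdn, subject_cn, sans):
    """Return the rule violations for one server's certificate (empty = OK)."""
    problems = []
    server, vip = _norm(server_fqdn), _norm(vip_fqdn)
    san_set = {_norm(s) for s in sans}
    if _norm(subject_cn) != server:
        problems.append("SUBJECT CN %r must be the server FQDN %r" % (subject_cn, server_fqdn))
    if vip not in san_set:
        problems.append("SUBJECT_ALT_NAME must include the Director VIP FQDN %r" % vip_fqdn)
    if server not in san_set:
        problems.append("SUBJECT_ALT_NAME must include the server's own FQDN %r" % server_fqdn)
    return problems


def check_director_array(vip_fqdn, certs):
    """certs maps server FQDN -> (subject_cn, [san names], thumbprint).
    Returns {server: [problems]} for servers that fail; {} means all pass."""
    report, first_holder = {}, {}
    for server, (subject_cn, sans, thumbprint) in certs.items():
        problems = check_director_certificate(server, vip_fqdn, subject_cn, sans)
        # one certificate cannot be installed on several array members
        if thumbprint in first_holder:
            problems.append("shares certificate %s with %s" % (thumbprint, first_holder[thumbprint]))
        first_holder.setdefault(thumbprint, server)
        if problems:
            report[server] = problems
    return report


# Constructed sample using the names from Table 33; thumbprints are placeholders.
DIRECTOR_VIP = "dirpool.corp.contoso.com"
SAMPLE_CERTS = {
    "dir1.corp.contoso.com": ("dir1.corp.contoso.com",
                              ["dirpool.corp.contoso.com", "dir1.corp.contoso.com"], "THUMB-1"),
    "dir2.corp.contoso.com": ("dir2.corp.contoso.com",
                              ["dirpool.corp.contoso.com", "dir2.corp.contoso.com"], "THUMB-2"),
}

if __name__ == "__main__":
    print(check_director_array(DIRECTOR_VIP, SAMPLE_CERTS) or "all Director certificates pass")
```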

Configuring DNS Resolution for Directors on the Access Edge Server
The individual IP addresses of the Director servers must be visible to the Access Edge Server, in
addition to the virtual IP address of the Director. This requirement is in addition to the
requirements for using a pool for a Director.
For example, if you are using hosts files on the Access Edge Server, the hosts file entries are as follows:
172.67.89.80 dirpool.corp.contoso.com
172.78.89.1 dir1.corp.contoso.com
172.78.89.2 dir2.corp.contoso.com

Note
We recommend that you use a hosts file only if the Access
Edge Server does not have access to the internal DNS server.
If there are FQDNs that the Access Edge Server is not able to
resolve, you can add them to the hosts file.

Configuring the FQDN of the Array on the Host Authorization List
After you have set up your certificates and configured DNS records for your Director array, you
must add the FQDN of the VIP of the load balancer to each internal server or pool on the Host
Authorization tab.
To add the VIP of the array to the Host Authorization list
1. Log on to an Office Communications Server 2007 server joined to a domain or another
computer with the Office Communications Server 2007 administration tools installed with
an account that is a member of the RTCUniversalServerAdmins group.
2. Expand Enterprise pools, and then expand the pool name.
3. Right-click Front Ends, and then click Properties.
4. Click the Host Authorization tab.
5. Click Add and enter the FQDN of the VIP of the load balancer used by the Director array.
6. Repeat steps 2 through 5 for each Enterprise pool in your organization.
7. Expand Standard Edition Servers.
8. Right-click the server name, point to Properties, and then click Front End Properties.
9. Click the Host Authorization tab.
10. Click Add and enter the FQDN of the VIP of the load balancer used by the Director array.
11. Repeat steps 7 through 9 for each Standard Edition Server in your environment.

Appendix B: Sample Certificate

The CSR (certificate signing request) generated by the Communications Certificate Wizard that
you use to request your certificate will vary, depending on the CA you choose. In general, it
contains the information shown in the following figures.

Sample Certificate Request

For a Single Access Edge Server (Exportable=FALSE)
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject= "CN=server1.contoso.com;OU=LCS;O=Contoso;L=Redmond;S=Washington;C=US"
KeySpec = 1
KeyLength = 1024
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
For an array of Access Edge Servers (Exportable=TRUE)
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject= "CN=server1.contoso.com;OU=LCS;O=Contoso;L=Redmond;S=Washington;C=US"
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

Note
The subject line in the PolicyFileIn.Inf file must contain the
following information:
Subject="CN=FQDN of your Access Edge Server or Array;OU=ProjectName;O=CompanyName;L=City;S=fullNameofState;C=two-letter country/region abbreviation"
Most public CAs require strict compliance with the above
information.
Examples:
CN=AP1.fabrikam.com;OU=LCS;O=Fabrikam;L=Eugene;S=Oregon;C=US
CN=AParry.marketing.proseware.com;OU=LCS;O=Proseware;L=Portland;S=Maine;C=US

Table 34 Fields in PolicyFileIn.inf

Signature="$Windows NT$"
Subject="CN=FQDN;OU=Organizational unit;O=Company;L=city;S=state;C=country/region"
    CN: The fully qualified domain name of your Access Edge Server or Access Edge Server
    array (the server or array on which you are installing the certificate)
    OU: Some division or department
    O: Company name
    L: City
    S: Full state or province name (no abbreviations are accepted)
    C: Two-letter country/region code
KeySpec=1
    Indicates both encryption and signing (standard TLS requirement)
KeyLength = 1024
    Must be a power of 2 between 1024 and 4096, inclusive.
Exportable = FALSE (single Access Edge Server)
    FALSE for a single Access Edge Server
Exportable=TRUE (array of Access Edge Servers)
    TRUE for an array of Access Edge Servers
MachineKeySet = TRUE
    Specifies that the certificate will be put into the local computer store
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
    This field must be set to FALSE; otherwise, RTCSRV will not be able to use it.
UseExistingKeySet = FALSE
    This field must be set to FALSE to generate a new private key.
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
    SCHANNEL (Windows TLS provider) requirement
ProviderType = 12
    SCHANNEL (Windows TLS provider) requirement
RequestType = PKCS10
    Can be PKCS10 or PKCS7. Almost all CAs accept PKCS10, so you should leave the
    request type as PKCS10.
KeyUsage = 0xa0
    Similar to the KeySpec field. This value indicates that this certificate can be used
    for both encryption and signing.
OID=1.3.6.1.5.5.7.3.1
    Enhanced key usage for server authentication
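As an added example that is not part of this guide or of the LcsCertutil tooling, the following Python script parses a PolicyFileIn.inf request file and checks it against the field rules in Table 34 before the CSR is submitted; the embedded request is a constructed copy of the single-server sample above, and the full-state-name check is a length heuristic, not a lookup of real province names.

```python
"""Check a PolicyFileIn.inf certificate request against the Table 34 rules.
Added example; not part of the Office Communications Server tooling.
SAMPLE_SINGLE_INF is a constructed copy of the single-server request above."""
import re
SCHANNEL_PROVIDER = "Microsoft RSA Schannel Cryptographic Provider"
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # enhanced key usage: server authentication
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
SAMPLE_SINGLE_INF = """\
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject= "CN=server1.contoso.com;OU=LCS;O=Contoso;L=Redmond;S=Washington;C=US"
KeySpec = 1
KeyLength = 1024
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"""


def parse_inf(text):
    """Minimal INF parser -> {section: [(key, value), ...]}; duplicate keys are
    kept because certreq allows several OID= lines in one section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current].append((key.strip(), value.strip().strip('"')))
    return sections


def get_field(sections, section, key):
    """First value of key in section (names are case-insensitive), or ''."""
    for k, v in sections.get(section, []):
        if k.lower() == key.lower():
            return v
    return ""


def parse_subject(subject):
    """'CN=a;OU=b;...' -> {'CN': 'a', 'OU': 'b', ...}"""
    rdns = {}
    for part in subject.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            rdns[key.strip().upper()] = value.strip()
    return rdns


def validate_request_inf(text, array):
    """Return a list of problems (empty when the request follows Table 34).
    array=True means an Access Edge Server array, whose key must be exportable."""
    problems, inf = [], parse_inf(text)
    if get_field(inf, "Version", "Signature") != "$Windows NT$":
        problems.append('[Version] Signature must be "$Windows NT$"')
    rdns = parse_subject(get_field(inf, "NewRequest", "Subject"))
    for rdn in ("CN", "OU", "O", "L", "S", "C"):
        if not rdns.get(rdn):
            problems.append("Subject is missing %s=" % rdn)
    if rdns.get("CN") and not FQDN_RE.match(rdns["CN"]):
        problems.append("Subject CN %r is not an FQDN" % rdns["CN"])
    if rdns.get("S") and len(rdns["S"]) <= 2:  # heuristic: 'WA' is an abbreviation
        problems.append("Subject S must be the full state/province name, not an abbreviation")
    if rdns.get("C") and not re.fullmatch(r"[A-Za-z]{2}", rdns["C"]):
        problems.append("Subject C must be a two-letter country/region code")
    key_len_txt = get_field(inf, "NewRequest", "KeyLength")
    key_len = int(key_len_txt) if key_len_txt.isdigit() else 0
    if not (1024 <= key_len <= 4096 and (key_len & (key_len - 1)) == 0):
        problems.append("KeyLength must be a power of 2 between 1024 and 4096")
    want = "TRUE" if array else "FALSE"
    if get_field(inf, "NewRequest", "Exportable").upper() != want:
        problems.append("Exportable must be %s for %s" % (want, "an array" if array else "a single server"))
    fixed = {"KeySpec": "1", "MachineKeySet": "TRUE", "UserProtected": "FALSE", "UseExistingKeySet": "FALSE",
             "ProviderName": SCHANNEL_PROVIDER, "ProviderType": "12", "KeyUsage": "0xa0"}
    for name, expected in fixed.items():  # values Schannel and RTCSRV require verbatim
        if get_field(inf, "NewRequest", name).upper() != expected.upper():
            problems.append("%s must be %s" % (name, expected))
    req_type = get_field(inf, "NewRequest", "RequestType").upper()
    if req_type not in ("PKCS10", "PKCS7"):
        problems.append("RequestType must be PKCS10 or PKCS7")
    elif req_type == "PKCS7":
        problems.append("warning: fewer CAs accept PKCS7; leave RequestType as PKCS10")
    oids = [v for k, v in inf.get("EnhancedKeyUsageExtension", []) if k.upper() == "OID"]
    if SERVER_AUTH_OID not in oids:
        problems.append("[EnhancedKeyUsageExtension] must list OID=%s" % SERVER_AUTH_OID)
    return problems
```

Run `validate_request_inf(open("PolicyFileIn.inf").read(), array=False)` against your own request file; an empty list means every Table 34 rule is satisfied.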

Example Using a Verisign Trial Certificate

The following procedure guides you through the process of selecting a trial certificate from
Verisign.

Important
This procedure is an example, and it demonstrates the
process of requesting a trial certificate. The exact process may
vary, depending on your certificate provider. For production
use, you must purchase a valid certificate, not a trial
certificate.

To request a trial certificate from Verisign

1. In your browser, go to http://www.verisign.com/.
2. On the right side of the page, click Free SSL trial.
3. In the new window that opens, complete the form by entering your contact and other
requested information, and then click Submit.
4. Review the information on the Before you start page, and then click Continue.
5. On the Welcome page, review the process for requesting a certificate, and then click Continue.
6. Enter your technical information, and then click Continue.
7. In the Select Server Platform and Paste Certificate Signing Request box, do the
following:
• In Select Server Platform, click Microsoft.
• In Select Version, click IIS 6.0.
• In Paste Certificate Signing Request (CSR) obtained from your server, paste the
contents of the CSR generated by the LcsCertutil tool.
8. In What do you plan to use this SSL certificate for, select Web Server.
9. Click Continue.
10. On the Verify CSR information page, review the CSR information. If you want to make a
change, click Change CSR to return to the previous page. Otherwise continue to the next
step.
11. In the Challenge Phrase box, enter a challenge phrase and enter a reminder question. This
phrase will be required when you import the certificate.
12. On the Order Summary and Acceptance page, review the information and then click
Accept.
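The following added example is not from the guide and does not use the LcsCertutil tool; it does the same job with the Windows certreq and certutil tools. It writes a request INF from the fields described in the table above, generates the CSR that the CA form asks for, dumps the request so that the key usage and EKU can be checked before it is pasted, and, once the CA has returned the certificate, binds it to the pending private key in the machine store. The FQDN sip.contoso.com, the organization, the key length, the Exportable setting and the file paths are assumptions for illustration; the field names are standard certreq INF syntax.

```powershell
# Added example, not from the guide or the LcsCertutil tool: generate the Edge
# Server CSR with certreq from the INF fields described above, check it before
# pasting it into the CA's form, and import the issued certificate.
# FQDN, organization, key length, Exportable and file paths are assumptions.
$ExternalFqdn   = "sip.contoso.com"                         # assumed external FQDN of the Access Edge Server
$InfPath        = Join-Path $env:TEMP "edge-request.inf"
$CsrPath        = Join-Path $env:TEMP "edge-request.csr"
$IssuedCertPath = Join-Path $env:TEMP "edge-issued.cer"     # assumed name of the file the CA returns

@"
[NewRequest]
Subject = "CN=$ExternalFqdn, O=Contoso, C=US"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $InfPath -Encoding ASCII

# Generates the key pair in the machine store and writes the base64 PKCS10 request.
certreq -new $InfPath $CsrPath

# Confirm the request carries what the table requires before submitting it:
# the subject, a 2048-bit key, Digital Signature + Key Encipherment (a0) and
# the Server Authentication EKU.
certutil -dump $CsrPath |
    Select-String -Pattern "Subject:|Public Key Length|Digital Signature|Server Authentication"

# Paste the contents of $CsrPath into the CA's form. The remaining lines run
# after the CA has returned the issued certificate: -accept binds it to the
# pending request's private key in the machine store.
certreq -accept $IssuedCertPath

# The server can only use the certificate if the private key is attached.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ExternalFqdn*" } |
    Select-Object Subject, NotAfter, HasPrivateKey
```

If the final listing shows HasPrivateKey as False, the certificate was imported on a machine other than the one that generated the request, or the request was generated with MachineKeySet = FALSE; in either case the server cannot use it.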

Appendix C Manually Configuring a Client for Remote User Access

Use the following procedure to manually configure a client to point to an Access Edge Server for
remote user access.
To manually configure a client:
1. Open Communicator.
2. Click the Presence icon.
3. Click Options.
4. Click Advanced.
5. In Advanced Connection Settings, under Configure settings, in External server name or
IP address, enter <external FQDN of the Access Edge Server>:443. For example,
sipalt.access.contoso.com:443
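Before handing that value to remote users it is worth confirming, from outside the corporate network, that the name answers TLS on port 443 with a certificate a client will accept. The following added example (not part of the guide) opens a TLS connection to the Access Edge Server's external name and reports the certificate's subject, issuer, expiry, whether it carries the Server Authentication EKU, whether the name matches and whether the chain is trusted on the machine running the check. The default FQDN is the guide's example value; the script needs outbound TCP 443 to the Edge Server.

```powershell
# Added example, not from the guide: check what a remote Communicator client
# will see when it connects to <Access Edge FQDN>:443 over TLS.
function Test-AccessEdgeTls {
    param(
        [string]$EdgeFqdn = "sipalt.access.contoso.com",   # the guide's example value
        [int]$Port = 443
    )
    # The callback records chain and name-mismatch errors instead of aborting the
    # handshake, so the report below shows exactly what a client would reject.
    $script:sslErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:sslErrors = $errors
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($EdgeFqdn, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($EdgeFqdn)   # the name the certificate is validated against
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Enhanced Key Usage extension (2.5.29.37); Format() lists names with OIDs.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
        $eku = if ($ekuExt) { $ekuExt.Format($false) } else { "(none)" }

        $errs = [int]$script:sslErrors
        $nameMismatch = ($errs -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0
        $chainBad     = ($errs -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -ne 0

        New-Object PSObject -Property @{
            Server        = "$EdgeFqdn`:$Port"
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            ServerAuthEku = ($eku -match "1\.3\.6\.1\.5\.5\.7\.3\.1")
            NameMatches   = -not $nameMismatch
            ChainTrusted  = -not $chainBad
            Protocol      = $ssl.SslProtocol
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

Test-AccessEdgeTls | Format-List
```

ChainTrusted reflects the root store of the machine running the script, so run it from a workstation that is representative of your remote users; a certificate from a trial or private CA will report True on a machine where that root was installed by hand and False everywhere else.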

Appendix D Optimizing Your Network Interface Card for High A/V Traffic

For many deployments, you can use the default settings on your network interface. However, in
the following situations, you should optimize for A/V traffic flow by increasing the receive and
transmit buffer settings to three times their default value on your network interface cards:
• You anticipate audio and video traffic on any particular A/V Conferencing Server or A/V
Edge Server to exceed 200 to 250 Mbps.
• Your servers experience packet loss on the network.
• Your servers experience packet loss on the network.

Note
The following procedure provides steps to change these
settings on a typical network interface card. The procedure
will vary depending on your manufacturer.

To change your network interface card settings


1. Log on to the computer running A/V Conferencing Server or A/V Edge Server with local
administrator permissions.
2. Right-click My Computer (Computer on later versions of Windows), and then click Manage.
3. In the console pane, click Device Manager.
4. In the details pane, expand Network adapters.
5. Right-click your network adapter, and then click Properties.
6. Click the Advanced tab.
7. Under Settings, click Performance Options.
8. Under Settings, click Receive Descriptors.
9. In the Value box, change the value to three times the default value, and then click OK.
10. Under Settings, click Transmit Descriptors.
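The following added example (not from the guide) does the same change from PowerShell on Windows Server 2012 or later, where the NetAdapter cmdlets exist. It first prints the adapter's discard and error counters, which are the packet-loss symptom this appendix mentions, then for each descriptor setting shows the current value, the maximum the driver advertises and the tripled target, and applies the target only when -Apply is given. The property names default to the ones used in the procedure above; other NIC vendors use other names (for example "Receive Buffers"), and the adapter name "Ethernet" is an assumption.

```powershell
# Added example, not from the guide: triple the NIC descriptor settings from
# PowerShell (Windows Server 2012 or later), capped at the driver's maximum.
# Assumes the setting is still at the driver default, as the procedure does.
function Optimize-AvNicBuffers {
    param(
        [Parameter(Mandatory=$true)][string]$AdapterName,
        [string[]]$PropertyNames = @("Receive Descriptors", "Transmit Descriptors"),
        [int]$Multiplier = 3,
        [switch]$Apply
    )
    # Discards and errors are the "packet loss" the appendix refers to; compare
    # these counters before and after the change to see whether it helped.
    Get-NetAdapterStatistics -Name $AdapterName |
        Select-Object Name, ReceivedDiscardedPackets, ReceivedPacketErrors,
                      OutboundDiscardedPackets, OutboundPacketErrors | Format-List

    foreach ($name in $PropertyNames) {
        $prop = Get-NetAdapterAdvancedProperty -Name $AdapterName -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $prop) {
            Write-Warning "'$name' not found on $AdapterName; list the driver's names with Get-NetAdapterAdvancedProperty."
            continue
        }
        $current = [int]$prop.RegistryValue[0]
        $max     = [int]$prop.NumericParameterMaxValue
        # Never exceed what the driver advertises; it would reject the value anyway.
        $target  = $current * $Multiplier
        if ($max -gt 0 -and $target -gt $max) { $target = $max }

        "{0,-22} current={1,-6} max={2,-6} target={3}" -f $name, $current, $max, $target

        if ($Apply -and $target -ne $current) {
            # Applying an advanced property resets the adapter, so do this in a
            # maintenance window rather than during a conference.
            Set-NetAdapterAdvancedProperty -Name $AdapterName `
                -RegistryKeyword $prop.RegistryKeyword -RegistryValue $target
        }
    }
}

# Preview only; add -Apply to change the driver settings.
Optimize-AvNicBuffers -AdapterName "Ethernet"
```

Run the preview first and keep the printed current values; they are what you restore if the larger buffers do not reduce the discard counters.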
