
Microsoft Office Communications Server 2007 R2

Mediation Server Replacement Walkthrough

Published: July 2009 Updated: April 2010

For the most up-to-date version of the Mediation Server Replacement Walkthrough documentation and the complete set of the Microsoft® Office Communications Server 2007 R2 online documentation, see the Office Communications Server TechNet Library at http://go.microsoft.com/fwlink/?LinkID=132106. Note: In order to find topics that are referenced by this document but not contained within it, search for the topic title in the TechNet library at http://go.microsoft.com/fwlink/?LinkID=132106.


This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. Copyright © 2010 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Outlook, SQL Server, Visio, Visual C++, Windows, Windows Media, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.


Contents

Mediation Server Replacement Walkthrough
Walkthrough: Planning the Mediation Server Replacement
Walkthrough: New Server Recommendation
Required Software
Required Hardware for Mediation Server
Interface Cards for Mediation Server
Media Bandwidth Requirements
Walkthrough: IP Addressing for New Mediation Server
Walkthrough: Building Mediation Server host and Join to the Domain
Operating System
Testing the Host Server Build
Walkthrough: Installing a New Mediation Server
Next steps in installing a new Mediation Server
Walkthrough: Install and Activate the new Mediation Server
Walkthrough: Configure the new Mediation Server
Walkthrough: Configure a Certificate on the new Mediation Server
Walkthrough: Start the new Mediation Server
Walkthrough: Transition Route to New Mediation Server
Walkthrough: Configure Media Gateway
Gateway Configuration Requirements
Walkthrough: Add new Mediation Server to route
Walkthrough: Remove old Mediation Server from route
Walkthrough: Remove old Mediation Server
Walkthrough: Deactivate the old Mediation Server
Walkthrough: Removing the old Mediation Server
Required Order of Operations for Removing Mediation Server Components
Remove Server Components
To remove a server

Mediation Server Replacement Walkthrough

The Mediation Server exists in two forms: the stand-alone Mediation Server, and the basic hybrid gateway. In both cases, the management of the Mediation Server role is the same. For details, see Enterprise Voice Server-Side Components in the Planning and Architecture documentation.

In certain situations (for example, when you experience a hardware failure or network reconfiguration), you need to replace one Mediation Server with another Mediation Server. The focus of this document is on replacing the Mediation Server (that is, either a stand-alone or a gateway device) with a stand-alone Mediation Server. This document does not cover how to size or replace the media gateway device.

This document is targeted at IT Professionals who have a thorough understanding of Microsoft server technologies, networking technologies, and complex Active Directory topologies.

In This Document
• Walkthrough: Planning the Mediation Server Replacement
• Walkthrough: Installing a New Mediation Server
• Walkthrough: Transition route to new Mediation Server
• Walkthrough: Remove old Mediation Server

Walkthrough: Planning the Mediation Server Replacement

When you are planning to replace your Mediation Server, you need to acquire a new server that meets the recommended minimum requirements. In addition, arranging for discrete IP addressing before you start can make the new server deployment run more smoothly, including arranging for IP addressing for the new server, building the new host server hardware, and joining the new server to the Active Directory domain.
• Walkthrough: New Server Recommendation
• Walkthrough: IP Addressing for New Mediation Server
• Walkthrough: Building Mediation Server host and Join to the Domain

Walkthrough: New Server Recommendation

Choosing a new server is the first step in replacing your Mediation server. Ensure that you choose server hardware that can support your expected call load, that has two network interface cards, and that is 64-bit. Virtualization of the Mediation Server is not recommended. The general requirements for a Mediation server are the same as for the other Office Communications Server 2007 R2 server roles: x64 CPU, multiple cores, dual network interface cards, and a RAID disk array.

Required Software

One of the following operating systems is required for Mediation Server:
• The 64-bit edition of Windows Server 2008 Standard, or the 64-bit edition of Windows Server 2008 Enterprise
• Windows Server 2003 R2 Standard x64 Edition with SP2, or Windows Server 2003 R2 Enterprise x64 Edition with SP2
• Windows Server 2003 Standard x64 Edition with SP2, or Windows Server 2003 Enterprise x64 Edition with SP2

Required Hardware for Mediation Server

The following table outlines the recommended hardware requirements for a Mediation Server.

Table 1. Mediation Server

Hardware component    Minimum requirement
CPU                   Dual processor, quad-core 2.0 GHz+
                      4-way processor, dual-core 2.0 GHz+
Memory                8 GB
Disk                  2x 72 GB, 15K or 10K RPM, RAID 0 (striped) or equivalent
Network               2 x 1 Gbps network adapter

The minimum hardware configuration (for up to 125 concurrent calls or 5 T1) is as follows:
• Single Processor Dual Core running at 3GHz
• 2GB RAM
• 30GB hard disk

Interface Cards for Mediation Server

To help ensure the physical as well as logical separation of your Enterprise Voice infrastructure from the media gateways, install Mediation Server on a computer that is equipped with two network interface cards (NICs). One card faces the gateway, and the second card faces the Office Communications Server 2007 R2 server that acts as the Mediation Server's internal next hop.

When you install Mediation Server, the Deployment Wizard detects the presence of the two network cards and writes their IP addresses to the Office Communications Server listening IP address list and the Gateway listening IP address list, both on the General tab of the Mediation Server Properties dialog box.

The Office Communications Server listening IP address is the address on an advanced media gateway that listens for call traffic from Office Communications Server. Until advanced media gateways are available, this address corresponds to the network card that serves as the internal edge of the Mediation Server.

The Gateway listening IP address is the address on the Mediation Server that listens to traffic from a basic media gateway or basic hybrid media gateway. For Office Communications Server 2007 R2, this address corresponds to the network card that serves as the external edge of the Mediation Server.

Note: It is possible to configure both edges on a single adapter card, but it is not recommended.

Important: The IP address that you select from the Office Communications Server listening IP address must match the address that is returned by a Domain Name System (DNS) query on the fully qualified domain name (FQDN) of the Mediation Server. If the two addresses do not match the IP address listed in DNS for your FQDN, you cannot connect and call traffic will be directed to an interface that is not listening for Office Communications Server traffic instead of to the one that is listening.

Media Bandwidth Requirements

For basic media gateways, the bandwidth requirement between gateway and Mediation Server is 64 kilobits per second (Kbps) for each concurrent call. Multiplying this number by the number of ports for each gateway is a fair estimate of the required bandwidth on the gateway side of the Mediation Server. On the Office Communications Server side, the bandwidth requirement is considerably lower.

When configuring Mediation Server, you are advised to accept the default media port gateway range of 60,000 to 64,000. Reducing the port range greatly reduces server capacity and should be undertaken only for specific reasons by an administrator who is knowledgeable about media port requirements and scenarios. For this reason, we recommend that you do not alter the default port range.

High-bandwidth traffic such as voice and video tends to stress poorly provisioned networks. Limiting media traffic to a known range of ports makes it easier to troubleshoot these types of problems.

Walkthrough: IP Addressing for New Mediation Server

Mediation Servers communicate with internal pool servers and the media gateway. In general, you want to use one address in the internal network IP subnet for the Mediation Server and an IP address from the subnet that hosts the media gateway. For example, if your internal network (that is, the network with the pool) is 192.0.2.x, and the telephony subnet is 172.16.1.x, you should get two addresses for the Mediation Server: 192.0.2.50 and 172.16.1.50. You use the 192.0.2.50 address to face the pool, and the 172.16.1.50 address to face the media gateway. You can use two IP addresses on one network interface, but it is not recommended.

In addition, you need to know the addresses of the Mediation Server-facing network card in the media gateway device. As part of the Mediation Server configuration, you also need to know the IP address of the media gateway.

Note: Office Communications Server 2007 R2 uses IPv4 only.

Walkthrough: Building Mediation Server host and Join to the Domain

Before you install Mediation Server, you must prepare the host server and join the host server to your Active Directory domain.

Operating System

After assembling the host server hardware, install one of the following operating systems:
• The 64-bit edition of Windows Server 2008 Standard, or the 64-bit edition of Windows Server 2008 Enterprise
• Windows Server 2003 R2 Standard x64 Edition with SP2, or Windows Server 2003 R2 Enterprise x64 Edition with SP2
• Windows Server 2003 Standard x64 Edition with SP2, or Windows Server 2003 Enterprise x64 Edition with SP2

Note: Follow your organization’s guidance for applying updates and patches to the host server operating system.

No other software is needed before you install the Mediation Server.

When your host server is prepared with Windows Server, join the server to your Active Directory domain.

Note: Follow your organization’s procedures for joining servers to the Active Directory domain.
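The two-address plan above has to line up with DNS: the Mediation Server FQDN must resolve to the Office Communications Server-facing address and not to the gateway-facing one. The following check is an added example, not part of the Microsoft walkthrough; the function names and the contoso.example host names are assumptions, and the DNS answers are constructed sample data using the example addresses from the text.

```python
import ipaddress
import socket


def resolve_ipv4(fqdn):
    """Live lookup: the IPv4 addresses DNS currently returns for fqdn."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_listening_addresses(dns_answers, ocs_listening_ip, gateway_listening_ip):
    """Compare the DNS answers for the Mediation Server FQDN with the two
    listening addresses. Returns (code, detail) findings; an empty list
    means the addressing follows the guidance in the text."""
    # IPv4Address rejects anything that is not IPv4 (the product is IPv4 only).
    ocs = ipaddress.IPv4Address(ocs_listening_ip)
    gateway = ipaddress.IPv4Address(gateway_listening_ip)
    answers = {ipaddress.IPv4Address(a) for a in dns_answers}
    findings = []

    if ocs == gateway:
        findings.append(("SINGLE_ADDRESS",
                         "both edges share %s; separate addresses are recommended" % ocs))
    if not answers:
        findings.append(("NO_DNS_RECORD", "the FQDN does not resolve"))
        return findings
    if ocs not in answers:
        findings.append(("OCS_IP_NOT_IN_DNS",
                         "DNS does not return the OCS listening address %s" % ocs))
    if gateway != ocs and gateway in answers:
        findings.append(("GATEWAY_IP_IN_DNS",
                         "gateway-facing %s is registered; disable dynamic DNS "
                         "registration on that interface" % gateway))
    for stray in sorted(answers - {ocs, gateway}):
        # For a replacement this is typically a record left by the old server.
        findings.append(("UNEXPECTED_RECORD", "DNS also returns %s" % stray))
    return findings


def audit(fqdn, ocs_listening_ip, gateway_listening_ip, resolver=resolve_ipv4):
    """Resolve fqdn with the given resolver and run the comparison."""
    try:
        answers = resolver(fqdn)
    except socket.gaierror:
        answers = []
    return check_listening_addresses(answers, ocs_listening_ip, gateway_listening_ip)


# Constructed sample answers (hypothetical host names) so the example runs offline.
SAMPLE_DNS = {
    "medsrv-new.contoso.example": ["192.0.2.50"],
    "medsrv-both.contoso.example": ["192.0.2.50", "172.16.1.50"],
    "medsrv-stale.contoso.example": ["192.0.2.40"],
}


def sample_resolver(fqdn):
    if fqdn not in SAMPLE_DNS:
        raise socket.gaierror("name not found: %s" % fqdn)
    return SAMPLE_DNS[fqdn]


if __name__ == "__main__":
    for name in list(SAMPLE_DNS) + ["medsrv-missing.contoso.example"]:
        problems = audit(name, "192.0.2.50", "172.16.1.50", sample_resolver)
        print(name, [code for code, _ in problems] or "OK")
```

Calling `audit()` without the `resolver` argument performs a live lookup from the machine it runs on.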

Testing the Host Server Build

After the host server is prepared and joined to the domain, you need to verify the following items:
• Check the Domain Name System (DNS) to ensure that the new Mediation Server host is registered and that the fully qualified domain name (FQDN) is valid.
• Verify that the new Mediation Server host can ping the other Office Communications Servers by name and by IP.
• Verify that the other Office Communications Servers can ping the new Mediation Server host by name and by IP.
• Verify that the new Mediation Server host can ping the media gateway device that you plan to use as the next hop server for the new Mediation Server.

Walkthrough: Installing a New Mediation Server

You can deploy a third-party Basic Media Gateway either before or after you deploy a Mediation Server, but whichever order you choose, these two components must be configured to function as a logical unit. For details about selecting gateways for Enterprise Voice, see Enterprise Voice Server-Side Components in the Planning and Architecture documentation. For details about configuring a Mediation Server, see Configuring a Mediation Server in the Deploying Enterprise Voice documentation.

The settings that you must configure on your Basic Media Gateway are specified in the following list, but for details about how to configure these settings on a given gateway, refer to the manufacturer's product documentation.

Each gateway must be configured according to the vendor's documentation. Depending on the vendor, there are potentially many attributes that must be set, but the attributes specific to Enterprise Voice are as follows:
• The fully qualified domain name (FQDN) or IP Address of the Mediation Server that is associated with the gateway.
• The listening port (5060) that is used for Transmission Control Protocol (TCP) or Transport Layer Security (TLS) connections to the Mediation Server.
  Important: The previous settings must match those of corresponding settings for the Mediation Server. If the settings do not match, the connection between the gateway and Mediation Server will fail.
• Session Initiation Protocol (SIP) Transport – specify either TLS (recommended) or TCP.
  Important: If you specify TLS as the SIP transport to be used by your basic or basic-hybrid media gateway, you must also configure the corresponding Mediation Server for TLS. For details about how to configure a Mediation Server for TLS, see Configuring a Mediation Server in the Deploying Enterprise Voice documentation.

• If the SIP transport for the link between the gateway and the Mediation Server is set to TLS, you must specify whether Secure RTP (SRTP) encryption is:
  • Required: SRTP should be attempted, but do not use encryption if negotiation for SRTP is not successful.
  • Optional: Attempt to negotiate the use of SRTP to secure media packets. If SRTP cannot be negotiated, use Real-time Transport Protocol (RTP).
  • Not used: Send media packets using RTP.
  Note: All three options for SRTP are supported by the Mediation Server. Gateways from various manufacturers may not support all of these options.
• If you configure TLS for the SIP transport link between the IP Gateway and the Mediation Server, the gateway must be configured with a certificate for purposes of authentication during the mutual TLS (MTLS) handshake with the Mediation Server. The certificate on the gateway must be configured as follows:
  • The certificate may be directly signed by the trusted certification authority (CA) configured in the Mediation Server. Alternatively, a certificate chain may have to be traversed to verify the certificate provided by the gateway. The gateway must provide this chain as part of its TLS handshake with the Mediation Server.
  • The CN part of the subject field should be set to the FQDN of the gateway. If the FQDN in the CN part of the subject field does not match the expected and configured FQDN for the gateway, the certificate must also contain a subject alternate name (SAN) that lists the expected and configured FQDN for the gateway.
  • The Mediation Server validates the certificate provided by the gateway by checking that the FQDN on the certificate exactly matches the gateway FQDN configured on the Mediation Server. If the FQDNs do not match, the session is terminated. Additional validation includes checking the signature and expiration date, and making sure that the certificate has not been revoked.
• You must specify the port that each gateway is listening to for incoming SIP connections.
  Note: Port 5060 is the default destination port used by the Mediation Server.
• Each gateway should be configured so that the E.164 numbers routed by Enterprise Voice to the gateway are normalized to a locally dialable format.
• Each gateway should be configured to pass only E.164 numbers to the Mediation Server. Please see each gateway vendor's documentation for specific instructions on how to normalize source phone numbers to E.164.
• Each gateway should be configured to convert the source number (the number presented as caller ID) to a normalized E.164 number. This ensures the caller ID can be matched to a Communicator contact, an Outlook contact, or a member of the corporate directory, thereby enabling Communicator to provide additional information about the caller. This number will also appear in e-mails notifying the user of missed calls and voice mail, allowing the user to click the phone number in order to quickly return a call. If the number has been normalized by the gateway, no further processing is required. If for some reason the number cannot be normalized by the gateway, the normalization rules defined by the location profile will be applied when returning a call. It might be necessary to add normalization rules to a location profile to handle numbers that cannot be normalized by the gateway. Please see each gateway vendor's documentation for specific instructions on how to normalize source phone numbers to E.164.
• If you want the Mediation Server to strip the plus sign (+) prefix from the Request Uniform Resource Identifier (URI), the To URI, and the From URI of E.164 numbers of outgoing calls to the gateway, set the Windows Management Instrumentation (WMI) setting called RemovePlusFromRequestURI to TRUE (the default value is FALSE). For details about this setting, see the "New Configuration Options in Mediation Server" section in Enterprise Voice Server-Side Components in the Planning and Architecture documentation.

For a list of media gateway vendors, see Partners by Capability: Hardware at the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=129616.

Next steps in installing a new Mediation Server
1. Walkthrough: Install and Activate the new Mediation Server
2. Walkthrough: Configure the new Mediation Server
3. Walkthrough: Configure a Certificate on the new Mediation Server
4. Walkthrough: Start the new Mediation Server

Walkthrough: Install and Activate the new Mediation Server

Office Communications Server 2007 R2 Mediation Server and a third-party basic media gateway function as a single logical unit to enable communication between the users enabled for Enterprise Voice and the public switched telephone network or a Session Initiation Protocol (SIP) trunking provider. This step describes how to install and activate Mediation Server.

Mediation Server deployment is an integrated component of Office Communications Server 2007 setup. When you install and activate Mediation Server, the Microsoft Office Communications Server 2007 Deployment Tool copies the required files to a local computer, but it does not activate the service. The activation step becomes available only after installation is complete. Activation performs two tasks:
• Creates Mediation Server objects in Active Directory.
• Activates the domain service account on the server.

Requirements
• To install or activate Mediation Server you must be a member of the RTCUniversalServerAdmins group or have been delegated to perform these tasks by a member of that group.

• The hardware and software requirements in Internal Office Communications Server Component Requirements in the Supported Topologies and Infrastructure Requirements documentation must be met.
• A certificate is required.
• You can install Mediation Server on multiple computers, but each Mediation Server must have a corresponding basic media gateway or SIP trunk connection. If you are planning to install multiple Mediation Servers, you would do well to install and test a single Mediation Server before attempting to deploy them all.

Recommendations
• Even if you enable TLS on the gateway link, two network interface cards are recommended on the Mediation Server for additional security: one card to communicate with the gateway and a separate card to communicate with the Office Communications Server internal infrastructure.
• To optimize performance, do not collocate Mediation Server with any other Communications Server 2007 R2 server role, and disable all unnecessary applications and services on the computer.

To install Mediation Server files
1. Log on to a computer on which you want to install Mediation Server.
2. Insert the Office Communications Server 2007 R2 CD, and then click Enterprise Edition.
   Note: If you are installing from a network share, go to the \Setup\amd64\ folder, and then double-click SetupEE.exe.
3. At the welcome screen click Deploy Other Server Roles.
4. At the Deploy Other Server Roles screen, click Deploy Mediation Server.
5. At Step 1: Install Files for Mediation Server, click Install.
6. On the Welcome page, click Next.
7. On the License Agreement page, if you agree to the licensing terms, click I accept the terms in the licensing agreement, and click Next.
8. On the Install location page, select the location where you want to install the Mediation Server files, and then click Next.
9. On the Confirm Installation page, click Next.
10. On the Installation Complete page, click Close.

To activate Mediation Server
1. Log on to a computer on which you want to activate Mediation Server.
2. Insert the Office Communications Server 2007 R2 CD, and then click Enterprise Edition.

   Note: If you are installing from a network share, go to the \Setup\amd64\ folder, and then double-click SetupEE.exe.
3. At the welcome screen, click Deploy Other Server Roles.
4. At the Deploy Other Server Roles screen, click Deploy Mediation Server.
5. At Step 2: Activate Mediation Server, click Run.
   Note: You must install Mediation Server before you can activate it.
6. On the Welcome page of the activation wizard, click Next.
7. On the Select Service Account page, you have two choices:
   • If you accept the existing account (recommended), type the password for the service account, and then click Next.
     Note: The default account is MCU and Web component services account.
   • If you choose to create a new account, click Create a New Account, type a new Account Name and Password, and then click Next.
8. On the Ready to Activate Mediation Server page, review your settings, and then click Next.
9. On the Activate Mediation Server Wizard Has Completed page, select the View the log when you click the Finish check box, and then click Finish.
10. In the log file, verify that Success appears under the Execution Result column. Optionally, look for Success as the Execution Result at the end of each task to verify its successful completion. Close the log window when you finish.

Walkthrough: Configure the new Mediation Server

You must configure Mediation Server to communicate with Office Communications Server 2007 on one side and either media gateways or a Session Initiation Protocol (SIP) trunking service provider on the other. For details about SIP trunking, a new feature in Office Communications Server 2007 R2, see SIP Trunking Topology in the Technical Overview in the Getting Started documentation.

Caution: Care must be taken in deactivating a Mediation Server. If you remove it from service without first taking precautionary steps, you may drop calls. For instructions on how to properly deactivate a Mediation Server, see Deactivating a Mediation Server in Administering Office Communications Server 2007 R2 in the Operations documentation.

To configure a Mediation Server, you must specify the following:

• The SIP transport used to communicate with a media gateway. There are two choices: Transport Layer Security (TLS) or Transmission Control Protocol (TCP).
  • TLS is the recommended transport, which provides encrypted signaling between the Mediation Server and the media gateway that is connected to the public switched telephone network (PSTN). If you configure the gateway link for TLS, calls to and from the PSTN are encrypted end-to-end. If you configure your gateway link for TLS, you must also configure a certificate on the gateway.
  • It is possible to configure the Mediation Server to use TCP instead of TLS, but it is not recommended. If you configure the gateway link for TCP, that link presents a potential security vulnerability. For this reason, it is good practice to install two network interface cards, one facing the media gateway and the other facing the internal network.
  Important: The link between Mediation Server and the internal Communications Server 2007 infrastructure is always configured for TLS, even in cases where the gateway link is configured for TCP. This requirement means that you must always configure a certificate on the Mediation Server.
• The IP addresses on which the Mediation Server listens for call traffic from Communications Server on one side and media gateways or SIP trunking providers on the other. The Communications Server listening IP address is the IP address of the internal (that is, the Communications Server-facing) edge of the Mediation Server. The Gateway or SIP trunk listening IP address is the IP address of the external (that is, the gateway- or SIP-trunk-facing) edge of the Mediation Server.
• The fully qualified domain name (FQDN) of the collocated A/V Edge Server and Media Relay Authentication Server for this Mediation Server.
• The default location profile used by this Mediation Server.
• The default Media port range.
• The FQDN and port of the Communications Server internal next hop. In most cases, this server is a Director, a Standard Edition server, or an Enterprise Edition Front End Server.
• The FQDN or the IP address and port for the media gateway or SIP trunk to which this Media Server is connected.

To configure Mediation Server you must be a member of the RTCUniversalServerAdmins group or have been delegated to perform this task by a member of that group.

To configure Mediation Server
1. Log on to a Communications Server 2007 Mediation Server.
2. Click Start, point to Administrative Tools, and then click Office Communications Server 2007.
3. Expand the appropriate forest node.
4. Expand the Mediation Servers node, right-click the Mediation Server to be configured, click Properties, and then click the General tab.
5. In the FQDN box, make sure the FQDN listed matches that of the Mediation Server you have selected.
6. Open a command prompt, change to the root directory, and type nslookup <FQDN of Mediation Server>, using the FQDN displayed on the Mediation Server General tab, and then press ENTER.
7. From the list of IP addresses displayed in the Communications Server listening IP address list, select the IP address returned in step 6.
   Important: If the IP address selected in step 7 does not match the IP address in step 6, Communications Server traffic will be directed toward an interface that is not listening for such traffic and away from the one that is.
   Note: You should configure only the Office Communications Server-facing IP address for dynamic DNS registration. Otherwise, the FQDN resolves to both IP addresses, which causes connections to fail unpredictably.
8. From the list of two IP addresses displayed in the Gateway listening IP address list, select the other IP address (that is, the one not already selected in step 7).
   Note: The address selected in step 8 can be that of either a media gateway or a Private Branch Exchange (PBX).
9. From the A/V Edge Server list, select the A/V Edge Server that hosts the A/V Authentication Service for this Mediation Server.
   Important: If the A/V Edge Server that hosts the A/V Authentication Service for this Mediation Server does not appear in the list, then the A/V Edge Server on which the service is collocated has not been entered into the A/V Edge Servers list on the Edge Servers tab of the Global Properties page. You need to add the A/V Edge Server to the previous list before it appears in the A/V Edge Server list on the Mediation Server tab. For details, see Office Communications Server 2007 R2 Edge Server Deployment Guide in the Deployment documentation.
10. In the Default location profile list, select the default location profile for this Mediation Server.
11. In Media port range accept the default range of 60,000 to 64,000.
    Important: By reducing the port range greatly, you reduce server capacity. An administrator who is knowledgeable about media port requirements and scenarios should do this only for specific reasons. For this reason, altering the default port range is not recommended.
    Organizations that employ Internet Protocol security (IPSec) for packet security are advised to disable it for media ports because the security handshake required by IPSec delays call setup. IPSec is unnecessary for media ports because Secure Real-Time Transport Protocol (SRTP) encryption secures all media traffic between the Mediation Server and the internal Communications Server network.
12. Click the Next Hop Connections tab, and then under Office Communications Server next hop, do the following:
    • In the FQDN list, select the FQDN of the next-hop internal server.
      Note: This server could be a Director or pool.
    • In the Port box, accept the default of 5061 for TLS.
13. On the Next Hop Connections tab, under PSTN Gateway next hop, do the following:
    • In the Address box, specify the IP address or FQDN of the PSTN Gateway or the PBX associated with this Mediation Server. If TLS is enabled, you must specify an FQDN.
    • In the Port box, accept the default of 5060 for TCP or TLS.
    • In the Transport box, select TLS if the SIP signaling between the IP Gateway and the Mediation Server is protected by TLS. If you are not using TLS, select TCP.
    • In the Encryption Level box, select the level of SRTP that you want to use to protect media traffic:
      • If you do not want to use SRTP, click Do not support encryption. If you clicked TCP in the Transport box, this is the only option that is available.
      • To specify that SRTP should be attempted but no encryption should be used if negotiation for SRTP is not successful, click Support encryption.
      • To specify that SRTP must be used, click Require encryption.
14. Click OK.
15. If you want to enable Quality of Service (QoS) marking on the Mediation Server, set the WMI setting called QoSEnabled to TRUE (the default value is FALSE). For details about this setting, see the "New Configuration Option in Mediation Server" section in Enterprise Voice Server-Side Components in the Planning and Architecture documentation.
16. If you want the Mediation Server to strip the plus sign (+) prefix from the Request Uniform Resource Identifier (URI), the To URI, and the From URI of outgoing calls to the gateway, set the Windows Management Instrumentation (WMI) setting called RemovePlusFromRequestURI to TRUE (the default value is FALSE). For details about this setting, see the "New Configuration Option in Mediation Server" section in Enterprise Voice Server-Side Components in the Planning and Architecture documentation.

Walkthrough: Configure a Certificate on the new Mediation Server

The Mediation Server must be configured with a server certificate to connect to other Office Communications Servers. This topic describes the following procedures that you must perform to configure a certificate for Mediation Server:
• Step 1: Download the certification authority (CA) certificate chain for the Mediation Server.
• Step 2: Install the CA certificate chain for the Mediation Server.
• Step 3: Verify that the CA is in the list of trusted root CAs of the Mediation Server.
• Step 4: Create the certificate request for the Mediation Server.
• Step 5: Import the certificate for the Mediation Server.
• Step 6: Assign the certificate for the Mediation Server.

You can use the Communications Certificate Wizard to complete most of these procedures. These procedures describe how to access the Communications Certificate Wizard from the Office Communications Server 2007 R2 Deployment Wizard. You can also access it from the Office Communications Server 2007 R2 snap-in on each Mediation Server.

The steps of these procedures are based on using a Windows Server 2003 Enterprise CA or a Windows Server 2003 R2 CA. For step-by-step guidance for any other CAs, consult the documentation of the CA.

To download the CA certificate chain for the Mediation Server
1. With your Enterprise root CA offline and your Enterprise subordinate (issuing) CA Server online, log on to the Mediation Server as a member of the RTCUniversalServerAdmins group.
2. Click Start, click Run, type http://<name of your Issuing CA Server>/certsrv, and then click OK.
3. Under Select a task, click Download a CA certificate, certificate chain, or CRL.
4. Under Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.
5. In the File Download dialog box, click Save.
6. Save the .p7b file to the hard disk on the server, and then copy it to a folder on the Mediation Server.
Note: If you open this file, the file contains all of the certificates that are in the certification path. To view the certification path, open the server certificate and then click the certification path.

To install the CA certificate chain for the Mediation Server
1. In the Deployment Wizard, click Deploy Other Server Roles, and then click Deploy

Mediation Server.
2. On the Deploy Mediation Server page, next to Step 3, Configure Certificates for the Mediation Server, click Run.
3. On the Welcome page of the Communications Certificate Wizard, click Next.
4. On the Available Certificate Tasks page, click Import a certificate chain from a .p7b file, and then click Next.
5. On Import Certificate Chain page, click Browse to locate the .p7b file, click the file, and then click Next.
6. Click Finish.

To verify that your CA is in the list of trusted root CAs
1. Open an MMC console by clicking Start, clicking Run, typing mmc in the Open box, and then clicking OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.
4. In the Certificate snap-in dialog box, click Computer account, and then click Next.
5. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
8. In the details pane, verify that your CA is on the list of trusted CAs.

To create the certificate request for the Mediation Server
1. In Deployment Wizard, on the Deploy Mediation Server page, next to Step 4 Configure Certificates, click Run.
2. On the Welcome page of the Communications Certificate Wizard, click Next.
3. On the Available certificate tasks page, click Create a new certificate, and then click Next.
Note: If you already have a certificate available, click Assign an Existing Certificate and continue with steps 3 through 7 in the procedure To Assign the Certificate to the Mediation Server later in this topic.
4. On the Delayed or Immediate Request page, select one of the following options:
• If you intend to output your request to a text file and then send that file to an offline CA, select the Prepare the request now, but send later check box, and then click Next.
Note: If you choose this option, you have to import the certificate and assign it to

the Mediation Server later.
• If you want to send the request immediately, select the Send the request immediately to an online CA check box, and then click Next.
5. On the Name and Security Settings page, type a friendly name for the certificate, and specify the bit length (typically, the default of 1024), select the Mark certificate as exportable check box, and then click Next.
6. On the Organization Information page, type the name for the organization and the organizational unit (for example, a division or department), and then click Next.
7. On the Your Server's Subject Name page, type or select the subject name and subject alternate name of the Mediation Server.
Note: The subject name should match the FQDN of the Mediation Server. If your deployment includes multiple SIP domain names, in Subject alternate name, type the same name that you typed in Subject name, and then click Add. Type each additional SIP domain name, separating each name with a comma. Click Next.
8. On the Geographical Information page, type the location information, and then click Next.
9. The next page you see depends on which option you chose in Step 4:
• If you selected Send the request immediately to an online CA in Step 4, select your CA from the list or type the name of your CA in the Certification Authority box, and then click Next. If you type an external CA name, a dialog box appears. Type the user name and password for the external CA, and then click OK.
• If you selected Prepare the request now but send later in Step 4, type the file name and path to which the request is to be saved, and then click Next.
10. On the Request Summary page, click Next.
11. On the Certificate Wizard Completed page, verify successful completion, and then click Finish.
12. Submit this file to your CA (by e-mail or other method supported by your organization for your Enterprise CA) and, when you receive the response file, copy the new certificate to this computer so that it is available for import.
Note: If you obtained your certificate from an online CA skip the next procedure and proceed directly to the procedure that follows it, entitled "To assign the certificate to the Mediation Server."

To import the certificate for the Mediation Server
1. In Deployment Wizard, on the Deploy Mediation Server page, next to Step 4,

Configure Certificates, click Run.
2. On the Welcome page of the Communications Certificate Wizard, click Next.
3. On the Pending certificate tasks page, click Process a pending request and import the certificate, and then click Next.
4. In the Path and file name box, type the full path and file name of the certificate that you requested for the Mediation Server, and then click Next.
5. On the wizard completion page, click Finish.

To assign the certificate to the Mediation Server
1. In the Deployment Wizard, on the Deploy Mediation Server page, next to Step 4, Configure Certificates, click Run.
2. On the Welcome page of the Communications Certificate Wizard, click Next.
3. On the Available certificate tasks page, click Assign an existing certificate, and then click Next.
4. On the Available Certificates page, select the certificate that you requested for the Mediation Server, and then click Next.
5. Review your settings, and then click Next.
6. On the Certificate Wizard Completed page, verify successful completion, and then click Finish.

Walkthrough: Start the new Mediation Server

After configuring the Mediation Server, use the following procedure to start the server.

To start Mediation Server
1. On a Front End Server, open the Windows Start menu, point to Programs, point to Administrative Tools, and then click Office Communications Server 2007.
2. Expand the Mediation Servers node.
3. Right-click the appropriate Mediation Server, and then click Start.
4. On the Mediation Server, click Start, click Run, type services.msc, and then verify that Office Communications Server Mediation appears in the list of services.

Walkthrough: Transition Route to New Mediation Server

Select a time period when traffic is low to transition to the new Mediation Server. Typically, system administrators schedule this transition either after hours or over a weekend. By following the procedures in this section, you should experience no more than 15 minutes of downtime.

To replace the old Mediation Server with the new Mediation Server, perform the following tasks:

1. Modify the media gateway device to connect to the new Mediation Server.
2. Add the new Mediation Server to the location profile route.
3. Remove the old Mediation Server from the location profile route.

Note: Steps for configuring or modifying the media gateway device are beyond the scope of this document. Consult your vendor documentation for the specific procedures to change your media gateway.

This section contains the following topics:
• Walkthrough: Configure Media Gateway
• Walkthrough: Add new Mediation Server to route
• Walkthrough: Remove old Mediation Server from route

Walkthrough: Configure Media Gateway

The settings that you must configure on your basic media gateway are specified in the following list, but for details about how to configure these settings on a given gateway, refer to the manufacturer’s product documentation. Each gateway must be configured according to the vendor’s documentation. Depending on the vendor, there are potentially many attributes that must be set, but the attributes specific to Enterprise Voice are as follows:

Gateway Configuration Requirements
• The fully qualified domain name (FQDN) and IP address of the Mediation Server that is associated with the gateway.
• The listening port (5060) that is used for Transmission Control Protocol (TCP) connections to the Mediation Server.
Important: The previous settings must match those of corresponding settings for the Mediation Server. If the settings do not match, the connection between the gateway and Mediation Server will fail.
• Session Initiation Protocol (SIP) Transport – specify either TLS (recommended) or TCP.
Important: If you specify TLS as the SIP transport to be used by your basic or basic-hybrid media gateway, you must also configure the corresponding Mediation Server for TLS.
• If the SIP transport for the link between the gateway and the Mediation Server is set to TLS, the gateway must be configured with a certificate for purposes of authentication during the mutual TLS (MTLS) handshake with the Mediation Server. The certificate on the gateway must be configured as follows:
  • The certificate may be directly signed by the trusted certification authority (CA) configured in the Mediation Server. Alternatively, a certificate chain may have to be

traversed to verify the certificate provided by the gateway. The gateway must provide this chain as part of its TLS handshake with the Mediation Server.
  • The CN part of the subject field should be set to the FQDN of the gateway. If the FQDN in the CN part of the subject field does not match the expected and configured FQDN for the gateway, the certificate must also contain a subject alternate name (SAN) that lists the expected and configured FQDN for the gateway.
The Mediation Server validates the certificate provided by the gateway by checking that the FQDN on the certificate exactly matches the gateway FQDN configured on the Mediation Server. If the FQDNs do not match, the session is terminated. Additional validation includes checking the signature and expiration date, and making sure that the certificate has not been revoked.
• If the SIP transport for the link between the gateway and the Mediation Server is set to TLS, separate ports must be opened for the TLS connection to the gateway and the TLS connection to the Office Communications Server pool. The port assignments should be configured as follows:
  • TLS link between media gateway and Mediation Server: 5060.
  • TLS link between Mediation Server and Office Communications Server pool: 5061.
• Each gateway must be configured so that the E.164 numbers routed by Enterprise Voice to the gateway are normalized to a locally dialable format. For details about how to normalize source phone numbers to E.164, see each gateway vendor’s documentation.
• Each gateway must also be configured to pass only E.164 numbers to the Mediation Server. For details about how to normalize source phone numbers to E.164, see each gateway vendor’s documentation.
• Each gateway should be configured to convert the source number (the number presented as caller ID) to a normalized E.164 number. This ensures the caller ID can be matched to an Office Communicator contact, a Microsoft Office Outlook contact, or a member of the corporate directory, thereby enabling Office Communicator to provide additional information about the caller. This number will also appear in e-mail messages notifying the user of missed calls and voice mail, allowing the user to click the phone number in order to quickly return a call. If the number has been normalized by the gateway, no further processing is required. If for some reason the number cannot be normalized by the gateway, the normalization rules defined by the location profile will be applied when returning a call. It might be necessary to add normalization rules to a location profile to handle numbers that cannot be normalized by the gateway.
• Each gateway should also be configured to convert numbers in E.164 format into a format that will be accepted on the PSTN network. For example, when +1425xxxxxx is dialed, the gateway should strip the +1425 if the gateway is in Redmond, because these prefixes are not required for a local call.
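The name and validity-period checks that the Mediation Server is described above as applying to the gateway certificate can be rehearsed before cutover. The following Python code is an added example, not Microsoft's code and not the Mediation Server's own validation logic: it takes a certificate in the dictionary form returned by Python's ssl.getpeercert(), and the host name gw1.contoso.com, the finding codes, and the 30-day warning window are assumptions. Signature, chain, and revocation checks are outside its scope.

```python
import ssl

DAY = 86400  # seconds in one day


def names_in(cert):
    """Return (subject CNs, DNS SANs) from an ssl.getpeercert()-style dict."""
    cns = [value for rdn in cert.get("subject", ())
           for key, value in rdn if key == "commonName"]
    sans = [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]
    return cns, sans


def same_fqdn(a, b):
    # Assumption: case and a trailing root dot are ignored, but wildcards are
    # never expanded, because the text calls for an exact FQDN match.
    def norm(name):
        return name.strip().rstrip(".").lower()
    return norm(a) == norm(b)


def check_gateway_cert(cert, configured_fqdn, now, warn_days=30):
    """Compare a gateway certificate with the gateway FQDN configured on the
    Mediation Server. Returns finding strings; any 'FAIL:' entry corresponds
    to a condition under which the text says the session is terminated."""
    findings = []
    cns, sans = names_in(cert)
    cn_ok = any(same_fqdn(n, configured_fqdn) for n in cns)
    san_ok = any(same_fqdn(n, configured_fqdn) for n in sans)
    if not cn_ok and not san_ok:
        findings.append("FAIL:FQDN_MISMATCH")
    elif not cn_ok:
        # CN differs, but the SAN lists the configured FQDN (allowed case).
        findings.append("INFO:CN_MISMATCH_SAN_MATCH")

    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("FAIL:NOT_YET_VALID")
    if now >= not_after:
        findings.append("FAIL:EXPIRED")
    elif not_after - now < warn_days * DAY:
        findings.append("WARN:EXPIRES_SOON")
    return findings


def make_cert(cn, sans=(), not_before="Jan  1 00:00:00 2010 GMT",
              not_after="Jan  1 00:00:00 2012 GMT"):
    """Build a constructed sample certificate dict (not a real certificate)."""
    return {"subject": ((("commonName", cn),),),
            "subjectAltName": tuple(("DNS", s) for s in sans),
            "notBefore": not_before, "notAfter": not_after}


# Constructed evaluation time and gateway name used by the samples below.
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2010 GMT")
GATEWAY_FQDN = "gw1.contoso.com"

if __name__ == "__main__":
    samples = {
        "CN matches": make_cert("gw1.contoso.com"),
        "SAN only": make_cert("pstn-gateway", sans=["gw1.contoso.com"]),
        "wildcard CN": make_cert("*.contoso.com"),
        "expired": make_cert("gw1.contoso.com",
                             not_after="May  1 00:00:00 2010 GMT"),
    }
    for label, cert in samples.items():
        print(label, check_gateway_cert(cert, GATEWAY_FQDN, NOW))
```

A wildcard subject fails here by design, which is the case most likely to surprise an administrator who reuses an existing certificate on the gateway.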

Walkthrough: Add new Mediation Server to route

Location profiles specify how Office Communications Server 2007 R2 is to interpret and route phone numbers that are dialed from various locations (or, from individual users if you are using per-user location profiles). To add the new Mediation Server to the location profile, you must edit the route serviced by the new Mediation Server.

To add Mediation Server to the route
1. Open the Office Communications Server 2007 R2 snap-in: Click Start, point to Administrative Tools, and then click Office Communications Server 2007 R2.
2. In the console pane, right-click the Forest node, point to Properties, and then click Voice Properties.
3. In Office Communications Server Voice Properties, click the Route tab.
4. Select the route you wish to modify, and then click Edit.
5. In Edit Route, in the Gateways section, click Add.
6. In Add Route Gateway, select the new Mediation Server, and then click OK.
7. In Edit Route, click OK.
8. In Office Communications Server Voice Properties, click Apply, and then click OK.

To verify that the new Mediation Server is started
1. Open the Office Communications Server 2007 R2 snap-in: Click Start, point to Administrative Tools, and then click Office Communications Server 2007 R2.
2. In the console pane, right-click the Mediation Server node, right-click the new Mediation Server name, and then click Start.
Note: If the Start selection is unavailable, the Mediation Server is started.

Walkthrough: Remove old Mediation Server from route

After you add the new Mediation Server to the location profile route, you need to remove the old Mediation Server from the route.

To remove the old Mediation Server from the route
1. Open the Office Communications Server 2007 R2 snap-in: Click Start, point to Administrative Tools, and then click Office Communications Server 2007 R2.
2. In the console pane, right-click the Forest node, point to Properties, and then click Voice Properties.
3. In Office Communications Server Voice Properties, click the Route tab.

4. Select the route you want to modify, and then click Edit.
5. In Edit Route, in the Gateways section, select the old Mediation Server, and then click Remove.
6. In Edit Route, click OK.
7. In Office Communications Server Voice Properties, click Apply, and then click OK.

Walkthrough: Remove old Mediation Server

When you remove the old Mediation Server, you need to plan carefully. If the Mediation Server is still in service, you must consider the load on the existing Mediation Server and plan on proceeding with deactivation when users are no longer placing calls that go out through the Mediation Server/media gateway pair. After you have the new Mediation Server in service and handling the load, the easiest method to start the removal of the old Mediation Server is to ensure that the Office Communications Server location profile(s) do not include the old Mediation Server in the route information.
• Walkthrough: Deactivate the old Mediation Server
• Walkthrough: Removing the old Mediation Server

Walkthrough: Deactivate the old Mediation Server

If you remove a Mediation Server from service without first taking appropriate precautionary steps, you can significantly impact the availability of service, including causing active calls to be dropped. Before deactivating a Mediation Server, do the following, as appropriate:
• Deactivate the Mediation Server on the weekend or holiday, or during other off-peak hours, but only after you have checked the call logs to make sure nobody is using that particular gateway.
• Change routes on the Office Communications Server so that no new calls are routed through the Mediation Server that is to be deactivated, and then wait for all calls to hang up. This option is riskier than the first option because midcall transfers and other types of call routing might be broken if the routes have been deleted.
• Do a combination of the first two options by changing routes on the Office Communications Server during off-peak hours, but only after all calls are completed.

Caution: Deactivating a Mediation Server can result in the loss of data and settings. Before you start the deactivation procedure in this section, ensure that all data and settings have been backed up and appropriate restoration procedures are in place. For details about backing up data and settings, see Backup and Restoration in the Operations documentation at http://go.microsoft.com/fwlink/?LinkID=132106.

To deactivate a Mediation Server
1. Log on to the Mediation Server as a member of the RTCUniversalServerAdmins group.
2. Open Computer Management.
3. Expand Services and Applications, right-click Office Communications Server 2007 R2, and then click Deactivate Mediation Server.
4. In the Deactivation Wizard, review the information on each page, and then click Next.
5. When the wizard is complete, select the View the log when you click Finish check box, and then click Finish.
6. Use the log file to verify that the deactivation status in the Execution Result column (including the status of each deactivation task) for a server role is Success. If any task does not complete successfully, resolve the problem and run the Deactivation Wizard again to complete the deactivation.
Important: The deactivation status that is shown in the log must indicate success before you deactivate any other server role or take other Office Communications Server actions.

Walkthrough: Removing the old Mediation Server

Sometimes one or more servers or server roles need to be removed from the Office Communications Server environment. Examples of this situation include upgrades, changes in topology, recovery from software or hardware corruption, or other scenarios in which a server or server role needs to be changed or removed while the Office Communications Server environment remains intact.

Remove Server Components

After you stop and deactivate the necessary services, use the procedure described in this section to remove a server. You can use Add or Remove Programs to remove an Office Communications Server 2007 R2 server role, including a Standard Edition server, a server in an Enterprise pool, a Mediation Server, an Archiving Server, a Monitoring Server, and an Edge Server.
Note: Before you remove a Mediation Server, deactivate server roles to remove Active Directory objects that are associated with it. For details, see Deactivating Server Roles in the Administering Office Communications Server 2007 R2 documentation.

Required Order of Operations for Removing Mediation Server Components

Remove the Office Communications Server 2007 R2 components in the following sequence:

• Microsoft Office Communications Server 2007 R2, Administrative Tools
• Microsoft Office Communications Server 2007 R2, Mediation Server
• Microsoft Office Communications Server 2007 R2, Core Components
• Microsoft Office Communications Server 2007 R2, Unified Communications Managed API 2.0 Core Redistribution package
Note: Your Mediation Server may not have the Administrative Tools installed. If the Administrative Tools are installed, remove them first.

To remove a server
1. Log on to the Office Communications Server 2007 R2 server as a member of the local Administrators group.
2. In Control Panel, do one of the following:
• In Windows Server 2008, open Programs and Features.
• In Windows Server 2003, open Add or Remove Programs, and then click Change or Remove Programs.
3. In the list of installed programs, click the Office Communications Server 2007 R2 server role you want to remove. Use the information provided previously in this section to determine which server to remove first.
4. Click Change.
5. In the Office Communications Server 2007 R2 Setup Wizard, follow the instructions to complete the wizard.
6. Repeat steps 3 through 5 for each server role on the server, in the sequence described earlier in this topic.
Note: After you successfully remove the server components, follow your organization’s guidelines for decommissioning excess server hardware.