If you have questions about the information presented in this guide, please view my blog post series, where hundreds of questions have been asked, and answered, in the comments section (at the bottom of each post).
Now that Office Communications Server (OCS) 2007 R2 is RTM, I thought it would be nice to create an article on how to deploy a single Enterprise Edition OCS Server which is connected to an x64 SQL Server 2008 RTM Back-End Server. This article is based on the OCS 2007 R2 RTM version. The series is very similar to my OCS 2007 R1 RTM series here, but is based on the R2 RTM version instead of the R1 RTM version. Its purpose is to guide you through the entire OCS deployment process from scratch. This article will include the following:

1. Certificate Services installation
2. Single Enterprise Front End Server (no more expanded configurations), with information on what to do to get a second Front End Server installed behind a Hardware Load Balancer
3. Edge Server (only Consolidated Edge Servers now), including NIC configurations
4. Dual-homed ISA 2006 installation to reverse proxy internal services
Guest Virtual Machines

One Server 2008 Enterprise (Standard can be used) SP1 x64 Domain Controller on which Certificate Services will be installed as the Enterprise Root Certificate Authority. Exchange 2007 SP1 is installed on separate computers. The purpose of Exchange in this lab is Group Expansion, where a Universal Distribution Group can be mail-enabled so that it can be expanded within Office Communicator 2007. Alternatively, a Distribution Group can be given an e-mail address in its AD properties, which also satisfies the requirements of Group Expansion.

Two Server 2008 Enterprise (Standard can be used) x64 (x64 required) Member Servers where OCS 2007 R2 will be installed. One of these servers will be the Consolidated Edge Server, which will contain 4 NICs.

One Server 2003 Enterprise (Standard can be used) x86 (x86 required) Member Server where ISA 2006 will be installed as a dual-homed box.

One Server 2008 Enterprise (Standard can be used) x64 (x86 can be used) Member Server where SQL 2008 is installed.

IMPORTANT: OCS 2007 R2 introduces some new AD requirements:

All Global Catalogs in the forest must be at least Windows 2003 SP1.
All domains which will have OCS 2007 R2 servers, or users enabled for OCS 2007 R2, need to be at least Windows 2003 Domain Functional Level, which follows from the next requirement.
The Domain Controllers in those domains must be at least Windows 2003 SP1.
The forest in which OCS 2007 R2 will be deployed needs to be at least Windows Server 2003 Forest Functional Level.
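The requirements above are easy to get wrong in a forest with more than one domain or a few old Global Catalogs, so here is an added example (not from the original article) that checks them from any domain-joined machine before you run Prepare Schema. It uses the .NET System.DirectoryServices.ActiveDirectory classes, which are present on Server 2008 without any extra module, and WMI for the service-pack level. It assumes the account running it can query every DC and Global Catalog over RPC/WMI; Global Catalogs are also DCs, so they are reported twice.

```powershell
# Added example: verify OCS 2007 R2 AD prerequisites (forest/domain functional
# level, DC and GC OS level) before running Prepare Schema. Not from the article.

function Test-DcOsLevel {
    param([string]$Name, [string]$Role)
    # Windows Server 2003 is NT 5.2 (needs SP1+); 6.x (2008/2008 R2) passes outright.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Name -ErrorAction SilentlyContinue
    if ($os -eq $null) {
        Write-Host ("{0} {1}: WMI query failed, check manually" -f $Role, $Name)
        return $false
    }
    $ver  = [version]$os.Version
    $sp   = [int]$os.ServicePackMajorVersion
    $pass = ($ver.Major -gt 5) -or ($ver.Major -eq 5 -and $ver.Minor -eq 2 -and $sp -ge 1)
    Write-Host ("{0} {1}: {2} SP{3} -> {4}" -f $Role, $Name, $os.Caption, $sp,
        $(if ($pass) { "OK" } else { "FAIL (need Windows 2003 SP1 or later)" }))
    return $pass
}

function Test-OcsAdPrereqs {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $ok = $true

    # Forest functional level must be Windows Server 2003 or higher
    $fm = $forest.ForestMode.ToString()
    $forestOk = ($fm -ne "Windows2000Forest") -and ($fm -ne "Windows2003InterimForest")
    Write-Host ("Forest {0}: FFL {1} -> {2}" -f $forest.Name, $fm, $(if ($forestOk) { "OK" } else { "FAIL" }))
    $ok = $ok -and $forestOk

    # Every Global Catalog in the forest must be Windows Server 2003 SP1 or later
    foreach ($gc in $forest.GlobalCatalogs) {
        $ok = (Test-DcOsLevel $gc.Name "GC") -and $ok
    }

    # Every domain that will hold OCS servers or OCS-enabled users: DFL 2003+, DCs 2003 SP1+
    foreach ($domain in $forest.Domains) {
        $dm = $domain.DomainMode.ToString()
        $domOk = ($dm -ne "Windows2000MixedDomain") -and
                 ($dm -ne "Windows2000NativeDomain") -and
                 ($dm -ne "Windows2003InterimDomain")
        Write-Host ("Domain {0}: DFL {1} -> {2}" -f $domain.Name, $dm, $(if ($domOk) { "OK" } else { "FAIL" }))
        $ok = $ok -and $domOk
        foreach ($dc in $domain.DomainControllers) {
            $ok = (Test-DcOsLevel $dc.Name "DC") -and $ok
        }
    }
    return $ok
}

if (Test-OcsAdPrereqs) {
    "All OCS 2007 R2 AD prerequisites met"
} else {
    "Prerequisites NOT met; fix them before running Prepare Schema"
}
```

Run it once from the machine you will use for Prepare Active Directory; if any domain that will only contain non-OCS users fails the DFL check, that domain does not need to be raised, but the forest, the Global Catalogs and every domain you will Prep do.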
The following assumptions are made:

You have a domain that contains at least one Server 2003 SP2 Domain Controller (DC).
You have configured the IP settings accordingly for all servers to be on the same subnet. I have provided the IP scheme of my lab below, but this will vary depending on your needs and virtualization software configuration. One exception to this is that one NIC on the ISA Server will belong to a different subnet. This NIC would be the NIC that lives in the DMZ in a production environment.
Exchange 2007 Hub Transport Server, Client Access Server, and Mailbox Server are already installed in the environment. This article does not go over the installation or configuration of these roles, but will go over mail-enabling Distribution Group(s).
You have at least a SQL 2005 SP2 server installed. We will be using SQL 2008 installed on Server 2008 Enterprise. SQL 2005 SP1 is NOT supported for OCS 2007 R2 as it was for OCS 2007 RTM.
You have a copy of Office Communicator (OC) 2007 R2. We will be installing our copy of OC 2007 R2 on our Exchange CAS.
Computer Names

OCS Front End Server – SHUD-OCSFE1
OCS Edge Server – SHUD-OCSEDGE1
Domain Controller / Exchange Server / Root Enterprise CA – SHUD-DC2
ISA 2006 Server – SHUD-ISA1
SQL Server – SHUD-SQL1

Configuration of Domain Controller / Root Enterprise CA
Processor: 4
Memory: 512MB
Network Type – External NIC
Virtual Disk Type – System Volume (C:\): 50GB Dynamic

Note: In a real-world environment, depending on the needs of the business and environment, it is best practice to install your database and logs on separate disks/spindles. We will be installing Active Directory, Certificate Services, and Exchange 2007 SP1 on the same disks/spindles for simplicity's sake in this lab.

Configuration of SQL 2008
Processor: 4
Memory: 512MB
Network Type – External NIC
Disk Type – System Volume (C:\): 50GB Dynamic

Configuration of ISA 2006 SP1
Processor: 2
Memory: 384MB
Network Type – External NIC
Network Type – External NIC
Virtual Disk Type – System Volume (C:\): 25GB Dynamic

Configuration of OCS 2007 R2 Edge
Processor: 4
Memory: 512 MB
Network Type – External NIC – used for internal NIC
Network Type – External NIC – used for Audio/Video Edge NIC
Network Type – External NIC – used for Web Conferencing Edge NIC
Network Type – External NIC – used for Access Edge NIC
Virtual Disk Type – System Volume (C:\): 50 GB Dynamic
Note: There are a few different ways the NICs could be set up on the Edge roles. I have included a mini write-up below entitled "Various Edge Server NIC Setups."

Configuration of OCS 2007 R2 Front End
Processor: 4
Memory: 512MB
Network Type – External NIC

IP Addressing Scheme (Corporate Subnet)
IP Address – 192.168.1.x
Subnet Mask – 255.255.255.0
Default Gateway – 192.168.1.1
DNS Server – 192.168.1.150 (IP Address of the Domain Controller/DNS Server)

IP Addressing Scheme (DMZ Subnet)
IP Address – 10.10.10.x
Subnet Mask – 255.255.255.0
Default Gateway – 10.10.10.1

Preparation of ISA 2006 SP1 Node

Network Interface Card (NIC) Configuration

The first thing we will want to do is configure the IP configuration of both the Public DMZ NIC and the Internal Corporate NIC. We will want to rename our Public DMZ NIC connection to Public and our Internal Corporate NIC connection to Internal. To do so, go to Start > Control Panel. Once in the Control Panel, double-click Network Connections. You will be presented with the Network Connections window. This is where you can modify the network properties for each NIC in your server. For your Internal Corporate connection, rename your Local Area Connection to Internal. Likewise, for your Public DMZ connection, rename your Local Area Connection to Public. After you have done this, it will look something similar to the following:

I will skip the actual TCP/IP configuration. The IP for the Internal NIC is 192.168.1.170/24. The IP for the Public NIC is 10.10.10.153/24, which in production would typically have a Public IP NAT'd to it via a static Network Address Translation (NAT) rule. Note: Do not forget that part of the assumptions earlier in this article is that you have a properly configured TCP/IP network where all nodes are properly connected.

Important: In a production environment, you would generally have the Default Gateway on your public NIC. Because of this, you would want to create a static route so your internal communications go directly to a router on the inside of your network that is more open to communications. This way, you would not have to open ports on your Edge firewall when not necessary. For example, if you were doing LDAPS and your DMZ Edge Firewall blocked port 636, you would need to create a static route so traffic destined to your internal corporate network goes to the internal router that allows 636. You would not need to do this if your DMZ Edge Firewall allowed port 636 and knew how to route to the internal corporate network. Whether you need such routes depends on the communication paths and the configuration of your firewalls.

To reduce the attack surface of your ISA Server, open the Public NIC properties, open the TCP/IP Properties and go into the Advanced NIC configuration settings by clicking the Advanced button. From there, navigate to the DNS tab and de-select "Register this connection's addresses in DNS."

Select the WINS tab, de-select "Enable LMHOSTS lookup" and configure the NetBIOS setting to "Disable NetBIOS over TCP/IP."

Once you are done configuring the Advanced settings, press OK three times and you will be back at the Network Connections screen. From here, choose Advanced and select Advanced Settings… You will be presented with the Binding Order for your current NICs. Ensure that the Internal NIC is on top by selecting Internal and pressing the green up arrow on the right-hand side of the dialog. The reason you want Internal on top is that your corporate communications happen on this NIC and things like DNS are configured on this NIC.
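The same Public NIC hardening can be scripted, which is handy when the Edge node below needs it on three DMZ-facing NICs instead of one. The following is an added example and not from the original article. It assumes the connections have already been renamed Internal (192.168.1.170/24) and Public (10.10.10.153/24, default gateway 10.10.10.1) as above, and it invents two values the article does not give: an internal router at 192.168.1.1 that reaches the rest of the corporate network, and 172.16.0.0/12 as a placeholder for those other corporate subnets. Run it elevated on Server 2008.

```powershell
# Added example: script the Public NIC hardening from the steps above on a
# dual-homed ISA/Edge box (Server 2008). Not from the article.
# Hypothetical values: internal router 192.168.1.1, corporate summary 172.16.0.0/12.
$PublicNic      = "Public"
$PublicIp       = "10.10.10.153"
$InternalNic    = "Internal"
$DnsServer      = "192.168.1.150"
$InternalRouter = "192.168.1.1"      # assumption: router on the Internal subnet
$CorpSubnet     = "172.16.0.0"       # assumption: other corporate subnets
$CorpMask       = "255.240.0.0"

# 1. DNS: only the Internal NIC points at corporate DNS and registers itself;
#    the Public NIC gets no DNS servers and must not register its DMZ address.
netsh interface ipv4 set dnsservers name="$InternalNic" source=static address=$DnsServer register=primary
netsh interface ipv4 set dnsservers name="$PublicNic"   source=static address=none register=none

# 2. Static route: corporate-bound traffic goes to the internal router rather
#    than the DMZ default gateway, so the DMZ firewall need not pass e.g. LDAPS/636.
route -p add $CorpSubnet mask $CorpMask $InternalRouter

# 3. NetBIOS over TCP/IP off on the Public NIC (2 = disable) and LMHOSTS lookup
#    off machine-wide (the "Enable LMHOSTS lookup" checkbox is a global setting).
$pubCfg = Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.IPAddress -contains $PublicIp }
if ($pubCfg -eq $null) { throw "No adapter with address $PublicIp found" }
[void]$pubCfg.SetTcpipNetbios(2)
[void]$pubCfg.SetDynamicDNSRegistration($false, $false)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" `
    -Name EnableLMHOSTS -Value 0 -Type DWord

# 4. Binding order: print it (first entry is used first for name resolution) so
#    you can confirm Internal is on top; change it in Advanced Settings if not.
$bind = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage").Bind
foreach ($dev in $bind) {
    $guid = $dev -replace "^\\Device\\", ""
    $nic  = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.GUID -eq $guid }
    if ($nic -ne $null) { "{0}  {1}" -f $guid, $nic.NetConnectionID }
}
route print | findstr $CorpSubnet
```

The persistent route is the piece most often forgotten: without it, a DMZ host whose only default gateway is the edge firewall will try to reach every internal subnet through that firewall, and the usual response is to open LDAPS, SQL or RPC on the edge rather than fix the routing.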
Rename Computer and Join to Active Directory Domain

Make sure you name your ISA box with a name that complies with your naming convention and then join your ISA box to the domain. A lot of administrators believe that joining the ISA box to the domain is a security threat, but that is not so. Please refer to this article explaining why. For purposes of this lab, we will be naming this box SHUD-ISA1.

Preparation of Edge Node

Follow through the same exact steps you did for the ISA 2006 node except for a few things. Instead of 2 NICs, add 4. Rename the computer, but do not join it to the domain. A summary of the steps involved:

Create 4 NICs.
Rename the NIC that is wired to the Internal Corporate Network to Internal.
Rename the NICs that are wired to the DMZ according to their function. Our Access Edge NIC will be named AccessEdge. Our Web Conferencing Edge NIC will be named WebConfEdge. Our Audio/Video Conferencing Edge NIC will be named AudioVideoConfEdge.
Assign the appropriate IP addresses to each NIC. In OCS R2, when you have a single Edge Server, you no longer need to have a Public IP directly on the NIC. When load balancing Edge Servers, the Audio/Video server also has a private IP, but the VIP of the load balancer will need to have a Public IP for the A/V role. This will be discussed in more detail below.
Create static routes if necessary.
Disable the Public NICs from registering in DNS.
Disable the Public NICs' NetBIOS settings.
Modify the binding order so the Internal NIC is at the top of the list.
Rename the computer.
Do NOT join it to the domain.

Certificate Authority Configuration

IMPORTANT: Just as a note, the instructions below are for setting up a Certificate Authority in Server 2003 and are from my previous article series on setting up OCS 2007 RTM. My lab has the Certificate Authority set up on my Server 2008 Domain Controller and it was deployed prior to this article series. I am not going to set it up all over again just to have updated pictures from a Server 2008 GUI. The process for setting up the Certificate Authority is virtually identical; the only difference is that in my existing lab environment, where the CA lives on Server 2008, the Root CA is simply named CA.
So as for how to set up a CA on Windows Server 2003 SP2, we will want to make sure that we have the SP2 binaries and CD1 of our Windows Server 2003 Enterprise installation. Ensure your computer name is set correctly before continuing; it will be required when we install Certificate Services. Once you have your computer name set, to begin the CA installation, go to Start > Control Panel. Once in the Control Panel, double-click Add or Remove Programs. Click Add/Remove Windows Components. Place a checkmark in the checkbox next to Certificate Services. You will automatically be prompted with a warning not to modify the computer name afterwards. Click Yes and then Next to Continue.

Because we will be choosing an Enterprise Root CA, leave the defaults selected. Click Next to Continue. Note: Choosing an Enterprise Root CA can be considered a security risk by many. I am using an Enterprise Root CA because I am doing this in a test environment and it reduces the amount of resources needed for the lab. In production the root CA is normally kept offline and an online Enterprise subordinate CA issues the certificates, so that a compromise of the issuing CA does not compromise the root of trust. Make sure a proper design for a PKI infrastructure is done for functionality, security, etc. before deploying an internal PKI solution for your organization.

We will name our Root CA OCS-CAROOT. This is what the root certificate's name will be. Keep in mind, this is not our machine name. As stated earlier, this is the CA name we specified in the OCS 2007 RTM article series. If you want to follow along more closely and have the naming convention the same as the rest of the OCS 2007 R2 article series, name the Common Name CA. Click Next to Continue.

Specify where you want to store your Certificate Database and Logs. For purposes of this lab, we will install it on our System Partition (C:\). Click Next to Continue to begin installation. As stated earlier, make sure you have the SP2 binaries and CD1 of your Server 2003 installation CD.

If you're like me and always forget to install Internet Information Services (IIS) prior to installing Certificate Services, you will get the following prompt. Don't worry, we'll fix this after our Certificate Services installation completes. Click OK to Continue. Now our Certificate Services installation should complete successfully. If you did forget to install IIS before the Certificate Services installation began and you received the prompt above, go install IIS by following the instructions here. You will also need your SP2 binaries and CD1 of your Server 2003 installation CD. Once IIS is installed, to create the CertSrv virtual directory within IIS, type the following command:

certutil -vroot
Various Edge Server NIC Setups

When going over the NIC configuration of our Edge Servers, it was noted that we will be using 4 NICs for our Consolidated Edge Server. This would be Method #1 below. As you can see, there are two other ways the NIC setup could be configured. Note: The IPs in the above diagram do not represent IPs we will be using in our lab. They are only a representation of what you may see in a production environment.

Method #1: Every role has its own dedicated NIC.

Update 1/17/2009: I used to have a recommendation to use Method #1. This was recommended due to people having issues in the past with communications when roles share IP addresses on the same NIC. Method #1 will give you greater performance benefits, but with how OCS scales and its sizing guidance, 2 NICs are fine. I've generally been using Method #2. Windows 2008 and Windows 2008 R2 (not yet supported) both use the new Strong Host networking model, which introduces some complications when using Method #1. There are some security differences between the Strong Host model and the Weak Host model used by Windows 2003. Generally, under Strong Host, if traffic comes in on one interface, it's going to leave back out that same interface. But with Windows 2003 networking, you can only have one effective default gateway. So there are some tricks to do with multiple NICs, such as assigning multiple Default Gateways and tweaking your Windows routes. Jeff Schertz, OCS MVP, details this on his blog article here.

Method #2: It is also possible to use one NIC for the Audio/Video Edge Server, the Web Conferencing Edge Server and the Access Edge Server. You would then use a dedicated NIC for the Internal NIC. In OCS R2, when you are doing a single Edge deployment with no load balancer, you can have a private IP directly on the Audio/Video Edge NIC. Because of this, all 3 Edge Server roles would have private IPs, meaning they can all be on the same NIC. When load balancing, you can also utilize a private IP on the Audio/Video NIC, but the load balancer IP must be a public IP address, which then NATs to the private IP address of the Audio/Video Edge NIC. For example, when utilizing load balancing on an Edge, you must now use DNAT for incoming connections: the public IP on the load balancer is translated to the private IP on the Audio/Video Edge NIC. The same happens outbound, except that SNAT is used instead of DNAT. The incoming DNAT and outbound SNAT is a requirement.

Private IP on Audio/Video: In OCS R1, an Audio/Video Edge Server needed a Public IP directly on the NIC. This worked just fine out of the box with Windows 2003 and still does.
Summary

Well folks, that is all for Part 1 of this article. In Part 1, we started off by discussing the goal of this lab. That goal is how to deploy a single Enterprise Edition OCS 2007 R2 Server which is connected to an x64 SQL Server 2008 Back-End Server. We first discussed what the lab setup is going to be using Hyper-V, and then proceeded to the configuration of our Enterprise Certificate Authority. For Part 2, I will go over the preparation and installation of a Front End OCS 2007 R2 Server Pool.

Part 2

Welcome to Part 2 of this article series. In this Part, I will go over the Environment Preparation.

Front End OCS 2007 R2 Server Installation

When installing OCS in a consolidated Enterprise Edition deployment, you would perform the following steps:

1. Prepare Environment
   1. Prepare Active Directory
   2. Create Enterprise Pool
   3. Deploy Hardware Load Balancer
   4. Configure Pool
2. Add Enterprise Edition Server to Pool
   1. Add Server to Pool
   2. Configure Certificate
   3. Configure Web Components Server Certificate
   4. Verify Replication
   5. Start Services
   6. Validate Server and Pool Functionality

Note: We will not be able to go over all the steps in this Part 2 due to the number of steps and sub-steps required.

Prepare Environment

Prepare Active Directory (Step 1)

Our Domain Controller with Windows Server 2008 SP1 is installed and fully functional. To begin the Active Directory preparation process, insert the OCS CD and let's begin the installation process. There are some prerequisites for installing OCS, such as .NET Framework 3.5 and Microsoft Visual C++ 2008, but these are all taken care of during the installation. You will be asked to install the Microsoft Visual C++ 2008 Redistributable. Click Yes to Continue.
You will then be asked to install the Microsoft .NET Framework 3.5. Click Yes to Continue. Once Microsoft .NET Framework 3.5 is installed, you will be presented with the Deployment Wizard. We will want to begin preparation of our Environment. Click Prepare Environment to Continue. We are now on Step 1, which is to Prepare Active Directory. If you previously had OCS 2007 installed, you will see that the preparation of Active Directory is partially done. Click Prepare Active Directory to Continue.
We are now presented with sub-steps to perform to complete our Active Directory preparation. These sub-steps include:

1. Prepare Schema
2. Verify Replication of Schema Partition
3. Prep Forest
4. Verify Replication of Global Settings and Global Catalog
5. Prep Current Domain
6. Verify Replication of the Domain
7. Delegate Setup and Administration

Click Run for Prepare Schema to Continue. If you are installing OCS 2007 R2 on a Server 2008 machine and are using this machine to prepare AD, you will need to install the Remote Server Administration Tools due to the modular design of Server 2008. You will be quite aware of needing this installed if you encounter the following screen. You can take care of this easily by opening a Command Prompt and typing ServerManagerCMD -i RSAT. Installing only the AD DS tools (ServerManagerCMD -i RSAT-ADDS) is enough for the schema, forest and domain prep and keeps the server's footprint smaller. This will require a reboot.
Now that RSAT has been installed (if you have Server 2008) and your server is rebooted, let's restart the installation and get back to the Prepare Active Directory section. Click Run for Prepare Schema to Continue. On the Welcome Screen, Click Next to Continue. Select "Default: Schema files are located in the same directory as Setup." Click Next to Continue.
You are now ready to Prepare the Schema. Click Next to Begin Schema Preparation. When the Schema Preparation is finished, Click Finish. You will be given the option to view the log, which I advise you to do to ensure everything went OK.
We are brought back to the Deployment Wizard. The Prep Schema step has been completed, as is shown next to the Run button. We will skip through all the Replication steps (Verify Replication of Schema Partition, Verify Replication of Global Settings and Global Catalog, and Verify Replication of the Domain) due to the fact that we have only 1 Domain Controller in this lab. In a production environment where you have more than one Domain Controller (hopefully), I highly advise you to ensure replication for each step has completed successfully before continuing.
We are now ready to run the Prep Forest step. Click Run for Prep Forest to Continue. On the Welcome Screen, Click Next to Continue. You are presented with two options:

System Container in the Root Domain
Configuration Partition

To decide which option to choose, follow this diagram provided in the OCS 2007 R2 documentation, which has more detailed information about each selection.
In my OCS RTM article series, I chose the System Container because that lab contained only one Domain Controller. The existing lab I am using here, which already had OCS RTM, was deployed using the Configuration Partition. Because of this, we are presented with the following screen.
As you can see, since we deployed OCS RTM previously, we are unable to choose an option. If you chose System Container in a previous deployment, Microsoft has provided a tool to migrate the System Container over to a Configuration Partition configuration. This tool is available here. If this is a pristine environment you are deploying OCS R2 in, you can choose either option. I would highly recommend choosing the Configuration Partition. This ensures availability of your OCS data throughout your forest, since the Configuration Partition replicates to every Domain Controller, so you are not dependent on 100% connectivity to the System Container in your root domain for OCS availability. Click Next to Continue. We will want to store our Universal Groups in our shudnow.net domain. In the case of this lab, we will have to, due to the fact that this is our only domain. Select shudnow.net and Click Next to Continue.
We will use our Active Directory domain name shudnow.net for OCS routing. Click Next to Continue.
You are now ready to Prepare the Forest. Click Next to Begin Forest Preparation. When the Forest Preparation is finished, Click Finish. You will be given the option to view the log which I advise you to do to ensure everything went OK.
We are brought back to the Deployment Wizard where we will now run the Prep Current Domain. This step should be run in any domain that will contain users that will be OCS (SIP) enabled. Click Run for Prepare Current Domain to Continue.
On the Welcome Screen, Click Next to Continue. On the next screen that provides Domain Preparation Information, read the excerpt provided and Click Next to Continue.
You are now ready to prepare the domain. Click Next to Continue. When the Domain Preparation is finished, Click Finish. You will be given the option to view the log, which I advise you to do to ensure everything went OK. Because we have only 1 domain and are running this step in our shudnow.net domain, our current settings will display as shudnow.net.

The final step is to Delegate Setup and Administration. Because we are doing everything using a Domain/Enterprise/Schema Administrator account, we will not have to configure Delegation. In production, this is the step that lets a dedicated group run the remaining setup and administer OCS without holding Domain, Enterprise or Schema Admin rights, so it is worth doing rather than skipping.

Creating File Shares

Because our Universal Groups have been created, we can now create the file shares that are necessary for the following functions:

Presentations – Meeting presentations to be downloaded or streamed by conference attendees.
Metadata – Meeting information (metadata) that is used internally by the Web Conferencing Server component for the pool.
ABS – Address Book information that is used by the Address Book Server, which is included with the Web Components Server, in order to provide global address list information to Office Communicator 2007 and Office Communicator 2005 clients on a daily basis.
Applications – Application files that are used internally by the application server component for the pool.
Updates – Files used by the client version control mechanism to update Office Communicator clients and by the Device Update Service to update devices.
MeetingCompliance (optional) – Meeting activities and content uploaded during meetings. We will talk about how to enable Meeting Compliance in a future Part.

These shares can be created on a File Server in your environment. We will be creating these shares on our OCS FE Server, which means that our OCS Server will also be our Web Components Server. We will create a folder called C:\OCS on our OCS Server. Within that folder, we will create the following six folders:

Presentations
Metadata
ABS
Updates
Applications
MeetingComp

As you can see, the above folders have been shared out. We will use a share name that matches the folder name for simplicity's sake. Grant Full Control on each of these shared folders to the Administrators group, the RTCUniversalServerAdmins group, and any other user or group responsible for creating pools. This is a requirement. Remove Read permission from the Everyone group on every share except Presentations, since all users will need to read that folder to download Live Meeting content and upload presentation data.
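Six folders with two permission sets each is exactly the kind of thing that gets done inconsistently by hand, so here is an added example (not from the original article) that creates the folders, shares them with the share permissions described above, sets the matching NTFS permissions, and then does the UNC test the pool wizard later asks you to do before you type the paths in. It assumes it is run elevated on the Front End (SHUD-OCSFE1) and that the domain's NetBIOS name is SHUDNOW, which the article never states.

```powershell
# Added example: create and share the OCS folders, set share and NTFS
# permissions, then verify every UNC path. Not from the article.
# Assumption: run elevated on the Front End; domain NetBIOS name SHUDNOW (hypothetical).
$Root    = "C:\OCS"
$Domain  = "SHUDNOW"
$Folders = "Presentations", "Metadata", "ABS", "Updates", "Applications", "MeetingComp"
$Admins  = "BUILTIN\Administrators", "$Domain\RTCUniversalServerAdmins"

foreach ($f in $Folders) {
    $path = Join-Path $Root $f
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # Share permissions: Full Control for Administrators and RTCUniversalServerAdmins;
    # Everyone gets Read only on Presentations (net share /GRANT replaces the default ACL).
    $grants = $Admins | ForEach-Object { "/GRANT:$_,FULL" }
    if ($f -eq "Presentations") { $grants += "/GRANT:Everyone,READ" }
    net share "$f=$path" $grants | Out-Null

    # NTFS permissions: explicit Full Control on the folder and everything below it
    foreach ($acct in $Admins) {
        icacls $path /grant "$($acct):(OI)(CI)F" | Out-Null
    }
}

# Test each UNC path the way the pool wizard will use it: resolve it and write to it.
function Test-OcsShares {
    $server = $env:COMPUTERNAME
    $allOk  = $true
    foreach ($f in $Folders) {
        $unc   = "\\$server\$f"
        $probe = Join-Path $unc ("probe-{0}.tmp" -f [guid]::NewGuid())
        $result = "OK"
        if (Test-Path $unc) {
            [IO.File]::WriteAllText($probe, "x")
            if (Test-Path $probe) { Remove-Item $probe } else { $result = "FAIL: not writable"; $allOk = $false }
        } else {
            $result = "FAIL: share not found"; $allOk = $false
        }
        "{0,-32} {1}" -f $unc, $result
    }
    return $allOk
}

Test-OcsShares
```

The write test matters more than a plain directory listing: the wizard runs as the pool creator, and a share that is readable but not writable by RTCUniversalServerAdmins will pass a casual check and fail later when the Address Book Server or Web Conferencing Server tries to publish into it.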
Make sure you provide both RTCUniversalServerAdmins and Administrators Full Control via NTFS permissions as well. Because our folders are in the OCS folder, we can add these permissions on C:\OCS and they will flow down to our sub-folders through inheritance. In production, I would assign them manually to each folder, as each folder requires a different set of permissions.

Create Enterprise Pool (Step 2)

The guidance on which server you create the pool from is different in R2 than it was with OCS Release 1 RTM. On OCS Release 1 RTM, we'd create the pool on an x86 system, which would most likely be our OCS Server. In OCS Release 2, if you are using a 32-bit version of SQL Server, create the pool by using the computer that you plan to use as the Front End Server. If you are using a 64-bit version of SQL Server, you need to log on to the OCS Back End Database server as a member of the RTCUniversalServerAdmins and Domain Admins groups and create the pool there. Because we are running SQL Server 2008 x64, we will need to create our pool on our SQL 2008 Server. Also, when using SQL 2008, we need to modify the Windows Firewall. We can do this by going to Start > Control Panel > Windows Firewall with Advanced Security.
Right-click Inbound Rules and choose New Rule. Select Port and click Next to Continue.

Select TCP and specify 1433 as the local port. Click Next to Continue.

Select Allow the Connection. Click Next to Continue.

Select Domain and Private and clear the checkbox for Public. Click Next to Continue and go through the rest of the options, such as giving the rule a name.

We are now on Step 2, which is to Create an Enterprise Pool. This is where you will definitely need to have your SQL Back End fully configured. You can use SQL Server 2005 (x86 or x64) with SP2 or later, or SQL Server 2008 as we are doing here; SQL Server 2000 and SQL Server 2005 SP1 are not supported for OCS 2007 R2. Click Run to Continue.
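The wizard rule above allows TCP 1433 from anything on the Domain and Private profiles. On a back end that only ever talks to the Front End, a practitioner would scope the rule to the Front End's address. The following is an added example, not from the original article: it creates the same rule with netsh advfirewall on the SQL server, restricted to the Front End, then checks from the Front End that the port is reachable. It assumes a hypothetical Front End address of 192.168.1.160 (the article gives the Front End no IP) and that SQL uses the default instance on 1433, as the article says.

```powershell
# Added example: scoped inbound rule for SQL 1433 on the back end, plus a
# reachability check from the Front End. Not from the article.
# Assumption: Front End SHUD-OCSFE1 at 192.168.1.160 (hypothetical), default instance on 1433.

# --- on SHUD-SQL1 (elevated) ---
$FrontEndIp = "192.168.1.160"
$RuleName   = "OCS_BackEnd_SQL1433_from_FE"   # no spaces: simplest for netsh under PowerShell

netsh advfirewall firewall add rule name=$RuleName dir=in action=allow `
    protocol=TCP localport=1433 profile=domain,private remoteip=$FrontEndIp

# Confirm the rule exists and that SQL is actually listening on 1433
netsh advfirewall firewall show rule name=$RuleName
netstat -ano | findstr ":1433"

# --- on SHUD-OCSFE1 ---
function Test-SqlPort {
    param([string]$Server = "SHUD-SQL1", [int]$Port = 1433)
    $client = New-Object System.Net.Sockets.TcpClient
    $ok = $false
    # Connect() throws on refusal/timeout; trap it so the function returns $false instead
    trap { return $false }
    $client.Connect($Server, $Port)
    $ok = $client.Connected
    $client.Close()
    return $ok
}

if (Test-SqlPort) { "SQL port reachable from the Front End" } else { "SQL port NOT reachable; check the rule and the SQL TCP protocol setting" }
```

If the check fails with the rule in place, the usual cause is that the SQL Server TCP/IP protocol is disabled or listening on a dynamic port rather than 1433; the netstat line on the back end tells you which.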
On the Welcome Screen, Click Next to Continue. On both your SQL 2008 and OCS 2007 R2 servers, make sure that File Sharing is enabled. Our SQL Server was installed using the Default Instance, so there is no instance name to specify; all we will need to do is ensure we are logged on with an account that is a member of Domain Admins and RTCUniversalServerAdmins and has permissions to create and manage SQL databases. Click Next to Continue. We must now decide what we want our Pool Name to be. On an OCS Standard Edition Server, your Pool name is the name of your server. But since we are using Enterprise Edition, we must select a name that won't match any other existing records currently housed in DNS. We will use the name OCSPool.
We can now proceed to creating our Pool. Just an FYI, as stated earlier, the documentation states that since we are using an x64 SQL Back End, we should be creating the Pool on our SQL Server. I did initially try to run all of this on the Front End and encountered issues. So, as the documentation states, since it's an x64 Back End, create the pool on the SQL Server. Click Next to Continue.

We will want to leave our Internal web farm FQDN alone. This should be the pool name. Taking a look at this from the perspective of a production environment, if you are going to be installing multiple Front End Servers behind a Hardware Load Balancer, the OCS Pool DNS record would be pointed to your Hardware Load Balancer Virtual IP Address, which would then direct the traffic to one of your Front End Servers.

The External Web Farm FQDN is used by your ISA Server. It allows you to reverse proxy (publish) your Address Book and Web Conferencing meeting content, as well as expansion of Exchange Universal Distribution Groups. I would recommend configuring this during the install, as you cannot modify it through the OCS Administrative GUI. You can use the guide here to modify the External web farm FQDN should you decide you don't want to set this FQDN during install or wish to change it at a later time. Note: I used the FQDN ExtWebFarm.shudnow.net. If you do not have split DNS, you can use the same namespace that you will be SIP-enabling users in. For example, our SIP domain is exchange.shudnow.net and shudnow.net is my AD domain, so I can easily just use ExtWebFarm.exchange.shudnow.net.
I am selecting to overwrite any existing database since I did use my SQL Server for a previous OCS installation. .
OCS is smart enough to detect whether SQL has any volumes other than the system volume. When it does detect separate volumes, it will try to optimize the locations as much as possible. Because I do have a separate LUN/volume on my SQL Server, OCS automatically used the E:\ volume to separate the RTCDYN log from everything else. Make any changes here as you wish. As OCS comes closer to release, public documentation on database storage guidance will become available; I will link to it as it does. Click Next to Continue.

The time has now come to specify the location of the shares we created above. These should be:

Presentations – \\SHUD-OCSFE1\Presentations
Metadata – \\SHUD-OCSFE1\Metadata
ABS – \\SHUD-OCSFE1\ABS
MeetingComp – \\SHUD-OCSFE1\MeetingComp
Applications – \\SHUD-OCSFE1\Applications
Updates – \\SHUD-OCSFE1\Updates

Make sure you test that all of the Universal Naming Convention (UNC) paths work prior to proceeding. If they do work, enter the UNC paths as displayed in my screenshot. Click Next to Continue.
Configure the remaining UNC paths as follows. Click Next to Continue.
Since we will not be enabling Archiving, CDR, or QoE in our environment, leave the following settings unchecked. Click Next to Continue. We are finally ready to create our Enterprise Pool! Review your Current Settings. When satisfied, Click Next to Continue.
When the Pool Creation is finished, Click Finish. You will be given the option to view the log, which I advise you to do to ensure everything went OK. You can resume your OCS installation on your Front End Server.

Deploy Hardware Load Balancer (Step 3)

If you are going to be doing any type of redundancy, you will need to use a Hardware Load Balancer such as an F5 BIG-IP with the LTM module. The steps required to configure a Load Balancer are out of the scope of this article, as we are deploying a single Front End server, which does not require a Hardware Load Balancer. Note: One thing that is important is that DNAT is no longer supported on a Front End Pool configuration. The hardware load balancing planning and deployment information will be linked to as the documentation becomes available.

Configure Pool (Step 4)

We are now on Step 4, which is to Configure our Pool and Configure DNS. Click Run to Continue.
As stated previously, we will be using a SIP domain that is different from our Active Directory domain. This SIP domain is called exchange.shudnow.net. The reason I am doing this is to show you how you can set up your SIP namespace to be different from your Active Directory domain, which is not uncommon. For example, in many organizations the AD domain may be domain.local while the SMTP namespace is domain.com. The method I am using is the same thing: you have an Active Directory domain, and then use a different namespace for SMTP/SIP. In the case of our lab, I am only using Exchange to show distribution group expansion within OCS. Note: A person by the name of Simo notified me that Exchange is not required for group expansion. As long as your distribution group has a value in the "mail" attribute, group expansion will work. In a production environment, you can use the same namespace for both Exchange and OCS, and this is actually recommended. So just to ensure you understand, let me show some examples:

Example 1
Active Directory Domain Namespace – shudnow.net
OCS Namespace – shudnow.net (can be different from Exchange Namespace)
Exchange Namespace – shudnow.net (can be different from OCS Namespace)

Example 2
Active Directory Domain Namespace – shudnow.net
OCS Namespace – exchange.shudnow.net, staff.shudnow.net, etc.
Exchange Namespace – exchange.shudnow.net, staff.shudnow.net, etc.

On the Welcome Screen, Click Next to Continue. You will then be prompted to install the Core Components, since no other OCS components are installed on this server. You don't have much of a choice here and you must install these tools. Click Next to Continue, which will begin the installation process of the Core Components.
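Since the note above says the "mail" attribute, not Exchange, is what makes a group expandable, the practical check is to find the universal distribution groups in the forest that have no mail attribute before users report that expansion silently shows nothing. The following is an added example, not from the original article. It uses DirectorySearcher so it works on the Front End or DC without Exchange tools or the ActiveDirectory module, restricts itself to universal distribution groups (groupType 8) because those are what the lab mail-enables, and uses exchange.shudnow.net as a hypothetical SMTP domain for the optional fix.

```powershell
# Added example: list universal distribution groups with an empty "mail"
# attribute (these will not expand in Communicator) and optionally stamp one.
# Not from the article. Assumption: SMTP domain exchange.shudnow.net (hypothetical).

function Get-UnexpandableGroups {
    # groupType 8 = ADS_GROUP_TYPE_UNIVERSAL_GROUP without the security-enabled bit,
    # i.e. a universal distribution group. (!(mail=*)) keeps only those with no address.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(groupType=8)(!(mail=*)))"
    $searcher.PageSize = 500                       # paged search: large forests return everything
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    $searcher.FindAll() | ForEach-Object { $_.GetDirectoryEntry() }
}

function Set-GroupMail {
    param(
        [System.DirectoryServices.DirectoryEntry]$Group,
        [string]$SmtpDomain
    )
    # The "mail" attribute alone satisfies OCS group expansion; this does not
    # create Exchange recipient attributes, so do it through Exchange when you have it.
    $alias = [string]$Group.sAMAccountName
    $Group.Properties["mail"].Value = "$alias@$SmtpDomain"
    $Group.CommitChanges()
    return [string]$Group.Properties["mail"].Value
}

$missing = @(Get-UnexpandableGroups)
"{0} universal distribution group(s) without a mail attribute:" -f $missing.Count
$missing | ForEach-Object { "  {0}" -f [string]$_.sAMAccountName }

# To fix them with the hypothetical SMTP domain, uncomment:
# $missing | ForEach-Object { Set-GroupMail $_ "exchange.shudnow.net" }
```

Run it as a user with read access to the directory; the fix needs write access to the group objects. If you have Exchange, prefer Enable-DistributionGroup over writing the attribute directly, so the address also lands in proxyAddresses and the group is a proper recipient.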
We now must choose what Pool we want to configure. Considering we only have one pool, leave the selection (don't have much of a choice) at OCSPool.shudnow.net. Click Next to Continue.
The following four options are dependent on what services you will be deploying in your environment. The first two Conferencing options are utilized when using Dial-in Audio Conferencing. The Response Group Service is used if you want to route calls to multiple participants. The Outside Voice Control is used to allow Communicator Mobile Edition access to Voice, which is used if you want capabilities such as Single Number Reach, Least Cost Routing, etc…
We are now presented with the SIP domains in our environment.
Since we will be using exchange.shudnow.net as a SIP domain, we will need to add that in there. If you recall, when we did our Forest Prep, we chose our Active Directory domain for SIP Routing. Because of this, we will have two SIP domains, one for routing and one for user access. Do not remove shudnow.net. You will then want to type in exchange.shudnow.net and click Add. Click Next to Continue.

When you set Communicator to connect to your OCS pool, you can configure it to automatically connect or to manually connect. We will configure OCS to allow for automatic client logons. Because of this, we will ensure that "Use this server or pool to authenticate and redirect automatic client logon requests" is checked. If we had multiple pools and we wanted users who connected to this Pool to be redirected to another Pool, this is the screen where that would be configured. Click Next to Continue.
Since we are enabling our Pool to allow automatic logons, we must specify which SIP domains will be allowed for automatic logons. Choose exchange.shudnow.net and then Next to Continue.

Note: We will not be doing the actual DNS configuration to support our new SIP namespace until we get to the part where we will be connecting via Communicator. This way, you can see step by step what fails and how to rectify the failure to ensure a successful automatic logon.
We do not have our Edge Topology up and running. In fact, the recommended method of deploying a new OCS organization is to bring up your internal servers and then your Edge Servers. If you are migrating from OCS R1, you can configure external access now, as an OCS R1 Edge Server can proxy data to an OCS R2 Front End Server; the migration strategy for OCS R2 is inside out. Select "Do not configure for external user access now" and then Next to Continue.
We are finally ready to Configure our Enterprise Pool. You can review your Current Settings. When satisfied, Click Next to Continue.
The configuration will now commence, which will be pretty quick. In fact, it's too quick for me to grab a screenshot. When the Pool Configuration is finished, you will be given the option to view the log, which I advise you to do to ensure everything went OK. Click Finish.

Summary
Well folks, that is all for Part 2 of this article. In Part 2, we went over the Environmental Preparation for our OCS 2007 R2 environment. For Part 3, I will go through the initial configuration of the pool, certificates, and adding our Front End Server to our newly created pool that uses a SIP namespace (exchange.shudnow.net) that is separate from our AD Namespace (shudnow.net). We will begin the steps needed to validate our configuration to make sure the Front End OCS Server is healthy.

Part 3
Welcome to Part 3 of this article series. In Part 1, we started off by discussing the goal of this lab. That goal is how to deploy a single Enterprise Edition OCS 2007 R2 Server which is connected to an x64 SQL Server 2008 Back-End Server. We first discussed what the lab setup is going to be using Hyper-V, and then proceeded to the configuration of our Enterprise Certificate Authority. In Part 2, we went over the Environmental Preparation for our OCS 2007 R2 environment. In this Part, I will go over the remaining steps required to deploy our Front End Server in an Enterprise Pool Deployment. This includes going through the initial configuration of the pool, certificates, and adding our Front End Server to our newly created pool that uses a SIP namespace (exchange.shudnow.net) that is separate from our AD Namespace (shudnow.net). We will begin the steps needed to validate our configuration to make sure the Front End OCS Server is healthy.

Front End OCS 2007 R2 Server Installation
When installing OCS in a consolidated Enterprise Edition deployment, you would perform the following steps:

Prepare Environment (Completed in Part 2)
1. Prepare Active Directory (Completed in Part 2)
2. Create Enterprise Pool (Completed in Part 2)
3. Deploy Hardware Load Balancer (Completed in Part 2)
4. Configure Pool (Completed in Part 2)

Add Enterprise Edition Server to Pool
1. Add Server to Pool
2. Configure Certificate
3. Configure Web Components Server Certificate
4. Verify Replication
5. Start Services
6. Validate Server and Pool Functionality
Add Enterprise Edition Server to Pool

Add Server to Pool (Step 1)
As a prerequisite, you'll need to install IIS by following the instructions here for Server 2003 and here for Server 2008. For Server 2008, make sure you install Windows Authentication and all IIS 6 Management Compatibility Role Services. You may also need your SP2 binaries and CD1 of your Server 2003 Installation CD. Once IIS has been installed, you will have to restart Setup.

Because we are using Server 2008, our IIS version will be 7. With Kernel Mode Authentication enabled, Kernel Mode Authentication runs under the context of a computer account, while OCS runs its services under the context of a user account. Because of this mismatch, Kerberos tickets will fail, so OCS 2007 R2 disabled Kernel Mode Authentication on IIS during installation. Instead of disabling kernel mode authentication in IIS, you can configure IIS to use the Web application pool's identity for the internal virtual directories used by OCS. We can do so by modifying Windows Authentication on the Default Website of the Web Components Server using the ApplicationHost.config file. Open the %windir%\system32\inetsrv\config\ApplicationHost.config file in a text editor. For all folders under the Default Web Site location path, set the value of the windowsAuthentication element and the useAppPoolCredentials attribute to true. For example:

<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
    </authentication>
  </security>
</system.webServer>

When I went to look for the above (from the OCS R2 docs), I didn't find any useAppPoolCredentials attribute, but I did see windowsAuthentication and set it to true, which you can also do via the IIS Manager.

Once back at the Deploy Pool in a Consolidated Topology page, we are now on Step 1, which is to Add Server to Pool. Click Run to Continue. On the Welcome Screen and Licensing Information (after reading all the licensing information and choosing that you agree, if you agree with the licensing terms), Click Next to Continue.
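As an added illustration (not code from the article or from the OCS documentation), the following Python script audits the windowsAuthentication settings of an ApplicationHost.config fragment for the Kerberos problem just described: kernel-mode authentication left on for a site whose services run as a domain user, without useAppPoolCredentials. The configuration text and the two virtual directory paths are constructed for the example; the IIS 7 defaults it relies on (useKernelMode true, useAppPoolCredentials false) are the documented defaults of the windowsAuthentication element.

```python
"""Audit windowsAuthentication settings in an ApplicationHost.config fragment.

Added example, not from the article. The sample configuration below is
constructed; the location paths are assumed, not copied from a real server.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the first virtual directory is fixed as the text describes,
# the second still has kernel-mode authentication on without app-pool credentials.
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site/Abs">
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="Default Web Site/GroupExpansion">
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" useKernelMode="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""

WINAUTH_PATH = "system.webServer/security/authentication/windowsAuthentication"


def _flag(element, name, default):
    """IIS stores booleans as the strings 'true'/'false'; a missing attribute means the default."""
    return element.get(name, default).lower() == "true"


def audit_windows_auth(config_xml: str) -> dict:
    """Return, per <location> path, whether Kerberos can work for a service running as a domain user.

    Kernel mode decrypts tickets with the computer account's key. When the site's
    services run as a user account (as OCS does), that only works if IIS is told to
    use the application pool's credentials instead (useAppPoolCredentials="true").
    """
    root = ET.fromstring(config_xml)
    results = {}
    for location in root.iter("location"):
        auth = location.find(WINAUTH_PATH)
        if auth is None:
            continue
        enabled = _flag(auth, "enabled", "false")
        kernel_mode = _flag(auth, "useKernelMode", "true")
        pool_creds = _flag(auth, "useAppPoolCredentials", "false")
        if not enabled:
            status = "windows authentication disabled"
        elif kernel_mode and not pool_creds:
            status = "kerberos will fail: kernel mode without useAppPoolCredentials"
        else:
            status = "ok"
        results[location.get("path")] = status
    return results


if __name__ == "__main__":
    for path, status in audit_windows_auth(SAMPLE_CONFIG).items():
        print(f"{path}: {status}")
```

Run it against the real file by reading %windir%\system32\inetsrv\config\ApplicationHost.config into the string instead of SAMPLE_CONFIG; a location reported as "ok" either has kernel mode off or uses the application pool's credentials, which are the two configurations the text describes as working.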
Specify where you want OCS to be installed. We will use the default location. Click Next to Continue. We are ready to Add our Server to our Enterprise Pool. You can review your Current Settings. When satisfied, Click Next to Continue. The configuration will now commence, which will install all of the OCS roles onto this Front End Server due to it being a Consolidated Front End.
Once the roles have been installed on your Front End Server, you will have to specify what Pool we want to join this server to. Considering we only have one pool, leave the selection (don't have much of a choice) at OCSPool.shudnow.net. Click Next to Continue.
You will now be prompted to specify passwords for your Service Accounts. You will have to do this for several Service Accounts: RTCService, RTCComponentService and RTCGuestAccessUser. I recommend using long, secure passwords. You can view this and this site, which assist in choosing strong passwords. Once you have set a password for all three accounts, Click Next to Continue.
We are ready to Activate our Components. You can review your Current Settings. When satisfied, Click Next to Continue.
The server will go through a procedure which activates each OCS Server role on our Front End Server. When the Activation is finished, you will be given the option to view the log, which I advise you to do to ensure everything went OK. Click Finish.

Configure Certificate (Step 2)
We are now on Step 2, which is to Configure our Certificate. Click Run to Continue. On the Welcome Screen, Click Next to Continue. The next screen will be familiar to many of you. It's going through the process of creating a certificate request. Since we have not created a certificate for our Front End Server, we will want to Choose to Create a new certificate. Click Next to Continue.
Because we have an internal CA installed, we can send the request immediately to an online certificate authority. Click Next to Continue. By default, the Certificate Name will be set to your server name. Change this to the FQDN of the Enterprise Pool, not the server name. When deploying OCS in an Enterprise Pool, this would be the FQDN of the pool name; on a Standard Edition Server, this would be the FQDN of the server's computer name. You would then export this certificate after you have obtained it and place the certificate on all other Front End Servers. Note: The Certificate Name is not the Subject Name (SN) / Common Name (CN) of the certificate, but I always match the SN / CN of the certificate to the Certificate Name. Click Next to Continue.
You will be asked for your Organization information. Enter it appropriately. Click Next to Continue. You will now be asked for your SN / CN. As stated previously, because we created an Enterprise Pool, we want this name to be the FQDN of our Enterprise Pool. The SAN should automatically be filled in for you due to Step 4, which is when we Configured our Pool. Because we will be using a second SIP domain (exchange.shudnow.net), we will need to add a Subject Alternative Name (SAN) for sip.exchange.shudnow.net (sip.SIPDomainName.TLD). Click Next to Continue.
You will be asked for your Geographical information. Enter it appropriately. Click Next to Continue. Since we specified the OCS Certificate Request to send the request immediately to an online certificate authority, OCS will search for an Issuing CA and display this server as the CA to use. The name of our CA (not the server name but the name of the CA) is CA. Choose SHUDDC2.shudnow.net\CA as our CA. Click Next to Continue.
We are ready to Request our Certificate. You can review your Current Settings. When satisfied, Click Next to Continue.
We should now have our certificate. Choose Assign certificate immediately. Click Next to Continue.
You can continue through the remaining prompts to finish the certificate request and assign it to your server.

Configure Web Components Server Certificate (Step 3)
We are now on Step 3, which is a really straightforward manual step. It consists of opening IIS (Start > Control Panel > Administrative Tools > Internet Information Services Manager). Go to the ServerName > Sites > Default Website > IIS > Authentication > Select Bindings from the Action Pane.
Choose https and select our Pool Certificate. Make sure IP address is set to All Unassigned. Click OK then Close to Continue.
Note: The reason why you want to assign the certificate to IIS is because the Address Book is a part of the Web Components Server. Remember setting up the share for this? Because clients access this Address Book via SSL and the ABS folder within IIS is set to use SSL, we need to make sure IIS uses a certificate to grant SSL access to ABS. If you don't, clients won't be able to access the ABS and will get an ABS error when using Communicator.

Verify Replication (Step 4)
We are now on Step 4, which is to Verify Replication. This is a manual step that I will not go over. Click Help to see the LCSCMD commands used to verify replication.

Start Services (Step 5)
We are now on Step 5, which is to Start Services. Click Run to start the OCS Services. I will not provide screenshots of this process as it is extremely straightforward.

Note: I did notice an issue with the Monitoring Agent not being able to start. I then noticed in the Event Viewer that this service is for QOE and it can't start because it can't create an administrative message queue. Because we didn't choose to deploy QOE, I have disabled this service. If QOE is needed in the future, you can set up QOE and re-enable this service.

IMPORTANT UPDATE: As I said, I disabled the service, but do not do this. Make sure you install Message Queuing, as an OCS April Update doesn't work properly and will try to mess with this service and render your OCS Server in an unworkable state. Future patches such as the ones after June state that they don't have this problem. So if you plan on installing the June update or later, you can safely disable this service and patch your servers without worry (hopefully). You can read more about this issue here.
Validate Server and Pool Functionality (Step 6A)
We are now finally on our final Step, Step 6, which is to Validate Server and Pool Functionality. This step helps us ensure that our environment is working properly. I am dividing this step into 2 steps, Step 6a and Step 6b. Part of this is to go through with the validation. But because, as I stated earlier, DNS needs to be set up, we will finish Step 6 in the next Part. I want to hold off on DNS so we can go through the Communicator logon step by step without DNS and see how to get automatic client logon working.

Server and Pool Validation requires you to have a SIP enabled user account. To do this, we must use Active Directory Users and Computers on our OCS server. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers. So now that ADUC is open, go ahead and create a couple of accounts. I created the following two users: OCS User 1 (username of ocsuser1) and OCS User 2 (username of ocsuser2). For these users, I also mailbox enabled them after creating a new Accepted Domain for exchange.shudnow.net and setting up a new e-mail address policy so they obtain a primary e-mail address domain of exchange.shudnow.net. Once these users are created, Right-Click the User and choose Enable users for Communications Server.

Tip: One of these options is to Move a User from one pool to another. If you do this while the source server is up, the user will retain all user configuration/settings that are stored on the server. If for some reason you have a catastrophic failure on one server, you can move the user to another pool without the source server being up, but that user will lose all of its server stored configuration/settings.

On the Welcome Screen, Click Next to Continue. We now must choose what Pool we want to assign this user to. Considering we only have one pool, leave the selection (don't have much of a choice) at OCSPool.shudnow.net. Click Next to Continue. Here is where we can assign the user as either shudnow.net or exchange.shudnow.net. We only specified exchange.shudnow.net to allow for automatic sign-on, so we will want to make sure we assign our users as exchange.shudnow.net. You can use the shudnow.net name as long as you set those users to manually log on and you configure DNS appropriately. You can also allow shudnow.net for automatic logon by re-running the previous wizards.

For purposes of this lab, I will use the user's e-mail address since they are mailbox enabled and I don't want users to have to know more than two sets of login usernames (one for Exchange/AD and a different one for OCS). But let's say you wanted some users to have a different OCS SIP Address than their Exchange address, or even if you wanted to use the shudnow.net domain for SIP. You could choose the following option, although you can either choose only firstname.lastname@SIPDomain or sAMAccountName@SIPDomain. Click Next, which will begin the OCS-Enable process. Once this is complete, click Finish to Finish.
I would now go ahead and OCS enable your second user. Once finished, you can refresh ADUC and verify these users have a Communications Server address.

Summary
Well folks, that is all for Part 3 of this article. For Part 4, I will go through the installation of our Office Communicator 2007 client and get it connected through OCS by configuring DNS. I will then begin preparation of our Edge Servers followed by configuring our ISA 2006 Server.

Part 4
Welcome to Part 4 of this article series. In Part 1, we started off by discussing the goal of this lab. That goal is how to deploy a single Enterprise Edition OCS 2007 R2 Server which is connected to an x64 SQL Server 2008 Back-End Server. We first discussed what the lab setup is going to be using Hyper-V, and then proceeded to the configuration of our Enterprise Certificate Authority. In Part 2, we went over the Environmental Preparation for our OCS 2007 R2 environment. In Part 3, we went over the remaining steps required to deploy our Front End Server in an Enterprise Pool Deployment. In this Part, I will go through the installation of our Office Communicator 2007 R2 client and get it connected through OCS by configuring DNS. I will then begin preparation of our Edge Servers followed by configuring our ISA 2006 Server.

Front End OCS 2007 Server Installation
When installing OCS in a consolidated Enterprise Edition deployment, you would perform the following steps:

Prepare Environment (Completed in Part 2)
1. Prepare Active Directory (Completed in Part 2)
2. Create Enterprise Pool (Completed in Part 2)
3. Deploy Hardware Load Balancer (Completed in Part 2)
4. Configure Pool (Completed in Part 2)

Add Enterprise Edition Server to Pool (Completed in Part 3)
1. Add Server to Pool (Completed in Part 3)
2. Configure Certificate (Completed in Part 3)
3. Configure Web Components Server Certificate (Completed in Part 3)
4. Verify Replication (Completed in Part 3)
5. Start Services (Completed in Part 3)
6. Validate Server and Pool Functionality (Completed in Part 3)

Microsoft Office Communicator (MOC) 2007 R2

Installing MOC
Installing MOC is a rather straightforward process. I won't go over the installation steps as it is like installing any other application.

Logging onto MOC
In Part 3, we talked about holding off on DNS additions so that when we install MOC, we can see what DNS is required to allow our client to log on. So let's try logging on with one of the users we created in Part 3. The user we will log on as is OCS User 1, who has a SIP Address of ocsuser1@exchange.shudnow.net. When we try to log on, we will get the following error message:
So let's start adding DNS by entering our DNS MMC by going to Start > Administrative Tools > DNS. We will then create a host record for our Pool (ocspool.shudnow.net). Note: If you have multiple Front End Servers and are deploying behind a hardware load balancer, the IP Address in this host record will be pointing to your hardware load balancer.
After that host record has been created, we will need to create an SRV record so MOC clients can query DNS and automatically locate the OCS Front End Server. But because we are using a separate namespace of exchange.shudnow.net, we will need to create either a new Primary DNS Zone for exchange.shudnow.net or a new domain called exchange within our shudnow.net zone. I elected to create an entire new zone. Once your exchange.shudnow.net zone is created, we will then need to create a host record inside our new exchange.shudnow.net zone for sip.exchange.shudnow.net. Create an SRV record within the exchange.shudnow.net zone that contains the following information.
Note: Internal clients can connect using either TLS or TCP, while external clients can only connect using TLS. If you want to allow your clients to connect over TCP, change the above to _sipinternal and change the port to 5060.

So let me explain what is going on here. We created our DNS Pool record in our shudnow.net zone: OCSPool.shudnow.net points to 192.168.1.163, which is the IP Address of our Front End Server. Typically, if you had SIP enabled your users for shudnow.net, we would just create our OCSPool A Record and then create the SRV record to point to OCSpool.shudnow.net. Because our users are SIP Enabled for exchange.shudnow.net, we needed to create a new zone. Because SRV records have to point to a DNS name within their own domain, we created our sip.exchange.shudnow.net A record within the exchange.shudnow.net zone. If you recall, when we retrieved our certificate, it had DNS names of OCSpool.shudnow.net and sip.exchange.shudnow.net. We then created the DNS SRV record for automatic client logon to point to the sip.exchange.shudnow.net name, which is a name in our certificate request. So essentially the following happens in order:

1. Client logs on using automatic logon
2. Client looks for an SRV record for _sipinternaltls._tcp.SIPDomain (in our case _sipinternaltls._tcp.exchange.shudnow.net)
3. DNS Server successfully returns sip.exchange.shudnow.net as the service from the SRV record
4. Client connects to sip.exchange.shudnow.net and resolves that to 192.168.1.163
5. Client is successfully able to start communications with the Front End Server

Adding Distribution Groups to MOC
I have created a universal distribution group named Sales. Our Sales distribution group was created within Exchange. A user named Simo notified me that a distribution group doesn't necessarily have to be created within Exchange. As long as the distribution group has the e-mail attribute filled in, OCS expansion will function. Searching for Sales, we will see that it displays our Sales group. We can add this group to our contacts list and we can expand the group information.
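The five-step sequence above, together with the earlier requirement that the pool certificate carry a SAN for sip.exchange.shudnow.net, can be modelled offline. The script below is an added example (not from the article) that walks the automatic logon lookup against constructed DNS records: it looks up the SRV record for the user's SIP domain, applies the rule that the SRV target must sit inside that domain, resolves the target, and checks that the name the client connected to is on the pool certificate. The host names and the 192.168.1.163 address are the lab's; the SRV priority and weight values and the second (TCP) record are constructed for the example.

```python
"""Model of the Communicator automatic sign-in lookup described above.

Added example, not from the article. DNS and certificate data are constructed
in memory; nothing is queried over the network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed records mirroring the lab zones (priority/weight values are assumed).
LAB_SRV = {
    "_sipinternaltls._tcp.exchange.shudnow.net": SrvRecord(0, 0, 5061, "sip.exchange.shudnow.net"),
    "_sipinternal._tcp.exchange.shudnow.net": SrvRecord(0, 0, 5060, "sip.exchange.shudnow.net"),
}
LAB_A = {
    "ocspool.shudnow.net": "192.168.1.163",
    "sip.exchange.shudnow.net": "192.168.1.163",
}
# Names on the pool certificate: the CN (pool FQDN) plus the SAN added for the second SIP domain.
LAB_CERT_NAMES = {"ocspool.shudnow.net", "sip.exchange.shudnow.net"}


def sip_domain(sip_uri: str) -> str:
    """The SIP domain is everything after the '@' of the user's SIP address."""
    return sip_uri.split("@", 1)[1].lower()


def in_domain(host: str, domain: str) -> bool:
    """True when host is the domain itself or a name beneath it."""
    return host == domain or host.endswith("." + domain)


def automatic_logon(sip_uri, transport="tls", srv=LAB_SRV, a=LAB_A, cert_names=LAB_CERT_NAMES):
    """Walk the steps listed above and report the step at which sign-in stops."""
    domain = sip_domain(sip_uri)
    service = "_sipinternaltls" if transport == "tls" else "_sipinternal"
    srv_name = f"{service}._tcp.{domain}"
    # Step 2: look for the SRV record of the user's SIP domain.
    record = srv.get(srv_name)
    if record is None:
        return {"ok": False, "step": 2, "reason": f"no SRV record {srv_name}"}
    target = record.target.lower()
    # Step 3: the SRV target must live inside the SIP domain. A target of
    # ocspool.shudnow.net is rejected for exchange.shudnow.net users, which is
    # why the lab needed the sip.exchange.shudnow.net host in its own zone.
    if not in_domain(target, domain):
        return {"ok": False, "step": 3, "reason": f"SRV target {target} is outside {domain}"}
    # Step 4: resolve the target host to an address.
    ip = a.get(target)
    if ip is None:
        return {"ok": False, "step": 4, "reason": f"no A record for {target}"}
    # Step 5 (TLS only): the name the client connected to must be on the server certificate.
    if transport == "tls" and target not in cert_names:
        return {"ok": False, "step": 5, "reason": f"certificate does not contain {target}"}
    return {"ok": True, "step": 5, "server": target, "ip": ip, "port": record.port}


if __name__ == "__main__":
    print(automatic_logon("ocsuser1@exchange.shudnow.net"))
    print(automatic_logon("ocsuser2@shudnow.net"))
```

The second call fails at step 2, which matches the lab: only exchange.shudnow.net was enabled for automatic logon, so a shudnow.net user must be set to log on manually. Passing a modified SRV table whose target is ocspool.shudnow.net reproduces the step 3 failure that the new zone avoids, and removing the SAN from the certificate name set reproduces the step 5 failure.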
Your Communicator client will refresh the membership information every 24 hours against the web farm FQDN and update the cache file located at the following directory: %LocalAppData%\Microsoft\Communicator\sip_user@domain.com\. For those that do not know, the Address Book files are what allow our clients to search for SIP enabled users and Distribution Groups. The Address Book also provides other functionality such as Phone Number Normalization when doing Remote Call Control. This information gets stored on our client as GalContacts.db in "%userprofile%\Local Settings\Application Data\Microsoft\Communicator\". The Address Book gets updated in OCS every 24 hours, which can be expedited by navigating to the following directory and running the following commands:

Preparation of OCS 2007 R2 Edge Node

Network Interface Card (NIC) Configuration
I put the Internal NIC on our VMNet8, which is our NAT Network. In Part 1, I stated that I would put all other NICs on VMNet7. I don't have VMNet7 and VMNet8 routed with each other; because of this, I put all NICs on VMNet8 to ensure that there is IP Connectivity all around. In a production network, your Internal NIC would be placed on your Internal Network while the external adapters would be on a separate subnet such as a DMZ. I would follow the OCS Planning Guide to ensure your networks are configured properly. When bringing up this server, the first thing I always do is rename the NICs appropriately so you know which NIC you are working with. On our Internal Edge NIC, we want to configure the IP Configuration as follows. This NIC will contain the default gateway and DNS Settings, and we will later ensure that this NIC is at the top of the binding order.
Our Audio/Video Edge NIC will be configured as follows.
Our Access Edge NIC will be configured as follows.
Our Web Conferencing Edge NIC will be configured as follows.
Binding Order
Set the Internal NIC to be at the top of the binding order. This is because it is our internal corporate communications NIC. It is the NIC that has DNS applied to it and will be talking to the rest of the internal servers.
ISA 2006 Configuration

Root Certificate
The first thing we will want to do is take the root certificate from our internal CA and place it into the Root Computer Certificate Store on ISA. The reason we need this Root Certificate is because when we Bridge our external connection to our internal connection via SSL, ISA will need to trust the internal FQDN, which has a certificate requested from our internal CA. If your ISA box is part of the domain and your CA is an Enterprise Root CA, your ISA box will automatically retrieve this certificate upon rebooting. For any other type of CA configuration, you must manually obtain the Root Certificate. To do this, go onto any domain joined server that has been rebooted since your CA was created. I am doing this on the SHUD-OCSFE1 server. Open the Certificates MMC by going to Start > Run > MMC. Go to File > Add/Remove Snap-In > Add > Certificates > Computer Account. Go to our Trusted Root Certification Authorities and find our Root Certificate. Once you find it, Export the Certificate and transfer this exported certificate to ISA 2006.
Back on our ISA Box, open the Computer Certificates Snap-In just as we did on our CA. In the same location (Trusted Root Certification Authorities > Certificates), we will import the certificate that we exported on our CA. Once you choose Import, navigate to the location of the exported certificate and import it.
External Web Farm Certificate Now let’s go ahead and get a certificate that matches the external Web Farm FQDN that we specified when deploying our Pool. This name is ExtWebFarm.shudnow.net. To do this, I installed IIS on ISA to request the certificate. In IIS, go onto your Default Website > Properties > Directory Security Tab. You will see a section entitled Secure Communications. Click Server Certificate to begin the process of requesting a certificate. Choose Create New Certificate. Click Next to Continue.
In a production environment, you will choose to Prepare the request now, but send it later and submit the request to a 3rd party certificate authority such as Entrust. This is because you'll want internet clients to be able to automatically trust this certificate. For purposes of this lab, I will just choose to Send the request immediately to an online certificate authority to expedite the process. Click Next to Continue. Note: I left the Prepare the request now, but send it later option selected by default. If you are doing a lab scenario like I am, feel free to select the second option (like me) to expedite the process. The rest of the screenshots will be using the second, expedited method.
By default, the Certificate Name will be set to your web site name. Change this to the FQDN of the External Web Farm FQDN. Click Next to Continue. Note: The Certificate Name is not the Subject Name (SN) / Common Name (CN) of the certificate, but I always match the SN / CN of the certificate to the Certificate Name.
You will be asked for your Organization information. Enter it appropriately. Click Next to Continue. You will now be asked for your SN / CN. Specify the name to be ExtWebFarm.shudnow.net. Click Next to Continue. You will be asked for your Geographical information. Enter it appropriately. Click Next to Continue. Since we chose to send the request immediately to an online certificate authority, the wizard will search for an Issuing CA and display this server as the CA to use. The name of our CA (not the server name but the name of the CA) is OCS-ROOTCA. Choose OCS-DC1.shudnow.net\OCS-ROOTCA as our CA. Click Next to Continue.
Now in a production environment where you submitted your CSR to a vendor such as Entrust, they will provide you some text information back. What essentially happens is that when you create your CSR, you create a private key on your IIS Server. The vendor takes the information in your CSR, which is tied to that private key, and returns a certificate carrying the matching public key. You will take this text, place it into a text file, and save the file as a .cer file. You will then go back into IIS and Assign the .cer file to your request. When you assign your certificate, you essentially bind your public/private key pair to the certificate. Once the certificate is properly assigned, you will see the View Certificate button light up. If you click on View Certificate, you will see the certificate has a CN of ExtWebFarm.shudnow.net.

If you performed these procedures on an IIS instance located on a server that is not your ISA Server, you must ensure you export the certificate with its private key and import it into the Local Computer Certificate Store on ISA. The procedures for importing a certificate are listed above. The only difference is the store you import it into. This will allow you to attach the certificate to the web listener we will be creating.
Once you are finished with your certificate request, if IIS is still enabled on ISA, make sure you turn it off (uninstall it), otherwise ISA will fail to proxy due to a port conflict between IIS and the Web Listener.

ISA Configuration
We will need to configure ISA to proxy requests for the following functions:
To enable external users to download meeting content for your meetings
To enable external users to expand distribution groups
To enable remote users to download files from the Address Book Service
To enable Communicator Phone Edition to connect to the Software Update Service (the documentation says Software Update Service, but it has actually been renamed to Device Update Service) and update themselves

The Web Components Server will use the following directories to allow external clients to connect through using the External Web Farm FQDN. To start creating the configuration for ISA, we will want to create a Web Site Publishing Rule. We will name it OCS External Web Farm.
Select Allow. Click Next to Continue.
Select Publish a single Web site or load balancer. The reason why we only publish a single website is because the server we connect to will be our pool name (Ocspool.shudnow.net). This will essentially load balance our ISA request to both of our Front End Servers. Click Next to Continue. Select Use SSL to connect to the published Web server or server farm. Click Next to Continue.
Enter our Internal Site name, which is the Internal Farm FQDN we specified when we created our Enterprise Pool. This internal site name should match our pool name. Enter the IP Address for our Enterprise Pool. Since we only deployed one Front End Server, this IP Address is the address of our Front End. If we were deploying multiple Front End Servers behind a Hardware Load Balancer, this IP Address would be the Virtual IP (VIP) of our Hardware Load Balancer. Click Next to Continue.
We will want to use /* for our Path so we can create one rule to allow us to proxy all data destined to our External Web Farm FQDN to our Front End Server. Click Next to Continue.
We will want to enter our External Web Farm FQDN as our Public Name. Click Next to Continue.
We are now prompted to select a Web Listener. Because we haven't created one, go ahead and select New. Name this Web Listener OCS External Web Farm. Click Next to Continue. We will definitely want to require SSL secured connections with clients. Click Next to Continue.
Select External since we will be allowing Internet Clients to use this listener, with DNS pointing to the Selected IP Address for our External connection. To select the IP Address for our External connection, Click the Select IP Addresses button.
Select the IP Address that we will be using for our External NIC. The reason why it doesn't show the IP Address for our 192.168.1.x address is because our 192.168.1.x network is selected as our Internal Network. You select your internal subnets when installing ISA. Click OK and then Next to Continue.
We must now choose our ExtWebFarm.shudnow.net certificate for this listener. Choose Select Certificate and choose our ExtWebFarm.shudnow.net Certificate. Click OK and then Next to Continue.
No Authentication will be used. Click Next to Continue.
When back in the rule configuration, you will want to ensure that you select No delegation, but client may authenticate directly. Click Next to Continue.
All the remaining options should be left at default. Click OK to Finish. The last modification we need to make is to go into the properties of our rule (not the listener) and go to the From tab. Remove Anywhere and add External, so the rule only answers requests arriving on the Internet side. All you need to do now is configure a HOST (A) record on your external DNS solution so ExtWebFarm.shudnow.net points to the IP Address of your ISA Server, whether that is a public IP Address directly on ISA or a NAT'd Address.
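Once the rule, listener and external A record are in place, it is worth checking the published endpoint from the outside rather than trusting the wizard. The following PowerShell is an added example and is not part of the original article or of ISA itself: it confirms the Public Name resolves to ISA, shows which process owns TCP 443 on the ISA box (an IIS process there means the port conflict the note below warns about), and completes a TLS handshake to see which certificate ISA actually presents. PowerShell 2.0 is assumed; ExtWebFarm.shudnow.net is the lab name from the article and 203.0.113.10 is an assumed external address.

```powershell
# Added example (not from the original article): post-deployment checks for the ISA
# publishing rule above. Assumes PowerShell 2.0; the external IP below is assumed.
$PublicName    = 'ExtWebFarm.shudnow.net'   # Public Name on the rule = CN of the listener certificate
$IsaExternalIp = '203.0.113.10'             # assumed: ISA's Internet-facing IP, or the public address NAT'd to it

function Test-PublicDns {
    # External DNS must resolve the published name to ISA, not to the pool.
    $resolved = [System.Net.Dns]::GetHostAddresses($PublicName) | ForEach-Object { $_.IPAddressToString }
    "$PublicName -> $($resolved -join ', ')"
    if ($resolved -notcontains $IsaExternalIp) {
        Write-Warning "$PublicName does not resolve to the ISA address $IsaExternalIp"
    }
}

function Get-Port443Owner {
    # Run on the ISA box itself. Only the Microsoft Firewall service (wspsrv.exe) should own
    # TCP 443; if an IIS process (inetinfo.exe / w3wp.exe) holds it, the Web Listener cannot bind.
    netstat -ano -p tcp | Select-String ':443\s+\S+\s+LISTENING' | ForEach-Object {
        $ownerPid = ($_.Line.Trim() -split '\s+')[-1]
        tasklist /fi "PID eq $ownerPid" /fo list | Select-String '^Image Name'
    }
}

function Get-PublishedCertificate {
    # Complete a TLS handshake against the published name and return the certificate ISA
    # presents. Chain validation is bypassed only so the handshake completes with the lab's
    # internal-CA certificate; trust is reported separately below.
    $tcp = New-Object System.Net.Sockets.TcpClient($PublicName, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($PublicName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

Test-PublicDns
Get-Port443Owner
$cert = Get-PublishedCertificate
"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"
"Trusted : $($cert.Verify())"     # False on a client that does not trust the internal CA
$presentedName = $cert.GetNameInfo('DnsName', $false)
if ($presentedName -ne $PublicName) {
    Write-Warning "Listener certificate is for $presentedName, expected $PublicName"
}
```

Run the DNS and certificate checks from a machine outside the Internal network; the port-owner check only makes sense on the ISA server. If the certificate comes back with the pool name instead of the Public Name, the listener is bound to the wrong certificate.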
Note: Again, if IIS is still enabled on ISA, make sure you turn it off (uninstall) otherwise ISA will fail to proxy due to a port conflict between IIS and the Web Listener.

Summary

Well folks, that is all for Part 4 of this article. So far in this article series, we have deployed an Enterprise Pool, configured our Pool, set up DNS, tested connectivity with Communicator 2007 R2, configured our ISA box, and prepared our Edge Servers. For Part 5, I will go through the installation and configuration of our Consolidated OCS 2007 Edge Server.

Part 5

Welcome to Part 5 of this article series.
In this Part, I will go through the configuration of our Consolidated OCS Edge Server using a separate NIC for each Edge Role.

OCS 2007 R2 Edge Server Installation

When installing an OCS 2007 R2 Edge Server, you would perform the following steps:
1. Install Files for Edge Server
2. Activate Edge Server
3. Configure Edge Server
4. Configure Certificates for Edge Server
5. Start Services
6. Validate Edge Server

Note: Edge Server should not be joined to your Corporate Active Directory. It sits in the perimeter network facing the Internet, and keeping it out of the domain means a compromise of the Edge does not hand over domain credentials.

Install Files for Edge Server (Step 1)

To begin the Edge Server installation process, we can insert our OCS CD (Standard can be used for Edge). There are some prerequisites for installing OCS such as .NET Framework 3.5 SP1, but this is all taken care of during the installation. Insert the CD and let's begin the installation process. You will be asked to install the Microsoft Visual C++ 2008 Redistributable. Click Yes to Continue. You will then be asked to install the Microsoft .NET Framework 3.5 SP1. Click Yes to Continue.
Once Microsoft .NET Framework 3.5 SP1 is installed, you will be presented with the Deployment Wizard. We will want to deploy our Edge Server in a Consolidated fashion. Click Deploy Other Server Roles > Deploy Edge Server to Continue. We are now on Step 1 which is to Install Files for Edge Server. Click Install for Install Files for Edge Server to Continue after meeting the Prerequisites (being a local Administrator). On the Welcome Screen, Click Next to Continue. After fully reading the License Agreement, if you agree, select "I accept the terms in the license agreement." Click Next to Continue. You will be asked for Customer Information such as Product Key, Name, and your Organization Name. Enter them appropriately. Click Next to Continue. Enter the location you want your files to be installed. I chose the default location. Click Next to Continue. You are now ready to start the Installation. Click Next to Continue. Once you completed the File Installation, you should see the Installation Interface update the Step 1 Status showing as Completed.

Activate Edge Server (Step 2)

Click Run for Activate Edge Server to Continue.
On the Welcome Screen, Click Next to Continue. In OCS 2007 R1, you'd be prompted for what roles to install. In OCS 2007 R2, there are only Consolidated Edge Servers. Because of this, you will not be prompted for roles to install. You will now be prompted to specify passwords for your Service Accounts. I recommend you use long, secure passwords. You can view this site and this site, which assist in choosing strong passwords. You will have to do this for the Service Accounts listed, such as RTCProxyService. Once you have set a password, Click Next to Continue. You are now ready to Activate your Edge Server. Review your Current Settings. After satisfied, Click Next to Continue.
When the Activation is finished, you will be given the option to view the log, which I advise you to do to ensure everything went OK. Click Finish. Once you completed the Activation, you should see the Installation Interface update the Step 2 Status showing as Completed.

Configure Edge Server (Step 3)

Click Run for Configure Edge Server to Continue. On the Welcome Screen, you will be prompted with a warning recommending that you stop all OCS Services.
Go ahead and stop all services (mine were already stopped). Click Next to Continue. The next screen asks us if we have a Configuration File to use. This file is great to use if we are deploying multiple Edge Servers that will be load balanced. For example, it would be useful if I was going to be deploying two Edge Servers behind a Hardware Load Balancer. I would configure my first Edge Server, and at the end of the configuration it would ask me to export the configuration so I can import it on my second Edge Server. Nifty! Because this is our first and only Edge Server, Click Next to Continue. We are presented with the following options. We must choose the Internal IP of our Edge Server as well as its FQDN.
You may be wondering which IP to choose. Remember back in Part 4 we configured four NICs. One of these NICs was the Internal NIC which we configured as follows. We also configured a dedicated NIC and IP for each Edge Role. Here is a list of NIC Names, their associated Edge Role, and IPs associated with them. So in our Edge Configuration, we will want to choose 192.168.1.180 for our Internal NIC. We will also want to set the FQDN as shud-ocsedge01.shudnow.net (computername.domain.com). Because our server is not a domain member, we will need to manually add the DNS record in our Active Directory DNS, due to the nature of Active Directory Secure DNS Zones only allowing domain members to add records to our zone. Click Next to Continue.
shudnow. When a client connects to the Access Edge Server. The same applies for the A/V Edge Server. . Exchange.net is our Internet DNS Zone. So when a Live Meeting Client tries to connect to a web conference. our Access Edge will communicate with the client telling it the FQDN for the web conferencing edge. we will configure our Web Conferencing Edge Server to use webconf. For example.We now must configure the IPs and FQDNs for all three Edge Roles.shudnow.exchange. the Access Server will return the URLs needed for the client to successfully communicate with services in the OCS organization. You can refer to the Excel List above to determine what IPs are associated with which role. Enter in the IP Configuration and FQDN accordingly. Click Next to Continue.net.
We will want to use this Edge Server to allow anonymous users to join meetings as well as enable federation. Now keep in mind this is optional; select those features as you see fit. If you plan on allowing your users to talk with public IM providers such as AOL, MSN, and Yahoo, we can choose the options as follows, which will enable Remote User Access, Federation, and Public IM Connectivity through our Consolidated Edge. Now let me explain why Allow remote users to communicate with federated contacts is greyed out. Because we will be utilizing one Consolidated Edge Server for both Remote User Access and Federation, the option does not apply here. It is possible to set up two Edge Servers and use one Access Edge for Remote User Access and another for Federation and Public IM Connectivity. If you decide to do this, on one Access Edge you'll disable Federation, which will light up the currently greyed out option. On the second Access Edge, you'll disable Remote User Access and enable Federation. Click Next to Continue.
We want our Edge Server to be able to talk to the internal OCS Servers. We have a few options. If we deployed a Director, we would enter the Director (or the FQDN of its hardware load balancer); in production a Director as the next hop keeps authentication of external users off the Front End Servers. If we are using a Standard Edition Server as our next hop, we would enter the Standard Edition pool FQDN, which would be the server's FQDN. Because we deployed an Enterprise Pool, we will use the FQDN of the Enterprise Pool. Enter the Enterprise Pool FQDN OCSPool.shudnow.net. Click Next to Continue.
Because our SIP Domain will be exchange.shudnow.net, that is what we will choose when specifying what our Authorized Internal SIP Domains are. Click Next to Continue.
We will then want to enter our internal OCS Pool Name for Authorized Internal Servers. If you have more than one Pool or Standard Edition Server, enter them here; the Edge will only accept connections from the internal servers listed. Click Next to Continue. You are now ready to apply your Edge Server Configuration. Review your Current Settings. After satisfied, Click Next to Continue. When the Configuration is finished, you will be given the option to view the log, which I advise you to do to ensure everything went OK. This is also where you'll have the chance to export your configuration if you're deploying a second Edge Server for Hardware Load Balancing. Click Finish. Once you completed the Configuration, you should see the Installation Interface update the Step 3 Status showing as Completed.

Configure Certificates for Edge Server (Step 4)

Click Run for Configure Certificates for the Edge Server to Continue.
On the Welcome Screen, Click Next to Continue. I'm going to skip through a lot of this section as it consists of how to obtain a Certificate, which I already went through in Part 4 when we discussed configuring our ISA Server. I will be obtaining three certificates. One is for our Internal NIC and consists of the FQDN of our Server (shud-ocsedge01.shudnow.net). The second certificate will consist of the names of our Access/Web Conferencing external edge roles. The third certificate will be our A/V Authentication certificate.

Certificate One (Internal Interface): CN = shud-ocsedge01.shudnow.net
Certificate Two (Access/Web Conferencing Server Roles): CN = sip.exchange.shudnow.net, SAN = sip.exchange.shudnow.net, SAN = webconf.exchange.shudnow.net
Certificate Three (A/V Authentication): CN = av.exchange.shudnow.net

Now keep in mind the reason the namespaces are different is because the internal NIC is connected to our internal infrastructure and will be utilized internally only. Because of that, we will be using our internal namespace, which is also used as our default SIP routing domain. Our edge servers will be contacted using the external DNS namespace. If you are using split-DNS where your internal namespace is hosted on external DNS, you can use either namespace.

Now you may be thinking, well, can't I just use two certificates, one for the internal interface and A/V Authentication together? Well, in our case, probably not. Microsoft considers it insecure to use the same certificate for both the Internal and A/V Authentication services. Also, if you have multiple Edge Servers, the A/V Authentication name will be the same on every one and that certificate (with its private key) is exported from the first server and imported on the others, whereas each internal interface certificate is unique because every server has a different name. A SAN certificate covering both names will technically work, though. Note: Microsoft's Official Support Policy requires you to have a separate certificate for each interface.

Note: In a production environment, you will be requesting your Access/Web Conferencing Certificate from a Third Party Vendor. Both your A/V Authentication and Internal Interface certificates will be provided by your Internal CA. The A/V Edge role doesn't need an Internet-facing certificate. For purposes of this lab, I will obtain all certificates from our internal CA. We will first choose to Create a new Certificate. Click Next to Continue. You will want to make sure you select only your Edge Server Private Interface. Click Next to Continue. As I said, you will want to go through the rest of the configuration, which includes entering your Organization Name, Company Name, etc. Once you have done this, when you are at the screen which asks what FQDN to use, you will use the CN of shud-ocsedge01.shudnow.net. Because our Edge Server is not a domain member, you have to ensure it contains the Root Certificate from our Internal CA. You will also have to submit the request and approve it manually, then take the .cer file back to the Edge Server and import it manually, again because the Edge Server is not a domain member and cannot autoenroll.
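Because the Edge is a workgroup machine, none of the automatic enrollment or root distribution that domain members get applies, so the offline request path is worth spelling out. The following PowerShell is an added example and is not part of the original article or of the OCS certificate wizard: it exports the internal root, submits the three request files the wizard wrote to the enterprise CA from a domain-joined machine, checks that each issued certificate carries the CN and SAN names listed above before you bind it to its pending request, and installs the root into the Edge's machine store. The CA configuration string shud-dc01.shudnow.net\shudnow-CA, the WebServer template and the C:\certs file names are assumptions; the certificate names are the article's.

```powershell
# Added example (not from the original article). The Edge is not domain-joined, so the .req
# files the wizard writes are copied to a domain-joined machine and submitted from there.
# Assumed: CA config 'shud-dc01.shudnow.net\shudnow-CA' (see 'certutil -dump' on the CA),
# the WebServer template, and the C:\certs file names.
$CaConfig = 'shud-dc01.shudnow.net\shudnow-CA'
$Requests = @{
    'edge-internal' = @('shud-ocsedge01.shudnow.net')                               # Certificate One
    'edge-access'   = @('sip.exchange.shudnow.net', 'webconf.exchange.shudnow.net') # Certificate Two
    'edge-avauth'   = @('av.exchange.shudnow.net')                                  # Certificate Three
}

# --- On the CA (domain-joined) ---
# Export the root so the Edge can be taught to trust the issuer; copy this file to the Edge too.
certutil -config $CaConfig -ca.cert C:\certs\shudnow-root.cer

foreach ($name in $Requests.Keys) {
    # A PKCS#10 request carries no template, so name one. If the template requires CA manager
    # approval, certreq reports a pending RequestId: approve it with 'certutil -resubmit <Id>'
    # and fetch it with 'certreq -retrieve -config <CaConfig> <Id> C:\certs\<name>.cer'.
    certreq -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' "C:\certs\$name.req" "C:\certs\$name.cer"
}

function Get-CertDnsNames {
    # All DNS names a certificate is good for: the Subject CN plus every SAN dNSName entry.
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if ($san) {
        # Format(true) renders one "DNS Name=<fqdn>" line per SAN entry on an English system
        $names += $san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
        }
    }
    $names | Select-Object -Unique
}

function Test-EdgeCertificate {
    # True when the issued certificate covers every name the role needs; warns about gaps.
    param([string]$Path, [string[]]$RequiredNames)
    $have    = Get-CertDnsNames $Path
    $missing = $RequiredNames | Where-Object { $have -notcontains $_ }
    if ($missing) { Write-Warning "$Path is missing: $($missing -join ', ')"; return $false }
    return $true
}

# --- Check each .cer before binding it to its pending request in the wizard ---
foreach ($name in $Requests.Keys) {
    "$name : $(Test-EdgeCertificate "C:\certs\$name.cer" $Requests[$name])"
}

# --- On the Edge (workgroup member, so Group Policy never pushes the root to it) ---
certutil -addstore -f Root C:\certs\shudnow-root.cer
certutil -verify C:\certs\edge-internal.cer      # must now chain to the internal root
```

Check the Access/Web Conferencing certificate most carefully: a missing webconf.exchange.shudnow.net SAN shows up later as Live Meeting clients failing to join conferences, long after the wizard has reported success.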
Once you are finished preparing the request, you will see the Step being partially finished. Click Run again to Continue. You will now want to go through the motions of taking the .cer file you obtained from your Certificate Authority and binding it to your request. Follow this procedure with the remaining certificates. Refer to the certificate CN/SAN names above as to what entries should be on your certificate. Your Access/Web Conferencing Edge Certificate request will look like:
Your A/V Authentication Certificate request will look like:
Once you completed the Certificate Configuration, you should see the Installation Interface update the Step 4 Status showing as Completed.

TIP: To administer the Edge Server, type Start > Run > Compmgmt.msc.

Remaining Steps

I will not be going through the remaining steps. They consist of Starting Services and Validating your Configuration. The only remaining steps after that are to enable users, configure federation, and enable your Front End Servers to talk with your Edge Servers. All this information is out of the scope of this article. If you are interested in doing this (and you will have to connect your Front End Servers to your Edge Servers), visit this site here.
Summary

Well folks, that is all for not just Part 5, but the entire article series. Hopefully these articles have helped you understand more on how the deployment of OCS works. There is a lot more to the configuration of OCS, and especially to the deployment when you get into load balancing, much more than what I went into. But hopefully the article gave you enough knowledge to know where to look and how the overall deployment process works.