Microsoft® Office Communications Server 2007
Published: July 2007
Updated: October 2007
2 Migrating to Microsoft Office Communications Server 2007
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or
event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any
form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, Windows, Windows Server, Active Directory, SQL Server, and MSN are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
Contents
Introduction
Terminology
Before You Begin
Planning Your Migration
Third-Party Applications
Coexistence with Live Communications Server 2005 with SP1
Phase 1: Upgrade Your Perimeter Network and Director
Overview of Steps
Step 1 Configure DNS Records for Your Edge Servers
Step 2 Configure a Reverse Proxy
Step 3 Deploy a New Edge Server
Step 4 Configure Certificates on the Internal Interface of Your Edge Servers
Step 5 Configure Certificates on the External Interface of Your Access Edge Server
Step 6 Start Services
Step 7 Configure Federation on Your Access Edge Server
Step 8 Configure Your Internal Environment to Use the New Edge Server
Step 9 Change Your Firewall Settings or DNS Settings to Use the IP Address of Your New Access Edge Server
Step 10 Validate the Configuration of Your Access Edge Server
Step 11 Test Connectivity Between Remote Users, Federated Users and Public IM Connectivity
Step 12 Deploy an Office Communications Server 2007 Director (optional)
Step 13 Remove Your Live Communications Server 2005 SP1 Director and Access Proxy
User Experience in Phase 1
Phase 2: Deploy Internal Office Communications Servers and Migrate Users
Step 2.1 Deploy Standard Edition Server or Enterprise Pool
Step 2.2 Deploy Archiving and CDR Server If Required
Step 2.3 Verify that User Replication Completed
Step 2.4 Back Up User Data on the Existing Live Communications Server 2005 with SP1
Step 2.5 Export User Data from Live Communications Server 2005 with SP1
Step 2.6 Move Users to Office Communications Server 2007
Step 2.7 Configure Users
Step 2.8 Transfer Remote Call Control Settings As Necessary
Step 2.9 Validate the Configuration and Connectivity of the Server or Pool
User Experience in Phase 2
Phase 3: Enable Pilot Users for Enhanced Presence and New Features and Deploy New Clients
Step 3.1 Enable Enhanced Presence for Your Pilot Users
Step 3.2 Deploy Office Communicator 2007 to Your Pilot Users
Step 3.3 Deploy the Live Meeting 2007 Client to Your Pilot Users
User Experience in Phase 3
Phase 4: Introduce New Edge Server Roles
User Experience in Phase 4
Phase 5: Continue Phased Migration for Additional User Groups
Phase 6: Deprecate Your Live Communications Server 2005 SP1 Servers
Remove Live Communications Server 2005 SP1 Standard Edition
Remove Live Communications Server 2005 with SP1 Enterprise Edition
Phase 1: Upgrade Your Perimeter Network and Director 5
Introduction
Migrating to Microsoft Office Communications Server 2007 guides you through the process of
upgrading from Microsoft® Office Live Communications Server 2005 with Service Pack 1 to
Microsoft Office Communications Server 2007 and of deploying Office Communications Server
2007 in an existing Live Communications Server 2005 SP1 deployment. If you intend for your
Office Communications Server 2007 deployment to coexist with a Live Communications Server
2005 SP1 deployment, this guide includes some essential information for operating such a mixed
environment.
This guide provides information specific to upgrading your existing deployment. It does not
explain how to change your existing topology. Because much of the detailed planning and
deployment information, and many of the procedures, are provided in other Office Communications Server
2007 documentation, that information is not duplicated in this guide. When a detailed procedure
is documented elsewhere, this guide directs you to the appropriate document.
In addition to this guide, you need the following documentation:
• Microsoft Office Communications Server 2007 Planning Guide
• Microsoft Office Communications Server 2007 Edge Server Deployment Guide
• Microsoft Office Communications Server 2007 Active Directory Guide
• Microsoft Office Communications Server 2007 Enterprise Edition Deployment Guide
• Microsoft Office Communications Server 2007 Standard Edition Deployment Guide
• Microsoft Office Communications Server 2007 Archiving and CDR Server
Deployment Guide
• Microsoft Office Communicator 2007 Deployment Guide
• Deploying the Microsoft Office Live Meeting 2007 Client with Office
Communications Server 2007
Terminology
Anonymous user: An external user who does not have credentials in the Active Directory®
Domain Services.
A/V: audio/video
Direct federation: In Live Communications Server 2005, a form of federation in which two
organizations explicitly designate each other as trusted federated partners. In Office
Communications Server 2007, this term is not used; you achieve the same functionality by not
configuring your Access Edge Server to automatically discover federated partners by using DNS.
Edge server: An Office Communications Server 2007 server that resides in the perimeter
network and provides connectivity for external users, federated partners, and public IM
connections. Each edge server has one or more of the following roles: Access Edge Server, Web
Conferencing Edge Server, or A/V Edge Server.
Enhanced federation: In Live Communications Server 2005, an organization-to-organization
federation that uses DNS-SRV resolution to identify the Access Proxy for each partner. In Office
Communications Server 2007, this term is not used. You can achieve this functionality by
configuring your Access Edge Server to use DNS to automatically discover federated partners.
External user: A user who connects from outside the organization’s firewall. External users
include anonymous users, federated users, and remote users.
External IP address: An IP address that is accessible from the Internet or from another network
that is outside the organization.
Federated user: An external user who possesses valid credentials with a federated partner and
who is therefore treated as authenticated by Office Communications Server.
Internal IP address: An IP address that is accessible from the internal network of an
organization.
PSOM: Persistent Shared Object Model. A custom protocol for transporting Web conferencing
content.
Remote user: An external user with a persistent Active Directory identity within the
organization.
Side-by-side migration: Deploying an upgraded software version on a separate computer from
the one that is running the original version, transferring essential data to the new computer,
making the new computer operational, and then taking the legacy computer offline. Note: Side-
by-side migration is not supported for Access Proxy and an Office Communications Server 2007
Access Edge Server.
SIP: Session Initiation Protocol, a signaling protocol for Internet telephony.
Web farm: A collection of server computers that host a single Web site.
Third-Party Applications
If you are running third-party applications on your Live Communications Server 2005 SP1
servers, be aware that changes have been made to the server and protocol infrastructure that
might affect these programs. You still need to test these applications to ensure that they work
properly with Office Communications Server 2007. For more information, contact the vendor of
your applications.
If you are running applications that are based on code examples from the Live Communications
Server 2005 with SP1 Software Development Kit, the applications must be updated before they will
work with Office Communications Server 2007. For more information, see the Office
Communications Server 2007 SDK documentation.
The Live Communications Server 2005 with SP1 Network of Origination Icon sample is not
supported on Office Communications Server 2007. In Office Communications Server 2007, for
federated users on a user’s Contacts list, the user sees the same icon for all contacts that are
outside the organization instead of seeing the icon for the network of origin. If the user moves the
pointer over the contact in Office Communicator, the SIP URI for the federated user appears.
Archiving Interoperability
You must archive all traffic on Office Communications Server 2007 servers by using an Office
Communications Server 2007 Archiving and CDR Server. Similarly, you must archive all traffic
on Live Communications Server 2005 SP1 servers by using the Live Communications Server
2005 with SP1 Archiving Service.
The default behavior is different for the different versions. In Office Communications Server
2007, both the global archiving and individual user archiving are disabled by default, but Live
Communications Servers retain their existing global settings. This means that if archiving is
enabled in global settings on all your Live Communications Servers, this setting is retained on all
your Live Communications Server 2005 with SP1 servers.
In a coexistence scenario, conversations initiated by a user hosted on a Live Communications
Server 2005 with SP1 server use the forest-level settings enabled in the Live Communications
Server 2005 SP1 environment. Conversations initiated by a user hosted on Office
Communications Server 2007 use the global settings configured in Office Communications
Server 2007.
Note
To access the global archiving settings, right-click the forest
node, point to Properties, click Global Properties, and then
click the Archiving tab. For more information, see the
Microsoft Office Communications Server 2007 Administration
Guide.
Using Load Balancers
Servers of different versions cannot coexist in a single pool or an edge server array. You can,
however, connect a Live Communications Server 2005 with SP1 pool and an Office
Communications Server 2007 pool to the same load balancer. For example, if you have an array
of Live Communications Server 2005 with SP1 Access Proxies attached to a load balancer, you
can also simultaneously attach an Office Communications Server 2007 edge server array to the
same load balancer.
Administrative Snap-Ins
In general, you must use the administrative snap-in that corresponds to the server version that
you want to manage. The only exception is that you use the Office Communications Server 2007
snap-in to move users from Live Communications Server 2005 with SP1 to Office
Communications Server 2007.
Use the 2005 Administrative Snap-In
• To manage Live Communications Server 2005 SP1 users and servers. You can also
use Active Directory Users and Computers on Live Communications Server 2005
SP1 or on a computer with the Live Communications Server 2005 SP1 administrative
snap-in installed.
• Although Office Communications Server pools are available from Live
Communications Server 2005 SP1, you should use only Office Communications
Server to move users hosted on Office Communications Server. Moving Office
Communications Server users from the 2005 administrative snap-in is not supported.
Use the 2007 Administrative Snap-In
• To move Live Communications Server 2005 SP1 users to Office Communications
Server 2007.
• To manage users on Office Communications Server 2007 after moving them from
Live Communications Server 2005 SP1.
• To manage all Office Communications Server 2007 servers.
The Live Communications Server 2005 SP1 administrative snap-in and the Office
Communications Server 2007 administrative snap-in cannot be installed on the same computer.
Overview of Steps
Upgrading your perimeter network involves the following steps:
1. Configure the necessary DNS records for your new edge server.
2. Deploy your Office Communications Server 2007 Access Edge Server before any
internal servers. The single site edge topology or scaled single-site edge topology is
recommended for your initial edge deployment. This topology allows you to add a
load balancer later for growth.
Deploy the new edge server topology alongside your existing Live Communications Server
2005 SP1 Access Proxy, but do not change your firewall setting to point to the new IP
address used by the Office Communications Server 2007 edge servers until you have
completed the following steps. You must use an internal and external IP address that is
different from your existing Access Proxy.
It is strongly recommended that you use the same external FQDN for your new Access Edge
Server as you did for your Live Communications Server 2005 SP1 Access Proxy. If you do
this, you can use the same certificate. If you have purchased a license for public IM
connectivity, you do not need to go through the provisioning process again. If you use a
different FQDN, you must obtain new certificates and re-provision public IM connectivity.
Additionally, you must notify any federated partners of the change to your external FQDN.
These partners can then change their configurations to point to your new FQDN to federate
with your organization. If they are using enhanced federation or an Office
Communications Server 2007 Access Edge Server with automatic DNS discovery, they can
simply add your domain on the Allow tab. Also, if you use manual configuration for your
Office Communicator clients, you must update this configuration to point to the new Access
Edge Server FQDN.
3. Configure certificates on your new Office Communications Server 2007 edge server.
This process varies depending on the following conditions:
• Internal certificate configuration.
o If your organization has a firewall between the Live Communications
Server 2005 SP1 Access Proxy and your internal servers, you can use
the same certificate on the internal interface of your new Access Edge
Server as you used on the internal interface of your existing Access
Proxy.
o If your organization does not have an internal firewall, the Director or
your internal Standard Edition server or Enterprise pool that is used for
the global federation route needs to differentiate the new Access Edge
Server from the 2005 Access Proxy, so you can either use a new
certificate on the Access Edge Server or update DNS settings.
o If you use a different internal FQDN on your new edge server, you must
obtain a new certificate from the certificate authority you use for
internal certificates.
• External certificate configuration.
o If you use the same external FQDN for your Access Edge Server, and
do not want your Access Edge Server to be discoverable through DNS
SRV records for multiple SIP domains in your organization, you can
use the same certificate on the external interface of your Access Edge
Server as you did on your Live Communications Server 2005 Access
Proxy.
7. Test your new topology by signing in as an Office Communicator 2005 user and
testing communications scenarios between internal users, remote users, federated
users, and users on a public IM network (if you use public IM connectivity).
8. If you do not use a Director, skip this step. If you use a Director, after confirming
that external traffic is flowing correctly from the new Access Edge Server to the
Live Communications Server 2005 SP1 Director, install and configure an Office
Communications Server 2007 Director so that it communicates with your new Edge
Server and configure your new Edge Server to route to the 2007 Director. Although
a Director is not required, it is strongly recommended. If problems occur, you can
simply point your Access Edge Server back to your existing Live Communications
Server 2005 SP1 Director.
At this point, your topology should now look similar to the following:
Figure 2 New Access Edge Server and Director in Your Existing Topology
The following table describes the DNS records that must be configured for the external interface
and the internal interface of edge servers in the scaled single-site edge topology.
Note
The procedures in this section are based on a Microsoft
Windows Server® 2003 Enterprise CA or a Windows Server
2003 R2 CA. For step-by-step guidance for any other CA, see
the documentation that is provided by the CA. By default, all
authenticated users have the necessary user rights to request
certificates.
15. On the Export file format page, click Personal Information Exchange – PKCS
#12 (.PFX).
16. Select the Include all certificates in the certification path if possible check box.
17. Clear the Enable strong protection check box, and then click Next.
18. Complete the wizard by accepting all remaining default values and by indicating the
disk or network share where you want to save the certificate.
Step 4.1.2 Import the certificate for the internal interface on the
first edge server
Use the following procedure to import the certificate to the internal interface of your Access
Edge Server or of the first Access Edge Server in an array.
Note
The procedures in this section are based on using a Windows
Server 2003 Enterprise CA or a Windows Server 2003 R2 CA.
For step-by-step guidance for any other CA, see the
documentation that is provided by the CA. By default, all
authenticated users have the necessary user rights to request
certificates.
Note
If the Enterprise CA is reachable from the edge server, you can
use the Send the request immediately to an online
certification authority option. Because this is usually not the
case, this procedure and other certificate request procedures in
this guide do not cover the use of that option.
8. On the Name and Security Settings page, type a friendly name for the certificate,
and then specify the bit length (typically, the default of 1024). Select the Mark cert
as exportable check box, and then click Next.
9. On the Organization Information page, enter the name for the organization and the
organizational unit (such as a division or department, if appropriate), and then click
Next.
10. On the Your Server’s Subject Name page, type or select the subject name and
subject alternate name of the edge server. The subject name should match the FQDN
of the edge server that is published by the internal firewall for the internal interface
on which you are configuring the certificate:
• For the internal interface of the edge server, the subject name should match the
name that your internal servers use to connect to the edge server (typically, the
FQDN of the internal interface for the edge server).
• If you are using a load balancer, the edge server traffic still uses the FQDN of the
internal edge of the server (server name). If you are using a virtual IP address for
the edge server, the certificate should match the FQDN of the virtual IP address
that is used by this server role on the internal load balancer. For the internal
interface, this is typically the published DNS name for the perimeter network
that maps to the edge server.
11. Click Next.
12. On the Geographical Information page, type the location information, and then
click Next.
13. On the Certificate Request File Name page, type the full path and name of the file
to which the request is to be saved in the File name box (or click Browse to locate
and select the file), and then click Next. A typical path and file name is
C:\certrequest_AccessEdge.txt.
14. On the Request Summary page, click Next.
15. On the wizard completion page, verify successful completion, and then click Finish.
16. Submit this file to your CA by e-mail or another method that is supported by your
organization for your Enterprise CA. When you receive the response file, copy the
new certificate to this computer so that it is available for import.
Step 4.2.5 Import the certificate on the internal interface
For each Access Edge Server that you deploy, use the following procedure to import the
certificate on the internal interface of the Access Edge Server.
To import the certificate for the internal interface
1. On the Access Edge Server on which you created the certificate request, log on as a
member of the Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available certificate tasks page, click Process the pending request and
import the certificate, and then click Next.
6. Type the full path and file name of the certificate that you requested for the internal
interface of the edge server (or click Browse to locate and select the certificate), and
then click Next.
7. Click Finish.
Step 4.2.6 Export the certificate (if you have an Access Edge
Server array)
If you are using an Access Edge Server array, use the following procedure to export the
certificate from your Access Edge Server so that you can import it to other Access Edge Servers
in your array.
To export the certificate for the internal interface for importing to
other edge servers
1. On the edge server on which you requested and imported the certificate, log on as a
member of the Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Export a certificate to a .pfx file,
and then click Next.
6. On the Available Certificates page, in the Select a certificate list, click the
certificate that you imported to this edge server as described in the previous
procedure, and then click Next.
7. On the Export Certificate page, type the full path and file name to which you want
to export the certificate in the Path and file name box (or click Browse to locate
and specify a location and file), and then click Next.
8. On the Export Certificate Password page, in the Password box, type the password
to be used to import the certificate on the other edge servers, and then click Next.
9. On the wizard completion page, verify successful completion, and then click Finish.
10. Copy the exported file to a location or media that is accessible by the other edge
servers.
Step 4.2.7 Import the certificate for additional Access Edge
Servers (if you have an Access Edge Server array)
If you are using an Access Edge Server array, use the following procedure to import the
certificate to each Access Edge Server in the array.
To import the certificate for the internal interface of each Access Edge
Server
1. On the other Access Edge Servers where you will import the certificate, log on as a
member of the Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Import a certificate from a .pfx
file, and then click Next.
6. On the Import Certificate page, type the full path and file name of the certificate
that you exported from the first edge server in the Path and file name box (or click
Browse to locate and select the certificate), clear the Mark cert as exportable
check box, and then click Next.
7. On the Import Certificate Password page, type the password that you typed when
you exported the certificate from the first server in the Password box, and then click
Next.
8. On the wizard completion page, verify successful completion, and then click Finish.
Step 4.2.8 Assign the certificate on the internal interface of each
Access Edge Server
Use the following procedure to assign the certificate to the internal interface of each Access Edge
Server in the array.
To assign the certificate to the internal interface of the edge server
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Assign an existing certificate, and
then click Next.
6. On the Available Certificates page, select the certificate that you requested for the
internal interface of this edge server, and then click Next.
7. On the Available Certificate Assignments page, select the Edge Server private
interface check box (the server interface on which you want to install the
certificate), and then click Next.
8. On the Configure the Certificate(s) of Your Server page, review your settings, and
then click Next to assign the certificates.
9. On the wizard completion page, click Finish.
Note
It is possible to use your Enterprise subordinate CA for direct
federation, as well as for testing or trial purposes, as long as all
partners agree to trust the CA or to cross-sign the certificate.
How you configure the certificate on the external interface depends on whether you are
deploying in a single-site edge topology or a scaled single-site edge topology:
• Single-site edge topology. The subject name of the certificate must match the
external FQDN of the Access Edge Server computer. If you have multiple SIP
domains, each supported SIP domain must be entered as sip.<domain> in the Subject
Alternate Name box of the certificate. For example, if your organization supports
two domains, a.contoso.com and b.contoso.com, and the external FQDN of the
computer is sip.a.contoso.com, configure your certificate as follows:
SN=sip.a.contoso.com
SAN=sip.a.contoso.com, sip.b.contoso.com
• Scaled single-site edge topology. The subject name must match the external FQDN
of the VIP (virtual IP) address of the external load balancer that is used by the Access
Edge Server. This certificate must be marked as exportable on the first computer
where you configure the certificate, and it must then be imported onto each additional
computer in the Access Edge Server array.
Note
If your Access Edge Server is not discoverable through DNS SRV
records, organizations federating with your organization must
manually add your SIP domains and your Access Edge Server
FQDN in the Allow List on their Access Edge Servers.
If you enable automatic discovery and want to add additional
SIP domains to those supported in your Live Communications
Server 2005 SP1 environment, you must get a new certificate
with all the supported SIP domains in the SAN.
• If you use a different external FQDN for your Access Edge Server, you must
configure a new certificate for the external interface.
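The SN/SAN rule for the external interface, and the note that adding SIP domains requires a new certificate, can be checked before a certificate is requested or reused. The following Python sketch is an added example, not part of the Microsoft guide; the function names and the domain c.contoso.com are assumptions made for illustration, and the certificate's names are passed in as strings that you have already read from the certificate.

```python
"""Added example: validate certificate names against the external-interface rule.

Rule taken from the guide:
  * SN must match the external FQDN of the Access Edge Server (single-site)
    or of the external load balancer VIP (scaled single-site).
  * With multiple SIP domains, every domain must appear as sip.<domain>
    in the Subject Alternate Name.
"""


def _norm(name):
    # DNS names compare case-insensitively; drop whitespace and a trailing root dot.
    return name.strip().rstrip(".").lower()


def required_san(sip_domains):
    """Return sip.<domain> for each supported SIP domain, de-duplicated, in order."""
    seen, names = set(), []
    for domain in sip_domains:
        entry = "sip." + _norm(domain)
        if entry not in seen:
            seen.add(entry)
            names.append(entry)
    # The guide only requires SAN entries when there is more than one SIP domain.
    return names if len(names) > 1 else []


def plan_names(external_fqdn, sip_domains):
    """Names to put in a new certificate request for the external interface."""
    return {"SN": _norm(external_fqdn), "SAN": required_san(sip_domains)}


def check_external_cert(subject_name, san_names, external_fqdn, sip_domains):
    """Return a list of findings; an empty list means the names satisfy the rule.

    external_fqdn is the Access Edge Server FQDN in a single-site edge topology,
    or the FQDN of the external load balancer VIP in a scaled single-site topology.
    """
    findings = []
    if _norm(subject_name) != _norm(external_fqdn):
        findings.append(
            "subject name %r does not match external FQDN %r"
            % (subject_name, external_fqdn)
        )
    present = {_norm(n) for n in san_names}
    for entry in required_san(sip_domains):
        if entry not in present:
            findings.append("SAN is missing %s" % entry)
    return findings


if __name__ == "__main__":
    # Certificate names from the guide's own example.
    sn = "sip.a.contoso.com"
    san = ["sip.a.contoso.com", "sip.b.contoso.com"]

    # Case 1: the two domains the certificate was issued for.
    print(check_external_cert(sn, san, "sip.a.contoso.com",
                              ["a.contoso.com", "b.contoso.com"]))

    # Case 2 (constructed): a third SIP domain is added later. The existing
    # certificate no longer covers every domain, so a new one is needed.
    domains = ["a.contoso.com", "b.contoso.com", "c.contoso.com"]
    print(check_external_cert(sn, san, "sip.a.contoso.com", domains))
    print(plan_names("sip.a.contoso.com", domains))
```

An empty findings list for the reused Access Proxy certificate means it can be imported as described below; any finding means a new certificate request is needed.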
Note
The procedures in this section are based on a Microsoft
Windows Server 2003 Enterprise CA or a Windows Server 2003
R2 CA. For step-by-step guidance for any other CA, see the
documentation that is provided by the CA. By default, all
authenticated users have the necessary user rights to request
certificates.
15. On the Export File Format page, click Personal Information Exchange – PKCS
#12 (.PFX).
16. Select the Include all certificates in the certification path if possible check box.
17. Clear the Enable strong protection check box, and then click Next.
18. Complete the wizard by accepting all remaining default values and by indicating the
disk or network share where you want to save the certificate.
Step 5.1.2 Import the certificate for the external interface of
each Access Edge Server
Use the following procedure to import the certificate to the external interface of your Access
Edge Server or of each Access Edge Server in an array.
To import the certificate for the external interface
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and
then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Import a certificate from a .pfx file,
and then click Next.
6. On the Import Certificate page, type the full path and file name of the certificate
that you exported from the Access Proxy in the Path and file name box (or click
Browse to locate and select the certificate), clear the Mark cert as exportable
check box, and then click Next.
7. On the Import Certificate Password page, type the password that you used when
you exported the certificate from the Access Proxy in the Password box, and then
click Next.
8. On the wizard completion page, verify successful completion, and then click Finish.
Step 5.1.3 Verify that the CA is on the list of trusted root CAs
For each Access Edge Server that you deploy, use the following procedure to verify that the CA
for the edge server is on the list of trusted root CAs.
To verify that your CA is on the list of trusted root CAs
1. On the Access Edge Server, open an MMC console: Click Start, and then click
Run. In the Open box, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.
4. In the Certificate snap-in dialog box, click Computer account, and then click
Next.
5. In the Select Computer dialog box, ensure that the Local computer: (the
computer this console is running on) check box is selected, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, expand Certificates (Local Computer), expand Trusted Root
Certification Authorities, and then click Certificates.
8. In the details pane, verify that your CA is on the list of trusted CAs.
Step 5.1.4 Assign the certificate on the Access Edge Server
For each Access Edge Server that you deploy, use the following procedure to assign the
certificate to the external interface.
To assign the certificate to the external interface of the edge server
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and
then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Assign an existing certificate, and
then click Next.
6. On the Available Certificates page, select the certificate that you requested for the
external interface of this edge server, and then click Next.
7. On the Available Certificate Assignments page, select the Access Edge Server
Public Interface check box (the server interface on which you want to install the
certificate), and then click Next.
8. On the Configure the Certificate(s) of Your Server page, review your settings, and
then click Next to assign the certificates.
9. On the wizard completion page, click Finish.
Note
If the Enterprise CA is reachable from the edge server, you can
use the Send the request immediately to an online
certification authority option. Because this is usually not the
case, this procedure and other certificate request procedures in
this guide do not cover the use of that option.
8. On the Name and Security Settings page, type a friendly name for the certificate,
specify the bit length (typically, the default of 1024), select the Mark cert as
exportable check box, and then click Next.
9. On the Organization Information page, type the name for the organization and the
organizational unit (such as a division or department, if appropriate), and then click
Next.
10. On the Your Server’s Subject Name page, type or select the subject name and
subject alternate name of the edge server:
• The subject name should match the FQDN of the server that is published by the
external firewall for the external interface on which you are configuring the
certificate. For the external interface of the Access Edge Server, this certificate
subject name should be sip.<domain>.
• If multiple SIP domain names exist and they do not appear in the Subject
alternate name box, type the name of each additional SIP domain as
sip.<domain>, separating names with a comma. Domains entered during
configuration of the Access Edge Server are automatically added to this box.
11. Click Next.
12. On the Geographical Information page, type the location information, and then
click Next.
13. On the Certificate Request File Name page, type the full path and name of the file
to which the request is to be saved in the File name box (or click Browse to locate
and select the file), and then click Next. A typical path and file name is
C:\certrequest_AccessEdge.txt.
14. On the Request Summary page, click Next.
15. On the wizard completion page, verify successful completion, and then click Finish.
16. Submit this file to your CA by e-mail or another method that is supported by your
organization for your Enterprise CA. When you receive the response file, copy the
new certificate to this computer so that it is available for import.
Step 5.2.2 Submit the request to your public CA
Use the following procedure to submit a request to your public CA.
To submit a request to a public certification authority
1. Open the output file.
2. Copy the contents of the certificate signing request (CSR), beginning with:
-----BEGIN NEW CERTIFICATE REQUEST-----
and ending with:
-----END NEW CERTIFICATE REQUEST-----
and paste them into the appropriate text box.
3. If you are prompted, select the following options:
• Microsoft as the server platform
• IIS as the version
• Web Server as the usage type
• PKCS7 as the response format
4. When the public CA has verified your information, you receive an e-mail message
containing text that is required for your certificate.
5. Copy the text from the e-mail message to a text file (.txt) on your local computer and
note the file name and location for later.
6. Download the root CA chain of the public CA, and then install it on the local
computer store of each edge server.
Note
Appendix B provides an example of a certificate request and a
sample procedure for requesting a certificate from a public CA.
Note
The following steps detail how to start services by using the
Deployment Wizard, but you can also start services from the
Office Communications Server 2007 administrative snap-in. For
details, see the Microsoft Office Communications Server 2007
Administration Guide.
Note
In Office Communications Server 2007, any federated
connection that is not configured on the Allow tab is actively
monitored for higher than average activity. Any partners that
are not explicitly configured on the Allow tab are subject to
connection throttling if their federated activity with your
organization exceeds some preset limits. It is recommended
that you always add trusted federated partners to your Allow
tab. For more information about how connection throttling
works, see the Microsoft Office Communications Server 2007
Administration Guide.
Step 8.1 Add the Access Edge Server to the Trusted Server List
or Update Your Internal Firewall Setting
If you use an internal firewall between your internal servers and your Access Edge Server, the
global properties in Active Directory route traffic to your internal firewall. In that case, you
simply change the internal firewall setting to point to the internal IP address of your new Access
Edge Server; you do not need to update global properties.
For specific firewall procedures, see your firewall documentation.
If you use a different FQDN on the internal interface of your Office Communications Server
2007 Access Edge Server, you must add this server to the Trusted Access Proxy list in Active
Directory so that Live Communications Servers within your forest accept messages from the
Access Edge Server.
To add the Access Edge Server to the trusted server list
1. Log on to an internal Live Communications Server 2005 with SP1 that is joined to
an Active Directory domain or log on to a computer that has the Live
Communications Server 2005 SP1 Administrative Tools installed, as a member of
the RTCDomainServerAdmin group.
2. Click Start, point to All Programs, point to Administrative Tools, and then click
Live Communications Server 2005.
3. Expand Microsoft Live Communications Server 2005.
4. Right-click the forest node, and then click Properties.
5. On the Access Proxy tab, click Add.
6. In the Access Proxy address box, type the FQDN (fully qualified domain name) of
your Access Edge Server, and then click OK.
Step 8.2 Identify Your Access Edge Server as the Next Hop
Server for Your Director or Internal Servers
How you identify your Access Edge Server as the next hop for external traffic depends on
whether your environment includes a Director. Use the appropriate option for your environment:
• Option 1: If you are using a Director to route all external traffic to and from the
Access Edge Server, you must update the next hop server on the Director.
• Option 2: If you are not using a Director, use the procedure immediately following
this one to configure the Access Edge Server as the FQDN to which all internal
servers route external traffic.
Option 1: To configure the Director to route to the Access Edge Server
1. Log on to an internal Live Communications Server 2005 SP1 server that is a member
of an Active Directory domain, or log on to a computer that has the Live
Communications Server 2005 with SP1 Administrative Tools installed, as a member
of the RTCDomainServerAdmin and RTCUniversalServerAdmins groups.
2. Click Start, point to All Programs, point to Administrative Tools, and then click
Live Communications Server 2005.
3. In the console tree, expand Microsoft Office Live Communications Server 2005.
4. Expand the forest node.
5. Expand subsequent nodes under the Domains node until you reach the domain in
which your Director resides.
6. Expand the Live Communications servers and pools node.
7. Right-click the Director, and then click Properties.
8. On the Federation tab, type the FQDN of the Access Edge Server in the Network
address box.
9. In the Port number box, accept the default port of 5061 unless you are using a
different port number for the Access Edge Server. (It is recommended that you use
port 5061.)
Option 2: To configure your internal servers to route to the Access
Edge Server
1. Log on to an internal Live Communications Server 2005 SP1 server that is a member
of an Active Directory domain, or log on to a computer that has the Live
Communications Server 2005 with SP1 Administrative Tools installed, as a member
of the RTCDomainServerAdmin and RTCUniversalServerAdmins groups.
2. Click Start, point to All Programs, point to Administrative Tools, and then click
Live Communications Server 2005.
3. Right-click the forest node, and then click Properties.
4. Click the Federation tab.
5. In the Network address box, enter the FQDN of the new Access Edge Server.
Important
Users experience service interruptions during this step.
Note
If you change the external DNS A record for your Access Edge
Server and you have enabled public IM connectivity, you must
update your provisioning information as described at
http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=provision.
If there is a problem with connectivity, you can simply redirect your firewall to your existing
Live Communications Server 2005 SP1 Access Proxy to avoid an extended outage. To do so,
follow the procedure outlined in Step 9 Change Your Firewall Settings or DNS Settings to Use
the IP Address of Your New Access Edge Server, but point to the Live Communications Server
2005 with SP1 Access Proxy.
Important
Your users experience an interruption in service when you
perform this step.
Step 12.7 Configure Your Access Edge Server to Use the New
Director
Your deployment continues to use the existing Live Communications Server 2005 with SP1
Director until you configure the Access Edge Server to use the new Director.
To switch to the new Director
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. Open Computer Management: Right-click My Computer, and then click Manage.
3. In the console tree, expand Services and Applications.
4. Right-click Microsoft Office Communications Server 2007, and then click
Properties.
5. Click the Internal tab.
6. In the Next hop network address box, type the FQDN of the Office
Communications Server 2007 Director.
7. Under Internal servers authorized to connect to this server, click Add Server.
8. In the Office Communications Server box, type the FQDN of your Office
Communications Server 2007 Director.
Note
Do not deploy Office Communicator 2007 during Phase 1. The
Office Communicator 2007 client does not work until you deploy
new internal computers running Office Communications Server
2007 Standard Edition or Enterprise pools and move users to
these servers or pools (as described in Phase 2).
3. Verify that User Replication completed successfully on the new server or pool.
4. Back up user data on the existing Live Communications Server 2005 with SP1.
5. Export user data from Live Communications Server 2005 with SP1.
6. Move users to Office Communications Server 2007. You might want to transfer a
small number of users at first to test the configuration.
7. Configure users on Office Communications Server 2007.
8. Transfer remote call control settings as necessary.
9. Validate the configuration and connectivity of the server or pool.
At this point, the users who were moved to Office Communications Server 2007 are still using
Office Communicator 2005 as their client. They are able to use the following features as if they
were still using Live Communications Server SP1:
• Internal IM and presence
• Remote user access
• Federation
• Public IM connectivity
Note
If you are using a pool with a single Enterprise Edition Server,
you still must use a separate computer for the SQL database.
Installing the back-end database on a computer with Enterprise
Edition Server installed is not supported.
Note
If your organization has compliance-related applications
currently running on Live Communications Server 2005 with
SP1, be aware of the following changes to the way instant
messages are formatted and archived:
• Office Communicator 2007 sends instant
messages in rich-text format (RTF). These messages
are archived by Office Communications Server in the
same format in the Office Communications Server
2007 archiving database.
• Office Communicator 2007 includes the first IM
message as a base64-encoded parameter “ms-body”
within the “ms-text-format” header.
Any applications that are based on the Live Communications
Server 2005 Management API and that intercept IM messages
for compliance purposes might need to be updated for these
changes.
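For a compliance application that must capture the first IM described in the note above, the following added example (not part of the original guide and not Microsoft code) extracts and decodes the ms-body parameter from the ms-text-format header of a SIP INVITE. The sample INVITE is constructed, the function names are hypothetical, and RTF message bodies are not handled.

```python
import base64
import binascii

# Constructed sample: header section of an INVITE that opens an IM session.
# The Ms-Text-Format header is folded onto a second line to exercise unfolding.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "From: <sip:alice@example.com>;tag=1a2b\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: constructed-call-id-0001\r\n"
    "CSeq: 1 INVITE\r\n"
    "Ms-Text-Format: text/plain; charset=UTF-8;\r\n"
    " ms-body=SGVsbG8sIGFyZSB5b3UgdGhlcmU/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def unfold_headers(raw):
    """Return {lowercased header name: [values]} for a raw SIP message."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    current = None
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line[:1] in (" ", "\t") and current is not None:
            # Continuation of a folded header: append to the last value.
            headers[current][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        current = name.strip().lower()  # SIP header names are case-insensitive
        headers.setdefault(current, []).append(value.strip())
    return headers


def parse_text_format(value):
    """Split 'text/plain; charset=UTF-8;ms-body=...' into (media type, params)."""
    media_type, *raw_params = [part.strip() for part in value.split(";")]
    params = {}
    for part in raw_params:
        if not part:
            continue
        # Split on the first '=' only, so base64 padding stays in the value.
        key, _, val = part.partition("=")
        params[key.strip().lower()] = val.strip().strip('"')
    return media_type.lower(), params


def first_im_from_invite(raw):
    """Return (media type, text) of the first IM in an INVITE, or None."""
    for value in unfold_headers(raw).get("ms-text-format", []):
        media_type, params = parse_text_format(value)
        body = params.get("ms-body")
        if body is None:
            continue  # session opened without an embedded first message
        body += "=" * (-len(body) % 4)  # tolerate stripped padding
        try:
            data = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            # Surface malformed content instead of archiving garbage.
            raise ValueError("ms-body is not valid base64") from exc
        try:
            text = data.decode(params.get("charset", "utf-8"), errors="replace")
        except LookupError:
            text = data.decode("utf-8", errors="replace")
        return media_type, text
    return None


if __name__ == "__main__":
    print(first_im_from_invite(SAMPLE_INVITE))
```

An application that archives only the bodies of later messages in the session would miss this first message, which is why the INVITE headers need to be inspected as well.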
Notes
The new Office Communications Server 2007 Dbimpexp.exe
tool is required for this operation. Do not use the Live
Communications Server 2005 with SP1 version of this tool.
The Office Communications Server 2007 User Services database
(the RTC database) must be available when you perform this
procedure, but users should not sign in while you are running
the Dbimpexp tool. To prevent users from signing in, stop rtcsrv
services on both servers (the Live Communications Server
service on the Live Communications Server 2005 SP1 server
and the Communications Server service on the Office
Communications Server 2007 server).
Running this tool on a Microsoft SQL Server cluster is not
supported.
Note
If the users are currently homed on multiple Live
Communications Server 2005 with SP1 pools or servers, you
must export the user data that is stored on each Enterprise pool
or Standard Edition server. To do this, repeat steps 1 through 4
on each server or pool on which users are homed.
Note
The following procedure uses the Office Communications Server
2007 administrative snap-in to move users. You can run the
snap-in from any computer that is running Office
Communications Server 2007. You can also move users by
using Active Directory Users and Computers on any server in
the domain on which the Office Communications Server 2007
administrative snap-in is installed.
Note
Running the Move Users Wizard twice can clean up Active
Directory attributes in instances where a move was
unsuccessful. If a user is having problems, run the Move Users
Wizard again after Active Directory replication is completed.
Note
If the Move Users operation succeeded but the users do not
appear under the Users node for the Enterprise pool or
Standard Edition server, force Active Directory replication or
wait for replication to complete and then refresh the data.
Note
If you enable anonymous participation in meetings, your
internal users can invite people from outside your organization
to participate in your on-premise Web conference meetings. By
default, all users are allowed to organize meetings that include
anonymous participants.
Note
To configure a particular voice setting for a specific user, the
corresponding setting under the forest’s Voice properties must
be configured to allow enforcement on a per-user basis.
11. Verify the status of each user configuration operation, and then click Finish.
Note
If you want to manually configure your clients, you need to
perform this step when you deploy Office Communicator to your
users.
To manually configure a client
1. On the user’s computer, open Office Communicator 2007.
2. In the title bar, click the Menu button, point to Tools, and then click Options.
3. Click the Phones tab.
4. Click Advanced.
Note
If you want to manually configure your clients, you need to
perform this step when you deploy Office Communicator to your
users.
To manually configure a client
1. Open Communicator 2007.
2. In the title bar, click the Menu button, point to Tools, and then click Options.
3. Click the Phones tab.
4. Click Advanced.
Important
Because this user account will be converted to use enhanced
presence, ensure that you use a test account.
9. In the Server or Pool list, click the name of the server or Enterprise pool on which
the user account is hosted.
10. Click Next.
11. On the Second user account page, type the account name, user sign-in name, and
password of a second test user who is enabled for SIP. This account will be used
with the first account that you specified to test IM functionality between two users.
Important
Because this user account will be converted to use enhanced
presence, ensure that you use a test account.
12. In the Server or Pool list, click the name of the server or Enterprise pool on which
the user account is hosted, and then click Next.
13. If you have configured federation or public IM connectivity, select the Test
between internal user and federated users check box on the Federation and
Public IM Connectivity page. In the Enter SIP User Accounts for federated use
box, type the SIP URI of one or more federated user accounts (separated by
semicolons) that you want to use to test this functionality. If you have not configured
federation or public IM connectivity, go to the next step.
14. Click Next.
15. On the wizard completion page, verify that the View the log when you click Finish
check box is selected, and then click Finish.
16. When the Office Communications Server 2007 Deployment Log opens in a Web
browser window, verify that Success appears under Execution Result in the action
column. Optionally, expand each individual task and verify that the Execution
Result shows Success for the task. When you finish, close the log window.
Important
If you enable enhanced presence for a user and the user signs
in to Office Communications Server 2007 using the
Communicator 2007 client, the user account is converted to use
enhanced presence. The user is then no longer able to sign in to
Live Communications Server 2005 SP1 and cannot use any
previous version of Office Communicator, Communicator Web
Access, or Communicator Mobile to sign in.
2. Deploy Office Communicator 2007 to all client computers for these users.
3. Deploy the Microsoft Office Live Meeting 2007 client to all client computers for
these users.
Note
You can also access the Configure Users Wizard from the Active
Directory Users and Computers snap-in by right-clicking users in
an OU (organizational unit) and then clicking Configure User
Settings.
6. On the Configure Operations Status page, review the settings, and then click Finish.
Note
If you do not retain the user database (the default setting), user
data for this server is lost.
Important
Before you begin this process, verify that no users are still
assigned to the pool.
Use the following procedures to uninstall Live Communications Server 2005 with SP1 Standard
Edition. This involves the following tasks:
1. Deactivating each server in the Enterprise pool.
2. Removing the files on all but the last server in the pool.
3. Removing the Enterprise pool.
To deactivate a server in the Enterprise pool
1. Log on as a member of the DomainAdmins group to a Live Communications Server
that is a member of the same domain as the Live Communications Server 2005 with
SP1 Enterprise Edition server that you are deactivating. If the domain is a child
domain, you must also be logged on as a member of the
RTCDomainServerAdmins group. The Standard Edition server can be anywhere in
the enterprise, as long as it is joined to a domain and the user has the necessary
group memberships. You can also perform this task from a domain member server
that has the Live Communications Server 2005 with SP1 administrative snap-in
installed.
2. Open the Live Communications Server 2005 with SP1 snap-in: Click Start, point to
All Programs, point to Administrative Tools, and then click Live
Communications Server 2005.
3. In the console tree, expand Live Communications Server 2005 with SP1.
4. Expand subsequent nodes under the Domains node until you reach the domain in
which the server or pool resides.
5. Expand Live Communications servers and pools.
6. Right-click the FQDN of the server, and then click Deactivate.
To remove the Live Communications Server files on all but the last
server in the pool
1. Log on to the Live Communications Server 2005 with SP1 server as a member of the
Administrators group.
2. Click Start, point to Control Panel, and then click Add or Remove Programs.
3. In Add or Remove Programs, click Live Communications Server 2005 with SP1, and
then click Change.
4. In the Setup Wizard, click Next.
5. On the Program Maintenance page, confirm that the action is set to Remove, and
then click Next.
Remove the Enterprise pool only after you have deactivated and removed the files from all but
one server in the pool. Do not remove a pool unless you are certain that the pool is no longer
used by any servers or users. After you remove this pool, you must delete its configuration from
the load balancer.
To remove a pool
1. Log on as a member of the RTCDomainServerAdmins group to a Live
Communications Server that is a member of the same domain as the Enterprise pool
that you are removing. The computer can be anywhere in the enterprise, as long as it
is joined to a domain and the user account has the necessary group membership.
2. Click Start, point to All Programs, point to Administrative Tools, and then click
Live Communications Server 2005.
3. In the console tree, expand Live Communications Server 2005 with SP1.
4. Expand nodes under the Domains node until you reach the domain in which the
server or pool resides.
5. Expand Live Communications servers and pools.
6. Right-click the pool, and then click Remove pool.
7. Deactivate and remove Live Communications Server 2005 with SP1 from this server
as described earlier in this section.