
Microsoft Office Communicator Web Access (2007 release)
Guide to Lab Deployment
Published: July 2007
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or
event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting
the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in
any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows Server, Windows Vista, Active Directory, and Internet Explorer are either registered trademarks or
trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.


Contents
Introduction
  Overview of Lab Scenarios
  Supported Browsers
  Lab Scenario 1: Built-in Authentication
    Lab Scenario 1 System Requirements
    Setting Up contosodc.contoso.com
    Setting Up ocs2k7.contoso.com
    Setting Up cwaserver.contoso.com
    Configuring the Client Computers
    Performing Lab Scenario 1 Exercises
  Lab Scenario 2: Configuring SSO Using ISA Server 2006
    Lab scenario 2 System Requirements
    Setting Up the Internet DNS Server
    Setting Up isa2006.contoso.com and cwaserver.contoso.com
    Configuring client1.contoso.com and Testing the Deployment
    Performing Lab Scenario 2 Exercises
Introduction
Microsoft® Office Communicator Web Access (2007 release) provides browser-based client
access to Microsoft Office Communications Server 2007. Office Communications Server 2007
and Communicator Web Access (2007 release) build on the foundation established by Live
Communications Server 2005 with SP1 and Communicator Web Access (2005 release).
This document describes the steps that are necessary to deploy Communicator Web Access (2007
release) in a lab environment with a single-forest, single-domain topology.

Overview of Lab Scenarios


This guide contains the following lab scenarios:
• Lab Scenario 1: Built-in authentication deployment. Lab scenario 1 demonstrates
the requirements and installation steps for deploying Communicator Web Access
with built-in authentication. You use built-in authentication for testing the Unified
Communications JavaScript Libraries and the new Unified Communications AJAX
API. Built-in authentication does not support single sign-on (SSO). For information
about SSO, see the Microsoft Office Communicator Web Access (2007 release)
Planning and Deployment Guide. For information about the Unified Communications
AJAX API and the Unified Communications JavaScript Libraries, see the Microsoft
Unified Communications AJAX SDK.
• Lab Scenario 2: Custom authentication deployment. Lab scenario 2 demonstrates
the requirements and installation steps for deploying Communicator Web Access
configured for custom authentication and deploying ISA (Internet Security and
Acceleration) Server 2006 Standard Edition or Enterprise Edition with SSO enabled.
When SSO is enabled in ISA Server 2006 (the default configuration for ISA Server),
an ISA sign-in form prompts users for credentials. The user’s credentials are cached
on the computer that is running ISA Server after successful authentication. The
cached credentials are used to provide the user with an SSO experience. If an
application to which a user is signing in is SSO-aware, the sign-in information is
passed on to it and other SSO-aware applications so that the user does not have to
sign in again. This experience is referred to as single sign-on. Single sign-on
authentication provides users with an automatic sign-in experience after initial
authentication. SSO is gaining in importance as Web-based portal solutions combine
several applications into a single interface. It is also important when users are
accessing multiple Web-based programs during a single session.
Completion of Lab scenario 1 is a prerequisite for Lab scenario 2. For information about custom
authentication, automatic logon, and SSO, see the Microsoft Office Communicator Web Access
(2007 release) Planning and Deployment Guide. For information about the Unified
Communications AJAX API and the Unified Communications JavaScript Libraries, see the
Microsoft Unified Communications AJAX SDK.

Note
The deployment scenarios that are described in this document
are intended for test-lab purposes only. They might not be
suitable for a production environment.

Supported Browsers
Supported browsers for Communicator Web Access (2007 release) are shown in the following
table.
Table 1. Supported Browsers
Operating System | Internet Browser | Authentication Mechanism
Microsoft Windows® 2000 SP4 | Microsoft Internet Explorer® 6 SP1 | NTLM, Kerberos, Forms-based, Custom
Windows XP SP2 | Internet Explorer 6 SP2; Windows Internet Explorer 7 | NTLM, Kerberos, Forms-based, Custom
Windows XP SP2 | Mozilla Firefox 2.0 with latest update | Forms-based, Custom
Windows Vista®, Enterprise Edition | Internet Explorer 7 | NTLM, Kerberos, Forms-based, Custom
Windows Vista®, Enterprise Edition | Mozilla Firefox 2.0.0.3 and later | Forms-based, Custom
Mac OS X 10.4.9 | Safari 2.0.4; Firefox 2.0.latest | Forms-based, Custom

Lab Scenario 1: Built-in Authentication


In Lab Scenario 1, you will deploy Communicator Web Access (2007 release) with built-in
authentication in a lab setting that employs a single-forest, single-domain topology. The resulting
environment supports testing of the new Unified Communications JavaScript Libraries, the new
Unified Communications AJAX API, and automatic sign-in scenarios other than SSO-enabled
ISA Server 2006 scenarios. The environment simulates a corporate Windows network with users
for which Microsoft Office Communicator 2007 is not an option. These users might include:
• Macintosh users
• UNIX users
• Users of supported Windows platforms who are not authorized to install the
Microsoft Office Communicator 2007 client
Communicator Web Access provides users with an installation-free solution for accessing the
instant messaging, presence features, and other features of Microsoft Office Communications
Server 2007 that you deploy and enable.
In Lab Scenario 1, you will set up a development lab environment for a single-forest,
single-domain topology in which Communicator Web Access (2007 release) is deployed. In this
simulated corporate user environment, you can perform the following tasks:
• Set up Communicator Web Access
• Sign in to Communicator Web Access
• Search for users to add to the Contact List
• Add contacts to, and delete them from, the Contact List
• Send an instant message by using Communicator Web Access
• Change presence status
• Set presence status to Do Not Disturb
In this scenario, the fictitious Contoso Corporation network includes the following:
• A domain controller that runs Microsoft Active Directory® Domain Services, DNS
Server, and a private certification authority
• A server that runs Microsoft Office Communications Server 2007, Standard Edition

Important
Running Office Communications Server 2007 on a domain
controller is not supported.

• A Communicator Web Access (2007 release) server


• One hub
• Two clients

Note
Installing Communicator Web Access (2007 release) and any
server role of Office Communications Server 2007 on the same
physical server is not supported.
Figure 1. Topology for Lab Scenario 1

In this lab scenario, you will perform the following tasks:


1. Set up contosodc.contoso.com. This server functions as the Active Directory domain
controller, the DNS Server, and the Microsoft Windows Server® 2003 SP1 enterprise
root certification authority (CA).
2. Set up ocs2k7.contoso.com. This server runs Microsoft Office Communications
Server 2007, Standard Edition.

Note
Running Office Communications Server 2007 on a domain
controller is not supported.

3. Set up cwaserver.contoso.com. This server functions as the Communicator Web
Access server.
4. Prepare the clients. Each client computer connects to Communicator Web Access
through a browser.
5. Perform Lab scenario 1 exercises. The lab exercises demonstrate end-user tasks
such as adding contacts, sending instant messages, and changing presence.

Lab Scenario 1 System Requirements


You need three “bare-metal” servers, two client computers, and one hub, as shown previously in
Figure 1.
Server: contosodc.contoso.com
Table 2 shows the minimum system requirements for contosodc.contoso.com. For this lab
scenario, the root CA issues certificates required for secure communications in Office
Communications Server 2007, Standard Edition, and Communicator Web Access.
Table 2. Minimum Requirements for contosodc.contoso.com
Component | Requirement
contosodc.contoso.com - Domain Controller: IP Address = 10.10.10.1/24
Software
Operating System | Windows Server 2003 SP1 or later (Standard Edition, Enterprise Edition, or Datacenter Edition)
Directory Service | Active Directory
Name Resolution | DNS Server
Public Key Infrastructure | Windows Server 2003 SP1 or later Enterprise Root CA
Certificate services Web enrollment support | IIS 6.0
QFEs | KB 917283 (http://support.microsoft.com/kb/917283); KB 922770 (http://support.microsoft.com/kb/922770)
Group memberships | DomainAdmins; Administrators
Hardware
Processor, Networking, Memory, Disk Space | See: http://technet.microsoft.com/en-us/windowsserver/bb430827.aspx.

You install IIS 6.0 from the Windows Control Panel. For details, see the Windows Server
documentation.
To download Service Pack 1 for Windows Server 2003, go to
http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/default.mspx.
Server: ocs2k7.contoso.com
Table 3 shows the minimum system requirements for ocs2k7.contoso.com.
Table 3. Minimum Requirements for ocs2k7.contoso.com
Component | Requirement
ocs2k7.contoso.com – Office Communications Server 2007: IP Address = 10.10.10.30/24
Software
Operating System | Windows Server 2003 SP1 or later (Standard Edition, Enterprise Edition, or Datacenter Edition)
Office Communications Server 2007 | Office Communications Server 2007, Standard Edition
Office Communications Server 2007 Web Components support | IIS 6.0
Other software required for Office Communications Server 2007 | .NET Framework Version 2.0 or later; ASP.NET 2.0
QFEs | KB 915066 (http://support.microsoft.com/kb/915066); KB 913297 (http://support.microsoft.com/kb/913297); KB 917283 (http://support.microsoft.com/kb/917283); KB 922770 (http://support.microsoft.com/kb/922770)
Group memberships | DomainAdmins; Administrators
Hardware
Processor | Dual 3.2-GHz CPU
Networking | 1-Gigabit Ethernet network adapter
Memory | 4 GB of RAM
Disk Space | 2 × 36-GB NTFS-formatted hard drives

For details about installing Office Communications Server, Standard Edition, see the Microsoft
Office Communications Server 2007, Standard Edition Deployment Guide available on the Office
Communications Server 2007 installation media.
You install IIS 6.0 from the Windows Control Panel. For details, see the Windows Server
documentation.
To download Service Pack 1 for Windows Server 2003, go to
http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/default.mspx.
To download the .NET Framework, go to
http://www.microsoft.com/downloads/details.aspx?familyid=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en.
Server: cwaserver.contoso.com
Table 4 shows the minimum system requirements for cwaserver.contoso.com. On this server, you
will install Communicator Web Access.
Table 4: cwaserver.contoso.com Minimum Requirements
Component | Requirement
cwaserver.contoso.com – Communicator Web Access - IP Address = 10.10.10.35/24
Software
Disk format | NTFS
Operating System | Windows Server 2003 SP1 or later (Standard Edition, Enterprise Edition, or Datacenter Edition)
Other software required for Communicator Web Access | .NET Framework Version 2.0 or later; IIS 6.0; ASP.NET 2.0; Communicator Web Access; Office Communications Server 2007, Unified Communications Managed API v1.0 (installed during setup)
Hardware
Processor | Dual 3.2-GHz CPU
Networking | 1-Gigabit Ethernet network adapter
Memory | 4 GB of RAM
Disk Space | 1 × 36-GB NTFS-formatted hard drives
Group memberships
To install Communicator Web Access | User must be a member of Administrators group.
To activate Communicator Web Access | User must be a member of the DomainAdmins group.
To create a virtual server | User must be a member of Administrators group.

Client Computers
Each client computer runs the Microsoft Windows XP with SP2 operating system with the
Microsoft Internet Explorer® 7 Internet browser. You can optionally add Office Communicator
2007 to one or both of the client computers.
Table 5. Minimum Requirements for Client 1 and Client 2
Component | Requirement
Client 1 - Member client; name=Client1; IP Address=10.10.10.4/24
Client 2 - Member client; name=Client2; IP Address=10.10.10.5/24
Software
Operating System | Windows 2000 with Service Pack 4 [1]
Browser/Client | Internet Explorer 6.0 with SP1 [1]
Other software | Office Communicator 2007
Hardware
Processor | 300-MHz CPU
Networking | One network adapter
Memory | 128 MB of RAM
Disk space | 20 GB
[1] Other operating systems or browsers can be used. For a list of supported operating
systems and browsers, see the Microsoft Office Communicator Web Access (2007
release) Planning and Deployment Guide.

Setting Up contosodc.contoso.com
Preparing contosodc.contoso.com consists of the following steps:
1. Configure a static IP Address.
2. Prepare Active Directory using dcpromo and configure DNS.
3. Configure the server as a Windows Server 2003 SP1 or later Enterprise Root CA.
The following sections explain these steps in detail, assuming you are using a classic style start
menu.
Configure Static IP Address for contosodc
Connect the Server to Hub 1, and then configure the server with a static IP address.
To configure a static IP address for contosodc
1. Click Start, point to Settings, and then click Network Connections.
2. Right-click the connection for which you want to configure a static IP address, and
then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Use the following
IP address.
5. In the IP address box, type 10.10.10.1.
6. In the Subnet mask box, type 255.255.255.0.
7. Click Use the following DNS server addresses.
8. In the Preferred DNS server box, type 10.10.10.1.
9. Click OK twice, and then close the Network Connections window.
Prepare Active Directory by Using dcpromo and configure DNS
Use dcpromo to install Active Directory and promote contosodc.contoso.com to a domain
controller, and then configure DNS. You will need your Windows Server 2003 installation media
in order to complete the procedure.
To prepare Active Directory using dcpromo and configure DNS
1. Click Start, and then click Run.
2. In the Open box, type dcpromo, and then click OK.
3. On the Active Directory Installation Wizard Welcome page, click Next.
4. On the Operating System Compatibility page, click Next.
5. On the Domain Controller Type page, accept the default Domain controller for a
new domain, and then click Next.
6. On the Create New Domain page, accept the default Domain in a new forest, and
then click Next.
7. On the New Domain Name page, enter contoso.com in the text box, and then click
Next.
8. On the NetBIOS Domain Name page, accept the default CONTOSO, and then click
Next.
9. On the Database and Log Folders page, accept the default locations, and then click
Next.
10. On the Shared System Volume page, accept the default location, and then click
Next.
11. On the DNS Registration Diagnostics page, click Install and configure the DNS
server on this computer, and set this computer to use this DNS server as its
preferred DNS server, and then click Next.
12. On the Permissions page, accept the default Permissions compatible only with
Windows 2000 or Windows Server 2003 operating systems, and then click Next.
Office Communications Server 2007 requires native mode.
13. On the Directory Services Restore Mode Administration Password page, enter the
same password in both boxes, and then click Next.
14. On the Summary page, click Next.
15. If prompted, type the full path to the Windows Server 2003 installation folder or CD,
and then click Continue.
16. Click Finish.
17. Ensure that the domain controller is in native mode. See
http://support.microsoft.com/kb/322692.
Configure contosodc.contoso.com as a Windows Server 2003
Enterprise Root CA
Install certificate services and configure the server as an enterprise root certification authority.
To install certificate services and configure the server as an Enterprise
root CA
1. Click Start, point to Settings, click Control Panel, and then click Add or Remove
Programs.
2. Click Add or Remove Windows Components.
3. In the Windows Components Wizard, click Certificate Services.
4. On the Microsoft Certificate Services page, click Yes, and then click Next.
5. On the CA Type page, click Enterprise root CA, and then click Next.
6. On the CA Identifying Information page, type cwaserver in the Common name
for this CA box, and then click Next.
7. On the Certificate Database Settings page, click Next.
8. If prompted, type the full path to the Windows Server 2003 installation folder or CD,
and then click Continue.
9. In the Microsoft Certificate Services message, click Yes to allow IIS to be
temporarily stopped.
10. In the Microsoft Certificate Services message, click Yes to enable ASP and IIS.
After you have installed Microsoft Certificate Services, prepare the CA for issuing certificates by
duplicating the Web server certificate template. During this procedure, you must grant Enroll
and Auto enroll permissions for the following groups in all domains: AuthenticatedUsers,
DomainAdmins, DomainComputers, and EnterpriseAdmins. See the Microsoft Office
Communications Server 2007, Standard Edition Deployment Guide for the procedure to do this.

Setting Up ocs2k7.contoso.com
Preparing ocs2k7.contoso.com consists of the following steps:
1. Configure a static IP Address.
2. Install and configure Office Communications Server 2007, Standard Edition.

Note
Running Office Communications Server 2007 on a domain
controller is not supported.

3. Request and configure certificates for Office Communications Server 2007.


The following sections explain these steps in detail.
Configure Static IP Address for ocs2k7.contoso.com
Connect the Server to Hub 1, and then configure the server with a static IP address.
To configure a static IP address for ocs2k7.contoso.com
1. Click Start, point to Settings, and then click Network Connections.
2. Right-click the connection for which you want to configure a static IP address, and
then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Use the following
IP address.
5. In the IP address box, type 10.10.10.30.
6. In the Subnet mask box, type 255.255.255.0.
7. Click Use the following DNS server addresses.
8. In the Preferred DNS server box, type 10.10.10.1.
9. Click OK twice, and then close the Network Connections window.
Request Certificates for Office Communications Server 2007,
Standard Edition
For details about requesting certificates, see the Microsoft Office Communications Server 2007,
Standard Edition Deployment Guide.

Note
The MTLS (mutual TLS) certificates for both Office
Communications Server 2007, Standard Edition, and
Communicator Web Access must be issued from the same
certification authority (CA) and must use a duplicated Web
server template in which the Mark keys as exportable option
is enabled.

Install and Configure Office Communications Server 2007,
Standard Edition
See the Microsoft Office Communications Server 2007, Standard Edition Deployment Guide.

Setting Up cwaserver.contoso.com
For this lab scenario, cwaserver.contoso.com functions as the Communicator Web Access server.
Preparing cwaserver for this role consists of the following steps:
1. Configure a static IP address and name resolution.
2. Add cwaserver to the contoso.com domain.
3. Request the required certificates for Communicator Web Access.
4. Install and configure Communicator Web Access.
The following sections describe these steps in detail.
Configure the Static IP Address
Connect cwaserver to Hub1, and then configure cwaserver with a static IP address.
To configure cwaserver with a static IP address
1. Click Start, point to Settings, and click Network Connections.
2. Right-click the connection for which you want to configure a static IP address, and
then click Properties.
3. In the Properties dialog box, click Internet Protocol (TCP/IP), and then click
Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Use the following
IP address.
5. In the IP address box, type 10.10.10.35.
6. In the Subnet mask box, type 255.255.255.0.
7. Click Use the following DNS server addresses.
8. In the Preferred DNS server box, type 10.10.10.1.
9. Click OK twice, and then close the Network Connections window.
Add cwaserver to the contoso Domain
The cwaserver server must be a member server in the contoso.com domain.
To add cwaserver to the contoso domain
1. Right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the Computer Name tab, and then click
Change.
3. In the Computer Name Change dialog box, click Domain.
4. In the Domain box, type contoso.com, and then click OK.
5. In the Authentication dialog box, type the user name and password of a member of
the DomainAdmins group, and then click OK.
6. On the Computer Name Changes authentication page, type the Domain Admin
credentials, and then click OK.
7. In the Confirmation/Welcome dialog box, click OK.
8. In the Restart notification dialog box, click OK.
9. In the Restart confirmation dialog box, click OK to restart the server.
Request a Certificate
Because you have set up contosodc.contoso.com as a Windows Server 2003 enterprise CA and
enabled autoenrollment, cwaserver.contoso.com will receive the enterprise CA certificate chain
when it is added to the domain. However, you will need to request a Web server certificate with
the FQDN (fully qualified domain name) cwaserver.contoso.com. You will be asked to choose
this certificate during the Communicator Web Access setup process.

Notes
The certificates for Office Communications Server 2007,
Standard Edition and Communicator Web Access must be
issued from the same certification authority and must use a
duplicated Web server template in which the Mark keys as
exportable option is enabled. See the Microsoft Office
Communications Server 2007 Standard Edition Deployment
Guide for the procedure detailing how to do this.
Lab scenario 1 uses the Microsoft certification authority (CA)
that you set up on contosodc.contoso.com, and the procedures
in this document assume the use of an internal CA. You can use
an external CA for this lab scenario, but you might need to
modify the certificate procedures to comply with the
requirements of the external CA, in addition to the certification
requirements of Office Communications Server 2007 and
Communicator Web Access.

The Communicator Web Access server requires an MTLS (mutual TLS) certificate and an SSL
IIS certificate. For this lab scenario, you can use the same certificate for both. The Communicator
Web Access certificate requirements for this lab scenario are as follows:
• MTLS certificates must be issued from the same CA from which the Office
Communications Server 2007, Standard Edition MTLS certificates are issued.
• Certificates must use a duplicated Web server template in which the Mark keys as
exportable option is enabled.
For this lab scenario, in which the FQDN of the server is cwaserver.contoso.com, the certificate
FQDN is cwaserver.contoso.com; however, if the server name differs for your deployment, use a
certificate with the FQDN of the server on which you are installing Communicator Web Access.
The following procedure assumes that cwaserver.contoso.com and the user who is signed in have
permission to access the internal CA on contosodc.contoso.com by using the physical network
and Certificate Services Web enrollment feature.
To request the certificate
1. On cwaserver.contoso.com, open a Web browser.
2. In the Address box, type http://contosodc.contoso.com/certsrv, and then press
ENTER.
3. Click Request a Certificate.
4. Click Advanced certificate request.
5. Click Create and submit a request to this CA.
6. In the Certificate Template list, select the name of the duplicated Web server
template that you created for the Office Communications Server 2007, Standard
Edition certificates.
7. In the Identifying Information for Offline Template box, type
cwaserver.contoso.com.
8. Verify that the Mark keys as exportable check box is selected (the default for the
duplicated Web server template). If the check box is cleared, select it.
9. In the Key Options area, select the Store certificate in the local computer
certificate store check box.
10. Click Submit.
11. If a potential scripting violation warning appears, and you understand and accept the
implications, click Yes.
Now that you have requested the certificate, you can install it.
To install the certificate on the computer
1. Click Install this certificate. If a potential scripting violation warning appears, and
you understand and accept the implications, click Yes.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the list of Available Standalone Snap-ins, click Certificates.
6. Click Add.
7. Click Computer account, and then click Next.
8. In the Select Computer dialog box, ensure that the Local computer: (the computer
this console is running on) check box is selected, and then click Finish.
9. Click Close, and then click OK.
10. In the left pane of the Certificates console, expand Certificates (Local Computer),
expand Trusted Root Certification Authorities, and then click Certificates.
11. Confirm that the certificate that you just requested and installed contains an FQDN of
cwaserver.contoso.com and is located in this folder. If it is not, copy it from the
Certificates folder under the Personal folder node, just above.
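The certificate requirements stated in this section (subject FQDN cwaserver.contoso.com, stored in the local computer certificate store, issued by the same CA as the Office Communications Server 2007 certificate) can also be checked from a script. The following is an added example, not part of the original guide; it assumes Windows PowerShell 2.0 or later is installed on cwaserver.contoso.com and that the Office Communications Server certificate has been exported without its private key to the hypothetical path C:\lab\ocs2k7.cer.

```powershell
# Added example (not from the original guide). Run on cwaserver.contoso.com.
# Assumptions: Windows PowerShell 2.0 or later; the Office Communications Server 2007
# certificate was exported WITHOUT its private key to $OcsCertPath (hypothetical path).
param(
    [string]$Fqdn        = 'cwaserver.contoso.com',
    [string]$OcsCertPath = 'C:\lab\ocs2k7.cer'
)

function Get-ChainRoot($Cert) {
    # Build the chain from the machine's certificate stores; the last element is the root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab CA: the CRL may be unreachable
    $trusted = $chain.Build($Cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    New-Object PSObject -Property @{
        Trusted    = $trusted            # $true only if the chain ends in a trusted root
        Thumbprint = $root.Thumbprint
        Subject    = $root.Subject
    }
}

function Write-Check([string]$Name, [bool]$Ok) {
    '{0,-62} {1}' -f $Name, $(if ($Ok) { 'PASS' } else { 'FAIL' })
}

# Personal store of the local computer, where the request procedure stores the certificate.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
    -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadOnly')
try {
    # Newest certificate whose subject common name equals the server FQDN.
    $cwa = $store.Certificates |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $Fqdn } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cwa) { throw "No certificate with subject CN=$Fqdn in LocalMachine\My" }

    # Public certificate of the Office Communications Server, loaded from the exported file.
    $ocs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $OcsCertPath

    $now     = Get-Date
    $cwaRoot = Get-ChainRoot $cwa
    $ocsRoot = Get-ChainRoot $ocs

    Write-Check "Subject CN is $Fqdn" $true
    Write-Check 'Private key is present in the local computer store' $cwa.HasPrivateKey
    Write-Check 'Certificate is within its validity period' `
        ($now -ge $cwa.NotBefore -and $now -le $cwa.NotAfter)
    Write-Check "Chain ends in a trusted root ($($cwaRoot.Subject))" $cwaRoot.Trusted
    Write-Check 'Issued by the same CA as the Office Communications Server certificate' `
        (($cwa.Issuer -eq $ocs.Issuer) -and ($cwaRoot.Thumbprint -eq $ocsRoot.Thumbprint))
}
finally {
    $store.Close()
}
```

A FAIL on the last line means the two MTLS certificates were not issued by the same certification authority, which this guide states as a requirement.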
Install and Configure Communicator Web Access
Installing and configuring Communicator Web Access involves the following procedures:
1. Install Communicator Web Access.
2. Activate the Communicator Web Access server.
3. Create the Communicator Web Access virtual server.
To install Communicator Web Access on cwaserver.contoso.com
1. Log on to cwaserver.contoso.com as a member of the Administrators group.
2. From the Office Communications Server 2007 installation media, double-click
setup.exe.
3. On the Office Communications Server 2007, Standard Edition Deployment
page, click Deploy Other Server Roles.
4. On the Deploy Other Server Roles page, click Deploy Communicator Web
Access.

5. On the Deploy Office Communications Server 2007, Communicator Web Access page,
under Step 1: Install Communicator Web Access, click Install.

6. On the Welcome page, click Next.


7. On the License Agreement page, click I accept, and then click Next.
8. On the Customer Information page, type a name and organization in User Name
and Organization, and then click Next.
9. On the Ready to install page, accept the default location, and then click Next.
10. On the Ready to install page, click Install.
11. On the Setup complete page, click Finish.
Do not close the window. Continue directly with the next procedure.
To activate the Communicator Web Access Server

Note
Activating the server creates the account CWAService in Active
Directory.

1. Under Step 2: Activate Communicator Web Access, click Run.


2. On the Welcome page, click Next.
3. On the Select domain service account page, accept the default Account name,
create and type a strong password to be used for the account in the Password box and
the Confirm password box, and then click Next.
4. On the Select Server Certificate page, click Select Certificate.
5. On the Select Certificate page, click cwaserver.contoso.com in the Issued to
column.
6. On the Select Server Certificate page, click Next. Verify that the Issued to box
contains CN=cwaserver.contoso.com.
7. On the Ready to activate Communicator Web Access page, click Next.
8. On the Success page, click Finish.
Do not close the window. Continue directly with the next procedure.
To create the Communicator Web Access virtual server

Note
The first virtual server is created during this step. You can
create additional virtual servers in Office Communicator Web
Access Manager (2007 release).

1. Under Step 3: Create a Virtual Server, click Run.


2. On the Welcome page, click Next.
3. On the Select Virtual Server Type page, accept Internal, and then click Next.

4. On the Select Authentication Type page, Use built-in authentication is selected
by default. Click Next.

5. On the Select authentication method page, accept the default, and then click
Next.
6. On the Select Browser Connection Type page, accept the default of HTTPS
(recommended), and then click Select Certificate.

7. On the Select Certificate page, click the certificate with the FQDN of
cwaserver.contoso.com or the server name that you are using, and then click OK.
8. On the Select Browser Connection Type page, click Next.
9. On the Select IP address and port setting page, accept all defaults, and then
click Next.

10. On the Name the Virtual Server page, accept the default name Communicator
Web Access, and then click Next.
11. On the Automatically Start Virtual Server page, accept the default, and then click
Next.
12. On the Review Settings page, click Next.
13. On the Success page, click Finish.

Configuring the Client Computers


For lab scenario 1, each client computer connects to Communicator Web Access through a
supported browser. The clients can also optionally host the Office Communicator 2007 client.
Installing both Communicator Web Access and Office Communicator 2007 provides you with
the opportunity to contrast and compare each client’s features. To prepare each client computer
for this role, do the following:
1. Configure the static IP address and name resolution for both client computers.
2. Install Office Communicator 2007 on one or both client computers.
3. Configure users for each client computer in Active Directory on
contosodc.contoso.com.
Configure the Static IP Address and Name Resolution for Both
Client Computers
Follow this procedure for each client computer, entering the IP address noted for each one. When
you have configured the static IP address, connect the client to the hub.
To configure the static IP address and name resolution
1. Click Start, point to Settings, and then click Network Connections.
2. Right-click the connection for which you want to configure a static IP address, and
then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Use the following
IP address.
5. In the IP address box, type the IP address for the client:
a. For client 1, type 10.10.10.4.
b. For client 2, type 10.10.10.5.
6. In the Subnet mask box, type 255.255.255.0.
7. Click Use the following DNS server addresses.
8. In the Preferred DNS server box, type 10.10.10.1.
9. Click Advanced.
10. In the Advanced TCP/IP Settings dialog box, click the DNS tab.
11. On the DNS tab, click Append primary and connection specific DNS suffixes, and
then click Append parent suffixes of the primary DNS suffix.
12. In the DNS suffix for this connection box, type contoso.com.
13. Select the Register this connection’s addresses in DNS check box, and then select
the Use this connection’s DNS suffix in DNS registration check box.
14. Click OK twice, and click Close twice to close the Network Connections window.
15. Connect the client to the hub.
Install Office Communicator 2007 for One or Both Clients
(Optional)
This step is optional. Install Office Communicator 2007 if you want to compare Communicator
Web Access with Office Communicator 2007.
Add the Client Computers to the Domain
Join both client computers to the domain.
To join a client computer to the domain
1. Click Start, right-click My Computer, and then click Properties.
2. Click the Computer Name tab, and then click Change.
3. In the Computer Name Changes dialog box, click Domain.
4. Under Domain, type contoso.com, and then click OK.
5. In the Authentication dialog box, enter the credentials of a member of the
Domain Admins group, and then click OK.
6. On the Confirmation/Welcome page, click OK.
7. On the Restart notification page, click OK.
Configure Users for Each Client in Active Directory on
contosodc.contoso.com
Add the users Bob and Alice to Active Directory so that you have two users to use during testing.
Grant each user the permission to access Office Communications Server 2007, Standard Edition,
and therefore, Communicator Web Access.
Using the configuration for this lab scenario as shown in Figure 1, you can add users on either the
domain controller (contosodc.contoso.com) or the Office Communications Server 2007 server
(ocs2k7.contoso.com).
To add users on contosodc.contoso.com, you must install the Office Communications Server
2007 Administrative Tools on contosodc.contoso.com.
To add users on ocs2k7.contoso.com (or cwaserver.contoso.com), you can use Dsa.msc. You can
download the Windows Server 2003 Service Pack 1 Administration Tools Pack from:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e487f885-f0c7-436a-a392-25793a25bad7&DisplayLang=en.
To configure a user in Active Directory
1. On contosodc.contoso.com, ocs2k7.contoso.com, or cwaserver.contoso.com
depending upon your choice above, open the Active Directory Users and
Computers snap-in. To open the snap-in click Start, point to Programs, point to
Administrative Tools, and click Active Directory Users and Computers.
2. In the tree view pane, expand contoso.com, expand Users, right-click Users, point to
New, and then click User.
3. In the First name and Last name boxes, type the user's first name and last name.
4. In the User logon name box, type the user's network account name, and then click
Next.
5. Set the password policy for the user.
6. In the Password field and in the Confirm Password box, type the same password,
click Next, and then click Finish.
7. In the Active Directory Users and Computers snap-in, in the tree view pane, under
Users, right-click the user, and then click Properties.
8. Click the Communications tab, and then select the Enable Communications for
this user check box. Type a sign-in name, and select a domain in the @ field.

9. In the Server or pool field, click the arrow, select ocs2k7.contoso.com from the list,
and then click Configure.
10. On the Other Options page, select the Enable remote user check box, and then
click OK.
11. Click Apply, and then click OK.
Sign in to Communicator Web Access
To test the deployment on client 1, sign in to Communicator Web Access as bob with domain
credentials by performing the following procedure on each client.
To sign in to Communicator Web Access
1. On the client1.contoso.com computer, open a supported browser.
2. In the Address box of the browser, type https://cwaserver.contoso.com.
3. In the Security Alert message box, click Yes if you understand the implications and
are comfortable with them.
4. On the Communicator Web Access sign-in page, set a presence level by clicking the
arrow next to Sign In and select the presence, and then click Sign In.

Note
If you wish to sign in as a user other than the account with
which you are signed in to the computer, click Sign in with a
different account and enter the sign-in address for the
account that you want to use, click Sign In, enter account
information in the Connect to dialog box, and then click OK.
5. On client 2, repeat this procedure for alice@contoso.com.

Performing Lab Scenario 1 Exercises


To test Communicator Web Access features, perform the following exercises:
1. Log on to client 1 and sign in to Communicator Web Access as Bob, and then log on
to client 2 and sign in to Communicator Web Access as Alice.
2. From Bob’s account, add Alice to the Contact List, and then add Bob to the Contact
List from Alice’s account.
3. Send an instant message from Bob to Alice.
4. Send a response from Alice to Bob.
5. Change Bob’s presence status, and then note the change on Alice’s Contact List.
6. Set Alice’s presence status to Do Not Disturb, and then try to send an instant message
from Bob to Alice.
7. Remove Alice from Bob’s Contact List.
8. Test your solution.
Table 6 shows the procedures for these lab exercises.
Table 6: Lab scenario 1 Exercises (1-7)

Step | Action | Result

Exercise 1: Sign in as bob@contoso.com on Client 1 and alice@contoso.com on Client 2
1 | Log on to client 1 as Bob. | N/A
2 | Start Internet Explorer. In the Address box, type https://cwaserver.contoso.com, and then click Go. | A security alert appears.
3 | Click Yes in the security alert. | The Communicator Web Access sign-in page appears.
4 | Click Sign In. | The authentication dialog box appears.
5 | Repeat for alice@contoso.com on client 2. | See above.

Exercise 2: Add Alice to Bob’s Contact List
1 | With both client computers running, on Bob’s computer, type Alice in the Search box of the Communicator Web Access client. | N/A
2 | Press the Enter key. | Alice appears in the Search Results box.
3 | Right-click Alice, point to Add Contact To, and then click Other Contacts. | Alice is added to Bob’s Contact List. Alice is also sent a message informing her that Bob has added her to his Contact List and giving Alice the option of adding Bob to her Contact List. Accept the option.

Exercise 3: Send an instant message from Bob to Alice.
1 | From Bob’s computer, double-click Alice in the Contact List. | The Alice - Conversation dialog box opens.
2 | From Bob’s computer, type a message in the message box, and then press ENTER. | The message appears in the message box as you type. When you press ENTER, the message is sent to Alice, which causes a desktop alert to pop up in the notification area of Alice’s computer.

Exercise 4: Send an instant message response from Alice to Bob.
1 | From Alice’s computer, click the desktop alert that pops up as a result of Bob sending an instant message. | The Bob-Conversation dialog box appears.
2 | From Alice’s computer, type an instant message response in the text box of the Conversation dialog box. | The message appears in the text box as you type. When you press the Enter key, Alice’s response appears in the Alice - Conversation dialog box on Bob’s computer.

Exercise 5: Change Bob’s presence status.
1 | On Bob’s computer, close the Alice - Conversation window. | Alice is notified that the conversation has been terminated by Bob.
2 | On Bob’s computer, click Bob at the top of the Communicator Web Access main page, and then click Away. | Bob’s presence is shown as Away on both client computers.

Exercise 6: Set Alice’s presence status to Do Not Disturb, and then send an instant message from Bob to Alice.
1 | On Alice’s computer, close the Bob - Conversation window. | N/A
2 | On Alice’s computer, click Alice at the top of the Communicator Web Access main page, and then click Do Not Disturb. | Alice’s presence is shown as Do Not Disturb on both client computers.
3 | From Bob’s computer, send Alice an instant message as described previously. | A message in Bob’s Communicator Web Access page indicates that Alice’s status is Do Not Disturb.

Exercise 7: Remove Alice from Bob’s Contact List
1 | On Bob’s computer, on the main Communicator Web Access page, under Other Contacts, right-click Alice, and then click Remove from Contact List. | Bob is prompted to confirm that he wants to remove Alice from his Contact List.
2 | In the confirmation message, click OK. | Alice is removed from Bob’s Contact List.

Lab Scenario 2: Configuring SSO Using ISA Server 2006

In lab scenario 2, you will deploy Communicator Web Access, configure Communicator Web
Access for custom authentication, and deploy Microsoft ISA (Internet Security and Acceleration)
Server 2006, Standard Edition, and enable it for SSO (single sign-on). The only supported
configuration is to use SSL on the ISA Server 2006 server to publish the external site as an
HTTPS site. HTTP is not supported.
For more information about ISA Server 2006, see:
• ISA Server 2006 home page at http://www.microsoft.com/isaserver/default.mspx.
• Trial version download:
http://www.microsoft.com/technet/downloads/isa/2006/trials/default.mspx.
Lab scenario 2 simulates an SSO user experience for Communicator Web Access by deploying
ISA Server 2006 enabled for SSO. You will perform the following tasks:
• Configure custom authentication for the Communicator Web Access virtual server
• Enable an SSO user experience by deploying ISA Server 2006 enabled for SSO
• Use the SSO features of an ISA Server 2006 SSL Web listener
• Deploy server isolation
• Sign in to Communicator Web Access
• Traverse the ISA Server 2006 enabled for SSO
• Search for users to add to the Contact List
• Add contacts to, and delete them from, the Contact List
• Send an instant message by using Communicator Web Access
• Change presence status
• Use forms-based authentication
• Use public and private timeouts
• Test your solution, consisting at a minimum of SSO and, optionally, the Unified
Communications JavaScript Libraries or code accessing the Unified Communications
AJAX API
Lab scenario 2 builds on the topology that you deployed in lab scenario 1. To the existing
deployment, you will add ISA Server 2006 Standard Edition, enabled for SSO, and an additional
hub.

Note
Installing Communicator Web Access (2007 release) and any
server role of Office Communications Server 2007 on the same
physical server is not supported.
In lab scenario 2, the fictitious Contoso Corporation network includes the following:
• A domain controller that runs Microsoft Active Directory Domain Services, DNS
Server, and a private certification authority.
• Office Communications Server 2007, Standard Edition, deployed on server
ocs2k7.contoso.com.

Note
Running Office Communications Server 2007 on a domain
controller is not supported.

• A Communicator Web Access server that uses custom authentication
(cwaserver.contoso.com)
• Two hubs
• Two clients
• A server with two network adapters that runs ISA Server 2006, Standard Edition,
enabled for SSO (isa2006.contoso.com)
• An Internet DNS server
For details about deploying ISA Server 2006 in a production environment, see:
• https://www.microsoft.com/technet/isa/2006/secure_web_publishing.mspx
Figure 8 shows the topology for lab scenario 2.
Figure 8. Topology for Lab Scenario 2

In lab scenario 2, you will perform the following tasks:


1. Add an Internet DNS server. Add a DNS server to resolve the external client
(client1.contoso.com) and the external ISA Server 2006 NIC (cwa.contoso.com).
2. Create an external Communicator Web Access (2007 release) virtual server.
Create the external virtual server configured to use custom authentication.
3. Add isa2006.contoso.com to the deployment from Lab scenario 1. For this lab
scenario, isa2006 functions as the ISA Server 2006 enabled for SSO.
4. Configure and test the external client (Client1). To simulate external access by the
client for this lab scenario, change the IP address of client1.contoso.com and test
connectivity.
5. Test the ISA Server 2006 enabled for SSO deployment. Test the lab-simulated
environment in which a client has an SSO experience when connecting to
Communicator Web Access by traversing the ISA Server 2006 enabled for SSO. The
user’s credentials are entered once in the ISA sign-in form and are cached by ISA
Server 2006 enabled for SSO. Subsequent sign-ins are not challenged.
6. Perform Lab scenario 2 exercises. The lab exercises demonstrate SSO, adding
contacts, sending instant messages, and changing presence.
Lab scenario 2 System Requirements
The topology that is shown in Figure 8 is built on the topology of lab scenario 1, with the
addition of a server that runs Internet Security and Acceleration (ISA) Server 2006 Standard
Edition and an additional hub.
Server: Internet DNS Server
For the DNS server, you have a number of options:
1. Deploying a standalone DNS server for this lab scenario.
2. Adding IP addresses to a Hosts file.
3. Deploying Windows Server 2003 SP1 or later as the operating system for
client1.contoso.com and running the DNS server on client1.contoso.com for this lab
scenario only. Running the Communicator Web Access (2007 release) client on
Windows Server 2003 is not supported for production environments.
Server: contosodc.contoso.com
You configured contosodc.contoso.com during lab scenario 1. The contosodc.contoso.com server
is the Active Directory domain controller, the DNS server, and the internal CA.

Note
Running Office Communications Server 2007 on a domain
controller is not supported.

In addition to issuing certificates that are required for Office Communications Server 2007,
Standard Edition, Communicator Web Access, and Office Communicator 2007,
contosodc.contoso.com also issues the certificates that are required by ISA Server 2006 when it
is enabled for SSO. For production environments, a certificate that is issued from a public CA
can eliminate the need for installing the root certificate on external client computers.
Server: ocs2k7.contoso.com
You configured ocs2k7.contoso.com during lab scenario 1. The ocs2k7.contoso.com server runs
Windows Server 2003 SP1 or later and Office Communications Server 2007.
Server: cwaserver.contoso.com
You configured cwaserver.contoso.com during lab scenario 1. The cwaserver.contoso.com server
runs Windows Server 2003 SP1 or later and Communicator Web Access and will be configured
in lab scenario 2 with an external virtual server configured to use custom authentication.
Server: isa2006.contoso.com
The isa2006.contoso.com server is running ISA Server 2006 Standard Edition. The next table
shows the minimum system requirements for isa2006.contoso.com.
Table 7: Minimum Requirements for isa2006.contoso.com

Component | Requirement

isa2006.contoso.com - 10.10.10.55/24 (internal) and 192.168.1.5/24 (external)

Software
Operating System | Windows Server 2003 SP1 or later
SSO Server Software | ISA Server 2006 Standard Edition

Hardware
Processor, Networking, Memory, Disk Space | See: http://www.microsoft.com/technet/isa/2006/installation_se/afdf7384-040e-4813-8e9a-aa05ddb7d4b6.mspx

Permissions
To install ISA Server 2006 | Membership in Administrators group

Client Computers
Each client computer runs the Microsoft Windows XP with SP2 operating system and the
Internet Explorer 7 Internet browser. You can optionally add Office Communicator 2007 to the
clients. Otherwise, the configuration of the client computers is the same as that for lab scenario 1,
except for a change of the IP address for client1.

Setting Up the Internet DNS Server


Choose one of the three DNS options for this lab scenario, mentioned earlier, and deploy the
DNS server for the Internet. For this lab scenario, it is assumed that the DNS server IP address is
192.168.1.x/24 and resolves the following:
Table 8: Lab scenario 2 Name Resolution

Name | IP Address | Subnet Mask
client1.contoso.com | 192.168.1.6 | 255.255.255.0
cwa.contoso.com | 192.168.1.5 | 255.255.255.0
Internet DNS | 192.168.1.x | 255.255.255.0
remote.contoso.com | This is the “internet” DNS zone name.
isa2006.contoso.com | 10.10.10.55 | 255.255.255.0
cwaserver.contoso.com | 10.10.10.35 | 255.255.255.0
ocs2k7.contoso.com | 10.10.10.30 | 255.255.255.0
contosodc.contoso.com | 10.10.10.1 | 255.255.255.0
client2.contoso.com | 10.10.10.5 | 255.255.255.0
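
If you choose the Hosts file option for name resolution, the entries in Table 8 divide into what the internal network resolves and what the simulated Internet side resolves. The following is an added example, not part of the guide: it splits Table 8 by subnet, renders Hosts file text for each side, and audits a Hosts file meant for the external client. The function names, the split by /24 network, and the "stale" sample text are assumptions constructed for illustration.

```python
"""Build and audit Hosts file views of Table 8 (added example, not from the guide)."""
import ipaddress

# Table 8 rows that carry a concrete address. The "Internet DNS" row
# (192.168.1.x) is left out because the guide does not fix its last octet.
TABLE_8 = [
    ("client1.contoso.com", "192.168.1.6"),
    ("cwa.contoso.com", "192.168.1.5"),
    ("isa2006.contoso.com", "10.10.10.55"),
    ("cwaserver.contoso.com", "10.10.10.35"),
    ("ocs2k7.contoso.com", "10.10.10.30"),
    ("contosodc.contoso.com", "10.10.10.1"),
    ("client2.contoso.com", "10.10.10.5"),
]

# Assumption: each hub corresponds to one /24, as the subnet masks in Table 8 imply.
INTERNAL_NET = ipaddress.ip_network("10.10.10.0/24")   # hub 1
EXTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # hub 2, the simulated Internet


def split_views(records):
    """Sort (name, address) records into the internal and external view."""
    views = {"internal": [], "external": []}
    for name, addr in records:
        ip = ipaddress.ip_address(addr)
        if ip in INTERNAL_NET:
            views["internal"].append((name, addr))
        elif ip in EXTERNAL_NET:
            views["external"].append((name, addr))
        else:
            raise ValueError(f"{name}: {addr} is on neither lab network")
    return views


def render_hosts(records):
    """Render records as Hosts file lines: address, whitespace, name."""
    return "\n".join(f"{addr:<15} {name}" for name, addr in records) + "\n"


def parse_hosts(text):
    """Parse Hosts file text into (name, address) pairs, one pair per name."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: address without a name")
        ipaddress.ip_address(fields[0])  # raises ValueError if malformed
        pairs.extend((name.lower(), fields[0]) for name in fields[1:])
    return pairs


def audit_external_hosts(text, required=("cwa.contoso.com",)):
    """Return findings for a Hosts file used on the external side of the ISA server."""
    findings = []
    seen = {}
    for name, addr in parse_hosts(text):
        if ipaddress.ip_address(addr) in INTERNAL_NET:
            findings.append(f"{name} -> {addr}: internal address in external view")
        if name in seen and seen[name] != addr:
            findings.append(f"{name}: conflicting addresses {seen[name]} and {addr}")
        seen.setdefault(name, addr)
    for name in required:
        if name not in seen:
            findings.append(f"{name}: missing from external view")
    return findings


if __name__ == "__main__":
    views = split_views(TABLE_8)
    print(render_hosts(views["external"]))
    # Constructed sample: entries left over from lab scenario 1 on client 1.
    stale = "10.10.10.4 client1.contoso.com\n10.10.10.35 cwaserver.contoso.com\n"
    for finding in audit_external_hosts(stale):
        print("FINDING:", finding)
```
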

Setting Up isa2006.contoso.com and cwaserver.contoso.com


For this lab scenario, isa2006.contoso.com publishes the Communicator Web Access (2007
release) virtual server that is configured for custom authentication. To configure
isa2006.contoso.com for this role, you will do the following:
1. Install Windows Server 2003 SP1 or later on a server with two network adapters,
even though ISA Server 2006 supports a dual-homed, single NIC.
2. Configure a static IP address for each network adapter.
3. Set the interface order.
4. Add each IP address to the respective DNS server.
5. Install ISA Server 2006 Standard Edition.
6. Keep isa2006 in the workgroup, but set the DNS Suffix and NetBIOS Computer
Name to contoso.com.
7. Configure certificates for isa2006.contoso.com.
8. Create the external Communicator Web Access virtual server using custom
authentication.
9. Configure ISA Server 2006 to publish the virtual server using custom authentication.
10. Configure the Web listener to point to the LDAP Validation Server.
11. Create a Web listener, enabled with SSO on isa2006.contoso.com.
12. Publish the Communicator Web Access virtual server using custom authentication.
13. Redirect ssoServer traffic to port 444 on the internal network.
14. Prepare the client to test SSO.
15. Perform the lab exercises.
The following sections explain these steps in detail, and assume you are using the classic style
start menu.
The following table summarizes the naming.
Table 9: Naming Conventions for Lab Scenario 2

Name | Description
ISA Server 2006 enabled for SSO | The ISA Server 2006 server that must be deployed in order to provide SSO for the Communicator Web Access (2007 release) virtual server that is configured for custom authentication.
cwa.contoso.com | The FQDN of the ISA Server external interface
isa2006.contoso.com | The FQDN of the ISA Server internal interface
internal | The ISA internal interface
external | The ISA external interface
CWA | The internal Communicator Web Access (2007 release) virtual server
cwaSSO | The external Communicator Web Access (2007 release) virtual server configured for custom authentication.
ssoServer | Web listener on ISA Server 2006
ssoCWA | The Web Publishing Rule on ISA Server 2006 that publishes the cwaSSO virtual server configured for custom authentication.
sso | The LDAP Validation Server Set name

Install Windows Server 2003 SP1 or later on a Server with Two
Network Adapters
See the Windows Server 2003 SP1 or later documentation.
Configure Static IP Addresses for isa2006 Network Adapters
To distinguish the two interfaces, this document refers to the two ISA Server 2006 network
adapters as the internal network adapter and the external network adapter. Connect the internal
adapter to hub 1, and then connect the external adapter to hub 2. Configure each adapter with a
static IP address.
To configure the internal network adapter on isa2006 with a static IP
address
1. With the classic style start menu, click Start, point to Settings, and then click
Network Connections.
2. Right-click the internal network adapter connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Use the following
IP address.
5. In the IP address box, type 10.10.10.55.
6. In the Subnet mask box, type 255.255.255.0.
7. Click Use the following DNS server addresses.
8. In the Preferred DNS server box, type 10.10.10.1.
9. Click OK twice.
To configure the external network adapter on isa2006 with a static IP
address
1. Click Start, point to Settings, and then click Network Connections.
2. Right-click the external network adapter connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Use the following
IP address.
5. In the IP address box, type 192.168.1.5.
6. In the Subnet mask box, type 255.255.255.0.
7. Click Use the following DNS server addresses.
8. In the Preferred DNS server box, type 192.168.1.x.
9. Click OK twice.
Set the isa2006 Interface Order
Now set the interface order. Listing the ISA Server 2006 internal interface first in the list of
network connections can improve name resolution performance. Any failure to resolve names
prevents the Web site from being published successfully.
To set the interface order
1. Click Start, point to Settings, and click Network Connections.
2. On the Advanced menu, click Advanced Settings.
3. On the Adapters and Bindings tab of Advanced Settings, under Connections, click
Internal (the name of the ISA internal interface in this example).
4. Click the up arrow to move the internal interface to the top of the list.
5. Click OK.
Add the isa2006 Internal IP Address to the
contosodc.contoso.com DNS Server
Now add the internal interface IP address to the DNS server.
To add the internal IP address to the DNS server
1. On contosodc.contoso.com, click Start, point to Programs, point to Administrative
Tools, and then double-click DNS.
2. In the console tree, expand Forward Lookup Zones.
3. Right-click the contosodc.contoso.com node (using the example naming), and then
click Properties.
4. In the contosodc.contoso.com Properties dialog box, select the Named Servers tab,
and then click Add.
5. On the New Resource Record page, type isa2006.contoso.com in the Server FQDN
box.
6. In the IP address box, type 10.10.10.55, click Add, and then click OK.
7. In the console tree, expand Reverse Lookup Zones.
8. Right-click the 10.10.10.in-addr.arpa node (using the example naming), and then
click Properties.
9. In the 10.10.10.in-addr.arpa Properties dialog box, click the Named Servers tab,
and then click Add.
10. In the New Resource Record dialog box, type isa2006.contoso.com in the Server
FQDN box.
11. In the IP address box, type 10.10.10.55, click Add, click OK, and then click Apply.
12. Click OK.
13. Close the DNS console.
Add the isa2006 External IP Address to the Internet DNS Server
Now add the ISA Server 2006 external interface IP address to the “Internet” DNS server.
To add the external IP address to the Internet DNS server
1. On the “Internet” DNS server, click Start, point to Programs, point to
Administrative Tools, and then click DNS.
2. In the console tree, expand Forward Lookup Zones.
3. Right-click the remote.contoso.com node (using the example naming), and then
click Properties.
4. In the remote.contoso.com Properties dialog box, select the Named Servers tab,
and then click Add.
5. In the New Resource Record dialog box, type cwa.contoso.com in the Server
FQDN box. This is the URL that is used by external users to access the published
Communicator Web Access (2007 release) external virtual server that is configured
for custom authentication.
6. In the IP address box, type 192.168.1.5, click Add, and then click OK.
7. In the console tree, expand Reverse Lookup Zones.
8. Right-click the 1.168.192.in-addr.arpa node (using the example naming), and then
click Properties.
9. In the 1.168.192.in-addr.arpa Properties dialog box, click the Named Servers tab,
and then click Add.
10. In the New Resource Record dialog box, type cwa.contoso.com in the Server
FQDN box.
11. In the IP address box, type 192.168.1.5, click Add, click OK, and then click Apply.
12. Click OK.
13. Close the DNS console.
Install ISA Server 2006, Standard Edition
Install ISA Server 2006, Standard Edition. You can get a free 180-day trial of ISA Server 2006 at
http://www.microsoft.com/isaserver/2006/trial-software.mspx.
To install ISA Server 2006 for this lab scenario
1. Double-click IsaAutorun.exe.
2. Click Install ISA Server 2006.
3. On the Welcome page, click Next.
4. On the License Agreement page, click I accept, and then click Next.
5. On the Customer Information page, enter the appropriate information in the User
Name, Organization, and Product Serial Number boxes, and then click Next.
6. On the Setup Type page, select Typical, and then click Next.
7. On the Internal Network page, click Add.
8. On the Addresses page, click Add Adapter.
9. On the Select Network Adapters page, click the adapter that is connected to the
trusted network hub, click OK twice, and then click Next back on the Internal
Network page.
10. On the Firewall Client Connections page, verify that the check box is cleared (the
default), and then click Next.
11. On the Services Warning page, click Next.
12. On the Ready to Install the Program page, click Install.
13. On the Installation Wizard Completed page, click Finish.
Keep isa2006 in the Workgroup
The ISA Server in this lab is not a member server of a domain. Even so, the IP address of both
network interface cards on the ISA Server must have the connection-specific DNS suffix of
contoso.com. You do this from the Properties page of each network interface and from the DNS
Suffix and NetBIOS computer name page of System Properties.
To set the DNS Suffix
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click System, and then click the Computer Name tab.
3. Click Change, and on the Computer Name Changes, click More.
4. On the DNS Suffix and NetBIOS computer name page, in the Primary DNS suffix
of this computer box, type contoso.com, and then click OK.
5. Restart the computer.
Configure Certificates on the ISA Server
You must request an SSL certificate and download the CA certificate chain to the Trusted Root
Certification Authorities, Certificates folder for the external ISA Server 2006 server interface.
The ssoServer interface certificate for this lab scenario should have an FQDN of
cwa.contoso.com.
When you create the Web listener in ISA Server 2006, you assign an IP address on which the
Web listener listens for traffic. You also bind an SSL certificate to the Web listener and enable
SSO on the Web listener, thereby enabling SSO for the internal domain that is accessed by that
Web publishing rule. Using a certificate that is issued from a public CA is supported for binding
to the Web listener. If you use a certificate that is issued from a private CA, you must install the
root CA certificate for the private CA on the ISA server.

Important
The MTLS certificates must be issued from the same CA as the
certificates that are used for the Communicator Web Access
(2007 release) server and the Office Communications Server
2007 server and must use a duplicated Web server template. A
certificate issued from a public CA is supported.

For details about certificate requirements and procedures, see Digital Certificates for ISA Server
2004 at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/digitalcertificates.mspx.
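
The certificate names this guide requires (cwaserver.contoso.com on the two Communicator Web Access virtual servers, cwa.contoso.com on the ssoServer Web listener) can be checked mechanically instead of by reading the Issued to box. The following is an added example, not part of the guide: the endpoint table, the function names, and port 443 for the ISA Web listener are assumptions, and the certificate in the demo is constructed.

```python
"""Compare lab certificates with the names the guide requires (added example)."""
import socket
import ssl
from datetime import datetime, timezone

# (host, port) -> name the certificate must be issued to.
# Ports 443 and 444 for cwaserver come from the guide; 443 for the
# ISA Web listener is an assumption (the default HTTPS port).
EXPECTED = {
    ("cwaserver.contoso.com", 443): "cwaserver.contoso.com",  # internal virtual server
    ("cwaserver.contoso.com", 444): "cwaserver.contoso.com",  # cwaSSO virtual server
    ("cwa.contoso.com", 443): "cwa.contoso.com",              # ssoServer Web listener
}


def fetch_cert(host, port, ca_file, timeout=5.0):
    """Handshake while trusting only ca_file (the lab root CA certificate).

    Raises ssl.SSLCertVerificationError if the chain does not lead to that
    root. Assumes the server offers a protocol version that the local
    Python/OpenSSL build accepts.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # names are compared in check_cert and reported
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def name_matches(pattern, fqdn):
    """Case-insensitive match; '*.' covers exactly one left-most label."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = fqdn.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == fqdn


def _parse_time(value):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)


def check_cert(cert, expected, now=None):
    """Return a list of problems for a getpeercert() dict; empty means OK."""
    if not cert:
        return ["no certificate fields returned"]
    now = now or datetime.now(timezone.utc)
    problems = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names = sans or cns  # subjectAltName takes precedence when present
    if not any(name_matches(n, expected) for n in names):
        problems.append(f"issued to {', '.join(names) or 'no name'}; expected {expected}")
    if now < _parse_time(cert["notBefore"]):
        problems.append("not yet valid")
    if now > _parse_time(cert["notAfter"]):
        problems.append("expired")
    return problems


def audit(certs, now=None):
    """certs maps (host, port) to a getpeercert() dict; returns problems per endpoint."""
    return {ep: check_cert(certs.get(ep), name, now) for ep, name in EXPECTED.items()}


if __name__ == "__main__":
    # Constructed certificate fields in the shape getpeercert() returns.
    cwaserver_cert = {
        "subject": ((("commonName", "cwaserver.contoso.com"),),),
        "notBefore": "Jul 15 00:00:00 2007 GMT",
        "notAfter": "Jul 15 00:00:00 2009 GMT",
    }
    # Simulates the cwaserver certificate bound to the ISA listener by mistake.
    sample = {ep: cwaserver_cert for ep in EXPECTED}
    when = datetime(2008, 1, 1, tzinfo=timezone.utc)
    for endpoint, problems in audit(sample, when).items():
        print(endpoint, "OK" if not problems else problems)
```
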
Create the Communicator Web Access Virtual Server Using
Custom Authentication
Now create the external virtual server that will handle SSO-enabled traffic. The virtual server
must be configured to use custom authentication, and it must be published to the Web by an
SSO-enabled ISA Server 2006. Users must enter the exact URL that is configured in ISA Server
2006 to get the SSO experience. The user then must enter domain credentials when they first
access the SSO-enabled site. The credentials are cached on ISA Server 2006 so that subsequent
access by the same user is not challenged.
To create the Communicator Web Access external virtual server using
custom authentication
1. Click Start, point to Programs, point to Administrative Tools, and then click
Communicator Web Access (2007 release).
2. In the scope pane, right-click the server FQDN node, and then click Create Virtual
Web Server.
3. On the Welcome page, click Next.

4. On the Select Virtual Server Type page, click External, and then click Next.
5. On the Select Authentication Type page, click Use custom authentication, enter
?Cmd=logoff, and click Next.

6. On the Select Connection Type page, click HTTPS (recommended), and then click
Select Certificate.

7. On the Select Certificate page, select the certificate for cwaserver.contoso.com, and
then click OK.
8. On the Select Connection Type page, click Next.

9. On the Select IP Address and Port Settings page, in the Port box, type 444, and
click Next. This port number must be different from the port number (443) that you
used for the other Communicator Web Access virtual server (lab scenario 1).

10. On the Server Description page, type cwaSSO, and then click Next.
11. On the Start Server Option page, click Next.

12. On the Review Settings before Virtual Server Creation page, click Next.

13. On the Success page, click Finish.


14. In the scope pane of the Microsoft Office Communicator Web Access Manager
(2007 release) window, the cwaSSO node is added.

Configure the ISA Server 2006 Server to Publish the External Virtual Server
To provide an SSO experience by using ISA Server 2006, enable SSO for the Web listener on
ISA Server 2006 that publishes the Communicator Web Access external virtual server
(ssoServer) that is configured for custom authentication.
First, specify the LDAP verification server. Then, enable SSO for the Web listener on ISA Server
2006. Finally, publish the Communicator Web Access external virtual server that is configured to
use custom authentication.
Specify the LDAP Verification Server
You must specify the set of LDAP servers that ISA will use to validate users. You can specify these
servers before you create the Web listener (the next step) or during the step to create the Web
listener. Regardless of when you specify the LDAP servers, the process includes creating a user
set to which you can add only the users and groups that require authentication by the LDAP
validation server.
For example, you can create a group in Active Directory called remoteCWAusers and add this
group to the LDAP User Set that you create. To the remoteCWAusers group, add only users that
require external access to the published Communicator Web Access Web site and that are the
only users who will be authenticated on the LDAP validation server. You can also remove users
from this group.
Before you create the Web listener, you can use the ISA Server 2006 management snap-in to
specify the LDAP servers that will validate users, as shown in the next figure. In the result pane,
click Specify RADIUS and LDAP Servers to display the RADIUS and LDAP Server
configuration tabs.
Figure 9: Specify RADIUS and LDAP Servers on General Tab

If you choose to specify the LDAP server when you create the Web listener in the next step, the
New Web Listener Wizard will provide a page where you can do so. In either case, for details
about how to specify the LDAP server, see the Secure Application Publishing paper at
https://www.microsoft.com/technet/isa/2006/secure_web_publishing.mspx.
Create the SSO-Enabled Web Listener
You will now create the SSO-enabled Web listener that listens on the external ssoServer network
interface card.
To create the SSO-enabled Web listener
1. On isa2006.contoso.com, open the ISA server snap-in: click Start, point to
Programs, point to Microsoft ISA Server, and then click ISA Server
Management.
2. On the Firewall Policy (default) result pane, on the Toolbox tab on the right side
of the result pane, select Network Objects, click New, and then click Web Listener.

3. On the Welcome page, enter ssoServer in the Web listener name box, and then
click Next.
4. On the Client Connection Security page, accept the default Require SSL
secured connections with clients, and then click Next.

5. On the Web Listener IP Addresses page, under Listen for incoming Web requests
on these networks, select the External check box, and then click Select IP
Addresses.

6. On the External Network Listener IP Selection page, select Specified IP
addresses on the ISA Server computer in the selected network.

7. Select the item in the Available IP Addresses list box.

8. Click Add, and then click OK.

9. On the Web Listener IP Addresses page, click Next.



10. On the Listener SSL Certificates page, click Select Certificate.

11. On the Select Certificate page, select the certificate you created for the ssoServer
Web listener. This certificate should have the FQDN of the URL used to access the
ssoServer listener; in this case, cwa.contoso.com. Click Select.

12. On the Listener SSL Certificates page, click Next.

13. On the Authentication Settings page, select HTML Form Authentication, select
LDAP (Active Directory), and then click Next.

14. On the Single Sign On Settings page, select the Enable SSO check box. In the SSO
domain name box, enter .contoso.com (notice the leading “.” in .contoso.com), and
then click Next.
15. If you did not configure the LDAP verification server before creating the Web
listener, you can configure it now on the page that appears. If you have already configured
the server, skip to the next step.
16. On the Completing the New Web Listener Wizard page, click Finish.

17. In the ISA MMC Firewall Policy result pane, click Apply.

18. On the Saving Configuration Changes page, click OK.

19. In the ISA Server snap-in, right-click the Server node in the scope pane, and then
click Refresh.
Publish the Communicator Web Access ssoServer Virtual Server
Use the following procedure to create an SSL Web publishing rule for the Communicator Web
Access ssoServer virtual server that is configured for custom authentication, and then attach the
listener to that publishing rule.
To publish the Communicator Web Access ssoServer site
1. In the scope pane of the ISA Server snap-in, click the Firewall Policy node.
2. Click the Tasks tab, and then click Publish Web Sites.

3. On the Welcome page, in the Web publishing rule name box, type ssoCWA,
and then click Next.
4. On the Select Rule Action page, click Allow, and then click Next.

5. On the Publishing Type page, verify that Publish a single Web site or load
balancer is selected, and then click Next.

6. On the Server Connection Security page, select the Use SSL to connect to the
published Web server or server farm check box, and then click Next. Using SSL is
required.

7. On the Internal Publishing Details page, in the Internal site name box, type the
name of the internal site (cwaserver.contoso.com). If necessary, specify the computer name
or IP address: select the Use a computer name or IP address to connect to the published
server check box, and then, in the Computer name or IP address box, type
cwaserver.contoso.com. When this page is as you want it, click Next.

8. On the next page, which is also titled Internal Publishing Details, type /* and then
click Next.

9. On the Public Name Details page, in the Public name box, type
cwa.contoso.com, and then click Next.

10. On the Select Web Listener page, in the Web listener list, click ssoServer, and then
click Next.

11. On the Authentication Delegation page, click Basic authentication, and then click
Next.

12. On the User Sets page, click Next.

13. On the Completing the New Web Publishing Rule Wizard page, click Finish.

14. In the snap-in, click Apply, click OK, and then refresh the ISA server node: in the
scope pane, right-click the server node, and then click Refresh.
Configure ISA Server to Redirect ssoServer Traffic to Port 444
Now configure ISA Server to redirect ssoServer traffic from port 443 to the Communicator Web
Access ssoServer virtual server that is running on port 444 on cwaserver.contoso.com.
To configure ISA to redirect https://cwa.contoso.com requests to port
444 on cwaserver
1. In the ISA Server Management scope pane, click the Firewall Policy node.
2. In the result pane, right-click the ssoServer Web Publishing rule, and then click
Properties.
3. On the ssoServer Properties page, click the Bridging tab.
4. On the Bridging tab, click Web server.
5. Clear the Redirect requests to HTTP port check box, click Redirect requests to
SSL port, and then type 444 in the box next to it. You do not need to select a certificate
on this page.
6. Click Apply, and then click OK.
7. On the main ISA management console, click Apply to commit the changes.
8. On the Apply New Configuration confirmation box, click OK.

Configuring client1.contoso.com and Testing the Deployment


To configure the SSO client and test the SSO deployment, you will perform the following tasks:
1. Prepare the ssoServer client.
2. Test the ssoServer connection.
3. Test the internal connection.
4. Test SSO.
The following sections describe these steps in detail.
Prepare the ssoServer Client (client1.contoso.com)
Prepare the ssoServer client.
To prepare the ssoServer Client 1
1. Attach the client 1 computer to hub2.
2. On contosodc.contoso.com or ocs2k7.contoso.com, whichever has the appropriate
administrative tools, add a User object in Active Directory and name it Ted.
Configure Ted as an Office Communications Server 2007 user with the SIP address
sip:ted@contoso.com.
3. On client 1, in Network Connections, change the network connections (see the
procedure for lab 1) to:
• IP Address = 192.168.1.6.
• Subnet mask = 255.255.255.0.
• DNS Server = 192.168.1.x
4. Add cwa.contoso.com = 192.168.1.5 to contosodc.contoso.com DNS server and to
the client1.contoso.com hosts file.
When client 1 was added to contoso.com as a domain member computer, it should have
downloaded and trusted the root certificate and CA chain of the CA that issued the certificate
for the ISA Server 2006 ssoServer interface.
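The certificate requirements stated in this lab can be checked before testing from the browser: the ssoServer listener certificate must carry cwa.contoso.com, the cwaSSO virtual server presents the cwaserver.contoso.com certificate on port 444, and the issuing CA's root must be trusted. The following PowerShell is an added example, not part of the original guide; the function name Test-LabCertificate is hypothetical. It assumes that it is run on a computer that can reach the endpoint being checked.

```powershell
# Added example (not from the guide). Test-LabCertificate is a hypothetical name.
function Test-LabCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,  # FQDN the client connects to
        [int]$Port = 443
    )

    # Fetch the server certificate. The callback accepts anything so that a bad
    # certificate is reported below instead of aborting the handshake.
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($origin, $certificate, $chain, $policyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
    }
    catch { throw "TLS connection to ${HostName}:$Port failed: $($_.Exception.Message)" }
    finally { if ($ssl) { $ssl.Dispose() }; $client.Close() }

    # Names the certificate is valid for: SAN DNS entries, else the subject CN.
    # Assumes an English-language Windows, where the SAN formats as "DNS Name=...".
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = @()
    if ($san) {
        $names = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                   ForEach-Object { $_.Groups[1].Value })
    }
    if (-not $names) { $names = @($cert.GetNameInfo('SimpleName', $false)) }

    # Exact match, or a wildcard that covers exactly one leading label.
    $dot = $HostName.IndexOf('.')
    $suffix = if ($dot -gt 0) { $HostName.Substring($dot) } else { $null }
    $nameOk = @($names | Where-Object {
        $_ -eq $HostName -or ($suffix -and $_.StartsWith('*.') -and $_.Substring(1) -eq $suffix)
    }).Count -gt 0

    # Build the chain against this computer's certificate stores. Revocation
    # checking is off on the assumption that the lab CA's CRL is not reachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Endpoint     = "${HostName}:$Port"
        Names        = $names -join ', '
        NameMatches  = $nameOk
        Issuer       = $cert.Issuer
        ChainRoot    = $root.Subject
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        NotAfter     = $cert.NotAfter
    }
}

# Endpoints from the guide: the ISA ssoServer listener and the cwaSSO virtual server.
Test-LabCertificate -HostName 'cwa.contoso.com' -Port 443
Test-LabCertificate -HostName 'cwaserver.contoso.com' -Port 444
```

NameMatches or ChainTrusted returning False for an endpoint points to the wrong certificate being bound or to a root CA certificate that is missing from the computer running the check.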
Test the ssoServer Connection
On client 1, open a supported browser, and then go to https://cwa.contoso.com. Add the site as a
trusted site so that you do not have problems with your browser’s security settings. If this is the
first time that client 1 has accessed this site, enter contoso domain credentials in the form that is
presented by ISA.
Figure 10: Default ISA Server 2006 Logon Page

The Communicator Web Access Contact List appears, as seen in the next figure.
Figure 11: Signed In

The Call-Forwarding button, seen in the next figure, will appear only if the user has been enabled
for Enterprise Voice.

Testing the Internal Connection


On client 2, open a browser. In the Address box of the browser, type
https://cwaserver.contoso.com, and then press ENTER. Communicator Web Access opens
without challenging you for credentials. Client 2 accesses the Communicator Web Access virtual
server that is configured to use built-in authentication and does not go through the ISA Server
2006 that is enabled for SSO.

Note
Clients cannot connect directly to the SSO-enabled
Communicator Web Access external virtual server without first
traversing an ISA Server 2006 that is enabled for SSO.

Performing Lab Scenario 2 Exercises


To test the Communicator Web Access features for users who sign in by using SSO, perform the
following exercises:
1. Log on to client 1 and sign in to Communicator Web Access as Ted. Sign in to client
2 and sign in to Communicator Web Access as Alice.
2. On Ted’s computer, add Alice to Ted’s Contact List, and on Alice’s computer, add
Ted to Alice’s Contact List.
3. From Ted’s computer, send an instant message to Alice.
4. From Alice’s computer, send a response to Ted.
5. Change Ted’s presence status, and verify that the change is reflected in Alice’s
Contact List.
6. Change Alice’s presence status to Do Not Disturb. From Ted’s computer, send Alice
an instant message.
7. On Ted’s computer, remove Alice from Ted’s Contact List.
8. Test SSO for ssoServer users.
Table 10 shows the procedures for these exercises.
Table 10: Lab scenario 2 Exercises
Exercise 1: Sign in as ted@contoso.com on Client 1 and alice@contoso.com on Client 2

| Step | Action | Result |
|---|---|---|
| 1 | Log on to Client 1 as Ted. | N/A |
| 2 | Start Internet Explorer. In the Address box, type https://cwa.contoso.com, and then click Go. | Add the site as a trusted site to avoid problems with browser security settings. Enter contoso domain credentials in the form that the ISA Server 2006 enabled for SSO presents. |
| 3 | Click Yes in the security alert. | The Communicator Web Access sign-in page appears. |
| 4 | Enter Ted’s credentials, and then click Sign In. | The authentication dialog box appears. |
| 5 | Repeat for alice@contoso.com on Client 2. Enter https://cwaserver.contoso.com in Internet Explorer, and then click Go. | See above. |

Exercise 2: Add Alice to Ted’s Contact List

| Step | Action | Result |
|---|---|---|
| 1 | With both client computers running, on Ted’s computer, type Alice in the Search box of the Communicator Web Access client. | N/A |
| 2 | Press the Enter key. | Alice appears just below the Search box. |
| 3 | Right-click Alice, point to Add Contact To, and then click Other Contacts. | Alice is added to Ted’s Contact List. Alice is also sent a message informing her that Ted has added her to his Contact List. The message also gives Alice the option of adding Ted to her Contact List. Accept the option. |

Exercise 3: Send an instant message from Ted to Alice.

| Step | Action | Result |
|---|---|---|
| 1 | On Ted’s computer, under All Contacts, double-click Alice. | The Alice - Conversation dialog opens. |
| 2 | From Ted’s computer, type a message in the message box and press ENTER. | The message appears in the message box as you type. When you press ENTER, the message is sent to Alice, which causes a desktop alert to pop up in the notification area of Alice’s computer. |

Exercise 4: Send a response from Alice to Ted.

| Step | Action | Result |
|---|---|---|
| 1 | From Alice’s computer, click the desktop alert that pops up as a result of Ted sending an instant message. | The Ted - Conversation dialog box opens. |
| 2 | From Alice’s computer, type a response in the message box of the Conversation dialog box. Press the Enter key. | The message appears in the text box as you type. When you press the Enter key, the response appears in the Alice - Conversation dialog box on Ted’s computer. |

Exercise 5: Change Ted’s presence, which is reflected in Alice’s Contact List.

| Step | Action | Result |
|---|---|---|
| 1 | On Ted’s computer, close the Alice - Conversation window. | Alice is notified that the conversation has been terminated by Ted. |
| 2 | On Ted’s computer, click Ted at the top of the Communicator Web Access main page. On the menu that appears, click Away. | Ted’s presence is shown as Away on both client computers. |

Exercise 6: Set Alice’s presence status to Do Not Disturb and send Alice an instant message from Ted.

| Step | Action | Result |
|---|---|---|
| 1 | On Alice’s computer, close the Ted - Conversation dialog box. | N/A |
| 2 | On Alice’s computer, click Alice at the top of the Communicator Web Access main page. On the menu that appears, click Do Not Disturb. | Alice’s presence is shown as Do Not Disturb on both client computers. |
| 3 | From Ted’s computer, send Alice an instant message as described previously. | A message in Ted’s Communicator Web Access page indicates that Alice’s status is Do Not Disturb. |

Exercise 7: Remove Alice from Ted’s Contact List

| Step | Action | Result |
|---|---|---|
| 1 | On Ted’s computer, on the main Communicator Web Access page, under Other Contacts, right-click Alice, and then click Remove from Contact List. | Ted is prompted to confirm that he wants to remove Alice from his Contact List. |
| 2 | In the confirmation dialog box, click OK. | Alice is removed from Ted’s Contact List. |

Exercise 8: Test SSO for ssoServer users

| Step | Action | Result |
|---|---|---|
| 1 | On the ssoServer client, open a browser window and go to Communicator Web Access at https://cwa.contoso.com in the browser. | You are challenged for credentials, with an ISA form before gaining access to Communicator Web Access for initial attempts in a browser instance when persistent cookies are not enabled. |
| 2 | Enter domain credentials. | You access the main Communicator Web Access page. |
| 3 | Sign out of the Communicator Web Access page: On the toolbar, click Connect, and then click sign out. Close the child browser page, but do not close the parent browser page. | You see just the Parent browser with the Sign In Again button. |
| 4 | On the main browser page, click Sign In Again. | You gain access to Communicator Web Access without being challenged for credentials. |
| 5 | Test your solution. | A user experience as designed. |
