Monday, October 22, 2007

Setting up Office Communications Server 2007 in a lab

While I found the installation of each component quite easy, there are gaps in the documented processes of the Edge Server and Standard Edition Server guides.

Overall setup:

1 Edge Server
1 Standard Edition Server

Internal Domain name: contoso.local
External Domain name: contoso.com

Server names:

serverA = Standard Edition server hosting users and serving as a Director
serverB = Edge server hosting the Access, Web, and A/V roles
firewall1 = ISA Server 2006 used to reverse proxy the Web Components traffic

Certificates:

sip.contoso.com (for the external port 5061 traffic)
ocs.contoso.com (for the port 443 Web Components traffic such as Live Meeting's whiteboard functionality)
meeting.contoso.com (for the port 443 Live Meeting functionality)

serverA.contoso.local (generated by an internal certificate authority such as Microsoft Certificate Services and bound to the Standard Edition Server/Director)

NOTE: The above certificate MUST also carry a subject alternative name (SAN) of serverA.contoso.com (see below for why).

serverB.contoso.local (also generated by the internal CA and bound to the private interface of the Edge server)

IP Addresses:

192.168.10.100 = serverA.contoso.local
192.168.10.101 = serverB.contoso.local
10.1.1.1 = Access role on serverB.contoso.com
10.1.1.2 = Web Conferencing role on serverB.contoso.com

150.100.2.1 = ISA Server public interface (will be NAT'd to perimeter network)
150.100.2.2 = ISA Server public interface (will be NAT'd to perimeter network)
150.100.2.3 = ISA Server public interface (will be NAT'd to internal network)
10.1.1.100 = ISA perimeter network interface
192.168.10.1 = ISA Server private internal network interface

External DNS records:

"A" record for sip.contoso.com pointing to 150.100.2.1
"A" record for meeting.contoso.com pointing to 150.100.2.2
"A" record for ocs.contoso.com pointing to 150.100.2.3
"SRV" record for _sip._tls.contoso.com pointing to sip.contoso.com on port 5061

Internal DNS records:

"A" record for serverA.contoso.local
"A" record for serverB.contoso.local
"SRV" record for _sip._tls.contoso.local pointing to serverA.contoso.local on port 5061

IMPORTANT!! --> "A" record for serverA.contoso.com = 192.168.10.100

This entry is critical because the ISA server terminates the public HTTPS connection for "ocs.contoso.com" and then opens a new HTTPS connection to the Standard Edition server on the internal side. The issue I ran into is that ISA cannot rewrite the domain suffix from .com to .local: the web publishing rule changes only the host name on the internal request, so the new connection is made to serverA.contoso.com, and that is the name ISA validates against the server's certificate. What makes this VERY difficult to troubleshoot is that the firewall logs show a connection to:

http://serverA.contoso.local:443/conf/int/...

If you look at the ISA alerts or the server's application log, you will notice that it complains about the target name being incorrect: it is trying to connect to serverA.contoso.com, not serverA.contoso.local. The end result is an HTTP 500 in the client browser when you test the Web Components functionality (https://ocs.contoso.com/conf/ext/tshoot.html).

Just remember: you MUST include a subject alternative name of "serverA.contoso.com" in the internal certificate on the Standard Edition server, or the internal leg of the reverse-proxied connection fails certificate validation.
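As an added pre-flight check (this script is not from the original post, and the names and addresses in it are the lab's as listed above), the following Windows PowerShell script verifies the three things that bit me here from the ISA server, or any internal host that can resolve internal DNS and reach serverA on TCP 443: that serverA.contoso.com resolves to 192.168.10.100, that the internal _sip._tls SRV record points at serverA.contoso.local on 5061, and that the certificate serverA actually presents on 443 covers the serverA.contoso.com name ISA will validate. It assumes Windows PowerShell 2.0 or later, Windows nslookup output ("svr hostname = ..."), and the Windows CryptoAPI rendering of the SAN extension ("DNS Name=..."); nothing else is assumed.

```powershell
# Added pre-flight check for the OCS 2007 lab above (not part of the original post).
# Assumes the lab's names/addresses; run with Windows PowerShell 2.0+ on a host that
# resolves internal DNS and can reach serverA on TCP 443 (the ISA server is ideal).

$InternalTarget  = 'serverA.contoso.com'     # the name in the web publishing rule's "To" tab
$ExpectedIp      = '192.168.10.100'
$InternalSrv     = '_sip._tls.contoso.local'
$ExpectedSrvHost = 'serverA.contoso.local'

function Report([bool]$ok, [string]$message) {
    if ($ok) { Write-Host "OK    $message" }
    else     { Write-Host "FAIL  $message" -ForegroundColor Red }
}

# 1. The A record ISA resolves when it opens the internal HTTPS connection.
#    If it is missing, the rule's "To" name either fails to resolve or resolves
#    to the public address instead of the Standard Edition server.
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($InternalTarget) |
        ForEach-Object { $_.IPAddressToString }
    Report ($addresses -contains $ExpectedIp) "$InternalTarget -> $($addresses -join ', ') (expected $ExpectedIp)"
} catch {
    Report $false "$InternalTarget does not resolve: $($_.Exception.Message)"
}

# 2. The internal SRV record Communicator uses for automatic sign-in.
#    Windows nslookup prints 'svr hostname = <target>' and 'port = <n>' for SRV answers.
$srvOutput = nslookup -type=SRV $InternalSrv 2>$null | Out-String
$srvOk = ($srvOutput -match "svr hostname\s*=\s*$([regex]::Escape($ExpectedSrvHost))") -and
         ($srvOutput -match 'port\s*=\s*5061')
Report $srvOk "$InternalSrv -> ${ExpectedSrvHost}:5061"

# 3. The certificate serverA presents on 443, checked against the name ISA validates.
#    The validation callback accepts anything so we can inspect the names ourselves;
#    this is a lab diagnostic, not something to reuse in production code.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $true
}
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($InternalTarget, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($InternalTarget)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $tcp.Close()
    }

    # Subject CN plus every DNS entry in the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) renders e.g. "DNS Name=serverA.contoso.local, DNS Name=serverA.contoso.com"
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    Report ($names -contains $InternalTarget) "certificate on ${InternalTarget}:443 covers: $($names -join ', ')"
    if ($names -notcontains $InternalTarget) {
        Write-Host "      ISA will report the target name as incorrect and clients will see HTTP 500." -ForegroundColor Red
    }
} catch {
    Report $false "TLS check against ${InternalTarget}:443 failed: $($_.Exception.Message)"
}
```

Run it before touching the ISA rules; a FAIL on the third check with only serverA.contoso.local in the list is exactly the symptom described above, and reissuing the internal certificate with the extra SAN is the fix.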

ISA Server firewall rules:

NOTE: Rules have already been set up to NAT traffic from the perimeter network to the Internet.

  • Allow OCS_SIP from External (150.100.2.1) to 10.1.1.1 on TCP port 5061 (the Access Edge role)
  • Allow HTTPS Server from External (150.100.2.2) to 10.1.1.2 <--- NOTE this is a non-web server publishing rule, so ISA does not terminate TLS here; the meeting.contoso.com certificate must be bound on the Edge server's Web Conferencing external interface
  • A web publishing rule for HTTPS traffic to "ocs.contoso.com" on the 150.100.2.3 listener, forwarding to serverA.contoso.com, which is actually 192.168.10.100 (ISA terminates TLS with the ocs.contoso.com certificate and opens its own HTTPS connection to serverA)

With this setup I can remotely use Office Communicator 2007 along with the Live Meeting client to establish anonymous meetings with 3rd party clients.

Cheers!