Monday, October 22, 2007

Setting up Office Communications Server 2007 in a lab

While I found the installation of each component quite easy, there are gaps in the documented processes of the Edge Server and Standard Edition Server guides.

Overall setup:

1 Edge Server
1 Standard Edition Server

Internal Domain name: contoso.local
External Domain name: contoso.com

Server names:

serverA = Standard Edition server hosting users and serving as a Director
serverB = Edge server hosting the Access, Web, and A/V roles
firewall1 = ISA Server 2006 used to reverse proxy the Web Components traffic

Certificates:

sip.contoso.com (for the external port 5061 traffic)
ocs.contoso.com (for the port 443 Web Components traffic such as Live Meeting's whiteboard functionality)
meeting.contoso.com (for the port 443 Live Meeting functionality)

serverA.contoso.local (generated by an internal certificate authority such as Microsoft Certificate services and bound to the Standard Edition Server/Director)

NOTE: The above certificate MUST have a subject alternate name of serverA.contoso.com as well (see below for more).

serverB.contoso.local (also generated by the internal CA and bound to the private interface of the Edge server)

IP Addresses:

192.168.10.100 = serverA.contoso.local
192.168.10.101 = serverB.contoso.local
10.1.1.1 = Access role on serverB.contoso.com
10.1.1.2 = Web Conferencing role on serverB.contoso.com

150.100.2.1 = ISA Server public interface (will be NAT'd to perimeter network)
150.100.2.2 = ISA Server public interface (will be NAT'd to perimeter network)
150.100.2.3 = ISA Server public interface (will be NAT'd to internal network)
10.1.1.100 = ISA perimeter network interface
192.168.10.1 = ISA Server private internal network interface

External DNS records:

"A" record for sip.contoso.com pointing to 150.100.2.1
"A" record for meeting.contoso.com pointing to 150.100.2.2
"A" record for ocs.contoso.com pointing to 150.100.2.3
"SRV" record for _sip._tls.contoso.com pointing to sip.contoso.com on port 5061

Internal DNS records:

"A" record for serverA.contoso.local
"A" record for serverB.contoso.local
"SRV" record for _sip._tls.contoso.local pointing to serverA.contoso.local on port 5061

IMPORTANT!! --> "A" record for serverA.contoso.com = 192.168.10.100

The above entry is critical since the ISA server will be performing reverse proxy HTTPS access on the public side with "ocs.contoso.com" and then establishing a new HTTPS connection with "serverA.contoso.local". The issue I ran into is that the ISA server cannot change the domain suffix from .com to .local. The host name only changes on the internal HTTPS request. What makes this VERY difficult to troubleshoot is the fact that the firewall logs show a connection to:

http://serverA.contoso.local:443/conf/int/...

If you look at the ISA alerts or the server's application log you will notice that it complains about the target name being incorrect. It's trying to connect to serverA.contoso.com and not serverA.contoso.local. The end result is an HTTP 500 on the client browser if you test the web component functionality (https://ocs.contoso.com/conf/ext/tshoot.html).

Just remember, you MUST have a subject alternate name with "serverA.contoso.com" for your internal certificate on the standard edition server.

ISA Server firewall rules:

NOTE: Rules have already been set up to NAT traffic from the perimeter network to the Internet.

  • Allow OCS_SIP from External (150.100.2.1) to 10.1.1.1 via port 5061
  • Allow HTTPS Server from External (150.100.2.2) to 10.1.1.2 (NOTE: this is a non-web server traffic publishing rule)
  • A web publishing rule for HTTPS traffic to "ocs.contoso.com" on 150.100.2.3 going to serverA.contoso.com, which is actually 192.168.10.100

With this setup I can remotely use Office Communicator 2007 along with the Live Meeting client to establish anonymous meetings with 3rd party clients.

Cheers!

14 comments:

  1. Hi,
    just one question: what kind of template did you use to generate the certificate for the internal interface of the Edge server?
    The MS documentation doesn't specify which one of all the PKI templates should be used...
    Thanks!

  2. I have a Windows 2003 Domain Controller with Certificate Services installed.

    I used the same method for my OCS internal standard edition server.

    Use the Certificate Wizard and submit to an "online" authority which will end up being your internal certificate server.

    (Don't use the web based http://server/certsrv web site for any certificate request).

    Does that help?

  3. Can this be accomplished with ISA Server 2004? I ask because I am using SBS 2003, which does not support ISA 2006. Also, are the 3 public IPs a requirement?

    Many thanks.

  4. You sure can. ISA Server 2004/6 will work just fine.

    If you want Live Meeting, Office Communicator, and Web Conferencing components such as whiteboarding and file sharing you will need 3 public IP's.

  5. What about the A/V role? I was told that it needs a non-NAT IP.

    In my environment I have SBS with ISA 2004 (two NICs) and my OCS sits behind it in the internal network, with all the roles. Do I need to move the OCS to a DMZ network? I believe SBS with 3 NICs is not supported...

    Why not attach the OCS directly to the router? And if so, which ports do I need to open for all the roles?

    Also, assuming I will use externally trusted certificates, should I name the cert request with the external name of the server and the alternate name with the internal name of the server?

    Sorry for asking so much, I am really puzzled...

    Many thanks!

  6. I didn't set up my A/V server role for that very reason. First off, my ISP won't give me a block of IPs, which I think is actually required.

    I don't have a dual firewall topology like the Microsoft documentation asks for. So for simplicity I opted out of the A/V role.

    As for the certificates, you need one for your web components external name, one for the web conferencing role, and one for the access role.

    The web components certificate is the only one you need on the ISA server since you can set up port forwarding for the other two roles.

  7. Jason,
    Did you configure Enterprise Voice as well?

    I wonder how to configure user to user calls (Line URI parameter) to allow let's say 4-digit extension calling.

  8. Enterprise voice has not been configured as I don't have a media gateway or mediation server in my topology.

    I'm planning on setting up this type of configuration in our lab some time in the new year.

  9. Hi,

    After reading the Edge Server deployment guide, I realized that I needed to configure my ISA server as a reverse proxy for the web components.

    And since my default listener was already being used for another SSL publication, I had to configure an additional listener with another IP address bound to the external interface.

    My question is about the certificate. From your article I learned that it needs to match the subject alternate name of the internal OCS certificate. However, this certificate is issued by a trusted source (GoDaddy), whereas the internal certificate has been issued by our internal CA.

    Will this work?

  10. The SSL listener will have the GoDaddy certificate bound to it. When you specify the server name in the "to" tab, it must meet two criteria...

    1. The fqdn listed must match the subject alternate name of your internal OCS server.

    2. If the internal domain is different than the external domain, you must enter the fqdn with the hostname of the server and the domain name of your external domain.

    ...so if your internal server is called "ocs1" in a domain called "contoso.local", the "to" tab of the ISA rule should say "ocs1.contoso.com".

  11. What if I select the option in the publishing rule that says

    "forward the original host header instead of actual one specified above"?

    Isn't this the same?

  12. Then you need to make sure the fqdn of your certificate on your internal OCS server matches the external fqdn.

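As an added example, not code from the original post or its replies: a small Python model of the two things the post and the replies above (the "to" tab criteria and the forward-original-host-header option) say must line up on ISA's internal HTTPS leg: which name ISA verifies on the internal server certificate, and whether the "To" tab name resolves in internal DNS. The PublishingRule class and the certificate name lists are constructed for this example; the hostnames and IP address are the lab values from the post.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class PublishingRule:
    """Constructed model of the ISA web publishing rule, not ISA's own format."""
    public_name: str                     # name on the SSL listener, e.g. ocs.contoso.com
    to_server: str                       # FQDN typed on the "To" tab
    forward_original_host: bool = False  # "forward the original host header" option

def verified_name(rule: PublishingRule) -> str:
    """Name ISA checks against the internal server certificate: the 'To' tab
    name, or the public name when the original host header is forwarded."""
    return rule.public_name if rule.forward_original_host else rule.to_server

def name_matches(cert_name: str, host: str) -> bool:
    """Standard TLS host-name matching: case-insensitive exact match or a
    single-label wildcard (no claim here about what ISA 2006 accepts)."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == cert_name[2:]
    return cert_name == host

def check_rule(rule: PublishingRule, cert_names: List[str],
               internal_dns: Dict[str, str]) -> List[str]:
    """Problems the deployment would hit; empty means the internal certificate
    and internal DNS satisfy the rule. ISA always connects to the 'To' tab
    name, so that name must resolve internally (the post's IMPORTANT A record)."""
    problems = []
    name = verified_name(rule)
    if not any(name_matches(n, name) for n in cert_names):
        problems.append(f"certificate has no subject/SAN for {name} "
                        "(ISA alert: target name incorrect; client sees HTTP 500)")
    if rule.to_server not in internal_dns:
        problems.append(f"no internal A record for {rule.to_server}")
    return problems

# Lab values from the post; the certificate name lists are constructed.
LAB_RULE = PublishingRule("ocs.contoso.com", "serverA.contoso.com")
LAB_DNS = {"serverA.contoso.local": "192.168.10.100",
           "serverA.contoso.com": "192.168.10.100"}
CERT_WITHOUT_SAN = ["serverA.contoso.local"]
CERT_WITH_SAN = ["serverA.contoso.local", "serverA.contoso.com"]

if __name__ == "__main__":
    for names in (CERT_WITHOUT_SAN, CERT_WITH_SAN):
        print(names, "->", check_rule(LAB_RULE, names, LAB_DNS) or ["OK"])
```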
  13. Your domain controller is located on edge server or standard server? Domains are configured on domain controller? Internal Domain is configured on standard server, and external domain is configured on edge server?

  14. I am curious if you think wildcard certificates *.contoso.com will work on the ISA server.

    I guess I am actually asking which certificate is passed to the edge server? The external or the internal?
