
Elan Shudnow's Blog


Office Communications Server 2007 R2 Enterprise Deployment – Part 1

January 5, 2009 by Elan Shudnow 90 Comments

Now that Office Communications Server (OCS) 2007 R2 is RTM, I thought it would be nice to create an article on how to deploy a single Enterprise Edition OCS Server which is connected to an x64 SQL Server 2008 RTM Back-End Server. This article is based on the OCS 2007 R2 RTM version. This article series is very similar to my OCS 2007 R1 RTM series here, but is based on the R2 RTM version instead of the R1 RTM version.

This article is to guide you through the entire OCS deployment process from scratch. This article will include the following:

  1. Certificate Services installation
  2. Single Enterprise Front End Server (No more expanded configurations) – with information on what to do to get a second Front End Server installed behind a Hardware Load Balancer
  3. Edge Server (Only Consolidated Edge Servers now) – NIC Configurations
  4. Dual-Homed ISA 2006 Installation to reverse proxy internal services

Part 1

Part 2

Part 3

Part 4

Part 5

Lab Setup

Guest Virtual Machines

One Server 2008 Enterprise (Standard can be used) SP1 x64 Domain Controller on which Certificate Services will be installed as the Enterprise Root Certificate Authority. Exchange 2007 SP1 is installed on separate computers. The purpose of Exchange in this lab is Group Expansion, where a Universal Distribution Group can be mail-enabled so that it can be expanded within Office Communicator 2007. Alternatively, a Distribution Group can be given an e-mail address in its AD properties, which satisfies the requirements of Group Expansion.

Two Server 2008 Enterprise (Standard can be used) x64 (x64 required) Member Servers where OCS 2007 R2 will be installed. One of these servers will be the Consolidated Edge Server which will contain 4 NICs.

One Server 2003 Enterprise (Standard can be used) x86 (x86 required) Member Server where ISA 2006 will be installed as a dual-homed box.

One Server 2008 Enterprise (Standard can be used) x64 (x86 can be used) Member Server where SQL 2008 is installed.

IMPORTANT: OCS 2007 R2 introduces some new AD requirements:

  • All Global Catalogs in the forest must be at least Windows 2003 SP1
  • All Domains which will have OCS 2007 R2 or users enabled for OCS 2007 R2 will need to be at least Windows 2003 Domain Functional Level, which follows from the next requirement. These Domain Controllers must be at least Windows 2003 SP1.
  • The forest in which OCS 2007 R2 will be deployed needs to be at least Server 2003 Functional Level.

Assumptions

  • You have a domain that contains at least one Server 2003 SP2 Domain Controller (DC)
  • You have configured the IP settings accordingly for all servers to be on the same subnet. I have provided the IP scheme of my lab below, but this will vary depending on your needs and Virtualization Software configuration. One exception to this is one NIC on the ISA Server will belong to a different subnet. This NIC would be the NIC that lives in the DMZ in a production environment.
  • Exchange 2007 Hub Transport Server, Client Access Server, and Mailbox Server are already installed in the environment. This article does not go over the installation or configuration of these roles but will go over mail-enabling a Distribution Group(s).
  • You have at least SQL 2005 SP2 server installed. We will be using SQL 2008 installed on Server 2008 Enterprise.  SQL 2005 SP1 is NOT supported for OCS 2007 R2 as it was for OCS 2007 RTM.
  • You have a copy of Office Communicator (OC) 2007 R2. We will be installing our copy of OC 2007 R2 on our Exchange CAS.

Computer Names

OCS Front End Server – SHUD-OCSFE1

OCS Edge Server – SHUD-OCSEDGE1

Domain Controller / Exchange Server / Root Enterprise CA – SHUD-DC2

ISA 2006 Server – SHUD-ISA1

SQL Server – SHUD-SQL1

Configuration of  Domain Controller / Root Enterprise CA

Processor: 4

Memory: 512MB

Network Type – External NIC

Virtual Disk Type – System Volume (C:\): 50GB Dynamic

Note: In a real-world environment, depending on the needs of the business and environment, it is best practice to install your database and logs on separate disks/spindles. We will be installing Active Directory, Certificate Services, and Exchange 2007 SP1 on the same disks/spindles for simplicity's sake in this lab.

Configuration of SQL 2008

Processor: 4

Memory: 512MB

Network Type – External NIC

Disk Type – System Volume (C:\): 50GB Dynamic

Configuration of ISA 2006 SP1

Processor: 2

Memory: 384MB

Network Type – External NIC

Network Type – External NIC

Virtual Disk Type – System Volume (C:\): 25GB Dynamic

Configuration of OCS 2007 R2 Edge

Processor: 4

Memory: 512 MB

Network Type – External NIC – used for internal NIC

Network Type – External NIC – used for Audio/Video Edge NIC

Network Type – External NIC – used for Web Conferencing Edge NIC

Network Type – External NIC – used for Access Edge NIC

Virtual Disk Type – System Volume (C:\): 50 GB Dynamic

Note: There are a few different ways the NICs could be set up on the Edge roles. I have included a mini write-up below entitled “Various Edge Server NIC Setups.”

Configuration of OCS 2007 R2 Front End

Processor: 4

Memory: 512MB

Network Type – External NIC

IP Addressing Scheme (Corporate Subnet)

IP Address – 192.168.1.x

Subnet Mask – 255.255.255.0

Default Gateway – 192.168.1.1

DNS Server – 192.168.1.150 (IP Address of the Domain Controller/DNS Server)

IP Addressing Scheme (DMZ Subnet)

IP Address – 10.10.10.x

Default Gateway – 10.10.10.x

Subnet Mask – 255.255.255.0

Preparation of ISA 2006 SP1 Node

Network Interface Card (NIC) Configuration

First thing we will want to do is configure the IP Configuration of both the Public DMZ NIC and Internal Corporate NIC.

We will want to rename our Public DMZ NIC connection to Public and our Internal Corporate NIC connection to Internal. To do so, go to Start > Control Panel. Once in the Control Panel, double-click on Network Connections.

Now you will be presented with the Network Connections window. This is where you can modify the network properties for each NIC in your server. For your Internal Corporate Connection, rename your Local Area Connection to Internal. Likewise, for your Public DMZ Connection, rename your Local Area Connection to Public. After you have done this, it will look something similar to the following:

Note: Do not forget that one of the assumptions earlier in this article is that you have a properly configured TCP/IP network where all nodes are properly connected. Because of this, I will skip the actual TCP/IP configuration. The IP for the Internal NIC is 192.168.1.170/24. The IP for the Public NIC is 10.10.10.153/24; in production, a public IP would typically be NAT’d to this address via a static Network Address Translation (NAT) rule.

Important: In a production environment, you would generally have the Default Gateway on your public NIC. Depending on the communication and configuration of firewalls, you would want to create a static route so your internal communications go directly to a router on the inside of your network that is more open to communications. This way, you would not have to open ports on your Edge firewall when not necessary. For example, if you were doing LDAPS and your DMZ Edge Firewall blocked port 636, you would need to create a static route so traffic destined to your internal corporate network goes to the internal router that allows 636. You would not need to do this if your DMZ Edge Firewall allowed port 636 and knew how to route to the internal corporate network.

To reduce the attack surface of your ISA Server, open the Public NIC properties, open the TCP/IP Properties, and go into the Advanced NIC configuration settings by clicking the Advanced button. From there, navigate to the DNS tab and de-select “Register this connection’s addresses in DNS.”

Select the WINS tab and de-select “Enable LMHOSTS lookup” and configure the NetBIOS setting to “Disable NetBIOS over TCP/IP.”

Once you are done configuring the Advanced settings, press OK three times and you will be back at the Network Connections screen. From here, choose Advanced and select Advanced Settings…

You will be presented with the Binding Order for your current NICs. Ensure that the Internal NIC is on top by selecting Internal and pressing the green up arrow key on the right-hand side of the dialog. The reason you want Internal on top is because your Corporate communications happen on this NIC and things like DNS are configured on this NIC.

Rename Computer and Join to Active Directory Domain

Make sure you give your ISA box a name that complies with your naming convention and then join your ISA box to the domain. For purposes of this lab, we will be naming this box SHUD-ISA1. A lot of Administrators believe that joining the ISA box to the domain is a security threat, but that is not so. Please refer to this article explaining why.

Preparation of Edge Node

Follow the same exact steps you did for the ISA 2006 node, except for a few things. Instead of 2 NICs, add 4. Also, do not join it to the domain.

A summary of the steps involved:

  • Create 4 NICs
  • Rename the NIC that is wired to the Internal Corporate Network to Internal
  • Rename the NICs that are wired to the DMZ appropriate to their function. Our Access Edge NIC will be named AccessEdge. Our Web Conferencing Edge NIC will be named WebConfEdge. Our Audio/Video Conferencing Edge NIC will be named AudioVideoConfEdge.
  • Assign the appropriate IP Addresses to each NIC. In OCS R2, when you have a single Edge Server, you no longer need to have a Public IP directly on the NIC.  When load balancing Edge Servers, the Audio/Video server also has a private IP but the VIP of the load balancer will need to have a Public IP for the A/V Role. This will be discussed more in detail below.
  • Create Static Routes if necessary
  • Disable the Public NICs from registering in DNS
  • Disable the Public NICs NetBIOS settings
  • Modify the Binding Order so the Internal NIC is on the top of the list.
  • Rename the Computer
  • Do NOT join it to the domain
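The DMZ-NIC hardening steps from the ISA section (disable DNS registration, disable NetBIOS over TCP/IP, turn off LMHOSTS lookup, add a static route to the corporate network) are the same ones summarised for the Edge node above. The following script is an added example and is not part of the original post; it applies those settings through WMI and then reads them back so you can prove they took. It assumes Windows PowerShell 2.0 on Server 2008 (or Server 2003 with PowerShell installed), an elevated session, and that the connections have already been renamed to Public and Internal. The corporate network, mask and internal router below are lab placeholders.

```powershell
# Added example (not from the original article): harden a DMZ-facing NIC on a
# dual-homed ISA or Edge box and verify the result. Run elevated.
param(
    [string]$PublicNic      = 'Public',        # connection name chosen earlier in the article
    [string]$CorpNetwork    = '192.168.0.0',   # corporate summary route (assumed lab value)
    [string]$CorpMask       = '255.255.0.0',
    [string]$InternalRouter = '192.168.1.1'    # router on the corporate side (article's lab gateway)
)

function Get-NicConfig([string]$ConnectionName) {
    # Win32_NetworkAdapter carries the friendly connection name; the TCP/IP
    # settings live on Win32_NetworkAdapterConfiguration with the same Index.
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
    if (-not $adapter) { throw "No network connection named '$ConnectionName'" }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
}

function Disable-DmzNicExposure([string]$ConnectionName) {
    $cfg = Get-NicConfig $ConnectionName

    # "Register this connection's addresses in DNS" unchecked (full and domain registration off).
    $rDns = $cfg.SetDynamicDNSRegistration($false, $false)

    # "Disable NetBIOS over TCP/IP" (TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled).
    $rNbt = $cfg.SetTcpipNetbios(2)

    # "Enable LMHOSTS lookup" unchecked. EnableWINS is a class-level WMI method,
    # so Windows treats this as a machine-wide setting rather than a per-NIC one.
    $rWins = ([wmiclass]'Win32_NetworkAdapterConfiguration').EnableWINS($false, $false)

    # WMI return codes: 0 = applied, 1 = applied but reboot required, >1 = error.
    foreach ($r in @($rDns, $rNbt, $rWins)) {
        if ($r.ReturnValue -gt 1) { throw "WMI call failed with return code $($r.ReturnValue)" }
    }
}

function Add-InternalRoute([string]$Network, [string]$Mask, [string]$Gateway) {
    # Persistent (-p) route so corporate-bound traffic leaves via the internal
    # router instead of following the default gateway that sits on the Public NIC.
    & route.exe -p add $Network mask $Mask $Gateway | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "route add failed with exit code $LASTEXITCODE" }
}

function Test-DmzNicHardening([string]$ConnectionName) {
    # Re-read the live configuration instead of trusting the method calls above.
    $cfg = Get-NicConfig $ConnectionName
    $findings = @()
    if ($cfg.FullDNSRegistrationEnabled) { $findings += 'DNS registration still enabled' }
    if ($cfg.TcpipNetbiosOptions -ne 2)  { $findings += "NetBIOS over TCP/IP not disabled (option $($cfg.TcpipNetbiosOptions))" }
    if ($cfg.WINSEnableLMHostsLookup)    { $findings += 'LMHOSTS lookup still enabled' }
    return $findings   # an empty list means the NIC matches the hardened state
}

Disable-DmzNicExposure $PublicNic
Add-InternalRoute $CorpNetwork $CorpMask $InternalRouter
$issues = @(Test-DmzNicHardening $PublicNic)
if ($issues.Count -eq 0) { "$PublicNic : hardened as expected" } else { $issues }
```

On the Edge node, call Disable-DmzNicExposure once for each of the three DMZ connections (AccessEdge, WebConfEdge, AudioVideoConfEdge); Add-InternalRoute only needs to run once per box. The binding-order change (Internal at the top) stays a GUI step in Advanced Settings; this script does not touch it, and it does not join the machine to the domain.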

Certificate Authority Configuration

IMPORTANT: Just as a note, the instructions below are for setting up a Certificate Authority in Server 2003 and are from my previous article series on setting up OCS 2007 RTM. My lab has the certificate authority set up on my Server 2008 Domain Controller, and it was already deployed prior to this article series. The process for setting up the Certificate Authority is virtually identical. Because of this, I am not going to set it up all over again just to have updated pictures from the Server 2008 GUI. The only difference is that in my existing lab environment, where the CA lives on Server 2008, the Root CA is simply named CA.

So as for how to set up a CA on Windows Server 2003 SP2, we will want to make sure that we have the SP2 binaries and our CD1 for our Windows Server 2003 Enterprise installation. It will be required when we install Certificate Services.

To begin the CA installation, go to Start > Control Panel. Once in the Control Panel, Double Click on Add or Remove Programs.

Click Add/Remove Windows Components.

Place a checkmark in the checkbox next to Certificate Services. You will automatically be shown a prompt warning you not to modify the computer name. Ensure your computer name is set correctly before continuing. Once you have your computer name set, click Yes and then Next to continue.

Because we will be choosing an Enterprise Root CA, leave the defaults selected. Click Next to Continue.

Note: Choosing an Enterprise Root CA can be considered a security risk to many. Make sure a proper design for a PKI infrastructure is done for both functionality, security, etc. before deploying an internal PKI solution for your organization. I am using an Enterprise Root CA because I am doing this in a test environment and it reduces the amount of resources needed for the lab.

We will name our Root CA OCS-CAROOT. Keep in mind, this is not our machine name. This is what the root certificate’s name will be. As stated earlier, this is the CA name we specified in the OCS 2007 RTM article series.  If you want to follow along more closely and have the naming convention the same as the rest of the OCS 2007 R2 article series, name the Common Name CA. Click Next to Continue.

Specify where you want to store your Certificate Database and Logs. For purposes of this lab, we will install it on our System Partition (C:\). Click Next to Continue to begin installation. As stated earlier, make sure you have the SP2 binaries and CD1 of your Server 2003 Installation CD.

If you’re like me and always forget to install Internet Information Services (IIS) prior to installing Certificate Services, you will get the following prompt. Don’t worry, we’ll fix this after our Certificate Services installation completes. If you did get this prompt, Click OK to Continue.

Now our Certificate Services Installation should complete successfully. If you did forget to install IIS before Certificate Services installation began and you received the prompt above, go install IIS by following the instructions here. You will also need your SP2 binaries and CD1 of your Server 2003 Installation CD.

Once IIS is installed, to create the CertSrv subfolder within IIS, type the following command:

Certutil -vroot
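Once Certificate Services and IIS are in place, it is worth confirming that the CA is actually answering, that its name was published to Active Directory, that domain members trust the root certificate, and that the CertSrv virtual directory created by certutil -vroot is serving. The script below is an added example and is not part of the original article; it assumes Windows PowerShell 2.0 on a domain-joined machine with certutil.exe available, a CA common name of OCS-CAROOT (use CA to match the rest of the R2 series), and the lab host name SHUD-DC2 for the web check.

```powershell
# Added example (not from the original article): post-install checks for the
# lab Enterprise Root CA. CA name and host are placeholders from this lab.
param(
    [string]$CaCommonName = 'OCS-CAROOT',
    [string]$CaHost       = 'SHUD-DC2'
)

function Test-CaReachable {
    # certutil -ping contacts the CA's request interface over DCOM; a non-zero
    # exit code means the service is down or no CA config string could be found.
    & certutil.exe -ping | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-CaNameFromAd {
    # certutil -cainfo name prints "CA name: <name>", the CA name as published
    # to AD, which is what OCS will see when it enrolls.
    $out = & certutil.exe -cainfo name
    foreach ($l in $out) {
        if ($l -match '^CA name:\s*(.+)$') { return $matches[1].Trim() }
    }
    return $null
}

function Test-RootCaTrusted([string]$CommonName) {
    # An Enterprise Root CA's certificate is published to AD and lands in each
    # domain member's Trusted Root store; confirm it is present on this machine.
    $hits = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$CommonName*" }
    return ([bool]$hits)
}

function Test-CertSrvWeb([string]$HostName) {
    # certutil -vroot creates the /certsrv virtual directory in IIS; an HTTP 200
    # with integrated authentication means the enrollment pages are serving.
    $req = [System.Net.HttpWebRequest]::Create("http://$HostName/certsrv/")
    $req.UseDefaultCredentials = $true
    try {
        $resp = $req.GetResponse()
        $ok = ($resp.StatusCode -eq [System.Net.HttpStatusCode]::OK)
        $resp.Close()
        return $ok
    } catch [System.Net.WebException] {
        return $false
    }
}

$results = @{
    'CA service answering' = Test-CaReachable
    'CA name in AD'        = Get-CaNameFromAd
    'Root cert trusted'    = Test-RootCaTrusted $CaCommonName
    'CertSrv web pages'    = Test-CertSrvWeb $CaHost
}
$results.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

A false from Test-RootCaTrusted on a freshly joined machine usually just means Group Policy has not refreshed yet; a false from Test-CertSrvWeb after the other three pass points at the IIS side (missing vroot or authentication settings) rather than at the CA itself.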

Various Edge Server NIC Setups

When going over the NIC configuration of our Edge Servers, it has been noted that we will be using 4 NICs for our Consolidated Edge Server. This would be Method #1 below. As you can see, there are two other ways the NIC Setup could be configured.

Note: The IPs in the above diagram do not represent IPs we will be using in our lab. They are only a representation of what you may see in a production environment.

Method #1

Every role has its own dedicated NIC. This is recommended because people have had issues in the past with communications when roles share IP addresses on the same NIC.

Method #2

It is also possible to use one NIC for the Audio/Video Edge Server, Web Conferencing Edge Server, as well as the Access Edge Server. Because of this, all 3 Edge Server Roles would have Private IPs meaning they can all be on the same NIC. You would then use a dedicated NIC for the Internal NIC.

Update 1/17/2009 – I used to recommend Method #1. This worked just fine out of the box with Windows 2003 and still does. Windows 2008, and Windows 2008 R2 (not yet supported), both use the new Strong Host networking model, which introduces some complications when using Method #1. There are some security differences between the Strong Host model and the Weak Host model. For example, if traffic comes in on one interface, it is going to leave back out that same interface. But with Windows 2003 networking, you can only have one default gateway. So there are some tricks to do with multiple NICs, such as assigning multiple Default Gateways and tweaking your Windows routes. Jeff Schertz, OCS MVP, details this on his blog article here. Generally, Method #1 will give you greater performance benefits, but with how OCS scales and its sizing guidance, 2 NICs are fine. I’ve generally been using Method #2.

Private IP on Audio/Video

In OCS R1, an Audio/Video Edge Server needed a Public IP directly on the NIC. In OCS R2, when you are doing a single Edge deployment with no load balancer, you can have a private IP directly on the Audio/Video Edge NIC. When load balancing, you can also use a private IP on the Audio/Video NIC, but the load balancer IP must be a public IP address which then NATs to the private IP address of the Audio/Video Edge NIC.

As you can see, when utilizing Load Balancing on an Edge, you must now use DNAT for incoming connections with a public IP of 192.0.2.1, which then NATs to the private IP on the Audio/Video Edge NIC of 10.10.10.1. The same happens outbound, except that SNAT is used instead of DNAT. The incoming DNAT and outbound SNAT are a requirement.

Summary

Well folks, that is all for Part 1 of this article. For Part 2, I will go over the preparation and installation of a Front End OCS 2007 R2 Server Pool.


Comments

  3. Salim Jamadar says

    May 20, 2011 at 6:03 am

    Hi Elan,

    Just we installed Exchange 2007 in our organization; now the issue I am facing is that we are using CRM software and I am unable to send mail from CRM to the customers (outside); internally it is working fine. The error is: the server one or more recipient addresses. The server response was 550 5.7.1 unable to relay.

  4. John Jennings says

    April 4, 2011 at 4:55 pm

    Hey Elan,

    I was just wondering if you can point me in the right direction to remove a 2007 R2 Edge server from a deployment? The client still wants to use OCS internally, but wants to remove the ability to access outside the network, federate, etc.

    Any tips?

    • Elan Shudnow says

      April 17, 2011 at 4:23 pm

      http://technet.microsoft.com/en-us/library/dd5728…

  5. tunji says

    March 2, 2011 at 10:05 am

    Hi Elan, please, I need you to send me a link to your Exchange Server 2007.

  6. Madushka says

    November 3, 2010 at 3:18 am

    Dear Sir,

    We have done an OCS 2007 R2 POC in Sri Lanka (UTC +5.30); here it is working fine in this domain, but we have tried to connect clients in the Netherlands, Spain and a few other places, and it shows an error; it's a time zone problem.
    The clients in different time zones are not connected.

    Please explain to me how to correct this.

    regards

    Madushka

    • Elan Shudnow says

      November 18, 2010 at 9:53 am

      It may not be a time zone problem, but the time may be skewed somewhere. If the time on a client or server (this case probably client) is more than 5 minutes (by default in Group Policy) off from DCs, connectivity issues will ensue.

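The reply above points at clock skew rather than time zones: Kerberos rejects tickets when a client's clock is more than 5 minutes (the Group Policy default) off from the DC. The following script is an added example and is not part of the thread; it measures the offset against the DC with w32tm and flags anything beyond that tolerance. It assumes Windows PowerShell 2.0, that w32tm.exe can reach the DC over NTP, and uses the lab name SHUD-DC2 as a placeholder.

```powershell
# Added example (not from the original thread): measure clock offset from a DC
# and compare it with the Kerberos default tolerance of 5 minutes.
param(
    [string]$DomainController = 'SHUD-DC2',   # lab placeholder
    [int]$MaxSkewSeconds      = 300           # "Maximum tolerance for computer clock synchronization" default
)

function Get-ClockOffsetSeconds([string]$Server, [int]$Samples = 3) {
    # w32tm /stripchart /dataonly prints one "HH:MM:SS, +dd.ddddddds" line per
    # sample; error lines carry no trailing "s" offset and are skipped.
    $lines = & w32tm.exe /stripchart /computer:$Server /samples:$Samples /dataonly
    $offsets = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]?\d+\.\d+)s\s*$') { [double]$matches[1] }
    }
    if (-not $offsets) { throw "No samples from $Server (check name resolution and UDP 123)" }
    # Average the samples to smooth out network jitter.
    return ($offsets | Measure-Object -Average).Average
}

function Test-ClockWithinTolerance([double]$OffsetSeconds, [int]$ToleranceSeconds) {
    # Absolute value: the client can be ahead of or behind the DC.
    return ([Math]::Abs($OffsetSeconds) -le $ToleranceSeconds)
}

$offset = Get-ClockOffsetSeconds $DomainController
if (Test-ClockWithinTolerance $offset $MaxSkewSeconds) {
    "Offset from ${DomainController}: {0:N3}s (within {1}s tolerance)" -f $offset, $MaxSkewSeconds
} else {
    "Offset from ${DomainController}: {0:N3}s EXCEEDS {1}s; fix time sync before troubleshooting sign-in" -f $offset, $MaxSkewSeconds
}
```

Run it on the client that cannot sign in as well as on the OCS servers; a large offset on either side produces the same symptom, and the time zone setting is irrelevant as long as the underlying UTC clock is right.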
  7. Philo says

    September 17, 2010 at 3:17 pm

    should the DNS server for name resolution be on the internal (talking to internal DNS) or external (talking to public DNS) interface on the edge server?

    • Elan Shudnow says

      September 20, 2010 at 11:38 am

      I always let the internal DNS Servers handle recursion for DNS. Keep in mind, if you want NAT for AV Edge (requires that you not be load balancing), the Edge Server will need the public IP for this FQDN. You can do that in the hosts file or in internal DNS.

  8. bw201 says

    August 30, 2010 at 10:19 am

    Can you help with this one.
    I need to define the process of how Communicator 2007 R2 locates the pool in its specific region. There are two pools, one in New York (pool0.nyc.mydomain.com) and one in London (pool1.LON.mydomain.com). How does Communicator know which pool to attach to? Does anyone have a step-by-step process of how this happens? Would this be the same step for existing Communicator 2005 as well? One other question: do we make any changes to Communicator 2005 settings when we move users from their current pool to the new OCS 2007 R2 pool? FYI, all client workstations have static IPs.

    • Elan Shudnow says

      August 30, 2010 at 10:36 am

      You’re in luck since I wrote an article on this:
      https://www.shudnow.io/2008/09/04/automatic-logons-directors-and-client-redirections/

  9. kc571 says

    August 6, 2010 at 12:00 am

    I've been going crazy with this one. I used your guide and other resources. I can make calls from PSTN GW > MED > OCS > MOC. But, when I call from MOC > OCS > MED > PSTN GW, the call fails. I've isolated that the issue is specific to 5061 closing upon the initial TLS negotiation. Firewall is off. I think the certs are ok. I've made the changes to the local security policy. I have three VMs running WS2008R2 (1 with AD/DNS/CA, 1 with OCS, and 1 with Mediation). I appreciate any feedback.

    • kc571 says

      August 10, 2010 at 1:21 pm

      I figured it out. Never mind.

  10. Joey Freyre says

    June 9, 2010 at 7:23 pm

    Hi Elan!

    First off I'd like to echo everyone’s sentiments on this forum and offer a hearty thank you! This is an extremely helpful piece of work. The time you dedicated out of what I’m sure is a very busy schedule is certainly appreciated!

    I have one question. I currently have TMG 2010 in my environment acting as both a firewall (VPN tunnel endpoint) and Exchange Edge server. The latter role requires that the TMG NOT be a domain member. For purposes of OCS you mention that you "SHOULD" join the reverse proxy to the domain. I’m wondering if this is a hard requirement. What if any functionality will be lost if the reverse proxy is not joined? Will it still "work"? Your help is very truly appreciated! Thank you sir! Hope to hear from you soon.

    Regards,

    Joey Freyre

    • eshudnow says

      June 29, 2010 at 4:42 pm

      I don't think I've ever said that you "should." I would say it would depend on the environment. There are Pros/Cons to each method but I typically push for the Domain-Joined model if possible. The following articles will talk about pros/cons: http://blogs.isaserver.org/shinder/2006/06/04/to-…

  11. Dean says

    May 12, 2010 at 9:12 am

    Hi Elan,

    I am about to deploy OCS 2007 R2 here at work. Do you think your guide will help someone to install it from scratch, step by step? Obviously you wrote it with IT people in mind, but say, do you think a basic IT person can follow it?

    thanks

    Dean

  12. abidg says

    March 28, 2010 at 7:13 am

    hi elan,

    Congrats for the nice work and for helping others with quick replies. I want to install the IM feature just for a few users. We have Exchange 2007 in production with ISA 2006 for publishing OWA etc. I have two 64-bit virtual servers with 4 GB RAM, and for SQL I can use the existing one. I want to know where I should start; I have already downloaded OCS R2 and once I feel OK I will update the license.

    • Elan Shudnow says

      March 30, 2010 at 2:40 am

      Just deploy a Front End Server. You can use the Standard Edition which will install SQL Express 2005 or you can use OCS Enterprise which will allow you to use your existing SQL Server. You can use a second box as an Edge Server. Then use ISA to publish the Web Components role that lives in the Front End to give you access to distribution group expansion, address book, etc…

  13. Kwadwo says

    March 21, 2010 at 11:49 am

    Hello Elan,

    Can you please tell me how many servers I need to be able to implement all the roles on my network, and also which of the roles can run in parallel on one server (so I can consolidate some of the roles and cut cost).

    Thanks,

    Kwadwo

  14. Kings says

    February 7, 2010 at 12:19 am

    Good job,
    Some questions: when I set up an OCS test environment in an enterprise environment, what is needed when a user is outside the network using ISDN, connecting through the firewall to the company network? Is it possible, through a Mediation Server (remote access enabled), for remote users from the Internet to call from an Office Communicator client to an Office Communicator client inside the company network without an Edge Server in place?

    • Elan Shudnow says

      March 23, 2010 at 1:34 pm

      No, a Mediation Server does not allow any Remote Access. An Edge Server is needed. In fact, when deploying a Mediation Server for PSTN Voice, you still specify the A/V Edge so OCS users can relay PSTN Audio through the A/V Edge to the Mediation Server which will then send that audio out to the PSTN which will eventually get transcoded to G.711. So, you'll always need an Edge.

  15. althaf says

    February 1, 2010 at 12:56 pm

    Hi All,

    I am Althaf, working for a tech support MNC company. I would like to install OCS 2007 R2 on Win 2008. I have tried several times and haven't succeeded.

    I want some basic information, like whether we can install OCS 2007 R2 on a single VM Windows 2008 machine. If yes, please suggest the steps and which one is to be installed prior to the others.

    So far I have tried several times and got stuck at the Setup Delegation Wizard. Please find below the error message it throws every time:
    Failure "[0x8007001F] A device attached to the system is not functioning."

    I would appreciate you guys to suggest or any help in this regard.

    Thanks n Regards,
    Althaf

    • Elan Shudnow says

      February 4, 2010 at 6:35 pm

      althaf,

      For my labwork, I always virtualize. Keep in mind though, that most roles for virtualization are not supported and should not be done in production. This does not mean that you cannot, just that you risk having issues and/or not receiving support from Microsoft.

      Make sure your time is in sync and your timezone is set correctly. Also, make sure that you are not using some extensive password with not-so-typical characters, as I have seen this break an install. Also, you may want to try running ocsanfix.exe, as I have seen that break certain parts of an install process. That exe is available here: http://support.microsoft.com/kb/974571

      Hope that helps

  16. gareth says

    January 28, 2010 at 2:04 pm

    This is fantastic – cheers for posting!

  17. Shabir says

    January 20, 2010 at 7:18 pm

    Hi Elan

    Thanks for the effort on the installation details. It is really helpful.

    But I do have one problem, which is that I receive “distribution group service could not perform this action” when I’m using ISA Server 2006 as a proxy for my IE. If I remove it (and use Cisco Transparent Proxy), Office Communicator is able to retrieve the distribution group.

    Hope you may help me on this, on how to change the setting at ISA Server to allow the distribution group to be retrieved.

  18. Shahid says

    December 22, 2009 at 4:41 am

    Soon I shall have an interview for an OCS administration job and I have never learnt it. I am reading the book but want to do practical work also.

    Could someone in this world please help me with the questions I have as follow:

    I do not have a 64-bit machine. Is there any possibility of installing OCS 2007 R2 on Server 2003 x86?
    Can I do it on virtual Machines?
    Can I download OCS 2007(not R2) from anywhere?
    What could be the possible interview questions, any tips?

    Thank you in advance.

    • Elan Shudnow says

      December 22, 2009 at 4:58 am

      Hi Shahid. OCS 2007 was x86 only (no x64 out there) and OCS 2007 R2 is x64 only (no x86 out there).

      You can run them in VMs. OCS 2007 has no virtualization support and OCS 2007 R2 has some virtualization support. You can read the virtualization support policy here: http://communicationsserverteam.com/archive/2009/…

      You can download OCS 2007 R2 Evaluation here: http://technet.microsoft.com/en-us/evalcenter/bb6…

      More documentation here including a doc specific to OCS Administration: http://www.microsoft.com/downloads/details.aspx?f…

      Hope that helps and good luck on the interview.

  19. Liz says

    December 14, 2009 at 9:11 am

    Hi Elan

    Thanks for all the info, it has been really useful.

    I have a question regarding Edge services. We are a fairly large organisation that shares a secure external WAN with other similar organisations with which we would like to federate. We also need to enable external client access and possible federation with external partners from the Internet. Is it possible to support this configuration i.e. communication via the external WAN where available, otherwise via the Internet? If so, how is this best achieved?

  20. Netpros says

    December 2, 2009 at 1:22 pm

    Hi Elan,

    Great article. I am currently planning to deploy OCS Server and Exchange 2010 for a small business client; I think a guide which combines these as a full unified communications solution would be very helpful to our community.

    I just created a lab for it to start with it.

    Thanks

    Netpros

  21. Melvin says

    October 16, 2009 at 4:19 pm

    We are deploying OCS 2007 R2 Enterprise in single server and empty root domain environment. We have three Windows 2008 AD site domains, the FE OCS server will sit in one of those sites. Is there any special configurations that I need to consider to allow the users from the other two sites to access OCS; for example do I have to run the Domain Prep in each domain?

    • Elan Shudnow says

      October 16, 2009 at 8:23 pm

      You just need to make sure you domain prep any domain that will contain users who will be enabled for OCS.

  22. Manish Malik says

    October 9, 2009 at 4:18 am

    Hi, In my setup I already have Edge with ISA Reverse Proxy and pretty soon I am going to deploy CWA as well. I was just wondering, can I use same ISA server for CWA External which I used for Edge Server.

    If yes, then do I need to assign another public IP to frontend NIC of ISA Server and get that address published on Public DNS for CWA. Is that how it works?

    Please help!

    ~Manish

    • Elan Shudnow says

      October 12, 2009 at 11:18 pm

      Not necessarily. You can use the same listener and configure your rule to bypass pre-auth. That means to configure your rule so the authentication delegation tab allows all clients to authenticate directly and then assigning "All users" to use the rule instead of "Authenticated Users." Or you can use a new public IP and create a new listener.

  23. Umesh Chaurasia says

    September 16, 2009 at 2:51 am

    Hi Elan,

    We are mainly a UC application developer. Till now we have developed multiple applications for Cisco UC infrastructure. Now we are planning to start work on Microsoft OCS. As we are new to OCS we have some basic queries regarding installation of OCS:
    1) How many servers will be required to deploy MS OCS 2007 R2? Is it possible to deploy on a single server?
    2) Can I get an OCS installation guide somewhere?
    3) How will I get SSL certificates?

    Thanks & Regards,
    Umesh

  24. Shams says

    September 6, 2009 at 4:02 am

    Dear Mr. Elan,
    You have written a very nice post. While preparing the AD I am facing the below problem:
    We have one root domain controller, a single domain & forest, and 20 additional domain controllers including all branches.

    Root Domain Admin: True
    Forest Settings: Not Ready
    ————
    Failure
    [0xC3EC7800] The forest schema is not prepared to host Office Communications Server.

    • Elan Shudnow says

      September 6, 2009 at 1:26 pm

      Sounds like you have a replication problem somewhere in the environment.

      Reply
  25. Derek says

    September 2, 2009 at 6:49 pm

    Great article Elan. I am trying to figure out how many load balancers are required for a 2 Edge server configuration. I would think I only need one, but it seems from other documentation on the web that I may in fact need 2: one for the external VIP and another load balancer to do the internal NIC VIP. Is this correct?

    Reply
  26. Raj Hans says

    September 1, 2009 at 5:39 am

    Hi Elan, Great article.

    Thanks for posting this article, it will help much for deployment.

    Really this is a great achievement.

    Reply
  27. Elan Shudnow says

    August 13, 2009 at 9:11 pm

    Sure, you can do that.

    Reply
  28. Max says

    August 13, 2009 at 11:12 am

    I assume File/Printer sharing should be disabled on the public (DMZ) interfaces for ISA and Edge servers?

    Reply
  29. Elan Shudnow says

    August 12, 2009 at 12:51 pm

    You should be able to post. Shoot me over an e-mail with the post you’re trying to post to and what the page says such as access denied?

    Reply
  30. Nomi says

    August 12, 2009 at 5:50 am

    Hi, can someone tell me why I can’t submit comments? I’m planning to set up 1x Edge server for external users and have some questions; I can post my comments to other posts except this one.

    Appreciate your help.

    Reply
  31. ally_r says

    July 31, 2009 at 3:36 am

    Thanks for the reply Elan. I thought it was a bad idea (which is why I hadn’t done it yet). I guess we will either have to procure another 64-bit server or implement 32-bit R1. Thanks again, you’ve been bookmarked!

    Reply
  32. Augus says

    July 28, 2009 at 10:11 am

    Hi Elan,
    I am grateful for your hard work! Now I am planning to install a trial version of OCS 2007 on my network to test and evaluate. For this I may be required to have 8 servers, or I can use DC - 1 no., FE, Edge, SQL - 1 no., Exchange 2k3, Cert SRV - 1 no.; for the FW I am using a Fortigate 100A. Can you confirm whether the above requirements are enough or not?

    Thanks,
    Augus

    Reply
  33. ally_r says

    July 28, 2009 at 5:39 am

    Hi Elan,
    Great article. I have been testing OCS 2007 R1 for our company and I’m now looking to implement R2 fully. However we have a shortage of 64-bit servers in our network. Are you aware of any issues installing OCS 2007 R2 on the same server as Exchange 2007? There are only 50 or so users in the whole company and the server has plenty of spare resources. I remember reading something when initially looking into implementing R1, however I’m unable to track this down now. Any info would be great.

    Cheers

    Ally

    Reply
    • Elan Shudnow says

      July 29, 2009 at 7:58 pm

      Don’t do this. Both will want to use the Default Website and the certs and such will conflict. Not to mention other possible issues. It’s plainly just not supported and I wouldn’t try getting it to work. You’ll basically be trying to Frankenstein a solution together.

      Reply
  34. Una says

    July 1, 2009 at 9:35 pm

    Thanks Elan, that’s exactly what I needed to know.

    Reply
    • Elan Shudnow says

      July 1, 2009 at 11:14 pm

      You’re welcome. Thanks for posting!

      Reply
  35. Elan Shudnow says

    May 27, 2009 at 9:21 am

    Multiple certs on the same server are fine. When using OCS, for each service, you choose what certificate you want to use. For Exchange, you can enable your services to use a certificate and then it’ll use some logic to determine which is the best certificate to use (expiration is set to a further date, is a PKI certificate over a self-signed, etc.)

    Personally, I would most definitely use a separate certificate with Exchange and OCS. The reason is that for OCS, for your Edge Server, you should have your Access Edge FQDN as your SN and the rest you can have as a SAN. Keep in mind, it’s only supported to have every service with its own certificate. Access Edge should have its own cert, Web Conferencing should have its own cert, etc… A/V doesn’t need a public-facing certificate but should have an A/V Authentication certificate that should be signed using your internal CA and should be a different certificate than your regular internal certificate.

    Reply
  36. OCS says

    May 26, 2009 at 11:18 pm

    Hi Elan,

    I have a question on configuring certs for Exchange 2007 and OCS in the same environment with an F5 firewall.

    MS recommends using an internal CA for the internal components of OCS and a 3rd-party cert for external OCS components, and also a 3rd-party cert for OWA/ActiveSync and Outlook Anywhere. Can I request one UC cert with my 14 SANs, and then add the same 3rd-party cert to all my Exchange and OCS servers?

    What happens if there are multiple certs on one server – so a self signed/a windows internally generated cert and a 3rd party cert? What will OCS and Exchange use, will it cause any conflicts?

    Many Thanks
    Una

    Reply
  37. Elan Shudnow says

    May 24, 2009 at 8:34 am

    I already included the steps in my article. :) Contact your MS Licensing Rep and they’ll help you get started. Everything is fine in what you listed. I would recommend getting SP1 for MS Office 2007 as it helps with some Outlook/Communicator integration issues.

    Reply
  38. shabab says

    May 24, 2009 at 1:08 am

    Hi Elan, Great article.

    By the way, could you help me to do this, as we need to test Office Communicator in our existing office internally?

    1) We don’t have an Exchange server yet (going to implement soon).
    2) DC and file servers are MS Windows 2008 32-bit.
    3) All domain machines have Vista Business and Ultimate.
    4) MS Office 2007 Standard version is installed on client machines.
    5) One machine already has Windows 2008 64-bit installed and is added to the domain.

    What are the steps I need to take, and from where can I download OCS 2007 R2?

    Thanks
    Shabab

    Reply
  39. Elan Shudnow says

    May 14, 2009 at 9:16 am

    Thanks. I have not done a Standard guide and have no plans on doing so.

    Reply
  40. dean says

    May 14, 2009 at 3:46 am

    Hi Elan,

    Good work. You don’t have any step-by-step how-tos on installing the Standard Edition, do you, please?

    We have OCS 2007 R1 in our environment, used as an internal system only. We want to upgrade to RC2 but cannot find any step-by-steps for that version.

    thanks

    Dean

    Reply
  41. Gagan says

    April 7, 2009 at 11:55 pm

    hi Elan

    We are actually deploying OCS 2007 R2 in our company.
    The first thing we came to know is that we actually need 8 machines, one for each server role.

    Now the confusing part is: do we need one extra machine for Active Directory and DNS,

    or can it be colocated with any of the above?

    Thanks
    Gagan

    Reply
  42. Elan Shudnow says

    April 3, 2009 at 2:20 pm

    Run through the setup wizard again and it’ll install all the pieces it needs. You “may” need to do some re-configuration depending on what you uninstalled.

    Reply
  43. angel says

    April 3, 2009 at 12:43 am

    hi Elan,
    I mistakenly uninstalled Office Communications Server 2007 R2, the first application, from Add and Remove Programs. Now I can’t see Office Communications Server 2007 R2 in Administrative Tools, but all other applications are running successfully. Will all run well? How can I reinstall that particular component? Please help.

    Reply
  44. Elan Shudnow says

    March 17, 2009 at 9:36 am

    Well, doing that makes things easier for administration since you don’t have to bother with NAT’ing, you have the same subnet range on your NICs, etc… It’s all relative to your outlook on things.

    One thing to keep in mind is the notion that people think putting Public IPs on a NIC is not secure. This is completely false. NAT was not designed to secure systems. It was designed to save IP Addresses. A Public IP can still be behind a firewall. You just configure the firewall to route the traffic out of a specific port to a switch that the Edge Server is on, or directly to the server.

    Now with that in mind, if you were using NAT, that server is still reachable on the internet. It still hits the same firewall. The only difference is that it NAT’s it on the firewall to a private IP Address. But even if you were using a Public IP Address on the NIC, you can still put it behind a firewall.

    So to me, there’s no real difference from a security standpoint whether you use Public IPs on the NICs as long as they’re still behind a firewall.

    Reply
  45. 9ja4lyf says

    March 17, 2009 at 9:16 am

    Hi Elan!

    This stuff you posted here is insanely tight! Thanks a mill. I read in a Syngress Publishing book, “How to Cheat at Administering OCS 2007”, that the author recommended having public IPs rather than private IPs on the Edge server roles. What’s your take on this?

    Reply
  46. Elan Shudnow says

    March 2, 2009 at 8:39 am

    I haven’t tried a wildcard certificate. I’m not sure if it will work or not, but it’s definitely not supported. You can publish CWA with ISA for it to be available from the outside or give it its own public IP and NAT to it over 443.

    Mediation Server is never available from the outside. When you configure your Mediation Server, one of the settings is what A/V Server you want to use. The reason you specify this is that when a user is outside the network, the audio stream from OCS SIP endpoints uses that Audio/Video Server for streaming that audio to the OCS environment, allowing for Enterprise Voice. The actual call part always happens from Mediation to FE and Mediation to Gateway/PBX and doesn’t need to touch a user directly.

    Reply
  47. Ronald says

    March 2, 2009 at 6:27 am

    Hi Elan,
    Is there a role on the Edge server which does not have to be available from the outside? Of course this depends on your requirements, but what is a common approach? I know what you meant with your previous statements about the public IPs, so forgive me =)

    Too bad CWA and Front End cannot be collocated; for sure you want your CWA available from the outside. Is there any other service that I forget that should be available outside? I will use a Mediation server, but have an internal supplier in my DC for a SIP trunk.

    About the certs, will a wildcard not work, or is it not supported? Have you tried it? Or will there be a number of devices that will have problems connecting (e.g. WM5 devices)?

    Grtz,
    Ronald

    Reply
  48. Elan Shudnow says

    March 2, 2009 at 4:13 am

    Ronald, since every NIC requires its own IP Address as I show in my article, you’ll want a different Public IP NAT’ing to each NIC. The same goes for ISA, which will do reverse proxy for several Front End Services. So yes, if you want all OCS Services available from the outside, you’ll want 4 Public IPs. And when I stated I mentioned no such requirement, I’m talking about public IPs directly on the NIC.

    As far as CWA on Front End, this was recently changed by Microsoft so the CWA Server can no longer be collocated with any other server role.
    http://technet.microsoft.com/en-us/library/dd425201(office.13).aspx

    Reply
  49. Ronald says

    March 2, 2009 at 3:20 am

    Hi Elan,

    To reach the Edge server from the internet you need to NAT public IPs to the private IPs on the Edge server. I have an ISA 2006 in front, so my question is if I do need 3 public IPs to NAT to the private IPs of the Edge server, one for each Edge service? And then there is also a dedicated IP for the SSL bridge to the Front End server. So in total I require 4 public IPs. Is that correct?

    And can I combine the CWA on the Front End server using the same certificate? Or do I need a new web site for the CWA with its own cert? In the latter case this would mean another public IP for the SSL bridge.

    Thanks for your info !

    BR,

    Ronald

    Reply
  50. Elan Shudnow says

    March 1, 2009 at 9:38 am

    Hm, where did you get the public IP requirement? I mentioned no such thing anywhere in my article. Look at the diagram, it shows private IPs on the NICs. You can use public ips on the NICs if you want, but don’t have to. Of course you still need public IPs NAT’d to the private IPs anyway.

    As for certs, to be in a supported Microsoft configuration, you’ll need a dedicated SSL certificate for each NIC (Access/Web Conf/AV).

    Reply
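The certificate rules stated in the replies above (Access Edge FQDN as the Subject CN, remaining names as SANs, one certificate per external Edge service, no wildcard) can be checked before a deployment. The script below is an added example and is not code from the original post; it models certificates as plain dicts rather than parsing files so it runs with the standard library only, and every hostname and thumbprint in it is constructed. The A/V Edge is omitted because, as the reply says, it needs no public-facing certificate.

```python
"""Pre-deployment check of certificate naming for OCS 2007 R2 Edge services.

Added example, not code from the original post. Certificates are modelled as
plain dicts (subject CN, SAN list, thumbprint) instead of being parsed from
files so the check runs without extra libraries; every name below is a
constructed example. The rules encoded are the ones stated in the comments:
the Access Edge FQDN must be the Subject CN, other names may be SANs, each
external service gets its own certificate, and wildcard names are unsupported.
"""


def parse_openssl_san(text):
    """Parse the 'DNS:a, DNS:b' form that `openssl x509 -text` prints for the
    Subject Alternative Name extension; non-DNS entries are ignored."""
    names = []
    for entry in text.split(","):
        entry = entry.strip()
        if entry.upper().startswith("DNS:"):
            names.append(entry[4:].strip().lower())
    return names


def name_matches(pattern, fqdn, allow_wildcard=False):
    """Case-insensitive match; a wildcard covers exactly one leftmost label."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if allow_wildcard and pattern.startswith("*."):
        labels = fqdn.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_names(cert):
    return [cert["subject_cn"]] + list(cert.get("sans", []))


def cert_covers(cert, fqdn, allow_wildcard=False):
    return any(name_matches(n, fqdn, allow_wildcard) for n in cert_names(cert))


def check_edge_certs(assignments):
    """assignments: {service: (external_fqdn, cert)}. Returns a list of
    findings; an empty list means the assignment follows the stated rules."""
    findings = []
    by_thumbprint = {}
    for service, (fqdn, cert) in assignments.items():
        # Coverage is checked with wildcards allowed so an unsupported wildcard
        # is reported once, below, rather than also as a missing name.
        if not cert_covers(cert, fqdn, allow_wildcard=True):
            findings.append(f"{service}: {fqdn} is not in the CN or SAN of cert {cert['thumbprint']}")
        wild = [n for n in cert_names(cert) if n.startswith("*.")]
        if wild:
            findings.append(f"{service}: wildcard name(s) {wild} in cert {cert['thumbprint']} are not supported")
        if service == "Access Edge" and cert["subject_cn"].lower() != fqdn.lower():
            findings.append(f"Access Edge: Subject CN {cert['subject_cn']!r} must be the Access Edge FQDN {fqdn}")
        by_thumbprint.setdefault(cert["thumbprint"], []).append(service)
    for thumbprint, services in by_thumbprint.items():
        if len(services) > 1:
            findings.append(f"cert {thumbprint} is shared by {', '.join(services)}; use one certificate per service")
    return findings


# Constructed sample certificates (example.com names, made-up thumbprints).
ACCESS_CERT = {
    "subject_cn": "sip.example.com",
    "sans": parse_openssl_san("DNS:sip.example.com, DNS:example.com"),
    "thumbprint": "A1B2C3",
}
WEBCONF_CERT = {"subject_cn": "webconf.example.com", "sans": [], "thumbprint": "D4E5F6"}
WILDCARD_CERT = {"subject_cn": "*.example.com", "sans": [], "thumbprint": "0FFFFF"}

SUPPORTED_PLAN = {
    "Access Edge": ("sip.example.com", ACCESS_CERT),
    "Web Conferencing Edge": ("webconf.example.com", WEBCONF_CERT),
}
WILDCARD_PLAN = {
    "Access Edge": ("sip.example.com", WILDCARD_CERT),
    "Web Conferencing Edge": ("webconf.example.com", WILDCARD_CERT),
}

if __name__ == "__main__":
    for label, plan in (("per-service certs", SUPPORTED_PLAN), ("shared wildcard", WILDCARD_PLAN)):
        problems = check_edge_certs(plan)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Running it prints no findings for the per-service plan and four for the shared wildcard plan: the wildcard name on each service, the Access Edge CN not being the Access Edge FQDN, and the same thumbprint appearing on two services. To check real certificates, feed `parse_openssl_san` the SAN line from `openssl x509 -in cert.pem -noout -text` and the CN from `-subject`.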
  51. Ronald says

    March 1, 2009 at 8:33 am

    Hi Elan,

    Got the internal stuff up and running, thanks for the article, especially the DNS SRV part. This is where it went wrong before.

    For external user access, do I understand correctly that I need three public IPs, one for each Edge service (Access, AV and WebConf)? But if I have a wildcard cert and a consolidated Edge deployment, are three public IPs still mandatory?

    BR,

    Ronald

    Reply
  52. Elan Shudnow says

    February 20, 2009 at 12:31 am

    Start here:
    http://technet.microsoft.com/en-us/library/dd441152(office.13).aspx

    Reply
  53. Ronald says

    February 19, 2009 at 4:51 pm

    Hi Elan,

    Thanks for your comment, I’d rather not hack my way into it. It might break in the next releases and is not supported, I guess. Is there a document that describes the ports in use for each Edge service?

    BR,

    Ronald

    Reply
  54. Elan Shudnow says

    February 19, 2009 at 3:21 pm

    I’ve seen a way to do it but it requires quite a bit of hacking and I highly recommend not doing that. You’ll want to use 3 Public IPs, each one mapped to the IP for each service on the Edge. Also, the hack I was talking about was for OCS R1 and have never heard of it being tried for OCS R2.

    Not sure where the forum post is that explains the process but I’m sure through some searching on the technet forums, you’d be able to find it.

    Reply
  55. Ronald says

    February 19, 2009 at 1:44 pm

    Hi Elan,

    Great article. One question, can you use one IP address for the external access of the edge server ? Or are there overlapping ports there ? I have a limited amount of public IP’s. I need to minimize on those.

    Is there a description of which ports are used by the edge services ?

    Thanks !

    BR,

    Ronald

    Reply
  56. Elan Shudnow says

    February 14, 2009 at 9:26 am

    BBF, Here’s the firewall requirements for the Edge Server in OCS R1. You’ll have to check the OCS R2 documentation (not on the library yet) for any differences in OCS R2:
    http://technet.microsoft.com/en-us/library/bb803617.aspx

    Martin, thanks!

    Reply
  57. Martin says

    February 14, 2009 at 2:22 am

    Really nice work Elan!

    i followed your guide so far and made an internal setup. Next week I will be deploying the edge server and ISA, so thanks a bunch for this site!

    Reply
  58. BBF says

    February 13, 2009 at 9:14 pm

    Elan,
    Your blogs are all VERY informative… Thanks!
    I usually find that it is a hard sell to get the network guys to allow a DMZ server to directly plug into the LAN. You mentioned earlier that you can configure the “Internal NIC” with a DMZ address and then open the ports. What ports must be opened from the Internal NIC that has a DMZ address to the LAN based Front End server(s)?

    Reply
  59. henock says

    February 2, 2009 at 9:27 am

    Thanks for the great posts

    Reply
  60. Elan Shudnow says

    February 2, 2009 at 9:08 am

    Yes, that’s fine. I have seen all Public IPs before on an Edge.

    Reply
  61. henock says

    February 2, 2009 at 7:08 am

    hi elan

    Excellent work. I have one question. Is it mandatory to have NATting on the firewall? Can you assign all the Edge roles a public IP address and have the firewall open for the necessary ports?

    we only have an external firewall and the network guys seem to think this should work.

    thanks

    Reply
  62. Elan Shudnow says

    January 14, 2009 at 7:34 pm

    Thanks Abdul. On your internal NIC, you will want to use a private IP on one of your subnets. You can use a DMZ IP if you want to be more secure and open up the ports on the internal firewall or put a private IP that lives on the same subnet as your Front End which is less secure. On your Edge NIC, you can use public IPs on your NIC and have your firewall route out of a specific port for each public IP or use all DMZ private IPs on this NIC and create Static NAT entries to it.

    Reply
  63. Abdul Rauf says

    January 14, 2009 at 12:34 pm

    Hi Elan,

    You have done great work. Currently I am installing an OCS Edge server. The scenario is that I have only one firewall, which is protecting internal users. What configuration do I need? Our internal network is using 192.168.1.0 IPs. I am using 2 NICs on the Edge server. On one NIC the IP will be like 192.168.1.15, and what about the other NIC? Should I use DMZ IPs like 10.0.0.2, or can I use public routable IPs?

    Reply
  64. Michael says

    January 13, 2009 at 9:49 am

    Thanks for the great posts.

    Reply
  65. Elan Shudnow says

    January 13, 2009 at 8:45 am

    You would still need to place Edge in the DMZ. Access Edge would be all you need for federation partners. If you want external IM, you’d still need a Reverse Proxy if you want Address Book lookups and Group Expansion. There are other things a Reverse Proxy is used for, but nothing you’d need for only Federation and external users using IM. You can see what else a Reverse Proxy is used for in Part 4 (which will be out early next week).

    Reply
  66. Michael says

    January 13, 2009 at 6:38 am

    Hi Elan

    One clarification question. I am planning a PoC of OCS R2 and since the documentation is not yet available I am unclear about the Edge placement.

    Is it OK to place the Edge server on the internal network with each of the 4 NICs having a private IP (provided the load balancers’ IPs are set up per your sample above), or is only the Internal NIC on the internal network while the other three NICs need IPs from a DMZ subnet?

    Also do I assume correctly that if I only require Public IM federation all I need is the Access Edge role with 5061 (SIP/MTLS) open to the federation partners and reverse proxy is not required. if you could elaborate on the PIC connectivity requirements it would be greatly appreciated.

    Kind regards,
    Michael

    Reply
  67. Elan Shudnow says

    January 12, 2009 at 8:34 pm

    Thanks Joachim

    Reply
  68. Joachim Farla [MVP] says

    January 9, 2009 at 2:38 pm

    good work!

    Reply
  69. Elan Shudnow says

    January 6, 2009 at 10:59 pm

    For a single 2007 R2 Edge:
    Static NAT for all 4 OCS Edge NICs. So Public IP > Private IP on OCS R2 NIC

    For several 2007 R2 Edge Servers behind a Load Balancer:
    Static NAT as well. But for Access Edge and Web Conferencing, you would have Public IP Static NAT to a Private IP on the Load Balancer, which then communicates with the Private IP on the Access Edge NIC and Web Conferencing Edge NIC. For the Audio/Video Conferencing, you would have the Public IP directly on your Load Balancer VIP and then have that NAT to your Private IP on your Audio/Video Conferencing Edge NIC.

    I would assume that the hardware load balancer vendors such as Cisco/F5/Etc should have documentation on how to configure the load balancers for OCS R2 sometime in the future.

    Reply
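The static NAT arrangement described in the reply above, and the earlier answers that each external Edge service needs its own public IP because their external ports overlap, can be checked against a planned mapping before firewall changes are requested. The script below is an added example, not code from the original post or from Microsoft. The external listening ports per Edge service are an assumption taken from the OCS 2007 R2 Edge documentation as recalled here, so confirm them against the firewall requirements before relying on the result; all addresses in it are constructed (TEST-NET public addresses, RFC 1918 DMZ addresses).

```python
"""Sanity-check a 1:1 static NAT plan for an OCS 2007 R2 consolidated Edge Server.

Added example, not code from the original post. It encodes the arrangement the
comments describe: one public IP statically NATed to each external Edge NIC,
with private addresses on the DMZ side. The external listening ports per Edge
service are an ASSUMPTION taken from the OCS 2007 R2 Edge documentation as
recalled here; confirm them against the firewall requirements before relying
on this check. All addresses below are constructed documentation addresses.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed external listening ports per Edge service as (protocol, first, last).
EDGE_PORTS = {
    "Access Edge": [("tcp", 443, 443), ("tcp", 5061, 5061)],
    "Web Conferencing Edge": [("tcp", 443, 443)],
    "A/V Edge": [("tcp", 443, 443), ("udp", 3478, 3478),
                 ("tcp", 50000, 59999), ("udp", 50000, 59999)],
}

# Address space that must never appear on the public side of a static NAT.
NON_ROUTABLE = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _overlap(a, b):
    """Return the overlapping (proto, first, last) of two port ranges, or None."""
    if a[0] != b[0]:
        return None
    lo, hi = max(a[1], b[1]), min(a[2], b[2])
    return (a[0], lo, hi) if lo <= hi else None


def _fmt(r):
    return f"{r[0]}/{r[1]}" if r[1] == r[2] else f"{r[0]}/{r[1]}-{r[2]}"


def validate_nat_plan(plan, dmz_subnet=None):
    """plan: iterable of (service, public_ip, private_ip). Returns a list of
    findings; an empty list means the plan satisfies every check."""
    findings = []
    count = defaultdict(int)
    by_public = defaultdict(list)
    by_private = defaultdict(list)
    for service, public, private in plan:
        if service not in EDGE_PORTS:
            findings.append(f"unknown Edge service {service!r}")
            continue
        count[service] += 1
        pub, priv = ip_address(public), ip_address(private)
        if any(pub in net for net in NON_ROUTABLE):
            findings.append(f"{service}: public side {public} is not a routable public address")
        if dmz_subnet is not None and priv not in ip_network(dmz_subnet):
            findings.append(f"{service}: private side {private} is outside the DMZ subnet {dmz_subnet}")
        by_public[pub].append(service)
        by_private[priv].append(service)
    for service in EDGE_PORTS:
        if count[service] != 1:
            findings.append(f"{service}: expected exactly one static NAT entry, found {count[service]}")
    for priv, services in by_private.items():
        if len(services) > 1:
            findings.append(f"private IP {priv} is shared by {', '.join(services)}; each Edge NIC needs its own")
    # Two services behind one public IP collide wherever their external ports overlap.
    for pub, services in by_public.items():
        for i, first in enumerate(services):
            for second in services[i + 1:]:
                for r1 in EDGE_PORTS[first]:
                    for r2 in EDGE_PORTS[second]:
                        hit = _overlap(r1, r2)
                        if hit:
                            findings.append(f"public IP {pub}: {first} and {second} both need {_fmt(hit)}")
    return findings


# Constructed sample plans (TEST-NET public addresses, RFC 1918 DMZ addresses).
THREE_IP_PLAN = [
    ("Access Edge", "203.0.113.10", "10.10.0.10"),
    ("Web Conferencing Edge", "203.0.113.11", "10.10.0.11"),
    ("A/V Edge", "203.0.113.12", "10.10.0.12"),
]
ONE_IP_PLAN = [
    ("Access Edge", "203.0.113.10", "10.10.0.10"),
    ("Web Conferencing Edge", "203.0.113.10", "10.10.0.11"),
    ("A/V Edge", "203.0.113.10", "10.10.0.12"),
]

if __name__ == "__main__":
    for label, plan in (("three public IPs", THREE_IP_PLAN), ("one public IP", ONE_IP_PLAN)):
        problems = validate_nat_plan(plan, dmz_subnet="10.10.0.0/24")
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

The three-IP plan passes; the one-IP plan reports three collisions, all on tcp/443, which is the concrete reason a single public IP cannot front all three Edge services. The internal Edge NIC is deliberately not in the plan: it is never NATed to the Internet, and the firewall ports between it and the Front End are a separate question.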
  70. JT says

    January 6, 2009 at 9:56 pm

    Hi Elan, could you please clarify something? In our environment, we have 15 public IPs we use: 216.134.2XX.XX-ZZ. On our firewall, we do a 1:1 translation of these public IPs to our internal private IPs of 192.168.44.a-z for various services. Can you explain a quick SAMPLE scenario of how I could accommodate OCS R2 with the configurations you describe pertaining to NAT / IP scheme? I am still a bit unclear on some terminology regarding what kind of NAT, how you perform your NAT, what’s acceptable, etc. Again, in my sample, we have 1:1 done right at the firewall using SonicWall, so please go from that point to clarify. Thank you.

    Reply
