Now that Office Communications Server (OCS) 2007 R2 is RTM, I thought it would be nice to create an article on how to deploy a single Enterprise Edition OCS Server which is connected to an x64 SQL Server 2008 RTM Back-End Server. This article will be based off the OCS 2007 R2 RTM version. This article series is very similar to My OCS 2007 R1 RTM series here but will be based off the R2 RTM version instead of the R1 RTM version.
This article is to guide you through the entire OCS deployment process from scratch. This article will include the following:
- Certificate Services installation
- Single Enterprise Front End Server (No more expanded configurations) – with information on what to do to get a second Front End Server installed behind a Hardware Load Balancer
- Edge Server (Only Consolidated Edge Servers now) – NIC Configurations
- Dual-Homed ISA 2006 Installation to reverse proxy internal services
Part 1
Lab Setup
Guest Virtual Machines
One Server 2008 Enterprise (Standard can be used) SP1 x64 Domain Controller which Certificate Services will be installed as the Enterprise Root Certificate Authority. Exchange 2007 SP1 is installed on separate computers. The purpose of Exchange in this lab is for Group Expansion where a Universal Distribution Group can be mail-enabled for it to be expanded within Office Communication 2007. Alternatively, a Distribution Group can be given an e-mail address in its AD properties which satisfies the requirements of Group Expansion.
Two Server 2008 Enterprise (Standard can be used) x64 (x64 required) Member Servers where OCS 2007 R2 will be installed. One of these servers will be the Consolidated Edge Server which will contain 4 NICs.
One Server 2003 Enterprise (Standard can be used) x86 (x86 required) Member Server where ISA 2006 will be installed as a dual-homed box.
One Server 2008 Enterprise (Standard can be used) x64 (x86 can be used) Member Server where SQL 2008 is installed.
IMPORTANT: OCS 2007 R2 introduces some new AD requirements:
- All Global Catalogs in the forest must be at least Windows 2003 SP1
- All Domains which will have OCS 2007 R2 or users enabled for OCS 2007 R2 will need to be at least Windows 2003 Domain Functional Level which is obvious due to the next requirement. These Domain Controllers must be at least Windows 2003 SP1.
- The forest in which OCS 2007 R2 will be deployed needs to be at least Server 2003 Functional Level.
Assumptions
- You have a domain that contains at least one Server 2003 SP2 Domain Controller (DC)
- You have configured the IP settings accordingly for all servers to be on the same subnet. I have provided the IP scheme of my lab below, but this will vary depending on your needs and Virtualization Software configuration. One exception to this is one NIC on the ISA Server will belong to a different subnet. This NIC would be the NIC that lives in the DMZ in a production environment.
- Exchange 2007 Hub Transport Server, Client Access Server, and Mailbox Server are already installed in the environment. This article does not go over the installation or configuration of these roles but will go over mail-enabling a Distribution Group(s).
- You have at least SQL 2005 SP2 server installed. We will be using SQL 2008 installed on Server 2008 Enterprise. SQL 2005 SP1 is NOT supported for OCS 2007 R2 as it was for OCS 2007 RTM.
- You have a copy of Office Communicator (OC) 2007 R2. We will be installing our copy of OC 2007 R2 on our Exchange CAS.
Computer Names
OCS Front End Server – SHUD-OCSFE1
OCS Edge Server – SHUD-OCSEDGE1
Domain Controller / Exchange Server / Root Enterprise CA – SHUD-DC2
ISA 2006 Server – SHUD-ISA1
SQL Server – SHUD-SQL1
Configuration of Domain Controller / Root Enterprise CA
Processor: 4
Memory: 512MB
Network Type – External NIC
Virtual Disk Type – System Volume (C:\): 50GB Dynamic
Note: In a real-world environment, depending on the needs of the business and environment, it is best practice to install your database and logs on separate disks/spindles. We will be installing Active Directory, Certificate Services, and Exchange 2007 SP1 on the same disks/spindles for simplicity sakes for this lab.
Configuration of SQL 2008
Processor: 4
Memory: 512MB
Network Type – External NIC
Disk Type – System Volume (C:\): 50GB Dynamic
Configuration of ISA 2006 SP1
Processor: 2
Memory: 384MB
Network Type – External NIC
Network Type – External NIC
Virtual Disk Type – System Volume (C:\): 25GB Dynamic
Configuration of OCS 2007 R2 Edge
Processor: 4
Memory: 512 MB
Network Type – External NIC – used for internal NIC
Network Type – External NIC – used for Audio/Video Edge NIC
Network Type – External NIC – used for Web Conferencing Edge NIC
Network Type – External NIC – used for Access Edge NIC
Virtual Disk Type – System Volume (C:\): 50 GB Dynamic
Note: There are few different ways the NICs could be set up on the Edge Roles. I have included a mini-write up below entitled, “Various Edge Server NIC Setups.”
Configuration of OCS 2007 R2 Front End
Processor: 4
Memory: 512MB
Network Type – External NIC
IP Addressing Scheme (Corporate Subnet)
IP Address – 192.168.1.x
Subnet Mask – 255.255.255.0
Default Gateway – 192.168.1.1
DNS Server – 192.168.1.150 (IP Address of the Domain Controller/DNS Server)
IP Addressing Scheme (DMZ Subnet)
IP Address – 10.10.10.x
Default Gateway – 10.10.10.x
Subnet Mask – 255.255.255.0
Preparation of ISA 2006 SP1 Node
Network Interface Card (NIC) Configuration
First thing we will want to do is configure the IP Configuration of both the Public DMZ NIC and Internal Corporate NIC.
We will want to rename our Publc DMZ NIC connection to Public and our Internal Corporate NIC connection to Private. To do so, go to Start > Control Panel. Once in the Control Panel, Double Click on Network Connections.
Now you will be presented with the Network Connections window. This is where you can modify the network properties for each NIC in your server. For your Internal Corporate Connection, rename your Local Area Connection to Internal. Likewise, for your Public DMZ Connection, rename your Local Area Connection to Public. After you have done this, it will look something similar to the following:
Note: Do not forget that part of the assumptions earlier in this article as that you have a properly configured TCP/IP Network where all nodes are properly connected to the TCP/IP Network. Because of this, I will skip the actual TCP/IP Configuration. The IP for the Internal NIC is 192.168.1.170/24. The IP for the Public NIC is 10.10.10.153/24 that would typically have a Public IP NAT’d to this Public IP via Static Network Address Translation (NAT) rule.
Important: In a production environment, you would generally have the Default Gateway on your public NIC. Depending on the communication and configuration of firewalls, you would want to create a static route so your internal communications would go directly to a router on the inside of your network that is more open to communications. This way, you would not have to open ports on your Edge firewall when not necessary. For example, if you were doing LDAPs and your DMZ Edge Firewall blocked port 636. You would need to create a static route so traffic destined to your internal corporate network would go to the internal router that allows 636. You would not need to do this if your DMZ Edge Firewall allowed port 636 and knew how to route to the internal corporate network.
To ensure you reduce the attack surface of your ISA Server, open the Public NIC properties, open the TCP/IP Properties > go into the Advanced NIC configuration settings by clicking the Advanced button. From there, you will navigate to DNS tab and de-select “Register this connection’s addresses in DNS.”
Select the WINS tab and de-select “Enable LMHOSTS lookup” and configure the NetBIOS setting to “Disable NetBIOS over TCP/IP.”
Once you are done configuring the Advanced settings, press OK three times and you will be back at the Network Connections screen. From here, choose Advanced and select Advanced Settings…
You will be presented with the Binding Order for your current NICs. Ensure that the Internal NIC is on top by selecting Internal and pressing the green up arrow key on the right-hand side of the dialog. The reason you want Internal on top is because your Corporate communications happen on this NIC and things like DNS are configured on this NIC.
Rename Computer and Join to Active Directory Domain
Make sure you name your ISA box to a name that complies with your naming convention and then join your ISA box to the domain. For purposes of this lab, we will be naming this box, SHUD-ISA1. A lot of Administrators believe that joining the ISA box to the domain is a security threat, but that is not so. Please refer to this article explaining why.
Preparation of Edge Node
Follow through the same exact steps you did for the ISA 2006 node except for a few things. Instead of 2 NICs, add 4 instead. Also, do not join it to the domain.
A summary of the steps involved consist of:
- Create 4 NICs
- Rename the NIC that is wired to the Internal Corporate Network to Internal
- Rename the NICs that are wired to the DMZ appropriate to their function. Our Access Edge NIC will be named AccessEdge. Our Web Conferencing Edge NIC will be named WebConfEdge. Our Audio/Video Conferencing Edge NIC will be named AudioVideoConfEdge.
- Assign the appropriate IP Addresses to each NIC. In OCS R2, when you have a single Edge Server, you no longer need to have a Public IP directly on the NIC. When load balancing Edge Servers, the Audio/Video server also has a private IP but the VIP of the load balancer will need to have a Public IP for the A/V Role. This will be discussed more in detail below.
- Create Static Routes if necessary
- Disable the Public NICs from registering in DNS
- Disable the Public NICs NetBIOS settings
- Modify the Binding Order so the Internal NIC is on the top of the list.
- Rename the Computer
- Do NOT join it to the domain
Certificate Authority Configuration
IMPORTANT: Just as a note, the instructions below are for setting up a Certificate Authority in Server 2003 and is from my previous article series on setting up a OCS 2007 RTM. My lab has the certificate authority set up on my Server 2008 Domain Controller and has already been deployed prior to this article series. The process for setting up the Certificate Authority is virtually identical. Because of this, I am not going to set it up all over again just to have the updated pictures via a Server 2008 GUI. the only difference is that in my existing lab environment where the CA lives on Server 2008, the Root CA will be simply named CA.
So as for how to set up a CA on Windows Server 2003 SP2, we will want to make sure that we have the SP2 binaries and our CD1 for our Windows Server 2003 Enterprise installation. It will be required when we install Certificate Services.
To begin the CA installation, go to Start > Control Panel. Once in the Control Panel, Double Click on Add or Remove Programs.
Click Add/Remove Windows Components.
Place a checkmark in the checkbox next to Certificate Services. You will automatically be prompted with a prompt warning you to not modify the computer name. Ensure your computer name is set correctly before continuing. Once you have your computer name set. Click Yes and then Next to Continue.
Because we will be choosing an Enterprise Root CA, leave the defaults selected. Click Next to Continue.
Note: Choosing an Enterprise Root CA can be considered a security risk to many. Make sure a proper design for a PKI infrastructure is done for both functionality, security, etc. before deploying an internal PKI solution for your organization. I am using an Enterprise Root CA because I am doing this in a test environment and it reduces the amount of resources needed for the lab.
We will name our Root CA OCS-CAROOT. Keep in mind, this is not our machine name. This is what the root certificate’s name will be. As stated earlier, this is the CA name we specified in the OCS 2007 RTM article series. If you want to follow along more closely and have the naming convention the same as the rest of the OCS 2007 R2 article series, name the Common Name CA. Click Next to Continue.
Specify where you want to store your Certificate Database and Logs. For purposes of this lab, we will install it on our System Partition (C:\). Click Next to Continue to begin installation. As stated earlier, make sure you have the SP2 binaries and CD1 of your Server 2003 Installation CD.
If you’re like me and always forget to install Internet Information Services (IIS) prior to installing Certificate Services, you will get the following prompt. Don’t worry, we’ll fix this after our Certificate Services installation completes. If you did get this prompt, Click OK to Continue.
Now our Certificate Services Installation should complete successfully. If you did forget to install IIS before Certificate Services installation began and you received the prompt above, go install IIS by following the instructions here. You will also need your SP2 binaries and CD1 of your Server 2003 Installation CD.
Once IIS is installed, to create the CertSrv subfolder within IIS, type the following command:
Certutil -vroot
Various Edge Server NIC Setups
When going over the NIC configuration of our Edge Servers, it has been noted that we will be using 4 NICs for our Consolidated Edge Server. This would be Method #1 below. As you can see, there are two other ways the NIC Setup could be configured.
Note: The IPs in the above diagram do not represent IPs we will be using in our lab. They are only a representation of what you may see in a production environment.
Method #1
Every Role has its’ own dedicated NIC. This is recommended due to people having issues in the past with communications when roles share IP Addresses on the same NIC.
Method #2
It is also possible to use one NIC for the Audio/Video Edge Server, Web Conferencing Edge Server, as well as the Access Edge Server. Because of this, all 3 Edge Server Roles would have Private IPs meaning they can all be on the same NIC. You would then use a dedicated NIC for the Internal NIC.
Update 1/17/2009 – I used to have a recommendation to use Method #1. This worked just fine out of the box with Windows 2003 and still does. Windows 2008 and using Windows 2008 R2 (not yet supported) both use the new Strong Host networking model which introduce some complications when using Method #1. There are some security differences with the Strong Host model than what the Weak Host model used. For example, if traffic comes in on one interface, it’s going to leave back out that same interface. But with Windows 2003 networking, you can only have one default gateway. So there are some tricks to do with multiple NICs such as assigning multiple Default Gateways and tweaking your Windows routes. Jeff Schertz, OCS MVP, details this on his blog article here. Generally, Method #1 will give you greater performance benefits but with how OCS scales and its sizing guidance, 2 NICs are fine. I’ve generally been using Method #2.
Private IP on Audio/Video
In OCS R1, an Audio/Video Edge Server needed a Public IP directly on the NIC. In OCS R2, when you are doing a single Edge deployment with no load balancer, you can have a private IP directly on the Audio/Video Edge NIC. When load balancing, you can also utilize a private IP on the Audio/Vide NIC, but the load balancer IP must be a public IP Address which then NAT’s to the Private IP Address of the Audio/Video Edge NIC.
As you can see, when utilizing Load Balancing on an Edge, you must now use DNAT for incoming connections with a public IP of 192.0.2.1 which then NAT’s to the private IP on the Audio/Video Edge NIC of 10.10.10.1. The same happens outbound except for SNAT being used instead of DNAT. The incoming DNAT and outbound SNAT is a requirement.
Summary
Well folks, that is all for Part 1 of this article. For Part 2, I will go over the preparation and installation of a Front End OCS 2007 R2 Server Pool.
Thank you for the good writeup. It in fact was a amusement account it.
Look advanced to more added agreeable from you! By the way, how could we communicate?
Your payments will not only get to you faster but it will provide you with a history of your
earnings for your records. We know because they have done so for millions of other people.
Stretching will help you prevent injuries and it will help you loosen up your muscles.
Feel free to visit my weblog – fitness tips and motivation
Hi Elan,
Just we installed exchange 2007 in our organization now the issue Iam facing that we are using CRM software and Iam unable to send mail from CRM to the customers (outside) internally working fine Error is the server one or more recipient addresses. the server response was 550 5.7.1 unable to relay
Hey Elan,
I was just wondering if you can point me in the right direction to remove a 2007 R2 Edge server from a depoyment? The client still wants to use OCS internally, but wants to remove the ability to access outside the network, federate, etc.
Any tips?
http://technet.microsoft.com/en-us/library/dd5728…
hi Elan, please i need you to end me link to your exchange server 2007
Dear Sir,
We have done OCS 2007R2 POC in Sri lanka(UTC + 5.30) here its working fine in this domain, But we have try to connected client in Nederalnd ,Spain and few places .but show like a error its Time Zone Problem.
the different time zones client's not connected.
Please explain me how this correct.
regards
Madushka
It may not be a time zone problem, but the time may be skewed somewhere. If the time on a client or server (this case probably client) is more than 5 minutes (by default in Group Policy) off from DCs, connectivity issues will ensue.
should the DNS server for name resolution be on the internal (talking to internal DNS) or external (talking to public DNS) interface on the edge server?
I always let the internal DNS Servers handle recursion for DNS. Keep in mind, if you want NAT for AV Edge (requires that you not be load balancing), the Edge Server will need to the public IP for this FQDN. You can do that in the hosts file or in internal dns.
Can you help with this one.
I need to define the process of how Communicator 2007R2 locates the pool in their specific region. There are two pools one in New York (pool0.nyc.mydomain.com) and one in London (pool1.LON.mydomain.com). How does Communicator knows which pool to attach to. Does anyone have a step by step process of how this happens. Would this be the same step for existing Communicator 2005 as well. One other questions do we make any changes to Communicator 2005 settings when we move users from their current pool to the new OCS 2007 R2 pool. FYI all clients workstation is has static IP's.
You’re in luck since I wrote an article on this:
https://www.shudnow.io/2008/09/04/automatic-logons-directors-and-client-redirections/
I've been going crazy with this one. I used your guide and other resources. I can make calls from PSTN GW > MED > OCS > MOC. But, when I call from MOC > OCS > MED > PSTN GW, the call fails. I've isolated that the issue is specific to the 5061 closing upon the initial TLS negotiaion. Firewall is off. I think the certs are ok. I've made the changes to the local security policy. I have three VMs running WS2008R2 (1 with AD/DNS/CA, 1 with OCS, and 1 with Mediation). I appreciate any feedback.
I figured it out. Never mind.
Hi Elan!
First off I'd like to echo everyone’s sentiments on this forum and offer a hearty thank you! This is an extremely helpful piece of work. The time you dedicated out of what I’m sure is a very busy schedule is certainly appreciated!
I have one question. I currently have TMG 2010 in my environment acting as both a firewall (VPN tunnel endpoint) and Exchange Edge server. The later role requires that the TMG NOT be a domain member. For purposes of OCS you mention that you "SHOULD" join the reverse proxy to the domain. I’m wondering if this is a hard requirement. What if any functionality will be lost if the reverse proxy is not joined? Will it still "work"? Your help is very truly appreciated! Thank you sir! Hope to hear from you soon.
Regards,
Joey Freyre
I don't think I've ever said that you "should." I would say it would depend on the environment. There are Pros/Cons to each method but I typically push for the Domain-Joined model if possible. The following articles will talk about pros/cons: http://blogs.isaserver.org/shinder/2006/06/04/to-…
Hi Elan,
am about to deploy OCS 2007 R2 here at work. Do you think your guide will help someone to install it from scratch, step by step? Obviously you wrote it with IT people in mind, but say, do you think a basic IT person can follow it?
thanks
Dean
hi elan,
congrats for nice work and helping others by quick reply, i want to install im feature just for few users, we have exchange 2007 production with ISA 2006 for publishing OWA etc, i have two virtual servers 64bit with 4 gb RAM and sql i can use the existing one, i want to know from where i should start, already i have downloaded the OCS r2 and once i feel ok then i will update the license
Just deploy a Front End Server. You can use the Standard Edition which will install SQL Express 2005 or you can use OCS Enterprise which will allow you to use your existing SQL Server. You can use a second box as an Edge Server. Then use ISA to publish the Web Components role that lives in the Front End to give you access to distribution group expansion, address book, etc…
Hello Elan,
Can please tell me how many servers i need to be able to implement all the roles on my network, also which of the roles can run parallel on one server(so i can consolidate some of the roles and cut cost).
Thanks,
Kwadwo
Good job,
Some questions, When I setup OCS test environment in enterprise environment, what is needed when user is outside the network using ISDN connecting through firewall to the company network? Is it possible through Mediation server (Romote access enable), a Remote users from internet can call from office communicator client to office communication client into company network without edge server inplace?
No, a Mediation Server does not allow any Remote Access. An Edge Server is needed. In fact, when deploying a Mediation Server for PSTN Voice, you still specify the A/V Edge so OCS users can relay PSTN Audio through the A/V Edge to the Mediation Server which will then send that audio out to the PSTN which will eventually get transcoded to G.711. So, you'll always need an Edge.
Hi All,
I am althaf, working for a tech support mnc company.. I would like to install OCS 2007 R2 on Win 2008. tried several times and havent succeeded.
I want some basic information like… whether can we install OCS 2007 R2 on a Single VM Windows 2008 machine. if its yes. Please suggest the steps which one is to install prior to the levels.
So far i had tried several times and got struck up at Setup Delegation Wizard… pls find below is the error message it throws all the times
Failure "[0x8007001F] A device attached to the system is not functioning."
I would appreciate you guys to suggest or any help in this regard.
Thanks n Regards,
Althaf
althaf,
For my labwork, I always virtualize. Keep in mind though, that most roles for virtualization are not supported and should not be done in production. This does not mean that you cannot, just that you risk having issues and/or not receiving support from Microsoft.
Make sure your time is in sync, timezone is set correctly, Also, make sure that you are not using some extensive password with not so typical passwords as I have seen this break an install. Also, you may want to try running the ocsanfix.exe as I have seen that break certain parts of an install process. That exe is located from here: http://support.microsoft.com/kb/974571
Hope that helps
This is fantastic – cheers for posting!
Hi Elan
Thanks for the effort for the installation in details. It really helpful.
But, I do have one problem, which is i have received this “distribution group service could not perform this action” when i’m using ISA Server 2006 as a proxy for my IE. If i removed it(and using Cisco Transparent Proxy), office coomunicator able to retrieved the distribution group.
Hope U may help on this on how to change the setting at ISA Server to allow distribution group is retrievable.
Soon I shall have an interview for OCS administration job and I have never learnt it. I am reading the book but
but want to do practical also.
Could someone in this world please help me with the questions I have as follow:
I do not have a 64 bit machine. Is there any possibility of installing,OCS 2007 R2 on Server 2003 x86?
Can I do it on virtual Machines?
Can I download OCS 2007(not R2) from anywhere?
What could be the possible interview questions, any tips?
Thank you in advance.
Hi Shahid. OCS 2007 was x86 only (no x64 out there) and OCS 2007 R2 is x64 only (no x86 out there).
You can run them in VMs. OCS 2007 has no virtualization support and OCS 2007 R2 has some virtualization support. You can read the virtualization support policy here: http://communicationsserverteam.com/archive/2009/…
You can download OCS 2007 R2 Evaluation here: http://technet.microsoft.com/en-us/evalcenter/bb6…
More documentation here including a doc specific to OCS Administration: http://www.microsoft.com/downloads/details.aspx?f…
Hope that helps and good luck on the interview.
Hi Elan
Thanks for all the info, it has been really useful.
I have a question regarding Edge services. We are a fairly large organisation that shares a secure external WAN with other similar organisations with which we would like to federate. We also need to enable external client access and possible federation with external partners from the Internet. Is it possible to support this configuration i.e. communication via the external WAN where available, otherwise via the Internet? If so, how is this best achieved?
Hi Elan,
Great article, Currently planning to deploy OCS Server and Exchange 2010 for small business client, I think a guide which combines these as full unified communication solution would be very helpful to our community.
I just created a lab for it to start with it.
Thanks
Netpros
We are deploying OCS 2007 R2 Enterprise in single server and empty root domain environment. We have three Windows 2008 AD site domains, the FE OCS server will sit in one of those sites. Is there any special configurations that I need to consider to allow the users from the other two sites to access OCS; for example do I have to run the Domain Prep in each domain?
You just need to make sure you domain prep any domain that will contain users who will be enabled for OCS.
Hi, In my setup I already have Edge with ISA Reverse Proxy and pretty soon I am going to deploy CWA as well. I was just wondering, can I use same ISA server for CWA External which I used for Edge Server.
If yes, then do I need to assign another public IP to frontend NIC of ISA Server and get that address published on Public DNS for CWA. Is that how it works?
Please help!
~Manish
Not necessarily. You can use the same listener and configure your rule to bypass pre-auth. That means to configure your rule so the authentication delegation tab allows all clients to authenticate directly and then assigning "All users" to use the rule instead of "Authenticated Users." Or you can use a new public IP and create a new listener.
Hi Elan,
We are main UC application developer. Till now we have develop multiple application for Cisco UC infrastructure. Now we are plannning to start work on Microsoft OCS. As we are new for OCS we have some basic queries regarding installation of oCS –
1) How many server will be required to deploy MS OCS 2007R2. Is it possible to deploy on single server?
2) Can I get OCS installation guide somewhere?
3) How I will get SSL certificates?
Thanks & Regards,
Umesh
Dear Mr. Elan,
You have written a very nice post. While preparing the AD I am facing the below problem:
We have One root domain controller a single domain & forest and 20 additional domain controller including all branches.
Root Domain Admin: True
Forest Settings: Not Ready
————
Failure
[0xC3EC7800] The forest schema is not prepared to host Office Communications Server.
Sounds like you have a replication problem somewhere in the environment.
Great article Elan. I am trying to figure out how many load balancers are required for a 2 edge server configuration. I would think I only need one but it seems from other documentation on the web that I may in fact need 2; one for the external VIP and another load balancer to do the internal nice Vip. Is this correct?
Hi Elan, Great article.
Thanks for posting this article, it will helps much for deployment.
Really this is great achivement..
Sure, you can do that.
I assume File/Printer sharing be disabled on the public (DMZ) interfaces for ISA and Edge servers?
You should be able to post. Shoot me over an e-mail with the post you’re trying to post to and what the page says such as access denied?
Hi, can someone tell me why I can’t submit comments. I’m planning to setup 1x edge server for external user and have some question, i can post my comments to other post except this.
Appreciate your help.
Thanks for the reply Elan. I thought it was a bad idea (which is why I hadn’t do it yet). I guess we will either have to procure another 64bit server or implement 32bit R1. Thanks again, you’ve been bookmarked!
Hi Elan,
be grateful of your harwork! now a planning to Install a Trail version of OCS2007 on my network to test and evaluvate, for this I may required to have 8 server or I can use DC -1no, FE, Edge, SQL – 1no, Exchange2k3, Cert SRV-1 nos,for FW am using Fortigate100A. can you confirm me te above requirements enough or not.
Thanks,
Augus
Hi Elan,
Great article. I have been testing OCS 2007 R1 for our company and I’m now looking to implement R2 fully. However we have a shortage of 64bit servers in our network. Are you aware of any issues installing OCS 2007 R2 on the same server as Exchange 2007? There are only 50 or so users in the whole company and the server has plenty of spare resources. I remember reading something when initially looking into implementing R1 however I’m, unable to track this down now. Any info would be great.
Cheers
Ally
Don’t do this. Both will want to use the Default Website and the certs and such will conflict. Not to mention other possible issues. It’s plainly just not supported and I wouldn’t try getting it to work. You’ll basically be trying to Frankenstein a solution together.
Thanks Elan, that’s exactly what I needed to know.
You’re welcome. Thanks for posting!
Multiple certs on the same server are fine. When using OCS, for each service, you choose what certificate you want to use. For Exchange, you can enable your services to use a certificate and then it’ll use some logic to determine which is the best certificate to use (expiration is set to a further date, is a PKI certificate over a self-signed, etc.)
Personally, I would most definitely use a separate certificate with Exchange and OCS. The reason being is for OCS, for your Edge Server, you should have your Access Edge FQDN as your SN and the rest you can have as a SAN. Keep in mind, it’s only supported to have every service having their own certificate. Access Edge should have its own cert, Web Conferencing should have its own cert, etc… A/V doesn’t need a public facing certificate but should have an A/V Authentication certificate that should be signed using your internal CA and should be a different certificate than your regular internal certificate.
Hi Elan,
I have a question on configuring certs for Exchange 2007 and OCS in the same environment with an F5 firewall.
MS recommends using internal CA for the internal components of OCS and a 3rd party cert for external OCS components and also a 3rd party cert for OWA/ActiveSync and Outlook Anywhere. Can I request, using one UC cert with my 14xSAN’s, and then add the same 3rd party cert to all my Exchange and OCS servers?
What happens if there are multiple certs on one server – so a self signed/a windows internally generated cert and a 3rd party cert? What will OCS and Exchange use, will it cause any conflicts?
Many Thanks
Una
I already included the steps in my article. :) Contact your MS Licensing Rep and they’ll help you get started. Everything is fine in what you listed. I would recommend getting SP1 for MS Office 2007 as it helps with some Outlook/Communicator integration issues.
Hi Elan, Great article.
By the way could you help me to do this, as we need to test office communicator on our existing office internally.
1) we don’t have exchange server yet (going to implement soon).
2) DC and File servers are MS windows 2008 32 bit.
3) All Domain got vista business and ultimate.
4) MS Office 2007 Standard version installed on client machines.
5) One machine already installed Windows 2008 64 bit and added to the domain.
what are the steps I need to take and from where I can download OCS 2007 R2?
Thanks
Shabab
Thanks. I have not done a Standard guide and have no plans on doing so.
Hi Elan,
good work, you dont have any step by step how to’s on installing the standard edition do you please?
We have OCS 2007 R1 in our environment using as an internal system only. We want to upgrade to RC2 but cannot find any step by steps for that verison.
thanks
Dean
hi Elan
We are actually depoloying OCS 2007 R2 in our company.
The First thing we came to know is that we actually need 8 machines for each Server roles.
Now the confusing part is do we need one Extra machine for Active Directory and DNS
or it can be colocated with any of the above
Thanks
Gagan
Run through the setup wizard again and it’ll install all the pieces it needs. You “may” need to do some re-configuration depending on what you uninstalled.
hi Elan,
I mistakenly uninstalled Office Communication Server 2007 R2 ,the first application from Add and Remove Programs. now I cant see the Office communication server 2007 R2 in Administrative tool but all other applicatins running successfully. Will all run well. How can i reinstall that particular file? please help.
Well, doing that makes things easier for administration since you don’t have to bother with NAT’ing, you have the same subnet range on your NICs, etc… It’s all relative to your outlook on things.
One thing to keep in mind is the notion that people think that putting Public IPs on a NIC is not secure. This is completely false. NAT was not designed to secure systems. It was designed to save IP Addresses. A Public IP can still be behind a firewall. You just configure the firewall to route the traffic out of a specific port to a switch on which the Edge Server would be on or directly to the server.
Now with that in mind, if you were using NAT, that server is still reachable on the internet. It still hits the same firewall. The only difference is that it NAT’s it on the firewall to a private IP Address. But even if you were using a Public IP Address on the NIC, you can still put it behind a firewall.
So to me, there’s no real difference from a security standpoint whether you use Public IPs on the NICs as long as they’re still behind a firewall.
Hi Elan!
This stuffs you posted out here is insanely tight! Thanks a mill. I read in a Syngress Publishing book “How to cheat at Adminstering OCS 2007” the author recommended to have public IP’s rather than private IP’s on the edge server roles, what’s ur take on this?
I haven’t tried a wildcard certificate. I’m not sure if it will work or not, but it’s definitely not supported. You can publish CWA with ISA for it to be available from the outside or give it its own public IP and NAT to it over 443.
Mediation Server is never available from the outside. When you configure your Mediation Server, one of the settings is what A/V Server you want to use. The reason you specify this his when a user is outside the network, the audio stream from OCS SIP Endpoints use that Audio/Video Server for streaming that audio to the OCS environment allowing for Enterprise Voice. The actual call part always happens from Mediation to FE and Mediation to Gateway/PBX and doesn’t need to touch a user directly.
Hi Elan,
is there a role on the Edge server which does not have to be available from the outside ? Of course this depends on your requirements, but what is a common approach ? I know what you meant with your previous statements about the public IPs, so forgive me =)
Too bad CWA and Front End cannot be collocated, for sure you want your CWA available from the outside. Is there any other service that I forget that should be available outside ? I will use a Mediation server, but have an internal supplier in my DC for a SIP trunk.
About the certs, willa wild card not work, or not supported ? have tried it ? Or will there be a number of devices that wil have problems to connect (eg. WM5 devices).
Grtz,
Ronald
Ronald, since every NIC requires its own IP Address as I show in my article, you’ll want a different Public IP NAT’ing to each NIC. The same goes for ISA which will do reverse proxy for several Front End Services. So yes, if you want all OCS Services available from the outside, you’ll want 4 Public IPs. And when I stated I mentioned no such requirement, I’m talking about public IPs directly on the NIC.
As far as CWA on Front End, this was recently changed by Microsoft so the CWA Server can no lonoger by collocated with any other server role.
http://technet.microsoft.com/en-us/library/dd425201(office.13).aspx
Hi Elan,
To reach the Edge server from the internet you need to NAT public IPs to the private IPs on the Edge server. I have an ISA 2006 in front, so my question is if I do need 3 public IPs to NAT to the private IPs of the Edge server, one for each Edge service ? And then there is also a dedicated IP for the SSL bridge to the Front End server. So in total I require 4 public IPs. Is that correct ?
And can I combine the CWA on the Front End server using the same certificate? Or do I need a new web site for the CWA with its own cert ? In the last case this would mean another public IP for the SSL bridge.
Thanks for your info !
BR,
Ronald
Hm, where did you get the public IP requirement? I mentioned no such thing anywhere in my article. Look at the diagram, it shows private IPs on the NICs. You can use public ips on the NICs if you want, but don’t have to. Of course you still need public IPs NAT’d to the private IPs anyway.
As for certs, to be in a supported Microsoft configuration, you’ll need a dedicated SSL certificate for each NIC (Access/Web Conf/AV).
Hi Elan,
Got the internal stuff up and running, thanks for the article, especially the DNS SRV part. This is where it went wrong before.
For external user access, do I understand correctly that I need three public IPs, one for each Edge service (Access, AV and WebConf) ? But if I have a wildcard cert and a consolidated Edge deployement, are three public ips still mandatory ?
BR,
Ronald
Start here:
http://technet.microsoft.com/en-us/library/dd441152(office.13).aspx
Hi Elan,
Thanks for your comment, I d rather not hack myself a way into it. It might break in next releases and is not supported I guess. Is there a document that described the ports in use for each edge service ?
BR,
Ronald
I’ve seen a way to do it but it requires quite a bit of hacking and I highly recommend not doing that. You’ll want to use 3 Public IPs, each one mapped to the IP for each service on the Edge. Also, the hack I was talking about was for OCS R1 and have never heard of it being tried for OCS R2.
Not sure where the forum post is that explains the process but I’m sure through some searching on the technet forums, you’d be able to find it.
Hi Elan,
Great article. One question, can you use one IP address for the external access of the edge server ? Or are there overlapping ports there ? I have a limited amount of public IP’s. I need to minimize on those.
Is there a description of which ports are used by the edge services ?
Thanks !
BR,
Ronald
BBF, Here’s the firewall requirements for the Edge Server in OCS R1. You’ll have to check the OCS R2 documentation (not on the library yet) for any differences in OCS R2:
http://technet.microsoft.com/en-us/library/bb803617.aspx
Martin, thanks!
Really nice work Elan!
i followed your guide so far and made an internal setup. Next week I will be deploying the edge server and ISA, so thanks a bunch for this site!
Elan,
Your blogs are all VERY informative… Thanks!
I usually find that it is a hard sell to get the network guys to allow a DMZ server to directly plug into the LAN. You mentioned earlier that you can configure the “Internal NIC” with a DMZ address and then open the ports. What ports must be opened from the Internal NIC that has a DMZ address to the LAN based Front End server(s)?
Thanks for the great posts
Yes, that’s fine. I have seen all Public IPs before on an Edge.
hi elan
Excellent work. I have one question. is it mandatory to have natting on the firewall. can you assign all the edge roles a public ip address and have the firewall open for the necessay ports?
we only have an external firewall and the network guys seem to think this should work.
thanks
Thanks Abdul. On your internal NIC, you will want to use a private IP on one of your subnets. You can use a DMZ IP if you want to be more secure and open up the ports on the internal firewall or put a private IP that lives on the same subnet as your Front End which is less secure. On your Edge NIC, you can use public IPs on your NIC and have your firewall route out of a specific port for each public IP or use all DMZ private IPs on this NIC and create Static NAT entries to it.
Hi Alan,
You have done a great work. Currently I am installing a OCS Edge server installation. Now scenario is that I have only one firewall which is protecting internal users. WHat configuration do I need. our internal network is using 192.168.1.0 IP’s . I am using 2 NICS on the edge server. on one NIC the ip will be like 192.168.1.15 and what about the other NIC. should I use DMZ IP’s like 10.0.0.2 or I can use the public routable IP’s?
Thanks for the great posts.
You would still need to place Edge in DMZ. Access Edge would be all you need for federation partners. If you want external IM, you’d still need a Reverse Proxy if you want Address Book lookups and Group Expansion. There are other things a Reverse Proxy are used for but nothing you’d need for only Federation and external users using IM. You can see what else a Reverse Proxy in Part 4 (which will be out early next week).
Hi Elan
One clarification question. I am planning a PoC of OCS R2 and since the documentation is not yet available I am unclear about the Edge placement.
Is it OK to place the Edge server on the Internal network with each of the 4 NICs having private IP (providing the loadbalaners IP’s are setup per your sample above) or only the Internal NIC is on the internal network and the other three NICs need IPs from a DMZ subnet.
Also do I assume correctly that if I only require Public IM federation all I need is the Access Edge role with 5061 (SIP/MTLS) open to the federation partners and reverse proxy is not required. if you could elaborate on the PIC connectivity requirements it would be greatly appreciated.
Kind regards,
Michael
Thanks Joachim
good work!
For a single 2007 R2 Edge:
Static NAT for all 4 OCS Edge NICs. So Public IP > Private IP on OCS R2 NIC
For several 2007 R2 Edge Servers behind a Load Balancer:
Static NAT as well. But for Access Edge and Web Conferencing, you would have Public IP Static NAT to a Private IP on the Load Balancer which then communicates with the Private IP on the Access Edge NIC and Web Conferencing Edge NIC. For the Audio/Video Conferencing, you would have Public IP directly on your Load Balancer VIP and then have that NAT to your Private IP on your Audiop/Video Conferencing Edge NIC.
I would assume that the hardware load balancer vendors such as Cisco/F5/Etc should have documentation on how to configure the load balancers for OCS R2 sometime in the future.
Hi Elan, could you please clarify something please? In our environment, we have 15 public ip’s we use – 216.134.2XX.XX-ZZ. On our firewall, we do a 1:1 translation of these public ip’s to our internal private ip’s of 192.168.44.a-z for various services. Can you explain a quick SAMPLE scenario in how I could accomodate OCS R2 with the configurations you describe pertaining to NAT / IP scheme? I am still a bit unclear on some terminology regarding what kind of NAT, how you perform your NAT, what’s acceptable, etc. Again, in my sample, we have 1:1 done right at the firewall using SonicWall so please go from that point to clarify. Thank you.