Now that Office Communications Server (OCS) 2007 is RTM, I thought it would be nice to create an article on how to deploy a single Enterprise Edition OCS Server which is connected to an x64 SQL Server 2005 SP2 Back-End Server. This article will be based off the OCS 2007 RTM version.
This article is to guide you through the entire OCS deployment process from scratch. This article will include the following:
- Certificate Services installation
- Single Enterprise Front End Server – with information on what to do to get a second Front End Server installed behind a Hardware Load Balancer
- Consolidated Edge Server – with information on what to do to deploy a Single-Site Edge Topology or a Scaled Single-Site Edge Topology instead
- Dual-Homed ISA 2006 Installation to reverse proxy internal services
Part 1
Lab Setup
Guest Virtual Machines
One Server 2003 Enterprise (Standard can be used) SP2 x64 Domain Controller on which Certificate Services will be installed as the Enterprise Root Certificate Authority. Exchange 2007 SP1 will be installed with the Hub Transport Server, Client Access Server, and Mailbox Server roles. Exchange is in this lab because of the Group Expansion requirement: a Universal Distribution Group must be mail-enabled before Office Communicator 2007 can expand it.
Two Server 2003 Enterprise (Standard can be used) x86 (x86 required) Member Servers where OCS 2007 will be installed. One of these servers will be the Consolidated Edge Server which will contain 4 NICs.
One Server 2003 Enterprise (Standard can be used) x86 (x86 required) Member Server where ISA 2006 will be installed as a dual-homed box.
One Server 2003 Enterprise (Standard can be used) x64 (x86 can be used) Member Server where SQL 2005 SP2 will be installed.
Assumptions
- You have a domain that contains at least one Server 2003 SP2 Domain Controller (DC) – This is required due to Exchange 2007 SP1 being installed on the Domain Controller.
- You have configured the IP settings accordingly for all servers to be on the same subnet. I have provided the IP scheme of my lab below, but this will vary depending on your needs and VMware configuration. One exception to this is one NIC on the ISA Server will belong to a different subnet. This NIC would be the NIC that lives in the DMZ in a production environment.
- Exchange 2007 Hub Transport Server, Client Access Server, and Mailbox Server are installed on our Server 2003 SP2 DC. Installing Exchange 2007 on a Domain Controller is not a recommended practice for production. But for purposes of this lab, we will do so to consolidate and conserve resources. This article does not go over the installation or configuration of these roles but will go over mail-enabling a Distribution Group(s).
- You have a SQL 2005 SP1 or SP2 server installed. We will be using SP2 for purposes of this lab.
- You have a copy of Office Communicator (OC) 2007. We will be installing our copy of OC 2007 on OCS-DC1.
Computer Names
OCS Front End Server – OCS-OCS1
OCS Consolidated Edge Server – OCS-OCS2
Domain Controller / Exchange Server / Root Enterprise CA – OCS-DC1
ISA Server – OCS-ISA1
SQL Server – OCS-SQL1
Configuration of VMware Workstation for Domain Controller / Exchange Server / Root Enterprise CA
There is no official VMware support for Server 2008 at the time of writing this article. Although we will be using Server 2003 for all Virtual Machines in this lab, the Domain Controller with Exchange 2007 SP1 can be installed on Server 2008. All other machines must be installed on Server 2003. The latest version and build is VMware 6.0.4 build-93057. There is currently “experimental” support, which you will see (if you do use Server 2008) when specifying the Operating System as you create your Virtual Machine. In my past experience, I did not encounter any real issues with Windows Server 2008 on VMware Workstation 6.0.2 build-59824. If you do choose to use Server 2008, there will be differences in the installation and configuration of Certificate Services.
Processor: 2
Memory: 1112MB
Network Type – Public NIC – VMnet8 – Network Address Translation (Used so Virtual Machines get an IP Address without taking up IP Addresses at a client’s site while still being granted Internet access through NAT functionality)
Virtual Disk Type – System Volume (C:\): VMware SCSI 8GB
Note: In a real-world environment, depending on the needs of the business and environment, it is best practice to install your database and logs on separate disks/spindles. We will be installing Active Directory, Certificate Services, and Exchange 2007 SP1 on the same disks/spindles for simplicity's sake in this lab.
Configuration of SQL 2005 SP2
Processor: 2
Memory: 384MB
Network Type – VMnet8 – Network Address Translation (Used so Virtual Machines get an IP Address without taking up IP Addresses at a client’s site while still being granted Internet access through NAT functionality)
Virtual Disk Type – System Volume (C:\): VMware SCSI 8GB
Virtual Disk Type – SQL Database/Logs (D:\): SCSI 3GB
Note: We will be installing the Database/Logs on a separate volume to see how the OCS installation reacts to seeing extra volumes on the SQL Server.
Configuration of ISA 2006 RTM
Processor: 2
Memory: 384MB
Network Type – VMnet8 – Network Address Translation (Used so Virtual Machines get an IP Address without taking up IP Addresses at a client’s site while still being granted Internet access through NAT functionality)
Network Type – VMnet7 – Used to mimic your DMZ NIC for external/Internet communication
Virtual Disk Type – System Volume (C:\): VMware SCSI 8GB
Configuration of OCS 2007 RTM Consolidated Edge
Processor: 2
Memory: 384MB
Network Type – VMnet8 – Network Address Translation (Used so Virtual Machines get an IP Address without taking up IP Addresses at a client’s site while still being granted Internet access through NAT functionality)
Network Type – VMnet7 – Used to mimic your DMZ NIC for external/Internet communication for the Audio/Video Edge Server Role
Network Type – VMnet7 – Used to mimic your DMZ NIC for external/Internet communication for the Access Edge Server Role
Network Type – VMnet7 – Used to mimic your DMZ NIC for external/Internet communication for the Web Conferencing Server Role
Virtual Disk Type – System Volume (C:\): VMware SCSI 8GB
Note: There are a few different ways the NICs could be set up on the Edge roles. I have included a mini write-up below entitled “Various Edge Server NIC Setups.”
Configuration of OCS 2007 RTM Front End
Processor: 2
Memory: 384MB
Network Type – VMnet8 – Network Address Translation (Used so Virtual Machines get an IP Address without taking up IP Addresses at a client’s site while still being granted Internet access through NAT functionality)
IP Addressing Scheme (Corporate Subnet) – VMnet8
IP Address – 192.168.119.x
Subnet Mask – 255.255.255.0
Default Gateway – 192.168.119.2
DNS Server – 192.168.119.150 (IP Address of the Domain Controller/DNS Server)
IP Addressing Scheme (DMZ Subnet) – VMnet7
IP Address – 10.10.10.x
Default Gateway – 10.10.10.x
Subnet Mask – 255.255.255.0
Preparation of ISA 2006 Node
Network Interface Card (NIC) Configuration
First thing we will want to do is configure the IP Configuration of both the Public DMZ NIC and Internal Corporate NIC.
We will want to rename our Public DMZ NIC connection to Public and our Internal Corporate NIC connection to Internal. To do so, go to Start > Control Panel. Once in the Control Panel, double-click Network Connections.
Now you will be presented with the Network Connections window. This is where you can modify the network properties for each NIC in your server. For your Internal Corporate Connection, rename your Local Area Connection to Internal. Likewise, for your Public DMZ Connection, rename your Local Area Connection to Public. After you have done this, it will look something similar to the following:
Note: Do not forget that one of the assumptions earlier in this article is that you have a properly configured TCP/IP network where all nodes are connected. Because of this, I will skip the actual TCP/IP configuration. The IP for the Internal NIC is 192.168.119.153/24. The IP for the Public NIC is 10.10.10.153/24; in production, a Public IP would typically be mapped to this DMZ IP via a static Network Address Translation (NAT) rule.
Important: In a production environment, you would generally have the Default Gateway on your public NIC. Depending on the communication paths and the configuration of your firewalls, you would want to create a static route so your internal communications go directly to a router on the inside of your network that is more open to communications. This way, you would not have to open ports on your Edge firewall when not necessary. For example, if you were doing LDAPS and your DMZ Edge Firewall blocked port 636, you would need to create a static route so traffic destined to your internal corporate network goes to the internal router that allows 636. You would not need to do this if your DMZ Edge Firewall allowed port 636 and knew how to route to the internal corporate network.
To ensure you reduce the attack surface of your ISA Server, open the Public NIC properties, open the TCP/IP Properties > go into the Advanced NIC configuration settings by clicking the Advanced button. From there, you will navigate to DNS tab and de-select “Register this connection’s addresses in DNS.”
Select the WINS tab and de-select “Enable LMHOSTS lookup” and configure the NetBIOS setting to “Disable NetBIOS over TCP/IP.”
Once you are done configuring the Advanced settings, press OK three times and you will be back at the Network Connections screen. From here, choose Advanced and select Advanced Settings…
You will be presented with the Binding Order for your current NICs. Ensure that the Internal NIC is on top by selecting Internal and pressing the green up arrow key on the right-hand side of the dialog. The reason you want Internal on top is because your Corporate communications happen on this NIC and things like DNS are configured on this NIC.
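The three Advanced-tab changes above can also be audited and applied without the GUI. The following is an added example, not code from the original article: a PowerShell script that reads the DMZ NIC's WMI configuration, reports whether DNS registration, LMHOSTS lookup and NetBIOS over TCP/IP are still enabled, and with -Fix applies the same settings the text describes. It assumes PowerShell is installed on the Server 2003 box (it is not part of the default install) and that the DMZ connection has already been renamed to Public.

```powershell
# Added example (not from the original article): audit/harden the DMZ-facing NIC.
# Assumes PowerShell with WMI access on the Server 2003 box; the connection name
# "Public" is the name given to the DMZ NIC in Network Connections earlier.
param(
    [string]$ConnectionName = "Public",   # friendly name shown in Network Connections
    [switch]$Fix                          # without -Fix the script only reports
)

# Win32_NetworkAdapter.NetConnectionID is the friendly connection name.
$adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
if (-not $adapter) { throw "No adapter named '$ConnectionName' found." }

# The IP-level settings live on the Win32_NetworkAdapterConfiguration with the same Index.
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"

# TcpipNetbiosOptions: 0 = use DHCP/default, 1 = enabled, 2 = disabled
$findings = @()
if ($cfg.FullDNSRegistrationEnabled) { $findings += "registers this connection's address in DNS" }
if ($cfg.WINSEnableLMHostsLookup)    { $findings += "LMHOSTS lookup is enabled" }
if ($cfg.TcpipNetbiosOptions -ne 2)  { $findings += "NetBIOS over TCP/IP is not disabled" }

$ips = [string]::Join(",", @($cfg.IPAddress))
if ($findings.Count -eq 0) {
    Write-Host "$ConnectionName ($ips): hardened as expected"
    return
}
Write-Host "$ConnectionName ($ips) needs attention:"
foreach ($f in $findings) { Write-Host "  - $f" }

if ($Fix) {
    # ReturnValue 0 = success, 1 = success but reboot required
    # (FullDNSRegistrationEnabled, DomainDNSRegistrationEnabled)
    $r = $cfg.SetDynamicDNSRegistration($false, $false)
    Write-Host "SetDynamicDNSRegistration returned $($r.ReturnValue)"
    # 2 = Disable NetBIOS over TCP/IP on this interface only
    $r = $cfg.SetTcpipNetbios(2)
    Write-Host "SetTcpipNetbios returned $($r.ReturnValue)"
    # EnableWINS is a class-level (static) method and the LMHOSTS setting is system-wide:
    # (DNSEnabledForWINSResolution, WINSEnableLMHostsLookup)
    $r = ([wmiclass]"Win32_NetworkAdapterConfiguration").EnableWINS($false, $false)
    Write-Host "EnableWINS returned $($r.ReturnValue)"
}
```

Run it without -Fix first on the Internal NIC as well (-ConnectionName Internal) to confirm you are not about to disable DNS registration on the corporate-facing interface; the binding order still has to be set in the GUI.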
Rename Computer and Join to Active Directory Domain
Make sure you name your ISA box to a name that complies with your naming convention and then join your ISA box to the domain. For purposes of this lab, we will be naming this box, OCS-ISA1. A lot of Administrators believe that joining the ISA box to the domain is a security threat, but that is not so. Please refer to this article explaining why.
Preparation of Consolidated Edge Node
Follow through the same exact steps you did for the ISA 2006 node except for a few things. Instead of 2 NICs, add 4 instead. Also, do not join it to the domain.
A summary of the steps involved consist of:
- Create 4 NICs
- Rename the NIC that is wired to the Internal Corporate Network to Internal
- Rename the NICs that are wired to the DMZ appropriate to their function. Our Access Edge NIC will be named AccessEdge. Our Web Conferencing Edge NIC will be named WebConfEdge. Our Audio/Video Conferencing Edge NIC will be named AudioVideoConfEdge.
- Assign the appropriate IP Addresses to each NIC. In a production environment, your Audio/Video NIC will need to have a Public IP Address (Non NAT’d IP Address) assigned directly to this NIC. For more information, read here. For purposes of this lab, we’ll assign it an IP on our 10.10.10.x network since we won’t be testing Edge connectivity due to limited resources of our VM environment.
- Create Static Routes if necessary
- Disable the Public NIC from registering in DNS
- Disable the Public NIC’s NetBIOS settings
- Modify the Binding Order so the Internal NIC is on the top of the list.
- Rename the Computer
- Do NOT join it to the domain
Certificate Authority Configuration
Since we are using Windows Server 2003 SP2 for this, we will want to make sure that we have the SP2 binaries and our CD1 for our Windows Server 2003 Enterprise installation. It will be required when we install Certificate Services.
To begin the CA installation, go to Start > Control Panel. Once in the Control Panel, Double Click on Add or Remove Programs.
Click Add/Remove Windows Components.
Place a checkmark in the checkbox next to Certificate Services. You will immediately see a warning not to modify the computer name after installation, so ensure your computer name is set correctly before continuing. Once your computer name is set, click Yes and then Next to continue.
Because we will be choosing an Enterprise Root CA, leave the defaults selected. Click Next to Continue.
Note: Choosing an Enterprise Root CA can be considered a security risk to many. Make sure a proper design for a PKI infrastructure is done for both functionality, security, etc. before deploying an internal PKI solution for your organization. I am using an Enterprise Root CA because I am doing this in a test environment and it reduces the amount of resources needed for the lab.
We will name our Root CA OCS-CAROOT. Keep in mind, this is not our machine name. This is what the root certificate’s name will be. Click Next to Continue.
Specify where you want to store your Certificate Database and Logs. For purposes of this lab, we will install it on our System Partition (C:\). Click Next to Continue to begin installation. As stated earlier, make sure you have the SP2 binaries and CD1 of your Server 2003 Installation CD.
If you’re like me and always forget to install Internet Information Services (IIS) prior to installing Certificate Services, you will get the following prompt. Don’t worry, we’ll fix this after our Certificate Services installation completes. If you did get this prompt, Click OK to Continue.
Now our Certificate Services Installation should complete successfully. If you did forget to install IIS before Certificate Services installation began and you received the prompt above, go install IIS by following the instructions here. You will also need your SP2 binaries and CD1 of your Server 2003 Installation CD.
Once IIS is installed, to create the CertSrv subfolder within IIS, type the following command:
Certutil -vroot
Various Edge Server NIC Setups
When going over the NIC configuration of our Edge Servers, it has been noted that we will be using 4 NICs for our Consolidated Edge Server. This would be Method #1 below. As you can see, there are two other ways the NIC Setup could be configured.
Note: The IPs in the above diagram do not represent IPs we will be using in our lab. They are only a representation of what you may see in a production environment. For example, Public IP on Audio/Video Edge NIC, DMZ IPs on your Access Edge and Web Conferencing Edge NICs, and an Internal Corporate IP Address on your Internal NIC.
Method #1 (Recommended)
Every role has its own dedicated NIC. This is recommended because people have had communication issues in the past when roles share IP addresses on the same NIC.
Method #2
The Audio/Video Edge Server is the only role that has a Public IP address. Because of this, it is given its own NIC, since the subnet it belongs to is different from that of all other roles. The Access Edge and Web Conferencing Edge Servers are on the same DMZ subnet, so they share one NIC. The internal NIC is also on a different subnet, so it is given its own NIC. The Internal NIC should always be on a dedicated NIC.
Method #3
It is also possible to use Public IPs on the Web Conferencing Edge Server as well as the Access Edge Server. Because of this, all 3 Edge Server Roles would have Public IPs meaning they can all be on the same NIC. You would then use a dedicated NIC for the Internal NIC.
Summary
Well folks, that is all for Part 1 of this article. For Part 2, I will go over the preparation and installation of a Front End OCS 2007 Server Pool.
Genie says
I just came by to learn about this place.
It appears really informative and I had a good time reading it, thank you very much for the good stuff!
Zahir Hussain Shah says
Good Job!
Zahir
Fredie Barron Holmes says
Hello, I have OCS 2007 with a Front End Server. During the installation I was prompted to provide a SQL database,
which I don't have. How do I complete my installation? I am doing the installation on VMware 6.0. Secondly, am I forced to use ISA 2006 Server?
Elan Shudnow says
You'll need OCS Standard Edition then. It'll take care of SQL Express automatically during the install. You don't have to use ISA. You'll want to use it if you want certain things like Phone Updates, Address Book Updates, Distribution Group expansion, as well as Web Conferencing Uploads.
Ramadji says
Hi!
This is a great HOWTO. Very helpful.
I have a SonicWall as my front firewall and I’m using ISA Server 2006 (dual-homed) as a back firewall. I’m planning to have my Front End run the Access Edge Server role with two NICs (1 for the Internal and the other for the Access Edge Server). How do I connect my Front-End box and the ISA? My set up looks like this:
Internet —–SonicWall (x0,…x5 ports)—- Dual-Homed ISA ———LAN
Thanks for your feedback.
Elan Shudnow says
Na, you don’t have to do that; though you could if you wanted. Just rename the computer and reboot. My comment about it not being part of a domain was more or less saying to not join it to the domain and leave it in the workgroup.
Marek says
Hi,
I have a question about Edge Server.
In your steps you mentioned to “rename a computer”. The server is not part of a domain. Do you imply that we have to click on “More” and put in “Primary DNS suffix of this computer”?
If so, does this name (for example ocsedge.yourdomain.com) have to have a public DNS entry that corresponds to ocsedge.yourdomain.com?
thank you so much for reply
Elan Shudnow says
On a Front End Server, all you need is more than one NIC. I typically recommend that any unused NICs are disabled.
On your Edge Server, you’d need at minimum 2 NICs. You can view the diagram of the Edge NIC configuration at the end of the article. If you don’t need Web Conferencing, no NIC/IP needed for it. If you don’t need A/V, no NIC/IP needed for it. You’ll always need at least the Access Edge NIC and Internal Edge NIC at minimum to provide IM/Federation connectivity.
Elangovan says
Hi,
Good article, it's very helpful to me. Is it possible to install with a single NIC, using it only for local IM and nothing more than that?
Elan Shudnow says
Pete,
Thanks. I’d set it on either the Access Edge or the Web Conferencing Edge NIC.
Elan
pete says
Hi,
excellent guide, however I do not fully understand, how to use four NICs on the edge. On which of the NICs do I configure the default gateway?
thanks!
jordanturner says
Elan, you just shook the rust off…
OPTION 1:
————-
In essence, that was the simple answer. There is a physical port on the firewall; 3rd port. Typically it is used for DMZ which can be used for my second set of public ip ranges for OCS use. Another way could be have a hub of the first port which the Edge Server hangs off of (option 2 below).
OPTION 2:
————-
Internet—Router—Firewall——————–LAN Switch——Internal Computers
**************Firewall—-Hub on public interface port——–Edge Server
On the firewall, I would just create a rule that allows that 1 public IP for the Edge Role (A/V) to communicate with internal OCS servers.
Thanks again for inspiring and bringing clarity. These options above are SORELY missing or lacking in simplicity in Microsoft Documents or anywhere else!
Elan Shudnow says
Jordan, I’m not a firewall administrator, but my take on it, is that you can create a dedicated port on your firewall that is set to route traffic destined to a certain IP directly to a server. This way, you can still have the A/V Edge that has a public IP address behind your firewall instead of having it directly on the internet. Sorry I can’t give you a better answer here. And thanks for the positive comments.
jordanturner says
Elan, I’ve looked high and low for an excellent document like this. Thanks, now you just simplified the Edge sample configurations for me in less than 1 page! Why can’t Microsoft documents be like yours?
Since I am not a firewall person, and I only have 3 interfaces to work with (only Standard Setup with 2 servers), how do you propose I configure this? I have 10 public IPs; 1 for the external interface of the SonicWall, and 4 public IPs as one-to-one NAT (208.x.x.x). The 2nd interface is for my internal LAN (192.168.18.x). The last interface is not used for DMZ at all. Please note I only have two servers to work with for 50 users for OCS 2007.
How would you propose I configure my firewall to accommodate this – not how, but a sample diagram or setup? My immediate question is how can I have an Edge server with a public IP with NO NAT at all – like one-to-one NAT?! How to do this with my setup? Thanks.
JSchmales says
Thank you for the reference. I have already been successful with configuring ISA Server 2006 for Reverse Proxy but have been unsuccessful in configuring ISA to allow the Office Communicator 2007 (non-web-based client) to connect to the internal OCS 2007 Server through ISA and an AE in a perimeter network. In your article, you mentioned you weren’t going to test this scenario due to “resources”.
Elan Shudnow says
I have not documented this. Here is the documentation on Technet which explains fairly well on the procedures you need to follow to configure your reverse proxy.
http://technet.microsoft.com/en-us/library/bb663639.aspx
JSchmales says
The two parts of this topic were very helpful toward setting up a UM VM environment. Thank you.
Question: Have you prepared any documentation that addresses the specific configuration of the ISA Server firewall policies that will allow external Office Communicator 2007 clients to connect through the ISA Server? I’ve been going around and around on this for a long time…
Ken Peterson
Elan Shudnow says
I have everything assigned with static IP addresses.
So let’s say we went with Method 1
Nic #1 – A/V Edge (Public IP)
Nic #2 – Access Edge (DMZ IP)
Nic #3 – Web Conferencing Edge (DMZ IP)
Nic #4 – Internal (Internal IP)
The Windows Operating System can only have 1 default route (0.0.0.0). This default route’s next hop is the default gateway. Because of this, you have 2 options:
Option #1 – Ensure this default gateway knows how to route to the internet, your DMZ, and all internal subnets. If it does, and you want to use this router, you will have to make sure all necessary ports are open. If this is unacceptable to you and you do not want to open all the required ports to the internal network, you can go to option #2.
Option #2 – Ensure this default gateway knows how to route to the internet and DMZ. For your internal subnets, you would create a static route to your internal network. This way, you’re creating a second gateway for certain traffic before it hits the default route. This way, your internal traffic does not go through your edge router and goes directly from OCS to the internal router which would be more secure.
For this custom route that routes traffic directly to a router on the inside of your corporate network, you would do something like:
route add 192.168.119.0 mask 255.255.255.0 192.168.119.2
So in this command, we want to send traffic destined to the 192.168.119.x network that uses a subnet of 255.255.255.0 with the next hop (gateway) being 192.168.119.2 (our router on the internal corporate network).
Does this help?
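As an added illustration of the route selection that both the Important note in the article and the answer above rely on (this is not code from the article or the comments): a PowerShell function that resolves the next hop from the two routes involved, the single default route on the DMZ NIC and the static route added with route add. The DMZ default gateway 10.10.10.1 and the destination 203.0.113.10 are assumed values; the article only gives 10.10.10.x for the DMZ gateway.

```powershell
# Added example (not from the article or comments): how Windows picks the next hop once
# "route add 192.168.119.0 mask 255.255.255.0 192.168.119.2" sits next to the default route.
# 10.10.10.1 is an assumed DMZ gateway; 203.0.113.10 is a constructed (TEST-NET-3) address.
function ConvertTo-Int64Ip([string]$Ip) {
    # Dotted quad -> 64-bit integer so mask arithmetic never overflows Int32.
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

# Each entry mirrors one line of "route print": network, mask, gateway (next hop).
$RouteTable = @(
    @{ Network = "0.0.0.0";       Mask = "0.0.0.0";       Gateway = "10.10.10.1" },    # default route on the DMZ NIC
    @{ Network = "192.168.119.0"; Mask = "255.255.255.0"; Gateway = "192.168.119.2" }  # static route to the corporate LAN
)

function Resolve-NextHop([string]$Destination) {
    $dst = ConvertTo-Int64Ip $Destination
    $best = $null
    $bestMask = [int64]0
    foreach ($r in $RouteTable) {
        $net  = ConvertTo-Int64Ip $r.Network
        $mask = ConvertTo-Int64Ip $r.Mask
        # Longest-prefix match: a more specific matching route beats the 0.0.0.0 default.
        if ((($dst -band $mask) -eq $net) -and (($best -eq $null) -or ($mask -gt $bestMask))) {
            $best = $r
            $bestMask = $mask
        }
    }
    return $best.Gateway
}

# The DC on the corporate LAN is reached via the internal router, never via the DMZ gateway.
Write-Host ("192.168.119.150 -> " + (Resolve-NextHop "192.168.119.150"))   # 192.168.119.2
# Anything else falls through to the default route on the DMZ side.
Write-Host ("203.0.113.10   -> " + (Resolve-NextHop "203.0.113.10"))       # 10.10.10.1
```

Remove the static route from $RouteTable and both destinations resolve to 10.10.10.1, which is exactly the case where every internal port would have to be opened on the DMZ edge firewall.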
like2learn says
very good article.
could you please explain in more detail the part for the IP configuration for TCP/IP please? sorry i don’t understand :)
is the default gateway assigned by VMWare?
thanks, appreciate help.
DariusCyrus says
Hi,
I agree, this article is very good. Thanks for posting it.
Looking forward to Part 2.
Thanks,
DC
Elan Shudnow says
Hi, I’m really glad you liked the article. I’ve been really busy with work and preparing for an upcoming move next week. I may be able to get to part 2 next week, but if not, I will try to get to part 2 in a couple weeks.
johnnyphuc says
This article is very good.
Can u post the article about office – communications-server-2007-enterprise-deployment-part2 ?
I’m waiting the article part 2 of u.
Thanks.