After you deploy Office Communications Server 2007 R2, you can use the following procedure to verify that devices outside of your organization"s firewall can access Device Update Service through the reverse proxy. If this test fails, verify that your deployment is properly configured for external access, and then try this test again. For details, see "Configure Access for External Devices" in Device Update Service.

Security Note:
In previous releases of Office Communications Server, UC devices operating outside the firewall connected to the update service by using anonymous access. In this release, to enhance security, UC devices by default must use NTLM authentication. This means that a user must be logged on to the device with a valid user account in order for an external device to connect to Device Update Service and receive updates. For details on deployment requirements for external device access, see Device Update Service.
Security Note:
If your organization has external devices that were deployed with the previous version of Office Communications Server 2007, and you want to use Office Communications Server 2007 R2 to update them, you must enable Anonymous access for the RequestHandlerExt virtual directory in Internet Information Services (IIS). For security reasons, once all previously deployed devices have been updated, you should disable anonymous access on this virtual directory. Office Communications Server 2007 R2 devices can be updated without Anonymous access. For more information, see the Office Communications Server migration content.

To verify external access to Device Update Service

  1. Add a Communicator Phone Edition test device to the Device Update Service Management Console, as described in Adding Test Devices.

  2. Connect the test device to a network that is external to your organization"s firewall.

  3. Turn off the test device and turn it back on again, and then sign in to the device. The device will then send an update request to Device Update Service.

    If you do not sign in to the device with a valid user account, Device Update Service will deny the update request. When this occurs, the device displays a status of be 0x0/401 for a credentials error, and an error is logged in Internet Information Services (IIS) also.
  4. In the audit log, locate the entry for the test device request.

    Communicator Phone Edition devices can be identified by their Media Access Control (MAC) addresses.

    For Office Communications Server 2007 R2 Enterprise Edition, audit log files are located in Logs\Server\Audit\imageUpdates\ folder under the shared updates folder. For Office Communications Server 2007 R2 Standard Edition, the log files are located in %ProgramFiles%\Microsoft Office Communications Server 2007 R2\Web Components\DeviceUpdateFiles\Logs\Server\Audit\imageUpdates\. Each physical server has its own audit logs. You may need to look in more than one log to find the entry for your test device.
  5. Verify that the entry exists and that it was generated at the date and time you performed the test.

    For details about the audit log information, see Update Audit Log Schema.

See Also


Managing Device Updates

Other Resources

Deploying Edge Servers for External User Access