Before you set up your Edge Servers, you need to obtain the certificates that you will use when configuring the Edge Servers. The certificates are as follows:

  1. Access Edge External (Public Certificate). In our sample topology, the subject name and subject alternative name (SAN) would be set to sip.contoso.com, the fully qualified domain name (FQDN) of the Access Edge Server external interface.

  2. Web Conf External (Public Certificate). In our sample topology, the subject name would be set to webconf.contoso.com, the FQDN of the Web Conferencing Edge Server external interface.

  3. Access Edge Internal (Corporate Certificate). In our sample topology, the subject name would be set to ocsedge.contoso.com, the FQDN of the Edge Server internal interface.

  4. A/V Authentication Internal (Corporate Certificate). In our sample topology, the subject name would be set to ocsedge.contoso.com, the FQDN of the Edge Server internal interface.

  5. Reverse Proxy External. In our sample topology, the subject name would be set to ocsweb.contoso.com, the FQDN of the reverse proxy listener that handles the Office Communications Server Web components.

These certificates come with an exportable private key, so keep the certificate files in a secure location. When importing a certificate into the relevant reverse proxy or Edge Server, mark the private key as non-exportable. This ensures that if one of your servers is compromised, an attacker cannot transfer the certificate and its key to another computer.

Set Up Reverse Proxy Servers

First, set up your two reverse proxy servers. Follow the setup instructions for your particular reverse proxy to create the appropriate Web listeners. Then, assign the Web certificate(s) that you obtained previously. Be sure to import the root certificate of the corporate certification authority (CA), because the reverse proxy will establish Transport Layer Security (TLS) connections to servers within the corporation whose certificates were issued by the corporate CA.

Set Up Edge Servers

Next, set up your new Edge Servers that you want to use in the load balanced array. To do this, follow the Edge Server installation procedure. In our example, this involves the following:

  1. Obtain a new physical server, and install the prerequisite Windows Server operating system for Office Communications Server 2007 R2. Ensure that the server has two physical network interface cards (NICs).

  2. Name the machine ocsedge01.

  3. Assign the external NIC the following three IP addresses: 128.95.1.41, 128.95.1.51, and 128.95.1.61. Assign the proper subnet mask and default gateway according to the topology diagram.

  4. Assign the internal NIC the IP address 172.24.1.41.

  5. Import the root certificate of the corporate network along with the four Edge Server certificates that you obtained earlier.

  6. Run the Office Communications Server 2007 R2 Enterprise Edge Server installation.

  7. Install files for Office Communications Server 2007 R2.

  8. Assign the appropriate certificates and associate the IP addresses to the corresponding services on the Edge Server.

  9. Add your production pool and test pool FQDNs to the trusted server list.

  10. Set a static IP route for all traffic destined for the corporate network 10.0.x.x/16 to route through the internal interface.

  11. In a one-armed topology, set the default gateway to the external firewall IP address (that is, 128.95.0.1). In a two-armed topology, set the default gateway to the Load Balancer (that is, 128.95.1.1).

  12. Set the next hop to be your test pool.

  13. Start all services.

  14. Repeat the previous steps on the second Edge Server ocsedge02, using the corresponding IP addresses for the second Edge Server.
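After step 8 (and as a check on the key-handling advice given with the certificate list above), the following PowerShell script, added here and not part of the original Office Communications Server documentation, verifies that each of the four Edge Server certificates is present in the machine store under the sample topology's FQDN and that its private key was imported as non-exportable. It assumes it is run as an administrator on ocsedge01, that the certificates live in LocalMachine\My, and that the keys are CAPI RSA keys.

```powershell
# Added verification script; not part of the original Office Communications Server guide.
# Assumptions: runs as administrator on ocsedge01 after step 8, certificates were imported into
# LocalMachine\My, and the keys are CAPI RSA keys (CspKeyContainerInfo is not available for CNG keys).

# Certificate role -> expected subject name, from the sample topology.
$expected = @{
    'Access Edge External'        = 'sip.contoso.com'
    'Web Conf External'           = 'webconf.contoso.com'
    'Access Edge Internal'        = 'ocsedge.contoso.com'
    'A/V Authentication Internal' = 'ocsedge.contoso.com'
}

$store = Get-ChildItem -Path Cert:\LocalMachine\My
$problems = 0

foreach ($role in $expected.Keys) {
    $fqdn = $expected[$role]
    $cnPattern  = 'CN=' + [regex]::Escape($fqdn) + '(,|$)'
    $sanPattern = 'DNS Name=' + [regex]::Escape($fqdn) + '(,|$)'

    # Accept a match on the subject CN or on a DNS entry in the Subject Alternative Name (OID 2.5.29.17).
    $cert = $store | Where-Object {
        $san = ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }) -join ', '
        ($_.Subject -match $cnPattern) -or ($san -match $sanPattern)
    } | Select-Object -First 1

    if (-not $cert) {
        Write-Warning "$role : no certificate for $fqdn in LocalMachine\My"; $problems++; continue
    }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$role : certificate for $fqdn has no private key"; $problems++; continue
    }

    # The key-handling requirement from above: the imported private key must be non-exportable,
    # so a compromised Edge Server cannot be used to copy the certificate to another machine.
    $csp = $cert.PrivateKey
    if ($null -eq $csp) {
        Write-Warning "$role : cannot read key container for $fqdn (CNG key?); check exportability manually"
        $problems++
    } elseif ($csp.CspKeyContainerInfo.Exportable) {
        Write-Warning "$role : private key for $fqdn is EXPORTABLE; re-import it with a non-exportable key"
        $problems++
    } else {
        Write-Output "$role : $fqdn OK (thumbprint $($cert.Thumbprint), key non-exportable)"
    }
}

Write-Output "Certificate checks finished with $problems problem(s)."
```

Run the same script on ocsedge02 after step 14; any EXPORTABLE result means the certificate should be deleted from the store and imported again without the exportable option.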

Ensure that the following requirements are maintained:

  • The A/V Edge Server external IP addresses need to be routable from the public Internet.

  • The A/V Edge Server internal IP address needs to be routable from the corporate network.
