Office Communications Server 2007 R2 supports access by external users, including:
Remote users, who are your organization’s own users who are
working while outside the organization’s firewalls.
Federated users, who are users in other organizations that
your organization has a federated relationship with.
Anonymous users, who are users from outside your
organization who are invited by one of your users to join a
Public IM service users, who are users using the public IM
services provided by the MSN network of Internet services, Yahoo!,
and AOL. Public IM connectivity requires a separate license.
Remote users can benefit from most Office Communications Server features while they are working outside your firewall. Federated users can share IM and presence data with your organization’s users. And all these types of external users can participate in on-premises conferences, complete with data collaboration and the ability to relay audio and video through your organization’s firewall.
To enable access by external users, Office Communications Server provides the Edge Server role. Edge Servers run in a perimeter network, and they provide the link between your deployment and external users.
Additionally, the HTTP reverse proxy is not an Office Communications Server 2007 R2 role, but it can be used to authenticate external users who use Microsoft Office Communicator Web Access. It is required to provide the following:
- External access to Address Book information
- The ability to expand membership in distribution groups
- Access to meeting content in Web conferences
- Device update services to remote users
Figure 1 shows the servers that are required in the Office Communications Server 2007 R2 perimeter network and the protocols they use to communicate with Internet clients on one side and with your organization’s internal servers on the other.
Required servers in the Office Communications Server 2007 R2 perimeter network are as follows.
In Office Communications Server 2007 R2, each Edge Server runs three services: Access Edge service, Web Conferencing Edge service, and A/V Edge service.
Access Edge Service
The Access Edge service handles all SIP traffic across the corporate firewall. The Access Edge service handles only the SIP traffic that is necessary to establish and validate connections. It does not handle data transfer, nor does it authenticate users. Authentication of inbound traffic is performed by the Director or the Front End Server. A Director is an Office Communications Server 2007 R2 Standard Edition server or Enterprise pool that does not home users and that resides inside the organization’s firewall. A Director is not mandatory but is strongly recommended. If a Director is not deployed, this authentication is performed on the Front End Server on the pool or Standard Edition server that you designate to do so. (Active Directory Domain Services, or AD DS, access is required to perform authentication, which the Edge Servers do not have because they are deployed in the perimeter network outside AD DS.) The Access Edge service is essential for all external user scenarios, including conferencing, remote user access, federation, and public IM connectivity.
Web Conferencing Edge Service
The Web Conferencing Edge service proxies Persistent Shared Object Model (PSOM) traffic between the Web Conferencing Server and external clients. External conference traffic must be authorized by the Web Conferencing Edge service before it is forwarded to the Web Conferencing Server. The Web Conferencing Edge service requires that external clients use TLS connections and obtain a conference session key.
A/V Edge Service
The A/V Edge Service provides a single trusted connection point through which inbound and outbound media traffic (including application sharing traffic) can securely traverse network address translations (NATs) and firewalls. The industry-standard solution for multimedia traversal of firewalls is Interactive Connectivity Establishment (ICE), which is based on the Simple Traversal Underneath NAT (STUN) and Traversal Using Relay NAT (TURN) protocols. The A/V Edge service is a TURN/STUN server. All users are authenticated to secure both access to the enterprise and use of the firewall traversal service that is provided by the A/V Edge service. To send media inside the enterprise, an external user must be authenticated and must have an authenticated internal user agree to communicate with him or her through the A/V Edge service.
HTTP Reverse Proxy
An HTTP reverse proxy in the perimeter network carries HTTP and HTTPS traffic for external users. The HTTP reverse proxy can be used to authenticate external users using Communicator Web Access. It is also required to enable external users to download the following data:
- Address Book Server information
- Web conferencing content
- Expanded distribution lists
- Client and device updates
The reverse proxy does not run Office Communications Server 2007 R2 or carry SIP traffic. The reverse proxy can run Microsoft Internet Security and Acceleration (ISA) Server 2006 or other Internet software.