For Office Communications Server Edge Server deployments, a Microsoft Internet Security and Acceleration (ISA) Server or other reverse proxy in the perimeter network is required for the following:

The following table shows the specific directories used by the Web Components Server. We recommend that you configure your HTTP reverse proxy to use all directories.

Directories used by Web Components Server

Directory: https://ExternalFQDN/etc/place/null
Use: Stores meeting content.

Directory: https://ExternalFQDN/GroupExpansion/ext/service.asmx
Use: Stores distribution group expansion information. The external URL to the Web Components Server running the Address Book Web Query service.

Directory: https://<ExternalFQDN>/ABS/ext/Handler
Use: Stores Address Book Server files.

Directory: https://<external server FQDN>/RequestHandler/ucdevice.upx
Use: The external URL to the Web Components Server running Device Update Service. For details, see Device Update Service in the Office Communications Server 2007 R2 Planning and Architecture documentation.

Directory: https://<ExternalFQDN>/DeviceUpdateFiles_Ext
Use: The external URL to the Web Components Server where the device updates are located.

The detailed steps in this section describe how to configure an ISA Server 2006 as a reverse proxy. If you are using a different reverse proxy, consult the documentation for that product.

You can use the information in this section to set up the reverse proxy, which requires completing the following procedures:

Before You Begin

When you set up your Enterprise pools and Standard Edition servers, you had the option to configure an external Web farm fully qualified domain name (FQDN) on the Web Farm FQDNs page in the Create Pool wizard or the Deploy Server wizard. If you did not configure this URL when you ran these wizards, you need to manually configure these settings. To do so, open a command prompt and type the following command:

lcscmd.exe /web /action:updatepoolurls /externalwebfqdn:<ext web farm FQDN> /poolname:<pool name>

Configure Network Adapters

You must assign one or more IP addresses to the external network adapter and at least one IP address to the internal network adapter. For details about deploying ISA Server with a single network adapter, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at http://go.microsoft.com/fwlink/?LinkId=129592. This document also applies to ISA Server 2006.

In the following procedures, the ISA Server computer has two network adapters:

  • A public, or external, network adapter, which is exposed to the clients that will attempt to connect to your Web site (usually over the Internet).

  • A private, or internal, network interface, which is exposed to the internal Web servers.

To configure the network adapter cards on the reverse proxy computer

  1. On the server running ISA Server 2006, open Network Connections by clicking Start, pointing to Settings, and then clicking Network Connections.

  2. Right-click the external network connection that you want to use for the external interface, and then click Properties.

  3. On the Properties page, click the General tab, click Internet Protocol (TCP/IP) in the This connection uses the following items list, and then click Properties.

  4. On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses and DNS server addresses as appropriate for the network to which the network adapter is attached.

  5. Click OK, and then click OK.

  6. In Network Connections, right-click the internal network connection that you want to use for the internal interface, and then click Properties.

  7. Repeat steps 3 through 5 to configure the internal network connection.

Install ISA Server 2006

Install ISA Server 2006 according to the setup instructions included with the product. For details about installing ISA Server, see ISA Server 2006 - Getting Started at http://go.microsoft.com/fwlink/?LinkId=129596.

Request and Configure a Certificate for Your Reverse HTTP Proxy

You need to install the root certification authority (CA) certificate for the CA that issued the server certificate on the Web server (that is, the IIS server running your Office Communications Server Web components) on the server running ISA Server 2006.

You must install a Web server certificate on your ISA Server. This certificate should match the published FQDN of your external Web farm where you are hosting meeting content and Address Book files.

If your internal deployment consists of more than one Standard Edition server or Enterprise pool, you must configure Web publishing rules for each external Web farm FQDN.

Configure Web Publishing Rules

ISA Server uses Web publishing rules to securely publish internal resources, such as a meeting URL, over the Internet. Publishing information to Internet users makes computing resources inside the internal network available to users outside the network.

Use the following procedure to create Web publishing rules.

Note:
This procedure assumes that you have installed ISA Server 2006 Standard Edition.

To create a Web server publishing rule on the computer running ISA Server 2006

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the left pane, expand ServerName, right-click Firewall Policy, point to New, and then click Web Site Publishing Rule.

  3. On the Welcome to the New Web Publishing Rule page, type a friendly name for the publishing rule (for example, OfficeCommunicationsWebDownloadsRule), and then click Next.

  4. On the Select Rule Action page, select Allow, and then click Next.

  5. On the Publishing Type page, select Publish a single Web site or load balancer, and then click Next.

  6. On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm, and click Next.

  7. On the Internal Publishing Details page, type the FQDN of the internal Web farm that hosts your meeting content and Address Book content in the Internal Site name box.

    Note:
    If your internal server is a Standard Edition server, this FQDN is the Standard Edition server FQDN. If your internal server is an Enterprise pool, this FQDN is the internal Web farm FQDN.

    The ISA Server must be able to resolve the FQDN to the IP address of the internal Web server. If the ISA Server is not able to resolve the FQDN to the proper IP address, you can select Use a computer name or IP address to connect to the published server, and then in the Computer name or IP address box, type the IP address of the internal Web server. If you do this, you must ensure that port 53 is open on the ISA Server and that the ISA Server can reach an internal DNS server or a DNS server that resides in the perimeter network.
  8. On the Internal Publishing Details page, in the Path (optional) box, type /* as the path of the folder to be published, and then click Next.

    Note:
    In the Web site publishing wizard you can only specify one path. Additional paths can be added by modifying the properties of the rule.
  9. On the Publish Name Details page, confirm that This domain name is selected under Accept Requests for, type the external Web farm FQDN in the Public Name box, and then click Next.

  10. On the Select Web Listener page, click New (this opens the New Web Listener Definition Wizard).

  11. On the Welcome to the New Web Listener Wizard page, type a name for the Web listener in the Web listener name box (for example, Web Servers), and then click Next.

  12. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.

  13. On the Web Listener IP Address page, select External, and then click Select IP Addresses.

  14. On the External Listener IP selection page, select Specified IP address on the ISA Server computer in the selected network, select the appropriate IP address, click Add, and then click OK.

  15. Click Next.

  16. On the Listener SSL Certificates page, select Assign a certificate for each IP address, select the IP address you just added, and then click Select Certificate.

  17. On the Select Certificate page, select the certificate that matches the public name specified in step 9, click Select, and then click Next.

  18. On the Authentication Setting page, select No Authentication, and then click Next.

  19. On the Single Sign On Setting page, click Next.

  20. On the Completing the Web Listener Wizard page, verify that the Web listener settings are correct, and then click Finish.

  21. Click Next.

  22. On the Authentication Delegation page, select No delegation, but client may authenticate directly, and click Next.

  23. On the User Set page, click Next.

  24. On the Completing the New Web Publishing Rule Wizard page, verify that the Web publishing rule settings are correct, and then click Finish.

  25. Click Apply in the details pane to save the changes and update the configuration.

To modify the properties of the Web publishing rule

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the left pane, expand ServerName, and then click Firewall Policy.

  3. In the details pane, right-click the secure Web server publishing rule that you created in the previous procedure (for example, OfficeCommunicationsServerExternal Rule), and then click Properties.

  4. On the Properties page, click the From tab:

    • In the This rule applies to traffic from these sources list, click Anywhere, and then click Remove.

    • Click Add.

    • In the Add Network Entities dialog box, expand Networks, click External, click Add, and then click Close.

  5. If you need to publish another path on the Web server, click the Paths tab. Then click Add, type /* for the path to be published, and then click OK.

  6. Click Apply to save changes, and then click OK.

  7. Click the Apply button in the details pane to save the changes and update the configuration.

Verify or Configure Authentication and Certification on IIS Virtual Directories

Use the following procedure to configure certification on your IIS virtual directories or verify that the certification is configured correctly. Perform the following procedure on each IIS Server in your internal Office Communications Server.

Note:
The following procedure is for the Default Web Site in IIS.

To verify or configure authentication and certification on IIS virtual directories

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In Internet Information Services (IIS) Manager, expand ServerName, and then expand Web Sites.

  3. Right-click <default or selected> Web Site, and then click Properties.

  4. On the Web Site tab, verify that the port number is 443 in the SSL port box, and then click OK.

  5. On the Directory Security tab, click Server Certificate under Secure communications.

  6. On the Welcome to the Web Server Certificate Wizard page, click Next.

  7. On the Server Certificate page, click Assign an existing certificate, and then click Next.

  8. On the SSL Port page, verify that the value is 443 in the SSL port this Web site should use box, and then click Next.

  9. On the Certificate Summary page, verify that settings are correct, and then click Next.

  10. Click Finish.

  11. Click OK to close the Default Web Site Properties dialog box.

Create a DNS Record

Create an external DNS A record pointing to the external interface of your ISA Server, as described in Configure DNS.

Verify Access through Your Reverse Proxy

Use the following procedure to verify that your users can access information on the reverse proxy. You may need to complete the firewall configuration and DNS configuration before access will work correctly.

To verify that you can access the Web site through the Internet

  1. Deploy the Live Meeting 2007 client as described in Live Meeting 2007 Client Deployment Guide.

  2. Open a Web browser, type the URLs in the Address bar that clients use to access the Address Book files and the Web site for Web conferencing as follows:

    • For Address Book Server, type a URL similar to the following: https://externalwebfarmFQDN/abs/ext where externalwebfarmFQDN is the external FQDN of the Web farm that hosts Address Book server files. The user should receive an HTTP challenge, because directory security on the Address Book Server folder is configured to Microsoft Windows authentication by default.

    • For Web conferencing, type a URL similar to the following: https://externalwebfarmFQDN/conf/ext/Tshoot.html where externalwebfarmFQDN is the external FQDN of the Web farm that hosts meeting content. This URL should display the troubleshooting page for Web conferencing.

    • For distribution group expansion, type a URL similar to the following: https://ExternalwebfarmFQDN/GroupExpansion/ext/service.asmx. The user should receive an HTTP challenge, because directory security on the distribution group expansion service is configured to Microsoft Windows authentication by default.
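
The same three checks can be scripted so they are repeatable after each rule change. The following is an added example, not part of the Microsoft documentation: it requests each URL anonymously from outside the perimeter and compares the result with what the steps above say to expect, so an Address Book or group expansion path that answers without an authentication challenge is reported as a failure. The external FQDN is supplied on the command line; the function names and the mapping of "HTTP challenge" to status 401 with a WWW-Authenticate header are assumptions of this example.

```python
import urllib.error
import urllib.request

# Expected outcome per path, taken from the verification steps above:
# "challenge" = HTTP 401 carrying a WWW-Authenticate header, "page" = HTTP 200.
EXPECTED = {
    "/abs/ext": "challenge",
    "/conf/ext/Tshoot.html": "page",
    "/GroupExpansion/ext/service.asmx": "challenge",
}


def fetch(url, timeout=10):
    """Return (status, headers) for an anonymous GET; TLS errors propagate."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry status and headers
        return err.code, dict(err.headers)


def classify(status, headers):
    """Map a response to 'challenge', 'page', or 'unexpected (<status>)'."""
    names = {k.lower() for k in headers}
    if status == 401 and "www-authenticate" in names:
        return "challenge"
    if status == 200:
        return "page"
    return f"unexpected ({status})"


def verify(external_fqdn, fetcher=fetch):
    """Check every published path; return {path: (ok, observed)}."""
    results = {}
    for path, want in EXPECTED.items():
        try:
            observed = classify(*fetcher(f"https://{external_fqdn}{path}"))
        except OSError as exc:  # DNS, TCP, or certificate validation failure
            observed = f"error ({exc.__class__.__name__})"
        results[path] = (observed == want, observed)
    return results


if __name__ == "__main__":
    import sys
    for path, (ok, observed) in verify(sys.argv[1]).items():
        print(f"{'OK  ' if ok else 'FAIL'} {path}: {observed}")
```

A certificate that does not match the external Web farm FQDN, or that chains to an untrusted CA, surfaces as an error result rather than being silently accepted, because the default urllib TLS validation is left on.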