Reverse Proxy Publishing

[This is pre-release documentation and subject to change in future releases. This topic's current status is: Milestone-Ready]

Topic Last Modified: 2010-07-19

Microsoft Office Communications Server 2007 R2 required publishing of up to five web sites using a reverse proxy server:

Address book files
Distribution group expansion
Meeting content
Phone Edition upgrade files
Communicator Web Access

Publishing all five web sites typically required two Reverse Proxy certificates:

Subject Name = ExternalWebFarmFQDN (for example, ocsrp.contoso.com)
Subject Name = CWAExternalFQDN (for example, cwa.contoso.com)

Microsoft Communications Server 2010 supports publishing the same information, and now supports external publishing of simple URLs for online meetings. Also, Communicator Web Access functionality still exists but has been renamed Communicator Web App and is now available as a service on a Standard Edition Front End Server or on each Front End Server in an Enterprise Edition pool, rather than a dedicated physical sever. The client is now referred to as the Communicator Web App instead of the Communicator Web Access client and supports additional functionality. Depending on how you configured Office Communications Server 2007 R2 reverse proxy publishing; the changes in Communications Server 2010 publishing requirements can increase the number of public certificates or SAN entries required.

Communications Server Reverse Proxy Certificate Requirements

Role/Subject Name

Subject Alternate Name

Used to Publish

Subject Name Syntax Example

externalWebFarmFQDN

N/A

Address Book files

Distribution Group Expansion

Online meeting content

Phone Edition Upgrade files

ocsrp.contoso.com

Note:
Typically, ExternalWebFarmFQDN = the ReverseProxyExternalFQDN

Simple URL / AdminFQDN

N/A

AdminFQDN is not published externally. It is only used internally.

N/A

Simple URL / DialinFQDN

N/A

Dial-in Conferencing information

dialin.contoso.com

Simple URL / MeetFQDN

N/A

Online Meeting URL

meet.contoso.com

Note:
The externalWebFarmFQDN value is used for Communications Server 2010 users. In coexistence scenarios it is likely there will already be an externalWebFarmFQDN value for existing Office Communications Server 2007 R2 or Office Communications Server 2007 users. In that scenario, make a new one dedicated to Communications Server 2010. AdminFQDN is blocked from external publication for security reasons. DialinFQDN, MeetFQDN and AdminFQDN are referred to as Simple URLs in Communications Server 2010 and it is possible to save a certificate depending on how they are defined. This table assumes you have chosen dedicated Simple URLs for each role. For details about selecting a Simple URL format, see Simple URL Options.

Note:

The externalWebFarmFQDN value is used for Communications Server 2010 users. In coexistence scenarios it is likely there will already be an externalWebFarmFQDN value for existing Office Communications Server 2007 R2 or Office Communications Server 2007 users. In that scenario, make a new one dedicated to Communications Server 2010.
AdminFQDN is blocked from external publication for security reasons.
DialinFQDN, MeetFQDN and AdminFQDN are referred to as Simple URLs in Communications Server 2010 and it is possible to save a certificate depending on how they are defined. This table assumes you have chosen dedicated Simple URLs for each role. For details about selecting a Simple URL format, see Simple URL Options.

Important:
If you create and publish dedicated Simple URLs (for example, one for each role) and then setup pool front end servers based on that configuration, you cannot change to using a single Simple URL for all roles (for example, ocsrp.contoso.com/meet), unless you re-run setup on each pool front end. The same requirement applies if converting from a single Simple URL format to using dedicated Simple URLs.

Important:

If you create and publish dedicated Simple URLs (for example, one for each role) and then setup pool front end servers based on that configuration, you cannot change to using a single Simple URL for all roles (for example, ocsrp.contoso.com/meet), unless you re-run setup on each pool front end. The same requirement applies if converting from a single Simple URL format to using dedicated Simple URLs.