A Mediation Server mediates signaling and media between the Enterprise Voice infrastructure and another gateway, such as a media gateway. A media gateway translates signaling and media between the PSTN or PBX and Office Communications Server Directors and Front End Servers.

The existence of media gateways in an Office Communications Server 2007 R2 network creates a potential security loophole. Because these gateways do not support Managed Key Infrastructure (MKI), Transport Layer Security (TLS), or Secure Real-Time Transport Protocol (SRTP), they cannot be trusted. To help ensure the physical as well as logical separation of the Enterprise Voice infrastructure from the media gateways, the Mediation Server is generally installed on a computer that has two network adapters:

Each network adapter is configured with a separate listening address so that there is always clear separation between trusted traffic that originates in the Office Communications Server network and untrusted traffic from the public switched telephone network (PSTN).

A Mediation Server must be able to pass SIP requests and media between the Enterprise Voice infrastructure and a media gateway connected to the PSTN. Media flowing both directions between the Mediation Server and the Office Communications Server network is encrypted by using SRTP. Organizations that rely on Internet Protocol security (IPsec) for packet security are strongly advised to create an exception on a small media port range if they plan to deploy Enterprise Voice. The security negotiations required by IPsec work well for normal User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) connections, but they can slow down call setup to unacceptable levels.

Network settings for the Mediation Server include the following:

For basic media gateways, the bandwidth requirement between gateway and Mediation Server is 64,000 bits per second (bps) per concurrent call. Multiplying this number by the number of ports for each gateway is a fair estimate of the required bandwidth on the gateway side of the Mediation Server. On the Office Communications Server side, the bandwidth requirement is considerably lower. The default media port range enables the server to handle up to 1,000 simultaneous voice calls. Reducing the port range greatly reduces server capacity. Changing the port range should be undertaken only for specific reasons by an administrator who is knowledgeable about media port requirements and scenarios.

A Mediation Server also requires a certificate, which must be assigned to the Mediation Server.

Note:
All of the settings in the previous list except the FQDN of the Mediation Server can be configured in the Office Communications Server 2007 R2 snap-in. Changes to any of these settings except the default location profile, the A/V Edge Server, the media port range, and the certificate take effect only after you restart the Office Communications Server Mediation service. Changes to the default location profile and A/V Edge Server take effect only after Active Directory replication completes.

To configure a Mediation Server

To configure the Mediation Server, use the information in this topic and the following procedure.

  1. Log on to an Office Communications Server 2007 R2 Mediation Server.

  2. Click Start, point to Administrative Tools, and then click Office Communications Server 2007.

  3. Expand the appropriate forest node.

  4. Expand the Mediation Servers node, right-click the Mediation Server to be configured, click Properties, and then click the General tab.

  5. In the FQDN box, make sure the FQDN listed matches that of the Mediation Server you have selected.

  6. Open a command prompt, change to the root directory, and type nslookup <FQDN of Mediation Server>, using the FQDN displayed on the Mediation Server General tab, and then press ENTER.

    Note:
    You should configure only the Office Communications Server-facing IP address for dynamic Domain Name System (DNS) registration. Otherwise, the FQDN resolves to both IP addresses, which causes connections to fail unpredictably.

  7. From the list of IP addresses displayed in the Communications Server listening IP address list, select the IP address returned in step 6.

    Important:
    If the IP address selected in step 7 does not match the IP address in step 6, Office Communications Server traffic is directed toward an interface that is not listening for such traffic and away from the one that is.

  8. From the list of two IP addresses displayed in the Gateway listening IP address list, select the other IP address (that is, the one not already selected in step 7).

    Note:
    The address selected in step 8 can be that of either a media gateway or a Private Branch Exchange (PBX).

  9. In the Port box, accept the default value of 5060 for TCP.

  10. From the A/V Edge Server list, select the A/V Edge Server that hosts the A/V Authentication Service for this Mediation Server.

    Important:
    If the A/V Edge Server that hosts the A/V Authentication service for this Mediation Server does not appear in the list, then the A/V Edge Server on which the service is collocated has not been entered into the A/V Edge Servers list on the Edge Servers tab of the Global Properties page. You need to add the A/V Edge Server to that list before it appears in the A/V Edge Server list on the Mediation Server tab. For details, see the Deploying Edge Servers for External User Access documentation.

  11. In the Default location profile list, select the default location profile for this Mediation Server.

  12. In Media port range, accept the default range of 60,000 to 64,000.

    Important:
    Reducing the port range greatly reduces server capacity. Only an administrator who is knowledgeable about media port requirements and scenarios should do this, and only for specific reasons. For this reason, altering the default port range is not recommended.

    Organizations that employ IPsec for packet security should disable it for media ports, because the security handshake required by IPsec delays call setup. IPsec is unnecessary for media ports, because SRTP encryption secures all media traffic between the Mediation Server and the internal Office Communications Server network.

  13. Click the Next Hop Connections tab, and then under Office Communications Server next hop, do the following:

    • In the FQDN list, select the FQDN of the next hop internal server.

      Note:
      This server can be a Director or a pool.

    • In the Port box, accept the default of 5061 for TLS.

  14. On the Next Hop Connections tab, under PSTN Gateway next hop, do the following:

    • In the Address box, specify the IP address or FQDN of the PSTN Gateway or the PBX associated with this Mediation Server. If TLS is enabled, you must specify an FQDN.

    • In the Transport box, click TLS if the SIP signaling between the IP Gateway and the Mediation Server is protected by TLS. If you are not using TLS, click TCP.

    • In the Encryption Level box, select the level of SRTP that you want to use to protect media traffic:

      • If you do not want to use SRTP, click Do not support encryption. If you clicked TCP in the Transport box, this is the only option that is available.

      • To specify that SRTP must be used, click Require encryption.

      • To specify that SRTP should be attempted but no encryption should be used if negotiation for SRTP is not successful, click Support encryption.

    • In the Port box, accept the default of 5060 for TCP or TLS.

  15. Click OK.

  16. If you want the Mediation Server to strip the plus sign (+) prefix from the Request Uniform Resource Identifier (URI), the To URI, and the From URI of outgoing calls to the gateway, set the Windows Management Interface (WMI) setting called RemovePlusFromRequestURI to TRUE (the default value is FALSE). For details about this setting, see the "New Configuration Option in Mediation Server" section in Enterprise Voice Server-Side Components in the Planning and Architecture documentation.

  17. If you want to enable Quality of Service (QoS) marking on the Mediation Server, set the Windows Management Interface (WMI) setting called QoSEnabled to TRUE (the default value is FALSE). For details about this setting, see the "New Configuration Option in Mediation Server" section in Enterprise Voice Server-Side Components in the Planning and Architecture documentation.
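The constraints in steps 6 through 14 (single DNS registration for the OCS-facing adapter, listening addresses on separate adapters, the 5061/5060 port defaults, TCP forcing "Do not support encryption", TLS requiring an FQDN, and the default media port range) can be checked before a restart. The validator below is an added example, not Microsoft's code; the adapter addresses, FQDNs and DNS answers are constructed sample values, and the settings dictionary is a hypothetical representation of the Properties dialog fields.

```python
from ipaddress import ip_address

# Constructed sample values (not from a real deployment): the two adapters on the
# Mediation Server and simulated nslookup results for its FQDN.
ADAPTERS = {"ocs": "10.0.1.20", "gateway": "10.0.2.20"}
DNS_OK = {"med01.contoso.example": ["10.0.1.20"]}
DNS_BOTH = {"med01.contoso.example": ["10.0.1.20", "10.0.2.20"]}  # both NICs registered
DEFAULT_MEDIA_RANGE = (60000, 64000)

def is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False

def check_mediation_config(cfg, dns, adapters=ADAPTERS):
    """Return findings for a hypothetical Mediation Server settings dict,
    mirroring steps 6-14: DNS, listening addresses, ports, transport/SRTP pairing."""
    findings = []
    answers = dns.get(cfg["fqdn"], [])
    if len(answers) != 1:
        findings.append(f"FQDN resolves to {len(answers)} addresses; register only the OCS-facing one")
    elif cfg["ocs_listen_ip"] != answers[0]:
        findings.append("Communications Server listening IP differs from the nslookup result")
    if cfg["ocs_listen_ip"] not in adapters.values():
        findings.append("OCS listening IP is not bound to a local adapter")
    if cfg["gateway_listen_ip"] == cfg["ocs_listen_ip"] or cfg["gateway_listen_ip"] not in adapters.values():
        findings.append("Gateway listening IP must be the other local adapter")
    if cfg["next_hop_port"] != 5061:
        findings.append("Office Communications Server next hop should be 5061 (TLS)")
    if cfg["gateway_port"] != 5060:
        findings.append("PSTN gateway next hop should be 5060")
    if cfg["gateway_transport"] == "TCP" and cfg["encryption"] != "Do not support encryption":
        findings.append("With TCP to the gateway, 'Do not support encryption' is the only option")
    if cfg["gateway_transport"] == "TLS" and is_ip(cfg["gateway_address"]):
        findings.append("TLS to the gateway requires an FQDN, not an IP address")
    if tuple(cfg["media_port_range"]) != DEFAULT_MEDIA_RANGE:
        findings.append("Media port range differs from 60000-64000; server capacity is reduced")
    return findings

GOOD = {"fqdn": "med01.contoso.example", "ocs_listen_ip": "10.0.1.20",
        "gateway_listen_ip": "10.0.2.20", "next_hop_port": 5061, "gateway_port": 5060,
        "gateway_transport": "TLS", "gateway_address": "gw01.contoso.example",
        "encryption": "Require encryption", "media_port_range": (60000, 64000)}
# Misconfigured variant: TCP to the gateway while SRTP is still required.
BAD = dict(GOOD, gateway_transport="TCP")
```

Running `check_mediation_config(BAD, DNS_BOTH)` reports both the double DNS registration and the TCP/SRTP conflict, while the GOOD settings against DNS_OK produce no findings.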