OCS setup should be ready for internal users:
• Internal users can sign in to IM (Office Communicator).
• Internal users can download the Address Book.
• Internal users can expand distribution lists (DLs).
• Internal users can download meeting content.
• Goal of this procedure: external users should be able to sign in through Office Communicator 2007 (OC 2k7) and use the same Web components.
Get an external FQDN registered on the public DNS server:
• Register an FQDN for the external Web farm on the external (public) DNS server.
• One public IP address is also required; the FQDN resolves to it and the reverse proxy listens on it.
• External OC 2k7 clients use this FQDN for Address Book download, DL expansion and meeting content download.
Identify the hardware/software for the proxy server:
• Any combination of hardware and software that supports Web server publishing and SSL bridging will do.
• This presentation uses ISA Server as the reverse proxy.
Prepare the network adapters on the proxy server:
• Install two NICs.
• One NIC gets the private IP address, the other the public IP address (the public address can also be NATed to the external NIC).
• The internal NIC must be routable to the internal network.
• The external NIC must be routable to the external network (the internet).
• Configure the internal DNS servers on the internal NIC and the external DNS servers on the external NIC.
Install ISA Server (or whatever proxy device was identified under step 3):
• Install the proxy server.
• There is no published list of supported proxy servers for this role.
• Any proxy server that can publish a Web site can be used, provided it supports SSL bridging.
Request and configure a certificate for SSL:
• The root CA certificate of the CA that issued the certificate on the internal Web server (ABS) must be installed on the ISA server; otherwise ISA cannot validate the internal leg of the bridged connection.
• The certificate presented to external clients must match the published FQDN of the external Web farm.
• ISA 2006 does not recognize the subject alternative name, so make sure the external FQDN is the subject (common name) of the certificate. (Reportedly this is fixed in ISA 2006 SP1.)
Create a Web server publishing rule:
• Open ISA Server Management: click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
• In the console tree, expand ServerName, right-click Firewall Policy, point to New, and then click Secure Web Server Publishing Rule to start the New SSL Web Publishing Rule Wizard.
• On the Welcome page, in SSL Web publishing rule name, type a friendly name for the publishing rule (for example, OfficeCommunicationsServerExternalRule), and then click Next.
• On the Publishing Mode page, click SSL Bridging, and then click Next.
Choose SSL bridging:
• The wizard offers either SSL Tunneling or SSL Bridging.
• SSL Tunneling does not require a certificate on the proxy: the encrypted stream is passed through to the internal server without being decrypted, so the proxy cannot inspect the requests inside it.
• SSL Bridging terminates the client's SSL connection on the proxy, inspects the decrypted HTTP request, and re-encrypts it to the internal Web server, so it protects against attacks hidden inside SSL-encrypted connections.
• Microsoft recommends SSL Bridging.
Verify that you can access the external site from the internet:
Open a Web browser on an external client and, in the Address bar, type the URLs that clients use to reach the Address Book files and the portal site for Web conferencing.
• For the Address Book Server, type a URL similar to the following:
https://externalwebfarmFQDN/abs/ext
where externalwebfarmFQDN is the external FQDN of the Web farm that hosts the Address Book Server files. The user should receive an HTTP authentication challenge, because directory security on the Address Book Server folder is configured for Windows authentication by default. Also make sure the address book file itself can be downloaded by browsing to
https://externalwebfarmFQDN/Abs/Int/Handler/FileName.lsabs
(substitute the name of an actual address book file for FileName).
• For Web conferencing, type a URL similar to the following:
https://externalwebfarmFQDN/conf/ext/Tshoot.html
where externalwebfarmFQDN is the external FQDN of the Web farm that hosts meeting content. This URL should display the troubleshooting page for Web conferencing.
• To check the Group Expansion virtual server, enter the following URL in a local Web browser on the Communications Server 2007 server:
https://externalwebfarmFQDN/GroupExpansion/Int/Service.asmx
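The browser checks above can be scripted. The following PowerShell script is an added example and is not part of the original presentation or of OCS/ISA. Run from an external client, it checks the three things the preceding slides depend on: that the published FQDN resolves on public DNS, that the certificate the proxy presents has the FQDN as its subject CN (the ISA 2006 pre-SP1 requirement from the certificate slide) and chains to a trusted CA, and that the published ABS URL answers with a 401 Windows authentication challenge while the Web conferencing troubleshooting page answers 200. Run with -CertOnly on the ISA server against the internal Web farm name, it confirms that the root CA of the internal ABS certificate is installed there. The script name, parameter names and the -CertOnly switch are this example's own assumptions; the path defaults are the URLs quoted in the slides.

```powershell
# Test-OcsPublishing.ps1 (example script, not from the original slides)
param(
    [Parameter(Mandatory = $true)] [string] $Fqdn,    # published (or internal) Web farm FQDN
    [string] $AbsPath  = '/abs/ext/',                 # Address Book Server, external path
    [string] $ConfPath = '/conf/ext/Tshoot.html',     # Web conferencing troubleshooting page
    [switch] $CertOnly                                # DNS + certificate checks only
)

$script:failures = 0
function Report([bool] $ok, [string] $msg) {
    if ($ok) { Write-Host "[PASS] $msg" } else { Write-Host "[FAIL] $msg"; $script:failures++ }
}

# 1. Name resolution: the FQDN must resolve (externally, to the proxy's public IP).
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
    Report $true "DNS: $Fqdn -> $($addrs -join ', ')"
} catch {
    Report $false "DNS: $Fqdn does not resolve: $($_.Exception.Message)"
    exit 1
}

# 2. TLS handshake on 443, then inspect the certificate the listener presents.
#    The callback accepts any certificate so the handshake completes and we can
#    report CN/SAN/chain ourselves; trust is then checked explicitly with X509Chain.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Fqdn, 443)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
    $ssl.AuthenticateAsClient($Fqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
} finally { $tcp.Close() }

$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
Report ($cn -ieq $Fqdn) "Subject CN '$cn' equals the published FQDN (ISA 2006 before SP1 ignores the SAN)"

$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName, informational
$sanText = if ($san) { $san.Format($false) } else { '(none)' }
Write-Host "       SAN: $sanText"

$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($cert)
$status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
$note    = if ($status) { " ($status)" } else { '' }
Report $trusted "Issuing CA chain is trusted on this host$note"
Report ($cert.NotAfter -gt (Get-Date)) "Certificate valid until $($cert.NotAfter)"

if ($CertOnly) { exit $script:failures }

# 3. HTTP checks through the publishing rule. The ABS folder uses Windows
#    authentication, so an anonymous request must come back as a 401 challenge;
#    the Web conferencing troubleshooting page must come back as 200.
function Get-HttpStatus([string] $Url) {
    try {
        $resp = [System.Net.WebRequest]::Create($Url).GetResponse()
    } catch {
        $ex = $_.Exception
        if ($ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        # A 401 surfaces as a WebException that still carries the response.
        if ($ex -is [System.Net.WebException] -and $ex.Response) { $resp = $ex.Response } else { throw }
    }
    $result = @{ Code = [int] $resp.StatusCode; Auth = $resp.Headers['WWW-Authenticate'] }
    $resp.Close()
    return $result
}

try {
    $abs = Get-HttpStatus "https://${Fqdn}${AbsPath}"
    Report ($abs.Code -eq 401 -and $abs.Auth) "ABS ${AbsPath}: expected 401 with WWW-Authenticate, got $($abs.Code) '$($abs.Auth)'"
    $conf = Get-HttpStatus "https://${Fqdn}${ConfPath}"
    Report ($conf.Code -eq 200) "Web conferencing ${ConfPath}: expected 200, got $($conf.Code)"
} catch {
    Report $false "HTTP request failed: $($_.Exception.Message)"
}

exit $script:failures
```

From an external client run `.\Test-OcsPublishing.ps1 -Fqdn externalwebfarmFQDN`; a non-zero exit code means at least one check failed. On the ISA server run `.\Test-OcsPublishing.ps1 -Fqdn <internal Web farm FQDN> -CertOnly`: if the chain check fails there, the root CA of the certificate on the internal Web server is not installed on ISA and SSL bridging will fail on the internal leg. Because the HTTP step uses .NET's default certificate validation, an untrusted or mismatched listener certificate shows up as a request failure in that step as well, which is exactly what an external Office Communicator client would see.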