PointBridge Blogs

OCS Edge Server Configuration Topologies

By: Jeff Schertz Posted: November 28, 2007 at 10:57 PM

Although deploying Office Communications Server 2007 for use internally is quite straight-forward, things begin to get complicated when adding in the components used for external client connectivity. The most misunderstood portions of deployment seem to be the correct configuration of the reverse proxy, and the networking configuration of the Edge Server itself.

OCS Edge Server Configuration

The Edge Server Deployment guide covers a variety of support topologies but the Consolidated Edge Topology is probably the most common, yet least understood. When deploying a single Edge Server role into a test, pilot or production environment it is important to correctly design and configure the networking component of the Windows Server before installing OCS. I've seen both first-hand and online many scenarios where an attempt to stray, even slightly, from the recommended deployment parameters can cause major communications problems across the board.

IP Addressing

Most importantly the deployment guide recommends that a different IP address should be assigned to each server role. Unless you enjoy spending an inordinate amount of time reading through tracing logs or troubleshooting strange connectivity errors I suggest you heed this advice. Yes, you can modify default ports for separate OCS communications and pile-on services into a single-IP address, but why? Unless there is some major limiting factor in your specific environment or Santa only gave one IP address to you for Christmas, save yourself some grief and stick to the recommendations as best as you can.

I suggest closely reading Step 1.2 in the OCS 2007 Edge Server Deployment Guide describing the deployment topology. Each of the bulleted items should be fully understood before moving forward. Also, page 102 in the OCS 2007 Planning Guide goes into some detail about the specific requirement of a Public IP address assigned directly to a physical interface on the Edge Server. This is not simply a 'recommendation' and has been documented in multiple blogs and forum discussions.

Network Interfaces

The same logic applies to the assignment of network interface cards and IP subnets as well. The absolute bare minimum number of NICs on an Edge Server is two. All of the best practice recommendations throughout the deployment guides define an internal and external interface for a server deployed in a perimeter network between 2 firewalls, an external perimeter firewall and internal perimeter firewall:

The diagram below outlines this topology along with the often misunderstood Reverse Proxy rule which is shown on a completely seperate physical server than the Edge Server:

But since only one public IP addresses is required for the A/V role, and not for the Access Edge or Web Conferencing roles, an additional network interface can be added to the Edge Server to Route to the public IP and NAT the two private IP addresses. If an the external firewall does not have dedicated ports for routing traffic then this configuration can allow for only the A/V Server interface to be connected outside the firewall and not all three Edge Server roles. This is a less secure approach but many smaller environments may not have the ability to directly route public IP addresses through the firewall and will need to connect to the Edge Server directly to the Internet; this configuration can help reduce the attack surface.

One final note I'd like to add about the configuration above is that in a server-class system it's routine to have a couple dual-port network interface cards so using all four interfaces is probably best from a performance standpoint, as well as potentially side-stepping any other undocumented problems that might arise from services sharing an interface. There are many possible configurations in even a consolidated topology, but it seems that the more resources (both physical and virtual) which can be dedicated to the Edge server, the better.

3-Leg Perimeter (DMZ) Configuration

Let's say for the sake of argument you have a simpler design of a DMZ network 'hanging' off of a single firewall appliance or ISA server in a 3-Leg configuration and you want to deploy a consolidated OCS Edge server with a single interface. On paper this would appear to be possible if assigning IP addresses to the Internal Interface and Access Edge Server in the same subnet and then use NAT on the firewall to publish the Access Edge IP address. Well, I tried this in a pilot rollout and had connectivity working in Windows Server 2003 for all required traffic but OCS would simply fail to correctly pass connections from external client onto the internal Front-End server(s). So the second important lesson is that the Edge Server must have separate Internal and External interfaces.

Given these parameters, here are two choices for valid configurations which are driven by the IP subnet used in the current perimeter network:

Perimeter Network uses Private IP Addresses

ISA Server Network Relationships
1. NAT relationship between the External and Perimeter Networks
2. Route relationship between the Internal and Perimeter Networks
3. NAT relationship between the Internal and External Networks.

Edge Server Network Interfaces
1. NIC1 (Internal) routed to ISA Server
  1. Assign IP Addresses from existing private subnet
  2. Assign to Edge Internal Interface
1. NIC2 (External Private) routed to ISA Server
  1. Assign two IP Addresses from existing private subnet
  2. Assign to both Access Edge and Edge Web Conferencing
1. NIC3 (External Public) routed to external Firewall Appliance (or Internet)
  1. Assign IP Addresses from public subnet

In this scenario three separate network interfaces are needed on the Edge Server because of two conflicting requirements: (1) the need for separate physical internal and external interfaces, and (2) the use of two different IP subnets between the three external Edge Server roles.

Perimeter Network uses Public IP Addresses

ISA Server Network Relationships
1. Route relationship between the External and Perimeter Networks
2. NAT relationship between the Internal and Perimeter Networks
3. NAT relationship between the Internal and External Networks.

Edge Server Network Interfaces
1. NIC1 (Internal) routed directly to the internal network (bypassing ISA Server)
  1. Assign IP Addresses from existing private subnet
  2. Assign to Edge Internal Interface
1. NIC2 (External) routed to ISA Server
  1. Assign three IP Addresses from existing public subnet
  2. Assign to Access Edge, Edge Web Conferencing, and Edge A/V Servers

If the current Perimeter network uses public IP addresses and 3 addresses can be spared, then a consolidated Edge Server can be deployed with just two interfaces, placing three public IP addresses in the same subnet on the External interface.

Certificates

To take this one-to-one theme a step further, Certificates should also be a dedicated to each service. The deployment guide mentions in a couple spots that the A/V Edge Server does not require a certificate, and wildcard certificates are currently not supported in OCS. Special attention should also be paid to the Subject Alternative Name field of certificates and how OCS uses that information, and how ISA doesn't!

Below is an outline of how the certificates can be deployed:

Edge Server
- Internal Interface
  - Issued by internal Windows Enterprise CA
  - Subject Name is the server's FQDN (e.g. ocsedge.internal.contoso.com)
- Access Edge Server
  - Issued by trusted third-party certificate authority
  - Subject Name is the FQDN used by the client to connect (e.g. sip.contoso.com)
- Web Conferencing Edge Server
  - Issued by trusted third-party certificate authority
  - Subject Name is unique FQDN (e.g. webconf.contoso.com)
- A/V Authentication Edge Server
  - Issued by either internal Windows Enterprise CA (recommended) or trusted third-party certificate authority
  - Subject Name is unique FQDN (e.g. av.contoso.com)

ISA Server Reverse Proxy
- Internal Communications (OCS to ISA)
  - Issued by internal Windows Enterprise CA during Front-End deployment
  - Subject Name is the server's FQDN (e.g. ocsfe1.internal.contoso.com)
- External Communications (ISA to external client)
  - Issued by trusted third-party certificate authority
  - Subject Name is the external Web Farm FQDN (e.g. abs.contoso.com)

OCS Reverse Proxy with ISA 2006

Using ISA Server 2006 we need to create a publish a web site rule to allow external clients access to address book and meeting information which is hosted on the internal Standard or Enterprise server via the IIS Default Web Site. Following the instructions under section 2.1 of the Edge deployment guide can be a little tricky at first, but makes much more sense once a few specifics are more clearly understood.

The paragraph below is very confusing as it's actually referring to two different certificates but reads like they are talking about just one:

Request and Configure a Certificate for Your Reverse HTTP Proxy

The root certification authority (CA) certificate for the CA that issued the server certificate on the Web server (the IIS server running your Office Communications Server Web components) needs to be installed on the server running ISA Server 2006. This certificate should match the published FQDN of the external Web farm where you are hosting meeting content and Address Book files.

The first statement basically says that you need to export the root CA certificate from your internal CA and import it into the Trusted Root Certification Authorities store on the ISA computer; simple enough. But the second sentence is now talking about a second certificate that should be requested from a third-party CA and will be used by external clients to connect to ISA via the published External Web Farm FQDN. What this 'Web Farm" FQDN actually refers to is the external name that clients will use to connect to the IIS web site which is running on the internal OCS front-end server. This is NOT the FQDN used by clients to connect to the Access Edge, A/V service, or Web Conferencing service. In this example I will use abs.domain.com as the external FQDN, which will be configured in the OCS Edge deployment wizard and is part of the in-band configuration information to is passed to the external client once it makes a connection to the Access Edge service.

So to summarize that, the internally issued certificate which is assigned to the Front-End server's default web site will be trusted by the ISA Server, and a second third-party certificate needs to be installed on the ISA Server in order to assign to the web listener for the external client to accept. ISA will terminate the connection from the requesting external client using one certificate and then create a second connection (using the other certificate) to the internal web site, essentially bridging the entire connection.

And if it's not completely clear by looking at the first diagram in this article, then let me restate the obvious: the Reverse Proxy is not configured on the Edge Server itself, it's simply a way to allow external users access to a web site running on the internal OCS server. Installing ISA on the Edge Server for this rule is not advisable (and probably not even possible; I can't imagine even attempting to host both ISA and OCS on the same physical server!)

Once these important points are understood then working through the rest of the deployment guide should be pretty straight-forward. The resulting ISA publishing rule and web listener configuration would look something like this:

Update: Microsoft has recently released a white paper on how to design a perimeter network with OCS 2007 in mind. I haven't had a chance to read the entire document yet but it includes a number of scenarios with detailed diagrams and IP addressing examples.

Comments

Add Comment

Share It

	Your Name:
	Your Email:		**will not be displayed
	Comment Title:
*	Comments:
		If you cannot read the code, please click here to get a new one. You won't lose your comments by doing so.
*	Security Code:

*	Your Name:
*	Your Email:		**will not be displayed
*	Recipient's Email:
*	Subject:
		If you cannot read the code, please click here to get a new one. You won't lose your comments by doing so.
*	Security Code:

Routing with Server 2k8

By: Jason Fare | Posted: January 19, 2010 at 2:17 PM

I've read your other article about Strong Host Model and it seems that I could make it work with the first picture shown above (all three external services on same subnet), but how would I do the routing on the OCS Server if the configuration was setup as the second one (A/V on separate subnet from other two)? I'm running OCS 2007 R2 on Server 2008. Thanks, -Jason

Re: OCS Edge Topologies with R2

By: Jeff Schertz | Posted: November 13, 2009 at 3:07 PM

This article covers interface configuration support: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=33

OCS Edge Topologies with R2

By: Ed M. | Posted: November 13, 2009 at 2:31 PM

What are the architectural changes with OCS 2007 R2 and Edge Servers, outside of consolodation? Single NICs supported?

Anything changed for R2?

By: Paul Brown | Posted: June 9, 2009 at 8:42 AM

This is a great writeup. I'm still new to a lot of these concepts, though, and I am wondering if anything has changed for OCS 2007 R2? Just trying to wrap my head around it all. Thanks!

1-1 nat

By: adi | Posted: December 4, 2008 at 3:51 AM

I actually have a workin config usin 1-1 nat for A/V edge server, I'm using m0n0wall as the firewall and I can make voice calls to my internal users and PABX user. still having problem with live meeting though, can anyone help ?

NAT v Subnet v Internal V External

By: Andrew | Posted: November 14, 2008 at 11:54 AM

My edge server currently has one interface configured with all the Edge roles with separate IP’s, also the internal interface which has a separate ip but in the same subnet. Looking at what you’re saying this config simply will not do. Would it be wise to enable the other NIC on the box give this an IP address from the LAN and directly connect this. Or should that go through a firewall from the LAN to this new second NIC. I only have one firewall and my DMZ sits as a 3rd leg config. If I need a second firewall to go between the LAN interface on the edge and the LAN then that will need to be purchased, but I guess it’s a requirement – any help greatly appreciated – the more I read the more confused I am getting !

ISA, Edge and public IP-addresses

By: Johann Deutinger | Posted: July 19, 2008 at 9:28 AM

I have 4 public addresses available and want to setup consolidated Edge topology using ISA as external firewall and reverse proxy. Is that possible? How would I assign addresses to ISA interfaces? Thanks a lot, Johann

By: iamme | Posted: May 27, 2008 at 8:44 AM

This might seem like a novice question, but is there a special place you request your ISA certificate for the external web farm fqdn? Is there a special place within OCS for this or do you use the certificates MMC for this?

Follow Up...

By: SV | Posted: May 21, 2008 at 9:57 AM

First sorry about that repost - I just refreshed and it reposted. Pretend I have a firewall and then behind it the rest of the internal network. Since I can not have the certain Edge roles with NAT, do I put a switch in front of the firewall (between Cisco transparent bridge router and firewall)? I would then hang of the public interface of the edge server roles off of this hub? Maybe a sample like this: Internet --> Cisco Router (transparent bridge) --> hub or switch --> Edge Server public interface --> Firewall --> Internal network and also Edge Servers internal interface Sounds about right for a sample?

Re: 1:1 NAT

By: Jeff Schertz | Posted: May 21, 2008 at 9:42 AM

Only for the Access Edge and Webconf roles. As explained in the article you cannot use NAT on the A/V Authentication Edge role, it must have a public IP applied to the server's interface.

1:1 NAT

By: SV | Posted: May 21, 2008 at 9:25 AM

For the Edge Servers and their respective public IPs - can I have 1:1 mapping of the public ip to the respective internal server's private ip? Can 1:1 work (again NOT port forwarding but 1-to-1)?

Technician

By: Magnus | Posted: May 16, 2008 at 2:55 AM

If i have an edge server with 3 nics. internal, external1 for AE and Webconf and external2 for A/V. How do i configure the routing?. Static routes to internal networks, DG on external1. but for external2 im not sure? Route –p add 0.0.0.0 mask 0.0.0.0 111.111.111.111 metric 10 if 0x3 0x3 = External2, 111.111.111.111 is the DG for the interface. Hope you can help me with this one :) Regards Magnus

ocs edge

By: Essam | Posted: May 5, 2008 at 4:36 AM

thanx

Re: Web conferrencing

By: Jeff Schertz | Posted: March 24, 2008 at 6:40 AM

Only the Access Edge FQDN is needed by the external client. Once a client connection and authentication is successful, the locations of other services (like the Web Conferencing server or the Address Book) are 'in-band' settings which the server automatically passes down to the client.

Web conferrencing

By: Eyal | Posted: March 19, 2008 at 5:34 AM

Since the A/P allows different IPs to different services (I.E. one IP/name to the access proxy, and a different IP/name for the Webconf proxy) but has only one SRV record for SIP, what needs to be configured in order to provide automatic (No input) access for the webconf for external users?

Why?

By: Santosh | Posted: March 17, 2008 at 10:51 PM

As a Technical Architect at Idea integration, not sure why Microsoft does not allow it. Guess I better learn lab on this first.

RE: Reverse Proxy Configuration

By: Jeff Schertz | Posted: March 17, 2008 at 7:04 AM

No, as the Edge Server and ABS Server are completely different hosts, residing in different network segments; that is not a supported configuration.

Reverse Proxy Configuration

By: Santosh | Posted: March 16, 2008 at 11:06 PM

Can I use the same External FQDN (Ex:sip.company.com) for both the Address Book Sync and as the External Server Name in the office Communicator.

Thanks+Question

By: Cristian | Posted: February 12, 2008 at 10:18 AM

Jeff, great information. Beleive me, if I had this post before I deployed a standalone Edge Server in our org. everything would have been easier. Just a quick question. Have you tried using MPOP (same OCS user logged in from more than one Communicator) together with RCC?

clarifying 3 leg perimiter DMZ configuration

By: Ashley Mothershaw | Posted: February 4, 2008 at 5:13 AM

Hi Jeff, firstly I would like to say great artical, I have no doubt it will help many in thier deployments of OCS. Regards Ashley

Re: OCS Edge setup

By: Jeff Schertz | Posted: January 30, 2008 at 10:57 AM

It is possible to have multiple default routes, although not typically recommended as it requires a good understanding of how to configure it correctly. More commonly a persistent route would be added to the Windows Server's routing table to facilitate traffic for that additional external interface.

OCS Edge setup

By: Thomas | Posted: January 25, 2008 at 3:54 PM

If I going to use one of the setup having 1 public IP for the A/V (IP = 199.244.34.5)and two DMZ IP for web and sip (IP = 192.168.0.3 and 192.168.0.4), how can you manage the default gateway, since Windows 2003 server only allow you to have one default gateway, how can I have one set of default gatway to apply to the public and the DMZ network

Re: ISA Server

By: Jeff Schertz | Posted: January 10, 2008 at 1:38 PM

ISA Server 2006 is the Microsoft supported and recommended solution for the OCS Reverse HTTP Proxy, but you are not limited to that product. The TechNet OCS forums have covered some non-MS solutions to this. You can search there for "ISAPI Rewrite" to find some of those threads.

Re: DNS questions and alternate domains

By: Jeff Schertz | Posted: January 10, 2008 at 1:34 PM

Nick, thanks for your input. Regarding any specific technical questions please post them in the Microsoft TechNet OCS forums: http://forums.microsoft.com/unifiedcommunications/default.aspx?siteid=57

ISA Server

Posted: January 10, 2008 at 2:14 AM

Do i have to use isa or any firewall?

DNS questions and alternate domains

Posted: January 3, 2008 at 2:23 PM

Thanks for putting together such a concise and complete guide. I am normally pretty good at decoding tech docs but the edge server deployment guide had my head spinning. That said I am left with a couple of questions...

Re: ISA server Acess Rules

By: Jeff Schertz | Posted: December 19, 2007 at 3:35 PM

If Public IPs are used in the Perimeter network then you can simply assign dedicated IPs to each external Edge Server role and simplify any routing to/from external hosts. Take close look at Figure 7 (Firewall ports for the perimeter network) in the Edge Server Deployment Guide. Depending on which roles you will deploy you can setup any firewall rules to allow that traffic.

ISA server Acess Rules

Posted: December 15, 2007 at 7:00 AM

Hi, Can you elaborate a little bit about the access rules required in ISA server for the case where the Perimeter Network uses Public IP Addresses.? tks.

Re: Another Consolidated Edge Topology with ISA Server

By: Jeff Schertz | Posted: December 6, 2007 at 7:24 AM

Nóri, Yes, that is also another valid configuration scenario, although it requires adding an additional interface to the ISA server itself for the second perimeter network, which may or may not be desirable. I might consider adding that to the blog as well as there are some additional valid topoligies for a single server deployment, but I didn't plan to cover them all. Thanks for your input.

Another Consolidated Edge Topology with ISA Server

Posted: December 5, 2007 at 6:54 PM

What I did is create two Perimeter networks on the ISA Server since I don't have two ISA firewalls. One with public IP addresses and a route relationship to External and a second with private IP addresses with a router relationship to Internal. This way I can have ISA Server control all the traffic. So the Edge server has the external interface connected to the Perimeter - Public network and the internal interface is connected to the Perimeter - Private Network. Regards, Nóri

Subscribe to Jeff's Blog

See all of Jeff's Posts

About Jeff Schertz

Senior ConsultantJeff Schertz is a senior consultant for PointBridge, focused on unified communications. He has over 10 years of experience in the IT industry ranging from family-owned businesses to global product dev... [more]