Deploying the Communicator Web Access Server
Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Before you deploy Communicator Web Access, you need to verify that your system infrastructure and the server on which you will install Communicator Web Access meet the requirements that are described in Server Requirements in Communicator Web Access Requirements earlier in this guide. When the environment is ready, you install certificates on the server, install Communicator Web Access on the server, and then configure user accounts in Active Directory if you have not already done so. Table 8 provides an overview of the required steps. The rest of this section provides detailed instructions.
Table 8: Communicator Web Access Deployment
Phase | Steps |
---|---|
Prepare and install certificates | |
Install Communicator Web Access | |
Configure user accounts | |
Preparing Certificates for Communicator Web Access
The Communicator Web Access server requires a certificate for MTLS and one for HTTPS. These certificates must be installed on the server before you install Communicator Web Access. The MTLS certificate used for both Office Communications Server 2007 and Communicator Web Access (2007 release) must be issued from the same certificate authority (CA).
For detailed information about the required certificate configuration for Communicator Web Access (2007 release), see Planning for Certificates earlier in this document.
Important
If you have not already decided on the PKI for Office Communications Server 2007 or if you have not successfully deployed Office Communications Server 2007 with certificates from that PKI, do not continue with the Communicator Web Access deployment.
If you are using a public CA for the MTLS and HTTPS certificates on Office Communications Server 2007, you will use the same public CA for the MTLS and HTTPS certificates on Communicator Web Access (2007 release). Follow the instructions from the public CA to obtain and install certificates for Communicator Web Access, and then skip to Installing Communicator Web Access.
If you deployed a Windows Server 2003 SP1 or later enterprise root CA for the MTLS and HTTPS certificates on Office Communications Server 2007, use the same CA when you request the MTLS and HTTPS certificates on Communicator Web Access (2007 release). To download and configure trust for the certificate chain, follow the instructions in the next section.
Download and Trust the Certificate Chain from the Certification Authority
If you set up automatic enrollment when you deployed the Windows Server 2003 public key infrastructure (PKI) for Office Communications Server 2007, users who are authenticated in Active Directory can be automatically enrolled in a certificate through a group policy.
If you are using Microsoft Windows Server 2003 SP1 or later PKI and you have not implemented automatic enrollment, use the following procedure to download a certificate chain and to request a certificate on the computer.
Note
We recommend that you not use the Web enrollment component for computers that are not in your internal network. The following procedure assumes that the server and the user can access the internal certification authority by using the physical network and Certificate Services Web enrollment.
To download the CA certification path
Log on to the server as a member of the Administrators group.
On the server where you will install Communicator Web Access, open the Web browser. In the address box, type http://<CA_FQDN>/certsrv, and then press ENTER.
http://<CA_FQDN>[:<port_number>]/certsrv
Under Select a task, click Download a CA certificate, certificate chain, or CRL.
Under Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.
In the File Download dialog box, click Save.
Save the .p7b file to the hard disk on your server. If you open this .p7b file, the chain will have the following two certificates:
<name of enterprise root CA> certificate
<name of enterprise subordinate CA> certificate
To install the CA certification path
Click Start, and then click Run. In the Open box, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
In the list of Available Standalone Snap-ins, select Certificates.
Click Add.
Select Computer account, and then click Next.
In the Select Computer dialog box, ensure that Local computer (the computer this console is running on) is selected, and then click Finish.
Click Close, and then click OK.
In the left pane of the Certificates console, expand Certificates (Local Computer).
Expand Trusted Root Certification Authorities.
Right-click Certificates, point to All Tasks, and then click Import.
In the Import Wizard, click Next.
Click Browse, and then go to the location where you saved the certificate chain. Select the .p7b file, and then click Open.
Click Next.
Accept the default value Place all certificates in the following store. Under Certificate store, ensure that Trusted Root Certification Authorities appears.
Click Next.
Click Finish.
Request the MTLS Certificate
You are now ready to request and install the MTLS certificate.
To request the MTLS certificate
On the server where you will install Communicator Web Access, open the Web browser. In the address box, type http://<CA_FQDN>/certsrv, and then press ENTER.
Click Request a Certificate.
Click Advanced certificate request.
Click Create and submit a request to this CA.
In the Certificate Template list, select the name of the Web Server template that you duplicated for the Office Communications Server 2007 certificates.
Under Identifying Information for Offline Template in the Name box, type the FQDN of the Communicator Web Access server.
Ensure that the Mark keys as exportable check box is selected.
In the Key Options area, select the Store certificate in the local computer certificate store check box.
Click Submit.
If a potential scripting violation warning appears, and you understand and accept the implications, click Yes (required to continue).
Install the MTLS Certificate on the Computer
Now that you have requested the certificate, you can install it.
To install the MTLS certificate on the computer
On the server where you will install Communicator Web Access, open the Web browser. In the address box, type http://<CA_FQDN>/certsrv, and then press ENTER.
Click Install this certificate. If a potential scripting violation warning appears, and you understand and accept the implications, click Yes.
Click Start, and then click Run. In the Open box, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
In the list of Available Standalone Snap-ins, click Certificates.
Click Add.
Click Computer account, and then click Next.
In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.
Click Close, and then click OK.
In the left pane of the Certificates console, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
Confirm that the certificate that you just requested and installed is located in this folder. If it is not, copy it from the Certificates folder under the Personal folder node, just above.
Request and Install the SSL Certificate
To request and install the SSL certificate, repeat the procedures for requesting and installing the MTLS certificate, with one possible exception: If you are deploying the server behind a load balancer, under Identifying Information for Offline Template in the Name box, type the FQDN of the load balancer.
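A check to run once both certificates are installed, given here as an added PowerShell example that is not part of the original guide. It lists the certificates in the Local Computer Personal store whose subject is the given FQDN and reports issuer, private key, validity period and chain status. The function name, the FQDNs and the CA name are placeholders, and it assumes Windows PowerShell 2.0 or later is available on the server.

```powershell
# Added example, not from the original guide. Function name, FQDNs and CA name
# are placeholders; replace them with the values used in your deployment.
function Test-CwaCertificate {
    param(
        [string]$Fqdn,            # name typed in the Name box of the request
        [string]$ExpectedCaName   # CN of the CA that issued the OCS 2007 certificates
    )
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $now = Get-Date

    # Certificates in the Local Computer Personal store whose subject CN is the FQDN.
    $found = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo($simple, $false) -eq $Fqdn })
    if ($found.Count -eq 0) {
        Write-Warning "No certificate with subject $Fqdn in LocalMachine\My"
        return
    }

    foreach ($cert in $found) {
        # Build the chain against the Local Computer stores, where the CA chain was imported.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        $chainOk = $chain.Build($cert)
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $issuer = $cert.GetNameInfo($simple, $true)

        New-Object PSObject -Property @{
            Subject          = $Fqdn
            Issuer           = $issuer
            IssuerIsExpected = ($issuer -eq $ExpectedCaName)
            HasPrivateKey    = $cert.HasPrivateKey
            InValidityPeriod = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
            ChainBuilds      = $chainOk
            ChainStatus      = $status
            Thumbprint       = $cert.Thumbprint
        } | Select-Object Subject, Issuer, IssuerIsExpected, HasPrivateKey,
                          InValidityPeriod, ChainBuilds, ChainStatus, Thumbprint
    }
}

# MTLS certificate: subject is the server FQDN. HTTPS certificate: subject is the
# load balancer FQDN when the server sits behind one. Both values are placeholders.
'cwa01.contoso.example', 'cwa.contoso.example' | ForEach-Object {
    Test-CwaCertificate -Fqdn $_ -ExpectedCaName 'Contoso Issuing CA'
} | Format-List
```

Any row where IssuerIsExpected, HasPrivateKey, InValidityPeriod or ChainBuilds is False should be resolved before you run the Activation Wizard or the Create Virtual Server wizard, because both wizards ask you to select one of these certificates.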
Installing Communicator Web Access
To perform the procedures that are described in this section, you must be logged on to the server as a member of the Administrators and the DomainAdmins groups.
To install Communicator Web Access, you use the Communicator Web Access server deployment tool to perform the following tasks:
Install Communicator Web Access Files. Install the files that are needed to activate and deploy Communicator Web Access.
Activate Communicator Web Access. Create a service account in Active Directory (named CWAService by default).
Create a virtual server. Create a Communicator Web Access virtual server in IIS 6.0 by using the Deployment Tool. If you are supporting external and internal users on a single Communicator Web Access server, you can create another virtual server by using the Office Communicator Web Access Manager snap-in.
(Optional) Install the Office Communicator Web Access Manager administrative snap-in on a remote management computer. By default, the Communicator Web Access Manager snap-in is installed on the computer when you install Communicator Web Access. You can optionally install the Office Communicator Web Access Manager on a remote management computer.
These steps are described in detail in the following sections.
Instead of using the deployment tool to install Communicator Web Access, you can use the command line method, as described in Installing Communicator Web Access by Using the Command Line later in this topic.
Note
If you want to install Communicator Web Access on a computer on which Communicator Web Access Manager is already installed, you must first remove Communicator Web Access Manager.
Installing Communicator Web Access by Using the Deployment Tools
To install Microsoft Office Communicator Web Access on a server, the server must be a domain member server, and you must have deployed Office Communications Server 2007 in the same forest.
Install and Activate Communicator Web Access
Installing and activating Communicator Web Access involves the following tasks:
Install Communicator Web Access.
Activate the Communicator Web Access server.
Create the virtual server.
To install Communicator Web Access
Log on to the Communicator Web Access server as a member of the Administrators group.
From the Office Communications Server 2007 installation media, double-click setup.exe.
On the Office Communications Server 2007 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Communicator Web Access.
On the Deploy Office Communications Server 2007, Communicator Web Access page, under Step 1: Install Communicator Web Access, click Install.
On the Welcome page, click Next.
On the License Agreement page, click I accept, and then click Next (required to continue installation).
On the Customer Information page, in User Name and Organization, type a name and organization, and then click Next.
On the Ready to install page, accept the default location, and then click Next.
On the Ready to install page, click Install.
On the Setup complete page, click Finish.
Do not close the window. Continue directly with the next procedure.
Note
For details on how to activate Communicator Web Access without membership in the DomainAdmins group, see Appendix C: Enabling Activation Without Using DomainAdmins Credentials.
To activate the Communicator Web Access server
Under Step 2: Activate Communicator Web Access, click Run.
On the Welcome page, click Next.
On the Select domain service account page, accept the default Account name (CWAService) or type another name if you prefer. In the Password box, type a strong password to be used for the account. In the Confirm password box, type the password again, and then click Next.
On the Select Server Certificate page, click Select Certificate.
On the Select Certificate page, in the Issued to column, click the certificate with the FQDN of the server.
On the Select Server Certificate page, click Next. Verify that the Issued to box contains CN=<FQDN>, the FQDN of the server.
On the Ready to activate Communicator Web Access page, click Next.
On the Success page, click Finish.
Do not close the window. Continue directly with the next procedure.
Create the Virtual Server
The virtual server is the Web site that users will access to use the Communicator Web Access client. There must be a virtual server for internal users and another one for external users. We recommend that these be on physically separate computers. If, however, you are hosting both on a single Communicator Web Access server, you will create the second virtual server by using the Communicator Web Access Manager snap-in as described later in this guide.
To create the virtual server
Under Step 3: Create Virtual Server, click Run.
On the Welcome page, click Next.
On the Select Virtual Server Type page, click Internal or External, as appropriate, and then click Next.
On the Select Authentication Type page, click Use built-in authentication (the default) or Use custom authentication, as appropriate. If you will be using single sign-on to authenticate users, click Use custom authentication. If you selected custom authentication, in the Sign-Out URL box, you can optionally specify the URL of a Web page that users will be directed to when they sign out. If you select Use custom authentication, go to step 6.
Built-in Authentication
Custom Authentication
If you are configuring the Communicator Web Access server for internal users, on the Select authentication method page, select one or both of the check boxes to indicate whether you will use forms-based authentication, integrated Windows authentication (NTLM and Kerberos), or both.
If you are configuring the server for external users, only forms-based authentication is supported. Click Next.
Internal Users
External Users
On the Select Browser Connection Type page, accept the default of HTTPS (recommended), and then click Select Certificate. For security reasons, we strongly recommend that you use HTTPS even if your deployment does not require it.
If you click HTTP instead, go to step 9.
On the Select Certificate page, click the certificate with the FQDN of the load balancer, if one is present, or of the Communicator Web Access server, and then click OK.
On the Select Browser Connection Type page, click Next.
On the Select IP address and port setting page, accept all defaults (443 for HTTPS and 80 for HTTP), or make changes so as not to conflict with another program that uses the same IP address and port combination, and then click Next.
On the Name the Virtual Server page, accept the default name Communicator Web Access or enter another name, and then click Next.
On the Automatically Start Virtual Server page, accept the default and then click Next.
On the Review Settings page, click Next.
On the Success page, click Finish.
Completion of this procedure implements setting changes in IIS. For a complete list of IIS settings for Communicator Web Access, see Appendix D: Configuring IIS 6.0.
Installing Communicator Web Access by Using the Command Line
The Communicator Web Access program files can be installed on a server by running the following Microsoft Installer files (.msi) at a command prompt:
CWAmain.msi
Installs the Communicator Web Access program files on the server.
CWAActivateServer.msi
Opens the Activation Wizard, which you can use to create the necessary Active Directory objects, activate the domain service account, and specify an MTLS certificate.
CWACreateVirtualServer.msi
Opens the Create Virtual Server wizard, so that you can create virtual directories in IIS, specify an HTTPS certificate, and create the Communicator Web Access virtual server.
Cwammc.msi
Installs Communicator Web Access Manager. This installation is not necessary if you have already installed the Communicator Web Access program files on the server.
Note
Communicator Web Access does not support silent installation.
To install Communicator Web Access at a command prompt
Open a command prompt window: Click Start, and then click Run.
In the Open box, type cmd, and then click OK.
At the command prompt, type the following, and then press ENTER:
cd <path to installation files>\setup\i386\setup\cwa
To install the program files, type one of the following at the command prompt, and then press ENTER. If you want to create a log file, include the optional /lv switch.
Msiexec.exe /i cwamain.msi [/lv<log_file_name>.txt]
Runas.exe /user:<domain\adminaccount> Msiexec.exe /I cwamain.msi
Manually Installing Office Communicator Web Access Manager on a Remote Computer (Optional)
Office Communicator Web Access Manager is automatically installed on the server when you install Communicator Web Access. You can also manually install Office Communicator Web Access Manager on a remote computer, from which you can manage the Communicator Web Access server. The computer must be in the same Active Directory forest as the Communicator Web Access server, and it must meet the minimum system requirements that are described in Snap-In Requirements in Communicator Web Access Requirements earlier in this guide.
Note
If you install Office Communicator Web Access Manager on a computer and then later want to install Communicator Web Access on the same computer, you must first remove Communicator Web Access Manager.
You can install the Office Communicator Web Access (2007 release) Manager snap-in on a computer that also has the Communicator Web Access (2005 release) Manager snap-in if the operating system meets the minimum requirements for the 2007 release as described in Snap-In Requirements in Communicator Web Access Requirements earlier in this guide.
Note
Collocating the Communicator Web Access (2007 release) Manager snap-in and the Communicator Web Access (2005 release) Manager snap-in on the same computer is supported. Each release of the snap-in can manage only the corresponding release of Communicator Web Access.
To manually install the Communicator Web Access Manager snap-in on a remote computer
On the computer where you will install the snap-in, log on as a member of the Administrators group.
From the Office Communications Server 2007 installation media, double-click setup.exe.
On the Office Communications Server 2007 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Communicator Web Access.
On the Deploy Office Communications Server 2007, Communicator Web Access page, click Install Communicator Web Access Administrative Snap-in, and then follow the instructions on the screen.
Creating another Virtual Server
If you are supporting both internal users and external users on the same Communicator Web Access server, you must add a second virtual server to the computer. Although this single-server topology is supported, for security and availability reasons we recommend that you use physically separate servers for internal and external traffic if at all possible.
If you choose to deploy more than one virtual server on the same physical server, use the procedure below to create an additional virtual server. To avoid conflicts, you must use different ports when the IP addresses are identical.
To create another Communicator Web Access virtual server
Click Start, point to All Programs, point to Administrative Tools, and then click Office Communications Server 2007, Communicator Web Access Manager.
In the scope pane, right-click the FQDN of the Communicator Web Access server, and then click Create Web Access Server.
On the Welcome page, click Next.
On the Select Virtual Server Type page, click Internal or External, as appropriate, and then click Next.
On the Select Authentication Type page, select Use built-in authentication (the default) or Use custom authentication. If you selected custom authentication, in the Sign-Out URL box, you can optionally specify the URL of a Web page that users will be directed to when they sign out. If you select Use custom authentication, go to step 6.
Built-in Authentication
Custom Authentication
If you are configuring the Communicator Web Access server for internal users, on the Select authentication method page, select one or both of the check boxes to indicate whether you will use forms-based authentication, integrated Windows authentication (NTLM and Kerberos), or both.
If you are configuring the server for external users, only forms-based authentication is supported. Click Next.
Internal Users
External Users
On the Select Browser Connection Type page, accept the default of HTTPS (recommended), and then click Select Certificate. For security reasons, we strongly recommend that you use HTTPS even if your deployment does not require it.
If you click HTTP instead, go to step 9.
On the Select Certificate page, click the certificate with the FQDN of the load balancer, if one is present, or of the Communicator Web Access server, and then click OK.
On the Select Browser Connection Type page, click Next.
On the Select IP address and port setting page, choose a combination of IP address and port setting that does not conflict with the first virtual server or with another program, and then click Next.
On the Name the Virtual Server page, accept the default name Communicator Web Access or enter another name, and then click Next.
On the Automatically Start Virtual Server page, accept the default and then click Next.
On the Review Settings page, click Next.
On the Success page, click Finish.
Figure 5 shows how multiple virtual servers on the same Communicator Web Access server appear in the Communicator Web Access Manager snap-in.
Figure 5: Multiple Virtual Servers