Deploying the Communicator Web Access Server

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Before you deploy Communicator Web Access, you need to verify that your system infrastructure and the server on which you will install Communicator Web Access meet the requirements that are described in Server Requirements in Communicator Web Access Requirements earlier in this guide. When the environment is ready, you install certificates on the server, install Communicator Web Access on the server, and then configure user accounts in Active Directory if you have not already done so. Table 8 provides an overview of the required steps. The rest of this section provides detailed instructions.

Table 8: Communicator Web Access Deployment

Phase Steps

Prepare and install certificates

  1. Request and install the following certificates in the certificate store for the local computer:

    • A computer certificate for MTLS that specifies the FQDN of the Communicator Web Access server as the common name.

    • A Web Server certificate for HTTPS.

  2. If necessary, install the certificate chain for the CA in the Trusted Root Certification Authorities node in the certificate store for the local computer.

Install Communicator Web Access

  1. Install Communicator Web Access.

  2. Activate Communicator Web Access.

  3. Create a virtual server.

  4. Create an additional virtual server, if necessary.

Configure user accounts

  1. In Active Directory, configure user accounts by enabling them for Live Communications, entering SIP names, and enabling remote user access.

  2. Sign in to Communicator Web Access using the URI https://<server_FQDN>.

Preparing Certificates for Communicator Web Access

The Communicator Web Access server requires a certificate for MTLS and one for HTTPS. These certificates must be installed on the server before you install Communicator Web Access. The MTLS certificate used for both Office Communications Server 2007 and Communicator Web Access (2007 release) must be issued from the same certificate authority (CA).

For detailed information about the required certificate configuration for Communicator Web Access (2007 release), see Planning for Certificates earlier in this document.

Important

If you have not already decided on the PKI for Office Communications Server 2007 or if you have not successfully deployed Office Communications Server 2007 with certificates from that PKI, do not continue with the Communicator Web Access deployment.

If you are using a public CA for the MTLS and HTTPS certificates on Office Communications Server 2007, you will use the same public CA for the MTLS and HTTPS certificates on Communicator Web Access (2007 release). Follow the instructions from the public CA to obtain and install certificates for Communicator Web Access, and then skip to Installing Communicator Web Access.

If you deployed a Windows Server 2003 SP1 or later enterprise root CA for the MTLS and HTTPS certificates on Office Communications Server 2007, use the same CA when you request the MTLS and HTTPS certificates on Communicator Web Access (2007 release). To download and configure trust for the certificate chain, follow the instructions in the next section.

Download and Trust the Certificate Chain from the Certification Authority

If you set up automatic enrollment when you deployed the Windows Server 2003 public key infrastructure (PKI) for Office Communications Server 2007, users who are authenticated in Active Directory can be automatically enrolled in a certificate through a group policy.

If you are using Microsoft Windows Server 2003 SP1 or later PKI and you have not implemented automatic enrollment, use the following procedure to download a certificate chain and to request a certificate on the computer.

Note

We recommend that you not use the Web enrollment component for computers that are not in your internal network. The following procedure assumes that the server and the user can access the internal certification authority by using the physical network and Certificate Services Web enrollment.

To download the CA certification path

  1. Log on to the server as a member of the Administrators group.

  2. On the server where you will install Communicator Web Access, open the Web browser. In the address box, type http://<CA_FQDN>/certsrv, and then press ENTER.

    http://<CA_FQDN>[:<port_number>]/certsrv
    
  3. Under Select a task, click Download a CA certificate, certificate chain, or CRL.

  4. Under Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.

  5. In the File Download dialog box, click Save.

  6. Save the .p7b file to the hard disk on your server. If you open this .p7b file, the chain will have the following two certificates:

    • <name of enterprise root CA> certificate

    • <name of enterprise subordinate CA> certificate

To install the CA certification path

  1. Click Start, and then click Run. In the Open box, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. In the Add/Remove Snap-in dialog box, click Add.

  4. In the list of Available Standalone Snap-ins, select Certificates.

  5. Click Add.

  6. Select Computer account, and then click Next.

  7. In the Select Computer dialog box, ensure that Local computer (the computer this console is running on) is selected, and then click Finish.

  8. Click Close, and then click OK.

  9. In the left pane of the Certificates console, expand Certificates (Local Computer).

  10. Expand Trusted Root Certification Authorities.

  11. Right-click Certificates, point to All Tasks, and then click Import.

  12. In the Import Wizard, click Next.

  13. Click Browse, and then go to the location where you saved the certificate chain. Select the .p7b file, and then click Open.

  14. Click Next.

  15. Accept the default value Place all certificates in the following store. Under Certificate store, ensure that Trusted Root Certification Authorities appears.

  16. Click Next.

  17. Click Finish.

Request the MTLS Certificate

You are now ready to request and install the MTLS certificate.

To request the MTLS certificate

  1. On the server where you will install Communicator Web Access, open the Web browser. In the address box, type http://<CA_FQDN>/certsrv, and then press ENTER.

  2. Click Request a Certificate.

  3. Click Advanced certificate request.

  4. Click Create and submit a request to this CA.

  5. In the Certificate Template list, select the name of the Web Server template that you duplicated for the Office Communications Server 2007 certificates.

  6. Under Identifying Information for Offline Template in the Name box, type the FQDN of the Communicator Web Access server.

  7. Ensure that the Mark keys as exportable check box is selected.

  8. In the Key Options area, select the Store certificate in the local computer certificate store check box.

  9. Click Submit.

  10. If a potential scripting violation warning appears, and you understand and accept the implications, click Yes (required to continue).

Install the MTLS Certificate on the Computer

Now that you have requested the certificate, you can install it.

To install the MTLS certificate on the computer

  1. On the server where you will install Communicator Web Access, open the Web browser. In the address box, type http://<CA_FQDN>/certsrv, and then press ENTER.

  2. Click Install this certificate. If a potential scripting violation warning appears, and you understand and accept the implications, click Yes.

  3. Click Start, and then click Run. In the Open box, type mmc, and then click OK.

  4. On the File menu, click Add/Remove Snap-in.

  5. In the Add/Remove Snap-in dialog box, click Add.

  6. In the list of Available Standalone Snap-ins, click Certificates.

  7. Click Add.

  8. Click Computer account, and then click Next.

  9. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.

  10. Click Close, and then click OK.

  11. In the left pane of the Certificates console, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.

  12. Confirm that the certificate that you just requested and installed is located in this folder. If it is not, copy it from the Certificates folder under the Personal folder node, just above.

Request and Install the SSL Certificate

To request and install the SSL certificate, repeat the procedures for requesting and installing the MTLS certificate, with one possible exception: If you are deploying the server behind a load balancer, under Identifying Information for Offline Template in the Name box, type the FQDN of the load balancer.
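
A scripted check of the certificate requirements above, as an added example that is not part of the original guide: it confirms that the local computer Personal store holds a certificate whose common name is the expected FQDN, that it has a private key, that it was issued by the same CA as the Office Communications Server 2007 certificates, and that its chain builds on this computer. The function name, the FQDNs and the CA name are placeholders assumed for illustration.

```powershell
# Added example (not from the original guide). The FQDNs and CA name in the calls
# at the bottom are constructed placeholders; replace them with your own values.
function Test-CwaCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$SubjectFqdn,      # expected common name
        [Parameter(Mandatory = $true)][string]$ExpectedIssuerCn  # CA used for Office Communications Server 2007
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (Web Server template)
    $now = Get-Date

    # Certificates in the local computer Personal store whose CN is the expected FQDN.
    $candidates = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $SubjectFqdn })
    if ($candidates.Count -eq 0) {
        Write-Warning "No certificate with CN=$SubjectFqdn found in LocalMachine\My."
        return
    }

    foreach ($cert in $candidates) {
        $problems = @()

        # MTLS and HTTPS both need the private key on this computer.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += 'outside validity period'
        }

        # The guide requires the same issuing CA as the Office Communications Server certificates.
        $issuerCn = $cert.GetNameInfo('SimpleName', $true)
        if ($issuerCn -ne $ExpectedIssuerCn) {
            $problems += "issued by '$issuerCn', expected '$ExpectedIssuerCn'"
        }

        # If an EKU extension is present, it must allow Server Authentication.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku) {
            $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($oids -notcontains $serverAuthOid) { $problems += 'Server Authentication EKU missing' }
        }

        # Build the chain in the machine context, so only the local computer stores
        # (including Trusted Root Certification Authorities) are consulted.
        # The default chain policy also performs an online revocation check.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        if (-not $chain.Build($cert)) {
            foreach ($status in $chain.ChainStatus) { $problems += "chain: $($status.Status)" }
        }

        # One result object per matching certificate.
        New-Object PSObject -Property @{
            Subject    = $SubjectFqdn
            Thumbprint = $cert.Thumbprint
            Issuer     = $issuerCn
            NotAfter   = $cert.NotAfter
            Ready      = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# MTLS certificate: the common name is the FQDN of the Communicator Web Access server.
Test-CwaCertificate -SubjectFqdn 'cwa01.contoso.example' -ExpectedIssuerCn 'Contoso Issuing CA'

# HTTPS certificate: the common name is the load balancer FQDN when the server sits behind one.
Test-CwaCertificate -SubjectFqdn 'im.contoso.example' -ExpectedIssuerCn 'Contoso Issuing CA'
```

A result with Ready set to False lists each failed requirement in Problems; resolve those before you run the activation and virtual server wizards, which ask you to select these certificates.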

Installing Communicator Web Access

To perform the procedures that are described in this section, you must be logged on to the server as a member of the Administrators and the DomainAdmins groups.

To install Communicator Web Access, you use the Communicator Web Access server deployment tool to perform the following tasks:

  1. Install Communicator Web Access Files. Install the files that are needed to activate and deploy Communicator Web Access.

  2. Activate Communicator Web Access. Create a service account in Active Directory (named CWAService by default).

  3. Create a virtual server. Create a Communicator Web Access virtual server in IIS 6.0 by using the Deployment Tool. If you are supporting external and internal users on a single Communicator Web Access server, you can create another virtual server by using the Office Communicator Web Access Manager snap-in.

  4. (Optional) Install the Office Communicator Web Access Manager administrative snap-in on a remote management computer. By default, the Communicator Web Access Manager snap-in is installed on the computer when you install Communicator Web Access. You can optionally install the Office Communicator Web Access Manager on a remote management computer.

These steps are described in detail in the following sections.

Instead of using the deployment tool to install Communicator Web Access, you can use the command line method, as described in Installing Communicator Web Access by Using the Command Line later in this topic.

Note

If you want to install Communicator Web Access on a computer on which Communicator Web Access Manager is already installed, you must first remove Communicator Web Access Manager.

Installing Communicator Web Access by Using the Deployment Tools

To install Microsoft Office Communicator Web Access on a server, the server must be a domain member server, and you must have deployed Office Communications Server 2007 in the same forest.

Install and Activate Communicator Web Access

Installing and activating Communicator Web Access involves the following tasks:

  1. Install Communicator Web Access.

  2. Activate the Communicator Web Access server.

  3. Create the virtual server.

To install Communicator Web Access

  1. Log on to the Communicator Web Access server as a member of the Administrators group.

  2. From the Office Communications Server 2007 installation media, double-click setup.exe.

  3. On the Office Communications Server 2007 Deployment Wizard page, click Deploy Other Server Roles.


  4. On the Deploy Other Server Roles page, click Deploy Communicator Web Access.


  5. On the Deploy Office Communications Server 2007, Communicator Web Access page, under Step 1: Install Communicator Web Access, click Install.


  6. On the Welcome page, click Next.

  7. On the License Agreement page, click I accept, and then click Next (required to continue installation).

  8. On the Customer Information page, in User Name and Organization, type a name and organization, and then click Next.

  9. On the Ready to install page, accept the default location, and then click Next.

  10. On the Ready to install page, click Install.

  11. On the Setup complete page, click Finish.

    Do not close the window. Continue directly with the next procedure.

Note

For details on how to activate Communicator Web Access without membership in the DomainAdmins group, see Appendix C: Enabling Activation Without Using DomainAdmins Credentials.

To activate the Communicator Web Access server

  1. Under Step 2: Activate Communicator Web Access, click Run.

  2. On the Welcome page, click Next.

  3. On the Select domain service account page, accept the default Account name (CWAService) or type another name if you prefer. In the Password box, type a strong password to be used for the account. In the Confirm password box, type the password again, and then click Next.

  4. On the Select Server Certificate page, click Select Certificate.

  5. On the Select Certificate page, in the Issued to column, click the certificate with the FQDN of the server.

  6. On the Select Server Certificate page, click Next. Verify that the Issued to box contains CN=<FQDN>, the FQDN of the server.

  7. On the Ready to activate Communicator Web Access page, click Next.

  8. On the Success page, click Finish.

    Do not close the window. Continue directly with the next procedure.

Create the Virtual Server

The virtual server is the Web site that users will access to use the Communicator Web Access client. There must be a virtual server for internal users and another one for external users. We recommend that these be on physically separate computers. If, however, you are hosting both on a single Communicator Web Access server, you will create the second virtual server by using the Communicator Web Access Manager snap-in as described later in this guide.

To create the virtual server

  1. Under Step 3: Create Virtual Server, click Run.

  2. On the Welcome page, click Next.

  3. On the Select Virtual Server Type page, click Internal or External, as appropriate, and then click Next.


  4. On the Select Authentication Type page, click Use built-in authentication (the default) or Use custom authentication, as appropriate. If you will be using single sign-on to authenticate users, click Use custom authentication. If you selected custom authentication, in the Sign-Out URL box, you can optionally specify the URL of a Web page that users will be directed to when they sign out. If you select Use custom authentication, go to step 6.


  5. If you are configuring the Communicator Web Access server for internal users, on the Select authentication method page, select one or both of the check boxes to indicate whether you will use forms-based authentication, integrated Windows authentication (NTLM and Kerberos), or both.

    If you are configuring the server for external users, only forms-based authentication is supported. Click Next.


  6. On the Select Browser Connection Type page, accept the default of HTTPS (recommended), and then click Select Certificate. For security reasons, we strongly recommend that you use HTTPS even if your deployment does not require it.

    If you click HTTP instead, go to step 9.


  7. On the Select Certificate page, click the certificate with the FQDN of the load balancer, if one is present, or of the Communicator Web Access server, and then click OK.

  8. On the Select Browser Connection Type page, click Next.

  9. On the Select IP address and port setting page, accept all defaults (443 for HTTPS and 80 for HTTP), or make changes so as not to conflict with another program that uses the same IP address and port combination, and then click Next.

  10. On the Name the Virtual Server page, accept the default name Communicator Web Access or enter another name, and then click Next.


  11. On the Automatically Start Virtual Server page, accept the default and then click Next.

  12. On the Review Settings page, click Next.

  13. On the Success page, click Finish.

    Completion of this procedure implements setting changes in IIS. For a complete list of IIS settings for Communicator Web Access, see Appendix D: Configuring IIS 6.0.

Installing Communicator Web Access by Using the Command Line

The Communicator Web Access program files can be installed on a server by running the following Microsoft Installer files (.msi) at a command prompt:

  • CWAmain.msi

    Installs the Communicator Web Access program files on the server.

  • CWAActivateServer.msi

    Opens the Activation Wizard, which you can use to create the necessary Active Directory objects, activate the domain service account, and specify an MTLS certificate.

  • CWACreateVirtualServer.msi

    Opens the Create Virtual Server wizard, so that you can create virtual directories in IIS, specify an HTTPS certificate, and create the Communicator Web Access virtual server.

  • Cwammc.msi

    Installs Communicator Web Access Manager. This installation is not necessary if you have already installed the Communicator Web Access program files on the server.

    Note

    Communicator Web Access does not support silent installation.

To install Communicator Web Access at a command prompt

  1. Open a command prompt window: Click Start, and then click Run.

  2. In the Open box, type cmd, and then click OK.

  3. At the command prompt, type the following, and then press ENTER:

    cd <path to installation files>\setup\i386\setup\cwa

  4. To install the program files, type one of the following at the command prompt, and then press ENTER. If you want to create a log file, include the optional /lv switch.

    • Msiexec.exe /i cwamain.msi [/lv <log_file_name>.txt]

    • Runas.exe /user:<domain\adminaccount> "Msiexec.exe /i cwamain.msi"

Manually Installing Office Communicator Web Access Manager on a Remote Computer (Optional)

Office Communicator Web Access Manager is automatically installed on the server when you install Communicator Web Access. You can also manually install Office Communicator Web Access Manager on a remote computer, from which you can manage the Communicator Web Access server. The computer must be in the same Active Directory forest as the Communicator Web Access server, and it must meet the minimum system requirements that are described in Snap-In Requirements in Communicator Web Access Requirements earlier in this guide.

Note

If you install Office Communicator Web Access Manager on a computer and then later want to install Communicator Web Access on the same computer, you must first remove Communicator Web Access Manager.

You can install the Office Communicator Web Access (2007 release) Manager snap-in on a computer that also has the Communicator Web Access (2005 release) Manager snap-in if the operating system meets the minimum requirements for the 2007 release as described in Snap-In Requirements in Communicator Web Access Requirements earlier in this guide.

Note

Collocating the Communicator Web Access (2007 release) Manager snap-in and the Communicator Web Access (2005 release) Manager snap-in on the same computer is supported. Each release of the snap-in can manage only the corresponding release of Communicator Web Access.

To manually install the Communicator Web Access Manager snap-in on a remote computer

  1. On the computer where you will install the snap-in, log on as a member of the Administrators group.

  2. From the Office Communications Server 2007 installation media, double-click setup.exe.

  3. On the Office Communications Server 2007 Deployment Wizard page, click Deploy Other Server Roles.


  4. On the Deploy Other Server Roles page, click Deploy Communicator Web Access.


  5. On the Deploy Office Communications Server 2007, Communicator Web Access page, click Install Communicator Web Access Administrative Snap-in, and then follow the instructions on the screen.


Creating another Virtual Server

If you are supporting both internal users and external users on the same Communicator Web Access server, you must add a second virtual server to the computer. Although this single-server topology is supported, for security and availability reasons we recommend that you use physically separate servers for internal and external traffic if at all possible.

If you choose to deploy more than one virtual server on the same physical server, use the procedure below to create an additional virtual server. To avoid conflicts, you must use different ports when the IP addresses are identical.

To create another Communicator Web Access virtual server

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Office Communications Server 2007, Communicator Web Access Manager.

  2. In the scope pane, right-click the FQDN of the Communicator Web Access server, and then click Create Web Access Server.

  3. On the Welcome page, click Next.


  4. On the Select Virtual Server Type page, click Internal or External, as appropriate, and then click Next.


  5. On the Select Authentication Type page, select Use built-in authentication (the default) or Use custom authentication. If you selected custom authentication, in the Sign-Out URL box, you can optionally specify the URL of a Web page that users will be directed to when they sign out. If you select Use custom authentication, go to step 6.


  6. If you are configuring the Communicator Web Access server for internal users, on the Select authentication method page, select one or both of the check boxes to indicate whether you will use forms-based authentication, integrated Windows authentication (NTLM and Kerberos), or both.

    If you are configuring the server for external users, only forms-based authentication is supported. Click Next.


  7. On the Select Browser Connection Type page, accept the default of HTTPS (recommended), and then click Select Certificate. For security reasons, we strongly recommend that you use HTTPS even if your deployment does not require it.

    If you click HTTP instead, go to step 9.


  8. On the Select Certificate page, click the certificate with the FQDN of the load balancer, if one is present, or of the Communicator Web Access server, and then click OK.

  9. On the Select Browser Connection Type page, click Next.

  10. On the Select IP address and port setting page, choose a combination of IP address and port setting that does not conflict with the first virtual server or with another program that uses the same IP address and port combination, and then click Next.


  11. On the Name the Virtual Server page, accept the default name Communicator Web Access or enter another name, and then click Next.

  12. On the Automatically Start Virtual Server page, accept the default and then click Next.

  13. On the Review Settings page, click Next.

  14. On the Success page, click Finish.

Figure 5 shows how multiple virtual servers on the same Communicator Web Access server appear in the Communicator Web Access Manager snap-in.

Figure 5: Multiple Virtual Servers
