Step 1.2. Choose the Deployment Topology

Step 1.2. Choose the Deployment Top...

Microsoft Office Communications Server 2007

Office Communications Server 2007 supports a variety of topologies for edge server deployment. This section describes the supported topologies and explains the considerations for choosing the edge server topology that best addresses the needs of your organization, as well as for deploying components in the internal topology to support edge servers.

The size, geographical distribution, and needs of your organization are the primary determinants of which edge server topology is most appropriate for your organization. This section describes technical considerations for locating edge servers and the various edge server topologies and considerations for choosing the topology that is best suited for your organization.

Although your business requirements should drive your topology decisions, your decisions should also take into account the following technical considerations:

A single computer can provide multiple edge server roles.
A load balancer might be required to support multiple Access Edge Servers, multiple Web Conferencing Edge Servers, and multiple A/V Edge Servers. You must always use a load balancer to support multiple Access Edge Servers or A/V Edge Servers in a single location.
Each edge server role requires a single external interface to which users can connect by using the fully qualified domain name (FQDN).

The external IP address of the A/V Edge Server must be a external IP address that is directly contactable by external parties. This requirement does not apply to Access Edge Servers and Web Conferencing Edge Servers. These server roles do not require a publicly routable IP address on the external interface.

Note:
To conform to the requirement of a publicly routable IP address of the A/V Edge Server, the external firewall of the perimeter network must not act as a NAT (Network Address Translator) for this IP address. Additionally, the internal firewall must not act as a NAT for the internal IP address of the A/V Edge Server. The internal IP address of the A/V Edge Server must be fully routable from the internal network to the internal IP address of the A/V Edge Server.

Note:

To conform to the requirement of a publicly routable IP address of the A/V Edge Server, the external firewall of the perimeter network must not act as a NAT (Network Address Translator) for this IP address.

Additionally, the internal firewall must not act as a NAT for the internal IP address of the A/V Edge Server. The internal IP address of the A/V Edge Server must be fully routable from the internal network to the internal IP address of the A/V Edge Server.

To prevent port conflicts, if multiple edge servers (such as an A/V Edge Server and a Web Conferencing Edge Server) are collocated on a single computer, each edge server should have its own external IP address.
Each collocated edge server must use a unique port and IP address combination on both the internal and external interfaces.
If you configure the Access Edge Server, A/V Edge Server, or Web Conferencing Edge Server to use a port other than 443, an attempt by a remote user to sign in by using Office Communicator 2007 or to join a conference from within another organizations intranet may fail. This situation can occur because many organizations prevent traffic traveling through their firewall over non-default ports.

The following table summarizes the supported edge server topologies, which are listed in order of increasing complexity.

Table 2 Supported Edge Server Topologies

Topology	Description
Consolidated Edge Topology	The Access Edge Server, Web Conferencing Edge Server, and A/V Edge Server are collocated on a single computer.
Single-Site Edge Topology	The Access Edge Server and Web Conferencing Edge Server are collocated. The A/V Edge Server is on a separate computer.
Scaled Single-Site Edge Topology	Computers with a Web Conferencing and Access Edge Server role collocated on them are load balanced. Two or more A/V Edge Servers are each installed on separate computers and load balanced.
Multiple Site with a Remote Site Edge Topology	In the data center: Computers with a Web Conferencing and Access Edge Server role collocated on them are load balanced. Two or more A/V Edge Servers are each installed on separate computers and load balanced. In each remote location: One ore more Web Conferencing Edge Server are installed on a dedicated computer. The A/V Edge Server is installed on a dedicated computer.
Multiple Site with a Scaled Remote Site Edge Topology	In the data center: Two or move computers with a Web Conferencing and Access Edge Server role collocated on them are load balanced. Two or more A/V Edge Servers are each installed on separate computers and load balanced. In each remote location: Two or more A/V Edge Servers are each installed on separate computers and load balanced. Two or more Web Conferencing Edge Servers are each installed on separate computers and load balanced.

Consolidated Edge Topology

The consolidated edge topology is appropriate for small organizations.

In the consolidated edge topology, all three edge server roles (Access Edge Server, Web Conferencing Edge Server, and A/V Edge Server) are collocated on a single physical computer.

This topology offers:

Reduced server cost.
Ease of deployment and administration.

This topology does not:

Scale easily.
Provide load balancing.
Provide high availability.

Note:
To avoid port conflicts when running all server roles on a single computer, use a different IP address for each server role.

Note:
To avoid port conflicts when running all server roles on a single computer, use a different IP address for each server role.

The following figure illustrates the consolidated edge topology.

Figure 1. Consolidated edge topology
Bb663789.1928fd54-ac21-4bf2-ad98-b090c6de6436(en-us,office.12).gif

Single-Site Edge Topology

The single-site edge topology is appropriate for medium to large organizations.

In the single-site edge topology:

The Access Edge Server and Web Conferencing Edge Server are collocated on a single physical computer.
The A/V Edge Server is installed on a separated dedicated computer.

This topology is recommended because it offers:

Flexibility.
Efficient bandwidth utilization (because the A/V Edge Server, which uses the most bandwidth, is on a separate computer).
The fewest number of computers to manage.

This topology does not:

Scale easily.
Provide load balancing.
Provide high availability.

The following figure illustrates the single-site edge topology.

Figure 2. Single-site Edge topology
Bb663789.1a7a4f4e-38ed-42f3-ac87-b78ae67f67c5(en-us,office.12).gif

Scaled Single-Site Edge Topology

The scaled single-site edge topology is appropriate for large organizations.

This topology is recommended because it:

Provides load balancing.
Provides high availability
Scales easily.

The scaled single-site edge topology is the single-site edge topology scaled out in the following ways:

A load balancer is connected to two or more computers, with Access Edge Server and Web Conferencing Edge Server collocated on each computer.
Another load balancer is connected to two or more separate computers, each of which serves as an A/V Edge Server.

The following figure illustrates the scaled single-site edge topology.

Figure 3. Scaled single-site edge topology
Bb663789.9298eac6-ee64-436e-9c5e-def20cc1ce06(en-us,office.12).gif

Multiple-Site with Remote Site-Edge Topology

The remote-site edge topology supports multiple sites and is appropriate for organizations with remote sites that are geographically dispersed and are connected by using a WAN.

In the multiple-site edge topology using a remote site, you integrate remote locations into a scaled topology by deploying:

The scaled topology in your data center (as specified in the scaled single-site edge topology).
Local A/V Conferencing and Web Conferencing Edge Servers and a local Standard Edition server or pool in each remote location.

In this topology, traffic from remote or federated users in the remote location travels across the WAN only to contact the Access Edge Server for authentication and instant messaging and presence, which incurs lower bandwidth cost. The Access Edge Server returns the local pool or Standard Edition server for users at the remote site, and the pool or server points the user to the local A/V or Web Conferencing Edge Server. A/V traffic and traffic from the Web Conferencing Server remain local, which results in a better user experience and lower bandwidth usage of the WAN.

In a remote site topology, you can have one or more stand-alone Web Conferencing Edge Servers but only a single A/V Edge Server. If you need more than one A/V Edge Server, use the scaled remote site topology for the A/V Edge Servers.

Note:
If you want to add more than one Web Conferencing Edge Server in a remote site, we recommend load balancing them, as described in the scaled remote edge topology section.

The following figure illustrates a remote site topology in multiple-site edge deployment.

Figure 4. Multiple-site edge topology with remote site
Bb663789.3027bf6c-96a4-49c8-9ac2-b638180b0168(en-us,office.12).gif

In the remote office, you can also scale the edge topology to provide high availability for external access. In a scaled edge topology of a remote office, one or more A/V Edge Servers are deployed on dedicated servers and Web Conferencing Edge Servers are deployed on separate dedicated computers. All edge servers are connected to a hardware load balancer.

Multiple-Site with Scaled Remote-Site Edge Topology

As a variation to the multiple-site edge topology, if you have large remote sites or want to enable high availability in these sites, you can scale the topology in the remote sites by load-balancing your Web Conferencing Edge Servers and your A/V Edge Servers in a topology similar to Figure 5.

Figure 5. Scaled Remote-site Edge Topology
Bb663789.af155b53-2536-47f9-9669-84a8ce393fef(en-us,office.12).gif

Connecting to Internal Servers

When you deploy an Access Edge Server, you can connect it to your internal network components in either of the following ways:

Connecting directly to an internal server or Enterprise pool.
Using a Director. A Director is optional but is strongly recommended in all topologies that involve connections across the Internet, especially those that support remote users. The Director is an Office Communications Server 2007 Standard Edition server or Enterprise pool that does not host users but that, as a member of an Active Directory domain, has access to Active Directory for purposes of authenticating remote users and routing traffic to the appropriate server or Enterprise pool. By authenticating inbound SIP traffic from remote users, the Director helps insulate home servers and Enterprise pools from potentially malicious traffic, while relieving them of the overhead of performing authentication.

You can deploy either a single Director as a Standard Edition server or Enterprise pool or as an array of Standard Edition servers behind a load balancer that function as a Director. In a large deployment with significant external traffic, an Enterprise pool Director or Standard Edition array Director with a load balancer provides a significant improvement in performance.

However you decide to connect to internal servers, ensure that you should only have one inbound MTLS listener configured on your Director (or your Front End Servers if you are not using a Director). This is the default configuration, which is recommended. If you have more than one listener configured on your Director (or your Front End Servers if you are not using a Director), all other listeners besides the default connection (MTLS on port 5061) must be configured to use TLS or TCP. Having more than one MTLS listener can result in problems communicating with external users and attending external conferences. If you have a requirement for more than one MTLS listener, verify that the port numbers corresponding to each MTLS listener are open on the internal firewall for communication between the Access Edge Server and Director ((or your Front End Servers if you are not using a Director).