Managing Connectivity between Internal Servers and Edge Servers

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Managing connectivity between internal servers and edge servers includes the following:

  • Specifying Servers and Domains for Edge Servers

  • Managing Inbound and Outbound Connections

Specifying Servers and Domains for Edge Servers

Controlling external connectivity includes the following:

  • Specifying Trusted Edge Servers

  • Specifying Supported Internal SIP Domains for Edge Servers

  • Specifying Authorized Internal Servers

Specifying Trusted Edge Servers

For internal Office Communications Server 2007 servers to recognize an edge server and communicate with it, the edge server must be in the appropriate trusted edge server lists:

  • Access Edge and Web Conferencing Edge Servers. The list includes the FQDNs of each Access Edge Server and Web Conferencing Edge Server that your internal Office Communications Server 2007 servers trust to route SIP traffic, meeting content, and audio-video streams between internal and external users. Your internal Office Communications Server 2007 servers only send outbound traffic to trusted Access Edge and Web Conferencing Edge Servers on this list.

  • A/V Edge Servers. This list includes the FQDNs and ports used for A/V authentication for each Audio/Video (A/V) Edge Server that your internal Office Communications Server 2007 servers trust for A/V conferencing between internal and external users. Your internal Office Communications Server 2007 servers only send outbound A/V traffic to edge servers on this list. All A/V traffic must be authenticated by the A/V Edge Server.

To specify a trusted edge server

  1. Open Office Communications Server 2007.

  2. In the console tree, right-click the forest node, click Properties, and then click Global Properties.

  3. Click the Edge Servers tab.

  4. Under Access Edge and Web Conferencing Edge Servers, do one of the following:

    • To select an edge server from the FQDN list, click the name of the edge server.

    • To add a new edge server, click Add. In the Add Edge Server dialog box, in FQDN, type the FQDN of the server to be added—if using an array of Access Edge Servers, specify the FQDN of the virtual IP address of the internal load balancer.

    • To remove an edge server from the list, click the name of the server, and then click Remove.

  5. Under A/V Edge Servers, do the following:

    • To add a new edge server, click Add. In the Add A/V Edge Server dialog box, in Internal FQDN, type the FQDN used for access from the internal network—if using an array of A/V Edge Servers, specify the FQDN of the virtual IP address of the internal load balancer. In A/V authentication port, type the number of the port to be used by the Office Communications Server Audio/Video Authentication service.

    • To remove an edge server from the list, click the server name, and then click Remove.

Specifying Supported Internal SIP Domains for Edge Servers

Add each internal SIP domain used in your organization to the list of domains authorized to connect to the edge servers. The list should not include any external domains or domains of federated partners.

Note

If the A/V Edge Server and Access Edge Server are not collocated on a single computer, you must specify supported internal SIP domains on the Access Edge Server, as well as the A/V Edge Server.

To specify a supported SIP domain

  1. On the edge server, open Computer Management.

  2. In the console tree, expand Services and Applications, right-click Office Communications Server 2007, and then click Properties.

  3. Click the Internal tab.

  4. Under Domains, click Add Domain.

  5. In the Add SIP Domain dialog box, type the FQDN of the internal SIP domain.

Specifying Authorized Internal Servers

You can add an internal server to the list of servers authorized to connect to an edge server. The list should include:

  • All servers that can send messages to the Access Edge Server from within the internal network.

  • All internal servers that can establish connections to the Web Conferencing Edge Server or A/V Edge Server.

  • All servers to which a script or managed application running on the edge server can route messages.

To add an authorized internal server

  1. On the edge server, open Computer Management.

  2. In the console tree, expand Services and Applications, right-click Office Communications Server 2007, and then click Properties.

  3. On the Internal tab, under Servers, click Add Server.

  4. In the Add Office Communications Server dialog box, in Server name, type the FQDN of the internal Standard Edition Server or Enterprise pool that you want to authorize to connect to the edge server.
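The trust relationship described in this section is two-sided: the internal servers keep a trusted-edge list (Global Properties, Edge Servers tab), and each edge server keeps its own internal SIP domain list and authorized internal server list (Computer Management, Internal tab). A mismatch on either side silently drops traffic. The following script, an added illustration and not Microsoft's code, models both sides and reports the inconsistencies a practitioner would want to catch: an edge trusted internally but never configured, a configured edge the internal servers will never send to, an internal pool the edge does not authorize, a federated partner domain wrongly listed as internal, and an A/V Edge entry without its authentication port. The `InternalSide` and `EdgeSide` classes, `audit_trust`, and every host and domain name are constructed for the example.

```python
"""Consistency check for the two-sided trust configuration between internal
Office Communications Server 2007 servers and edge servers. Added illustration,
not Microsoft's code; every class, function and sample value is constructed."""
from dataclasses import dataclass, field


@dataclass
class InternalSide:
    """What the forest-level Edge Servers tab holds (hypothetical model)."""
    trusted_access_edges: set   # Access Edge / Web Conferencing Edge FQDNs
    trusted_av_edges: set       # A/V Edge entries as typed, 'fqdn:port'
    pools: set                  # internal pools / Standard Edition servers


@dataclass
class EdgeSide:
    """What one edge server's Internal tab holds (hypothetical model)."""
    fqdn: str
    internal_sip_domains: set = field(default_factory=set)
    authorized_servers: set = field(default_factory=set)


def parse_av_edge(entry):
    """Split an A/V Edge entry such as 'AVEdge.contoso.com:5062' into
    (fqdn, port); raise ValueError when the port is missing or invalid."""
    fqdn, sep, port_text = entry.rpartition(":")
    if not sep or not fqdn:
        raise ValueError(f"{entry!r}: expected 'fqdn:port'")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"{entry!r}: invalid A/V authentication port")
    return fqdn.lower(), int(port_text)


def audit_trust(internal, edges, federated_domains):
    """Return a list of findings; an empty list means the two sides agree.
    `edges` maps a lowercase edge FQDN to its EdgeSide record."""
    findings = []
    wanted = {f.lower() for f in internal.trusted_access_edges}
    for entry in sorted(internal.trusted_av_edges):
        try:
            wanted.add(parse_av_edge(entry)[0])
        except ValueError as exc:
            findings.append(f"A/V Edge entry rejected: {exc}")
    edge_names = set(edges)
    # Trusted on the inside but with no edge record: outbound traffic is
    # directed at a server whose own internal tab was never configured.
    for fqdn in sorted(wanted - edge_names):
        findings.append(f"{fqdn}: in the trusted list but no edge configuration found")
    # Configured edge the internal servers do not trust: it never receives
    # outbound traffic, so external users reach nothing through it.
    for fqdn in sorted(edge_names - wanted):
        findings.append(f"{fqdn}: configured but not in the internal trusted list")
    for fqdn in sorted(wanted & edge_names):
        edge = edges[fqdn]
        authorized = {s.lower() for s in edge.authorized_servers}
        for pool in sorted(p.lower() for p in internal.pools):
            if pool not in authorized:
                findings.append(f"{fqdn}: does not authorize internal server {pool}")
        # The internal SIP domain list must not contain partner domains.
        internal_doms = {d.lower() for d in edge.internal_sip_domains}
        for dom in sorted(internal_doms & {d.lower() for d in federated_domains}):
            findings.append(f"{fqdn}: federated domain {dom} listed as internal SIP domain")
    return findings


# Constructed sample: one Access Edge, one A/V Edge, two internal pools.
SAMPLE_INTERNAL = InternalSide(
    trusted_access_edges={"AccessEdge.contoso.com"},
    trusted_av_edges={"AVEdge.contoso.com:5062", "AVEdge2.contoso.com"},  # second lacks a port
    pools={"pool01.contoso.com", "se01.contoso.com"},
)
SAMPLE_EDGES = {
    "accessedge.contoso.com": EdgeSide(
        "accessedge.contoso.com",
        internal_sip_domains={"contoso.com", "fabrikam.com"},  # fabrikam is a partner: wrong
        authorized_servers={"pool01.contoso.com"},             # se01 is missing
    ),
    "avedge.contoso.com": EdgeSide(
        "avedge.contoso.com",
        internal_sip_domains={"contoso.com"},
        authorized_servers={"pool01.contoso.com", "se01.contoso.com"},
    ),
}
SAMPLE_FEDERATED = {"fabrikam.com"}

if __name__ == "__main__":
    for line in audit_trust(SAMPLE_INTERNAL, SAMPLE_EDGES, SAMPLE_FEDERATED):
        print(line)
```

Run against the constructed sample, the audit reports three findings: the A/V entry without a port, the pool the Access Edge Server does not authorize, and the partner domain listed as internal. Feeding it the lists exported from a real deployment would require an export step the snap-in does not provide, so the records are typed in by hand here.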

Managing Inbound and Outbound Connections

Managing inbound and outbound connections includes the following tasks:

  • Enabling Federation and public IM connectivity, and configuring routing of inbound and outbound SIP traffic.

  • Configuring routing of Web conferencing traffic.

  • Configuring A/V Conferencing remote user authentication.

  • Configuring A/V Conferencing media encryption.

  • Specifying the next hop network address and port number for Access Edge Servers.

  • Enabling and configuring remote user access.

  • Enabling and configuring anonymous participation in meetings.

Enabling Federation and Public IM Connectivity and Configuring Routing of Inbound and Outbound SIP Traffic

Enabling Federation and public IM connectivity makes it possible for internal users to communicate with federated partners and use public IM providers. To implement federation and public IM connectivity, you must enable this functionality and configure a default route for your internal Office Communications Server 2007 servers to use to send outbound SIP traffic. You may have already configured support for federation and public IM connectivity when you deployed your servers, but you can also enable or disable support after deployment, as well as change the routing for outbound SIP traffic.

The default route for outbound SIP traffic specifies the next hop server for all communication requests that do not match the SIP domains supported by your organization. The FQDN you specify for the route can be any of the following:

  • If a Director is deployed, the FQDN of the Director that is used to route SIP traffic outside your organization. A Director is recommended for security and scalability. Depending on your configuration this FQDN can be one of the following:

    • If you are using a single Standard Edition Server as a Director, specify the FQDN of that server.

    • If you are using an array of Standard Edition Servers connected to a load balancer, specify the FQDN of the virtual IP address of the load balancer used by the array.

    • If you are using an Enterprise pool, specify the FQDN of the virtual IP address of the load balancer used by the pool.

  • If a Director is not deployed, specify the internal FQDN of the Access Edge Server. Depending on your configuration, this FQDN can be one of the following:

    • If you are using a single Access Edge Server, specify the internal FQDN of the server.

    • If you are using an array of Access Edge Servers, specify the FQDN of the virtual IP address used by the Access Edge Servers on the internal load balancer.

Configuration of the default route includes the following:

  • Configure the global default route. You must define the global-level default route for the forest to enable internal users to exchange SIP messages with users outside the organization network, including federated partners, public IM service providers, and remote users, as well as to track the presence of these external users. The default route is specified at the global level, so it is the default for all Standard Edition Server servers and Enterprise pools in the forest. The default route can be overridden for any single Standard Edition Server or Enterprise pool. When you run the Configuration Wizard, the default route is automatically configured at the global level (for the forest).

  • Override the default route for an individual Enterprise pool and Standard Edition Server. To use a different route than the global default route to send outbound SIP traffic from specific servers or pools, you can configure the pool-level settings to override the global default route. If you are using a Director, it is typically configured as the next hop server at the global level, but on the Director itself, you override this setting and configure the Access Edge Server as the next hop server.

Use the procedures in this section, as appropriate, to configure the global default route and, if appropriate, to override the global default route for a specific Standard Edition Server or Enterprise pool. After you enable federation and public IM connectivity, you enable federation, public IM connectivity, or both for each individual user account.
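The route-selection rule above (requests for domains outside the organization's SIP domains follow the pool-level override when one exists, otherwise the global default route, with the Director overriding the global route to hand traffic to the Access Edge Server) is easy to misconfigure: if the Director's override is forgotten, the global route points the Director at itself. The following script, an added illustration and not Microsoft's code, models that decision and walks the next-hop chain from each pool, detecting the loop. The `RoutingConfig` class, `route_path`, `audit_routes` and all host and domain names are constructed for the example.

```python
"""Model of outbound SIP route selection: a request for a domain outside the
organisation's SIP domains goes to the pool-level override if set, otherwise
to the forest-level global default route. Added illustration, not Microsoft's
code; class and sample names are constructed."""
from dataclasses import dataclass, field


@dataclass
class RoutingConfig:
    internal_sip_domains: set                            # domains hosted in the forest
    global_default_route: tuple                          # (fqdn, port) on the forest Federation tab
    pool_overrides: dict = field(default_factory=dict)   # pool fqdn -> (fqdn, port)
    access_edges: set = field(default_factory=set)       # internal FQDN (or VIP FQDN) of Access Edge Servers


def sip_domain(uri):
    """Return the lowercase domain of a SIP address such as 'sip:bob@fabrikam.com'."""
    addr = uri[4:] if uri.lower().startswith("sip:") else uri
    if "@" not in addr:
        raise ValueError(f"no domain in SIP address {uri!r}")
    return addr.rsplit("@", 1)[1].lower()


def next_hop(cfg, server, target_uri):
    """One routing decision made on `server`: None when the target domain is
    internal (the request stays inside the forest), else that server's
    override when present, else the global default route."""
    if sip_domain(target_uri) in {d.lower() for d in cfg.internal_sip_domains}:
        return None
    return cfg.pool_overrides.get(server.lower(), cfg.global_default_route)


def route_path(cfg, origin_pool, target_uri, max_hops=8):
    """Follow next hops from origin_pool until an Access Edge Server is
    reached. Returns the FQDNs traversed; raises RuntimeError when a hop
    revisits a server (the loop a Director without its own override creates)
    or the chain exceeds max_hops."""
    path = [origin_pool.lower()]
    edges = {e.lower() for e in cfg.access_edges}
    while True:
        hop = next_hop(cfg, path[-1], target_uri)
        if hop is None:
            return path
        fqdn = hop[0].lower()
        if fqdn in path:
            raise RuntimeError("routing loop: " + " -> ".join(path + [fqdn]))
        path.append(fqdn)
        if fqdn in edges:
            return path
        if len(path) > max_hops:
            raise RuntimeError("next-hop chain too long: " + " -> ".join(path))


def audit_routes(cfg, pools, probe_uri="sip:probe@external.example"):
    """Resolve the external route from every pool; map pool -> path or error text."""
    result = {}
    for pool in pools:
        try:
            result[pool] = route_path(cfg, pool, probe_uri)
        except RuntimeError as exc:
            result[pool] = f"ERROR: {exc}"
    return result


# Constructed sample: pools route via a Director, and the Director overrides
# the global route to hand traffic to the Access Edge Server.
GOOD = RoutingConfig(
    internal_sip_domains={"contoso.com"},
    global_default_route=("director.contoso.com", 5061),
    pool_overrides={"director.contoso.com": ("accessedge.contoso.com", 5061)},
    access_edges={"accessedge.contoso.com"},
)
# Same forest with the Director's override forgotten: the global route points
# the Director at itself.
LOOPED = RoutingConfig(
    internal_sip_domains={"contoso.com"},
    global_default_route=("director.contoso.com", 5061),
    access_edges={"accessedge.contoso.com"},
)
POOLS = ["pool01.contoso.com", "se01.contoso.com"]

if __name__ == "__main__":
    for cfg in (GOOD, LOOPED):
        for pool, outcome in audit_routes(cfg, POOLS).items():
            print(pool, "->", outcome)
```

With the correct configuration every pool resolves to pool, Director, Access Edge Server; with the override missing, every pool reports a routing loop at the Director, which is the condition to check for after changing the Federation tab on either level.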

Note

After you configure the global policy for federation and public IM connectivity, you need to manage federated partner access by configuring access by federated partners, and then monitor and manage access on an ongoing basis. For information and procedures, see the Managing Federated Partner Access section of this guide.

To enable federation and public IM connectivity and specify the global default route

  1. Log on to an Office Communications Server 2007 Standard Edition or Enterprise Edition server or a server with Office Communications Server 2007 installed as a member of the RTCUniversalServerAdmins group or a group with equivalent user rights.

  2. Open Office Communications Server 2007.

  3. In the console tree, right-click the forest node, click Properties, and then click Global Properties.

  4. Click the Federation tab.

  5. Select the Enable Federation and Public IM connectivity check box, and then do the following:

    • In FQDN, specify the FQDN of the Access Edge Server, Director, or load balancer through which outbound SIP traffic is to be routed.

    • In Port, accept the default value of 5061.

To override the global default route for an Enterprise pool or a Standard Edition Server

  1. Log on to an Office Communications Server 2007 Standard Edition or Enterprise Edition server or a server with Office Communications Server 2007 installed as a member of the RTCUniversalServerAdmins group or a group with equivalent user rights.

  2. Open Office Communications Server 2007.

  3. In the console tree, expand the forest node, and then do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, right-click Front Ends, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, right-click the pool, click Properties, and then click Front End Properties.

  4. On the Federation tab, in FQDN, specify the name of the next hop server.

  5. In Port, specify the port number. The default port is 5061.

Configuring Routing of Web Conferencing Traffic

To support Web Conferencing, you need to specify the Web Conferencing Edge Server to which your internal Web Conferencing Server sends outbound Web conferencing traffic destined for external users, and from which it receives inbound Web conferencing traffic originating outside the intranet.

During deployment of your edge servers, if you completed the Configure Server or Pool Wizard and configured your Enterprise pool or Standard Edition Server for external user access, the routing should have been automatically configured. If you want to change the settings, you can use the Office Communications Server 2007 administrative snap-in to view or update the settings for the Web Conferencing Edge Server or add or remove a server.

Use the following procedures to configure routing of outbound traffic to a Web Conferencing Edge Server, including the following:

  • Specify the internal and external FQDNs of the Web Conferencing Edge Server.

  • Specify the ports used to communicate with the Web Conferencing Edge Server. The same ports are used for all Web Conferencing Edge Servers of an Enterprise pool or Standard Edition Server.

To specify the internal and external FQDNs of the Web Conferencing Edge Server

  1. Open Office Communications Server 2007.

  2. In the console tree, do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, right-click Web Conferencing, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, right-click the pool, click Properties, and then click Web Conferencing Properties.

  3. Click the Web Conferencing Edge Server tab.

  4. On the Web Conferencing Edge Server tab, do one or more of the following:

    • To add a Web Conferencing Edge Server, click Add. In the Add Web Conferencing Edge Server FQDN dialog box, type the internal FQDN and the external FQDN for the server you want to add, and then click OK.

    • To edit an existing Web Conferencing Edge Server, click the server name, and then click Edit. Under Web Conferencing Edge Server FQDNs, modify the internal FQDN and the external FQDN, as appropriate, and then click OK.

    • To remove a Web Conferencing Edge Server, click the name of the server to be removed, and then click Remove.

To specify the ports used to communicate with a Web Conferencing Edge Server

  1. Open Office Communications Server 2007.

  2. In the console tree, do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, right-click Web Conferencing, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, right-click the pool, click Properties, and then click Web Conferencing Properties.

  3. Click the Web Conferencing Edge Server tab.

  4. On the Web Conferencing Edge Server tab, do the following:

    • In External port, type the external port number that is used by the Web Conferencing Edge Server. External clients use this port to connect to the Web Conferencing Edge Server. This port must be open on all Web Conferencing Edge Servers. The default is 443.

    • In Internal port, type the internal port number that is used by the Web Conferencing Edge Server. Internal servers use this port to connect to the Web Conferencing Edge Server. This port must be open on all Web Conferencing Edge Servers. The default is 8057.

Configuring A/V Conferencing Remote User Authentication

Remote users connecting to A/V conferences must be authenticated at the A/V Edge Server. The Office Communications Server Audio/Video Authentication service authenticates users participating in A/V conferencing. To do this, the A/V Conferencing Server must be configured with the appropriate A/V authentication settings. The settings you specify at the pool level apply to inbound and outbound A/V connections (RTP/RTCP streams) on all A/V Conferencing Servers in a pool.

To configure authentication for A/V Conferencing

  1. Open Office Communications Server 2007.

  2. In the console tree, do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, right-click A/V Conferencing, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, right-click the pool, click Properties, and then click A/V Conferencing Properties.

  3. Click the General tab.

  4. On the General tab, in the first drop-down list box, click the internal FQDN and port to be used for the A/V authentication. A colon separates the FQDN and port (for example, AVEdge.contoso.com:5062). If you completed the Configure Server or Pool Wizard during deployment of your edge server or afterwards, the available A/V Edge Servers are listed here. If you want to change these settings, you can use the Office Communications Server 2007 administrative snap-in to view or update the settings for the A/V Edge Server using Office Communications Server Global Properties.

Configuring A/V Conferencing Media Encryption

To provide security, media streams used in conferencing can be encrypted.

To configure A/V Conferencing media encryption

  1. Open Office Communications Server 2007.

  2. In the console tree, do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, right-click A/V Conferencing, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, right-click the pool, click Properties, and then click A/V Conferencing Properties.

  3. Click the General tab.

  4. On the General tab, in the Encryption level drop-down list box, click one of the following:

    • Require encryption. Inbound and outbound audio and video connections to the A/V Conferencing Servers in this pool must be encrypted using SRTP. If you require encryption, a participant whose computer is not capable of SRTP encryption will be unable to join any audio/video conferences that are hosted by the A/V Conferencing Servers in this pool. (Office Communicator 2007 clients support SRTP encryption. Legacy clients, such as Office Communicator 2005, support 3DES encryption.)

    • Support encryption. Inbound and outbound audio and video connections to the A/V Conferencing Servers in this pool can be encrypted using Secure Real-Time Transport Protocol (SRTP) for clients that support it.

    • Do not support encryption. Inbound and outbound audio and video connections to the A/V Conferencing Servers in this pool are not encrypted.

Specifying the Next Hop Network Address and Port Number for Access Edge Servers

The server you specify in the next hop address is the server to which the Access Edge Server routes all incoming messages. This server is usually your Director.

To specify the next hop network address and port number

  1. On the Access Edge Server, open Computer Management.

  2. In the console tree, expand Services and Applications, right-click Office Communications Server 2007, and then click Properties.

  3. Click the Internal tab.

  4. In Next hop network address, type the FQDN of the Access Edge Server's next internal hop.

  5. In Port, specify the port number. The default is 5061.

Enabling and Configuring Remote User Access

You enable and configure remote access to control whether remote users can collaborate with internal Office Communications Server users. Remote users have a persistent Active Directory identity within the organization. They include employees working at home or on the road, and other remote workers, such as trusted vendors, who have been granted enterprise credentials. Remote users can create and join conferences and act as presenters.

You control remote access on two levels:

  • On the Access Edge Server, you specify whether or not to allow incoming remote access connections. Use the procedure in this section to specify whether or not to allow incoming remote access connections. If you configured this functionality when you deployed your edge servers, you do not need to do so again, unless you want to change an option.

  • At the user account level, you specify which users can make incoming connections from remote locations. To specify which users can connect remotely, see the Managing User Accounts section of this guide.

To configure the edge server for remote access with federated contacts and anonymous participation in meetings

  1. On the Access Edge Server, open Computer Management.

  2. In the console tree, expand Services and Applications, right-click Office Communications Server 2007, and then click Properties.

  3. On the Access Methods tab, select the Allow remote user access to your network check box, and then, if appropriate, do either or both of the following:

    • To enable anonymous external users to join meetings, select the Allow anonymous users to join meetings check box. For more information about additional configuration required to support this option, see the Enabling and Configuring Anonymous Participation in Meetings section of this guide, in Managing Connectivity between Internal Servers and Edge Servers.

    • If this edge server is configured as an Access Edge Server dedicated to remote user access (with another Access Edge Server configured for federation and public IM connectivity), select the Allow remote users to communicate with federated contacts check box to enable remote users connecting through this Access Edge Server to communicate with federated users that connect through another Access Edge Server. If the Federate with other domains check box on this tab is selected, the Allow remote users to communicate with federated contacts option is not available.

Enabling and Configuring Anonymous Participation in Meetings

Anonymous participation in meetings enables anonymous users, that is, users whose identity is verified through the meeting or conference key only, to join your meetings. By default, all users are disallowed from inviting anonymous users to participate in a meeting, unless you configure support as follows:

  • On the Access Edge Server, you specify whether or not to allow incoming remote access connections and whether to allow anonymous users to join meetings. To specify whether or not to allow incoming remote access connections and anonymous participation see the Enabling and Configuring Remote User Access section of this guide, in Managing Connectivity between Internal Servers and Edge Servers. If you configured this functionality when you deployed your edge servers, you do not need to do so again, unless you want to change the option.

  • At the global level, you specify the policy to be applied:

    • Allow all users in your organization to invite anonymous users to participate in meetings.

    • Block all users in your organization from inviting anonymous users.

    • Allow anonymous participation for your entire organization or on a per user basis.

    Use the procedure later in this section to specify the global policy.

  • At the user account level, if you set the global level policy to control anonymous participation on a per user basis, only the user accounts for which you enable this support can invite anonymous participants. If you set the global level policy to control anonymous participation on a per user basis, use the information in the Allowing or Disallowing Invitation of Anonymous Participants to Meetings by Individual Users section of this guide, in Configuring Individual Office Communications Server User Account Properties, to enable specific users to invite anonymous participants.

Note

Anonymous users are external users, but are not remote users because remote users have domain credentials. To enable anonymous users to participate in meetings, though, you must enable remote users, because that setting controls incoming traffic for individual users.

To configure the global policy for anonymous participation in meetings

  1. Log on to an Office Communications Server 2007 Standard Edition or Enterprise Edition server or a server with Office Communications Server 2007 installed as a member of the RTCUniversalServerAdmins group or a group with equivalent user rights.

  2. Open Office Communications Server 2007.

  3. In the console tree, right-click the forest node, click Properties, and then click Global Properties.

  4. Click the Meetings tab.

  5. In the Anonymous participants drop-down list box, click the global policy that you want to enforce:

    • Allow users to invite anonymous participants. This policy allows all users in your organization to invite anonymous users to meetings.

    • Disallow users from inviting anonymous participants. This policy prevents all users in your organization from inviting anonymous users to meetings.

    • Enforce per user. This policy requires that you configure each individual user account that you want to be able to invite anonymous users (as covered in the next procedure). All other users are prevented from inviting anonymous users.

  6. If an appropriate global meeting policy has not been assigned, you can configure one as follows:

    • Under Policy Settings, in the Global policy drop-down list box, click the name of the policy that you want to use for meetings.

    • To view or modify a policy, under Policy definition, click the name of the policy, click Edit, modify the policy, as appropriate, and then click OK.

    Note

    For more information about the Global policy and policy definition, see the Configuring Meeting Policies section of this guide, in Managing Support for On-Premise Web Conferencing Meetings.