Managing Front End Servers

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Both Standard Edition Servers and Enterprise pools have Front End Server settings at the pool level and at the server level that require configuration. Managing these Front End Server settings includes the following tasks:

  • Configuring Connections for Servers

  • Configuring IM Conferencing for Servers

  • Configuring Telephony Conferencing for Servers

  • Configuring Certificates for Servers

  • Configuring Compression for Front End Servers

  • Configuring Authentication for Front End Servers

  • Configuring Static Routes for Pools

  • Configuring Authorized Hosts

Use the information and procedures in this section to configure these server-level and pool-level settings. Other settings, including settings that are specific to federation, host authorization, archiving, and Enterprise Voice, are configured at the pool level. Use the appropriate sections later in this guide to configure those other pool-level settings.

Configuring Connections for Servers

Configuring a Standard Edition Server or Front End Server in an Enterprise pool requires specifying the addresses, ports, and transports that this server uses for inbound connections.

Use the following procedure to configure connection settings for a Front End Server.

To add or edit an incoming connection for a Standard Edition Server or Front End Server in an Enterprise pool

  1. Open Office Communications Server 2007.

  2. In the console tree, expand the forest node, and then do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, expand Front Ends, right-click the Front End Server that you want to configure, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, expand the pool, right-click the server, click Properties, and then click Front End Properties.

  3. On the General tab, in Connections, do one of the following:

    • To remove a connection, click it, and then click Remove.

    • To temporarily disable a connection, clear the check box next to the connection.

    • To add an address to the list of connections, click Add.

    • To change the configuration of an address in the list of connections, click Edit.

  4. If adding or editing a connection, within the Add Connection or Edit Connection dialog box, in Listening Address Settings, specify the appropriate connection information:

    • IP address. In the list, click the IP address associated with the Front End Server or, if you do not want to use a specific IP address for this connection, click All. The default is All, which is recommended if IP addresses in your environment are assigned dynamically or if your environment uses the FQDN to refer to the server instead of the IP address.

    • Port. Type the number of the port on which this connection listens for incoming connections. This is the port on which the Front End Server receives SIP messages. By default, the conventional SIP ports are used.

    • Transport. In the list, click the transport protocol to be used for messages sent to the Front End Server over this connection. Specifying TLS or MTLS rather than TCP encrypts communications with this server. Removing TCP connections, so that only TLS or MTLS is accepted, can make connections to this server more secure.

    You can configure multiple listening addresses, but in order to avoid conflicts, you can configure only one for each transport type. When you configure a new listening address, ensure that you choose a port that is not already in use on the computer.

  5. In Connections, ensure that the check box of each connection that you want to use is selected, and then click OK.

To remove an incoming connection for a Standard Edition Server or Enterprise pool

  1. Open Office Communications Server 2007.

  2. In the console tree, expand the forest node, and then do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, expand Front Ends, right-click the Front End Server that you want to configure, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, expand the pool, right-click the server, click Properties, and then click Front End Properties.

  3. On the General tab, in Connections, click a connection, click Remove, and then click OK.

Configuring IM Conferencing for Servers

The IM Conferencing component of the Front End Server manages group IM conferences for users of Microsoft Office Communicator 2007. During installation, the Front End Server is configured with default settings for IM conferencing. On the IM Conferencing tab, you can configure the IP address and the SIP listening port to be used for group IM:

  • IP address: This is the IP address that is associated with the IM Conferencing component of the Front End Server.

  • SIP listening port: This is the port on which the IM Conferencing component of the Front End Server receives SIP signaling messages. You can configure multiple listening addresses, but in order to avoid conflicts, you can configure only one for each transport type. Use a port that is not already in use on the computer.

If you change the settings, ensure that the settings you choose do not conflict with settings for other Communications Server components that are running on the same computer.

To configure IM conferencing for a Front End Server

  1. Open Office Communications Server 2007.

  2. In the console tree, expand the forest node, and then do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, expand Front Ends, right-click the Front End Server that you want to configure, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, expand the pool, right-click the server, click Properties, and then click Front End Properties.

  3. Click the IM Conferencing tab.

  4. In the IP address box, click the IP address that you want to use. The default is All, which is recommended if IP addresses in your environment are assigned dynamically or if your environment will use the FQDN (fully qualified domain name) to refer to the server instead of the IP address.

  5. In the SIP listening port box, type the port number that you want to use. Ensure that you specify a port that is not already in use on the computer.

Configuring Telephony Conferencing for Servers

The Telephony Conferencing component of the Front End Server manages group phone conferences for users of Microsoft Office Communicator 2007. During installation, the Front End Server is configured with default settings for phone conferencing, which specify the IP address and port on which the Front End Server receives messages. If you change the settings, ensure that the settings you choose do not conflict with settings for other Communications Server components that are running on the same computer.

On the Telephony Conferencing tab, you can configure the IP address and the SIP listening port used for phone conferencing:

  • IP address: The IP address that is associated with the Telephony Conferencing component of the Front End Server. The default is All, which we recommend if IP addresses in your environment are assigned dynamically or if your environment will use the FQDN (fully qualified domain name) to refer to the server instead. To refer to the server by using a single, specific IP address, click IP address, and then click the IP address that you want to use.

  • SIP listening port: The port on which the Telephony Conferencing component of the Front End Server receives SIP signaling messages.

You also enable telephony for individual users. For more information, see the Configuring Telephony for Individual Users section of this guide, in Configuring Individual Office Communications Server User Account Properties.

To configure telephony conferencing

  1. Open Office Communications Server 2007.

  2. In the console tree, expand the forest node, and then do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, expand Front Ends, right-click the Front End Server that you want to configure, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, expand the pool, right-click the server, click Properties, and then click Front End Properties.

  3. Click the Telephony Conferencing tab.

  4. In the IP address box, click the IP address that you want to use. The default is All, which is recommended if IP addresses in your environment are assigned dynamically or if your environment will use the fully qualified domain name (FQDN) to refer to the server instead.

  5. In the SIP listening port box, type the port number that you want to use. The default value is 5064.

Configuring Certificates for Servers

Using Transport Layer Security (TLS) or Transport Layer Security with Mutual Authentication (MTLS) requires a certificate to be used for authentication of inbound connections to the Front End Server and for some outbound connections from the Front End Server. The certificate that you select from the list is provided by the server in response to authentication challenges from clients or servers that send messages to this server.

If your deployment is a Standard Edition Server or an Enterprise pool in the consolidated configuration, the certificate configuration applies to all pool server roles collocated on the computer, including the Web Conferencing Server and, if deployed, the A/V Conferencing Server. If your deployment is an Enterprise pool in an expanded configuration, you must configure the certificate for the Web Conferencing Server and A/V Conferencing Server individually. For information about configuring the certificate for those individual servers, see the Configuring Certificates for Web Conferencing Servers (later in this topic) and Configuring Certificates for A/V Conferencing Servers (in Managing A/V Conferencing) sections of this guide.

You should have set up the appropriate certificate using the Certificate Wizard when you deployed the Standard Edition Server or Front End Server of an Enterprise pool. If you want to change the certificate, you can do either of the following:

  • You can use the Certificate Wizard to guide you through the process of requesting and assigning certificates to various Office Communications Server 2007 server roles. (You can launch the Certificate Wizard from the Available tasks pane in Office Communications Server 2007 and in Computer Management for Standard Edition Servers. You can also access it from the Office Communications Server 2007 installation media).

  • If you want to assign a different certificate on an individual server, view a certificate, or delete a certificate, you can open the individual server's properties and configure the certificate using the Certificate tab. The procedures in this section describe how to use the Certificate tab.

Any modifications you make are only applied to future connections—existing connections continue to use the old certificate as long as the connection continues.

Note

If the default certificate does not have the name of the local server, clicking the Certificate tab of the properties sheet for the Front End Server generates a warning stating that making any changes to the certificate may mean that other clients or servers will be unable to connect to this server.

To view the certificate used for the Standard Edition Server or Front End Server in an Enterprise pool

  1. Open Office Communications Server 2007.

  2. In the console tree, expand the forest node, and then do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, expand Front Ends, right-click the Front End Server that you want to configure, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, expand the pool, right-click the server, click Properties, and then click Front End Properties.

  3. On the Certificate tab, click Select Certificate.

  4. In the Select Certificate dialog box, in the list of certificates, click the certificate you want to view, and then click View Certificate.

  5. In the Certificate dialog box, do the following:

    • On the General tab, view the certificate name, to whom it is issued, who issued it, how long it is valid, and whether you have a private key corresponding to the certificate.

    • On the Details tab, view the certificate fields and their values, including the fields for any or all of the following: version 1 fields, extensions, critical extensions, and properties.

    • On the Certification Path tab, view the certification path and certificate status.

To change the certificate used for the Standard Edition Server or Front End Server in an Enterprise pool

  1. Open Office Communications Server 2007.

  2. In the console tree, expand the forest node, and then do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, expand Front Ends, right-click the Front End Server that you want to configure, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, expand the pool, right-click the server, click Properties, and then click Front End Properties.

  3. On the Certificate tab, click Select Certificate.

  4. In the Select Certificate dialog box, in the list of certificates, click the certificate you want to use, and then click OK twice.

  5. If the subject name or any setting other than the expiration date differs between the new certificate and the expiring certificate, restart the following Front End services: Front End service, IM Conferencing service, Telephony Conferencing service, Web Conferencing service, and Audio/Video Conferencing service (if the Web Conferencing Server and A/V Conferencing Server are collocated on the Front End Server computer).

To delete the certificate used for the Standard Edition Server or Front End Server in an Enterprise pool

  1. Open Office Communications Server 2007.

  2. In the console tree, expand the forest node, and then do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, expand Front Ends, right-click the Front End Server that you want to configure, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, expand the pool, right-click the server, click Properties, and then click Front End Properties.

  3. On the Certificate tab, click Delete Certificate, and then click OK. This causes the certificate to no longer be assigned to the server for TLS or MTLS, but the certificate is not deleted from the computer.

  4. Restart the following Front End services: Front End service, IM Conferencing service, Telephony Conferencing service, Web Conferencing service, and Audio/Video Conferencing service (if the Web Conferencing Server and A/V Conferencing Server are collocated on the Front End Server computer).

Configuring Compression for Front End Servers

Compressing connections between servers and clients can help improve performance on your network by reducing the bandwidth used by Office Communications Server. You can enable compression for outgoing server-to-server connections from servers in the pool, client-to-server connections, or both.

To configure compression for Front Ends

  1. Log on to the Office Communications Server 2007 server as a member of the RTCUniversalServerAdmins group.

  2. Open Office Communications Server 2007.

  3. In the console tree, expand the forest node, and then do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, right-click Front Ends, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, right-click the pool, click Properties, and then click Front End Properties.

  4. Click the Compression tab.

  5. On the Compression tab, do either or both of the following:

    • In Server Compression, select or clear the Request compression on outgoing server-to-server connections check box. If you select this check box, then in Maximum number of server-to-server connections, type a number from 0 through 65535 to specify the maximum allowable connections from the servers in this pool to other servers.

    • In Client Compression, select or clear the Enable compression on client-to-server connections check box. Selecting this check box causes incoming connections between the clients and servers in the pool to be compressed.

Configuring Authentication for Front End Servers

The authentication protocol you specify for each pool determines which challenges servers in the pool issue to clients. The available protocols are:

  • Kerberos. The servers in the pool issue challenges using only Kerberos authentication.

  • NTLM. The servers in the pool issue challenges using only Windows NT LAN Manager (NTLM) authentication.

  • Both NTLM and Kerberos. The servers in the pool issue challenges using either NTLM or Kerberos authentication, depending on the capabilities of the client.

To specify the authentication protocol for Front End Servers

  1. Log on to the Office Communications Server 2007 server as a member of the RTCUniversalServerAdmins group.

  2. Open Office Communications Server 2007.

  3. In the console tree, expand the forest node, and then do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, right-click Front Ends, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, right-click the pool, click Properties, and then click Front End Properties.

  4. Click the Authentication tab.

  5. On the Authentication tab, in the Authentication protocol list, click the protocol you want to use:

    • Kerberos is the strongest password-based authentication scheme available to clients, but it is normally available only to enterprise clients because it requires client connection to a Key Distribution Center (Kerberos domain controller). This setting is appropriate if the server authenticates only enterprise clients.

    • NTLM is a password-based authentication scheme that uses a challenge-response hash of the password. This is the only form of authentication available to clients without connectivity to a Key Distribution Center (Kerberos domain controller), such as outside users. If a server only authenticates outside users, or Kerberos is otherwise undesirable, NTLM is the preferred choice.

    • Both NTLM and Kerberos is the best choice when a server supports authentication for both outside and enterprise users. The edge server and internal servers communicate to ensure that only NTLM authentication is offered to outside clients. If only Kerberos is enabled on these servers, they cannot authenticate outside users. If enterprise users also authenticate against the server, their clients choose Kerberos over NTLM.

Configuring Static Routes for Pools

You configure static routes for each pool to specify the routes for all outbound connections from all servers in the pool. A static route directs traffic to a specific entity. For example, you can create a static route to handle messages with phone URIs. With such a static route, all inbound messages to the pool that contain a phone URI are sent to the address specified as the next hop computer in the static route. That next hop computer can be an Internet Protocol public switched telephone network (IP-PSTN) gateway that routes the call so that the phone number associated with the phone URI receives a call.

For Enterprise Voice users, an outbound call made by the user is subject to the routing rules specified in the outbound routing application. If Enterprise Voice is not enabled for users, a static route is required to route the outbound call, and the request URI must match the route. Optionally, you can configure a static route for use by Enterprise Voice users, but the static route will only be applied to those users if you disable the OutboundRouting application. For more information about the OutboundRouting application, see the Managing Applications section of this guide.

Configuration of the static route includes the following:

  • Matching URI. This specifies a fixed uniform resource identifier (URI) that will use the static route for an outbound network connection.

  • Next hop. This specifies the computer that is the next hop in the route. To specify the computer, you specify the following:

    • Next hop computer. You specify the computer using either of the following:

      • Fully qualified domain name (FQDN). You can specify the next hop server's FQDN only if you configure the route to use TLS as the transport.

      • IP address of the next hop computer on the route. You can specify the next hop server's IP address only if you configure the route to use TCP as the transport.

    • Transport protocol. This is the protocol to be used to send messages to the next hop computer:

      • TCP. This specifies that the message sent to the next hop computer will use the Transmission Control Protocol (TCP).

      • TLS. This specifies that the message sent to the next hop computer will use the Transport Layer Security (TLS) protocol.

    • Port. This specifies the port on the next hop computer to which messages will be sent.

  • Replace host in request URI. Select this option to specify that the host part of the request URI in the incoming message be replaced with the address of an Internet Protocol public switched telephone network (IP-PSTN) gateway.

You can create multiple static routes but, to avoid routing conflicts, static routes cannot include the same matching URI.

If you create a static route but messages are not routed as you expect, ensure that the static route is configured properly. You can edit an existing static route so that it better matches the incoming messages that you want to route using the static routing rules. If a message that you expect to use the static routing rules does not, confirm that the matching domain is not too restrictive. Also confirm that the next hop computer can be reached by all the servers in the pool.
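The matching and validation rules described above, as an added example that is not part of the original guide or of Office Communications Server: each static route carries a matching URI (domain or wildcard domain plus the Phone URI flag), a next hop named by FQDN over TLS or by IP address over TCP, a port and the Replace host flag. The wildcard semantics, the phone-URI detection and the sample names and addresses are assumptions.

```python
"""Static-route selection for an OCS 2007 Front End pool.

Added example, not Microsoft code. It models the Routing tab fields the guide
describes and checks the constraints the guide states (FQDN only with TLS, IP
address only with TCP, no two routes with the same matching URI). Wildcard
semantics and phone-URI detection are assumptions, noted in the comments.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticRoute:
    domain: str                 # matching URI domain, e.g. "contoso.com" or "*.contoso.com"
    phone_uri: bool             # True: the route applies to phone URIs only
    transport: str              # "TLS" or "TCP"
    next_hop: str               # FQDN when transport is TLS, IP address when TCP
    port: int
    replace_host: bool = False  # "Replace host in request URI" (IP-PSTN gateway)


def _is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def validate_route(route: StaticRoute) -> List[str]:
    """Return the guide's per-route rules that this route violates."""
    problems = []
    if route.transport == "TLS" and _is_ip(route.next_hop):
        problems.append("TLS next hop must be an FQDN, not an IP address")
    elif route.transport == "TCP" and not _is_ip(route.next_hop):
        problems.append("TCP next hop must be an IP address, not an FQDN")
    elif route.transport not in ("TLS", "TCP"):
        problems.append(f"unknown transport {route.transport!r}")
    if not 1 <= route.port <= 65535:
        problems.append(f"port {route.port} out of range")
    return problems


def validate_route_set(routes: List[StaticRoute]) -> List[str]:
    """Per-route rules plus the rule that no two routes share a matching URI.
    Assumption: the matching URI is the (domain, Phone URI flag) pair."""
    problems, seen = [], set()
    for r in routes:
        problems.extend(f"{r.domain}: {p}" for p in validate_route(r))
        key = (r.domain.lower(), r.phone_uri)
        if key in seen:
            problems.append(f"{r.domain}: duplicate matching URI")
        seen.add(key)
    return problems


def _parse_request_uri(uri: str) -> Tuple[str, bool]:
    """Split a sip: request URI into (host, is_phone_uri). Simplification: the
    URI counts as a phone URI when it carries the ;user=phone parameter."""
    _, _, rest = uri.partition(":")
    addr, _, params = rest.partition(";")
    host = addr.rsplit("@", 1)[-1].split(":", 1)[0]
    return host.lower(), "user=phone" in params.lower()


def select_route(uri: str, routes: List[StaticRoute]) -> Optional[StaticRoute]:
    """Pick the route for a request URI, or None when no matching URI applies.
    An exact domain match beats a wildcard; a wildcard "*.example.com" matches
    any host below example.com (assumption: the guide does not define wildcard
    semantics). A Phone URI route matches phone URIs only, and vice versa."""
    host, is_phone = _parse_request_uri(uri)
    wildcard_hit = None
    for r in routes:
        if r.phone_uri != is_phone:
            continue
        d = r.domain.lower()
        if d.startswith("*."):
            if host.endswith(d[1:]) and wildcard_hit is None:
                wildcard_hit = r
        elif host == d:
            return r
    return wildcard_hit


# Constructed sample configuration; names and addresses are placeholders.
ROUTES = [
    StaticRoute("contoso.com", False, "TLS", "sipfe01.contoso.com", 5061),
    StaticRoute("*.contoso.com", False, "TLS", "sipedge01.contoso.com", 5061),
    StaticRoute("contoso.com", True, "TCP", "192.0.2.10", 5060, replace_host=True),
]
BAD_ROUTE = StaticRoute("fabrikam.com", False, "TLS", "192.0.2.20", 5061)
```

Running `validate_route_set(ROUTES)` returns no problems, while `validate_route(BAD_ROUTE)` reports the FQDN/TLS mismatch, and `select_route` shows which next hop a given request URI would take.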

To configure a static route for outbound proxy requests or PSTN gateway calls

  1. Log on to the Office Communications Server 2007 server as a member of the RTCUniversalServerAdmins group.

  2. Open Office Communications Server 2007.

  3. In the console tree, expand the forest node, and then do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, right-click Front Ends, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, right-click the pool, click Properties, and then click Front End Properties.

  4. Click the Routing tab.

  5. On the Routing tab, do the following:

    • To specify a new static route, click Add.

    • To change the configuration of an existing static route, click the static route, and then click Edit.

  6. In the Add Static Route dialog box or Edit Static Route dialog box, under Matching URI, do the following:

    • In Domain, type the domain name (or wildcard domain name) that an incoming network connection must use in order for the static route to be applied to the subsequent outbound connection.

    • If this is a phone URI, select the Phone URI check box.

  7. Under Next hop, do the following:

    • In the Transport box, click TCP to use the Transmission Control Protocol for routing connections to the next hop computer, or click TLS to use the Transport Layer Security protocol.

    • If you are using TLS, type the FQDN of the computer that is defined as the next hop in FQDN.

    • If you are using TCP, type the IP address of the computer that is defined as the next hop in IP address.

    • In Port, type the port number of the next hop computer to which matching incoming network connections on the servers in the pool are to be routed.

    • To specify that the host part of the request URI in the incoming message be replaced with the address of an IP-PSTN gateway, select the Replace host in request URI check box.

Configuring Authorized Hosts

An authorized host is a server, client, or gateway that you explicitly designate as trusted. For example, an authorized host might be a server or client that has already performed authentication but does not appear on the trusted server list. Or it might be an IP-PSTN gateway or other entity that does not perform authentication but can be trusted anyway. When specifying an authorized host, you need to specify the following:

  • Server. You can identify the server using either the FQDN or IP address.

  • Settings. You can specify the following settings for each authorized host:

    • Outbound only. This specifies that a server in this pool can only make outbound connections to the authorized host. When you select this option, the authorized host cannot open a connection to the servers in this pool. When you do not select this option, the remote authorized host can open connections to the servers in this pool. This setting is only used in conjunction with a static route.

    • Throttle as server. This specifies that connections made to the authorized host are throttled as though the authorized host is a server instead of a client computer. When you select this option, greater throughput to the authorized host is enabled than is allowed when connecting for client connections. If you do not select this option, the authorized host is throttled as a client, meaning that greater restrictions are imposed on the connection.

    • Treat as authenticated. This specifies that connections made to the authorized host are considered to have already been authenticated and, therefore, are not challenged by the servers in the pool. If you select this option, you should mitigate the risks by implementing additional security measures, such as a firewall or IPsec, around the authorized host.

To add or edit an authorized host for a Standard Edition Server or Enterprise pool

  1. Open Office Communications Server 2007.

  2. In the console tree, expand the forest node, and then do one of the following:

    • For an Enterprise pool, expand Enterprise pools, expand the pool, right-click Front Ends, and then click Properties.

    • For a Standard Edition Server, expand Standard Edition servers, right-click the name of the pool, click Properties, and then click Front End Properties.

  3. Click the Host Authorization tab.

  4. On the Host Authorization tab, do one of the following:

    • To add an authorized host, click Add.

    • To change the configuration of an authorized host, click Edit.

  5. In the Add Authorized Host or Edit Authorized Host dialog box, specify the appropriate information:

    • Under Server, click FQDN and type the FQDN of the authorized host, or click IP address and type the IP address of the authorized host. Specify the FQDN of the authorized host if you configured a static route on the pool that specifies the next hop computer by its FQDN. Specify the IP address of the authorized host if you configured a static route on the pool that specifies the next hop computer by its IP address. The IP address 0.0.0.0 is not allowed. Multicast addresses ranging from 224.0.0.0 to 239.255.255.255 are also not allowed. All other IP addresses are allowed.

    • Under Settings, select the check boxes of the options that you want to implement (Outbound Only, Throttle As Server, and Treat As Authenticated). If you select the Treat As Authenticated option, you should implement additional security measures (such as a firewall or IPsec) around the authorized host.
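The address rules and setting dependencies from this section, as an added example that is not part of the original guide or of Office Communications Server: the server is named by FQDN or IP address, 0.0.0.0 and the multicast range 224.0.0.0 through 239.255.255.255 are rejected, Outbound only is meaningful only together with a static route, and Treat as authenticated is flagged because it suppresses the pool's authentication challenges. The field names and the sample entries are assumptions.

```python
"""Review of Host Authorization entries for an OCS 2007 Front End pool.

Added example, not Microsoft code. It encodes the rules the guide states for
an authorized host entry and reports what an administrator should revisit
before clicking OK. Field names and the sample entries are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AuthorizedHost:
    server: str                           # FQDN or IP address, as typed in the dialog
    outbound_only: bool = False           # pool may only open connections to this host
    throttle_as_server: bool = False      # server-class rather than client-class limits
    treat_as_authenticated: bool = False  # connections from this host are never challenged


def address_allowed(server: str) -> bool:
    """Guide rule: 0.0.0.0 and 224.0.0.0 through 239.255.255.255 are not allowed;
    every other IP address is. A value that is not an IP address is taken to be
    an FQDN and accepted (DNS name syntax is not checked here)."""
    try:
        addr = ip_address(server)
    except ValueError:
        return True
    # is_unspecified is exactly 0.0.0.0 and is_multicast is exactly 224.0.0.0/4.
    return not (addr.is_unspecified or addr.is_multicast)


def review_authorized_host(host: AuthorizedHost,
                           route_next_hops: Iterable[str]) -> List[str]:
    """Return findings for one entry; an empty list means nothing to fix.
    route_next_hops are the next-hop values (FQDNs or IP addresses) of the
    pool's static routes, so the entry can be matched against them."""
    findings = []
    if not address_allowed(host.server):
        findings.append("address not allowed (0.0.0.0 or multicast)")
    referenced = host.server.lower() in {h.lower() for h in route_next_hops}
    if host.outbound_only and not referenced:
        findings.append("Outbound only is set but no static route names this "
                        "host as its next hop")
    if host.treat_as_authenticated:
        findings.append("Treat as authenticated disables challenges; confine "
                        "the host with a firewall or IPsec")
    return findings


def review_all(hosts: Iterable[AuthorizedHost],
               route_next_hops: Iterable[str]) -> Dict[str, List[str]]:
    """Findings per entry, keyed by the server as typed in the dialog."""
    hops = list(route_next_hops)
    return {h.server: review_authorized_host(h, hops) for h in hosts}


# Constructed sample: next hops taken from the pool's static routes, and four
# candidate entries (an IP-PSTN gateway, an edge server, and two rejected ones).
NEXT_HOPS = ["sipedge01.contoso.com", "192.0.2.10"]
HOSTS = [
    AuthorizedHost("192.0.2.10", outbound_only=True, treat_as_authenticated=True),
    AuthorizedHost("sipedge01.contoso.com", throttle_as_server=True),
    AuthorizedHost("239.255.255.250"),
    AuthorizedHost("0.0.0.0", outbound_only=True),
]
```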