Export (0) Print
Expand All

Device Update Service

Communications Server 2007 R2

Topic Last Modified: 2009-06-08

In the previous release of Office Communications Server, the update service for devices, which was called Software Update Service, required a separate, somewhat complex installation. In the current release the update service, now called Device Update Service, is automatically installed along with the Web Components service, greatly simplifying deployment.

You will need to set up the infrastructure for the update service, performing such steps as creating a file system location for update files, configuring DNS records, and configuring proxy settings for external access. This topic provides background information about Device Update Service deployment and also covers the steps to set up the infrastructure. It refers to the detailed infrastructure requirements for Device Update Service that are covered in other topics that provide comprehensive requirements for all Office Communications Server components.

This topic provides the following information about Device Update Service:

  • Required components
  • Scaling considerations
  • Technical prerequisites
  • Deployment steps

This section describes the technologies and components required to deploy Device Update Service.

Servers

During Office Communications Server 2007 R2 installation, Device Update Service is automatically installed on all servers running the Web Components Server role. You do not need to plan for additional servers to support Device Update Service.

Device Update File Storage

Device Update Service uses a number of files that must be stored on a file system. The location is different, depending on which edition of Office Communications Server 2007 R2 you are running.

  • Office Communications Server 2007 R2 Enterprise Edition. Before running the Create Enterprise Pool wizard during deployment, you must create a shared folder for both client and device update files. Device Update Service creates folders within this shared folder in which to store update image files, log files, and configuration files. The shared folder will also be used by Office Communications Server for storing Office Communicator update files. During installation you will need to provide the UNC path of this folder.
  • Office Communications Server 2007 R2 Standard Edition. The installer automatically creates the DeviceUpdateFiles folder in the Web Components folder under the Office Communications Server 2007 R2 installation folder on the local computer. This folder is not shared, and it inherits the permissions of the installation folder. Device Update Service creates folders within the DeviceUpdateFiles folder in which to store update image files, log files, and configuration files.

Two virtual directories in Internet Information Services (IIS) refer to these folders:

  • The DeviceUpdateFiles_int virtual directory points internal devices to the updates folder.
  • The DeviceUpdateFiles_ext virtual directory points external devices to the updates folder.

For details about the virtual directories created for Office Communications Server 2007 R2, see Internet Information Services (IIS) Requirements.

Security

Device Update Service uses the authentication configured for the Web Components Server, so you do not need to take any additional steps to implement this security for Device Update Service, unless you are migrating external Communicator Phone Edition devices from the previous version Office Communications Server 2007. In this case, there are additional security configuration tasks to perform. For details, see the Migration from Office Communications Server 2007 Migration documentation. For details about performing the configuration for the Web Components Server, see Configure the Web Components Server IIS Certificate in Deploying Office Communications Server 2007 R2 Enterprise Edition in the Deployment documentation.

DNS Records

Communicator Phone Edition devices typically receive information about the pool or Standard Edition server hosting Device Update Service through in-band provisioning, when a user logs into that device. If a user has never logged into that device, however, the device uses DNS to discover the server hosting Device Update Service and obtain updates. RoundTable devices also use a DNS record to discover and connect to Device Update Service. To enable this discovery, you must create an internal DNS record. For details, see DNS Requirements for Servers.

If you plan to allow devices outside your organization’s firewall to access Device Update Service and obtain updates, you must also configure an external DNS record. For details, see DNS Requirements for External User Access.

External Device Access

If unified communications (UC) devices will be used outside of your corporate network, and you want to enable the devices to automatically update, the following prerequisites are required:

  • A supported edge topology must exist in your perimeter network.
  • A reverse proxy must be implemented in your perimeter network.
  • Remote user access must be enabled for users of UC devices.

For details about these requirements, see External User Access Components. For details about the specific configuration steps required to allow access for external devices, see ″Configure External Access for Devices″ later in this topic.

This section covers the technical prerequisites for Device Update Service to function correctly in your environment.

Configure Security Accounts

Device Update Service administrators must be members of the RTCUniversalServerAdmins security group.

Create the Shared Updates Folder

Device Update Service is automatically installed on all servers running the Office Communications Server 2007 R2 Web Components Server role. You do not need to take any specific installation steps.

As described previously, with Office Communications Server 2007 R2 Enterprise Edition, prior to installation you must create a file share that will be used to store both the device update files and the client update files. You will be asked to provide the UNC path of this share when using the Enterprise Pool deployment tool. So that the installer can access the share to create the necessary subfolders for the update files, you should grant Full Control permissions on the share to the RTCUniversalServerAdmins and DomainAdmins groups. For details, see Create the Pool in Deploying Office Communications Server 2007 R2 Enterprise Edition in the Deployment documentation. The installer sets the following discretionary access control list (DACL) on the share.

Table 1. DACL on the Shared Updates Folder and Subfolders

Security account Permissions

RTCUniversalServerAdmins

Read/Write

RTCHSUniversalServices

Read-only

RTCUniversalGuestAccessGroup

Read-only

With Office Communications Server 2007 R2 Standard Edition, creating a shared folder is not necessary, because the device update files, log files, and configuration files are stored on the local computer in a folder named DeviceUpdateFiles found in the Web Components folder under the installation folder. The default path is %ProgramFiles%\Microsoft Office Communicator 2007 R2\Web Components\DeviceUpdateFiles. The installer sets the following DACL on DeviceUpdateFiles and its subfolders.

Table 2. DACL on the DeviceUpdateFiles Folder and Subfolders

Security account Permissions

TERMINAL SERVER USER

Modify

CREATOR OWNER

Full Control

SYSTEM

Full Control

Administrators [FRONTEND\Administrators]

Full Control

Power Users [FRONTEND\Power user]

Modify

Users [FRONTEND\Users]

Read and Execute

Configure External Access for Devices

If you plan to give external users access to Office Communications Server features, including enabling UC devices to use Device Update Server for automatic updates while working outside your firewalls, you must take additional deployment steps, as described in this section.

Deploy Edge Servers

Edge Server is a server role in Office Communications Server that enables users outside of your firewall to access Office Communications Server 2007 R2 features. To deploy Edge Servers, follow the instructions in Office Communications Server 2007 R2 Edge Server Deployment Guide in the Deployment documentation, taking the following steps specifically enable external access to Device Update Service:

  • In the Configure a Reverse Proxy step in the Deploying Edge Servers for External User Access documentation, you must configure the reverse HTTP proxy to use the following Device Update Service virtual directories:
    • The external URL of the Web Components Server: https://<external Server FQDN>/RequestHandlerExt/ucdevice.upx
    • The external URL for the Update site: https://<external Server FQDN>/DeviceUpdateFiles_Ext
  • In the Configure DNS step in the Deploying Edge Servers for External User Access documentation, you must create a DNS A (host) record with the name ucupdates-r2.<SIP domain> that resolves to the IP address of the Enterprise pool or Standard Edition server hosting Device Update Service.
  • You may need to take steps to enable external Communicator Phone Edition devices from the previous version of Office Communications Server 2007 to update to the current version of the firmware. For details, see Migration from Office Communications Server 2007 in the Migration documentation.

Configure Certificates

Security is implemented by the use of certificates and Kerberos authentication. Device Update Service makes use of the Web Components Server security infrastructure. An existing PKI infrastructure must be in place and devices configured with a valid certificate issued from a public CA (recommended) or a private CA that allows the devices to connect to Device Update Service from outside the intranet.

Configure IPsec

If your organization uses IPsec, it must be configured to run in boundary or request mode.

This section lists the steps to take to deploy Device Update Service on Office Communications Server 2007 R2 Standard Edition and Enterprise Edition. Details on the requirements for each step are covered earlier, in ″Technical Prerequisites.″

Deploy Device Update Service on Standard Edition

  1. If you plan to allow external devices to obtain updates, verify that you have taken the steps described earlier, in ″Configure External Access for Devices.″
  2. Install Office Communications Server 2007 R2, as described in Deploy a Standard Edition Server in Deploying Office Communications Server 2007 R2 Standard Edition in the Deployment documentation.
  3. Add Device Update Service administrators to the RTCUniversalServerAdmins security group in Active Directory Domain Services (AD DS).
  4. If you have enabled access by external devices, follow the procedure in Verifying External Device Access in Administering Device Update Service in the Administering Office Communications Server 2007 R2 documentation to ensure that devices will be able to connect to Device Update Service from outside the firewall.

For details about configuring Device Update Service and managing updates, see Administering Device Update Service in the Administering Office Communications Server 2007 R2 documentation.

Deploy Device Update Service on Enterprise Edition

  1. If you plan to allow external devices to obtain updates, verify that you have taken the steps described earlier, in ″Configure External Access for Devices.″
  2. Create a shared folder to store both client and device update files, making a note of the UNC path, which you must provide when running the Create Enterprise Pools wizard.
  3. When running the Create Enterprise Pools wizard, as described in Create the Pool in the Deploying Office Communications Server 2007 R2 Enterprise Edition documentation, on the Specify Locations of Miscellaneous Server Stores page, provide the remote UNC path of the shared folder in the Client Update Data Store box.
  4. Add Device Update Service administrators to the RTCUniversalServerAdmins security group in Active Directory Domain Services.
  5. If you have enabled access by external devices, follow the procedure in Verifying External Device Access in Administering Device Update Service in the Administering Office Communications Server 2007 R2 documentation to ensure that devices will be able to connect to Device Update Service from outside the firewall.

For details about configuring Device Update Service and managing updates, see Administering Device Update Service in the Administering Office Communications Server 2007 R2 documentation.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft