Publishing a Virtual Server to the Web for Remote User Access

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Remote users sign in to Communicator Web Access by using a virtual server that has been configured for external users, as described earlier in this guide. Although you can make the external virtual server directly accessible to remote users, we strongly recommend that a reverse proxy be used to publish the virtual server to the Web.

If you do not intend to use single sign-on (SSO), any reverse proxy server can be used to Web publish a Communicator Web Access virtual server. If you do intend to use single sign-on, the only reverse proxy that is supported is Microsoft Internet Security and Acceleration (ISA) Server 2006 with SSO enabled on the Web listener.

Regardless of your choice of reverse proxy, for security reasons we recommend that the reverse proxy be a workgroup member and not a member server of the internal, trusted domain. Even so, both configurations are supported. Additionally, you must use SSL to publish the URI of Communicator Web Access as an HTTPS address. Using HTTP is not supported for remote access to Communicator Web Access.

The DNS suffix and the NetBIOS computer name of the proxy server must match the external DNS name, for example, contoso.com.

The reverse proxy can also be used as an alternative to a VPN for external users of your deployment of Communicator Web Access. The reverse proxy serves as a boundary between the perimeter network and the internal network.

Note

When you publish a Communicator Web Access virtual server through a reverse proxy, the reverse proxy can internally reference the Communicator Web Access server by its FQDN, host name, or IP address. If the reverse proxy will communicate with the internal Web server over HTTPS, we recommend the following:

  • The reverse proxy should reference the Communicator Web Access server by a name that either matches the subject name of the SSL certificate (not the MTLS certificate) on the Communicator Web Access server or that is included in the subject alternative name attribute of the certificate.

  • The name that the reverse proxy uses should be registered with the internal DNS servers as either the FQDN or one of the DNS alias names of the Communicator Web Access server.

For details about additional configuration of the reverse proxy, such as registering a friendly alias name in external DNS servers, see the documentation for your reverse proxy.

We recommend that all network adapters on the reverse proxy be configured with static IP addresses.

Requirements for the Reverse Proxy

The following is required:

  • An internal DNS A record that matches the external virtual server that you want to reach (typically the internal FQDN of the Communicator Web Access Server).

  • An external DNS A record for the external FQDN of the reverse proxy.

Any failure to resolve names will prevent the Web site from being published successfully.

  • A certificate on the reverse proxy with a subject name that matches the FQDN of the Communicator Web Access Server.

  • Using the default configuration, port 443 must be open on the firewall. If you are running multiple virtual servers on a single server, you will need to use a different port for the server that you want to be externally available or use a different port for your internal virtual server.
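The name, DNS, and port requirements above, together with the earlier note about matching the certificate's subject name or subject alternative name, can be checked before publishing. The following Python is an added example, not part of the original guide or of any Microsoft tooling; the host names and the sample certificate are constructed, and the wildcard handling goes beyond what the guide itself describes.

```python
import socket
import ssl

# Constructed sample, shaped like the dict returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "cwa01.corp.contoso.com"),),),
    "subjectAltName": (("DNS", "cwa01.corp.contoso.com"), ("DNS", "im.contoso.com")),
}

def cert_names(cert):
    """Return (subject common names, DNS subject alternative names)."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cns, sans

def _match(pattern, name):
    """Case-insensitive DNS match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == n[1:]
    return p == n

def name_covered(cert, name):
    """Say where the certificate covers `name`: 'subject', 'san', or None."""
    cns, sans = cert_names(cert)
    if any(_match(c, name) for c in cns):
        return "subject"
    if any(_match(s, name) for s in sans):
        return "san"
    return None

def preflight(name, port=443, timeout=5.0):
    """Live check: the name resolves, the port accepts TCP, the certificate covers it."""
    result = {"resolves": False, "port_open": False, "covered": None}
    try:
        socket.getaddrinfo(name, port)
        result["resolves"] = True
        ctx = ssl.create_default_context()  # chain must validate against local trust store
        ctx.check_hostname = False          # name comparison is done by name_covered()
        with socket.create_connection((name, port), timeout=timeout) as raw:
            result["port_open"] = True
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                result["covered"] = name_covered(tls.getpeercert(), name)
    except OSError:                         # DNS, TCP and TLS failures all derive from OSError
        pass
    return result
```

Run `preflight()` from the reverse proxy with the exact name it uses for the internal server; a short host name or IP address returns `covered: None` unless the certificate lists it.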

For performance reasons, we recommend that no other software be installed on the reverse proxy.

For details about Web publishing using SSL in a production environment, see "Secure Application Publishing" at https://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=WebPubSSL.

Configure Certificates on the Reverse Proxy

You must request an SSL certificate and download the CA certificate chain to the Trusted Root Certification Authorities, Certificates folder for the external reverse proxy server interface. As stated earlier, the certificate should have a subject name that matches the FQDN of the Communicator Web Access Server.

Important

The certificates must be issued from the same CA as the certificates that are used for the Communicator Web Access server and the Office Communications Server 2007 server, and they must use a duplicated Web server template. A certificate issued from a public CA is supported.

For details about certificate requirements and procedures, see "Digital Certificates for ISA Server 2004" at https://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=CertISA2004.

Testing the Web Site

To verify that the virtual server is published properly, on a computer that is outside your organization's firewall, open the Internet browser and go to the URI of the virtual server. If you are not using single sign-on, you should be prompted for your sign-in credentials. Sign in. You should see the Communicator Web Access client.

If you are using single sign-on and you have previously signed in, you should immediately see the Communicator Web Access client.
