Perimeter Network Configuration for IM and Conferencing

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Office Communications Server 2007 allows users working outside the enterprise network to participate in on-premises conferences, complete with data collaboration and the ability to relay audio and video through your organization's firewall. Office Communications Server 2007 also enhances existing support for remote access, federation, and public IM connectivity, which were introduced in Live Communications Server 2005 and Live Communications Server 2005 SP1.

Enabling conferencing and the ability to share data and media with users outside the corporate firewall requires two edge server roles that are new with Office Communications Server 2007: the Web Conferencing Edge Server and the A/V Edge Server.

The HTTP reverse proxy is not an Office Communications Server 2007 role, but it is required to provide external access to Address Book file information, the ability to expand membership in distribution groups, and access to meeting content in Web conferences.

Figure 10 shows the servers that are required in the Office Communications Server 2007 perimeter network and the protocols they use to communicate with Internet clients on one side and with Enterprise Edition servers on the other.

Figure 10. Office Communications Server 2007 external configuration


Required servers in the Office Communications Server 2007 perimeter network are as follows.

Access Edge Server

Formerly known as the Access Proxy, the Access Edge Server handles all SIP traffic across the corporate firewall. The Access Edge Server handles only the SIP traffic that is necessary to establish and validate connections. It does not handle data transfer, nor does it authenticate users. Authentication of inbound traffic is performed by the Director or the Front End Server. For more information, see the Microsoft Office Communications Server 2007 Planning Guide. A Director is an Office Communications Server 2007 Standard Edition server or Enterprise pool that does not home users and that resides inside the organization's firewall. A Director is not mandatory but is strongly recommended. If a Director is not deployed, this authentication is performed on the Front End Server in the pool or on the Standard Edition server that you designate to do so. (Active Directory access is required to perform authentication; the edge servers do not have this access because they are deployed in the perimeter network outside Active Directory.) The Access Edge Server is essential for all external user scenarios, including conferencing, remote user access, federation, and public IM connectivity.

Web Conferencing Edge Server

The Web Conferencing Edge Server proxies PSOM (Persistent Shared Object Model) traffic between the Web Conferencing Server and external clients. External conference traffic must be authorized by the Web Conferencing Edge Server before it is forwarded to the Web Conferencing Server. The Web Conferencing Edge Server requires that external clients use TLS connections and obtain a conference session key.

A/V Edge Server

The A/V Edge Server provides a single trusted connection point through which inbound and outbound media traffic can securely traverse NATs (network address translators) and firewalls. The industry-standard solution for multimedia traversal of firewalls is ICE (Interactive Connectivity Establishment), which is based on the STUN (Simple Traversal Underneath NAT) and TURN (Traversal Using Relay NAT) protocols. The A/V Edge Server is a STUN server. All users are authenticated to secure both access to the enterprise and use of the firewall traversal service that is provided by the A/V Edge Server. To send media inside the enterprise, an external user must be authenticated and must have an authenticated internal user agree to communicate with him or her through the A/V Edge Server.

The media streams themselves are exchanged by using SRTP (Secure Real-time Transport Protocol), which is an industry standard for real-time media transmission and reception over IP.
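The following Python example is added here to illustrate the STUN Binding exchange that the section above refers to: a client behind a NAT sends a Binding Request to a STUN server and learns its server-reflexive (public) address from the response. It is not code from the original page or from Office Communications Server; the A/V Edge Server's actual wire protocol is Microsoft's own ICE/TURN variant, which this page does not describe, so the example uses the IETF STUN message format of RFC 5389 (20-byte header, magic cookie, XOR-MAPPED-ADDRESS attribute). The sample response bytes are constructed inline, and the IP address and port in them are made up.

```python
import os
import socket
import struct

# RFC 5389 constants (assumption: IETF STUN, not the OCS 2007 wire protocol)
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS_RESPONSE = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(transaction_id=None):
    """Build a 20-byte STUN Binding Request with no attributes.

    The transaction ID should be unpredictable: the client later refuses any
    response whose ID does not match, so a spoofed response is discarded.
    """
    if transaction_id is None:
        transaction_id = os.urandom(12)
    # type, length (0: no attributes), magic cookie, 96-bit transaction ID
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, transaction_id)


def parse_stun_message(data):
    """Split a STUN message into (type, transaction_id, [(attr_type, value)])."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    transaction_id = data[8:20]
    if cookie != MAGIC_COOKIE:
        raise ValueError("missing RFC 5389 magic cookie")
    if len(data) != 20 + msg_len:
        raise ValueError("length field does not match message size")
    attrs = []
    pos = 20
    while pos < 20 + msg_len:
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        attrs.append((attr_type, data[pos + 4:pos + 4 + attr_len]))
        pos += 4 + ((attr_len + 3) // 4) * 4   # attributes are padded to 4 bytes
    return msg_type, transaction_id, attrs


def decode_xor_mapped_address(value):
    """Undo the XOR with the magic cookie and return (ip, port).

    The XOR encoding exists so that NAT ALGs rewriting literal IP addresses in
    payloads cannot corrupt the reflexive address the client relies on.
    """
    family = value[1]
    if family != FAMILY_IPV4:
        raise ValueError("example handles IPv4 only")
    xport = struct.unpack("!H", value[2:4])[0]
    port = xport ^ (MAGIC_COOKIE >> 16)
    cookie_bytes = struct.pack("!I", MAGIC_COOKIE)
    addr = bytes(a ^ b for a, b in zip(value[4:8], cookie_bytes))
    return socket.inet_ntoa(addr), port


def reflexive_address(response, expected_transaction_id):
    """Validate a Binding Response against our request and extract the address."""
    msg_type, transaction_id, attrs = parse_stun_message(response)
    if transaction_id != expected_transaction_id:
        raise ValueError("transaction ID mismatch: response not for our request")
    if msg_type != BINDING_SUCCESS_RESPONSE:
        raise ValueError("not a Binding success response")
    for attr_type, value in attrs:
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            return decode_xor_mapped_address(value)
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


def make_sample_response(transaction_id, ip, port):
    """Construct the Binding Response a STUN server would send (test data only)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    cookie_bytes = struct.pack("!I", MAGIC_COOKIE)
    xaddr = bytes(a ^ b for a, b in zip(socket.inet_aton(ip), cookie_bytes))
    attr_value = struct.pack("!BBH", 0, FAMILY_IPV4, xport) + xaddr
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(attr_value)) + attr_value
    return struct.pack("!HHI12s", BINDING_SUCCESS_RESPONSE, len(attr),
                       MAGIC_COOKIE, transaction_id) + attr


if __name__ == "__main__":
    tid = os.urandom(12)
    request = build_binding_request(tid)
    # Constructed response: pretend the server saw us as 203.0.113.7:51234
    response = make_sample_response(tid, "203.0.113.7", 51234)
    print("request bytes:", request.hex())
    print("server-reflexive address:", reflexive_address(response, tid))
```

The transaction ID check is the part that matters for a relay sitting in the perimeter network: a client that accepted any Binding Response would let an on-path party hand it a bogus reflexive address, so the response is bound to the client's own random request before its contents are used. Authentication of who may use the relay at all, which the section above says the A/V Edge Server enforces, is a separate layer on top of this exchange and is not modelled here.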

HTTP Reverse Proxy

Office Communications Server 2007 conferencing support for external users also requires deploying an HTTP reverse proxy in the perimeter network for the purpose of carrying HTTP and HTTPS traffic for external users. The HTTP reverse proxy is used to download the following data for external users:

  • Address Book Server files

  • Web conferencing content

  • Expanded distribution lists for group IM

The reverse proxy does not run Office Communications Server 2007 or carry SIP traffic.