Step 5. Deploy a Media Gateway

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

You can deploy a third-party Basic Media Gateway either before or after you deploy a Mediation Server, but whichever order you choose, these two components must be configured to function as a logical unit. For information about configuring a Mediation Server, see Configure Mediation Server, later in this topic.

The settings that you must configure on your Basic Media Gateway are specified in the following list, but for information about how to configure these settings on a given gateway, refer to the manufacturer's product documentation. For information about selecting gateways for Enterprise Voice, see Plan for Media Gateways in Office Communications Server.

Each gateway must be configured according to the vendor's documentation. Depending on the vendor, there are potentially many attributes that must be set, but the attributes specific to Enterprise Voice are as follows:

  • The FQDN and IP Address of the Mediation Server that is associated with the gateway.

  • The listening port (5060) that is used for TCP connections to the Mediation Server.

    Important

    The previous settings must match those of corresponding settings for the Mediation Server. If the settings do not match, the connection between the gateway and Mediation Server will fail.

  • SIP Transport – specify either TLS (recommended) or TCP.

    Important

    If you specify TLS as the SIP transport to be used by your basic or basic-hybrid media gateway, you must also configure the corresponding Mediation Server for TLS. For instructions on how to configure a Mediation Server for TLS, see Configure Mediation Server.

  • If the SIP transport for the link between the gateway and the Mediation Server is set to TLS, the gateway must be configured with a certificate for purposes of authentication during the MTLS handshake with the Mediation Server. The certificate on the gateway must be configured as follows:

    • The certificate may be directly signed by the trusted CA configured in the Mediation Server. Alternatively, a certificate chain may have to be traversed to verify the certificate provided by the gateway. The gateway must provide this chain as part of its TLS handshake with the Mediation Server.

    • The CN part of the subject field should be set to the FQDN of the gateway. If the FQDN in the CN part of the subject field does not match the expected and configured FQDN for the gateway, the certificate must also contain a SAN (subject alternate name) that lists the expected and configured FQDN for the gateway.

      The Mediation Server validates the certificate provided by the gateway by checking that the FQDN on the certificate exactly matches the gateway FQDN configured on the Mediation Server. If the FQDNs do not match, the session is terminated. Additional validation includes checking the signature and expiration date, and making sure that the certificate has not been revoked.

  • If the SIP transport for the link between the gateway and the Mediation Server is set to TLS, separate ports must be opened for the TLS connection to the gateway and the TLS connection to the Office Communications Server pool. The port assignments should be configured as follows:

    • TLS link between media gateway and Mediation Server: 5060

    • TLS link between Mediation Server and Office Communications Server pool: 5061

  • Each gateway must be configured so that the E.164 numbers routed by Enterprise Voice to the gateway are normalized to a locally dialable format.

  • Each gateway must also be configured to pass only E.164 numbers to the Mediation Server.

  • Each gateway should be configured to convert the source number (the number presented as caller ID) to a normalized E.164 number. This ensures the caller ID can be matched to a Communicator contact, an Outlook contact, or a member of the corporate directory, thereby enabling Communicator to provide additional information about the caller. This number will also appear in e-mails notifying the user of missed calls and voice mail, allowing the user to click the phone number in order to quickly return a call. If the number has been normalized by the gateway, no further processing is required. If for some reason the number cannot be normalized by the gateway, then the normalization rules defined by the location profile will be applied when returning a call. It might be necessary to add normalization rules to a location profile to handle numbers that cannot be normalized by the gateway. Please see each gateway vendor's documentation for specific instructions on how to normalize source phone numbers to E.164.
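The two number-translation jobs the list assigns to the gateway (normalize what the PSTN presents to E.164, and turn the E.164 numbers Enterprise Voice routes outbound into a locally dialable string) are, in practice, anchored regular-expression rules of the same shape as location-profile normalization rules. The following Python is an added example and is not gateway firmware, nor code from the original guide: the dial plan (a US site at +1 425 555 with five-digit extensions 5xxxx and trunk prefix 9) is invented, and the function names are hypothetical. It returns None where the gateway cannot normalize a number, which is the case the text says the location profile's own rules must then cover.

```python
import re

# Constructed inbound rules: (anchored pattern over the digits the PSTN/PBX
# presents, translation yielding an E.164 number). Hypothetical dial plan:
# site number +1 425 555 xxxx, internal extensions 5xxxx.
INBOUND_RULES = [
    (r"^5(\d{4})$",      r"+1425555\1"),   # five-digit internal extension
    (r"^1?(\d{10})$",    r"+1\1"),         # national number, optional leading 1
    (r"^011(\d{7,15})$", r"+\1"),          # international dialed with 011 prefix
    (r"^\+(\d{7,15})$",  r"+\1"),          # already E.164: pass through
]

# E.164: leading +, country code starting 1-9, at most 15 digits in total.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def strip_presentation(number):
    """Drop the spaces, dashes, dots and parentheses that caller-ID strings carry."""
    return re.sub(r"[\s().-]", "", number)


def normalize_to_e164(number, rules=INBOUND_RULES):
    """Return the E.164 form of NUMBER, or None if no rule produces a valid one.

    None is the "gateway could not normalize it" case: the Mediation Server
    then sees a non-E.164 number and the location profile must handle it.
    """
    digits = strip_presentation(number)
    for pattern, translation in rules:
        m = re.match(pattern, digits)
        if m:
            candidate = m.expand(translation)
            if E164.match(candidate):      # reject rules that built a bad number
                return candidate
    return None


def localize_for_dialing(e164, trunk_prefix="9", home_country_code="1"):
    """Outbound direction: what the gateway actually dials for an E.164 number.

    Domestic numbers get the trunk prefix; foreign ones get trunk prefix + 011.
    Refuses anything that is not E.164, which is all the Mediation Server should send.
    """
    if not E164.match(e164):
        raise ValueError(f"not an E.164 number: {e164!r}")
    national = e164[1:]
    if national.startswith(home_country_code):
        return trunk_prefix + national
    return trunk_prefix + "011" + national


if __name__ == "__main__":
    for raw in ["(425) 555-1234", "1 425 555 1234", "51234", "011 44 20 7123 4567", "123"]:
        print(f"{raw!r:>24} -> {normalize_to_e164(raw)}")
    print(localize_for_dialing("+14255551234"), localize_for_dialing("+442071234567"))
```

Rule order matters: the extension rule is tried first because a five-digit string also looks like the start of a longer pattern in looser dial plans, and the E.164 pass-through is last so that already-normalized caller ID is never re-prefixed.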

For a list of media gateway vendors, see https://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=IPpbxVend.

Install and Activate Mediation Server

Mediation Server and a third-party basic media gateway function as a single logical unit that enables communication between users enabled for Enterprise Voice and the public switched telephone network (PSTN). This step describes how to install and activate Mediation Server.

Mediation Server deployment is an integrated component of Office Communications Server 2007 setup. When you install Mediation Server, the Communications Server 2007 Deployment Tool copies the required files to the local computer but does not activate the service. The activation step becomes available only after installation is complete. Activation performs two tasks:

  • Creates Mediation Server objects in Active Directory.

  • Activates the domain service account on the server.

Requirements

To install or activate Mediation Server you must be a member of the RTCUniversalServerAdmins group or have been delegated to perform these tasks by a member of that group.

Mediation Server must be installed on Windows Server 2003 SP1 (or later) and must not be installed with any other application.

Microsoft .NET Framework 2.0 (available on the Communications Server 2007 CD) must be installed on the Mediation Server.

The minimum recommended hardware configuration (for up to 125 concurrent calls or 5 T1) is as follows. For more details, see Mediation Server Hardware Requirements, in Plan for Media Gateways in Office Communications Server.

  • Single Processor Dual Core running at 3GHz

  • 2GB RAM

  • 30GB hard disk

  • A single network interface card is the minimal requirement, but two cards are recommended for all deployments, including those where TLS has been enabled for the gateway link.

A certificate is required.

Recommendations

  • Even if you enable TLS on the gateway link, two network interface cards are recommended on the Mediation Server for additional security: one card to communicate with the gateway and a separate card to communicate with the Office Communications Server internal infrastructure.

  • You can install Mediation Server on multiple computers, but each Mediation Server must have a corresponding basic media gateway. If you are planning to install multiple Mediation Servers, it is good practice to install and test a single Mediation Server before attempting to deploy them all.

  • To optimize performance, Mediation Server should not be collocated with any other Communications Server 2007 server role, and all unnecessary applications and services should be disabled on the computer.

To install Mediation Server files

  1. Log on to a computer on which you want to install Mediation Server.

  2. Insert the Office Communications Server 2007 CD. Setup starts and launches the Deployment Tool. If you are installing from a network share, navigate to the \Setup\i386 folder, and then double-click Setup.exe.

  3. At the welcome screen click Deploy Other Server Roles.

  4. At the Deploy Other Server Roles screen, click Deploy Mediation Server.

  5. At Step 1: Install Files for Mediation Server, click Install.

  6. On the Welcome page, click Next.

  7. On the License Agreement page, if you agree to the licensing terms, click I accept the terms in the licensing agreement, and then click Next.

  8. On the Install location page, select the location where you want to install the Mediation Server files, and click Next.

  9. On the Confirm Installation page, click Next to confirm.

  10. On the Installation Complete page, click Close.

Note

You must install Mediation Server before you can activate it.

To activate Mediation Server

  1. Log on to a computer on which you want to activate Mediation Server.

  2. Insert the Office Communications Server 2007 CD. Setup starts and launches the Deployment Tool. If you are installing from a network share, navigate to the \Setup\i386 folder, and then double-click Setup.exe.

  3. At the welcome screen, click Deploy Other Server Roles.

  4. At the Deploy Other Server Roles screen, click Deploy Mediation Server.

  5. At Step 2: Activate Mediation Server, click Run.

  6. On the Welcome page of the activation wizard, click Next.

  7. On the Select Service Account page, you have two choices:

    • If you accept the existing account (recommended), enter the password for the service account, and then click Next. The default account is the MCU and Web component services account.

    • If you choose to create a new account, click Create a New Account and type a new Account Name and Password. When you are done, click Next.

  8. On the Ready to Activate Mediation Server page, review your settings. If your Current Settings are incorrect, click Back and make whatever corrections are required. If your Current Settings are correct, click Next.

  9. On the Activate Mediation Server Wizard Has Completed page, select the View the log when you click the Finish check box, and then click Finish.

  10. In the log file, verify that "Success" appears under the Execution Result column. Optionally, look for "Success" Execution Result at the end of each task to verify its successful completion. Close the log window when you finish.

Warning

Care must be taken in deactivating a Mediation Server. If you remove it from service without first taking precautionary steps, you may drop calls. For instructions on how to properly deactivate a Mediation Server, see Deactivating a Mediation Server, in Chapter 4: Managing Enterprise Voice.

Configure Mediation Server

You must configure Mediation Server to communicate with Communications Server 2007 on one side and media gateways on the other. To configure a Mediation Server, you must specify the following:

  • The SIP transport used to communicate with a media gateway. There are two choices: TLS or TCP.

    • TLS: The recommended transport is TLS, which encrypts and authenticates the SIP signaling between the Mediation Server and the media gateway, which is connected to the PSTN. Be clear about what TLS on the gateway link does not cover: media between the Mediation Server and the gateway is plain RTP (SRTP is used only on the internal side), and a call is unencrypted once the gateway hands it to the PSTN. Configuring the gateway link for TLS therefore protects the signaling on that link; it does not make calls to and from the PSTN encrypted end to end.

    • TCP: It is possible, but not recommended, to configure the Mediation Server to use TCP instead of TLS. With TCP, SIP signaling on the gateway link is sent in cleartext and neither side authenticates the other, so anyone with access to that network segment can read or inject signaling. For this reason, it is good practice to install two network interface cards, one facing the media gateway and the other facing the internal network, so that the gateway link is confined to its own segment.

    Important

    The link between Mediation Server and the internal Communications Server 2007 infrastructure is always configured for TLS, even in cases where the gateway link is configured for TCP. This requirement means that you must always configure a certificate on the Mediation Server. If you configure the gateway link for TLS, you must also configure a certificate on the gateway.

  • The IP addresses on which the Mediation Server listens for call traffic from Communications Server on one side and media gateways on the other. The Communications Server listening IP address is the IP address of the internal (that is, the Communications Server-facing) edge of the Mediation Server. The Gateway listening IP address is the IP address of the external (that is, the gateway-facing) edge of the Mediation Server.

  • The FQDN of the collocated A/V Edge Server and Media Relay Authentication Server for this Mediation Server.

  • The default location profile used by this Mediation Server.

  • The default Media port range.

  • The FQDN and port of the Communications Server internal next hop. This server will likely be a Director, a Standard Edition Server, or an Enterprise Edition Front End Server.

  • The IP address and port for the media gateway to which this Mediation Server is connected.

To configure Mediation Server you must be a member of the RTCUniversalServerAdmins group or have been delegated to perform this task by a member of that group.

Note

Most Mediation Server configuration is performed using the Office Communications Server 2007 administrative snap-in. Support for TLS on the gateway link, however, is controlled by a configuration file, MediationServerSvc.exe.config, that the Mediation Server service reads. Before that file is honored you must download and install the Office Communications Server 2007 Mediation Server hotfix package, as described in the procedure "To configure gateway link for TLS" later in this section.

To configure Mediation Server

  1. Log on to a Communications Server 2007 Mediation Server.

  2. Click Start, point to Administrative Tools, and then click Office Communications Server 2007.

  3. Expand the appropriate forest node.

  4. Expand the Mediation Servers node, right-click the Mediation Server to be configured, click Properties, and then click the General tab.

  5. In the FQDN box, make sure the FQDN listed matches that of the Mediation Server you have selected.

  6. Open a command prompt, change to the root directory, and type nslookup <FQDN of Mediation Server>, using the FQDN displayed on the Mediation Server General tab, and then press ENTER.

  7. From the list of IP addresses displayed in the Communications Server listening IP address list, select the IP address returned in step 6.

    Important

    If the IP address selected in step 7 does not match the IP address in step 6, Communications Server traffic will be directed toward an interface that is not listening for such traffic and away from the one that is.

  8. From the list of two IP addresses displayed in the Gateway listening IP address list, select the other IP address (that is, the one not already selected in step 7).

    Note

    The address selected in step 8 is the Mediation Server's own gateway-facing interface; the device on the far side of that interface can be either a media gateway or a PBX.

  9. From the A/V Edge Server list, select the A/V Edge Server that hosts the A/V Authentication Service for this Mediation Server.

    Important

    If the A/V Edge Server that hosts the A/V Authentication Service for this Mediation Server does not appear in the list, then the A/V Edge Server on which the service is collocated has not been entered into the A/V Edge Servers list on the Edge Servers tab of the Global Properties page. You will need to add the A/V Edge Server to the previous list before it will appear in the A/V Edge Server list on the Mediation Server tab. For more information, see the Microsoft Office Communications Server 2007 Edge Server Deployment Guide.

  10. In the Default location profile list, select the default location profile for this Mediation Server.

    Important

    The default media port range enables the server to handle up to 1000 simultaneous calls. Reducing the port range greatly reduces server capacity and should be undertaken only for specific reasons by an administrator who is knowledgeable about media port requirements and scenarios. For this reason, altering the default port range is not generally recommended.
    Organizations that employ IPSec for packet security are advised to exempt the media ports from it, because the security negotiation that IPSec requires delays call setup. IPSec is unnecessary for media ports because SRTP already secures all media traffic between the Mediation Server and the internal Communications Server network.

  11. In Media port range accept the default range of 60,000 to 64,000.

  12. Click the Next Hop Connections tab.

  13. On the Next Hop Connections tab under Office Communications Server next hop:

    • In the FQDN list, select the FQDN of the next-hop internal server. This server could be a Director or pool.

    • In the Port box, accept the default of 5061 for TLS.

  14. On the Next Hop Connections tab under PSTN Gateway next hop:

    • In the IP address box, specify the IP address of the PSTN Gateway or the PBX associated with this Mediation Server.

    • In the Port box, accept the default of 5060 for TCP.

  15. Click OK.
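Steps 6 through 8 hide the one mistake the Important note warns about: if the Communications Server listening address is not the address the Mediation Server's FQDN resolves to, internal traffic is sent to an interface that is not listening for it. The following Python is an added example, not part of the original guide or of the Office Communications Server tooling; the host name ms1.example.com, the two addresses and the resolver stub are constructed, and the function name is hypothetical. It automates the nslookup cross-check and refuses to pick interfaces when DNS and the local addresses disagree.

```python
import ipaddress
import socket


def resolve_ipv4(fqdn):
    """Live DNS lookup, the equivalent of `nslookup <FQDN>` in step 6.
    The check below takes the resolver as an argument so it can be run offline."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)}


def choose_listening_addresses(mediation_fqdn, local_ipv4, resolve=resolve_ipv4):
    """Return (ocs_listening_ip, gateway_listening_ip) for a two-NIC Mediation Server.

    The Communications Server listening address must be the address the
    Mediation Server FQDN resolves to (step 7); the gateway listening address is
    the other interface (step 8). Every misconfiguration raises ValueError rather
    than silently choosing an interface.
    """
    # IPv4Address() normalizes the strings and rejects anything that is not an address.
    local = {str(ipaddress.IPv4Address(ip)) for ip in local_ipv4}
    if len(local) != 2:
        raise ValueError(f"expected exactly two interface addresses, found {sorted(local)}")

    resolved = set(resolve(mediation_fqdn))
    candidates = resolved & local
    if not candidates:
        # DNS points at an address this server does not own: OCS traffic would go
        # to an interface that is not listening for it.
        raise ValueError(
            f"{mediation_fqdn} resolves to {sorted(resolved)}, "
            f"none of which is a local address {sorted(local)}")
    if len(candidates) > 1:
        # Both NICs are registered under the FQDN, so the OCS-facing one is ambiguous.
        raise ValueError(
            f"{mediation_fqdn} resolves to more than one local address: {sorted(candidates)}")

    ocs_ip = candidates.pop()
    gateway_ip = (local - {ocs_ip}).pop()
    return ocs_ip, gateway_ip


if __name__ == "__main__":
    # Constructed data: internal NIC 10.0.0.10 (registered in DNS) and a
    # gateway-facing NIC 192.168.50.10 that is deliberately not in DNS.
    fake_dns = lambda fqdn: {"10.0.0.10"}
    print(choose_listening_addresses("ms1.example.com",
                                     ["10.0.0.10", "192.168.50.10"], fake_dns))
```

Keeping the gateway-facing address out of DNS is what makes the choice unambiguous; if both interfaces are registered under the server's name, the function refuses rather than guess, which is the safer failure.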

To configure gateway link for TLS

  1. Download and install the following two hotfixes from https://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=MediationServerHotFix:

    • Office Communications Server 2007, Unified Communications Managed API v1.0 Redist: December 17, 2007 KB 944285 Version 3.0.6362.36

    • Description of the Update for Office Communication Server 2007, Mediation Server: December 17, 2007 KB 944285 Version 3.0.6362.36

  2. Configure a certificate on the media gateway. This certificate must be from a CA that is trusted by the Mediation Server.

  3. In a text editor, create a file named MediationServerSvc.exe.config in the folder that contains MediationServerSvc.exe (the Mediation Server installation folder chosen in step 8 of "To install Mediation Server files"; a .NET application configuration file is only read from beside its executable), with the following content:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <appSettings>
        <add key="GatewayTls" value="On" />
        <add key="GatewayFqdn" value="gateway.domain.com" />
      </appSettings>
    </configuration>
    

    The GatewayTls property can have a value of either “On” or “Off”. To enable TLS on the gateway link, this property must be set to “On”. If you set the value to “Off”, the transport protocol for the gateway link will revert to TCP. Setting the value to “Off” is the same as deleting the file. However, should you have reason to temporarily revert to TCP, you can enable TLS once again by resetting the property back to “On” and saving the file.

    The GatewayFqdn property must match the FQDN in the certificate provided by the gateway. For more information on certificate requirements for a media gateway, see Deploy a Media Gateway.
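The config file above and the certificate rules under "Deploy a Media Gateway" describe one check from two sides: GatewayFqdn names the gateway, and the Mediation Server accepts the gateway's certificate only if that exact name is its CN or one of its SANs and the certificate is within its validity period. The following Python is an added example, not code from the original guide or from Office Communications Server, that reads the appSettings of a constructed copy of the config file and applies the name and validity checks to a constructed certificate laid out the way Python's ssl.getpeercert() reports one. The gateway name is the guide's placeholder, the dates and organization are invented, and the function names are hypothetical; signature and revocation checking are left to the TLS stack.

```python
import ssl
import time
import xml.etree.ElementTree as ET

# Constructed copy of the MediationServerSvc.exe.config shown in the guide.
# gateway.domain.com is the guide's placeholder, not a real host.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="GatewayTls" value="On" />
    <add key="GatewayFqdn" value="gateway.domain.com" />
  </appSettings>
</configuration>
"""

# Constructed gateway certificate in the dict layout ssl.getpeercert() returns
# for a verified peer; organization and validity dates are invented.
GOOD_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Telecom"),),
                (("commonName", "gateway.domain.com"),)),
    "subjectAltName": (("DNS", "gateway.domain.com"),),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Dec 31 23:59:59 2009 GMT",
}
# A fixed "now" inside that validity window, so results are reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2008 GMT")


def read_gateway_settings(config_xml):
    """Return (tls_enabled, gateway_fqdn) from the appSettings of the config file."""
    root = ET.fromstring(config_xml)
    settings = {add.get("key"): add.get("value") for add in root.findall("./appSettings/add")}
    tls_enabled = settings.get("GatewayTls", "Off").strip().lower() == "on"
    return tls_enabled, settings.get("GatewayFqdn")


def names_in_cert(cert):
    """Every commonName in the subject plus every DNS entry in the SAN."""
    names = set()
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value)
    return names


def validate_gateway_cert(cert, configured_fqdn, now=None):
    """Name and validity checks as the guide describes them: the configured FQDN
    must appear exactly in CN or SAN (so "*.domain.com" never matches), and the
    certificate must be inside its validity period. Returns a list of problems;
    an empty list means the certificate is acceptable."""
    now = time.time() if now is None else now
    problems = []
    names = {n.lower() for n in names_in_cert(cert)}   # DNS names are case-insensitive
    if configured_fqdn.lower() not in names:
        problems.append(f"configured FQDN {configured_fqdn!r} is not in certificate names {sorted(names)}")
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append(f"certificate expired on {cert['notAfter']}")
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append(f"certificate is not valid until {cert['notBefore']}")
    return problems


def check_gateway_link(config_xml, cert, now=None):
    """Read the config, then validate the gateway certificate against GatewayFqdn."""
    tls_enabled, fqdn = read_gateway_settings(config_xml)
    if not tls_enabled:
        return ["GatewayTls is Off: the gateway link is cleartext TCP and no certificate is checked"]
    if not fqdn:
        return ["GatewayTls is On but GatewayFqdn is missing, so no certificate can match"]
    return validate_gateway_cert(cert, fqdn, now)


if __name__ == "__main__":
    print(check_gateway_link(SAMPLE_CONFIG, GOOD_CERT, SAMPLE_NOW))
```

The exact-match rule is the point to keep in mind when ordering a gateway certificate: a wildcard or a certificate issued to the gateway's short host name is rejected, and the session is terminated, even though the same certificate would pass an ordinary browser's host name check.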

Configure a Certificate for Mediation Server

The Mediation Server must be configured with a server certificate to connect to other Office Communications Servers, because the link to the internal infrastructure is always TLS. This step describes the following procedures that you must perform to configure a certificate for Mediation Server:

  1. Download the CA certification path for the Mediation Server.

  2. Install the CA certification path for the Mediation Server.

  3. Verify that the CA is in the list of trusted root CAs of the Mediation Server.

  4. Create the certificate request for the Mediation Server.

  5. Import the certificate for the Mediation Server.

  6. Assign the certificate for the Mediation Server.

You can use the Communications Certificate Wizard to complete most of the following certificate setup procedures. These procedures describe how to access the Communications Certificate Wizard from the Office Communications Server 2007 Deployment Wizard. You can also access it from the Office Communications Server 2007 Administrative Tools interface on each Mediation Server.

Note

The steps of these procedures are based on using a Windows Server 2003 Enterprise CA or a Windows Server 2003 R2 CA. For step-by-step guidance for any other CAs, consult the documentation of the CA.

To download the CA certification path for the Mediation Server

  1. With your Enterprise root CA offline and your Enterprise subordinate (issuing) CA Server online, log on to the Mediation Server as a member of the RTCUniversalServerAdmins group.

  2. Click Start, click Run, type http://<name of your Issuing CA Server>/certsrv, and then click OK.

  3. Under Select a task, click Download a CA certificate, certificate chain, or CRL.

  4. Under Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.

  5. In the File Download dialog box, click Save.

  6. Save the .p7b file to a folder on the Mediation Server. If you open this file, it should contain all the certificates in the certification path. To view the certification path of an individual certificate, open the certificate and click the Certification Path tab.

To install the CA certification chain for the Mediation Server

  1. In the Deployment Wizard (which should still be open), click Deploy Other Server Roles, and then click Deploy Mediation Server.

  2. On the Deploy Mediation Server page, next to Step 3, Configure Certificates, click Run to start the Communications Certificate Wizard.

  3. On the Welcome page, click Next.

  4. On the Available certificate tasks page, click Import a certificate chain from a .p7b file, and then click Next.

  5. On Import Certificate Chain page, click Browse to locate the .p7b file, locate the file, and then click Next.

  6. Click Finish.

To verify that your CA is in the list of trusted root CAs

  1. Open an MMC console. Click Start, and then click Run. In the Open box, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.

  4. In the Certificate snap-in dialog box, click Computer account, and then click Next.

  5. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.

  6. Click Close, and then click OK.

  7. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.

  8. In the details pane, verify that your CA is on the list of trusted CAs.

To create the certificate request for the Mediation Server

  1. In Deployment Wizard, on the Deploy Mediation Server page, next to Step 3, Configure Certificates for the Mediation Server, click Run to start the Communications Certificate Wizard.

  2. On the Welcome page, click Next.

  3. On the Available Certificate Tasks page, click Create a new certificate, and then click Next.

    Note

    If you already have a certificate available, click Assign an Existing Certificate and continue with steps 3 through 6 in the procedure To assign the certificate to the Mediation Server later in this section.

  4. On the Delayed or Immediate Request page, select one of the following options:

    • Prepare the request now, but send later, if you intend to output your request to a text file and then send that file to an offline CA.

      Note

      If you choose this option, you will later have to import the certificate and assign it to the Mediation Server.

    • Send the request immediately to an online CA, in which case you will not have to import the certificate but will still have to assign it to the Mediation Server.

    When you are done, click Next.

  5. On the Name and Security Settings page, type a friendly name for the certificate, specify the bit length, select the Mark certificate as exportable check box, and then click Next. The wizard defaults to 1024 bits; 1024-bit RSA keys are no longer considered adequate, so choose 2048 if your CA and the gateway support it. Note that marking the key exportable makes it easier to move the certificate to another server and just as easy for an attacker with administrative access to copy it, so protect the server accordingly.

  6. On the Organization Information page, enter the name for the organization and the organizational unit (such as a division or department, if appropriate), and then click Next.

  7. On the Your Server's Subject Name page, type or select the subject name and subject alternate name of the Mediation Server. The subject name should match the FQDN of the Mediation Server.

    If your deployment includes multiple SIP domain names, in Subject alternate name, do the following:

    • Type the same name that you typed in Subject name, and then click Add.

    • Type each additional SIP domain name, separating each name with a comma.

  8. Click Next.

  9. On the Geographical Information page, type the location information, and then click Next.

  10. The next page you see depends on which option you chose in Step 4:

    • If you selected Send the request immediately to an online CA in Step 4, then on the Choose a Certification Authority page, select your certification authority (CA) from the list or type the name of your CA in the Certification Authority box. If you type an external CA name, a dialog box appears. Type the user name and password for the external CA, and then click OK. When you are finished, click Next.

    • If you selected Prepare the request now but send later in Step 4, then type the file name and path to which the request is to be saved, and then click Next. Submit this file to your CA (by e-mail or other method supported by your organization for your Enterprise CA) and, when you receive the response file, copy the new certificate to this computer so it is available for import.

  11. On the Request Summary page, click Next.

  12. On the Certificate Wizard Completed page, verify successful completion, and then click Finish.

Note

If you obtained your certificate from an online CA skip the next procedure and proceed directly to the procedure that follows it. This procedure is titled "To assign the certificate to the Mediation Server."

To import the certificate for the Mediation Server

  1. In Deployment Wizard, on the Deploy Mediation Server page, next to Step 3, Configure Certificates, click Run to start the Communications Certificate Wizard.

  2. On the Welcome page, click Next.

  3. On the Pending certificate tasks page, click Process a pending request and import the certificate, and then click Next.

  4. In the Path and file name box, type the full path and file name of the certificate that you requested for the Mediation Server (or click Browse to locate and select the certificate), and then click Next.

  5. On the wizard completion page, verify successful completion, and then click Finish.

To assign the certificate to the Mediation Server

  1. In the Deployment Wizard, on the Deploy Mediation Server page, next to Step 3, Configure Certificates, click Run to start the Communications Certificate Wizard.

  2. On the Welcome page, click Next.

  3. On the Available certificate tasks page, click Assign an existing certificate, and then click Next.

  4. On the Available Certificates page, select the certificate that you requested for the Mediation Server, and then click Next.

  5. Review your settings, and then click Next to assign the certificates.

  6. On the Certificate Wizard Completed page, click Finish.

Start Mediation Server

After configuring the Mediation Server, start it as follows.

To start Mediation Server

  1. On a Front End Server, click Start, point to Programs, point to Administrative Tools, and then click Office Communications Server 2007.

  2. Expand the Mediation Servers node.

  3. Right-click the appropriate Mediation Server, and then click Start.

  4. On the Mediation Server, click Start, click Run, type services.msc, and then click OK. Verify that Office Communications Server Mediation appears in the list of services and that its status is Started.