Step 4. Configure Your Reverse Proxy (For External Access Only)

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

To enable devices to connect to the Software Update Service from outside your organization's firewall, a Microsoft Internet Security and Acceleration (ISA) Server or other reverse proxy in the perimeter network is required.

The following table shows the specific directories used by the Web components for the Software Update Service. We recommend configuring your HTTP reverse proxy to use all directories.

Table 2 Directories Used by Web Components Server

  • Directory: https://<external server FQDN>/RequestHandler/ucdevice.upx

    Use: The external URL to the Web Components Server running Software Update Service

  • Directory: https://<ExternalFQDN>/sites/ucupdateserver

    Use: The external URL for the SharePoint Update site

    Note

    This directory is not accessible from the outside because it does not allow anonymous access. UC devices use a fully qualified path to the specific update they require.

The detailed steps in this section describe how to configure an ISA 2006 server as a reverse proxy. If you are using a different reverse proxy, consult the documentation for that product. If you already have an ISA Server or another reverse proxy configured for external user access for Office Communications Server, proceed to Request and Configure a Certificate for Your Reverse HTTP Proxy.

You can use the information in this section to set up ISA as the reverse proxy, which requires completing the following procedures.

  • Configure Network Adapters

  • Install ISA Server 2006

  • Request and Configure a Certificate for Your Reverse Proxy

  • Configure Web Publishing Rules

  • Verify or Configure Authentication

  • Create a DNS Record

  • Verify Access through Your Reverse Proxy

ISA Server uses Web publishing rules to securely publish internal resources, such as a meeting URL, over the Internet. Publishing information to Internet users makes computing resources inside the internal network available to users outside the network.

Configuring Network Adapters

You must assign one or more IP addresses to the external network adapter and at least one IP address to the internal network adapter. For information about deploying ISA Server with a single network adapter, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at the Microsoft TechNet Web site. This document also applies to ISA Server 2006.

In the following procedures, the ISA Server computer has two network adapters:

  • A public, or external, network adapter, which is exposed to the clients that attempt to connect to your Web site (usually over the Internet)

  • A private, or internal, network interface, which is exposed to the internal Web servers to which outside users connect

Procedures

To configure the network adapter cards on the reverse proxy computer

  1. On the server running ISA Server 2006, open Network Connections. Click Start, point to Settings, and then click Network Connections.

  2. Right-click the external network connection to be used for the external interface, and then click Properties.

  3. On the Properties page, click the General tab, click Internet Protocol (TCP/IP) in the This connection uses the following items list, and then click Properties.

  4. On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses and DNS server addresses as appropriate for the network to which the network adapter is attached, and then click OK twice.

  5. In the Network Connections dialog box, right-click the internal network connection to be used for the internal interface, and then click Properties.

  6. Repeat steps 3 through 4 to configure the internal network connection.

Installing ISA Server 2006

Install ISA Server 2006 according to the setup instructions included with the product. For more information about installing ISA Server, see Microsoft ISA Server 2006 - Getting Started at the Microsoft TechNet Web site.

Note

After completing the ISA Server setup, a default access rule denying traffic to all network resources is present. You need to configure your firewall rules as defined in the previous procedure to resolve this denial.

Requesting and Configuring a Certificate for Your Reverse HTTP Proxy

The root CA certificate for the CA that issued the server certificate on the Web server (the IIS server running your Office Communications Server Web Components) needs to be installed on the server running ISA Server 2006. This certificate should match the published FQDN of the external Web farm where you are hosting the Software Update Service (the external FQDN of the Web Components servers).

  • You must install a Web server certificate on your ISA Server. This certificate should match the published FQDN of your external Web farm where you are hosting the Software Update Service.

  • If your internal deployment consists of more than one Standard Edition server or Enterprise pool, you must configure Web publishing rules for each external Web farm FQDN.

Configuring Web Publishing Rules

Use the following procedure to create Web publishing rules.

Note

This procedure assumes that ISA Server 2006 Standard Edition is installed.

Procedures

To create a Web server publishing rule on the ISA Server 2006 computer

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the left pane, expand ServerName, right-click Firewall Policy, point to New, and then click Web Site Publishing Rule.

  3. On the Welcome to the New Web Publishing Rule page, enter a friendly name for the publishing rule, and then click Next. For example, the name of the rule can be OfficeCommunicationsWebDownloadsRule.

  4. On the Select Rule Action page, select Allow, and then click Next.

  5. On the Publishing Type page, select Publish a single Web site or load balancer, and then click Next.

  6. On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm, and then click Next.

  7. On the Internal Publishing Details page, enter the FQDN of the internal Web farm that hosts the Software Update Service in the Internal Site name box, and then click Next.

  8. On the Internal Publishing Details page, enter /* as the path of the folder to be published in the Path (optional) box, and then click Next.

    Note

    The ISA Server must be able to resolve the FQDN to the IP address of the internal Web server. If the ISA Server is not able to resolve the FQDN to the proper IP address, you can select Use a computer name or IP address to connect to the published server, and then enter the IP address of the internal Web server in the Computer name or IP address box. If you do this, you must ensure that the ISA Server has port 53 opened and can reach an internal DNS server or a DNS server that resides in the perimeter network.

    • If your internal server is a Standard Edition, this FQDN is the Standard Edition server FQDN.

    • If your internal server is an Enterprise pool, this FQDN is the internal Web farm FQDN.

    Note

    In the Web site publishing wizard you can only specify one path. Additional paths can be added by modifying the properties of the rule.

  9. On the Publish Name Details page, confirm that This domain name is selected for Accept Requests for, type the external Web farm FQDN for the Software Update Service in the Public Name box, and then click Next.

  10. On the Select Web Listener page, click New to create a new Web listener.

  11. On the Welcome to the New Web Listener Wizard page, type a name for the Web listener in the Web listener name box, and then click Next. For example, type Web Servers.

  12. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.

  13. On the Web Listener IP Address page, select External, and then click Select IP Addresses.

  14. On the External Listener IP selection page, select Specified IP address on the ISA Server computer in the selected network, select the appropriate IP address, click Add, and then click OK.

  15. Click Next.

  16. On the Listener SSL Certificates page, select Assign a certificate for each IP address, select the IP address you just added, and then click Select Certificate.

  17. On the Select Certificate page, select the certificate that matches the public name specified in step 10, click Select, and then click Next.

  18. On the Authentication Setting page, select No Authentication, and then click Next.

  19. On the Single Sign On Setting page, click Next.

  20. On the Completing the Web Listener Wizard page, review the Web listener settings, and then click Finish.

  21. Click Next.

  22. On the Authentication Delegation page, select No delegation, but the client might authenticate directly, and then click Next.

  23. On the User Set page, click Next.

  24. On the Completing the New Web Publishing Rule Wizard page, review the Web publishing rule settings, and then click Finish.

  25. In the details pane, click Apply to save the changes and update the configuration.

Procedures

To create a Web server publishing rule on the ISA Server 2006 computer for the SharePoint site

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the left pane, expand ServerName, right-click Firewall Policy, point to New, and then click Web Site Publishing Rule.

  3. On the Welcome to the New Web Publishing Rule page, enter a friendly name for the publishing rule, and then click Next. For example, the name of the rule can be OfficeCommunicationsWebDownloadsRule.

  4. On the Select Rule Action page, select Allow, and then click Next.

  5. On the Publishing Type page, select Publish a single Web site or load balancer, and then click Next.

  6. On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm, and then click Next.

  7. On the Internal Publishing Details page, enter the internal FQDN of the SharePoint Service hosting the Software Update Service site in the Internal Site name box, and then click Next.

  8. On the Internal Publishing Details page, enter /* as the path of the folder to be published in the Path (optional) box, and then click Next.

    Note

    The ISA Server must be able to resolve the FQDN to the IP address of the internal Web server. If the ISA Server is not able to resolve the FQDN to the proper IP address, you can select Use a computer name or IP address to connect to the published server, and then in the Computer name or IP address box, enter the IP address of the internal Web server. If you do this, you must ensure that the ISA Server has port 53 opened and can reach an internal DNS server or a DNS server that resides in the perimeter network.

    Note

    In the Web site publishing wizard you can only specify one path. Additional paths can be added by modifying the properties of the rule.

  9. On the Publish Name Details page, confirm that This domain name is selected for Accept Requests for, type the external FQDN for the SharePoint Service hosting the Software Update Service site in the Public Name box, and then click Next.

  10. On the Select Web Listener page, click New to create a new Web listener.

  11. On the Welcome to the New Web Listener Wizard page, type a name for the Web listener in the Web listener name box, and then click Next. For example, type Web Servers.

  12. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.

  13. On the Web Listener IP Address page, select External, and then click Select IP Addresses.

  14. On the External Listener IP selection page, select Specified IP address on the ISA Server in the selected network, select the appropriate IP address, click Add, and then click OK.

  15. Click Next.

  16. On the Listener SSL Certificates page, select Assign a certificate for each IP address, select the IP address you just added, and then click Select Certificate.

  17. On the Select Certificate page, select the certificate that matches the public name specified in step 9, click Select, and then click Next.

  18. On the Authentication Setting page, select No Authentication, and then click Next.

  19. On the Single Sign On Setting page, click Next.

  20. On the Completing the Web Listener Wizard page, review the Web listener settings, and then click Finish.

  21. Click Next.

  22. On the Authentication Delegation page, select No delegation, but the client might authenticate directly, and then click Next.

  23. On the User Set page, click Next.

  24. On the Completing the New Web Publishing Rule Wizard page, review the Web publishing rule settings, and then click Finish.

  25. In the details pane, click Apply.

Procedures

To modify the properties of the Web publishing rule

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the left pane, expand ServerName, and then click Firewall Policy.

  3. In the details pane, right-click the secure Web server publishing rule that you created in the previous procedure (for example, OfficeCommunicationsServerExternal Rule), and then click Properties.

  4. On the Properties page, click the From tab, and then:

    • In the This rule applies to traffic from these sources list, click Anywhere, and then click Remove.

    • Click Add.

    • In the Add Network Entities dialog box, expand Networks, click External, click Add, and then click Close.

  5. If you need to publish another path on the Web server, click the Paths tab.

  6. Click Add, type /* for the path to be published, and then click OK.

  7. Click Apply to save changes, and then click OK.

  8. In the details pane, click Apply to save the changes and update the configuration.

Verifying or Configuring Authentication and Certification on IIS Virtual Directories

Use the following procedure to configure certification on your IIS virtual directories or verify that the certification is configured correctly.

Note

Perform the following procedure on each IIS Server in your internal Office Communications Server.
The following procedure is for the default Web site in IIS.

Procedures

To verify or configure authentication and certification on IIS virtual directories

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand ServerName, and then expand Web Sites.

  3. Right-click <default or selected> Web Site, and then click Properties.

  4. On the Web Site tab, ensure that the port number is 443 in the SSL port box, and then click OK.

  5. On the Directory Security tab, click Server Certificate under Secure communications.

  6. In the Welcome to the Web Server Certificate Wizard, click Next.

  7. On the Server Certificate page, click Assign an existing certificate, and then click Next.

  8. On the SSL Port page, ensure that the value is 443 in the SSL port this Web site should use box, and then click Next.

  9. On the Certificate Summary page, verify that settings are correct, and then click Next.

  10. Click Finish.

  11. Click OK to close the Default Web Site Properties dialog box.

Creating a DNS Record

Create an external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The device uses this record to connect to the reverse proxy.

Verifying Access through Your Reverse Proxy

Procedures

Use the following procedure to verify that your users can access information on the reverse proxy. You might need to complete the firewall configuration and DNS configuration before access works correctly.

To verify that you can access the Web site through the Internet

  1. Access your internal SharePoint Software Update Service site.

  2. Under Updates, click UCPhone.

  3. Select a vendor folder, select a model folder, select the hardware revision and software locale, and then select the update type.

  4. At the specific folder containing the update, right-click one of the update files, and then click Properties.

  5. In the Properties dialog box, copy the URL in the Address field, and then paste it into a browser.

  6. The URL looks similar to the following example.

    http://<internalSharePointServerFQDN>/sites/UCUpdateServer/Updates/UCPhone/Polycom/CX700/A/ENU/CPE/CPE.cat
    
  7. Change <internalSharePointServerFQDN> to the external FQDN of the SharePoint Service, so that your URL appears as follows:

    http://<externalSharePointServerFQDN>/sites/UCUpdateServer/Updates/UCPhone/Polycom/CX700/A/ENU/CPE/CPE.cat
    
  8. From outside your intranet, open a browser and ensure you can access the URL.
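
The verification steps above can be scripted. The following Python is an added example, not part of the original Microsoft procedure: it performs the host swap from steps 6 and 7, checks that the resulting path falls under a Table 2 directory, and checks that a certificate names the public FQDN as the Select Certificate step requires. The host names and sample certificate are constructed placeholders, the https default is an assumption based on the listener requiring SSL, and paths are compared case-insensitively because the page itself writes the SharePoint directory in two casings.

```python
import socket
import ssl
from urllib.parse import urlsplit, urlunsplit

# Table 2 directories, lower-cased (assumes proxy and IIS ignore path case).
PUBLISHED_PREFIXES = ("/requesthandler/ucdevice.upx", "/sites/ucupdateserver")


def external_url(internal_url, external_fqdn, scheme="https"):
    """Steps 6-7: swap the internal host for the external FQDN.
    https is an assumption here: the Web listener requires SSL."""
    parts = urlsplit(internal_url)
    return urlunsplit((scheme, external_fqdn, parts.path, parts.query, ""))


def is_published_path(url):
    """True if the path is a Table 2 directory or lies below one."""
    path = urlsplit(url).path.lower().rstrip("/")
    return any(path == p or path.startswith(p + "/") for p in PUBLISHED_PREFIXES)


def cert_covers(cert, fqdn):
    """True if a getpeercert()-style dict has a DNS name matching fqdn."""
    fqdn = fqdn.lower()
    parent = fqdn.partition(".")[2]  # everything after the left-most label
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == fqdn:
            return True
        # A wildcard counts only as the entire left-most label.
        if name.startswith("*.") and parent and parent == name[2:]:
            return True
    return False


def listener_cert(fqdn, port=443, timeout=5):
    """Live check, run from outside the intranet; the handshake itself
    fails if the chain or host name does not validate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()


# Constructed sample values; the host names are placeholders, not from the page.
INTERNAL = ("http://sps01.corp.example/sites/UCUpdateServer/Updates/UCPhone/"
            "Polycom/CX700/A/ENU/CPE/CPE.cat")
SAMPLE_CERT = {"subjectAltName": (("DNS", "updates.example.com"),)}
```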