Using a Reverse Proxy to Enable Remote User Access
Remote users sign in to Communicator Web Access by using a virtual server that has been configured for external users, as described in Creating a Communicator Web Access Virtual Server. Although you can make the external virtual server directly accessible to remote users, we strongly recommend that a reverse proxy be used to publish the virtual server to the Web.
The reverse proxy serves as a boundary between perimeter network and the internal network and can also be used as an alternative to a VPN for external users of your deployment of Communicator Web Access.
For detailed instructions to configure the reverse proxy, see the documentation for your reverse proxy.
This section describes the requirements and recommendations to successfully publish Communicator Web Access using a reverse proxy.
Software Requirements and Recommendations
If you intend to use single sign-on (SSO), the only reverse proxy that is supported is Microsoft Internet Security and Acceleration (ISA) Server 2006 with SSO enabled on the Web listener. If you do not intend to use SSO, any reverse proxy server can be used to Web publish a Communicator Web Access virtual server. Regardless of your choice of reverse proxy, for security reasons we recommend that the reverse proxy be a workgroup member and not a member server of the internal, trusted domain. Even so, both configurations are supported.
For performance reasons, we recommend that no other software be installed on the reverse proxy.
Address Requirements and Recommendations
You must use SSL to publish the URI of Communicator Web Access as an HTTPS address. Using HTTP is not supported for external access to Communicator Web Access. For details on Web publishing using SSL in a production environment, see “Secure Application Publishing” at http://go.microsoft.com/fwlink/?LinkId=125682.
We recommend that all network adapters on the reverse proxy be configured with static IP addresses.
Using the default configuration, port 443 must be open on the firewall. If you are running multiple virtual servers on a single computer, you will need to use a different port for the virtual server that you want to make externally available or use a different port for your internal virtual server.
Ensure that you have created the required DNS records for Communicator Web Access. For a complete list of the DNS records that are required for Communicator Web Access, including the DNS records required to successfully publish Communicator Web Access for external users, see Active Directory and Domain Name Service Requirements.
When you publish a Communicator Web Access virtual server by using a reverse proxy, the reverse proxy can internally reference the Communicator Web Access server by its FQDN, host name, or IP address. If the reverse proxy will communicate with the internal virtual server over HTTPS, we recommend the following:
- The reverse proxy should refer to the Communicator Web Access server using a name that either matches the subject name of the SSL certificate installed on the Communicator Web Access server or that is included in the subject alternate name (SAN) value of that certificate.
- The name that the reverse proxy uses should be registered with the internal DNS servers as either the FQDN or one of the DNS alias names of the Communicator Web Access server.
The DNS suffix and the NetBIOS computer name of the proxy server must match the external DNS name, for example, contoso.com. Any failure to resolve names will prevent the Web site from being published successfully.
For details about additional configuration of the reverse proxy, such as registering a friendly alias name in external DNS servers, see the documentation for your reverse proxy.
You must request an SSL certificate and download the CA certificate chain to the Trusted Root Certification Authorities, Certificates folder for the external interface of the reverse proxy. If you use a different name for the external interface than the name of the internal Communicator Web Access server, you must request two certificates: one for the external interface and one for the internal interface. The certificates must be issued from the same CA that issues the SSL certificate for the Communicator Web Access server.
The SSL certificate for the external interface of the reverse proxy should have a subject name that matches the FQDN of the reverse proxy. The SSL certificate for the internal interface of the reverse proxy should have a subject name that matches the FQDN of the Communicator Web Access Server.
When you request the SSL certificate from the CA, use a duplicated Web server template. For detailed information about SSL certificate requirements for the reverse proxy and procedures to install the certificate on the reverse proxy, see “Digital Certificates for ISA Server 2004” at http://go.microsoft.com/fwlink/?LinkID=124312.
For details about Communicator Web Access certificate configuration requirements, see Preparing Certificates for Communicator Web Access.
After you publish the virtual server for external users to the Web, you are ready to enable and configure users for Office Communications Server 2007 R2. For procedures, see Step 6: Create and Enable Users in Office Communications Server 2007 R2 deployment documentation. Ensure that users are configured for remote user access in 6.3 Configure Users, also in Office Communications Server 2007 R2 deployment documentation.
If users in your organization have already been enabled and configured for remote access to Office Communications Server, you are ready to test external access to the Communicator Web Access Web site as described in Testing the Web Site.