Perimeter Network Topologies (2007 R2 Beta)
[This is preliminary documentation and is subject to change. Blank topics are included as placeholders.]
Edge Server is a server role that is deployed in a perimeter network to support access by external users. External users include remote, federated, and anonymous users. Office Communications Server supports connectivity with one or more of the following public IM service providers: AOL, MSN, and Yahoo!.
Note
In this discussion, external users who access the network by using a VPN connection are considered to be internal users.
An Edge Server runs three services: Access Edge service, A/V Edge service, and Web Conferencing Edge service. All three services are automatically installed with an Edge Server.
In addition to one or more Edger Servers, HTTP reverse proxies are also required in the perimeter network. Collocation of an Edge Server with a reverse proxy or with an internal or external firewall is not supported.
The components support external access as follows:
- The Access Edge service validates and forwards SIP signaling traffic between internal and external users.
- The A/V Edge service enables audio and video conferencing and A/V peer-to-peer communications with external users who are equipped with a supported client. For details, see Supported Clients
- The Web Conferencing Edge service enables external users to participate in conferences that are hosted by an internal Web Conferencing Server.
- The HTTP reverse proxy is required for downloading Address Book information, expanding membership in distribution groups, and downloading Web conference content.
The following edge topologies, each with a single HTTP reverse proxy in each physical location, are supported in the perimeter network:
- Single consolidated edge topology
A single Edge Server computer. - Scaled consolidated edge topology
Two or more Edge Server computers behind a load balancer. - Multiple-site consolidated edge topology
One primary location (the datacenter) has a scaled consolidated edge topology, and one or more remote sites deploy a single consolidated edge topology or a scaled consolidated edge topology behind a load balancer.
For deployments with multiple locations, only a single Edge Server or a single load-balanced array of Edge Servers is supported for federation and for public IM connectivity. Multiple Access Edge Servers in multiple locations are supported for remote user access.
If the next hop internally from the Edge Server is to a load-balanced array of Directors, you must use the virtual IP address of the Director array for the next hop when you configure the Edge Server.
An Edge Server is supported by both the Standard Edition Server license or product key and the Enterprise Edition Server license or product key.
Joining the Edge Server to a domain is supported but not recommended. An Edge Server should never be part of domain in the internal network.
Certificates
Each Edge Server must have an internal certificate. All three edge services on that server share this certificate. The subject name of the certificate must match the internal FQDN of the Access Edge service of that Edge Server.
Each Edge Server requires two external certificates—one for the Access Edge service, and one for the Web Conferencing Edge service. Each of these certificates must have a subject name that matches the external FQDN of that edge service on that server.
An additional certificate is required for audio/video authentication. The private key of the A/V authentication certificate is used to generate authentication credentials. This can be an internal certificate, but as a security precaution, you should not use the same certificate for A/V authentication that you use for any of the Edge Server services.
For details about certificate requirements, see Planning for External User Access
Internal and External Interfaces
Each of the three services running on an Edge Server has a separate external and internal interface and can use a separate physical network adapter (recommended), or all services can use a single multi-homed network adapter. The recommended configuration is for each of the three services to have different IP addresses, so that each service can use its default port settings.
Using different DNS names for each of the two interfaces is required. A unique IP address and a unique domain name are required for the internal and external interface. A multi-homed network adapter that uses the same DNS name, and therefore the same IP address, for both internal and external interfaces is not supported.
For single, non-scaled Edge Server deployments (single Edge Server in a location), it is recommended that the IP address of the external interface of the A/V Edge service is publicly routable. However, the external firewall can function as a NAT (network address translation) for this IP address in this scenario.
For scaled Edge Server deployments (multiple Edge Servers in a location), the IP address of the external interface of the A/V Edge service must be publicly routable. The external firewall must not function as a NAT for this IP address. This requirement does not apply to other Edge Server services.
The internal firewall must not function as a NAT for the internal IP address of the A/V Edge service. The internal IP address of the A/V Edge service must be fully routable from the internal network to the internal IP address of the A/V Edge service.