DNS Requirements for External User Access

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Topic Last Modified: 2015-03-09

An Edge Server runs three services—Access Edge service, Web Conferencing Edge service, and A/V Edge service. Each of these services has a separate external and internal interface. Each of these services requires a separate external IP address/port combination; the recommended configuration is for each of the three services to have different IP addresses, so that each service can use its default port settings.

Specific Domain Name System (DNS) settings must be configured on each external and internal interface. In general, this includes configuring DNS records to point to appropriate servers in the internal network and configuring DNS records as appropriate for each service.

Note

To prevent DNS SRV spoofing and ensure that certificates provide valid ties from the user Uniform Resource Identifier (URI) to real credentials, Office Communications Server 2007 R2 requires that the name of the DNS SRV domain match the server name on the certificate. The subject name (SN) must point to sip.<domain>.

The following table provides details about each DNS record required for the Edge Servers.

Note

The port numbers referenced in the following table and elsewhere in this documentation are typically the default ports. If you use different port settings, you will need to modify the procedures in this documentation accordingly.

Table 1. Required DNS Records for Edge Servers

Columns: Internal/external record; Server; DNS settings

Internal/external record: External
Server: Edge Server
DNS settings:

  • To support DNS discovery of your domain by federation partners. An external SRV record for one Edge Server for _sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the SIP domain of your organization). This SRV should point to an A record with the external fully qualified domain name (FQDN) of the Access Edge service. If you have multiple SIP domains, you need a DNS SRV record for each domain. The Edge Server you choose for this SRV record will be the Edge Server through which all federation traffic will flow.

  • To support external user access through Microsoft Office Communicator and the Microsoft Office Live Meeting client. A DNS SRV record for _sip._tls.<domain>, over port 443, where <domain> is the name of your organization’s SIP domain. This SRV record must point to the A record of the Access Edge service. If you have multiple SIP domains, you need a DNS SRV record for each domain; each SRV record can point to a different Edge Server, if you want, to spread the workload.

    Note

    If multiple DNS records are returned to a DNS SRV query, the Access Edge service always picks the DNS SRV record with the lowest numerical priority and highest numerical weight. If multiple DNS SRV records with equal priority and weight are returned, the Access Edge service will pick the SRV record that came back first from the DNS server.

  • To resolve domain lookups for the Access Edge service. For each supported SIP domain in your organization, an external A record for sip.<domain> that resolves to the external IP address of the Access Edge service (or to the virtual IP address used by the Access Edge services on the external load balancer, if you have multiple Edge Servers deployed). If a client cannot perform an SRV record lookup to connect to the Access Edge service, it uses this A record as a fallback.

  • To resolve domain lookups for the Web Conferencing Edge service. An external DNS A record that resolves the external name of the Web Conferencing Edge service to the external IP address of the Web Conferencing Edge service (or to the virtual IP address used by the Web Conferencing Edge services on the external load balancer, if you have multiple Edge Servers deployed).

  • To resolve domain lookups for the A/V Edge service. An external DNS A record that resolves the external FQDN of the A/V Edge service to the external IP address of the A/V Edge service (or to the virtual IP address used by the A/V Edge services on the external load balancer, if you have multiple Edge Servers deployed).

Internal/external record: External
Server: Reverse proxy
DNS settings:

  • To support Web conferencing for external users. An external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy.

  • To support access to Device Update Service by external devices. An external DNS A record that resolves the external IP address of the reverse proxy to the IP address of the Office Communications Server 2007 R2 Enterprise pool or Standard Edition server hosting Device Update Service. For details, see Device Update Service.

Internal/external record: Internal
Server: Edge Server
DNS settings:

You must set up internal DNS A records so that Office Communications Server 2007 R2 servers within the organization can connect to the internal interface of the Edge Server.

If you have a single Edge Server at one site:

  • You need just one internal DNS A record that resolves the internal FQDN of the Edge Server to the internal IP address of the Edge Server.

  • Additionally, if the A/V Edge service is behind a NAT, you must ensure that the Edge Server can resolve its public FQDN within the perimeter network. To test this, log on directly to the Edge Server itself, ping the external FQDN of the A/V Edge service (for example, av.contoso.com), and ensure that the IP address returned is the public IP address listed in your external DNS. If the IP address returned is the NAT IP address, then edit the DNS A record used by the Edge Server so it contains the public IP address, and restart the A/V Edge service.

If you have multiple Edge Servers at one site, you need the following DNS records:

  • One internal DNS A record that resolves the internal FQDN of the Access Edge service array to the virtual IP (VIP) of the Access Edge service array on the internal load balancer.

  • One internal DNS A record that resolves the internal FQDN of the A/V Edge service array to the VIP of the A/V Edge service array on the internal load balancer.

  • For each Edge Server, an internal DNS A record that resolves the internal FQDN of the Web Conferencing Edge service on that server to the internal IP address of the Web Conferencing Edge service on that server.
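As an added example (not code from this page or from Microsoft), the following Python script applies the external record requirements and the SRV selection rule from the table above to a constructed set of resolver answers; the contoso.com names, the 203.0.113.10 address and the check function itself are assumptions for illustration.

```python
# Added example, not from the page: offline check of the external DNS records
# this page requires for one SIP domain. All resolver data below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str  # FQDN the SRV points at; it must have an A record

# SRV owner-name prefix -> default port given on this page
REQUIRED_SRV = {
    "_sipfederationtls._tcp": 5061,  # DNS discovery by federation partners
    "_sip._tls": 443,                # Communicator / Live Meeting sign-in
}

def pick_srv(records):
    """Access Edge selection rule from the page's note: lowest numerical
    priority, then highest numerical weight; remaining ties go to the record
    the DNS server returned first (sorted() is stable, so order survives)."""
    ranked = sorted(records, key=lambda r: (r.priority, -r.weight))
    return ranked[0] if ranked else None

def check_sip_domain(domain, srv_answers, a_records, cert_subject):
    """Return a list of problems (empty = record set looks correct).
    srv_answers: {owner: [Srv, ...]} in resolver order; a_records: {fqdn: ip}."""
    problems = []
    fallback = f"sip.{domain}"  # used by clients when the SRV lookup fails
    if fallback not in a_records:
        problems.append(f"missing fallback A record {fallback}")
    if cert_subject.lower() != fallback:  # page: certificate SN must be sip.<domain>
        problems.append(f"certificate SN {cert_subject} should be {fallback}")
    for prefix, default_port in REQUIRED_SRV.items():
        owner = f"{prefix}.{domain}"
        chosen = pick_srv(srv_answers.get(owner, []))
        if chosen is None:
            problems.append(f"missing SRV record {owner}")
        elif chosen.port != default_port:
            problems.append(f"{owner}: port {chosen.port}, default is {default_port}")
        elif chosen.target not in a_records:
            problems.append(f"{owner}: target {chosen.target} has no A record")
    return problems

# Constructed sample answers for contoso.com (documentation-range IP, not real)
SAMPLE_SRV = {
    "_sipfederationtls._tcp.contoso.com": [Srv(0, 0, 5061, "sip.contoso.com")],
    "_sip._tls.contoso.com": [Srv(10, 5, 443, "sip.contoso.com"),
                              Srv(0, 100, 443, "sip.contoso.com")],
}
SAMPLE_A = {"sip.contoso.com": "203.0.113.10"}
```

With real answers from a resolver in place of the sample dictionaries, a non-empty result lists the records to fix before testing sign-in with the Remote Connectivity Analyzer.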

Note

You can use the Office Communications Server Remote Connectivity Analyzer tool to test remote unified communications client connectivity with the external edge interface of your Office Communications Server deployment. This tool can identify DNS name resolution issues for both manual TLS and automatic client sign-in, including DNS configuration issues, TLS connectivity issues, and NTLM domain credential issues for remote user sign-in. You can access and run the tool from the Office Communications Server Remote Connectivity Analyzer Web site at https://www.testocsconnectivity.com. For details about using the tool, see Validate Edge Server Configuration and Connectivity.