OCS Migration


  • 8/8/2019 OCS Migration

    1/81

Published: July 2007

Updated: October 2007

Migrating to Microsoft Office Communications Server 2007


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows Server, Active Directory, SQL Server, and MSN are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.


    Phase 1: Upgrade Your Perimeter Network and Director 3

Contents

Introduction ... 5
Terminology ... 5
Before You Begin ... 6
Planning Your Migration ... 6
Third-Party Applications ... 9
Coexistence with Live Communications Server 2005 with SP1 ... 9
Phase 1: Upgrade Your Perimeter Network and Director ... 12
Overview of Steps ... 12
Step 1 Configure DNS Records for Your Edge Servers ... 16
Step 2 Configure a Reverse Proxy ... 20
Step 3 Deploy a New Edge Server ... 20
Step 4 Configure Certificates on the Internal Interface of Your Edge Servers ... 22
Step 5 Configure Certificates on the External Interface of Your Access Edge Server ... 33
Step 6 Start Services ... 41
Step 7 Configure Federation on Your Access Edge Server ... 42
Step 8 Configure Your Internal Environment to Use the New Edge Server ... 43
Step 9 Change Your Firewall Settings or DNS Settings to Use the IP Address of Your New Access Edge Server ... 45
Step 10 Validate the Configuration of Your Access Edge Server ... 46
Step 11 Test Connectivity Between Remote Users, Federated Users and Public IM Connectivity ... 47
Step 12 Deploy an Office Communications Server 2007 Director (optional) ... 47
Step 13 Remove Your Live Communications Server 2005 SP1 Director and Access Proxy ... 55
User Experience in Phase 1 ... 56
Phase 2: Deploy Internal Office Communications Servers and Migrate Users ... 56
Step 2.1 Deploy Standard Edition Server or Enterprise Pool ... 57
Step 2.2 Deploy Archiving and CDR Server If Required ... 58
Step 2.3 Verify that User Replication Completed ... 61
Step 2.4 Back Up User Data on the Existing Live Communications Server 2005 with SP1 ... 63
Step 2.5 Export User Data from Live Communications Server 2005 with SP1 ... 63


Step 2.6 Move Users to Office Communications Server 2007 ... 65
Step 2.7 Configure Users ... 67
Step 2.8 Transfer Remote Call Control Settings As Necessary ... 69
Step 2.9 Validate the Configuration and Connectivity of the Server or Pool ... 72
User Experience in Phase 2 ... 74
Phase 3: Enable Pilot Users for Enhanced Presence and New Features and Deploy New Clients ... 75
Step 3.1 Enable Enhanced Presence for Your Pilot Users ... 76
Step 3.2 Deploy Office Communicator 2007 to Your Pilot Users ... 77
Step 3.3 Deploy the Live Meeting 2007 Client to Your Pilot Users ... 77
User Experience in Phase 3 ... 77
Phase 4: Introduce New Edge Server Roles ... 77
User Experience in Phase 4 ... 78
Phase 5: Continue Phased Migration for Additional User Groups ... 78
Phase 6: Deprecate Your Live Communications Server 2005 SP1 Servers ... 78
Remove Live Communications Server 2005 SP1 Standard Edition ... 78
Remove Live Communications Server 2005 with SP1 Enterprise Edition ... 79


Introduction

Migrating to Microsoft Office Communications Server 2007 guides you through the process of upgrading from Microsoft Office Live Communications Server 2005 with Service Pack 1 to Microsoft Office Communications Server 2007 and for deploying Office Communications Server 2007 in an existing Live Communications Server 2005 SP1 deployment. If you intend for your Office Communications Server 2007 deployment to coexist with a Live Communications Server 2005 SP1 deployment, this guide includes some essential information for operating such a mixed environment.

This guide provides information specific to upgrading your existing deployment. It does not explain how to change your existing topology. Because much of the detailed planning and deployment information and procedures are provided in other Office Communications Server 2007 documentation, that information is not duplicated in this guide. When a detailed procedure is documented elsewhere, this guide directs you to the appropriate document.

In addition to this guide, you need the following documentation:

Microsoft Office Communications Server 2007 Planning Guide
Microsoft Office Communications Server 2007 Edge Server Deployment Guide
Microsoft Office Communications Server 2007 Active Directory Guide
Microsoft Office Communications Server 2007 Enterprise Edition Deployment Guide
Microsoft Office Communications Server 2007 Standard Edition Deployment Guide
Microsoft Office Communications Server 2007 Archiving and CDR Server Deployment Guide
Microsoft Office Communicator 2007 Deployment Guide
Deploying the Microsoft Office Live Meeting 2007 Client with Office Communications Server 2007

Terminology

Anonymous user: An external user who does not have credentials in the Active Directory Domain Services.

A/V: audio/video.

Direct federation: In Live Communications Server 2005, a form of federation in which two organizations explicitly designate each other as trusted federated partners. In Office Communications Server 2007, this term is not used; you achieve the same functionality by not configuring your Access Edge Server to automatically discover federated partners by using DNS.

Edge server: An Office Communications Server 2007 server that resides in the perimeter network and provides connectivity for external users, federated partners, and public IM connections. Each edge server has one or more of the following roles: Access Edge Server, Web Conferencing Edge Server, or A/V Edge Server.


Enhanced federation: In Live Communications Server 2005, an organization-to-organization federation that uses DNS-SRV resolution to identify the Access Proxy for each partner. In Office Communications Server 2007, this term is not used. You achieve the same functionality by configuring your Access Edge Server to use DNS to automatically discover federated partners.

External user: A user who connects from outside the organization's firewall. External users include anonymous users, federated users, and remote users.

External IP address: An IP address that is accessible from the Internet or from another network that is outside the organization.

Federated user: An external user who possesses valid credentials with a federated partner and who is therefore treated as authenticated by Office Communications Server.

Internal IP address: An IP address that is accessible from the internal network of an organization.

PSOM: Persistent Shared Object Model. A custom protocol for transporting Web conferencing content.

Remote user: An external user with a persistent Active Directory identity within the organization.

Side-by-side migration: Deploying an upgraded software version on a separate computer from the one that is running the original version, transferring essential data to the new computer, making the new computer operational, and then taking the legacy computer offline. Note: Side-by-side migration is not supported for Access Proxy and an Office Communications Server 2007 Access Edge Server.

SIP: Session Initiation Protocol, a signaling protocol for Internet telephony.

Web farm: A collection of server computers that host a single Web site.

Before You Begin

Ensure that Live Communications Server 2005 with SP1 servers have the following QFEs installed in the following order:

1. QFE available from Microsoft Web site: http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=kb911996.
2. QFE available from Microsoft Web site: http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=kb921543.

These QFEs are required for coexistence with Office Communications Server 2007. They must be installed on all Live Communications Server 2005 with SP1 servers, with the exception of the back-end database server for an Enterprise pool.

Planning Your Migration

The only migration path, when you have Live Communications Server 2005 with SP1 Access Proxies deployed, is to migrate your environment from the outside in. You must first replace your Access Proxies with Office Communications Server 2007 Access Edge Servers before you can migrate to Office Communications Server 2007 in your internal environment.

If you are running Live Communications Server 2003, you must first migrate to Live Communications Server 2005 with SP1, and then you can migrate to Office Communications Server 2007.

To minimize service downtime, we recommend a phased approach in which you upgrade all the servers of a particular type at one time. The supported order is as follows:

1. QFE available from Microsoft Web site: http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=kb911996.
2. Replace Access Proxies in the perimeter network with Access Edge Servers.
3. Replace Directors.
4. Install Enterprise pools and Standard Edition servers.
5. Install Archiving and CDR Servers as necessary.

At this point, you can move some pilot users to the new deployment to test the behavior of IM and presence.

After you have ensured that IM and presence are working correctly in your environment, you can deploy Web Conferencing Edge Servers and A/V Edge Servers in your perimeter network. After you have ensured that Web conferencing and A/V conferencing work properly, you can move the rest of your users to the new deployment and take the Live Communications Server offline.

Planning your upgrade to Office Communications Server 2007 should include the following:

Understanding the basic migration process
Understanding coexistence issues
Planning user migration
Determining your requirements for additional hardware

Table 1 summarizes the phases of the migration as they are presented in this guide. The table also notes changes to the user experience as the migration proceeds.

Table 1 Migration Phases and User Experience

Phase 1: Upgrade your perimeter network and Director
Description: Introducing new Office Communications Server 2007 Access Edge Servers and Directors into your Live Communications Server 2005 SP1 environment.
User experience: No changes. Users continue to use the Microsoft Office Communicator 2005 client and have the same IM and presence functionality.

Phase 2: Deploy internal Office Communications Servers
Description: Deploying a new Office Communications Server 2007 Enterprise pool or Standard Edition server and an Archiving and CDR Server, if required, and moving users to the new server or pool.
User experience: No changes. Users continue to use Office Communicator 2005 and have the same IM and presence functionality.

Phase 3: Enable pilot users for enhanced presence and roll out new clients
Description: Enabling selected users for enhanced presence and rolling out Microsoft Office Communicator 2007 and the Microsoft Office Live Meeting 2007 client to the pilot users.
User experience: Pilot users are able to use the full functionality of Office Communicator 2007 when they communicate with other pilot users internally. After they are enabled for enhanced presence, these users can no longer sign in to an Office Communicator 2005 client or to previous versions of Communicator Web Access or of the Communicator Mobile clients. When communicating with Office Communicator 2005 users, pilot users are able to use new features in Office Communications Server 2007. After the Live Meeting 2007 client is rolled out to your pilot users, they can participate in internal Web conferences that are hosted on your Office Communications Servers.

Phase 4: Introduce new edge server roles
Description: Deploying Web Conferencing Edge Servers and A/V Edge Servers in your perimeter network.
User experience: Pilot users are able to use the new Web conferencing and audio/video capabilities when connecting remotely.

Phase 5: Continue phased migration of additional users
Description: Enabling users for enhanced presence and rolling out Office Communicator 2007 and the Live Meeting 2007 client to the other users.
User experience: Office Communicator 2007 users are able to use the full functionality of Office Communicator 2007 when communicating with other Office Communicator 2007 users. When communicating with Office Communicator 2005 users, users of the upgraded client are not able to use new features in Office Communications Server 2007. After the Live Meeting 2007 client is rolled out, users can participate in Web conferences that are hosted on your Office Communications Server whether they are signed in internally or remotely.

Third-Party Applications

If you are running third-party applications on your Live Communications Server 2005 SP1 servers, be aware that changes have been made to the server and protocol infrastructure that might affect these programs. You still need to test these applications to ensure that they work properly with Office Communications Server 2007. For more information, contact the vendor of your applications.

If you are running applications that are based on code examples from the Live Communications Server 2005 with SP1 Software Development Kit, the applications must be updated before they will work with Office Communications Server 2007. For more information, see the Office Communications Server 2007 SDK documentation.

The Live Communications Server 2005 with SP1 Network of Origination Icon sample is not supported on Office Communications Server 2007. In Office Communications Server 2007, for federated users on a user's Contacts list, the user sees the same icon for all contacts that are outside the organization instead of seeing the icon for the network of origin. If the user moves the pointer over the contact in Office Communicator, the SIP URI for the federated user appears.

Coexistence with Live Communications Server 2005 with SP1

Both the Standard Edition and Enterprise Edition of Office Communications Server 2007 are designed to coexist with Live Communications Server 2005 with SP1 Standard Edition servers and Enterprise pools. Preparing the Active Directory for Office Communications Server also provides backward compatibility with Live Communications Server 2005 with SP1.

If you are planning to deploy Office Communications Server 2007 in a mixed environment with Live Communications Server 2005 with SP1, there are other issues you need to be aware of:

Every domain that contains Live Communications Server 2005 SP1 users or servers must be prepared for Office Communications Server 2007.

Archiving services for each version are compatible only with servers of the same version.

All servers in a pool or in an edge server array must be of the same version, but servers or pools of different versions can be connected to the same load balancer.


Users who are enabled for enhanced presence and who sign in by using Office Communicator 2007 can no longer use Microsoft Office Communicator 2005 or the 2005 releases of Communicator Web Access and Communicator Mobile. Additionally, such users cannot access specific components of Live Communications Server 2005 with SP1.

The A/V conferencing features of Office Communications Server 2007 are not available to users who are hosted on Live Communications Server 2005 with SP1 or to any users who are using Office Communicator 2005.

For Web conferencing, only users hosted on Office Communications Server 2007 can organize Web conference meetings. However, any user can attend, provided they have the ability to install the Live Meeting 2007 client. For more information about deploying Live Meeting 2007, see Deploying the Microsoft Office Live Meeting 2007 Client with Office Communications Server 2007.

The administrative snap-ins for Live Communications Server 2005 with SP1 and Office Communications Server 2007 are not mutually compatible. Each can be used to administer only servers of the corresponding version.

All external users, including federated users, can connect through Office Communications Server 2007 Access Edge Servers and Directors, even if they are hosted on Live Communications Server 2005 with SP1.

The following sections explain the implications of these issues.

Archiving Interoperability

You must archive all traffic on Office Communications Server 2007 servers by using an Office Communications Server 2007 Archiving and CDR Server. Similarly, you must archive all traffic on Live Communications Server 2005 SP1 servers by using the Live Communications Server 2005 with SP1 Archiving Service.

The default behavior is different for the different versions. In Office Communications Server 2007, both global archiving and individual user archiving are disabled by default, but Live Communications Servers retain their existing global settings. This means that if archiving is enabled in global settings on all your Live Communications Servers, this setting is retained on all your Live Communications Server 2005 with SP1 servers.

In a coexistence scenario, conversations initiated by a user hosted on a Live Communications Server 2005 with SP1 server use the forest-level settings enabled in the Live Communications Server 2005 SP1 environment. Conversations initiated by a user hosted on Office Communications Server 2007 use the global settings configured in Office Communications Server 2007.

Note: To access the global archiving settings, right-click the forest node, point to Properties, click Global Properties, and then click the Archiving tab. For more information, see the Microsoft Office Communications Server 2007 Administration Guide.


Using Load Balancers

Servers of different versions cannot coexist in a single pool or an edge server array. You can, however, connect a Live Communications Server 2005 with SP1 pool and an Office Communications Server 2007 pool to the same load balancer. For example, if you have an array of Live Communications Server 2005 with SP1 Access Proxies attached to a load balancer, you can also simultaneously attach an Office Communications Server 2007 edge server array to the same load balancer.

Adding Live Communications Server 2005 SP1 Servers During Coexistence

Because Active Directory preparation is backwards compatible with the Live Communications Server 2005 SP1 Active Directory schema, you can add new Live Communications Server 2005 with SP1 servers to any domain where domain preparation for Live Communications Server was run before Office Communications Server 2007 Active Directory preparation.

During coexistence, if you do not run the Live Communications Server 2005 Active Directory domain preparation steps in a domain (a new domain, for example) before the Office Communications Server 2007 Active Directory preparation, you cannot install any Live Communications Server 2005 SP1 servers in that domain.

Microsoft Office Communicator

By default, users who are homed on Office Communications Server 2007 can be enabled for enhanced presence, but Office Communicator 2007 is required for users to take advantage of this feature. Users who are moved from a Live Communications Server 2005 SP1 server to an Office Communications Server 2007 server can use the Microsoft Office Communicator 2005 client. Such a user cannot, however, take advantage of the enhanced presence and A/V conferencing features of Office Communications Server 2007.

After a user who is enabled for enhanced presence has signed in by using Office Communicator 2007, that user can no longer use Office Communicator 2005 or sign in to Live Communications Server 2005 with SP1. Additionally, such a user can no longer sign in to Communicator Web Access (2005 release) or to Communicator Mobile (2005 release).

If you plan to deploy in a mixed environment, you must make the appropriate clients available to all your users. For details about migrating to the 2007 release of Communicator Web Access, see the Microsoft Office Communicator Web Access (2007 release) Planning and Deployment Guide.

Administrative Snap-Ins

In general, you must use the administrative snap-in that corresponds to the server version that you want to manage. The only exception is that you use the Office Communications Server 2007 snap-in to move users from Live Communications Server 2005 with SP1 to Office Communications Server 2007.


Use the 2005 Administrative Snap-In

To manage Live Communications Server 2005 SP1 users and servers. You can also use Active Directory Users and Computers on Live Communications Server 2005 SP1 or on a computer with the Live Communications Server 2005 SP1 administrative snap-in installed.

Although Office Communications Server pools are visible from Live Communications Server 2005 SP1, you should use only Office Communications Server to move users hosted on Office Communications Server. Moving Office Communications Server users from the 2005 administrative snap-in is not supported.

Use the 2007 Administrative Snap-In

To move Live Communications Server 2005 SP1 users to Office Communications Server 2007.

To manage users on Office Communications Server 2007 after moving them from Live Communications Server 2005 SP1.

To manage all Office Communications Server 2007 servers.

The Live Communications Server 2005 SP1 administrative snap-in and the Office Communications Server 2007 administrative snap-in cannot be installed on the same computer.

External User Access

External users, such as remote users, who are hosted on Live Communications Server 2005 with SP1 and users of Office Communicator 2005, regardless of where they are hosted, can sign in by using the Office Communications Server 2007 Edge Servers and Directors for functionality that is supported by Live Communications Server 2005 with SP1. These users cannot, however, take advantage of the additional features that are offered by Office Communications Server 2007.

Phase 1: Upgrade Your Perimeter Network and Director

In the initial phase of migration, if you have deployed public IM connectivity, remote user access or federation in your Live Communications Server 2005 SP1 environment, you begin by deploying an Office Communications Server 2007 Edge Server. This server replaces your existing Live Communications Server 2005 SP1 Access Proxy.

Overview of Steps

Upgrading your perimeter network involves the following steps:

1. Configure the necessary DNS records for your new edge server.

2. Deploy your Office Communications Server 2007 Access Edge Server before any internal servers. The single site edge topology or scaled single-site edge topology is recommended for your initial edge deployment. This topology allows you to add a load balancer later for growth.


Deploy the new edge server topology alongside your existing Live Communications Server 2005 SP1 Access Proxy, but do not change your firewall setting to point to the new IP address used by the Office Communications Server 2007 edge servers until you have completed the following steps. You must use an internal and external IP address that is different from your existing Access Proxy.

It is strongly recommended that you use the same external FQDN for your new Access Edge Server as you did for your Live Communications Server 2005 SP1 Access Proxy. If you do this, you can use the same certificate. If you have purchased a license for public IM connectivity, you do not need to go through the provisioning process again. If you use a different FQDN, you must obtain new certificates and re-provision public IM connectivity. Additionally, you must notify any federated partners of the change to your external FQDN. These partners can then change their configurations to point to your new FQDN to federate with your organization, or, if they are using enhanced federation or an Office Communications Server 2007 Access Edge Server with automatic DNS discovery, they can simply add your domain on the Allow tab. Also, if you use manual configuration for your Office Communicator clients, you must update this configuration to point to the new Access Edge Server FQDN.

3. Configure certificates on your new Office Communications Server 2007 edge server. This process varies depending on the following conditions:

Internal certificate configuration.

o If your organization has a firewall between the Live Communications Server 2005 SP1 Access Proxy and your internal servers, you can use the same certificate on the internal interface of your new Access Edge Server as you used on the internal interface of your existing Access Proxy.

o If your organization does not have an internal firewall, the Director or your internal Standard Edition server or Enterprise pool that is used for the global federation route needs to differentiate the new Access Edge Server from the 2005 Access Proxy, so you can either use a new certificate on the Access Edge Server or update DNS settings.

o If you use a different internal FQDN on your new edge server, you must obtain a new certificate from the certificate authority you use for internal certificates.

External certificate configuration.

o If you use the same external FQDN for your Access Edge Server, and do not want your Access Edge Server to be discoverable through DNS SRV records for multiple SIP domains in your organization, you can use the same certificate on the external interface of your Access Edge Server as you did on your Live Communications Server 2005 Access Proxy.

Note: If your Access Edge Server is not discoverable through DNS SRV records, organizations federating with your organization must manually add your SIP domains and your Access Edge Server FQDN in the Allow List on their Access Edge Servers.


     o If you plan to enable automatic discovery of federated domains, and you have multiple SIP domains, you must re-issue your external certificate with each supported SIP domain configured as sip.<domain> in the subject alternate name.

     o If you use a different external FQDN for your Access Edge Server, you must configure a new external certificate.

4. If you plan to enable external access to on-premise Web conferences, configure an HTTP reverse proxy for use with the Web Components. (Because this step is independent of the other configuration steps, it can be performed at any point.)

5. Configure your internal servers to communicate with your new Access Edge Server. Depending on whether you have a Director deployed, you make configuration changes in one of two ways:

   • If you have a Live Communications Server 2005 SP1 Director deployed, after you deploy your Access Edge Server you can simply update your Director settings to route external traffic to and from the new Access Edge Server.

   • If you do not have a Live Communications Server 2005 SP1 Director deployed, all your internal servers and pools are routing external traffic directly to and from the Access Proxy. After you deploy your Access Edge Server, you must configure your internal servers and pools to route directly to the new Access Edge Server.

6. Configure your external firewall to point to the new external IP address of the Office Communications Server 2007 edge servers and update any required DNS settings. At this point, all federation, remote user access, and public IM connectivity traffic traverses the new Office Communications Server Edge Server.

These changes are transparent to your users. If problems occur, you can simply:

   • Point your Director or your internal servers and pools back to the existing Live Communications Server 2005 SP1 Access Proxy.

   • Point your firewall back to the external IP address of your Live Communications Server 2005 SP1 Access Proxy.

Figure 1 New Access Edge Server in Your Existing Topology


7. Test your new topology by signing in with an Office Communicator 2005 user and testing communications scenarios between internal users, remote users, federated users, and users on a public IM network (if you use public IM connectivity).

8. If you do not use a Director, skip this step. If you use a Director, after confirming that external traffic is flowing correctly from the new Access Edge Server to the Live Communications Server 2005 SP1 Director, install and configure an Office Communications Server 2007 Director so that it communicates with your new Edge Server, and configure your new Edge Server to route to the 2007 Director. Although a Director is not required, it is strongly recommended. If problems occur, you can simply point your Access Edge Server back to your existing Live Communications Server 2005 SP1 Director.

At this point, your topology should look similar to the following:


Figure 2 New Access Edge Server and Director in Your Existing Topology

Step 1 Configure DNS Records for Your Edge Servers

Before you deploy your edge server topology, you must configure the required DNS records. The default port for external user access has changed from port 5061 to port 443. We recommend port 443 to ensure that connectivity from Office Communicator and the Live Meeting 2007 client to the server is not blocked by any external HTTP proxy servers or firewalls that do not allow connectivity to 5061.

To change the remote access port from 443 to 5061, you might need to make the following changes to your existing DNS records:

   • For external clients that allow Office Communications Server to configure their connection automatically, change your DNS SRV record for _sip._tls.<domain> that points to the external interface of the Access Edge Server to use port 443.

   • If your external clients are manually configured, you might need to change the external server name using the Group Policy object. For more information, see the Microsoft Office Communicator 2007 Deployment Guide.

Table 2 describes the DNS records that you must configure for the external interface and the internal interface of edge servers in the single-site edge topology and the scaled single-site edge topology. If you are deploying a different topology, see the Microsoft Office Communications Server 2007 Edge Server Deployment Guide. For information about configuring these DNS records, see the documentation for your DNS server.


The following table describes the DNS records that must be configured for the external interface and the internal interface of edge servers in the single-site edge topology.

Table 2 DNS Records for the Single-Site Edge Topology

Interface: External
Server: Collocated Access Edge Server
DNS settings:
   • An external SRV record for all Access Edge Servers for _sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the SIP domain of your organization). This SRV should point to an A record with the external FQDN of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each domain. This SRV record supports federation and public IM connectivity.
   • A DNS SRV (service location) record for _sip._tls.<domain>, over port 443, where <domain> is the name of your organization's SIP domain. This SRV record must point to the A record of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each domain. This SRV record supports external user access through Office Communicator and the Live Meeting client.
     Note: Configuring multiple SRV records for the same SIP domain is not supported. If multiple DNS records are returned to a DNS SRV query, the Access Edge Server always picks the DNS SRV record with the lowest numerical priority and highest numerical weight.
   • For each supported SIP domain in your organization, an external DNS A record for sip.<domain> that points to the external interface of the Access Edge Server and resolves to the external IP address on the firewall. If you have multiple SIP domains, you need a DNS A record for each. If a client cannot perform an SRV record lookup to connect to the Access Edge Server, it uses this A record as a fallback.
   • An external DNS A record that resolves the external FQDN of the Web Conferencing Edge Server to its external IP address.

Server: Reverse proxy
DNS settings:
   • An external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy.

Interface: Internal
Server: Access Edge Server
DNS settings:
   • An internal DNS A record that resolves the internal FQDN of the Access Edge Server to its internal IP address.

The following table describes the DNS records that must be configured for the external interface and the internal interface of edge servers in the scaled single-site edge topology.


Table 3 DNS Records for the Scaled Single-Site Edge Topology

Interface: External
Server: Access Edge Server
DNS settings:
   • An external SRV record for all Access Edge Servers for _sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the SIP domain of your organization). This SRV should point to an A record that resolves the external FQDN of the Access Edge Server array to the VIP address used by the Access Edge Server array on the external load balancer. If you have multiple SIP domains, you need a DNS SRV record for each domain. This SRV record supports federation and public IM connectivity.
   • A DNS SRV (service location) record for _sip._tls.<domain>, over port 443, where <domain> is the name of your organization's SIP domain. This SRV record must point to the A record of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each domain. This SRV record supports external user access through Office Communicator and the Live Meeting client.
     Note: Configuring multiple SRV records for the same SIP domain is not supported. If multiple DNS records are returned to a DNS SRV query, the Access Edge Server always picks the DNS SRV record with the lowest numerical priority and highest numerical weight.
   • For each supported SIP domain in your organization, an external DNS A record for sip.<domain> that points to the external interface of the Access Edge Server and resolves to the external IP address on the firewall. If you have multiple SIP domains, you need a DNS A record for each. If a client cannot perform an SRV record lookup to connect to the Access Edge Server, it uses this A record as a fallback.
   • An external DNS A record that resolves the external FQDN of the Web Conferencing Edge Server array to the VIP address used by the Web Conferencing Edge Server array on the external load balancer.

Server: Reverse proxy
DNS settings:
   • An external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy.

Interface: Internal
Server: Access Edge Server
DNS settings:
   • An internal DNS A record that resolves the internal FQDN of the Access Edge Server array to the virtual IP address used by the Access Edge Servers on the internal load balancer.
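The record rules in the two tables above (one SRV per SIP domain, selection by lowest priority and then highest weight, an A record behind every SRV target, and the sip.<domain> A record as the client fallback) can be checked before the zone goes live. The script below is an added example, not part of this guide or of any Microsoft tool: it audits a constructed zone excerpt embedded in the script instead of querying DNS, and the domain names, host names and addresses in it are made up.

```shell
#!/bin/sh
# Added example, not from the migration guide: audits a constructed zone
# excerpt against the record rules of Tables 2 and 3 and shows which SRV
# record a client ends up using. Names and addresses below are made up.

ZONE_FILE="$(mktemp)"
cat > "$ZONE_FILE" <<'EOF'
; constructed excerpt: owner  type  data  (SRV data = priority weight port target)
_sip._tls.contoso.com                SRV  0  0  443   sip-edge.contoso.com
_sipfederationtls._tcp.contoso.com   SRV  0  0  5061  sip-edge.contoso.com
_sip._tls.fabrikam.com               SRV  0  0  443   sip-edge.contoso.com
_sipfederationtls._tcp.fabrikam.com  SRV  0  5  5061  sip-edge.contoso.com
_sipfederationtls._tcp.fabrikam.com  SRV  0  10 5061  old-proxy.contoso.com
sip-edge.contoso.com                 A    203.0.113.10
sip.contoso.com                      A    203.0.113.10
sip.northwind.com                    A    203.0.113.10
EOF

# SRV data ("priority weight port target") that a client would use for an
# owner name: lowest numerical priority first, then highest weight, which is
# the order the guide describes. Prints nothing when no SRV record exists.
pick_srv() {
    awk -v n="$1" '$1 == n && $2 == "SRV" { print $3, $4, $5, $6 }' "$ZONE_FILE" |
        sort -k1,1n -k2,2nr | head -n 1
}

# Address of an A record, or nothing when the name has no A record.
lookup_a() {
    awk -v n="$1" '$1 == n && $2 == "A" { print $3; exit }' "$ZONE_FILE"
}

# Where an external Office Communicator client connects for a SIP domain:
# the _sip._tls SRV target, or sip.<domain> on 443 as the documented fallback.
client_target() {
    domain="$1"
    srv="$(pick_srv "_sip._tls.$domain")"
    if [ -n "$srv" ]; then
        set -- $srv                      # $1=priority $2=weight $3=port $4=target
        echo "$4 $3"
    elif [ -n "$(lookup_a "sip.$domain")" ]; then
        echo "sip.$domain 443"
    else
        return 1
    fi
}

# Checks one SIP domain against the table: both SRV records exist on the
# expected ports, only one SRV per owner name (more is unsupported), each
# SRV target has an A record, and the sip.<domain> fallback A record exists.
# Prints one line per problem and succeeds only when none was found.
audit_domain() {
    domain="$1"
    problems=0
    for spec in "_sip._tls:443" "_sipfederationtls._tcp:5061"; do
        owner="${spec%%:*}.$domain"
        want_port="${spec##*:}"
        count="$(awk -v n="$owner" '$1 == n && $2 == "SRV" { c++ } END { print c + 0 }' "$ZONE_FILE")"
        if [ "$count" -eq 0 ]; then
            echo "$owner: SRV record missing"
            problems=$((problems + 1))
            continue
        fi
        if [ "$count" -gt 1 ]; then
            echo "$owner: $count SRV records, only one is supported"
            problems=$((problems + 1))
        fi
        set -- $(pick_srv "$owner")      # $3=port $4=target of the chosen record
        if [ "$3" != "$want_port" ]; then
            echo "$owner: port $3, expected $want_port"
            problems=$((problems + 1))
        fi
        if [ -z "$(lookup_a "$4")" ]; then
            echo "$owner: target $4 has no A record"
            problems=$((problems + 1))
        fi
    done
    if [ -z "$(lookup_a "sip.$domain")" ]; then
        echo "sip.$domain: fallback A record missing"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

for d in contoso.com fabrikam.com northwind.com; do
    echo "== $d: client connects to $(client_target "$d" || echo 'nothing (no SRV, no fallback)')"
    audit_domain "$d" && echo "   records OK"
done
```

In the constructed zone, contoso.com passes every check, fabrikam.com shows what the table warns against (two federation SRV records for one domain, the winning one pointing at a host with no A record, no sip.fabrikam.com fallback), and northwind.com shows a client falling back to sip.<domain> on 443 because no SRV record exists. To audit a real zone, replace the embedded excerpt with an export of your external zone in the same owner/type/data layout.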

Step 2 Configure a Reverse Proxy

For Office Communications Server 2007, a reverse proxy, such as that provided by Microsoft Internet Security and Acceleration (ISA) Server, is used to enable:

   • External users to download meeting content for your Web conference meetings.

   • Remote users to expand distribution groups.

   • Remote users to download files from the Address Book Service.

This task can be performed independently of other steps in this section. For details about deploying and configuring a reverse proxy, see the Microsoft Office Communications Server 2007 Edge Server Deployment Guide.

Step 3 Deploy a New Edge Server

If you have Live Communications Server 2005 SP1 Access Proxies deployed, you must upgrade your edge topology first in the migration process. Deploy a new Access Edge Server and a Director (if you used one) before migrating your server or pool. After your internal migration is completed, you can add A/V Edge Servers and Web Conferencing Edge Servers.

If you do not have an existing Access Proxy, skip this section and proceed to Phase 2.

Before you deploy, read the Microsoft Office Communications Server 2007 Edge Server Deployment Guide to understand the supported topologies and which one is right for your organization. The single-site topology and the scaled single-site topology are recommended.

To deploy an edge server

1. For each Live Communications Server 2005 with SP1 Access Proxy in your perimeter network, install and activate an Office Communications Server 2007 Access Edge Server as described in the Microsoft Office Communications Server 2007 Edge Server Deployment Guide. Configure each Access Edge Server with the settings that are already configured on the corresponding Live Communications Server 2005 with SP1 Access Proxy.

2. As you run the Configuration Wizard, follow the instructions in the Edge Server Deployment Guide until you reach the Enable Features on Access Edge Server page.

3. On the Enable Features on Access Edge Server page, select the features that you want to enable:


   • To make it possible for remote users to use this Access Edge Server to view presence information and exchange instant messages, select the Allow remote user to access your network check box.

   • To enable federation or public IM connectivity through this Access Edge Server, select the Enable federation check box.

4. If you selected the Enable federation check box, do one of the following:

   • To use DNS to automatically locate the Access Edge Servers of your federated partners, select the Allow discovery of federation partners using DNS check box. This configuration is recommended. Select this setting if you used what was called open enhanced federation in Live Communications Server 2005 with SP1.

   • To enable public IM connectivity through this Access Edge Server, select the Federation with selected public IM providers check box, and then select the IM providers that you want to use with federated partners.

5. When you are finished, click Next.

6. On the FQDN of the Internal Next Hop Server page, if you are using a Live Communications Server 2005 SP1 Director, enter the FQDN of the Director. If you are not using a Director, enter the Live Communications Server 2005 SP1 server or pool that is used as the next hop server.

7. On the Authorized Internal SIP Domains page, for each SIP domain that your organization supports, type the name of the supported SIP domain, and then click Add. When you have entered all the supported SIP domains, click Next.

8. On the Authorized Internal Servers page, specify each internal server that can connect to your Access Edge Server. If you are routing all outbound traffic through a Director, the next hop server that you specified earlier in this procedure is automatically authorized to connect to your Access Edge Server. If you are not using a Director, type the FQDN of each Enterprise pool and Standard Edition server in your organization except the next hop server, clicking Add after each.

9. Click Next.

10. On the summary page, review the settings that you selected. If they are as you want them, click Next.

11. On the wizard completion page, select the View the log when you click Finish check box.

12. If you want to export the server settings to a configuration file so they can be imported to another edge server (to streamline the setup of that server), click Export, and then specify a location and name for the XML file to which you want to save the server settings. Configure the export settings as you want them, and then click Save.

13. Click Finish.

14. If you chose the option to view the log immediately, when the Office Communications Server 2007 Deployment Log opens in a Web browser window, verify that Success appears under Execution Result in the action column on the far right side of the screen. Optionally, expand each individual task and verify that the Execution Result shows Success for the task. When you finish, close the log window.

Step 4 Configure Certificates on the Internal Interface of Your Edge Servers

After you have installed, activated, and configured your new Access Edge Server, you must configure certificates on it. How you configure your certificates depends on whether your Access Edge Server is part of an array:

   • For a single-site edge topology, which has a single Access Edge Server, you need a certificate configured on the internal interface with a subject name that matches the internal FQDN of the edge server computer.

   • For a scaled single-site edge topology, which has a load-balanced array of Access Edge Servers, you need a certificate configured on the internal interface with a subject name that matches the internal FQDN of the VIP address that is used by the Access Edge Server on the internal load balancer. This certificate must be marked as exportable on the first computer where you configure the certificate and must then be imported on each additional computer in the Access Edge Server array.

The certificate on the internal interface of your Access Edge Server must match the DNS A record that resolves to the internal IP address of the Access Edge Server. As explained earlier, how you configured your new Access Edge Server determines the process you use to assign certificates to your new edge server:

   • If you used the same internal FQDN on your new Access Edge Server, you can configure the same certificate that you used on your existing Live Communications Server 2005 with SP1 Access Proxy. Export the certificate from your Access Proxy, and then use the Certificate Wizard to import the certificate and assign it to the internal interface of the edge server.

   • If you used a different internal FQDN on your new Access Edge Server, you must request a new certificate and assign it to the internal interface of the Access Edge Server.

Option 4.1 Configuring the Certificate with the Same Internal FQDN as the Existing Access Proxy

If you are using the same internal FQDN for your Office Communications Server 2007 Access Edge Server as the one that you used on your Live Communications Server 2005 with SP1 Access Proxy, use the following steps to set up a certificate on the internal interface for your Office Communications Server 2007 Access Edge Server. These steps are explained in detail in the following sections:

1. Export the certificate from your Live Communications Server 2005 SP1 Access Proxy.

2. Import the certificate for the internal interface on the first edge server.


3. Verify that the CA (certification authority) is on the list of trusted root CAs for each Access Edge Server.

4. If the edge server is part of an array, import the certificate on the other edge servers in the array.

5. Assign the certificate to the internal interface of each edge server.

After you export the certificate from your Live Communications Server 2005 SP1 Access Proxy, use the Certificate Wizard to complete most of the certificate setup procedures for the internal interface. You can start this wizard from the Office Communications Server 2007 installation media, as described in the following procedures, or by using the Computer Management snap-in on your Access Edge Server.

Step 4.1.1 Export the certificate from your Live Communications Server 2005 SP1 Access Proxy

Use the following procedure to export the certificate from your Live Communications Server 2005 SP1 Access Proxy.

Note: The procedures in this section are based on a Microsoft Windows Server 2003 Enterprise CA or a Windows Server 2003 R2 CA. For step-by-step guidance for any other CA, see the documentation that is provided by the CA. By default, all authenticated users have the necessary user rights to request certificates.

To export the certificate from your Live Communications Server 2005 SP1 Access Proxy

1. Log on to your Access Proxy as a member of the Administrators group.

2. Click Start, and then click Run. In the Open box, type mmc, and then click OK.

3. On the File menu, click Add/Remove Snap-in.

4. In the Add/Remove Snap-in dialog box, click Add.

5. In the Available Standalone Snap-ins list, select Certificates.

6. Click Add.

7. Click Computer account, and then click Next.

8. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.

9. Click Close, and then click OK.

10. In the console tree of the Certificates console, expand Certificates (Local Computer).

11. Expand Personal.

12. Click Certificates, and then in the result pane, right-click the certificate that is to be used on the internal interface, point to All Tasks, and then click Export.


13. In the Export Wizard, click Next.

14. Click Yes, export the private key, and then click Next.

15. On the Export file format page, click Personal Information Exchange PKCS #12 (.PFX).

16. Select the Include all certificates in the certification path if possible check box.

17. Clear the Enable strong protection check box, and then click Next.

18. Complete the wizard by accepting all remaining default values and by indicating the disk or network share where you want to save the certificate.

Step 4.1.2 Import the certificate for the internal interface on the first edge server

Use the following procedure to import the certificate to the internal interface of your Access Edge Server or of the first Access Edge Server in an array.

To import the certificate for the internal interface

1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.

2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.


3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

4. On the Welcome page, click Next.

5. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.

6. On the Import Certificate page, type the full path and file name of the certificate that you exported from the Access Proxy in the Path and file name box (or click Browse to locate and select the certificate), clear the Mark cert as exportable check box, and then click Next.

7. On the Import Certificate password page, type the password that you used when you exported the certificate from the Access Proxy in the Password box, and then click Next.

8. On the wizard completion page, verify successful completion, and then click Finish.

Step 4.1.3 Verify that the CA is on the list of trusted root CAs

For each Access Edge Server that you deploy, use the following procedure to verify that the CA for the edge server is on the list of trusted root CAs.

To verify that your CA is on the list of trusted root CAs

1. On the Access Edge Server, open an MMC console: click Start, and then click Run. In the Open box, type mmc, and then click OK.

2. On the File menu, click Add/Remove Snap-in, and then click Add.

3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.

4. In the Certificate snap-in dialog box, click Computer account, and then click Next.

5. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.

6. Click Close, and then click OK.

7. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.

8. In the details pane, verify that your CA is on the list of trusted CAs.

Step 4.1.4 Import the certificate on subsequent Access Edge Servers (if you are deploying an Access Edge Server array)

If you are using an Access Edge Server array, use the following procedure on each additional Access Edge Server to import the certificate.

To import the certificate for the internal interface

1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the local Administrators group and the RTC Local Administrators group.

2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.


3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

4. On the Welcome page, click Next.

5. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.

6. On the Import Certificate page, type the full path and file name of the certificate that you exported from the Access Proxy in the Path and file name box (or click Browse to locate and select the certificate), clear the Mark cert as exportable check box, and then click Next.

7. On the Import Certificate Password page, type the password that you used when you exported the certificate from the Access Proxy in the Password box, and then click Next.

8. On the wizard completion page, verify successful completion, and then click Finish.

Step 4.1.5 Assign the certificate on the Access Edge Server

For each Access Edge Server that you deploy, use the following procedure to assign the certificate to the internal interface.

To assign the certificate to the internal interface of the edge server

1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.

2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.

3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

4. On the Welcome page, click Next.

5. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.

6. On the Available Certificates page, click the certificate that you requested for the internal interface of this edge server, and then click Next.

7. On the Available Certificate Assignments page, select the Access Edge Server Private Interface check box (the server interface on which you want to install the certificate), and then click Next.

8. On the Configure the Certificate(s) of Your Server page, review your settings, and then click Next to assign the certificates.

9. On the wizard completion page, click Finish.


Option 4.2 Configuring the Certificates with a Different Internal FQDN

If you are using a different internal FQDN for your Office Communications Server 2007 Access Edge Server than the one that you used on your Live Communications Server 2005 SP1 Access Proxy, use the following steps to set up a certificate on the internal interface for your Office Communications Server 2007 Access Edge Server. These steps are explained in detail in the following sections:

1. Download the CA certification path for the internal interface.

2. Install the CA certification path for the internal interface.

3. Verify that the CA is on the list of trusted root CAs.

4. Create the certificate request for the internal interface.

5. Import the certificate for the internal interface on the first edge server.

6. Export the certificate.

7. Import the certificate on other edge servers.

8. Assign the certificate for the internal interface to each edge server.

For most of these steps, you can use the Office Communications Server Certificate Wizard. You can start this wizard from the Office Communications Server 2007 installation media, as described in the following procedures, or from the Computer Management snap-in on your Access Edge Server.
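The Certificate Wizard steps in Option 4.1 and Option 4.2 produce and consume a small set of artifacts: a CA chain (.p7b), a request whose subject is the internal FQDN with a subject alternate name per SIP domain, a certificate validated against the trusted root, and a PKCS #12 (.pfx) export that carries the private key. The script below is an added example and is not the guide's or Microsoft's tooling: it rebuilds those artifacts with the openssl command line against a throwaway CA so each check can be inspected outside the wizard. The CA name, the internal FQDN, the SIP domains and the export password are constructed, and it uses 2048-bit keys rather than the 1024-bit default the wizard offered.

```shell
#!/bin/sh
# Added example, not the guide's tooling: reproduces with openssl what the
# Certificate Wizard steps in Options 4.1 and 4.2 do for the internal interface,
# so the artifacts (.p7b chain, CSR with SANs, .pfx) can be inspected. The CA,
# FQDN, SIP domains and password are constructed for the demonstration.

WORK="$(mktemp -d)"
EDGE_FQDN="sip-edge.contoso.local"        # internal FQDN the subject name must match
SIP_DOMAINS="contoso.com fabrikam.com"    # supported SIP domains -> sip.<domain> SANs
PFX_PASSWORD="demo-only-pick-a-strong-one"

# Stand-in for the issuing CA, publishing its chain as a .p7b (Steps 4.2.1/4.2.2).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Contoso Issuing CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.crt" -out "$WORK/chain.p7b"
}

# Request with subject = internal FQDN and a sip.<domain> SAN per SIP domain
# (Step 4.2.4), then issuance by the CA.
issue_edge_cert() {
    san="DNS:$EDGE_FQDN"
    for d in $SIP_DOMAINS; do san="$san,DNS:sip.$d"; done
    printf 'subjectAltName=%s\n' "$san" > "$WORK/san.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$EDGE_FQDN" \
        -keyout "$WORK/edge.key" -out "$WORK/edge.csr" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$WORK/edge.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.ext" \
        -out "$WORK/edge.crt" 2>/dev/null
}

# Export certificate plus private key as PKCS#12 (Step 4.1.1, steps 14-15).
export_pfx() {
    openssl pkcs12 -export -in "$WORK/edge.crt" -inkey "$WORK/edge.key" \
        -certfile "$WORK/ca.crt" -out "$WORK/edge.pfx" -passout "pass:$PFX_PASSWORD"
}

# Trust check (Steps 4.1.3/4.2.3): the CA chain taken from the .p7b must
# validate the edge certificate.
chain_verifies() {
    openssl pkcs7 -in "$WORK/chain.p7b" -print_certs -out "$WORK/chain.pem" &&
    openssl verify -CAfile "$WORK/chain.pem" "$WORK/edge.crt" >/dev/null 2>&1
}

# Subject name check: the CN must equal the internal FQDN the DNS A record resolves.
subject_is() {
    got="$(openssl x509 -in "$WORK/edge.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')"
    [ "$got" = "CN=$1" ]
}

# SAN check for one SIP domain. Fixed-string match, so "contoso.com" would also
# accept "sip.contoso.com.example"; tighten the pattern before reusing it.
san_has() {
    openssl x509 -in "$WORK/edge.crt" -noout -text | grep -F -- "DNS:sip.$1" >/dev/null
}

# The .pfx opens only with the export password and then yields the private key,
# which is why the file and its password need the same handling as the key itself.
pfx_yields_private_key() {
    openssl pkcs12 -in "$WORK/edge.pfx" -passin "pass:$1" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

make_ca && issue_edge_cert && export_pfx || { echo "setup failed"; exit 1; }
chain_verifies && echo "chain from .p7b validates edge.crt"
subject_is "$EDGE_FQDN" && echo "subject CN matches $EDGE_FQDN"
for d in $SIP_DOMAINS; do san_has "$d" && echo "SAN present: sip.$d"; done
pfx_yields_private_key "$PFX_PASSWORD" && echo "edge.pfx opens with the export password"
```

Two points the wizard hides are visible here. First, `subject_is` and `san_has` are the checks the Access Edge Server's peers effectively perform: the internal next hop matches the CN against the FQDN it resolves, and federated partners using DNS discovery look for sip.<domain> in the subject alternate name, so a certificate that passes `openssl verify` but fails either name check still breaks connectivity. Second, `pfx_yields_private_key` shows that the .pfx written in Step 4.1.1 is the private key in a different wrapper, protected only by the export password once strong protection is cleared in step 17; after the import in Step 4.1.2 succeeds, the copy on the disk or network share should be deleted.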

Step 4.2.1 Download the CA certification path for the internal interface

Use the following procedure to download the CA certification path for the internal interface of your Access Edge Server.

Note: The procedures in this section are based on using a Windows Server 2003 Enterprise CA or a Windows Server 2003 R2 CA. For step-by-step guidance for any other CA, see the documentation that is provided by the CA. By default, all authenticated users have the necessary user rights to request certificates.

To download the CA certification path for the internal interface

1. With your Enterprise root CA offline and your Enterprise subordinate (issuing) CA server online, log on to a server in the internal network (not the Access Edge Server) as a member of the Administrators group.

2. Click Start, click Run, type http://<issuing CA server>/certsrv, and then click OK. If prompted, enter your user name and password.

3. Under Select a task, click Download a CA certificate, certificate chain, or CRL.


4. Under Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.

5. In the File Download dialog box, click Save.

6. Save the .p7b file to the hard disk on the server, and then copy it to a folder on each Access Edge Server. Verify that the file contains all the certificates that are in the certification path. To view the certification path, open the server certificate, and then click the certification path.

Step 4.2.2 Import the CA certification path for the internal interface

Use the following procedure to import the CA certification path for the internal interface of your Access Edge Server.

To import the CA certification path for the internal interface

1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.

2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.

3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

4. On the Welcome page, click Next.


    5. On the Available Certificate Tasks page, clickImport a certificate chain froma .p7b file, and then clickNext.

    6. On Import Certificate Chain page, type the full path and file name of the .p7b filein the Path and file name box (or clickBrowse to locate and select the file), and thenclickNext.

    7. ClickFinish.

    8. Repeat this procedure on each edge server.

    Step 4.2.3 Verify that the CA Is on the list of trusted root CAsFor each Access Edge Server that you deploy, use the following procedure to verify that the CA

    for the edge server is on the list of trusted root CAs.

    To verify that your CA is on the list of trusted root CAs

    1. On the Access Edge Server, open an MMC console: ClickStart, and then clickRun. In the Open box, type mmc, and then clickOK.

    2. On the File menu, clickAdd/Remove Snap-in, and then clickAdd.

    3. In the Add Standalone Snap-ins box, clickCertificates, and then clickAdd.

    4. In the Certificate snap-in dialog box, clickComputer account, and then clickNext.

    5. In the Select Computer dialog box, ensure that the Local computer: (thecomputer this console is running on) check box is selected, and then clickFinish.

    6. ClickClose, and then clickOK.

    7. In the console tree, expand Certificates (Local Computer), expand Trusted RootCertification Authorities, and then click Certificates.

    8. In the details pane, verify that your CA is on the list of trusted CAs.

    Step 4.2.4 Create the certificate request for the internal interface

    For each Access Edge Server that you deploy, use the following procedure to create the certificate request for the internal interface.

    To create the certificate request for the internal interface

    1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the local Administrators group and the RTC Local Administrators group.

    2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.

    3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

    4. On the Welcome page, click Next.

    5. On the Available Certificate Tasks page, click Create a new certificate, and then click Next.


    6. On the Select a component page, select the Edge Server Private Interface check box, and then click Next.

    7. On the Delayed or Immediate Request page, select the Prepare the request now, but send it later check box, and then click Next.

    8. On the Name and Security Settings page, type a friendly name for the certificate, and then specify the bit length. The wizard defaults to 1024, but 1024-bit RSA keys are no longer considered adequate; choose 2048 if your CA accepts it. Select the Mark cert as exportable check box, and then click Next.

    9. On the Organization Information page, enter the name for the organization and the organizational unit (such as a division or department, if appropriate), and then click Next.

    10. On the Your Server's Subject Name page, type or select the subject name and subject alternate name of the edge server. The subject name should match the FQDN of the edge server that is published by the internal firewall for the internal interface on which you are configuring the certificate:

    For the internal interface of the edge server, the subject name should match the name that your internal servers use to connect to the edge server (typically, the FQDN of the internal interface for the edge server).

    If you are using a load balancer, the edge server traffic still uses the FQDN of the internal edge of the server (server name). If you are using a virtual IP address for the edge server, the certificate should match the FQDN of the virtual IP address that is used by this server role on the internal load balancer. For the internal interface, this is typically the published DNS name for the perimeter network that maps to the edge server.

    11. Click Next.

    12. On the Geographical Information page, type the location information, and then click Next.

    13. On the Certificate Request File Name page, type the full path and name of the file to which the request is to be saved in the File name box (or click Browse to locate and select the file), and then click Next. A typical path and file name is C:\certrequest_AccessEdge.txt.

    14. On the Request Summary page, click Next.

    15. On the wizard completion page, verify successful completion, and then click Finish.

    Note: If the Enterprise CA is reachable from the edge server, you can use the Send the request immediately to an online certification authority option. Because this is usually not the case, this procedure and other certificate request procedures in this guide do not cover the use of that option.


    16. Submit this file to your CA by e-mail or another method that is supported by your organization for your Enterprise CA. The request file contains only the public key and the names you entered; the private key stays in the local computer's certificate store, so the request itself does not need to be kept secret. When you receive the response file, copy the new certificate to this computer so that it is available for import.
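    The same internal-interface request built without the wizard, as an added example that is not part of this guide: a certreq.exe INF file run from PowerShell. certreq.exe ships with Windows Server 2003 and later. The internal FQDN ocsedge-int.contoso.com, the organization fields and the file paths are placeholders to replace with your own values.

```powershell
# Added example, not from the migration guide: create the internal-interface
# request with certreq.exe instead of the Certificate Wizard.
# Placeholders to replace: the internal FQDN, the OU/O/L/S/C fields and the paths.
$InternalFqdn = 'ocsedge-int.contoso.com'
$RequestInf   = 'C:\certrequest_AccessEdge.inf'
$RequestFile  = 'C:\certrequest_AccessEdge.txt'

# Single-quoted here-string so that $Windows NT$ is not expanded by PowerShell;
# the FQDN placeholder is substituted afterwards.
$infTemplate = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=__FQDN__, OU=IT, O=Contoso, L=Redmond, S=WA, C=US"
; 2048-bit RSA rather than the wizard's 1024-bit default
KeyLength = 2048
; KeySpec 1 = AT_KEYEXCHANGE, required for an SChannel (TLS) certificate
KeySpec = 1
; Digital Signature + Key Encipherment
KeyUsage = 0xA0
; Exportable so the key can be moved to the other servers in an array;
; set FALSE on a single edge server that will never need to export it
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication; the internal interface only needs this EKU
OID = 1.3.6.1.5.5.7.3.1
'@

$inf = $infTemplate.Replace('__FQDN__', $InternalFqdn)
Set-Content -Path $RequestInf -Value $inf -Encoding ASCII

# Generates the key pair in the local machine store and writes the PKCS#10 request.
& certreq.exe -new $RequestInf $RequestFile

# After the CA returns the issued certificate (placeholder path below), binding it to
# the pending request is the equivalent of the wizard's "Process the pending request
# and import the certificate" task:
#   certreq.exe -accept C:\certresponse_AccessEdge.cer
```

    Only the .txt request leaves the machine; the key pair stays in the local machine store. Before running certreq -accept you can inspect what the CA actually issued with certutil -dump on the response file and confirm that the subject CN is the internal FQDN you requested.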

    Step 4.2.5 Import the certificate on the internal interface

    For each Access Edge Server that you deploy, use the following procedure to import the certificate on the internal interface of the Access Edge Server.

    To import the certificate for the internal interface

    1. On the Access Edge Server on which you created the certificate request, log on as a member of the Administrators group and the RTC Local Administrators group. The import must happen on that computer, because the private key generated with the request exists only in its certificate store.

    2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.

    3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

    4. On the Welcome page, click Next.

    5. On the Available certificate tasks page, click Process the pending request and import the certificate, and then click Next.

    6. Type the full path and file name of the certificate that you requested for the internal interface of the edge server (or click Browse to locate and select the certificate), and then click Next.

    7. Click Finish.

    Step 4.2.6 Export the certificate (if you have an Access Edge Server array)

    If you are using an Access Edge Server array, use the following procedure to export the certificate from your Access Edge Server so that you can import it to other Access Edge Servers in your array.

    To export the certificate for the internal interface for importing to other edge servers

    1. On the edge server on which you requested and imported the certificate, log on as a member of the Administrators group and the RTC Local Administrators group.

    2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.

    3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

    4. On the Welcome page, click Next.

    5. On the Available Certificate Tasks page, click Export a certificate to a .pfx file, and then click Next.

    6. On the Available Certificates page, in the Select a certificate list, click the certificate that you imported to this edge server as described in the previous procedure, and then click Next.


    7. On the Export Certificate page, type the full path and file name to which you want to export the certificate in the Path and file name box (or click Browse to locate and specify a location and file), and then click Next.

    8. On the Export Certificate Password page, in the Password box, type the password that will be used to import the certificate on the other edge servers, and then click Next. Choose a strong password: it is the only protection on the private key while the .pfx file is in transit.

    9. On the wizard completion page, verify successful completion, and then click Finish.

    10. Copy the exported file to a location or media that is accessible by the other edge servers. The .pfx file contains the private key for the internal interface, so restrict access to that location and delete every copy of the file after the import on the other edge servers is complete.

    Step 4.2.7 Import the certificate for additional Access Edge Servers (if you have an Access Edge Server array)

    If you are using an Access Edge Server array, use the following procedure to import the certificate to each Access Edge Server in the array.

    To import the certificate for the internal interface of each Access Edge Server

    1. On the other Access Edge Servers where you will import the certificate, log on as a member of the Administrators group and the RTC Local Administrators group.

    2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.

    3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

    4. On the Welcome page, click Next.

    5. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.

    6. On the Import Certificate page, type the full path and file name of the certificate that you exported from the first edge server in the Path and file name box (or click Browse to locate and select the certificate), clear the Mark cert as exportable check box, and then click Next. Clearing the check box means the private key cannot be exported again from this server; if you add servers to the array later, export again from the first edge server.

    7. On the Import Certificate Password page, type the password that you typed when you exported the certificate from the first server in the Password box, and then click Next.

    8. On the wizard completion page, verify successful completion, and then click Finish.
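    The export from the first edge server (Step 4.2.6) and the non-exportable import on the others (Step 4.2.7), as an added PowerShell example rather than the guide's own wizard steps. It looks the certificate up by subject CN, writes a PKCS#12 file with .NET's X509Certificate2.Export, and imports it without the Exportable key-storage flag, which is what clearing Mark cert as exportable does in the wizard. The subject CN ocsedge-int.contoso.com and the staging share are placeholders.

```powershell
# Added example, not from the migration guide. Assumed placeholder values:
# subject CN ocsedge-int.contoso.com and the staging path for the .pfx file.
$X509 = 'System.Security.Cryptography.X509Certificates'

function Export-EdgeCertificate {
    param([string]$SubjectCn, [string]$PfxPath, [string]$Password)
    $store = New-Object "$X509.X509Store" -ArgumentList 'My', 'LocalMachine'
    $store.Open('ReadOnly')
    try {
        $cert = @($store.Certificates | Where-Object {
            $_.Subject -like "CN=$SubjectCn*" -and $_.HasPrivateKey }) | Select-Object -First 1
        if (-not $cert) { throw "No certificate with a private key for CN=$SubjectCn in LocalMachine\My" }
        # A Pkcs12 export includes the private key and therefore fails unless the key
        # was marked exportable when the request was created (Step 4.2.4, step 8).
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $Password)
        [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
        return $cert.Thumbprint
    } finally { $store.Close() }
}

function Import-EdgeCertificate {
    param([string]$PfxPath, [string]$Password)
    $ksf = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
    # MachineKeySet + PersistKeySet and, deliberately, no Exportable flag: once the key
    # is in this machine's store it cannot be exported again from here.
    $flags = $ksf::MachineKeySet -bor $ksf::PersistKeySet
    $cert = New-Object "$X509.X509Certificate2" -ArgumentList $PfxPath, $Password, $flags
    $store = New-Object "$X509.X509Store" -ArgumentList 'My', 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

# On the first edge server (the one that processed the certificate request):
#   $pw = Read-Host 'PFX password'
#   Export-EdgeCertificate -SubjectCn 'ocsedge-int.contoso.com' -PfxPath '\\staging\certs\edge-int.pfx' -Password $pw
# On each additional edge server, then remove the file once every server has imported it:
#   Import-EdgeCertificate -PfxPath '\\staging\certs\edge-int.pfx' -Password (Read-Host 'PFX password')
#   Remove-Item '\\staging\certs\edge-int.pfx'
```

    Two things the script does not do and the guide's procedure still requires: the Pkcs12 export carries only the end-entity certificate and its key, so the CA chain import (.p7b) of Step 4.2.2 is still needed on every server, and placing the certificate in the Personal store does not bind it to the interface, which is what Step 4.2.8 does.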

    Step 4.2.8 Assign the certificate on the internal interface of each Access Edge Server

    Use the following procedure to assign the certificate to the internal interface of each Access Edge Server in the array.

    To assign the certificate to the internal interface of the edge server

    1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.

    2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.


    3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

    4. On the Welcome page, click Next.

    5. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.

    6. On the Available Certificates page, select the certificate that you requested (or, on the other servers in an array, imported) for the internal interface of this edge server, and then click Next.

    7. On the Available Certificate Assignments page, select the Edge Server private interface check box (the server interface on which you want to install the certificate), and then click Next.

    8. On the Configure the Certificate(s) of Your Server page, review your settings, and then click Next to assign the certificates.

    9. On the wizard completion page, click Finish.

    Step 5 Configure Certificates on the External Interface of Your Access Edge Server

    If you are supporting public IM connectivity, the certificate that you configure on the external interface of your Access Edge Server must be from a public CA (certification authority). AOL requires the certificate for both client and server authentication, so it must carry both the Server Authentication and the Client Authentication enhanced key usages. The MSN network of Internet services and Yahoo! also require a certificate from a public CA, but a Web (server authentication) certificate is sufficient. The CA must be on the default list of trusted root CAs that is installed on the Access Edge Server.

    Although a certificate from a public CA is not required for federation, it is strongly recommended.

    How you configure the certificate on the external interface depends on whether you are deploying in a single-site edge topology or a scaled single-site edge topology:

    Single-site edge topology. The subject name of the certificate must match the external FQDN of the Access Edge Server computer. If you have multiple SIP domains, each supported SIP domain must be entered as sip.<SIP domain> in the Subject Alternate Name box of the certificate. For example, if your organization supports two domains, a.contoso.com and b.contoso.com, and the external FQDN of the computer is sip.a.contoso.com, configure your certificate as follows:

    SN=sip.a.contoso.com

    SAN=sip.a.contoso.com, sip.b.contoso.com

    Note: It is possible to use your Enterprise subordinate CA for direct federation, as well as for testing or trial purposes, as long as all partners agree to trust the CA or to cross-sign the certificate.


    Scaled single-site edge topology. The subject name must match the external FQDN of the VIP (virtual IP) address of the external load balancer that is used by the Access Edge Server. This certificate must be marked as exportable on the first computer where you configure the certificate, and it must then be imported onto each additional computer in the Access Edge Server array.
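    A scripted check of the naming rules just described, for either topology, as an added PowerShell example that is not part of this guide: it verifies that the subject name is the external FQDN (the server's own FQDN in a single-site topology, the external VIP's FQDN in the scaled topology), that every SIP domain appears in the Subject Alternate Name as sip.<SIP domain>, that the subject name is repeated in the SAN as in the SN/SAN example above, and that the enhanced key usages needed for public IM connectivity are present. It assumes an English-language Windows installation (the SAN text it parses reads "DNS Name=..."); the FQDN, SIP domains and file path in the usage lines are placeholders.

```powershell
# Added example, not from the migration guide: check an external-interface certificate
# against the naming rules for the Access Edge Server before assigning (or paying for) it.
# Assumption: English-language OS, so Format() renders SAN entries as "DNS Name=...".
function Test-EdgeExternalCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExternalFqdn,   # single site: the server's external FQDN; scaled: the external VIP's FQDN
        [string[]]$SipDomains    # every SIP domain the edge server supports
    )
    $problems = @()

    # Subject CN must be the external FQDN.
    $cn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn.ToLower() -ne $ExternalFqdn.ToLower()) {
        $problems += "Subject name '$cn' does not match the external FQDN '$ExternalFqdn'"
    }

    # Collect the DNS entries of the Subject Alternative Name extension (OID 2.5.29.17).
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = @()
    if ($sanExt) {
        $san = @([regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLower() })
    }

    # Every SIP domain must appear as sip.<SIP domain>, and the subject name itself
    # must be repeated in the SAN.
    $expected = @($ExternalFqdn.ToLower()) + @($SipDomains | ForEach-Object { "sip.$($_.ToLower())" })
    foreach ($name in ($expected | Select-Object -Unique)) {
        if ($san -notcontains $name) { $problems += "Subject Alternate Name is missing $name" }
    }

    # Server Authentication is always needed; AOL public IM connectivity also needs Client Authentication.
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'Missing Server Authentication EKU' }
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.2') {
        $problems += 'No Client Authentication EKU (required by AOL for public IM connectivity)'
    }

    return $problems   # empty when the certificate satisfies the rules
}

# Usage with the two-domain case from the text (a.contoso.com, b.contoso.com) and a
# certificate file received from the public CA (placeholder path):
#   $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\edge-external.cer'
#   Test-EdgeExternalCertificate -Certificate $cert -ExternalFqdn 'sip.a.contoso.com' -SipDomains 'a.contoso.com', 'b.contoso.com'
```

    Run it against the certificate file before assigning it, and again after assignment against the copy in Cert:\LocalMachine\My, so that a mismatch between what was ordered and what the CA issued is caught before federation partners see a TLS failure.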

    Determining Whether You Need a New Certificate for the Access Edge Server

    Whether you can reuse the certificate from your existing Access Proxy or obtain a new certificate depends on how you have configured your new Access Edge Server:

    If you use the same external FQDN for your Access Edge Server that you used for the Access Proxy that it replaces, you can use the same certificate on the external interface of your Access Edge Server that you used on the Access Proxy, provided it is still within its validity period and you have no reason to believe the private key on the Access Proxy was compromised.

    If you use a different external FQDN for your Access Edge Server, you must configure a new certificate for the external interface.

    Option 5.1 Configuring the Certificate with the Same External FQDN as the Existing Access Proxy

    If you are using the same external FQDN for your Office Communications Server 2007 Access Edge Server as the one that you used on your Live Communications Server 2005 with SP1 Access Proxy, use the following steps to set up a certificate on the external interface for your Office Communications Server 2007 Access Edge Server. These steps are explained in detail in the following sections.

    1. Export the certificate from your Live Communications Server 2005 SP1 Access Proxy.

    2. Import the certificate for the external interface on each Access Edge Server.

    3. Verify that the CA is on the list of trusted root CAs for each Access Edge Server.

    4. Assign the certificate for the external interface to each edge server.

    After you export the certificate from your Live Communications Server 2005 SP1 Access Proxy, use the Certificate Wizard to complete most of the certificate setup procedures for the external interface. You can start this wizard from the Office Communications Server 2007 installation media, as described in the following procedures, or by using the Computer Management snap-in on your Access Edge Server.

    Note: If your Access Edge Server is not discoverable through DNS SRV records, organizations federating with your organization must manually add your SIP domains and your Access Edge Server FQDN in the Allow List on their Access Edge Servers.

    If you enable automatic discovery and want to add additional SIP domains to those supported in your Live Communications Server 2005 SP1 environment, you must get a new certificate with all the supported SIP domains in the SAN.


    Step 5.1.1 Export the certificate from your Live Communications Server 2005 SP1 Access Proxy

    Use the following procedure to export the certificate from your Live Communications Server 2005 SP1 Access Proxy.

    To export the certificate from your Live Communications Server 2005 SP1 Access Proxy

    1. Log on to your Access Proxy as a member of the Administrators group.

    2. Click Start, and then click Run. In the Open box, type mmc, and then click OK.

    3. On the File menu, click Add/Remove Snap-in.

    4. In the Add/Remove Snap-in dialog box, click Add.

    5. In the Available Standalone Snap-ins list, select Certificates.

    6. Click Add.

    7. Click Computer account, and then click Next.

    8. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.

    9. Click Close, and then click OK.

    10. In the console tree of the Certificates console, expand Certificates (Local Computer).

    11. Expand Personal.

    12. Click Certificates, right-click the certificate that is to be used on the external interface in the result pane, point to All Tasks, and then click Export.

    13. In the Export Wizard, click Next.

    14. Click Yes, export the private key, and then click Next. If this option is unavailable, the private key was not marked exportable when the certificate was requested, and you must obtain a new certificate for the Access Edge Server instead (see Option 5.2).

    Note: The procedures in this section are based on a Microsoft Windows Server 2003 Enterprise CA or a Windows Server 2003 R2 CA. For step-by-step guidance for any other CA, see the documentation that is provided by the CA. By default, all authenticated users have the necessary user rights to request certificates.


    15. On the Export File Format page, click Personal Information Exchange - PKCS #12 (.PFX).

    16. Select the Include all certificates in the certification path if possible check box.

    17. Clear the Enable strong protection check box, and then click Next.

    18. Complete the wizard by accepting all remaining default values, typing a strong password when prompted (it is the only protection on the private key in the .pfx file), and indicating the disk or network share where you want to save the certificate. Delete the .pfx file from that location after it has been imported on every Access Edge Server.

    Step 5.1.2 Import the certificate for the external interface of each Access Edge Server

    Use the following procedure to import the certificate to the external interface of your Access Edge Server or of each Access Edge Server in an array.

    To import the certificate for the external interface

    1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.

    2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.

    3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.


    4. On the Welcome page, click Next.

    5. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.

    6. On the Import Certificate page, type the full path and file name of the certificate that you exported from the Access Proxy in the Path and file name box (or click Browse to locate and select the certificate), clear the Mark cert as exportable check box, and then click Next.

    7. On the Import Certificate Password page, type the password that you used when you exported the certificate from the Access Proxy in the Password box, and then click Next.

    8. On the wizard completion page, verify successful completion, and then click Finish.

    Step 5.1.3 Verify that the CA is on the list of trusted root CAs

    For each Access Edge Server that you deploy, use the following procedure to verify that the CA for the edge server is on the list of trusted root CAs.

    To verify that your CA is on the list of trusted root CAs

    1. On the Access Edge Server, open an MMC console: Click Start, and then click Run. In the Open box, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in, and then click Add.

    3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.

    4. In the Certificate snap-in dialog box, click Computer account, and then click Next.

    5. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.

    6. Click Close, and then click OK.

    7. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.

    8. In the details pane, verify that your CA is on the list of trusted CAs.
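    The trusted-root check of this procedure and of Step 4.2.3 as a scripted test, an added PowerShell example that is not part of this guide. Looking for the CA name in the Root store is what the MMC steps do; the example goes one step further and builds the chain for the edge certificate itself, because a CA present in the store is useless if the intermediate that actually issued the certificate is missing. The root CA name and the subject CN used to find the certificate are placeholders.

```powershell
# Added example, not from the migration guide: the trusted-root check as a scripted
# test, plus a chain build for the edge certificate itself.
# Placeholders: the root CA common name and the subject CN used to find the certificate.
function Test-EdgeCertificateChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$RootCaName
    )
    # 1. Is a certificate with that CN in LocalMachine\Root (Trusted Root Certification Authorities)?
    $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
    $rootStore.Open('ReadOnly')
    try {
        $roots = @($rootStore.Certificates | Where-Object { $_.Subject -like "*CN=$RootCaName*" })
    } finally { $rootStore.Close() }

    # 2. Does a chain build from the edge certificate to a trusted root?
    # Revocation checking is disabled here because perimeter hosts usually cannot reach the
    # CRL distribution point; test CRL reachability separately and rerun with Online mode.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $builds = $chain.Build($Certificate)

    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $status   = @($chain.ChainStatus   | ForEach-Object { $_.Status.ToString() })

    return @{
        RootInTrustedStore = ($roots.Count -gt 0)
        ChainBuilds        = $builds
        Chain              = $elements   # leaf first, root last
        Status             = $status     # UntrustedRoot: the CA is not in Root;
                                         # PartialChain: an issuing CA is missing from Intermediate CAs
    }
}

# Usage on the edge server (placeholders): locate the edge certificate and test it.
#   $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=sip.a.contoso.com*' } | Select-Object -First 1
#   $r = Test-EdgeCertificateChain -Certificate $cert -RootCaName 'Contoso Root CA'
#   $r.RootInTrustedStore; $r.ChainBuilds; $r.Status
```

    A result of ChainBuilds = $true with an empty Status list is what you want on every server in the array. RootInTrustedStore = $true together with PartialChain means the root is fine but the .p7b chain import did not populate Intermediate Certification Authorities on this server.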

    Step 5.1.4 Assign the certificate on the Access Edge Server

    For each Access Edge Server that you deploy, use the following procedure to assign the certificate to the external interface.

    To assign the certificate to the external interface of the edge server

    1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.

    2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.

    3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.


    4. On the Welcome page, click Next.

    5. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.

    6. On the Available Certificates page, select the certificate that you imported from the Access Proxy for the external interface of this edge server, and then click Next.

    7. On the Available Certificate Assignments page, select the Access Edge Server Public Interface check box (the server interface on which you want to install the certificate), and then click Next.

    8. On the Configure the Certificate(s) of Your Server page, review your settings, and then click Next to assign the certificates.

    9. On the wizard completion page, click Finish.

    Option 5.2 Configuring the Certificates on the Access Edge Server External Interfaces When New Certificates Are Required

    To set up a certificate for the external interface of an Access Edge Server, complete the following steps. These steps are explained in detail in the following sections.

    1. Create the certificate request for the external interface of the edge server.

    2. Submit the request to your public CA.

    3. Import the certificate for the external interface of each edge server.

    4. Assign the certificate for the external interface of each edge server.

    Step 5.2.1 Create the certificate request

    For each Access Edge Server that you deploy, use the following procedure to create a certificate request for the external interface.

    To create the certificate request for the external interface

    1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.

    2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.

    3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

    4. On the Welcome page, click Next.

    5. On the Available Certificate Tasks page, click Create a new certificate, and then click Next.

    6. On the Select a component page, select the Access Edge Server Public Interface check box, and then click Next.

    7. On the Delayed or Immediate Request page, select the Prepare the request now, but send it later check box, and then click Next.

    Note: If the Enterprise CA is reachable from the edge server, you can use the Send the request immediately to an online certification authority option. Because this is usually not the case, this procedure and other certificate request procedures in this guide do not cover the use of that option.


    8. On the Name and Security Settings page, type a friendly name for the certificate, specify the bit length (use 2048 bits rather than the 1024-bit default where your CA accepts it), select the Mark cert as exportable check box, and then click Next.

    9. On the Organization Information page, type the name for the organization and the organizational unit (such as a division or department, if appropriate), and then click Next.

    10. On the Your Server's Subject Name page, type or select the subject name and subject alternate name of the edge server:

    The subject name should match the FQDN of the server that is published by the external firewall for the external interface on which you are configuring the certificate. For the external interface of the Access Edge Server, this certificate subject name should be sip.<SIP domain>.

    If multiple SIP domain names exist and they do not appear in the Subject alternate name box, type the name of each additional SIP domain as sip.<SIP domain>, separating names with a comma. Domains entered during configuration of the Access Edge Server are automatically added to this box.

    11. Click Next.

    12. On the Geographical Information page, type the location information, and then click Next.

    13. On the Certificate Request File Name page, type the full path and name of the file to which the request is to be saved in the File name box (or click Browse to locate and select the file), and then click Next. A typical path and file name is C:\certrequest_AccessEdge.txt.

    14. On the Request Summary page, click Next.

    14. On the Request Summary page, clickNext.

    15. On th