My life as a UC n00b...

Expected outdialing behavior for ‘Play on Phone’ scenarios in Microsoft Exchange Unified Messaging

DaveH — Tue, 09 Mar 2010 23:30:26 GMT

The Microsoft Exchange Unified Messaging ‘Play on Phone’ feature provides access to voice mail messages for UM-enabled users. However, instead of playing the media attachment from a voice mail message over their computer speakers, users can listen to voice mail messages on a telephone handset.

When UM-enabled users work in office cubicles, use a public computer, have a computer that isn't enabled for multimedia, or have a voice message that's confidential, they may not want to or may be unable to play a voice message over their computer speakers. The Play on Phone feature lets UM-enabled users play the voice message over a telephone. The Play on Phone feature is available in Exchange 2007 Outlook Web Access, Exchange 2010 Outlook Web App, and in Microsoft Office Outlook 2007.

In Exchange 2007 Unified Messaging, the default behavior for processing ‘Play on Phone’ requests can be summarized as follows:

- Accept the request from CAS (which includes telephone dial string entered by user in Outlook/OWA)
- Check dial string to determine whether it is an extension, national number, or international number (e.g. 8005551212)

- Look up user information in Active Directory (extract ADUser, mailAddress, UMExtension, UMEnabled, etc.)
- Look up IP Gateway associated with UM Dial Plan that is enabled for outbound dialing
- Check whether dial string is permitted by validating against UM Mailbox Policy:

        If dial string is ‘International’, compare against International Dialing Restrictions from UM Mailbox Policy
        If dial string is ‘National’, compare against In Country/Region Dialing Restrictions from UM Mailbox Policy
        If dial string is ‘Extension’, compare against the ‘Allow calls to users/extensions…’ options from UM Mailbox Policy

- If dial string is permitted, send to IP Gateway (e.g. 8005551212)

Although various dial code entries may be configured on the Dial Code tab of the user’s UM Dial Plan, the dial string is never manipulated. Rather, the format of the dial string remains constant throughout the entire ‘Play on Phone’ outdialing process. Please note that this behavior only applies to ‘Play on Phone’ calls which are placed by Exchange 2007 mailbox users.

In Exchange 2010 Unified Messaging, the default behavior for processing ‘Play on Phone’ requests has changed from that of Exchange 2007, and as such the default behavior can be summarized as follows:

- Accept the request from CAS (which includes telephone dial string entered by user in Outlook/OWA)
- Check dial string to determine whether it is an extension, national number, or international number (e.g. 8005551212)

- Look up user information in Active Directory (extract ADUser, mailAddress, UMExtension, UMEnabled, etc.)
- Look up IP Gateway associated with UM Dial Plan that is enabled for outbound dialing
- Get the National Number Prefix [1], Country or Region Code [1], and Outside Line Access Code [9] from the Dial Codes tab of UM Dial Plan
- Determine whether dial string should be manipulated to accommodate the configured Dial Codes from UM Dial Plan:

        If dial string is ‘International’ number, prefix with Outside Line Access Code and International Access Code (e.g. 90114412345678)
        If dial string is ‘National’ or ‘International’ number, prefix with Outside Line Access Code and National Number Prefix (e.g. 918005551212)
        If dial string is ‘Extension’, do not prefix dial string with Dial Code values

- Check whether dial string is permitted by validating against UM Mailbox Policy:

        If dial string is ‘International’, compare against International Dialing Restrictions from UM Mailbox Policy
        If dial string is ‘National’, compare against In Country/Region Dialing Restrictions from UM Mailbox Policy
        If dial string is ‘Extension’, compare against the ‘Allow calls to users/extensions…’ options from UM Mailbox Policy

- If dial string is permitted, send to IP Gateway (e.g. 918005551212)

As you can see, this change in behavior may require you to make some changes to your Dialing Rule Entries for your UM Dial Plans in Exchange 2010 Unified Messaging.

Hope this helps!

-- Dave

How to get a free DID SIP Trunk for testing your Unified Communications lab environment

DaveH — Wed, 03 Mar 2010 12:22:49 GMT

I recently stumbled on a free offering for a DID SIP Trunk (inbound calls only) from a company called IP Communications. Having already added a magicJack device to my Unified Communications lab for routing both inbound and outbound calls, an additional DID line was exactly what I needed for routing calls to my Exchange UM Auto Attendant. The SIP Trunk offered by IP Communications requires SIP registration and also leverages the UDP transport protocol. As such, a third party SIP Proxy or IP PBX (like pbxnsip) is required.

The following steps describe how to request a free DID SIP Trunk from IP Communications and how to add a new trunk in pbxnsip IP PBX to support it.

1. Visit http://www.ipcomms.net and click on the Sign Up link located at the top of the page.
2. From the packages offered, choose the Free US Phone Number option.

3. Complete the registration form (request the new SIP trunk to test features of your IP PBX).
4. Upon receiving the provisioning letter, locate the Incoming Settings details about your new SIP trunk.

Add New Trunk in pbxnsip

1. Launch Internet Explorer and navigate to your pbxnsip server (http://pbxnsip)
2. After authenticating to the system, click on the Domains option from the main menu
3. Next, click on the hyperlink for your pbxnsip domain (pbxnsip.contoso.com)
4. Under the Domain Administration menu, click on the Trunks tab
5. Locate the New Trunk option, then create a new SIP Registration trunk called IPComms Inbound

6. After creating the new IPComms Inbound trunk, click on the Edit option to edit its settings.
7. Edit the settings of the new trunk using information from the Incoming Settings of your provisioning letter.

Note: Please accept the default settings unless otherwise specified.

Name : IPComms Inbound
Type : SIP Registration
Direction : Inbound Only
Display Name : IPComms Inbound
Account : {Username value / e.g., 8035551212}
Domain : {Host value / e.g., sipconnect.ipcomms.net}
UserName : {Username value / e.g., 8035551212}
Password/Repeat : {Secret value / e.g., 1234567890}
Outbound Proxy : {Host value / e.g., sipconnect.ipcomms.net}
Override Codec Preference : {Allow value / e.g., ulaw – verify that G.711U is at top of list}
Lock Codec during Conversation : Yes
Proposed Duration : 360
Accept Redirect : Yes
Interpret SIP URI always as phone number : Yes
Is Secure : No
Send to Extension : 99999

8. Verify that the new SIP Trunk registers successfully with the IPComms.Net provider.

Add New Forwarding Extension in pbxnsip

1. Again under the Domain Administration menu, click on the Accounts tab.
2. Click Create to create a new account using the following settings:

Number : 99999
First Name : UM Auto
Last Name : Attendant
SIP Pass. : 99999
Web Pass. : 99999
PIN : 99999

3. Configure forwarding for the new account by clicking the Edit option beside it in the list of extensions.
4. In the properties of Extension 99999, click on the Redirection tab and configure forwarding as follows:

Do Not Disturb : Off
Login : Off
Call Forward All Calls to : {Pilot Number of UM Auto Attendant / e.g., 59999}

After successfully configuring the new SIP trunk in pbxnsip, calls placed to your free DID number should route successfully to your Exchange Unified Messaging Auto Attendant.

As always, I hope this helps!

-- Dave

How to configure interoperability between Microsoft Exchange Server 2010 Unified Messaging and pbxnsip IP PBX version 3.0

DaveH — Wed, 03 Mar 2010 03:43:31 GMT

Introduction

This guide describes how to configure interoperability between Microsoft Exchange Server 2010 Unified Messaging and pbxnsip IP PBX version 3.0. pbxnsip is an IP PBX solution for Windows that supports SIP communication over either the TCP or UDP transport protocols. When configured with a free permanent demo key, pbxnsip can be used for testing various call flow scenarios in lab environments which host Microsoft Unified Communications products (maximum call duration of 3 minutes).

To request a free permanent demo key for using pbxnsip Version 3 in a lab environment, visit http://www.pbxnsip.com/sales/trial.php. After completing and submitting the request form, a demo key will be sent to you in email. The Windows 32-bit pbxnsip installation package can be downloaded at http://www.pbxnsip.com/download-software/software.php, and it can be installed on either a stand-alone or domain-joined Windows 2003 or Windows 2008 server or virtual machine. At the moment, there is no publicly released 64-bit version of the pbxnsip product available for download, however.

Environment

The lab environment described by this configuration guide contains the following server and/or hardware configuration:

Configure pbxnsip

After installing the pbxnsip application, there are many options that must be configured correctly before calls can be routed successfully to or from our lab environment. To begin the configuration of the pbxnsip system, launch Internet Explorer and navigate to http://pbxnsip (or the FQDN or NetBIOS name of the server where pbxnsip was installed).

Settings Menu

The first step of setting up the pbxnsip system involves configuring the options available under the Settings menu. The options available under the Settings menu of the IP PBX affect the overall behavior of the PBX. It is also where you can find the option to enter the permanent demo key that you requested from http://www.pbxnsip.com.

Note: Please accept the default settings unless otherwise specified.

General
System Name – Enter the hostname of the computer where pbxnsip was installed
Default Language – Choose the default language for pbxnsip installation
Time Zone – Choose the correct time zone for the pbxnsip installation
Username/Password – Enter the logon credentials for pbxnsip specified during setup

License
Enter the permanent demo license key that was mailed to you from pbxnsip

Ports
RTP Port Range Start/End – Verify that this port range is accessible/not firewalled
Follow RTP – Enabled/On
Codec Preference – Choose G.711U for North America/Japan, G.711A for Europe
Lock Codec During Conversation – Enabled/On
Packet Length – 20 ms

Logging
Log Level – 5
Log Length – 300 Lines
Log Filename – pbxnsip.log
SIP Logging – Enable all SIP logging events

Other Settings
There are a number of other configuration options that can be found under the Settings menu, however the configuration of these menu options will not be covered by this guide.

Configuration – Used to import/export configuration settings for the system
Certificate – Used to enable TLS communication for the system
Music on Hold – Allows custom music on hold definition files to be enabled
Plug and Play – Provides common configuration settings for many IP phones
Access – Used to configure network restrictions based on IP/Subnet

Domains Menu

The second step of setting up the pbxnsip system involves configuring the various domains that the IP PBX will support. A default domain called sip.company.com is automatically created whenever pbxnsip is installed for the first time. Although a new domain can be created from scratch, we will instead edit the existing default domain to support our lab environment.

To begin editing the default domain, click on the Edit option beside either the localhost or sip.company.com aliases in the list of current domains.

Note: Do NOT remove the localhost domain alias. This will cause all call routing to fail.

Edit Domain
Although there are a number of configuration options available under the Edit Domain menu, only the Primary Name entry must be changed to support our lab environment. Enter the Fully Qualified Distinguished Name (FQDN) of the computer that hosts the pbxnsip application.

Note: Do NOT use the domain name sip.contoso.com. This is a common internal DNS host record used by Office Communicator clients to find the IP address of an OCS Enterprise Pool or Standard Edition Front End server.

Primary Name – Change this value to {computername}.contoso.com (e.g., pbxnsip.contoso.com)

Domain Administration Menu

After editing the Primary Name of the default domain, you will find pbxnsip.contoso.com in the list of Current Domains. Click on the hyperlink pbxnsip.contoso.com to open the Domain Administration (pbxnsip.contoso.com) configuration menu. The Domain Administration menu is where all PBX-specific configuration options can be found.

Note: Please accept the default settings unless otherwise specified.

Settings Menu
There four configuration menus that are available under the Settings tab of the Domain Administration menu. The options contained within the Domain Settings menu control voice mail settings, feature access codes, and phone provisioning information.

Domain Settings
Country Code – Enter the value ‘1’ for the United States, or your country code
Area Code – Enter ‘704’ or your area code/region code
VoiceMail Timeout – 20 seconds
Calling own extension number goes to mailbox – Yes

Other Settings
There are a number of other configuration options that can be found under the Settings menu, however the configuration of these menu options will not be covered by this guide.

Feature Codes – Short-cut key combinations for common tasks
Address Book – List of contact/numbers which are accessible by all users on the system
Buttons – Controls how IP phones are automatically provisioned by the system

Accounts Menu

You will find that there are a number of extensions which are already defined for the system, ranging from 41 – 76. These exist because we chose to edit the default domain and use it as a template rather than create a new domain altogether.
Our UM Dial Plan is based on a 5 digit extension scheme. Considering this, we need to modify a few of the entries to make them 5 digits in length, and we will remove any extensions that we do not need. To begin editing the existing extensions, click the Edit option beside extension 41.

First Name Last Name Extension UM Extension/Dial Plan

PBX UserA 60001 60001 / PBXNSIP Dial Plan

PBX UserB 60002 60002 / PBXNSIP Dial Plan

For each of these users, edit an existing account within pbxnsip by populating the following values on the General tab of each account:

Account Number – Enter 60001 or the extension of one of your users
First Name – Enter PBX or the first name of one of your users
Last Name – Enter UserA or the last name of one of your users
SIP Password – Enter 60001 (and repeat to confirm)
Web Password – Enter 60001 (and repeat to confirm)
PIN – Enter 60001 (and repeat to confirm)
Block Outgoing Caller ID – No

When completed, our list of user accounts should appear as follows:

Trunks Menu

The Trunks menu is used to configure routing targets for calls that are handled by the pbxnsip system. In our Unified Communications lab, there are two possible routing targets, as shown in the table below:

Routing Target IP Address Protocol/Transport

Exchange 2010 Unified Messaging 192.168.1.11 SIP / TCP

AudioCodes MP-114 VoIP Gateway 192.168.1.12 SIP / TCP

With this in mind, one or more SIP trunks need to be created to support call routing in our lab environment. Since we chose to edit the existing default domain rather than to create a new domain, you will find an existing ‘PSTN Gateway (1)’ entry in the list of available trunks. Not only will we edit the existing PSTN Gateway trunk to accommodate our needs, we will also create an additional trunk for Exchange 2010 Unified Messaging.

Note: Please accept the default settings unless otherwise specified.

Edit the PSTN Gateway Trunk
Name – AudioCodes MP-114
Type – SIP Gateway
Direction – Inbound and Outbound
Domain – audiocodes.contoso.com (DNS name for AudioCodes MP-114 VoIP Gateway)
Outbound Proxy – 192.168.1.12:5060;transport=tcp (IP address of AudioCodes device)
Override Codec Preference –G.711U (for North America) / G.711A (for Europe)
Lock Codec during Conversation – Yes
Accept Redirect – Yes
Interpret SIP URI always as Telephone Number – Yes

Create New Exchange 2010 Unified Messaging Trunk
Name – Exchange 2010 UM Server
Type – SIP Gateway
Direction – Inbound and Outbound
Domain – exchangeum.contoso.com (DNS name of ExchangeUM Server)
Outbound Proxy – 192.168.1.11:5060;transport=tcp (IP address of ExchangeUM Server)
Override Codec Preference –G.711U (for North America) / G.711A (for Europe)
Lock Codec during Conversation – Yes
Accept Redirect – Yes
Interpret SIP URI always as Telephone Number – Yes

Dial-Plans Menu

The Dial-Plans menu is used to configure routing logic for calls that are handled by the pbxnsip system. While trunks may provide a number of possible routing targets for an example, dial plans are used to determine which of the available trunks to use for routing the call. Likewise, each dial plan is configured with one or more pattern matching and/or number masking rules which are used to process dial strings for calls that are handled by the system.

Since we chose to edit the existing default domain rather than to create a new domain, you will find an existing ‘Standard Dialplan’ entry in the list of available Dial Plans. To begin editing the default dial plan, click on the Edit option beside the ‘Standard DialPlan’ entry.

Pref – 200 / Highest Processing Order
Trunk – Exchange 2010 UM Server
Pattern – (6[0,9][0,9][0,9][0,9])
Replacement – {Leave Empty}

Pref – 300 / Lowest Processing Order
Trunk – AudioCodes MP-114
Pattern – *
Replacement – {Leave Empty}

Status Menu

If you experience unexpected call routing issues or call processing failures, the options that are available within the Status Menu can help to troubleshoot problems. One of the most helpful tools can be found under the Logfile tab.

Email Menu

One of the nicest features of the pbxnsip product is its extensive reporting capabilities. The system can be configured to send various usage reports and/or event notifications to an external SMTP server. Although there are a number of reporting options which can be configured under the Email menu, configuring Email options for the system will not be covered by this guide.

Status Menu

The Status menu provides you with a general overview of the current health of the pbxnsip system.

Upon completing the configuration of the pbxnsip system, restart the pbxnsip server.

Configure Exchange Unified Messaging

Our next task will be to configure Microsoft Exchange 2010 Unified Messaging, which will serve as the voice mail system for pbxnsip. There are several configuration steps that must be completed for call routing to work successfully, including the following:

Create and configure UM Dial Plans, IP Gateways, and Auto Attendants
Define pilot numbers for Subscriber Access and Auto Attendants
Create mailbox enabled user accounts and enable them for UM

UM Dial Plan

1. Complete the information necessary to create a new UM Dial Plan for pbxnsip:

Name of Dial Plan : PBXNSIP Dial Plan
Digits in Extension : 5
URI Type : Telephone Extension
VoIP Security : Unsecured
Country/Region Code : 1

2. Configure the new PBXNSIP Dial Plan object as follows:

Subscriber Access
Pilot Number: 60000

Features
Allow callers to transfer to users : Enabled
Allow callers to send voice messages : Enabled
Callers can contact : Anyone in the default Global Address List

Dialing Rule Groups
Under In Country/Region Rule Groups, click Add and configure a new rule as follows:
     Name : All Outbound Calls Allowed
     Number Mask : *
     Dialed Number : *
Under International Rule Groups, click Add and configure a new rule as follows:
     Name : All Outbound Calls Allowed
     Number Mask : *
     Dialed Number : *

Dialing Restrictions
Allow calls to users within the same Dial Plan : Enabled
Allow calls to extensions : Enabled
Select In-Country/Region Groups from Dial Plan : All Outbound Calls Allowed
Select International Groups from Dial Plan : All Outbound Calls Allowed

3. Assign the PBXNSIP Dial Plan to the Exchange UM Server.

UM IP Gateway

Complete the information necessary to create a new UM IP Gateway object for pbxnsip:

Name of UM IP Gateway : PBXNSIP
IP Address : 192.168.1.13
Dial Plan : PBXNSIP Dial Plan

UM Mailbox Policy

Configure the new PBXNSIP Dial Plan Default Policy object as follows:

PIN Policies
Minimum PIN Length : 4
PIN Lifetime (days) : Disabled (Unlimited)
No. of previous PINs to disallow : 1
Allow common patterns in PIN : Enabled

Dialing Restrictions
Allow calls to users within the same Dial Plan : Enabled
Allow calls to extensions : Enabled
Select In-Country/Region Groups from Dial Plan : All Outbound Calls Allowed
Select International Groups from Dial Plan : All Outbound Calls Allowed

UM Auto Attendant

1. Complete the information necessary to create a new UM Auto Attendant object for pbxnsip:

Name of UM Auto Attendant : AutoAttendant
Associated UM Dial Plan : PBXNSIP Dial Plan
Pilot Identifier List : 69999
Create as Enabled : Enabled
Create as Speech Enabled : Enabled

2. Configure the new Unified Messaging AutoAttendant object as follows:

General
Auto Attendant is enabled for Directory Lookups: Enabled
Features
Allow callers to transfer to users : Enabled
Allow callers to send voice messages : Enabled
Callers can contact : Anyone in the default Global Address List

Dialing Restrictions
Allow calls to users within the same Dial Plan : Enabled
Allow calls to extensions : Enabled
Select In-Country/Region Groups from Dial Plan : All Outbound Calls Allowed
Select International Groups from Dial Plan : All Outbound Calls Allowed

UM Enabled Users

Complete the information necessary to create two new mailbox-enabled user accounts which are also enabled for Unified Messaging:

User Name : PBX UserA
Email Alias : PBX.UserA
Exchange Database : Default Exchange 2010 Mailbox Database
Unified Messaging Mailbox Policy : PBXNSIP Dial Plan
Manually Specify PIN : {Enter 4 Digit Value}
Manually Entered Mailbox Extension : 60001

User Name : PBX UserB
Email Alias : PBX.UserB
Exchange Database : Default Exchange 2010 Mailbox Database
Unified Messaging Mailbox Policy : PBXNSIP Dial Plan
Manually Specify PIN : {Enter 4 Digit Value}
Manually Entered Mailbox Extension : 60002

Upon completing the configuration of Exchange Unified Messaging, restart both the Microsoft Exchange Unified Messaging and Microsoft Exchange Speech Engine services.

Configure Soft Phone

Our final step involves configuring a soft phone client to connect to the pbxnsip system. One of the more popular freeware soft phone clients that can be used to connect to pbxnsip is 3CX Phone which can be downloaded at the following URL:

3CX Phone - http://tinyurl.com/ylyrrpf

After downloading and installing the 3CX Phone client, use the following configuration steps to connect your soft phone client to the pbxnsip system.

1. Launch the 3CX Phone client.

2. Click on the Home button.

3. Select the Connections option.

4. Configure the Connection settings as follows, then click OK:

Credentials
Extension: 60001
ID: 60001
Password: 60001

My Location
I am in the office – local IP: 192.168.1.13
SIP Domain: contoso.com

Advanced Settings
PBX voicemail: 60000

5. Verify that registration with the pbxnsip system was successful.

Conclusion

This information is provided AS-IS with no warranties, and confers no rights. This solution is considered UNSUPPORTED by Microsoft, and as such should not be deployed in a production capacity.

I hope that you have found this configuration guide to be helpful. As always, any questions or comments are always welcome.

-- Dave

Need an extra phone line for testing call flows in your Unified Communications lab? Why not try magicJack!

DaveH — Fri, 26 Feb 2010 12:18:00 GMT

One day while at work, my buddy Geoff Clark and I were discussing how expensive it can be to deploy a lab environment at home, especially one that supports VoIP telephony. When you combine the initial cost of purchasing new server hardware and telephony equipment with the monthly expense of one or more additional telephone lines or SIP trunks, you’ll soon find that deploying a lab environment at home is far from cheap.

Suddenly Geoff asked, “I wonder if you can connect magicJack to the FXO port on a VoIP gateway to dial out to the PSTN?”

Unless you live outside the United States (or perhaps under a rock), you’ve probably heard of magicJack. The magicJack device, roughly the size of a pack of gum, connects to the USB port of a computer. Upon installing the ad-driven software and selecting a telephone number, magicJack provides unlimited local and long distance dialing for less than $20 per year. The magicJack USB device can be purchased from a variety of major retailers or from their website at http://www.magicJack.com.

While I would never encourage anyone to drop their existing telephone service in favor of switching to magicJack, this little device can provide a cost-effective means of connecting your UC lab environment to the Public Switched Telephone Network (PSTN). Unfortunately, the magicJack service is not intended to act as either a SIP trunk or as a B2BUA. Rather, the customer is expected to connect an analog telephone to to the RJ-11 port on the device. This means that unless you have a VoIP gateway in your lab, you will not be able to place external calls through magicJack using a SIP client or IP phone.

The magicJack device must be physically connected to either a computer or thin-client. A sound card is required, even though the magicJack device is recognized by Windows to be a generic USB sound device. When you connect the magicJack device to a computer and launch the magicJack software, it quickly scans the available audio devices on the machine. After automatically determining which sound device to leverage for encoding/decoding audio for the RTP stream, several audio-related registry keys are then set under the HKCU container in the registry.

After purchasing magicJack for my own UC lab, determining where to connect the magicJack USB device was simply a no-brainer. Since my entire Unified Communications lab runs on a single Hyper-V host computer, it was the logical candidate for hosting both the magicJack device and the magicJack software. After connecting the magicJack to the USB port of my Hyper-V host computer, I used a simple telephone cable to connect the RJ-11 port on the magicJack device to one of the FXO ports on my AudioCodes MP-114 gateway.

While magicJack can potentially save you a lot of money over time, there are some … well, let’s call them nuances … that can (and probably will) drive you nuts. For example, the magicJack software runs under the context of a user account, not as a service. This means that if your host computer restarts due to patching/etc, magicJack will fail to send or receive calls until someone logs in to the computer locally. Another nuance with magicJack involves the automatic pop-up of the magicJack software whenever a new call is received, causing loss of focus if you’re working on something important. Although there are workarounds or free utilities available for addressing both of these issues, they may violate the magicJack Terms of Service.

A few of the other issues that I encountered with magicJack are as follows:

Unable to hear or understand caller

    1. Log on locally to the magicJack host computer.
    2. Launch the magicJack software (it should select a preferred audio device).
    3. Configure the audio settings within the magicJack software as follows:
         a. Click on the ‘Menu’ option, then select ‘Volume/Headset Control’.
         b. Under ‘Choose your device’, select your preferred audio device.
         c. The Speaker/Microphone settings for the audio device should be configured as follows:
                 Speaker – Move the slider all the way to the right (maximum)
                 Microphone – Move the slider all the way to the right (maximum)
    4. After committing changes, place a call to your magicJack number and test the audio levels.

Connecting remotely using RDP causes loss of audio settings

    1. Log in locally to the magicJack host computer using your Administrator account.
    2. Manually disconnect (unplug) the magicJack device from the host computer.
    3. Locate the magicJack installation folder (C:\Users\Administrator\AppData\Roaming\mjusbsp).
    4. Remove the mjusbsp installation folder or move it to another location on disk (i.e. the desktop).
    5. Launch the Registry Editor, then locate and remove the cdloader value from the following registry key:
           HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    6. Create a new user account called ‘magicJack’ and give it administrative rights.
    7. Log on locally to the magicJack host computer using the ‘magicJack’ user account.
    8. Reconnect the magicJack device (magicJack software should install automatically).
    9. Configure the audio settings in the magicJack software and verify that you can send/receive calls.
    10. Configure the settings for all RDP sessions to this computer as follows:
           - Never log on remotely as the ‘magicJack’ user account
           - Never connect to Console (mstsc /c or mstsc /admin)
           - Configure the Remote Audio Settings to ‘Leave at Remote Computer’

Oh, one last thing…

As always, I hope this helps!

-- Dave

Calls routed to Exchange 2010 Unified Messaging servers may be rejected due to URI parsing logic

DaveH — Fri, 12 Feb 2010 10:57:52 GMT

During the development of Exchange 2010 Unified Messaging, several changes were made to the URI parsing logic for calls that are handled by Unified Messaging servers. When a call is routed to Unified Messaging server, each of the URI values contained in the SIP INVITE are extracted in an effort to resolve the identities of the calling and called parties.

The format of the URI values contained in SIP INVITE requests sent to a Unified Messaging server must match the URI type of the UM Dial Plan in order for the call to be processed successfully. When you create a new UM Dial Plan object, you are prompted to choose a URI type for the Dial Plan. The available URI options include Telephone Extension (TelExtn), SIPName, or E.164, and the URI type that is selected for the UM Dial Plan directly affects how the URI values are parsed by the UM server.

For Telephone Extension (TelExtn) type UM Dial Plans, URI values must be presented in one of the following three formats for the call to be accepted and processed by an Exchange 2010 UM server:

Numeric extension
Numeric telephone number
Anonymous

There are certain IP PBXs and VoIP gateway devices which are known to send SIP INVITE requests containing a user name value in the URI of the From header (sip:user@192.168.1.101…) and an extension value in the URI of the To header (4001@192.168.1.102…). While Exchange 2007 Unified Messaging servers have traditionally accepted this type of SIP INVITE, the URI parsing logic in Exchange 2010 Unified Messaging will reject the call with the following error:

Unified Messaging server rejected an incoming call with the ID “27759cc8116497b61a94b38b7719e731@192.168.1.101".

Reason: The Unified Messaging server has received an incoming call with a SIP URI "sip:user@192.168.1.101" that is not valid for dial plan “TelExtnDialPlan”.

To determine whether you are impacted by this issue, increase the Diagnostics Logging level for UMCore from Lowest to Expert using either the Exchange Management Console or the Exchange Management Shell. Next, place a call to the Subscriber Access number of the Unified Messaging Dial Plan. Finally, open the Application Log on the Unified Messaging server, and search for Event ID 1004.

Although this article describes the default behavior for processing URI values in the initial release of Exchange Server 2010 Unified Messaging, it is expected that the URI processing logic will be updated to accommodate non-numeric URI values in a future Roll-Up or Service Pack release.

At the moment, there are three known workarounds for this issue, listed as follows:

Configure the IP PBX or VoIP gateway to provide an anonymous URI value (Anonymous)
Configure the IP PBX or VoIP gateway to provide a numeric URI value (60001)
Configure the IP PBX or VoIP gateway to prefix a non-numeric URI value with a numeric digit (1user)

As always, I hope this helps!

-- Dave

‘Sorry! Access Denied’ error received when accessing Voice Mail options in Outlook 2010

DaveH — Fri, 22 Jan 2010 03:29:51 GMT

While using Microsoft Outlook 2010, you may encounter the following error when accessing the Voice Mail options menu to modify your personal settings in the Exchange Control Panel (ECP):

Additionally, the following two errors may appear in the Application Log of the Exchange 2010 Client Access Server located in the same Active Directory Site as the Unified Messaging server:

Log Name:       Application
Source:         MSExchange Configuration Cmdlet – Management Shell
Event ID:       17
Task Category: RBAC
Level:          Error
Computer:       Ex2010CAS01.contoso.com
Description:
(Process w3wp.exe, PID 7080) “RBAC authorization returns Access Denied for user daveh@contoso.com. Reason: No role assignments associated with the specified user were found on Domain Controller CharlotteDC01.contoso.com.”

Log Name:       Application
Source:         MSExchange Control Panel
Event ID:       4
Task Category: General
Level:          Error
Computer:       Ex2010CAS01.contoso.com
Description:
Request for URL ‘https://mail.contoso.com/ecp/default.aspx?p=customize/voicemail.aspx&exsvurl=1’ failed with the following error: Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The user “Contoso\daveh” isn’t assigned to any management roles.

These errors will be generated whenever an Active Directory user account has lost its association to an RBAC Role Assignment Policy. In a default configuration, each Exchange 2010 mailbox user who is enabled for Unified Messaging will be automatically assigned to the ‘Default Role Assignment Policy’. The RBAC Roles associated with this management policy are as follows:

MyBaseOptions
MyContactInformation
MyVoiceMail
MyTextMessaging
MyDistributionGroupMembership

To verify whether a given Active Directory user account is correctly associated with the ‘Default Role Assignment Policy’, use the Exchange Management Shell to enter the following command:

Get-Mailbox {username} | ft name,roleassignmentpolicy

If you find that the affected Active Directory user account is not correctly associated with the ‘Default Role Assignment Policy’, you may be able to resolve this issue by running the following command in the Exchange Management Shell:

Get-Mailbox {username} | Set-Mailbox –RoleAssignmentPolicy “Default Role Assignment Policy”

Upon re-associating the affected user to the Default Role Assignment Policy for RBAC, subsequent connection attempts to the Exchange Control Panel using Internet Explorer should be successful.

Hope this helps!

-- Dave

How PIN expiration status is calculated in Microsoft Exchange Unified Messaging

DaveH — Fri, 04 Sep 2009 22:27:03 GMT

Recently, one of my customers asked me how PIN expiration is determined in Unified Messaging. He claimed that after adding his CEO to a non-expiring UM Mailbox Policy, the CEO was prompted to change his PIN after 45 days. Having never experienced this behavior with any other customer since the release of Exchange 2007, I was admittedly skeptical of the story I was being told over the phone. So, I decided to dig in, to see whether we had a problem with our code.

There are a number of configuration objects that provide core functionality for a user who is enabled for Unified Messaging: the Dial Plan, the UM Mailbox Policy, the UM IP Gateway, and the UM Server. While the UM IP Gateway, the UM Dial Plan, and the UM server are involved in routing a call to Subscriber Access, the PIN authentication settings for the call are controlled by the user’s UM Mailbox Policy. Found under the PIN Policies tab of the UM Mailbox Policy, the PIN Lifetime option and its value determines how long the PIN can be used for authentication before a new PIN value is required.

You might be wondering, “Okay, but how does Unified Messaging enforce PIN expiration on a user-by-user basis?” To answer that question, we first need to understand the Subscriber Access authentication process, and we need to perform some basic calculations involving Windows DateTime values.

Subscriber Access Authentication

When a UM enabled user calls the Subscriber Access number associated with a Dial Plan, the Unified Messaging server will first extract the Caller ID data from the call and attempt to find the extension in Active Directory. If the UM server is unable to resolve the extension to a known EUM proxy address, the caller will be prompted to enter their extension. With the caller now known to Unified Messaging, the UM server will then retrieve the PIN authentication settings from the user’s UM Mailbox Policy, including the number of days defined in the PIN Lifetime value if enabled.

Next, the caller will be prompted to enter their PIN. The UM server will use a MAPI call to read the salted hash of the user’s PIN from their mailbox, and it will use an LDAP call to read the PIN checksum stored in the properties of the user account from Active Directory. If the PIN value was entered correctly by the caller, the UM server will retrieve the PasswordSetTime from the user’s mailbox and calculate whether the PIN is expired. If the PIN is not expired, the user is granted access to the mailbox.

PIN Expiry Calculation

PIN expiration calculations are based on the Windows DateTime structure. The DateTime value type can be described as the number of 100 nanosecond intervals (or ticks) which have occurred since 00:00 January 1 0001 A.D. (Anno Domini) in the Gregorian calendar. A second contains 10,000,000 ticks, and there are 864,000,000,000 ticks in a given 24 hour period. With this in mind, there are three time values that are used by Unified Messaging when calculating PIN expiration during a Subscriber Access logon attempt.

msExchUMPinPolicyExpiryDays

If the PIN Lifetime option is enabled in the properties of the UM Mailbox Policy, you must specify the number of days that the PIN will be considered valid, with a valid range of 1 – 999 days. If the PIN Lifetime option is disabled in the properties of the UM Mailbox Policy, a default value of 36,500 days (100 x 365 days) is used to represent an unlimited expiration value. The PIN Lifetime option in the Exchange Management Console maps to Active Directory attribute msExchUMPinPolicyExpiryDays, where its value is stored in seconds. If your PIN Lifetime on your UM Mailbox Policy is configured with a value of 45 days, the corresponding msExchUMPinPolicyExpiryDays value in Active Directory will be set to 3,888,000 seconds.

PasswordSetTime

When a PIN for a UM enabled user is either set or reset, the PasswordSetTime value in their mailbox is set to the current GMT time in binary. This value is stored in an XML blob within the IPM.Configuration.Um.Password message found in the Associated Contents table of the mailbox (MAPI property 0x7C070102).

SystemTimeUTC

At the time of the Subscriber Access logon attempt, the UM server will use the current GMT time in ticks as a base from which to calculate the expiry status of the PIN.

Upon retrieving these three values, the Exchange Unified Messaging server performs the following calculation to determine whether a PIN is expired:

PINExpiryStatus = SystemTimeUTC - (PasswordSetTime + msExchUMPinPolicyExpiryDays)

A negative PINExpiryStatus result value is indicative of a valid PIN.
A positive PINExpiryStatus result value is indicative of an expired PIN.

For example, let’s assume that a Unified Messaging server discovered the following tick values while attempting to authenticate a Subscriber Access caller:

PasswordSetTime – 633873957184350657    ( Tuesday, September 01, 2009 9:55:18 AM )
PIN Lifetime/msExchUMPinPolicyExpiryDays – 38880000000000     ( 45 Days )
SystemTimeUTC – 633876609141336861      ( Friday, September 04, 2009 11:35:14 AM )

-36228043013796 = 633876609141336861 – (633873957184350657 + 38880000000000)

With a negative tick result value, we at least know that the PIN is still valid. But for how much longer?

41.93 days = 36228043013796 (remaining ticks) / 864000000000 (ticks per day)

After presenting the results of this research and testing to my customer, we were able to conclude that PIN expiry calculations performed by Unified Messaging were occurring within specification. While we were unable to determine why the CEO was prompted to reset his PIN, I suspect that human error was likely involved.

As always, I hope this helps…

-- Dave

If you’d like to try calculating the PIN expiration value for a given mailbox, you can follow these steps. We will use a slightly less complicated method than the Unified Messaging server.

Step 1 – Get PIN Lifetime value from UM Mailbox Policy

Open the Exchange Management Console and locate UM Mailbox Policy associated with your user account. Open the properties of the UM Mailbox Policy, and select the PIN Policies tab. If the PIN Lifetime option is enabled, note the number of days as configured in the GUI. If the PIN Lifetime for your UM Mailbox Policy is disabled (i.e. unlimited), use a value of 36,500 days (100 x 365 days).

In my environment, my UM Mailbox Policy is configured with a PIN Lifetime value of 45 days.

Step 2 – Get PasswordSetTime from User’s Mailbox

You can find the PasswordSetTime for a given UM enabled user account by using the MFCMAPI utility (http://www.codeplex.com/MFCMAPI).

Create a mail profile for the user’s mailbox.
Launch MFCMAPI.
Click Session, then choose Log On and Display Store Table.
Select the profile for the user’s mailbox .
Click MDB, then choose Open Default Message Store.
If prompted, enter the logon credentials for the user account.
Verify that the CreateStoreEntryID flags value is 0x00000000 and click OK.
Highlight the Root Container from the Navigation column.
From the Actions menu, choose Open Associated Contents Table.
Check the PR_MESSAGE_CLASS (MAPI property 0x001A001E) from each listed message until you find the message containing the IPM.Configuration.Um.Password message class.
From the details of the IPM.Configuration.Um.Password message, double-click on PR_ROAMING_DICTIONARY (MAPI property 0x7C070102)
Within the XML data from MAPI tag 0x7C070102, locate the PasswordSetTime value (as highlighted in the screenshot below)
Open the Exchange Management Shell and enter the following commands to convert the binary value from PasswordSetTime to Coordinated Universal Time (UTC), based on Greenwich Mean Time (GMT).

$PasswordSetTime = [DateTime]::FromBinary(5245559975611738561)
$PasswordSetTime
The Exchange Management Shell will return the value Tuesday, September 01, 2009 9:55:18 AM and store it in the variable $PasswordSetTime.

Step 3 – Calculate the PIN Expiration

With all these two values in hand, you can now calculate the PIN expiration status for the UM enabled user account using the Exchange Management Shell.

$PasswordSetTime.AddDays(45)

The PIN for this UM enabled user will expire on Friday, October 16, 2009 9:55:18 AM (GMT).

(Part 3 of 3) The complete step-by-step setup guide for deploying Microsoft Unified Communications products with Enterprise Voice in a lab environment using a single Windows Server 2008 Hyper-V computer and a single Internet IP address

DaveH — Mon, 17 Aug 2009 16:58:35 GMT

Configuring OCS 2007 R2 Communicator Web Access

Now we will install the OCS 2007 R2 CWA role. Although the Communicator Web Access setup program only allows you to create a single virtual server instance (internal or external), a CWA server can be configured to host both types of virtual servers on the same computer. Since I really don’t use CWA internally that much in my lab, I opted to install a single external virtual server instance on my CWA server. Both external and internal users will access the same CWA virtual server instance using https://cwa.contoso.com.

Step 1 – Connect to the Virtual Machine that will host the OCS 2007 R2 CWA role

To configure one of the virtual machines to host the OCS 2007 R2 CWA server role, we’ll need to connect to the Windows 2008 host computer and launch the Server Manager console. Expand the Hyper-V role and verify that the virtual machine for Communicator Web Access was created with the following specifications:

Role OCS 2007 R2 Communicator Web Access

Memory 512MB

Network One (1) Virtual NIC

Hard Disk 16GB Virtual Hard Disk

OS Version Windows Server 2003 SP2 (x64)

FQDN CWA-R2.contoso.com (domain-joined)

IP Address 192.168.1.12

To configure the server, double-click on the Communicator Web Access virtual server within the Hyper-V section of the Server Manager console.

Step 2 – Configure OCS 2007 R2 CWA Network Settings

Next, we need to configure the network settings for the Communicator Web Access virtual machine. Since we will be using only an external CWA virtual server, only one NIC is required. If you’re wondering why I suggest using an external CWA virtual directory versus an internal CWA virtual directory, the Remote Desktop Sharing functionality is offered by the CWA external virtual directory.v

A. To configure OCS 2007 R2 CWA network settings

Log on to the OCS 2007 R2 CWA Server virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then click Run. Type ncpl.cpl and press Enter to launch Network Connections.
Right click on the Local Area Network network interface and select Properties.
Highlight Internet Protocol (TCP/IP) and click on the Properties button.
Under the General tab of TCP/IP Properties, configure the network adapter as follows:

Choose Use the following IP address.

     IP Address: 192.168.1.12
     Subnet Mask: 255.255.255.0
     Default Gateway: 192.168.1.1 (our Linksys Router)

Choose Use the following DNS servers.

     Primary DNS Server: 192.168.1.10 (our internal DNS server)
     Alternate DNS Server: None
Click OK to commit your changes. Close the Network Connections dialog box, and restart the CWA virtual machine.

Step 3 – Generate a TLS certificate for Communicator Web Access

Our next step for deploying Communicator Web Access will be to request a certificate from our Enterprise CA. Although CWA will host an external virtual server that will be accessed by both internal and external clients, we will use an internally generated certificate for the CWA server. Later, we’ll request a third party PKI certificate which will be assigned to the ISA Listener that will be used to proxy all inbound SSL requests – including CWA. The easiest way to request a certificate for CWA is to use the Certificate Wizard from our Front End server.

A. To use the Certificate Wizard to request a new certificate

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then Programs, then Administrative Tools. Click Office Communications Server 2007 R2 to launch the OCS 2007 R2 administration console.
Within the administration console, expand the contoso.com Forest level entry, then expand Standard Edition Servers.
Expand the OCS-R2.contoso.com pool level entry, then right click on the OCS-R2.contoso.com server object. Select Certificates.
On the Welcome to the Certificate Wizard page, click Next.
On the Available Certificate Tasks page, click Create a new certificate, and then click Next.
On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
On the Name and Security Settings page, configure as follows:

a. Enter a meaningful name for the CWA server certificate (i.e., OCSR2CWACert).
b. Under Bit length, select 1024 bit length.
c. Enable the Mark cert as exportable check box.
d. Enable the Include client EKU in the certificate request check box.

When you are finished, click Next.
On the Organization Information page, type or select the name of your organization and organizational unit (enter contoso.com for both entries), and then click Next.
On the Your Server’s Subject Name page, configure as follows:

a. In Subject Name, verify that the FQDN of the OCS CWA server is displayed (i.e., CWA-R2.contoso.com)
b. In Subject Alternate Name, enter the values cwa.contoso.com,as.cwa.contoso.com,download.cwa.contoso.com.

When you are finished, click Next.
Since we are generating this certificate from the Front End server, you will receive a warning which states The Subject Name does not match the Computer FQDN. Do you wish to continue? Choose Yes.
On the Choose a Certification Authority page, the wizard attempts to automatically detect any CAs that are published in Active Directory. Click Select a certificate authority from the list detected in your environment, and then select your certification authority (CA). Click Next.
On the Request Summary page, review the settings that you specified, and then click Next.
At the Assign Certificate Task screen, click the View button and verify that the Subject Name and Subject Alternative Names values are correct, then click Assign Certificate Later.
A dialog box appears and informs you that the Certificate Wizard completed with warnings. Click Finish.

At this point the certificate has been issued to the Front End server from the Certificate Authority. We need to export it from the local computer’s certificate store to a PFX file.

B. Export the new certificate from the OCS 2007 R2 Front End server

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then Run. Type mmc.exe and press Enter to launch the Microsoft Management Console.
From within the Management Console, click File, then Add/Remove Snap-in…
Within the Add/Remove Snap-in dialog box, click Add.
Select the Certificates snap-in, then click Add.
When prompted to choose which for which account to manage certificates, choose the computer account. Click Next.
When prompted to choose which computer to manage, choose Local Computer, then click Finish.
Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
Expand Certificates (Local Computer), then expand the Personal certificate store.
Click on Certificates, then locate and select the certificate that was issued to CWA-R2.contoso.com.
From the menu bar click Action, then All Tasks, then select Export.
At the Welcome to the Certificate Export Wizard screen, click Next.
At the Export with Private Key screen, choose Yes, export the private key. Click Next.
At the Export Format settings, choose Personal Information Exchange – PKCS #12 (.PFX), then click Next.
Enter a Password for the export file, then click Next.
Enter an Export Filename (i.e., c:\CWACert.pfx) and click Next.
Click Finish to complete the certificate export.
Copy the CWACert.PFX export file to the CWA server so that it can be imported.

C. Import the new certificate to the OCS 2007 R2 CWA server

Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then Run. Type mmc.exe and press Enter to launch the Microsoft Management Console.
From within the Management Console, click File, then Add/Remove Snap-in…
Within the Add/Remove Snap-in dialog box, click Add.
Select the Certificates snap-in, then click Add.
When prompted to choose which for which account to manage certificates, choose the computer account. Click Next.
When prompted to choose which computer to manage, choose Local Computer, then click Finish.
Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
Expand Certificates (Local Computer), then select the Personal certificate store.
From the menu bar, click Actions, then All Tasks, then select Import.
At the Welcome to the Certificate Export Wizard screen, click Next.
Click Browse, change the Files of Type option to Personal Information Exchange (pfx), and select the CWACert.pfx file that you copied from the Front End server. Click Next.
Enter the password that you used to export the private key, then click Next.
When prompted where to place the certificate, choose the Personal certificate store. Click Next.
Click Finish to import the certificate.
Close the Certificates management console.

Step 4 – Install Internet Information Services 6.0 for Windows 2003

Communicator Web Access requires Internet Information Services 6.0 when installed on Windows Server 2003. Considering this, we need to install IIS 6.0 prior to installing the CWA server role.

A. To install Internet Information Services 6.0

Log on to the OCS 2007 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Open the Control Panel and launch Add/Remove Programs.
Click Add/Remove Windows Components.
In the Components list box, click Application Server.
Click Details.
Click Internet Information Services Manager.
Click Details to select the World Wide Web Publishing Service, Active Server Pages, and Remote Administration (HTML) components to be installed.
Click OK until you are returned to the Windows Component Wizard.
Click Next and complete the Windows Component Wizard.

Step 5 – Install OCS 2007 R2 Communicator Web Access

After installing Internet Information Services, we are now ready to install the Communicator Web Access binaries.

A. To install Communicator Web Access

Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
When prompted to install the Microsoft Visual C++ 2008 Redistributable, choose Yes to install it.
When prompted to install Microsoft .NET Framework 3.5 SP1, choose Yes to install it.
On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Communicator Web Access.
On the Deploy Communicator Web Access page, at Step 1: Install Communicator Web Access, click Install.
On the License Agreement page, click I accept the terms in the license agreement, and then click Next. If you do not accept the license terms, Setup cannot continue.
On the Install location for Microsoft Office Communications Server 2007 R2, Communicator Web Access page, in the Location box, type a path where Communicator Web Access server should be installed, or accept the default location (C:\Program Files\Microsoft Office Communications Server R2\Communicator Web Access\). Click Next.
Do not close the Deployment Wizard window. Instead, continue directly to the next procedure in order to activate Communicator Web Access.

Step 6 – Activate OCS 2007 R2 Communicator Web Access

Having successfully installed Communicator Web Access, we are now ready to activate the server.

A. To activate Communicator Web Access

Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Communicator Web Access.
On the Deploy Communicator Web Access page, at Step 2: Activate Communicator Web Access, click Run.
On the Welcome page, click Next.
On the Select domain service account page, select Use an existing account. Enter the name RTCComponentService in the Account name box, then type the account password in the Password box. This account is already a member of the RTCComponentUniversalServices group, which is required for the CWA service to start. Click Next.
In the Select Certificate dialog box, click the certificate you installed before beginning Setup; this was the certificate you created and imported in Step 1 above. Click OK.
On the Select Server Certificate page, click Next.
On the Confirm Installation page, click Next.
After the server has been activated, click Close on the Activation Complete page to close the Activation Wizard.
Do not close the Deployment Wizard window. Instead, continue directly to the next procedure in order to create a virtual server.

Step 7 – Create the CWA external virtual server

Once CWA has been activated, we are ready to create our external virtual server. Again, I use an external virtual server for both internal and external users, primarily for the simplicity of connecting to CWA with a single DNS name.

A. To create an external virtual server for Communicator Web Access

Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Communicator Web Access.
At Step 3: Create Virtual Server of the Deploy Communicator Web Access page, click Run.
On the Welcome page, click Next.
On the Select Virtual Server Type page, click External then click Next.
On the Select Authentication Type page, choose Use Built-in Authentication, then click Next.
On the Select Authentication Type page, the default value of Forms-based Authentication is already selected since this is an external virtual server. Click Next.
On the Select Connection Type page, select HTTPS then click the Select Certificate button. Choose the certificate that we generated for Communicator Web Access, then click OK. Click Next to continue.
On the Select IP Address and Port Settings page, select the IP address 192.168.1.12 or use the default value [All Unassigned]. In the Port box, type the port to be used by the virtual server, which should be 443 by default.
On the Server Description page, type a name for the virtual server in the Description box (i.e., Communicator Web Access), then click Next.
On the Select a listening port page, type 5061 as the port number that the Communicator Web Access server will use to listen for SIP messages in the Listening port box. This value must be a unique port value that is not used by any other application on the server. Click Next.
On the Select a pool page, select the fully-qualified domain name of the Office Communications 2007 R2 server that will act as a “next hop” server for anonymous users. Here we will choose OCS-R2.contoso.com, which is our Standard Edition Front End server. For the Port value, choose 5061. Click Next.
On the Start Server Option page, select Start this virtual server after the Create Virtual Server Wizard finishes and then click Next. This ensures that the virtual server will start immediately after it is created. (Virtual servers must be started before they can be accessed.) If you do not start the virtual server immediately, you can start the server later by using either the Communicator Web Access Manager or the Internet Information Services Manager snap-in.
On the Review Settings Before Virtual Server Creation page, verify that the virtual server has been configured correctly and then click Next.
On the Create Virtual Server Complete page, click Close to close the Create Virtual Server wizard.

Step 8 – Install OCS 2007 R2 Administration Console

The next step of our Communicator Web Access installation involves installing the OCS Administration Console.

A. Install the administration console

Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
At the main deployment page, select Administrative Tools from the menu on the right.
On the License Agreement page, click I accept the terms in the license agreement and then click Next.
When the installation finishes, close the OCS 2007 R2 Deployment Tools.
Click Start, then Programs, then Administrative Tools. There you will find the Office Communications Server 2007 R2 administration console as well as the Microsoft Office Communications Server 2007 R2, Communicator Web Access CWA management console.

Step 9 – Configure Audio Conferencing for Communicator Web Access

Communicator Web Access offers support for audio conferences, or telephone calls between three or more people. (Peer-to-peer phone calls are not supported in the R2 version of CWA.) To conduct an audio conference, Communicator Web Access connects the user’s telephone to the public switched telephone network (PSTN) and then initiates calls to the other conference participants.

With a successfully deployed Mediation Server and a correctly configured media gateway, there is no additional configuration necessary for Communicator Web Access users to use the audio conferencing feature. Otherwise, static routes must be configured before CWA users will be able to participate in audio conferences. For the purposes of this lab, we will skip configuring audio conferencing for CWA.

If you need more information on Audio Conferencing in CWA, please visit http://technet.microsoft.com/en-us/library/dd425101(office.13).aspx.

Step 10 – Configure Desktop Sharing in Communicator Web Access

Communicator Web Access in OCS 2007 R2 supports desktop sharing between participants if the environment has been correctly configured to support it and if meeting policy has been configured to allow it. In previous steps, we obtained certificates containing the same required host names to support desktop sharing in CWA, and we configured both internal and external DNS to support desktop sharing. We also enabled desktop sharing in the default policy used by Live Meeting in a previous configuration step. At this point, there is no further configuration necessary to support desktop sharing for our lab environment, but if you would like more information on desktop sharing in CWA, please visit http://technet.microsoft.com/en-us/library/dd425349(office.13).aspx.

This completes the installation of the OCS 2007 R2 CWA server role.

Configuring ISA Server 2006

Our final server role to deploy in this lab environment is ISA Server 2006, which will be configured to act strictly as a reverse proxy for the various SSL web sites offered by Exchange 2007 and Office Communications Server 2007 R2. Since we will not be using ISA Server 2006 as a firewall, we will use a single NIC configuration in this lab.

Step 1 – Connect to the Virtual Machine that will host the ISA Server 2006 role

To configure one of the virtual machines to host the ISA Server 2006 server role, we’ll need to connect to the Windows 2008 host computer and launch the Server Manager console. Expand the Hyper-V role and verify that the virtual machine for ISA 2006 was created with the following specifications:

Role ISA Server 2006

Memory 512MB

Network One (1) Virtual NIC

Hard Disk 16GB Virtual Hard Disk

OS Version Windows Server 2003 SP2 (x64)

FQDN ISA.contoso.com (not domain-joined)

IP Address 192.168.1.6

Although the DNS name of this server will be ISA.contoso.com, it will not be joined to the Contoso.com domain. To configure the server, double-click on the ISA 2006 virtual server within the Hyper-V section of the Server Manager console.

Step 2 – Configure ISA Server 2006 Network Settings

Before installing the ISA Server binaries, we need to configure the network settings for the virtual machine.

A. To configure ISA Server network settings

Log on to the ISA Server virtual machine as the built-in Administrator account (ISA\Administrator).
Click Start, then click Run. Type ncpl.cpl and press Enter to launch Network Connections.
Right click on the Local Area Network network interface and select Properties.
Highlight Internet Protocol (TCP/IP) and click on the Properties button.
Under the General tab of TCP/IP Properties, configure the network adapter as follows:

Choose Use the following IP address.

     IP Address: 192.168.1.6
     Subnet Mask: 255.255.255.0
     Default Gateway: 192.168.1.1 (our Linksys Router)

Choose Use the following DNS servers.

     Primary DNS Server: 4.2.2.1 (Internet root server)
     Alternate DNS Server: 4.2.2.2 (Internet root server)
While still within the TCP/IP properties of the Hyper-V External network adapter, click on the Advanced button.
Within Advanced settings, click on the DNS tab. Under Append these DNS suffixes (in order), click Add and enter the domain contoso.com. Then, under DNS suffix for this connection, enter contoso.com. Finally, deselect the option to Register this connection’s addresses in DNS.
Click OK three times to complete the configuration of the Local Area Network network adapter.
Close Network Connections.
Click Start, then Run. Type Notepad %windir%\system32\drivers\etc\hosts to open the hosts file for editing.
After opening the hosts file in Notepad, add each of the following entries. To minimize complexity, I use a single hosts file with identical entries on both my Edge server and my ISA server.

192.168.1.5    edge-r2.contoso.com
192.168.1.6    isa.contoso.com
192.168.1.6    cwa.contoso.com
192.168.1.6    as.cwa.contoso.com
192.168.1.6    download.cwa.contoso.com
192.168.1.6    mail.contoso.com
192.168.1.6    autodiscover.contoso.com
192.168.1.10   email.contoso.com
192.168.1.11   ocs-r2.contoso.com
192.168.1.12   cwa-r2.contoso.com
192.168.1.13   mediation-r2.contoso.com
Save your changes by clicking File then Save. If you find that you are unable to save your changes and receive an Access Denied error message, then you will need to launch Notepad as the local Administrator account, create the various entries, then save the file.
After successfully configuring the network settings for the virtual machine, restart the ISA 2006 server.

Step 3 – Copy UC Certificate and Internal CA Certificates to ISA 2006 server

Before we install the ISA Server binaries, we first need to copy our UC Certificate purchased from a publicly trusted Certification Authority and the certificate from our internal Certification Authority to the ISA server.

A. To copy certificates to the ISA 2006 server

Log on to the ISA Server virtual machine as the built-in Administrator account (ISA\Administrator).
Launch Windows Explorer, and navigate to the Certificates folder using the administrative share for the C:\ hard disk on the Exchange server (\\192.168.1.10\C$\Certificates).
When prompted for authentication, enter the credentials of the built-in Domain Administrator account (Contoso\Administrator).
Within the Certificates folder, select the file sip_contoso_com_exported.pfx and the file ContosoCA.cer. After highlighting each file, choose Edit then Copy from the Windows Explorer menu bar at the top of the window, or simply press CTRL+C to copy the two certificates to the Windows clipboard.
Again within Windows Explorer, navigate to the C:\ folder from the virtual hard disk on the ISA 2006 server.
Choose Edit then Paste from the Windows Explorer menu bar at the top of the window, or simply press CTRL+V to paste the two certificates from the Windows clipboard into the root of drive C:\ on the ISA server.
Verify that the two certificates were successfully copied to the ISA server, then close Windows Explorer.

Step 4 – Import the Certificates into the local Certificate store

Now that our certificates have been copied to the ISA server, we need to import them into the local computer certificate store.

A. To import the UCC Certificate into the local certificate store

Log in to the ISA Server 2006 virtual machine using the built-in Administrator account (ISA\Administrator).
Click Start, then Run. Type mmc.exe and press Enter to launch the Microsoft Management Console.
From within the Management Console, click File, then Add/Remove Snap-in…
Within the Add/Remove Snap-in dialog box, click Add.
Select the Certificates snap-in, then click Add.
When prompted to choose which for which account to manage certificates, choose the Computer account. Click Next.
When prompted to choose which computer to manage, choose Local Computer, then click Finish.
Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
Expand Certificates (Local Computer), then expand the Personal certificate store object.
Right click on the Certificates object, then highlight All Tasks within the context menu and select Import to launch the Certificate Import Wizard.
At the Welcome page for the Certificate Import Wizard, click Next.
At the File to Import page, enter C:\sip_contoso_com_exported.pfx or browse to the C:\ drive and select the file using the Windows object picker. Click Next.
At the Password page, enter the password used to export the certificate from the Windows 2008 physical host computer (i.e. the Exchange server), then enable the option to Mark this key as exportable. Click Next.
At the Certificate Store page, select the option to Automatically select the certificate store based on the type of certificate. Click Next.
Click Finish to complete the certificate import.

B. To import the Contoso Root CA certificate into the local certificate store

Log in to the ISA Server 2006 virtual machine using the built-in Administrator account (ISA\Administrator).
Click Start, then Run. Type mmc.exe and press Enter to launch the Microsoft Management Console.
From within the Management Console, click File, then Add/Remove Snap-in…
Within the Add/Remove Snap-in dialog box, click Add.
Select the Certificates snap-in, then click Add.
When prompted to choose which for which account to manage certificates, choose the Computer account. Click Next.
When prompted to choose which computer to manage, choose Local Computer, then click Finish.
Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
Expand Certificates (Local Computer), then expand the Trusted Root Certification Authorities certificate store object.
Right click on the Certificates object, then highlight All Tasks within the context menu and select Import to launch the Certificate Import Wizard.
At the Welcome page for the Certificate Import Wizard, click Next.
At the File to Import page, enter C:\ContosoCA.cer or browse to the C:\ drive and select the file using the Windows object picker. Click Next.
At the Certificate Store page, select the option to Place all certificates in the following store. Verify that the Trusted Root Certification Authorities certificate store is selected, then click Next.
Click Finish to complete the certificate import, then Close the Microsoft Management Console.

Step 5 – Install ISA Server 2006

After configuring the virtual machine, we are now ready to install the ISA Server 2006 binaries. Please verify that you have correctly configured the network settings for the virtual network adapter before proceeding with the installation of ISA.

A. To install ISA Server 2006

Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
Launch Windows Explorer, and navigate to ISA CD or shared installation folder.
Double-click ISAAutorun.exe, the setup launcher for ISA Server 2006.
At the Welcome page, click Next.
At the License Agreement page, select I accept the terms in the license agreement.
At the Customer Information page, enter your User Name, your Organization Name, and your Product ID.
At the Setup Type page, choose the Typical installation option. This installs ISA Server, Advanced Logging, and ISA Server Management. Click Next.
On the Internal Network page, click the Add button.
In the Addresses dialog box, click Add Adapter.
In the Select Network Adapters dialog box, select the single virtual network adapter, then click OK.
Back in the Addresses dialog box, click OK to return to the Internal Network page. Note that the addresses shown here will have no meaning in a single NIC ISA configuration, as all network addresses in a single NIC configuration are considered internal.
Back on the Internal Network page, click Next.
On the Firewall Client Connections page, click Next. Since our server will not be acting as a firewall, this setting will not matter.
Click Next on the Services Warning page.
Click Install to being the installation.
On the Installation Wizard Completed page, put a checkmark in the Invoke ISA Server Management when the wizard closes checkbox and click Finish.
Close the Internet Explorer window entitled Protect the ISA Server Computer.

Step 6 – Configure ISA System Policy

Having successfully installed the ISA server binaries, we are now ready to configure the server. First we’ll configure the system policy to allow for remote management using terminal services client, and we’ll configure the system policy to respond to pings from computers on our local network.

A. To configure ISA system policy

Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management
Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
Right click on Firewall Policy and choose Edit System Policy from the context menu.
Within the System Policy Editor, you will find a list of Configuration Groups. Under the Remote Management configuration group, choose Terminal Server.
Within the Terminal Server configuration group, select Enable this configuration group under the General tab.
Click on the From tab. Under This rule applies to traffic from these sources, select the Remote Management Computers group, then click Edit.
In the Remote Management Computers Properties dialog box, click Add then select Computer. Alternatively you may add an entire subnet or an entire range of IP addresses.
Enter the Host Name of your computer which will be used to manage the ISA server remotely using terminal services client, then enter the IP address. Click OK.
After adding each computer that will be used to manage your ISA server, click OK to commit your changes.
Back at the System Policy Editor dialog box, under the Remote Management configuration group, click on the ICMP (Ping) configuration group.
Within the ICMP (Ping) configuration group, select Enable this configuration group under the General tab.
Next, click on the From tab. Under This rule applies to traffic from these sources, verify that the Remote Management Computers group is listed, then click Add.
Within the Add Network Entities, expand Networks, then select Local Host. Click Add.
Back within the System Policy Editor, click OK.
Click Apply to commit your System Policy configuration changes.

Step 7 – Create Exchange OutlookAnywhere Firewall Rule

Our next step will be to create a firewall rule to handle almost all Exchange 2007 requests, including Outlook Web Access.

A. To create the Exchange OutlookAnywhere firewall rule

Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
Right click on Firewall Policy and highlight New. Select Exchange Web Client Access Publishing Rule.
At the Welcome to the New Exchange Publishing Rule Wizard page, enter a meaningful name for the rule (i.e. Exchange OutlookAnywhere). Click Next.
At the Select Services page, choose Exchange Server 2007 as the server version. Choose the option Outlook Anywhere (RPC/HTTP(s)), and enable the option Publish additional folders on the Exchange Server for Outlook 2007 clients. Click Next.
At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm. Click Next.
At the Internal Publishing Details page, enter the internal site name mail.contoso.com. Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the Exchange server, 192.168.1.10. Click Next.
At the Public Name Details page, choose to Accept requests for This domain name (type below), then enter the Public Name mail.contoso.com. Click Next.
At the Select Web Listener page, click New.
At the New Web Listener Definition Wizard welcome page, click Next.
On the Web Listener Client Connection Security page, choose Require SSL secured connections with clients. Click Next.
At the Web Listener IP Addresses page, choose both the Internal and Local Host networks, and enable the option ISA Server will compress content sent to clients through this Web Listener if the clients requesting the content support encryption. Click Next.
At the Web Listener SSL Certificates page, select Use a single certificate for the Web Listener, then click Select Certificate. From the list of available certificates, choose the UC Certificate purchased from the publicly trusted Certification Authority, then click Select. Click Next.
At the Web Listener Authentication Settings page, choose No Authentication from the drop down box, then click Next.
At the Web Listener Single Sign On Settings page, choose Next. Single Sign On is not a supported option in a single NIC ISA configuration.
Click Finish to complete the configuration of the Web Listener.
Back at the Select Web Listener page, verify that the HTTPS Listener web listener is selected, then click Next.
At the Authentication Delegation page, choose No Delegation, but client may authenticate directly. Click Next.
At the User Sets page, choose All Users, then click Next.
At the Completing the New Exchange Publishing Rule Wizard page, click Finish.
Next, click Apply to commit your changes.
From the list of available firewall rules, right click on the new Exchange OutlookAnywhere rule, then choose Properties.
Select the From tab. Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove. Click Add, expand Networks, and Add the Internal and Local Host networks.
Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPs traffic.
Next, click on the Paths tab, then click on the Add button to add a new path. Enter the path value /owa/*, and under External Path, choose Same as published folder. Click OK, then click Apply.
Click Test Rule to simulate a connection request to each of the external paths listed under the Paths tab.
Click OK to complete configuration of the Exchange OutlookAnywhere rule.

Step 8 – Create Exchange ActiveSync Firewall Rule

Next, we will create a firewall rule to handle Exchange 2007 ActiveSync requests.

A. To create the Exchange ActiveSync firewall rule

Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
Right click on Firewall Policy and highlight New. Select Exchange Web Client Access Publishing Rule.
At the Welcome to the New Exchange Publishing Rule Wizard page, enter a meaningful name for the rule (i.e. Exchange ActiveSync). Click Next.
At the Select Services page, choose Exchange Server 2007 as the server version. Choose the option Exchange ActiveSync, and then Click Next.
At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm. Click Next.
At the Internal Publishing Details page, enter the internal site name mail.contoso.com. Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the Exchange server, 192.168.1.10. Click Next.
At the Public Name Details page, choose to Accept requests for This domain name (type below), then enter the Public Name mail.contoso.com. Click Next.
At the Select Web Listener page, choose the existing HTTPS Listener from the Web Listener drop-down list. Click Next.
At the Authentication Delegation page, choose No Delegation, but client may authenticate directly. Click Next.
At the User Sets page, choose All Users, then click Next.
At the Completing the New Exchange Publishing Rule Wizard page, click Finish.
Next, click Apply to commit your changes.
From the list of available firewall rules, right click on the new Exchange ActiveSync rule, then choose Properties.
Select the From tab. Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove. Click Add, expand Networks, and Add the Internal and Local Host networks.
Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPs traffic.
Next, click on the Paths tab, then verify that /Microsoft-Server-ActiveSync/* is listed as the Internal Path. Click Apply.
Click Test Rule to simulate a connection request to the external ActiveSync path listed under the Paths tab.
Click OK to complete configuration of the Exchange ActiveSync rule.

Step 9 – Create Exchange Autodiscover Firewall Rule

Next, we will create a firewall rule to handle Exchange 2007 Autodiscover requests.

A. To create the Exchange Autodiscover firewall rule

Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
Right click on Firewall Policy and highlight New. Select Exchange Web Client Access Publishing Rule.
At the Welcome to the New Exchange Publishing Rule Wizard page, enter a meaningful name for the rule (i.e. Exchange Autodiscover). Click Next.
At the Select Services page, choose Exchange Server 2007 as the server version. Choose the option Outlook Anywhere (RPC/HTTP(s)), and enable the option Publish additional folders on the Exchange Server for Outlook 2007 clients. Click Next.
At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm. Click Next.
At the Internal Publishing Details page, enter the internal site name autodiscover.contoso.com. Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the Exchange server, 192.168.1.10. Click Next.
At the Public Name Details page, choose to Accept requests for This domain name (type below), then enter the Public Name autodiscover.contoso.com. Click Next.
At the Select Web Listener page, choose the existing HTTPS Listener from the Web Listener drop-down list. Click Next.
At the Authentication Delegation page, choose No Delegation, but client may authenticate directly. Click Next.
At the User Sets page, choose All Users, then click Next.
At the Completing the New Exchange Publishing Rule Wizard page, click Finish.
Next, click Apply to commit your changes.
From the list of available firewall rules, right click on the new Exchange Autodiscover rule, then choose Properties.
Select the From tab. Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove. Click Add, expand Networks, and Add the Internal and Local Host networks.
Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPs traffic.
Next, click on the Paths tab. Select each Internal Path entry, then click Remove. After removing all values, click Add to add a new Internal Path value of /*. Verify that the External Path is the Same as published folder. Click OK, then click Apply.
Click Test Rule to simulate a connection request to the external Autodiscover path listed under the Paths tab.
Click OK to complete configuration of the Exchange Autodiscover rule.

Step 10 – Create OCS 2007 R2 Web Components Firewall Rule

Next, we will create a firewall rule to handle OCS 2007 R2 Web Components requests.

A. To create the OCS 2007 R2 Web Components firewall rule

Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
Right click on Firewall Policy and highlight New. Select Web Site Publishing Rule.
At the Welcome to the New Web Site Publishing Rule Wizard page, enter a meaningful name for the rule (i.e. OCS 2007 R2 Web Components). Click Next.
At the Specify Rule Action page, choose Allow then click Next.
At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm. Click Next.
At the Internal Publishing Details page, enter the site name sip.contoso.com. Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the OCS Front End server, 192.168.1.11. Click Next.
At the next Internal Publishing Details page, enter a path value of /*. Enable the option Forward the original host header instead of the actual one provided in the Internal site name field on the previous page. Click Next.
At the Public Name Details page, choose the option Accept requests for this domain name (type below). Enter the public site name sip.contoso.com and a path value of /*. Click Next.
At the Select Web Listener page, choose the existing HTTPS Listener from the Web Listener drop-down list. Click Next.
At the Authentication Delegation page, choose No Delegation, but client may authenticate directly. Click Next.
At the User Sets page, choose All Users, then click Next.
At the Completing the New Web Site Publishing Rule Wizard page, click Finish.
Next, click Apply to commit your changes.
From the list of available firewall rules, right click on the new OCS 2007 R2 WebComponents rule, then choose Properties.
Select the From tab. Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove. Click Add, expand Networks, and Add the Internal and Local Host networks.
Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPs traffic.
Next, click on the Paths tab. Verify that /* is listed as the internal path value. Click Apply.
Click Test Rule to simulate a connection request to the external Web Components path listed under the Paths tab.
Click OK to complete configuration of the OCS 2007 R2 WebComponents rule.

Step 11 – Create OCS 2007 R2 CWA Firewall Rule

Finally, we will create a firewall rule to handle OCS 2007 R2 Communicator Web Access requests. This will be the last rule that we need to create to support OCS and Exchange traffic for our lab environment.

A. To create the OCS 2007 R2 CWA firewall rule

Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
Right click on Firewall Policy and highlight New. Select Web Site Publishing Rule.
At the Welcome to the New Web Site Publishing Rule Wizard page, enter a meaningful name for the rule (i.e. OCS 2007 R2 CWA). Click Next.
At the Specify Rule Action page, choose Allow then click Next.
At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm. Click Next.
At the Internal Publishing Details page, enter the site name cwa.contoso.com. Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the OCS Front End server, 192.168.1.12. Click Next.
At the next Internal Publishing Details page, enter a path value of /*. Enable the option Forward the original host header instead of the actual one provided in the Internal site name field on the previous page. Click Next.
At the Public Name Details page, choose the option Accept requests for this domain name (type below). Enter the public site name cwa.contoso.com and a path value of /*. Click Next.
At the Select Web Listener page, choose the existing HTTPS Listener from the Web Listener drop-down list. Click Next.
At the Authentication Delegation page, choose No Delegation, but client may authenticate directly. Click Next.
At the User Sets page, choose All Users, then click Next.
At the Completing the New Web Site Publishing Rule Wizard page, click Finish.
Next, click Apply to commit your changes.
From the list of available firewall rules, right click on the new OCS 2007 R2 CWA rule, then choose Properties.
Select the From tab. Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove. Click Add, expand Networks, and Add the Internal and Local Host networks.
Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPs traffic.
Next, click on the Paths tab. Verify that /* is listed as the internal path value. Click Apply.
Click Test Rule to simulate a connection request to the external Communicator Web Access path listed under the Paths tab.
Click OK to complete configuration of the OCS 2007 R2 CWA rule.

This completes the deployment of the ISA Server 2006 server role.

Conclusion

Please remember that much of this configuration is considered by Microsoft to be unsupported for production use. While the configuration details provided in this series of blog entries have enabled me to achieve the goals I wanted for my own lab, your own mileage may vary. Either way, I hope that you have found this series of blog entries to be helpful, and as always, all comments and/or corrections are greatly appreciated.

-- Dave

(Part 1 of 3) The complete step-by-step setup guide for deploying Microsoft Unified Communications products with Enterprise Voice in a lab environment using a single Windows Server 2008 Hyper-V computer and a single Internet IP address

DaveH — Mon, 17 Aug 2009 16:55:15 GMT

As a Senior Support Escalation Engineer with the Unified Communications team at Microsoft, I help a lot of customers install Microsoft Unified Communications products in either their production or lab environment. I often find that for many smaller organizations, the task of deploying OCS 2007 R2 and/or Exchange Unified Messaging becomes that of the existing IT team or the network administrator. While Office Communications Server 2007 R2 is the coolest collaboration product that Microsoft has ever shipped and Unified Messaging is the perfect voice mail solution for it, the learning curve for each product isn’t just steep – it is nearly insurmountable. Considering the seemingly endless list of available features within OCS 2007 R2 and their associated requirements, figuring out exactly what you need to accomplish what you want is often a frustrating experience – especially for those who are new to the technology.

So, what do you want to do with Office Communications Server 2007 R2 and Microsoft Exchange Server 2007?

Do you want to enable instant messaging?

IM only between user accounts in your lab?

IM with federated contacts? (external IM with other labs/other companies)

IM with public providers like MSN/Yahoo/AOL?

Do you want to share meetings using Live Meeting?

Meetings only between user accounts in your lab?

Meetings that can be joined by remote users?

Meetings that can be joined remotely by anonymous users?

Meetings that offer Audio/Video capabilities?

Do you want to offer Exchange services to your OCS users?

Access to email via Outlook or Outlook Web Access?

Automatic configuration of Outlook using Outlook Anywhere

Voice mail services using Unified Messaging

Having recently moved to the Unified Communications team after supporting Exchange for the past eight years, I am also new to this technology – and I’ve experienced a similar degree of frustration when building out various lab environments. Since I seem to learn a lot more about a product by installing and configuring it versus simply reading about it from a book, I wanted to deploy a fully working Unified Communications lab environment at home where I could learn at my own pace.

While I am extremely fortunate to have unlimited access to a variety of high-end equipment at work, the equipment found in my own lab at home is a little embarrassing by comparison… :-) So, in the best interest of make do, this step-by-step guide will attempt to offer all of the services listed above in a lab environment using a single Windows 2008 Hyper-V physical host computer and a single public IP address.

Disclaimer

This information is provided AS-IS with no warranties, and confers no rights. In fact, many of the configuration steps provided in this documentation are considered UNSUPPORTED by the Microsoft RTC and Exchange product groups for production use. Although Microsoft now officially supports many of the server roles for OCS 2007 R2 on Windows 2008 Hyper-V, the roles involving RTC media streams are not supported on virtualized platforms. As such, please DO NOT use this documentation as prescriptive guidance for deploying these products in a production capacity.

Lab Overview

Using a single 64-bit computer running Windows Server 2008 and Hyper-V, you can deploy a fully functional OCS 2007 R2 / Exchange 2007 lab environment. After completing setup of this lab, you’ll be able to do instant messaging and Live Meeting conferences with full audio and video for both internal and external users. If you want to provide optional VoIP telephony services with PSTN integration, however, you’ll need to add a Mediation server and a VoIP Gateway device to your lab.

Since I chose to deploy this lab at home, there were a few constraints that I knew I had to work around. For example, my house was not pre-wired for CAT5 when it was built, so I use wireless networking for just about everything – including my laptops, my Zune, and each of my X-Box 360s. Instead of inconveniencing my family by taking the network offline while I figured out how to route everything through ISA Server 2006 running in a virtual machine, I chose instead to use ISA Server 2006 simply as an SSL proxy/redirect while leaving the firewall on my Linksys WRT54G wireless router to filter out unwanted network traffic.

Below you will find a diagram of the Unified Communications lab environment that I built at home and that we will attempt to build in the following documentation (click to enlarge).

Requirements

To build this lab environment, the following components are required:

One (1) 3.0 GHz Dual Core (or higher) 64-bit Hyper-V host computer, 8GB RAM, Gigabit NIC, two (2) 320GB SATA hard disks
- One (1) Hyper-V guest, 512MB RAM, one virtual NIC, 16GB virtual hard disk (ISA 2006)
- One (1) Hyper-V guest, 512MB RAM, one virtual NIC, 16GB virtual hard disk (OCS 2007 R2 CWA)
- One (1) Hyper-V guest, 512MB RAM, one virtual NIC, 16GB virtual hard disk (OCS 2007 R2 Mediation)
- One (1) Hyper-V guest, 1024MB RAM, two virtual NICs, 16GB virtual hard disk (OCS 2007 R2 Edge)
- One (1) Hyper-V guest, 1024MB RAM, one virtual NIC, 16GB virtual hard disk (OCS 2007 R2 Front End
One (1) Wireless or Wired Ethernet Router
One (1) Ethernet Cable Modem or DSL Modem
One (1) Public IP address, either static or DHCP assigned
One (1) publicly registered Internet domain
One (1) SSL SAN Certificate issued by a trusted PKI provider (optional)

To provide VoIP connectivity with PSTN integration, you will need the following optional component:

One (1) VoIP Gateway (similar to AudioCodes MP 114/118), or
SIP Trunk from a UCOIP Certified Provider

Unless you plan to provide Public IM Connectivity to your lab users, you will not need a UC Certificate from a trusted PKI provider. This may be good news given that UC (SAN) Certificates can be very pricey, especially for a small lab environment. You can accomplish much of the same functionality simply by using internally generated certificates, however your external users will log trust errors – at least initially. Internally generated certificates are not trusted by computers which are external to your organization. You can work around this, however, by having your external users import the certificate from your internal Certification Authority into their list of Trusted Root Certificate Authorities.

With regards to Federation, you can establish direct federation with a partner organization without using a publicly trusted UC certificate. As long as your federated partner agrees to import your internally generated CA certificate into the Trusted Root Certification Authorities list on each Edge server, you can participate in federated IM conversations and conferences.

Now… let’s get started!

Registering a Public Domain

The first step in this process is to register a public domain from a trusted registrar. The registrar you choose will ask you to provide various contact and technical information that makes up the registration, which is then stored in a central directory known as the "registry." You will also be required to enter a registration contract with the registrar, which sets forth the terms under which your registration is accepted and will be maintained. A list of trusted registrars can be found at InterNIC.

While most domain registrars also offer hosting the DNS records for purchased domains, you should look for a domain registrar which will allow you to create and edit Service Records (SRV). Office Communications Server 2007 R2 uses SRV records for Federation, Public IM Connectivity (PIC), and automatic client configuration for external users. After checking SlickDeals.net for online coupon codes, I purchased the domain name for my Unified Communications lab from GoDaddy.com. Not only did I get my domain for a fantastic price, I have been extremely pleased with their customer service – and they allow you to create DNS SRV records.

Creating Public DNS Records

Next, we will need to create several public DNS records for our Unified Communications environment. While my ISP does offers static IP addresses to their customers for an extra fee, I still use a DHCP-assigned IP address. I found that DHCP-assigned IP addresses from my ISP rarely change – maybe once every four or five months. However, when it does happen, I have to manually update my DNS records to point to the new IP address. As you can imagine, manually updating DNS records can be quite annoying.

For me, though, updating DNS to point to a new IP address isn’t big of a deal. While Microsoft only officially supports using host (A) public DNS records for deploying OCS 2007 R2, I chose instead to use CNAME records for my own lab environment. By using CNAME records, I found that I only have to update a single DNS record if my DHCP-assigned IP address changes for any reason.

The following step-by-step instructions describe how to create CNAME records with GoDaddy to support OCS 2007 R2, however, these instructions will vary by provider.

A. To create Public DNS records for your Unified Communications lab environment

Log in to your DNS service provider.
Select the appropriate option for managing DNS records for your domain.
(For GoDaddy.com customers, this option is called Total DNS Control and MX Records.)
Select the appropriate option for creating a new A record, then enter the following details:

Host Name: @
Points to IP Address: <Your IP Address>
TTL: One hour

Select the appropriate option for creating a new CNAME record, then enter the following details:

Enter an Alias Name: sip
Points to Host Name: @
TTL: One hour

Repeat this step, creating additional CNAME records for each of the following Alias names:

Alias	Points to Host Name
cwa	@
mail	@
www	@
autodiscover	@
as.cwa	@
download.cwa	@

Select the appropriate option for creating a new MX record, then enter the following details:

Host Name: @
Goes To Address: mail.contoso.com
Priority: 0
TTL: One hour
Select the appropriate option for creating a new SRV record, then enter the following details:

Service: _sipfederationtls
Protocol: _tcp
Name: Federation SRV Record
Priority: 1
Weight: 1
Port: 5061
Target: sip.contoso.com
TTL: One hour

Repeat this step, creating an additional SRV record with the following details:

Service: _sip
Protocol: _tls
Name: External User SRV Record
Priority: 1
Weight: 1
Port: 5061
Target: sip.contoso.com
TTL: One hour

This completes the configuration of the external DNS records.

Configuring the Router/Firewall

The third step in this process is to either configure port forwarding in the configuration of your router or to create rules to open ports on your firewall. As mentioned previously, I use a Linksys WRT54G wireless router and a single private network (no DMZ) for all devices. As such, I created the following port forwarding rules in the configuration of my router to accommodate network traffic for Exchange Server and Office Communications Server:

Protocol Source IP External Ports Internal Ports Internal IP Description

Both All 50000 – 59999 (same) 192.168.1.4 A/V Edge RTP Ports

TCP All 5061 5061 192.168.1.2 Access Edge

UDP All 3478 3478 192.168.1.4 A/V Edge (STUN/TURN)

TCP All 443 443 192.168.1.6 ISA SSL Listener

TCP All 442 442 192.168.1.3 Web Conferencing Edge

TCP All 441 441 192.168.1.4 A/V Edge

TCP All 80 80 192.168.1.10 Web Site

TCP All 25 26 192.168.1.10 SMTP (Email)

After saving this configuration, restart your router or firewall.

Explanation of Routing

Although it is possible to deploy both OCS 2007 R2 and Exchange 2007 using a single public IP address, to do so introduces some very interesting challenges with regards to routing. The following summary explains how routing is accomplished in this lab for internal and external connectivity.

External Routing

Client	Address	Ext Port	Path	Int Port	Target
OCS Remote User	sip.contoso.com	5061	OCS Access Edge	5061	OCS-R2.contoso.com
OCS Web Components	sip.contoso.com	443	ISA Server Proxy	443	OCS-R2.contoso.com
OCS Web Conferencing	sip.contoso.com	442	OCS Web Conf Edge	8057	OCS-R2.contoso.com
OCS A/V Conferencing	sip.contoso.com	441	OCS A/V Edge	443	OCS-R2.contoso.com
OCS CWA	https://cwa.contoso.com	443	ISA Server Proxy	443	CWA-R2.contoso.com
Outlook Web Access	https://mail.contoso.com/owa	443	ISA Server Proxy	443	Email.contoso.com
Autodiscover	https://autodiscover.contoso.com	443	ISA Server Proxy	443	Email.contoso.com
SMTP	mail.contoso.com	25	Linksys Router	26	Email.contoso.com

Internal Routing

Client	Address	Port	Path	Target
OCS Internal User	sip.contoso.com	5061	OCS Front End	OCS-R2.contoso.com
OCS Web Components	OCS-R2.contoso.com	443	OCS Front End	OCS-R2.contoso.com
OCS CWA	https://cwa.contoso.com	443	ISA Server Proxy	CWA-R2.contoso.com
Outlook Web Access	https://mail.contoso.com/owa	443	ISA Server Proxy	Email.contoso.com

Configuring the Domain Infrastructure

For the purposes of this lab, our physical host computer will run a number of services – including Active Directory, DNS, Enterprise Certification Authority, and Hyper-V virtualization. The following steps will configure the domain infrastructure for the Unified Communications lab environment.

Step 1 - Install Windows Server 2008 Enterprise Edition

The first configuration step involves installing Windows Server 2008 Enterprise Edition as the operating system for the physical host computer. Rather than reinvent the wheel here, Microsoft MVP Daniel Petri authored a fantastic step-by-step blog entry on installing Windows Server 2008. Be sure to check it out if you have never done this before. It may save you some time and effort… :-)

Step 2 - Install the Hyper-V Role

Once Windows Server 2008 Enterprise Edition has been installed on the host PC, our first configuration task will be to install the Hyper-V role which will host the four guest virtual machines that will run ISA Server 2006 and OCS 2007 R2. It is important to install the Hyper-V role first because it allows us an opportunity to configure network settings for the computer before installing Active Directory. For additional information on Windows virtualization using Hyper-V, check out the Hyper-V Getting Started Guide on Microsoft TechNet.

A. To install Hyper-V on a full installation of Windows Server 2008

Log in to the Windows 2008 computer using the built-in Administrator account.
Click Start, and then click Server Manager.
In the Roles Summary area of the Server Manager main window, click Add Roles.
On the Select Server Roles page, click Hyper-V.
On the Create Virtual Networks page, click one or more network adapters if you want to make their network connection available to virtual machines.
On the Confirm Installation Selections page, click Install.
The computer must be restarted to complete the installation. Click Close to finish the wizard, and then click Yes to restart the computer.
After you restart the computer, log on with the same account you used to install the role. After the Resume Configuration Wizard completes the installation, click Close to finish the wizard.

Step 3 – Configure Network Settings

While As mentioned previously, our Windows 2008 physical host computer will be configured to support a number of roles, including Active Directory, DNS, Certificate Services, and Exchange 2007. The IP address for this computer will be 192.168.1.10, and since it will host Active Directory and DNS, the IP address should not be assigned by DHCP. As such, we will need to complete several steps to configure our network settings.

A. To verify that Windows Firewall is enabled

Log in to the Windows 2008 computer using the built-in Administrator account.
Click Start, then open the Control Panel. Launch Windows Firewall.
From the menu on the left, click on the Turn Windows Firewall on or off hyperlink option
Verify that Windows Firewall is enabled.

B. To configure static TCP/IP settings for a Hyper-V virtual NIC in Windows Server 2008

Log in to the Windows 2008 computer using the built-in Administrator account
Click Start, then open the Control Panel. Launch the Network and Sharing Center applet.
From the Tasks menu on the left, select Manage Network Connections.
In the Network Connections window, click the Views option from the menu bar and select Details.
After installing the Hyper-V role, you will notice that a new network adapter has been added to the system. Open the properties of each adapter and locate the one that is bound only to the Microsoft Virtual Network Switch Protocol. This adapter represents the physical (hardware) network adapter, while the other represents the Hyper-V virtual adapter.
Right click on each network adapter and rename them as follows:

HyperV Internal (Physical NIC) – network adapter bound only to Microsoft Virtual Network Switch Protocol.
HyperV Internal (Virtual NIC) – network adapter bound to everything except the Microsoft Virtual Network Switch Protocol.
After renaming the network adapters, open the properties of the HyperV Internal (Virtual NIC) adapter.
Select the Internet Protocol Version 6 (TCP/IPv6) connection, then click Properties.
Select Use the following IPv6 address, then enter the following:

IP Address: fe80:0:0:0:0:0:c0a8:010a
Subnet prefix length: 64
Default Gateway: fe80:0:0:0:0:0:c0a8:0101
DNS Server: fe80:0:0:0:0:0:7f00:0001

Click OK.
Select the Internet Protocol Version 4 (TCP/IPv4) connection, then click Properties.
Select Use the following IPv4 address, then enter the following:

IP Address: 192.168.1.10
Network Mask: 255.255.255.0
Default Gateway: 192.168.1.1
DNS Server: 127.0.0.1
Click OK then Close the properties of the HyperV Internal (Virtual NIC) adapter.

After completing the network configuration steps, restart the Windows 2008 physical host computer.

Step 4 – Install Active Directory Domain Services / DNS

Having installed the Hyper-V role and configured our network settings, we’re now ready to install Active Directory Domain Services on the Windows 2008 physical host computer. Since we have not yet installed the DNS server role, you will be prompted to install the DNS role during the setup of Active Directory.

A. To install a new Active Directory forest by using the Windows interface

Log in to the Windows 2008 computer using the built-in Administrator account.
Open Server Manager by clicking Start, point to Administrative Tools, and then click Server Manager.
In Roles Summary, click Add Roles.
If necessary, review the information on the Before You Begin page and then click Next.
On the Select Server Roles page, click the Active Directory Domain Services check box, and then click Next.
Note: If you installed Windows Server 2008 R2, you might have to click Add Required Features to install .NET Framework 3.5.1 features before you can click Next.
If necessary, review the information on the Active Directory Domain Services page, and then click Next.
On the Confirm Installation Selections page, click Install.
On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).
On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
You can select the Use advanced mode installation check box to get additional installation options.
On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 and Windows Server 2008 R2 domain controllers, and then click Next.
On the Choose a Deployment Configuration page, click Create a new domain in a new forest, and then click Next.
On the Name the Forest Root Domain page, type the full Domain Name System (DNS) name for the forest root domain (i.e. contoso.com), and then click Next.
If you selected Use advanced mode installation on the Welcome page, the Domain NetBIOS Name page appears. On this page, type the NetBIOS name of the domain if necessary (i.e. contoso) or accept the default name, and then click Next.
On the Set Forest Functional Level page, select the forest functional level that accommodates the domain controllers that you plan to install anywhere in the forest (Windows 2003 mode or higher is required), and then click Next.
On the Set Domain Functional Level page, select the domain functional level that accommodates the domain controllers that you plan to install anywhere in the domain (Windows 2003 mode or higher is required), and then click Next.

Note: The Set Domain Functional Level page does not appear if you select the Windows Server 2008 forest functional level on a server that runs Windows Server 2008 or if you select the Windows Server 2008 R2 forest functional level on a server that runs Windows Server 2008 R2.
On the Additional Domain Controller Options page, DNS server is selected by default so that your forest DNS infrastructure can be created during AD DS installation. If you plan to use Active Directory–integrated DNS, click Next. If you have an existing DNS infrastructure and you do not want this domain controller to be a DNS server, clear the DNS server check box, and then click Next.
If the wizard cannot create a delegation for the DNS server, it displays a message to indicate that you can create the delegation manually. To continue, click Yes.
On the Location for Database, Log Files, and SYSVOL page, browse to the volume and folder locations for the database file, the directory service log files, and the SYSVOL files, and then click Next.
Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or existing files.
On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password must be used to start AD DS in Directory Service Restore Mode for tasks that must be performed offline.
On the Summary page, review your selections. Click Back to change any selections, if necessary.
To save the selected settings to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type the name for your answer file, and then click Save.
When you are sure that your selections are accurate, click Next to install AD DS.
You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the AD DS installation when you are prompted to do so.

Upon restarting the server, log in using the credentials for the built-in Domain Administrator account (i.e. Contoso\Administrator). It is important that you use the built-in Domain Administrator account because it is the only account that is exempt from User Account Control restrictions. Once logged in, launch the Event Viewer and take a cursory glance at both the Application Log and System Logs from the server. Be sure to address any serious errors before proceeding.

Step 5 – Configure Internal DNS Records

To support both OCS 2007 R2 and Exchange 2007, we will need to create several host (A) records and service (SRV) records in our internal DNS zone.

A. Add internal DNS Records for OCS 2007 R2 and Exchange 2007

Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, point to Administrative Tools, and then click DNS.
In the DNS console, expand the Server object, expand the Forward Lookup Zones folder, and select the local Domain.
From the menu bar at the top of the DNS console, choose Action, then click New Host (A or AAAA)…

In the New Host dialog box, type the Host Name and IP Address for the new A record.

Name: sip
IP Address: 192.168.1.11

Repeat this step, creating additional DNS A records for each of the following host names:

Host Name	IP Address
autodiscover	192.168.1.6
mail	192.168.1.6
www	192.168.1.10
sip	192.168.1.11
cwa	192.168.1.6
Edge-R2	192.168.1.5
ISA	192.168.1.6

Next, select the local Domain again.
From the menu bar at the top of the DNS console, choose Action, then click New Alias (CNAME)…
In the New Resource dialog box, enter the following data, then click OK:

Alias Name: as.cwa
Fully Qualified Domain Name: as.cwa.contoso.com (automatically populated)
Fully Qualified Domain Name for Target Host: cwa.contoso.com
Choose Action, then click New Alias (CNAME)… to create an additional CNAME record.
In the New Resource dialog box, enter the following data, then click OK:

Alias Name: download.cwa
Fully Qualified Domain Name: download.cwa.contoso.com (automatically populated)
Fully Qualified Domain Name for Target Host: cwa.contoso.com
Next, select the local Domain again.
From the menu bar at the top of the DNS console, choose Action, then click Other New Records…
In the Resource Record Type dialog box, scroll down the list of available record types and choose Service Location (SRV) option and click Create Record…
In the New Resource Record dialog box, manually type in the following information (do not use the drop down list):

Service: _sipinternaltls
Protocol: _tcp
Priority: 1
Weight: 1
Port Number: 5061
Host Name: sip.contoso.com
Create a second DNS SRV record, manually type in the following information (do not use the drop down list):

Service: _sip
Protocol: _tls
Priority: 1
Weight: 1
Port Number: 5061
Host Name: sip.contoso.com
Close the DNS console after all records have been created.

This completes the configuration of the internal DNS records.

Step 6 - Install Certificate Services

Next, we need to install the Certificate Authority role on the Windows 2008 computer so that we can issue PKI certificates for the various Office Communications Server 2007 server roles.

A. To install Certificate Services and set up an Enterprise Root CA

Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, point to Administrative Tools, and then click Server Manager.
In the Roles Summary section, click Add roles.
On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.
On the Select Role Services page, select the Certification Authority check box, and then click Next.
On the Specify Setup Type page, click Enterprise, and then click Next.
On the Specify CA Type page, click Root CA, and then click Next.
On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional configuration settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.
In the Common name for this CA box, type the common name of the CA, ContosoCA, and then click Next.
On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.
On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
After verifying the information on the Confirm Installation Options page, click Install.
Review the information on the confirmation screen to verify that the installation was successful.

After installing Certificate Services, launch Internet Explorer on the Windows 2008 computer and browse to https://{ComputerName}/Certsrv. SSL encryption should be automatically enabled for the CertSrv website, but you may need to enable it manually within the Internet Information Services (IIS) Manager console. You may also need to add this website to either your Trusted Sites or your local Intranet zone.

Step 7 – Create the Hyper-V Guest Virtual Machines

Following a successful installation of Hyper-V and a reboot of the system, the next step is to create the five virtual machines that will host ISA Server 2006 and the four OCS 2007 R2 server roles. Again, here is the suggested configuration for each of the five virtual machines:

ISA Server 2006 - 512MB RAM, one (1) virtual NIC, 16GB virtual hard disk
OCS 2007 R2 CWA - 512MB RAM, one (1) virtual NIC, 16GB virtual hard disk
OCS 2007 R2 Mediation – 512MB RAM, one (1) virtual NIC, 16 GB virtual hard disk
OCS 2007 R2 Edge - 1024MB RAM, two (2) virtual NICs, 16GB virtual hard disk
OCS 2007 R2 Front End - 1024MB RAM, one (1) virtual NIC, 16GB virtual hard disk

A. To create and set up a Virtual Machine in Hyper-V

Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, point to Administrative Tools, and then click Hyper-V Manager.
From the Action pane, click New, and then click Virtual Machine.
From the New Virtual Machine Wizard, click Next.
On the Specify Name and Location page, specify the name of the virtual machine and where you want to store it.
On the Memory page, specify enough memory to run the guest operating system you want to use on the virtual machine.
On the Networking page, connect the network adapter to an existing virtual network if you want to establish network connectivity at this point.
Note: If you want to use a remote image server to install an operating system on your test virtual machine, select the external network.
On the Connect Virtual Hard Disk page, specify a name, location, and size to create a virtual hard disk so you can install an operating system on it.
On the Installation Options page, choose the method you want to use to install the operating system:
- Install an operating system from a boot CD/DVD-ROM. You can use either physical media or an image file (.iso file).
- Install an operating system from a boot floppy disk.
- Install an operating system from a network-based installation server. To use this option, you must configure the virtual machine with a legacy network adapter connected to an external virtual network. The external virtual network must have access to the same network as the image server.
Click Finish.

For best performance, place the paging file from your Windows 2008 Hyper-V host machine on one physical hard disk (C:\) and the configuration and virtual hard disk files from each of your Hyper-V guest machines on another physical hard disk (D:\). Distributing workload across at least two SATA hard disks on the Windows 2008 host machine is critical for adequate system performance.

Step 8 – Install Windows OS on each Hyper-V Guest Virtual Machine

After creating each virtual machine, you will need to install a guest operating system. While it may be desirable to install Windows Server 2008 as the operating system for each guest virtual machine, I would instead suggest using Windows Server 2003 SP2 as it generally performs better in a virtual environment with limited resources.

Please be sure to install the correct version of the Windows operating system on each virtual machine. While ISA Server 2006 is a 32 bit application that may run on a 64 bit operating system, OCS 2007 R2 is a 64 bit application that requires a 64 bit operating system. Given this, the suggested OS configuration and fully qualified distinguished name (FQDN) for each virtual machine is as follows:

ISA Server 2006 / Windows Server 2003 SP2 (x86) / ISA.contoso.com / 192.168.1.6
OCS 2007 R2 CWA / Windows Server 2003 SP2 (x64) / CWA-R2.contoso.com / 192.168.1.12
OCS 2007 R2 Mediation / Windows Server 2003 SP2 (x64) / Mediation-R2.contoso.com / 192.168.1.13
OCS 2007 R2 Edge / Windows Server 2003 SP2 (x64) / Edge-R2.contoso.com / 192.168.1.2 - 192.168.1.5
OCS 2007 R2 Front End / Windows Server 2003 SP2 (x64) / OCS-R2.contoso.com / 192.168.1.11

After installing an operating system, you will need to install Hyper-V Integration Services on each guest Virtual Machine to provide the best management experience. From the Action menu of Virtual Machine Connection, click Insert Integration Services Setup Disk (you must close the New Hardware Wizard to start the installation). The setup program should launch automatically, however it can be run manually if necessary. Within the virtual machine, simply navigate to the CD drive using Windows Explorer and launch the appropriate version of Setup.exe (x86/x64) to begin the installation.

We will configure each of the guest virtual machines later in this guide.

Configuring Exchange 2007 SP1

In addition to running Active Directory Domain Services and other domain infrastructure roles, the Windows 2008 physical host machine will host the Mailbox, Client Access, Hub Transport, and Unified Messaging server roles from Exchange 2007 SP1. The following steps will configure Exchange 2007 SP1 for both internal and external user access.

Step 1 – Install Exchange 2007 SP1 on Windows 2008 Physical Host

Since we are installing the Unified Messaging role (which can be very processor intensive), we need to install Exchange 2007 on physical hardware – which in this case also happens to be our domain controller. While most people believe that installing Exchange 2007 on a Windows domain controller is unsupported, it actually is supported – however it is not generally recommended (due to known DSAccess failover limitations in outage conditions).

A. To install Exchange 2007 SP1 on the Windows 2008 host computer

Log in to the Windows 2008 computer using the built-in Domain Administrator account (Contoso\Administrator).
Install the Prerequisites for supporting all Exchange 2007 server roles on Windows Server 2008.
Insert the Exchange 2007 SP1 installation media and double-click Setup.exe.
Select the option to Install Microsoft Exchange Server 2007 SP1.
Click Next at the Introduction screen, then click Accept at the EULA screen. Click Next.
At the Error Reporting screen, choose either Yes or No then click Next.
Choose the Custom installation option and select an appropriate installation path. Click Next.
Select the Mailbox role, the Client Access role, the Hub Transport role, and the Unified Messaging role. Click Next.
On the Exchange Organization screen, enter the name of your Organization (or accept the default value).
On the Client Settings screen, choose No (unless you want to support Outlook 2003 clients). Click Next.
Unless you already have Exchange 2000/2003 in your lab, click Next on the Mail Flow settings screen.
After completing all installation prerequisite checks successfully, click Install to begin the installation.
Once all roles have been installed successfully, click Finish to complete the installation.
Download and install the Latest Hotfix RollUp for Exchange 2007 SP1.
Restart the computer.

Upon restarting the server, log in using the credentials for the built-in Domain Administrator account (i.e. Contoso\Administrator). Again, launch the Event Viewer and take a cursory glance at both the Application Log and System Log. Be sure to address any serious errors before proceeding. Also open the Services applet and verify that all Exchange services that are configured to start automatically have, in fact, started successfully.

Step 2 – Configure the Hub Transport role

After installing the Hub Transport (HT) role on an Exchange 2007 server, you will find that two SMTP Receive Connectors are created automatically during the installation process – Client and Default. Although the Default Receive Connector (used for server connections) can be configured to allow Anonymous connections from the Internet, by default it advertises the FQDN of the local machine in the SMTP protocol banner when a connecting server issues either the EHLO or HELO command, as shown below:

Advertising the FQDN of the local machine in the SMTP protocol banner is generally considered to be an unnecessary security risk. As such, many customers elect to change this value to reflect the same FQDN that is registered in their public MX record. The Default Receive Connector is a special case, however, as it is used by other Exchange servers or server roles (like Unified Messaging) for submitting email or voice mail for delivery. The FQDN advertised in the SMTP protocol banner of the Default Receive Connector should NOT be changed, as this value is used to look up the SMTPSvc ServicePrincipalName (SPN) value of the Hub Transport server during Kerberos authentication.

Additionally, for servers to successfully authenticate using X-AnonymousTLS, the SMTP service on the Hub Transport server must be bound to at least one certificate that contains the FQDN of the local machine. During the installation of the Hub Transport role, a self-signed certificate is generated containing the FQDN of the local machine. It is important to remember that even if you purchase a PKI certificate from a publicly trusted PKI provider like DigiCert or VeriSign, unless you plan to include the FQDN of the local machine in your certificate request, you should NOT remove the self-signed certificate that is enabled for SMTP.

Our next task will be to configure SMTP connectors for sending and receiving email.

A. To create a new Send Connector to be used for routing email to the Internet

Log in to the Windows 2008 computer using the built-in Domain Administrator account (Contoso\Administrator)
Open the Exchange Management Console, then perform the following steps:
a. Under Organization Configuration, select Hub Transport
b. In the result pane, select the Send Connectors tab
In the action pane, click New Send Connector. The New SMTP Send Connector wizard starts.
On the Introduction page, configure the name and type of connector:
a. In the Name field, type Internet Send Connector
b. In the Select the intended use for this connector field, choose Internet. Click Next.
On the Address Space screen, click Add to add a new address space configured as follows:
a. The SMTP address type should already be selected by default.
b. In the Address field, enter a single asterisk to represent the wildcard ‘*’ character
c. Enable the option to Include all subdomains
d. Enter a Cost value of 1. Click OK then click Next.
On the Network Settings screen, choose the following options:
a. Select the option to Use DNS MX Records to route mail automatically.
b. Enable the option to Use External DNS lookup settings on the transport server. Click Next.
On the Source Server screen, click Add and select a Hub Transport server.
Click OK then click Next.
Click New to create the send connector

B. To modify the settings of the existing Default Receive Connector

Open the Exchange Management Console, then perform the following steps:
   a. Under Server Configuration, select Hub Transport
   b. In the result pane, select the Hub Transport server
   c. Click the Receive Connectors tab.
Open the properties of the existing Default {ComputerName} Receive Connector
Under the General tab, verify that the value in Specify the FQDN this connector will provide in response to HELO and EHLO contains the FQDN of the local machine.
Click on the Network tab
Under Use these local IP addresses to receive mail, do the following:
   a. Remove the existing value of All IPv4 Addresses listening on Port 25.
   b. Click Add to specify the IPv4 address value 192.168.1.10 and Port 25 to receive email requests.
   c. Remove the existing value of All IPv6 Addresses listening on Port 25.
   d. Click Add to specify the IPv6 address value fe80::c0a8:010a and Port 25 to receive email requests.
Under Receive mail from remote servers that have these IP addresses, do the following:
   a. Verify that the specified IPv4 address range value is 0.0.0.0 – 255.255.255.255.
   b. Verify that the specified IPv6 address range value is :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Click on the Authentication tab and verify that Exchange Server Authentication is enabled
Click OK to complete the configuration of the Default Receive Connector

C. To create a new SMTP Receive Connector for receiving Internet email

Open the Exchange Management Console, then perform the following steps:
   a. Under Server Configuration, select Hub Transport
   b. In the result pane, select the Hub Transport server
   c. Click the Receive Connectors tab.
In the action pane, click New Receive Connector. The New SMTP Receive Connector wizard starts.
On the Introduction page, configure the name and type of connector:
a. In the Name field, type Internet {ComputerName} (for example Internet EMAIL)
b. In the Select the intended use for this connector field, choose Internet. Click Next.
On the Local network settings page, click Add an IP address to receive mail.
Select the existing value of All IP addresses listening on Port 25 and click Remove.
   a. Click Add to specify binding settings for the new Receive Connector.
   b. In the Add Receive Connector Binding dialog box, select Specify an IP address.
   c. Enter the IP address of your server, 192.168.1.10. (Do not specify an IPv6 address here.)
   d. Enter the Port to receive email requests, Port 26, then click OK.
On the Local network settings page, in the Specify the FQDN this connector will provide in response to HELO or EHLO field, type the FQDN value of your public MX record (for example: mail.contoso.com). Click Next.
Click New to create the new Receive Connector.
Open the properties of the new Receive Connector.
Click on the Authentication tab.
a. Disable the option for TLS Authentication
b. Enable the option for Basic Authentication
Click OK to complete the configuration of the new Receive Connector

Once you have completed the configuration steps for handling SMTP mail flow, restart the following services:

Microsoft Exchange Mail Submission
Microsoft Exchange Transport
Microsoft Exchange Transport Log Search

Step 3 – Configure the Client Access Server role

Our next few configuration steps will be to configure the Client Access Server (CAS) role. First, we will enable RPC over HTTP so that we can use the Outlook Anywhere feature from the Internet. We will also configure each of the internal and external virtual directory URL settings for Exchange Web Services, including Exchange ActiveSync. To do all of this, we will use the Exchange Management Shell.

A. To install the RPC over the HTTP Windows Networking component in Windows Server 2008

Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator)
Click Start, and then click Control Panel.
Double-click Programs and Features.
Click Turn Windows features on or off. Server Manager opens.
In the left pane of Server Manager, click Features.
In the right pane, click Add Features.
In the Add Features Wizard, click to select the RPC over HTTP Proxy check box.
If the Add role services required for HTTP Proxy dialog box appears, click Add Required Role Services.
Click Next.
Read the information on the Web Server (IIS) page, and then click Next.
On the Select Role Services page, click Next.
On the Confirm Installation Selections page, click Install.
When the features are installed, click Close.

B. To enable Outlook Anywhere access from the Internet

Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
Click Start , then All Programs, then expand Microsoft Exchange Server 2007.
Launch the Exchange Management Shell, then enter the following command:

enable-OutlookAnywhere –ExternalHostname “mail.contoso.com” –DefaultAuthenticationMethod “Basic” -SSLOffloading:$False

C. To modify the virtual directory settings for Exchange Web Services

Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
Click Start , then All Programs, then expand Microsoft Exchange Server 2007.
Launch the Exchange Management Shell, then enter each of the following commands:

get-ClientAccessServer –server {ComputerName} | set-ClientAccessServer -AutoDiscoverServiceInternalURI “https://mail.contoso.com/Autodiscover/Autodiscover.xml”

get-WebServicesVirtualDirectory –server {ComputerName} | set-WebServicesVirtualDirectory –internalURL “https://mail.contoso.com/EWS/Exchange.asmx” –externalURL “https://mail.contoso.com/EWS/Exchange.asmx” -BasicAuthentication:$true –WindowsAuthentication:$true –DigestAuthentication:$false

get-AutodiscoverVirtualDirectory –server {ComputerName} | set-AutodiscoverVirtualDirectory –internalURL “https://mail.contoso.com/Autodiscover/Autodiscover.xml” -externalURL “https://mail.contoso.com/Autodiscover/Autodiscover.xml” –BasicAuthentication:$true –WindowsAuthentication:$true –DigestAuthentication:$false

get-OWAVirtualDirectory –server {ComputerName} | set-OWAVirtualDirectory -internalURL “https://mail.contoso.com/owa” -externalURL “https://mail.contoso.com/owa” -BasicAuthentication:$true –WindowsAuthentication:$true –DigestAuthentication:$false –FormsAuthentication:$false

get-OABVirtualDirectory –server {ComputerName} | set-OABVirtualDirectory -internalURL “https://mail.contoso.com/OAB” -externalURL “https://mail.contoso.com/OAB” –WindowsAuthentication:$true –BasicAuthentication:$false –DigestAuthentication:$false -requireSSL:$true

get-UMVirtualDirectory –server {ComputerName} | set-UMVirtualDirectory -internalURL “https://mail.contoso.com/UnifiedMessaging/Service.asmx” -externalURL “https://mail.contoso.com/UnifiedMessaging/Service.asmx” -BasicAuthentication:$true –WindowsAuthentication:$true -DigestAuthentication:$false

set-ActiveSyncVirtualDirectory -Identity "{ComputerName}\Microsoft-Server-ActiveSync (Default Web Site)" – internalURL “https://mail.contoso.com/Microsoft-Server-ActiveSync” -externalURL "https://mail.contoso.com/Microsoft-Server-ActiveSync”

D. To enable SSL on the Exchange ActiveSync virtual directory in IIS

Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, point to Administrative Tools, and then select Internet Information Services (IIS) Manager.
Within the Internet Information Services (IIS) Manager, expand the Server, then expand Sites.
Expand the Default Web Site, then select the Microsoft-Server-ActiveSync virtual directory.
From the Features View in the center window, double-click on SSL Settings.
Enable the options for both Require SSL and Require 128-bit SSL.
From the Actions menu on the right, click Apply.
Close the Internet Information Services (IIS) Manager console.

Step 4 – Configure the Unified Messaging role

Next, we will need to create the various configuration objects used by the Unified Messaging (UM) role, which is very likely the most complex role to set up. The core configuration object for Unified Messaging is the Dial Plan, which defines the expected digit pattern for user extensions. Since we will be integrating Unified Messaging with OCS 2007 R2, we will create a SIP URI Dial Plan whose users have 4 digits in their extensions.

Whenever I build a Unified Communications lab, I always configure it with the expectation that some day I may want to provide external telephone connectivity to the lab users. Since these objects will eventually be Enterprise Voice enabled within OCS 2007 R2, each configuration object will be configured with a telephone number that is correctly formatted as an E.164 dial string. With that in mind, I will use the following configuration details for each Enterprise Voice/UM enabled object in this lab:

Name	SIP URI	UM Enabled Extension	Telephone Number	Tel URI
Subscriber Access	OCSSA@contoso.com	N/A	+19807760000	+19807760000
Auto Attendant	OCSAA@contoso.com	N/A	+19807769999	+19807769999
User A	UserA@contoso.com	0001	0001	+19807760001
User B	UserB@contoso.com	0002	0002	+19807760002

A. To create and configure a UM Dial Plan

Open the Exchange Management Console, then perform the following steps:
   a. Under Organization Configuration, select Unified Messaging
   b. In the result pane, select the UM Dial Plans tab
   c. From the actions pane, click New UM Dial Plan.
Complete the information necessary to create a SIP enabled UM Dial Plan, which is required by OCS 2007 R2:

Name of Dial Plan : OCSDialPlan
Digits in Extension : 4
URI Type : SIP URI
VoIP Security : Secured
Click New to create the UM Dial Plan.
Within the Exchange Management Console, right click on the new UM Dial Plan and select Properties from the context menu.
Click on the Subscriber Access tab. Settings in this area of Dial Plan configuration control the behavior of Outlook Voice Access.
Add the Subscriber Access number ‘+19807760000’ to the UM Dial Plan. This is typically the number that external users will dial when accessing voice mail phone.
Next, click on the Features tab, locate the option ‘Callers can contact’ and choose ‘Anyone in the Default Global Address List’. This allows UM enabled users to transfer or place calls to any internal 4 digit telephone number that appears within the Global Address List.
Next, click on the Dial Rule Groups tab. Under the In Country/Region Rule Groups section of the dialog box, click Add.

In the Dialing Rule Entry dialog box, enter the following information:
Name: All
Number Mask: *
Dialed Number: *
Comment: <optional comment>
Click OK, then under the International Rule Group section, click Add to create another Dialing Rule.
Complete the configuration of another Dialing Rule Entry with the same options as shown above. Click OK, then click Apply.
Next, click on the Dialing Restrictions tab, then complete the following configuration:

Allow calls to users in the same Dial Plan: Enabled
Allow calls to extensions: Enabled
Select In Country/Region Rule Groups from Dial Plan: Click Add then choose the ‘All’ Rule
Select International Rule Groups from Dial Plan: Click Add then choose the ‘All’ Rule
Click OK to complete the configuration of the UM Dial Plan.

B. To link the Exchange 2007 server to the UM Dial Plan

Open the Exchange Management Console, then perform the following steps:
   a. Under Server Configuration, select Unified Messaging
   b. In the result pane, select the Exchange 2007 server
   c. From the actions pane, click Properties.
In the Properties of the Exchange 2007 server, click on the UM Settings tab.
Click Add and select the OCSDialPlan.
Click OK to link the new OCSDialPlan to the Exchange 2007 server.

C. To configure the UM Mailbox Policy for the OCSDialPlan

Open the Exchange Management Console, then perform the following steps:
   a. Under Organization Configuration, select Unified Messaging
   b. In the result pane, select the UM Mailbox Policies tab
   c. Select the OCSDialPlan, then from the actions pane, click Properties.
To relax security restrictions, click on the PIN Settings tab within the properties of the UM Mailbox Policy, then configure the following options:

Minimum PIN Length : 4
Pin Lifetime Days : Enabled/60
Previous PINs disallowed : 1
Allow common patterns : Enabled
Missed PINs before reset : 5
Missed PINs before lockout : 15
Next, click on the Dialing Restrictions tab, then complete the following configuration:

Allow calls to users in the same Dial Plan: Enabled
Allow calls to extensions: Enabled
Select In Country/Region Rule Groups from Dial Plan: Click Add then choose the ‘All’ Rule
Select International Rule Groups from Dial Plan: Click Add then choose the ‘All’ Rule
Click Apply then OK to complete the configuration of the UM Mailbox Policy.

D. To create and configure a UM Auto Attendant for the OCSDialPlan

Open the Exchange Management Console, then perform the following steps:
   a. Under Organization Configuration, select Unified Messaging
   b. In the result pane, select the UM Auto Attendants tab
   c. From the actions pane, click New UM Auto Attendant.
Complete the information necessary to create a UM Auto Attendant for the OCSDialPlan:

Name of Auto Attendant : OCSAA (no spaces!)
Associated Dial Plan : OCSDialPlan
Extension Numbers : +19807769999
Create as Enabled : Enabled
Create as Speech Enabled : Enabled
Click New to create the UM Auto Attendant.
Within the Exchange Management Console, right click on the new UM Auto Attendant and select Properties from the context menu.
Click on the Features tab, locate the option ‘Callers can contact’ and choose ‘Anyone in the Default Global Address List’. This allows UM enabled users to transfer or place calls to any internal 4 digit telephone number that appears within the Global Address List.
Next, click on the Dialing Restrictions tab, then complete the following configuration:

Allow calls to users in the same Dial Plan: Enabled
Allow calls to extensions: Enabled
Select In Country/Region Rule Groups from Dial Plan: Click Add then choose the ‘All’ Rule
Select International Rule Groups from Dial Plan: Click Add then choose the ‘All’ Rule
Click Apply then OK to complete the configuration of the UM Auto Attendant.

Although there are a few more steps required to finalize the configuration of the Unified Messaging role, we first need to install and configure Office Communications Server 2007 R2. As such, we will complete the configuration of Unified Messaging later in this documentation.

Step 5 – Request a TLS Certificate for Exchange services

Next, we will need to request a certificate from our Enterprise CA. Since there are a number of services hosted by the Windows 2008 host computer, we will need to request a certificate that contains Subject Alternative Name (SAN) values – one entry for each host name. To do this, we will use the Exchange Management Shell.

A. To create and assign a TLS certificate for Exchange services

Log on to the Windows 2008 computer using the built-in domain Administrator account (Contoso\Administrator)
Click Start, then All Programs, then Microsoft Exchange Server 2007, then open the Exchange Management Shell.
Assuming that the fully qualified distinguished name (FQDN) of the Windows 2008 host computer is email.contoso.com, enter the following command within the Exchange Management Shell to generate a new certificate request:

new-ExchangeCertificate –GenerateRequest –Path C:\ExchTLSCert.req –KeySize 1024 –subjectName “cn=email.contoso.com” –domainname email.contoso.com, mail.contoso.com, autodiscover.contoso.com, email –PrivateKeyExportable $true
Next, within Internet Explorer, type the URL ‘https://email/certsrv’ on the address line and press Enter to connect to the Certificate Authority.
Click Request a Certificate, then choose Advanced Certificate Request.
Click Submit a certificate request by using a base-64 encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Using Windows Explorer, open the file ExchTLSCert.req using Notepad. Highlight and copy the data from ExchTLSCert.req.
Within Internet Explorer, paste the data from UMCert.req into the Saved Request \ ‘Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7)’ field. Additionally, choose ‘Web Server’ from the drop-down list of available Certificate Templates. Click Submit.
Upon being issued the certificate from the Certificate Authority, choose ‘DER encoded’ from the available encoding options, and choose ‘Download Certificate’. Save the certificate as ‘C:\ExchTLSCert.cer’.
After downloading the new certificate, open the Exchange Management Shell again and enter the following command to both import and assign the UM service to the new certificate:

import-ExchangeCertificate –path C:\ExchTLSCert.cer | enable-ExchangeCertificate –Services SMTP,IIS,POP,IMAP,UM

Note: If you are prompted to replace the current certificate assigned to any of the Exchange roles, choose [A] All to replace the current certificate for all roles.
After assigning the certificate, enter the following command to dump a list of Exchange certificates, and verify that your new certificate is correctly assigned to all five Exchange services.

Get-ExchangeCertificate | fl thumbprint,rootCAType,services,notbefore

Thumbprint : 844D0CC6857F16E9FF7BC424895C97761390E6F2
RootCAType : Enterprise
Services : IMAP, POP, UM, IIS, SMTP
NotBefore : 5/11/2009 8:35:58 PM
Restart all Exchange services by entering the following command in the Exchange Management Shell:

get-Service *exchange* | restart-service –force
Finally, verify that all Exchange services were restarted successfully by entering the following command in the Exchange Management Shell:

test-servicehealth

After completing these steps, you should be able to browse https://mail.contoso.com/owa from a web browser and connect successfully to Outlook Web Access. Since this FQDN appears in the list of Subject Alternative Name (SAN) values assigned to the Exchange certificate, you should not be prompted with a certificate name mismatch warning, although you may have to enter your credentials to access the web site.

Requesting a UC Certificate

Our next step will be to request a Unified Communications Certificate from a publicly trusted Certification Authority. It is recommended to use a certificate from publicly trusted CA if you plan to allow external connectivity for your lab, however, this is only technically required if you plan to enable Public IM Connectivity (PIC). Although there are a number of publicly trusted CAs that can provide a UC Certificate (i.e. VeriSign, DigiCert, GoDaddy, Thawte), I chose DigiCert to issue the UC Certificate for my lab.

Before selecting a Certification Authority to issue a UC Certificate, you should consider the following questions:

How much does it cost to request a new UC Certificate?
If I make a mistake, can the certificate be reissued?
How many times can the certificate be reissued?
Is there any cost involved with reissuing the certificate?

The reason I chose DigiCert is because they offer a very nice web interface for creating a UC Certificate for Exchange 2007, and they allow unlimited corrections/modifications during the lifetime of the certificate. As such, the following step-by-step instructions will describe how to request a UC Certificate from DigiCert.

Please note that while Exchange Server 2007 supports the use of Wildcard Certificates, Office Communications Server 2007 R2 supports either Single Name certificates or Unified Communictions/SAN Certificates – not wildcard certificates! And even though you may choose to use an alternate provider, the DigiCert CSR Command Wizard can still be used to generate the certificate request (unless you’re a PowerShell ace and don’t need the help of a pretty interface).

Step 1 – Request a UC Certificate from a publicly trusted CA

A. To request a UC Certificate from a publicly trusted Certification Authority

Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
Launch your web browser and navigate to https://www.digicert.com/easy-csr/exchange2007.htm.

Complete the SSL CSR Command Wizard using the following certificate details:

Common Name:	sip.contoso.com
Subject Alternative Names:	sip.contoso.com mail.contoso.com autodiscover.contoso.com cwa.contoso.com as.cwa.contoso.com download.cwa.contoso.com
Organization:	<Legal Name of registered owner of the domain>
Department:	<blank>
City:	<Your City>
State:	<Your State>
Country:	<Your Country>
Key Size:	1024

Click Generate to create the command that will be used to generate the request from your Exchange 2007 server.

New-ExchangeCertificate -GenerateRequest -Path c:\sip_contoso_com.csr -KeySize 1024 -SubjectName "c=US, s=South Carolina, l=MyCity, o=David Howe, cn=sip.contoso.com" -DomainName sip.contoso.com, mail.contoso.com, autodiscover.contoso.com, cwa.contoso.com, as.cwa.contoso.com, download.cwa.contoso.com -PrivateKeyExportable $True
Next click Start, then All Programs, then Microsoft Exchange Server 2007, then open the Exchange Management Shell.
Copy the command generated by the SSL CSR Command Wizard, and paste it into the Exchange Management Shell:
After creating the certificate request, open your web browser and navigate to the web site of your chosen publicly trusted Certification Authority. Choose the option to purchase a new Unified Communications (UC) or SAN Certificate.
Choose Unified Communications/SAN certificate, the lifetime (expiry) of the certificate, and your payment preference.
Next, complete the registration process for creating a new account with the provider.
Next, enter the company on behalf of whom you are requesting this certificate, or choose the default value (the name used to register the new account with the provider).
Next, click Start, then All Programs, then Accessories, then launch Notepad. Open the certificate request file C:\sip_contoso_com.csr, and then highlight and copy the Base-64-encoded content.
Next, paste the Base-64-encoded data into the Certificate Signing Request field from your provider’s web page, and choose Microsoft Exchange Server as the server software.
From the information provided in the Base-64-encoded data from your certificate request, verify that the Organization information for the certificate is correct (highlighted in yellow below). This value should be the legal name of the company or individual who appears as the registered owner of the domain in the WHOIS database.

Note: The CA provider will verify this information before issuing the certificate.
Next, verify your contact information, which will be used to contact you to verify your order and to request proof of ID.
Finally, verify your payment information and submit your order.
Upon verifying your legal identification as the owner of the registered domain, your certificate (as well as the certificate of the issuing CA) will be issued and emailed to you.

Step 2 – Import the issued UC Certificate into the certificate store of the Exchange server

Now that we have received our issued UC Certificate, our next step is to import it into the certificate store of our Windows 2008 physical host computer (Exchange server). It is important to note that this certificate will not be used on this computer; rather, our UC Certificate will be assigned to both our ISA 2006 server and to each of the external interfaces of our OCS 2007 R2 Edge server. Since the certificate was requested from this computer, however, it must first be imported on this computer before it can be used elsewhere.

A. To import a UC Certificate from a publicly trusted Certification Authority

Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
Extract the certificate package (zip file) as provided by your Certification Authority to C:\Certificates.
Next click Start, then All Programs, then Microsoft Exchange Server 2007, then open the Exchange Management Shell.
Within the Exchange Management Shell, type cd C:\Certificates and then press Enter.
Again within the Exchange Management Shell, type import-exchangecertificate –path c:\certificates\sip_contoso_com.cer to import the certificate into the local computer’s certificate store. Note the thumbprint value of the certificate.
To verify that the certificate was properly imported, type get-exchangecertificate –thumbprint F92984F6873C7726683BBC7E80F8BA090CA25E61 | fl within the Exchange Management Shell. Note that there are no services assigned to this certificate (expected).

Step 3 – Export the issued UC Certificate with Private Key

Now that our UC Certificate has been properly imported into the certificate store of the requesting computer, it can be exported to be used on other servers. For the purposes of our lab, internal resources like our Exchange server and OCS Pool will be secured using internally issued certificates while external resources like OCS Edge services and web sites published by ISA server will be secured using our external issued certificate.

A. To export a certificate with Private Key from local certificate store

Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then Run. Type mmc.exe and press Enter to launch the Microsoft Management Console.
From within the Management Console, click File, then Add/Remove Snap-in…
Within the Add/Remove Snap-in dialog box, click Add.
Select the Certificates snap-in, then click Add.
When prompted to choose which for which account to manage certificates, choose the Computer account. Click Next.
When prompted to choose which computer to manage, choose Local Computer, then click Finish.
Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
Expand Certificates (Local Computer), then expand the Personal certificate store.
Click on Certificates, then locate and select the UC Certificate that was issued by your public Certification Authority.
From the menu bar click Action, then All Tasks, then select Export.
At the Welcome to the Certificate Export Wizard screen, click Next.
At the Export with Private Key screen, choose Yes, export the private key. Click Next.
At the Export Format settings, choose Personal Information Exchange – PKCS #12 (.PFX). Be sure to also select the option Include all certificates in the certification path if possible, then click Next.
Enter a Password for the export file, then click Next.
Enter an Export Filename (i.e., c:\Certificates\sip_contoso_com_exported.pfx) and click Next.
Click Finish to complete the certificate export.

Step 4 – Export a copy of the certificate from the internal Certification Authority

Since neither the ISA 2006 server nor the OCS 2007 R2 Edge server will be joined to the Contoso domain, neither server will trust certificates issued by our internal Certification Authority. As such, we will need to export a copy of the certificate of our internal Certification Authority so that it can be imported on both the ISA 2006 server and the OCS 2007 R2 Edge server.

A. To export a copy of the certificate from the internal Certification Authority

Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then Run. Type mmc.exe and press Enter to launch the Microsoft Management Console.
From within the Management Console, click File, then Add/Remove Snap-in…
Within the Add/Remove Snap-in dialog box, click Add.
Select the Certificates snap-in, then click Add.
When prompted to choose which for which account to manage certificates, choose the Computer account. Click Next.
When prompted to choose which computer to manage, choose Local Computer, then click Finish.
Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
Expand Certificates (Local Computer), then expand the Trusted Root Certification Authorities certificate store.
Click on Certificates, then locate and select the certificate that was issued to your Enterprise CA (ContosoCA)
From the menu bar click Action, then All Tasks, then select Export.
At the Welcome to the Certificate Export Wizard screen, click Next.
At the Export Format settings, choose DER encoded binary X.509 (.CER) then click Next.
Enter an export filename (i.e., c:\Certificates\ContosoCA.cer) and click Next.
Click Finish to complete the certificate export.

Step 5 – Remove the UC Certificate from the Exchange server

Next, we will remove the certificate from our publicly trusted Certification Authority from the Exchange server. Since OWA traffic will route inbound via ISA, and since inbound SMTP connections from the Internet will not be secured using TLS, this certificate is unneeded on the Exchange server. Unless you have a specific reason for leaving it on the Exchange server (for example, if you plan to directly service inbound OWA requests without using a reverse proxy like ISA server), I suggest removing the certificate to reduce overall complexity.

A. To remove the UC Certificate from the Exchange server

Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then All Programs, then Microsoft Exchange Server 2007, then open the Exchange Management Shell.
Within the Exchange Management Shell, type remove-exchangecertificate –thumbprint F92984F6873C7726683BBC7E80F8BA090CA25E61 and then press Enter. Choose A to remove the certificate for all services.
Close the Exchange Management Shell.

Configuring OCS 2007 R2 Front End

Having completed the installation of Exchange 2007 SP1, we now need to focus on installing Office Communications Server 2007. We will start by installing the Standard Edition Front End server role.

Step 1 – Connect to the Virtual Machine that will host the OCS 2007 R2 Front End server

Our first task will be to configure one of the virtual machines to host the OCS 2007 R2 Front End server role. To do this, we will need to connect to the Windows 2008 host computer and launch the Server Manager console. Expand the Hyper-V role, and verify that the virtual machine for the OCS Front End server was created with the following specifications:

Role OCS 2007 R2 Front End

Memory 1024MB

Network One (1) Virtual NIC

Hard Disk 16GB Virtual Hard Disk

OS Version Windows Server 2003 SP2 (x64)

FQDN OCS-R2.contoso.com (domain-joined)

IP Address 192.168.1.11

To configure the server, double-click on the Front End virtual server within the Hyper-V section of the Server Manager console.

Step 2 – Run Prep Schema for OCS 2007 R2

Our next task will be to prepare the Active Directory schema for Office Communications Server 2007 R2.

A. Prepare the Active Directory schema

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
Any machine running the Setup for the first time will be prompted to install the Microsoft Visual C++ SP1 Redistributable and Microsoft .NET Framework 3.5 SP1. Choose Yes.
On the Deployment Wizard page, click Prepare Active Directory.
On the Prepare Active Directory for Office Communications Server page, next to Step 1: Prep Schema, click Run.
On the Welcome page, click Next.
Note the Warning you receive concerning your data in the System container and the recommendation for using the Configuration container in Active Directory. Unless you have a specific reason for using the System container, choose the Configuration naming context to store your Global Settings.
Click OK on the Warning.
On the Directory Location of Schema Files page, click Next.
On the Ready to Prepare Schema page, click Next.
On the Completion page, select the View the log when you click Finish check box, and then click Finish.
Switch to the Deployment Log.
On the far right, click Expand All.
In the Execution Result column, to confirm that the Prep Schema operation completed successfully, verify that each task’s result is Success. Close the Deployment Log window.

Step 3 – Run Prep Forest for OCS 2007 R2

After successfully extending our schema, the next step is to prepare the Active Directory forest for Office Communications Server 2007 R2.

A. Prepare the Active Directory forest

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
On the Deployment Wizard page, next to Step 3: Prep Forest, click Run.
On the Welcome page, click Next.
On the Select Location to Store Global Settings page, Click Next.
On the Location of Universal Groups page, verify that contoso.com is selected in the Domain drop-down list, and then click Next.
On the SIP domain used for default routing page, verify that contoso.com is selected in the Select SIP domain drop-down list, and then click Next.
On the Ready to Prepare Forest page, click Next.
On the Completion page, select the View the log when you click Finish check box, and then click Finish.
Switch to the Deployment Log.
On the far right, click Expand All.
In the Execution Result column, to confirm that the Prep Forest operation completed successfully, verify that each task’s result is Success. Close the Deployment Log window.

B. Modify membership of RTCUniversalServerAdmins group

Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
Expand the domain contoso.com, then click on the Users container.
Locate and open the properties of the RTCUniversalServerAdmins group.
Click on the Members tab.
Verify that the built-in Domain Administrator account (Contoso\Administrator) is a member of this group, otherwise Add it.
Click OK to complete the configuration of the RTCUniversalServerAdmins group.
Close Active Directory Users and Computers.

Step 4 – Run Prep Domain for OCS 2007 R2

Next, we need to prepare the Active Directory domain for Office Communications Server 2007 R2.

A. Prepare the Active Directory domain

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
On the Prepare Active Directory page, next to Step 5: Prep Current Domain, click Run.
On the Welcome Screen, Click Next to Continue.
On the next screen that provides Domain Preparation Information, read the excerpt provided and Click Next to Continue.
You are now ready to prepare the domain. Because we have only one domain and are running this step in contoso.com, our current settings will display as contoso.com. Click Next to Continue.
On the Completion page, select the View the log when you click Finish check box, and then click Finish.
Switch to the Deployment Log.
On the far right, click Expand All.
In the Execution Result column, to confirm that the Prep Forest operation completed successfully, verify that each task’s result is Success. Close the Deployment Log window.

Step 5 – Install Internet Information Services 6.0 for Windows 2003

In addition to hosting Web Components, the OCS 2007 R2 Standard Edition Front End server role now supports several telephony related applications such as Dial-In Conferencing, Outside Voice Control, and Response Groups. As such, we will need to install IIS 6.0 before installing the Front End server role.

A. To install Internet Information Services 6.0

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Open the Control Panel and launch Add/Remove Programs.
Click Add/Remove Windows Components.
In the Components list box, click Application Server.
Click Details.
Click Internet Information Services Manager.
Click Details to select the World Wide Web Publishing Service, Active Server Pages, and Remote Administration (HTML) components to be installed.
Click OK until you are returned to the Windows Component Wizard.
Click Next and complete the Windows Component Wizard.

Step 6 – Install the OCS 2007 R2 Front End server role

Having prepared Active Directory and installed IIS 6.0 on the Windows 2003 server, we are now ready to install the OCS 2007 R2 Standard Edition Front End server role. This installation will create a single-server OCS Pool, and it will install SQL Express automatically to support the three OCS 2007 R2 databases.

A. To install the OCS 2007 R2 Front End server role

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
In the Deployment Wizard, click Deploy Standard Edition Server.
On the Deploy Standard Edition Server page, next to Step 1: Deploy Server click Run.
Notice the Warning that states the Windows Media Format Runtime is required. This is necessary for the Dial-In Conferencing component. Click OK.
On the Welcome page, click Next.
On the License Agreement page, select I accept the terms in the license agreement and click Next.
On the Location for Server Files page, click Next.
On the Application Configuration page, take notice of the new applications for OCS 2007 R2. Make sure all four boxes are checked and click Next.
On the Main Service Account for Standard Edition Server page, create a new service account called RTCService and enter a password for the account. Click Next.
On the Component Service Account for Standard Edition Server page, create a new service account called RTCComponentService and enter a password for the account. Click Next.
On the Web Farm FQDNs page, enter sip.contoso.com for the external FQDN value (the internal FQDN value will be automatically populated). Click Next.
On the Location for Database Files page, click Next.
On the Ready to Deploy Standard Edition Server page, click Next.
When installation has finished, select the View the log when you click Finish check box, and then click Finish.
Switch to the Deployment Log that has opened.
In the Action column, expand Execute Action.
In the Execution Result column, to verify that Office Communications Server 2007 R2 was successfully installed, verify that each task’s result is Success. There may be warnings associated with the Activation.
Investigate the individual Activation Logs and verify they report Success.
Close the Deployment Log window.

Step 7 – Configure the OCS 2007 R2 Front End server role

Now that the OCS 2007 R2 Front End server role is installed, we need to configure it. This involves defining the various SIP domains that will be hosted by your environment and whether automatic client logon configuration will be supported.

A. To configure OCS 2007 R2 Front End server

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
In the Deployment Wizard, click Deploy Standard Edition Server.
At Configure Server, click Run.
On the Welcome to the Configure Pool/Server Wizard page, click Next.
On the Server or Pool to Configure page, select the server from the list, and then click Next.
On the SIP domains page, verify that contoso.com appears in the list. If it does not, click the SIP domains in your environment box, type your SIP domain, and then click Add. Repeat these steps for all other SIP domains that the Standard Edition server will support. When you are finished, click Next.
On the Client Logon Settings page, select the option Some or all clients will use DNS SRV records for automatic logon then click Next.
Select the check box for the domain that will be supported by the server for automatic sign-in (contoso.com), and then click Next.
On the External User Access Configuration page, select Do not configure for external user access now.
When you are finished, click Next.
On the Ready to Configure Server or Pool page, review the settings that you specified, and then click Next to configure the Standard Edition server.
When the files have been installed and the wizard has completed, select the View the log when you click Finish check box, and then click Finish.
In the log file, verify that <Success> appears under the Execution Result column. Look for <Success> Execution Result at the end of each task to verify Standard Edition server configuration completed successfully.
Close the log window when you are finished.

Step 8 – Configure Certificate for OCS 2007 R2 Front End server

With the Front End server now successfully installed and configured, we now need to request and assign a certificate for it from our internal Certificate Authority. To support automatic client configuration, we will need to include a Subject Alternative Name value of sip.contoso.com in our certificate request.

A. To configure a new certificate for the Front End server

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
In the Deployment Wizard, click Deploy Standard Edition Server.
At Configure Certificate, click Run.
On the Welcome to the Certificate Wizard page, click Next.
On the Available Certificate Tasks page, click Create a new certificate, and then click Next.
On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
On the Name and Security Settings page, configure as follows:

a. Enter a meaningful name for the OCS Front End server certificate (i.e. OCSR2FrontEndCert).
b. Under Bit length, select 1024 bit length.
c. Enable the Mark cert as exportable check box.

When you are finished, click Next.
On the Organization Information page, type or select the name of your organization and organizational unit (enter contoso.com for both entries), and then click Next.
On the Your Server’s Subject Name page, configure as follows:

a. In Subject Name, verify that the FQDN of the OCS Front End server is displayed (i.e., OCS-R2.contoso.com)
b. In Subject Alternate Name, enter the value sip.contoso.com (for automatic client configuration).

When you are finished, click Next.
On the Geographical Information page, enter the Country/Region, State/Province, and City/Locality. Do not use abbreviations. When you are finished, click Next.
On the Choose a Certification Authority page, the wizard attempts to automatically detect any CAs that are published in Active Directory. Click Select a certificate authority from the list detected in your environment, and then select your certification authority (CA). Click Next.
On the Request Summary page, review the settings that you specified, and then click Next.
At the Assign Certificate Task screen, click the View button and verify that the Subject Name and Subject Alternative Names values are correct.
If the Subject Name and Subject Alternative Names values are correct , click Assign.
A dialog box appears and informs you that the settings were applied successfully. Click OK.
Click Finish.

B. To assign the new certificate to IIS on the Front End server

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then Programs, then Administrative Tools, and select Internet Information Services (IIS) Manager.
Within the IIS Manager console, expand the local server, then expand Web Sites.
Right click on the Default Web Site and choose Properties.
Under the Web Site tab, verify that either 192.168.1.11 or (All Unassigned) is configured as the IP address for the web site.
Click on the Directory Security tab.
Under Secure Communications, click on Server Certificate.
On the Welcome to the Web Server Certificate Wizard page, click Next.
Click Assign an existing certificate, and then click Next.
Select the certificate that you requested by using the Certificates Wizard, and then click Next.
On the SSL Port page, verify that port 443 will be used for SSL, and then click Next.
Review the certificate details, and then click Next to assign the certificate.
Click Finish to exit.
Click OK to close the Default Web Site Properties page.

Step 9 – Modify settings of OCS service accounts

When you use the OCS setup program to create the OCS service accounts, the password expiration settings for the service accounts are inherited from the domain policy settings. To prevent service startup failure due to expired passwords, we will need to change the password settings for both the RTCService and RTCComponentService accounts.

A. Change password settings for OCS service accounts

Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
Expand the domain contoso.com, then click on the Users container.
Locate and open the properties of the RTCService account, then click on the Account tab.
Enable the option for Password Never Expires, and verify that Account Expires is set to Never. Click OK.
Locate and open the properties of the RTCComponentService account, then click on the Account tab.
Enable the option for Password Never Expires, and verify that Account Expires is set to Never. Click OK.
Close Active Directory Users and Computers.

Step 10 – Start OCS 2007 R2 Front End services

At this point we should be ready to start services on the OCS 2007 R2 Front End server.

A. To start Front End services

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
In the Deployment Wizard, click Deploy Standard Edition Server.
At Start Services, click Run.
On the Welcome to the Start Services Wizard page, click Next.
Click Next again to start the services.
Verify that the View the log when you click 'Finish' check box is selected, and then click Finish.
In the log file, verify that <Success> appears under the Execution Result column for each task, and then close the log window.

Step 11 – Install OCS 2007 R2 Administration Console

The last step of our Front End server installation involves installing the OCS Administration Console.

A. To install the administration console

Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
At the main deployment page, select Administrative Tools from the menu on the right.
On the License Agreement page, click I accept the terms in the license agreement and then click Next.
When the installation finishes, close the OCS 2007 R2 Deployment Tools.
Click Start, then Programs, then Administrative Tools. There you will find the Office Communications Server 2007 R2 administration console as well as the Microsoft Office Communications Server 2007 R2, Communicator Web Access CWA management console.

This completes the installation of the OCS 2007 R2 Front End server role.

(Part 2 of 3) The complete step-by-step setup guide for deploying Microsoft Unified Communications products with Enterprise Voice in a lab environment using a single Windows Server 2008 Hyper-V computer and a single Internet IP address

DaveH — Mon, 17 Aug 2009 16:50:17 GMT

Configuring OCS 2007 R2 Edge

Next we will install the OCS 2007 R2 Edge role, which provides connectivity to the internal OCS environment for remote clients. For the purposes of this lab, we will deploy a single Edge server supporting all three roles – Access Edge, Web Conferencing Edge, and Audio/Video Edge. While the typical configuration for Edge involves the use of at least two network cards with each connected to a different network, we will use two virtual NICs which are both connected to the same network, as shown below.

Step 1 – Connect to the Virtual Machine that will host the OCS 2007 R2 Edge role

To configure one of the virtual machines to host the OCS 2007 R2 Edge server role, we’ll need to connect to the Windows 2008 host computer and launch the Server Manager console. Expand the Hyper-V role and verify that the virtual machine for Edge was created with the following specifications:

Role OCS 2007 R2 Edge

Memory 1024MB

Network Two (2) Virtual NICs

Hard Disk 16GB Virtual Hard Disk

OS Version Windows Server 2003 SP2 (x64)

FQDN Edge-R2.contoso.com (not domain-joined)

IP Addresses 192.168.1.2 – 192.168.1.4 (External NIC)
192.168.1.5 (Internal NIC)

Although the DNS name of this server will be Edge-R2.contoso.com, it will not be joined to the Contoso.com domain. To configure the server, double-click on the Edge virtual server within the Hyper-V section of the Server Manager console.

Step 2 – Configure OCS 2007 R2 Edge Network Settings

Before installing the OCS 2007 R2 Edge binaries, we need to configure the network settings for the virtual machine.

A. To configure OCS 2007 R2 Edge network settings

Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
Click Start, then click Run. Type ncpl.cpl and press Enter to launch Network Connections.
Rename each of the two available network connections, as follows:
a. Right click on the first interface, choose Rename, then change it to Hyper-V Internal (192.168.1.5).
b. Right click on the other interface, choose Rename, then change it to Hyper-V External (192.168.1.2 – 192.168.1.4).
Right click on the Hyper-V External (192.168.1.2 – 192.168.1.4) network interface and select Properties.
Highlight Internet Protocol (TCP/IP) and click on the Properties button.
Under the General tab of TCP/IP Properties, configure the network adapter as follows:

Choose Use the following IP address.

     IP Address: 192.168.1.2
     Subnet Mask: 255.255.255.0
     Default Gateway: 192.168.1.1 (our Linksys Router)

Choose Use the following DNS servers.

     Primary DNS Server: 4.2.2.1 (Internet root server)
     Alternate DNS Server: 4.2.2.2 (Internet root server)
While still within the TCP/IP properties of the Hyper-V External network adapter, click on the Advanced button.
Under the IP Settings tab, click Add. Enter the following two additional IP addresses:

IP Address: 192.168.1.3
Subnet Mask: 255.255.255.0

IP Address: 192.168.1.4
Subnet Mask: 255.255.255.0
Next, click on the DNS tab within Advanced settings. Under Append these DNS suffixes (in order), click Add and enter the domain contoso.com. Then, under DNS suffix for this connection, enter contoso.com. Finally, deselect the option to Register this connection’s addresses in DNS.
Click OK three times to complete the configuration of the Hyper-V External network adapter.
Right click on the Hyper-V Internal (192.168.1.5) network interface and select Properties.
Highlight Internet Protocol (TCP/IP) and click on the Properties button.
Under the General tab of TCP/IP Properties, configure the network adapter as follows:

Choose Use the following IP address.

     IP Address: 192.168.1.5
     Subnet Mask: 255.255.255.0
     Default Gateway: (empty)

Choose Use the following DNS servers.

     Primary DNS Server: (empty)
     Alternate DNS Server: (empty)
.
While still within the TCP/IP properties of the Hyper-V Internal network adapter, click on the Advanced button.
Click on the DNS tab within Advanced settings, and deselect the option to Register this connection’s addresses in DNS.
Click OK three times to complete the configuration of the Hyper-V Internal network adapter.
Close Network Connections.
Click Start, then Run. Type Notepad %windir%\system32\drivers\etc\hosts to open the hosts file for editing.
After opening the hosts file in Notepad, add each of the following entries. To minimize complexity, I use a single hosts file with identical entries on both my Edge server and my ISA server.

192.168.1.5    edge-r2.contoso.com
192.168.1.6    isa.contoso.com
192.168.1.6    cwa.contoso.com
192.168.1.6    as.cwa.contoso.com
192.168.1.6    download.cwa.contoso.com
192.168.1.6    mail.contoso.com
192.168.1.6    autodiscover.contoso.com
192.168.1.10   email.contoso.com
192.168.1.11   ocs-r2.contoso.com
192.168.1.12   cwa-r2.contoso.com
192.168.1.13   mediation-r2.contoso.com
Save your changes by clicking File then Save. If you find that you are unable to save your changes and receive an Access Denied error message, then you will need to launch Notepad as the local Administrator account, create the various entries, then save the file.
After successfully configuring the network settings for the virtual machine, restart the Edge server.

Step 3 – Install OCS 2007 R2 Edge

After configuring the virtual machine, we are now ready to install the OCS Edge server binaries.

A. To install OCS 2007 R2 Edge

Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
When prompted to install the Microsoft Visual C++ 2008 Redistributable, choose Yes to install it.
When prompted to install Microsoft .NET Framework 3.5 SP1, choose Yes to install it.
On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Edge Server.
On the Deploy Edge Server page, at Step 1: Install Files for Edge Server, click Install.
On the License Agreement page, click I accept the terms in the license agreement, and then click Next. If you do not accept the license terms, Setup cannot continue.
On the Install location for Microsoft Office Communications Server 2007 R2, Edge Server page, in the Location box, type a path where Edge server should be installed, or accept the default location. Click Next.
After the Edge server has been installed successfully, click Close to return to the Edge deployment wizard.

Step 4 – Activate OCS 2007 R2 Edge

Having successfully installed the Edge server binaries, we are now ready to activate the server.

A. To activate OCS 2007 R2 Edge

Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Edge Server.
On the Deploy Edge Server page, at Step 2: Activate Edge Server, click Run.
On the Welcome page, click Next.
On the Select domain service account page, select Create a New Account. Enter the name RTCProxyService in the Account name box, then type the account password in the Password box. Click Next.
Review the information on the Ready to Activate Edge Server screen. If all information is correct, click Next to activate the server.
After the server has been successfully activated, click Finish on the Activation Complete page to close the Activation Wizard.

Step 5 – Configure OCS 2007 R2 Edge

Having successfully installed and activated the Edge server role, we are now ready to configure the server.

A. To configure OCS 2007 R2 Edge

Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Edge Server.
On the Deploy Edge Server page, at Step 3: Configure Edge Server, click Run.
On the Welcome page, click Next.
On the Import Settings screen, click Next.
On the Internal Interface configuration screen, select 192.168.1.5 (the IP address assigned to the Hyper-V Internal network interface) from the drop-down list and enter Edge-R2.contoso.com as the FQDN value. Click Next.

On the External Interface configuration screen, configure each of the interfaces as follows, then click Next:

Access Edge Server

IP Address:	192.168.1.2
FQDN:	sip.contoso.com
Federation Port:	5061
Remote User Port:	5061

Web Conferencing Edge Server

IP Address:	192.168.1.3
FQDN:	sip.contoso.com
Port (Other):	441

A/V Edge Server

IP Address:	192.168.1.4
FQDN:	sip.contoso.com
Port (Other):	442

On the Enable Edge Features screen, enable all of the following features:

ü	Allow remote user access to your network
ü	Allow anonymous users to join meetings
ü	Enable Federation
ü	Allow discovery of federation partners
ü	Federation with public IM providers
ü	MSN / AOL / Yahoo

On the FQDN of Internal Next Hop Server screen, enter the FQDN of the OCS-R2 Front End server, OCS-R2.contoso.com. Click Next.
On the Authorized Internal SIP Domains screen, enter contoso.com. Click Add, then click Next.
On the Authorized Internal Servers screen, enter each of the following FQDN values. Click Add, then click Next:

Mediation-R2.contoso.com
OCS-R2.contoso.com
sip.contoso.com
Review the information on the Configure Your Edge Server screen. If all information is correct, click Next to configure the server.
After the server has been successfully configured, click Finish to close the Configuration Wizard.

Step 6 – Copy UC Certificate and Internal CA Certificates to OCS 2007 R2 Edge server

Having successfully installed and activated the Edge server role, we are now ready to configure the server. We’ll first need to copy our UC Certificate purchased from a publicly trusted Certification Authority and the certificate from our internal Certification Authority to the new OCS 2007 R2 Edge server.

A. To copy certificates to the OCS 2007 R2 Edge server

Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
Launch Windows Explorer, and navigate to the Certificates folder using the administrative share for the C:\ hard disk on the Exchange server (\\192.168.1.10\C$\Certificates).
When prompted for authentication, enter the credentials of the built-in Domain Administrator account (Contoso\Administrator).
Within the Certificates folder, select the file sip_contoso_com_exported.pfx and the file ContosoCA.cer. After highlighting each file, choose Edit then Copy from the Windows Explorer menu bar at the top of the window, or simply press CTRL+C to copy the two certificates to the Windows clipboard.
Again within Windows Explorer, navigate to the C:\ folder from the virtual hard disk on the OCS 2007 R2 Edge server.
Choose Edit then Paste from the Windows Explorer menu bar at the top of the window, or simply press CTRL+V to paste the two certificates from the Windows clipboard into the root of drive C:\ on the Edge server.
Verify that the two certificates were successfully copied to the OCS 2007 R2 Edge server, then close Windows Explorer.

Step 7 – Configure OCS 2007 R2 Edge Certificates

Having successfully installed and activated the Edge server role, we are now ready to configure the server.

A. To configure OCS 2007 R2 Edge Certificate (Private/Internal Interface)

Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Edge Server.
On the Deploy Edge Server page, at Step 4: Configure Certificates for Edge Server, click Run.
On the Welcome page, click Next.
At the Available Certificate Tasks page, choose Create a New Certificate, then click Next.
At the Select a Component page, choose Edge Server Private Interface, then click Next.
At the Delayed or Immediate Request page, choose Send the request immediately to an online Certification Authority, then click Next.
At the Name and Security Settings page, enter a logical friendly name for the certificate (i.e. EdgeR2Internal), select a bit length of 1024, and select the Mark cert as exportable option. Click Next.
At the Organization Information page, enter the name of your organization and organizational unit, then click Next.
At the Your Server’s Subject Name page, enter the FQDN of the Edge server (i.e. Edge-R2.contoso.com) as the Subject Name of the certificate, then click Next. Do not add any Subject Alternative Name (SAN) values in your certificate request.
At the Geographical Information page, select your Country, select your State, and enter your City. Click Next.
At the Choose a Certification Authority page, select Specify the certificate authority that will be used to request this certificate. Enter the name of your certificate authority (i.e. email.contoso.com\ContosoCA), click Next, then enter the credentials of the Domain Administrator account when prompted.
At the Request Summary page, verify that all information is correct, then click Next to submit the request.
If the certificate request was successfully completed, you will be prompted to assign the certificate. At the Assign Certificate Tasks page, choose Assign certificate immediately, then click Next twice.
Upon successfully assigning the certificate, click Finish.

B. To configure OCS 2007 R2 Edge Certificate (A/V Authentication Certificate)

Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Edge Server.
On the Deploy Edge Server page, at Step 4: Configure Certificates for Edge Server, click Run Again.
On the Welcome page, click Next.
At the Available Certificate Tasks page, choose Assign an existing certificate, then click Next.
At the Available Certificates page, choose the EdgeR2Internal certificate that was created and assigned to the Edge Private Interface. Click Next.
At the Available Certificate Assignments page, choose the A/V Authentication Certificate option, then click Next twice.
Upon successfully assigning the certificate, click Finish.

C. To configure OCS 2007 R2 Edge Certificate (Access Edge/Web Conferencing Edge Public Interface)

Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Edge Server.
On the Deploy Edge Server page, at Step 4: Configure Certificates for Edge Server, click Run Again.
On the Welcome page, click Next.
At the Available Certificate Tasks page, choose Import a certificate from a .pfx file, then click Next.
At the Import Certificate page, click Browse and navigate to C:\. Select the file sip_contoso_com_exported.pfx, then click Open. Verify that the option Mark cert as exportable is enabled, then click Next.
At the Import Certificate Password page, enter the Password for the certificate. This will be the same password that was used to originally export the certificate from the certificate store on the Exchange server. Click Next.
At the Assign Certificate Task page, choose Assign certificate immediately, then click Next.
At the Available Certificate Assignments page, select both the Access Edge Server Public Interface and the Web Conferencing Edge Server Public Interface, then choose Next twice.
Upon successfully assigning the certificate, click Finish.

Having completed the certificate assignments for each of the network interfaces, you may find that you are unable to federate with other OCS environments or with PIC providers. There are a number of known trust issues with certificates which may be a contributing factor to federation and/or PIC failures. A few of the more common issues are listed below:

Step 8 – Start OCS 2007 R2 Edge Services

Having successfully installed, activated, and configured the Edge server role, we are now ready to start services.

A. To start OCS 2007 R2 Edge services

Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Edge Server.
On the Deploy Edge Server page, at Step 5: Start Services, click Run.
On the Welcome page, click Next.
At the Start OCS 2007 R2 Services page listing all of the Edge services to be started, click Next.
After services have been successfully started, click Finish.

Step 9 – Install OCS 2007 R2 Administration Console

The next step of the Edge server installation involves installing the OCS Administration Console.

A. Install the administration console

Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
At the main deployment page, select Administrative Tools from the menu on the right.
On the License Agreement page, click I accept the terms in the license agreement and then click Next.
When the installation finishes, close the OCS 2007 R2 Deployment Tools.
Click Start, then Programs, then Administrative Tools. There you will find the Office Communications Server 2007 R2 administration console as well as the Microsoft Office Communications Server 2007 R2, Communicator Web Access CWA management console.

Step 10 – Configure additional Edge settings to support External Connectivity

With the Edge server role successfully deployed, we need to configure additional settings to support external connectivity at both the Forest and Pool levels. These settings will be configured using the OCS 2007 R2 Front End server.

A. To configure Edge settings in Global Properties

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then Programs, then Administrative Tools, then choose Office Communications Server 2007 R2.
Within the OCS 2007 management console, right click on the Forest – Contoso.com node, then select Properties, then choose Global Properties.
Within Global Properties, click on the Edge Servers tab.

a. Under Access Edge and Web Conferencing Edge Servers, click Add.
b. Enter the FQDN of your Edge server, Edge-R2.contoso.com, then click OK.

c. Under A/V Edge Servers, click Add.
d. Enter the FQDN of your Edge server, Edge-R2.contoso.com, and port 5062 (used for A/V Authentication). Click OK.

e. Verify that your Edge Server tab settings are configured as follows:
Again within Global Properties, click on the Federation tab.

a. Select the option to Enable Federation and Public IM Connectivity.
b. Enter the FQDN of your Edge server, Edge-R2.contoso.com.
c. Enter port 5061, the port used for communications between the Edge and the OCS Front End servers.

Again within Global Properties, click on the Meetings tab.

a. Under Anonymous Participants choose the option Allow users to invite anonymous participants.
b. Under Global Policy settings choose Default Policy. Select Default Policy under Policy Definitions, then click Edit.

c. Configure the Default Policy settings as follows, then click OK:

ü	Enable Web Conferencing
ü	Use native format for PowerPoint files
ü	Enable program and desktop sharing
ü	Allow control of shared programs and desktop
ü	Allow presenter to record meetings
ü	Presenter can allow attendees to record meetings
ü	Enable IP Audio
ü	Enable IP Video
ü	Enable PSTN conference dial-in
ü	PSTN conference dial-in requires passcode

Click OK twice to complete the configuration of Global Properties.

B. To configure Edge settings in Pool Properties

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then Programs, then Administrative Tools, then choose Office Communications Server 2007 R2.
Within the OCS 2007 management console, expand the Forest – Contoso.com node, then expand Standard Edition Servers.
Right click on the OCS-R2 pool object, expand Properties, then choose Pool Properties.
Under the Media tab, configure the following settings:

Encryption Level: Require Encryption
A/V Authentication Service: Edge-R2.contoso.com:5062
Media Port Range: 49152 to 65535
Click OK to complete the configuration of Pool settings.

Step 11 – Restart services on the OCS 2007 R2 Front End server

Our final step of configuring OCS 2007 R2 Edge services involves restarting the services on the OCS 2007 R2 Front End server.

A. To restart services on the Front End server

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then Programs, then Administrative Tools. Click Office Communications Server 2007 R2 to launch the OCS 2007 R2 administration console.
Within the administration console, expand the contoso.com Forest level entry, then expand Standard Edition Servers.
Expand the OCS-R2 Pool object, then right click on the OCS-R2.contoso.com Front End server object.
Expand Stop, then select Stop all started services.
Monitor the status of the stopping of services displayed at the bottom left corner of the Administration Console window.
When all services have stopped successfully, again, right click on the OCS-R2.contoso.com Front End server object.
Expand Start, then select Start all stopped services.
Again monitor the status of the startup of services of the Front End server.

This completes the configuration of the OCS 2007 R2 Edge role.

Configuring OCS 2007 R2 Mediation

Next we will install the OCS 2007 R2 Mediation role, which provides signaling and media translation between the VoIP infrastructure and a basic media gateway. Although a typical deployment of the Mediation role involves using two network cards for enhanced security, we will use a single NIC configuration for the Mediation server in our lab.

Step 1 – Connect to the Virtual Machine that will host the OCS 2007 R2 Mediation role

To configure one of the virtual machines to host the OCS 2007 R2 Mediation server role, we’ll need to connect to the Windows 2008 host computer and launch the Server Manager console. Expand the Hyper-V role and verify that the virtual machine for Mediation was created with the following specifications:

Role OCS 2007 R2 Mediation

Memory 512MB

Network One (1) Virtual NIC

Hard Disk 16GB Virtual Hard Disk

OS Version Windows Server 2003 SP2 (x64)

FQDN Mediation-R2.contoso.com (domain-joined)

IP Address 192.168.1.13

To configure the server, double-click on the Mediation virtual server within the Hyper-V section of the Server Manager console.

Step 2 – Configure OCS 2007 R2 Mediation Network Settings

Next, we need to configure the network settings for the Mediation virtual machine. Again, we will be using a single NIC configuration in our lab.

A. To configure OCS 2007 R2 Mediation network settings

Log on to the OCS 2007 R2 Mediation Server virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then click Run. Type ncpl.cpl and press Enter to launch Network Connections.
Right click on the Local Area Network network interface and select Properties.
Highlight Internet Protocol (TCP/IP) and click on the Properties button.
Under the General tab of TCP/IP Properties, configure the network adapter as follows:

Choose Use the following IP address.

     IP Address: 192.168.1.13
     Subnet Mask: 255.255.255.0
     Default Gateway: 192.168.1.1 (our Linksys Router)

Choose Use the following DNS servers.

     Primary DNS Server: 192.168.1.10 (our internal DNS server)
     Alternate DNS Server: None
Click OK to commit your changes.
Close the Network Connections dialog box, and restart the Mediation virtual machine.

Step 3 – Install OCS 2007 R2 Mediation

After configuring the virtual machine, we are now ready to install the OCS Mediation server binaries.

A. To install OCS 2007 R2 Mediation

Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
When prompted to install the Microsoft Visual C++ 2008 Redistributable, choose Yes to install it.
When prompted to install Microsoft .NET Framework 3.5 SP1, choose Yes to install it.
On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Mediation Server.
On the Deploy Mediation Server page, at Step 1: Install Files for Mediation Server, click Install.
On the License Agreement page, click I accept the terms in the license agreement, and then click Next. If you do not accept the license terms, Setup cannot continue.
On the Install location for Microsoft Office Communications Server 2007 R2, Mediation Server page, in the Location box, type a path where Mediation server should be installed, or accept the default location. Click Next.
After the Mediation server has been installed successfully, click Close to return to the Mediation deployment wizard.

Step 4 – Activate OCS 2007 R2 Mediation

Having successfully installed the Mediation server binaries, we are now ready to activate the server.

A. To activate OCS 2007 R2 Mediation

Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Mediation Server.
On the Deploy Mediation Server page, at Step 2: Activate Mediation Server, click Run.
On the Welcome page, click Next.
On the Select domain service account page, select Use an existing account. Enter the name RTCComponentService in the Account name box, then type the account password in the Password box. This account is already a member of the RTCComponentUniversalServices group, which is required for the Mediation service to start. Click Next.
After the server has been activated, click Close on the Activation Complete page to close the Activation Wizard.

Step 5 – Install OCS 2007 R2 Administration Console

The next step of the installation of the Mediation server involves installing the OCS Administration Console.

A. Install the administration console

Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
At the main deployment page, select Administrative Tools from the menu on the right.
On the License Agreement page, click I accept the terms in the license agreement and then click Next.
When the installation finishes, close the OCS 2007 R2 Deployment Tools.
Click Start, then Programs, then Administrative Tools. There you will find the Office Communications Server 2007 R2 administration console as well as the Microsoft Office Communications Server 2007 R2, Communicator Web Access CWA management console.

Step 6 – Configure OCS 2007 R2 Mediation

Having successfully installed and activated the Mediation server role, we are now ready to configure the server.

A. To configure OCS 2007 R2 Mediation

Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then Programs, then Administrative Tools, then choose Office Communications Server 2007 R2.
Within the OCS 2007 management console, expand Forest – Contoso.com, then expand Mediation Servers.
Open the Properties of your Mediation server, Mediation-R2.contoso.com.
Under the General tab, enter the following information:
Communications Server listening IP address: 192.168.1.13
Gateway listening IP address: 192.168.1.13
A/V Edge Server: Edge-R2.contoso.com:5062
Default Location Profile: None
Under the Next Hop Connections tab, enter the following information:
Office Communications Server Next Hop FQDN: OCS-R2.contoso.com
Port: 5061
PSTN Gateway Next Hop IP Address: 192.168.1.14
Port: 5060
When you have completed configuring options for both the General and Next Hop Connections tabs, click Apply and OK to commit your changes.

Note: Since we have not yet created a location profile, we are unable to select a location profile in the configuration of the Mediation server. This will cause the following warning to appear. Just click OK.

Note: You will also receive a warning to restart Mediation services. You can safely ignore this warning.

Step 7 – Request Certificate for OCS 2007 R2 Mediation

After configuring the Mediation server role, we will need to request a certificate from our Certificate Authority.

A. To request a certificate for OCS 2007 R2 Mediation

Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
On the Deploy Other Server Roles page, click Deploy Mediation Server.
On the Deploy Mediation Server page, at Step 4: Configure Certificate, click Run.
At the Certificate Wizard splash screen, click Next.
At the Available Certificate Tasks screen, choose Create a New Certificate, then click Next.
At the Delayed or Immediate Request screen, choose the option Send the request immediately to an online certificate authority, then click Next.
At the Name and Security Settings screen, enter the following information, then click Next:

Name: OCSR2MediationCert
Bit Length: 1024
Mark cert as exportable: Enabled
At the Organization Information screen, enter contoso.com for both the Organization name and the Organizational Unit. Click Next.
At the Server’s Subject Name screen, enter Mediation-R2.contoso.com for the Subject Name value. Do not enter any Subject Alternative Names for this certificate. Click Next.
At the Geographical Information screen, enter your Country, State/Province, and City/Locality, then click Next.
At the Choose a Certification Authority screen, select Email.contoso.com\ContosoCA from the drop-down list of Certificate Authorities, then click Next.
At the Request Summary screen, verify that all of the information was entered correctly, then click Next.
Upon successfully submitting the certificate request, a new certificate should be issued by the Certificate Authority from your environment. Choose the Assign option to assign the certificate immediately, then click Finish.
You will be prompted to restart services, however you can ignore this warning.

This completes the deployment of the OCS 2007 R2 Mediation Server role.

Configuring Enterprise Voice

Next we will configure Enterprise Voice functionality for Office Communications Server. There are several steps that must be completed to configure Enterprise Voice, especially when Unified Messaging is involved. As you will see, this is one of the more challenging tasks in deploying OCS 2007 R2.

Step 1 – Get the Phone Context value of the Unified Messaging Dial Plan

To successfully integrate OCS 2007 and Unified Messaging, the name of the Location Profile for your Enterprise Voice users must match the Phone Context value of your Unified Messaging Dial Plan. To get this value, we will use the Exchange Management Shell on the Windows 2008 physical host computer.

A. Get Phone Context value of UM Dial Plan

Log on to the Windows 2008 physical computer as the built-in Domain Administrator account (Contoso\Administrator).
Launch the Exchange Management Shell by clicking Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
Within the Exchange Management Shell, enter the following command to get details of all Exchange UM Dial Plans:

get-UMDialPlan | fl name,uritype,voipsecurity,phonecontext,umservers

[PS] C:\> get-umdialplan | fl name,uritype,voipsecurity,phonecontext,umservers

Name : OCSDialPlan
URIType : SipName
VoIPSecurity : SIPSecured
PhoneContext : OCSDialPlan.contoso.com
UMServers : {EMAIL}
Note that the PhoneContext value of the OCSDialPlan is ‘OCSDialPlan.contoso.com’. The name of the Location Profile you will create must match this value.

Step 2 – Install the OCS 2007 R2 Resource Kit Tools on the Mediation Server

To create and configure the OCS Location Profile, we will use Enterprise Voice Route Helper, which is installed with the OCS 2007 R2 Resource Kit tools. We will need to install the resource kit tools on the Mediation server.

A. To install the OCS 2007 R2 Resource Kit tools

Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Internet Explorer, and navigate to http://www.microsoft.com/downloads/details.aspx?FamilyID=9e79a236-c0df-4a72-aba6-9a9602a93ed0&DisplayLang=en.
Download and save the OCSResKit.msi installation file to disk.
Double-click on the file OCSResKit.msi to launch the installation of the Resource Kit tools for Office Communications Server 2007 R2.
At the installation splash screen, Click Next, then accept the License Agreement.
When prompted for the installation path, just accept the default value and click Next.
When the installation of the OCS Resource Kit tools finishes, click Close.

Step 3 – Create a Location Profile using Enterprise Voice Route Helper

Next we will use the Enterprise Voice Route Helper tool to create a Location Profile for our Enterprise Voice enabled users.

A. To create a Location Profile

Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Launch Enterprise Voice Route Helper by clicking Start > Programs > Microsoft Office Communications Server 2007 > Resource Kit > Enterprise Voice Route Helper.
From the Menu bar in Enterprise Voice Route Helper, click Insert > New Location Profile.
Enter the name ‘OCSDialPlan.contoso.com’ for the name of the new Location Profile. This is the same value found in the PhoneContext field of the UM Dial Plan from Step 1. Click OK.
Within the Location Profile Editor, enter Default Location Profile for the Description value of the location profile, then click Add to enter phone number Normalization Rules for the new Location Profile.
You will likely need to create several Normalization Rules both to correctly handle user dialing behavior within Office Communicator and to correctly format dial strings from telephone numbers stored in Active Directory and in Microsoft Outlook. For the purposes of this lab, we will only create three very simple normalization rules:

Rule Name: 4 Digit Internal Dialing
Internal Enterprise Extension: Enabled
Use Translation When Dialing from Device: Enabled
Starting Digits: (empty)
Length: Exactly 4 Digits
Number of Digits to Strip: 0
Digits to Prepend: +1980776
Automatically Update Description: Enabled

Rule Name: 10 Digit Dialing
Internal Enterprise Extension: Disabled
Use Translation When Dialing from Device: Enabled
Starting Digits: (empty)
Length: Exactly 10 Digits
Number of Digits to Strip: 0
Digits to Prepend: +1
Automatically Update Description: Enabled

Rule Name: 11 Digit Dialing
Internal Enterprise Extension: Disabled
Use Translation When Dialing from Device: Enabled
Starting Digits: (empty)
Length: Exactly 11 Digits
Number of Digits to Strip: 0
Digits to Prepend: +
Automatically Update Description: Enabled
When all three normalization rules have been added, click Apply and then OK.
Next, choose Edit > Edit Phone Usage from the Menu Bar.
Save/Upload your work by clicking File > Upload Changes from the Menu Bar.
After the changes have been uploaded successfully, click OK on the Change Report screen.
From the Phone Usage dialog box, click Add to add a new Route.
From within the Route Picker dialog box, click New.
With the Route Details box, configure the new route as follows:

    a. Enter PSTN Route as the Route Name value.
    b. Under the Target Phone Numbers\Prefixes tab, choose Match all numbers except as noted.

    c. Under the Gateways tab, click Add then select Mediation-R2.contoso.com from the list of available gateways.

   d. To complete the configuration of Route Details, click OK twice.
Save/Upload your work by clicking File > Upload Changes from the Menu Bar.
After the changes have been uploaded successfully, click OK on the Change Report screen.
Close the Enterprise Voice Route Helper application.

Step 4 – Associate the OCS Environment with the Location Profile

After having created our new Location Profile, we now need to associate it to our OCS environment.

A. To associate the Location Profile

Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then Programs, then Administrative Tools. Click Office Communications Server 2007 R2 to launch the OCS 2007 R2 administration console.
Within the administration console, expand the contoso.com Forest level entry, then expand Mediation Servers.
Right click on the Mediation-R2.contoso.com server object, then select Properties.
In the Default Location Profile drop down box, choose the newly created OCSDialPlan.contoso.com Location Profile.
Click OK to commit your changes

Step 5 – Start services on the OCS 2007 R2 Mediation server

Now that we have configured Enterprise Voice, we need to restart services on the Mediation server.

A. To start services on the Mediation server

Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then Programs, then Administrative Tools. Click Office Communications Server 2007 R2 to launch the OCS 2007 R2 administration console.
Within the administration console, expand the contoso.com Forest level entry, then expand Mediation Servers.
Right click on the Mediation-R2.contoso.com server object, then click Start.
Monitor the status of the startup of services displayed at the bottom left corner of the Administration Console window.

Step 6 – Restart services on the OCS 2007 R2 Front End server

Our final step of configuring Enterprise Voice involves restarting the services on the OCS 2007 R2 Front End server. This is done to ensure that our end users receive details regarding the default location profile and normalization rules though in-band provisioning during the client logon process.

A. To restart services on the Front End server

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then Programs, then Administrative Tools. Click Office Communications Server 2007 R2 to launch the OCS 2007 R2 administration console.
Within the administration console, expand the contoso.com Forest level entry, then expand Standard Edition Servers.
Expand the OCS-R2 Pool object, then right click on the OCS-R2.contoso.com Front End server object.
Expand Stop, then select Stop all started services.
Monitor the status of the stopping of services displayed at the bottom left corner of the Administration Console window.
When all services have stopped successfully, again, right click on the OCS-R2.contoso.com Front End server object.
Expand Start, then select Start all stopped services.
Again monitor the status of the startup of services of the Front End server.

This completes the configuration of OCS 2007 R2 Enterprise Voice.

Configuring a VoIP Gateway or SIP Trunk

To provide external telephony connectivity for users in your lab, you will need to either purchase a VoIP gateway or a SIP trunk from a UCOIP certified provider. Currently, there are currently three vendors that offer VoIP gateways and four vendors that offer SIP trunks which have been certified for use with OCS 2007 R2. Given the enormity of scope with regards to configuring PSTN connectivity for Office Communications Server 2007 R2, this topic will not be covered in this documentation.

For more information, please check the Microsoft Unified Communications Open Interoperability Program website at http://technet.microsoft.com/en-us/office/ocs/bb735838.aspx#trunking.

While Dialogic, Quintum, and Audiocodes offer VoIP gateways for use with OCS 2007 R2, I purchased the Audiocodes MP-114 Media Gateway for my lab environment. In February 2009, I published a blog entry on Microsoft TechNet which provides configuration details for configuring PSTN connectivity for OCS environments using an Audiocodes MP-114 or MP-118 Media Gateway. If you have an Audiocodes media gateway, you may find this information useful if you plan to configure PSTN connectivity for your own lab.

Integrating AudioCodes MP-114/MP-118 Media Gateways with Microsoft Unified Communications Products

http://blogs.technet.com/daveh/archive/2009/02/01/integrating-audiocodes-mp-114-mp-118-media-gateways-with-microsoft-unified-communications-products.aspx

Configuring Users

Our next task will be to create and configure users for our lab environment. Each user will be enabled for email, voice mail, and OCS with Enterprise Voice. If you’re like me and find it difficult to come up with names for users in your lab, check out a random name generator like the one at http://www.behindthename.com/random.

Step 1 – Create a Mailbox-Enabled User using Exchange Management Console (EMC)

Our first step will be to connect to our Exchange server (the Windows 2008 physical host computer) and create a mailbox-enabled user for our lab. To do this, we will use the Exchange Management Console.

A. To create a Mailbox-Enabled user account

Log on to the Windows 2008 physical host computer (Exchange 2007 server) as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then All Programs, then Microsoft Exchange Server 2007, then choose Exchange Management Console.
Within the Exchange Management Console, expand the Recipient Configuration object in the Navigation pane on the left, then select New Mailbox from the Action pane on the right.
Within the Introduction page, select the User Mailbox option, then click Next.
At the User Type page, choose New User, then click Next.
At the User Information page, enter a First Name, Last Name, and Display Name value for your user account. Additionally, configure a User Principal Name (user@domain.com), a pre-Windows 2000 Login Name (domain\user), and a Password value for your account. Click Next.
At the Mailbox Settings page, enter a mailbox Alias for your user, then click Browse to select a Mailbox Database. Choose the Mailbox Database from your Exchange 2007 server, then click OK. Click Next.
At the Configuration Summary page, click New to create the mailbox-enabled user account.
Next, right click on the new user account and choose Properties from the context menu.
Within the Properties of the user account, click on the Address and Phone tab.
Enter a Business phone number for the user account (i.e. 60001). The number of digit in this extension should equal the number of digits specified in your Unified Messaging Dial Plan (i.e. 5 digits). Click OK.

Step 2 – Enable the user for Office Communications Server

Our next step will be to enable the user for Office Communications Server. This will add the user to the OCS database and allow the user to connect to the OCS Front End server using Microsoft Office Communicator.

A. To enable a user for Office Communications Server

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, and then click Run. In the Open box, type dsa.msc, and then click OK.
In the console pane of Active Directory Users and Computers, expand the Users container or other organization unit where your user accounts reside.
Right-click the mailbox-enabled user that you create in Step 1 above (i.e., Spongebob Squarepants), and then click Enable users for Communications Server.
On the Welcome to the Enable Office Communications Server Users Wizard page, click Next.
On the Select Server or Pool page, select the Standard Edition server OCS-R2.contoso.com from the list, and then click Next.
On the Specify Sign-in Name page, select Use user’s e-mail address to generate the SIP URI for the user account, then click Next.
At the Ready to Enable Users page, click Next.
Verify that the user was enabled successfully, and then click Finish.

Step 3 – Configure OCS settings for enabled users

After enabling our account for Office Communications Server, our next step will be to configure the account for external connectivity and Enterprise Voice.

A. To configure a user for Office Communications Server

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, and then click Run. In the Open box, type dsa.msc, and then click OK.
In the console pane of Active Directory Users and Computers, expand the Users container or other organization unit where your user accounts reside.
Right-click on the user account that you created in Step 1 above, then select Configure Communications Server Users.
At the Welcome to the Configure Users Wizard splash screen, click Next.
At the Configure User Settings page, Enable the Federation, Public IM Connectivity, Remote User Access, and Enhanced Presence options for all selected users. Click Next.
At the Configure User Settings anonymous meeting participation page, click Next. (This option will be grayed out)
At the Configure User Settings meeting policy page, click Next. (This option will be grayed out.)
At the Configure Enterprise Voice Settings page, enable the option for Change Enterprise Voice Settings and select the option for Enable Enterprise Voice. Click Next.
At the Configure Enterprise Voice Settings and Location Profile page, enable the option Change location profile for selected users, then choose the OCSDialPlan.contoso.com location profile from the list of available location profiles. Click Next.
At the Ready to Configure Users page, click Next.
At the Configure Operation Status page, verify that your user was successfully configured for Office Communications Server.

Step 4 – Configure Enterprise Voice details for users

Our next step will be to configure the Line URI value for our user account. This value allows us to define a E.164 telephone number for our user.

A. To configure a Line URI value for a user

Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, and then click Run. In the Open box, type dsa.msc, and then click OK.
In the console pane of Active Directory Users and Computers, expand the Users container or other organization unit where your user accounts reside.
Right-click on the user account that you created in Step 1 above, then select Properties.
Click on the Communications tab, and verify that the user is enabled for OCS.
Under Telephony settings, click Configure.
Under Telephony Options, verify that Enterprise Voice is enabled. Enter the Line URI value tel:+19807760001 and select the OCSDialPlan.contoso.com Location Profile. Click OK.
Click OK to close user properties.

Step 5 – Enable the User for Unified Messaging using Exchange Management Console (EMC)

Our next step will be to enable the account for Unified Messaging. This will allow unanswered or busy calls to this user to be diverted to voice mail. Again, we will use the Exchange Management Console for this task.

A. To enable the user account for Unified Messaging

Log on to the Windows 2008 physical host computer (Exchange 2007 server) as the built-in Domain Administrator account (Contoso\Administrator).
Click Start, then All Programs, then Microsoft Exchange Server 2007, then choose Exchange Management Console.
Within the Exchange Management Console, expand the Recipient Configuration object in the Navigation pane on the left, highlight the mailbox in the Results pane in the center, then select Enable Unified Messaging from the Action pane on the right.
At the Introduction page, you will find options to configure the UM Mailbox Policy and UM PIN Settings. To select a UM Mailbox Policy, click Browse and choose the OCSDialPlan Default Policy. Click OK. Then select the option Manually specify PIN, and to the right enter the desired PIN for this user. Click Next.
At the Extension Configuration page, select the option Manually entered mailbox extension and enter the Business extension (i.e. 60001) from Step 1 above. Again, the number of digits in the extension should match that of your UM Dial Plan. Also select the option Manually entered SIP or E.164 address, and enter the email address of the user. Click Next.
At the Configuration Summary page, click Enable to enable the account for Unified Messaging.

Step 6 – Generate Grammar Files for UM Dial Plan and Global Address List

After enabling our accounts for Unified Messaging, we need to be sure to include them in the grammar files used by Unified Messaging. Although these files are created and/or updated by the server around 1:30am each day, the Directory Search feature of our Auto Attendant will not find our new UM enabled users until these files are generated.

A. To generate the grammar file for Unified Messaging

Log on to the Windows 2008 physical host computer (Exchange 2007 server) as the built-in Domain Administrator account (Contoso\Administrator).
From the Exchange server, open a command prompt.
Create a new folder to hold the log files created by the galgrammargenerator utility using the following command:

md C:\temp
Navigate to the folder where the galgrammargenerator utility resides by entering the following command:

cd C:\Program Files\Microsoft\Exchange Server\Bin
Next, run the following command to generate the grammar files for our Dial Plan:

galgrammargenerator.exe –s {servername} –o c:\temp\DialPlan_GrammarGeneration.log
Next, run the following command to generate the grammar files for our Global Address List:

galgrammargenerator.exe -g -o c:\temp\GAL_GrammarGeneration.log
Examine each of the log files in the C:\temp folder to verify that the UM Enabled user was included in the compiled grammar files.

This completes the configuration of the user account for Exchange Server and Office Communications Server.

First Name	Last Name	Extension	UM Extension/Dial Plan
PBX	UserA	60001	60001 / PBXNSIP Dial Plan
PBX	UserB	60002	60002 / PBXNSIP Dial Plan

Routing Target	IP Address	Protocol/Transport
Exchange 2010 Unified Messaging	192.168.1.11	SIP / TCP
AudioCodes MP-114 VoIP Gateway	192.168.1.12	SIP / TCP

Role	OCS 2007 R2 Communicator Web Access
Memory	512MB
Network	One (1) Virtual NIC
Hard Disk	16GB Virtual Hard Disk
OS Version	Windows Server 2003 SP2 (x64)
FQDN	CWA-R2.contoso.com *(domain-joined)*
IP Address	192.168.1.12

Role	ISA Server 2006
Memory	512MB
Network	One (1) Virtual NIC
Hard Disk	16GB Virtual Hard Disk
OS Version	Windows Server 2003 SP2 (x64)
FQDN	ISA.contoso.com (not domain-joined)
IP Address	192.168.1.6

Protocol	Source IP	External Ports	Internal Ports	Internal IP	Description
Both	All	50000 – 59999	(same)	192.168.1.4	A/V Edge RTP Ports
TCP	All	5061	5061	192.168.1.2	Access Edge
UDP	All	3478	3478	192.168.1.4	A/V Edge (STUN/TURN)
TCP	All	443	443	192.168.1.6	ISA SSL Listener
TCP	All	442	442	192.168.1.3	Web Conferencing Edge
TCP	All	441	441	192.168.1.4	A/V Edge
TCP	All	80	80	192.168.1.10	Web Site
TCP	All	25	26	192.168.1.10	SMTP (Email)

Role	OCS 2007 R2 Front End
Memory	1024MB
Network	One (1) Virtual NIC
Hard Disk	16GB Virtual Hard Disk
OS Version	Windows Server 2003 SP2 (x64)
FQDN	OCS-R2.contoso.com *(domain-joined)*
IP Address	192.168.1.11

Role	OCS 2007 R2 Edge
Memory	1024MB
Network	Two (2) Virtual NICs
Hard Disk	16GB Virtual Hard Disk
OS Version	Windows Server 2003 SP2 (x64)
FQDN	Edge-R2.contoso.com *(not domain-joined)*
IP Addresses	192.168.1.2 – 192.168.1.4 (External NIC) 192.168.1.5 (Internal NIC)

Role	OCS 2007 R2 Mediation
Memory	512MB
Network	One (1) Virtual NIC
Hard Disk	16GB Virtual Hard Disk
OS Version	Windows Server 2003 SP2 (x64)
FQDN	Mediation-R2.contoso.com *(domain-joined)*
IP Address	192.168.1.13