As a Senior Support Escalation Engineer with the Unified Communications team at Microsoft, I help a lot of customers install Microsoft Unified Communications products in either their production or lab environment. I often find that for many smaller organizations, the task of deploying OCS 2007 R2 and/or Exchange Unified Messaging becomes that of the existing IT team or the network administrator. While Office Communications Server 2007 R2 is the coolest collaboration product that Microsoft has ever shipped and Unified Messaging is the perfect voice mail solution for it, the learning curve for each product isn’t just steep – it is nearly insurmountable. Considering the seemingly endless list of available features within OCS 2007 R2 and their associated requirements, figuring out exactly what you need to accomplish what you want is often a frustrating experience – especially for those who are new to the technology.
So, what do you want to do with Office Communications Server 2007 R2 and Microsoft Exchange Server 2007?
Do you want to enable instant messaging?
-
IM only between user accounts in your lab?
-
IM with federated contacts? (external IM with other labs/other companies)
-
IM with public providers like MSN/Yahoo/AOL?
Do you want to share meetings using Live Meeting?
- Meetings only between user accounts in your lab?
- Meetings that can be joined by remote users?
- Meetings that can be joined remotely by anonymous users?
- Meetings that offer Audio/Video capabilities?
Do you want to offer Exchange services to your OCS users?
- Access to email via Outlook or Outlook Web Access?
- Automatic configuration of Outlook using Outlook Anywhere
- Voice mail services using Unified Messaging
Having recently moved to the Unified Communications team after supporting Exchange for the past eight years, I am also new to this technology – and I’ve experienced a similar degree of frustration when building out various lab environments. Since I seem to learn a lot more about a product by installing and configuring it versus simply reading about it from a book, I wanted to deploy a fully working Unified Communications lab environment at home where I could learn at my own pace.
While I am extremely fortunate to have unlimited access to a variety of high-end equipment at work, the equipment found in my own lab at home is a little embarrassing by comparison… :-) So, in the best interest of make do, this step-by-step guide will attempt to offer all of the services listed above in a lab environment using a single Windows 2008 Hyper-V physical host computer and a single public IP address.
Disclaimer
This information is provided AS-IS with no warranties, and confers no rights. In fact, many of the configuration steps provided in this documentation are considered UNSUPPORTED by the Microsoft RTC and Exchange product groups for production use. Although Microsoft now officially supports many of the server roles for OCS 2007 R2 on Windows 2008 Hyper-V, the roles involving RTC media streams are not supported on virtualized platforms. As such, please DO NOT use this documentation as prescriptive guidance for deploying these products in a production capacity.
Lab Overview
Using a single 64-bit computer running Windows Server 2008 and Hyper-V, you can deploy a fully functional OCS 2007 R2 / Exchange 2007 lab environment. After completing setup of this lab, you’ll be able to do instant messaging and Live Meeting conferences with full audio and video for both internal and external users. If you want to provide optional VoIP telephony services with PSTN integration, however, you’ll need to add a Mediation server and a VoIP Gateway device to your lab.
Since I chose to deploy this lab at home, there were a few constraints that I knew I had to work around. For example, my house was not pre-wired for CAT5 when it was built, so I use wireless networking for just about everything – including my laptops, my Zune, and each of my X-Box 360s. Instead of inconveniencing my family by taking the network offline while I figured out how to route everything through ISA Server 2006 running in a virtual machine, I chose instead to use ISA Server 2006 simply as an SSL proxy/redirect while leaving the firewall on my Linksys WRT54G wireless router to filter out unwanted network traffic.
Below you will find a diagram of the Unified Communications lab environment that I built at home and that we will attempt to build in the following documentation (click to enlarge).
Requirements
To build this lab environment, the following components are required:
- One (1) 3.0 GHz Dual Core (or higher) 64-bit Hyper-V host computer, 8GB RAM, Gigabit NIC, two (2) 320GB SATA hard disks
- One (1) Hyper-V guest, 512MB RAM, one virtual NIC, 16GB virtual hard disk (ISA 2006)
- One (1) Hyper-V guest, 512MB RAM, one virtual NIC, 16GB virtual hard disk (OCS 2007 R2 CWA)
- One (1) Hyper-V guest, 512MB RAM, one virtual NIC, 16GB virtual hard disk (OCS 2007 R2 Mediation)
- One (1) Hyper-V guest, 1024MB RAM, two virtual NICs, 16GB virtual hard disk (OCS 2007 R2 Edge)
- One (1) Hyper-V guest, 1024MB RAM, one virtual NIC, 16GB virtual hard disk (OCS 2007 R2 Front End
- One (1) Wireless or Wired Ethernet Router
- One (1) Ethernet Cable Modem or DSL Modem
- One (1) Public IP address, either static or DHCP assigned
- One (1) publicly registered Internet domain
- One (1) SSL SAN Certificate issued by a trusted PKI provider (optional)
To provide VoIP connectivity with PSTN integration, you will need the following optional component:
Unless you plan to provide Public IM Connectivity to your lab users, you will not need a UC Certificate from a trusted PKI provider. This may be good news given that UC (SAN) Certificates can be very pricey, especially for a small lab environment. You can accomplish much of the same functionality simply by using internally generated certificates, however your external users will log trust errors – at least initially. Internally generated certificates are not trusted by computers which are external to your organization. You can work around this, however, by having your external users import the certificate from your internal Certification Authority into their list of Trusted Root Certificate Authorities.
With regards to Federation, you can establish direct federation with a partner organization without using a publicly trusted UC certificate. As long as your federated partner agrees to import your internally generated CA certificate into the Trusted Root Certification Authorities list on each Edge server, you can participate in federated IM conversations and conferences.
Now… let’s get started!
Registering a Public Domain
The first step in this process is to register a public domain from a trusted registrar. The registrar you choose will ask you to provide various contact and technical information that makes up the registration, which is then stored in a central directory known as the "registry." You will also be required to enter a registration contract with the registrar, which sets forth the terms under which your registration is accepted and will be maintained. A list of trusted registrars can be found at InterNIC.
While most domain registrars also offer hosting the DNS records for purchased domains, you should look for a domain registrar which will allow you to create and edit Service Records (SRV). Office Communications Server 2007 R2 uses SRV records for Federation, Public IM Connectivity (PIC), and automatic client configuration for external users. After checking SlickDeals.net for online coupon codes, I purchased the domain name for my Unified Communications lab from GoDaddy.com. Not only did I get my domain for a fantastic price, I have been extremely pleased with their customer service – and they allow you to create DNS SRV records.
Creating Public DNS Records
Next, we will need to create several public DNS records for our Unified Communications environment. While my ISP does offers static IP addresses to their customers for an extra fee, I still use a DHCP-assigned IP address. I found that DHCP-assigned IP addresses from my ISP rarely change – maybe once every four or five months. However, when it does happen, I have to manually update my DNS records to point to the new IP address. As you can imagine, manually updating DNS records can be quite annoying.
For me, though, updating DNS to point to a new IP address isn’t big of a deal. While Microsoft only officially supports using host (A) public DNS records for deploying OCS 2007 R2, I chose instead to use CNAME records for my own lab environment. By using CNAME records, I found that I only have to update a single DNS record if my DHCP-assigned IP address changes for any reason.
The following step-by-step instructions describe how to create CNAME records with GoDaddy to support OCS 2007 R2, however, these instructions will vary by provider.
A. To create Public DNS records for your Unified Communications lab environment
- Log in to your DNS service provider.
- Select the appropriate option for managing DNS records for your domain.
(For GoDaddy.com customers, this option is called Total DNS Control and MX Records.) - Select the appropriate option for creating a new A record, then enter the following details:
Host Name: @
Points to IP Address: <Your IP Address>
TTL: One hour
- Select the appropriate option for creating a new CNAME record, then enter the following details:
Enter an Alias Name: sip
Points to Host Name: @
TTL: One hour
Repeat this step, creating additional CNAME records for each of the following Alias names:
| Alias | Points to Host Name |
| cwa | @ |
| mail | @ |
| www | @ |
| autodiscover | @ |
| as.cwa | @ |
| download.cwa | @ |
- Select the appropriate option for creating a new MX record, then enter the following details:
Host Name: @
Goes To Address: mail.contoso.com
Priority: 0
TTL: One hour
- Select the appropriate option for creating a new SRV record, then enter the following details:
Service: _sipfederationtls
Protocol: _tcp
Name: Federation SRV Record
Priority: 1
Weight: 1
Port: 5061
Target: sip.contoso.com
TTL: One hour
Repeat this step, creating an additional SRV record with the following details:
Service: _sip
Protocol: _tls
Name: External User SRV Record
Priority: 1
Weight: 1
Port: 5061
Target: sip.contoso.com
TTL: One hour
This completes the configuration of the external DNS records.
Configuring the Router/Firewall
The third step in this process is to either configure port forwarding in the configuration of your router or to create rules to open ports on your firewall. As mentioned previously, I use a Linksys WRT54G wireless router and a single private network (no DMZ) for all devices. As such, I created the following port forwarding rules in the configuration of my router to accommodate network traffic for Exchange Server and Office Communications Server:
| Protocol | Source IP | External Ports | Internal Ports | Internal IP | Description |
| Both | All | 50000 – 59999 | (same) | 192.168.1.4 | A/V Edge RTP Ports |
| TCP | All | 5061 | 5061 | 192.168.1.2 | Access Edge |
| UDP | All | 3478 | 3478 | 192.168.1.4 | A/V Edge (STUN/TURN) |
| TCP | All | 443 | 443 | 192.168.1.6 | ISA SSL Listener |
| TCP | All | 442 | 442 | 192.168.1.3 | Web Conferencing Edge |
| TCP | All | 441 | 441 | 192.168.1.4 | A/V Edge |
| TCP | All | 80 | 80 | 192.168.1.10 | Web Site |
| TCP | All | 25 | 26 | 192.168.1.10 | SMTP (Email) |
After saving this configuration, restart your router or firewall.
Explanation of Routing
Although it is possible to deploy both OCS 2007 R2 and Exchange 2007 using a single public IP address, to do so introduces some very interesting challenges with regards to routing. The following summary explains how routing is accomplished in this lab for internal and external connectivity.
External Routing
| Client | Address | Ext Port | Path | Int Port | Target |
| OCS Remote User | sip.contoso.com | 5061 | OCS Access Edge | 5061 | OCS-R2.contoso.com |
| OCS Web Components | sip.contoso.com | 443 | ISA Server Proxy | 443 | OCS-R2.contoso.com |
| OCS Web Conferencing | sip.contoso.com | 442 | OCS Web Conf Edge | 8057 | OCS-R2.contoso.com |
| OCS A/V Conferencing | sip.contoso.com | 441 | OCS A/V Edge | 443 | OCS-R2.contoso.com |
| OCS CWA | https://cwa.contoso.com | 443 | ISA Server Proxy | 443 | CWA-R2.contoso.com |
| Outlook Web Access | https://mail.contoso.com/owa | 443 | ISA Server Proxy | 443 | Email.contoso.com |
| Autodiscover | https://autodiscover.contoso.com | 443 | ISA Server Proxy | 443 | Email.contoso.com |
| SMTP | mail.contoso.com | 25 | Linksys Router | 26 | Email.contoso.com |
Internal Routing
| Client | Address | Port | Path | Target |
| OCS Internal User | sip.contoso.com | 5061 | OCS Front End | OCS-R2.contoso.com |
| OCS Web Components | OCS-R2.contoso.com | 443 | OCS Front End | OCS-R2.contoso.com |
| OCS CWA | https://cwa.contoso.com | 443 | ISA Server Proxy | CWA-R2.contoso.com |
| Outlook Web Access | https://mail.contoso.com/owa | 443 | ISA Server Proxy | Email.contoso.com |
Configuring the Domain Infrastructure
For the purposes of this lab, our physical host computer will run a number of services – including Active Directory, DNS, Enterprise Certification Authority, and Hyper-V virtualization. The following steps will configure the domain infrastructure for the Unified Communications lab environment.
Step 1 - Install Windows Server 2008 Enterprise Edition
The first configuration step involves installing Windows Server 2008 Enterprise Edition as the operating system for the physical host computer. Rather than reinvent the wheel here, Microsoft MVP Daniel Petri authored a fantastic step-by-step blog entry on installing Windows Server 2008. Be sure to check it out if you have never done this before. It may save you some time and effort… :-)
Step 2 - Install the Hyper-V Role
Once Windows Server 2008 Enterprise Edition has been installed on the host PC, our first configuration task will be to install the Hyper-V role which will host the four guest virtual machines that will run ISA Server 2006 and OCS 2007 R2. It is important to install the Hyper-V role first because it allows us an opportunity to configure network settings for the computer before installing Active Directory. For additional information on Windows virtualization using Hyper-V, check out the Hyper-V Getting Started Guide on Microsoft TechNet.
A. To install Hyper-V on a full installation of Windows Server 2008
- Log in to the Windows 2008 computer using the built-in Administrator account.
- Click Start, and then click Server Manager.
- In the Roles Summary area of the Server Manager main window, click Add Roles.
- On the Select Server Roles page, click Hyper-V.
- On the Create Virtual Networks page, click one or more network adapters if you want to make their network connection available to virtual machines.
- On the Confirm Installation Selections page, click Install.
- The computer must be restarted to complete the installation. Click Close to finish the wizard, and then click Yes to restart the computer.
- After you restart the computer, log on with the same account you used to install the role. After the Resume Configuration Wizard completes the installation, click Close to finish the wizard.
Step 3 – Configure Network Settings
While As mentioned previously, our Windows 2008 physical host computer will be configured to support a number of roles, including Active Directory, DNS, Certificate Services, and Exchange 2007. The IP address for this computer will be 192.168.1.10, and since it will host Active Directory and DNS, the IP address should not be assigned by DHCP. As such, we will need to complete several steps to configure our network settings.
A. To verify that Windows Firewall is enabled
- Log in to the Windows 2008 computer using the built-in Administrator account.
- Click Start, then open the Control Panel. Launch Windows Firewall.
- From the menu on the left, click on the Turn Windows Firewall on or off hyperlink option
- Verify that Windows Firewall is enabled.
B. To configure static TCP/IP settings for a Hyper-V virtual NIC in Windows Server 2008
- Log in to the Windows 2008 computer using the built-in Administrator account
- Click Start, then open the Control Panel. Launch the Network and Sharing Center applet.
- From the Tasks menu on the left, select Manage Network Connections.
- In the Network Connections window, click the Views option from the menu bar and select Details.
- After installing the Hyper-V role, you will notice that a new network adapter has been added to the system. Open the properties of each adapter and locate the one that is bound only to the Microsoft Virtual Network Switch Protocol. This adapter represents the physical (hardware) network adapter, while the other represents the Hyper-V virtual adapter.
- Right click on each network adapter and rename them as follows:
HyperV Internal (Physical NIC) – network adapter bound only to Microsoft Virtual Network Switch Protocol.
HyperV Internal (Virtual NIC) – network adapter bound to everything except the Microsoft Virtual Network Switch Protocol.
- After renaming the network adapters, open the properties of the HyperV Internal (Virtual NIC) adapter.
- Select the Internet Protocol Version 6 (TCP/IPv6) connection, then click Properties.
- Select Use the following IPv6 address, then enter the following:
IP Address: fe80:0:0:0:0:0:c0a8:010a
Subnet prefix length: 64
Default Gateway: fe80:0:0:0:0:0:c0a8:0101
DNS Server: fe80:0:0:0:0:0:7f00:0001
Click OK.
- Select the Internet Protocol Version 4 (TCP/IPv4) connection, then click Properties.
- Select Use the following IPv4 address, then enter the following:
IP Address: 192.168.1.10
Network Mask: 255.255.255.0
Default Gateway: 192.168.1.1
DNS Server: 127.0.0.1
- Click OK then Close the properties of the HyperV Internal (Virtual NIC) adapter.
After completing the network configuration steps, restart the Windows 2008 physical host computer.
Step 4 – Install Active Directory Domain Services / DNS
Having installed the Hyper-V role and configured our network settings, we’re now ready to install Active Directory Domain Services on the Windows 2008 physical host computer. Since we have not yet installed the DNS server role, you will be prompted to install the DNS role during the setup of Active Directory.
A. To install a new Active Directory forest by using the Windows interface
- Log in to the Windows 2008 computer using the built-in Administrator account.
- Open Server Manager by clicking Start, point to Administrative Tools, and then click Server Manager.
- In Roles Summary, click Add Roles.
- If necessary, review the information on the Before You Begin page and then click Next.
- On the Select Server Roles page, click the Active Directory Domain Services check box, and then click Next.
Note: If you installed Windows Server 2008 R2, you might have to click Add Required Features to install .NET Framework 3.5.1 features before you can click Next.
- If necessary, review the information on the Active Directory Domain Services page, and then click Next.
- On the Confirm Installation Selections page, click Install.
- On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).
- On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
- You can select the Use advanced mode installation check box to get additional installation options.
- On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 and Windows Server 2008 R2 domain controllers, and then click Next.
- On the Choose a Deployment Configuration page, click Create a new domain in a new forest, and then click Next.
- On the Name the Forest Root Domain page, type the full Domain Name System (DNS) name for the forest root domain (i.e. contoso.com), and then click Next.
- If you selected Use advanced mode installation on the Welcome page, the Domain NetBIOS Name page appears. On this page, type the NetBIOS name of the domain if necessary (i.e. contoso) or accept the default name, and then click Next.
- On the Set Forest Functional Level page, select the forest functional level that accommodates the domain controllers that you plan to install anywhere in the forest (Windows 2003 mode or higher is required), and then click Next.
- On the Set Domain Functional Level page, select the domain functional level that accommodates the domain controllers that you plan to install anywhere in the domain (Windows 2003 mode or higher is required), and then click Next.
Note: The Set Domain Functional Level page does not appear if you select the Windows Server 2008 forest functional level on a server that runs Windows Server 2008 or if you select the Windows Server 2008 R2 forest functional level on a server that runs Windows Server 2008 R2.
- On the Additional Domain Controller Options page, DNS server is selected by default so that your forest DNS infrastructure can be created during AD DS installation. If you plan to use Active Directory–integrated DNS, click Next. If you have an existing DNS infrastructure and you do not want this domain controller to be a DNS server, clear the DNS server check box, and then click Next.
- If the wizard cannot create a delegation for the DNS server, it displays a message to indicate that you can create the delegation manually. To continue, click Yes.
- On the Location for Database, Log Files, and SYSVOL page, browse to the volume and folder locations for the database file, the directory service log files, and the SYSVOL files, and then click Next.
- Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or existing files.
- On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password must be used to start AD DS in Directory Service Restore Mode for tasks that must be performed offline.
- On the Summary page, review your selections. Click Back to change any selections, if necessary.
- To save the selected settings to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type the name for your answer file, and then click Save.
- When you are sure that your selections are accurate, click Next to install AD DS.
- You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the AD DS installation when you are prompted to do so.
Upon restarting the server, log in using the credentials for the built-in Domain Administrator account (i.e. Contoso\Administrator). It is important that you use the built-in Domain Administrator account because it is the only account that is exempt from User Account Control restrictions. Once logged in, launch the Event Viewer and take a cursory glance at both the Application Log and System Logs from the server. Be sure to address any serious errors before proceeding.
Step 5 – Configure Internal DNS Records
To support both OCS 2007 R2 and Exchange 2007, we will need to create several host (A) records and service (SRV) records in our internal DNS zone.
A. Add internal DNS Records for OCS 2007 R2 and Exchange 2007
- Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
- Click Start, point to Administrative Tools, and then click DNS.
- In the DNS console, expand the Server object, expand the Forward Lookup Zones folder, and select the local Domain.
- From the menu bar at the top of the DNS console, choose Action, then click New Host (A or AAAA)…
- In the New Host dialog box, type the Host Name and IP Address for the new A record.
Name: sip
IP Address: 192.168.1.11
Repeat this step, creating additional DNS A records for each of the following host names:
| Host Name | IP Address |
| autodiscover | 192.168.1.6 |
| mail | 192.168.1.6 |
| www | 192.168.1.10 |
| sip | 192.168.1.11 |
| cwa | 192.168.1.6 |
| Edge-R2 | 192.168.1.5 |
| ISA | 192.168.1.6 |
- Next, select the local Domain again.
- From the menu bar at the top of the DNS console, choose Action, then click New Alias (CNAME)…
- In the New Resource dialog box, enter the following data, then click OK:
Alias Name: as.cwa
Fully Qualified Domain Name: as.cwa.contoso.com (automatically populated)
Fully Qualified Domain Name for Target Host: cwa.contoso.com
- Choose Action, then click New Alias (CNAME)… to create an additional CNAME record.
- In the New Resource dialog box, enter the following data, then click OK:
Alias Name: download.cwa
Fully Qualified Domain Name: download.cwa.contoso.com (automatically populated)
Fully Qualified Domain Name for Target Host: cwa.contoso.com
- Next, select the local Domain again.
- From the menu bar at the top of the DNS console, choose Action, then click Other New Records…
- In the Resource Record Type dialog box, scroll down the list of available record types and choose Service Location (SRV) option and click Create Record…
- In the New Resource Record dialog box, manually type in the following information (do not use the drop down list):
Service: _sipinternaltls
Protocol: _tcp
Priority: 1
Weight: 1
Port Number: 5061
Host Name: sip.contoso.com
- Create a second DNS SRV record, manually type in the following information (do not use the drop down list):
Service: _sip
Protocol: _tls
Priority: 1
Weight: 1
Port Number: 5061
Host Name: sip.contoso.com
- Close the DNS console after all records have been created.
This completes the configuration of the internal DNS records.
Step 6 - Install Certificate Services
Next, we need to install the Certificate Authority role on the Windows 2008 computer so that we can issue PKI certificates for the various Office Communications Server 2007 server roles.
A. To install Certificate Services and set up an Enterprise Root CA
- Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
- Click Start, point to Administrative Tools, and then click Server Manager.
- In the Roles Summary section, click Add roles.
- On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.
- On the Select Role Services page, select the Certification Authority check box, and then click Next.
- On the Specify Setup Type page, click Enterprise, and then click Next.
- On the Specify CA Type page, click Root CA, and then click Next.
- On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional configuration settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.
- In the Common name for this CA box, type the common name of the CA, ContosoCA, and then click Next.
- On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.
- On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
- After verifying the information on the Confirm Installation Options page, click Install.
- Review the information on the confirmation screen to verify that the installation was successful.
After installing Certificate Services, launch Internet Explorer on the Windows 2008 computer and browse to https://{ComputerName}/Certsrv. SSL encryption should be automatically enabled for the CertSrv website, but you may need to enable it manually within the Internet Information Services (IIS) Manager console. You may also need to add this website to either your Trusted Sites or your local Intranet zone.
Step 7 – Create the Hyper-V Guest Virtual Machines
Following a successful installation of Hyper-V and a reboot of the system, the next step is to create the five virtual machines that will host ISA Server 2006 and the four OCS 2007 R2 server roles. Again, here is the suggested configuration for each of the five virtual machines:
- ISA Server 2006 - 512MB RAM, one (1) virtual NIC, 16GB virtual hard disk
- OCS 2007 R2 CWA - 512MB RAM, one (1) virtual NIC, 16GB virtual hard disk
- OCS 2007 R2 Mediation – 512MB RAM, one (1) virtual NIC, 16 GB virtual hard disk
- OCS 2007 R2 Edge - 1024MB RAM, two (2) virtual NICs, 16GB virtual hard disk
- OCS 2007 R2 Front End - 1024MB RAM, one (1) virtual NIC, 16GB virtual hard disk
A. To create and set up a Virtual Machine in Hyper-V
- Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
- Click Start, point to Administrative Tools, and then click Hyper-V Manager.
- From the Action pane, click New, and then click Virtual Machine.
- From the New Virtual Machine Wizard, click Next.
- On the Specify Name and Location page, specify the name of the virtual machine and where you want to store it.
- On the Memory page, specify enough memory to run the guest operating system you want to use on the virtual machine.
- On the Networking page, connect the network adapter to an existing virtual network if you want to establish network connectivity at this point.
Note: If you want to use a remote image server to install an operating system on your test virtual machine, select the external network.
- On the Connect Virtual Hard Disk page, specify a name, location, and size to create a virtual hard disk so you can install an operating system on it.
- On the Installation Options page, choose the method you want to use to install the operating system:
- Install an operating system from a boot CD/DVD-ROM. You can use either physical media or an image file (.iso file).
- Install an operating system from a boot floppy disk.
- Install an operating system from a network-based installation server. To use this option, you must configure the virtual machine with a legacy network adapter connected to an external virtual network. The external virtual network must have access to the same network as the image server.
- Click Finish.
For best performance, place the paging file from your Windows 2008 Hyper-V host machine on one physical hard disk (C:\) and the configuration and virtual hard disk files from each of your Hyper-V guest machines on another physical hard disk (D:\). Distributing workload across at least two SATA hard disks on the Windows 2008 host machine is critical for adequate system performance.
Step 8 – Install Windows OS on each Hyper-V Guest Virtual Machine
After creating each virtual machine, you will need to install a guest operating system. While it may be desirable to install Windows Server 2008 as the operating system for each guest virtual machine, I would instead suggest using Windows Server 2003 SP2 as it generally performs better in a virtual environment with limited resources.
Please be sure to install the correct version of the Windows operating system on each virtual machine. While ISA Server 2006 is a 32 bit application that may run on a 64 bit operating system, OCS 2007 R2 is a 64 bit application that requires a 64 bit operating system. Given this, the suggested OS configuration and fully qualified distinguished name (FQDN) for each virtual machine is as follows:
- ISA Server 2006 / Windows Server 2003 SP2 (x86) / ISA.contoso.com / 192.168.1.6
- OCS 2007 R2 CWA / Windows Server 2003 SP2 (x64) / CWA-R2.contoso.com / 192.168.1.12
- OCS 2007 R2 Mediation / Windows Server 2003 SP2 (x64) / Mediation-R2.contoso.com / 192.168.1.13
- OCS 2007 R2 Edge / Windows Server 2003 SP2 (x64) / Edge-R2.contoso.com / 192.168.1.2 - 192.168.1.5
- OCS 2007 R2 Front End / Windows Server 2003 SP2 (x64) / OCS-R2.contoso.com / 192.168.1.11
After installing an operating system, you will need to install Hyper-V Integration Services on each guest Virtual Machine to provide the best management experience. From the Action menu of Virtual Machine Connection, click Insert Integration Services Setup Disk (you must close the New Hardware Wizard to start the installation). The setup program should launch automatically, however it can be run manually if necessary. Within the virtual machine, simply navigate to the CD drive using Windows Explorer and launch the appropriate version of Setup.exe (x86/x64) to begin the installation.
We will configure each of the guest virtual machines later in this guide.
Configuring Exchange 2007 SP1
In addition to running Active Directory Domain Services and other domain infrastructure roles, the Windows 2008 physical host machine will host the Mailbox, Client Access, Hub Transport, and Unified Messaging server roles from Exchange 2007 SP1. The following steps will configure Exchange 2007 SP1 for both internal and external user access.
Step 1 – Install Exchange 2007 SP1 on Windows 2008 Physical Host
Since we are installing the Unified Messaging role (which can be very processor intensive), we need to install Exchange 2007 on physical hardware – which in this case also happens to be our domain controller. While most people believe that installing Exchange 2007 on a Windows domain controller is unsupported, it actually is supported – however it is not generally recommended (due to known DSAccess failover limitations in outage conditions).
A. To install Exchange 2007 SP1 on the Windows 2008 host computer
- Log in to the Windows 2008 computer using the built-in Domain Administrator account (Contoso\Administrator).
- Install the Prerequisites for supporting all Exchange 2007 server roles on Windows Server 2008.
- Insert the Exchange 2007 SP1 installation media and double-click Setup.exe.
- Select the option to Install Microsoft Exchange Server 2007 SP1.
- Click Next at the Introduction screen, then click Accept at the EULA screen. Click Next.
- At the Error Reporting screen, choose either Yes or No then click Next.
- Choose the Custom installation option and select an appropriate installation path. Click Next.
- Select the Mailbox role, the Client Access role, the Hub Transport role, and the Unified Messaging role. Click Next.
- On the Exchange Organization screen, enter the name of your Organization (or accept the default value).
- On the Client Settings screen, choose No (unless you want to support Outlook 2003 clients). Click Next.
- Unless you already have Exchange 2000/2003 in your lab, click Next on the Mail Flow settings screen.
- After completing all installation prerequisite checks successfully, click Install to begin the installation.
- Once all roles have been installed successfully, click Finish to complete the installation.
- Download and install the Latest Hotfix RollUp for Exchange 2007 SP1.
- Restart the computer.
Upon restarting the server, log in using the credentials for the built-in Domain Administrator account (i.e. Contoso\Administrator). Again, launch the Event Viewer and take a cursory glance at both the Application Log and System Log. Be sure to address any serious errors before proceeding. Also open the Services applet and verify that all Exchange services that are configured to start automatically have, in fact, started successfully.
Step 2 – Configure the Hub Transport role
After installing the Hub Transport (HT) role on an Exchange 2007 server, you will find that two SMTP Receive Connectors are created automatically during the installation process – Client and Default. Although the Default Receive Connector (used for server connections) can be configured to allow Anonymous connections from the Internet, by default it advertises the FQDN of the local machine in the SMTP protocol banner when a connecting server issues either the EHLO or HELO command, as shown below:
Advertising the FQDN of the local machine in the SMTP protocol banner is generally considered to be an unnecessary security risk. As such, many customers elect to change this value to reflect the same FQDN that is registered in their public MX record. The Default Receive Connector is a special case, however, as it is used by other Exchange servers or server roles (like Unified Messaging) for submitting email or voice mail for delivery. The FQDN advertised in the SMTP protocol banner of the Default Receive Connector should NOT be changed, as this value is used to look up the SMTPSvc ServicePrincipalName (SPN) value of the Hub Transport server during Kerberos authentication.
Additionally, for servers to successfully authenticate using X-AnonymousTLS, the SMTP service on the Hub Transport server must be bound to at least one certificate that contains the FQDN of the local machine. During the installation of the Hub Transport role, a self-signed certificate is generated containing the FQDN of the local machine. It is important to remember that even if you purchase a PKI certificate from a publicly trusted PKI provider like DigiCert or VeriSign, unless you plan to include the FQDN of the local machine in your certificate request, you should NOT remove the self-signed certificate that is enabled for SMTP.
Our next task will be to configure SMTP connectors for sending and receiving email.
A. To create a new Send Connector to be used for routing email to the Internet
- Log in to the Windows 2008 computer using the built-in Domain Administrator account (Contoso\Administrator)
- Open the Exchange Management Console, then perform the following steps:
a. Under Organization Configuration, select Hub Transport
b. In the result pane, select the Send Connectors tab - In the action pane, click New Send Connector. The New SMTP Send Connector wizard starts.
- On the Introduction page, configure the name and type of connector:
a. In the Name field, type Internet Send Connector
b. In the Select the intended use for this connector field, choose Internet. Click Next. - On the Address Space screen, click Add to add a new address space configured as follows:
a. The SMTP address type should already be selected by default.
b. In the Address field, enter a single asterisk to represent the wildcard ‘*’ character
c. Enable the option to Include all subdomains
d. Enter a Cost value of 1. Click OK then click Next. - On the Network Settings screen, choose the following options:
a. Select the option to Use DNS MX Records to route mail automatically.
b. Enable the option to Use External DNS lookup settings on the transport server. Click Next. - On the Source Server screen, click Add and select a Hub Transport server.
- Click OK then click Next.
- Click New to create the send connector
B. To modify the settings of the existing Default Receive Connector
- Open the Exchange Management Console, then perform the following steps:
a. Under Server Configuration, select Hub Transport
b. In the result pane, select the Hub Transport server
c. Click the Receive Connectors tab. - Open the properties of the existing Default {ComputerName} Receive Connector
- Under the General tab, verify that the value in Specify the FQDN this connector will provide in response to HELO and EHLO contains the FQDN of the local machine.
- Click on the Network tab
- Under Use these local IP addresses to receive mail, do the following:
a. Remove the existing value of All IPv4 Addresses listening on Port 25.
b. Click Add to specify the IPv4 address value 192.168.1.10 and Port 25 to receive email requests.
c. Remove the existing value of All IPv6 Addresses listening on Port 25.
d. Click Add to specify the IPv6 address value fe80::c0a8:010a and Port 25 to receive email requests. - Under Receive mail from remote servers that have these IP addresses, do the following:
a. Verify that the specified IPv4 address range value is 0.0.0.0 – 255.255.255.255.
b. Verify that the specified IPv6 address range value is :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- Click on the Authentication tab and verify that Exchange Server Authentication is enabled
- Click OK to complete the configuration of the Default Receive Connector
C. To create a new SMTP Receive Connector for receiving Internet email
- Open the Exchange Management Console, then perform the following steps:
a. Under Server Configuration, select Hub Transport
b. In the result pane, select the Hub Transport server
c. Click the Receive Connectors tab. - In the action pane, click New Receive Connector. The New SMTP Receive Connector wizard starts.
- On the Introduction page, configure the name and type of connector:
a. In the Name field, type Internet {ComputerName} (for example Internet EMAIL)
b. In the Select the intended use for this connector field, choose Internet. Click Next. - On the Local network settings page, click Add an IP address to receive mail.
- Select the existing value of All IP addresses listening on Port 25 and click Remove.
a. Click Add to specify binding settings for the new Receive Connector.
b. In the Add Receive Connector Binding dialog box, select Specify an IP address.
c. Enter the IP address of your server, 192.168.1.10. (Do not specify an IPv6 address here.)
d. Enter the Port to receive email requests, Port 26, then click OK.
- On the Local network settings page, in the Specify the FQDN this connector will provide in response to HELO or EHLO field, type the FQDN value of your public MX record (for example: mail.contoso.com). Click Next.
- Click New to create the new Receive Connector.
- Open the properties of the new Receive Connector.
- Click on the Authentication tab.
a. Disable the option for TLS Authentication
b. Enable the option for Basic Authentication - Click OK to complete the configuration of the new Receive Connector
Once you have completed the configuration steps for handling SMTP mail flow, restart the following services:
- Microsoft Exchange Mail Submission
- Microsoft Exchange Transport
- Microsoft Exchange Transport Log Search
Step 3 – Configure the Client Access Server role
Our next few configuration steps will be to configure the Client Access Server (CAS) role. First, we will enable RPC over HTTP so that we can use the Outlook Anywhere feature from the Internet. We will also configure each of the internal and external virtual directory URL settings for Exchange Web Services, including Exchange ActiveSync. To do all of this, we will use the Exchange Management Shell.
A. To install the RPC over the HTTP Windows Networking component in Windows Server 2008
- Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator)
- Click Start, and then click Control Panel.
- Double-click Programs and Features.
- Click Turn Windows features on or off. Server Manager opens.
- In the left pane of Server Manager, click Features.
- In the right pane, click Add Features.
- In the Add Features Wizard, click to select the RPC over HTTP Proxy check box.
- If the Add role services required for HTTP Proxy dialog box appears, click Add Required Role Services.
- Click Next.
- Read the information on the Web Server (IIS) page, and then click Next.
- On the Select Role Services page, click Next.
- On the Confirm Installation Selections page, click Install.
- When the features are installed, click Close.
B. To enable Outlook Anywhere access from the Internet
- Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
- Click Start , then All Programs, then expand Microsoft Exchange Server 2007.
- Launch the Exchange Management Shell, then enter the following command:
enable-OutlookAnywhere –ExternalHostname “mail.contoso.com” –DefaultAuthenticationMethod “Basic” -SSLOffloading:$False
C. To modify the virtual directory settings for Exchange Web Services
- Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
- Click Start , then All Programs, then expand Microsoft Exchange Server 2007.
- Launch the Exchange Management Shell, then enter each of the following commands:
get-ClientAccessServer –server {ComputerName} | set-ClientAccessServer -AutoDiscoverServiceInternalURI “https://mail.contoso.com/Autodiscover/Autodiscover.xml”
get-WebServicesVirtualDirectory –server {ComputerName} | set-WebServicesVirtualDirectory –internalURL “https://mail.contoso.com/EWS/Exchange.asmx” –externalURL “https://mail.contoso.com/EWS/Exchange.asmx” -BasicAuthentication:$true –WindowsAuthentication:$true –DigestAuthentication:$false
get-AutodiscoverVirtualDirectory –server {ComputerName} | set-AutodiscoverVirtualDirectory –internalURL “https://mail.contoso.com/Autodiscover/Autodiscover.xml” -externalURL “https://mail.contoso.com/Autodiscover/Autodiscover.xml” –BasicAuthentication:$true –WindowsAuthentication:$true –DigestAuthentication:$false
get-OWAVirtualDirectory –server {ComputerName} | set-OWAVirtualDirectory -internalURL “https://mail.contoso.com/owa” -externalURL “https://mail.contoso.com/owa” -BasicAuthentication:$true –WindowsAuthentication:$true –DigestAuthentication:$false –FormsAuthentication:$false
get-OABVirtualDirectory –server {ComputerName} | set-OABVirtualDirectory -internalURL “https://mail.contoso.com/OAB” -externalURL “https://mail.contoso.com/OAB” –WindowsAuthentication:$true –BasicAuthentication:$false –DigestAuthentication:$false -requireSSL:$true
get-UMVirtualDirectory –server {ComputerName} | set-UMVirtualDirectory -internalURL “https://mail.contoso.com/UnifiedMessaging/Service.asmx” -externalURL “https://mail.contoso.com/UnifiedMessaging/Service.asmx” -BasicAuthentication:$true –WindowsAuthentication:$true -DigestAuthentication:$false
set-ActiveSyncVirtualDirectory -Identity "{ComputerName}\Microsoft-Server-ActiveSync (Default Web Site)" – internalURL “https://mail.contoso.com/Microsoft-Server-ActiveSync” -externalURL "https://mail.contoso.com/Microsoft-Server-ActiveSync”
D. To enable SSL on the Exchange ActiveSync virtual directory in IIS
- Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
- Click Start, point to Administrative Tools, and then select Internet Information Services (IIS) Manager.
- Within the Internet Information Services (IIS) Manager, expand the Server, then expand Sites.
- Expand the Default Web Site, then select the Microsoft-Server-ActiveSync virtual directory.
- From the Features View in the center window, double-click on SSL Settings.
- Enable the options for both Require SSL and Require 128-bit SSL.
- From the Actions menu on the right, click Apply.
- Close the Internet Information Services (IIS) Manager console.
Step 4 – Configure the Unified Messaging role
Next, we will need to create the various configuration objects used by the Unified Messaging (UM) role, which is very likely the most complex role to set up. The core configuration object for Unified Messaging is the Dial Plan, which defines the expected digit pattern for user extensions. Since we will be integrating Unified Messaging with OCS 2007 R2, we will create a SIP URI Dial Plan whose users have 4 digits in their extensions.
Whenever I build a Unified Communications lab, I always configure it with the expectation that some day I may want to provide external telephone connectivity to the lab users. Since these objects will eventually be Enterprise Voice enabled within OCS 2007 R2, each configuration object will be configured with a telephone number that is correctly formatted as an E.164 dial string. With that in mind, I will use the following configuration details for each Enterprise Voice/UM enabled object in this lab:
| Name | SIP URI | UM Enabled Extension | Telephone Number | Tel URI |
| Subscriber Access | OCSSA@contoso.com | N/A | +19807760000 | +19807760000 |
| Auto Attendant | OCSAA@contoso.com | N/A | +19807769999 | +19807769999 |
| User A | UserA@contoso.com | 0001 | 0001 | +19807760001 |
| User B | UserB@contoso.com | 0002 | 0002 | +19807760002 |
A. To create and configure a UM Dial Plan
- Open the Exchange Management Console, then perform the following steps:
a. Under Organization Configuration, select Unified Messaging
b. In the result pane, select the UM Dial Plans tab
c. From the actions pane, click New UM Dial Plan. - Complete the information necessary to create a SIP enabled UM Dial Plan, which is required by OCS 2007 R2:
Name of Dial Plan : OCSDialPlan
Digits in Extension : 4
URI Type : SIP URI
VoIP Security : Secured
- Click New to create the UM Dial Plan.
- Within the Exchange Management Console, right click on the new UM Dial Plan and select Properties from the context menu.
- Click on the Subscriber Access tab. Settings in this area of Dial Plan configuration control the behavior of Outlook Voice Access.
- Add the Subscriber Access number ‘+19807760000’ to the UM Dial Plan. This is typically the number that external users will dial when accessing voice mail phone.
- Next, click on the Features tab, locate the option ‘Callers can contact’ and choose ‘Anyone in the Default Global Address List’. This allows UM enabled users to transfer or place calls to any internal 4 digit telephone number that appears within the Global Address List.
- Next, click on the Dial Rule Groups tab. Under the In Country/Region Rule Groups section of the dialog box, click Add.
In the Dialing Rule Entry dialog box, enter the following information:
Name: All
Number Mask: *
Dialed Number: *
Comment: <optional comment>
- Click OK, then under the International Rule Group section, click Add to create another Dialing Rule.
- Complete the configuration of another Dialing Rule Entry with the same options as shown above. Click OK, then click Apply.
- Next, click on the Dialing Restrictions tab, then complete the following configuration:
Allow calls to users in the same Dial Plan: Enabled
Allow calls to extensions: Enabled
Select In Country/Region Rule Groups from Dial Plan: Click Add then choose the ‘All’ Rule
Select International Rule Groups from Dial Plan: Click Add then choose the ‘All’ Rule
- Click OK to complete the configuration of the UM Dial Plan.
B. To link the Exchange 2007 server to the UM Dial Plan
- Open the Exchange Management Console, then perform the following steps:
a. Under Server Configuration, select Unified Messaging
b. In the result pane, select the Exchange 2007 server
c. From the actions pane, click Properties. - In the Properties of the Exchange 2007 server, click on the UM Settings tab.
- Click Add and select the OCSDialPlan.
- Click OK to link the new OCSDialPlan to the Exchange 2007 server.
C. To configure the UM Mailbox Policy for the OCSDialPlan
- Open the Exchange Management Console, then perform the following steps:
a. Under Organization Configuration, select Unified Messaging
b. In the result pane, select the UM Mailbox Policies tab
c. Select the OCSDialPlan, then from the actions pane, click Properties. - To relax security restrictions, click on the PIN Settings tab within the properties of the UM Mailbox Policy, then configure the following options:
Minimum PIN Length : 4
Pin Lifetime Days : Enabled/60
Previous PINs disallowed : 1
Allow common patterns : Enabled
Missed PINs before reset : 5
Missed PINs before lockout : 15
- Next, click on the Dialing Restrictions tab, then complete the following configuration:
Allow calls to users in the same Dial Plan: Enabled
Allow calls to extensions: Enabled
Select In Country/Region Rule Groups from Dial Plan: Click Add then choose the ‘All’ Rule
Select International Rule Groups from Dial Plan: Click Add then choose the ‘All’ Rule
- Click Apply then OK to complete the configuration of the UM Mailbox Policy.
D. To create and configure a UM Auto Attendant for the OCSDialPlan
- Open the Exchange Management Console, then perform the following steps:
a. Under Organization Configuration, select Unified Messaging
b. In the result pane, select the UM Auto Attendants tab
c. From the actions pane, click New UM Auto Attendant. - Complete the information necessary to create a UM Auto Attendant for the OCSDialPlan:
Name of Auto Attendant : OCSAA (no spaces!)
Associated Dial Plan : OCSDialPlan
Extension Numbers : +19807769999
Create as Enabled : Enabled
Create as Speech Enabled : Enabled
- Click New to create the UM Auto Attendant.
- Within the Exchange Management Console, right click on the new UM Auto Attendant and select Properties from the context menu.
- Click on the Features tab, locate the option ‘Callers can contact’ and choose ‘Anyone in the Default Global Address List’. This allows UM enabled users to transfer or place calls to any internal 4 digit telephone number that appears within the Global Address List.
- Next, click on the Dialing Restrictions tab, then complete the following configuration:
Allow calls to users in the same Dial Plan: Enabled
Allow calls to extensions: Enabled
Select In Country/Region Rule Groups from Dial Plan: Click Add then choose the ‘All’ Rule
Select International Rule Groups from Dial Plan: Click Add then choose the ‘All’ Rule
- Click Apply then OK to complete the configuration of the UM Auto Attendant.
Although there are a few more steps required to finalize the configuration of the Unified Messaging role, we first need to install and configure Office Communications Server 2007 R2. As such, we will complete the configuration of Unified Messaging later in this documentation.
Step 5 – Request a TLS Certificate for Exchange services
Next, we will need to request a certificate from our Enterprise CA. Since there are a number of services hosted by the Windows 2008 host computer, we will need to request a certificate that contains Subject Alternative Name (SAN) values – one entry for each host name. To do this, we will use the Exchange Management Shell.
A. To create and assign a TLS certificate for Exchange services
- Log on to the Windows 2008 computer using the built-in domain Administrator account (Contoso\Administrator)
- Click Start, then All Programs, then Microsoft Exchange Server 2007, then open the Exchange Management Shell.
- Assuming that the fully qualified distinguished name (FQDN) of the Windows 2008 host computer is email.contoso.com, enter the following command within the Exchange Management Shell to generate a new certificate request:
new-ExchangeCertificate –GenerateRequest –Path C:\ExchTLSCert.req –KeySize 1024 –subjectName “cn=email.contoso.com” –domainname email.contoso.com, mail.contoso.com, autodiscover.contoso.com, email –PrivateKeyExportable $true
- Next, within Internet Explorer, type the URL ‘https://email/certsrv’ on the address line and press Enter to connect to the Certificate Authority.
- Click Request a Certificate, then choose Advanced Certificate Request.
- Click Submit a certificate request by using a base-64 encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
- Using Windows Explorer, open the file ExchTLSCert.req using Notepad. Highlight and copy the data from ExchTLSCert.req.
- Within Internet Explorer, paste the data from UMCert.req into the Saved Request \ ‘Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7)’ field. Additionally, choose ‘Web Server’ from the drop-down list of available Certificate Templates. Click Submit.
- Upon being issued the certificate from the Certificate Authority, choose ‘DER encoded’ from the available encoding options, and choose ‘Download Certificate’. Save the certificate as ‘C:\ExchTLSCert.cer’.
- After downloading the new certificate, open the Exchange Management Shell again and enter the following command to both import and assign the UM service to the new certificate:
import-ExchangeCertificate –path C:\ExchTLSCert.cer | enable-ExchangeCertificate –Services SMTP,IIS,POP,IMAP,UM
Note: If you are prompted to replace the current certificate assigned to any of the Exchange roles, choose [A] All to replace the current certificate for all roles.
- After assigning the certificate, enter the following command to dump a list of Exchange certificates, and verify that your new certificate is correctly assigned to all five Exchange services.
Get-ExchangeCertificate | fl thumbprint,rootCAType,services,notbefore
Thumbprint : 844D0CC6857F16E9FF7BC424895C97761390E6F2
RootCAType : Enterprise
Services : IMAP, POP, UM, IIS, SMTP
NotBefore : 5/11/2009 8:35:58 PM
- Restart all Exchange services by entering the following command in the Exchange Management Shell:
get-Service *exchange* | restart-service –force
- Finally, verify that all Exchange services were restarted successfully by entering the following command in the Exchange Management Shell:
test-servicehealth
After completing these steps, you should be able to browse https://mail.contoso.com/owa from a web browser and connect successfully to Outlook Web Access. Since this FQDN appears in the list of Subject Alternative Name (SAN) values assigned to the Exchange certificate, you should not be prompted with a certificate name mismatch warning, although you may have to enter your credentials to access the web site.
Requesting a UC Certificate
Our next step will be to request a Unified Communications Certificate from a publicly trusted Certification Authority. It is recommended to use a certificate from publicly trusted CA if you plan to allow external connectivity for your lab, however, this is only technically required if you plan to enable Public IM Connectivity (PIC). Although there are a number of publicly trusted CAs that can provide a UC Certificate (i.e. VeriSign, DigiCert, GoDaddy, Thawte), I chose DigiCert to issue the UC Certificate for my lab.
Before selecting a Certification Authority to issue a UC Certificate, you should consider the following questions:
- How much does it cost to request a new UC Certificate?
- If I make a mistake, can the certificate be reissued?
- How many times can the certificate be reissued?
- Is there any cost involved with reissuing the certificate?
The reason I chose DigiCert is because they offer a very nice web interface for creating a UC Certificate for Exchange 2007, and they allow unlimited corrections/modifications during the lifetime of the certificate. As such, the following step-by-step instructions will describe how to request a UC Certificate from DigiCert.
Please note that while Exchange Server 2007 supports the use of Wildcard Certificates, Office Communications Server 2007 R2 supports either Single Name certificates or Unified Communictions/SAN Certificates – not wildcard certificates! And even though you may choose to use an alternate provider, the DigiCert CSR Command Wizard can still be used to generate the certificate request (unless you’re a PowerShell ace and don’t need the help of a pretty interface).
Step 1 – Request a UC Certificate from a publicly trusted CA
A. To request a UC Certificate from a publicly trusted Certification Authority
- Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
- Launch your web browser and navigate to https://www.digicert.com/easy-csr/exchange2007.htm.
- Complete the SSL CSR Command Wizard using the following certificate details:
| Common Name: | sip.contoso.com |
| Subject Alternative Names: | sip.contoso.com
mail.contoso.com
autodiscover.contoso.com
cwa.contoso.com
as.cwa.contoso.com
download.cwa.contoso.com |
| Organization: | <Legal Name of registered owner of the domain> |
| Department: | <blank> |
| City: | <Your City> |
| State: | <Your State> |
| Country: | <Your Country> |
| Key Size: | 1024 |
- Click Generate to create the command that will be used to generate the request from your Exchange 2007 server.
New-ExchangeCertificate -GenerateRequest -Path c:\sip_contoso_com.csr -KeySize 1024 -SubjectName "c=US, s=South Carolina, l=MyCity, o=David Howe, cn=sip.contoso.com" -DomainName sip.contoso.com, mail.contoso.com, autodiscover.contoso.com, cwa.contoso.com, as.cwa.contoso.com, download.cwa.contoso.com -PrivateKeyExportable $True
- Next click Start, then All Programs, then Microsoft Exchange Server 2007, then open the Exchange Management Shell.
- Copy the command generated by the SSL CSR Command Wizard, and paste it into the Exchange Management Shell:
- After creating the certificate request, open your web browser and navigate to the web site of your chosen publicly trusted Certification Authority. Choose the option to purchase a new Unified Communications (UC) or SAN Certificate.
- Choose Unified Communications/SAN certificate, the lifetime (expiry) of the certificate, and your payment preference.
- Next, complete the registration process for creating a new account with the provider.
- Next, enter the company on behalf of whom you are requesting this certificate, or choose the default value (the name used to register the new account with the provider).
- Next, click Start, then All Programs, then Accessories, then launch Notepad. Open the certificate request file C:\sip_contoso_com.csr, and then highlight and copy the Base-64-encoded content.
- Next, paste the Base-64-encoded data into the Certificate Signing Request field from your provider’s web page, and choose Microsoft Exchange Server as the server software.
- From the information provided in the Base-64-encoded data from your certificate request, verify that the Organization information for the certificate is correct (highlighted in yellow below). This value should be the legal name of the company or individual who appears as the registered owner of the domain in the WHOIS database.
Note: The CA provider will verify this information before issuing the certificate.
- Next, verify your contact information, which will be used to contact you to verify your order and to request proof of ID.
- Finally, verify your payment information and submit your order.
- Upon verifying your legal identification as the owner of the registered domain, your certificate (as well as the certificate of the issuing CA) will be issued and emailed to you.
Step 2 – Import the issued UC Certificate into the certificate store of the Exchange server
Now that we have received our issued UC Certificate, our next step is to import it into the certificate store of our Windows 2008 physical host computer (Exchange server). It is important to note that this certificate will not be used on this computer; rather, our UC Certificate will be assigned to both our ISA 2006 server and to each of the external interfaces of our OCS 2007 R2 Edge server. Since the certificate was requested from this computer, however, it must first be imported on this computer before it can be used elsewhere.
A. To import a UC Certificate from a publicly trusted Certification Authority
- Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
- Extract the certificate package (zip file) as provided by your Certification Authority to C:\Certificates.
- Next click Start, then All Programs, then Microsoft Exchange Server 2007, then open the Exchange Management Shell.
- Within the Exchange Management Shell, type cd C:\Certificates and then press Enter.
- Again within the Exchange Management Shell, type import-exchangecertificate –path c:\certificates\sip_contoso_com.cer to import the certificate into the local computer’s certificate store. Note the thumbprint value of the certificate.
- To verify that the certificate was properly imported, type get-exchangecertificate –thumbprint F92984F6873C7726683BBC7E80F8BA090CA25E61 | fl within the Exchange Management Shell. Note that there are no services assigned to this certificate (expected).
Step 3 – Export the issued UC Certificate with Private Key
Now that our UC Certificate has been properly imported into the certificate store of the requesting computer, it can be exported to be used on other servers. For the purposes of our lab, internal resources like our Exchange server and OCS Pool will be secured using internally issued certificates while external resources like OCS Edge services and web sites published by ISA server will be secured using our external issued certificate.
A. To export a certificate with Private Key from local certificate store
- Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
- Click Start, then Run. Type mmc.exe and press Enter to launch the Microsoft Management Console.
- From within the Management Console, click File, then Add/Remove Snap-in…
- Within the Add/Remove Snap-in dialog box, click Add.
- Select the Certificates snap-in, then click Add.
- When prompted to choose which for which account to manage certificates, choose the Computer account. Click Next.
- When prompted to choose which computer to manage, choose Local Computer, then click Finish.
- Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
- Expand Certificates (Local Computer), then expand the Personal certificate store.
- Click on Certificates, then locate and select the UC Certificate that was issued by your public Certification Authority.
- From the menu bar click Action, then All Tasks, then select Export.
- At the Welcome to the Certificate Export Wizard screen, click Next.
- At the Export with Private Key screen, choose Yes, export the private key. Click Next.
- At the Export Format settings, choose Personal Information Exchange – PKCS #12 (.PFX). Be sure to also select the option Include all certificates in the certification path if possible, then click Next.
- Enter a Password for the export file, then click Next.
- Enter an Export Filename (i.e., c:\Certificates\sip_contoso_com_exported.pfx) and click Next.
- Click Finish to complete the certificate export.
Step 4 – Export a copy of the certificate from the internal Certification Authority
Since neither the ISA 2006 server nor the OCS 2007 R2 Edge server will be joined to the Contoso domain, neither server will trust certificates issued by our internal Certification Authority. As such, we will need to export a copy of the certificate of our internal Certification Authority so that it can be imported on both the ISA 2006 server and the OCS 2007 R2 Edge server.
A. To export a copy of the certificate from the internal Certification Authority
- Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
- Click Start, then Run. Type mmc.exe and press Enter to launch the Microsoft Management Console.
- From within the Management Console, click File, then Add/Remove Snap-in…
- Within the Add/Remove Snap-in dialog box, click Add.
- Select the Certificates snap-in, then click Add.
- When prompted to choose which for which account to manage certificates, choose the Computer account. Click Next.
- When prompted to choose which computer to manage, choose Local Computer, then click Finish.
- Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
- Expand Certificates (Local Computer), then expand the Trusted Root Certification Authorities certificate store.
- Click on Certificates, then locate and select the certificate that was issued to your Enterprise CA (ContosoCA)
- From the menu bar click Action, then All Tasks, then select Export.
- At the Welcome to the Certificate Export Wizard screen, click Next.
- At the Export Format settings, choose DER encoded binary X.509 (.CER) then click Next.
- Enter an export filename (i.e., c:\Certificates\ContosoCA.cer) and click Next.
- Click Finish to complete the certificate export.
Step 5 – Remove the UC Certificate from the Exchange server
Next, we will remove the certificate from our publicly trusted Certification Authority from the Exchange server. Since OWA traffic will route inbound via ISA, and since inbound SMTP connections from the Internet will not be secured using TLS, this certificate is unneeded on the Exchange server. Unless you have a specific reason for leaving it on the Exchange server (for example, if you plan to directly service inbound OWA requests without using a reverse proxy like ISA server), I suggest removing the certificate to reduce overall complexity.
A. To remove the UC Certificate from the Exchange server
- Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
- Click Start, then All Programs, then Microsoft Exchange Server 2007, then open the Exchange Management Shell.
- Within the Exchange Management Shell, type remove-exchangecertificate –thumbprint F92984F6873C7726683BBC7E80F8BA090CA25E61 and then press Enter. Choose A to remove the certificate for all services.
- Close the Exchange Management Shell.
Configuring OCS 2007 R2 Front End
Having completed the installation of Exchange 2007 SP1, we now need to focus on installing Office Communications Server 2007. We will start by installing the Standard Edition Front End server role.
Step 1 – Connect to the Virtual Machine that will host the OCS 2007 R2 Front End server
Our first task will be to configure one of the virtual machines to host the OCS 2007 R2 Front End server role. To do this, we will need to connect to the Windows 2008 host computer and launch the Server Manager console. Expand the Hyper-V role, and verify that the virtual machine for the OCS Front End server was created with the following specifications:
| Role | OCS 2007 R2 Front End |
| Memory | 1024MB |
| Network | One (1) Virtual NIC |
| Hard Disk | 16GB Virtual Hard Disk |
| OS Version | Windows Server 2003 SP2 (x64) |
| FQDN | OCS-R2.contoso.com (domain-joined) |
| IP Address | 192.168.1.11 |
To configure the server, double-click on the Front End virtual server within the Hyper-V section of the Server Manager console.
Step 2 – Run Prep Schema for OCS 2007 R2
Our next task will be to prepare the Active Directory schema for Office Communications Server 2007 R2.
A. Prepare the Active Directory schema
- Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
- Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
- Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
- Any machine running the Setup for the first time will be prompted to install the Microsoft Visual C++ SP1 Redistributable and Microsoft .NET Framework 3.5 SP1. Choose Yes.
- On the Deployment Wizard page, click Prepare Active Directory.
- On the Prepare Active Directory for Office Communications Server page, next to Step 1: Prep Schema, click Run.
- On the Welcome page, click Next.
- Note the Warning you receive concerning your data in the System container and the recommendation for using the Configuration container in Active Directory. Unless you have a specific reason for using the System container, choose the Configuration naming context to store your Global Settings.
- Click OK on the Warning.
- On the Directory Location of Schema Files page, click Next.
- On the Ready to Prepare Schema page, click Next.
- On the Completion page, select the View the log when you click Finish check box, and then click Finish.
- Switch to the Deployment Log.
- On the far right, click Expand All.
- In the Execution Result column, to confirm that the Prep Schema operation completed successfully, verify that each task’s result is Success. Close the Deployment Log window.
Step 3 – Run Prep Forest for OCS 2007 R2
After successfully extending our schema, the next step is to prepare the Active Directory forest for Office Communications Server 2007 R2.
A. Prepare the Active Directory forest
- Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
- Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
- Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
- On the Deployment Wizard page, next to Step 3: Prep Forest, click Run.
- On the Welcome page, click Next.
- On the Select Location to Store Global Settings page, Click Next.
- On the Location of Universal Groups page, verify that contoso.com is selected in the Domain drop-down list, and then click Next.
- On the SIP domain used for default routing page, verify that contoso.com is selected in the Select SIP domain drop-down list, and then click Next.
- On the Ready to Prepare Forest page, click Next.
- On the Completion page, select the View the log when you click Finish check box, and then click Finish.
- Switch to the Deployment Log.
- On the far right, click Expand All.
- In the Execution Result column, to confirm that the Prep Forest operation completed successfully, verify that each task’s result is Success. Close the Deployment Log window.
B. Modify membership of RTCUniversalServerAdmins group
- Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
- Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- Expand the domain contoso.com, then click on the Users container.
- Locate and open the properties of the RTCUniversalServerAdmins group.
- Click on the Members tab.
- Verify that the built-in Domain Administrator account (Contoso\Administrator) is a member of this group, otherwise Add it.
- Click OK to complete the configuration of the RTCUniversalServerAdmins group.
- Close Active Directory Users and Computers.
Step 4 – Run Prep Domain for OCS 2007 R2
Next, we need to prepare the Active Directory domain for Office Communications Server 2007 R2.
A. Prepare the Active Directory domain
- Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
- Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
- Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
- On the Prepare Active Directory page, next to Step 5: Prep Current Domain, click Run.
- On the Welcome Screen, Click Next to Continue.
- On the next screen that provides Domain Preparation Information, read the excerpt provided and Click Next to Continue.
- You are now ready to prepare the domain. Because we have only one domain and are running this step in contoso.com, our current settings will display as contoso.com. Click Next to Continue.
- On the Completion page, select the View the log when you click Finish check box, and then click Finish.
- Switch to the Deployment Log.
- On the far right, click Expand All.
- In the Execution Result column, to confirm that the Prep Forest operation completed successfully, verify that each task’s result is Success. Close the Deployment Log window.
Step 5 – Install Internet Information Services 6.0 for Windows 2003
In addition to hosting Web Components, the OCS 2007 R2 Standard Edition Front End server role now supports several telephony related applications such as Dial-In Conferencing, Outside Voice Control, and Response Groups. As such, we will need to install IIS 6.0 before installing the Front End server role.
A. To install Internet Information Services 6.0
- Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
- Open the Control Panel and launch Add/Remove Programs.
- Click Add/Remove Windows Components.
- In the Components list box, click Application Server.
- Click Details.
- Click Internet Information Services Manager.
- Click Details to select the World Wide Web Publishing Service, Active Server Pages, and Remote Administration (HTML) components to be installed.
- Click OK until you are returned to the Windows Component Wizard.
- Click Next and complete the Windows Component Wizard.
Step 6 – Install the OCS 2007 R2 Front End server role
Having prepared Active Directory and installed IIS 6.0 on the Windows 2003 server, we are now ready to install the OCS 2007 R2 Standard Edition Front End server role. This installation will create a single-server OCS Pool, and it will install SQL Express automatically to support the three OCS 2007 R2 databases.
A. To install the OCS 2007 R2 Front End server role
- Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
- Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
- Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
- In the Deployment Wizard, click Deploy Standard Edition Server.
- On the Deploy Standard Edition Server page, next to Step 1: Deploy Server click Run.
- Notice the Warning that states the Windows Media Format Runtime is required. This is necessary for the Dial-In Conferencing component. Click OK.
- On the Welcome page, click Next.
- On the License Agreement page, select I accept the terms in the license agreement and click Next.
- On the Location for Server Files page, click Next.
- On the Application Configuration page, take notice of the new applications for OCS 2007 R2. Make sure all four boxes are checked and click Next.
- On the Main Service Account for Standard Edition Server page, create a new service account called RTCService and enter a password for the account. Click Next.
- On the Component Service Account for Standard Edition Server page, create a new service account called RTCComponentService and enter a password for the account. Click Next.
- On the Web Farm FQDNs page, enter sip.contoso.com for the external FQDN value (the internal FQDN value will be automatically populated). Click Next.
- On the Location for Database Files page, click Next.
- On the Ready to Deploy Standard Edition Server page, click Next.
- When installation has finished, select the View the log when you click Finish check box, and then click Finish.
- Switch to the Deployment Log that has opened.
- In the Action column, expand Execute Action.
- In the Execution Result column, to verify that Office Communications Server 2007 R2 was successfully installed, verify that each task’s result is Success. There may be warnings associated with the Activation.
- Investigate the individual Activation Logs and verify they report Success.
- Close the Deployment Log window.
Step 7 – Configure the OCS 2007 R2 Front End server role
Now that the OCS 2007 R2 Front End server role is installed, we need to configure it. This involves defining the various SIP domains that will be hosted by your environment and whether automatic client logon configuration will be supported.
A. To configure OCS 2007 R2 Front End server
- Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
- Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
- Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
- In the Deployment Wizard, click Deploy Standard Edition Server.
- At Configure Server, click Run.
- On the Welcome to the Configure Pool/Server Wizard page, click Next.
- On the Server or Pool to Configure page, select the server from the list, and then click Next.
- On the SIP domains page, verify that contoso.com appears in the list. If it does not, click the SIP domains in your environment box, type your SIP domain, and then click Add. Repeat these steps for all other SIP domains that the Standard Edition server will support. When you are finished, click Next.
- On the Client Logon Settings page, select the option Some or all clients will use DNS SRV records for automatic logon then click Next.
- Select the check box for the domain that will be supported by the server for automatic sign-in (contoso.com), and then click Next.
- On the External User Access Configuration page, select Do not configure for external user access now.
- When you are finished, click Next.
- On the Ready to Configure Server or Pool page, review the settings that you specified, and then click Next to configure the Standard Edition server.
- When the files have been installed and the wizard has completed, select the View the log when you click Finish check box, and then click Finish.
- In the log file, verify that <Success> appears under the Execution Result column. Look for <Success> Execution Result at the end of each task to verify Standard Edition server configuration completed successfully.
- Close the log window when you are finished.
Step 8 – Configure Certificate for OCS 2007 R2 Front End server
With the Front End server now successfully installed and configured, we now need to request and assign a certificate for it from our internal Certificate Authority. To support automatic client configuration, we will need to include a Subject Alternative Name value of sip.contoso.com in our certificate request.
A. To configure a new certificate for the Front End server
- Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
- Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
- Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
- In the Deployment Wizard, click Deploy Standard Edition Server.
- At Configure Certificate, click Run.
- On the Welcome to the Certificate Wizard page, click Next.
- On the Available Certificate Tasks page, click Create a new certificate, and then click Next.
- On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
- On the Name and Security Settings page, configure as follows:
a. Enter a meaningful name for the OCS Front End server certificate (i.e. OCSR2FrontEndCert).
b. Under Bit length, select 1024 bit length.
c. Enable the Mark cert as exportable check box.
When you are finished, click Next.
- On the Organization Information page, type or select the name of your organization and organizational unit (enter contoso.com for both entries), and then click Next.
- On the Your Server’s Subject Name page, configure as follows:
a. In Subject Name, verify that the FQDN of the OCS Front End server is displayed (i.e., OCS-R2.contoso.com)
b. In Subject Alternate Name, enter the value sip.contoso.com (for automatic client configuration).
When you are finished, click Next.
- On the Geographical Information page, enter the Country/Region, State/Province, and City/Locality. Do not use abbreviations. When you are finished, click Next.
- On the Choose a Certification Authority page, the wizard attempts to automatically detect any CAs that are published in Active Directory. Click Select a certificate authority from the list detected in your environment, and then select your certification authority (CA). Click Next.
- On the Request Summary page, review the settings that you specified, and then click Next.
- At the Assign Certificate Task screen, click the View button and verify that the Subject Name and Subject Alternative Names values are correct.
- If the Subject Name and Subject Alternative Names values are correct , click Assign.
- A dialog box appears and informs you that the settings were applied successfully. Click OK.
- Click Finish.
B. To assign the new certificate to IIS on the Front End server
- Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
- Click Start, then Programs, then Administrative Tools, and select Internet Information Services (IIS) Manager.
- Within the IIS Manager console, expand the local server, then expand Web Sites.
- Right click on the Default Web Site and choose Properties.
- Under the Web Site tab, verify that either 192.168.1.11 or (All Unassigned) is configured as the IP address for the web site.
- Click on the Directory Security tab.
- Under Secure Communications, click on Server Certificate.
- On the Welcome to the Web Server Certificate Wizard page, click Next.
- Click Assign an existing certificate, and then click Next.
- Select the certificate that you requested by using the Certificates Wizard, and then click Next.
- On the SSL Port page, verify that port 443 will be used for SSL, and then click Next.
- Review the certificate details, and then click Next to assign the certificate.
- Click Finish to exit.
- Click OK to close the Default Web Site Properties page.
Step 9 – Modify settings of OCS service accounts
When you use the OCS setup program to create the OCS service accounts, the password expiration settings for the service accounts are inherited from the domain policy settings. To prevent service startup failure due to expired passwords, we will need to change the password settings for both the RTCService and RTCComponentService accounts.
A. Change password settings for OCS service accounts
- Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
- Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- Expand the domain contoso.com, then click on the Users container.
- Locate and open the properties of the RTCService account, then click on the Account tab.
- Enable the option for Password Never Expires, and verify that Account Expires is set to Never. Click OK.
- Locate and open the properties of the RTCComponentService account, then click on the Account tab.
- Enable the option for Password Never Expires, and verify that Account Expires is set to Never. Click OK.
- Close Active Directory Users and Computers.
Step 10 – Start OCS 2007 R2 Front End services
At this point we should be ready to start services on the OCS 2007 R2 Front End server.
A. To start Front End services - Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
- Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
- Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
- In the Deployment Wizard, click Deploy Standard Edition Server.
- At Start Services, click Run.
- On the Welcome to the Start Services Wizard page, click Next.
- Click Next again to start the services.
- Verify that the View the log when you click 'Finish' check box is selected, and then click Finish.
- In the log file, verify that <Success> appears under the Execution Result column for each task, and then close the log window.
Step 11 – Install OCS 2007 R2 Administration Console
The last step of our Front End server installation involves installing the OCS Administration Console.
A. To install the administration console
- Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
- Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
- Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
- At the main deployment page, select Administrative Tools from the menu on the right.
- On the License Agreement page, click I accept the terms in the license agreement and then click Next.
- When the installation finishes, close the OCS 2007 R2 Deployment Tools.
- Click Start, then Programs, then Administrative Tools. There you will find the Office Communications Server 2007 R2 administration console as well as the Microsoft Office Communications Server 2007 R2, Communicator Web Access CWA management console.
This completes the installation of the OCS 2007 R2 Front End server role.
![clip_image002[4]](http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/IntegratingAudioCodesMP114MP118MediaGate_752A/clip_image002%5B4%5D.jpg "clip_image002[4]")
![clip_image002[6]](http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/IntegratingAudioCodesMP114MP118MediaGate_752A/clip_image002%5B6%5D.jpg "clip_image002[6]")
![clip_image002[8]](http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/IntegratingAudioCodesMP114MP118MediaGate_752A/clip_image002%5B8%5D.jpg "clip_image002[8]")
![clip_image002[10]](http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/IntegratingAudioCodesMP114MP118MediaGate_752A/clip_image002%5B10%5D.jpg "clip_image002[10]")
![clip_image002[12]](http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/IntegratingAudioCodesMP114MP118MediaGate_752A/clip_image002%5B12%5D.jpg "clip_image002[12]")
![clip_image002[14]](http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/IntegratingAudioCodesMP114MP118MediaGate_752A/clip_image002%5B14%5D.jpg "clip_image002[14]")
![clip_image002[16]](http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/IntegratingAudioCodesMP114MP118MediaGate_752A/clip_image002%5B16%5D.jpg "clip_image002[16]")
![clip_image002[18]](http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/IntegratingAudioCodesMP114MP118MediaGate_752A/clip_image002%5B18%5D.jpg "clip_image002[18]")
![clip_image002[20]](http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/IntegratingAudioCodesMP114MP118MediaGate_752A/clip_image002%5B20%5D.jpg "clip_image002[20]")
![clip_image002[22]](http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/IntegratingAudioCodesMP114MP118MediaGate_752A/clip_image002%5B22%5D.jpg "clip_image002[22]")
![clip_image002[24]](http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/IntegratingAudioCodesMP114MP118MediaGate_752A/clip_image002%5B24%5D.jpg "clip_image002[24]")
