Edge Setup in regard to Remote Site

  • Question

  • Ok, I am getting ready to deploy our OCS 2007 R2 Edge server, and I want to do a Consolidated Edge Topology. Now, our current environment consists of our main site and a couple of remote sites, each connected to each other over the internet via Site-to-Site VPN connections. Each site has its own ISA server, and so the Site-to-Site VPN connections between the sites exist between the ISA servers.

    Now, we have no DMZ per se. We have our Internal network at each site, and the Internal NIC of each ISA server is the Default Gateway for each site, respectively. There are no routers in the internal networks, only simple switches. The ISA servers have two NICs each, one for internal connectivity and the other for external connectivity.

    So far I have installed OCS 2007 R2 on a Windows Server 2003 R2 SP2 machine in our main site. After monkeying with some settings and finally getting validation to work, we can finally do conferencing, application sharing, and A/V conferencing in our internal network at our main site. We have even had our remote site users install Communicator 2007 R2 clients, as well as Live Meeting 2007, and they are able to join in the IM conferences. Additionally, if the remote users have a microphone turned on, everyone in the conference can hear the audio. However, video is another story. From our main site, we had one conference attendee turn on a webcam, and share it in the conference. The remote site user could see the video, but when she turned on her webcam and attempted to share it with us, the video feed is disconnected as soon as one of us accepts her invite. Likewise, if we attempt a P2P IM session between a main site user and a remote site user, IM works just fine, but if either party attempts to start a video call, the call is disconnected as soon as the receiving party answers the call.

    After reading several forums and articles I have come to the conclusion that we need to have an Edge server in place to gain these capabilities between our main site and remote sites, even though the remote sites are connected to us with ISA site-to-site VPNs that are configured to route (not NAT) ALL traffic between sites. I am now reading through the deployment requirements and procedures, and have some questions that I need cleared up.

    First, with our setup, can we successfully run a Consolidated Edge Topology in our environment, as opposed to the Multiple-Site with Remote Site Edge Topology? I don't want to have to put edge servers in place at our remote sites, not to mention that I don't know if I would get approval to, so I need to know if we will still be able to successfully hold A/V conferencing, as well as other multi-party meetings and conferencing, between our main site and remote sites, with only our OCS 2007 R2 server and the Consolidated Edge server located in the main site. Is this a feasible solution?

    Second, I plan on putting a third NIC in our ISA server, and setting up a new IP range (private addresses) on this third NIC. The Edge server would have one NIC connected to our Internal network, and the other NIC would be configured to connect to the ISA server on this new IP range (private addresses). In this setup, the publicly routable (external) IP addresses for each Edge role would be put on the ISA's external NIC, and would be routed to the private IPs on the Edge server. Will this successfully constitute a DMZ for OCS Edge purposes? I read in some of the Edge deployment documentation that you can have private IPs for the Access Edge role and the Web Conferencing Edge role, but that the A/V Edge server had to have a publicly routable (external) IP connected to it. Does this mean that I cannot have the publicly routable IP for the A/V Edge server on the ISA box, which then forwards the traffic to the corresponding private IP of the A/V Edge server on the Edge box?

    Third, one last thing I need clarification on: is my Consolidated Edge server supposed to be a member of my internal domain, or is it supposed to remain a WORKGROUP member?

    Thanks so much for being patient with this long post! I just needed to lay out the exact situation, so that no one is confused about how we are set up and what we are trying to do...

    v/r

    Josh Blalock
    Thursday, October 15, 2009 9:06 PM

Answers

  • 1. If each of your internal clients is connected via Site-to-Site VPN connections and has full port connectivity to the OCS server and all other client workstations, then you shouldn't need to add an Edge server to assist in proxying peer-to-peer communications.

    2. You cannot use ISA Server as a firewall to perform NAT for the A/V Edge Role; it is not a supported firewall for that scenario.

    The first 'Note' in this document states that requirement:
    http://technet.microsoft.com/en-us/library/dd441361(office.13).aspx.

    You'll have to configure the external Edge interface with a public IP address and set up the third ISA interface using a 'Route' relationship. See these related articles for more details:
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=12
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=33

    3. The Edge Server should be installed on a non-domain-connected, Workgroup server.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Saturday, October 17, 2009 12:22 PM
    Moderator
  • I have a similar setup but could never get the audio stream to connect across the ISA s2s VPN. I tried everything and ended up hitting my head against a brick wall. I'm still not precisely sure why it never worked, but Wiresharking the connection suggested audio was terminating at the remote ISA VPN interface rather than at the Communicator endpoint, essentially NATing the UDP stream instead of routing it as configured. In the end, I stuck a consolidated edge at the main office with 3 public IPs protected by Windows Firewall (not ISA) and configured group policies acting on each remote site to force the Communicator client to utilise the edge server. Not had any problems in any scenario since then. Although we restrict video by policy, during testing it also worked flawlessly in this configuration. No OCS servers, edge or otherwise, are employed at the branch offices (they are too small to justify the cost).

    (If anyone can tell me why routing across ISA didn't work, I'll happily bow to their superior knowledge!!)
    Monday, October 19, 2009 12:12 PM

All replies

  • Ok, well I am with you, Rob. I guess I will have to attempt your solution until someone out there can enlighten us as to why the A/V does not simply flow from site to site over a "Routed" relationship in ISA. So, if it wouldn't be too much trouble for you, would you mind going into some more detail and specifics about your setup, especially in regard to what group policies you used to force that particular track on each end of the main site and remote site? I would GREATLY appreciate it!

    Thanks for your articles and help, Jeff. I will start digging into them a little more. Thank you for confirming the "domain or workgroup" question, and for clarifying about the publicly routable IP address for the A/V. So, aside from those issues, will my configuration that I described above be a viable solution, even without hardware firewalls sandwiching in our "DMZ", if it can really even be called that?

    Thanks so much, both of you for your help and direction! I believe this is helping to at least get the wheels spinning and get progress made!

    v/r

    Josh
    Wednesday, October 21, 2009 3:45 PM