Mobile Communicator without OCS EDGE RRS feed

  • Question

  • Hi all

    I want to know whether it's possible to connect Windows Mobile users with OCS without having to use EDGE Server.
    The only requirement is to do instant messaging using the mobile. I'm wondering whether it's possible to do this by forwarding ports 5061 and 443 without having to install OCS EDGE Server.


    Nirmal Madhawa Thewarathanthri
    Tuesday, September 1, 2009 11:36 AM

Answers

  • Nirmal,

    Although it is possible to expose your front end server to the internet, you are taking an awfully big security risk there. There have been a few such threads on this lately on the forums, and in every one of those you will see folks recommend not doing it because of security.

    Technically you can do this, you would just expose your front end server and create a public DNS record for your pool and an SRV record:
    i.e:
    A Record:  pool.domain.com pointing to public IP
    SRV Record:  _sip._tls.domain.com pointing to pool.domain.com on 5061 (default port)
    Your certificate on the front end will have to have both the FQDN of the server (pool name if SE) and the public record name (pool.domain.com).

    Your mobile clients will also have to trust the CA that issued the cert, so if it is self signed (which may be the only way you can get both depending on naming convention of your domains) then you will have to install your CA's root certificate on any phones that need to access the service.

    Again I'd caution you strongly against doing this; you could even deploy your edge virtualized (since no voice or video) to avoid this if hardware is the reasoning.  Security should be an important focus of your environment and this is not secure.

    Hope this helps!

    -kp
    Kevin Peters MCSE/MCSA/MCTS/CCNA/Security+ blog: www.ocsguy.com
    Tuesday, September 1, 2009 2:23 PM
  • I can confirm that technically an R2 Front-End server will accept connections directly from a Communicator Mobile client.  In R2 there is no default entry in the Client Version Filter setting (as before) that specifically limited certain versions of CoMo, so the only things you'll need to do are provide access to the Front-End for mobile phones and install your internal CA certs as Kevin has mentioned.

    See this article for assistance in installing your internal CA certificate(s) on the mobile devices: http://support.microsoft.com/kb/915840

    Also, if that step proves to be overly complicated (SCMDM can help with mobile device management) then you may decide to purchase and install a third-party issued certificate on your internal Front-End server.  That is supported, but make sure you select an Issuing CA that will work for both OCS and WM purposes.

    That said, it's highly recommended to use an Edge server.  If you plan to add additional features (and you will!) in the future you'll already have a head-start.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, September 2, 2009 1:51 PM
    Moderator
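The two answers above list the prerequisites for exposing a Front-End directly: an `_sip._tls` SRV record on 5061 pointing at the public pool name, a certificate covering both the server FQDN and that public name, and a CA the phones trust. The following is an added example (not code from the thread or from Microsoft) that checks those prerequisites offline from a zone-file SRV line and the certificate's subject alternative names; the host names and CA name in it are constructed, and it does not change the advice to deploy an Edge server.

```python
import re
from dataclasses import dataclass


@dataclass
class SrvRecord:
    name: str      # e.g. _sip._tls.domain.com
    priority: int
    weight: int
    port: int
    target: str    # e.g. pool.domain.com


def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file SRV line such as
    '_sip._tls.domain.com. 600 IN SRV 0 0 5061 pool.domain.com.' (TTL optional)."""
    m = re.match(r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$",
                 line.strip(), re.I)
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    name, prio, weight, port, target = m.groups()
    return SrvRecord(name.rstrip(".").lower(), int(prio), int(weight),
                     int(port), target.rstrip(".").lower())


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: exact name, or a single '*' covering only the leftmost label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*.") and "*" not in san[2:]:
        h_labels, s_labels = host.split("."), san.split(".")
        return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]
    return False


def check_exposed_frontend(srv_line, server_fqdn, cert_sans, cert_issuer, device_trusted_cas):
    """Return a list of problems; an empty list means the DNS/certificate prerequisites are met."""
    problems = []
    srv = parse_srv(srv_line)
    if not srv.name.startswith("_sip._tls."):
        problems.append(f"SRV name {srv.name} is not _sip._tls.<sipdomain>")
    if srv.port != 5061:
        problems.append(f"SRV points at port {srv.port}; the client expects 5061 (default)")
    # The cert must cover both the Front-End's own FQDN and the public pool name the SRV targets.
    for required in (server_fqdn, srv.target):
        if not any(san_matches(s, required) for s in cert_sans):
            problems.append(f"certificate does not cover {required}")
    # Phones only accept the cert if its issuer is in their trusted root store.
    if cert_issuer not in device_trusted_cas:
        problems.append(f"issuer {cert_issuer!r} not trusted by the device; install the CA root on the phone")
    return problems
```

Run it with a constructed SRV line, the cert's SAN list and the set of CA names installed on a test phone; any entry in the returned list is a setup gap the mobile client will hit before you ever see an IM sign-in.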

All replies

  • Thanks a lot for providing me with useful information relating to opening up my Front End server.

    I'm just wondering what kind of features I will not be able to use if I use only the front end server. Is it the address book?
    Or can I use voice also if I'm connecting to my front end server using the Communicator client from outside?

    Also, please be kind enough to provide me with more information relating to the requirement of the certificate.
    Nirmal Madhawa Thewarathanthri
    Wednesday, September 2, 2009 4:21 PM
  • Regarding CoMo specifically there is no 'voice' as the phone's cellular network is used for all calls.  For external access with the standard Communicator client on workstations you will not be able to support Web Conferencing or A/V Conferencing (hence no voice) without deploying an Edge server. 

    The Address Book download happens via the separate Reverse Proxy requirement, which is independent of the Edge server anyway.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, September 2, 2009 4:37 PM
    Moderator
  • Thanks a lot for providing me with more information.
    I'm still interested regarding the certificate requirement mentioned earlier.
    What kind of certificate should be purchased if I'm buying from outside? I have already tried OCS with my internal CA and it works fine.
    Please suggest a few vendors if possible.

    Nirmal Madhawa Thewarathanthri
    Wednesday, September 2, 2009 5:41 PM