I love OCS but it hates me

  • Question

  • I'm a newb with this software and need some ongoing help.

    My current network is:

    Internet Cloud --> (Cisco Router) 10.X.X.X --> (ISA Firewall) 192.168.X.X

    I have 1 public IP to work with and it forwards through the Cisco router to the ISA server to host email/web services.


    My goals:

    Enable IM internal/External (Public IM presence)

    Enable LiveMeeting Internal/External with anonymous access

    In the future enable Exchange UM/PSTN


    I have installed OCS Std. in the 192.168.X.X network and everything works great. I created a certificate using the internal name ocs.domain.local and used it on the OCS Std. I have a public DNS record called ocs.pubdomain.com. I have opened up the ports for Communicator on the ISA server. (I know it's not recommended, but let's move on.) Internally and externally, Communicator works flawlessly using all features.


    Now for my confusion.

    To get Public IM and anonymous Live Meeting, I have installed the OCS Std. Edge server roles. The computer is part of the domain in the 192.168.X.X network and it has another NIC that has 3 IP addresses. (I think Jeff S's blog said not to do this but I can't remember why.)


    Now for the question:

    In my network setup, how am I going to be able to use the Edge server publicly when I have a network map like the one above? Remember, I have only 1 public IP. Can I use a wildcard certificate in ISA and create another public DNS record called ocs1.pubdomain.com and have the traffic sent to the Edge server?


    Thanks!

    Friday, May 23, 2008 2:30 PM

Answers

  • Thanks :)


    As for the NIC, I guess I missed that part.  Yes, if you try to stick all IPs (internal and external) on the same physical NIC on the Edge server, prepare to have problems.  I tried that in one deployment and the Access Edge server would just not route incoming SIP traffic on to the Front-End server.  No errors, it just dropped it.  When I split the internal and external IPs onto dedicated physical NICs, and made no other configuration changes, it worked fine.  But I have heard of a few people getting that to work, so it might be hardware dependent; just be aware that a single NIC on the Edge server is not supported by Microsoft in any way.


    Regarding the certificate, the Subject Name should match the FQDN that clients use to connect to the server.  Since it sounds like you'll have an internal Edge (never seen that before), it depends on how you configure name resolution (DNS SRV records) for both internal and external clients to access the server.  You'll probably have to add the 'other' name to the SAN field (add it first in the list, just for safety), but I imagine you'll have to play around with that since it's not a supported configuration.


    Friday, May 23, 2008 3:05 PM
    Moderator
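    As an added illustration of the point above about the Subject Name and SAN (example code written for this page, not from the thread or from Microsoft): it checks whether every host that internal or external clients are pointed at by the sign-in DNS SRV records is covered by a name on the Edge certificate, including the RFC 6125 wildcard rule that matters if a wildcard certificate is used. The SRV records, target hosts and certificate names are constructed samples.

```python
"""Check that the hosts OCS clients resolve via DNS SRV are covered by the
Edge certificate's Subject Name or SAN entries (added example; all data
below is constructed, not from the thread)."""
from dataclasses import dataclass, field

# Constructed sample: the automatic sign-in SRV records for the internal
# domain and the public domain, each mapped to (target host, port).
SRV_RECORDS = {
    "_sipinternaltls._tcp.domain.local": ("ocs.domain.local", 5061),
    "_sip._tls.pubdomain.com": ("ocs1.pubdomain.com", 443),
    "_sipfederationtls._tcp.pubdomain.com": ("ocs1.pubdomain.com", 5061),
}


@dataclass
class Cert:
    """Only the identity-bearing fields of a certificate (hypothetical type)."""
    subject_cn: str
    sans: list = field(default_factory=list)

    def names(self):
        return [self.subject_cn] + list(self.sans)


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; '*' is allowed only as the
    entire leftmost label, must match exactly one label, and needs at least
    two more labels after it (so '*.com' never matches anything)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: Cert, host: str) -> bool:
    """True if the CN or any SAN entry matches the host clients connect to."""
    return any(name_matches(name, host) for name in cert.names())


def check_edge_cert(cert: Cert, srv_records=SRV_RECORDS) -> dict:
    """Map each SRV record to (target host, covered?) so gaps are visible."""
    return {srv: (target, cert_covers(cert, target))
            for srv, (target, _port) in srv_records.items()}


def uncovered_hosts(cert: Cert, srv_records=SRV_RECORDS) -> list:
    """Hosts clients will be sent to that the certificate does not name."""
    return sorted({t for t, ok in check_edge_cert(cert, srv_records).values() if not ok})
```

    A certificate issued only for the internal name leaves the public sign-in targets uncovered, which is exactly the mismatch the answer warns about; adding the public name to the SAN clears it.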

All replies

  • Jay,


    I'm a little confused on your configuration; have you deployed the Edge server in the same internal network as the Front-End server?  And if your network only has a single public IP address that you are NATing behind with ISA, then you will not be able to get full functionality out of OCS for external.  If you use NAT on the A/V Authentication IP, then Audio and Video will not function for external clients and external Live Meetings, among a few other caveats.


    To get to your list of goals, you can use NAT for the Access Edge role, which will get you IM and Presence for internal, external, federated, and PIC clients.  The Web Conferencing Edge role can also use NAT, so that gets you item #2.  And the OCS-to-Exchange UM connection is internal, so the Edge server doesn't come into play there either.


    If you can live without the A/V capabilities, and the security issues of routing traffic internally to the Front-End server as well as hosting the Edge server inside, then you should be able to get all those things.


    Friday, May 23, 2008 2:44 PM
    Moderator
  • Jeff, thanks for replying. I thought I read somewhere in the Edge deployment guide that you needed to have 2 NICs, one pointing towards the external and one pointing to the internal (not sure why that was and I may have misread), but if I understand you correctly I can install the Edge server inside the 192.168.X.X network and then publish the required ports. I will lose audio and video within Live Meeting and Communicator. Just tested Communicator and it did not work.


    This leaves me to my next question.

    When setting up the Edge server, does the certificate need to be the public DNS name or the private DNS name?


    BTW you have a great blog and keep up the good work on OCS.

    Friday, May 23, 2008 2:55 PM
  • Thanks Jeff, are you going to TechEd this year? If so, look me up in the IT HOLs.

    Friday, May 23, 2008 3:11 PM