CWA 2007 R2 with SSO and ISA 2006 RRS feed

  • Question

  • I am attempting to setup CWA on OCS 2007 R2 using SSO and and ISA 2006 array.  I am following the technet article which details this, however in R2, it asks for the listening port.  Since I am setting up a second virtual server on my CWA server specifically for SSO, it will not let me use 5061, since it is in use by the first CWA server.  I am at a loss what to do here, any help would be appreciated.


    Thursday, March 5, 2009 5:41 PM

All replies

  • Important to remember is that Microsoft does not support CWA on the Front-End (althow documentation is not very clear and consistent on that)

    Your Front-End is listening on port 5061 so you cannot use that port to listen for incomming connections on CWA you must use another port
    The way CWA is published through ISA server is not to authenticate on ISA server but directly on the CWA box itself so SSO would be a hard thing to do, I have not tried authenticating on ISA server first. What are you actually trying to acheive for SSO?

    - Belgian Exchange Community : http://www.pro-exchange.be -
    Friday, March 6, 2009 9:02 PM
  • I don't believe his CWA is installed on the FE, but on a separate machine.  He is saying (I am seeing the same issue), that the first virtual server for internal connections has the 'Communications Server Listening Port' set to 5061, however when the second virtual server for external connections is attempted to be created, you cannot give it the same port as it says already in use. 
    Thursday, May 21, 2009 1:36 PM
  • Right, you need to give a different listening port for each. I typically set the 1st CWA virtual server to 5061 and the 2nd virtual server to 5062.

    As a side note, if you're attempting to do SSO with OWA or SharePoint you will lose some functionality of CWA R2 like the Meet Now ability for anonymous participants. If you have an internal user who tries to use Meet Now via Communicator and emails the link to an outside user they'll get a URL that looks like https://CWA-Address/join?....

    Your ISA is going to block that connection and attempt to authenticate the user if it's performing the pre-authentication. I battled with this for awhile and finally conceded to just do a SSL pass through to the CWA virtual server with FBA. In the end, the functionality was more important than providing SSO. 

    The Meet Now join URL is based off your CWA URL, so you can't really use a subdomain, which rules out a different listener with no authentication for those connections. Maybe it's possible to edit that URL in WMI, but I wasn't that adventurous.

    If you do manage a workaround for this to enable SSO and the Meet Now functionality I'd love to hear what it is.
    Thursday, May 21, 2009 6:21 PM