Edge Config

  • Question

  • We have deployed standard edition OCS in our org. We now want to bring up an Edge server that will be used for IM only. We have PIC licensing.

    After reading the documentation I'm confused about some things.

    We plan on putting the Edge server in the DMZ (no reverse proxy). I was planning on NATing the private IP to a public one and installing a publicly trusted cert from Verisign. But the docs say I must have two NICs. Is that true? Why? If I do use two NICs, I assume I assign them both private IPs and NAT the external one, and install a private cert on the private NIC and the Verisign cert on the public NIC. I really don't get it.

    Any help would be greatly appreciated.

    Thanks

    p.s. - If we decide later to do Live Meeting for external, will external users be able to see meeting content without the reverse proxy?

    Wednesday, June 25, 2008 9:48 PM

All replies

  • You do need a reverse proxy because you also need to download the address book and use Group Expansion.

    Conferencing content requires a reverse proxy also.

    The Access Proxy Edge and Conferencing Edge can work with NAT, so that is no problem.

    They do require 2 NICs because you may have unpredictable results if you don't have 2 NICs.

    You can use private IPs on both NICs and NAT the public IP (Access and Conferencing Edge only).

    A public cert on the private NIC that uses NAT is fine.

    Wednesday, June 25, 2008 10:36 PM
  • Is there no way to download the address book using the firewall only (no ISA)?

    Sorry for a stupid question, but exactly how does that limit us, for external users not being able to download the Address Book? Does that mean external users can't connect? Anyone from our org will be using VPN from external. The only real external users will be from MSN, AOL, Yahoo. Does the lack of address book affect them?

    How does someone from, say, MSN Messenger send someone in our org an IM?

    Also, currently our internal users can make IM calls using audio from the PC. Do I need the A/V function for this to work for external users?

    Thanks again

    Thursday, June 26, 2008 1:55 PM
  • akg414s wrote:

    After reading the documentation I'm confused about some things.

    I'm not surprised; some portions of the Edge Deployment Guide are quite confusing on the first few reads. I attempted to explain some of the more complicated parts in a bit more depth in this blog entry: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=19

    Thursday, June 26, 2008 3:44 PM
    Moderator
  • akg414s wrote:

    Is there no way to download the address book using the firewall only (no ISA)?

    Sorry for a stupid question, but exactly how does that limit us, for external users not being able to download the Address Book? Does that mean external users can't connect? Anyone from our org will be using VPN from external. The only real external users will be from MSN, AOL, Yahoo. Does the lack of address book affect them?

    How does someone from, say, MSN Messenger send someone in our org an IM?

    Also, currently our internal users can make IM calls using audio from the PC. Do I need the A/V function for this to work for external users?

    Thanks again

    ISA is not required (only recommended by MS) for the reverse HTTP proxy to the internal Address Book server. Search the forum for past discussion on using other firewall products to accomplish the same functionality.

    Without setting this up, all external OC client functionality will still be there, with a few exceptions: changes to the address book will not be synchronized by external clients, distribution lists in the address book cannot be expanded, and meeting content can't be downloaded.

    The Access Edge role is all that is needed to support Public IM connectivity (PIC), so yes, your corporate OCS users would be able to chat with MSN, Yahoo, and AIM contacts, assuming proper configuration and licensing.

    And yes, you'll need the A/V Conferencing Edge component in order to facilitate audio and video connections between internal and external OC clients.

    Thursday, June 26, 2008 3:54 PM
    Moderator
  • Thanks Jeff, the blog was very informative.

    Without using a reverse proxy, let's say someone from our org with Communicator installed connects from an external source (not using VPN). They will still be able to use the address book and contacts that are stored locally in the galcontacts.db file? Is that correct? It just won't download the latest. Will they get an error message about downloading the address book?

    What exactly does it mean that DLs are not expandable (without the reverse proxy)?

    With the reverse proxy, would MSN, AOL or Yahoo users somehow have access to download our address book?

    According to your blog, if I'm using the Access role only, I would need two NICs. One would have a private IP and a cert from our CA. The other would have a private IP NATed to a public IP and a public cert. The Edge server will be in a workgroup. Will it need to have access to the CRL from our CA?

    By the way, this will be running on VMware. Any thoughts about that?

    Thanks

    Thursday, June 26, 2008 6:52 PM
  • All contacts will appear, but if you were to, say, create a new user in AD, the external users won't see that person until they either use VPN or connect to the internal network to get the changes. The contact list info is stored based on SQL database info that is available in-band to the OC client.

    Meaning you can't click on a distribution list in the address book and 'expand' it to view the membership.

    No, Public IM users can't access your corporate address book; it's only for OC users.

    No, you can create a Certificate Request and transfer it to the internal CA for processing, then copy the completed request back to the Edge server for application.

    VMware...hmmm. Not supported by Microsoft, but doable. I have my personal lab running in VMware Server, but keep in mind that audio/video performance could be very poor (read: awful) depending on load. Take a look at Matt McGillen's blog entry on OCS and Virtualization for more insight.

    Thursday, June 26, 2008 10:14 PM
    Moderator
  • You can use private IPs on both NICs and NAT the public IP (Access and Conferencing Edge only).

    A public cert on the private NIC that uses NAT is fine.

    Just to clarify what I should do with certificates: the public cert on the NAT interface should have the FQDN of the interface and a SAN with the SIP domain?

    Thanks

    Monday, June 30, 2008 9:26 PM
  • The Edge Access role's certificate should include a Subject Name that matches what you will be using to connect clients.  If your SRV (or A) DNS records point to an FQDN of sip.domainname.com, then that should be your cert's SN, and then include domainname.com and any additional SIP domains in the Subject Alternative Name field (SAN).

    Tuesday, July 1, 2008 12:29 AM
    Moderator
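The naming rule in the last reply (Subject Name = the FQDN the SRV or A records point to, every SIP domain in the SAN) is easy to get wrong when a request is cut on an Edge server in a workgroup, so here is a small checker for it. This is an added example, not code from the thread or from Microsoft. It assumes the `_sip._tls.<sipdomain>` SRV record on port 443 is what external clients resolve, works on certificate data in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and uses constructed SRV answers, SIP domains and a constructed sample certificate; the hostnames are placeholders.

```python
"""Check an OCS Edge Access certificate against the DNS names clients use.

Added example, not part of the forum thread.  Encodes the rule from the final
reply: the certificate's Subject Name (CN) must equal the FQDN the SRV or A
records point to, and every SIP domain must be present in the Subject
Alternative Name field.  Certificates are handled in the dict shape returned
by ssl.SSLSocket.getpeercert(), so the same check runs against a live Edge.
All hostnames, SRV answers and the sample certificate are constructed.
"""
import socket
import ssl
from typing import Dict, List, Tuple

# Constructed SRV answers keyed by record name: (priority, weight, port, target).
# Assumption: external OC clients resolve _sip._tls.<sipdomain> on port 443.
SAMPLE_SRV: Dict[str, List[Tuple[int, int, int, str]]] = {
    "_sip._tls.contoso.com": [(10, 0, 443, "sip2.contoso.com."),
                               (0, 0, 443, "sip.contoso.com.")],
}

# Constructed certificate in getpeercert() shape: CN is the SRV target and
# the SAN list repeats it and adds the SIP domain.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Contoso"),),
                (("commonName", "sip.contoso.com"),)),
    "subjectAltName": (("DNS", "sip.contoso.com"), ("DNS", "contoso.com")),
}


def srv_target(records, name):
    """Host an SRV lookup resolves to: lowest priority wins, then highest weight."""
    answers = records.get(name)
    if not answers:
        raise LookupError(f"no SRV record for {name}")
    _prio, _weight, port, target = min(answers, key=lambda r: (r[0], -r[1]))
    return target.rstrip(".").lower(), port


def subject_cn(cert):
    """Return the Subject Name's CN from a getpeercert()-style dict ('' if absent)."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return ""


def san_dns_names(cert):
    """All DNS entries of the Subject Alternative Name extension, lower-cased."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_edge_cert(cert, edge_fqdn, sip_domains):
    """Return (ok, problems).  Exact matches only: a wildcard SAN entry is not
    treated as covering a SIP domain, so a cert relying on one gets flagged."""
    problems = []
    cn = subject_cn(cert)
    sans = san_dns_names(cert)
    if cn != edge_fqdn.lower():
        problems.append(f"subject CN {cn!r} does not match SRV target {edge_fqdn!r}")
    for domain in sip_domains:
        if domain.lower() not in sans:
            problems.append(f"SIP domain {domain!r} is missing from the SAN list")
    return (not problems, problems)


def fetch_edge_cert(host, port=443, timeout=10):
    """Pull the certificate a live Edge presents (not used in the offline demo).
    Chain verification stays on because getpeercert() returns {} when it is
    off; a public CA cert therefore works as-is, while an internal-CA cert
    needs that CA added via ctx.load_verify_locations()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name matching is done by check_edge_cert
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    fqdn, port = srv_target(SAMPLE_SRV, "_sip._tls.contoso.com")
    # Second SIP domain deliberately absent from the sample cert to show a failure.
    ok, problems = check_edge_cert(SAMPLE_CERT, fqdn, ["contoso.com", "fabrikam.com"])
    print(f"SRV -> {fqdn}:{port}; certificate ok={ok}")
    for problem in problems:
        print(" -", problem)
```

To check a deployed server, replace the sample dict with `fetch_edge_cert("sip.contoso.com")` and pass every SIP domain the Edge is authoritative for; adding a SIP domain later without reissuing the certificate is exactly the case the second assertion in the demo reproduces.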