HOW TO: Set up OCS/Edge in Lab RRS feed

  • General discussion

  • Greetings,

    I promised I would write up something on how I set up my OCS lab since so many have had issues with certificates and external web conferencing.

    Hope this helps: http://jason-shave.blogspot.com/

    ...and In case we're not supposed to link outside the forum here is the article:

    Overall setup:

    1 Edge Server
    1 Standard Edition Server
    1 ISA Server

    Internal Domain name: contoso.local
    External Domain name: contoso.com

    Server names:

    serverA = Standard Edition server hosting users and serving as a Director
    serverB = Edge server hosting the Access, Web, and A/V roles
    firewall1 = ISA Server 2006 used to reverse proxy the Web Components traffic


    sip.contoso.com (for the external port 5061 traffic)
    ocs.contoso.com (for the port 443 Web Components traffic such as Live Meeting's whiteboard functionality)
    meeting.contoso.com (for the port 443 Live Meeting functionality)

    serverA.contoso.local (generated by an internal certificate authority such as Microsoft Certificate services and bound to the Standard Edition Server/Director)

    NOTE: The above certificate MUST have a subject alternate name of serverA.contoso.com as well (see below for more).

    serverB.contoso.local (also generated by the internal CA and bound to the private interface of the Edge server)

    IP Addresses: = serverA.contoso.local = serverB.contoso.local = Access role on serverB.contoso.com = Web Conferencing role on serverB.contoso.com = ISA Server public interface (will be NAT'd to perimeter network) = ISA Server public interface (will be NAT'd to perimeter network) = ISA Server public interface (will be NAT'd to internal network) = ISA perimeter network interface ISA Server private internal network interface

    External DNS records:

    "A" record for sip.contoso.com pointing to
    "A" record for meeting.contoso.com pointing to
    "A" record for ocs.contoso.com pointing to
    "SRV" record for _sip._tls.contoso.com pointing to sip.contoso.com on port 5061

    Internal DNS records:

    "A" record for serverA.contoso.local
    "A" record for serverB.contoso.local
    "SRV" record for _sip._tls.contoso.local pointing to serverA.contoso.local on port 5061

    IMPORTANT!! --> "A" record for serverA.contoso.com =

    The above entry is critical since the ISA server will be performing reverse proxy HTTPS access on the public side with "ocs.contoso.com" and then establishing a new HTTPS connection with "serverA.contoso.local". The issue I ran into is that the ISA server cannot change the domain suffix from .com to .local. The host name only changes on the internal HTTPS request. What makes this VERY difficult to troubleshoot is the fact that the firewall logs show a connection to:


    If you look at the ISA alerts or the server's application log you will notice that it complains about the target name being incorrect. It's trying to connect to serverA.contoso.com and not serverA.contoso.local. The end result is an HTTP 500 on the client browser if you test the web component functionality (https://ocs.contoso.com/conf/ext/tshoot.html).

    Just remember, you MUST have a subject alternate name with "serverA.contoso.com" for your internal certificate on the standard edition server.

    ISA Server firewall rules:

    NOTE: Rules have already been set up to NAT traffic from the perimeter network to the Internet.
    • Allow OCS_SIP from External ( to via port 5061
    • Allow HTTPS Server from External ( to <---NOTE this is a non-web server traffic publishing rule
    • A web publishing rule for HTTPS traffic to "ocs.contoso.local" on going to serverA.contoso.com which is actually
    With this setup I can remotely use Office Communicator 2007 along with the Live Meeting client to establish anonymous meetings with 3rd party clients.



    Jason Shave
    Monday, October 22, 2007 4:41 PM