Greetings,
I promised I would write up something on how I set up my OCS lab since so many have had issues with certificates and external web conferencing.
Hope this helps: http://jason-shave.blogspot.com/
...and in case we're not supposed to link outside the forum, here is the article:
Overall setup:
1 Edge Server
1 Standard Edition Server
1 ISA Server
Internal Domain name: contoso.local
External Domain name: contoso.com
Server names:
serverA = Standard Edition server hosting users and serving as a Director
serverB = Edge server hosting the Access, Web, and A/V roles
firewall1 = ISA Server 2006 used to reverse proxy the Web Components traffic
Certificates:
sip.contoso.com (for the external port 5061 traffic)
ocs.contoso.com (for the port 443 Web Components traffic such as Live Meeting's whiteboard functionality)
meeting.contoso.com (for the port 443 Live Meeting functionality)
serverA.contoso.local (generated by an internal certificate authority such as Microsoft Certificate services and bound to the Standard Edition Server/Director)
NOTE: The above certificate MUST have a subject alternate name of serverA.contoso.com as well (see below for more).
serverB.contoso.local (also generated by the internal CA and bound to the private interface of the Edge server)
IP Addresses:
192.168.10.100 = serverA.contoso.local
192.168.10.101 = serverB.contoso.local
10.1.1.1 = Access role on serverB.contoso.com
10.1.1.2 = Web Conferencing role on serverB.contoso.com
150.100.2.1 = ISA Server public interface (will be NAT'd to perimeter network)
150.100.2.2 = ISA Server public interface (will be NAT'd to perimeter network)
150.100.2.3 = ISA Server public interface (will be NAT'd to internal network)
10.1.1.100 = ISA perimeter network interface
192.168.10.1 = ISA Server private internal network interface
External DNS records:
"A" record for sip.contoso.com pointing to 150.100.2.1
"A" record for meeting.contoso.com pointing to 150.100.2.2
"A" record for ocs.contoso.com pointing to 150.100.2.3
"SRV" record for _sip._tls.contoso.com pointing to sip.contoso.com on port 5061
Internal DNS records:
"A" record for serverA.contoso.local
"A" record for serverB.contoso.local
"SRV" record for _sip._tls.contoso.local pointing to serverA.contoso.local on port 5061
IMPORTANT!! --> "A" record for serverA.contoso.com = 192.168.10.100
The above entry is critical since the ISA server will be performing reverse proxy HTTPS access on the public side with "ocs.contoso.com" and then establishing a new HTTPS connection with "serverA.contoso.local". The issue I ran into is that the ISA server cannot change the domain suffix from .com to .local. The host name only changes on the internal HTTPS request. What makes this VERY difficult to troubleshoot is the fact that the firewall logs show a connection to:
http://serverA.contoso.local:443/conf/int/...
If you look at the ISA alerts or the server's application log you will notice that it complains about the target name being incorrect. It's trying to connect to serverA.contoso.com and not serverA.contoso.local. The end result is an HTTP 500 on the client browser if you test the web component functionality (https://ocs.contoso.com/conf/ext/tshoot.html).
Just remember, you MUST have a subject alternate name with "serverA.contoso.com" for your internal certificate on the standard edition server.
ISA Server firewall rules:
NOTE: Rules have already been set up to NAT traffic from the perimeter network to the Internet.
- Allow OCS_SIP from External (150.100.2.1) to 10.1.1.1 via port 5061
- Allow HTTPS Server from External (150.100.2.2) to 10.1.1.2 <---NOTE this is a non-web server traffic publishing rule
- A web publishing rule for HTTPS traffic to "ocs.contoso.local" on 150.100.2.3 going to serverA.contoso.com which is actually 192.168.10.100
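As an added illustration (not part of the original post or of any Microsoft tooling), the following constructed Python script encodes the consistency check behind the "IMPORTANT" note and the web publishing rule above: the internal host name the reverse proxy connects to must have an internal A record and must be covered by the internal server's certificate subject or subject alternate names. The DNS map, rule and certificate data below are constructed from the lab description in the post.

```python
"""Consistency checks for the OCS reverse-proxy layout described above.
Added example; host names and IPs are taken from the post, the check
functions and data structures are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field


def hostname_matches(name: str, cert_names: list[str]) -> bool:
    """Match a target host name against a certificate's subject/SAN names,
    case-insensitively, allowing a wildcard only in the leftmost label."""
    name = name.lower().rstrip(".")
    for cn in cert_names:
        cn = cn.lower().rstrip(".")
        if cn == name:
            return True
        if cn.startswith("*.") and "." in name and name.split(".", 1)[1] == cn[2:]:
            return True
    return False


@dataclass
class Certificate:
    subject: str
    sans: list[str] = field(default_factory=list)

    def names(self) -> list[str]:
        return [self.subject, *self.sans]


@dataclass
class WebPublishingRule:
    public_name: str      # name clients use on the ISA external listener
    listener_ip: str      # ISA public interface the rule listens on
    internal_host: str    # host name ISA uses for the new internal HTTPS request


def check_web_publishing(rule: WebPublishingRule, internal_dns: dict[str, str],
                         cert: Certificate) -> list[str]:
    """Return the problems the internal HTTPS leg of the rule would hit."""
    problems = []
    if rule.internal_host.lower() not in internal_dns:
        problems.append(f"no internal A record for {rule.internal_host}")
    if not hostname_matches(rule.internal_host, cert.names()):
        problems.append(f"certificate names {cert.names()} do not cover {rule.internal_host}")
    return problems


# Constructed lab data matching the post: ocs.contoso.com on 150.100.2.3 -> serverA.contoso.com
RULE = WebPublishingRule("ocs.contoso.com", "150.100.2.3", "serverA.contoso.com")
BASE_DNS = {"servera.contoso.local": "192.168.10.100", "serverb.contoso.local": "192.168.10.101"}


def before_fix() -> list[str]:
    """Certificate and DNS as they were before adding the .com SAN and A record."""
    return check_web_publishing(RULE, BASE_DNS, Certificate("serverA.contoso.local"))


def after_fix() -> list[str]:
    """With the serverA.contoso.com A record and SAN added, nothing is reported."""
    dns = {**BASE_DNS, "servera.contoso.com": "192.168.10.100"}
    cert = Certificate("serverA.contoso.local", ["serverA.contoso.local", "serverA.contoso.com"])
    return check_web_publishing(RULE, dns, cert)
```

Running `before_fix()` reports both the missing A record and the certificate name mismatch, which is the "target name incorrect" condition described above; `after_fix()` returns an empty list.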
With this setup I can remotely use Office Communicator 2007 along with the Live Meeting client to establish anonymous meetings with 3rd party clients.
Cheers!
Thanks,
Jason Shave