Supported Topology

  • Question

  • I am at a client site that has already installed an Office Communications 2007 Standard Edition server; they have internal instant messaging working fine along with internal conferencing. They now require external users to participate, so they have built an Access Edge server that has three NIC cards configured as follows:

    NIC1 10.0.0.231 (Access Edge)
    NIC2 10.0.0.232 (Internal)
    NIC3 10.0.0.233 (Web Conf Edge)
    NIC4 10.0.0.234 (AV Edge)

    Note: these IPs are in the internal network and not in any DMZ (they do not have a DMZ and do not want one); all NICs have the same default gateway.

    A separate certificate has been configured for each of the roles and assigned to the relevant NIC. Port 443 and port 5061 have been opened on the external firewall to the external Access Edge NIC (public IP mapped to the private IP of that NIC).

    I have run the Validation Wizard on the Edge server and this completes with a couple of warnings; nothing major seems to be noted here.

    If I try to connect to the external IP address using Office Communicator 2007 with the IP address, I receive an error stating there is an issue with the certificate. If I connect using the FQDN, I receive an error stating the server is not available.

    NOTE: the cert issued to the external interface is aespi.domainname.co.uk with a Subject Alternative Name of sip.domainname.co.uk.

    Should this topology work, or are there routing issues with having all the NICs on the same subnet?

    Thanks in advance

    Skully

    Tuesday, February 5, 2008 4:14 PM

Answers

  • Skully,

    It sounds like you have a couple of different issues going on.

    First off, the A/V Authentication Edge service needs to be on a publicly routable IP address without any Network Address Translation used. Search the forums for "STUN" and you'll see plenty of discussion and links to the deployment guides about this topic. Also, make sure you have correctly configured the default gateway when using that many interfaces.

    Second, my blog post on Edge Server Topologies covers a similar installation to the one you are looking at. Also, this other blog entry details the use of the same subnet for the internal and external interfaces as you plan to. I recommend reading through them.

    Thirdly, what is the specific error you are getting regarding the certificate? Typically I see problems when the Subject and/or SAN fields do not match the FQDN used by external DNS SRV records. When you say that you "use the FQDN and receive server unavailable errors", are you referring to using Manual Configuration? If so, make sure that you enter sip.domainname.co.uk:443 in the external server field.

    Wednesday, February 6, 2008 2:05 PM
    Moderator
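The certificate error the original poster sees when connecting by IP address, and the moderator's point that the Subject/SAN must match the FQDN the client uses, both come down to the name-matching rule a TLS client applies to the presented certificate. The Python below is an added example, not code from the thread or from Microsoft. The certificate dictionary is constructed to mirror the poster's description (Subject aespi.domainname.co.uk, SAN sip.domainname.co.uk) in the layout Python's `ssl` module returns from `getpeercert()`, and the matching follows RFC 6125: case-insensitive dNSName comparison, a wildcard honoured only as the whole leftmost label, IP literals matched only against iPAddress SAN entries, and the Subject CN consulted only when no dNSName SAN is present.

```python
"""Check whether a TLS certificate's names cover the name a client connects with.

Added example (not from the forum thread).  EDGE_CERT is CONSTRUCTED to mirror
the poster's description of the Access Edge certificate; the dict layout is the
one ssl.SSLSocket.getpeercert() returns, so cert_matches() can also be applied
to a certificate fetched from a live server with fetch_peer_cert().
"""
import ipaddress
import socket
import ssl

# Constructed peer certificate: Subject CN aespi.domainname.co.uk, one DNS SAN.
EDGE_CERT = {
    "subject": ((("commonName", "aespi.domainname.co.uk"),),),
    "subjectAltName": (("DNS", "sip.domainname.co.uk"),),
}


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, case-insensitively.

    A wildcard is accepted only when it is the entire leftmost label and at
    least two further labels follow it (RFC 6125 section 6.4.3).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> tuple[list[str], list[str]]:
    """Split the subjectAltName entries into (dns_names, ip_names)."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    return dns, ips


def cert_matches(cert: dict, target: str) -> tuple[bool, str]:
    """Decide whether `target` (hostname or IP literal) is covered by `cert`.

    Returns (matched, reason) so a troubleshooter can see why a client would
    report a certificate problem for a given connection name.
    """
    dns_names, ip_names = cert_names(cert)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal matches only an iPAddress SAN entry, never CN or dNSName.
        if any(ipaddress.ip_address(n) == ip for n in ip_names):
            return True, f"iPAddress SAN {target}"
        return False, "IP literal used but certificate has no matching iPAddress SAN"
    for name in dns_names:
        if _dns_label_match(name, target):
            return True, f"dNSName SAN {name}"
    if not dns_names:
        # CN is a fallback only for certificates without any dNSName SAN.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _dns_label_match(value, target):
                    return True, f"commonName {value}"
        return False, "no dNSName SAN and commonName does not match"
    return False, (f"dNSName SANs {dns_names} do not include {target} "
                   "(CN is ignored when dNSName SANs are present)")


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live peer certificate in getpeercert() layout for cert_matches().

    The chain is still validated (CERT_REQUIRED, the default); only Python's own
    hostname check is disabled so that the function above gives the verdict.
    getpeercert() returns a populated dict only when the chain was validated.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name in ("10.0.0.231", "sip.domainname.co.uk", "aespi.domainname.co.uk"):
        print(name, "->", cert_matches(EDGE_CERT, name))
```

Connecting with `10.0.0.231` fails because the certificate carries no iPAddress entry, which is the "issue with the certificate" the client reports; `sip.domainname.co.uk` matches the SAN, which is why the moderator asks for that name in the manual configuration. Under the RFC 6125 rule the Subject CN `aespi.domainname.co.uk` is ignored once a dNSName SAN exists, so a client applying that rule would fail on the Subject name too; whether the 2008-era Communicator client is that strict is not settled by the thread. `fetch_peer_cert` retrieves a live certificate in the same layout so it can be checked against the SRV target name published in external DNS.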

All replies

  • Well, there are a couple of problems in the mentioned scenario.

    * The A/V Edge server external interface should have the public IP address configured on it. NATing is not supported for the external interface of the A/V Edge server.

    * You should have three different FQDNs and corresponding public IP addresses.

    For more information, please visit the following pages, which deal with the details of the Edge server configuration.

    Edge Server deployment
    http://www.ocspedia.com/Edge_Srvr.htm

    Deploy Access Edge Server
    http://www.ocspedia.com/Edge_Server/Deploy_AEP.htm

    Deploy AV Edge Server
    http://www.ocspedia.com/Edge_Server/Deploy_AV_Edge.htm

    Deploy Web Conf Edge Server
    http://www.ocspedia.com/Edge_Server/Deploy_WebConf_Edge.htm

    In case you face any more problems, reply back to me.

    Ram K Ojha
    MCSE 2003 - Messaging, MCTS - (LCS 2005 & OCS 2007)
    http://www.OCSPedia.com
    http://www.ITCentrics.com

    Wednesday, February 6, 2008 1:59 AM
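Both replies insist that the A/V Edge external interface sits on a public IP with no NAT, and the moderator points at the forum's STUN threads for the background. STUN is how an endpoint learns the address the far side actually sees on its packets; when that reflexive address differs from the address configured on the interface, a NAT is rewriting traffic in the path, and the usual explanation for the OCS 2007 restriction is that the A/V Edge hands out its own configured address when it allocates relay candidates, so a private address behind a NAT is what remote clients would be told to reach. The Python below is an added example, not code from the thread or from Microsoft: it builds a constructed RFC 5389 Binding Response, parses the MAPPED-ADDRESS / XOR-MAPPED-ADDRESS attribute, and flags a NAT when the mapped address does not equal the local socket's address. The addresses used are the poster's 10.0.0.234 and a constructed public address from the 203.0.113.0/24 documentation range.

```python
"""Detect a NAT between a local interface and a STUN server from a Binding
Response (RFC 5389).  Added example; the response bytes are CONSTRUCTED with
build_binding_response(), they are not captured OCS traffic.
"""
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 header
BINDING_RESPONSE = 0x0101          # message type: Binding success response
ATTR_MAPPED_ADDRESS = 0x0001       # legacy (RFC 3489) attribute, plain address
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 attribute, XORed with the cookie


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Build a constructed IPv4 Binding Response carrying XOR-MAPPED-ADDRESS.

    A real STUN server fills ip/port with the source address it saw on the
    request, i.e. the address after any NAT in the path.
    """
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    addr = int(ipaddress.IPv4Address(ip))
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = addr ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)   # reserved, family, port, addr
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    header = struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txid
    return header + attr


def parse_mapped_address(msg: bytes) -> tuple[str, int]:
    """Return (ip, port) from a Binding Response, preferring XOR-MAPPED-ADDRESS.

    The header, magic cookie and declared length are validated before the
    attribute list is walked, so a truncated or foreign datagram is rejected.
    """
    if len(msg) < 20:
        raise ValueError("short STUN header")
    mtype, mlen, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or mtype != BINDING_RESPONSE:
        raise ValueError("not an RFC 5389 Binding Response")
    if len(msg) != 20 + mlen:
        raise ValueError("declared length does not match datagram")
    legacy = None
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        value = msg[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("attribute runs past end of message")
        if atype in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and alen == 8:
            _, family, port, addr = struct.unpack("!BBHI", value)
            if family != 0x01:
                raise ValueError("only IPv4 handled in this example")
            if atype == ATTR_XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr ^= MAGIC_COOKIE
                return str(ipaddress.IPv4Address(addr)), port
            legacy = (str(ipaddress.IPv4Address(addr)), port)
        off += 4 + ((alen + 3) & ~3)        # attribute values are padded to 4 bytes
    if legacy is None:
        raise ValueError("no mapped address attribute present")
    return legacy


def nat_in_path(local_ip: str, local_port: int, response: bytes) -> bool:
    """True when the address the far side saw differs from the local socket's."""
    return parse_mapped_address(response) != (local_ip, local_port)


if __name__ == "__main__":
    txid = bytes(range(12))
    # Constructed: the far side saw exactly the interface address -> no NAT.
    direct = build_binding_response(txid, "10.0.0.234", 3478)
    # Constructed: the far side saw a translated public address -> NAT in path.
    translated = build_binding_response(txid, "203.0.113.10", 3478)
    print("direct     NAT:", nat_in_path("10.0.0.234", 3478, direct))
    print("translated NAT:", nat_in_path("10.0.0.234", 3478, translated))
```

In the poster's layout the A/V Edge NIC holds 10.0.0.234 while the firewall presents a public address for it, so the second case is what a STUN exchange against that interface would report: the address the server believes it owns and the one the outside world can reach are not the same, which is the condition both replies say the A/V Edge does not tolerate.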
  • Thanks for this, Ram.

    One question: let's say we could provide a DMZ in the more common straight-through topology, i.e. a perimeter firewall and an internal firewall configured as below.

    Perimeter firewall

    NIC1 External public IP address
    NIC2 192.168.0.1 Connected to perimeter network

    Internal firewall

    NIC1 192.168.0.254 Connected to perimeter network
    NIC2 10.10.0.1 Connected to corp LAN

    I understand the Edge server needs a public IP address for the A/V Edge function, but what IP addresses would be valid, including default gateways, on the other three NICs if the Edge server was placed inside the perimeter network?

    What I am driving at is: should the internal NIC of the Edge server also be connected to the same perimeter subnet, or should it be directly connected to the internal corp LAN?

    Thanks in advance

    Ashley

    Wednesday, February 6, 2008 9:51 AM
  • Thanks for this reply; your messages helped me come up with a solution that was very much restricted by the client's wishes and network.

    I will post again tomorrow with the full config on how I got this working. It certainly will not be part of the Microsoft supported topology, but it works.

    Regards

    Ashley

    Wednesday, February 6, 2008 10:09 PM