ABS not working after Edge installation

  • Question

  • I installed Edge Access, A/V and Web Conference and altered the NAT (1-1 NAT, this should work, right?) from the front end to the edge in my firewall. Perhaps this is a stupid question, but can't external clients sync the address book from the edge server?

    /greigutt
    Friday, November 9, 2007 11:35 AM

All replies

  • In order for external clients to access and download the address book you'll need to create a Reverse HTTP Proxy rule in ISA or another firewall product publishing the default web site on your internal OCS front-end server.

    The OCS 2007 Edge Deployment Guide covers this in section 2.1. Once an external client connects to the Access Edge service it is passed the external Web Farm URL you created during Edge deployment (e.g. abs.domain.com). The external Communicator client then goes to this site for Address Book information, among a couple of other things.

    Friday, November 9, 2007 3:22 PM
    Moderator
  • Thank you, I saw that section but I guess I did not understand it. I am not sure I understand it now either. Does this mean I have to use two separate external IPs, or is the reverse proxy directing the traffic to the right server?

    /greigutt
    Monday, November 12, 2007 10:25 AM
  • The reverse HTTP proxy is configured on a separate computer from your Edge Server, either on an ISA Server or another firewall-type product.

    So the connection path would be: External client connects to Web Farm FQDN (e.g. abs.contoso.com), which resolves to an IP address on an ISA Server (NOT the Edge Server), which is passed back to the default web site on the internal OCS server.

    Monday, November 12, 2007 12:49 PM
    Moderator
  • Yes, I figured that would be the case. I guess I am a bit confused. First you have an ISA with two network cards (external and internal), then you have the Edge which also has one external and one internal interface?

    The edge documentation says:
    "When you created your Enterprise pools and Standard Edition servers, you had the option to configure an external Web farm FQDN on the Web Farm FQDNs page in the Create Pool wizard or the Deploy Server wizard." This should be a record that points to the ISA?
    But if I define an external _sip._tls that points to an ISA server, don't I have to configure the ISA to forward traffic (for example port 5061) to the edge? (I don't see this in the manual.) I must say, I don't feel very smart at the moment. Wink

    Anyway, I don't think our firewall supports reverse proxying HTTPS. We have a Checkpoint firewall, and I haven't found any options for that.

    Well, I guess three days of reading and testing is not enough to get the hang of this, or perhaps I am too stupid. Wink

    /greigutt
    Monday, November 12, 2007 1:48 PM
  • Don't feel bad, the deployment documentation is very hard to follow and jumps around a bit. It takes a little while to sink in though.

    Yes, your Edge Server is totally separate from whatever server you would use to publish the IIS Web Site on your internal OCS Server. The standard deployment recommends ISA Server 2006 as a choice, but depending on your version of Firewall-1 you may or may not be able to configure it as such. Do some research on "SSL Bridging" and "Reverse HTTP Proxy" related to Checkpoint's package and see what you can come up with.

    Monday, November 12, 2007 3:44 PM
    Moderator
  • Thank you for your answers.

    I read the edge deployment guide one more time and if I understand it right I need one _sipfederationtls._tcp.domain record, one _sip._tls.domain record, one sip.domain record, one A record that resolves the external web farm FQDN to the reverse proxy and a couple of other records for the external web farm FQDN....

    Before I read the edge deployment guide I installed the OCS Front End and configured an external SRV record _sip._tls.domain over port 5061 and IM worked externally right away. Then I installed the edge server and used the same external IP for my edge that I had previously used for the OCS. My question is this: The edge deployment guide says that the _sip._tls should use port 443, but mine is still using 5061, and it works. Anyone have a comment on this? Will it still work if I change it to 443? (Probably it will.)

    After reading the edge deployment guide one more time I believe I need two external IPs. One for the edge and one for the reverse proxy, am I right, or have I misunderstood? And if this is the case, why do I need the reverse proxy, couldn't I just use 1-1 NAT directly in to the OCS and allow traffic on port 443? Is this a security "breach", or will it not work?

    /greigutt
    Tuesday, November 13, 2007 4:50 PM
  • greigutt1 wrote:

    After reading the edge deployment guide one more time I believe I need two external IPs. One for the edge and one for the reverse proxy, am I right, or have I misunderstood? And if this is the case, why do I need the reverse proxy, couldn't I just use 1-1 NAT directly in to the OCS and allow traffic on port 443? Is this a security "breach", or will it not work?

    /greigutt

    Your Edge Access Server and Reverse HTTP Proxy are two separate physical servers. The reverse proxy would need to be set up on an ISA Server or similar device, which is separate from your physical Edge Server.

    The reverse proxy is an SSL bridge used to publish your OCS front-end default web site to the external users. You are simply allowing the external client the ability to access the internal web server over HTTPS to download the address book and meeting web directories.

    Tuesday, November 13, 2007 5:00 PM
    Moderator
  • Jeff Schertz wrote:

    Your Edge Access Server and Reverse HTTP Proxy are two separate physical servers. The reverse proxy would need to be set up on an ISA Server or similar device, which is separate from your physical Edge Server.

    The reverse proxy is an SSL bridge used to publish your OCS front-end default web site to the external users. You are simply allowing the external client the ability to access the internal web server over HTTPS to download the address book and meeting web directories.

    Yes, I know this. This is why I said I need one external IP for each of them (two external IPs). And this is why I asked if I CAN open up traffic directly to port 443 on the OCS instead of using a reverse proxy? Can I do this or will it not work? I think it will work, but is it safe?

    Before I read the edge deployment guide I installed the OCS Front End and configured an external SRV record _sip._tls.domain over port 5061 and IM worked externally right away. Then I installed the edge server and used the same external IP for my edge that I had previously used for the OCS. My question is this: The edge deployment guide says that the _sip._tls should use port 443, but mine is still using 5061, and it works. When I try to manually set 443 in the client, it will not log in. What port have you specified in the _sip._tls.domain record?

    Tuesday, November 13, 2007 5:20 PM
  • Ok, I see what you are asking now.

    You 'can' open traffic directly to port 443, but the external clients will most likely have connectivity errors related to the certificate that is assigned to the internal front-end IIS site. The SSL bridging allows for separate certificates to be used in the process as ISA will use the internally trusted certificate for the back-end connection and then present the external Communicator client with a certificate that you request from a trusted third-party issuer.

    I suggest you enable client logging in Communicator and then check your local "%userprofile%\tracings" folder as well as the Application event log to troubleshoot whether it is indeed a certificate-related error when using TCP 443.

    Tuesday, November 13, 2007 6:59 PM
    Moderator
  • Well, I got this to work, even though I am not quite sure how to assign the ports for all the roles, but I'll figure that out later...

    One more thing: Let's say I set up a reverse proxy and register a DNS record of the web farm to resolve to the reverse proxy. It is the FQDN which I can specify with lcscmd that I should use for this external record, right? Then, how does an external client know that it should connect to the web farm FQDN to get, for instance, the Address Book?

    I am still waiting for my external DNS's TTL to try it, but I must say I don't really expect it to work. Wink

    Wednesday, November 14, 2007 3:58 PM
  • greigutt1 wrote:
    One more thing: Let's say I set up a reverse proxy and register a DNS record of the web farm to resolve to the reverse proxy. It is the FQDN which I can specify with lcscmd that I should use for this external record, right? Then, how does an external client know that it should connect to the web farm FQDN to get, for instance, the Address Book?

    Yes, the "Web Farm FQDN" that the OCS setup asks for during installation is the external name of your published web site via ISA (e.g. abs.contoso.com).

    Once an external client makes a connection to the Edge Access Server via automatic SRV or A/CNAME lookup, the Access server passes the remaining configuration information "in-band" to the Communicator client.

    So in short, the Edge Access Server tells the client: "hey, go to http://abs.contoso.com/abs to download the address book."

    Wednesday, November 14, 2007 4:07 PM
    Moderator
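    The two answers above (certificate errors when the internal IIS site is exposed directly, and the external DNS layout: _sip._tls / _sipfederationtls._tcp SRV records for the Edge plus a web farm FQDN that resolves to the reverse proxy, not the Edge) can be checked mechanically. The following is an added example, not code from the thread or from Microsoft; it runs against a constructed DNS answer table, and every host name and address in it is a placeholder. The second function shows why SSL bridging matters: an internal certificate name never matches the public web farm FQDN.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    target: str  # SRV target host name
    port: int    # SRV port


def check_external_layout(sip_domain, webfarm_fqdn, edge_ip, proxy_ip, srv, a_records):
    """Return a list of findings; an empty list means the external records match the guide."""
    findings = []
    sip_key = f"_sip._tls.{sip_domain}"
    fed_key = f"_sipfederationtls._tcp.{sip_domain}"
    rec = srv.get(sip_key)
    if rec is None:
        findings.append(f"missing SRV record {sip_key}")
    else:
        if rec.port != 443:
            findings.append(f"{sip_key} uses port {rec.port}; the Edge guide specifies 443")
        if a_records.get(rec.target) != edge_ip:
            findings.append(f"{sip_key} target {rec.target} does not resolve to the Edge IP")
    if fed_key not in srv:
        findings.append(f"missing SRV record {fed_key} (needed for federation)")
    wf_ip = a_records.get(webfarm_fqdn)
    if wf_ip is None:
        findings.append(f"web farm FQDN {webfarm_fqdn} has no A record")
    elif wf_ip == edge_ip:
        findings.append(f"{webfarm_fqdn} resolves to the Edge; the reverse proxy is a separate host")
    elif wf_ip != proxy_ip:
        findings.append(f"{webfarm_fqdn} bypasses the reverse proxy; internal IIS is exposed directly")
    return findings


def cert_name_matches(fqdn, cert_names):
    """True if a subject/SAN name on the certificate covers fqdn (single-label wildcard only)."""
    fqdn = fqdn.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == fqdn:
            return True
        if name.startswith("*.") and "." in fqdn and fqdn.split(".", 1)[1] == name[2:]:
            return True
    return False


# Constructed sample: the poster's situation, where the web farm name was pointed at the Edge IP.
SRV = {"_sip._tls.contoso.com": Srv("sip.contoso.com", 5061),
       "_sipfederationtls._tcp.contoso.com": Srv("sip.contoso.com", 5061)}
A = {"sip.contoso.com": "203.0.113.10", "abs.contoso.com": "203.0.113.10"}

if __name__ == "__main__":
    for f in check_external_layout("contoso.com", "abs.contoso.com", "203.0.113.10", "203.0.113.20", SRV, A):
        print("FINDING:", f)
    print("internal cert matches public name:", cert_name_matches("abs.contoso.com", ["ocsfe01.corp.local"]))
```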
  • Thank you. I tried without a reverse proxy, and it worked. I just wanted to test if it would work, and it did..... But I guess this is a security issue...... I really don't know if this is safe at all. Wink

    Wednesday, November 14, 2007 5:27 PM
  • That configuration is no different than allowing Internet traffic to any web server internally, so no, it's not nearly as safe as using a proxy or firewall.
    Wednesday, November 14, 2007 5:50 PM
    Moderator
  • Hi, can you post here some details of how you resolved it without a reverse proxy? Are you running it through Checkpoint? I am working on a similar configuration: internal OCS server, Edge in DMZ and Checkpoint firewall. External A/V and IM are running at this point but I can't figure out how to properly set up Checkpoint for 'proxying' web on the internal OCS.

    thanks

    Thursday, January 24, 2008 10:05 AM