Ideal ISA Configuration

  • Question

  • Hey everyone,

     

    First let me start by saying, I've read thousands of pages of convoluted documentation on deploying edge, ISA, etc etc etc.

    I would have never thought that OCS would be the most complicated of microsoft solutions to deploy, however here I am.

    So I'm writing in the hopes I can get some clarification on where I need to start when planning my boss' need for us to have OCS up and running ASAP with external users and all features available to external users.

     

    Here's what I've got to work with right now.

    We run a VMWare virtual server environment with great amounts of free resources available.

    I have 5 public IP addresses that I can use for all of OCS's functions.

    I run a Juniper SSG 140 firewall which our dmz and internal network traffic are filtered through.

    I have a basic install of ISA with no configuration going on, I want to use ISA ONLY for reverse proxy configurations to deploy our OCS, Exchange, and Sharepoint servers.

     

    Can someone tell me the best solution for setting up ISA for my needs? (3-leg, single nic, etc)  Remember I only want to use ISA as a reverse proxy because our Juniper router has all of our VPN and protection I could want in a device.

     

    So here I am, having deployed Office Sharepoint Server 2007, Exchange 2007, a domain migration and rename, and trying to set up OCS, I'm absolutely lost.  Can someone shrink the thousands of pages of documentation into something that's easy to swallow so I can get a starting point going here?

     

    Thanks much,

    Matt

    Thursday, February 14, 2008 2:33 AM

All replies

  • Hi Matt,

     

    I assume that you haven't installed the OCS FE server as well, so let's start from the beginning.

     

    Install FE Server:

    http://www.ocspedia.com/Install_FE.htm

     

    Configure your users for OCS and make sure they get the address book download when they log in to Office Communicator 2007

    http://www.ocspedia.com/ABS/Steps.htm

     

    Once you have made sure that the internal users can log in and download the address book and that they can expand the Exchange DL, install the edge servers

     

    recommended topologies to place the edge servers

    http://www.ocspedia.com/Edge_Server/Recommended_topo.htm

     

    step by step to install the access edge server

    http://www.ocspedia.com/Edge_Server/Deploy_AEP.htm

     

    step by step to install the a/v edge server

    http://www.ocspedia.com/Edge_Server/Deploy_AV_Edge.htm

     

    step by step to install the web conference edge server

    http://www.ocspedia.com/Edge_Server/Deploy_WebConf_Edge.htm

     

     

    After you have configured these edge servers, make sure that the external clients can log in. Now it's time to configure the reverse proxy.

     

    Follow the following steps to configure the reverse proxy

    Ram K Ojha
    MCSE 2003 (Messaging), MCTS - (LCS 2005, OCS 2007)
    http://www.ocspedia.com
    http://www.ITCentrics.com

    Thursday, February 14, 2008 6:31 AM
  • For Office Communications Server edge server deployments, a Microsoft® Internet Security and Acceleration (ISA) Server or other reverse proxy in the perimeter network is required for the following:

    ·         To enable external users to download meeting content for your meetings.

    ·         To enable external users to expand distribution groups.

    ·         To enable remote users to download files from the Address Book Service.

    The following table shows the specific directories used by the Web components. We recommend configuring your HTTP reverse proxy to use all directories.

    Table 3 Directories used by Web Components Server

    Directory                                                 Use
    https://<ExternalFQDN>/ABS/ext                            Stores Address Book Server files
    https://<ExternalFQDN>/etc/place/null                     Stores meeting content
    https://<ExternalFQDN>/GroupExpansion/ext/service.asmx    Stores distribution group expansion information

     

    The detailed steps in this section describe how to configure an ISA 2006 server as a reverse proxy. If you are using a different reverse proxy, consult the documentation for that product.

    You can use the information in this section to set up the reverse proxy, which requires completing the following procedures:

    ·         Configure the network adapter cards.

    ·         Install and configure ISA Server 2006.

    ·         Request and configure a digital certificate for SSL.

    ·         Create a Web server publishing rule and verify that the secure Web server publishing rule properties are correct.

    ·         Verify or configure authentication and certification on IIS virtual directories.

    ·         Create an external DNS entry.

    ·         Verify that you can access the Web site through the Internet.

    ISA Server uses Web publishing rules in order to securely publish internal resources, such as a meeting URL, over the Internet. Publishing information to Internet users makes computing resources inside the internal network available to users outside the network.

    Before You Begin

    When you created your Enterprise pools and Standard Edition servers, you had the option to configure an external Web farm FQDN on the Web Farm FQDNs page in the Create Pool wizard or the Deploy Server wizard. If you did not configure this URL when you ran these wizards, you need to manually configure these settings in WMI. For more information, see Appendix E, Manually Configuring the External Web Farm FQDN on Internal Standard Edition Servers or Pools.

    Configure Network Adapters

    You must assign one or more IP addresses to the external network adapter and at least one IP address to the internal network adapter. For information about deploying ISA Server with a single network adapter, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at the Microsoft TechNet Web site. This document also applies to ISA Server 2006.

    In the following procedures, the ISA Server computer has two network adapters:

    ·         A public, or external, network adapter, which is exposed to the clients that will attempt to connect to your Web site (usually over the Internet).

    ·         A private, or internal, network interface, which is exposed to the internal Web servers to which outside users will connect.

    You must assign one or more IP addresses to the external network adapter and at least one IP address to the internal network adapter.

     

    To configure the network adapter cards on the reverse proxy computer

    1.      On the server running ISA Server 2006, open Network Connections. Click Start, point to Settings, and then click Network Connections.

    2.      Right-click the external network connection to be used for the external interface, and then click Properties.

    3.      On the Properties page, click the General tab, click Internet Protocol (TCP/IP) in the This connection uses the following items list, and then click Properties.

    4.      On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses and DNS server addresses as appropriate for the network to which the network adapter is attached.

    5.      Click OK twice.

    6.      In Network Connections, right-click the internal network connection to be used for the internal interface, and then click Properties. Repeat steps 3 through 5 to configure the internal network connection.

    Install ISA Server 2006

    ·         Install ISA Server 2006 according to the setup instructions included with the product. For more information about installing ISA Server, see Microsoft ISA Server 2006 - Getting Started at the Microsoft TechNet Web site.

    Note

    After completing ISA Server setup, a default access rule denying traffic to all network resources is present. You will need to configure your firewall rules as defined in the previous procedure.


     

     

    Thursday, February 14, 2008 6:33 AM
  • Request and Configure a Certificate for Your Reverse HTTP Proxy

    The root certification authority (CA) certificate for the CA that issued the server certificate on the Web server (the IIS server running your Office Communications Server Web components) needs to be installed on the server running ISA Server 2006. This certificate should match the published FQDN of the external Web farm where you are hosting meeting content and Address Book files.

    ·         You must install a Web server certificate on your ISA Server. This certificate should match the published FQDN of your external Web farm where you are hosting meeting content and Address Book files.

    ·         If your internal deployment consists of more than one Standard Edition server or Enterprise pool, you must configure Web publishing rules for each external Web farm FQDN.

    Configure Web Publishing Rules

    Use the following procedure to create Web publishing rules.

    Note

    This procedure assumes ISA Server 2006 Standard Edition has been installed.


     

     

    To create a Web server publishing rule on the ISA Server 2006 computer

    1.      Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.

    2.      In the left pane, expand ServerName, right-click Firewall Policy, point to New, and then click Web Site Publishing Rule.

    3.      On the Welcome to the New Web Publishing Rule page, enter a friendly name for the publishing rule, and then click Next. For example, the name of the rule could be OfficeCommunicationsWebDownloadsRule.

    4.      On the Select Rule Action page, select Allow, and then click Next.

    5.      On the Publishing Type page, select Publish a single Web site or load balancer, and then click Next.

    6.      On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm, and click Next.

    7.      On the Internal Publishing Details page, enter the FQDN of the internal Web farm that hosts your meeting content and Address Book content in the Internal Site name box, and then click Next. Select from the following options:

    Note

    The ISA Server must be able to resolve the FQDN to the IP address of the internal Web server. If the ISA Server is not able to resolve the FQDN to the proper IP address, you can select Use a computer name or IP address to connect to the published server, and then in the Computer name or IP address box, enter the IP address of the internal Web server. If you do this, you must ensure that the ISA Server has port 53 opened and can reach an internal DNS server or a DNS server that resides in the perimeter network.


     

     

    ·         If your internal server is a Standard Edition, this FQDN is the Standard Edition server FQDN.

    ·         If your internal server is an Enterprise pool, this FQDN is the internal Web farm FQDN.

    ·         On the Internal Publishing Details page, in the Path (optional) box, enter /* as the path of the folder to be published, and then click Next.

    Note

    In the Web site publishing wizard you can only specify one path. Additional paths can be added by modifying the properties of the rule.


     

     

    8.      On the Publish Name Details page, confirm that This domain name is selected for Accept Requests for, type the external Web farm FQDN in the Public Name box, and click Next.

    9.      On Select Web Listener page, click New to create a new Web listener. This opens the New Web Listener Definition Wizard.

    10.   On the Welcome to the New Web Listener Wizard page, type a name for the Web listener in the Web listener name box, and then click Next. For example, type Web Servers.

    11.   On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.

    12.   On the Web Listener IP Address page, select External, and then click Select IP Addresses.

    13.   On the External Listener IP selection page, select Specified IP address on the ISA Server computer in the selected network, select the appropriate IP address, click Add, and then click OK.

    14.   Click Next.

    15.   On the Listener SSL Certificates page, select Assign a certificate for each IP address, select the IP address you just added, and then click Select Certificate.

    16.   On the Select Certificate page, select the certificate that matches the public name specified in step 9, click Select, and then click Next.

    17.   On the Authentication Setting page, select No Authentication, and then click Next.

    18.   On the Single Sign On Setting page, click Next.

    19.   On the Completing the Web Listener Wizard page, review the Web listener settings, and then click Finish.

    20.   Click Next.

    21.   On the Authentication Delegation page, select No delegation, but client may authenticate directly, and click Next.

    22.   On the User Set page, click Next.

    23.   On the Completing the New Web Publishing Rule Wizard page, review the Web publishing rule settings and then click Finish.

    24.   Click Apply in the details pane to save the changes and update the configuration.

    To modify the properties of the Web publishing rule

    1.      Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.

    2.      In the left pane, expand ServerName, and then click Firewall Policy.

    3.      In the details pane, right-click the secure Web server publishing rule that you created in the previous procedure (for example, OfficeCommunicationsServerExternal Rule), and then click Properties.

    4.      On the Properties page, on the From tab:

    ·         In the This rule applies to traffic from these sources list, click Anywhere, and then click Remove.

    ·         Click Add.

    ·         In the Add Network Entities dialog box, expand Networks, click External, click Add, and then click Close.

    5.      If you need to publish another path on the Web server, select the Paths tab.

    6.      Click Add, type /* for the path to be published, and then click OK.

    7.      Click Apply to save changes, and then click OK.

    8.      Click the Apply button in the details pane to save the changes and update the configuration.

    Verify or Configure Authentication and Certification on IIS Virtual Directories

    Use the following procedure to configure certification on your IIS virtual directories or verify that the certification is configured correctly.

     

    To verify or configure authentication and certification on IIS virtual directories

    Note

    Perform the following procedure on each IIS Server in your internal Office Communications Server.

    The procedure given below is for the Default Web Site in IIS.


     

     

    1.      Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

    2.      In Internet Information Services (IIS) Manager, expand ServerName, and then expand Web Sites.

    3.      Right-click <default or selected> Web Site, and then click Properties.

    4.      On the Web Site tab, ensure that the port number is 443 in the SSL port box, and then click OK.

    5.      On the Directory Security tab, click Server Certificate under Secure communications. This opens the Welcome to the Web Server Certificate Wizard.

    6.      Click Next.

    7.      On the Server Certificate page, click Assign an existing certificate, and then click Next.

    8.      On the SSL Port page, ensure that the value is 443 in the SSL port this Web site should use box, and then click Next.

    9.      On the Certificate Summary page, verify that settings are correct, and then click Next.

    10.   Click Finish.

    11.   Click OK to close the Default Web Site Properties dialog box.

    Create a DNS Record

    Create an external DNS A record pointing to the external interface of your ISA server, as described in the following section. 

    Verify Access through Your Reverse Proxy

    Use the following procedure to verify that your users can access information on the reverse proxy. You may need to complete the firewall configuration and DNS configuration before access will work correctly.

    To verify that you can access the Web site through the Internet

    1.      Deploy the Live Meeting 2007 client as described in the "Live Meeting 2007 Client Deployment Guide".

    2.      Open a Web browser, type the URLs in the Address bar that are used by clients to access the Address Book files and the Web site for Web conferencing.

    ·         For Address Book Server, type a URL similar to the following: https://externalwebfarmFQDN/abs/ext where externalwebfarmFQDN is the external FQDN of the Web farm that hosts Address Book server files. The user should receive an HTTP challenge, because directory security on the Address Book Server folder is configured to Microsoft Windows® authentication by default.

    ·         For Web conferencing, type a URL similar to the following: https://externalwebfarmFQDN/conf/ext/Tshoot.html where externalwebfarmFQDN is the external FQDN of the Web farm that hosts meeting content. This URL should display the troubleshooting page for Web conferencing.

    ·         For distribution group expansion, type a URL similar to the following: https://externalwebfarmFQDN/GroupExpansion/ext/service.asmx. The user should receive an HTTP challenge, because directory security on the distribution group expansion service is configured to Microsoft Windows® authentication by default.

    Thursday, February 14, 2008 6:35 AM
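The "Verify Access through Your Reverse Proxy" checks above can be scripted so they are repeatable after every ISA rule or IIS change. The following is an added Python example, not code from this thread, from the OCS deployment guide or from Microsoft. It encodes what the guide says each published directory should do when reached unauthenticated through the reverse proxy (a Windows authentication challenge for ABS and GroupExpansion, a served page for the Web conferencing troubleshooting page) and flags anything else, since an Address Book directory that answers 200 to an anonymous request means the publishing rule or IIS directory security is looser than the guide intends. The hostname ocsweb.example.test and the response table used when no live proxy is available are constructed for the example; cert_matches uses Python's standard TLS verification to confirm the listener certificate is valid for the published external FQDN, as the certificate section requires.

```python
"""Check the OCS Web component paths published through an ISA reverse proxy.

Added example; not from the forum thread or the OCS deployment guide.
"""
import socket
import ssl
import urllib.error
import urllib.request

# Expected unauthenticated behaviour per the guide's verification steps:
# ABS and GroupExpansion sit behind Windows authentication, so an anonymous
# GET must be challenged (HTTP 401); the troubleshooting page must be served.
EXPECTED = {
    "/abs/ext": {401},
    "/GroupExpansion/ext/service.asmx": {401},
    "/conf/ext/Tshoot.html": {200},
}


def fetch_status(url, timeout=10):
    """Return the HTTP status of a GET on url; 4xx/5xx arrive as HTTPError."""
    req = urllib.request.Request(url, headers={"User-Agent": "ocs-rp-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_paths(external_fqdn, fetch=fetch_status):
    """Map each published path to (status, ok) for the external Web farm FQDN.

    fetch is injectable so the classification can run without a live proxy.
    """
    results = {}
    for path, expected in EXPECTED.items():
        status = fetch("https://%s%s" % (external_fqdn, path))
        results[path] = (status, status in expected)
    return results


def cert_matches(external_fqdn, port=443):
    """True if the ISA listener presents a chain-valid certificate for the FQDN.

    ssl.create_default_context() verifies the chain and the host name (SAN/CN),
    which is exactly the match the guide requires for the published name.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((external_fqdn, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=external_fqdn):
                return True
    except (ssl.SSLError, OSError):
        return False


def summarize(results):
    """Return one finding line per path that did not behave as the guide expects."""
    findings = []
    for path, (status, ok) in results.items():
        if not ok:
            findings.append("%s returned HTTP %s, expected %s"
                            % (path, status, sorted(EXPECTED[path])))
    return findings


# Constructed responses (no network needed) simulating a partly misconfigured
# deployment: ABS answers anonymously and the /conf path was never published.
SIMULATED = {
    "https://ocsweb.example.test/abs/ext": 200,
    "https://ocsweb.example.test/GroupExpansion/ext/service.asmx": 401,
    "https://ocsweb.example.test/conf/ext/Tshoot.html": 404,
}


def simulated_fetch(url):
    """Stand-in for fetch_status that answers from the constructed table."""
    return SIMULATED.get(url, 404)


if __name__ == "__main__":
    # Offline run against the constructed table; swap in fetch_status and a
    # real external FQDN (and call cert_matches) for a live check.
    for line in summarize(check_paths("ocsweb.example.test", fetch=simulated_fetch)):
        print(line)
```

Run it against the real external Web farm FQDN with the default fetch_status and add a cert_matches call; an empty findings list plus a True certificate check is the state the guide's verification section describes.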
  •  DXS_Matt wrote:

    Can someone tell me the best solution for setting up ISA for my needs? (3-leg, single nic, etc)  Remember I only want to use ISA as a reverse proxy because our Juniper router has all of our VPN and protection I could want in a device.

     

    I have a couple blog entries regarding OCS & ISA; here's the most detailed of them:

    https://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=19

     

    I cover some details and configuration scenarios for ISA that are not discussed in the OCS Deployment Guides that were simply cut/pasted above.  I'm sure you've reviewed the MS guides and still have some questions.

    Friday, February 15, 2008 1:52 PM
    Moderator
  • Jeff and Ram, thanks for the information.

    I've begun digesting everything I've been seeing, however now I'm stuck and can't get past a certain point to even begin worrying about ISA.

    Here's a post on my current headache, any help would be greatly appreciated.

    http://forums.microsoft.com/unifiedcommunications/ShowPost.aspx?PostID=2862803&SiteID=57

    Thanks again,
    Matt
    Monday, February 18, 2008 2:13 PM
  • Hi Matt,

    I'm in the process of designing our OCS Edge and ISA environment.  Like you, I'm very confused with the convoluted documentation.  I noticed that your last post was back in February of 2008.  Since that time, have you been able to figure out how to design your Edge/ISA network?

    Thanks,
    Kevin
    Thursday, September 3, 2009 12:38 PM