8/8/2019 OCS Migration
1/81
Published: July 2007
Updated: October 2007
Migrating to Microsoft Office Communications Server 2007
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or
event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any
form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows Server, Active Directory, SQL Server, and MSN are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Introduction
Terminology
Before You Begin
Planning Your Migration
Third-Party Applications
Coexistence with Live Communications Server 2005 with SP1
Phase 1: Upgrade Your Perimeter Network and Director
Overview of Steps
Step 1 Configure DNS Records for Your Edge Servers
Step 2 Configure a Reverse Proxy
Step 3 Deploy a New Edge Server
Step 4 Configure Certificates on the Internal Interface of Your Edge Servers
Step 5 Configure Certificates on the External Interface of Your Access Edge Server
Step 6 Start Services
Step 7 Configure Federation on Your Access Edge Server
Step 8 Configure Your Internal Environment to Use the New Edge Server
Step 9 Change Your Firewall Settings or DNS Settings to Use the IP Address of Your New Access Edge Server
Step 10 Validate the Configuration of Your Access Edge Server
Step 11 Test Connectivity Between Remote Users, Federated Users and Public IM Connectivity
Step 12 Deploy an Office Communications Server 2007 Director (optional)
Step 13 Remove Your Live Communications Server 2005 SP1 Director and Access Proxy
User Experience in Phase 1
Phase 2: Deploy Internal Office Communications Servers and Migrate Users
Step 2.1 Deploy Standard Edition Server or Enterprise Pool
Step 2.2 Deploy Archiving and CDR Server If Required
Step 2.3 Verify that User Replication Completed
Step 2.4 Back Up User Data on the Existing Live Communications Server 2005 with SP1
Step 2.5 Export User Data from Live Communications Server 2005 with SP1
Step 2.6 Move Users to Office Communications Server 2007
Step 2.7 Configure Users
Step 2.8 Transfer Remote Call Control Settings As Necessary
Step 2.9 Validate the Configuration and Connectivity of the Server or Pool
User Experience in Phase 2
Phase 3: Enable Pilot Users for Enhanced Presence and New Features and Deploy New Clients
Step 3.1 Enable Enhanced Presence for Your Pilot Users
Step 3.2 Deploy Office Communicator 2007 to Your Pilot Users
Step 3.3 Deploy the Live Meeting 2007 Client to Your Pilot Users
User Experience in Phase 3
Phase 4: Introduce New Edge Server Roles
User Experience in Phase 4
Phase 5: Continue Phased Migration for Additional User Groups
Phase 6: Deprecate Your Live Communications Server 2005 SP1 Servers
Remove Live Communications Server 2005 SP1 Standard Edition
Remove Live Communications Server 2005 with SP1 Enterprise Edition
Introduction
Migrating to Microsoft Office Communications Server 2007 guides you through the process of
upgrading from Microsoft Office Live Communications Server 2005 with Service Pack 1 to
Microsoft Office Communications Server 2007 and through deploying Office Communications Server
2007 in an existing Live Communications Server 2005 SP1 deployment. If you intend for your
Office Communications Server 2007 deployment to coexist with a Live Communications Server
2005 SP1 deployment, this guide includes essential information for operating such a mixed
environment.
This guide provides information specific to upgrading your existing deployment. It does not
explain how to change your existing topology. Because much of the detailed planning and
deployment information, including procedures, is provided in other Office Communications Server
2007 documentation, that information is not duplicated in this guide. When a detailed procedure
is documented elsewhere, this guide directs you to the appropriate document.
In addition to this guide, you need the following documentation:
Microsoft Office Communications Server 2007 Planning Guide
Microsoft Office Communications Server 2007 Edge Server Deployment Guide
Microsoft Office Communications Server 2007 Active Directory Guide
Microsoft Office Communications Server 2007 Enterprise Edition Deployment Guide
Microsoft Office Communications Server 2007 Standard Edition Deployment Guide
Microsoft Office Communications Server 2007 Archiving and CDR Server Deployment Guide
Microsoft Office Communicator 2007 Deployment Guide
Deploying the Microsoft Office Live Meeting 2007 Client with Office Communications Server 2007
Terminology
Anonymous user An external user who does not have credentials in Active Directory Domain Services.
A/V audio/video
Direct federation In Live Communications Server 2005, a form of federation in which two
organizations explicitly designate each other as trusted federated partners. In Office
Communications Server 2007, this term is not used; you achieve the same functionality by not
configuring your Access Edge Server to automatically discover federated partners by using DNS.
Edge server An Office Communications Server 2007 server that resides in the perimeter
network and provides connectivity for external users, federated partners, and public IM
connections. Each edge server has one or more of the following roles: Access Edge Server, Web
Conferencing Edge Server, or A/V Edge Server.
Enhanced federation In Live Communications Server 2005, an organization-to-organization
federation that uses DNS SRV resolution to identify the Access Proxy for each partner. In Office
Communications Server 2007, this term is not used. You achieve the same functionality by
configuring your Access Edge Server to use DNS to automatically discover federated partners.
External user A user who connects from outside the organization's firewall. External users
include anonymous users, federated users, and remote users.
External IP address An IP address that is accessible from the Internet or from another network
that is outside the organization.
Federated user An external user who possesses valid credentials with a federated partner and
who is therefore treated as authenticated by Office Communications Server.
Internal IP address An IP address that is accessible from the internal network of an
organization.
PSOM Persistent Shared Object Model. A custom protocol for transporting Web conferencing content.
Remote user An external user with a persistent Active Directory identity within the organization.
Side-by-side migration Deploying an upgraded software version on a separate computer from
the one that is running the original version, transferring essential data to the new computer,
making the new computer operational, and then taking the legacy computer offline. Note: Side-by-side
migration is not supported for Access Proxy and an Office Communications Server 2007
Access Edge Server.
SIP Session Initiation Protocol, a signaling protocol for Internet telephony.
Web farm A collection of server computers that host a single Web site.
Before You Begin
Ensure that Live Communications Server 2005 with SP1 servers have the following QFEs
installed in the following order:
1. QFE available from Microsoft Web site: http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=kb911996.
2. QFE available from Microsoft Web site: http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=kb921543.
These QFEs are required for coexistence with Office Communications Server 2007. They must
be installed on all Live Communications Server 2005 with SP1 servers, with the exception of the
back-end database server for an Enterprise pool.
Planning Your Migration
The only migration path, when you have Live Communications Server 2005 with SP1 Access
Proxies deployed, is to migrate your environment from the outside in. You must first replace
your Access Proxies with Office Communications Server 2007 Access Edge Servers before you
can migrate to Office Communications Server 2007 in your internal environment.
If you are running Live Communications Server 2003, you must first migrate to Live
Communications Server 2005 with SP1, and then you can migrate to Office Communications
Server 2007.
To minimize service downtime, we recommend a phased approach in which you upgrade all the
servers of a particular type at one time. The supported order is as follows:
1. Install the QFE available from the Microsoft Web site: http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=kb911996.
2. Replace Access Proxies in the perimeter network with Access Edge Servers.
3. Replace Directors.
4. Install Enterprise pools and Standard Edition servers.
5. Install Archiving and CDR Servers as necessary.
At this point, you can move some pilot users to the new deployment to test the behavior of IM
and presence.
After you have ensured that IM and presence are working correctly in your environment, you can
deploy Web Conferencing Edge Servers and A/V Edge Servers in your perimeter network. After
you have ensured that Web conferencing and A/V conferencing work properly, you can move the
rest of your users to the new deployment and take the Live Communications Server offline.
Planning your upgrade to Office Communications Server 2007 should include the following:
Understanding the basic migration process
Understanding coexistence issues
Planning user migration
Determining your requirements for additional hardware
Table 1 summarizes the phases of the migration as they are presented in this guide. The table also
notes changes to the user experience as the migration proceeds.
Table 1 Migration Phases and User Experience

Phase 1: Upgrade your perimeter network and Director
Description: Introducing new Office Communications Server 2007 Access Edge Servers and Directors into your Live Communications Server 2005 SP1 environment.
User experience: No changes. Users continue to use the Microsoft Office Communicator 2005 client and have the same IM and presence functionality.

Phase 2: Deploy internal Office Communications Servers
Description: Deploying a new Office Communications Server 2007 Enterprise pool or Standard Edition server and an Archiving and CDR Server, if required, and moving users to the new server or pool.
User experience: No changes. Users continue to use Office Communicator 2005 and have the same IM and presence functionality.

Phase 3: Enable pilot users for enhanced presence and roll out new clients
Description: Enabling selected users for enhanced presence and rolling out Microsoft Office Communicator 2007 and the Microsoft Office Live Meeting 2007 client to the pilot users.
User experience: Pilot users are able to use the full functionality of Office Communicator 2007 when they communicate with other pilot users internally. After they are enabled for enhanced presence, these users can no longer sign in to an Office Communicator 2005 client or to previous versions of Communicator Web Access or of the Communicator Mobile clients. When communicating with Office Communicator 2005 users, pilot users are able to use new features in Office Communications Server 2007. After the Live Meeting 2007 client is rolled out to your pilot users, they can participate in internal Web conferences that are hosted on your Office Communications Servers.

Phase 4: Introduce new edge server roles
Description: Deploying Web Conferencing Edge Servers and A/V Edge Servers in your perimeter network.
User experience: Pilot users are able to use the new Web conferencing and audio/video capabilities when connecting remotely.

Phase 5: Continue phased migration of additional users
Description: Enabling users for enhanced presence and rolling out Office Communicator 2007 and the Live Meeting 2007 client to the other users.
User experience: Office Communicator 2007 users are able to use the full functionality of Office Communicator 2007 when communicating with other Office Communicator 2007 users. When communicating with Office Communicator 2005 users, users of the upgraded client are not able to use new features in Office Communications Server 2007. After the Live Meeting 2007 client is rolled out, users can participate in Web conferences that are hosted on your Office Communications Server whether they are signed in internally or remotely.
Third-Party Applications
If you are running third-party applications on your Live Communications Server 2005 SP1
servers, be aware that changes have been made to the server and protocol infrastructure that
might affect these programs. You still need to test these applications to ensure that they work
properly with Office Communications Server 2007. For more information, contact the vendor of
your applications.
If you are running applications that are based on code examples from the Live Communications
Server 2005 with SP1 Software Development Kit, the applications must be updated before they will
work with Office Communications Server 2007. For more information, see the Office
Communications Server 2007 SDK documentation.
The Live Communications Server 2005 with SP1 Network of Origination Icon sample is not
supported on Office Communications Server 2007. In Office Communications Server 2007, for
federated users on a user's Contacts list, the user sees the same icon for all contacts that are
outside the organization instead of seeing the icon for the network of origin. If the user moves the
pointer over the contact in Office Communicator, the SIP URI for the federated user appears.
Coexistence with Live Communications Server 2005 with SP1
Both the Standard Edition and Enterprise Edition of Office Communications Server 2007 are
designed to coexist with Live Communications Server 2005 with SP1 Standard Edition servers
and Enterprise pools. Preparing the Active Directory for Office Communications Server also
provides backward compatibility with Live Communications Server 2005 with SP1.
If you are planning to deploy Office Communications Server 2007 in a mixed environment with
Live Communications Server 2005 with SP1, there are other issues you need to be aware of:
Every domain that contains Live Communications Server 2005 SP1 users or servers
must be prepared for Office Communications Server 2007.
Archiving services for each version are compatible only with servers of the same version.
All servers in a pool or in an edge server array must be of the same version, but
servers or pools of different versions can be connected to the same load balancer.
Users who are enabled for enhanced presence and who sign in by using Office
Communicator 2007 can no longer use Microsoft Office Communicator 2005 or the
2005 releases of Communicator Web Access and Communicator Mobile.
Additionally, such users cannot access specific components of Live Communications
Server 2005 with SP1.
The A/V conferencing features of Office Communications Server 2007 are not
available to users who are hosted on Live Communications Server 2005 with SP1 or
to any users who are using Office Communicator 2005.
For Web conferencing, only users hosted on Office Communications Server 2007 can
organize Web conference meetings. However, any user can attend, provided they
have the ability to install the Live Meeting 2007 client. For more information about
deploying Live Meeting 2007, see Deploying the Microsoft Office Live Meeting 2007
Client with Office Communications Server 2007.
The administrative snap-ins for Live Communications Server 2005 with SP1 and
Office Communications Server 2007 are not mutually compatible. Each can be used to
administer only servers of the corresponding version.
All external users, including federated users, can connect through Office
Communications Server 2007 Access Edge Servers and Directors, even if they are
hosted on Live Communications Server 2005 with SP1.
The following sections explain the implications of these issues.
Archiving Interoperability
You must archive all traffic on Office Communications Server 2007 servers by using an Office
Communications Server 2007 Archiving and CDR Server. Similarly, you must archive all traffic
on Live Communications Server 2005 SP1 servers by using the Live Communications Server
2005 with SP1 Archiving Service.
The default behavior differs between the two versions. In Office Communications Server
2007, both global archiving and individual user archiving are disabled by default, but Live
Communications Servers retain their existing global settings. This means that if archiving is
enabled in global settings on all your Live Communications Servers, this setting is retained on all
your Live Communications Server 2005 with SP1 servers.
In a coexistence scenario, conversations initiated by a user hosted on a Live Communications
Server 2005 with SP1 server use the forest-level settings enabled in the Live Communications
Server 2005 SP1 environment. Conversations initiated by a user hosted on Office
Communications Server 2007 use the global settings configured in Office Communications
Server 2007.
Note To access the global archiving settings, right-click the forest node, point to Properties,
click Global Properties, and then click the Archiving tab. For more information, see the
Microsoft Office Communications Server 2007 Administration Guide.
Using Load Balancers
Servers of different versions cannot coexist in a single pool or an edge server array. You can,
however, connect a Live Communications Server 2005 with SP1 pool and an Office
Communications Server 2007 pool to the same load balancer. For example, if you have an array
of Live Communications Server 2005 with SP1 Access Proxies attached to a load balancer, you
can also simultaneously attach an Office Communications Server 2007 edge server array to the
same load balancer.
Adding Live Communications Server 2005 SP1 Servers During Coexistence
Because Active Directory preparation is backwards compatible with the Live Communications
Server 2005 SP1 Active Directory schema, you can add new Live Communications Server 2005
with SP1 servers to any domain where domain preparation for Live Communications Server was
run before Office Communications Server 2007 Active Directory preparation.
During coexistence, if you do not run Live Communications Server 2005 Active Directory
domain preparation steps in a domain (a new domain for example) before the Office
Communications Server 2007 Active Directory preparation, you cannot install any Live
Communications Server 2005 SP1 servers.
Microsoft Office Communicator
By default, users who are homed on Office Communications Server 2007 can be enabled for
enhanced presence, but Office Communicator 2007 is required for users to take advantage of this
feature. Users who are moved from a Live Communications Server 2005 SP1 server to an Office
Communications Server 2007 can use the Microsoft Office Communicator 2005 client. Such a
user cannot, however, take advantage of the enhanced presence and A/V conferencing features of
Office Communications Server 2007.
After a user who is enabled for enhanced presence has signed in by using Office Communicator
2007, that user can no longer use Office Communicator 2005 or sign in to Live Communications
Server 2005 with SP1. Additionally, such a user can no longer sign in to Communicator Web
Access (2005 release) or to Communicator Mobile (2005 release).
If you plan to deploy in a mixed environment, you must make the appropriate clients available to
all your users. For details about migrating to the 2007 release of Communicator Web Access, see
the Microsoft Office Communicator Web Access (2007 release) Planning and Deployment
Guide.
Administrative Snap-Ins
In general, you must use the administrative snap-in that corresponds to the server version that
you want to manage. The only exception is that you use the Office Communications Server 2007
snap-in to move users from Live Communications Server 2005 with SP1 to Office
Communications Server 2007.
Use the 2005 Administrative Snap-In
To manage Live Communications Server 2005 SP1 users and servers. You can also
use Active Directory Users and Computers on Live Communications Server 2005
SP1 or on a computer with the Live Communications Server 2005 SP1 administrative
snap-in installed.
Although Office Communications Server pools are available from Live
Communications Server 2005 SP1, you should use only Office Communications
Server to move users hosted on Office Communications Server. Moving Office
Communications Server users from the 2005 administrative snap-in is not supported.
Use the 2007 Administrative Snap-In
To move Live Communications Server 2005 SP1 users to Office Communications
Server 2007.
To manage users on Office Communications Server 2007 after moving them from
Live Communications Server 2005 SP1.
To manage all Office Communications Server 2007 servers.
The Live Communications Server 2005 SP1 administrative snap-in and the Office
Communications Server 2007 administrative snap-in cannot be installed on the same computer.
External User Access
External users, such as remote users, who are hosted on Live Communications Server 2005 with
SP1 and users of Office Communicator 2005, regardless of where they are hosted, can sign in by
using the Office Communications Server 2007 Edge Servers and Directors for functionality that
is supported by Live Communications Server 2005 with SP1. These users cannot, however, take
advantage of the additional features that are offered by Office Communications Server 2007.
Phase 1: Upgrade Your Perimeter Network and Director
In the initial phase of migration, if you have deployed public IM connectivity, remote user access
or federation in your Live Communications Server 2005 SP1 environment, you begin by
deploying an Office Communications Server 2007 Edge Server. This server replaces your
existing Live Communications Server 2005 SP1 Access Proxy.
Overview of Steps
Upgrading your perimeter network involves the following steps:
1. Configure the necessary DNS records for your new edge server.
2. Deploy your Office Communications Server 2007 Access Edge Server before any
internal servers. The single-site edge topology or scaled single-site edge topology is
recommended for your initial edge deployment. This topology allows you to add a
load balancer later for growth.
Deploy the new edge server topology alongside your existing Live Communications Server
2005 SP1 Access Proxy, but do not change your firewall setting to point to the new IP
address used by the Office Communications Server 2007 edge servers until you have
completed the following steps. You must use an internal and external IP address that is
different from your existing Access Proxy.
We strongly recommend that you use the same external FQDN for your new Access Edge
Server as you did for your Live Communications Server 2005 SP1 Access Proxy. If you do
this, you can use the same certificate. If you have purchased a license for public IM
connectivity, you do not need to go through the provisioning process again. If you use a
different FQDN, you must obtain new certificates and re-provision public IM connectivity.
Additionally, you must notify any federated partners of the change to your external FQDN.
These partners can then change their configurations to point to your new FQDN to federate
with your organization; if they are using enhanced federation or an Office
Communications Server 2007 Access Edge Server with automatic DNS discovery, they can
simply add your domain on the Allow tab. Also, if you use manual configuration for your
Office Communicator clients, you must update this configuration to point to the new Access
Edge Server FQDN.
3. Configure certificates on your new Office Communications Server 2007 edge server.
This process varies depending on the following conditions:
Internal certificate configuration.
o If your organization has a firewall between the Live Communications
Server 2005 SP1 Access Proxy and your internal servers, you can use
the same certificate on the internal interface of your new Access Edge
Server as you used on the internal interface of your existing Access
Proxy.
o If your organization does not have an internal firewall, the Director or
your internal Standard Edition server or Enterprise pool that is used for
the global federation route needs to differentiate the new Access Edge
Server from the 2005 Access Proxy. To make that possible, either use a new
certificate on the Access Edge Server or update DNS settings.
o If you use a different internal FQDN on your new edge server, you must
obtain a new certificate from the certificate authority you use for
internal certificates.
External certificate configuration.
o If you use the same external FQDN for your Access Edge Server, and
do not want your Access Edge Server to be discoverable through DNS
SRV records for multiple SIP domains in your organization, you can
use the same certificate on the external interface of your Access Edge
Server as you did on your Live Communications Server 2005 Access
Proxy.
Note If your Access Edge Server is not discoverable through DNS SRV records, organizations
federating with your organization must manually add your SIP domains and your Access Edge
Server FQDN in the Allow List on their Access Edge Servers.
o If you plan to enable automatic discovery of federated domains, and you
have multiple SIP domains, you must re-issue your external certificate
with each supported SIP domain configured as sip. in the
subject alternate name.
o If you use a different external FQDN for your Access Edge Server, you
must configure a new external certificate.
4. If you plan to enable external access to on-premise Web conferences, configure an
HTTP reverse proxy for use with the Web Components. (This step is independent of
the other configuration steps and can be performed in any order relative to them.)
5. Configure your internal servers to communicate with your new Access Edge Server.
Depending on whether you have a Director deployed, you make configuration
changes in one of two ways:
If you have a Live Communications Server 2005 SP1 Director deployed, after
you deploy your Access Edge Server you can simply update your Director
settings to route external traffic to and from the new Access Edge Server.
If you do not have a Live Communications Server 2005 SP1 Director deployed,
all your internal servers and pools are routing external traffic directly to and from
the Access Proxy. After you deploy your Access Edge Server, you must
configure your internal servers and pools to route directly to the new Access
Edge Server.
6. Configure your external firewall to point to the new external IP address of the Office
Communications Server 2007 edge servers and update any required DNS settings. At
this point, all federation, remote user access, and public IM connectivity traffic traverses
the new Office Communications Server Edge Server.
These changes are transparent to your users. If problems occur, you can simply:
• Point your Director or your internal servers and pools back to the existing Live Communications Server 2005 SP1 Access Proxy.
• Point your firewall back to the external IP address of your Live Communications Server 2005 SP1 Access Proxy.
Figure 1 New Access Edge Server in Your Existing Topology
7. Test your new topology by signing in as an Office Communicator 2005 user and testing communications scenarios between internal users, remote users, federated users, and users on a public IM network (if you use public IM connectivity).
8. If you do not use a Director, skip this step. If you use a Director, after confirming that external traffic is flowing correctly from the new Access Edge Server to the Live Communications Server 2005 SP1 Director, install and configure an Office Communications Server 2007 Director so that it communicates with your new Edge Server, and configure your new Edge Server to route to the 2007 Director. Although a Director is not required, it is strongly recommended. If problems occur, you can simply point your Access Edge Server back to your existing Live Communications Server 2005 SP1 Director.
At this point, your topology should now look similar to the following:
Figure 2 New Access Edge Server and Director in Your Existing Topology
Step 1 Configure DNS Records for Your Edge Servers
Before you deploy your edge server topology, you must configure the required DNS records. The
default port for external user access has changed from port 5061 to port 443. We recommend port
443 to ensure that connectivity from Office Communicator and the Live Meeting 2007 client to
the server is not blocked by any external HTTP proxy servers or firewalls that do not allow
connectivity to 5061.
To change the remote access port from 5061 to 443, you might need to make the following changes to your existing DNS records:
• For external clients that allow Office Communications Server to configure their connection automatically, change your DNS SRV record for _sip._tls. that points to the external interface of the Access Edge Server to use port 443.
• If your external clients are manually configured, you might need to change the external server name using the Group Policy object. For more information, see the Microsoft Office Communicator 2007 Deployment Guide.
Table 2 describes the DNS records that you must configure for the external interface and the internal interface of edge servers in the single-site edge topology and the scaled single-site edge topology. If you are deploying a different topology, see the Microsoft Office Communications Server 2007 Edge Server Deployment Guide. For information about configuring these DNS records, see the documentation for your DNS server.
The following table describes the DNS records that must be configured for the external interface
and the internal interface of edge servers in the single-site edge topology.
Table 2 DNS Records for the Single-Site Edge Topology

External interface, collocated Access Edge Server:
• An external SRV record for all Access Edge Servers for _sipfederationtls._tcp., over port 5061 (where is the name of the SIP domain of your organization). This SRV record should point to an A record with the external FQDN of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each domain. This SRV record supports federation and public IM connectivity.
• A DNS SRV (service location) record for _sip._tls., over port 443 (where is the name of your organization's SIP domain). This SRV record must point to the A record of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each domain. This SRV record supports external user access through Office Communicator and the Live Meeting client.
Note: Configuring multiple SRV records for the same SIP domain is not supported. If multiple DNS records are returned to a DNS SRV query, the Access Edge Server always picks the DNS SRV record with the lowest numerical priority and highest numerical weight.
• For each supported SIP domain in your organization, an external DNS A record for sip. that points to the external interface of the Access Edge Server and resolves to the external IP address on the firewall. If you have multiple SIP domains, you need a DNS A record for each. If a client cannot perform an SRV record lookup to connect to the Access Edge Server, it uses this A record as a fallback.
• An external DNS A record that resolves the external FQDN of the Web Conferencing Edge Server to its external IP address.

External interface, reverse proxy:
• An external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy.

Internal interface, Access Edge Server:
• An internal DNS A record that resolves the internal FQDN of the Access Edge Server to its internal IP address.
The following table describes the DNS records that must be configured for the external interface
and the internal interface of edge servers in the scaled single-site edge topology.
Table 3 DNS Records for the Scaled Single-Site Edge Topology

External interface, Access Edge Server:
• An external SRV record for all Access Edge Servers for _sipfederationtls._tcp., over port 5061 (where is the name of the SIP domain of your organization). This SRV record should point to an A record that resolves the external FQDN of the Access Edge Server array to the VIP address used by the Access Edge Server array on the external load balancer. If you have multiple SIP domains, you need a DNS SRV record for each domain. This SRV record supports federation and public IM connectivity.
• A DNS SRV (service location) record for _sip._tls., over port 443 (where is the name of your organization's SIP domain). This SRV record must point to the A record of the Access Edge Server. If you have multiple SIP domains, you need a DNS SRV record for each domain. This SRV record supports external user access through Office Communicator and the Live Meeting client.
Note: Configuring multiple SRV records for the same SIP domain is not supported. If multiple DNS records are returned to a DNS SRV query, the Access Edge Server always picks the DNS SRV record with the lowest numerical priority and highest numerical weight.
• For each supported SIP domain in your organization, an external DNS A record for sip. that points to the external interface of the Access Edge Server and resolves to the external IP address on the firewall. If you have multiple SIP domains, you need a DNS A record for each. If a client cannot perform an SRV record lookup to connect to the Access Edge Server, it uses this A record as a fallback.
• An external DNS A record that resolves the external FQDN of the Web Conferencing Edge Server array to the VIP address used by the Web Conferencing Edge Server array on the external load balancer.

External interface, reverse proxy:
• An external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy.

Internal interface, Access Edge Server:
• An internal DNS A record that resolves the internal FQDN of the Access Edge Server array to the virtual IP address used by the Access Edge Servers on the internal load balancer.
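The external-interface requirements in Tables 2 and 3 (the two SRV records and their ports, the SRV selection rule in the Note, and the per-SIP-domain fallback A record) can be checked against zone data before you cut over the firewall. The following Python script is an added example, not part of this guide or of the product; contoso.com, fabrikam.com, the host names and the 203.0.113.x addresses are constructed placeholders.

```python
# Added example (not from the guide or the product): check a SIP domain's external
# DNS records against the requirements in Tables 2 and 3, applying the SRV
# selection rule from the Note (lowest numerical priority, then highest weight).
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, e.g. "_sip._tls.contoso.com"
    priority: int
    weight: int
    port: int
    target: str    # FQDN that must itself have an A record


# Constructed sample zone data. contoso.com, fabrikam.com, the host names and the
# 203.0.113.x (TEST-NET-3) addresses are placeholders, not values from the guide.
EDGE_FQDN = "sip-edge.contoso.com"   # external FQDN of the Access Edge Server
EDGE_IP = "203.0.113.10"             # external IP address on the firewall

A_RECORDS: Dict[str, str] = {
    "sip-edge.contoso.com": "203.0.113.10",
    "sip.contoso.com": "203.0.113.10",   # per-domain fallback A record (correct)
    "sip.fabrikam.com": "203.0.113.99",  # fallback points at the wrong address
}

SRV_RECORDS: List[SrvRecord] = [
    SrvRecord("_sipfederationtls._tcp.contoso.com", 0, 0, 5061, "sip-edge.contoso.com"),
    SrvRecord("_sip._tls.contoso.com", 0, 0, 443, "sip-edge.contoso.com"),
    # fabrikam.com has no federation record, and two _sip._tls records: the one the
    # edge server selects (priority 10) still carries the old port 5061.
    SrvRecord("_sip._tls.fabrikam.com", 10, 50, 5061, "sip-edge.contoso.com"),
    SrvRecord("_sip._tls.fabrikam.com", 20, 100, 443, "sip-edge.contoso.com"),
]


def select_srv(records: List[SrvRecord]) -> Optional[SrvRecord]:
    """Record the Access Edge Server uses when a query returns several:
    lowest numerical priority first, then highest numerical weight."""
    if not records:
        return None
    return min(records, key=lambda r: (r.priority, -r.weight))


def check_service(domain: str, service: str, expected_port: int,
                  srv_records: List[SrvRecord], a_records: Dict[str, str],
                  edge_fqdn: str) -> List[str]:
    """Findings for one SRV requirement (_sipfederationtls._tcp or _sip._tls)."""
    name = f"{service}.{domain}"
    matches = [r for r in srv_records if r.name == name]
    if not matches:
        return [f"{name}: missing SRV record"]
    findings = []
    if len(matches) > 1:
        findings.append(f"{name}: {len(matches)} SRV records for one SIP domain "
                        "(multiple SRV records for the same domain are not supported)")
    chosen = select_srv(matches)
    if chosen.port != expected_port:
        findings.append(f"{name}: selected SRV record uses port {chosen.port}, "
                        f"expected {expected_port}")
    if chosen.target != edge_fqdn:
        findings.append(f"{name}: target {chosen.target} is not the Access Edge Server "
                        f"FQDN {edge_fqdn}")
    if chosen.target not in a_records:
        findings.append(f"{name}: target {chosen.target} has no A record")
    return findings


def check_sip_domain(domain: str, srv_records: List[SrvRecord],
                     a_records: Dict[str, str], edge_fqdn: str, edge_ip: str) -> List[str]:
    """All findings for one SIP domain; an empty list means the records match the table."""
    findings = check_service(domain, "_sipfederationtls._tcp", 5061,
                             srv_records, a_records, edge_fqdn)
    findings += check_service(domain, "_sip._tls", 443, srv_records, a_records, edge_fqdn)
    fallback = f"sip.{domain}"   # used by clients that cannot perform an SRV lookup
    if fallback not in a_records:
        findings.append(f"{fallback}: missing fallback A record")
    elif a_records[fallback] != edge_ip:
        findings.append(f"{fallback}: resolves to {a_records[fallback]}, "
                        f"expected the edge server's external address {edge_ip}")
    return findings


if __name__ == "__main__":
    for sip_domain in ("contoso.com", "fabrikam.com"):
        result = check_sip_domain(sip_domain, SRV_RECORDS, A_RECORDS, EDGE_FQDN, EDGE_IP)
        print(f"{sip_domain}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

For a live check, replace the constructed dictionaries with the output of your DNS server's zone export or of SRV and A queries against the public resolvers your external clients use.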
Step 2 Configure a Reverse Proxy
For Office Communications Server 2007, a reverse proxy, such as that provided by Microsoft Internet Security and Acceleration (ISA) Server, is used to enable:
• External users to download meeting content for your Web conference meetings.
• Remote users to expand distribution groups.
• Remote users to download files from the Address Book Service.
This task can be performed independently of other steps in this section. For details about
deploying and configuring a reverse proxy, see the Microsoft Office Communications Server
2007 Edge Server Deployment Guide.
Step 3 Deploy a New Edge Server
If you have Live Communications Server 2005 SP1 Access Proxies deployed, you must upgrade your edge topology first in the migration process. Deploy a new Access Edge Server and a Director (if you used one) before migrating your server or pool. After your internal migration is completed, you can add A/V Edge Servers and Web Conferencing Edge Servers.
If you do not have an existing Access Proxy, skip this section and proceed to Phase 2.
Before you deploy, read the Microsoft Office Communications Server 2007 Edge Server
Deployment Guide to understand the supported topologies and which one is right for your
organization. The single-site topology and the scaled single-site topology are recommended.
To deploy an edge server
1. For each Live Communications Server 2005 with SP1 Access Proxy in your perimeter network, install and activate an Office Communications Server 2007 Access Edge Server as described in the Microsoft Office Communications Server 2007 Edge Server Deployment Guide. Configure each Access Edge Server with the settings that are already configured on the corresponding Live Communications Server 2005 with SP1 Access Proxy.
2. As you run the Configuration Wizard, follow the instructions in the Edge Server Deployment Guide until you reach the Enable Features on Access Edge Server page.
3. On the Enable Features on Access Edge Server page, select the features that you want to enable:
• To make it possible for remote users to use this Access Edge Server to view presence information and exchange instant messages, select the Allow remote user to access your network check box.
• To enable federation or public IM connectivity through this Access Edge Server, select the Enable federation check box.
4. If you selected the Enable federation check box, do one of the following:
• To use DNS to automatically locate the Access Edge Servers of your federated partners, select the Allow discovery of federation partners using DNS check box. This configuration is recommended. Select this setting if you used what was called open enhanced federation in Live Communications Server 2005 with SP1.
• To enable public IM connectivity through this Access Edge Server, select the Federation with selected public IM providers check box, and then select the IM providers that you want to use with federated partners.
5. When you are finished, click Next.
6. On the FQDN of the Internal Next Hop Server page, if you are using a Live Communications Server 2005 SP1 Director, enter the FQDN of the Director. If you are not using a Director, enter the Live Communications Server 2005 SP1 server or pool that is used as the next hop server.
7. On the Authorized Internal SIP Domains page, for each SIP domain that your organization supports, type the name of the supported SIP domain, and then click Add. When you have entered all the supported SIP domains, click Next.
8. On the Authorized Internal Servers page, specify each internal server that can connect to your Access Edge Server. If you are routing all outbound traffic through a Director, the next hop server that you specified earlier in this procedure is automatically authorized to connect to your Access Edge Server. If you are not using a Director, type the FQDN of each Enterprise pool and Standard Edition server in your organization except the next hop server, clicking Add after each.
9. Click Next.
10. On the summary page, review the settings that you selected. If they are as you want them, click Next.
11. On the wizard completion page, select the View the log when you click Finish check box.
12. If you want to export the server settings to a configuration file so they can be imported to another edge server (to streamline the setup of that server), click Export, and then specify a location and name for the XML file to which you want to save the server settings. Configure the export settings as you want them, and then click Save.
13. Click Finish.
14. If you chose the option to view the log immediately, when the Office Communications Server 2007 Deployment Log opens in a Web browser window, verify that Success appears under Execution Result in the action column on the far right side of the screen. Optionally, expand each individual task and verify that the Execution Result shows Success for the task. When you finish, close the log window.
Step 4 Configure Certificates on the Internal Interface of Your Edge Servers
After you have installed, activated, and configured your new Access Edge Server, you must
configure certificates on it. How you configure your certificates depends on whether your Access
Edge Server is part of an array:
• For a single-site edge topology, which has a single Access Edge Server, you need a certificate configured on the internal interface with a subject name that matches the internal FQDN of the edge server computer.
• For a scaled single-site edge topology, which has a load-balanced array of Access Edge Servers, you need a certificate configured on the internal interface with a subject name that matches the internal FQDN of the VIP address that is used by the Access Edge Server on the internal load balancer. This certificate must be marked as exportable on the first computer where you configure the certificate and must then be imported on each additional computer in the Access Edge Server array.
The certificate on your internal interface of your Access Edge Server must match the DNS A
record that resolves to the internal IP address of the Access Edge Server. As explained earlier,
how you configured your new Access Edge Server determines the process you use to assign
certificates to your new edge server:
• If you used the same internal FQDN on your new Access Edge Server, you can configure the same certificate that you used on your existing Live Communications Server 2005 with SP1 Access Proxy. Export the certificate from your Access Proxy, and then use the Certificate Wizard to import the certificate and assign it to the internal interface of the edge server.
• If you used a different internal FQDN on your new Access Edge Server, you must request a new certificate and assign it to the internal interface of the Access Edge Server.
Option 4.1 Configuring the Certificate with the Same Internal FQDN as the Existing Access Proxy
If you are using the same internal FQDN for your Office Communications Server 2007 Access
Edge Server as the one that you used on your Live Communications Server 2005 with SP1
Access Proxy, use the following steps to set up a certificate on the internal interface for your
Office Communications Server 2007 Access Edge Server. These steps are explained in detail in
the following sections:
1. Export the certificate from your Live Communications Server 2005 SP1 Access Proxy.
2. Import the certificate for the internal interface on the first edge server.
3. Verify that the CA (certification authority) is on the list of trusted root CAs for each Access Edge Server.
4. If the edge server is part of an array, import the certificate on the other edge servers in the array.
5. Assign the certificate to the internal interface of each edge server.
After you export the certificate from your Live Communications Server 2005 SP1 Access Proxy,
use the Certificate Wizard to complete most of the certificate setup procedures for the internal
interface. You can start this wizard from the Office Communications Server 2007 installation
media, as described in the following procedures, or by using the Computer Management snap-in
on your Access Edge Server.
Step 4.1.1 Export the certificate from your Live Communications Server 2005 SP1 Access Proxy
Use the following procedure to export the certificate from your Live Communications Server 2005 SP1 Access Proxy.
To export the certificate from your Live Communications Server 2005 SP1 Access Proxy
1. Log on to your Access Proxy as a member of the Administrators group.
2. Click Start, and then click Run. In the Open box, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Available Standalone Snap-ins list, select Certificates.
6. Click Add.
7. Click Computer account, and then click Next.
8. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
9. Click Close, and then click OK.
10. In the console tree of the Certificates console, expand Certificates (Local Computer).
11. Expand Personal.
12. Click Certificates, and then in the result pane, right-click the certificate that is to be used on the internal interface, point to All Tasks, and then click Export.
13. In the Export Wizard, click Next.
14. Click Yes, export the private key, and then click Next.
15. On the Export file format page, click Personal Information Exchange PKCS #12 (.PFX).
16. Select the Include all certificates in the certification path if possible check box.
17. Clear the Enable strong protection check box, and then click Next.
18. Complete the wizard by accepting all remaining default values and by indicating the disk or network share where you want to save the certificate.
Note: The procedures in this section are based on a Microsoft Windows Server 2003 Enterprise CA or a Windows Server 2003 R2 CA. For step-by-step guidance for any other CA, see the documentation that is provided by the CA. By default, all authenticated users have the necessary user rights to request certificates.
Step 4.1.2 Import the certificate for the internal interface on the first edge server
Use the following procedure to import the certificate to the internal interface of your Access Edge Server or of the first Access Edge Server in an array.
To import the certificate for the internal interface
1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.
6. On the Import Certificate page, type the full path and file name of the certificate that you exported from the Access Proxy in the Path and file name box (or click Browse to locate and select the certificate), clear the Mark cert as exportable check box, and then click Next.
7. On the Import Certificate password page, type the password that you used when you exported the certificate from the Access Proxy in the Password box, and then click Next.
8. On the wizard completion page, verify successful completion, and then click Finish.
Step 4.1.3 Verify that the CA is on the list of trusted root CAs
For each Access Edge Server that you deploy, use the following procedure to verify that the CA for the edge server is on the list of trusted root CAs.
To verify that your CA is on the list of trusted root CAs
1. On the Access Edge Server, open an MMC console: click Start, and then click Run. In the Open box, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.
4. In the Certificate snap-in dialog box, click Computer account, and then click Next.
5. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
8. In the details pane, verify that your CA is on the list of trusted CAs.
Step 4.1.4 Import the certificate on subsequent Access Edge Servers (if you are deploying an Access Edge Server array)
For each Access Edge Server that you deploy, use the following procedure to import the certificate for an additional Access Edge Server if you are using an Access Edge Server array.
To import the certificate for the internal interface
1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the local Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.
6. On the Import Certificate page, type the full path and file name of the certificate that you exported from the Access Proxy in the Path and file name box (or click Browse to locate and select the certificate), clear the Mark cert as exportable check box, and then click Next.
7. On the Import Certificate Password page, type the password that you used when you exported the certificate from the Access Proxy in the Password box, and then click Next.
8. On the wizard completion page, verify successful completion, and then click Finish.
Step 4.1.5 Assign the certificate on the Access Edge Server
For each Access Edge Server that you deploy, use the following procedure to assign the certificate to the internal interface.
To assign the certificate to the internal interface of the edge server
1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.
6. On the Available Certificates page, click the certificate that you requested for the internal interface of this edge server, and then click Next.
7. On the Available Certificate Assignments page, select the Access Edge Server Private Interface check box (the server interface on which you want to install the certificate), and then click Next.
8. On the Configure the Certificate(s) of Your Server page, review your settings, and then click Next to assign the certificates.
9. On the wizard completion page, click Finish.
Option 4.2 Configuring the Certificates with a Different Internal FQDN
If you are using a different internal FQDN for your Office Communications Server 2007 Access Edge Server than the one that you used on your Live Communications Server 2005 SP1 Access Proxy, use the following steps to set up a certificate on the internal interface for your Office Communications Server 2007 Access Edge Server. These steps are explained in detail in the following sections:
1. Download the CA certification path for the internal interface.
2. Install the CA certification path for the internal interface.
3. Verify that the CA is on the list of trusted root CAs.
4. Create the certificate request for the internal interface.
5. Import the certificate for the internal interface on the first edge server.
6. Export the certificate.
7. Import the certificate on other edge servers.
8. Assign the certificate for the internal interface to each edge server.
For most of these steps, you can use the Office Communications Server Certificate Wizard. You
can start this wizard from the Office Communications Server 2007 installation media, as
described in the following procedures, or from the Computer Management snap-in on your
Access Edge Server.
Step 4.2.1 Download the CA certification path for the internal interface
Use the following procedure to download the CA certification path on the internal interface of your Access Edge Server.
To download the CA certification path for the internal interface
1. With your Enterprise root CA offline and your Enterprise subordinate (issuing) CA server online, log on to a server in the internal network (not the Access Edge Server) as a member of the Administrators group.
2. Click Start, click Run, type http:///certsrv, and then click OK. If prompted, enter your user name and password.
3. Under Select a task, click Download a CA certificate, certificate chain, or CRL.
4. Under Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.
5. In the File Download dialog box, click Save.
6. Save the .p7b file to the hard disk on the server, and then copy it to a folder on each Access Edge Server. Verify that the file contains all the certificates that are in the certification path. To view the certification path, open the server certificate, and then click the certification path.
Note: The procedures in this section are based on using a Windows Server 2003 Enterprise CA or a Windows Server 2003 R2 CA. For step-by-step guidance for any other CA, see the documentation that is provided by the CA. By default, all authenticated users have the necessary user rights to request certificates.
Step 4.2.2 Import the CA certification path for the internal interface
Use the following procedure to import the CA certification path on the internal interface of your Access Edge Server.
To import the CA certification path for the internal interface
1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Import a certificate chain from a .p7b file, and then click Next.
6. On the Import Certificate Chain page, type the full path and file name of the .p7b file in the Path and file name box (or click Browse to locate and select the file), and then click Next.
7. Click Finish.
8. Repeat this procedure on each edge server.
Step 4.2.3 Verify that the CA is on the list of trusted root CAs
For each Access Edge Server that you deploy, use the following procedure to verify that the CA for the edge server is on the list of trusted root CAs.
To verify that your CA is on the list of trusted root CAs
1. On the Access Edge Server, open an MMC console: click Start, and then click Run. In the Open box, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.
4. In the Certificate snap-in dialog box, click Computer account, and then click Next.
5. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
8. In the details pane, verify that your CA is on the list of trusted CAs.
Step 4.2.4 Create the certificate request for the internal interface
For each Access Edge Server that you deploy, use the following procedure to create the certificate request for the internal interface.
To create the certificate request for the internal interface
1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the local Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Create a new certificate, and then click Next.
6. On the Select a component page, select the Edge Server Private Interface check box, and then click Next.
7. On the Delayed or Immediate Request page, select the Prepare the request now, but send it later check box, and then click Next.
8. On the Name and Security Settings page, type a friendly name for the certificate, and then specify the bit length (typically, the default of 1024). Select the Mark cert as exportable check box, and then click Next.
9. On the Organization Information page, enter the name for the organization and the organizational unit (such as a division or department, if appropriate), and then click Next.
10. On the Your Server's Subject Name page, type or select the subject name and subject alternate name of the edge server. The subject name should match the FQDN of the edge server that is published by the internal firewall for the internal interface on which you are configuring the certificate:
• For the internal interface of the edge server, the subject name should match the name that your internal servers use to connect to the edge server (typically, the FQDN of the internal interface for the edge server).
• If you are using a load balancer, the edge server traffic still uses the FQDN of the internal edge of the server (server name). If you are using a virtual IP address for the edge server, the certificate should match the FQDN of the virtual IP address that is used by this server role on the internal load balancer. For the internal interface, this is typically the published DNS name for the perimeter network that maps to the edge server.
11. Click Next.
12. On the Geographical Information page, type the location information, and then click Next.
13. On the Certificate Request File Name page, type the full path and name of the file to which the request is to be saved in the File name box (or click Browse to locate and select the file), and then click Next. A typical path and file name is C:\certrequest_AccessEdge.txt.
14. On the Request Summary page, click Next.
15. On the wizard completion page, verify successful completion, and then click Finish.
16. Submit this file to your CA by e-mail or another method that is supported by your organization for your Enterprise CA. When you receive the response file, copy the new certificate to this computer so that it is available for import.
Note: If the Enterprise CA is reachable from the edge server, you can use the Send the request immediately to an online certification authority option. Because this is usually not the case, this procedure and other certificate request procedures in this guide do not cover the use of that option.
Step 4.2.5 Import the certificate on the internal interfaceFor each Access Edge Server that you deploy, use the following procedure to import the
certificate on the internal interface of the Access Edge Server.
To import the certificate for the internal interface
1. On the Access Edge Server on which you created the certificate request, log on as amember of the Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then clickSetup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:Configure Certificates for the Edge Server, clickRun to start the Certificate
Wizard.
4. On the Welcome page, clickNext.
5. On the Available certificate tasks page, clickProcess the pending request andimport the certificate, and then clickNext.
6. Type the full path and file name of the certificate that you requested for the internalinterface of the edge server (or clickBrowse to locate and select the certificate), and
then clickNext.
7. ClickFinish.
Step 4.2.6 Export the certificate (if you have an Access EdgeServer array)If you are using an Access Edge Server array, use the following procedure to export the
certificate from your Access Edge Server so that you can import it to other Access Edge Servers
in your array.
To export the certificate for the internal interface for importing toother edge servers
1. On the edge server on which you requested and imported the certificate, log on as amember of the Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then clickSetup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:Configure Certificates for the Edge Server, clickRun to start the Certificate
Wizard.
4. On the Welcome page, clickNext.
5. On the Available Certificate Tasks page, clickExport a certificate to a .pfx file,and then clickNext.
6. On the Available Certificatespage, click the certificate that you imported to thisedge server in Select a certificate list as described in the previous procedure, and
then clickNext.
7. On the Export Certificate page, type the full path and file name to which you want to export the certificate in the Path and file name box (or click Browse to locate and specify a location and file), and then click Next.
8. On the Export Certificate Password page, type the password to be used to import the certificate on the other edge servers in the Password box, and then click Next.
9. On the wizard completion page, verify successful completion, and then click Finish.
10. Copy the exported file to a location or media that is accessible by the other edge servers.
Step 4.2.7 Import the certificate for additional Access Edge Servers (if you have an Access Edge Server array)
If you are using an Access Edge Server array, use the following procedure to import the certificate to each Access Edge Server in the array.
To import the certificate for the internal interface of each Access Edge Server
1. On the other Access Edge Servers where you will import the certificate, log on as a member of the Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.
6. On the Import Certificate page, type the full path and file name of the certificate that you exported from the first edge server in the Path and file name box (or click Browse to locate and select the certificate), clear the Mark cert as exportable check box, and then click Next.
7. On the Import Certificate Password page, type the password that you typed when you exported the certificate from the first server in the Password box, and then click Next.
8. On the wizard completion page, verify successful completion, and then click Finish.
Step 4.2.8 Assign the certificate on the internal interface of each Access Edge Server
Use the following procedure to assign the certificate to the internal interface of each Access Edge Server in the array.
To assign the certificate to the internal interface of the edge server
1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.
6. On the Available Certificates page, select the certificate that you requested for the internal interface of this edge server, and then click Next.
7. On the Available Certificate Assignments page, select the Edge Server private interface check box (the server interface on which you want to install the certificate), and then click Next.
8. On the Configure the Certificate(s) of Your Server page, review your settings, and then click Next to assign the certificates.
9. On the wizard completion page, click Finish.
Step 5 Configure Certificates on the External Interface of Your Access Edge Server
If you are supporting public IM connectivity, the certificate that you configure on the external interface of your Access Edge Server must be from a public CA (certification authority). AOL requires the certificate for both client and server authorization. The MSN network of Internet services and Yahoo! also require a certificate from a public CA, but a Web certificate is sufficient. The CA must be on the default list of trusted root CAs that is installed on the Access Edge Server.
Although a certificate from a public CA is not required for federation, it is strongly recommended.
How you configure the certificate on the external interface depends on whether you are deploying in a single-site edge topology or a scaled single-site edge topology:
Single-site edge topology. The subject name of the certificate must match the external FQDN of the Access Edge Server computer. If you have multiple SIP domains, each supported SIP domain must be entered as sip. in the Subject Alternate Name box of the certificate. For example, if your organization supports two domains, a.contoso.com and b.contoso.com, and the external FQDN of the computer is sip.a.contoso.com, configure your certificate as follows:
SN=sip.a.contoso.com
SAN=sip.a.contoso.com, sip.b.contoso.com
Note: It is possible to use your Enterprise subordinate CA for direct federation, as well as for testing or trial purposes, as long as all partners agree to trust the CA or to cross-sign the certificate.
Scaled single-site edge topology. The subject name must match the external FQDN
of the VIP (virtual IP) address of the external load balancer that is used by the Access
Edge Server. This certificate must be marked as exportable on the first computer
where you configure the certificate, and it must then be imported onto each additional
computer in the Access Edge Server array.
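The subject name and SAN rules above, which Step 5.2.1 applies again when the request is created in the Certificate Wizard, can also be expressed as a certreq.exe INF file when the request is generated outside the wizard. The following is an added example, not part of this guide or of the product, that writes such an INF with the guide's sample names (sip.a.contoso.com as the external FQDN, a.contoso.com and b.contoso.com as the SIP domains) and produces the request file for submission to the CA. The file paths, the organization fields and the 2048-bit key length are assumptions (the wizard in this guide defaults to 1024 bits, which public CAs no longer issue against).

```powershell
# Added example (not from the guide): generate the external-interface certificate
# request with certreq.exe, with sip.<domain> for every SIP domain in the SAN.
# Assumed values: the guide's sample names, the output paths and the O/L/S/C fields.
$ExternalFqdn = 'sip.a.contoso.com'                  # external FQDN; in the scaled topology use the VIP FQDN
$SipDomains   = @('a.contoso.com', 'b.contoso.com')  # every SIP domain the edge server serves
$InfPath      = 'C:\certrequest_AccessEdge.inf'      # assumed path for the INF
$ReqPath      = 'C:\certrequest_AccessEdge.txt'      # the guide's typical request file name

# The SAN must carry the subject name itself plus sip.<domain> for each SIP domain.
# Select-Object -Unique avoids listing sip.a.contoso.com twice.
$SanNames = @($ExternalFqdn) + ($SipDomains | ForEach-Object { "sip.$_" }) | Select-Object -Unique

# certreq's {text} SAN syntax: one dns= entry per _continue_ line, entries joined by '&'.
$SanLines = for ($i = 0; $i -lt $SanNames.Count; $i++) {
    $Sep = if ($i -lt $SanNames.Count - 1) { '&' } else { '' }
    '_continue_ = "dns={0}{1}"' -f $SanNames[$i], $Sep
}

$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$ExternalFqdn, O=Contoso, L=Redmond, S=Washington, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
$($SanLines -join "`r`n")
"@

# Write the INF and create the PKCS #10 request; the private key is generated in the
# machine key store (MachineKeySet) and stays there until the issued certificate is accepted.
Set-Content -Path $InfPath -Value $Inf -Encoding Ascii
certreq.exe -new $InfPath $ReqPath
```

KeyUsage 0xA0 is digital signature plus key encipherment, and the two EKU OIDs are server authentication and client authentication, which Step 5 says the public IM providers expect on this certificate. Exportable = TRUE corresponds to the guide's instruction to mark the certificate exportable on the first computer of an array; leave it FALSE for a single edge server.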
Determining Whether You Need a New Certificate for the Access Edge Server
Whether you can reuse the certificate from your existing Access Proxy or obtain a new certificate
depends on how you have configured your new Access Edge Server:
If you use the same external FQDN for your Access Edge Server that you used for
the Access Proxy that it replaces, you can use the same certificate on the external
interface of your Access Edge Server that you used on the Access Proxy.
If you use a different external FQDN for your Access Edge Server, you must
configure a new certificate for the external interface.
Option 5.1 Configuring the Certificate with the Same External FQDN as the Existing Access Proxy
If you are using the same external FQDN for your Office Communications Server 2007 Access
Edge Server as the one that you used on your Live Communications Server 2005 with SP1
Access Proxy, use the following steps to set up a certificate on the external interface for your
Office Communications Server 2007 Access Edge Server. These steps are explained in detail in
the following sections.
1. Export the certificate from your Live Communications Server 2005 SP1 Access Proxy.
2. Import the certificate for the external interface on each Access Edge Server.
3. Verify that the CA is on the list of trusted root CAs for each Access Edge Server.
4. Assign the certificate for the external interface to each edge server.
After you export the certificate from your Live Communications Server 2005 SP1 Access Proxy,
use the Certificate Wizard to complete most of the certificate setup procedures for the external
interface. You can start this wizard from the Office Communications Server 2007 installation
media, as described in the following procedures, or by using the Computer Management snap-in
on your Access Edge Server.
Note: If your Access Edge Server is not discoverable through DNS SRV records, organizations federating with your organization must manually add your SIP domains and your Access Edge Server FQDN in the Allow List on their Access Edge Servers.
If you enable automatic discovery and want to add additional SIP domains to those supported in your Live Communications Server 2005 SP1 environment, you must get a new certificate with all the supported SIP domains in the SAN.
Step 5.1.1 Export the certificate from your Live Communications Server 2005 SP1 Access Proxy
Use the following procedure to export the certificate from your Live Communications Server 2005 SP1 Access Proxy.
To export the certificate from your Live Communications Server 2005 SP1 Access Proxy
1. Log on to your Access Proxy as a member of the Administrators group.
2. Click Start, and then click Run. In the Open box, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Available Standalone Snap-ins list, select Certificates.
6. Click Add.
7. Click Computer account, and then click Next.
8. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
9. Click Close, and then click OK.
10. In the console tree of the Certificates console, expand Certificates (Local Computer).
11. Expand Personal.
12. Click Certificates, right-click the certificate that is to be used on the external interface in the result pane, point to All Tasks, and then click Export.
13. In the Export Wizard, click Next.
14. Click Yes, export the private key, and then click Next.
Note: The procedures in this section are based on a Microsoft Windows Server 2003 Enterprise CA or a Windows Server 2003 R2 CA. For step-by-step guidance for any other CA, see the documentation that is provided by the CA. By default, all authenticated users have the necessary user rights to request certificates.
15. On the Export File Format page, click Personal Information Exchange PKCS #12 (.PFX).
16. Select the Include all certificates in the certification path if possible check box.
17. Clear the Enable strong protection check box, and then click Next.
18. Complete the wizard by accepting all remaining default values and by indicating the disk or network share where you want to save the certificate.
Step 5.1.2 Import the certificate for the external interface of each Access Edge Server
Use the following procedure to import the certificate to the external interface of your Access Edge Server or of each Access Edge Server in an array.
To import the certificate for the external interface
1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.
6. On the Import Certificate page, type the full path and file name of the certificate that you exported from the Access Proxy in the Path and file name box (or click Browse to locate and select the certificate), clear the Mark cert as exportable check box, and then click Next.
7. On the Import Certificate Password page, type the password that you used when you exported the certificate from the Access Proxy in the Password box, and then click Next.
8. On the wizard completion page, verify successful completion, and then click Finish.
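Steps 4.2.6 and 4.2.7 for the internal interface and Steps 5.1.1 and 5.1.2 above for the external interface are the same PKCS #12 round trip: export the certificate together with its private key and chain from the first server under a password, then import it on each additional server with the private key left non-exportable. The following is an added example, not from this guide or the product, that does this with the Export-PfxCertificate and Import-PfxCertificate cmdlets of the Windows PKI module; it therefore assumes Windows Server 2012 or later rather than the Windows Server 2003 hosts the guide was written for. The subject CN and the share path are assumptions.

```powershell
# Added example (not from the guide): PFX export on the first server, import on the others.
# Assumed values: the certificate's subject CN and a share every array member can reach.
$CertCn   = 'edge01.contoso.com'                        # assumed CN of the certificate to copy
$PfxPath  = '\\fileserver\edgecerts\edge-cert.pfx'      # assumed transfer location
$Password = Read-Host -AsSecureString -Prompt 'PFX password'

# ---- Run on the first server (the one that imported the issued certificate) ----
# Pick the newest certificate with that CN that has a private key in the machine store.
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CertCn*" -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate with a private key for CN=$CertCn in LocalMachine\My" }

# -ChainOption BuildChain includes the issuing chain, like the MMC wizard's
# "Include all certificates in the certification path if possible" option.
Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain | Out-Null
Write-Output ("Exported {0} ({1}) to {2}" -f $Cert.Subject, $Cert.Thumbprint, $PfxPath)

# ---- Run on each additional server ----
# Without -Exportable the imported private key cannot be exported again from this
# member, which is what clearing "Mark cert as exportable" in the wizard does.
$Imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password
Write-Output ("Imported {0} ({1}); private key present: {2}" -f $Imported.Subject, $Imported.Thumbprint, $Imported.HasPrivateKey)
```

The two halves run on different computers; the export half is also what an export from the old Access Proxy looks like once the Where-Object filter selects the external-interface certificate. The password is the only protection the private key has while the PFX sits on the share, so remove the file once every member has imported it.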
Step 5.1.3 Verify that the CA is on the list of trusted root CAs
For each Access Edge Server that you deploy, use the following procedure to verify that the CA for the edge server is on the list of trusted root CAs.
To verify that your CA is on the list of trusted root CAs
1. On the Access Edge Server, open an MMC console: Click Start, and then click Run. In the Open box, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.
4. In the Certificate snap-in dialog box, click Computer account, and then click Next.
5. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
8. In the details pane, verify that your CA is on the list of trusted CAs.
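The trust check in Step 5.1.3, together with the requirements Step 5 places on the external certificate (subject name equal to the external FQDN, every SIP domain present in the SAN as sip. followed by the domain, a CA that the computer store trusts, and both server and client authentication usable), can be run as one script before the certificate is assigned. The following is an added example, not from this guide or the product. The FQDN and SIP domain list are the guide's sample values; the SAN parsing relies on the English "DNS Name=" label that the .NET extension formatter emits, and the chain is built against the LocalMachine stores because the edge service, not an interactive user, is what will present the certificate.

```powershell
# Added example (not from the guide): pre-assignment checks for the external-interface
# certificate. Assumed values: the guide's sample FQDN and SIP domains; the certificate
# is looked up in LocalMachine\My by its subject CN.
$ExternalFqdn = 'sip.a.contoso.com'
$SipDomains   = @('a.contoso.com', 'b.contoso.com')

$Cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ExternalFqdn*" } |
    Sort-Object -Property NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate for CN=$ExternalFqdn in LocalMachine\My" }

$Problems = @()

# 1. The private key must have come in with the PFX, or TLS cannot be terminated with it.
if (-not $Cert.HasPrivateKey) { $Problems += 'private key is missing' }

# 2. Validity window.
$Now = Get-Date
if ($Cert.NotBefore -gt $Now -or $Cert.NotAfter -lt $Now) {
    $Problems += "not valid now (valid $($Cert.NotBefore) to $($Cert.NotAfter))"
}

# 3. Server authentication and client authentication EKUs (Step 5: AOL expects both).
$EkuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$Ekus   = if ($EkuExt) { $EkuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
foreach ($Oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($Oid -notin $Ekus) { $Problems += "EKU $Oid is missing" }
}

# 4. The chain must build, and its root must be in LocalMachine\Root (Step 5.1.3 automated).
#    A root that only lives in the current user's store would satisfy Build() for this
#    session but not for the service account, hence the explicit machine-store check.
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($Chain.Build($Cert)) {
    $Root = $Chain.ChainElements[$Chain.ChainElements.Count - 1].Certificate
    if (-not (Test-Path -Path "Cert:\LocalMachine\Root\$($Root.Thumbprint)")) {
        $Problems += "root '$($Root.Subject)' is not in LocalMachine\Root"
    }
} else {
    $Status = ($Chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $Problems += "chain does not build: $Status"
}
$Chain.Reset()

# 5. SAN coverage: the subject name itself plus sip.<domain> for every SIP domain.
$SanExt   = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$SanNames = if ($SanExt) {
    ($SanExt.Format($false) -split ',\s*') |
        ForEach-Object { ($_ -replace '^DNS Name=', '').Trim().ToLowerInvariant() }
} else { @() }
$Required = @($ExternalFqdn) + ($SipDomains | ForEach-Object { "sip.$_" }) |
    ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique
$Missing = $Required | Where-Object { $_ -notin $SanNames }
if ($Missing) { $Problems += 'SAN is missing: ' + ($Missing -join ', ') }

if ($Problems) {
    Write-Warning ("Certificate {0} is NOT ready: {1}" -f $Cert.Thumbprint, ($Problems -join '; '))
} else {
    Write-Output ("Certificate {0} is ready: trusted chain, SAN covers {1}" -f $Cert.Thumbprint, ($Required -join ', '))
}
```

Revocation checking is switched off so the script gives the same answer on an edge server whose perimeter firewall blocks outbound CRL downloads; run it again with RevocationMode set to Online from a host that can reach the CA's CRL distribution points before the certificate goes into service.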
Step 5.1.4 Assign the certificate on the Access Edge Server
For each Access Edge Server that you deploy, use the following procedure to assign the certificate to the external interface.
To assign the certificate to the external interface of the edge server
1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.
6. On the Available Certificates page, select the certificate that you requested for the external interface of this edge server, and then click Next.
7. On the Available Certificate Assignments page, select the Access Edge Server Public Interface check box (the server interface on which you want to install the certificate), and then click Next.
8. On the Configure the Certificate(s) of Your Server page, review your settings, and then click Next to assign the certificates.
9. On the wizard completion page, click Finish.
Option 5.2 Configuring the Certificates on the Access Edge Server External Interfaces When New Certificates Are Required
To set up a certificate for the external interface of an Access Edge Server, complete the following steps. These steps are explained in detail in the following sections.
1. Create the certificate request for the external interface of the edge server.
2. Submit the request to your public CA.
3. Import the certificate for the external interface of each edge server.
4. Assign the certificate for the external interface of each edge server.
Step 5.2.1 Create the certificate request
For each Access Edge Server that you deploy, use the following procedure to create a certificate request for the external interface.
To create the certificate request for the external interface
1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Create a new certificate, and then click Next.
6. On the Select a component page, select the Access Edge Server Public Interface check box, and then click Next.
7. On the Delayed or Immediate Request page, select the Prepare the request now, but send it later check box, and then click Next.
Note: If the Enterprise CA is reachable from the edge server, you can use the Send the request immediately to an online certification authority option. Because this is usually not the case, this procedure and other certificate request procedures in this guide do not cover the use of that option.
8. On the Name and Security Settings page, type a friendly name for the certificate, specify the bit length (typically, the default of 1024), select the Mark cert as exportable check box, and then click Next.
9. On the Organization Information page, type the name for the organization and the organizational unit (such as a division or department, if appropriate), and then click Next.
10. On the Your Servers Subject Name page, type or select the subject name and subject alternate name of the edge server:
   The subject name should match the FQDN of the server that is published by the external firewall for the external interface on which you are configuring the certificate. For the external interface of the Access Edge Server, this certificate subject name should be sip..
   If multiple SIP domain names exist and they do not appear in the Subject alternate name box, type the name of each additional SIP domain as sip., separating names with a comma. Domains entered during configuration of the Access Edge Server are automatically added to this box.
11. Click Next.
12. On the Geographical Information page, type the location information, and then click Next.
13. On the Certificate Request File Name page, type the full path and name of the file to which the request is to be saved in the File name box (or click Browse to locate and select the file), and then click Next. A typical path and file name is C:\certrequest_AccessEdge.txt.
14. On the Request Summary page, click Next.
15. On th