Perimeter Network Topologies for Office Communications Server 2007 R2
Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2013-06-26
Edge Server is a server role that is deployed in a perimeter network to support access by external users. External users include remote, federated, and anonymous users. Office Communications Server supports connectivity with one or more of the following public IM service providers: AOL, MSN, and Yahoo!.
In this discussion, external users who access the network by using a VPN connection are considered to be internal users.
An Edge Server runs three services: Access Edge service, A/V Edge service, and Web Conferencing Edge service. All three services are automatically installed with an Edge Server.
In addition to one or more Edge Servers, HTTP reverse proxies are also required in the perimeter network. Collocation of an Edge Server with a reverse proxy or with an internal or external firewall is not supported. The Access Edge service cannot be collocated with any other network perimeter service, such as Microsoft Internet Security and Acceleration (ISA) Server or the Microsoft Exchange 2007 Server Edge role.
The components support external access as follows:
The Access Edge service validates and forwards SIP signaling traffic between internal and external users.
The A/V Edge service enables audio and video conferencing, desktop sharing, and audio/video (A/V) peer-to-peer communications with external users who are equipped with a supported client. For details, see Supported Clients.
The Web Conferencing Edge service enables external users to participate in conferences that are hosted by an internal Web Conferencing Server.
The HTTP reverse proxy is required for downloading Address Book information, expanding membership in distribution groups, downloading Web conference content, and providing access to files for updating devices and clients.
The following edge topologies, each with a single HTTP reverse proxy in each physical location, are supported in the perimeter network:
Single consolidated edge topology
A single Edge Server computer.
Scaled consolidated edge topology
Two or more Edge Server computers behind a load balancer.
Multiple-site consolidated edge topology
One primary location (the data center) has a scaled consolidated edge topology, and one or more remote sites deploy a single consolidated edge topology or a scaled consolidated edge topology behind a load balancer.
For deployments with multiple locations, only a single Edge Server or a single load-balanced array of Edge Servers is supported for federation and for public IM connectivity. Multiple Access Edge Servers in multiple locations are supported for remote user access.
For a scaled consolidated edge topology with multiple Edge Servers, the next-hop server on the Director must target the virtual IP address of the Access Edge service array on the internal load balancer.
An Edge Server is supported by both the Standard Edition server product key and the Enterprise Edition server product key.
Joining the Edge Server to a domain located entirely in the perimeter network is supported but not recommended. An Edge Server should never be part of a domain in the internal network.
Each Edge Server must have an internal certificate. All three Edge services on that server share this certificate. The subject name of the certificate must match the internal fully qualified domain name (FQDN) of the Access Edge service of that Edge Server.
Each Edge Server requires two external certificates—one for the Access Edge service, and one for the Web Conferencing Edge service. Each of these certificates must have a subject name that matches the external FQDN of that Edge service on that server.
An additional certificate is required for A/V authentication. The private key of the A/V authentication certificate is used to generate authentication credentials. This can be an internal certificate, but as a security precaution, you should not use the same certificate for A/V authentication that you use for any of the Edge Server services.
For details about certificate requirements, see Certificate Requirements for External User Access in the Planning and Architecture documentation.
Internal and External Interfaces
Each of the three services running on an Edge Server has a separate external and internal interface. Each of the services requires a separate external IP address/port combination. The recommended configuration is for each of the three services to have different IP addresses, so that each service can use its default port settings.
Using different DNS names for each of the two interfaces is required. A unique IP address and a unique FQDN are required for the internal and external interface. A multihomed network adapter that uses the same DNS name, and therefore the same IP address, for both internal and external interfaces is not supported.
In a site with only a single Edge Server deployed, it is recommended that the IP address of the external interface of the A/V Edge service be publicly routable. However, the external firewall can function as a network address translation (NAT) for this IP address in this scenario.
In any location with multiple Edge Servers deployed behind a load balancer, the IP address of the external interface of the A/V Edge service must be publicly routable. The external firewall cannot function as a NAT for this IP address. This requirement does not apply to other Edge Server services.
The internal firewall must not function as a NAT for the internal IP address of the A/V Edge service. The internal IP address of the A/V Edge service must be fully routable from the internal network to the internal IP address of the A/V Edge service.