OCS 2007 R2 Deploying CWA

Microsoft Office Communications Server 2007 R2

Deploying Communicator Web Access
(2007 R2 Release)


Published: May 2009
Updated: October 2009




For the most up-to-date version of the Deploying Communicator Web Access (2007 R2 Release)
documentation and the complete set of the Microsoft® Office Communications Server 2007 R2
online documentation, see the Office Communications Server TechNet Library at
http://go.microsoft.com/fwlink/?LinkID=132106.

Note: In order to find topics that are referenced by this document but not contained within it,
search for the topic title in the TechNet library at http://go.microsoft.com/fwlink/?LinkID=132106.




Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted in examples herein are
fictitious. No association with any real company, organization, product, domain name, e-mail
address, logo, person, place, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, Excel, Hyper-V, Internet Explorer, MSN, MSDN, OneNote,
Outlook, PowerPoint, RoundTable, SharePoint, SQL Server, Visio, Visual Basic, Visual C++,
Visual J#, Visual Studio, Windows, Windows Live, Windows Media, Windows Mobile, Windows
NT, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft
group of companies.
All other trademarks are property of their respective owners.




Contents
Deploying Communicator Web Access with Office Communications Server 2007 R2 ................... 5

Verifying Communicator Web Access Requirements ................................................................... 6
 Verifying Communicator Web Access Server Requirements ..................................................... 7
 Verifying Communicator Web Access Client Requirements ...................................................... 8

Configuring Communicator Web Access DNS Records................................................................ 9
 Creating Communicator Web Access DNS Records ............................................................... 11

Configuring Internet Information Services for Communicator Web Access ................................. 12
 Installing IIS 7.0 for Communicator Web Access..................................................................... 12
 Configuring Managed Pipeline Mode for IIS 7.0 ...................................................................... 14
 Installing IIS 6.0 for Communicator Web Access..................................................................... 15

Preparing Certificates for Communicator Web Access ............................................................... 15
  Installing a Certificate Chain for Communicator Web Access .................................................. 17
  Installing a Web Server Certificate for Communicator Web Access ......................................... 19
  Requesting a Third-Party Certificate for Communicator Web Access ...................................... 23

Installing and Activating Communicator Web Access ................................................................. 24
  Installing Communicator Web Access Using the Deployment Wizard ...................................... 24
  Installing Communicator Web Access By Using the Command Line ....................................... 25

Creating a Communicator Web Access Virtual Server................................................................ 26
    Authentication Methods....................................................................................................... 27
    Connectivity Type ............................................................................................................... 29
    Next Hop Server ................................................................................................................. 29
  Creating a Communicator Web Access Virtual Server By Using the Deployment Wizard ........ 30
  Creating a Communicator Web Access Virtual Server By Using the Command Line ............... 32
  Creating a Communicator Web Access Virtual Server By Using Communicator Web Access
    Snap-in ............................................................................................................................... 34
  Configuring Virtual Server Thread Settings ............................................................................. 36

Publishing Communicator Web Access URLs ............................................................................ 36

Deploying Communicator Web Access in Multiple Domains ....................................................... 38

Installing the Communicator Web Access Snap-in ..................................................................... 39
  Installing Communicator Web Access Snap-in By Using the Deployment Wizard .................... 40
  Installing Communicator Web Access Snap-in By Using the Command Line .......................... 41

Using a Load Balancer to Increase Capacity and Availability ..................................................... 41

Using a Reverse Proxy to Enable Remote User Access............................................................. 43

Optimizing Performance for Communicator Web Access ........................................................... 44

  Enabling Kernel SSL on Windows Server 2003 ...................................................................... 44
  Modifying the ASP.NET Request Queue Limit ........................................................................ 45
  Modifying the IIS Queue Length ............................................................................................. 45

Enabling Users for Communicator Web Access ......................................................................... 46
 Enabling User Accounts for Communicator Web Access ........................................................ 47
 Configuring User Accounts for Communicator Web Access .................................................... 47

Testing the Web Site ................................................................................................................. 48
  Configuring Your Web Browser Prior to Testing ...................................................................... 48
  Testing Communicator Web Access Web Sites ...................................................................... 49

Verifying Load Balancing Configuration ..................................................................................... 52
 Verifying DNS and LDAP Traffic ............................................................................................. 53
 Verifying Load Balancer Configuration and Server SIP Traffic ................................................ 55

Configuring New Communicator Web Access Settings .............................................................. 56
 Redirecting Users of Previous Releases ................................................................................. 57
 Configuring a Next Hop Server for Anonymous Users ............................................................ 58
 Configuring Desktop Sharing .................................................................................................. 59
   Configuring Desktop Sharing .............................................................................................. 60
 Configuring Audio Conferencing for Communicator Web Access ............................................ 60
   To configure a static route for audio conferencing ............................................................... 61
 Configuring Distribution Group Support for Communicator Web Access ................................. 62
   To enable distribution group support ................................................................................... 62

Appendix: Deploying Communicator Web Access ...................................................................... 63
 Communicator Web Access Support ...................................................................................... 63
    Supported Topologies ......................................................................................................... 64
    Supported Collocation ......................................................................................................... 64
    Load Balancing ................................................................................................................... 64
    Required Hardware ............................................................................................................. 65
    Required Software .............................................................................................................. 66
    Deployment Process ........................................................................................................... 66
 DNS Requirements for Communicator Web Access ............................................................... 71
 Certificates for Communicator Web Access ............................................................................ 72
 IIS Requirements for Communicator Web Access .................................................................. 73
 Accounts and Permissions Requirements............................................................................... 73
    Administrative Credentials .................................................................................................. 73
    Security Levels ................................................................................................................... 81
      Exchange UM Security Levels ......................................................................................... 81
    Media Gateway Security ..................................................................................................... 82




Deploying Communicator Web Access with
Office Communications Server 2007 R2
Microsoft Office Communicator Web Access (2007 R2 release) enables you to provide Office
Communications Server services – such as instant messaging (IM), presence, audio
conferencing, and desktop sharing – to users who do not use Office Communicator. This includes
users who:
   Do not run Microsoft Windows. For example, Macintosh and Linux users can participate in
     audio conferences or desktop sharing sessions as long as they use a supported Web
     browser.
   Log on from outside the organization’s firewall. For example, a sales person can stay in
     constant contact with the home office by logging onto the Internet from a hotel room or
     Internet café. You do not need a virtual private network (VPN) connection in order to use
     Communicator Web Access.
   Have locked-down computers. No software other than a supported Web browser is required
     to access features such as instant messaging and rich presence.
   Do not have accounts in your Active Directory domain or the Active Directory domain of a
     federated partner. Anonymous users can be invited to participate in audio conferences or
     desktop sharing sessions without needing to be authenticated.
Communicator Web Access is an extension of Office Communications Server 2007 R2. It is not a
stand-alone application. You cannot install Communicator Web Access unless you have already
installed Office Communications Server 2007 R2 somewhere within your Active Directory forest.
In addition to needing Office Communications Server 2007 R2, there are hardware and software
requirements for both Communicator Web Access servers and clients. For details, see Verifying
Communicator Web Access Requirements.
Communicator Web Access offers a number of deployment options based on your needs and
budget. For example:
   Communicator Web Access can be deployed on a single, dedicated server. A single
     Communicator Web Access server can handle approximately 5,000 simultaneous users.
     (This assumes that the server meets the minimum hardware requirements, and that the users
     are only engaged in instant messaging.)
   If you need to handle more than 5,000 simultaneous users you can create a pool of
     Communicator Web Access servers. If you deploy a hardware load balancer, users can use
     the same URL to access any available Communicator Web Access server, and you can help
     ensure that the workload will be equitably distributed among those servers.
   You can configure Communicator Web Access to handle service requests from three different
     types of users:
         internal users (that is, users located behind your organization’s firewall)
         external users (that is, users on the Internet)
         anonymous users (that is, users who do not have an account in your Active Directory or
           the Active Directory of a federated partner)
Regardless of how you design your Communicator Web Access infrastructure, the tasks required
to install, activate, and configure Communicator Web Access are always the same. This is true
whether you are installing Communicator Web Access on one computer or on an entire array of
computers.
In This Document
   Verifying Communicator Web Access Requirements
   Configuring Communicator Web Access DNS Records
   Configuring Internet Information Services for Communicator Web Access
   Preparing Certificates for Communicator Web Access
   Installing and Activating Communicator Web Access
   Creating a Communicator Web Access Virtual Server
   Publishing Communicator Web Access URLs
   Deploying Communicator Web Access in Multiple Domains
   Installing the Communicator Web Access Snap-in
   Using a Load Balancer to Increase Capacity and Availability
   Using a Reverse Proxy to Enable Remote User Access
   Optimizing Performance for Communicator Web Access
   Enabling Users for Communicator Web Access
   Testing the Web Site
   Verifying Load Balancing Configuration (Required only if you are using a hardware load
     balancer.)
   Configuring New Communicator Web Access Settings
   Appendix: Deploying Communicator Web Access



Verifying Communicator Web Access
Requirements
Before you install Communicator Web Access (2007 R2 release), keep in mind that this is not a
stand-alone program. You cannot install Communicator Web Access (2007 R2 release) unless
you have first installed Office Communications Server 2007 R2 somewhere in your Active
Directory forest. In addition, Communicator Web Access (2007 R2 release) is not an upgrade
from the previous version. Instead, it is a new program. To install Communicator Web Access
(2007 R2 release), you must install it on a new computer, or first remove the previous version of
the software from an existing computer.

Note:
     If you plan to re-use the previous computer it is important to note that Communicator
     Web Access (2007 R2 release) runs only on 64-bit versions of the Windows operating
     system.
Other Communicator Web Access requirements, for both the server and the client, are detailed in
the following sections of this Deployment Guide:
   Verifying Communicator Web Access Server Requirements
   Verifying Communicator Web Access Client Requirements


Verifying Communicator Web Access Server
Requirements
Before you begin installing Communicator Web Access (2007 R2 release), make sure that the
computer does not have an underscore in its fully qualified domain name (FQDN) (for example,
CWA_server.contoso.com). Internet Explorer does not support underscores in fully qualified
domain names. If the Communicator Web Access server has an underscore in its name and if
you are using integrated password authentication, no one using Internet Explorer will be able to
log on to the Web site.
The recommended minimum hardware for a Communicator Web Access server is as follows:
   Processor. PC with dual Quad-Core 2.0 gigahertz (GHz) or higher processor or PC with 4-
     way Dual-Core 2.0 GHz or higher processor
   Memory. 8 gigabyte (GB) double data rate (DDR) RAM
   Disks. 2 x 72 GB 15K or 10K RPM disk drives, RAID 0 (striped) or equivalent
   Network card. 2 x gigabit (1 gigabit per second) Ethernet network adapter
As a general rule, increasing the speed of the processor, the hard disk, or the network card has a
minimal effect on Communicator Web Access performance. If you wish to increase the
performance (and the capacity) of your Communicator Web Access servers the best way to do
this is to add additional memory.
Communicator Web Access (2007 R2 release) can only be installed on a computer running a 64-
bit version of Microsoft Windows Server 2003 or Microsoft Windows Server 2008. This is an
important change from the previous version of Communicator Web Access, which could run
under either 32-bit or 64-bit versions of Windows. Communicator Web Access (2007 R2 release)
must be installed on a computer running one of the following operating systems:
   The Windows Server 2003 Standard x64 Edition operating system with Service Pack 2 (SP2)
   The Windows Server 2003 Enterprise x64 Edition operating system with Service Pack 2
     (SP2)
   The Windows Server 2003 Standard x64 Edition R2 operating system with Service Pack 2
     (SP2)
   The Windows Server 2003 Enterprise x64 Edition R2 operating system with Service Pack 2
     (SP2)
   The 64-bit edition of the Windows Server 2008 Standard operating system
   The 64-bit edition of the Windows Server 2008 Enterprise operating system
In addition, the following software must be running before Communicator Web Access can be
installed:
   Microsoft Visual C++ Redistributable
   Microsoft .NET Framework 3.5, Service Pack 1
   Office Communications Server Core Components
   SQL Server Native Client
   Microsoft Unified Communications Managed API Redistributable
   Internet Information Services (IIS)
If you install Communicator Web Access by using the Office Communications Server 2007 R2
Deployment Wizard, the Setup program verifies that each of these applications has been
installed. If any of the applications are missing, the Deployment Wizard notifies you and offers to
install the program for you. If you install Communicator Web Access from the command line, you
must install each of these applications yourself before you begin the setup.


Verifying Communicator Web Access Client
Requirements
There are very few client requirements for Communicator Web Access (2007 R2 release). All you
need is a supported operating system and Web browser. There is one exception: Windows users
who want to share their desktop with other users need to install the Communicator Web Access
Plug-in. Communicator Web Access is currently supported on the following operating systems
and Web browsers:
Microsoft Windows 2000 Service Pack 4 (SP4)
   Internet Explorer 6.0 Service Pack 1 (SP1)
Microsoft Windows XP Service Pack 2 (SP2)
   Internet Explorer 6.0 Service Pack 2 (SP2)
   Internet Explorer 7.0
   Firefox 3.0.X
Microsoft Windows Vista
   Internet Explorer 7.0
   Firefox 3.0.X
Macintosh OS 10.3.9
   Safari 1.3.X
   Firefox 3.0.X
Macintosh OS 10.5.4
   Safari 3.X.X
   Firefox 3.0.X
Red Hat Linux 2.16
   Firefox 3.0.X

Note:
     It is possible that Communicator Web Access will run under other Web browsers or on
     other operating systems. However, these alternate configurations have not been tested
     and are not officially supported.



Configuring Communicator Web Access DNS
Records
Like most network-aware applications, Communicator Web Access (2007 R2 release) relies on
Domain Name System (DNS) records to map URLs (for example, https://im.contoso.com) to a
computer (or, in some cases, a pool of computers). To support Communicator Web Access you
need to create two types of DNS records:
   Host name records (also known as A or AAAA records). A host name record maps the fully
     qualified domain name (FQDN) of the computer (for example, im.contoso.com) to an IP
     address.
   Canonical name (CNAME) records. CNAME records enable you to refer to the same
     computer (and the same IP address) in multiple ways. Thus, as.im.contoso.com,
     download.im.contoso.com, and im.contoso.com can all refer to the same physical
     computer.
The records you need to create depend on how you are deploying Communicator Web Access. In
general, you will always need a host record for each computer or load balancer you have
deployed. In addition, you need to create CNAME records named as and download in order to
support desktop sharing.
Following are some common Communicator Web Access scenarios along with the required DNS
records.

Your Communicator Web Access URL and your computer’s fully qualified domain name
are the same
In some cases you might have just one Communicator Web Access computer (for example, a
server named im, with the fully qualified domain name (FQDN) im.contoso.com). If you intend to
use the URL https://im.contoso.com in order to access Communicator Web Access that means
that the Communicator Web Access URL and the computer’s fully qualified domain name are the
same.
Under this scenario you need to create the following DNS records:
   A host name record for the Communicator Web Access URL (im.contoso.com)
   A CNAME record, download.im.contoso.com
   A CNAME record, as.im.contoso.com

Your Communicator Web Access URL and your computer’s fully qualified domain name
are not the same
In many cases the Communicator Web Access URL and the fully qualified domain name (FQDN)
of the Communicator Web Access computer will not match. For example, suppose the computer
is named cwaserver.contoso.com, but you would like the Communicator Web Access URL to
be https://im.contoso.com. In a case like this you need to create an additional CNAME record,
one that maps im.contoso.com to cwaserver.contoso.com.
Under this scenario you need to create the following DNS records:
   A host name record for the desired URL (im.contoso.com)
   A CNAME record, download.im.contoso.com
   A CNAME record, as.im.contoso.com
Note that the as and download records should reference the Communicator Web Access URL
rather than the fully qualified domain name (FQDN) of the server.

You are using a hardware load balancer
If you are using a hardware load balancer, then your CNAME records (as and download) must
refer to the IP address of the load balancer rather than the IP address of an individual
Communicator Web Access server. In this case, you will also need to create a host name record
for the load balancer.
Under this scenario you need to create the following DNS records:
   A host name record for the desired URL (im.contoso.com)
   A CNAME record, download.im.contoso.com
   A CNAME record, as.im.contoso.com
The CNAME records should all point to the IP address of the load balancer rather than to the IP
address of any individual Communicator Web Access server.

You are using a reverse proxy server
A similar approach is required if you are using a reverse proxy server to handle external traffic
and logons. In that case, your CNAME records must refer to the IP address of the reverse proxy
server. You will also need to create a host name record for this server.
Under this scenario you need to create the following DNS records:
   A host name record for the desired URL (im.contoso.com)
   A CNAME record, download.im.contoso.com
   A CNAME record, as.im.contoso.com
The CNAME records should all point to the reverse proxy server rather than to either of the
computers. All DNS records that point to the reverse proxy server must be located in a DNS
server that is publicly available.



Creating Communicator Web Access DNS
Records
The following procedures explain the steps involved in creating host name and CNAME records
for the first scenario, the one where your Communicator Web Access (2007 R2 release) URL and
your computer’s fully qualified domain name (FQDN) are the same. A similar approach can be
used to create the required Domain Name System (DNS) records for the other Communicator Web
Access scenarios.

To create a host record for a Communicator Web Access server

   1. Log on to the DNS Server as a member of the Domain Administrators group.
   2. In the DNS snap-in, expand the name of the DNS server, expand Forward Lookup
      Zones, right-click the name of your domain, and then click New Host (A or AAAA).
   3. In the New Host dialog box enter the host name of the Communicator Web Access Web
      site (for example, im) in the Name box; make sure that the URL for that site (for example,
      im.contoso.com) appears in the Fully qualified domain name box.
   4. Type the IP address for the server in the IP address box and then click Add Host.

To create canonical name records for a Communicator Web Access server
   1. Log on to the DNS Server as a member of the Domain Administrators group.
   2. In the DNS snap-in, expand the name of the DNS server, expand Forward Lookup
      Zones, right-click the name of your domain, and then click New Alias (CNAME).
   3. In the New Resource Record dialog box enter the first “alias” for the Communicator Web
      Access server. This first alias is as. followed by the fully qualified domain name (FQDN)
      of the server. For example, if your Communicator Web Access server has the FQDN
      im.contoso.com then the alias would be as.im.contoso.com.
   4. Make sure that the fully qualified domain name (FQDN) for the alias (for example,
      as.im.contoso.com) has been entered into the Fully qualified domain name box.
   5. In the Fully qualified domain name (FQDN) for target host box type the FQDN for the
      server itself (for example, im.contoso.com), and then click OK.
   6. Right-click the name of your domain a second time and then click New Alias (CNAME).
   7. In the New Resource Record dialog box, type the next alias for the Communicator Web
      Access server. The second alias is download. followed by the FQDN of the server. For
      example, if your Communicator Web Access server has the FQDN im.contoso.com then
      the alias would be download.im.contoso.com.
   8. Make sure that the fully qualified domain name (FQDN) for the alias (for example,
      download.im.contoso.com) has been entered into the Fully qualified domain name box.
   9. In the Fully qualified domain name (FQDN) for target host box type the FQDN for the
      server itself (for example, im.contoso.com), and then click OK.
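The following PowerShell script is an added example, not part of the Microsoft guide: it creates the same host record and the two CNAME records as the procedures above, but from the command line with dnscmd, for the scenario where the Communicator Web Access URL and the server FQDN are the same, and it first applies the underscore check from the server requirements. The zone name, host name, IP address and the use of the local DNS server (".") are assumed placeholder values; for the load balancer and reverse proxy scenarios, set the IP address to that device instead.

```powershell
# Added example (not from the Microsoft guide). Run on the DNS server as a member of
# the Domain Admins group. Zone, host and IP address are assumed placeholder values.
$ZoneName = 'contoso.com'    # assumed: the forward lookup zone
$CwaHost  = 'im'             # assumed: host part of the CWA URL (im.contoso.com)
$CwaIp    = '192.0.2.10'     # assumed: CWA server IP (use the load balancer or
                             # reverse proxy IP in those scenarios)
$CwaFqdn  = "$CwaHost.$ZoneName"

# Internet Explorer rejects underscores in FQDNs, which breaks integrated
# authentication logons; stop here rather than publish a name that cannot be used.
if ($CwaFqdn -match '_') {
    throw "FQDN '$CwaFqdn' contains an underscore; rename the host before creating records."
}

# Host name (A) record for the CWA URL. "." tells dnscmd to use the local DNS server.
& dnscmd . /RecordAdd $ZoneName $CwaHost A $CwaIp

# The as. and download. CNAME records required for desktop sharing. Both target the
# CWA URL (im.contoso.com), never the server's own FQDN when the two differ.
foreach ($alias in 'as', 'download') {
    & dnscmd . /RecordAdd $ZoneName "$alias.$CwaHost" CNAME $CwaFqdn
}

# Verify: the URL and both aliases must now resolve to the same address.
foreach ($name in $CwaFqdn, "as.$CwaFqdn", "download.$CwaFqdn") {
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($name) |
            ForEach-Object { $_.IPAddressToString }
        if ($addresses -contains $CwaIp) {
            Write-Host "$name -> $CwaIp OK"
        } else {
            Write-Warning "$name resolved to [$($addresses -join ', ')], expected $CwaIp"
        }
    } catch {
        Write-Warning "$name did not resolve: $($_.Exception.Message)"
    }
}
```

If a record already exists, dnscmd reports an error for that record and the remaining records are still created; the verification loop at the end shows which names need attention.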



Configuring Internet Information Services for
Communicator Web Access
Before you can install Communicator Web Access (2007 R2 release) on a computer, that
computer must have Internet Information Services (IIS) installed and running. If you are installing
Communicator Web Access on a computer running Windows Server 2003, you only need to
install Active Server Pages and the World Wide Web Server. No additional configuration is
needed.
However, additional configuration is needed if you are installing Communicator Web Access on a
computer running Windows Server 2008 and IIS 7.0. In particular, you must do two things before
installing Communicator Web Access on a computer running IIS 7.0:
   You must install the Windows Process Activation Service, a service that enables IIS to work
     with any application that hosts the Windows Communication Foundation (WCF).
   You must configure Internet Information Services to run in IIS 6.0 compatibility mode.
For detailed steps on installing and configuring Internet Information Services see the following
topics:
   Installing IIS 7.0 for Communicator Web Access
   Installing IIS 6.0 for Communicator Web Access
If you are running Communicator Web Access under IIS 7.0, you should configure the IIS
Managed Pipeline mode after you have created your virtual servers. For details, see Configuring
Managed Pipeline Mode for IIS 7.0.


Installing IIS 7.0 for Communicator Web Access
Before you can install Communicator Web Access (2007 R2 release) on a computer running
Windows Server 2008 you must install and configure Internet Information Services (IIS) 7.0. To
ensure that IIS 7.0 will work with Communicator Web Access, install the Windows Process
Activation Service, then install and configure IIS 7.0. These tasks are described in the following
two procedures.
After installing IIS 7.0, you should verify that the folder
%SystemRoot%\Microsoft.NET\Framework64\V2.0.50727\Temporary ASP.NET Files was
created. On rare occasions, this folder is not created during setup. If that happens, you will still
be able to install Communicator Web Access, but you will not be able to connect to any virtual
server you create; instead, you will receive an error message similar to this: "The current identity
(LS03\CWAService) does not have write access to
'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files'."
If the Temporary ASP.NET Files folder does not exist, you should manually create the folder
and assign full control to IIS_IUSRS.




Note:
   If you are running Communicator Web Access under IIS 7.0 then, after you have created
   your virtual servers, you should configure Managed Pipeline mode for IIS. For details,
   see Configuring Managed Pipeline Mode for IIS 7.0.

To install Windows Process Activation Service on a Windows 2008 computer

   1. Log on to the computer as a member of the local Administrators group.
   2. In Server Manager, expand Features and then click Add Features.
   3. In the Add Features Wizard, on the Select Features page, select Windows Process
      Activation Service. Make sure that both Process Model and .NET Environment are
      selected, and then click Next.
   4. On the Confirm Installation Selections page, click Install.
   5. On the Installation Results page, click Close to close the Add Features Wizard.

To install Internet Information Services 7.0
   1. Log on to the computer as a member of the Administrators group.
   2. In Server Manager, expand Roles and then click Add Roles.
   3. In the Add Roles Wizard, on the Before You Begin page, click Next.
   4. On the Select Server Roles page, select Web Server (IIS) and then click Next.
   5. On the Select Role Services page, make sure that each of the following items has
      been selected and then click Next:
           • Static Content
           • Default Document
           • Directory Browsing
           • HTTP Errors
           • HTTP Redirection
           • ASP.NET
           • .NET Extensibility
           • Internet Server API (ISAPI) Extensions
           • ISAPI Filters
           • HTTP Logging
           • Logging Tools
           • Request Monitor
           • Tracing
           • Basic Authentication
           • Windows Authentication
           • Request Filtering
           • Static Content Compression
           • IIS Management Console
           • IIS Management Scripts and Tools
           • IIS Management Compatibility
           • IIS 6 Metabase Compatibility
           • IIS 6 WMI Compatibility
    6. On the Confirm Installation Selections page, click Install.
    7. On the Installation Results page click Close to close the Add Roles Wizard.




Configuring Managed Pipeline Mode for IIS 7.0
If you are running Communicator Web Access (2007 R2 release) under Internet Information
Services (IIS) 7.0, your users might experience lengthy logon times and you might discover that
your servers are unable to handle more than a few hundred simultaneous connections.
(Communicator Web Access should be able to accommodate around 6,500 simultaneous users.)
This is due to the way that IIS 7.0 allocates memory for IIS applications. To avoid this issue, you
should create your Communicator Web Access virtual servers and then, for each virtual server on
each computer running Communicator Web Access, change the IIS Managed Pipeline Mode.
Use the following procedure to change the pipeline mode.

To configure Managed Pipeline Mode in IIS 7.0
    1. Log on to a computer running Communicator Web Access as a member of the local
       Administrators group.

        Note:
             You need to perform this task on each computer that hosts a Communicator Web
             Access virtual server.
    2. Click Start, point to Administrative Tools, and then click Internet Information Services
       (IIS) Manager.
    3. In the IIS Manager, expand the name of your IIS server, and then click Application
       Pools.
    4. Under Application Pools, locate the name of one of the applications created for you
       when you created your Communicator Web Access virtual server (for example,
       W3SVC175074822 - Communicator Web Access), right-click the application, and then
       click Advanced Settings.
    5. In the Advanced Settings dialog box, click the Managed Pipeline Mode dropdown list,
       select Classic, and then click OK.
    6. Repeat steps 4 and 5 for any other Communicator Web Access applications running on
       the computer, and then close IIS Manager.


    7. Click Start and then click Run.
    8. In the Run dialog box, type cmd and then click OK.
    9. In the command window, type iisreset to stop and then restart IIS.
    10. Close the command window.
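The same pipeline-mode change done with appcmd.exe, as an added PowerShell example (not part of the Microsoft documentation). It assumes the application pool names created by the Create Virtual Server Wizard contain "Communicator Web Access", as in the sample name in step 4, and that it is run from an elevated prompt on each Communicator Web Access computer.

```powershell
# Added example (not from the Microsoft documentation): set the Managed Pipeline
# Mode of every Communicator Web Access application pool to Classic with
# appcmd.exe, then restart IIS, which is what steps 4 to 9 above do by hand.
# Assumption: pool names contain "Communicator Web Access" (per the sample name).

$appcmd = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'
if (-not (Test-Path $appcmd)) { throw 'appcmd.exe not found; is the IIS 7.0 Web Server role installed?' }

# appcmd prints one application pool name per line with /text:name
$pools = & $appcmd list apppool /text:name | Where-Object { $_ -like '*Communicator Web Access*' }
if (-not $pools) {
    Write-Warning 'No Communicator Web Access application pools found; create the virtual server(s) first.'
    return
}

$changed = 0
foreach ($pool in $pools) {
    # Read the current mode before changing it, so the run is idempotent
    $mode = & $appcmd list apppool "$pool" /text:managedPipelineMode
    Write-Host ("{0}: current mode = {1}" -f $pool, $mode)
    if ($mode -ne 'Classic') {
        & $appcmd set apppool "$pool" /managedPipelineMode:Classic | Out-Null
        Write-Host '  -> set to Classic'
        $changed++
    }
}

# Restart IIS so the new pipeline mode takes effect (same as the iisreset in step 9)
if ($changed -gt 0) {
    & (Join-Path $env:SystemRoot 'System32\iisreset.exe')
} else {
    Write-Host 'All Communicator Web Access pools already use Classic mode; no restart needed.'
}
```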




Installing IIS 6.0 for Communicator Web Access
If you are installing Communicator Web Access (2007 R2 release) on a computer running
Windows Server 2003, you only need to install Internet Information Services (IIS) 6.0. You can
install IIS 6.0 by completing the following procedure.

To install Internet Information Services 6.0
    1. Log on to the computer as a member of the Administrators group.
    2. In Add or Remove Programs, click Add/Remove Windows Components.
    3. In the Windows Components Wizard, on the Windows Components page, click
       Application Server and then click Details.
    4. In the Application Server dialog box, select Application Server Console. Select
       Internet Information Services (IIS) and then click Details.
    5. In the Internet Information Services (IIS) dialog box, select World Wide Web Services
       and then click Details.
    6. In the World Wide Web Services dialog box, select Active Server Pages and World
       Wide Web Server and then click OK.
    7. In the Internet Information Services (IIS) dialog box click OK.
    8. In the Application Server dialog box click OK.
    9. On the Windows Components page click Next.
    10. If prompted, insert the Microsoft Windows Server 2003 CD in your CD drive, or use the
        Browse button to locate the folder containing the Windows 2003 installation files.
    11. On the Completing the Windows Component Wizard page, click Finish.




Preparing Certificates for Communicator
Web Access
Communicator Web Access (2007 R2 release) uses two different protocols – mutual TLS (MTLS)
and Secure Sockets Layer (SSL) – to carry out its appointed tasks. MTLS is a protocol that
provides secure communication between two computers. In this case, MTLS is used to
authenticate connections between Communicator Web Access and Office Communications
Server 2007 R2.
Secure Sockets Layer (SSL) is an Internet protocol used both as a way to authenticate parties in
a conversation and as a way to encrypt that conversation. With Communicator Web Access, SSL
(and certificates) are used to secure connections between the clients and the server.
Although Communicator Web Access uses two different protocols you can typically get by with
installing a single certificate: in most cases the same certificate can be used both for MTLS and
SSL. (The MTLS certificate is assigned when you activate Communicator Web Access, while the
SSL certificate is assigned each time you create a virtual server). If you have just one
Communicator Web Access server you can use a single certificate as long as that certificate
meets the following criteria:


Subject name                      Matches the URL of the Communicator Web Access site. For
                                  example, if the URL is https://im.contoso.com then the
                                  certificate should have im.contoso.com as subject name.

Subject alternative name (SAN)    Includes the following:
                                  • The URL of the Communicator Web Access site.
                                  • The as URL.
                                  • The download URL.
                                  • The fully qualified domain name (FQDN) of the
                                    Communicator Web Access server.


For example, suppose you have a computer named cwaserver.contoso.com, and users access
this server using the host name im.contoso.com. In that case your certificate would need to
include the following information:


Subject name                                         im.contoso.com

Subject alternative name (SAN)                       im.contoso.com
                                                     as.im.contoso.com
                                                     download.im.contoso.com
                                                     cwaserver.contoso.com


It is possible for a single Communicator Web Access computer to host multiple virtual servers (for
example, im.contoso.com and im.fabrikam.com). In that case, you will need two certificates,
one for contoso.com and one for fabrikam.com.



It is also possible to have separate SSL and MTLS certificates. For example, if your Communicator
Web Access URL is https://im.contoso.com then your SSL certificate should have the following
information:


Subject name                                           im.contoso.com

Subject alternative name (SAN)                         im.contoso.com
                                                       as.im.contoso.com
                                                       download.im.contoso.com


The MTLS certificate should list the fully qualified domain name (FQDN) of the Communicator
Web Access computer in the subject name of the certificate. If the fully qualified domain name
(FQDN) of that computer is cwaserver.contoso.com then the MTLS certificate should include the
following information (with no subject alternative name required):


Subject name                                           cwaserver.contoso.com


The certificates assigned to the Communicator Web Access server and the certificates assigned
to Office Communications Server do not have to be issued by the same certification authority
(CA). This enables you to assign a certificate from a public CA to a virtual server used by external
users. For details, see Requesting a Third-Party Certificate for Communicator Web Access. This
is important for users who log on to Communicator Web Access from a public computer (for
example, a computer in an Internet cafe) or a borrowed computer. If the virtual server uses an
SSL certificate issued by a CA that is not trusted by the computer, the user will see a "blocked
content" message when he or she accesses the Communicator Web Access sign-on screen.
Although the user might be able to log on, he or she will not be able to send instant messages or
participate in desktop sharing sessions. The only solution to this problem is to assign a new
certificate to the virtual server, or have each client obtain a certificate from the CA used by that
virtual server.


Installing a Certificate Chain for Communicator
Web Access
A certificate chain establishes a “chain of trust” from a certification authority (CA) to an individual
certificate. Trust occurs if a valid certificate from that CA can be found in your root certificate
directory. As long as you trust the CA, you will automatically trust any other certificates signed by
that CA.
If you create your own certificates, your Communicator Web Access (2007 R2 release) server
probably already has a chain of trust with your internal CA. If not, you can establish this chain of
trust by downloading and installing a certificate chain.
Installing the certificate chain is especially important if your CA is running Windows Server 2003
and your Communicator Web Access server is running Windows Server 2008. Because of
changes in Windows Server 2008, you cannot request a certificate from a Windows Server 2003
CA without first installing the certificate chain. If you request a certificate without installing the
certificate chain, you will receive the following error message:
Delayed or Immediate Request: The request was submitted to the Certification Authority
successfully.
However, request processing failed. Restart the wizard and retry the operation.
Task failed: Failed to generate certificate signing request. Ensure that you have sufficient
privileges to perform certificate operations
By installing the certificate chain, you prevent this error from occurring.

To download a certificate chain
    1. Log on to the computer as a member of the local Administrators group.
    2. Open a Web browser and then, in the address bar, type the URL to the CA. For example,
       if your certificate server has a fully qualified domain name (FQDN) of
       certserver.contoso.com, the URL would be https://certserver.contoso.com/certsrv.
    3. After connecting to the Welcome page, click Download a CA certificate, certificate
       chain, or CRL.
    4. On the Download a CA Certificate, Certificate Chain, or CRL page, click Download
       CA certificate chain.
    5. In the File Download dialog box, click Save, and then save the downloaded .p7b file (a
       file format used to store certificates) to a folder on the local computer.
    6. If the Download Complete dialog box appears, click Close.

To install a certificate chain
    1. Click Start, and then click Run.
    2. In the Open box, type mmc, and then click OK.
    3. On the File menu, click Add/Remove Snap-in.
    4. In the Add/Remove Snap-in dialog box, click Add.
    5. In the list of Available Standalone Snap-ins, select Certificates.
    6. Click Add.
    7. Select Computer account, and then click Next.
    8. In the Select Computer dialog box, ensure that Local computer (the computer this
       console is running on) is selected, and then click Finish.
    9. Click Close, and then click OK.
    10. In the left pane of the Certificates console, expand Certificates (Local Computer).
    11. Expand Trusted Root Certification Authorities.
    12. Right-click Certificates, point to All Tasks, and then click Import.
    13. In the Import Wizard, click Next.

      14. Click Browse, go to the location where you saved the certificate chain, select the .p7b
          file, and then click Open.
      15. Click Next.
      16. Accept the default value Place all certificates in the following store. Under Certificate
          store, ensure that Trusted Root Certification Authorities appears.
      17. Click Next.
      18. Click Finish.




Installing a Web Server Certificate for
Communicator Web Access
After you download and install the certificate chain, you are ready to request and install the Web
Server certificate on the Communicator Web Access (2007 R2 release) server. To ensure that
you obtain the correct certificate, and to ensure that this certificate is placed in the correct
certificate store on the Communicator Web Access computer, you should request your Web
Server certificate by using the LcsCmd.exe command-line tool.
The parameters required when requesting a certificate for Communicator Web Access are
detailed in the following table.


Parameter       Sample Value                  Description

/Cert           None                          Indicates you want to work with certificates.

/Action         Request                       Indicates that you want to request a new
                                              certificate.

/sn             im.contoso.com                Subject name for the certificate. This will
                                              typically be the URL for the Communicator Web
                                              Access Web site.

/san            im.contoso.com,               Subject alternative name, with individual
                download.im.contoso.com,      entries separated by using a comma. The subject
                as.im.contoso.com,            alternative name should always include the
                cwaserver.contoso.com         following:
                                              • The host name of the Communicator Web Access
                                                site (im.contoso.com)
                                              • The as Domain Name System (DNS) record
                                              • The download DNS record
                                              • The fully qualified domain name (FQDN) of the
                                                computer where the certificate will be
                                                installed (for example, cwaserver.contoso.com)
                                              For details about the as and download records,
                                              see Configuring Communicator Web Access DNS
                                              Records.

/ca             ca-server.contoso.com         The fully qualified domain name (FQDN) of the
                                              certification authority (CA).

/ou             OCSServers                    The Active Directory organizational unit (OU)
                                              where the computer account is located.

/org            Contoso                       The organization that the computer belongs to.

/country        US                            The country where the computer is located. You
                                              must use a two-letter country abbreviation.

/city           Redmond                       The city where the computer is located.

/state          WA                            For the United States and Canada, the
                                              state/province where the computer is located.
                                              You must use a two-letter abbreviation.

/friendlyName   CWA_Certificate               A “nickname” that makes it easy to identify the
                                              certificate. Without a friendly name, the
                                              certificate will use the fully qualified domain
                                              name of the computer. As a result, you could end
                                              up with multiple certificates named
                                              cwaserver.contoso.com, making it difficult to
                                              determine which certificate is which.

/exportable     TRUE                          Indicates that the certificate can be exported.
                                              This means that you can make a copy of the
                                              certificate, either as a backup, or for use on
                                              another computer.


To request a Web Server certificate from a Windows Server CA
    1. On the computer where Communicator Web Access is to be installed, click Start, and
       then click Run.
    2. In the Run dialog box, type cmd, and then click OK.
    3. At the command prompt, type the path to the root folder on the Office Communications
       Server 2007 R2 CD and then press ENTER. For example, if your CD drive is drive F you
       would type the following:
        cd f:\
    4. If you are logged on to the computer as an administrator, type the following command to
       request the certificate (be sure to substitute your actual parameter values for the
       sample values shown here). The entire command should be typed on a single line as
       follows:
        LcsCmd.exe /Cert /Action:Request /sn:im.contoso.com /san:im.contoso.com,download.im.contoso.com,as.im.contoso.com /ca:ca-server.contoso.com /OU:OCSServers /org:Contoso /country:US /city:Redmond /state:WA /friendlyName:CWA_Certificate /exportable:TRUE

To verify installation of the Web Server certificate
    1. On the Communicator Web Access server, click Start, and then click Run.
    2. In the Run dialog box, type mmc, and then click OK.
    3. On the File menu, click Add/Remove Snap-in.
    4. In the Add/Remove Snap-in dialog box, click Add.
    5. In the list of Available Standalone Snap-ins, click Certificates.
    6. Click Add.
    7. In the Certificates Snap-in dialog box click Computer account, and then click Next.
    8. In the Select Computer dialog box, ensure that the Local computer: (the computer
       this console is running on) check box is selected, and then click Finish.
    9. Click Close, and then click OK.
    10. In the left pane of the Certificates console, expand Certificates (Local Computer),
        expand the Personal folder, and then click Certificates.
    11. Confirm that the certificate is located in this folder.
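Beyond confirming that the certificate is present, the verification can check that it actually meets the criteria from Preparing Certificates for Communicator Web Access (subject name and SAN entries for the single-certificate case) and that its chain validates. This is an added PowerShell example, not part of the Microsoft documentation; it assumes the sample friendly name and host names used in this document, which you would replace with your own.

```powershell
# Added example (not from the Microsoft documentation): check that the Web
# Server certificate in the local computer's Personal store covers every name
# Communicator Web Access needs and that its chain is trusted. The values
# below are this document's sample values (assumption); substitute your own.

$friendlyName  = 'CWA_Certificate'
$siteHost      = 'im.contoso.com'
$serverFqdn    = 'cwaserver.contoso.com'
$requiredNames = @($siteHost, "as.$siteHost", "download.$siteHost", $serverFqdn)

# Open LocalMachine\My (the "Personal" folder in the Certificates console)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$cert = $store.Certificates | Where-Object { $_.FriendlyName -eq $friendlyName } | Select-Object -First 1
$store.Close()

if (-not $cert) { throw "No certificate with friendly name '$friendlyName' in LocalMachine\My" }

# Subject CN, e.g. "CN=im.contoso.com, OU=OCSServers, O=Contoso, ..." -> im.contoso.com
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''

# DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
# Format($true) renders one "DNS Name=host" entry per line on an English system.
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) {
    $sanNames = $sanExt.Format($true) -split "`r?`n" |
        Where-Object { $_ -match '^DNS Name=' } |
        ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
}

$problems = @()
if ($cn -ne $siteHost) { $problems += "Subject CN is '$cn', expected '$siteHost'" }
foreach ($name in $requiredNames) {
    if ($sanNames -notcontains $name) { $problems += "SAN is missing '$name'" }
}
if (-not $cert.HasPrivateKey) { $problems += 'No private key is associated with the certificate' }
if ($cert.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($cert.NotAfter)" }

# Chain validation fails when the issuing CA chain has not been installed
# (see Installing a Certificate Chain for Communicator Web Access)
if (-not $cert.Verify()) { $problems += 'Chain validation failed; install the CA certificate chain' }

if ($problems.Count -eq 0) {
    Write-Host "OK: '$friendlyName' (thumbprint $($cert.Thumbprint)) covers $($requiredNames -join ', ')"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

If you use separate MTLS and SSL certificates, run the check twice with the MTLS certificate's expected subject set to the server FQDN and an empty SAN list.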




Requesting a Third-Party Certificate for
Communicator Web Access
Instead of setting up your own certificate server you can purchase certificates from a third-party
certification authority (CA). Third-party certificates are often assigned to virtual servers that
handle external users because most public CA root certificates are already in the Windows
operating system. Because of that, a certificate from a public CA enables users to connect to
Communicator Web Access (2007 R2 release) without receiving repeated security warnings, and
without having to download and install a certificate from your organization’s CA.

Note:
    If you decide to use certificates from a third-party CA, keep in mind that the CA must be
    able to process certificate requests in the Certificate Management protocol, using the
    Cryptographic Message Syntax (CMS) Public Key Infrastructure (PKI) format.
For details about how to purchase, download, and install these certificates, you need to contact
the CA itself.




Installing and Activating Communicator Web
Access
Before Communicator Web Access (2007 R2 release) is ready to use you must complete the
following four steps:
1. Install the Communicator Web Access software.
2. Activate the new Communicator Web Access server.
3. Create at least one virtual server.
4. Publish the Communicator Web Access URLs to Active Directory.
You can use the Office Communications Server Deployment Wizard to carry out these steps.
Alternatively, you can install the server from the command prompt (step 1), then use the
command prompt to start the Create Virtual Server Wizard (step 3). However, you cannot fully
install, activate, and configure Communicator Web Access from the command prompt, or by
using a script or batch file.


Installing Communicator Web Access Using the
Deployment Wizard
You can use the Office Communications Server 2007 R2 Deployment Wizard to install and
activate Communicator Web Access (2007 R2 release). To install and activate the software,
perform the following two procedures.

To install the Communicator Web Access files
    1. Log on to the computer where Communicator Web Access is to be installed as a member of
       both the local Administrators group and the Domain Admins group.
    2. From the Office Communications Server 2007 R2 installation media, double-click
       SetupSE.exe (if you are installing Office Communications Server Standard Edition) or
       SetupEE.exe (if you are installing Office Communications Server Enterprise Edition).
    3. On the Office Communications Server 2007 R2 Deployment Wizard page, click
       Deploy Other Server Roles.
    4. On the Deploy Other Server Roles page, click Deploy Communicator Web Access.
    5. On the Deploy Communicator Web Access page, at Step 1: Install Communicator
       Web Access, click Install.
    6. On the License Agreement page, click I accept the terms in the license agreement
       (required to proceed), and then click Next.
    7. On the Install location for Microsoft Office Communications Server 2007 R2,
       Communicator Web Access page do one of the following:
           • To accept the default installation location, click Next.
           • To specify a different default location, in the Location box, type the path where
             Communicator Web Access server should be installed, and then click Next.
     8. Do not close the Deployment Wizard window. Instead, continue directly to the next
        procedure to activate Communicator Web Access.

To activate Communicator Web Access
     1. On the Deploy Communicator Web Access page, at Step 2: Activate Communicator Web
        Access, click Run.
     2. On the Welcome page, click Next.
     3. On the Select domain service account page, do one of the following:
            • Click Create an account and then, in the Account name box, type the name of a new
              service account that you want Communicator Web Access to run under. Type a
              password for the account in both the Password and Confirm password boxes, and
              then click Next.
            • Click Use an existing account. Type the name of the existing account in the
              Account name box, and then type the account password in the Password box. Click
              Next.
     4. On the Select Server Certificate page, click Select Certificate.
     5. In the Select Certificate dialog box, click the certificate you installed before beginning
        Setup. If you are using separate mutual TLS (MTLS) and Secure Sockets Layer (SSL)
        certificates, be sure you select the MTLS certificate when activating Communicator Web
        Access. Click OK.
     6. On the Select Server Certificate page, click Next.
     7. On the Confirm Installation page, click Next.
     8. After the server has been activated, click Close on the Activation Complete page to
        close the Activation Wizard.
     9. Do not close the Deployment Wizard window. Instead, continue directly to the procedure
        Creating a Communicator Web Access Virtual Server to create a virtual server.




Installing Communicator Web Access By Using
the Command Line
You can install Communicator Web Access (2007 R2 release) from the command prompt. This
enables you to use a script or batch file to install the application. Before you can do this, the
following software must be installed on the target server:
   • Microsoft Visual C++ Redistributable
   • Microsoft .NET Framework 3.5 Service Pack 1 (installing the .NET Framework requires you
     to reboot the computer)
   • Office Communications Server Core Components
   • SQL Server Native Client
   • Microsoft Unified Communications Managed API Redistributable
Setup cannot proceed if any of these items are not installed. If you install Communicator Web
Access by using the Setup Wizard, the wizard detects any missing components and gives you the
option of installing them.
Because of this, you might find it easier to use the Setup Wizard to install Communicator Web
Access. However, if these components have already been installed you can use the following
command-line procedure to install Communicator Web Access.

To install Communicator Web Access by using the command prompt
     1. Log on to the computer where you want to install the Communicator Web Access snap-in
        as a member of both the local Administrators group and the Domain Admins group.
     2. Click Start, and then click Run.
     3. In the Run dialog box, type cmd, and then click OK.
     4. At the command prompt, type the path to the Setup\CWA folder on the Office
        Communications Server 2007 R2 CD, and then press ENTER. For example, if your CD
        drive is drive F you would type the following:
         cd f:\setup\cwa
     5. Type the following command to install Communicator Web Access:
         CWAMain.msi
         If you would like to create a log file for the installation process then add the /lv switch
         followed by the file path for the log file. For example, to save a log file as
         C:\Logs\CWA_Install.txt use the following command:
         CWAMain.msi /lv c:\logs\cwa_install.txt
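The following PowerShell script is an added example and is not part of this documentation or of the product. It performs the prerequisite check that the Setup Wizard would otherwise do for you, then runs CWAMain.msi through msiexec with a verbose log, and stops on a non-zero exit code. The registry display-name patterns used to find the prerequisites, the function names, and the drive letter are assumptions; adjust the patterns to what Programs and Features shows on your server.

```powershell
# Added example (not Microsoft's code): scripted Communicator Web Access install
# with a prerequisite check, as a replacement for typing the commands by hand.
$ErrorActionPreference = 'Stop'

function Get-InstalledProductNames {
    # DisplayName of every product registered under the Uninstall keys
    # (native and Wow6432Node views); this is what Programs and Features lists.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($key in $keys) {
        if (Test-Path $key) {
            Get-ChildItem $key | ForEach-Object {
                $name = (Get-ItemProperty $_.PSPath).DisplayName
                if ($name) { $name }
            }
        }
    }
}

function Test-DotNet35Sp1 {
    # .NET Framework 3.5 SP1 registers Install=1 and SP=1 under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty $key
    return ($p.Install -eq 1 -and $p.SP -ge 1)
}

function Test-CwaPrerequisites {
    param([string[]] $InstalledNames = (Get-InstalledProductNames))
    # Display-name patterns are assumptions derived from the product names in
    # the prerequisite list; each pattern must match at least one product.
    $required = @{
        'Microsoft Visual C++ Redistributable'                  = '*Visual C++*Redistributable*'
        'Office Communications Server Core Components'          = '*Office Communications Server 2007 R2*Core Components*'
        'SQL Server Native Client'                              = '*SQL Server*Native Client*'
        'Microsoft Unified Communications Managed API Redist.'  = '*Unified Communications Managed API*'
    }
    $missing = @()
    foreach ($item in $required.GetEnumerator()) {
        $found = $InstalledNames | Where-Object { $_ -like $item.Value }
        if (-not $found) { $missing += $item.Key }
    }
    if (-not (Test-DotNet35Sp1)) { $missing += 'Microsoft .NET Framework 3.5 Service Pack 1' }
    return $missing
}

function Install-Cwa {
    param(
        [string] $MsiPath = 'F:\setup\cwa\CWAMain.msi',   # drive F, as in the procedure
        [string] $LogDir  = 'C:\Logs'
    )
    $missing = @(Test-CwaPrerequisites)
    if ($missing.Count -gt 0) {
        # Setup cannot proceed without these; unlike the wizard, this script
        # does not install them for you.
        throw "Install the following before running Setup: $($missing -join ', ')"
    }
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    $log = Join-Path $LogDir ('CWA_Install_{0:yyyyMMdd_HHmmss}.txt' -f (Get-Date))

    # /i installs the package; /lv writes a verbose log, as in the procedure above.
    $proc = Start-Process -FilePath msiexec.exe -Wait -PassThru `
        -ArgumentList '/i', "`"$MsiPath`"", '/lv', "`"$log`""
    if ($proc.ExitCode -ne 0) {
        throw "msiexec exited with code $($proc.ExitCode); see $log"
    }
    "Communicator Web Access setup finished; log: $log"
}

# Run in an elevated session as a member of the groups named in step 1.
Install-Cwa
```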




Creating a Communicator Web Access
Virtual Server
After you have installed and activated Communicator Web Access (2007 R2 release), you must
create at least one Communicator Web Access virtual server. Users cannot use instant
messaging, audio conferencing, or any other feature of Communicator Web Access unless they
have a virtual server to log on to.

Note:
     For the most part, a virtual server is simply a Web site. If users log on to Communicator
     Web Access using the URL https://im.contoso.com, https://im.contoso.com is not only a
     Web site but is also a Communicator Web Access virtual server. The value of virtual
     servers is that they allow a single Internet Information Services (IIS) computer to host
     multiple Web sites. For example, one computer could host https://im.fabrikam.com as well as
     https://im.contoso.com.
If you plan to handle requests from both internal users (that is, users behind the organization’s
firewall) and from external users (that is, users outside the organization’s firewall) then you will
need to create two virtual servers: one for internal users and one for external users. You can use
the Deployment Wizard to create the first virtual server, and then use the Communicator Web
Access snap-in to create the second virtual server.

Note:
     If you are going to handle requests from external users, it is strongly recommended that
     you use a reverse proxy server to publish that virtual server to the Web. For details about
     using a reverse proxy server to publish a Communicator Web Access virtual server, see
     Using a Reverse Proxy to Enable Remote User Access. In addition, and for security
     reasons, it is recommended that you host the virtual server for internal users and the
     virtual server for external users on separate computers.
To create the first virtual server on a computer, see the procedure To create the first virtual server
in Creating a Communicator Web Access Virtual Server By Using the Deployment Wizard. If you
want to create a second virtual server on that same computer, this task must be carried out by
using the Communicator Web Access snap-in. To create a second virtual server on a computer,
do the following:
   Open the Communicator Web Access snap-in, right-click the name of the server where the
     virtual server is to be created and then click Create Virtual Server.
   After the Create Virtual Server Wizard appears, use the same approach you use to create
     the first virtual server on the computer.
Before you create a virtual server, you need to choose an authentication method, a connectivity
type, and a next hop server.


Authentication Methods
When you create a virtual server you will need to specify values for a number of key properties,
beginning with the authentication mechanism. Communicator Web Access provides several
authentication options.
Integrated (NTLM/Kerberos) password authentication
This is the most secure type of authentication and the option that requires the least amount of
effort. With integrated password authentication, users do not have to enter a user name and
password. Instead, they are authenticated using the same credentials they used when they
logged on to their computer.
However, there are two drawbacks to integrated password authentication. First, this type of
authentication can only be used with internal virtual servers; external users always have to supply
credentials, which means that sites that handle external logon requests must use either
forms-based or custom authentication.
Second, integrated password authentication can only be used by people who log on from a
computer running Microsoft Windows and are using a Web browser that supports NTLM or
Kerberos authentication. If all of your users are internal users running Internet Explorer and
Microsoft Windows, then you can use integrated password authentication as your sole
authentication mechanism. Otherwise, you will need to use both integrated password
authentication and forms-based authentication, or you will need to use a custom authentication
method.

Note:
     If you use both integrated password authentication and forms-based authentication,
     Communicator Web Access will first try to log a user on using integrated password
     authentication. If that fails, the user will then be given the chance to log on using forms-
     based authentication.
Forms-based authentication
With forms-based authentication, a user attempting to access a Communicator Web Access
virtual server is presented with a logon dialog box. The user must then present his or her
credentials (that is, domain, user name, and password) before he or she can be authenticated
and access the site. Forms-based authentication enables you to provide support for:
   Macintosh and Linux users
   Users who are not running Internet Explorer
   External users (that is, users logging on from outside the organization’s firewall)
The downside to forms-based authentication is that it is not a very secure mechanism. For
example, user credentials are passed to the server in plain-text format. Because of that, it is
highly recommended that you employ HTTPS connectivity for any virtual server that allows forms-
based authentication.
Custom authentication
In addition to the authentication mechanisms built into the Windows operating system,
Communicator Web Access also supports custom or third-party authentication methods. For
example, Communicator Web Access supports the use of two-factor authentication, in which two
pieces of identification (typically a smart card and a Personal Identification Number (PIN)) must
be presented before a user can be authenticated.
Communicator Web Access also supports single sign-on authentication, although only with
Microsoft Internet Security and Acceleration Server (ISA) 2006. With single sign-on, a user can
log on once and be granted access to multiple applications. For example, a user can log on to
Microsoft Outlook Web Access and automatically be logged on to Communicator Web Access as
well (or vice-versa).

Note:
     If you use single sign-on you should specify the option Sign-Out URL, a URL that the
     user will be taken to whenever he or she signs out from Communicator Web Access. By
     visiting this page, the user can be assured that any authentication cookies stored on their
     computer will be deleted. For details, see the documentation for your custom
    authentication method.


Connectivity Type
After specifying the authentication mechanism you need to specify the connectivity type.
Communicator Web Access supports two different connectivity protocols: HTTP and HTTPS. Of
the two, HTTPS is preferred because it is the more secure protocol. Among other things, HTTPS
encrypts all the traffic between the server and the browser. If you decide to use HTTPS (the
recommended protocol), you need to assign this connection a certificate. For details, see
Preparing Certificates for Communicator Web Access.

Note:
    The HTTPS protocol is required if you intend to implement desktop sharing. If you log on
    to a Communicator Web Access Web site that uses the HTTP protocol the desktop
    sharing button will be disabled. If you hold the mouse over the button a tooltip will appear
    stating that, “Desktop sharing requires a secure connection (HTTPS). Contact your
    system administrator.”
You must also assign each virtual server an IP address and port. Virtual servers can share IP
addresses, but virtual servers cannot share ports: each virtual server must have its own port, a
port not used by any other application. By default, Setup suggests using port 443 for HTTPS
connections and port 80 for HTTP connections. Because these are also the ports used by the
Default Web Site in Internet Information Services (IIS) you will need to shut down that site before
those ports can be assigned to Communicator Web Access.
As noted, when you create a virtual server you must specify a port to be used by that server. If
the specified port is already in use by another application the Setup program will inform you that
the port has already been reserved, and will ask you to select a different port number. For
example, port 443 is used by the Default Web Site in IIS. If you have not disabled this Web site
Setup will not allow you to use port 443 as a virtual server port.
However, Communicator Web Access does not always recognize ports that are currently in use
by a Windows system component. For example, suppose you select port 137 when creating a
virtual server. Setup will allow you to use that port number, and will create the virtual server for
you. However, you will not be able to start this new virtual server. That is because this port is
used by File and Printer Sharing. If this happens, you will need to use the Communicator Web
Access snap-in to change the port number.
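The following PowerShell script is an added example and is not part of this documentation or of the product. Because Setup accepts a port that a Windows system component is using and the virtual server then fails to start, the script checks a candidate port before it is typed into the Create Virtual Server Wizard, both against the ports currently bound on the computer (parsed from netstat -ano output) and against the system ports this topic and the procedures name (135, 137, and 445). It applies equally to the virtual server port and to the SIP listening port. The function names, the parsing logic, and the sample netstat output are this example's own.

```powershell
# Added example (not Microsoft's code): pre-check a candidate virtual server or
# SIP listening port before creating the virtual server.

function Get-ListeningPorts {
    # Returns one object per TCP socket in LISTENING state and per bound UDP
    # socket. Accepts netstat output as a parameter so the parser can be
    # exercised offline; by default it runs 'netstat -ano' on this computer.
    param([string[]] $NetstatLines = (netstat -ano))

    foreach ($line in $NetstatLines) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Length -lt 4) { continue }            # headings, blank lines
        $proto = $fields[0].ToUpper()
        if ($proto -ne 'TCP' -and $proto -ne 'UDP') { continue }

        # Local address is 'ip:port' or '[ipv6]:port'; the port follows the last colon.
        $local = $fields[1]
        $port  = [int] $local.Substring($local.LastIndexOf(':') + 1)

        if ($proto -eq 'TCP') {
            # TCP rows: Proto, Local, Foreign, State, PID; only LISTENING reserves the port.
            if ($fields.Length -lt 5 -or $fields[3] -ne 'LISTENING') { continue }
            $owner = $fields[4]
        } else {
            # UDP rows have no State column: Proto, Local, Foreign, PID.
            $owner = $fields[3]
        }
        New-Object PSObject -Property @{ Protocol = $proto; Port = $port; ProcessId = $owner }
    }
}

function Test-CwaPortFree {
    # $true when the port is neither bound on this computer nor one of the
    # system ports the documentation says Setup accepts but that leave the
    # virtual server unable to start.
    param(
        [Parameter(Mandatory = $true)] [int] $Port,
        [string[]] $NetstatLines = (netstat -ano)
    )
    # Ports named in this topic and in the Create Virtual Server procedures.
    $systemPorts = 135, 137, 445
    if ($systemPorts -contains $Port) { return $false }

    $bound = @(Get-ListeningPorts -NetstatLines $NetstatLines | Where-Object { $_.Port -eq $Port })
    return ($bound.Count -eq 0)
}

# Constructed sample of 'netstat -ano' output for an offline demonstration:
# the IIS Default Web Site on 80/443, an OCS SIP listener on 5061, and
# NetBIOS name service on UDP 137.
$sample = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4',
    '  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4',
    '  TCP    192.168.1.123:49152    10.0.0.7:5061          ESTABLISHED     2244',
    '  TCP    [::]:5061              [::]:0                 LISTENING       2244',
    '  UDP    0.0.0.0:137            *:*                                    4'
)

foreach ($candidate in 443, 4443, 5061, 5062, 137) {
    $state = if (Test-CwaPortFree -Port $candidate -NetstatLines $sample) { 'free' } else { 'IN USE' }
    'Port {0,5}: {1}' -f $candidate, $state
}
# Expected with the sample above: 443 IN USE, 4443 free, 5061 IN USE, 5062 free, 137 IN USE.
# Omit -NetstatLines to check the live computer instead of the sample.
```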


Next Hop Server
Finally, you will need to assign the virtual server a “next hop server.” When a user participates in
a conference, messages need to be passed between the Communicator Web Access server and
the user’s home server. Anonymous users (that is, users who do not have an account in your
Active Directory domain or the domain of a federated partner) can participate in conferences.
However, because anonymous users do not have a home server there is no place for
Communicator Web Access to relay messages.
Because of this you must assign each virtual server a “next hop” server, a server (or pool of
servers) that can act as a home server for anonymous users. A next hop server can be any
computer in the forest that is running Office Communications Server 2007 R2.
When you assign a next hop server, make sure that the next hop server is up and running. Do not
assign a next hop server that is currently offline or is going to be taken offline. If the next hop
server fails, Communicator Web Access will fail as well. Because of this, it is recommended that
you use a server pool as your next hop server. That way, the failure of a single server will not
cause Communicator Web Access to fail.
Again, note that the Setup wizard only lets you create one virtual server per Communicator Web
Access computer. If you want to create a second virtual server on this same computer (for
example, so that one Communicator Web Access server can support both internal and external
users), you need to create the second server using the Communicator Web Access snap-in. For
details, see Creating a Communicator Web Access Virtual Server By Using Communicator Web
Access Snap-in.


Creating a Communicator Web Access Virtual
Server By Using the Deployment Wizard
This procedure assumes you are using the Deployment Wizard to install the first virtual server on
a computer running Communicator Web Access (2007 R2 release). In addition, this procedure
assumes you have just finished installing and activating Communicator Web Access and that the
Deployment Wizard is still running. If the Deployment Wizard is not running or if this is not the first
virtual server you are creating on the computer, see Creating a Communicator Web Access
Virtual Server By Using the Command Line or Creating a Communicator Web Access Virtual
Server By Using Communicator Web Access Snap-in.

To create the first virtual server

    1. On the Deploy Communicator Web Access page, at Step 3: Create Virtual Server, click
       Run.
    2. In the Create Virtual Server Wizard, on the Welcome page, click Next.
    3. On the Select Virtual Server Type page, click Internal or External and then click Next.
    4. On the Select Authentication Type page, do one of the following:
           If you want the virtual server to support the authentication methods built into the
             operating system, click Use built-in authentication and then click Next.
           If you want the virtual server to support authentication mechanisms not built into the
             operating system, click Use custom authentication. If you select this option, you
             can also enter a URL in the Sign-Out URL (Optional) box. This represents the URL
             of the Web page that users will see after they sign out of Communicator Web Access.
             Click Next.
    5. Do one of the following:
           If you chose built-in authentication and you are creating an internal virtual server,
         select Forms-based authentication and/or Integrated (NTLM/Kerberos)
         password authentication from the Select Authentication Type page. Click Next.
       If you are creating an external virtual server, you will see the Select Authentication
         Type page. However, you will not be able to select an authentication mechanism.
         Instead, Forms-based authentication will automatically be selected for you. Click
         Next.
       If you chose custom authentication you will not see the Select Authentication Type
         page. That is because neither forms-based authentication nor integrated password
         authentication can be used with custom authentication. Instead, you will go directly to
         the Select Connection Type page.
6. On the Select Connection Type page do one of the following:
       Select HTTP (May be used with SSL accelerator) and then click Next.
       Select HTTPS (Recommended) and then click the Select Certificate button. In the
         Select Certificate dialog box, select the certificate to be used with this virtual server.
         Click the appropriate certificate and then click OK. On the Select Connection Type
         page, click Next.
7. On the Select IP Address and Port Settings page, select the IP address to be assigned
   to the virtual server. In the Port box, type the port to be used by the virtual server. Click
   Next.
8. On the Server Description page, type a name for the virtual server in the Description
   box; this is the way the virtual server will be identified both in the Communicator Web
   Access snap-in and in the Internet Information Services (IIS) snap-in. Click Next.
9. On the Select a listening port page, type the port number that the Communicator Web
   Access server uses to listen for Session Initiation Protocol (SIP) messages in the
   Listening port box and then click Next. Do not select a port that is already in use by
   another application (for example, port 135, which is used by Remote Desktop, or port
   445, which is used by file and printer sharing). If you select a port that is already in use,
   setup will continue, but, upon completion, you will not be able to start your virtual server.
10. On the Select a pool page select the fully qualified domain name of the Office
    Communications 2007 R2 server or server pool that will act as a “next hop” server for
    anonymous users. Select the next hop server from the Next hop pool dropdown list, type
    the SIP listening port (typically port 5061) in the Port box, and then click Next.
11. On the Start Server Option page, select Start this virtual server after the Create
    Virtual Server Wizard finishes and then click Next; this ensures that the virtual server
    will start immediately after it is created.
12. On the Review Settings Before Virtual Server Creation page, verify that the virtual
    server has been configured correctly and then click Next.
13. On the Create Virtual Server Complete page, click Close to close the Create Virtual
    Server Wizard.



Creating a Communicator Web Access Virtual
Server By Using the Command Line
Instead of using Setup you can also start the Create Virtual Server Wizard by running the file
CWACreateVirtualServer.msi. Note that there are no command-line options that enable you to
actually create a virtual server. All you can do is start the Create Virtual Server Wizard.
This means that there is no difference in the installation process. However, there is a slight
savings in time. When you start it from the command line, the Wizard starts immediately. By
contrast, it can take a minute or so longer to load Setup and then start the Wizard from there.

To create a virtual server from the command prompt
    1. Log on to the computer where you want to install the Communicator Web Access snap-in
       as a member of both the local Administrators group and the Domain Admins group.
    2. Click Start, and then click Run.
    3. In the Run dialog box, type cmd, and then click OK.
    4. At the command prompt, type the path to the Setup\CWA folder on the Office
       Communications Server 2007 R2 CD and then press ENTER. For example, if your CD
       drive is drive F, you would type the following:
        cd f:\setup\cwa
    5. Type the following command to start the Create Virtual Server Wizard:
        CWACreateVirtualServer.msi
        If you would like to create a log file for the installation process then add the /lv switch
        followed by the file path for the log file. For example, to save a log file as
        C:\Logs\CWA_Install.txt use the following command:
        CWACreateVirtualServer.msi /lv c:\logs\cwa_install.txt
    6. In the Create Virtual Server Wizard, on the Welcome page, click Next.
    7. On the Select Virtual Server Type page, click Internal or External and then click Next.
    8. On the Select Authentication Type page, do one of the following:
           If you want the virtual server to support the authentication methods built into the
             operating system, click Use built-in authentication and then click Next.
           If you want the virtual server to support authentication mechanisms not built into the
             operating system, click Use custom authentication. If you select this option, you
             can also enter a URL in the Sign-Out URL (Optional) box. This represents the URL
             of the Web page that users will see after they sign out of Communicator Web Access.
             Click Next.
    9. Do one of the following:
           If you chose built-in authentication and you are creating an internal virtual server,
             select Forms-based authentication and/or Integrated (NTLM/Kerberos)
             password authentication from the Select Authentication Type page. Click Next.
       If you are creating an external virtual server, you will see the Select Authentication
         Type page. However, you will not be able to select an authentication mechanism.
         Instead, Forms-based authentication will be selected for you automatically. Click
         Next.
       If you chose custom authentication you will not see the Select Authentication Type
         page. That is because neither forms-based authentication nor integrated password
         authentication can be used with custom authentication. Instead, you go directly to the
         Select Connection Type page.
10. On the Select Connection Type page do one of the following:
       Select HTTP (May be used with SSL accelerator) and then click Next.
       Select HTTPS (Recommended) and then click the Select Certificate button. In the
         Select Certificate dialog box, select the certificate to be used with this virtual server.
         Click the appropriate certificate and then click OK. On the Select Connection Type
         page, click Next.
11. On the Select IP Address and Port Settings page, select the IP address to be assigned
    to the virtual server. In the Port box, type the port to be used by the virtual server. Click
    Next. Do not select a port that is already in use by another application (for example, port
    135, which is used by Remote Desktop, or port 445, which is used by file and printer
    sharing). If you select a port that is already in use, setup will continue, but, upon
    completion, you will not be able to start your virtual server.
12. On the Server Description page, type a name for the virtual server in the Description
    box; this is the way the virtual server will be identified both in the Communicator Web
    Access snap-in and in the Internet Information Services (IIS) snap-in. Click Next.
13. On the Select a listening port page, type the port number that the Communicator Web
    Access server uses to listen for Session Initiation Protocol (SIP) messages in the
    Listening port box and then click Next.
14. On the Select a pool page select the fully qualified domain name of the Office
    Communications 2007 R2 server or server pool that will act as a “next hop” server for
    anonymous users. Select the next hop server from the Next hop pool dropdown list, type
    the SIP listening port (typically port 5061) in the Port box, and then click Next.
15. On the Start Server Option page, select Start this virtual server after the Create
    Virtual Server Wizard finishes and then click Next. This ensures that the virtual server
    will start immediately after it is created.
16. On the Review Settings Before Virtual Server Creation page, verify that the virtual
    server has been configured correctly and then click Next.
17. On the Create Virtual Server Complete page, click Close to close the Create Virtual
    Server Wizard.




Creating a Communicator Web Access Virtual
Server By Using Communicator Web Access
Snap-in
Depending on your needs you might want to create more than one virtual server on a single
Communicator Web Access (2007 R2 release) computer. The Deployment Wizard only gives you
the option to install a single virtual server. If you want to install a second virtual server on a
computer, this must be done by using the Communicator Web Access snap-in.
Before you begin installing a second virtual server, keep in mind that:
   Virtual servers must have unique IP addresses, or if the IP addresses are the same they
     must use different ports. For example, suppose your Communicator Web Access server has
     a single IP address (for example, 192.168.1.123) and you install an internal virtual server on
     port 443. If you decide to install an external virtual server on the same computer, that server
     cannot be assigned port 443. Instead, it needs to be assigned an unused port.
   The Communicator Web Access snap-in is not installed when you run the Deployment
     Wizard. Before you can use the Communicator Web Access snap-in, you must install it as
     described in the topic Installing the Communicator Web Access Snap-in.

To create another Communicator Web Access virtual server
     1. Log on to the computer that is running the Communicator Web Access snap-in as a
        member of the local Administrators group and the RTCUniversalServerAdmins group.
     2. Click Start, point to Administrative Tools, and then click Microsoft Office
        Communications Server 2007 R2, Communicator Web Access.
     3. In the Communicator Web Access snap-in, in the scope pane, locate the name of the
        computer that will host the virtual server, right-click the computer name, and then click
        Create Virtual Web Server.
     4. In the Create Virtual Server Wizard, on the Welcome page, click Next.
     5. On the Select Virtual Server Type page, click Internal or External and then click Next.
     6. On the Select Authentication Type page, do one of the following:
            If you want the virtual server to support the authentication methods built into the
              operating system, click Use built-in authentication and then click Next.
            If you want the virtual server to support authentication mechanisms not built into the
              operating system, click Use custom authentication. If you select this option, you
              can also type a URL in the Sign-Out URL (Optional) box. This represents the URL
              of the Web page that users will see after they sign out of Communicator Web Access.
              Click Next.
     7. Do one of the following:
            If you chose built-in authentication and you are creating an internal virtual server,
              select Forms-based authentication and/or Integrated (NTLM/Kerberos)
              password authentication from the Select Authentication Type page. Click Next.
       If you are creating an external virtual server, you will see the Select Authentication
         Type page. However, you will not be able to select an authentication mechanism.
         Instead, Forms-based authentication will automatically be selected for you. Click
         Next.
       If you chose custom authentication you will not see the Select Authentication Type
         page. That is because neither forms-based authentication nor integrated password
         authentication can be used with custom authentication. Instead, you will go directly to
         the Select Connection Type page.
8. On the Select Connection Type page do one of the following:
       Select HTTP (May be used with SSL accelerator) and then click Next.
       Select HTTPS (Recommended) and then click the Select Certificate button. In the
         Select Certificate dialog box, select the certificate to be used with this virtual server.
         Click the appropriate certificate and then click OK. On the Select Connection Type
         page, click Next.
9. On the Select IP Address and Port Settings page, select the IP address to be assigned
   to the virtual server. In the Port box, type the port to be used by the virtual server. Click
    Next. Do not select a port that is already in use by another application (for example, port
    135, which is used by Remote Desktop, or port 445, which is used by file and printer
    sharing). If you select a port that is already in use, setup will continue, but, upon
    completion, you will not be able to start your virtual server.
10. On the Server Description page, type a name for the virtual server in the Description
    box. This is the way that the virtual server will be identified both in the Communicator
    Web Access snap-in and in the Internet Information Services (IIS) snap-in. Click Next.
11. On the Select a listening port page, type the port number that the Communicator Web
    Access server uses to listen for Session Initiation Protocol (SIP) messages in the
    Listening port box and then click Next.
12. On the Select a pool page select the fully qualified domain name of the Office
    Communications 2007 R2 server or server pool that will act as a “next hop” server for
    anonymous users. Select the next hop server from the Next hop pool dropdown list, type
    the SIP listening port (typically port 5061) in the Port box, and then click Next.
13. On the Start Server Option page, select Start this virtual server after the Create
    Virtual Server Wizard finishes and then click Next; this ensures that the virtual server
    will start immediately after it is created.
14. On the Review Settings Before Virtual Server Creation page, verify that the virtual
    server has been configured correctly and then click Next.
15. On the Create Virtual Server Complete page, click Close to close the Create Virtual
    Server Wizard.




Configuring Virtual Server Thread Settings
For maximum performance and scalability, it is recommended that you modify the Internet
Information Services (IIS) thread limits after creating a Communicator Web Access (2007 R2
release) virtual server. This is especially important if your Communicator Web Access server will
need to handle more than just a few hundred simultaneous connections.

To configure virtual server thread settings
    1. Log on to the computer that is running Communicator Web Access as a member of the
       local Administrators group and the RTCUniversalServerAdmins group.
    2. Click Start and then click Run.
    3. In the Run dialog box, type wbemtest and then press ENTER.
    4. In the Windows Management Instrumentation Tester, click Connect.
    5. In the Connect dialog box, type root\default\rtccwa_repository in the Namespace box,
       and then press ENTER.
    6. In the Windows Management Instrumentation Tester, click Open Class.
    7. In the Get Class Name dialog box, type MSFT_CWASiteSetting in the Enter Target
       Class Name box, and then press ENTER.
    8. In the Object Editor for MSFT_CWASiteSetting dialog box, select Hide System
       Properties and then click Instances.
    9. All of the virtual servers installed on the computer will be displayed in the Query Result
       dialog box. To view the properties for a particular virtual server, double-click the server
       name.
    10. In the Object Editor dialog box, select MaxThreadLimit and then click Edit Property.
    11. In the Property Editor dialog box type 12 in the Value box and then click Save
        Property.
    12. In the Object Editor dialog box, select MinThreadLimit and then click Edit Property.
    13. In the Property Editor dialog box, type 3 in the Value box and then click Save Property.
    14. In the Object Editor dialog box, click Save Object.
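The following PowerShell script is an added example and is not part of this documentation or of the product. It makes the same change as the wbemtest procedure above, but through WMI from a script, so the thread limits can be applied to every virtual server on the computer and verified afterwards. The namespace, class, and property names are those the procedure uses; the function name and its parameters are assumptions.

```powershell
# Added example (not Microsoft's code): set MaxThreadLimit and MinThreadLimit on
# every MSFT_CWASiteSetting instance, then read the values back to verify them.

function Set-CwaThreadLimits {
    [CmdletBinding()]
    param(
        [int]    $MaxThreadLimit = 12,   # value typed in step 11 of the procedure
        [int]    $MinThreadLimit = 3,    # value typed in step 13 of the procedure
        [string] $ComputerName   = '.'   # '.' is the local computer
    )
    if ($MinThreadLimit -gt $MaxThreadLimit) {
        throw "MinThreadLimit ($MinThreadLimit) cannot exceed MaxThreadLimit ($MaxThreadLimit)."
    }

    # Namespace and class from steps 5 and 7 of the procedure.
    $namespace = 'root\default\rtccwa_repository'
    $sites = @(Get-WmiObject -Namespace $namespace -Class MSFT_CWASiteSetting -ComputerName $ComputerName)
    if ($sites.Count -eq 0) {
        throw "No MSFT_CWASiteSetting instances found on $ComputerName; has a virtual server been created?"
    }

    foreach ($site in $sites) {
        $before = '{0}/{1}' -f $site.MinThreadLimit, $site.MaxThreadLimit
        $site.MaxThreadLimit = $MaxThreadLimit
        $site.MinThreadLimit = $MinThreadLimit
        [void] $site.Put()   # commits the change, like Save Object in wbemtest
        Write-Verbose ('{0}: min/max {1} -> {2}/{3}' -f $site.__RELPATH, $before, $MinThreadLimit, $MaxThreadLimit)
    }

    # Read back from the repository and warn if anything did not persist.
    $after = @(Get-WmiObject -Namespace $namespace -Class MSFT_CWASiteSetting -ComputerName $ComputerName)
    foreach ($site in $after) {
        if ($site.MaxThreadLimit -ne $MaxThreadLimit -or $site.MinThreadLimit -ne $MinThreadLimit) {
            Write-Warning ('{0} did not keep the requested values.' -f $site.__RELPATH)
        }
    }
    $after | Select-Object __RELPATH, MinThreadLimit, MaxThreadLimit
}

# Apply the documented values (12 and 3) to all virtual servers on this computer.
# Run in an elevated session as a member of the groups named in step 1.
Set-CwaThreadLimits -Verbose
```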




Publishing Communicator Web Access URLs
Office Communications Server 2007 R2 enables users to invite other people, including
anonymous users, to participate in instant messaging conferences, audio conferences, and
desktop sharing sessions. To enable people to schedule and to join these conferences,
Communicator Web Access (2007 R2 release) hosts a pair of Web pages (that is, dialin and join).
Before you can use these pages for scheduling and joining conferences, the URLs must be
published to Active Directory. You can do this either when you create a virtual server or later by
using the Communicator Web Access snap-in.
When you publish URLs you are given four publishing options:
   External virtual server URL
   Internal virtual server URL
   Dial-in conference information suffix
   Anonymous conference join suffix
The dial-in conference information suffix is the name of the page where users can configure dial-
in conference information. By default, the dial-in conference information suffix (that is, page
name) is dialin. If your primary Communicator Web Access URL is https://im.contoso.com then
your dial-in conferencing page would be https://im.contoso.com/dialin. The conference join suffix
is the page where users are sent to join a conference. By default, the conference join suffix is
join. You cannot change either of these values.
The external and internal virtual server URLs represent the primary Communicator Web Access
URL. When you invite someone to join a Communicator Web Access conference, you use this
address when you create the conference invitation. If you support both internal and external
URLs it is recommended that both of these values be set to the URL of the external virtual server.
This is recommended, in part, because the Conferencing Add-in for Microsoft Outlook, the tool
that is typically used for conference scheduling, only displays the external URL. The internal URL
is not available in the tool. Setting the two URLs to the same value will cause no problems for
internal or external users who try to join a conference.
If you support only internal users, set both of these values to the URL of your internal virtual
server.
URLs typically need to be published just once. You only need to republish URLs if you change
your primary Communicator Web Access URL (for example, changing https://im.contoso.com to
https://cwa.contoso.com).

To publish Communicator Web Access URLs during deployment
     1. On the Deploy Communicator Web Access page, at Step 4: Publish Communicator
        Web Access URLs, click Run.
     2. On the Publish Web Address page, in both the External web address (URL) and
        Internal web address (URL) boxes, type the URL that users outside the organization’s
        firewall use to sign in to the Communicator Web Access client (for example,
        https://im.contoso.com).
     3. Click Publish.
As noted, URLs can also be published using the Communicator Web Access snap-in.

To publish Communicator Web Access URLs using the Communicator Web Access snap-in
     1. Log on to the computer where the Communicator Web Access snap-in has been
        installed. Note that, in order to publish URLs, you must be a member of the local
        Administrators group and a member of the RTCUniversalServerAdmins group.
    2. Click Start, point to Administrative Tools, and then click Microsoft Office
       Communications Server 2007 R2, Communicator Web Access.
    3. In the console tree, right-click Microsoft Office Communications Server 2007 R2,
       Communicator Web Access and then click Publish Web Addresses.
    4. On the Publish Web Address page, in both the External web address (URL) and
       Internal web address (URL) boxes, type the URL that users outside the organization’s
       firewall use to sign in to the Communicator Web Access client (for example,
       https://im.contoso.com).
    5. Click Publish.
If you need to know which URLs and suffixes have been published to Active Directory, you can
retrieve this information using Windows Management Instrumentation (WMI).

To verify published URLs
    1. On a computer where Communicator Web Access has been installed, click Start and
       then click Run.
    2. In the Run dialog box, type wbemtest and then click OK.
    3. In the Windows Management Instrumentation Tester, click Connect.
    4. In the Namespace box, if necessary, type root\cimv2. Click Connect.
    5. In the Windows Management Instrumentation Tester, click Open Class.
    6. In the Get Class Name dialog box, in the Enter Target Class Name box, type
       MSFT_SIPGlobalCWAServerConfigSetting and then click OK.
    7. In the Object editor for MSFT_SIPGlobalCWAServerConfigSetting dialog box, click
       Hide System Properties and then click Instances.
    8. In the Query Result dialog box, double click the lone instance of the
       MSFT_SIPGlobalCWAServerConfigSetting class.
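The same WMI lookup can be scripted instead of clicked through in wbemtest. The following is an added example (not part of this guide or the Communicator Web Access product) that reads the lone MSFT_SIPGlobalCWAServerConfigSetting instance from root\cimv2, checks that exactly one instance exists, and lists its properties. Because this guide does not name the class's properties, the script assumes nothing about them beyond the class name: the "URL or Suffix" highlighting is a heuristic on property names, and the https check only warns when a string value is an http:// URL.

```powershell
# Added example (not from the Microsoft guide): read the published Communicator Web Access
# URLs and suffixes from the MSFT_SIPGlobalCWAServerConfigSetting WMI class. Run on a
# computer where Communicator Web Access is installed (or point -ComputerName at one).
# Assumption: property names are not listed in the guide, so every non-system property
# is returned and names containing "URL" or "Suffix" are only flagged heuristically.

function Get-CwaPublishedUrls {
    param(
        [string]$ComputerName = '.'   # '.' is the local computer
    )

    # The guide states that a single instance of this class exists in root\cimv2.
    $instances = @(Get-WmiObject -ComputerName $ComputerName `
                                 -Namespace 'root\cimv2' `
                                 -Class 'MSFT_SIPGlobalCWAServerConfigSetting')

    if ($instances.Count -ne 1) {
        throw "Expected exactly one MSFT_SIPGlobalCWAServerConfigSetting instance, found $($instances.Count)."
    }
    $instance = $instances[0]

    # Skip WMI system properties (names beginning with "__"); this is what the
    # "Hide System Properties" button in wbemtest does.
    $instance.Properties |
        Where-Object { $_.Name -notlike '__*' } |
        ForEach-Object {
            # Published addresses should be HTTPS, as in the guide's https://im.contoso.com.
            if (($_.Value -is [string]) -and ($_.Value -match '^http://')) {
                Write-Warning ("Property {0} holds a plain-HTTP URL: {1}" -f $_.Name, $_.Value)
            }
            New-Object PSObject -Property @{
                Name                  = $_.Name
                Value                 = $_.Value
                LooksLikePublishedUrl = ($_.Name -match 'URL|Suffix')   # heuristic only
            }
        }
}

# Usage: show every property, then only the ones that look like published URLs/suffixes.
$props = Get-CwaPublishedUrls
$props | Sort-Object Name | Format-Table Name, Value -AutoSize
$props | Where-Object { $_.LooksLikePublishedUrl } | Format-Table Name, Value -AutoSize
```

Running this on each Communicator Web Access server after republishing is a quick way to confirm that every server reads the same values from Active Directory.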




Deploying Communicator Web Access in
Multiple Domains
If you are deploying the 2007 R2 version of Communicator Web Access in an Active Directory
forest that includes multiple domains it is important that all the domains trust one another. If they
do not, then users with accounts in a given domain might experience difficulty logging on to
Communicator Web Access. In particular, they might have their logon attempt rejected along with
the message that their computer clock has not been set correctly. The rejected logon and the
misleading error message result from the way that the Kerberos authentication protocol handles
these requests.

If you cannot set up a trust relationship between all the domains, you can temporarily fix the
problem by resetting the World Wide Web service. Alternatively, you can disable Kerberos, which
forces Internet Information Services (IIS) to use NTLM authentication. With NTLM authentication,
this problem does not occur.

To disable Kerberos authentication on a computer running Windows Server 2008
     1. Log on to the computer as a member of the local Administrators group.
     2. Click Start, point to Administrative Tools, and then click Internet Information Services
        (IIS) Manager.
     3. In Internet Information Services (IIS) Manager, expand the name of your domain and
        then expand Web Sites.
     4. Click the name of your Communicator Web Access Web site, and then double-click
        Authentication in the Features pane.
     5. Right-click Windows Authentication and then click Disabled.

To disable Kerberos authentication on a computer running Windows Server 2003
     1. Log on to the computer as a member of the local Administrators group.
     2. Click Start and then click Run.
     3. In the Run dialog box, type cmd and then press ENTER.
     4. In the command window, type the following command and then press ENTER. Note that
        NTLM must be typed in all uppercase letters:
        cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
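The two procedures above can be scripted so that the change is applied and read back in one step. The following is an added example, not part of this guide: for Windows Server 2003 it runs the adsutil.vbs command shown above and then reads the value back; for Windows Server 2008 it shows a narrower alternative to the GUI steps, removing only the Negotiate (Kerberos) provider with appcmd.exe so that Windows Authentication stays enabled with NTLM. Assumed and not stated in the guide: adsutil.vbs is in its default location C:\Inetpub\AdminScripts, appcmd.exe is in %windir%\system32\inetsrv, and the site name is a placeholder you must replace with the name of your Communicator Web Access site.

```powershell
# Added example (not from the Microsoft guide): force IIS to use NTLM instead of Kerberos
# and verify the result. Run in an elevated prompt on the Communicator Web Access server.
# Assumptions: adsutil.vbs in C:\Inetpub\AdminScripts (IIS 6.0 default), appcmd.exe in
# %windir%\system32\inetsrv (IIS 7.0 default), site name below is a placeholder.

function Set-IisNtlmOnly {
    param(
        [ValidateSet('IIS6', 'IIS7')] [string]$Version,
        [string]$SiteName = 'CWA-SITE-NAME'   # placeholder: your Communicator Web Access site
    )

    switch ($Version) {
        'IIS6' {
            # Windows Server 2003: the guide's command sets the provider list at the w3svc
            # root, which affects every web site on this server. NTLM must be uppercase.
            $adsutil = 'C:\Inetpub\AdminScripts\adsutil.vbs'
            & cscript //nologo $adsutil set w3svc/NTAuthenticationProviders 'NTLM'
            # Read it back; the output should end with: (STRING) "NTLM"
            & cscript //nologo $adsutil get w3svc/NTAuthenticationProviders
        }
        'IIS7' {
            # Windows Server 2008: the GUI steps above switch Windows Authentication off
            # entirely. This narrower form (editor's alternative) removes only the Negotiate
            # provider, leaving NTLM in place for the one site.
            $appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
            & $appcmd set config $SiteName /section:windowsAuthentication `
                "/-providers.[value='Negotiate']" /commit:apphost
            # List the remaining providers; expect NTLM only.
            & $appcmd list config $SiteName /section:windowsAuthentication
        }
    }
}

# Usage:
#   Set-IisNtlmOnly -Version IIS6
#   Set-IisNtlmOnly -Version IIS7 -SiteName 'Communicator Web Access'
#
# To restore the IIS 6.0 default later (Kerberos first, NTLM fallback):
#   cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"
```

Because the adsutil.vbs form applies to every site under w3svc, run it only on the Communicator Web Access server, and keep the restore command at hand so Kerberos can be re-enabled once the domain trusts are in place.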




Installing the Communicator Web Access
Snap-in
Communicator Web Access (2007 R2 release) is not managed by using the Office
Communications Server administrative tools. Instead, Communicator Web Access has its own
management snap-in. The Communicator Web Access snap-in is not installed when
Communicator Web Access is installed. Instead, you must install the snap-in either before or after
you have installed Communicator Web Access.
Communicator Web Access snap-in does not have to be installed on a computer that is running
Communicator Web Access. You can install the snap-in on an administrative computer instead of
or in addition to your Communicator Web Access servers. However, the following restrictions
apply:
   • Communicator Web Access snap-in can only be installed on a computer that is a member of
     an Active Directory forest where Office Communications Server 2007 R2 is already running.
   • Communicator Web Access snap-in can only be installed on a computer running a 64-bit
     version of the Windows operating system (this includes Windows Vista, as well as Windows
     Server 2003 and Windows Server 2008).
   • The following software must be installed before you can install Communicator Web Access
     snap-in:
        • SQL Server Native Client
        • Visual C++ 2008 Redistributable
        • Microsoft .NET Framework 3.5, Service Pack 1
        • Office Communications Server 2007 R2 Core Components
        • Internet Information Services (IIS)
If you install Office Communications Server 2007 R2 or Communicator Web Access 2007 R2
using the Setup wizard this prerequisite software will be installed for you. Otherwise, you will have
to manually install this software before you can install Communicator Web Access snap-in.
When you install Communicator Web Access snap-in, you also install the Office Communications
Server administrative tools. There is no way to install just Communicator Web Access snap-in.
You can install Communicator Web Access snap-in by using either of the following procedures:
   • Installing Communicator Web Access Snap-in By Using the Deployment Wizard
   • Installing Communicator Web Access Snap-in By Using the Command Line


Installing Communicator Web Access Snap-in By
Using the Deployment Wizard
You can use the Office Communications Server Deployment wizard to install the Communicator
Web Access snap-in.

To install Communicator Web Access snap-in on a computer
     1. Log on to the computer where you want to install the Communicator Web Access snap-in
        as a member of both the local Administrators group and the Domain Admins group.
     2. On the Office Communications Server 2007 R2 installation media, double-click
        SetupSE.exe (if you are installing Standard Edition) or SetupEE.exe (if you are installing
        Enterprise Edition).
     3. On the Office Communications Server 2007 R2 Deployment Wizard page, click
        Administrative Tools.
     4. On the License Agreement page, click I accept the terms in the license agreement
        (required to proceed), and then click Next.




Installing Communicator Web Access Snap-in By
Using the Command Line
You can install Communicator Web Access snap-in and Office Communications Server
administrative tools from the command prompt by running the file AdminTools.msi.

To install Communicator Web Access snap-in from the command line
    1. Log on to the computer where you want to install Communicator Web Access snap-in as
       a member of both the local Administrators group and the Domain Admins group.
    2. Click Start, and then click Run.
    3. In the Run dialog box, type cmd, and then click OK.
    4. At the command prompt, navigate to the Setup folder on the Office Communications
       Server 2007 R2 CD and then press ENTER. For example, if your CD drive is drive F type
       the following:
        cd f:\setup
    5. Type the following command to install the Communicator Web Access snap-in:
        AdminTools.msi
        If you would like to create a log file for the installation process then add the /lv switch
        followed by the file path for the log file. For example, to save a log file as
        C:\Logs\CWA_Install.txt use the following command:
        AdminTools.msi /lv c:\logs\cwa_install.txt




Using a Load Balancer to Increase Capacity
and Availability
A single server running Communicator Web Access (2007 R2 release) can handle approximately
5,000 simultaneous connections. If you need to support more users than that, you will need more
than one Communicator Web Access server. If you need more than one Communicator Web
Access server, you will probably want to deploy a hardware load balancer to help ensure that the
workload is equitably distributed between those servers.

Note:
    In addition to increasing the overall capacity of your Communicator Web Access
    infrastructure, by using an array of servers and a load balancer you can increase the
    reliability and availability of Communicator Web Access. Should a single server fail, the
    load balancer can automatically route incoming connection requests to the servers that
    are still functioning.



Communicator Web Access requires session affinity, a requirement that directly impacts load
balancing. Session affinity simply means that a given Communicator Web Access session must
take place on the same server. Communicator Web Access does not allow an instant messaging
session to begin on one server and then somehow be transferred to another server. If a user is
logged on to Server A at the beginning of his or her Communicator Web Access session, he or
she will continue to use Server A for the duration of that session. If Server A should fail, the user
will have his or her session terminated. (That user can then sign on again, and the load balancer
will route them to a server that is still running.) However, users connected to Server B or Server C
will not have their session disrupted in any way should Server A fail.
This explains why you must use hardware load balancing with Communicator Web Access.
Software load balancing can also equally distribute connection requests among servers.
However, if Server A fails, a software load balancer will redistribute all the client connections,
including those clients on Server B and Server C. As a result, not only will users on Server A lose
their connections, but many users on Server B and Server C will lose their connections as well.

Note:
     As noted, software load balancing is not supported on Communicator Web Access. In
     addition, Communicator Web Access does not support any type of load balancing
     scenario involving multi-homed network adapters or computers equipped with more than
     one network adapter and more than one default gateway.
Communicator Web Access supports most hardware load balancers, provided that the load
balancer:
   • Allows you to set the TCP idle timeout to 1,800 seconds (30 minutes). The TCP idle timeout
     represents the amount of time the server will wait for information during a session. If you are
     using a reverse proxy server (such as Microsoft Internet Security and Acceleration Server)
     then the TCP idle timeout on that computer should also be set to 1,800 seconds.
   • Allows you to use a source network address translation (SNAT) pool if you need to handle
     more than 65,000 simultaneous connections. SNAT is designed to “hide” multiple servers
     behind a single IP address (that is, a number of servers can be accessed using just one IP
     address). With a SNAT pool, servers can be hidden behind multiple IP addresses.
   • Allows you to use cookie persistence when configuring session affinity. With cookie
     persistence, information about the actual Communicator Web Access server being used for a
     session is stored in an Internet cookie on the client computer. When configuring the load
     balancer’s session persistence profile it is recommended that you use “HTTP Cookie Insert.”
     With this configuration method, information about the server to which the client is connected
     is inserted in the header of the HTTP response from that server as a cookie.
Communicator Web Access also supports Secure Sockets Layer (SSL) acceleration on the load
balancer. With SSL acceleration, the load balancer decrypts HTTPS transmissions before
sending that unencrypted traffic to the Communicator Web Access server. Relieving the server of
the need to perform SSL decryption can markedly improve that server’s performance.
Communicator Web Access should always have a dedicated load balancer. You should not share
a load balancer between Office Communications Server and Communicator Web Access server.

Using a Reverse Proxy to Enable Remote
User Access
External users (that is, users outside the organization firewall) log on to Communicator Web
Access (2007 R2 release) by pointing their Web browser towards a virtual server created
especially for them. It is possible for external users to directly access the Communicator Web
Access server. However, this is discouraged for security reasons. Instead, it is highly
recommended that external users first go through a reverse proxy server.
A reverse proxy server is a computer running proxy server software such as Microsoft Internet
Security and Acceleration (ISA) Server. The reverse proxy server is located within the perimeter
network (also known as the DMZ or demilitarized zone), a network that exists between the
internal corporate network and the Internet. When an external user tries to connect to a
Communicator Web Access virtual server the Domain Name System (DNS) service automatically
routes the request to the reverse proxy server. The reverse proxy server then forwards the
request for service to the Communicator Web Access server. For end users, the process is
completely transparent. As far as they know, the reverse proxy server is the Communicator Web
Access server.
Having a single point of access makes it easy for administrators to determine who can and
cannot connect to your servers, and to control the content that users are allowed to access. By
“hiding” server names behind the reverse proxy you can also swap hardware or make host name
changes without affecting your clients. Users will continue to use the same URL regardless of which
computers might be stationed behind the proxy server.
Communicator Web Access is compatible with most of the reverse proxy servers on the market.
That means you can use almost any reverse proxy software, with one exception. If you use
single sign-on authentication then you must use Microsoft Internet Security and Acceleration
(ISA) Server 2006 with single sign-on (SSO) enabled on the Web listener.
Regardless of which reverse proxy server you choose to use, it is recommended that the server
be a workgroup member and not a member server of the internal, trusted domain. This provides
an additional level of security. If the reverse proxy server should be compromised the attackers
will have access only to that server and not to the internal network.
For performance reasons, it is recommended that no other software be installed on the reverse
proxy. However, the same computer that acts as a reverse proxy server for Communicator Web
Access can also be used as a reverse proxy server for other applications (for example, Outlook
Web Access).
Because different reverse proxy servers are configured in different ways, this document will not
discuss the detailed steps for setting up a reverse proxy server. For details, see the
documentation for your reverse proxy server.




Optimizing Performance for Communicator
Web Access
You can adjust specific settings to increase user capacity and performance on your servers. This
section provides information about these adjustments, including procedures for making them.
In This Section
   • Enabling Kernel SSL on Windows Server 2003
   • Modifying the ASP.NET Request Queue Limit
   • Modifying the IIS Queue Length


Enabling Kernel SSL on Windows Server 2003
By default, Windows Server 2003 runs Secure Sockets Layer (SSL) in user mode. Beginning with
Service Pack 1 (SP1), Windows 2003 offered the option of running SSL in kernel mode. This can
improve overall Internet Information Services (IIS) performance, because kernel mode moves all
encryption and decryption operations to the kernel. That move dramatically decreases the
number of transactions that must be made between kernel mode and user mode. Kernel mode
also reduces the memory consumption of server-side processes. In turn, that makes more
memory available to Communicator Web Access. Note that this applies only to Windows Server
2003. Windows 2008 uses a form of kernel mode SSL by default.
To enable kernel mode SSL in Windows Server 2003 you must create and configure a new
registry value, and then restart the HTTP service. If you later decide to disable kernel SSL mode
simply set this new registry value (that is, EnableKernelSSL) to 0 (that is, zero).

To enable kernel SSL mode on Windows Server 2003
     1. Open Registry Editor and locate the registry key
        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
     2. In the Parameters key, right-click a blank area of the window pane, click New, and then
        click DWORD Value.
     3. After the new value is created, type EnableKernelSSL to rename the value.
     4. Double-click EnableKernelSSL.
     5. In the Edit DWORD Value dialog box, type 1 in the Value data box and then click OK.
     6. Restart the HTTP service by opening a command window, typing net stop http, and then
        pressing ENTER.
     7. When asked whether you want to continue the operation, type y and then press ENTER.
     8. After all the services have been stopped, type net start http in the command window to
        restart the HTTP service.
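The registry change and service restart above can be done from one elevated PowerShell prompt. The following is an added example, not part of this guide: it creates or updates the EnableKernelSSL DWORD, restarts the HTTP service, and returns the value that was written so you can confirm it. One step is the editor's addition and not in the guide: because stopping HTTP also stops the services that depend on it, the script starts the World Wide Web Publishing Service (W3SVC) again afterwards, which net start http does not do by itself.

```powershell
# Added example (not from the Microsoft guide): enable or disable kernel-mode SSL on
# Windows Server 2003 SP1 or later by setting EnableKernelSSL and restarting HTTP.SYS.
# Run elevated. Not needed on Windows Server 2008, which uses kernel-mode SSL already.

$HttpParams = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'

function Set-KernelSsl {
    param([bool]$Enabled = $true)

    # 1 enables kernel-mode SSL; the guide says to set the value to 0 to disable it again.
    $value = 0
    if ($Enabled) { $value = 1 }

    $existing = Get-ItemProperty -Path $HttpParams -Name EnableKernelSSL -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Steps 2-5 of the procedure: create the DWORD and set its data.
        New-ItemProperty -Path $HttpParams -Name EnableKernelSSL -PropertyType DWord -Value $value | Out-Null
    } else {
        Set-ItemProperty -Path $HttpParams -Name EnableKernelSSL -Value $value
    }

    # Steps 6-8: stopping HTTP also stops dependent services such as W3SVC;
    # /y answers the "continue?" prompt automatically.
    net stop http /y
    net start http
    # Editor's addition: net start http does not restart the dependent web service.
    net start w3svc

    # Return the value as it now stands in the registry (1 or 0).
    (Get-ItemProperty -Path $HttpParams -Name EnableKernelSSL).EnableKernelSSL
}

# Usage: enable kernel-mode SSL (returns 1). To disable later: Set-KernelSsl -Enabled $false
Set-KernelSsl -Enabled $true
```

Run this during a maintenance window: every HTTP-based service on the server is interrupted while HTTP.SYS restarts, not only Communicator Web Access.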




Modifying the ASP.NET Request Queue Limit
When ASP.NET is queried, the request for service is carried over, and queued within, a pipe
between Internet Information Services (IIS) and the ASP.NET worker process. (ASP.NET runs in
its own process – this is different from classic ASP, which runs in the same process as the IIS
service.) By default, this queue can contain no more than 5,000 requests. If there are more than
5,000 requests, users receive a “503 – Service Unavailable” error and are denied service.
Although the default value is sufficient for relatively small numbers of Communicator Web Access
(2007 R2 release) users, the request queue limit can easily be exceeded as the number of users
approaches 4,500. Because of this, you might want to increase the request queue limit to 15,000,
which is a task that you can implement by editing the machine.config file for .NET Framework. By
setting the request queue limit to 15,000, you can provide a queue large enough to handle all of
your client requests.

To modify the ASP.NET request queue limit
    1. Click Start and then click Run.
    2. In the Run dialog box, type notepad
       %systemroot%\Microsoft.Net\Framework64\v2.0.50727\CONFIG\machine.config,
       and then click OK.
    3. Locate the processModel element that looks like this:
       <processModel autoConfig="true" />
    4. Replace the processModel element with the following value:
       <processModel enable="true" requestQueueLimit="15000" />
    5. Save and close the Machine.config file.
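Editing machine.config by hand is easy to get wrong, and a malformed file stops every ASP.NET application on the server. The following is an added example, not part of this guide, that makes the same processModel change with an XML parser: it backs the file up, removes the autoConfig attribute, sets enable="true" and requestQueueLimit, saves, and then reads the saved value back. It assumes the 64-bit .NET Framework 2.0 path used in the procedure above and defaults to the guide's value of 15,000.

```powershell
# Added example (not from the Microsoft guide): set the ASP.NET request queue limit in
# machine.config with an XML parser instead of Notepad, keeping a backup copy.
# Run elevated. Assumption: the default path is the 64-bit .NET 2.0 machine.config
# named in the guide; pass -Path for a different framework directory.

function Set-AspNetRequestQueueLimit {
    param(
        [int]$Limit = 15000,
        [string]$Path = "$env:SystemRoot\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config"
    )

    # Keep a copy so the change can be reverted if ASP.NET fails to start.
    Copy-Item -Path $Path -Destination "$Path.bak" -Force

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true        # keep the file's existing layout
    $xml.Load($Path)

    $node = $xml.SelectSingleNode('/configuration/system.web/processModel')
    if ($null -eq $node) {
        throw "No processModel element found in $Path"
    }

    # The guide replaces <processModel autoConfig="true" /> with
    # <processModel enable="true" requestQueueLimit="15000" />.
    $node.RemoveAttribute('autoConfig')     # no-op if the attribute is absent
    $node.SetAttribute('enable', 'true')
    $node.SetAttribute('requestQueueLimit', [string]$Limit)
    $xml.Save($Path)

    # Re-read the saved file and return the effective limit.
    $check = New-Object System.Xml.XmlDocument
    $check.Load($Path)
    [int]$check.SelectSingleNode('/configuration/system.web/processModel').GetAttribute('requestQueueLimit')
}

# Usage: returns 15000 when the edit succeeded.
Set-AspNetRequestQueueLimit
```

Restart IIS after the change so the ASP.NET worker process picks up the new limit, and keep the .bak file until you have confirmed that the Communicator Web Access site starts.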




Modifying the IIS Queue Length
Internet Information Services (IIS) enforces a limit on the maximum number of application pool
requests that can be held in the queue at any given time. If this limit is reached, any new requests
will be denied and users receive a “503 – Service Unavailable” error message. By default, IIS
sets the queue length to 1,000 requests. That default value might be too low because, with a
queue length of 1,000, Communicator Web Access (2007 R2 release) will only be able to handle
approximately 650 concurrent users before new users begin to be turned away.
To help ensure availability of the Communicator Web Access service, it is recommended that you
set the value of the IIS queue length to the expected maximum number of users times 1.5. For
example, suppose you expect that, at most, you will have 2,000 users logged on to
Communicator Web Access at a given time. In that case, you should set the queue length to
3,000 (that is, 2,000 users multiplied by 1.5).

To change the queue length setting in IIS 7.0
     1. Click Start, point to Administrative Tools, and then click Internet Information Services
        (IIS) Manager.
     2. In IIS Manager, expand the name of the IIS server, and then click Application Pools.
     3. In the Application Pools pane, right-click the Communicator Web Access application
        pool and then click Advanced Settings.
     4. In the Advanced Settings dialog box, under General, click Queue Length, and then
        type a value that is 1.5 times the maximum number of concurrent users in your
        Communicator Web Access deployment.
     5. Click OK.

To change the queue length setting in IIS 6.0
     1. Click Start, click All Programs, point to Administrative Tools, and then click Internet
        Information Services (IIS) Manager.
     2. In IIS Manager, expand the Sites node, right-click the Communicator Web Access
        Application pool and then click Properties.
     3. In the Properties dialog box, click the Performance tab.
     4. Under Request Queue Limit, click Limit the kernel request queue (Number of
        requests), and then type a value that is 1.5 times the maximum number of concurrent
        users in your Communicator Web Access deployment.
     5. Click OK.
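The sizing rule above (expected maximum concurrent users multiplied by 1.5) and the two procedures can be combined into one script. The following is an added example, not part of this guide: it computes the queue length, rounding up so the queue is never smaller than the rule requires, and applies it to the application pool with appcmd.exe on IIS 7.0 or with the AppPoolQueueLength metabase property through adsutil.vbs on IIS 6.0. Assumed and not stated in the guide: the application pool name is a placeholder you must replace, appcmd.exe is in %windir%\system32\inetsrv, and adsutil.vbs is in C:\Inetpub\AdminScripts.

```powershell
# Added example (not from the Microsoft guide): size and set the IIS application pool
# queue length for Communicator Web Access. Run elevated on the IIS server.
# Assumptions: placeholder pool name; appcmd.exe (IIS 7.0) in %windir%\system32\inetsrv;
# adsutil.vbs (IIS 6.0) in C:\Inetpub\AdminScripts; IIS 6.0 property is AppPoolQueueLength.

function Get-CwaQueueLength {
    param([int]$MaxConcurrentUsers)
    if ($MaxConcurrentUsers -le 0) { throw 'MaxConcurrentUsers must be a positive number' }
    # Guide's rule: expected maximum users x 1.5, rounded up to a whole request.
    [int][math]::Ceiling($MaxConcurrentUsers * 1.5)
}

function Set-CwaQueueLength {
    param(
        [int]$MaxConcurrentUsers,
        [ValidateSet('IIS6', 'IIS7')] [string]$Version,
        [string]$PoolName = 'CWA-APP-POOL-NAME'   # placeholder: your Communicator Web Access pool
    )
    $queueLength = Get-CwaQueueLength -MaxConcurrentUsers $MaxConcurrentUsers

    switch ($Version) {
        'IIS7' {
            $appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
            & $appcmd set apppool "/apppool.name:$PoolName" "/queueLength:$queueLength"
            # Read the setting back; expect the computed value.
            & $appcmd list apppool "/apppool.name:$PoolName" /text:queueLength
        }
        'IIS6' {
            $adsutil = 'C:\Inetpub\AdminScripts\adsutil.vbs'
            $metabasePath = "w3svc/AppPools/$PoolName/AppPoolQueueLength"
            & cscript //nologo $adsutil set $metabasePath $queueLength
            & cscript //nologo $adsutil get $metabasePath
        }
    }
    $queueLength
}

# The guide's example: 2,000 expected users gives a queue length of 3,000.
Get-CwaQueueLength -MaxConcurrentUsers 2000
# Apply it on IIS 7.0:
# Set-CwaQueueLength -MaxConcurrentUsers 2000 -Version IIS7 -PoolName 'Your CWA pool'
```

Recycle the application pool after the change, and re-run the sizing whenever the expected user count grows, since the 503 errors described above return as soon as the queue fills.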




Enabling Users for Communicator Web
Access
Any user whose user account has been enabled and configured for Office Communications
Server 2007 R2 is ready to begin using Communicator Web Access (2007 R2 release). Because
Office Communications Server must be running before you can even install Communicator Web
Access, this means that your user accounts might have already been enabled for Office
Communications Server. That means they have already been enabled for Communicator Web
Access as well.
However, if you have user accounts that have not been enabled for Office Communications
Server then you can enable and configure those accounts by completing the following two
procedures. After that, these users will be able to log on to Communicator Web Access.
Before undertaking these procedures, however, you should understand a little bit of what is
involved in enabling and configuring user accounts for Office Communications Server.
To ensure that users are able to use Communicator Web Access you must complete the following
two procedures for each user account:
   • Enabling User Accounts for Communicator Web Access
   • Configuring User Accounts for Communicator Web Access


Enabling User Accounts for Communicator Web
Access
When you enable a user account you must specify a sign-in name for the user; this is the name
that the user employs when logging on to Communicator Web Access (2007 R2 release) or other
Office Communications Server 2007 R2 components, such as Office Communicator. The user’s
e-mail name (for example, kenmyer@contoso.com) is typically used as the sign-in name.
However, instead of using the e-mail name you can use one of the following name formats:
   • The user's User Principal Name (UPN)
   • The format first_name.last_name@domain_name (for example, Ken.Myer@contoso.com)
   • The format SAM_account_name@domain_name (for example, kenmyer@contoso.com)

To enable a user for Communications Server
     1. Log on to a computer where both Office Communications Server 2007 R2 and the Active
        Directory Users and Computers snap-in have been installed. You must log on as a
        member of the local Administrators group and a member of the
        RTCUniversalServerAdmins group.
     2. In Active Directory Users and Computers, locate the user account to be enabled. Right-
        click the account name and then click Enable Users for Communications Server.

        Note:
            To enable multiple user accounts, click on the first account, and then Ctrl+click
            on any subsequent accounts.
     3. In the Enable Office Communications Server User Wizard, on the Welcome page, click
        Next.
     4. On the Select Server or Pool page, select the Enterprise pool or Standard Edition server
        to which the user is to be assigned and then click Next.
     5. On the Specify Sign-in Name page, select the format to be used as the user name, and
        then click Next.
     6. On the Ready to Enable Users page, click Next.
     7. On the Enable Operation Status page, click Finish.




Configuring User Accounts for Communicator
Web Access
When you configure a user account you can grant the user any (or all) of the following privileges:
   • Federation. Allows the user to communicate with users from a federated organization.
   • Remote User Access. Allows the user to connect to the internal network when outside the
     organization’s firewall. (This connection is typically made by going through an Edge Server.)
   • Public IM Connectivity. Allows the user to communicate with users from a public instant
     messaging (IM) network.
   • Enhanced Presence. Allows the user to not only report presence information, but to control
     who can access this information (as well as how much of the information they can access).
When you configure a user for Office Communications Server 2007 R2 some options might not
be available. For example, the option that allows the user to organize meetings with anonymous
users might be unavailable. If so, that is because the setting has been configured at the forest
level, and cannot be changed on a per-user basis.



Testing the Web Site
Before you publicize the existence of your Communicator Web Access (2007 R2 release)
infrastructure you should perform some rudimentary tests in order to verify that users can connect
to the service and carry out such basic functions as sending instant messages, and viewing and
changing status information.
To do this testing, complete the following procedures:
   • Configuring Your Web Browser Prior to Testing
   • Testing Communicator Web Access Web Sites


Configuring Your Web Browser Prior to Testing
Before you begin testing, you must configure all of the Web browsers that will be used in your
tests. In particular, you must disable the pop-up blocker for all browsers and, if applicable,
configure Internet Explorer for automatic logon; automatic logon is required to test Quick Sign-In.

To disable the popup blocker in Firefox
     1. Log on to a computer in your organization as a member of the local Administrators group.
     2. Start the Firefox Web browser.
     3. In Firefox, click Tools and then click Options.
     4. In the Options dialog box, on the Content tab, clear Block pop-up windows and then
        click OK.

To disable the popup blocker in Safari
     1. Log on to a computer in your organization as a member of the local Administrators group.
     2. Start the Safari Web browser.
     3. In Safari, click Safari and then clear Block Pop-Up Windows.

To disable the popup blocker in Internet Explorer and to configure it for automatic logon
    1. Log on to a computer in your organization as a member of the local Administrators group.
    2. Open the Internet Properties dialog box by choosing Internet Options either from
       Control Panel or from the Tools menu in Internet Explorer.
    3. In the Internet Properties dialog box, on the Security tab, click Local intranet and then
       click Custom Level.
    4. In the Security Settings dialog box, under Logon, select Automatic logon only in
       Intranet zone and then click OK.
    5. Still in the Internet Properties dialog box and with Local intranet still selected, click
       Sites.
    6. In the Local intranet dialog box, click Advanced.
    7. In the next dialog box (also titled Local intranet), type the URL of your Communicator
       Web Access site (for example, https://im.contoso.com) in the Add this Web site to the
       zone box and then click Add.
    8. In the Local intranet dialog box, click OK.
    9. In the original Local intranet dialog box, click OK.
    10. In the Internet Properties dialog box, click OK.
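When several test clients are involved, the Internet Explorer steps above can be applied per user from a script. The following is an added example, not part of this guide: it sets the Local intranet zone's logon policy to "Automatic logon only in Intranet zone" and maps the Communicator Web Access site into that zone, which is what steps 3 through 9 do through the dialog boxes. The registry locations and values (zone 1 = Local intranet, Logon value 1A00 = 0x10000 for automatic logon only in the intranet zone, ZoneMap entries under the site's domain) come from the editor's knowledge of Internet Explorer and are not stated in the guide, so verify them on your client build; the site URL is the guide's example https://im.contoso.com.

```powershell
# Added example (not from the Microsoft guide): configure Internet Explorer for the
# current user so that the Communicator Web Access site is in the Local intranet zone
# and that zone uses "Automatic logon only in Intranet zone".
# Assumptions: registry locations/values are the editor's (zone 1 = Local intranet,
# value 1A00 = Logon policy, 0x10000 = automatic logon only in the intranet zone,
# ZoneMap\Domains\<domain>\<host> with <scheme> = 1); site URL is the guide's example.

function Set-IeIntranetAutoLogon {
    param([string]$SiteUrl = 'https://im.contoso.com')

    $uri    = [uri]$SiteUrl
    $labels = $uri.Host.Split('.')

    $zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    $zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

    # Step 4: Logon policy for the Local intranet zone (zone 1).
    $zone1 = Join-Path $zones '1'
    Set-ItemProperty -Path $zone1 -Name '1A00' -Value 0x10000 -Type DWord

    # Steps 5-9: map the site into zone 1. ZoneMap keeps the host (im) under the
    # registered domain (contoso.com); a bare domain is mapped as a whole.
    if ($labels.Count -gt 2) {
        $domain    = $labels[($labels.Count - 2)..($labels.Count - 1)] -join '.'
        $hostLabel = $labels[0..($labels.Count - 3)] -join '.'
        $hostKey   = Join-Path (Join-Path $zoneMap $domain) $hostLabel
    } else {
        $hostKey   = Join-Path $zoneMap $uri.Host
    }
    if (-not (Test-Path $hostKey)) { New-Item -Path $hostKey -Force | Out-Null }
    # Only the scheme actually used (https) is mapped, not http as well.
    Set-ItemProperty -Path $hostKey -Name $uri.Scheme -Value 1 -Type DWord

    # Return what is now in the registry so the result can be checked.
    New-Object PSObject -Property @{
        LogonPolicy = (Get-ItemProperty -Path $zone1 -Name '1A00').'1A00'
        ZoneForSite = (Get-ItemProperty -Path $hostKey -Name $uri.Scheme).($uri.Scheme)
    }
}

# Usage: expect LogonPolicy 65536 (0x10000) and ZoneForSite 1.
Set-IeIntranetAutoLogon -SiteUrl 'https://im.contoso.com'
```

Because sites in the Local intranet zone receive the user's Windows credentials automatically, map only the Communicator Web Access URL itself (as the GUI procedure does) rather than a whole domain, and keep the zone's logon policy at "only in Intranet zone" rather than "automatic logon with current user name and password".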




Testing Communicator Web Access Web Sites
After you have configured your Web browser, you can begin carrying out the following tests.
Please note that the tests described here are by no means comprehensive, and involve only a
handful of users and computers. You might want to do additional testing, and testing involving a
larger number of users and computers, before making your Communicator Web Access (2007 R2
release) sites widely available.

To test the Web site for internal users
    1. Log on to a computer that is inside your organization’s firewall using an account that has
       been enabled for Office Communications Server.
    2. Open a supported Internet browser, and then type the URL of the internal virtual server in
       the address bar (for example, https://im.contoso.com).
    3. In the Microsoft Office Communicator Web Access window, click Sign In.
    4. If an authentication dialog box appears, type your Office Communications Server user
       name in the User name box. Type your password in the Password box and then click
       OK. A separate Communicator Web Access client window should open.
    5. Repeat this procedure on a second computer (either inside or outside your organization’s
       firewall) using a second user account. Verify that the two users can view each other’s
       presence and send instant messages to one another.

To test the Web site for external users
   1. Log on to a computer that is outside your organization’s firewall using an account that
      has been enabled for Office Communications Server.
   2. Open a supported Internet browser, and then type the URL of the external virtual server
      in the address bar (for example, https://im.contoso.com).
   3. In the Microsoft Office Communicator Web Access window, click Sign In.
   4. When the authentication dialog box appears, type your Office Communications Server
      user name in the User name box. Type your password in the Password box and then
      click OK. A separate Communicator Web Access client window should open.
   5. Repeat this procedure on a second computer (either inside or outside your organization’s
      firewall) using a second user account. Verify that the two users can view each other’s
      presence and send instant messages to one another.

To test the Web site for anonymous users
   1. Log on to a computer either inside or outside your organization’s firewall. Log on using
      the account of a user who has been enabled for Office Communications Server.
   2. Open a supported Internet browser, and then type the URL of the external virtual server
      in the address bar (for example, https://im.contoso.com).
   3. In the Microsoft Office Communicator Web Access window, click Sign In.
   4. If an authentication dialog box appears, type your Office Communications Server user
      name in the User name box. Type your password in the Password box and then click
      OK. A separate Communicator Web Access client window should open.
   5. In the Communicator Web Access window, click Meet Now. A new Conversation window
      will open.
   6. In the Conversation window, click Invite, then click Invite Using Email.
   7. A message similar to this will appear in the Conversation window:
   8. Select the hyperlink portion of the message, right-click anywhere on that hyperlink and
      then click Copy. Click the Close button in the message pane to dismiss the invitation.
   9. Use e-mail or instant messaging to send the hyperlink to another user. This user can
      either be inside the firewall or outside the firewall, and should have an account that has
      not been enabled for Office Communications Server.
   10. Have the anonymous user log on to a computer either inside or outside your
       organization’s firewall. Have the user use their Web browser to navigate to the page
       specified in the hyperlink.
   11. At the sign-on page, instruct the anonymous user to enter a user name of any kind and
       then click Sign On.
   12. Verify that the authenticated user and the anonymous user can exchange instant messages.


To test the Web site for audio conferencing
   1. Log on to a computer that is inside your organization’s firewall using an account that has
      been enabled for Office Communications Server.
   2. Open a supported Internet browser, and then type the URL of the internal virtual server in
      the address bar (for example, https://im.contoso.com).
   3. In the Microsoft Office Communicator Web Access window, click Sign In.
   4. If an authentication dialog box appears, type your Office Communications Server user
      name in the User name box. Type your password in the Password box and then click
      OK. A separate Communicator Web Access client window should open.
   5. In the Communicator Web Access window, click Meet Now. A new Conversation window
      will open.
   6. In the Conversation window, click the Audio button (that is, the button that looks like a
      telephone). Do one of the following:
          Click one of your phone numbers. Phone numbers will be available only if you have
            published them, or if these phone numbers have been published in Active Directory.
          Type a phone number in the New Number box and then press ENTER. When typing
             a phone number, use the E.164 format: country code followed by area code, followed
             by phone number. For example, 14255551219.
   7. Your telephone should ring.

To test the Web site for desktop sharing
   1. Log on to a computer that is inside your organization’s firewall using an account that has
      been enabled for Office Communications Server.
   2. Open a supported Internet browser, and then type the URL of the internal virtual server in
      the address bar (for example, https://im.contoso.com).
   3. In the Microsoft Office Communicator Web Access window, click Sign In.
   4. If an authentication dialog box appears, type your Office Communications Server user
      name in the User name box. Type your password in the Password box and then click
      OK. A separate Communicator Web Access client window should open.
   5. Repeat this procedure on a second computer (either inside or outside your organization’s
       firewall) using a second user account. If you have not already done so, make this second
       user a contact of the first user.
   6. On the first computer, in the Contact List, right-click the name of the second user and
      then click Share My Desktop.
   7. If this is the first time you are sharing your desktop, you must install the Microsoft Office
      Communicator Web Access Plug-in. Click Click to Install to start the Plug-in installation.
   8. When installation begins, in the File Download - Security Warning dialog box, click Run
      to run the installer file for the plug-in.
   9. If you see a Windows Security Alert dialog box, click Unblock.
   10. After the plug-in has been installed, click Share to start sharing your desktop.
   11. Verify that the second user can view the desktop of the first user.




Verifying Load Balancing Configuration
If you are deploying a hardware load balancer as part of your Communicator Web Access (2007
R2 release) infrastructure then you should run a series of tests to verify that your load balancer
has been correctly configured and is working as expected. At a minimum it is recommended that
you:
   Verify that each Communicator Web Access server can communicate with other computers
     on the network, and can connect to Active Directory.
   Verify that the load balancer is able to equitably distribute incoming connections.
   Verify that standard Communicator Web Access activities – such as instant messaging and
     presence detection – are working as expected.

Verifying DNS and LDAP Traffic
Load balancing will not work unless each of the individual servers in your array of Communicator
Web Access servers can do two things:
   Resolve IP addresses and computer host names.
   Communicate with an Active Directory global catalog server.
Because of this, the first test you should perform is to verify Lightweight Directory Access
Protocol (LDAP) and Domain Name System (DNS) connectivity; this test must be performed on
each server in the server array. In the first part of the test you will ping a global catalog server by
IP address (for example, 192.168.1.5). For the test to complete successfully, you must get back a
response similar to this:
If that test completes successfully you will then ping the global catalog server by name. With this
second test, you should get back a response similar to this:
After using these two tests to verify DNS traffic, you should next use the Ldp.exe utility to verify
your LDAP connection to Active Directory.

Verifying Load Balancer Configuration
The primary purpose of a load balancer is to make sure that workloads are distributed evenly
among all the servers in your server array. For example, suppose you have four servers in your
server array, and 100 users log on to Communicator Web Access. If you have employed
hardware load balancing and if load balancing has been configured correctly, each server should
end up handling 25 sessions (100 total sessions divided by 4 servers).
To verify your load balancing configuration you should do a series of tests involving two user
accounts (User A and User B) and no more than two Communicator Web Access servers at a
time. (Using more than two servers makes it more difficult to track down the source of any
problems you might encounter.) If you have more than two servers in your server array, you
should repeat testing on each possible pair of computers. For example, suppose your server
array consists of the following computers:
   Server A
   Server B
   Server C
   Server D
In that case, you need to run tests involving the following pairs of computers:
   Server A and Server B
   Server A and Server C
   Server A and Server D
   Server B and Server C
   Server B and Server D
   Server C and Server D
The test itself is relatively simple. To begin with, you will configure your load balancer and include
just two servers (Server A and Server B) in your server array. (For purposes of testing, you can
simply turn off your other Communicator Web Access servers.)
After the load balancer and server array have been set up, you will need two client computers:
Client A and Client B. As User A, you will log on to Client A and connect to Communicator Web
Access. As User B you will log on to Client B and connect to Communicator Web Access. If load
balancing has worked correctly, Server A and Server B should each have one connection. If
either server is handling both connections, load balancing failed.

Verifying HTTP/HTTPS and Server SIP Traffic
After verifying that load balancing is working correctly, use your two client computers and user
accounts to verify that Communicator Web Access is working correctly. This can be done by:
   Verifying that the two users can exchange instant messages.
   Verifying that any time User A changes his or her status that presence change is visible to
     User B.
   Verifying that User A can block User B, preventing User B from seeing status information or
     exchanging information.
   Verifying that User A can unblock User B.
   Verifying that the two users can delete each other as contacts, and then use the Search
     capabilities built into Communicator Web Access to re-add each other as contacts.


Verifying DNS and LDAP Traffic
The following tests should be carried out on each server in your Communicator Web Access
(2007 R2 release) server array. The first test (that is, verifying Domain Name System
(DNS)/Lightweight Directory Access Protocol (LDAP) traffic) helps verify your network
connectivity; the second test verifies that your servers are able to bind to Active Directory. This
second test requires the use of the program Ldp.exe. Note that the instructions for installing
Ldp.exe vary, depending on whether your Communicator Web Access server is running Windows
Server 2008 or Windows Server 2003.

To verify DNS/LDAP traffic
    1. Log on to the first Communicator Web Access server in the array as a member of the
       Domain Admins group.
    2. Verify that you can successfully ping your global catalog server by IP address. Use a
       command similar to the following:
        ping 192.168.1.1
    3. Verify that you receive a successful reply (including the correct DNS name resolution)
       when you run the ping -a command against the IP address of your global catalog server.
       Use a command similar to the following:
        ping 192.168.1.1 -a
    4. Verify that you can use Ldp.exe to successfully connect to Active Directory on the global
       catalog server. Use the following two procedures to install and run Ldp.exe. When you
       have finished with Ldp.exe, repeat these procedures on the next Communicator Web
       Access server in the array.

To install Ldp.exe on Windows Server 2008

    1. In Server Manager, click Add Features.
    2. In the Add Features Wizard, on the Select Features page, expand Remote Server
       Administration Tools and then select Active Directory Lightweight Directory
       Services Tools. Click Next.
    3. On the Confirm Installation Selections page, click Install.
    4. On the Installation Results page, click Close.

To install Ldp.exe on Windows Server 2003

    1. Insert the Windows Server 2003 CD into your CD-ROM drive.
    2. Click No if you are prompted to reinstall Windows.
    3. On the Welcome screen, click Perform additional tasks, and then click Browse this
       CD.
    4. In the \Support\Tools folder, double-click Suptools.msi.
    5. On the Confirm Installation Selections page, click Install.
    6. On the Installation Results page, click Close.

To connect to Active Directory by using Ldp.exe

    1. Click Start and then click Run. In the Run dialog box, type ldp and then click OK.


    2. In Ldp.exe, click Connection and then click Connect.
    3. In the Connect dialog box, in the Server box, type the fully qualified domain name
       (FQDN) of your global catalog server (for example, gcserver.contoso.com) and then click
       OK.
    4. Click Connection and then click Bind.
    5. In the Bind dialog box, select Bind as currently logged on user and then click OK.
    6. Click View and then click Tree.
    7. In the Tree View dialog box, click OK.
    8. Verify that your Active Directory containers appear in the left pane of the Ldp.exe
       window.
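The following script is an added example (not part of the Microsoft documentation) that automates the three checks from the "Verifying DNS and LDAP Traffic" sections above: ping the global catalog by IP address, reverse-resolve it as ping -a does, and bind to Active Directory as the logged-on user (what Ldp.exe does under Connection > Connect and Bind). It assumes PowerShell 2.0 or later and uses the page's sample values 192.168.1.1 and gcserver.contoso.com, which you should replace with your own global catalog server; the function names are the example's own.

```powershell
# Added example; not part of the Microsoft documentation. Run it on each
# Communicator Web Access server in the array. The GC values below are the page's
# sample values and must be replaced with your own global catalog server.
param(
    [string]$GcIpAddress = '192.168.1.1',          # sample value from the page
    [string]$GcFqdn      = 'gcserver.contoso.com'  # sample value from the page
)

function Test-GcPing {
    param([string]$IpAddress)
    # Step 2 of "To verify DNS/LDAP traffic": reachability of the GC by IP address.
    return (Test-Connection -ComputerName $IpAddress -Count 2 -Quiet)
}

function Test-GcReverseLookup {
    param([string]$IpAddress, [string]$ExpectedFqdn)
    # Step 3: the equivalent of "ping -a"; the IP must resolve back to the expected FQDN.
    try {
        $name = [System.Net.Dns]::GetHostEntry($IpAddress).HostName
    } catch {
        return $false
    }
    return ($name -ieq $ExpectedFqdn)
}

function Test-GcLdapBind {
    param([string]$Fqdn)
    # Step 4 / "To connect to Active Directory by using Ldp.exe": DirectoryEntry binds
    # with the logged-on user's credentials by default (Ldp's "Bind as currently logged
    # on user") on the default LDAP port. Reading RootDSE forces the bind to happen.
    # To exercise the global catalog port instead, use "LDAP://$Fqdn:3268/RootDSE".
    try {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Fqdn/RootDSE")
        $namingContext = [string]$rootDse.Properties['defaultNamingContext'].Value
        return (-not [string]::IsNullOrEmpty($namingContext))
    } catch {
        return $false
    }
}

$checks = @(
    @{ Name = 'Ping GC by IP address';         Passed = (Test-GcPing -IpAddress $GcIpAddress) },
    @{ Name = 'Reverse DNS (ping -a) matches'; Passed = (Test-GcReverseLookup -IpAddress $GcIpAddress -ExpectedFqdn $GcFqdn) },
    @{ Name = 'LDAP bind as current user';     Passed = (Test-GcLdapBind -Fqdn $GcFqdn) }
)

$allPassed = $true
foreach ($check in $checks) {
    $status = if ($check.Passed) { 'PASS' } else { 'FAIL' }
    Write-Host ("{0}  {1}  (on {2})" -f $status, $check.Name, $env:COMPUTERNAME)
    if (-not $check.Passed) { $allPassed = $false }
}

# A non-zero exit code makes it easy to run this from a loop over every server in the array.
if ($allPassed) { exit 0 } else { exit 1 }
```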




Verifying Load Balancer Configuration and Server SIP Traffic
After each server has passed the Domain Name System (DNS)/Lightweight Directory Access
Protocol (LDAP) traffic tests you can then set up the verification environment for testing client
HTTP/HTTPS and server Session Initiation Protocol (SIP) traffic.

To prepare the verification environment
    1. Begin by setting up two client computers, Client A and Client B. In Active Directory,
       create two new users (User A and User B). Enable these users for Office
       Communications Server. Give the two users local Administrator rights on their respective
       computers.
    2. Log on to Client A as User A. Log on to Client B as User B.
    3. On each computer, click Start, click Run and then, in the Run dialog box, type perfmon
       and press ENTER.
    4. On the Communicator Web Access (2007 R2 release) server do one of the following:
           If you are running Communicator Web Access on a Windows Server 2003 computer,
             in the Performance scope pane, select Performance Monitor and click Add. In the
             Add Counters dialog box, under Performance Object, click CWA - 03 - User
             session Service. In the list of counters, click CWA - 002 - Sessions, click Add, and
             then click Close. Click OK.
           If you are running Communicator Web Access on a Windows Server 2008 computer,
             in the Performance scope pane, select System Monitor and click Add. In the Add
             Counters dialog box, under Performance Object, click CWA - 03 - User session
             Service. In the list of counters, click CWA - 002 - Sessions, click Add, and then click
             Close. Click OK.
    5. Open the Internet browser on Client A and Client B, and navigate to the Communicator
       Web Access URL.

    6. Verify that, from Client A, you can sign on to Communicator Web Access as User A.
       Verify that, on Client B, you can log on to Communicator Web Access as User B.

To verify client HTTP/HTTPS traffic and server SIP traffic

     1. Verify that the CWA – 002 Sessions performance counter for each server shows one
        connection each.
     2. Verify that User B (signed in to Client B), can search for User A and can add User A to
        his or her contact list.
     3. Verify that User A (signed in to Client A), can search for User B and can add User B to
        his or her contact list.
     4. Verify that the following functions work as expected:
            Instant messaging
            Presence change
            Block and unblock of each contact from each client
            Contact deletion on each client
     5. Verify that, when you unplug the network cable from the load balancer to one of the
        Communicator Web Access servers, the client connected to that server is signed out.
     6. On the client that was signed out in the previous step, sign on again to Communicator
        Web Access. Verify that the user can connect to the Communicator Web Access server
        that is still running.
     7. Verify that the CWA – 002 Sessions performance counter for the remaining server
        shows two connections.
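The script below is an added example (not part of the Microsoft documentation) covering both the pairwise test plan in "Verifying Load Balancer Configuration" and steps 1, 5, 6 and 7 of the procedure above: it enumerates every server pair, and for the pair under test reads the CWA - 002 - Sessions counter on each server to confirm one session each, then confirms two sessions on the surviving server after the failover step. It assumes PowerShell 2.0 or later, remote performance counter access to each server, and that the counter path string below is how the page's performance object and counter names appear in Performance Monitor; the server names are constructed placeholders.

```powershell
# Added example; not part of the Microsoft documentation. Server names are
# constructed placeholders; the counter path is an assumption built from the
# performance object and counter names given on the page.
param(
    [string[]]$Servers = @('ServerA', 'ServerB', 'ServerC', 'ServerD'),
    [string]$CounterPath = '\CWA - 03 - User session Service\CWA - 002 - Sessions'
)

function Get-ServerPairs {
    param([string[]]$Names)
    # Every unordered pair: A-B, A-C, A-D, B-C, B-D, C-D for four servers.
    $pairs = @()
    for ($i = 0; $i -lt $Names.Count; $i++) {
        for ($j = $i + 1; $j -lt $Names.Count; $j++) {
            $pairs += ,@($Names[$i], $Names[$j])
        }
    }
    return ,$pairs
}

function Get-CwaSessionCount {
    param([string]$Server, [string]$Path)
    # Current value of the sessions counter on one Communicator Web Access server.
    $sample = Get-Counter -ComputerName $Server -Counter $Path -ErrorAction Stop
    return [int]$sample.CounterSamples[0].CookedValue
}

function Test-CwaSessionCount {
    param([string]$Server, [int]$Expected, [string]$Path)
    $actual = Get-CwaSessionCount -Server $Server -Path $Path
    $status = if ($actual -eq $Expected) { 'PASS' } else { 'FAIL' }
    Write-Host ("{0}  {1}: {2} session(s), expected {3}" -f $status, $Server, $actual, $Expected)
    return ($actual -eq $Expected)
}

$pairs = Get-ServerPairs -Names $Servers
Write-Host ("{0} servers -> {1} pairs to test" -f $Servers.Count, $pairs.Count)

foreach ($pair in $pairs) {
    $a = $pair[0]
    $b = $pair[1]
    Write-Host ""
    Write-Host "Pair under test: $a and $b. Leave only these two servers in the load balancer,"
    Write-Host "then sign on as User A on Client A and as User B on Client B."
    Read-Host "Press ENTER when both users are signed on" | Out-Null

    # Step 1: each server of the pair should hold exactly one session.
    $okA = Test-CwaSessionCount -Server $a -Expected 1 -Path $CounterPath
    $okB = Test-CwaSessionCount -Server $b -Expected 1 -Path $CounterPath
    if (-not ($okA -and $okB)) {
        Write-Host "Load balancing FAILED for $a and $b (one server holds both sessions)."
        continue
    }

    # Steps 5 to 7: after the cable from the load balancer to $b is unplugged and the
    # signed-out user signs on again, $a should hold both sessions.
    Write-Host "Unplug the load balancer cable to $b, wait for that client to be signed out,"
    Write-Host "then sign the user on again."
    Read-Host "Press ENTER when the user has signed on again" | Out-Null
    if (Test-CwaSessionCount -Server $a -Expected 2 -Path $CounterPath) {
        Write-Host "Pair $a and $b: distribution and failover verified."
    }
}
```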




Configuring New Communicator Web Access Settings
This section describes the new server configuration options that have been added to Communicator
Web Access (2007 R2 release).
In This Section
   Redirecting Users of Previous Releases
     Although users homed on previous versions of the software cannot log on to a Communicator
     Web Access (2007 R2 release) site, you can configure that site to automatically redirect
     those users to a server running a previous version of Communicator Web Access.
   Configuring a Next Hop Server for Anonymous Users
     The next hop server makes it possible for "anonymous users" (that is, users who do not have
     an account in your Active Directory or the Active Directory of a federated partner) to be
     invited to take part in conferences and desktop sharing sessions.
   Configuring Desktop Sharing
     With desktop sharing, users are able to see everything that is happening on another person's
     computer. In addition, these users can even be allowed to take control of that computer,
     using their own mouse and keyboard to do such things as enter data or run applications.
   Configuring Audio Conferencing for Communicator Web Access
     Communicator Web Access (2007 R2 release) enables you to add audio (that is, using
     standard telephones and cell phones) to any instant messaging (IM) session or desktop
     sharing session.
   Configuring Distribution Group Support for Communicator Web Access
     Communicator Web Access (2007 R2 release) not only enables you to use an Active
     Directory distribution group as a contact, but it also lets you expand the group membership.
     In turn, that lets you send separate messages to or view the presence of all the members of
     that group.


Redirecting Users of Previous Releases
When users are enabled for Office Communications Server, they are assigned a home server. If
you are moving from Office Communications Server 2007 to Office Communications Server 2007
R2, you might still have users who are homed on the earlier version of Office Communications
Server. This is a problem because users who are homed on Office Communications Server 2007
cannot log on to Communicator Web Access (2007 R2 release). Only users homed on a server
running Office Communications Server 2007 R2 can log on to a Web site hosted on a server
running Communicator Web Access (2007 R2 release).
The solution to this problem is twofold:
1. Continue running at least one server with Communicator Web Access (2007 release)
   installed.
2. Define a redirect URL for your virtual servers that are running Communicator Web Access
   (2007 R2 release).
The redirect URL is the URL for the server running the Communicator Web Access (2007
release) (that is, the legacy version of Communicator Web Access). When a user logs on to
Communicator Web Access (2007 R2 release), the server verifies the user account in Active
Directory. If the user is homed on Office Communications Server 2007 that user will automatically
be redirected to the server running the earlier version of Communicator Web Access. Otherwise,
the user will be logged on to the server running Communicator Web Access (2007 R2 release).
Instead of using a redirect URL you can give users two different URLs: one for users homed on
Communicator Web Access (2007 release), and the other for users homed on Communicator
Web Access (2007 R2 release). However, it is much easier to give users one URL, without
having to worry about which version of Office Communications Server each user is homed on.
This way, as users are moved to Office Communications Server 2007 R2 they can continue to
access Communicator Web Access by using the same URL they used previously. The only
difference is that, after they are homed on Office Communications Server 2007 R2, they will no
longer need to be redirected.
Redirected users will not have access to the new features included in Communicator Web Access
(2007 R2 release). They will only have access to the features available in the previous version of
Communicator Web Access.

To specify a redirect URL
    1. Log on to the computer that is running the Communicator Web Access snap-in.

        Note:
            To specify a redirect URL, you must log on as a member of the local
            Administrators group and the RTCUniversalServerAdmins group.
    2. Click Start, point to Administrative Tools, and then click Microsoft Office
       Communications Server 2007 R2, Communicator Web Access.
    3. In the console tree, expand the name of the computer that hosts the virtual server that
       needs to be configured with a redirect URL, right-click the name of the virtual server, and
       then click Properties.
    4. In the Properties dialog box, on the General tab, type the URL of the server to which
       legacy users will be redirected in the URL box and then click OK.




Configuring a Next Hop Server for Anonymous Users
When a Communicator Web Access user participates in an instant messaging (IM), audio
conference, or a desktop sharing session, messages must be passed back and forth between
Communicator Web Access and the user’s home server. This creates a problem for anonymous
users because, by definition, anonymous users do not have a home server.
To accommodate anonymous users, Communicator Web Access lets you define a next hop
server for each of your virtual servers. A next hop server can be any computer running Office
Communications Server 2007 R2. The next hop server acts as a home server for anonymous
users, giving Communicator Web Access a place to send messages to and receive messages
from.
You must configure a next hop server when you create a virtual server. You can use the
Communicator Web Access snap-in to change the next hop server at any time. When selecting a
next hop server, keep in mind that if the next hop server fails, Communicator Web Access will fail
as well. With this issue in mind, it is recommended that you select a server pool as your next hop
server instead of an individual server. By choosing a server pool, you ensure that Communicator
Web Access will continue to function even if an individual server in that pool fails.




To configure a next hop server
     1. On a computer that is running the Communicator Web Access snap-in, log on as a
        member of the local Administrators group and the RTCUniversalServerAdmins group.
     2. Click Start, point to Administrative Tools, and then click Microsoft Office
        Communications Server 2007 R2, Communicator Web Access.
     3. In the console pane, expand the name of the computer that hosts the virtual server for
        which you want to specify a next hop server, right-click the name of the virtual server, and
        then click Properties.
     4. In the Properties dialog box, on the Next Hop tab, select a server or server pool from
        the Next hop pool dropdown.
     5. Type the listening port of the server or server pool in the Port box and then click OK.

         Note:
             Typically, Office Communications Server uses port 5061 as the listening port.


Configuring Desktop Sharing
Communicator Web Access (2007 R2 release) enables users to share their desktop. This allows
participants in an instant messaging (IM) session to view the desktop of a user and, if given
permission, to take control of that desktop. Before you can enable desktop sharing you must
configure and apply a meeting policy that allows for desktop sharing. To do that you will need to:
   Enable Web conferencing.
   Enable program and desktop sharing.
   If desired, allow users to take control of a shared desktop session. This is done by enabling
     the option Allow control of shared programs and desktop.
   Configure a maximum meeting size, which determines the maximum number of users that
     can participate in a single desktop sharing session or other type of meeting. By default, the
     maximum meeting size is set to 10.
You also need to determine how (and if) anonymous users will be allowed to participate in
desktop sharing sessions. You have three options available to you:
   Allow anonymous participants to take part in meetings and desktop sharing sessions.
   Do not allow anonymous participation.
   Configure anonymous participation on a per-user basis.
Desktop sharing can be implemented only if the virtual server uses the HTTPS connectivity
protocol. If you log on to a Communicator Web Access Web site that uses the HTTP protocol the
desktop sharing button will be disabled. If you hold the mouse over the button a tooltip will appear
stating that, “Desktop sharing requires a secure connection (HTTPS). Contact your system
administrator.” You will also need to open firewall ports 49152 through 65535 to support desktop
sharing.



Note:
    Some applications that use Microsoft Direct3D to display all or part of their user interface
    (for example, Windows Photo Gallery) might appear as a black screen during desktop
    sharing. These applications use a method for displaying graphics that is incompatible
    with the desktop sharing technology. Other users might report large delays when working
    on a shared desktop. Typically this is because their video card drivers are outdated. If
    your users are going to participate in desktop sharing sessions it is important that they
    have the latest video card drivers.


Configuring Desktop Sharing
To configure desktop sharing complete the following procedure. No client configuration is
required for users to participate in a desktop sharing session. However, users who want to share
their desktops will need to install the Communicator Web Access Plug-in. They will be prompted
to install the plug-in the first time they try to share their desktop. Only users running Microsoft
Windows can share their desktops. Users running other operating systems (for example,
Macintosh or Linux) can participate in a desktop sharing session, but they cannot share their own
computer desktop.

To configure desktop sharing
    1. Log on to the computer where the Communicator Web Access snap-in has been
       installed. You must log on as a member of the local Administrators group and a member
       of the RTCUniversalServerAdmins group.
    2. Click Start, point to Administrative Tools, and then click Office Communications
       Server 2007 R2.
    3. Right-click the forest node, click Properties and then click Global Properties.
    4. In the Office Communications Server Global Properties dialog box, on the Meetings
       tab, select the desired setting from the Anonymous participants drop-down list.
    5. In the Global Policy drop-down list select Default Policy and then click Edit.
    6. In the Edit Policy dialog box type a value in the Maximum meeting size box.
    7. Click Enable web conferencing, click Enable program and desktop sharing, and then
       select the Allow control of shared programs and desktop check box to allow users to
       take control of a shared desktop session.
    8. Make any other configuration changes as needed and then click OK.
    9. In the Office Communications Server Global Properties dialog box, click OK.


Configuring Audio Conferencing for Communicator Web Access
Communicator Web Access (2007 R2 release) enables users to add audio conferencing to any
instant messaging (IM) or desktop sharing session. After an instant messaging or desktop sharing
session has been established a user can then add audio conferencing (that is, by using any
telephone, including cell phones) to the session. This enables users to take part in a conference
call along with the instant messaging or desktop sharing session. When audio is added to a
session, Communicator Web Access will call the user who initiated the audio conference (that is,
at a phone number supplied by that user) and then invite other users to join the audio conference.
If a user decides to join, Communicator Web Access will then call that user at the phone number
he or she supplies.

Note:
     Audio conferencing requires you to install and configure Audio/Video Conferencing
     Server and, if you need to support external users, Audio/Video Conferencing Edge
     Server. You must also set up Mediation Server, which connects Office Communications
     Server 2007 R2 to the public switched telephone network (PSTN).


To configure a static route for audio conferencing
If all of your users are internal users who have been enabled for Enterprise Voice, and if you have
configured location profiles for these users then no additional work is needed for you to
implement audio conferencing. However, this is not the case if you:
   Support external users.
   Have users who have not been enabled for Enterprise Voice.
   Have not configured location profiles for your users.
If any of these are true then you must create static audio routes for each Communicator Web
Access server or server pool. These routes point the server or server pool towards the location
(IP address) of the appropriate Mediation Server.

To configure a static route for audio conferencing

     1. Log on to a computer running the Office Communications Server 2007 R2 administrative
        tools. To create static routes you must be a member of both the local Administrators group
        and the RTCUniversalServerAdmins group.
     2. Click Start, point to Administrative Tools, and then click Office Communications
        Server 2007 R2.
     3. In the console tree, expand the forest node.
     4. Do one of the following:
            If you are running Office Communications Server Enterprise Edition, expand
              Enterprise pools, and then right-click the pool in which Communicator Web Access
              is installed.
            If you are running Office Communications Server Standard Edition, expand Standard
              Edition Servers and right-click the name of the server on which Communicator Web
              Access is installed.
     5. Point to Properties, and then click Front-End Properties.


    6. In the Front End Properties dialog box, on the Routing tab, click Add.
    7. In the Add Static Route dialog box, under Matching URI, type the Communicator Web
       Access domain name in the Domain box, and then click Phone URI.
    8. Under Next hop, type the fully qualified domain name (FQDN) of the Mediation server
       (for example, mediation.contoso.com) in the FQDN box. Type the IP address of the
       Mediation server in the IP address box and the listening port number (typically 5061) in
       the Port box.
    9. In the Transport list, select TLS, and then click OK.


Configuring Distribution Group Support for
Communicator Web Access
With Communicator Web Access, users can use an Active Directory distribution group as a
contact. This makes it easy to send an instant message (IM) to all the members of that group.
Users can simply direct the message to the group rather than to each individual member of the
group.
Communicator Web Access also supports distribution group expansion. When distribution group
expansion is enabled, users can use a distribution group as a contact and can also “expand” the
membership list for that group. This enables them to see all the members of that group, along with
their individual contact and status information. As a result, users can work with the group as a
whole, or with each of the individual members of that group.


To enable distribution group support
Distribution group expansion is configured at the pool level (for Enterprise Edition) or at the server
level (for Standard Edition), and the configured setting applies to both Communicator Web
Access and Office Communicator. By default, distribution group expansion is enabled when you
install Office Communications Server. You can verify (or, if necessary, change) these settings by
doing the following:

To enable distribution group support
    1. Log on to a computer running the Office Communications Server administrative tools. To
       enable distribution group support you must be a member of both the Domain
       Administrators group and the RTCUniversalServerAdmins group.
    2. Click Start, point to Administrative Tools, and then click Office Communications
       Server 2007 R2.
    3. In the console tree, expand the forest node.
    4. Do one of the following:
           If you are running Office Communications Server Enterprise Edition, expand
             Enterprise pools, and then right-click the pool in which Communicator Web Access
             is installed.
           If you are running Office Communications Server Standard Edition, expand Standard
             Edition Servers and right-click the name of the server on which Communicator Web
             Access is installed.
     5. Click Properties and then click Web Component Properties.
     6. In the Web Components Properties dialog box, on the Address Book tab, verify that
        Enable distribution groups expansion has been selected, and that the desired value
        has been entered in the Maximum group size box.
     7. Make any changes as needed, and then click OK.




Appendix: Deploying Communicator Web
Access
To facilitate access to the Communicator Web Access requirements documented in the Planning
and Architecture documentation, the following topics are replicated in this Appendix.
In This Section
   Communicator Web Access Support
   DNS Requirements for Communicator Web Access
   Certificates for Communicator Web Access
   IIS Requirements for Communicator Web Access
   Accounts and Permissions Requirements


Communicator Web Access Support
The 2007 R2 version of Communicator Web Access is not a stand-alone application. Instead, it
functions as an extension to your Office Communications Server 2007 R2 deployment: Office
Communications Server 2007 R2 must be deployed and running before you can even install
Communicator Web Access. Because Communicator Web Access is an extension to Office
Communications Server, it must interact with, and rely upon, other components of Office
Communications Server in order to carry out its appointed tasks. For example, Communicator
Web Access authenticates users when they log on to a virtual server; after users are
authenticated, however, Communicator Web Access relies on Office Communications Server to
provide presence information and instant messaging (IM) capabilities.
Additional information about integrating Communicator Web Access with Office Communications
Server, as well as information about hardware and software requirements and a checklist of
deployment steps, can be found in the following sections of this topic.




Supported Topologies
Communicator Web Access supports a number of different deployment scenarios. In a smaller
organization you can install Communicator Web Access on one computer and run Office
Communications Server 2007 R2 on another. In larger organizations, Communicator Web Access
can be deployed as an array of servers located behind a hardware load balancer.
Communicator Web Access supports two types of virtual servers: internal (designed for
authenticated users logging on behind the organization firewall) and external (designed for
authenticated users logging on from outside the organization firewall). When you deploy
Communicator Web Access, you can deploy one or more internal virtual servers or you can
deploy one or more external virtual servers. Alternatively, you can deploy both types of virtual
server, thus providing a way for users to log on to Communicator Web Access either from the
internal network or from the Internet. You can even host both an internal virtual server and an
external virtual server on the same computer, although this is not recommended for security
reasons.
If you are planning to deploy an external virtual server it is recommended that you also deploy a
reverse proxy server. In this scenario, external users initially connect to the reverse proxy server
rather than connect directly to your Communicator Web Access server. After the user has been
authenticated, the reverse proxy server then directs them to a Communicator Web Access server
or server pool.
As a general rule, Communicator Web Access supports any reverse proxy configuration for
creating a perimeter network, including Microsoft Internet Security and Acceleration (ISA) Server.
However, there is one exception to this general rule. Communicator Web Access supports single
sign-on authentication. With single sign-on, a user who needs to access more than one Web-
based service can log on once and automatically be granted access to each of those Web-based
services. For instance, a user can log on and simultaneously be authenticated for both Microsoft
Outlook Web Access and Communicator Web Access.
Communicator Web Access supports single sign-on, but only if ISA Server 2006 is used as the
authenticating server. No other single sign-on method is currently supported.
If you want to enable audio conferencing and desktop sharing for Communicator Web Access,
you will need to deploy both the A/V Conferencing Server and Mediation Server. (You will also
need to deploy the A/V Conferencing Edge Server if you want to provide these capabilities to
external users.) If you need to keep a record of your IM sessions (a legal requirement in some
industries), you must deploy and configure Archiving Server.


Supported Collocation
Communicator Web Access must run on a dedicated computer. Collocating Communicator Web
Access with any other Office Communications Server server role is not supported.


Load Balancing
Communicator Web Access supports hardware load balancing; software load balancing is not
supported. In theory, it is possible to use a single load balancer to handle both Office
Communications Server connectivity and Communicator Web Access connectivity. Although this
works, it does not guarantee that connection requests will be shared equally among all the
servers in the Communicator Web Access array. Because of that, it is recommended that you
dedicate a load balancer solely for use with Communicator Web Access.
Any load balancer that supports client affinity can be used with Communicator Web Access.
Client affinity helps ensure that an entire session takes place on a single Communicator Web
Access server; Communicator Web Access does not allow a session to begin on one server and
then somehow be transferred to another server. If a user is logged on to Server A at the
beginning of a session, the user will continue to use Server A for the duration of that session. If
Server A fails, that user's session is terminated. (The user can then sign on again, and the load
balancer will route the user to a server that is still running.) Users connected to Server B or
Server C will not have their sessions disrupted in any way if Server A fails.
For optimal performance, load balancers used with Communicator Web Access should also
support the following:
   You should be able to set the TCP idle timeout to 1,800 seconds. If you are using Microsoft
     Internet Security and Acceleration (ISA) Server as a reverse proxy or single sign-on server,
     you should also set the idle timeout on the ISA server to 1,800 seconds.
   If your load balancer is expected to handle more than 65,000 simultaneous connections, you
     should use source network address translation (SNAT).

     Note:
         Use of destination network address translation (DNAT) is not supported for
         Communicator Web Access.
   To help ensure client affinity, your load balancer should support cookie-based load balancing.
     It is recommended that you use HTTP Cookie Insert when creating the load balancer’s cookie
     persistence profile.
For details about general load balancer requirements, see Planning Load Balancing.


Required Hardware
No special hardware is required for a Communicator Web Access server. (However, if you are
setting up a pool of servers you can use a hardware load balancer to direct clients to a specific
server.) For details about the recommended minimum hardware for a Communicator Web Access
server, see Internal Office Communications Server Component Requirements.
As a general rule, increasing the speed of the processor, the hard disk, or the network card has a
minimal effect on Communicator Web Access performance. If you want to increase the
performance (and the capacity) of your Communicator Web Access servers, adding additional
memory is the best approach.




Required Software
For details about the operating systems that are supported for the 2007 R2 version of
Communicator Web Access, see Internal Office Communications Server Component
Requirements.
In addition, the following software must be running before Communicator Web Access can be
installed:
   Microsoft Visual C++ Redistributable
   Microsoft .NET Framework 3.5 with Service Pack 1
   Office Communications Server Core Components
   Microsoft SQL Server Native Client
   Microsoft Unified Communications Managed API Redistributable
   Internet Information Services (IIS)
If you are installing Communicator Web Access using the Office Communications Server 2007 R2
Deployment Wizard, the Setup program will verify that each of these applications has been
installed; if any have not, the wizard will notify you and offer to install the missing programs for
you. If you are installing Communicator Web Access from the command line, you will need to
install each of these applications before beginning the Communicator Web Access setup.
These same software requirements apply to any computer where you want to install
Communicator Web Access Manager, the primary tool for administering your Communicator Web
Access infrastructure. You do not have to install Communicator Web Access Manager on a
computer that is running Communicator Web Access itself; this enables you to set up an
administrative computer separate and distinct from your Communicator Web Access servers.


Deployment Process
As a planner, you do not need to know the step-by-step procedures for creating a DNS record or
for enabling users for remote access. However, it is useful for planners to understand the basic
tasks involved in deploying Communicator Web Access in an organization. Because of that, these
steps are briefly described in the following table.

Table 1. Communicator Web Access Deployment Process

Each row lists the phase, its steps, the permissions required, and the documentation to consult.

Phase: Verify Communicator Web Access requirements
   Steps:
      1. Verify that your servers meet the hardware and software requirements for running
         Communicator Web Access.
      2. Verify that your client computers are running an operating system and Web browser
         supported by Communicator Web Access.
   Permissions: DNS Admins group or Domain Admins group
   Documentation: Verifying Communicator Web Access Server Requirements; Verifying
      Communicator Web Access Client Requirements

Phase: Prepare DNS records
   Steps:
      1. Create Domain Name System (DNS) records for internal Communicator Web Access servers
         and load balancer.
      2. Optionally, create DNS records for the external Communicator Web Access servers, the
         reverse proxy, and the load balancer.
   Permissions: DNS Admins group or Domain Admins group
   Documentation: Domain Name System (DNS) Requirements

Phase: Install and configure Internet Information Services (IIS)
   Steps:
      1. If installing on Windows Server 2003, install IIS 6.0.
      2. If installing on Windows Server 2008, install Windows Process Activation Service and then
         install IIS 7.0. After IIS 7.0 has been installed, configure the Managed Pipeline mode.
   Permissions: Local Administrators group
   Documentation: Installing IIS 7.0 for Communicator Web Access

Phase: Prepare and install certificates
   Steps:
      1. Request and install a Web server certificate for both mutual TLS (MTLS) and Secure
         Sockets Layer (SSL). In some cases, multiple certificates might be required.
      2. If necessary, install the certificate chain for the certification authority (CA) in the
         Trusted Root Certification Authorities node in the certificate store for the local
         computer.
   Permissions: Local Administrators group
   Documentation: Preparing Certificates for Communicator Web Access

Phase: Deploy Office Communications Server 2007 R2
   Steps:
      1. Install Office Communications Server.
      2. Activate Office Communications Server.
      3. Configure Office Communications Server.
   Permissions: Various
   Documentation: The Deploying Office Communications Server 2007 R2 Enterprise Edition
      documentation (for an Enterprise pool deployment) or the Deploying Office Communications
      Server 2007 R2 Standard Edition documentation (for a Standard Edition server deployment)

Phase: Install and activate Communicator Web Access
   Steps:
      1. Install Communicator Web Access.
      2. Activate Communicator Web Access.
      3. Create an internal virtual server.
      4. Create an external virtual server (optional).
   Permissions: Local Administrators group; Domain Admins group
   Documentation: Installing and Activating Communicator Web Access; Creating a Communicator
      Web Access Virtual Server

Phase: Publish Communicator Web Access URLs
   Steps: Publish the Communicator Web Access URLs.
   Permissions: Local Administrators group; Domain Admins group
   Documentation: Publishing Communicator Web Access URLs

Phase: Install Communicator Web Access Manager
   Steps: Install Communicator Web Access Manager and the Office Communications Server
      Administration Tools. These tools do not need to be installed on the same computer where
      Communicator Web Access is installed.
   Permissions: Local Administrators group; Domain Admins group
   Documentation: Installing the Communicator Web Access Snap-in

Phase: Install a load balancer and reverse proxy server (optional)
   Steps:
      1. If needed, install a load balancer to help distribute Communicator Web Access connection
         requests to all your servers.
      2. If needed, install a reverse proxy server to handle logon requests from external users.
   Permissions: Local Administrators group; Domain Admins group
   Documentation: Using a Load Balancer to Increase Capacity and Availability; Using a Reverse
      Proxy to Enable Remote User Access

Phase: Configure your Communicator Web Access server for optimum performance
   Steps:
      1. If Communicator Web Access is running on Windows Server 2003, enable SSL to run in
         kernel mode.
      2. If your server needs to handle more than a few hundred simultaneous connections,
         increase the ASP.NET request queue limit.
      3. If your server needs to handle more than a few hundred simultaneous connections,
         increase the queue length setting in IIS.
   Permissions: Local Administrators group
   Documentation: Enabling Kernel SSL on Windows Server 2003; Modifying the ASP.NET Request
      Queue Limit; Modifying the IIS Queue Length

Phase: Enable and configure user accounts
   Steps: In Active Directory Domain Services (AD DS), configure user accounts by enabling them
      for Office Communications Server 2007 R2.
   Permissions: Domain Admins group
   Documentation: Create and Enable Users in the Deploying Office Communications Server 2007 R2
      Enterprise Edition documentation (for an Enterprise pool deployment) or in the Deploying
      Office Communications Server 2007 R2 Standard Edition documentation (for a Standard
      Edition server deployment); Enabling Users for Communicator Web Access

Phase: Test the Communicator Web Access Web site
   Steps: Verify connectivity for internal users, external users, and anonymous users.
   Permissions: Domain Admins
   Documentation: Testing the Web Site

Phase: Verify load balancing configuration (if applicable)
   Steps:
      Verify that users can connect to Communicator Web Access through the load balancer, and
         that connections are being equitably distributed.
      Verify that users can carry out typical Communicator Web Access activities, such as
         sending instant messages, managing contacts, and sharing their desktop.
   Permissions: Domain Admins group
   Documentation: Verifying Load Balancing Configuration

Phase: Configure New Communicator Web Access settings
   Steps: As needed, modify Communicator Web Access settings for such features as desktop
      sharing, audio conferencing, and distribution group expansion.
   Permissions: Domain Admins group
   Documentation: Configuring New Communicator Web Access Settings



DNS Requirements for Communicator Web
Access
Each Communicator Web Access server must have a DNS host record that associates the Web
site URL with the computer's IP address. In addition, each Communicator Web Access server



must have a pair of canonical name (CNAME) records whose host names are as and download. For
example, the URL im.contoso.com must have the following two DNS records:
   as.im.contoso.com
   download.im.contoso.com
These CNAME records are required in order to support desktop sharing.
If you are employing a hardware load balancer, your CNAME records must refer to the IP address
of the load balancer rather than to an individual Communicator Web Access server. For example, if
you have four servers located behind a hardware load balancer, your CNAME records should
point to the load balancer, and you should have a single as record that points to the load balancer
rather than four separate as records, one for each server.
A similar approach is required if you are using a reverse proxy server to handle external logons.
In that case, your CNAME records must refer to the IP address of the reverse proxy server. In
addition, you will need to create a host name record for this server.
For details, including step-by-step information about creating DNS records, see Configuring
Communicator Web Access DNS Records in Deploying Communicator Web Access in the
Deploying Office Communications Server 2007 R2 documentation.
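The record rules above, as an added offline check that is not part of the product or this guide. The zone tables and the 192.0.2.x addresses are constructed, and the resolver callback is a hypothetical hook that a real DNS lookup could replace.

```python
"""Check the DNS records Communicator Web Access expects for one Web site URL.

Added example (not product code). A resolver callback returns (record_type,
value) for a name, so the check runs against the constructed zones below or
can be wired to a live DNS lookup.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

Record = Tuple[str, str]          # ("A", "192.0.2.10") or ("CNAME", "im.contoso.com")
Resolver = Callable[[str], Optional[Record]]

# Constructed zone: im.contoso.com is the Web site URL, 192.0.2.10 is the
# load balancer address, cwa01/cwa02 are individual servers behind it.
GOOD_ZONE: Dict[str, Record] = {
    "im.contoso.com": ("A", "192.0.2.10"),
    "as.im.contoso.com": ("CNAME", "im.contoso.com"),
    "download.im.contoso.com": ("CNAME", "im.contoso.com"),
    "cwa01.contoso.com": ("A", "192.0.2.11"),
    "cwa02.contoso.com": ("A", "192.0.2.12"),
}

# Constructed mistakes: the "as" CNAME names one server instead of the load
# balancer, and the "download" CNAME is missing altogether.
BAD_ZONE: Dict[str, Record] = {
    "im.contoso.com": ("A", "192.0.2.10"),
    "as.im.contoso.com": ("CNAME", "cwa01.contoso.com"),
    "cwa01.contoso.com": ("A", "192.0.2.11"),
}


def zone_resolver(zone: Dict[str, Record]) -> Resolver:
    """Resolver over a static zone table; names are matched case-insensitively."""
    return lambda name: zone.get(name.rstrip(".").lower())


def resolve_address(name: str, resolve: Resolver) -> Optional[str]:
    """Follow CNAMEs to an A record. Returns None if the chain breaks or loops."""
    seen: Set[str] = set()
    while name not in seen:
        seen.add(name)
        rec = resolve(name)
        if rec is None or rec[0] not in ("A", "CNAME"):
            return None
        if rec[0] == "A":
            return rec[1]
        name = rec[1]
    return None


def check_cwa_dns(site_url: str, resolve: Resolver,
                  front_end_ip: Optional[str] = None) -> List[str]:
    """Return the problems found (an empty list means the records look right).

    Rules checked, as stated in the DNS requirements:
      * the site URL needs a host (A) record;
      * as.<site> and download.<site> must exist as CNAME records and resolve
        to the same address as the site URL (needed for desktop sharing);
      * behind a load balancer or reverse proxy, the records must resolve to
        that device's address (front_end_ip), not to an individual server.
    """
    problems: List[str] = []
    host = resolve(site_url)
    if host is None or host[0] != "A":
        problems.append(f"{site_url}: no host (A) record")
        return problems
    site_ip = host[1]
    if front_end_ip is not None and site_ip != front_end_ip:
        problems.append(f"{site_url}: host record points to {site_ip}, expected "
                        f"the load balancer or reverse proxy at {front_end_ip}")
    for prefix in ("as", "download"):
        name = f"{prefix}.{site_url}"
        rec = resolve(name)
        if rec is None:
            problems.append(f"{name}: missing CNAME record (required for desktop sharing)")
        elif rec[0] != "CNAME":
            problems.append(f"{name}: expected a CNAME record, found {rec[0]}")
        else:
            target_ip = resolve_address(rec[1], resolve)
            if target_ip != site_ip:
                problems.append(f"{name}: CNAME resolves to {target_ip}, but {site_url} "
                                f"is {site_ip}; both must point to the same load "
                                "balancer or reverse proxy address")
    return problems


if __name__ == "__main__":
    for label, zone in (("good zone", GOOD_ZONE), ("bad zone", BAD_ZONE)):
        found = check_cwa_dns("im.contoso.com", zone_resolver(zone), "192.0.2.10")
        print(f"{label}: {len(found)} problem(s)")
        for problem in found:
            print("  -", problem)
```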


Certificates for Communicator Web Access
Like other Office Communications Server components, Communicator Web Access requires an
MTLS certificate to authenticate traffic with other components of Office Communications Server. If
you are using the HTTPS protocol for your virtual servers, an SSL certificate is required to
authenticate the traffic between each Communicator Web Access server and each logged-on
client.
In many cases, the same certificate can be used for both your MTLS connections and your SSL
connections. For details about both certificate requirements and the recommended procedure for
requesting and installing certificates for Communicator Web Access, see Preparing Certificates
for Communicator Web Access in Deploying Communicator Web Access in the Deployment
documentation.
If you have set up a Windows CA, you can generate your own certificates for use with
Communicator Web Access. If all your users are internal users (that is, users who log on from
inside the organization’s firewall), you might want to use self-generated certificates: There is no
charge for certificates that you create yourself, and – as members of the same domain – your
client computers more than likely already trust certificates generated by your internal CA.
Certificates purchased from a third-party CA can also be used with Communicator Web Access. If
you are supporting external users (that is, users who log on from outside the organization’s
firewall), you might want to use a third-party certificate for all of your external virtual servers. By
default, the Windows operating system (and many other operating systems) comes with
certificates from many of the major third-party CAs preinstalled. Using a third-party certificate for
external virtual servers helps limit security warnings and provides a better Communicator Web
Access experience for external users.


IIS Requirements for Communicator Web Access
IIS is the Web server that hosts Communicator Web Access. Both IIS 6.0 and IIS 7.0 (running in
IIS 6.0 compatibility mode) are supported for the 2007 R2 version of Communicator Web Access.
If you use IIS 7.0 with Communicator Web Access, you must enable several IIS 7.0 features.
Communicator Web Access supports any combination of internal and external virtual server
instances on the same or different computers.
The IIS queue length setting affects user capacity for Communicator Web Access.
You can optimize IIS 6.0 scalability and the user limit to increase capacity.
For details about Communicator Web Access components and capacity, see Capacity Planning
and Communicator Web Access Support.


Accounts and Permissions Requirements
Security requirements for Office Communications Server 2007 R2 include the following:
   Administrative credentials
   Security levels
   Media gateway security


Administrative Credentials
The following table outlines the permissions required to deploy the various server roles.

Note:
     By default, membership in the Domain Admins group is required to deploy or activate a
     server that is joined to an Active Directory domain. If you do not want to grant this level of
     privilege to the group or users deploying Office Communications Server, you can use the
     setup delegation wizard to provide a specific group the subset of permissions required for
     this task.

Table 1. Administrative Credentials Required for Deployment Tasks

Procedure                                            Administrative credentials or roles required

Standard Edition

Install prerequisite software                        RTCUniversalServerAdmins group
                                                     Domain Admins group

Prepare Active Directory Domain Services             Member of Schema Admins group and
(AD DS)                                              Administrator rights on the schema master
                                                     Member of Enterprise Admins group for the
                                                     forest root domain
                                                     Member of Enterprise Admins or Domain Admins
                                                     group

Prepare Windows for setup                       Administrators group

Create and verify DNS records                   DNS Admins group

Deploy and activate Standard Edition server     RTCUniversalServerAdmins group
and applications                                Domain Admins group

Configure Standard Edition server               RTCUniversalServerAdmins group

Configure certificates for Office               Administrators group
Communications Server                           RTCUniversalServerAdmins group

Start the services                              RTCUniversalServerAdmins group

Validate server configuration                   RTCUniversalServerAdmins group

Optionally, configure A/V and Web               RTCUniversalServerAdmins group
conferencing

Enterprise Edition, Consolidated Topology

Install prerequisite software                   RTCUniversalServerAdmins group
                                                Domain Admins group

Prepare AD DS                                   Member of the Schema Admins group and
                                                Administrator rights on the schema master
                                                Member of the Enterprise Admins group for the
                                                forest root domain
                                                Member of the Enterprise Admins or
                                                Domain Admins group

Prepare Windows for setup                       Administrators group

Install SQL Server                              Local Administrator

Configure SQL Server for Office                 SQL Server administrator
Communications Server                           Local administrator

Optionally, configure a load balancer for the   Load balancer administrator
pool

Create and verify DNS records                   DNS Admins group

Create the pool                                 RTCUniversalServerAdmins group
                                                Domain Admins group

Configure the pool and applications             RTCUniversalServerAdmins group


Add servers to the pool                         Administrators group
                                                RTCUniversalServerAdmins group
                                                Domain Admins group

Configure certificates for Office               Administrators group
Communications Server                           RTCUniversalServerAdmins group

Start the services                              RTCUniversalServerAdmins

Validate the server and pool configuration      RTCUniversalServerAdmins

Dial-in Conferencing

Install and activate Office Communications      Administrators group
Server 2007 R2                                  RTCUniversalServerAdmins group
                                                Domain Admins group

Activate Conferencing Attendant and             RTCUniversalServerAdmins group
Conferencing Announcement Service               Domain Admins group
applications

Install, activate, and configure the 2007 R2    Administrators group
version of Microsoft Office Communicator Web    Domain Admins group
Access server

Optionally, enable remote user access to        Administrators group
Communicator Web Access                         Domain Admins group

Test the Dial-in Conferencing Web page          Office Communications Server 2007 R2 user

Create one or more location profiles            RTCUniversalServerAdmins group

Configure a global policy to support dial-in    RTCUniversalServerAdmins group
conferencing

Deploy a Mediation Server                       RTCUniversalServerAdmins group

Deploy a third-party basic media gateway        RTCUniversalServerAdmins group (to configure
OR                                              Mediation Server)
Configure the Mediation Server to perform SIP   Administrator of the SIP trunking provider
trunking

Response Group Service

Install and activate Office Communications      Administrators group
Server 2007 R2                                  RTCUniversalServerAdmins group
                                                Domain Admins group

Activate the Response Group Service           RTCUniversalServerAdmins group
application                                   Domain Admins group

Add agents, create agent groups, and create   RTCUniversalServerAdmins group
queues for the server pool

Create the workflows                          RTCUniversalServerAdmins group

Configure the Response Group tab              Domain Admins group

Archiving Server

Install prerequisite software                 Administrators group and Domain Admins
                                              group (to install Message Queuing with Active
                                              Directory integration enabled)

Install and activate Archiving Server         Administrators group
                                              Domain Admins or RTCUniversalServerAdmins
                                              group

Configure Archiving Server associations       Administrators group

Configure users for archiving                 RTCUniversalUserAdmins group

Start the archiving services                  RTCUniversalUserAdmins Group

Monitoring Server

Install prerequisite software                 Administrators group
                                              Domain Admins group (to install Message
                                              Queuing with Active Directory integration
                                              enabled)

Install and activate Monitoring Server        Administrators group
                                              Domain Admins or RTCUniversalServerAdmins
                                              group

Start the services                            Administrators group

Deploy Monitoring Server reports              Administrators group

Configure Monitoring Server associations      Administrators group

Communicator Web Access

Install and activate                          Domain Admins

Create virtual server                         Domain Admins, or
                                              RTCUniversalServerAdmins and local
                                              Administrators

Publish Communicator Web Access URLs            Domain Admins, or
                                                RTCUniversalServerAdmins and local
                                                administrators

Manage Communicator Web Access settings         Domain Admins, or
                                                RTCUniversalServerAdmins and local
                                                administrators

Group Chat

Create SQL Server database                      Database administrator

Set up Group Chat accounts and permissions      Administrators group

Obtain certificates for Group Chat              Administrators group

Install Group Chat                              Administrators group

Configure Web site settings in IIS              Administrators group

Connect the Group Chat Administration Tool to   Administrators group
Group Chat                                      Channel service administrator

Configure Group Chat user access                Administrators group

Deploy archiving and compliance support         Database administrator
                                                Administrators group

Administrative Tools

Install Administrative Tools on a centralized     Administrators group
administrative console that is not running Office Domain Admins group
Communications Server

Configure user account settings                 RTCUniversalUserAdmins

Configure all other settings (other than user   RTCUniversalServerAdmins
account settings)

Edge Server

Set up the infrastructure for Edge Servers      Administrators group

Set up Edge Servers                             Administrators group
                                                Domain Admins or RTCUniversalServerAdmins
                                                group

Configure the environment                       Administrators group
                                                Domain Admins or RTCUniversalServerAdmins
                                                group

Validate edge configuration                       Administrators group
                                                  Domain Admins or RTCUniversalServerAdmins
                                                  group

Communicator Mobile for Windows Mobile

Install prerequisites                             Administrator

Install Communicator Mobile for Windows           Administrator
Mobile

Install self-signed certificates                  Administrator

Configure the client                              Administrator

Test IM and presence                              Administrator

Communicator Mobile for Java

Verify that prerequisites and dependencies are    Administrator
met

Deploy the Communicator Mobile component          Administrator

Install Communicator Mobile for Java client       Administrator
software

Configure and use the client                      Administrator

Test IM and presence                              Administrator

Outside Voice Control

Install and activate Office Communications        Administrators group
Server 2007 R2                                    RTCUniversalServerAdmins group
                                                  Domain Admins group

Activate Outside Voice Control application        RTCUniversalServerAdmins group
                                                  Domain Admins group

Start the application                             RTCUniversalServerAdmins group

Test Outside Voice dialing on a supported         Office Communications Server 2007 R2 user
mobile client

Enterprise Voice with PBX Coexistence

Deploy Office Communications Server,                 Create Enterprise pool:
including Mediation Server that connects to the        RTCUniversalServerAdmins and Domain
PBX                                                    Admins or equivalent credentials


                                               Configure pool:
                                                 RTCUniversalServerAdmins
                                               Add server to pool:
                                                 RTCUniversalServerAdmins
                                               Configure certificate:
                                                 RTCUniversalServerAdmins
                                               Configure Web Components Server
                                                 certificate: Local Administrator credentials
                                               Validate server and pool functionality:
                                                 RTCUniversalServerAdmins

Deploy Office Communicator 2007             Administrator on the computer on which Office
                                            Communicator is being installed

Enable users for IM and presence            RTCUniversalUserAdmins group

Configure Communications Server for         RTCUniversalServerAdmins group
Enterprise Voice

Configure PBX to fork calls to Office       RTCUniversalServerAdmins (to get information
Communications Server                       from AD DS to convert an extension into the
                                            correct telephone URI)

Deploy media gateways (if required)         Media gateways are external systems with their own
                                            authentication and authorization schemes. If
                                            the media gateway requires creation of trusted
                                            service entries, you must be at least a member
                                            of the RTCUniversalServerAdmins group.

Deploy RCC gateway (if required)            RCC gateways are external systems with their own
                                            authentication and authorization schemes. You
                                            must be at least a member of the
                                            RTCUniversalServerAdmins group to create the
                                            required trusted service entries.

Enable users for Enterprise Voice and PBX   RTCUniversalUserAdmins group
integration

Enterprise Voice stand-alone (no PBX
coexistence)

Deploy Office Communications Server            Create enterprise pool:
                                                 RTCUniversalServerAdmins and Domain
                                                 Admins or equivalent credentials
                                               Configure pool:

                                                  RTCUniversalServerAdmins
                                                Add server to pool:
                                                  RTCUniversalServerAdmins
                                                Configure certificate:
                                                  RTCUniversalServerAdmins
                                                Configure Web Components Server
                                                  certificate: Local Administrator credentials
                                                Validate server and pool functionality:
                                                  RTCUniversalServerAdmins

Deploy Office Communicator 2007              Administrator on the computer on which Office
                                             Communicator is being installed

Configure Office Communications Server for   RTCUniversalUserAdmins group
Enterprise Voice

Deploy Exchange Server 2007 Unified             For Office Communications Server:
Messaging and configure to integrate with         RTCUniversalServerAdmins group
Office Communications Server                    For Exchange Server: Exchange
                                                  Organization Administrators permissions
                                                  are sufficient when Office Communications
                                                  Server and Exchange Server are running in
                                                  the same forest.

                                                  Note:
                                                      The user account used to configure
                                                      Exchange Unified Messaging must
                                                      have READ access to Office
                                                      Communications Server pools in
                                                      AD DS and READ/WRITE access
                                                      on the Exchange configuration
                                                      containers (First Organization\UM
                                                      Dial Plan Container, UM IP
                                                      Gateway Container, UM Auto
                                                      Attendant Container, and so on).

Deploy media gateways                        Media gateways are external systems with their own
                                             authentication and authorization schemes. If
                                             the media gateway requires creation of trusted
                                             service entries, you must be at least a member
                                             of the RTCUniversalServerAdmins group.

Enable users for Enterprise Voice            RTCUniversalUserAdmins group


Device Update Service

Deployment                                        Device Update Service is automatically
                                                  installed on the Web Components Server.
                                                  There are no specific deployment permissions
                                                  needed outside those required to deploy
                                                  Standard Edition or Enterprise Edition.

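The table above is easy to misread in the middle of a deployment, and the Note before it is the least-privilege point: most tasks have a path that does not need Domain Admins. As an added example (not part of the original documentation and not product code), the following PowerShell script encodes a few rows of Table 1 whose semantics are unambiguous and checks the current logon token against them. The group names are taken from the table; the task keys, the alternative-list encoding and the reading of "Administrators group" as the server's local Administrators group are this example's own assumptions.

```powershell
# Added example: check the current logon token against a few rows of Table 1.
# The task keys and the alternative-list encoding are this example's own
# convention; the group names come from the table.

$RequiredGroups = @{
    # Each task maps to a list of alternatives. Every group inside one
    # alternative is required (AND); any one alternative is sufficient (OR).
    'CWA.InstallActivate'     = @( ,@('Domain Admins') )
    'CWA.CreateVirtualServer' = @( @('Domain Admins'),
                                   @('RTCUniversalServerAdmins', 'Administrators') )
    'CWA.PublishUrls'         = @( @('Domain Admins'),
                                   @('RTCUniversalServerAdmins', 'Administrators') )
    'Pool.Configure'          = @( ,@('RTCUniversalServerAdmins') )
    'Users.ConfigureAccounts' = @( ,@('RTCUniversalUserAdmins') )
}

function Get-TokenGroupNames {
    # Groups carried by the current logon token. Nested domain groups are
    # already expanded here, and the local Administrators group only appears
    # when the shell is elevated (UAC strips it from a filtered token), which
    # is exactly what Setup will run with.
    [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object {
            try   { $_.Translate([Security.Principal.NTAccount]).Value }
            catch { $_.Value }                     # SIDs that do not resolve
        } |
        ForEach-Object { $_.Split('\')[-1] }       # drop the DOMAIN\ or BUILTIN\ prefix
}

function Test-DeploymentPermission {
    param(
        [Parameter(Mandatory=$true)] [string]$Task,
        [string[]]$GroupNames = (Get-TokenGroupNames)
    )
    $alternatives = $RequiredGroups[$Task]
    if (-not $alternatives) { throw "Unknown task '$Task'" }

    $satisfied = @()
    $delegatedPathExists = $false
    foreach ($alt in $alternatives) {
        $missing = @($alt | Where-Object { $GroupNames -notcontains $_ })
        if ($missing.Count -eq 0) { $satisfied += ,$alt }
        if ($alt -notcontains 'Domain Admins') { $delegatedPathExists = $true }
    }
    New-Object PSObject -Property @{
        Task        = $Task
        Allowed     = ($satisfied.Count -gt 0)
        SatisfiedBy = (($satisfied | ForEach-Object { $_ -join ' + ' }) -join ' | ')
        # Least-privilege hint: the task has a path without Domain Admins, yet
        # the token carries Domain Admins anyway (see the Note above Table 1).
        ExcessPrivilege = ($delegatedPathExists -and ($GroupNames -contains 'Domain Admins'))
    }
}

# On the server, run from the elevated shell you will start Setup in:
#   Test-DeploymentPermission -Task 'CWA.CreateVirtualServer'
# Offline, with a constructed group list standing in for the token:
Test-DeploymentPermission -Task 'CWA.CreateVirtualServer' `
    -GroupNames @('Domain Users', 'RTCUniversalServerAdmins', 'Administrators') |
    Format-List
```

With the constructed group list the result is Allowed = True, satisfied by RTCUniversalServerAdmins + Administrators, and ExcessPrivilege = False. Running it unelevated on the server makes the local Administrators group disappear from the token, which is the same reason an unelevated Setup fails the tasks that list that group.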


Security Levels
The security levels required for deploying Office Communications Server 2007 R2 depend on the
components your organization plans to deploy.


Exchange UM Security Levels
An Exchange Unified Messaging (UM) dial plan supports three different security levels:
Unsecured, SIPSecured, and Secured. You configure security levels by means of the
VoipSecurity parameter of the UM dial plan. The following table shows appropriate dial plan
security levels depending on whether mutual TLS (MTLS) and/or Secure Real-Time Transport
Protocol (SRTP) are enabled or disabled.

Table 2. VoipSecurity Values for Various Combinations of Mutual TLS and SRTP

Security level                    Mutual TLS                       SRTP

Unsecured                         Disabled                         Disabled

SIPSecured                        Enabled (required)               Disabled

Secured                           Enabled (required)               Enabled (required)


When integrating Exchange UM with Communications Server 2007 R2, you need to select the
most appropriate dial plan security level for each voice profile. In making this selection,
consider the following:
•  MTLS is required between Exchange UM and Office Communications Server. Therefore, the
   dial plan security level must not be set to Unsecured.
•  When dial plan security is set to SIPSecured, SRTP is disabled, so the Office
   Communicator 2007 R2 client encryption level must be set to either rejected or optional.
   A client that requires encryption cannot exchange media with Exchange UM at this level.
•  When dial plan security is set to Secured, SRTP is enabled and required by Exchange UM,
   so the Office Communicator 2007 R2 client encryption level must be set to either optional
   or required. A client that rejects encryption cannot exchange media with Exchange UM at
   this level.
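The three rules above combine with Table 2 into a small compatibility matrix that is worth checking across every dial plan before users are enabled. As an added example (not part of the original documentation and not product code), the following PowerShell function applies those rules to a set of UM dial plans for a given Office Communications Server encryption level, using the page's own terms (rejected, optional, required). Get-UMDialPlan and Set-UMDialPlan -VoIPSecurity are real Exchange Management Shell cmdlets; the dial plan names below are constructed so that the check runs offline, and the remediation strings are suggestions, not executed commands.

```powershell
# Added example: check Exchange UM dial plans against Table 2 and the rules above.
# $OcsEncryptionLevel uses the page's own terms: 'Rejected', 'Optional' or 'Required'.

function Test-UMDialPlanCompatibility {
    param(
        [Parameter(Mandatory=$true)] $DialPlans,        # objects with Name and VoIPSecurity
        [Parameter(Mandatory=$true)]
        [ValidateSet('Rejected','Optional','Required')] [string]$OcsEncryptionLevel
    )
    foreach ($plan in $DialPlans) {
        $level  = [string]$plan.VoIPSecurity
        $ok     = $false
        $reason = ''
        $fix    = ''
        switch ($level) {
            'Unsecured' {
                # No MTLS: Office Communications Server will not accept this dial plan at all.
                $reason = 'Unsecured disables mutual TLS, which Office Communications Server requires'
                $fix    = "Set-UMDialPlan -Identity '$($plan.Name)' -VoIPSecurity Secured"
            }
            'SIPSecured' {
                # MTLS on, SRTP off: the client side must not insist on SRTP.
                if ($OcsEncryptionLevel -eq 'Required') {
                    $reason = 'SIPSecured disables SRTP but the client encryption level requires it'
                    $fix    = "Set-UMDialPlan -Identity '$($plan.Name)' -VoIPSecurity Secured"
                } else { $ok = $true }
            }
            'Secured' {
                # MTLS and SRTP both required: the client side must not reject SRTP.
                if ($OcsEncryptionLevel -eq 'Rejected') {
                    $reason = 'Secured requires SRTP but the client encryption level rejects it'
                    $fix    = 'Raise the Office Communications Server encryption level to optional or required'
                } else { $ok = $true }
            }
            default { $reason = "Unknown VoIPSecurity value '$level'" }
        }
        New-Object PSObject -Property @{
            DialPlan     = $plan.Name
            VoIPSecurity = $level
            OcsLevel     = $OcsEncryptionLevel
            Compatible   = $ok
            Reason       = $reason
            Remediation  = $fix
        }
    }
}

# Constructed sample input so the check runs offline. In an Exchange Management
# Shell replace it with:  $plans = Get-UMDialPlan
$plans = @(
    (New-Object PSObject -Property @{ Name = 'Seattle-UM'; VoIPSecurity = 'Secured' }),
    (New-Object PSObject -Property @{ Name = 'Branch-UM';  VoIPSecurity = 'SIPSecured' }),
    (New-Object PSObject -Property @{ Name = 'Legacy-UM';  VoIPSecurity = 'Unsecured' })
)

Test-UMDialPlanCompatibility -DialPlans $plans -OcsEncryptionLevel 'Required' |
    Format-Table DialPlan, VoIPSecurity, Compatible, Reason, Remediation -AutoSize
```

With the client encryption level at required, only Seattle-UM passes: Branch-UM fails because SIPSecured cannot provide the SRTP the client insists on, and Legacy-UM fails regardless of client setting because it disables MTLS. Re-run with 'Optional' to see Branch-UM become compatible while Legacy-UM still fails.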




Media Gateway Security
Media flowing in both directions between the Mediation Server and the Communications Server
network is encrypted using SRTP. Organizations that rely on IPsec for packet security are strongly
advised to exempt a small media port range from IPsec if they deploy Enterprise Voice. The
security negotiations that IPsec performs are acceptable for ordinary UDP or TCP connections,
but they can slow call setup to unacceptable levels.
Because a media gateway receives calls from the PSTN, it is a potential entry point for untrusted
traffic. The following mitigations are recommended:
•  Enable TLS on the link between the gateway and the Mediation Server. This ensures that SIP
   signaling is encrypted end to end between the gateway and your internal users. (TLS protects
   the signaling only; it does not encrypt the media stream on that link.)
•  Physically isolate the media gateway from the internal network by deploying the Mediation
   Server on a computer with two network adapters: the first accepting traffic only from the
   internal network, and the second accepting traffic only from the media gateway. Each adapter
   is configured with a separate listening address so that there is always a clear separation
   between trusted traffic originating in the Communications Server network and untrusted traffic
   from the PSTN.
   The internal edge of a Mediation Server should be configured as a unique static route,
   described by an IP address and a port number. The default port is 5061.
   The external edge of a Mediation Server should be configured as the internal next-hop proxy
   for the media gateway, identified by a unique combination of IP address and port number. The
   IP address should not be the same as that of the internal edge; the default port is 5060.
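The two-adapter design only separates trusted and PSTN traffic if each edge really listens on its own address; a service bound to all interfaces (0.0.0.0) silently defeats it. As an added example (not part of the original documentation and not product code), the following PowerShell function parses netstat output and checks that the internal edge port (5061 by default) and the external edge port (5060 by default) are each bound to a single, distinct address. The netstat column layout assumed is that of English Windows netstat -ano -p tcp; the sample lines, addresses and PIDs are constructed. The check covers the SIP listening sockets only, not the media port range or firewall rules.

```powershell
# Added example: verify that a Mediation Server's two edges are really separated.
# Parses "netstat -ano -p tcp" output; the sample lines below are constructed.

function Test-MediationListenerSeparation {
    param(
        [Parameter(Mandatory=$true)] [string[]]$NetstatLines,
        [int]$InternalPort = 5061,   # internal edge, next hop for the pool
        [int]$GatewayPort  = 5060    # external edge, next hop for the media gateway
    )
    $listeners = @{}
    foreach ($line in $NetstatLines) {
        $f = ($line.Trim() -split '\s+')
        # Expected columns: Proto  LocalAddress  ForeignAddress  State  PID
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'LISTENING') { continue }
        $addr, $port = $f[1] -split ':(?=\d+$)'   # split on the last colon only ([::]:5061 is safe)
        $listeners["$port"] = $addr
    }
    $internal = $listeners["$InternalPort"]
    $gateway  = $listeners["$GatewayPort"]
    $wildcard = @('0.0.0.0', '[::]', '::')
    $findings = @()

    if (-not $internal) {
        $findings += "no TCP listener on internal edge port $InternalPort"
    } elseif ($wildcard -contains $internal) {
        $findings += "internal edge port $InternalPort is bound to all interfaces, so the gateway-facing adapter can reach it"
    }
    if (-not $gateway) {
        $findings += "no TCP listener on external edge port $GatewayPort"
    } elseif ($wildcard -contains $gateway) {
        $findings += "external edge port $GatewayPort is bound to all interfaces"
    }
    if ($internal -and $gateway -and $internal -eq $gateway) {
        $findings += "internal and external edges share address $internal; trusted and PSTN traffic are not separated"
    }

    New-Object PSObject -Property @{
        InternalEdge = "$internal`:$InternalPort"
        ExternalEdge = "$gateway`:$GatewayPort"
        Separated    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Constructed sample: a correctly separated Mediation Server. On the real server use:
#   $lines = netstat -ano -p tcp
$lines = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    10.1.1.20:5061         0.0.0.0:0              LISTENING       1880',
    '  TCP    192.168.50.5:5060      0.0.0.0:0              LISTENING       1880',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708'
)
Test-MediationListenerSeparation -NetstatLines $lines | Format-List
```

For the sample the result is Separated = True with the internal edge on 10.1.1.20:5061 and the external edge on 192.168.50.5:5060. Change the first listener to 0.0.0.0:5061, or give both edges the same address, and the function reports Separated = False with the corresponding finding.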



