The complete step-by-step setup guide for deploying Microsoft Unified Communications
[LEFT][CODE]http://blogs.technet.com/daveh/archive/2009/08/17/part-1-of-3-the-complete-step-by-step-setup-guide-for-deploying-microsoft-unified-communications-products-with-enterprise-voice-in-a-lab-environment-using-a-single-windows-server-2008-hyper-v-computer-and-a-single-internet-ip.aspx[/CODE][B][SIZE=3]PART-1[/SIZE][/B]
[B][SIZE=4]The complete step-by-step setup guide for deploying Microsoft Unified Communications products with Enterprise Voice in a lab environment using a single Windows Server 2008 Hyper-V computer and a single Internet IP address[/SIZE][/B]
As a Senior Support Escalation Engineer with the Unified Communications team at Microsoft, I help a lot of customers install Microsoft Unified Communications products in either their production or lab environment. I often find that for many smaller organizations, the task of deploying OCS 2007 R2 and/or Exchange Unified Messaging becomes that of the existing IT team or the network administrator. While Office Communications Server 2007 R2 is the coolest collaboration product that Microsoft has ever shipped and Unified Messaging is the perfect voice mail solution for it, the learning curve for each product isn’t just steep – it is nearly insurmountable. Considering the seemingly endless list of available features within OCS 2007 R2 and their associated requirements, figuring out exactly what you [B][I]need[/I][/B] to accomplish what you[B] [I]want[/I][/B] is often a frustrating experience – especially for those who are new to the technology.
So, what [I][B]do[/B][/I] you want to do with Office Communications Server 2007 R2 and Microsoft Exchange Server 2007?[INDENT] Do you want to enable instant messaging?
[LIST][*] [LEFT]IM only between user accounts in your lab?[/LEFT][*] [LEFT]IM with federated contacts? (external IM with other labs/other companies)[/LEFT][*] [LEFT]IM with public providers like MSN/Yahoo/AOL?[/LEFT][/LIST]
Do you want to share meetings using Live Meeting?
[LIST][*]Meetings only between user accounts in your lab?[*]Meetings that can be joined by remote users?[*]Meetings that can be joined remotely by anonymous users?[*]Meetings that offer Audio/Video capabilities?[/LIST]
Do you want to offer Exchange services to your OCS users?
[LIST][*]Access to email via Outlook or Outlook Web Access?[*]Automatic configuration of Outlook using Outlook Anywhere?[*]Voice mail services using Unified Messaging?[/LIST][/INDENT]Having recently moved to the Unified Communications team after supporting Exchange for the past eight years, I am also new to this technology – and I’ve experienced a similar degree of frustration when building out various lab environments. Since I seem to learn a lot more about a product by installing and configuring it versus simply reading about it from a book, I wanted to deploy a fully working Unified Communications lab environment at home where I could learn at my own pace.
While I am extremely fortunate to have unlimited access to a variety of high-end equipment at work, the equipment found in my own lab at home is a little embarrassing by comparison… :-) So, in the best interest of [I]make do[/I], this step-by-step guide will attempt to offer all of the services listed above in a lab environment using a single Windows 2008 Hyper-V physical host computer and a single public IP address.
[FONT=Franklin Gothic Demi Cond][SIZE=5]Disclaimer[/SIZE][/FONT]
This information is provided AS-IS with no warranties, and confers no rights. In fact, many of the configuration steps provided in this documentation are considered [B][COLOR=#ff0000]UNSUPPORTED[/COLOR][/B] by the Microsoft RTC and Exchange product groups for production use. Although Microsoft now officially supports many of the server roles for OCS 2007 R2 on Windows 2008 Hyper-V, the roles involving RTC media streams are [I]not[/I] [I]supported[/I] on virtualized platforms. As such, please [B]DO NOT[/B] use this documentation as prescriptive guidance for deploying these products in a production capacity.
[FONT=Franklin Gothic Demi Cond][SIZE=5]Lab Overview[/SIZE][/FONT]
Using a single 64-bit computer running Windows Server 2008 and Hyper-V, you can deploy a fully functional OCS 2007 R2 / Exchange 2007 lab environment. After completing setup of this lab, you’ll be able to do instant messaging and Live Meeting conferences with full audio and video for both internal and external users. If you want to provide optional VoIP telephony services with PSTN integration, however, you’ll need to add a Mediation server and a VoIP Gateway device to your lab.
Since I chose to deploy this lab at home, there were a few constraints that I knew I had to work around. For example, my house was not pre-wired for CAT5 when it was built, so I use wireless networking for just about everything – including my laptops, my Zune, and each of my X-Box 360s. Instead of inconveniencing my family by taking the network offline while I figured out how to route everything through ISA Server 2006 running in a virtual machine, I chose instead to use ISA Server 2006 simply as an SSL proxy/redirect while leaving the firewall on my Linksys WRT54G wireless router to filter out unwanted network traffic.
Below you will find a diagram of the Unified Communications lab environment that I built at home and that we will attempt to build in the following documentation (click to enlarge).
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/BlogUCLab_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/BlogUCLab_thumb.jpg[/IMG][/URL]
[FONT=Franklin Gothic Demi Cond][SIZE=5]Requirements[/SIZE][/FONT]
To build this lab environment, the following components are required:
[LIST][*][FONT=Calibri][SIZE=2]One (1) 3.0 GHz Dual Core (or higher) 64-bit Hyper-V host computer, 8GB RAM, Gigabit NIC, two (2) 320GB SATA hard disks [/SIZE][/FONT]
[LIST][*][FONT=Calibri][SIZE=2]One (1) Hyper-V guest, 512MB RAM, one virtual NIC, 16GB virtual hard disk (ISA 2006) [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]One (1) Hyper-V guest, 512MB RAM, one virtual NIC, 16GB virtual hard disk (OCS 2007 R2 CWA) [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]One (1) Hyper-V guest, 512MB RAM, one virtual NIC, 16GB virtual hard disk (OCS 2007 R2 Mediation; optional, only needed for PSTN integration) [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]One (1) Hyper-V guest, 1024MB RAM, two virtual NICs, 16GB virtual hard disk (OCS 2007 R2 Edge) [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]One (1) Hyper-V guest, 1024MB RAM, one virtual NIC, 16GB virtual hard disk (OCS 2007 R2 Front End) [/SIZE][/FONT][/LIST]
[*][FONT=Calibri][SIZE=2]One (1) Wireless or Wired Ethernet Router [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]One (1) Ethernet Cable Modem or DSL Modem [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]One (1) Public IP address, either static or DHCP assigned [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]One (1) publicly registered Internet domain[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]One (1) SSL SAN Certificate issued by a trusted PKI provider (optional)[/SIZE][/FONT][/LIST]
[SIZE=2]To provide VoIP connectivity with PSTN integration, you will need the following optional component:[/SIZE]
[LIST][*][FONT=Calibri][SIZE=2]One (1) VoIP Gateway (similar to AudioCodes MP 114/118), or[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]SIP Trunk from a [/SIZE][/FONT][URL="http://technet.microsoft.com/en-us/office/ocs/bb735838.aspx#trunking"][FONT=Calibri][SIZE=2]UCOIP Certified Provider[/SIZE][/FONT][/URL][/LIST]
Unless you plan to provide Public IM Connectivity to your lab users, you will not need a UC certificate from a trusted PKI provider. This may be good news given that UC (SAN) certificates can be very pricey, especially for a small lab environment. You can accomplish much of the same functionality simply by using internally generated certificates; however, your external users will see certificate trust errors, at least initially, because certificates issued by your internal CA are not trusted by computers outside your organization. You can work around this by having your external users import the root certificate of your internal Certification Authority into their Trusted Root Certification Authorities store. Keep in mind that a root imported this way is trusted for every TLS connection that machine makes, not just connections to your lab, so import it only on lab machines you control and remove it when the lab is retired.
With regards to Federation, you can establish direct federation with a partner organization without using a publicly trusted UC certificate. As long as your federated partner agrees to import your internally generated CA certificate into the Trusted Root Certification Authorities list on each Edge server, you can participate in federated IM conversations and conferences.
Now… let’s get started!
[FONT=Franklin Gothic Demi Cond][SIZE=5]Registering a Public Domain[/SIZE][/FONT]
The first step in this process is to register a public domain from a trusted registrar. The registrar you choose will ask you to provide various contact and technical information that makes up the registration, which is then stored in a central directory known as the "registry." You will also be required to enter a registration contract with the registrar, which sets forth the terms under which your registration is accepted and will be maintained. A list of trusted registrars can be found at [URL="http://www.internic.net/regist.html"]InterNIC[/URL].
While most domain registrars also offer to host the DNS records for the domains they sell, you should look for a registrar that allows you to create and edit service (SRV) records. Office Communications Server 2007 R2 uses SRV records for Federation, Public IM Connectivity (PIC), and automatic client configuration for external users. After checking [URL="http://www.slickdeals.net/sdsearch.php?forumchoice%5B%5D=9&mode=forum&showposts=0&sdsearch_archive=0&search=godaddy"]SlickDeals.net[/URL] for online coupon codes, I purchased the domain name for my Unified Communications lab from [URL="http://www.godaddy.com/domains/search.aspx?ci=14514"]GoDaddy.com[/URL]. Not only did I get my domain for a fantastic price, I have been extremely pleased with their customer service – and they allow you to create DNS SRV records.
[FONT=Franklin Gothic Demi Cond][SIZE=5]Creating Public DNS Records[/SIZE][/FONT]
Next, we will need to create several public DNS records for our Unified Communications environment. While my ISP does offer static IP addresses to its customers for an extra fee, I still use a DHCP-assigned IP address. I found that DHCP-assigned IP addresses from my ISP rarely change – maybe once every four or five months. However, when it does happen, I have to manually update my DNS records to point to the new IP address. As you can imagine, manually updating DNS records can be quite annoying.
For me, though, updating DNS to point to a new IP address isn’t that big of a deal. While Microsoft only officially supports host (A) public DNS records for deploying OCS 2007 R2, I chose instead to use CNAME records for my own lab environment. By using CNAME records, I found that I only have to update a single DNS record if my DHCP-assigned IP address changes for any reason. Be aware of what this trades away: RFC 2782 requires the target of an SRV record to be a host name that owns an address record, not an alias, and RFC 2181 (section 10.3) says the same of an MX exchange. Most resolvers and the OCS clients follow the alias anyway, which is why the lab works, but it is an unsupported configuration and one to reverse if the design is ever promoted beyond a lab.
The following step-by-step instructions describe how to create these records with GoDaddy to support OCS 2007 R2; the exact steps will vary by provider.
[B]A. To create Public DNS records for your Unified Communications lab environment[/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log in to your DNS service provider.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Select the appropriate option for managing DNS records for your domain.[/SIZE][/FONT]
[FONT=Calibri][SIZE=2](For GoDaddy.com customers, this option is called [B]Total DNS Control and MX Records[/B].)[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Select the appropriate option for creating a new A record, then enter the following details:[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/image_2.png"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/image_thumb.png[/IMG][/URL]
[FONT=Calibri][SIZE=2]Host Name: [B]@[/B]
Points to IP Address: [B]<Your IP Address>[/B]
TTL: [B]One hour[/B]
[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Select the appropriate option for creating a new CNAME record, then enter the following details:[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/image_4.png"][FONT=Calibri][SIZE=2][COLOR=#333333][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/image_thumb_1.png[/IMG][/COLOR][/SIZE][/FONT][/URL]
[FONT=Calibri][SIZE=2]Enter an Alias Name: [B]sip[/B]
Points to Host Name: [B]@[/B]
TTL: [B]One hour[/B]
[/SIZE][/FONT][FONT=Calibri][SIZE=2]Repeat this step, creating additional CNAME records for each of the following alias names:[/SIZE][/FONT]
[CODE]Alias          Points to Host Name
cwa            @
mail           @
www            @
autodiscover   @
as.cwa         @
download.cwa   @[/CODE][*][FONT=Calibri][SIZE=2]Select the appropriate option for creating a new [B]MX[/B] record, then enter the following details:[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/image_8.png"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/image_thumb_3.png[/IMG][/URL]
[FONT=Calibri][SIZE=2]Host Name: [B]@[/B]
Goes To Address: [B]mail.contoso.com[/B]
Priority: [B]0[/B]
TTL: [B]One hour[/B]
[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Select the appropriate option for creating a new [B]SRV[/B] record, then enter the following details:[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/image_10.png"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/image_thumb_4.png[/IMG][/URL]
[FONT=Calibri][SIZE=2]Service: [B]_sipfederationtls[/B]
Protocol: [B]_tcp[/B]
Name: [B]Federation SRV Record[/B]
Priority: [B]1[/B]
Weight: [B]1[/B]
Port: [B]5061[/B]
Target: [B]sip.contoso.com[/B]
TTL: [B]One hour[/B]
[/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Repeat this step, creating an additional[B] SRV[/B] record with the following details:[/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Service: [B]_sip[/B]
Protocol: [B]_tls[/B]
Name: [B]External User SRV Record[/B]
Priority: [B]1[/B]
Weight: [B]1[/B]
Port: [B]5061[/B]
Target: [B]sip.contoso.com[/B]
TTL: [B]One hour[/B] [/SIZE][/FONT][/LIST]
[FONT=Calibri][SIZE=2][FONT=Verdana]This completes the configuration of the external DNS records.[/FONT][/SIZE][/FONT]
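As an added check that is not part of the original post: the script below encodes the zone exactly as the steps above create it (one A record for @, CNAMEs for sip, cwa, mail, www, autodiscover, as.cwa and download.cwa, an MX, and the two SRV records) and lints it offline against the rule behind Microsoft's A-record requirement, RFC 2782's prohibition on SRV targets that are aliases (RFC 2181 section 10.3 says the same for MX exchanges). It then shows the supported layout, where every name is its own A record, passing the same lint, and counts how many records each layout forces you to edit when the public IP changes. contoso.com and the 203.0.113.10 public address are placeholders; the zone data is constructed for the example and no DNS queries are made.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # documentation address standing in for the lab's public IP (assumed)


@dataclass
class Zone:
    """A minimal in-memory view of the public zone; names are relative to origin, '@' is the apex."""
    origin: str
    a: dict = field(default_factory=dict)      # owner name -> IPv4 address
    cname: dict = field(default_factory=dict)  # alias -> canonical name
    mx: list = field(default_factory=list)     # (priority, exchange)
    srv: list = field(default_factory=list)    # (service, protocol, priority, weight, port, target)

    def fqdn(self, name):
        """Expand a relative owner name ('@', 'sip', 'as.cwa') to its fully qualified form."""
        if name in ("@", ""):
            return self.origin
        return name[:-1] if name.endswith(".") else f"{name}.{self.origin}"

    def _a(self, fq):
        return next((ip for n, ip in self.a.items() if self.fqdn(n) == fq), None)

    def _cname(self, fq):
        return next((t for n, t in self.cname.items() if self.fqdn(n) == fq), None)

    def lookup(self, name):
        """Resolve a name within the zone, following CNAMEs.

        Returns (ipv4 or None, [alias names traversed]); None means dangling or looping."""
        fq, hops = self.fqdn(name), []
        while True:
            ip = self._a(fq)
            if ip is not None:
                return ip, hops
            target = self._cname(fq)
            if target is None:
                return None, hops
            hops.append(fq)
            fq = self.fqdn(target)
            if fq in hops:
                return None, hops


def lint(zone):
    """Findings that make the zone unsupported for OCS or invalid under the DNS RFCs."""
    findings = []
    for service, proto, _prio, _weight, _port, target in zone.srv:
        owner = f"{service}.{proto}.{zone.origin}"
        ip, hops = zone.lookup(target)
        if ip is None:
            findings.append(f"{owner}: target {zone.fqdn(target)} has no address record")
        elif hops:
            findings.append(f"{owner}: target {zone.fqdn(target)} is a CNAME; "
                            "RFC 2782 requires a host with an A record (unsupported by Microsoft)")
    for _prio, exchange in zone.mx:
        ip, hops = zone.lookup(exchange)
        if ip is None:
            findings.append(f"MX {zone.origin}: exchange {zone.fqdn(exchange)} has no address record")
        elif hops:
            findings.append(f"MX {zone.origin}: exchange {zone.fqdn(exchange)} is a CNAME (RFC 2181 section 10.3)")
    return findings


OCS_SRV = [
    ("_sipfederationtls", "_tcp", 1, 1, 5061, "sip"),  # federation
    ("_sip", "_tls", 1, 1, 5061, "sip"),               # remote-user sign-in (5061 in this lab)
]
ALIASES = ("sip", "cwa", "mail", "www", "autodiscover", "as.cwa", "download.cwa")


def guide_zone(origin="contoso.com", public_ip=PUBLIC_IP):
    """The zone as the steps above build it: one A record at the apex, every other name a CNAME to it."""
    return Zone(origin, a={"@": public_ip}, cname={n: "@" for n in ALIASES},
                mx=[(0, "mail")], srv=list(OCS_SRV))


def supported_zone(origin="contoso.com", public_ip=PUBLIC_IP):
    """Same names, each as its own A record: what Microsoft supports, at the cost of
    editing every record when the public IP changes."""
    return Zone(origin, a={n: public_ip for n in ("@",) + ALIASES},
                mx=[(0, "mail")], srv=list(OCS_SRV))


if __name__ == "__main__":
    for label, zone in (("guide (CNAME) layout", guide_zone()), ("supported (A) layout", supported_zone())):
        print(f"{label}: {len(zone.a)} record(s) to edit on IP change")
        for finding in lint(zone) or ["no findings"]:
            print("  ", finding)
```

Run it and the CNAME layout produces three findings (both SRV targets and the MX exchange are aliases) while the A-record layout produces none; the trade-off the post describes is the 1 versus 8 records you must touch when the ISP hands out a new address.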
[FONT=Franklin Gothic Demi Cond][SIZE=5]Configuring the Router/Firewall[/SIZE][/FONT]
[FONT=Verdana]The third step in this process is to configure port forwarding on your router, or to create the equivalent rules on your firewall. As mentioned previously, I use a Linksys WRT54G wireless router and a single private network (no DMZ) for all devices. As such, I created the following port forwarding rules in the configuration of my router to accommodate network traffic for Exchange Server and Office Communications Server:[/FONT]
[CODE]Protocol  Source IP  External Ports  Internal Ports  Internal IP   Description
Both      All        50000-59999     (same)          192.168.1.4   A/V Edge RTP ports
TCP       All        5061            5061            192.168.1.2   Access Edge
UDP       All        3478            3478            192.168.1.4   A/V Edge (STUN/TURN)
TCP       All        443             443             192.168.1.6   ISA SSL listener
TCP       All        442             442             192.168.1.3   Web Conferencing Edge
TCP       All        441             441             192.168.1.4   A/V Edge
TCP       All        80              80              192.168.1.10  Web site
TCP       All        25              26              192.168.1.10  SMTP (email)[/CODE]
[FONT=Verdana]Note that the last two rules deliver Internet traffic directly to the physical host, which in this lab is also the domain controller and certification authority. That is tolerable for a throwaway lab on a home network; in any other setting those services belong on a separate host in a DMZ. After saving this configuration, restart your router or firewall.[/FONT]
[FONT=Franklin Gothic Demi Cond][SIZE=5]Explanation of Routing[/SIZE][/FONT]
Although it is possible to deploy both OCS 2007 R2 and Exchange 2007 using a single public IP address, to do so introduces some very interesting challenges with regards to routing. The following summary explains how routing is accomplished in this lab for internal and external connectivity.
[B][SIZE=2]External Routing[/SIZE][/B]
[CODE]Client                Address                           Ext Port  Path               Int Port  Target
OCS Remote User       sip.contoso.com                   5061      OCS Access Edge    5061      OCS-R2.contoso.com
OCS Web Components    sip.contoso.com                   443       ISA Server Proxy   443       OCS-R2.contoso.com
OCS Web Conferencing  sip.contoso.com                   442       OCS Web Conf Edge  8057      OCS-R2.contoso.com
OCS A/V Conferencing  sip.contoso.com                   441       OCS A/V Edge       443       OCS-R2.contoso.com
OCS CWA               https://cwa.contoso.com           443       ISA Server Proxy   443       CWA-R2.contoso.com
Outlook Web Access    https://mail.contoso.com/owa      443       ISA Server Proxy   443       Email.contoso.com
Autodiscover          https://autodiscover.contoso.com  443       ISA Server Proxy   443       Email.contoso.com
SMTP                  mail.contoso.com                  25        Linksys Router     26        Email.contoso.com[/CODE]
[B][SIZE=2]Internal Routing[/SIZE][/B]
[CODE]Client              Address                       Port  Path              Target
OCS Internal User   sip.contoso.com               5061  OCS Front End     OCS-R2.contoso.com
OCS Web Components  OCS-R2.contoso.com            443   OCS Front End     OCS-R2.contoso.com
OCS CWA             https://cwa.contoso.com       443   ISA Server Proxy  CWA-R2.contoso.com
Outlook Web Access  https://mail.contoso.com/owa  443   ISA Server Proxy  Email.contoso.com[/CODE]
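An added consistency check, not from the original post, that models the router's port-forward table and the external routing table above as data and verifies what a single public IP forces: no two rules may claim the same external port, every published route must land on the internal host and port the router actually delivers it to (the router's leg only; the Edge-to-Front-End leg such as 442 to 8057 is internal to OCS), and it lists which rules deliver Internet traffic straight to 192.168.1.10, the host that is also the domain controller and CA. It also shows why the remote-user SRV record points at 5061 rather than the customary 443: a second 443 listener for the Access Edge would collide with the ISA listener. The addresses are the lab's private addresses from the tables; the rule and route lists are constructed from those tables for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

DC_HOST = "192.168.1.10"  # physical host: AD DS, DNS, Enterprise CA and Exchange (per the guide)


@dataclass(frozen=True)
class Forward:
    """One port-forwarding rule on the router: an external port range mapped to an internal host."""
    proto: str      # "tcp", "udp" or "both"
    ext_lo: int     # first external port
    ext_hi: int     # last external port (equal to ext_lo for a single port)
    int_lo: int     # internal port that ext_lo maps to; a range is translated 1:1
    target: str     # internal IP address
    desc: str

    def protos(self):
        return ("tcp", "udp") if self.proto == "both" else (self.proto,)

    def covers(self, proto, port):
        return proto in self.protos() and self.ext_lo <= port <= self.ext_hi

    def internal_port(self, port):
        return self.int_lo + (port - self.ext_lo)


# The router's port-forward table from the guide, as data (constructed for this example).
FORWARDS = [
    Forward("both", 50000, 59999, 50000, "192.168.1.4", "A/V Edge RTP ports"),
    Forward("tcp", 5061, 5061, 5061, "192.168.1.2", "Access Edge"),
    Forward("udp", 3478, 3478, 3478, "192.168.1.4", "A/V Edge (STUN/TURN)"),
    Forward("tcp", 443, 443, 443, "192.168.1.6", "ISA SSL listener"),
    Forward("tcp", 442, 442, 442, "192.168.1.3", "Web Conferencing Edge"),
    Forward("tcp", 441, 441, 441, "192.168.1.4", "A/V Edge"),
    Forward("tcp", 80, 80, 80, DC_HOST, "Web site"),
    Forward("tcp", 25, 25, 26, DC_HOST, "SMTP (email)"),
]

# The "External Routing" table: (client, public name, protocol, external port).
EXTERNAL_ROUTES = [
    ("OCS Remote User", "sip.contoso.com", "tcp", 5061),
    ("OCS Web Components", "sip.contoso.com", "tcp", 443),
    ("OCS Web Conferencing", "sip.contoso.com", "tcp", 442),
    ("OCS A/V Conferencing", "sip.contoso.com", "tcp", 441),
    ("OCS CWA", "cwa.contoso.com", "tcp", 443),
    ("Outlook Web Access", "mail.contoso.com", "tcp", 443),
    ("Autodiscover", "autodiscover.contoso.com", "tcp", 443),
    ("SMTP", "mail.contoso.com", "tcp", 25),
]


def collisions(rules):
    """External (proto, port) pairs claimed by more than one rule.

    With one public IP there is exactly one listener per port, so this must be empty."""
    owners = defaultdict(list)
    for rule in rules:
        for proto in rule.protos():
            for port in range(rule.ext_lo, rule.ext_hi + 1):
                owners[(proto, port)].append(rule.desc)
    return {key: descs for key, descs in owners.items() if len(descs) > 1}


def lookup_forward(rules, proto, port):
    """The rule that owns an external port, or None if the port is not forwarded at all."""
    matches = [r for r in rules if r.covers(proto, port)]
    if len(matches) > 1:
        raise ValueError(f"external {proto}/{port} is claimed by {len(matches)} rules")
    return matches[0] if matches else None


def route_endpoints(rules, routes):
    """Where the router delivers each published route: client -> (internal IP, internal port).

    None means the name is published but nothing forwards its port, i.e. a broken path."""
    endpoints = {}
    for client, _name, proto, port in routes:
        rule = lookup_forward(rules, proto, port)
        endpoints[client] = None if rule is None else (rule.target, rule.internal_port(port))
    return endpoints


def exposed_on_host(rules, host):
    """Rules that terminate Internet traffic directly on a given internal host."""
    return [r for r in rules if r.target == host]


if __name__ == "__main__":
    assert not collisions(FORWARDS)
    for client, endpoint in route_endpoints(FORWARDS, EXTERNAL_ROUTES).items():
        print(f"{client:22} -> {endpoint}")
    # Ports that reach the domain controller/CA host directly: acceptable in a lab only.
    for r in exposed_on_host(FORWARDS, DC_HOST):
        print(f"exposed on {DC_HOST}: {r.proto}/{r.ext_lo} -> {r.int_lo} ({r.desc})")
    # Why remote-user SIP cannot use the customary 443 here: the ISA listener already owns it.
    edge_443 = Forward("tcp", 443, 443, 443, "192.168.1.2", "Access Edge on 443")
    print("443 collision:", collisions(FORWARDS + [edge_443]))
```

The same two lists are the natural place to record any rule you add later (a Mediation server, a second web site); re-running the script tells you immediately whether the new listener fits on the single address or steals a port from an existing service.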
[FONT=Franklin Gothic Demi Cond][SIZE=5]Configuring the Domain Infrastructure[/SIZE][/FONT]
For the purposes of this lab, our physical host computer will run a number of services – including Active Directory, DNS, Enterprise Certification Authority, and Hyper-V virtualization. The following steps will configure the domain infrastructure for the Unified Communications lab environment.
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 1 - Install Windows Server 2008 Enterprise Edition[/SIZE][/FONT]
The first configuration step involves installing Windows Server 2008 Enterprise Edition as the operating system for the physical host computer. Rather than reinvent the wheel here, Microsoft MVP [B]Daniel Petri[/B] authored a fantastic [URL="http://www.petri.co.il/how-to-install-windows-server-2008-step-by-step.htm"]step-by-step blog entry[/URL] on installing Windows Server 2008. Be sure to check it out if you have never done this before. It may save you some time and effort… :-)
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 2 - Install the Hyper-V Role[/SIZE][/FONT]
Once Windows Server 2008 Enterprise Edition has been installed on the host PC, our first configuration task will be to install the Hyper-V role, which will host the guest virtual machines that run ISA Server 2006 and the OCS 2007 R2 roles. It is important to install the Hyper-V role first because it allows us an opportunity to configure network settings for the computer before installing Active Directory. For additional information on Windows virtualization using Hyper-V, check out the [URL="http://technet.microsoft.com/en-us/library/cc732470.aspx"]Hyper-V Getting Started Guide[/URL] on Microsoft TechNet.
[B][SIZE=2]A. To install Hyper-V on a full installation of Windows Server 2008[/SIZE] [/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log in to the Windows 2008 computer using the [B]built-in Administrator account[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Start[/B], and then click [B]Server Manager[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]In the [B]Roles Summary[/B] area of the Server Manager main window, click [B]Add Roles[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the [B]Select Server Roles[/B] page, click Hyper-V. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the [B]Create Virtual Networks[/B] page, click one or more network adapters if you want to make their network connection available to virtual machines. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the [B]Confirm Installation Selections[/B] page, click [B]Install[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]The computer must be restarted to complete the installation. Click [B]Close[/B] to finish the wizard, and then click [B]Yes[/B] to restart the computer. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]After you restart the computer, log on with the same account you used to install the role. After the Resume Configuration Wizard completes the installation, click [B]Close[/B] to finish the wizard.[/SIZE][/FONT][/LIST]
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 3 – Configure Network Settings[/SIZE][/FONT]
As mentioned previously, our Windows 2008 physical host computer will be configured to support a number of roles, including Active Directory, DNS, Certificate Services, and Exchange 2007. The IP address for this computer will be 192.168.1.10, and since it will host Active Directory and DNS, the address must be static rather than assigned by DHCP. As such, we will need to complete several steps to configure our network settings.
[B][SIZE=2]A. To verify that Windows Firewall is enabled[/SIZE][/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log in to the Windows 2008 computer using the [B]built-in Administrator account[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Start[/B], then open the [B]Control Panel[/B]. Launch [B]Windows Firewall.[/B][/SIZE][/FONT][*][FONT=Calibri][SIZE=2]From the menu on the left, click on the [B]Turn Windows Firewall on or off [/B]hyperlink option[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Verify that Windows Firewall is [B]enabled[/B].[/SIZE][/FONT][/LIST]
[INDENT] [FONT=Calibri][SIZE=2][URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/windowsfirewall_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/windowsfirewall_thumb.jpg[/IMG][/URL] [/SIZE][/FONT][/INDENT][B][SIZE=2]B. To configure static TCP/IP settings for a Hyper-V virtual NIC in Windows Server 2008[/SIZE] [/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log in to the Windows 2008 computer using the [B]built-in Administrator account[/B][/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Start[/B], then open the [B]Control Panel[/B]. Launch the [B]Network and Sharing Center[/B] applet. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]From the Tasks menu on the left, select [B]Manage Network Connections[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]In the [B]Network Connections[/B] window, click the [B]Views[/B] option from the menu bar and select[B] Details[/B].
[/SIZE][/FONT][URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/NICsBeforeRename_2.jpg"][FONT=Calibri][SIZE=2][COLOR=#333333][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/NICsBeforeRename_thumb.jpg[/IMG][/COLOR][/SIZE][/FONT][/URL][FONT=Calibri][SIZE=2]
[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]After installing the Hyper-V role, you will notice that a new network adapter has been added to the system. Open the properties of each adapter and locate the one that is bound only to the [B]Microsoft Virtual Network Switch Protocol[/B]. This adapter represents the physical (hardware) network adapter, while the other represents the Hyper-V virtual adapter.
[/SIZE][/FONT][URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/NICProperties_2.jpg"][FONT=Calibri][SIZE=2][COLOR=#333333][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/NICProperties_thumb.jpg[/IMG][/COLOR][/SIZE][/FONT][/URL][FONT=Calibri][SIZE=2]
[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Right click on each network adapter and rename them as follows:
[B]HyperV Internal (Physical NIC)[/B] – network adapter bound only to [B]Microsoft Virtual Network Switch Protocol[/B].
[B]HyperV Internal (Virtual NIC)[/B] – network adapter bound to everything [I]except[/I] the [B]Microsoft Virtual Network Switch Protocol[/B].
[/SIZE][/FONT][URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/NICsAfterRename_2.jpg"][FONT=Calibri][SIZE=2][COLOR=#333333][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/NICsAfterRename_thumb.jpg[/IMG][/COLOR][/SIZE][/FONT][/URL][FONT=Calibri][SIZE=2]
[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]After renaming the network adapters, open the properties of the [B]HyperV Internal (Virtual NIC)[/B] adapter. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Select the [B]Internet Protocol Version 6 (TCP/IPv6)[/B] connection, then click [B]Properties[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Select[B] Use the following IPv6 address[/B], then enter the following:
IP Address: [B]fe80:0:0:0:0:0:c0a8:010a[/B]
Subnet prefix length: [B]64[/B]
Default Gateway: [B]fe80:0:0:0:0:0:c0a8:0101[/B]
DNS Server: [B]fe80:0:0:0:0:0:7f00:0001[/B]
Click [B]OK[/B].
[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Select the [B]Internet Protocol Version 4 (TCP/IPv4) [/B]connection, then click[B] Properties[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Select [B]Use the following IPv4 address[/B], then enter the following:
IP Address: [B]192.168.1.10[/B]
Network Mask: [B]255.255.255.0[/B]
Default Gateway: [B]192.168.1.1[/B]
DNS Server: [B]127.0.0.1[/B]
[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]OK[/B] then [B]Close[/B] the properties of the [B]HyperV Internal (Virtual NIC)[/B] adapter. [/SIZE][/FONT][/LIST]
[SIZE=2]After completing the network configuration steps, restart the Windows 2008 physical host computer.[/SIZE]
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 4 – Install [/SIZE][/FONT][FONT=Franklin Gothic Demi Cond][SIZE=3]Active Directory Domain Services / DNS[/SIZE][/FONT]
Having installed the Hyper-V role and configured our network settings, we’re now ready to install Active Directory Domain Services on the Windows 2008 physical host computer. Since we have not yet installed the DNS server role, you will be prompted to install the DNS role during the setup of Active Directory.
[B][SIZE=2]A. To install a new Active Directory forest by using the Windows interface [/SIZE][/B]
[LIST=1]
[*][FONT=Calibri][SIZE=2]Log in to the Windows 2008 computer using the [B]built-in Administrator account[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Open Server Manager by clicking [B]Start[/B], point to [B]Administrative Tools[/B], and then click [B]Server Manager[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]In [B]Roles Summary[/B], click [B]Add Roles[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]If necessary, review the information on the [B]Before You Begin[/B] page and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Select Server Roles[/B] page, click the [B]Active Directory Domain Services[/B] check box, and then click [B]Next[/B].
Note: If you installed Windows Server 2008 R2, you might have to click [B]Add Required Features[/B] to install .NET Framework 3.5.1 features before you can click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]If necessary, review the information on the [B]Active Directory Domain Services[/B] page, and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Confirm Installation Selections[/B] page, click [B]Install[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Installation Results[/B] page, click [B]Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe)[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Welcome to the Active Directory Domain Services Installation Wizard[/B] page, click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]You can select the [B]Use advanced mode installation[/B] check box to get additional installation options.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Operating System Compatibility[/B] page, review the warning about the default security settings for Windows Server 2008 and Windows Server 2008 R2 domain controllers, and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Choose a Deployment Configuration[/B] page, click [B]Create a new domain in a new forest[/B], and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Name the Forest Root Domain[/B] page, type the full Domain Name System (DNS) name for the forest root domain (e.g. [B]contoso.com[/B]), and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]If you selected [B]Use advanced mode installation[/B] on the Welcome page, the [B]Domain NetBIOS Name[/B] page appears. On this page, type the NetBIOS name of the domain if necessary (e.g. [B]contoso[/B]) or accept the default name, and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Set Forest Functional Level[/B] page, select the forest functional level that accommodates the domain controllers that you plan to install anywhere in the forest ([I][B][COLOR=#ff0000]Windows 2003 mode or higher is required[/COLOR][/B][/I]), and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Set Domain Functional Level[/B] page, select the domain functional level that accommodates the domain controllers that you plan to install anywhere in the domain ([I][B][COLOR=#ff0000]Windows 2003 mode or higher is required[/COLOR][/B][/I]), and then click [B]Next[/B].
Note: The [B]Set Domain Functional Level[/B] page does not appear if you select the Windows Server 2008 forest functional level on a server that runs Windows Server 2008, or if you select the Windows Server 2008 R2 forest functional level on a server that runs Windows Server 2008 R2.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Additional Domain Controller Options[/B] page, [B]DNS server[/B] is selected by default so that your forest DNS infrastructure can be created during AD DS installation. If you plan to use Active Directory–integrated DNS, click [B]Next[/B]. If you have an existing DNS infrastructure and you do not want this domain controller to be a DNS server, clear the [B]DNS server[/B] check box, and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]If the wizard cannot create a delegation for the DNS server, it displays a message to indicate that you can create the delegation manually. To continue, click [B]Yes[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Location for Database, Log Files, and SYSVOL[/B] page, browse to the volume and folder locations for the database file, the directory service log files, and the SYSVOL files, and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or existing files.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Directory Services Restore Mode Administrator Password[/B] page, type and confirm the restore mode password, and then click [B]Next[/B]. This password must be used to start AD DS in Directory Services Restore Mode for tasks that must be performed offline.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Summary[/B] page, review your selections. Click [B]Back[/B] to change any selections, if necessary.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]To save the selected settings to an answer file that you can use to automate subsequent AD DS operations, click [B]Export settings[/B]. Type the name for your answer file, and then click [B]Save[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]When you are sure that your selections are accurate, click [B]Next[/B] to install AD DS.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]You can either select the [B]Reboot on completion[/B] check box to have the server restart automatically, or you can restart the server to complete the AD DS installation when you are prompted to do so.[/SIZE][/FONT]
[/LIST]
[SIZE=2]Upon restarting the server, log in using the credentials for the [B]built-in Domain Administrator account[/B] (i.e. [B]Contoso\Administrator[/B]). It is important that you use the built-in Domain Administrator account because it is the only account that is exempt from User Account Control restrictions. Once logged in, launch the Event Viewer and take a cursory glance at both the Application Log and System Logs from the server. Be sure to address any serious errors before proceeding.[/SIZE]
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 5 – Configure Internal DNS Records[/SIZE][/FONT]
[FONT=Verdana]To support both OCS 2007 R2 and Exchange 2007, we will need to create several host (A) records and service (SRV) records in our internal DNS zone. [/FONT]
[SIZE=2][B]A. Add internal DNS Records for OCS 2007 R2 and Exchange 2007[/B][/SIZE]
[LIST=1]
[*][FONT=Calibri][SIZE=2]Log on to the Windows 2008 computer as the [B]built-in Domain Administrator account[/B] (Contoso\Administrator).[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Click [B]Start[/B], point to [B]Administrative Tools[/B], and then click [B]DNS[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]In the DNS console, expand the [B]Server[/B] object, expand the [B]Forward Lookup Zones[/B] folder, and select the local [B]Domain[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]From the menu bar at the top of the DNS console, choose [B]Action[/B], then click [B]New Host (A or AAAA)…[/B][/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]In the [B]New Host[/B] dialog box, type the [B]Host Name[/B] and [B]IP Address[/B] for the new A record.
Name: [B]sip[/B]
IP Address: [B]192.168.1.11[/B][/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/DNSARecord_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/DNSARecord_thumb.jpg[/IMG][/URL]
[FONT=Calibri][SIZE=2]Repeat this step, creating additional DNS [B]A[/B] records for each of the following host names:
[B]Host Name[/B] – [B]IP Address[/B]
autodiscover – 192.168.1.6
mail – 192.168.1.6
www – 192.168.1.10
sip – 192.168.1.11
cwa – 192.168.1.6
Edge-R2 – 192.168.1.5
ISA – 192.168.1.6[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Next, select the local [B]Domain[/B] again.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]From the menu bar at the top of the DNS console, choose [B]Action[/B], then click [B]New Alias (CNAME)…[/B][/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]In the New Resource dialog box, enter the following data, then click OK:
Alias Name: [B]as.cwa[/B]
Fully Qualified Domain Name: [B]as.cwa.contoso.com[/B] (automatically populated)
Fully Qualified Domain Name for Target Host: [B]cwa.contoso.com[/B][/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Choose [B]Action[/B], then click [B]New Alias (CNAME)…[/B] to create an additional CNAME record.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]In the New Resource dialog box, enter the following data, then click OK:
Alias Name: [B]download.cwa[/B]
Fully Qualified Domain Name: [B]download.cwa.contoso.com[/B] (automatically populated)
Fully Qualified Domain Name for Target Host: [B]cwa.contoso.com[/B][/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Next, select the local [B]Domain[/B] again.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]From the menu bar at the top of the DNS console, choose [B]Action[/B], then click [B]Other New Records…[/B][/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]In the [B]Resource Record Type[/B] dialog box, scroll down the list of available record types, choose the [B]Service Location (SRV)[/B] option, and click [B]Create Record…[/B][/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]In the New Resource Record dialog box, manually type in the following information (do not use the drop-down list):
Service: [B]_sipinternaltls[/B]
Protocol: [B]_tcp[/B]
Priority: [B]1[/B]
Weight: [B]1[/B]
Port Number: [B]5061[/B]
Host Name: [B]sip.contoso.com[/B][/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/DNSSRVRecord_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/DNSSRVRecord_thumb.jpg[/IMG][/URL]
[*][FONT=Calibri][SIZE=2]Create a second DNS SRV record, manually typing in the following information (do not use the drop-down list):
Service: [B]_sip[/B]
Protocol: [B]_tls[/B]
Priority: [B]1[/B]
Weight: [B]1[/B]
Port Number: [B]5061[/B]
Host Name: [B]sip.contoso.com[/B][/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/DNSSRVRecord2_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/DNSSRVRecord2_thumb.jpg[/IMG][/URL]
[*][FONT=Calibri][SIZE=2]Close the DNS console after all records have been created.[/SIZE][/FONT]
[/LIST]
[FONT=Calibri][SIZE=2][FONT=Verdana]This completes the configuration of the internal DNS records.[/FONT][/SIZE][/FONT]
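The same records can be created from an elevated prompt on the DNS server with dnscmd.exe, which ships with Windows Server 2008. This PowerShell script is an added example and is not part of the original guide; it assumes the zone contoso.com and the host names and addresses listed above, and it queries the SRV records back with nslookup because Communicator's automatic sign-in depends on them.

```powershell
# Added example (not from the original guide): create the Step 5 DNS records with dnscmd.exe
# and verify them. Run in an elevated PowerShell prompt on the DNS server (Contoso\Administrator).
$zone = "contoso.com"      # assumption: the forest root domain created in Step 4

# Host (A) records from the table above
$aRecords = @{
    "autodiscover" = "192.168.1.6"
    "mail"         = "192.168.1.6"
    "www"          = "192.168.1.10"
    "sip"          = "192.168.1.11"
    "cwa"          = "192.168.1.6"
    "Edge-R2"      = "192.168.1.5"
    "ISA"          = "192.168.1.6"
}
foreach ($name in $aRecords.Keys) {
    $ip = $aRecords[$name]
    # dnscmd /RecordAdd <zone> <node> A <ip>
    dnscmd /RecordAdd $zone $name A $ip
}

# Alias (CNAME) records for Communicator Web Access, both pointing at cwa.contoso.com
foreach ($alias in "as.cwa", "download.cwa") {
    dnscmd /RecordAdd $zone $alias CNAME "cwa.$zone"
}

# Service (SRV) records: priority 1, weight 1, port 5061, target sip.contoso.com
# dnscmd /RecordAdd <zone> <node> SRV <priority> <weight> <port> <target>
foreach ($svc in "_sipinternaltls._tcp", "_sip._tls") {
    dnscmd /RecordAdd $zone $svc SRV 1 1 5061 "sip.$zone"
}

# Verification against the local server: each SRV record must exist and its target
# must resolve to an A record, otherwise clients cannot locate the Front End over TLS.
foreach ($svc in "_sipinternaltls._tcp", "_sip._tls") {
    nslookup -type=SRV "$svc.$zone" 127.0.0.1
}
nslookup "sip.$zone" 127.0.0.1
```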
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 6 – Install Certificate Services[/SIZE][/FONT]
Next, we need to install the Certificate Authority role on the Windows 2008 computer so that we can issue PKI certificates for the various Office Communications Server 2007 server roles.
[B][SIZE=2]A. To install Certificate Services and set up an Enterprise Root CA[/SIZE] [/B]
[LIST=1]
[*][FONT=Calibri][SIZE=2]Log on to the Windows 2008 computer as the [B]built-in Domain Administrator account[/B] (Contoso\Administrator).[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Click [B]Start[/B], point to [B]Administrative Tools[/B], and then click [B]Server Manager[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]In the [B]Roles Summary[/B] section, click [B]Add Roles[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Select Server Roles[/B] page, select the [B]Active Directory Certificate Services[/B] check box. Click [B]Next[/B] two times.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Select Role Services[/B] page, select the [B]Certification Authority[/B] check box, and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Specify Setup Type[/B] page, click [B]Enterprise[/B], and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Specify CA Type[/B] page, click [B]Root CA[/B], and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Set Up Private Key[/B] and [B]Configure Cryptography for CA[/B] pages, you can configure optional settings, including the cryptographic service provider. However, for basic testing purposes, accept the default values by clicking [B]Next[/B] twice.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]In the [B]Common name for this CA[/B] box, type the common name of the CA, [B]ContosoCA[/B], and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Set the Certificate Validity Period[/B] page, accept the default validity duration for the root CA, and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Configure Certificate Database[/B] page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]After verifying the information on the [B]Confirm Installation Options[/B] page, click [B]Install[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Review the information on the confirmation screen to verify that the installation was successful.[/SIZE][/FONT]
[/LIST]
After installing Certificate Services, launch Internet Explorer on the Windows 2008 computer and browse to [URL="https://%7bcomputername%7d/Certsrv"][B]https://[I]{ComputerName}[/I]/Certsrv[/B][/URL]. SSL encryption should be enabled automatically for the CertSrv website, but you may need to enable it manually within the Internet Information Services (IIS) Manager console. You may also need to add this website to either your Trusted Sites or your Local Intranet zone.
[INDENT][URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/certsrv_4.png"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/certsrv_thumb_1.png[/IMG][/URL][/INDENT]
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 7 – Create the Hyper-V Guest Virtual Machines[/SIZE][/FONT]
Following a successful installation of Hyper-V and a reboot of the system, the next step is to create the five virtual machines that will host ISA Server 2006 and the four OCS 2007 R2 server roles. Again, here is the suggested configuration for each of the five virtual machines:
[LIST][*][FONT=Calibri][SIZE=2]ISA Server 2006 - 512MB RAM, one (1) virtual NIC, 16GB virtual hard disk [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]OCS 2007 R2 CWA - 512MB RAM, one (1) virtual NIC, 16GB virtual hard disk [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]OCS 2007 R2 Mediation – 512MB RAM, one (1) virtual NIC, 16 GB virtual hard disk[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]OCS 2007 R2 Edge - 1024MB RAM, two (2) virtual NICs, 16GB virtual hard disk [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]OCS 2007 R2 Front End - 1024MB RAM, one (1) virtual NIC, 16GB virtual hard disk [/SIZE][/FONT][/LIST]
[B][SIZE=2]A. To create and set up a Virtual Machine in Hyper-V[/SIZE][/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log on to the Windows 2008 computer as the [B]built-in Domain Administrator account[/B] (Contoso\Administrator).[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Start[/B], point to [B]Administrative Tools[/B], and then click [B]Hyper-V Manager[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]From the [B]Action[/B] pane, click [B]New[/B], and then click [B]Virtual Machine[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]From the [B]New Virtual Machine Wizard[/B], click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the [B]Specify Name and Location[/B] page, specify the name of the virtual machine and where you want to store it.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the [B]Memory[/B] page, specify enough memory to run the guest operating system you want to use on the virtual machine.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the [B]Networking[/B] page, connect the network adapter to an existing virtual network if you want to establish network connectivity at this point. [/SIZE][/FONT] [B][FONT=Calibri][SIZE=2]Note: [/SIZE][/FONT][/B][FONT=Calibri][SIZE=2]If you want to use a remote image server to install an operating system on your test virtual machine, select the external network.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the [B]Connect Virtual Hard Disk[/B] page, specify a name, location, and size to create a virtual hard disk so you can install an operating system on it.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the [B]Installation Options[/B] page, choose the method you want to use to install the operating system:[/SIZE][/FONT]
[LIST][*][FONT=Calibri][SIZE=2]Install an operating system from a boot CD/DVD-ROM. You can use either physical media or an image file (.iso file).[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Install an operating system from a boot floppy disk. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Install an operating system from a network-based installation server. To use this option, you must configure the virtual machine with a legacy network adapter connected to an external virtual network. The external virtual network must have access to the same network as the image server.[/SIZE][/FONT][/LIST]
[*][FONT=Calibri][SIZE=2]Click [B]Finish[/B].[/SIZE][/FONT][/LIST]
For best performance, place the paging file from your Windows 2008 Hyper-V host machine on one physical hard disk (C:\) and the configuration and virtual hard disk files from each of your Hyper-V guest machines on another physical hard disk (D:\). Distributing workload across at least two SATA hard disks on the Windows 2008 host machine is critical for adequate system performance.
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 8 – Install Windows OS on each Hyper-V Guest Virtual Machine[/SIZE][/FONT]
[SIZE=2]After creating each virtual machine, you will need to install a guest operating system.[/SIZE] While it may be desirable to install Windows Server 2008 as the operating system for each guest virtual machine, I would instead suggest using Windows Server 2003 SP2 as it generally performs better in a virtual environment with limited resources.
Please be sure to install the correct version of the Windows operating system on each virtual machine. While ISA Server 2006 is a 32-bit application that [I]may[/I] run on a 64-bit operating system, OCS 2007 R2 is a 64-bit application that [I]requires[/I] a 64-bit operating system. Given this, the suggested OS configuration, fully qualified domain name (FQDN) and IP address for each virtual machine are as follows:
[LIST][*][FONT=Calibri][SIZE=2]ISA Server 2006 / Windows Server 2003 SP2 ([COLOR=#ff0000]x86[/COLOR]) / [B]ISA.contoso.com[/B] / 192.168.1.6[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]OCS 2007 R2 CWA / Windows Server 2003 SP2 ([COLOR=#ff0000]x64[/COLOR]) / [B]CWA-R2.contoso.com[/B] / 192.168.1.12[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]OCS 2007 R2 Mediation / Windows Server 2003 SP2 ([COLOR=#ff0000]x64[/COLOR]) / [B]Mediation-R2.contoso.com[/B] / 192.168.1.13[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]OCS 2007 R2 Edge / Windows Server 2003 SP2 ([COLOR=#ff0000]x64[/COLOR]) / [B]Edge-R2.contoso.com[/B] / 192.168.1.2 - 192.168.1.5[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]OCS 2007 R2 Front End / Windows Server 2003 SP2 ([COLOR=#ff0000]x64[/COLOR]) / [B]OCS-R2.contoso.com[/B] / 192.168.1.11[/SIZE][/FONT][/LIST]
After installing an operating system, you will need to install Hyper-V Integration Services on each guest virtual machine to provide the best management experience. From the Action menu of Virtual Machine Connection, click [B]Insert Integration Services Setup Disk[/B] (you must close the New Hardware Wizard to start the installation). The setup program should launch automatically; however, it can be run manually if necessary. Within the virtual machine, simply navigate to the CD drive using Windows Explorer and launch the appropriate version of [B]Setup.exe[/B] (x86/x64) to begin the installation.
We will configure each of the guest virtual machines later in this guide.
[FONT=Franklin Gothic Demi Cond][SIZE=5]Configuring Exchange 2007 SP1[/SIZE][/FONT]
In addition to running Active Directory Domain Services and other domain infrastructure roles, the Windows 2008 physical host machine will host the Mailbox, Client Access, Hub Transport, and Unified Messaging server roles from Exchange 2007 SP1. The following steps will configure Exchange 2007 SP1 for both internal and external user access.
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 1 – Install Exchange 2007 SP1 on Windows 2008 Physical Host[/SIZE][/FONT]
Since we are installing the Unified Messaging role (which can be very processor intensive), we need to install Exchange 2007 on physical hardware – which in this case also happens to be our domain controller. While most people believe that installing Exchange 2007 on a Windows domain controller is unsupported, it actually [I]is[/I] supported – however it is not generally recommended (due to known DSAccess failover limitations in outage conditions).
[B]A. To install Exchange 2007 SP1 on the Windows 2008 host computer[/B]
[LIST=1]
[*][FONT=Calibri][SIZE=2]Log in to the Windows 2008 computer using the [B]built-in Domain Administrator account[/B] (Contoso\Administrator).[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Install the [URL="http://technet.microsoft.com/en-us/library/bb691354.aspx"][B]Prerequisites[/B][/URL] for supporting [I]all[/I] Exchange 2007 server roles on Windows Server 2008.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Insert the Exchange 2007 SP1 installation media and double-click [B]Setup.exe[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Select the option to [B]Install Microsoft Exchange Server 2007 SP1[/B].[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/ExInstall1_4.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/ExInstall1_thumb_1.jpg[/IMG][/URL]
[*][FONT=Calibri][SIZE=2]Click [B]Next[/B] at the Introduction screen, then click [B]Accept[/B] at the EULA screen. Click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]At the Error Reporting screen, choose either [B]Yes[/B] or [B]No[/B], then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Choose the [B]Custom[/B] installation option and select an appropriate installation path. Click [B]Next[/B].[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/ExInstall2_4.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/ExInstall2_thumb_1.jpg[/IMG][/URL]
[*][FONT=Calibri][SIZE=2]Select the [B]Mailbox[/B] role, the [B]Client Access[/B] role, the [B]Hub Transport[/B] role, and the [B]Unified Messaging[/B] role. Click [B]Next[/B].[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/ExInstall3_4.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/ExInstall3_thumb_1.jpg[/IMG][/URL]
[*][FONT=Calibri][SIZE=2]On the Exchange Organization screen, enter the name of your [B]Organization[/B] (or accept the default value).[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the Client Settings screen, choose [B]No[/B] (unless you want to support Outlook 2003 clients). Click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Unless you already have Exchange 2000/2003 in your lab, click [B]Next[/B] on the Mail Flow Settings screen.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]After completing all installation prerequisite checks successfully, click [B]Install[/B] to begin the installation.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Once all roles have been installed successfully, click [B]Finish[/B] to complete the installation.[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/ExInstall4_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/ExInstall4_thumb.jpg[/IMG][/URL]
[*][FONT=Calibri][SIZE=2]Download and install the [URL="http://support.microsoft.com/kb/937052"][B]Latest Hotfix Rollup[/B][/URL] for Exchange 2007 SP1.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2][B]Restart[/B] the computer.[/SIZE][/FONT]
[/LIST]
[SIZE=2]Upon restarting the server, log in using the credentials for the [B]built-in Domain Administrator account[/B] (i.e. [B]Contoso\Administrator[/B]). Again, launch the Event Viewer and take a cursory glance at both the Application Log and System Log. Be sure to address any serious errors before proceeding. Also open the Services applet and verify that all Exchange services that are configured to start automatically have, in fact, started successfully.[/SIZE]
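The post-restart checks above (stopped automatic services, errors in the Application and System logs) can be scripted so nothing is missed. This is an added example run from the Exchange Management Shell, not code from the original guide; the event-log portion is equally usable after the AD DS restart in Step 4, and it assumes Windows Server 2008 with PowerShell 1.0, so it avoids parameters added in later versions.

```powershell
# Added example (not from the original guide): post-install health check for the
# Exchange 2007 SP1 host. Run in the Exchange Management Shell as Contoso\Administrator.

# 1. Exchange services set to start automatically that are not actually running.
#    Get-Service has no start-mode property in PowerShell 1.0, so WMI is used instead.
$stopped = Get-WmiObject Win32_Service -Filter "Name LIKE 'MSExchange%' AND StartMode = 'Auto'" |
    Where-Object { $_.State -ne "Running" }
if ($stopped) {
    Write-Warning "Automatic Exchange services that are not running:"
    $stopped | Format-Table Name, State, StartMode -AutoSize
} else {
    Write-Host "All automatic Exchange services are running."
}

# 2. The roles installed on this server should read Mailbox, ClientAccess, HubTransport,
#    UnifiedMessaging, matching the selections made in the Custom install above.
Get-ExchangeServer -Identity $env:COMPUTERNAME | Format-List Name, ServerRole, AdminDisplayVersion

# 3. Errors written to the Application and System logs since the last boot.
$os    = Get-WmiObject Win32_OperatingSystem
$since = $os.ConvertToDateTime($os.LastBootUpTime)
foreach ($log in "Application", "System") {
    Write-Host "--- $log log errors since $since ---"
    Get-EventLog $log -Newest 500 |
        Where-Object { $_.EntryType -eq "Error" -and $_.TimeGenerated -gt $since } |
        Sort-Object TimeGenerated -Descending |
        Format-Table TimeGenerated, Source, EventID, Message -AutoSize
}
```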
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 2 – Configure the Hub Transport role[/SIZE][/FONT]
[SIZE=2]After installing the Hub Transport (HT) role on an Exchange 2007 server, you will find that two SMTP Receive Connectors are created automatically during the installation process – Client and Default. Although the Default Receive Connector (used for server connections) can be configured to allow Anonymous connections from the Internet, by default it advertises the FQDN of the local machine in the SMTP protocol banner when a connecting server issues either the EHLO or HELO command, as shown below:[/SIZE]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/smtpbanner_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/smtpbanner_thumb.jpg[/IMG][/URL]
Advertising the FQDN of the local machine in the SMTP protocol banner is generally considered to be an unnecessary security risk. As such, many customers elect to change this value to reflect the same FQDN that is registered in their public MX record. The Default Receive Connector is a special case, however, as it is used by other Exchange servers or server roles (like Unified Messaging) for submitting email or voice mail for delivery. The FQDN advertised in the SMTP protocol banner of the Default Receive Connector should NOT be changed, as this value is used to look up the SMTPSvc ServicePrincipalName (SPN) value of the Hub Transport server during Kerberos authentication.
Additionally, for servers to successfully authenticate using X-AnonymousTLS, the SMTP service on the Hub Transport server must be bound to at least one certificate that contains the FQDN of the local machine. During the installation of the Hub Transport role, a self-signed certificate is generated containing the FQDN of the local machine. It is important to remember that even if you purchase a PKI certificate from a publicly trusted PKI provider like DigiCert or VeriSign, unless you plan to include the FQDN of the local machine in your certificate request, you should NOT remove the self-signed certificate that is enabled for SMTP.
Our next task will be to configure SMTP connectors for sending and receiving email.
[B]A. To create a new Send Connector to be used for routing email to the Internet[/B]
[LIST=1]
[*][FONT=Calibri][SIZE=2]Log in to the Windows 2008 computer using the [B]built-in Domain Administrator account[/B] (Contoso\Administrator).[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Open the Exchange Management Console, then perform the following steps:
a. Under [B]Organization Configuration[/B], select [B]Hub Transport[/B]
b. In the result pane, select the [B]Send Connectors[/B] tab[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]In the action pane, click [B]New Send Connector[/B]. The New SMTP Send Connector wizard starts.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Introduction[/B] page, configure the name and type of connector:
a. In the [B]Name[/B] field, type [B]Internet Send Connector[/B]
b. In the [B]Select the intended use for this connector[/B] field, choose [B]Internet[/B]. Click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Address Space[/B] screen, click [B]Add[/B] to add a new address space configured as follows:
a. The [B]SMTP[/B] address type should already be selected by default.
b. In the [B]Address[/B] field, enter a single [B]asterisk[/B] to represent the wildcard ‘[B]*[/B]’ character
c. [B]Enable[/B] the option to [B]Include all subdomains[/B]
d. Enter a [B]Cost[/B] value of [B]1[/B]. Click [B]OK[/B] then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Network Settings[/B] screen, choose the following options:
a. Select the option to [B]Use DNS MX Records to route mail automatically[/B].
b. Enable the option to [B]Use External DNS lookup settings on the transport server[/B]. Click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]On the [B]Source Server[/B] screen, click [B]Add[/B] and select a [B]Hub Transport[/B] server.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Click [B]OK[/B] then click [B]Next[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Click [B]New[/B] to create the send connector.[/SIZE][/FONT]
[/LIST]
[B]B. To modify the settings of the existing Default Receive Connector[/B]
[LIST=1]
[*][FONT=Calibri][SIZE=2]Open the Exchange Management Console, then perform the following steps:
a. Under [B]Server Configuration[/B], select [B]Hub Transport[/B]
b. In the result pane, select the [B]Hub Transport[/B] server
c. Click the [B]Receive Connectors[/B] tab.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Open the properties of the existing [B]Default [I]{ComputerName}[/I][/B] Receive Connector.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Under the General tab, verify that the value in [B]Specify the FQDN this connector will provide in response to HELO and EHLO[/B] contains the [B]FQDN of the local machine[/B].[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Click on the [B]Network[/B] tab.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Under [B]Use these local IP addresses to receive mail[/B], do the following:
a. [B]Remove[/B] the existing value of [B][I]All IPv4 Addresses[/I][/B] listening on [I]Port 25[/I].
b. Click [B]Add[/B] to specify the IPv4 address value [B]192.168.1.10[/B] and [B]Port 25[/B] to receive email requests.
c. [B]Remove[/B] the existing value of [B][I]All IPv6 Addresses[/I][/B] listening on [I]Port 25[/I].
d. Click [B]Add[/B] to specify the IPv6 address value [B]fe80::c0a8:010a[/B] and [B]Port 25[/B] to receive email requests.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Under [B]Receive mail from remote servers that have these IP addresses[/B], do the following:
a. [B]Verify[/B] that the specified IPv4 address range value is [B][I]0.0.0.0 – 255.255.255.255[/I][/B].
b. [B]Verify[/B] that the specified IPv6 address range value is [B][I]:: – ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff[/I][/B].[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/DefaultRecConn_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/DefaultRecConn_thumb.jpg[/IMG][/URL]
[*][FONT=Calibri][SIZE=2]Click on the [B]Authentication[/B] tab and verify that [B]Exchange Server Authentication[/B] is enabled.[/SIZE][/FONT]
[*][FONT=Calibri][SIZE=2]Click [B]OK[/B] to complete the configuration of the Default Receive Connector.[/SIZE][/FONT]
[/LIST]
[B]C. To create a new SMTP Receive Connector for receiving Internet email[/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Open the Exchange Management Console, then perform the following steps:
[/SIZE][/FONT][FONT=Calibri][SIZE=2] a. Under [B]Server Configuration[/B], select [B]Hub Transport[/B]
b. In the result pane, select the [B]Hub Transport[/B] server
c. Click the [B]Receive Connectors[/B] tab. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]In the action pane, click [B]New Receive Connector[/B]. The New SMTP Receive Connector wizard starts. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the [B]Introduction[/B] page, configure the name and type of connector:
[/SIZE][/FONT][FONT=Calibri][SIZE=2] a. In the [B]Name[/B] field, type [B]Internet [I]{ComputerName}[/I] [/B](for example [B]Internet EMAIL[/B])
b. In the [B]Select the intended use for this connector[/B] field, choose [B]Internet[/B]. Click [B]Next[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the [B]Local network settings[/B] page, click [B]Add [/B]an IP address to receive mail. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Select the existing value of [B][I]All IP addresses [/I][/B]listening on[I][B] Port 25[/B][/I] and click [B]Remove[I].[/I][/B]
[/SIZE][/FONT][FONT=Calibri][SIZE=2] a. Click [B]Add [/B]to specify binding settings for the new Receive Connector.
b. In the[B] Add Receive Connector Binding[/B] dialog box, select [B]Specify an IP address.[/B]
c. Enter the [B]IP address[/B] of your server, [B]192.168.1.10[/B]. (Do not specify an IPv6 address here.)
d. Enter the [B]Port[/B] to receive email requests, [B][COLOR=#ff0000]Port 26[/COLOR][/B], then click[B] OK[/B].
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/InternetRecConn_5.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/InternetRecConn_thumb.jpg[/IMG][/URL] [/SIZE][/FONT][FONT=Calibri][SIZE=2]
[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the [B]Local network settings[/B] page, in the [B]Specify the FQDN this connector will provide in response to HELO or EHLO[/B] field, type the FQDN value of your public MX record (for example: [B]mail.contoso.com[/B]). Click [B]Next[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]New[/B] to create the new Receive Connector. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Open the properties of the new Receive Connector. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click on the Authentication tab.
[/SIZE][/FONT][FONT=Calibri][SIZE=2] a. [B]Disable[/B] the option for [B]TLS Authentication[/B]
b. [B]Enable[/B] the option for [B]Basic Authentication[/B] [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]OK[/B] to complete the configuration of the new Receive Connector [/SIZE][/FONT][/LIST]
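[FONT=Verdana]The same Internet Receive Connector, built from the Exchange Management Shell instead of the wizard, as an added example that is not part of the original post. The Hub Transport server name "EMAIL" is an assumption; the IP address, port, MX name and authentication choices are the ones from section C above. The audit at the end is the check a practitioner would want before the port is reachable from outside: a connector offering Basic authentication without the RequireTLS qualifier accepts passwords over a plaintext SMTP session.[/FONT]

```powershell
# Added example, not part of the original post: the Exchange Management Shell
# equivalent of section C above, followed by an audit of the result.
# Assumed value: Hub Transport server name "EMAIL" (hypothetical). The IP
# address, port and MX name are the ones used in the walkthrough.
$Server = 'EMAIL'
$Name   = "Internet $Server"

# Create the connector bound to 192.168.1.10:26 that answers HELO/EHLO with the
# public MX name. -Usage Internet selects the anonymous permission group and
# the "all remote IPs" range that the wizard applies for an Internet connector.
New-ReceiveConnector -Name $Name -Server $Server -Usage Internet `
    -Bindings '192.168.1.10:26' -Fqdn 'mail.contoso.com'

# Authentication tab as configured in the post: TLS off, Basic on. With
# BasicAuth alone a client's password crosses port 26 in the clear;
# BasicAuthRequireTLS (commented out) only offers AUTH LOGIN after STARTTLS,
# which becomes usable once a trusted certificate is enabled for SMTP in Step 5.
Set-ReceiveConnector -Identity "$Server\$Name" -AuthMechanism 'BasicAuth'
# Set-ReceiveConnector -Identity "$Server\$Name" -AuthMechanism 'Tls,BasicAuth,BasicAuthRequireTLS'

# Audit: one row per receive connector on the server. ClearTextBasic is $true
# when BasicAuth is offered without the RequireTLS qualifier, which is the
# combination to revisit before the lab is exposed to the Internet.
function Get-ReceiveConnectorAuthReport {
    param([string]$ServerName)
    Get-ReceiveConnector -Server $ServerName |
        Select-Object Name, Bindings, RemoteIPRanges, AuthMechanism,
            @{ Name = 'ClearTextBasic'; Expression = {
                $m = $_.AuthMechanism.ToString()
                ($m -match '\bBasicAuth\b') -and ($m -notmatch 'BasicAuthRequireTLS')
            } }
}

Get-ReceiveConnectorAuthReport -ServerName $Server | Format-Table -AutoSize
```

[FONT=Verdana]Run the script once on the Hub Transport server; the final table should show the Default connector with Tls and ExchangeServer mechanisms and the new Internet connector with BasicAuth only, exactly as the two wizard sections configure them.[/FONT]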
[FONT=Verdana]Once you have completed the configuration steps for handling SMTP mail flow, restart the following services:[/FONT]
[LIST][*][FONT=Verdana]Microsoft Exchange Mail Submission[/FONT][*][FONT=Verdana]Microsoft Exchange Transport[/FONT][*][FONT=Verdana]Microsoft Exchange Transport Log Search[/FONT][/LIST]
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 3 – Configure the Client Access Server role[/SIZE][/FONT]
[FONT=Verdana]Our next few configuration steps will be to configure the Client Access Server (CAS) role. First, we will enable RPC over HTTP so that we can use the Outlook Anywhere feature from the Internet. We will also configure each of the internal and external virtual directory URL settings for Exchange Web Services, including Exchange ActiveSync. To do all of this, we will use the Exchange Management Shell.[/FONT]
[B]A. To install the RPC over the HTTP Windows Networking component in Windows Server 2008[/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log on to the Windows 2008 computer as the [B]built-in Domain Administrator account[/B] (Contoso\Administrator)[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Start[/B], and then click [B]Control Panel[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Double-click [B]Programs and Features[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Turn Windows features on or off[/B]. Server Manager opens.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]In the left pane of Server Manager, click [B]Features[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]In the right pane, click [B]Add Features[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]In the Add Features Wizard, click to select the [B]RPC over HTTP Proxy[/B] check box. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]If the [B]Add role services required for HTTP Proxy[/B] dialog box appears, click [B]Add Required Role Services[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Read the information on the [B]Web Server (IIS)[/B] page, and then click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the [B]Select Role Services[/B] page, click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the [B]Confirm Installation Selections[/B] page, click [B]Install[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]When the features are installed, click [B]Close[/B].[/SIZE][/FONT][/LIST]
[B][FONT=Verdana]B. To enable Outlook Anywhere access from the Internet[/FONT][/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log on to the Windows 2008 computer as the [B]built-in Domain Administrator account[/B] (Contoso\Administrator). [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Start[/B] , then [B]All Programs[/B], then expand [B]Microsoft Exchange Server 2007[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Launch the [B]Exchange Management Shell[/B], then enter the following command:[/SIZE][/FONT][/LIST]
[INDENT] [FONT=Calibri][SIZE=2][B]Enable-OutlookAnywhere -ExternalHostname "[COLOR=#008000]mail.contoso.com[/COLOR]" -DefaultAuthenticationMethod "Basic" -SSLOffloading:$False[/B][/SIZE][/FONT][/INDENT][B][FONT=Verdana]C. To modify the virtual directory settings for Exchange Web Services[/FONT][/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log on to the Windows 2008 computer as the [B]built-in Domain Administrator account[/B] (Contoso\Administrator). [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Start[/B] , then [B]All Programs[/B], then expand [B]Microsoft Exchange Server 2007[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Launch the [B]Exchange Management Shell[/B], then enter each of the following commands: [/SIZE][/FONT][/LIST]
[INDENT] [FONT=Calibri][SIZE=2][B]Get-ClientAccessServer -Identity [I]{ComputerName}[/I] | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "[COLOR=#008000]https://mail.contoso.com/Autodiscover/Autodiscover.xml[/COLOR]"[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2][B]Get-WebServicesVirtualDirectory -Server [I]{ComputerName}[/I] | Set-WebServicesVirtualDirectory -InternalUrl "[COLOR=#008000]https://mail.contoso.com/EWS/Exchange.asmx[/COLOR]" -ExternalUrl "[COLOR=#008000]https://mail.contoso.com/EWS/Exchange.asmx[/COLOR]" -BasicAuthentication:$true -WindowsAuthentication:$true -DigestAuthentication:$false[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2][B]Get-AutodiscoverVirtualDirectory -Server [I]{ComputerName}[/I] | Set-AutodiscoverVirtualDirectory -InternalUrl "[COLOR=#008000]https://mail.contoso.com/Autodiscover/Autodiscover.xml[/COLOR]" -ExternalUrl "[COLOR=#008000]https://mail.contoso.com/Autodiscover/Autodiscover.xml[/COLOR]" -BasicAuthentication:$true -WindowsAuthentication:$true -DigestAuthentication:$false[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2][B]Get-OwaVirtualDirectory -Server [I]{ComputerName}[/I] | Set-OwaVirtualDirectory -InternalUrl "[COLOR=#008000]https://mail.contoso.com/owa[/COLOR]" -ExternalUrl "[COLOR=#008000]https://mail.contoso.com/owa[/COLOR]" -BasicAuthentication:$true -WindowsAuthentication:$true -DigestAuthentication:$false -FormsAuthentication:$false[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2][B]Get-OabVirtualDirectory -Server [I]{ComputerName}[/I] | Set-OabVirtualDirectory -InternalUrl "[COLOR=#008000]https://mail.contoso.com/OAB[/COLOR]" -ExternalUrl "[COLOR=#008000]https://mail.contoso.com/OAB[/COLOR]" -WindowsAuthentication:$true -BasicAuthentication:$false -DigestAuthentication:$false -RequireSSL:$true[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2][B]Get-UMVirtualDirectory -Server [I]{ComputerName}[/I] | Set-UMVirtualDirectory -InternalUrl "[COLOR=#008000]https://mail.contoso.com/UnifiedMessaging/Service.asmx[/COLOR]" -ExternalUrl "[COLOR=#008000]https://mail.contoso.com/UnifiedMessaging/Service.asmx[/COLOR]" -BasicAuthentication:$true -WindowsAuthentication:$true -DigestAuthentication:$false[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2][B]Set-ActiveSyncVirtualDirectory -Identity "[I]{ComputerName}[/I]\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "[COLOR=#008000]https://mail.contoso.com/Microsoft-Server-ActiveSync[/COLOR]" -ExternalUrl "[COLOR=#008000]https://mail.contoso.com/Microsoft-Server-ActiveSync[/COLOR]"[/B][/SIZE][/FONT][/INDENT][B][FONT=Verdana]D. To enable SSL on the Exchange ActiveSync virtual directory in IIS[/FONT][/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log on to the Windows 2008 computer as the[B] built-in Domain Administrator account[/B] (Contoso\Administrator). [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Start[/B], point to [B]Administrative Tools[/B], and then select [B]Internet Information Services (IIS) Manager[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Within the Internet Information Services (IIS) Manager, expand the [B]Server[/B], then expand [B]Sites.[/B] [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Expand the [B]Default Web Site[/B], then select the [B]Microsoft-Server-ActiveSync[/B] virtual directory. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]From the [B]Features View[/B] in the center window, double-click on [B]SSL Settings[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Enable the options for both [B]Require SSL[/B] and [B]Require 128-bit SSL[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]From the [B]Actions [/B]menu on the right, click [B]Apply[/B]. [/SIZE][/FONT][*][SIZE=2][FONT=Calibri][B]Close[/B] the Internet Information Services (IIS) Manager console.[/FONT][/SIZE][/LIST]
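[FONT=Verdana]A read-back check for sections B and C, as an added example that is not part of the original post. The Client Access server name "EMAIL" is an assumption; the public name mail.contoso.com is the one used throughout Step 3. Most of the virtual directories above have Basic authentication enabled, so the point of the check is that every URL is HTTPS on the expected host and that the directories which expose a RequireSSL setting have it turned on.[/FONT]

```powershell
# Added example, not part of the original post: checks the Outlook Anywhere and
# virtual directory settings from sections B and C above after they have been
# applied. Assumed values: CAS server name "EMAIL" (hypothetical) and the public
# name mail.contoso.com from the walkthrough.
$Server       = 'EMAIL'
$ExpectedHost = 'mail.contoso.com'

# Fetch every virtual directory type that section C configures on this server.
function Get-CasVirtualDirectories {
    param([string]$ServerName)
    Get-WebServicesVirtualDirectory  -Server $ServerName
    Get-AutodiscoverVirtualDirectory -Server $ServerName
    Get-OwaVirtualDirectory          -Server $ServerName
    Get-OabVirtualDirectory          -Server $ServerName
    Get-UMVirtualDirectory           -Server $ServerName
    Get-ActiveSyncVirtualDirectory   -Server $ServerName
}

# One row per virtual directory. Problem is empty when both URLs use HTTPS and
# the expected host, and when a directory that exposes RequireSSL has it on.
# With Basic authentication enabled, the SSL requirement is what keeps the
# user's password off the wire.
function Test-CasVirtualDirectories {
    param([string]$ServerName, [string]$HostName)
    Get-CasVirtualDirectories -ServerName $ServerName | ForEach-Object {
        $vdir = $_
        $problems = @()
        foreach ($url in @($vdir.InternalUrl, $vdir.ExternalUrl)) {
            if ($url -eq $null) { $problems += 'URL not set'; continue }
            if ($url.Scheme -ne 'https') { $problems += "not HTTPS: $url" }
            if ($url.Host -ne $HostName) { $problems += "host is $($url.Host)" }
        }
        if (($vdir | Get-Member -Name RequireSSL) -and -not $vdir.RequireSSL) {
            $problems += 'RequireSSL is off'
        }
        $vdir | Select-Object Name, InternalUrl, ExternalUrl |
            Add-Member -MemberType NoteProperty -Name Problem `
                -Value ([string]::Join('; ', [string[]]$problems)) -PassThru
    }
}

Test-CasVirtualDirectories -ServerName $Server -HostName $ExpectedHost |
    Format-Table Name, Problem, ExternalUrl -AutoSize

# The Autodiscover SCP (first command of section C) and the Outlook Anywhere
# settings from section B; both should report mail.contoso.com.
Get-ClientAccessServer -Identity $Server | Format-List Name, AutoDiscoverServiceInternalUri
Get-OutlookAnywhere -Server $Server | Format-List ServerName, ExternalHostname, SSLOffloading, *Authentication*
```

[FONT=Verdana]An empty Problem column for every row means the commands in section C took effect as written; a "host is EMAIL" entry is the usual sign that one of the Set-* commands was skipped and the directory still advertises the server's internal name.[/FONT]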
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 4 – Configure the Unified Messaging role[/SIZE][/FONT]
[FONT=Verdana]Next, we will need to create the various configuration objects used by the Unified Messaging (UM) role, which is very likely the most complex role to set up. The core configuration object for Unified Messaging is the Dial Plan, which defines the expected digit pattern for user extensions. Since we will be integrating Unified Messaging with OCS 2007 R2, we will create a SIP URI Dial Plan whose users have 4 digits in their extensions.[/FONT]
Whenever I build a Unified Communications lab, I always configure it with the expectation that [I]some day[/I] I may want to provide external telephone connectivity to the lab users. Since these objects will eventually be Enterprise Voice enabled within OCS 2007 R2, each configuration object will be configured with a telephone number that is correctly formatted as an E.164 dial string. With that in mind, I will use the following configuration details for each Enterprise Voice/UM enabled object in this lab:
[B][FONT=Calibri][SIZE=2]Name | SIP URI | UM Enabled Extension | Telephone Number | Tel URI[/SIZE][/FONT][/B]
[FONT=Calibri][SIZE=2]Subscriber Access | OCSSA@contoso.com | N/A | +19807760000 | +19807760000[/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Auto Attendant | OCSAA@contoso.com | N/A | +19807769999 | +19807769999[/SIZE][/FONT]
[FONT=Calibri][SIZE=2]User A | UserA@contoso.com | 0001 | 0001 | +19807760001[/SIZE][/FONT]
[FONT=Calibri][SIZE=2]User B | UserB@contoso.com | 0002 | 0002 | +19807760002[/SIZE][/FONT]
[B][FONT=Verdana]A. To create and configure a UM Dial Plan[/FONT][/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Open the [B]Exchange Management Console[/B], then perform the following steps: [/SIZE][/FONT]
[FONT=Calibri][SIZE=2] a. Under [B]Organization Configuration[/B], select [B]Unified Messaging[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2] b. In the result pane, select the [B]UM Dial Plans [/B]tab[/SIZE][/FONT]
[FONT=Calibri][SIZE=2] c. From the actions pane, click [B]New UM Dial Plan[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Complete the information necessary to create a SIP enabled UM Dial Plan, which is required by OCS 2007 R2:[/SIZE][/FONT]
[SIZE=2][FONT=Calibri]Name of Dial Plan : [B]OCSDialPlan[/B][/FONT][/SIZE]
[SIZE=2][FONT=Calibri]Digits in Extension : [B]4[/B][/FONT][/SIZE]
[SIZE=2][FONT=Calibri]URI Type : [B]SIP URI[/B][/FONT][/SIZE]
[SIZE=2][FONT=Calibri]VoIP Security : [B]Secured[/B][/FONT][/SIZE][*][FONT=Calibri][SIZE=2]Click [B]New[/B] to create the UM Dial Plan.[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/NewUMDialPlan_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/NewUMDialPlan_thumb.jpg[/IMG][/URL][*][FONT=Calibri][SIZE=2]Within the Exchange Management Console, right click on the new [B]UM Dial Plan[/B] and select [B]Properties[/B] from the context menu. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click on the [B]Subscriber Access[/B] tab. Settings in this area of Dial Plan configuration control the behavior of Outlook Voice Access. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Add the Subscriber Access number [B]‘+19807760000’[/B] to the UM Dial Plan. This is typically the number that external users dial when accessing voice mail by phone. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Next, click on the [B]Features[/B] tab, locate the option [B]‘Callers can contact’[/B] and choose ‘[B]Anyone in the Default Global Address List[/B]’. This allows UM enabled users to transfer or place calls to any internal 4 digit telephone number that appears within the Global Address List. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Next, click on the [B]Dial Rule Groups[/B] tab. Under the [B]In Country/Region Rule Groups[/B] section of the dialog box, click [B]Add[/B].[/SIZE][/FONT]
[FONT=Calibri][SIZE=2]In the Dialing Rule Entry dialog box, enter the following information:[/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Name: [B]All[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Number Mask: [B]*[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Dialed Number: [B]*[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Comment: [B]<optional comment>[/B][/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/DialingRuleEntry_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/DialingRuleEntry_thumb.jpg[/IMG][/URL][*][FONT=Calibri][SIZE=2]Click [B]OK[/B], then under the [B]International Rule Group[/B] section, click [B]Add[/B] to create another Dialing Rule.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Complete the configuration of another [B]Dialing Rule Entry[/B] with the same options as shown above. Click [B]OK[/B], then click [B]Apply[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Next, click on the[B] Dialing Restrictions[/B] tab, then complete the following configuration:[/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Allow calls to users in the same Dial Plan: [B]Enabled[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Allow calls to extensions: [B]Enabled[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Select In Country/Region Rule Groups from Dial Plan: [B]Click Add then choose the ‘All’ Rule[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Select International Rule Groups from Dial Plan: [B]Click Add then choose the ‘All’ Rule[/B][/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]OK[/B] to complete the configuration of the UM Dial Plan.[/SIZE][/FONT][/LIST]
[B][FONT=Verdana]B. To link the Exchange 2007 server to the UM Dial Plan[/FONT][/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Open the [B]Exchange Management Console[/B], then perform the following steps: [/SIZE][/FONT]
[FONT=Calibri][SIZE=2] a. Under [B]Server Configuration[/B], select [B]Unified Messaging[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2] b. In the result pane, select the [B]Exchange 2007 server [/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2] c. From the actions pane, click [B]Properties[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]In the Properties of the Exchange 2007 server, click on the [B]UM Settings[/B] tab.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Add[/B] and select the [B]OCSDialPlan[/B].[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/UMServerProperties._2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/UMServerProperties._thumb.jpg[/IMG][/URL][*][FONT=Calibri][SIZE=2]Click OK to link the new [B]OCSDialPlan[/B] to the Exchange 2007 server.[/SIZE][/FONT][/LIST]
[B][FONT=Verdana]C. To configure the UM Mailbox Policy[/FONT][/B] [B]for the OCSDialPlan[/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Open the [B]Exchange Management Console[/B], then perform the following steps: [/SIZE][/FONT]
[FONT=Calibri][SIZE=2] a. Under [B]Organization Configuration[/B], select [B]Unified Messaging[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2] b. In the result pane, select the [B]UM Mailbox Policies [/B]tab[/SIZE][/FONT]
[FONT=Calibri][SIZE=2] c. Select the [B]OCSDialPlan[/B], then from the actions pane, click [B]Properties[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]To relax security restrictions, click on the [B]PIN Settings [/B]tab within the properties of the UM Mailbox Policy, then configure the following options:[/SIZE][/FONT]
[SIZE=2][FONT=Calibri]Minimum PIN Length : [B]4[/B][/FONT][/SIZE]
[SIZE=2][FONT=Calibri]Pin Lifetime Days : [B]Enabled/60[/B][/FONT][/SIZE]
[SIZE=2][FONT=Calibri]Previous PINs disallowed : [B]1[/B][/FONT][/SIZE]
[SIZE=2][FONT=Calibri]Allow common patterns : [B]Enabled[/B][/FONT][/SIZE]
[SIZE=2][FONT=Calibri]Missed PINs before reset : [B]5[/B][/FONT][/SIZE]
[SIZE=2][FONT=Calibri]Missed PINs before lockout : [B]15[/B][/FONT][/SIZE]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/UMMailboxPolicy_6.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/UMMailboxPolicy_thumb_2.jpg[/IMG][/URL][*][FONT=Calibri][SIZE=2]Next, click on the[B] Dialing Restrictions[/B] tab, then complete the following configuration:[/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Allow calls to users in the same Dial Plan: [B]Enabled[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Allow calls to extensions: [B]Enabled[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Select In Country/Region Rule Groups from Dial Plan: [B]Click Add then choose the ‘All’ Rule[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Select International Rule Groups from Dial Plan: [B]Click Add then choose the ‘All’ Rule[/B][/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Apply[/B] then [B]OK[/B] to complete the configuration of the UM Mailbox Policy.[/SIZE][/FONT][/LIST]
[B][FONT=Verdana]D. To create and configure a UM Auto Attendant for the OCSDialPlan[/FONT][/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Open the [B]Exchange Management Console[/B], then perform the following steps:
a. Under [B]Organization Configuration[/B], select [B]Unified Messaging[/B]
b. In the result pane, select the [B]UM Auto Attendants[/B] tab
c. From the actions pane, click [B]New UM Auto Attendant[/B]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Complete the information necessary to create a UM Auto Attendant for the OCSDialPlan:
Name of Auto Attendant : [B]OCSAA[/B] ([COLOR=#ff0000][B]no spaces![/B][/COLOR])
Associated Dial Plan : [B]OCSDialPlan[/B]
Extension Numbers : [B]+19807769999[/B]
Create as Enabled : [B]Enabled[/B]
Create as Speech Enabled : [B]Enabled[/B]
[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]New[/B] to create the UM Auto Attendant. [/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/UMAutoAttendant_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/UMAutoAttendant_thumb.jpg[/IMG][/URL][*][FONT=Calibri][SIZE=2]Within the Exchange Management Console, right click on the new [B]UM Auto Attendant[/B] and select [B]Properties[/B] from the context menu. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click on the [B]Features[/B] tab, locate the option [B]‘Callers can contact’[/B] and choose ‘[B]Anyone in the Default Global Address List[/B]’. This allows UM enabled users to transfer or place calls to any internal 4 digit telephone number that appears within the Global Address List. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Next, click on the [B]Dialing Restrictions[/B] tab, then complete the following configuration:[/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Allow calls to users in the same Dial Plan: [B]Enabled[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Allow calls to extensions: [B]Enabled[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Select In Country/Region Rule Groups from Dial Plan: [B]Click Add then choose the ‘All’ Rule[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Select International Rule Groups from Dial Plan: [B]Click Add then choose the ‘All’ Rule[/B][/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Apply[/B] then [B]OK[/B] to complete the configuration of the UM Auto Attendant.[/SIZE][/FONT][/LIST]
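[FONT=Verdana]Sections A through D of Step 4 carried out from the Exchange Management Shell, as an added example that is not part of the original post. The UM server name "EMAIL" is an assumption; the dial plan name, the telephone numbers, the "All" rule and the PIN values are the ones from the walkthrough above. As the post says, those PIN values relax the defaults for a lab; a production mailbox policy would keep the stricter defaults.[/FONT]

```powershell
# Added example, not part of the original post: the Exchange Management Shell
# equivalent of sections A to D above, in the same order. Assumed value: UM
# server name "EMAIL" (hypothetical). Dial plan name, numbers, rule names and
# PIN settings are the ones given in the walkthrough; the PIN values relax the
# defaults for a lab and are not what a production policy would carry.
$UmServer = 'EMAIL'
$DialPlan = 'OCSDialPlan'

# A. SIP URI dial plan, 4-digit extensions, secured VoIP (required by OCS 2007 R2).
New-UMDialPlan -Name $DialPlan -NumberOfDigitsInExtension 4 `
    -URIType 'SipName' -VoIPSecurity 'Secured'

# Subscriber Access number, "Callers can contact" scope, and the "All" dialing
# rule in both groups. A rule entry is "Name,NumberMask,DialedNumber,Comment".
Set-UMDialPlan -Identity $DialPlan `
    -AccessTelephoneNumbers '+19807760000' `
    -ContactScope 'GlobalAddressList' `
    -ConfiguredInCountryOrRegionGroups 'All,*,*,Lab rule' `
    -ConfiguredInternationalGroups    'All,*,*,Lab rule'

# Dialing Restrictions tab: the rule groups must exist before they can be allowed.
Set-UMDialPlan -Identity $DialPlan `
    -AllowDialPlanSubscribers $true -AllowExtensions $true `
    -AllowedInCountryOrRegionGroups 'All' -AllowedInternationalGroups 'All'

# B. Link the UM server to the dial plan (UM Settings tab of the server).
Set-UMServer -Identity $UmServer -DialPlans $DialPlan

# C. The mailbox policy created with the dial plan: PIN settings and restrictions.
$policy = Get-UMMailboxPolicy | Where-Object { $_.UMDialPlan.Name -eq $DialPlan } | Select-Object -First 1
Set-UMMailboxPolicy -Identity $policy.Identity `
    -MinPINLength 4 -PINLifetime 60 -PINHistoryCount 1 -AllowCommonPatterns $true `
    -LogonFailuresBeforePINReset 5 -MaxLogonAttempts 15 `
    -AllowDialPlanSubscribers $true -AllowExtensions $true `
    -AllowedInCountryOrRegionGroups 'All' -AllowedInternationalGroups 'All'

# D. Speech-enabled auto attendant on the pilot number, same scope and restrictions.
New-UMAutoAttendant -Name 'OCSAA' -UMDialPlan $DialPlan `
    -PilotIdentifierList '+19807769999' -Status 'Enabled' -SpeechEnabled $true
Set-UMAutoAttendant -Identity 'OCSAA' -ContactScope 'GlobalAddressList' `
    -AllowDialPlanSubscribers $true -AllowExtensions $true `
    -AllowedInCountryOrRegionGroups 'All' -AllowedInternationalGroups 'All'

# Read the objects back and compare them with the table at the start of Step 4.
Get-UMDialPlan -Identity $DialPlan | Format-List Name, URIType, VoIPSecurity, AccessTelephoneNumbers, Allowed*
Get-UMServer -Identity $UmServer | Format-List Name, DialPlans
Get-UMAutoAttendant -Identity 'OCSAA' | Format-List Name, PilotIdentifierList, Status, SpeechEnabled
```

[FONT=Verdana]The two Set-UMDialPlan calls are separate on purpose: the dialing restriction can only reference a rule group that already exists on the dial plan, which is also why the console has you create the rule under Dial Rule Groups before selecting it under Dialing Restrictions.[/FONT]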
[FONT=Verdana]Although there are a few more steps required to finalize the configuration of the Unified Messaging role, we first need to install and configure Office Communications Server 2007 R2. As such, we will complete the configuration of Unified Messaging later in this documentation.[/FONT]
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 5 – Request a TLS Certificate for Exchange services[/SIZE][/FONT]
[FONT=Verdana]Next, we will need to request a certificate from our Enterprise CA. Since there are a number of services hosted by the Windows 2008 host computer, we will need to request a certificate that contains Subject Alternative Name (SAN) values – one entry for each host name. To do this, we will use the Exchange Management Shell.[/FONT]
[B][FONT=Verdana]A. To create and assign a TLS certificate for Exchange services[/FONT][/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log on to the Windows 2008 computer using the built-in domain Administrator account (Contoso\Administrator)[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click Start, then All Programs, then Microsoft Exchange Server 2007, then open the [B]Exchange Management Shell[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Assuming that the fully qualified domain name (FQDN) of the Windows 2008 host computer is [B]email.contoso.com[/B], enter the following command within the Exchange Management Shell to generate a new certificate request:[/SIZE][/FONT]
[B][FONT=Calibri][SIZE=2]New-ExchangeCertificate -GenerateRequest -Path C:\ExchTLSCert.req -KeySize 1024 -SubjectName "cn=email.contoso.com" -DomainName email.contoso.com, mail.contoso.com, autodiscover.contoso.com, email -PrivateKeyExportable $true[/SIZE][/FONT][/B][*][FONT=Calibri][SIZE=2]Next, within Internet Explorer, type the URL ‘[B][URL]https://email/certsrv[/URL][/B]’ on the address line and press [B]Enter[/B] to connect to the Certificate Authority.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Request a Certificate[/B], then choose [B]Advanced Certificate Request[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Submit a certificate request by using a base-64 encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Using Windows Explorer, open the file [B]ExchTLSCert.req[/B] using [B]Notepad[/B]. Highlight and copy the data from ExchTLSCert.req.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Within Internet Explorer, paste the data from ExchTLSCert.req into the [B]Saved Request[/B] \ ‘[B]Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7)[/B]’ field. Additionally, choose ‘[B]Web Server[/B]’ from the drop-down list of available [B]Certificate Templates[/B]. Click [B]Submit[/B].[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CertRequest_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CertRequest_thumb.jpg[/IMG][/URL][*][FONT=Calibri][SIZE=2]Upon being issued the certificate from the Certificate Authority, choose ‘[B]DER encoded[/B]’ from the available encoding options, and choose ‘[B]Download Certificate[/B]’. Save the certificate as ‘[B]C:\ExchTLSCert.cer[/B]’.[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/certDERencoded_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/certDERencoded_thumb.jpg[/IMG][/URL][*][FONT=Calibri][SIZE=2]After downloading the new certificate, open the Exchange Management Shell again and enter the following command to import the new certificate and assign it to the Exchange services:[/SIZE][/FONT]
[B][FONT=Calibri][SIZE=2]Import-ExchangeCertificate -Path C:\ExchTLSCert.cer | Enable-ExchangeCertificate -Services SMTP,IIS,POP,IMAP,UM[/SIZE][/FONT][/B]
[FONT=Calibri][SIZE=2][I]Note: If you are prompted to replace the current certificate assigned to any of the Exchange roles, choose [A] All to replace the current certificate for all roles.[/I][/SIZE][/FONT][*][FONT=Calibri][SIZE=2]After assigning the certificate, enter the following command to dump a list of Exchange certificates, and verify that your new certificate is correctly assigned to all five Exchange services.[/SIZE][/FONT]
[B][FONT=Calibri][SIZE=2]Get-ExchangeCertificate | fl thumbprint,rootCAType,services,notbefore[/SIZE][/FONT][/B]
[I][FONT=Calibri][SIZE=2]Thumbprint : [B]844D0CC6857F16E9FF7BC424895C97761390E6F2[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]RootCAType : [B]Enterprise[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Services : [B]IMAP, POP, UM, IIS, SMTP [/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]NotBefore : [B]5/11/2009 8:35:58 PM[/B][/SIZE][/FONT][/I][*][FONT=Calibri][SIZE=2]Restart all Exchange services by entering the following command in the Exchange Management Shell:[/SIZE][/FONT]
[FONT=Calibri][SIZE=2][B]Get-Service *exchange* | Restart-Service -Force[/B][/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Finally, verify that all Exchange services were restarted successfully by entering the following command in the Exchange Management Shell:[/SIZE][/FONT]
[FONT=Calibri][SIZE=2][B]test-servicehealth[/B][/SIZE][/FONT][/LIST]
[FONT=Verdana]After completing these steps, you should be able to browse [URL]https://mail.contoso.com/owa[/URL] from a web browser and connect successfully to Outlook Web Access. Since this FQDN appears in the list of Subject Alternative Name (SAN) values assigned to the Exchange certificate, you should [B]not[/B] be prompted with a certificate name mismatch warning, although you may have to enter your credentials to access the web site.[/FONT]
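[FONT=Verdana]A check that goes a little further than step 13 above, as an added example that is not part of the original post: instead of eyeballing the Get-ExchangeCertificate output, it compares the SAN list and service assignment of every enabled certificate against what the lab needs. The host names are the four from the request in step 3 (email.contoso.com, mail.contoso.com, autodiscover.contoso.com, email); the function name is mine. It also flags wildcard names, since the next section points out that OCS 2007 R2 does not accept wildcard certificates.[/FONT]

```powershell
# Added example, not part of the original post: after step 13 above, confirms
# that the certificate enabled for the Exchange services carries every host name
# the lab uses and is assigned to all five services. Assumed values: the host
# names from the walkthrough (email.contoso.com, mail.contoso.com,
# autodiscover.contoso.com, email); add to $RequiredNames if your lab differs.
$RequiredNames    = @('email.contoso.com', 'mail.contoso.com', 'autodiscover.contoso.com', 'email')
$RequiredServices = @('SMTP', 'IIS', 'POP', 'IMAP', 'UM')

# One row per certificate that is enabled for at least one service. MissingNames
# lists required hosts absent from the SAN list (the cause of the name mismatch
# warning described above); MissingServices lists services still bound to some
# other certificate. Wildcard names are flagged because OCS 2007 R2 does not
# accept wildcard certificates.
function Test-ExchangeCertificateAssignment {
    param([string[]]$Names, [string[]]$Services)
    Get-ExchangeCertificate | Where-Object { $_.Services -ne 'None' } | ForEach-Object {
        $cert    = $_
        $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
        $svc     = $cert.Services.ToString()
        $missingNames    = @($Names    | Where-Object { $domains -notcontains $_.ToLower() })
        $missingServices = @($Services | Where-Object { $svc -notmatch ('\b' + $_ + '\b') })
        $wildcards       = @($domains  | Where-Object { $_.StartsWith('*') })

        # Built with Add-Member so the script also runs on the PowerShell 1.0
        # that Exchange 2007 ships with.
        $row = New-Object PSObject
        $row | Add-Member -MemberType NoteProperty -Name Thumbprint      -Value $cert.Thumbprint
        $row | Add-Member -MemberType NoteProperty -Name RootCAType      -Value $cert.RootCAType
        $row | Add-Member -MemberType NoteProperty -Name Services        -Value $svc
        $row | Add-Member -MemberType NoteProperty -Name DaysRemaining   -Value ($cert.NotAfter - (Get-Date)).Days
        $row | Add-Member -MemberType NoteProperty -Name MissingNames    -Value ([string]::Join(', ', [string[]]$missingNames))
        $row | Add-Member -MemberType NoteProperty -Name MissingServices -Value ([string]::Join(', ', [string[]]$missingServices))
        $row | Add-Member -MemberType NoteProperty -Name Wildcards       -Value ([string]::Join(', ', [string[]]$wildcards))
        $row
    }
}

Test-ExchangeCertificateAssignment -Names $RequiredNames -Services $RequiredServices | Format-List
```

[FONT=Verdana]For the certificate requested in this step the expected result is a single row with RootCAType Enterprise, all five services listed, and empty MissingNames, MissingServices and Wildcards fields. A second row with a non-empty Services value means the [A] All answer in the note above was not given and an older certificate still holds one of the services.[/FONT]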
[FONT=Franklin Gothic Demi Cond][SIZE=5]Requesting a UC Certificate[/SIZE][/FONT]
Our next step will be to request a Unified Communications Certificate from a publicly trusted Certification Authority. It is recommended to use a certificate from a publicly trusted CA if you plan to allow external connectivity for your lab; however, this is only technically required if you plan to enable Public IM Connectivity (PIC). Although there are a number of publicly trusted CAs that can provide a UC Certificate (e.g. VeriSign, DigiCert, GoDaddy, Thawte), I chose DigiCert to issue the UC Certificate for my lab.
Before selecting a Certification Authority to issue a UC Certificate, you should consider the following questions:
[LIST][*]How much does it cost to request a new UC Certificate?[*]If I make a mistake, can the certificate be reissued?[*]How many times can the certificate be reissued?[*]Is there any cost involved with reissuing the certificate?[/LIST]
The reason I chose DigiCert is because they offer a very nice web interface for creating a UC Certificate for Exchange 2007, and they allow unlimited corrections/modifications during the lifetime of the certificate. As such, the following step-by-step instructions will describe how to request a UC Certificate from DigiCert.
Please note that while Exchange Server 2007 supports the use of Wildcard Certificates, Office Communications Server 2007 R2 supports either Single Name certificates or Unified Communications/SAN Certificates – [I]not wildcard certificates![/I] And even though you may choose to use an alternate provider, the DigiCert CSR Command Wizard can still be used to generate the certificate request (unless you’re a PowerShell ace and don’t need the help of a pretty interface).
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 1 – Request a UC Certificate from a publicly trusted CA[/SIZE][/FONT]
[B]A. To request a UC Certificate from a publicly trusted Certification Authority[/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log in to the Windows 2008 physical host computer using the [B]built-in Domain Administrator account[/B] (Contoso\Administrator). [/SIZE][/FONT][*][SIZE=2][FONT=Calibri]Launch your web browser and navigate to [/FONT][/SIZE][URL="https://www.digicert.com/easy-csr/exchange2007.htm"][FONT=Calibri][SIZE=2][B]https://www.digicert.com/easy-csr/exchange2007.htm[/B][/SIZE][/FONT][/URL][FONT=Calibri][SIZE=2]. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Complete the SSL CSR Command Wizard using the following certificate details:
[/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Common Name : [B]sip.contoso.com[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Subject Alternative Names : [B]sip.contoso.com, mail.contoso.com, autodiscover.contoso.com, cwa.contoso.com, as.cwa.contoso.com, download.cwa.contoso.com[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Organization : [B]<Legal Name of registered owner of the domain>[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Department : [B]<blank>[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]City : [B]<Your City>[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]State : [B]<Your State>[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Country : [B]<Your Country>[/B][/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Key Size : [B]1024[/B][/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert_thumb.jpg[/IMG][/URL][*][FONT=Calibri][SIZE=2]Click [B]Generate[/B] to create the command that will be used to generate the request from your Exchange 2007 server. [/SIZE][/FONT]
[SIZE=2][FONT=Calibri][B]New-ExchangeCertificate -GenerateRequest -Path c:\sip_contoso_com.csr -KeySize 1024 -SubjectName "c=US, s=South Carolina, l=MyCity, o=David Howe, cn=sip.contoso.com" -DomainName sip.contoso.com, mail.contoso.com, autodiscover.contoso.com, cwa.contoso.com, as.cwa.contoso.com, download.cwa.contoso.com -PrivateKeyExportable $True[/B] [/FONT][/SIZE][*][FONT=Calibri][SIZE=2]Next click Start, then All Programs, then Microsoft Exchange Server 2007, then open the [B]Exchange Management Shell[/B]. [/SIZE][/FONT][*][SIZE=2][FONT=Calibri][B]Copy[/B] the command generated by the SSL CSR Command Wizard, and paste it into the Exchange Management Shell:
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert1_6.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert1_thumb_2.jpg[/IMG][/URL]
[/FONT][/SIZE][*][FONT=Calibri][SIZE=2]After creating the certificate request, open your web browser and navigate to the web site of your chosen publicly trusted Certification Authority. Choose the option to purchase a new Unified Communications (UC) or SAN Certificate.[/SIZE][/FONT]
[FONT=Calibri][SIZE=2][URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert3_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert3_thumb.jpg[/IMG][/URL] [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Choose Unified Communications/SAN certificate, the lifetime (expiry) of the certificate, and your payment preference. [/SIZE][/FONT]
[FONT=Calibri][SIZE=2][URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert4_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert4_thumb.jpg[/IMG][/URL] [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Next, complete the registration process for creating a new account with the provider.[/SIZE][/FONT]
[FONT=Calibri][SIZE=2][URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert5_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert5_thumb.jpg[/IMG][/URL] [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Next, enter the company on behalf of whom you are requesting this certificate, or choose the default value (the name used to register the new account with the provider). [/SIZE][/FONT]
[FONT=Calibri][SIZE=2][URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert6_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert6_thumb.jpg[/IMG][/URL] [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Next, click [B]Start[/B], then [B]All Programs[/B], then [B]Accessories[/B], then launch [B]Notepad[/B]. Open the certificate request file [B]C:\sip_contoso_com.csr[/B], and then highlight and [B]copy[/B] the Base-64-encoded content.[/SIZE][/FONT]
[FONT=Calibri][SIZE=2][URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert2_4.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert2_thumb_3.jpg[/IMG][/URL] [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Next,[B] paste[/B] the Base-64-encoded data into the [B]Certificate Signing Request[/B] field from your provider’s web page, and choose [B]Microsoft Exchange Server[/B] as the server software.[/SIZE][/FONT]
[FONT=Calibri][SIZE=2][URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert7_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert7_thumb_2.jpg[/IMG][/URL] [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]From the information provided in the Base-64-encoded data from your certificate request, verify that the [B]Organization[/B] information for the certificate is correct (highlighted in yellow below). This value should be [B]the legal name of the company or individual who appears as the registered owner of the domain[/B] in the WHOIS database.[/SIZE][/FONT]
[FONT=Calibri][SIZE=2]Note: The CA provider [B][I]will[/I][/B] verify this information before issuing the certificate.[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert8_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert8_thumb_2.jpg[/IMG][/URL][*][FONT=Calibri][SIZE=2]Next, verify your contact information, which will be used to contact you to verify your order and to request proof of ID.[/SIZE][/FONT]
[FONT=Calibri][SIZE=2][URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert9_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert9_thumb_2.jpg[/IMG][/URL] [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Finally, verify your payment information and submit your order.[/SIZE][/FONT]
[FONT=Calibri][SIZE=2][URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert10_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert10_thumb_2.jpg[/IMG][/URL] [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Upon verifying your legal identification as the owner of the registered domain, your certificate (as well as the certificate of the issuing CA) will be issued and emailed to you.[/SIZE][/FONT]
[FONT=Calibri][SIZE=2][URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert11_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert11_thumb_2.jpg[/IMG][/URL] [/SIZE][/FONT][/LIST]
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 2 – Import the issued UC Certificate into the certificate store of the Exchange server[/SIZE][/FONT]
Now that we have received our issued UC Certificate, our next step is to import it into the certificate store of our Windows 2008 physical host computer (Exchange server). It is important to note that this certificate will not be used on this computer; rather, our UC Certificate will be assigned to both our ISA 2006 server and to each of the external interfaces of our OCS 2007 R2 Edge server. Since the certificate was requested from this computer, however, it must first be imported on this computer before it can be used elsewhere.
[B]A. To import a UC Certificate from a publicly trusted Certification Authority[/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log in to the Windows 2008 physical host computer using the [B]built-in Domain Administrator account[/B] (Contoso\Administrator).[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Extract the certificate package (zip file) provided by your Certification Authority to [B]C:\Certificates[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Next click Start, then All Programs, then Microsoft Exchange Server 2007, then open the [B]Exchange Management Shell[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Within the Exchange Management Shell, type [B]cd C:\Certificates[/B] and then press Enter.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Again within the Exchange Management Shell, type [B]import-exchangecertificate -path c:\certificates\sip_contoso_com.cer[/B] to import the certificate into the local computer’s certificate store. Note the thumbprint value of the certificate.[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert12_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert12_thumb_2.jpg[/IMG][/URL][*][FONT=Calibri][SIZE=2]To verify that the certificate was properly imported, type [B]get-exchangecertificate -thumbprint F92984F6873C7726683BBC7E80F8BA090CA25E61 | fl[/B] within the Exchange Management Shell. Note that there are no services assigned to this certificate ([I]expected[/I]).[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert13_4.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert13_thumb.jpg[/IMG][/URL][/LIST]
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 3 – Export the issued UC Certificate with Private Key [/SIZE][/FONT]
Now that our UC Certificate has been properly imported into the certificate store of the requesting computer, it can be exported to be used on other servers. For the purposes of our lab, internal resources like our Exchange server and OCS Pool will be secured using internally issued certificates while external resources like OCS Edge services and web sites published by ISA server will be secured using our external issued certificate.
[B]A. To export a certificate with Private Key from local certificate store[/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log in to the Windows 2008 physical host computer using the [B]built-in Domain Administrator account[/B] (Contoso\Administrator).[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Start[/B], then [B]Run[/B]. Type [B]mmc.exe[/B] and press [B]Enter[/B] to launch the Microsoft Management Console.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]From within the Management Console, click [B]File[/B], then [B]Add/Remove Snap-in…[/B][/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Within the Add/Remove Snap-in dialog box, click [B]Add[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Select the [B]Certificates[/B] snap-in, then click [B]Add[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]When prompted to choose for which account to manage certificates, choose the [B]Computer account[/B]. Click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]When prompted to choose which computer to manage, choose [B]Local Computer[/B], then click [B]Finish[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2][B]Close[/B] the Standalone Snap-in dialog box, then [B]close[/B] the Add/Remove Snap-in dialog box.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Expand [B]Certificates (Local Computer)[/B], then expand the [B]Personal[/B] certificate store.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click on [B]Certificates[/B], then locate and select the UC Certificate that was issued by your public Certification Authority.[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert14_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert14_thumb_2.jpg[/IMG][/URL][*][FONT=Calibri][SIZE=2]From the menu bar click[B] Action[/B], then [B]All Tasks[/B], then select [B]Export[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]At the Welcome to the Certificate Export Wizard screen, click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]At the Export with Private Key screen, choose [B]Yes, export the private key[/B]. Click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]At the Export Format settings, choose [B]Personal Information Exchange – PKCS #12 (.PFX)[/B]. Be sure to also select the option [B]Include all certificates in the certification path if possible[/B], then click [B]Next[/B].[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert15_2.png"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert15_thumb_2.png[/IMG][/URL][*][FONT=Calibri][SIZE=2]Enter a [B]Password[/B] for the export file, then click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Enter an [B]Export Filename[/B] (e.g., [B]c:\Certificates\sip_contoso_com_exported.pfx[/B]) and click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Finish[/B] to complete the certificate export.[/SIZE][/FONT][/LIST]
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 4 – Export a copy of the certificate from the internal Certification Authority[/SIZE][/FONT]
Since neither the ISA 2006 server nor the OCS 2007 R2 Edge server will be joined to the Contoso domain, neither server will trust certificates issued by our internal Certification Authority. As such, we will need to export a copy of the certificate of our internal Certification Authority so that it can be imported on both the ISA 2006 server and the OCS 2007 R2 Edge server.
[B]A. To export a copy of the certificate from the internal Certification Authority[/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log in to the Windows 2008 physical host computer using the [B]built-in Domain Administrator account[/B] (Contoso\Administrator).[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Start[/B], then [B]Run[/B]. Type [B]mmc.exe[/B] and press [B]Enter[/B] to launch the Microsoft Management Console.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]From within the Management Console, click [B]File[/B], then [B]Add/Remove Snap-in…[/B][/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Within the Add/Remove Snap-in dialog box, click [B]Add[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Select the [B]Certificates[/B] snap-in, then click [B]Add[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]When prompted to choose for which account to manage certificates, choose the [B]Computer account[/B]. Click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]When prompted to choose which computer to manage, choose [B]Local Computer[/B], then click [B]Finish[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2][B]Close[/B] the Standalone Snap-in dialog box, then [B]close[/B] the Add/Remove Snap-in dialog box.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Expand [B]Certificates (Local Computer)[/B], then expand the [B]Trusted Root Certification Authorities[/B] certificate store.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click on [B]Certificates[/B], then locate and select the certificate that was issued to your Enterprise CA ([B]ContosoCA[/B]).[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]From the menu bar click [B]Action[/B], then [B]All Tasks[/B], then select [B]Export[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]At the Welcome to the Certificate Export Wizard screen, click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]At the Export Format settings, choose [B]DER encoded binary X.509 (.CER)[/B], then click [B]Next[/B].[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/DER_2.png"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/DER_thumb_2.png[/IMG][/URL][*][FONT=Calibri][SIZE=2]Enter an [B]export filename[/B] (e.g., [B]c:\Certificates\ContosoCA.cer[/B]) and click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Finish[/B] to complete the certificate export.[/SIZE][/FONT][/LIST]
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 5 – Remove the UC Certificate from the Exchange server[/SIZE][/FONT]
Next, we will remove the certificate from our publicly trusted Certification Authority from the Exchange server. Since OWA traffic will route inbound via ISA, and since inbound SMTP connections from the Internet will not be secured using TLS, this certificate is unneeded on the Exchange server. Unless you have a specific reason for leaving it on the Exchange server (for example, if you plan to directly service inbound OWA requests without using a reverse proxy like ISA server), I suggest removing the certificate to reduce overall complexity.
[B]A. To remove the UC Certificate from the Exchange server[/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log in to the Windows 2008 physical host computer using the [B]built-in Domain Administrator account[/B] (Contoso\Administrator).[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click Start, then All Programs, then Microsoft Exchange Server 2007, then open the [B]Exchange Management Shell[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Within the Exchange Management Shell, type [B]remove-exchangecertificate -thumbprint F92984F6873C7726683BBC7E80F8BA090CA25E61[/B] and then press Enter. Choose [B]A[/B] to remove the certificate for all services.[/SIZE][/FONT]
[URL="http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert16_2.jpg"][IMG]http://blogs.technet.com/blogfiles/daveh/WindowsLiveWriter/HowtoimplementafullyworkingExchange2007O_6055/CreateUCCert16_thumb_2.jpg[/IMG][/URL][*][FONT=Calibri][SIZE=2]Close the Exchange Management Shell.[/SIZE][/FONT][/LIST]
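The certificate workflow of Steps 1 through 5 (request, import, PFX export, internal CA export, removal) as one Exchange Management Shell script, added here as an example and not the post's own commands. It assumes Exchange 2007 SP1 cmdlet syntax (Import-ExchangeCertificate -Path, Export-ExchangeCertificate -Path), the post's SAN list and file paths, and an Enterprise CA named ContosoCA.

```powershell
# Added example, not from the original post: Steps 1-5 (request, import, export
# PFX, export the internal CA certificate, remove) as one Exchange 2007 SP1
# Management Shell script with checks the wizard leaves to the eye.
# Assumed: the post's SAN list and paths, an Enterprise CA named ContosoCA.

$CertDir   = 'C:\Certificates'
$Subject   = 'c=US, s=South Carolina, l=MyCity, o=David Howe, cn=sip.contoso.com'
$SanList   = 'sip.contoso.com', 'mail.contoso.com', 'autodiscover.contoso.com',
             'cwa.contoso.com', 'as.cwa.contoso.com', 'download.cwa.contoso.com'
$CsrPath   = Join-Path $CertDir 'sip_contoso_com.csr'
$IssuedCer = Join-Path $CertDir 'sip_contoso_com.cer'   # delivered by the CA
$PfxPath   = Join-Path $CertDir 'sip_contoso_com_exported.pfx'
$CaCerPath = Join-Path $CertDir 'ContosoCA.cer'

if (-not (Test-Path $CertDir)) { New-Item -ItemType Directory -Path $CertDir | Out-Null }

# Step 1: generate the CSR. The post uses -KeySize 1024; 2048 is used here
# because public CAs no longer sign 1024-bit keys.
function New-UcCertRequest {
    New-ExchangeCertificate -GenerateRequest -Path $CsrPath -KeySize 2048 `
        -SubjectName $Subject -DomainName $SanList -PrivateKeyExportable $true
    Get-Content $CsrPath     # the Base-64 block to paste into the CA's CSR field
}

# Step 2: import the issued certificate and prove it is the one we asked for.
function Import-UcCert {
    $imported = Import-ExchangeCertificate -Path $IssuedCer
    $cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
    # A SAN the CA dropped shows up later as a TLS name mismatch on Edge or ISA;
    # better to fail here while the order can still be corrected.
    $missing = $SanList | Where-Object { $cert.CertificateDomains -notcontains $_ }
    if ($missing) { throw "Issued certificate lacks SAN(s): $($missing -join ', ')" }
    if (-not $cert.HasPrivateKey) { throw 'No private key: import on the host that made the CSR' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Expires $($cert.NotAfter)" }
    if ($cert.Services -ne 'None') { Write-Warning "Already bound to services: $($cert.Services)" }
    return $cert
}

# Step 3: export certificate plus private key as a password-protected PFX.
# The PFX is the private key: copy it to ISA/Edge over a trusted channel and
# delete every copy that stays behind on the host.
function Export-UcCertPfx([string]$Thumbprint) {
    $pw = Read-Host 'Password for PFX export' -AsSecureString
    Export-ExchangeCertificate -Thumbprint $Thumbprint -BinaryEncoded:$true `
        -Path $PfxPath -Password $pw
}

# Step 4: write the internal CA's certificate (DER .cer) from the local
# Trusted Root store. On the non-domain-joined ISA and Edge servers it is then
# installed with: certutil -addstore -f Root C:\Certificates\ContosoCA.cer
function Export-InternalCaCert {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadOnly')
    $ca = $store.Certificates | Where-Object { $_.Subject -like '*CN=ContosoCA*' } | Select-Object -First 1
    $store.Close()
    if (-not $ca) { throw 'ContosoCA certificate not found in the Trusted Root store' }
    [System.IO.File]::WriteAllBytes($CaCerPath, $ca.Export('Cert'))
}

# Step 5: remove the public certificate from Exchange, but only after the
# PFX export exists; a removed key cannot be recovered from the .cer alone.
function Remove-UcCert([string]$Thumbprint) {
    if (-not (Test-Path $PfxPath)) { throw "Refusing to remove: no export at $PfxPath" }
    Remove-ExchangeCertificate -Thumbprint $Thumbprint -Confirm:$false
}

# Order of use (Step 1 runs before the CA issues the certificate):
#   New-UcCertRequest ; $cert = Import-UcCert ; Export-UcCertPfx $cert.Thumbprint
#   Export-InternalCaCert ; Remove-UcCert $cert.Thumbprint
```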
[FONT=Franklin Gothic Demi Cond][SIZE=5]Configuring OCS 2007 R2 Front End[/SIZE][/FONT]
Having completed the installation of Exchange 2007 SP1, we now need to focus on installing Office Communications Server 2007. We will start by installing the Standard Edition Front End server role.
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 1 – Connect to the Virtual Machine that will host the OCS 2007 R2 Front End server[/SIZE][/FONT]
Our first task will be to configure one of the virtual machines to host the OCS 2007 R2 Front End server role. To do this, we will need to connect to the Windows 2008 host computer and launch the Server Manager console. Expand the Hyper-V role, and verify that the virtual machine for the OCS Front End server was created with the following specifications:[INDENT]
[B]Role[/B] OCS 2007 R2 Front End
[B]Memory[/B] 1024MB
[B]Network[/B] One (1) Virtual NIC
[B]Hard Disk[/B] 16GB Virtual Hard Disk
[B]OS Version[/B] Windows Server 2003 SP2 ([COLOR=#ff0000]x64[/COLOR])
[B]FQDN[/B] OCS-R2.contoso.com [B][I](domain-joined)[/I][/B]
[B]IP Address[/B] 192.168.1.11
[/INDENT]To configure the server, double-click on the Front End virtual machine within the Hyper-V section of the Server Manager console.
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 2 – Run Prep Schema for OCS 2007 R2[/SIZE][/FONT]
Our next task will be to prepare the Active Directory schema for Office Communications Server 2007 R2.
[B]A. Prepare the Active Directory schema [/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log on to the [B]OCS 2007 R2 Front End[/B] virtual machine as the [B]built-in Domain Administrator account[/B] (Contoso\Administrator).[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Launch Windows Explorer, and navigate to the [B]\Install\setup\amd64\[/B] folder.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Double-click [B]SetupSE.exe[/B], the setup program for the Standard Edition version of OCS 2007 R2.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Any machine running the Setup for the first time will be prompted to install the Microsoft Visual C++ SP1 Redistributable and Microsoft .NET Framework 3.5 SP1. Choose [B]Yes[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the Deployment Wizard page, click [B]Prepare Active Directory[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the Prepare Active Directory for Office Communications Server page, next to [B]Step 1: Prep Schema[/B], click [B]Run[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the Welcome page, click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Note the Warning you receive concerning your data in the System container and the recommendation for using the Configuration container in Active Directory. Unless you have a specific reason for using the System container, choose the [B]Configuration[/B] naming context to store your Global Settings.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]OK[/B] on the Warning.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the Directory Location of Schema Files page, click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the Ready to Prepare Schema page, click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the Completion page, select the [B]View the log when you click Finish[/B] check box, and then click [B]Finish[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Switch to the [B]Deployment Log[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the far right, click [B]Expand All[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]In the [B]Execution Result[/B] column, to confirm that the Prep Schema operation completed successfully, verify that each task’s result is [B]Success[/B]. Close the Deployment Log window.[/SIZE][/FONT][/LIST]
[FONT=Franklin Gothic Demi Cond][SIZE=3]Step 3 – Run Prep Forest for OCS 2007 R2[/SIZE][/FONT]
After successfully extending our schema, the next step is to prepare the Active Directory forest for Office Communications Server 2007 R2.
[B]A. Prepare the Active Directory forest[/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log on to the [B]OCS 2007 R2 Front End[/B] virtual machine as the [B]built-in Domain Administrator account[/B] (Contoso\Administrator).[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Launch Windows Explorer, and navigate to the [B]\Install\setup\amd64\[/B] folder.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Double-click [B]SetupSE.exe[/B], the setup program for the Standard Edition version of OCS 2007 R2.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the Deployment Wizard page, next to [B]Step 3: Prep Forest[/B], click [B]Run[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the Welcome page, click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the Select Location to Store Global Settings page, click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the Location of Universal Groups page, verify that [B]contoso.com[/B] is selected in the [B]Domain[/B] drop-down list, and then click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the SIP domain used for default routing page, verify that [B]contoso.com[/B] is selected in the [B]Select SIP domain[/B] drop-down list, and then click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the Ready to Prepare Forest page, click [B]Next[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the Completion page, select the [B]View the log when you click Finish[/B] check box, and then click [B]Finish[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Switch to the Deployment Log.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]On the far right, click [B]Expand All[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]In the [B]Execution Result[/B] column, to confirm that the Prep Forest operation completed successfully, verify that each task’s result is [B]Success[/B]. Close the Deployment Log window.[/SIZE][/FONT][/LIST]
[B]B. Modify membership of RTCUniversalServerAdmins group[/B]
[LIST=1][*][FONT=Calibri][SIZE=2]Log on to the Windows 2008 computer as the [B]built-in Domain Administrator account[/B] (Contoso\Administrator). [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click [B]Start[/B], point to [B]Administrative Tools[/B], and then click [B]Active Directory Users and Computers[/B].[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Expand the domain [B]contoso.com[/B], then click on the [B]Users[/B] container.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Locate and open the properties of the [B]RTCUniversalServerAdmins[/B] group.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click on the [B]Members[/B] tab.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Verify that the [B]built-in Domain Administrator account[/B] (Contoso\Administrator) is a member of this group, otherwise [B]Add[/B] it. [/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Click[B] OK[/B] to complete the configuration of the [B]RTCUniversalServerAdmins[/B] group.[/SIZE][/FONT][*][FONT=Calibri][SIZE=2]Close [B]Active Directory Users and Computers[/B].[/SIZE][/FONT][/LIST]
[/LEFT]