runisaserver

isaserver  Date: 2021-04-04

Microsoft Office Communicator Web Access Planning and Deployment Guide

Published: April 2006

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2006 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Internet Explorer, Windows, Windows NT, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction
Overview
Communicator Web Access
Comparing Communicator Web Access and Communicator 2005
Reference Architecture
Other Components in a Communicator Web Access Deployment
Planning
Active Directory Considerations
Supported Topologies
Reference Topology
Colocation with Live Communications Server
Multiple-Domain Topologies
Multiple Forest Topologies
Internal and External Web Access on a Single Server
Branch Office Topologies
Federation
Communicator Web Access Requirements
Supported Server Operating Systems
Supported Client Operating Systems
Supported Client Browsers
Client Interoperability
Server Requirements
Server Hardware Requirements
Additional Infrastructure Information
Planning Certificates
Planning for Communicator Web Access Certificates
Planning for Live Communications Server Certificates
Planning Certificates for Hardware Load Balancing
Planning for ISA Server 2004 Certificates
Authentication and Authorization
Pop-up Blockers
Cookies
Capacity Planning
Increasing Capacity
Performance Considerations
Availability Planning
Planning for High Availability
Load Balancing
Disaster Recovery Planning
Standby Recovery Server
Transitioning Service from a Failed Server to a Standby Server
Deployment
Communicator Web Access Setup Overview
Preparation
Preparing the Server for Installation
Preparing Certificates for Communicator Web Access
Installing Communicator Web Access
Installing Communicator Web Access by Using the Deployment Tools
Creating Additional Virtual Servers
Enabling the AJAX Service for Communicator Web Access
Installing Communicator Web Access by Using the Command Line
Preparing Clients and Signing in to Communicator Web Access
Signing in to Communicator Web Access
JavaScript Signing for Mozilla and Firefox Browsers
Configuring Search
Search Results
Manually Configuring Attribute Replication to the Global Catalog Server
Configuring ISA Server 2004
Prerequisites
Install ISA Server 2004
Configure Certificates on the ISA Server Firewall
Create the External Communicator Web Access Virtual Server
Configure the ISA Server
Management and Operations
Managing the Communicator Web Access Server
Managing Virtual Servers
Monitoring
Removing Communicator Web Access
Appendixes
Appendix 1: Accounts
Accounts Created by Communicator Web Access Setup
Administrator Groups
Appendix 2: Enabling Activation Without Using Domain Admins Credentials
Appendix 3: WMI Settings
Appendix 4: Configuring IIS 6.0

Introduction

Microsoft Office Communicator Web Access is a browser-based client for Microsoft Office Live Communications Server 2005 with SP1. Live Communications Server provides a stable, extensible, enterprise-ready instant messaging (IM) and presence awareness platform that is based on the SIP (Session Initiation Protocol) and SIMPLE (SIP IM and Presence Leveraging Extensions) standards.

This guide helps you plan and deploy Communicator Web Access for your organization. The guide covers the following topics:
- Evaluating your environment for the deployment and use of Communicator Web Access.
- Network infrastructure, hardware, and administrative considerations.
- Considerations for designing a highly reliable and consistently available Communicator Web Access instant messaging system, including performance tuning, security considerations, and capacity.
- Steps for installing Communicator Web Access server, configuring the server, and preparing clients.
- Management and operations options, including monitoring.

This guide assumes that you have already installed Live Communications Server 2005 SP1. For detailed information, see the technical documentation for Live Communications Server 2005, available at http://office.microsoft.com/en-us/FX011526591033.aspx.

Overview

Presence awareness is the ability to detect another user's availability on one or more devices. By using Live Communications Server 2005, enterprises comprising as many as tens of thousands of users can track and manage presence information and IM. A user's presence is reported as a status, such as "Online," "Away," or "Busy." Presence, more than any other factor, has propelled instant messaging to the level of a necessity. Your organization can also use the federation features in Live Communications Server to extend IM and presence information to remote users and trusted customers, suppliers, and partners. By using Communicator Web Access, employees who are working offsite can collaborate in real time with their onsite colleagues without having to go through a VPN (virtual private network).

This section describes Communicator Web Access and compares the two Live Communications Server 2005 clients, Communicator Web Access and Microsoft Office Communicator 2005. It also presents a reference architecture for supporting Communicator Web Access in an existing deployment of Live Communications Server 2005 with SP1.

Communicator Web Access

Microsoft Office Communicator Web Access enables users to access the instant messaging and presence features in Live Communications Server through a Web browser, without requiring client-side software or a VPN (virtual private network) connection. Users, who may be connecting to Communicator Web Access either within the corporate network or through the Internet, simply enter a Uniform Resource Identifier (URI), for example, imserver.contoso.com, in a supported Web browser. For a list of supported browsers, see "Supported Client Browsers" later in this guide.

Communicator Web Access offers the following features:
- Web access – Users can access the IM and presence features in Live Communications Server 2005 SP1 through any supported Web browser.
- Instant messaging – Communicator Web Access users can initiate an IM conversation with one or more other users in the organization.
- Presence – Communicator Web Access users can determine the status of other SIP users and update their own presence information.
- Personal notes – A user can publish a personal note that is displayed along with the user's presence information.
- Extensive contact management – Users can add contacts to a contact list, tag contacts to be notified when those contacts' presence status changes, and organize listed contacts into groups.
- Federation – When federation is enabled in Microsoft Office Live Communications Server 2005 with SP1, Communicator Web Access users can view the presence of users in external organizations and send instant messages to those users.
- Multiple browser and operating system support – Users with Windows-based and non-Windows-based browsers and operating systems can use Communicator Web Access. For details about supported operating systems, see "Supported Client Operating Systems" and "Supported Client Browsers" later in this guide.
- Zero installation – Users connect to Communicator Web Access through a supported browser. Communicator Web Access does not require the installation of any ActiveX controls.
- Digital certificate security (MTLS/SSL) – HTTP traffic and traffic between the Communicator Web Access server and the Live Communications Server can be secured with SSL.
- User search – The Communicator Web Access server connects to the Microsoft Active Directory directory service. By using the Find feature of Communicator Web Access, users can search for other users who are enabled for SIP communications. The Find feature queries the user's local contacts and Active Directory. Unlike Communicator, however, Communicator Web Access does not query the Live Communications Server Address Book.

Communicator Web Access is a client for Live Communications Server 2005 with SP1. Communicator Web Access provides access to Live Communications Server instant messaging and presence features through a Web browser; beyond a supported Web browser, no additional installation is required on the client. Communicator 2005, another client for Live Communications Server, is a client-side application that provides access to Live Communications Server collaboration features, including instant messaging, video conferencing, telephony, application sharing, and file transfer.

Comparing Communicator Web Access and Communicator 2005

Communicator Web Access provides browser-based access to the instant messaging and presence features of Live Communications Server. Communicator Web Access shares some of the essential features and configuration settings of Communicator 2005. Table 1 compares the features available in each client.

Table 1. Feature Comparison Between Communicator 2005 and Communicator Web Access

Feature | Communicator | Communicator Web Access
Instant Messaging with one or more contacts | ✓ | ✓
Application sharing | ✓ |
Whiteboard sessions | ✓ |
File or photo transfer | ✓ |
Audio communication | ✓ |
Video communication | ✓ |
Communication with MSN, AOL and Yahoo! users, if supported by your organization's Live Communications Server deployment (separate license required) | ✓ | ✓
Communication with organizations that are federated through Live Communications Server | ✓ | ✓ [1]
Free and busy calendar information in status | ✓ | ✓
Incoming IM pop-up notification ("Toast") | ✓ | ✓
Personal note | ✓ | ✓ [2]
Automatic "Away" status after a period of inactivity | ✓ | ✓ [3]
Access for users outside of the corporate network without connecting through a VPN | ✓ [4] | ✓
Zero client installation | | ✓
Support for other operating systems and browsers | | ✓

[1] Information from a user's Outlook calendar is available in Communicator Web Access only if the user signs in to Communicator 2005 before Communicator Web Access, and then runs both Communicator Web Access and Communicator 2005 simultaneously.
[2] As long as the user runs both Communicator and Communicator Web Access simultaneously, if the user's Out of Office Assistant is enabled and the user has not entered a personal note, the Out of Office Assistant information will display as a personal note.
[3] Like other browser-based applications, Communicator Web Access cannot detect activity in other client applications. Therefore, if the user is inactive in Communicator Web Access, the user may still be using other applications, but Communicator Web Access cannot detect this activity and changes the user's status to "Away" after a user-configurable period of time, by default 15 minutes.
[4] Remote Communicator users can connect directly to their Live Communications Server domain through an Access Proxy if the domain has been enabled for remote user access.

The main page in both clients is similar, with the user's status at the top, a search frame, and a contact list. Additional contact information is available in the pane at the bottom of the page. The Communicator Web Access and Communicator main pages are shown in Figure 1.

Figure 1. Communicator Web Access and Communicator Main Pages (panels: Communicator Web Access, Communicator)

There are also similarities in the Conversation windows. The Communicator Web Access (left) and Communicator Conversation windows are shown in Figure 2.

Figure 2. Communicator Web Access and Communicator Conversation Windows (panels: Communicator Web Access, Communicator)

Reference Architecture

Communicator Web Access is an extension of your existing Live Communications Server 2005 SP1 deployment.
Generally, you install Communicator Web Access server software on servers inside your corporate network and configure them so that both internal users and remote users have access. The Communicator Web Access server provides contact list and instant messaging features. Figure 3 shows a typical Communicator Web Access architecture. In this architecture, remote users connect through the Internet by using a URI, for example https://.contoso.com. The firewall routes incoming traffic to the Communicator Web Access server or array of servers, which in turn connects to Live Communications Server to provide presence and instant messaging features.

Figure 3: Communicator Web Access Architecture

Figure 3 shows internal users connecting to the internal Communicator Web Access server array behind a load balancer. The pool/load balancer can be replaced with a single server for more modest deployments. Internal users are physically separated from remote users by deploying both an internal and external pool to handle internal and external requests, respectively. Remote users access the external pool by the SSL-published Communicator Web Access external site on the reverse proxy server. Only one of the many firewall configurations that Communicator Web Access supports is shown. Communicator Web Access supports any firewall or reverse proxy configuration for creating the Perimeter Network, including ISA Server 2000, ISA Server 2004, and other firewall and reverse proxy solutions. See the following link for additional information about ISA Server.

ISA Server: http://www.microsoft.com/isaserver/default.mspx

Other Components in a Communicator Web Access Deployment

In addition to Communicator Web Access, the reference architecture consists of the components described in the following sections.

Live Communications Server SP1

Live Communications Server manages client connections, presence, and other real-time communication features like instant messaging.

Active Directory

The Live Communications Server environment has a strong dependency on Active Directory. As you are aware from deploying Live Communications Server 2005, Active Directory is used for authenticating, authorizing, provisioning, and configuring Live Communications Server. In Communicator Web Access and Communicator 2005, Active Directory supplies the enterprise address list to facilitate search-based lookups.

Firewalls

Firewall software helps protect your network against Internet attackers and enables your computers to connect to the Internet. By using a firewall application such as ISA Server, you can securely publish your Communicator Web Access servers to remote users. The firewall is the first computer Internet intruders try to attack because it is directly connected to the Internet. For this reason, the firewall computer itself should be configured as securely as possible, and perform only duties directly related to intrusion prevention and detection.

Load Balancer

A load balancer is used with Communicator Web Access/Live Communications Server to distribute user traffic in the following cases:
- Multiple Communicator Web Access servers
- Multiple Live Communications Server 2005 SP1, Enterprise Edition Servers forming a pool
- Multiple Live Communications Server 2005 SP1, Directors
- Multiple Live Communications Server 2005 SP1, Access Proxies

See the Configuring Load Balancing Topologies section for more information.

Internet Information Services 6.0

Internet Information Services (IIS) 6.0 is the Web server, available in all versions of the Microsoft Windows Server 2003 operating system, used to host Communicator Web Access. IIS 6.0 introduces many features that can help increase the reliability, manageability, scalability, and security of your Communicator Web Access deployment.

.NET Framework Version 2.0

Communicator Web Access was developed using the Microsoft .NET Framework Version 2, which represents a significant milestone for the Web services and XML Serialization stack in the .NET Framework.

ASP.NET 2.0

Microsoft ASP.NET 2.0, part of the .NET Framework 2.0, is the newest ASP.NET version. Version 2.0 provides both developers and Web site administrators new and improved features. Communicator Web Access is built upon ASP.NET 2.0, and together with Microsoft Internet Information Services (IIS) 6.0 and the Microsoft .NET Framework 2.0, provides easier and more powerful deployment, configuration, and maintenance of Web sites and applications. The new administrative Web site included with ASP.NET 2.0 is a secure Web interface that enables you to easily administer and configure Communicator Web Access for scalability and performance.

Ports Used by Communicator Web Access

For purposes of configuring firewalls or troubleshooting communications issues, it may be useful to know the TCP ports that Communicator Web Access uses. The ports used are summarized below.

Incoming Ports:
- TCP port 80 (HTTP) or TCP port 443 (HTTPS), depending on how the virtual server (Web access server) is configured
- Dynamic port for incoming traffic from Live Communications Server (Communicator Web Access listens on a random port)

Outgoing Ports:
- TCP port 3268 (LDAP) on the global catalog server
- TCP port 389 (LDAP) on the domain controller
- TCP port 5061 (MTLS) on the server or pool running Live Communications Server

Planning

This section discusses considerations for planning your Communicator Web Access deployment. It covers the following topics:
- Active Directory
- Topologies
- System requirements
- Certificates
- Authentication and authorization
- Capacity
- Availability
- Disaster recovery

Active Directory Considerations

Communicator Web Access does not impose any additional requirements on your Active Directory design. If you have already deployed Live Communications Server, your Active Directory topology already meets the requirements of Communicator Web Access. In an organization with multiple forests and domains, you must ensure that the Communicator Web Access server and Live Communications Server 2005 SP1 are deployed in the same Active Directory forest and domain. For information about Active Directory planning for Live Communications Server, see the Live Communications Server 2005 Active Directory Preparation document in the Deployment Resources area at: http://www.microsoft.com/office/livecomm.

Supported Topologies

This section describes various topologies supported for Communicator Web Access:
- Reference topology
- Communicator Web Access on the same server as Live Communications Server
- Multiple domains
- Multiple forests
- Internal and external Communicator Web Access on the same server
- Branch offices
- Federation

Reference Topology

The reference topology is shown in Figure 3 earlier in this guide. In the reference topology, an array of Communicator Web Access servers is deployed for internal users, who connect from within the corporate network. A separate Communicator Web Access server array supports remote users, including users at a branch office and users who connect from other remote locations (for example, home or an airport kiosk). This topology provides physical separation between traffic originating from internal users and the Internet, which provides security benefits.

Access to each Communicator Web Access server is provided by a virtual server (also called a Web access server) that is configured for either internal or external access. A separate virtual server for each type of access is required because the requirements for external connections are different from those for internal connections. The following are some examples of these differences:
- Internal access – Internal users may be authenticated through Integrated Windows Authentication; remote users must use forms-based authentication. Internal users can take advantage of single sign-on, so they are not required to be authenticated again when they connect to Communicator Web Access after they have already been authenticated on the network.
- External access – Users must use forms-based authentication in order to gain access. Communicator Web Access also checks whether the user is allowed to connect to Live Communications Server from outside the corporate network, a setting that is configured for the user in Active Directory. In addition, the external Web access server enforces timeouts after a period of inactivity (for example 15 minutes) in case the user is using a public computer.

The reference topology contains two hardware load balancers to distribute load among the servers in the internal pool and the external pool. If the deployment is greater than the capacity of one Communicator Web Access server, then multiple servers and a load balancer must be deployed.

Colocation with Live Communications Server

Deployment costs can be reduced by colocating server roles. Locating Microsoft Office Communicator Web Access on the same server as Live Communications Server 2005 SP1, Standard Edition or Enterprise Edition, is supported. However, whenever possible, you should deploy each server role on a separate physical server. Active Directory contains a single entry for the physical server, even if both server roles are running on the server. Deactivating one of the server roles removes the physical server entry in Active Directory, and consequently, both server roles become unavailable. Therefore, you should deactivate one of the roles only if you intend to remove both server roles.

Multiple-Domain Topologies

Small and medium organizations typically deploy a single forest, single domain Active Directory topology. In larger organizations, a multiple domain topology is common, in which there is a single root domain and several child domains. In a multiple domain topology, it is important to deploy the Communicator Web Access server in the same domain as Live Communications Server. Requirements and support for multiple domain topologies are dictated by Live Communications Server 2005 with SP1, and Communicator Web Access imposes no additional requirements on your Active Directory deployment. For details about deploying Active Directory for Live Communications Server, see the Live Communications Server 2005 with SP1 Active Directory Preparation guide at http://www.microsoft.com/downloads/details.aspx?FamilyId=F6F5C288-1AFB-41EC-9A09-1279E93F9BA9&displaylang=en.

Multiple Forest Topologies

In a multiple forest topology, it is important to deploy the Communicator Web Access server in the same forest and domain as Live Communications Server. In addition, ensure that the appropriate user attributes are synchronized across domains so that authorization and search features function properly. If you have deployed LCSSync to synchronize Live Communications Server attributes across domains, all of the attributes that are required for Communicator Web Access will be synchronized by default. If you use another method for synchronizing forests—for example, using a tool such as GALSync or deploying a resource forest and provisioning changes across forests—you must make sure that the required attributes are replicated to each forest. The attributes that LCSSync maps to contact objects are listed in the Live Communications Server with SP1 Resource Kit. See "Deploying in a Multiple Forest Environment" in the LCSSync folder. The resource kit is available at http://www.microsoft.com/downloads/thankyou.aspx?familyId=d21c38e5-5d8f-44c7-ba17-2cc4f85d8b51&displayLang=en.

Internal and External Web Access on a Single Server

To reduce deployment costs, you can host both internal and remote users on a single Communicator Web Access server. By using the application isolation feature that is provided by IIS 6.0, you can run two instances of Communicator Web Access on a single server. You can create one virtual server instance during Communicator Web Access setup, and after setup is complete you can create other virtual server instances in Communicator Web Access Manager.

Note: Although this scenario reduces hardware costs, it is recommended only for small deployments. Deploying two separate servers for physical isolation is the most secure mechanism and is recommended when your budget permits.

In general, the same deployment guidelines that apply to other Communicator Web Access topologies also apply to the single server scenario. However, the following considerations apply specifically to using a single server for both internal and external access:
- Two virtual servers cannot share the same IP address and listen on the same port; therefore, you must differentiate them either by IP address or by port number.
- If both virtual servers use the same IP address, you will need to differentiate them by port number. Many proxy servers accept SSL traffic only on port 443; therefore, you may need to configure the external virtual server with port 443.
- You must configure your firewall/reverse proxy to map to the appropriate port for each virtual server.
- Although server isolation reduces security risk, it is still possible for the server to be compromised, which would impact both external and internal users. In contrast, using a separate external server would limit the impact of an attack on the external server to remote users only.

Figure 4 shows an example of a single Communicator Web Access server that is used for both internal and external access.

Figure 4. External and Internal Access on a Single Server

In Figure 4, the Communicator Web Access server contains an internal virtual server and an external virtual server that share the same IP address. The internal virtual server uses port 443, and the external virtual server uses port 444. The firewall/reverse proxy server is configured to redirect incoming SSL traffic bound for port 443 to port 444 on the Communicator Web Access server.

This example represents a way to configure the scenario so that neither internal users nor remote users need to specify a port when entering a URI to connect to Communicator Web Access. The internal virtual server is configured to accept internal requests over the default SSL port 443. Likewise, the firewall is configured to accept external requests over the default SSL port 443, but it then redirects the requests to the external virtual server.

If you decide to use different port numbers, users may need to specify the port number when entering the Communicator Web Access URL. For example, if you use port 444 on the internal server, users would need to specify the port number by typing https://im.contoso.com:444.

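
The single-server considerations and the Figure 4 port layout described above can be checked mechanically before deployment. The following is an added example, not part of the Microsoft guide or of any Communicator Web Access tool; the class names, finding codes, server names and the 192.0.2.10 address are assumptions made up for the illustration.

```python
from dataclasses import dataclass

DEFAULT_SSL_PORT = 443  # port a browser uses for https:// when none is typed


@dataclass(frozen=True)
class VirtualServer:  # hypothetical model of one Web access (virtual) server
    name: str
    role: str   # "internal" or "external"
    ip: str
    port: int
    auth: str   # "integrated" (Integrated Windows) or "forms"


@dataclass(frozen=True)
class PublishRule:  # hypothetical model of one firewall/reverse-proxy mapping
    listen_port: int   # port accepted from the Internet
    target_ip: str
    target_port: int   # port on the Communicator Web Access server


def check_plan(servers, rules):
    """Return (code, message) findings; an empty list means the plan passes."""
    findings = []
    bindings = {}  # (ip, port) -> first virtual server bound there

    for vs in servers:
        key = (vs.ip, vs.port)
        if key in bindings:
            # Two virtual servers cannot share the same IP address and port.
            findings.append(("CONFLICT",
                             f"{vs.name} and {bindings[key].name} both bind {vs.ip}:{vs.port}"))
        else:
            bindings[key] = vs
        if vs.role == "external" and vs.auth != "forms":
            # Remote users must use forms-based authentication.
            findings.append(("AUTH", f"{vs.name} must use forms-based authentication"))
        if vs.role == "internal" and vs.port != DEFAULT_SSL_PORT:
            findings.append(("PORT", f"internal users must type :{vs.port} for {vs.name}"))

    published = set()
    for rule in rules:
        key = (rule.target_ip, rule.target_port)
        published.add(key)
        target = bindings.get(key)
        if target is None:
            findings.append(("UNMAPPED", f"rule targets {key[0]}:{key[1]}, where nothing listens"))
        elif target.role != "external":
            # Internet traffic must land on the external virtual server only.
            findings.append(("EXPOSED", f"rule publishes internal virtual server {target.name}"))
        if rule.listen_port != DEFAULT_SSL_PORT:
            findings.append(("PORT", f"remote users must type :{rule.listen_port}"))

    for vs in servers:
        if vs.role == "external" and (vs.ip, vs.port) not in published:
            findings.append(("UNPUBLISHED", f"no rule maps to {vs.name} on {vs.ip}:{vs.port}"))
    return findings


def codes(findings):
    """Sorted, de-duplicated finding codes, convenient for comparisons."""
    return sorted({code for code, _ in findings})


# Constructed sample plans. 192.0.2.10 is a documentation address.
FIGURE_4_PLAN = (
    [VirtualServer("cwa-int", "internal", "192.0.2.10", 443, "integrated"),
     VirtualServer("cwa-ext", "external", "192.0.2.10", 444, "forms")],
    [PublishRule(443, "192.0.2.10", 444)],
)
BROKEN_PLAN = (
    [VirtualServer("cwa-int", "internal", "192.0.2.10", 443, "integrated"),
     VirtualServer("cwa-ext", "external", "192.0.2.10", 443, "integrated")],
    [PublishRule(443, "192.0.2.10", 443)],
)

if __name__ == "__main__":
    for label, (servers, rules) in (("figure 4", FIGURE_4_PLAN), ("broken", BROKEN_PLAN)):
        results = check_plan(servers, rules)
        print(label, "->", "OK" if not results else "")
        for code, message in results:
            print(f"  {code}: {message}")
```
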
Branch Office Topologies

Many large organizations are reducing IT expenses associated with branch offices by centralizing the technical support staff and consolidating servers in a data center. This branch office topology is practicable if there is fast, reliable network connectivity between the data center and most of the remote branch offices. With the appropriate network connectivity, users can have a direct connection to the corporate network, or they can tunnel through the Internet as remote users.

If network connectivity between the data center and a remote office is slow or unreliable, the branch office may need to deploy its own local server. For Communicator Web Access, this would mean deploying an HTTP proxy or a Communicator Web Access server in the branch office.

Regardless of the assumed quality of the network connection, the bandwidth and latency between the data center and any branch office cannot be guaranteed. Therefore, you should always design a system that can accommodate slow, unreliable network connections. One of the factors you must account for is that connections to the Communicator Web Access server from other organizations or over the Internet will probably pass through one or more HTTP proxy servers. HTTP proxies are not necessarily designed to keep HTTP connections open for long periods of time. Such connections can be considered abnormal and can be terminated at any time. For this reason, when planning your topology, take into consideration the HTTP proxies in the path between client and server.

For more information about branch office topologies in Live Communications Server deployments, see the Live Communications Server 2005 Planning Guide, which is available from the Live Communications Server Deployment Resources page at http://office.microsoft.com/en-us/FX011450741033.aspx.

Federation

When federation is enabled in Microsoft Office Live Communications Server 2005 with SP1, Communicator Web Access users can view presence and send instant messages to users of MSN, AOL, Yahoo! instant messaging, in addition to other external organizations with which federation has been established. Users can readily identify the origin of a contact by the branding icon that appears next to a federated contact's display name.

The branding icon of the federated partner must be accessed with an HTTPS connection. For federated organizations, the administrator must ensure that HTTPS is used to access branding icons instead of HTTP. Otherwise, if a Communicator Web Access user adds a federated contact to his or her contact list, a security alert will appear whenever the user signs in. The security alert will also appear whenever users search for federated contacts or start instant messaging conversations with federated contacts. If your users see this behavior, you should verify which federated organization is using HTTP for the branding icon and request that they use HTTPS instead.

For more information about federated topologies in Live Communications Server deployments, see the Live Communications Server 2005 with Service Pack 1 Access Proxy and Director guide, which is available from the Live Communications Server Deployment Resources page at http://office.microsoft.com/en-us/FX011450741033.aspx.

Communicator Web Access Requirements

This section describes the hardware and software that are required to install Communicator Web Access.

Table 2: Requirements for installing Communicator Web Access

Computer | Component | Required For
Active Directory Domain Controller | Microsoft Windows 2000 Server SP4, Windows Server 2003 | Operating system
 | Active Directory | Directory service
 | DNS | Name resolution
Live Communications Server | Microsoft Office Live Communications Server 2005 with SP1* | Schema
PKI | Windows Server 2003 SP1 Enterprise certification authority (CA) (recommended) or a trusted third-party certification authority infrastructure | PKI Infrastructure
 | IIS 6.0 | Certificate services Web enrollment support only
Communicator Web Access server | NTFS | File system
 | Windows Server 2003 SP1 | Operating system
 | .NET Framework 2.0 | Communicator Web Access/ASP.NET
 | Windows Installer 3.0 (installed as part of Windows Server 2003 SP1) | Communicator Web Access/ASP.NET
 | IIS 6.0 | Communicator Web Access
 | ASP.NET 2.0 | Communicator Web Access
 | Live Communications Server 2005 SP1, Standard Edition or Enterprise Edition | Communicator Web Access requirement
Client | See Supported Client Operating Systems | Operating System
 | See Supported Client Browsers | Browser/Client
Remote Computer | Communicator Web Access Manager; IIS 6.0 Manager. The remote computer and the Communicator Web Access server should be located in the same Active Directory domain. | Remote management

Table 3: Permissions required for installing Communicator Web Access

Computer | Action | Required Permissions
Communicator Web Access server | Install Communicator Web Access | User must be a member of local Administrators group.
 | Activate Communicator Web Access | User must be member of the Domain Admins group and the RTCDomainServerAdmins group.
 | Create a virtual server | User must be a member of local Administrators group.
Remote Computer | Install Communicator Web Access Manager on a remote computer | User must be a member of local Administrators group of the remote computer.

* Communicator Web Access will not connect to previous versions of Live Communications Server. Your organization may contain previous versions, but Communicator Web Access users must be homed on servers that are running Live Communications Server 2005 with SP1.

Supported Server Operating Systems

The Communicator Web Access server is supported on Windows Server 2003 Service Pack 1 only. The following Windows Server 2003 SP1 versions are supported:
- Standard
- Enterprise
- Datacenter

Important: The server must be a member of the same domain as a server that is running Live Communications Server 2005 with SP1. Installing Communicator Web Access on a workgroup computer is not supported and will result in an error during setup.

Supported Communicator Web Access Manager Operating Systems

You can use the Communicator Web Access Manager snap-in to manage one or more Communicator Web Access servers from a remote computer. The following operating systems are supported for remote Communicator Web Access management:
- Windows XP Professional Edition
- Windows Server 2003, Standard Edition
- Windows Server 2003, Enterprise Edition

Note: Communicator Web Access Manager is not supported on any version of Windows 2000.

Important: Before installing the Communicator Web Access Manager snap-in on a remote computer, you must first install Internet Information Services (IIS) Manager. Only the management components are required; you do not need to install IIS on the computer. You can use Add/Remove Windows Components in Control Panel to install the Internet Information Services Snap-in (Windows XP) or Internet Information Services Manager (Windows Server 2003), or you can download Internet Information Services (IIS) 6.0 Manager for Windows XP.

Supported Client Operating Systems

Communicator Web Access is supported on the following versions of the Windows operating system:
- Windows 98 Second Edition
- Windows 2000 (All)
- Windows XP
- Windows XP SP1
- Windows XP SP2

Note: If Windows 98 is the client operating system, the password hashing protocol will ignore case when authenticating Communicator Web Access passwords.

Other Devices

Communicator Web Access includes the AJAX (Asynchronous JavaScript and XML) service, which is an application programming interface (API) for creating client programs that are compatible with Communicator Web Access and Microsoft Office Communicator 2005. Because the API can be used with any program that is built by using AJAX programming techniques, the client programs are not limited to running on the Microsoft Windows family of operating systems on a desktop or laptop computer. For example, mobile device providers can create a gateway that allows users of their devices to access presence and instant messaging features. For information about the Communicator Web Access AJAX service, see the Microsoft Office Communicator Web Access AJAX Service Software Development Kit (SDK) 1.0, available at http://www.microsoft.com/downloads/details.aspx?FamilyId=A839967B-680F-41E6-99B4-F020319BBD88.

To make a developer's program available to users, you create a virtual server and enable the AJAX service on the virtual server. You then direct users of the custom program to sign in to the new virtual server. For details about creating a virtual server and enabling the AJAX service, see "Enabling the AJAX Service for Communicator Web Access" later in this guide.

Supported Client Browsers

Microsoft Office Communicator Web Access supports the following browsers:
- Internet Explorer 6.0
  Note: Install Internet Explorer 6.0 SP1 to avoid issues with the title display in desktop alerts, options dialog boxes, and permissions dialog boxes.
- Firefox 1.0
- Safari 1.2.4 on Mac 10.3.7
- Netscape Browser 7.2 or later

Client Interoperability

This section describes interoperability with various clients.

Communicator

The user can run Communicator 2005 and Communicator Web Access on the same computer. Desktop alerts for new instant messages will appear in both programs, and the user can choose which one to accept. Incoming IM alerts continue to appear on both clients, but the message automatically opens in the active client.

Both Communicator 2005 and Communicator Web Access have a mechanism that changes the user's status after there has been a period of inactivity. In Communicator, the user's status changes to Away. However, because Communicator Web Access is a Web application, it can detect activity only in its own windows and dialog boxes. It cannot detect whether a user is active in other programs on the same computer. Therefore, after a period of Communicator Web Access inactivity, the user's status in Communicator Web Access as it appears to other users automatically changes to Away, but the user may still be actively using his or her computer.

For more information about Communicator 2005, see the Microsoft Office Communicator Planning and Deployment Guide, which is available from the Microsoft Office Communicator 2005 deployment resources page at http://office.microsoft.com/en-us/assistance/HA011992481033.aspx.


Windows Messenger 5.1
A user can experience inconsistencies in the way presence displays when he or she has signed in to both Windows Messenger 5.1 and either Communicator Web Access or Communicator. These inconsistencies can occur when Windows Messenger 5.1 is on the same computer or on a different computer than Communicator Web Access or Communicator 2005. However, a Windows Messenger 5.1 user can participate in IM conversations with a Communicator Web Access user without these inconsistencies.
For additional information about Windows Messenger 5.1, see the Windows Messenger 5.1 Planning and Deployment Guide at http://office.microsoft.com/en-us/FX011526591033.aspx.

Server Requirements
This section describes the requirements for deploying the Communicator Web Access server.

Infrastructure Requirements
The following infrastructure must be in place before you deploy Communicator Web Access:
- Active Directory is deployed.
- Domain controllers are running Microsoft Windows 2000 SP4 or Windows Server 2003.
- Global catalog servers are running Windows 2000 SP4 or Windows Server 2003, and at least one global catalog server is in the forest root domain.
- PKI is deployed and configured, using either PKI from Microsoft or a third-party certification authority (CA) infrastructure. See Live Communications Server 2005 Certificate Configuration at http://www.microsoft.com/downloads/details.aspx?FamilyId=779DEDAA-2687-4452-901E-719CE6EC4E5A&displaylang=en.
- DNS is deployed and configured correctly.
- Live Communications Server 2005 with SP1 must be deployed.

Communicator Web Access Server Setup Requirements
This section describes the requirements for the computer that will be running the Communicator Web Access server. It is assumed that all infrastructure requirements described in the previous section are met.
The following are required for the computer on which Communicator Web Access server is installed:
- Windows Server 2003 SP1
- The Communicator Web Access server is a member server of the same Active Directory forest and domain as Live Communications Server 2005 with SP1.
  Note: Installing Communicator Web Access on a workgroup computer is not supported and will cause an error during setup.
- Live Communications Server 2005 with SP1 schema updates as specified in Live Communications Server 2005 SP1 Active Directory Preparation at http://office.microsoft.com/en-us/FX011526591033.aspx.
- DNS.
- IIS 6.0.
- Windows Installer 3.
- .NET Framework Version 2.0.
- You must be logged on as a member of the Domain Admins and RTCDomainServerAdmins groups to activate Communicator Web Access.
- The root CA chain is trusted, and a certificate from the trusted root CA is located in the local computer trusted root authorities store. For information about how the certificate should be configured, see "Planning Certificates" later in this guide.

Communicator Web Access Active Directory Account Requirements
The following table lists the minimum group membership requirements for Communicator Web Access.

Table 4: Minimum Group Membership
Group | Minimum Requirement
Administrators (local) | The user installing Communicator Web Access server must be logged on as a member of the local Administrators group.
Domain Admins | The user activating the Communicator Web Access server must be logged on as a member of the Domain Admins group.
CWAService (default) | The service account under which Communicator Web Access runs is added to the RTCHSDomainServices group created by Live Communications Server 2005 SP1.
RTCDomainServerAdmins (created by Live Communications Server 2005 SP1) | The user activating the Communicator Web Access server must be logged on as a member of the RTCDomainServerAdmins group.

Server Hardware Requirements
This section discusses the hardware requirements for Communicator Web Access.

Communicator Web Access Server Hardware Requirements
The recommended minimum hardware requirements for the Communicator Web Access server are:
- Dual 3.06 GHz processor, 1-MB Cache, 533 MHz FSB (front side bus)
- 2 GB DDR (double data rate), 266 MHz RAM
- 18-GB hard disk
- 100-megabit network adapter

Additional Infrastructure Information
This section provides links to infrastructure requirement documents.
For information on Live Communications Server 2005 SP1, see the following documents available from the Live Communications Server 2005 Deployment Resources page:
Live Communications Server 2005 SP1
- Live Communications Server 2005 Deployment Overview guide at http://office.microsoft.com/en-us/FX011526591033.aspx.
- Live Communications Server 2005 Standard Edition Deployment Guide at http://office.microsoft.com/en-us/FX011526591033.aspx.
- Live Communications Server 2005 Enterprise Edition Deployment Guide at http://office.microsoft.com/en-us/FX011526591033.aspx.
Active Directory
- Live Communications Server 2005 SP1 Active Directory Preparation at http://office.microsoft.com/en-us/FX011526591033.aspx.
DNS
- http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/featured/dns/default.mspx
PKI and Certificates
- Live Communications Server 2005 Configuring Certificates at http://www.microsoft.com/downloads/details.aspx?FamilyId=779DEDAA-2687-4452-901E-719CE6EC4E5A&displaylang=en.

Planning Certificates
Communicator Web Access requires certificates that are issued from a Windows Server 2003 SP1 Enterprise CA (recommended) or a trusted third-party certification authority. Certificates are also required for deployments of Live Communications Server 2005 SP1 that support Communicator Web Access. If a hardware load balancer is deployed in front of a Communicator Web Access array, the hardware load balancer also requires a certificate. If you choose to publish the Communicator Web Access site for remote users by using ISA Server, you will need to configure certificates for the ISA Server. The next sections describe these certificate requirements.
If you are using Windows Server 2003 PKI, see "Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure" at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx.

Planning for Communicator Web Access Certificates
Communicator Web Access uses digital certificates to authenticate servers and users. During your preparation for Communicator Web Access server setup, you must configure the computer with trusted certificates for MTLS and HTTPS (SSL):
- MTLS certificate – The MTLS certificate is used to authenticate connections to the Live Communications Server. The MTLS certificates that are used by Communicator Web Access and Live Communications Server must be issued by the same trusted certification authority.
  Important: The MTLS connection will succeed only if the subject name for the MTLS certificate is the FQDN (fully qualified domain name) of the Communicator Web Access server.
- HTTPS (SSL) certificate – The SSL certificate is used by clients that are connecting to the Communicator Web Access server. Each virtual server that is configured with HTTPS must have an SSL certificate.
These certificates must already be installed on the server before you run Communicator Web Access setup. These certificates must be issued by your CA, and the certification authority must confirm the identity of each computer or user in the authentication transaction.
The requirements for these certificates depend on whether you are running Live Communications Server Standard Edition or Enterprise Edition. In either case, the subject name for the HTTPS (SSL) certificate must match the host name clients use to connect to the Communicator Web Access server (either the host name of the server or the host name of the virtual IP address that is published on behalf of the server). The following sections describe the certification requirements for various scenarios.

Separate Server
If you are running Communicator Web Access on a separate server from Live Communications Server, certificates must be configured as follows:
- MTLS certificate – The subject name must be the FQDN of the Communicator Web Access server.
- HTTPS (SSL) certificate – The subject name must be the host name that is used by clients to access the Communicator Web Access server, which may or may not be the FQDN.
For example, if the Communicator Web Access server FQDN is LCS-01.domain.com, and clients use http://cwa.domain.com to connect to Communicator Web Access, the MTLS certificate subject name would be LCS-01.domain.com and the HTTPS (SSL) subject name would be cwa.domain.com.

Colocation with Live Communications Server, Standard Edition
The requirements when running Communicator Web Access on the same server as Live Communications Server Standard Edition are the same as in the previous scenario. Certificates must be configured as follows:
- MTLS certificate – The subject name must be the FQDN of the Communicator Web Access server.
- HTTPS (SSL) certificate – The subject name must be the host name used by clients to access the Communicator Web Access server.
For example, if the Communicator Web Access server FQDN is LCS-01.domain.com, and clients use http://cwa.domain.com to connect to Communicator Web Access, the MTLS certificate subject name would be LCS-01.domain.com, and the HTTPS (SSL) subject name would be cwa.domain.com.

Live Communications Server Enterprise Edition
If you are running Communicator Web Access on one of the servers in a Live Communications Server Enterprise Edition pool, you must use the FQDN of the server pool in the MTLS certificate. Certificates must be configured as follows:
- MTLS certificate – The subject name must be the FQDN of the Live Communications Server pool.
- HTTPS (SSL) certificate – The subject name must be the host name used by clients to access the Communicator Web Access server.
For example, if the Live Communications Server pool FQDN is LCS-Pool.domain.com, and clients use http://cwa.domain.com to connect to Communicator Web Access, the MTLS certificate subject name would be LCS-Pool.domain.com and the HTTPS (SSL) subject name would be cwa.domain.com.

Using a Single Certificate
In any of the above scenarios, depending on your certification authority, you can use a separate certificate for MTLS and HTTPS (SSL) or you can use a single certificate for both. If you are using a Microsoft Certificate Authority or if your third-party certification authority supports a subject alternate name, you can use a single certificate.
In order to use a single certificate for both MTLS and HTTPS (SSL), the certificate must be configured as follows:
- The certificate subject name must be the FQDN of the Communicator Web Access server or the FQDN of the Live Communications Server 2005 pool.
- The subject alternate name must include both of the following:
  - The Communicator Web Access server FQDN or the Live Communications Server pool FQDN
  - The host name used by clients to access the Communicator Web Access server.
For information about setting a Subject Alternative Name, see Microsoft Office Live Communications Server 2005 Certificate Configuration at: http://www.microsoft.com/downloads/details.aspx?FamilyId=779DEDAA-2687-4452-901E-719CE6EC4E5A&displaylang=en
Both NetBIOS names and FQDNs are supported as the subject name of a certificate when you request a certificate from a Certification Authority. For more information on how to configure certificates by using the NetBIOS name, see: http://support.microsoft.com/default.aspx?scid=kb;en-us;887490.
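
The subject-name rules in the scenarios above can be checked before setup is run. The following is an added example, not code from this guide or from Microsoft: it assumes each certificate has been read into the dictionary shape returned by Python's ssl.SSLSocket.getpeercert(), and the function names and sample certificates are constructed for illustration.

```python
# Added example: checks planned certificates against the subject-name rules
# described in this guide. Sample certificates are constructed, not real.

def norm(name):
    """DNS names compare case-insensitively; ignore a trailing dot."""
    return name.rstrip(".").lower()

def subject_cn(cert):
    """Return the subject commonName, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def san_dns_names(cert):
    """Return the normalized DNS entries of the subject alternate name."""
    return {norm(v) for k, v in cert.get("subjectAltName", ()) if k == "DNS"}

def subject_is(cert, expected):
    cn = subject_cn(cert)
    return cn is not None and norm(cn) == norm(expected)

def check_separate_certs(mtls_cert, https_cert, mtls_fqdn, client_host):
    """Two-certificate layout. mtls_fqdn is the Communicator Web Access server
    FQDN, or the pool FQDN when the server is in an Enterprise Edition pool."""
    findings = []
    if not subject_is(mtls_cert, mtls_fqdn):
        findings.append(
            f"MTLS subject is {subject_cn(mtls_cert)!r}, expected {mtls_fqdn!r}")
    if not subject_is(https_cert, client_host):
        findings.append(
            f"HTTPS subject is {subject_cn(https_cert)!r}, expected {client_host!r}")
    return findings

def check_single_cert(cert, mtls_fqdn, client_host):
    """Single-certificate layout: subject is the MTLS FQDN and the subject
    alternate name lists both the MTLS FQDN and the client-facing host name."""
    findings = []
    if not subject_is(cert, mtls_fqdn):
        findings.append(
            f"subject is {subject_cn(cert)!r}, expected {mtls_fqdn!r}")
    sans = san_dns_names(cert)
    for required in (mtls_fqdn, client_host):
        if norm(required) not in sans:
            findings.append(f"subject alternate name lacks {required!r}")
    return findings

def same_issuer(cert_a, cert_b):
    """The MTLS certificates on both servers must be issued by the same CA.
    This compares issuer names only; chain validation stays with the TLS stack."""
    return cert_a.get("issuer") == cert_b.get("issuer")

def make_cert(cn, sans=(), issuer_cn="Constructed Enterprise CA"):
    """Build a constructed certificate dictionary for the demonstration."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("commonName", issuer_cn),),),
        "subjectAltName": tuple(("DNS", n) for n in sans),
    }

if __name__ == "__main__":
    # Host names are the ones used in this guide's examples.
    mtls = make_cert("LCS-01.domain.com")
    https = make_cert("cwa.domain.com")
    print(check_separate_certs(mtls, https, "LCS-01.domain.com", "cwa.domain.com"))
    # A single certificate whose subject alternate name omits the client host.
    partial = make_cert("LCS-Pool.domain.com", sans=["LCS-Pool.domain.com"])
    print(check_single_cert(partial, "LCS-Pool.domain.com", "cwa.domain.com"))
```

An empty list means the planned certificates satisfy the naming rules; each string names the rule that failed.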

Planning for Live Communications Server Certificates
Microsoft Office Live Communications Server 2005 with SP1, which is required for Communicator Web Access, requires certificates. For more information about Live Communications Server 2005 certificates, see Live Communications Server 2005 Certificate Configuration at http://www.microsoft.com/downloads/details.aspx?FamilyId=779DEDAA-2687-4452-901E-719CE6EC4E5A&displaylang=en.

Planning Certificates for Hardware Load Balancing
For information about certificate requirements for your load balancer hardware, contact the manufacturer.

Planning for ISA Server 2004 Certificates
You can publish the Communicator Web Access server by using ISA Server 2004 to provide remote users with access to Communicator Web Access while protecting the internal network. The recommended ISA configuration has at least two network adapters, one at the internal edge and one at the external edge. An SSL certificate must be requested, and the CA certificate chain must be downloaded to the Trusted Root Certification Authorities, Certificates folder for the local computer. The SSL certificate will be bound to the Listener for the external edge network adapter on the ISA Server 2004 computer. For details about certificate requirements and procedures, see "Digital Certificates for ISA Server 2004" at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/digitalcertificates.mspx.
Note: ISA is not required. You can use any reverse proxy.

Authentication and Authorization
The Communicator Web Access server performs both authentication and authorization on clients that access the Communicator Web Access server. The use of an MTLS certificate ensures that the Communicator Web Access server is trusted by the Live Communications Server. Communicator Web Access confirms that the SIP URI of the client matches the credentials for that user, and ensures that the user has been authorized to use Live Communications Server. If the user is outside the corporate network, Communicator Web Access also confirms that the user has been granted remote access to Live Communications Server.
Communicator Web Access requires that clients be authenticated by one of the following methods:
- Forms-based authentication
- Integrated Windows (NTLM/Kerberos) Authentication

Forms-Based Authentication
Forms-based authentication can be used by internal users (for example, those who are using a non-Windows operating system) and must be used by remote users. In forms-based authentication, a sign-in page is submitted to the server with the user's credentials. The Communicator Web Access authentication module and the use of SSL ensure that credentials are encrypted.

Integrated Windows (NTLM and/or Kerberos) Authentication
Integrated Windows authentication uses Kerberos V5 authentication and NTLM authentication and is available only to internal users. Except for remote users, NTLM is used by default, but you can configure the server to use only Kerberos.
Note: If Internet Explorer users are challenged for their credentials when signing in to Communicator Web Access from within the internal network, you can configure Internet Explorer to bypass the proxy server for the Communicator Web Access site. If a user has already been authenticated, this configuration allows the user to sign in without being required to be authenticated again. To configure Internet Explorer to bypass the proxy server for all users, edit the Internet Explorer group policy to include a proxy server exception for the Communicator Web Access site (for example, im.contoso.com).

Single Sign-on
Communicator Web Access uses single sign-on. After a user has already been authenticated through Integrated Windows Authentication, the user does not have to enter domain credentials to sign in to Communicator Web Access. For example, with single sign-on, a user can enter the following URI to access Communicator Web Access:
https://server.contoso.com/user@contoso.com
In this example, user@contoso.com is the user's SIP sign-in name. If the user is already authenticated through IWA, Communicator Web Access will open immediately with no further authentication requests. For remote users, the forms-based authentication window will appear.
You can also configure the server to allow a user name without the host information:
https://server.contoso.com/user
Both of these settings are configurable in the Communicator Web Access server properties on the Authentication tab.
For single sign-on to work, the following conditions must be met:
- The Communicator Web Access site must be recognized as an intranet site, or it must be included in the client's list of trusted sites.
- The user's browser must support Integrated Windows Authentication.
- The user must be logged on to the computer with his or her domain credentials.
Note: Using these URIs to code single sign-on from other Web applications is not a supported scenario and may result in unexpected behavior.

Pop-up Blockers
The Communicator Web Access server uses pop-ups for both internal users and remote users. For example, pop-ups are used for incoming instant message desktop alerts and new conversation windows. Therefore, users must configure pop-up blockers to allow pop-ups on the Communicator Web Access site.
For client users who are using supported versions of Firefox, Mozilla, and the Netscape Browser, the number of windows open at any one time is limited to help safeguard against pop-ups. When accessing Communicator Web Access from these clients, users can reach this limit if several conversation windows or desktop alerts are open at one time. In this case, the client browser will prevent any new windows from opening, which can result in missed conversations or notifications. To prevent this issue, the user can change or remove the limit on the number of allowable open windows.

Cookies
Cookies are issued to the client by the Communicator Web Access server after successful authentication by both internal users and remote users. Therefore, clients must accept cookies from the Communicator Web Access server to function correctly.

Capacity Planning
When you use Communicator Web Access, you can add or remove servers without interrupting service. Even clients currently participating in IM sessions at the time of the change are unaffected. This enables customers to be proactive when planning for and responding to corporate restructure and growth.
You should consider a load balanced configuration so that you can add or remove servers as your needs change. The load balancer ensures that the same Communicator Web Access server is used for the user's entire session. For details, see "Load Balancing" later in this document.
This section discusses capacity planning for both current and future needs.

Increasing Capacity
Over time, regular monitoring of system usage may reveal that your configuration of Communicator Web Access no longer meets the needs of users during periods of normal usage. The following are some methods for increasing capacity:
- Increasing search thresholds – Communicator Web Access contains a threshold setting that determines the number of searches that are allowed at one time. This setting is configurable in the global settings for Communicator Web Access. You can use Microsoft Operations Manager to monitor how often users are reaching this limit over time. If users continually reach the limit and the search activity represents normal usage, you may want to increase the search limit. However, you need to consider any impact that increasing the limit will have on performance. For more information about using Microsoft Operations Manager, see "Microsoft Operations Management Pack" later in this document.
- Optimizing IIS 6.0 scalability – IIS 6.0, running on the Microsoft Windows Server 2003 operating system, includes a new architecture and new features to help your application server scale. For detailed information about optimizing IIS 6.0, see "Improving Scalability by Optimizing IIS 6.0 Queues," "Improving Scalability by Optimizing IIS 6.0 Caches," and "Additional Resources for IIS 6.0 Scalability" at http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/2a4d9385-8cf8-4482-83d8-fa0adb8ffd96.mspx.
  At some point, increasing search thresholds and optimizing other performance settings may actually result in degraded performance, and you will need to consider adding servers to the Enterprise pool or upgrading the processing power or memory of existing servers.
- Adding servers to the Communicator Web Access array – If your Communicator Web Access servers are configured in an array, as your organization grows, you can add Communicator Web Access servers to the array without interrupting service. Clients who are currently participating in IM sessions at the time of the change are unaffected.
- Adding storage capacity – Data storage for Communicator Web Access is handled by Live Communications Server. Static data, such as contact lists and ACLs (access control lists), are stored as persistent data on the Live Communications Server Back-End Database. To increase the back-end storage capacity, follow the guidelines and procedures for Live Communications Server. For more information, see the Live Communications Server 2005 Enterprise Edition Deployment Guide, which is available from the Live Communications Server Deployment Resources page at http://office.microsoft.com/en-us/FX011450741033.aspx.

Performance Considerations
This section discusses ways in which you can improve the performance and reliability of a Communicator Web Access deployment.

Network Performance Considerations
Communicator Web Access performance is only as good as network performance, which depends on the following factors:
- Device speed: How fast a device can route or filter packets.
- Network speed: The bit rate of the network interfaces and connectivity devices or server ports.
- Filtering: The type of filtering being performed on packets (the inspection of packets above level 3 of the OSI model). The higher the level of filtering, the greater the likelihood of degraded performance. If needed, additional CPU resources should be added to bring the performance back to desired levels.
- Encryption: When encryption is used (for example, on VPN devices), the network traffic performance deteriorates. If this overhead proves to be too great and the network performance falls below an acceptable level, additional CPU resources should be added to the devices performing encryption to help bring performance back to desired levels.
- Number of devices: The latency introduced into the overall performance of the network increases as the number of devices on the network increases.
Examine your current network and determine if there are areas that may affect the performance of your Communicator Web Access deployment.

Availability Planning
Configuring your servers for availability and reliability is a process, which should be continuing, evolving, and balanced between need and cost. This section discusses the concepts and technologies that help you design an available and reliable Communicator Web Access deployment, including failover mechanisms and load balancing.
To plan a highly available network, you must consider more than just Communicator Web Access. However, only Communicator Web Access-specific considerations are discussed in this document. For example, this document does not discuss failure of the supporting components (such as DNS, Active Directory, NTLM/Kerberos, Reverse Proxies, Load Balancers, Firewall, Live Communications Server, and CLR), upon which Communicator Web Access server relies. Total failure or lack of connectivity to any of these supporting components can result in degraded performance or loss of service.
For information about availability planning in general, see "Overview of Planning for High Availability and Scalability" at http://technet2.microsoft.com/WindowsServer/en/Library/37b0b6af-c408-4d13-8e73-44a95b92fbac1033.mspx.

Planning for High Availability
Communicator Web Access has a failover mechanism to help provide reliability and high availability. However, it is recommended that you additionally use people and processes and that you continually evaluate and adjust your availability plan. High availability typically requires a data center with uninterrupted power and continuous maintenance and operations, as well as a trained, experienced staff.
This section describes some of the failover mechanisms in Communicator Web Access and other measures you can take to increase reliability and availability. It covers the following topics:
- Communicator Web Access failover mechanism
- Connection retry mechanism
- Detecting faults
- Containing failure
- Controlling overload
- Ensuring stable initialization
- Handling exceptions

Communicator Web Access Failover Mechanism
Microsoft Office Communicator Web Access provides failover support. You can choose from a number of options for achieving reliability and availability, depending on your needs and your budget. You can improve availability by increasing MTBF (mean time between failures) and by decreasing MTTR (mean time to recover).
You can increase MTBF for hardware by using any or all of the following:
- Dual power supplies
- Hot swap disks with RAID
- Heat-sink temperature sensors
- Fan sensors
- Redundant systems
You can lower MTTR by doing any or all of the following:
- Detecting faults as soon as possible
- Using standby and redundant systems
- Using server pools and load balancing

Connection Retry Mechanism
The Communicator Web Access failover mechanism contains the Client Retry recovery mechanisms.
Repeated failures to connect to any one Communicator Web Access server result in the connection being attempted with the generic DNS name for the VIP (virtual IP) address of the load balancer so that the client can be connected with any available server in the array. If a brief network interruption occurs, the client will attempt to reconnect to the same server. If reconnection fails within two minutes, the user will be signed out. The user can then attempt to sign in again, and any available server will be used for the new session.
The new Communicator Web Access server in the recovery process performs SIP optimizations to ensure that the failure does not replicate and cause an overloaded condition on any component in the Live Communications Server system. The recovered connection causes no user state change, except for loss of only the data that is between endpoints at the time of failure.

Detecting Faults
The Communicator Web Access failover mechanism contains the following fault detection mechanisms:
- Client to Server
- Client from Server
- Live Communications Server from Server
- Active Directory from Server

Containing Failure
In the event of a failure, it is important to be able to isolate the failure and to prevent it from becoming the proximate cause of other failures. For example, isolating servers for internal users from those for remote users can contain a failure to just one group of users. This server isolation capability ensures that in the event of a system overload, performance may be degraded, but the entire system will not fail.

Controlling Overload
The Communicator Web Access server uses throttling to help prevent a total system failure and a cascade of subsequent failures that are caused by the initial failure. To prevent a system overload, the throttling mechanism denies and/or delays sign-in attempts.
The Communicator Web Access overload mechanism has damping built into it to prevent a normal, momentary spike in traffic from producing an overload. Similarly, if the server is already overloaded, Communicator Web Access continues to treat the server as overloaded for a brief period in order to allow the server to return to stability. This delay helps prevent the server from immediately returning to the overloaded condition.
Client requests to sign in during an overload are returned with a message indicating that the server is temporarily unavailable. This prevents the client from overloading the server by immediately trying again to sign in. Client requests to log in during an overload in which no bandwidth is available are dropped, and the client times out.
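
The damping and the brief hold-down described above can be pictured with a small model. The following is an added example, not the product's algorithm or code from this guide: it uses a smoothed load average for damping and a hold-down timer after overload, and the limit, smoothing factor, hold-down period and sample traffic are all assumed values.

```python
# Added example: a generic overload gate with damping and hold-down.
# limit_per_s, alpha and hold_down_s are assumed tuning values, and the
# traffic samples below are constructed.

class SignInGate:
    def __init__(self, limit_per_s=100.0, alpha=0.2, hold_down_s=10.0):
        self.limit_per_s = limit_per_s    # smoothed rate that counts as overload
        self.alpha = alpha                # weight of the newest sample (damping)
        self.hold_down_s = hold_down_s    # how long to stay in the overloaded state
        self.smoothed = 0.0
        self.overloaded_until = None

    def observe(self, now, rate_per_s):
        """Feed one load sample; return True while sign-ins must be refused."""
        # Damping: a single high sample moves the average only part of the way,
        # so a momentary spike does not trip the gate.
        self.smoothed = (self.alpha * rate_per_s
                         + (1.0 - self.alpha) * self.smoothed)
        if self.smoothed > self.limit_per_s:
            # Hold-down: keep treating the server as overloaded for a while
            # after the load drops, so it can return to stability.
            self.overloaded_until = now + self.hold_down_s
        return self.overloaded_until is not None and now < self.overloaded_until

    def handle_sign_in(self, now, rate_per_s):
        """Return the answer a sign-in request would get at this moment."""
        if self.observe(now, rate_per_s):
            return "temporarily unavailable"
        return "accepted"


def run(samples, **settings):
    """Replay (time_s, sign_ins_per_s) samples through a fresh gate."""
    gate = SignInGate(**settings)
    return [gate.handle_sign_in(t, rate) for t, rate in samples]


# Constructed traffic: one momentary spike, then a sustained burst followed
# by silence.
SPIKE = [(0, 50), (1, 50), (2, 400), (3, 50), (4, 50)]
SUSTAINED = [(0, 400), (1, 400)] + [(t, 0) for t in range(2, 13)]

if __name__ == "__main__":
    print(run(SPIKE))
    print(run(SUSTAINED))
```

With these assumed values the single spike is absorbed, while the sustained burst closes the gate and keeps it closed for the hold-down period after traffic stops.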

Ensuring Stable Initialization
During failover, Communicator Web Access causes the server to perform a cold restart. This restart, which is independent of the order in which other components start, results in a stable, predictable initialization of the Communicator Web Access server or array that is providing service. Stable initialization enables Communicator Web Access server arrays to tolerate Live Communications Server switchovers and individual Communicator Web Access servers being taken offline for any reason, including a power failure.

Handling Exceptions
Exceptions occur when the server or array has a failover, recovery, initialization, or boot process in progress. Exceptions are handled in the same way as overloads: client sign-in attempts are denied, delayed, or dropped until the system is stable again.

Load Balancing
This section describes planning for distributing the load among multiple Communicator Web Access servers that use a hardware load balancer. Load balancing is a type of redundancy that can help improve the reliability and availability of Communicator Web Access. Load balancing is an element of horizontal clustering, in which multiple servers are configured to perform the same function on the network.
Load balancing can be required for the following reasons:
- Size of deployment: If the deployment requires more capacity than one Communicator Web Access server can provide, then multiple servers must be deployed. A load balancer ensures that the user load is distributed equally across these machines.
- High Availability: If Communicator Web Access is mission-critical for your organization, the loss of Communicator Web Access servers due to the failure of a server can be catastrophic. As part of the design and implementation of your Communicator Web Access deployment, a load balancer can help provide high availability and protect against overloads that can result in server failures.
A load balancer can be used for both internal and external access, potentially with a dedicated load balancer for each type of access. Alternatively, you can use a single load balancer for both Live Communications Server connectivity and Communicator Web Access. This approach will probably affect the scalability of the load balancer, and having both sets of traffic traverse one load balancer does not guarantee that each server deployment will have the same capacity. However, both sets of traffic can flow through the same Load Balancer without any functional impact.
Like typical Web applications, Communicator Web Access requires affinity. Communicator Web Access supports any load balancer that provides HTTP or HTTPS client affinity. Communicator Web Access does not support network load balancing topologies, because these topologies do not maintain client affinity. If you configure network load balancing on your Communicator Web Access servers, whenever a server fails or restarts, client connections are rebalanced across the Communicator Web Access server pool and users are disconnected.
The following figure shows the reference Load Balancing architecture.
Figure 5: Load Balancing Topology
HTTPS and HTTP traffic between client and Communicator Web Access server is routed through the load balancer, as is SIP traffic between the Live Communications Server and the Communicator Web Access server. Management traffic between the Communicator Web Access server and the administrator, which is not shown in the preceding figure, does not go through the load balancer. Neither does DNS traffic or LDAP traffic.
Note: You can deploy Communicator Web Access on either side of your hardware load balancer. Connections between Communicator Web Access and Live Communications Server consist of client SIP traffic only.

Configuring Load Balancing Topologies
Load balancing topologies can be described by three network attributes:
- Network address translation (NAT) type used
- Number of nodes used
- Number of subnets used
Load balancing uses NAT at layers 2 and 3 of the TCP/IP stack. There are three types of NAT:
- Destination NAT (half-NAT)
- Source NAT (full-NAT)
- Direct Server Return (out-of-path mode)
Load balancers can be connected to the network as an independent node (one-arm topology) or as an intermediary device (two-arm topology) between the Communicator Web Access servers and the remaining network.
Load Balancer topologies can be further classified by the number of subnetted network IDs (subnets) used. A subnet is a range of IP addresses that by convention is described by the lowest IP address in the range and by the subnet mask.
A complete discussion of NAT and subnetting is beyond the scope of this document. For more information, see the following:
- The NAT Technical Reference at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/fd23047b-2b5a-42b3-aa14-2b7c1cd4be81.mspx
- The TCP/IP Technical Reference at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/58511c7c-fb5c-4186-aa69-6f598d59a973.mspx

Supported Load Balancing Configurations
This section describes the supported load balancing configurations for internal and external client access.
All supported load balancing configurations meet the requirement of maintaining state for a user's session. The load balancer accomplishes this by using cookie inspection, IP address, or another mechanism, depending upon the specific load balancer. The load balancer ensures that the same Communicator Web Access server is used for the user's entire session.
Note: Multihomed network adapters or multiple network adapters, each with a different IP address, are not supported for load balancing in Communicator Web Access.
The following load balancing configurations are supported for Communicator Web Access:

Table 5. Supported Load Balancing Configurations
Type of NAT | Supported Configurations
Destination NAT | Two arms and one IP subnet; Two arms and two IP subnets; One arm and two IP subnets
Source NAT | Two arms and one IP subnet; Two arms and two IP subnets; One arm and one IP subnet; One arm and two IP subnets
Direct Server Return | One arm and one IP subnet; One arm and two IP subnets; Two arms and one IP subnet; Two arms and two IP subnets

Unsupported Load Balancing Configurations
The following load balancing configurations are not supported for Communicator Web Access:
- One arm destination NAT and one IP subnet
- Network load balancing

SSL Accelerators
A load balancer can be used as an SSL accelerator by configuring it to perform SSL decryption. Configuring the load balancer in this way can decrease the load on the Communicator Web Access server, thereby improving its performance. In this scenario, the load balancer decrypts HTTPS traffic and passes it to the Communicator Web Access server as HTTP traffic. Because the information sent between the load balancer and Communicator Web Access is unencrypted, we recommend that you secure this traffic to prevent unauthorized access.

Connectivity Requirements
The following connectivity requirements must be met for successful load balancing of Communicator Web Access servers.
- The VIP (virtual IP) address of the load balancer must support the Address Resolution Protocol (ARP).
- The VIP of the load balancer must have only a single DNS registration, including an FQDN (fully qualified domain name) called the pool FQDN.
- The VIP address of the load balancer must have one or more client ports. The port can be TCP port 80, SSL port 443, or defined by the system administrator.
- The Load Balancer must support HTTP/SSL affinity.
- The Communicator Web Access servers must have Active Directory access.
- The administrative computer must be able to connect directly to each Communicator Web Access server behind the load balancer without going through the load balancer.
- Each Communicator Web Access server behind the Load Balancer must be able to connect with the Live Communications Server (server or pool) using mutual TLS (MTLS) on port 5061.

Load Balancer Configuration Requirements
The following load balancer configuration requirements must be met for successful load balancing of Communicator Web Access servers.
- The load balancer must support PING of the Communicator Web Access server through a TCP port, typically 80/443, which is opened by the Communicator Web Access server.
- The load balancer service check retry interval and TCP idle timeout must be configurable and set to 30 seconds and 92 seconds, respectively.
- The load balancer must support either IP address forwarding or source network address translation (NAT). If the load balancer supports only source NAT, and not IP address forwarding, it must support source NAT pooling if it is to support more than 65,000 concurrent connections.

Load Balancer Configuration Recommendations
The following load balancer configuration recommendations should be met for optimal Load Balancing, but they are not required.
- The load balancer should have a setting for maximum number of connections to each Communicator Web Access server behind the load balancer.
- The load balancer should be capable of a slow start, in which the load on the servers is increased gradually.
- The TCP idle timeout should be at least twice the maximum client polling interval.

Verifying Successful Load Balancing Configuration

The following verifications should be performed to confirm successful load balancing configuration.

To verify LDAP/DNS traffic

To confirm correct LDAP/DNS configuration, perform the following LDAP/DNS verifications from each Communicator Web Access server behind the load balancer.
  Verify that a ping of the domain controller and global catalog server by IP address results in a successful reply from each.
  Verify that a ping -a of the domain controller and global catalog server by IP address results in a successful reply from each, with correct DNS name resolution.
  Verify that using Ldp.exe with both the domain controller and global catalog server results in a successful connection.
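
The LDAP/DNS checks above, together with the MTLS port 5061 connectivity requirement listed earlier, can be scripted so that every server behind the load balancer is tested the same way. The following is an added example, not part of the original guide: the function names, host names and addresses are constructed placeholders, ports 389 and 3268 are the standard LDAP and global catalog defaults (assumed, not stated in the guide), and the TCP test only shows that the port accepts a connection, so it does not replace the Ldp.exe check. It assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the guide): connectivity preflight to run on each
# Communicator Web Access server behind the load balancer.
# All names and addresses are constructed placeholders; replace them.
$DirectoryServers = @(
    @{ Role = 'Domain controller'; IP = '192.0.2.10'; ExpectedName = 'dc01.corp.example'; Port = 389 }
    @{ Role = 'Global catalog';    IP = '192.0.2.11'; ExpectedName = 'gc01.corp.example'; Port = 3268 }
)
$LcsServerFqdn = 'lcs01.corp.example'   # Live Communications Server or pool (placeholder)
$MtlsPort      = 5061                   # MTLS port named in the connectivity requirements

function Test-TcpPort {
    # True when a TCP connection to the port completes within the timeout.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)    # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-IcmpReply {
    # Equivalent of "ping <address>": True on a successful echo reply.
    param([string]$Address, [int]$TimeoutMs = 2000)
    $ping = New-Object System.Net.NetworkInformation.Ping
    try {
        $reply = $ping.Send($Address, $TimeoutMs)
        return ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
    } catch {
        return $false
    } finally {
        $ping.Dispose()
    }
}

function Resolve-ReverseName {
    # Equivalent of the name shown by "ping -a <address>"; $null when no name resolves.
    param([string]$Address)
    try   { return [System.Net.Dns]::GetHostEntry($Address).HostName }
    catch { return $null }
}

function Test-CwaConnectivity {
    $results = @(foreach ($server in $DirectoryServers) {
        $name = Resolve-ReverseName $server.IP
        [pscustomobject]@{
            Target      = "$($server.Role) ($($server.IP))"
            PingReply   = Test-IcmpReply $server.IP
            ReverseName = $name
            NameMatches = ($name -eq $server.ExpectedName)   # case-insensitive compare
            TcpPort     = $server.Port
            TcpOpen     = Test-TcpPort $server.IP $server.Port
        }
    })
    # MTLS reachability only; the certificate exchange itself is not tested here.
    $results += [pscustomobject]@{
        Target      = "Live Communications Server ($LcsServerFqdn)"
        PingReply   = $null
        ReverseName = $null
        NameMatches = $null
        TcpPort     = $MtlsPort
        TcpOpen     = Test-TcpPort $LcsServerFqdn $MtlsPort
    }
    return $results
}

Test-CwaConnectivity | Format-Table -AutoSize
```

A row with PingReply, NameMatches or TcpOpen set to False identifies the check to repeat by hand on that server.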

When every Communicator Web Access server passes the above verifications, perform the client HTTP/HTTPS traffic and server SIP traffic verifications. You must first prepare an environment for the verifications.

To prepare the verification environment

  Set up two client computers, Client A and Client B, and enable two users, User A and User B, for the array being tested. The Communicator Web Access array being tested should consist of only two servers.
  On each of the two Communicator Web Access servers in the pool being tested, open the Performance Monitor snap-in. Click Start, point to All Programs, point to Administrative Tools, and then click Performance.
  In the Performance console tree, expand Performance Logs and Alerts.
  Right-click Counter Logs, and then click New Log Settings.
  In the New Log Settings dialog box, under Name, type a name for the log.
  In the properties sheet, on the General tab, click Add Counters.
  In the Add Counters dialog box, under Performance Object, click CWA-03-UsersessionService.
  In the list of counters, click CWA-002-Sessions, click Add, and then click Close.
  Click OK.
  Open the Internet Explorer browser on Client A and Client B, and then enter the Communicator Web Access URI for the two-server pool.
  Sign in to Client A as User A, and then sign in to Client B as User B.

To verify the configuration

To confirm that the Client HTTP/HTTPS and Live Communications Server SIP configuration with the Communicator Web Access server are correct, perform the following verifications.
  If you are using a load balancing method that prevents the two clients from connecting to the same server (for example, the "round-robin" or "least connections" method), verify that the CWA–002 Sessions performance counter for each server shows one connection each.
  Verify that User B, signed in to Client B, can search for User A and can add User A to User B's Contacts list.
  Verify that User A, signed in to Client A, can search for User B and can add User B to User A's Contacts list.
  Verify that the following functions work as expected:
    IM exchange
    Presence change
    Block and unblock of each contact from each client
    Contact deletion on each client
  Verify that when you unplug the network cable from the load balancer to one of the Communicator Web Access servers, the client connected to that server is signed out within a few minutes.
  Verify that when clicking the Sign In button on the client that was signed out in the previous step, the user is successfully connected to the remaining connected Communicator Web Access server.
  Verify that the CWA–002 Sessions performance counter for the remaining server shows two connections.

Disaster Recovery Planning

Before you deploy Communicator Web Access in a production environment, it is important that you have well-defined and well-rehearsed disaster recovery strategies in place. These strategies will allow you to quickly recover from any loss of messaging services to your users that is caused by a disaster.

Although backups are normally included in a disaster recovery plan to help mitigate disk crashes and site failures, user information for Communicator Web Access is stored within Active Directory and Live Communications Server, so there is no Communicator Web Access server-specific user information that needs to be backed up; however, it is a good practice to ensure that you have a backup of your server configuration and standby server hardware that you can install in case of failure.

You can back up Communicator Web Access server-specific configuration information from Communicator Web Access Manager. You can use the Import/Export feature within Communicator Web Access Manager to back up the server configuration in XML format. This XML can be used to restore a new server to the state that is represented by the XML, as described in the next section.

Standby Recovery Server

If your budget allows it, you should hold extra computers in reserve for use as a recovery server in the event of a disaster. Most enterprises are moving to a model of just-in-time inventories for their IT organizations. Enterprises contract with hardware vendors and suppliers, and the contract specifies an SLA (service level agreement) of a few hours for delivery of certain pieces of hardware in the event of a catastrophe. The advantage of this method is that multiple spare servers are not sitting in inventory unused.

The following are the requirements for a standby server:
  The server must contain a clean installation of Windows Server 2003 and nothing else.
  You must have the configuration files from each Communicator Web Access server that have been previously exported and are accessible.

Transitioning Service from a Failed Server to a Standby Server

If a Communicator Web Access server fails, you must manually transition service to the backup server.

To transition service from a failed server to a standby server

  Add the standby server to the domain.
  Install IIS 6.0 on the standby server.
  Install .NET Framework version 2.0 on the standby server.
  Obtain the appropriate SSL and MTLS certificates for the standby server.
  Install Communicator Web Access on the standby server.
  Activate the server, but do not create a virtual server.
  Use Communicator Web Access Manager to import the configuration files that were previously exported from the working Communicator Web Access virtual servers into the backup server.
  Use Communicator Web Access Manager to configure the SSL certificate for the virtual servers.
  If the failed server is part of a pool of Communicator Web Access servers behind a load balancer, you can either reuse the IP address of the failed server or configure the load balancer to point to the new IP address of the standby server.
  If the failed server is not part of a pool, you should configure the DNS server to point the FQDN to the new IP address. If you do not have a DNS server, you can reuse the IP address of the failed server as that of the standby server.

Deployment

This section contains procedures for setting up Communicator Web Access, and includes the following:
  Overview
  Prepare the server
  Install Communicator Web Access
  Configuration Procedures
  SSL Publishing using ISA Server 2004 Procedures, as an example
  Server Management
  Monitoring and Performance

Communicator Web Access Setup Overview

Communicator Web Access can be deployed to your existing infrastructure if it meets the requirements described in "Communicator Web Access Requirements" earlier in this guide. Deploying Communicator Web Access on a server involves preparation, installation, activation, and configuration procedures. Table 6 provides an overview of the required steps. Detailed instructions are provided following the table.

Table 6. Communicator Web Access Setup Overview

Phase: Preparation
Steps:
  Install Windows Server 2003 and apply the latest service pack and updates.
  Add the server to an Active Directory domain.
  Install IIS 6.0.
  Install .NET Framework 2.0.
  Request and install the following certificates in the certificate store for the local computer:
    A computer certificate for MTLS that specifies the FQDN of the Communicator Web Access server as the common name.
    A Web Server certificate for HTTPS.
  If necessary, install the CA's certificate chain in the Trusted Root Certification Authorities node in the certificate store for the local computer.

Phase: Installing Communicator Web Access
Steps:
  Log on to the server with an account that is a member of the Administrators, Domain Admins, and RTCDomainServerAdmins groups.
  Open the Microsoft Office Communicator Web Access Deployment tool, and then perform the following steps:
    Install Communicator Web Access.
    Activate Communicator Web Access. In the wizard, select the MTLS computer certificate that you installed above.
    Create a Virtual Server. In the wizard, select the Web server HTTPS certificate that you installed during preparation.
  Create additional virtual servers, as necessary.

Phase: Preparing Clients and Signing In to Communicator Web Access
Steps:
  In Active Directory, configure user accounts by enabling them for Live Communications, entering SIP names, and enabling remote user access.
  Sign in to Communicator Web Access using the URI https://

Preparation

This section describes how to prepare the server for Communicator Web Access installation and request the required certificates.

Preparing the Server for Installation

Your environment must meet the requirements described in "Communicator Web Access Requirements" earlier in this guide. To prepare the server for Communicator Web Access server, you must perform the following steps before running the Deployment Tool.

To prepare the server for Communicator Web Access installation

  Install Windows Server 2003 on the Communicator Web Access server.
  Install Windows Server 2003 Service Pack 1 (SP1) and the latest updates.
  Add the server to an Active Directory domain. You must add the server to the same Active Directory forest and domain as Live Communications Server 2005 with SP1.
  Install IIS 6.0 on the Communicator Web Access server.
  Install .NET Framework 2.0 on the Communicator Web Access server.
  Configure a static IP address (optional) and name resolution on the Communicator Web Access server.
  Request and install the following certificates in the certificate store of the local computer:
    A computer certificate for MTLS that specifies the FQDN of the Communicator Web Access server as the common name.
    A Web Server certificate for HTTPS. Requirements for this certificate depend on whether you are running the Standard Edition or Enterprise Edition of Live Communications Server. For details, see "Planning Certificates" earlier in this document.
  If necessary, install the certificate chain for the CA in the Trusted Root Certification Authorities node in the certificate store of the local computer.

Preparing Certificates for Communicator Web Access

The Communicator Web Access server requires a certificate for MTLS and HTTPS. These certificates must be installed on the server before you begin Communicator Web Access setup. For detailed information about the required certificate configuration, see "Planning Certificates" earlier in this document.

Important: The MTLS connection will succeed only if the subject name for the MTLS certificate is the FQDN (fully qualified domain name) of the Communicator Web Access server.

The steps below describe how to download and trust the certificate chain from the Windows Server 2003 Enterprise Root CA and request the certificate with the FQDN of the Communicator Web Access server. You will be asked to choose this certificate during the Communicator Web Access setup process.

Downloading and Trusting the Certificate Chain from the Certification Authority

If you are using Microsoft Windows Server 2003 public key infrastructure (PKI) and have set up automatic enrollment, users who are authenticated in Active Directory can be automatically enrolled in a certificate through the use of a Group Policy. For information about PKI best practices, see "Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure" at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx.

If you are using another PKI infrastructure or you have not implemented automatic enrollment, use the following steps to download a certificate chain and to request a certificate on the computer. We recommend that you not use the Web enrollment component for computers that are not in your protected internal network. The following procedure assumes that the server and the user can access the internal certification authority by using the physical network and Certificate Services Web enrollment.

To download the certification authority certification path

  Log on to the server as a member of the Administrators group.
  Click Start, and then click Run. In the Open box, type http:///certsrv, and then click OK. If the CA uses a port other than the default (port 80), type http://[:]/certsrv instead.
  Under Select a task, click Download a CA certificate, certificate chain, or CRL.
  Under Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.
  In the File Download dialog box, click Save.
  Save the file to the hard disk on your server. This file has an extension of .p7b. If you open this .p7b file, the chain will have the following two certificates:
    certificate
    certificate

To install the CA certification path

  Click Start, and then click Run.
  In the Open box, type mmc, and then click OK.
  On the File menu, click Add/Remove Snap-in.
  In the Add/Remove Snap-in dialog box, click Add.
  In the list of Available Standalone Snap-ins, select Certificates.
  Click Add.
  Select Computer account, and then click Next.
  In the Select Computer dialog box, ensure Local computer (the computer this console is running on) is selected, and then click Finish.
  Click Close, and then click OK.
  In the left pane of the Certificates console, expand Certificates (Local Computer).
  Expand Trusted Root Certification Authorities.
  Right-click Certificates, point to All Tasks, and then click Import.
  In the Import Wizard, click Next.
  Click Browse and navigate to where you saved the certificate chain. Select the p7b file, and then click Open.
  Click Next.
  Leave the default value Place all certificates in the following store. Under Certificate store, ensure Trusted Root Certification Authorities appears.
  Click Next.
  Click Finish.

To request the certificate

  Open a Web browser, type the URL http:///certsrv, and then press ENTER.
  Click Request a Certificate.
  Click Advanced certificate request.
  Click Create and submit a request to this CA.
  In Certificate Template, select Web Server.
  In Identifying Information for Offline Template, type the FQDN of the Communicator Web Access server.
  In Key Options, click the Store certificate in the local computer certificate store check box.
  Click Submit.
  In the potential scripting violation dialog box, click Yes.

To install the certificate on the server

  Click Install this certificate.
  In the Potential Scripting Violation dialog box, click Yes.
  Click Start, and then click Run.
  In the Open box, type mmc, and then click OK.
  On the File menu, click Add/Remove Snap-in.
  In the Add/Remove Snap-in dialog box, click Add.
  In the list of Available Standalone Snap-ins, select Certificates.
  Click Add.
  Select Computer account, and then click Next.
  In the Select Computer dialog box, ensure Local computer (the computer this console is running on) is selected, and then click Finish.
  Click Close, and then click OK.
  In the left pane of the Certificates console, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
  Confirm that the certificate that you requested for the Communicator Web Access server with its FQDN is listed. If not, copy it from the Personal\Certificates folder to the Trusted Root Certification Authorities\Certificates folder.
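
Because the MTLS connection succeeds only when the certificate's subject name is the server's FQDN, it is worth checking the installed certificates before running setup. The following is an added example, not part of the original guide: the function names are hypothetical, it reads the local computer's Personal store, and it assumes Windows PowerShell 3.0 or later. The OID 1.3.6.1.5.5.7.3.1 is the standard Server Authentication enhanced key usage, which the Web Server template requested above carries; the guide itself does not list required key usages.

```powershell
# Added example (not from the guide): preflight check of the certificates in the
# local computer's Personal store before running Communicator Web Access setup.
$X509Namespace = 'System.Security.Cryptography.X509Certificates'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # standard Server Authentication EKU (assumption, see lead-in)

function Get-LocalFqdn {
    # Host name plus primary DNS suffix of this computer.
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ($props.DomainName) { return "$($props.HostName).$($props.DomainName)" }
    return $props.HostName
}

function Test-CwaCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)]
        [string]$ExpectedFqdn
    )
    # Simple name of the subject, which is the common name (CN) when one is present.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $subject  = $Certificate.GetNameInfo($nameType, $false)

    # Collect the enhanced key usage OIDs, if the certificate restricts its usage.
    $ekuType = [type]"$X509Namespace.X509EnhancedKeyUsageExtension"
    $ekuOids = @($Certificate.Extensions |
        Where-Object   { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Build the chain against the trusted roots. Revocation checking is turned
    # off so the check runs without network access; remove the line to include it.
    $chain = New-Object "$X509Namespace.X509Chain"
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainTrusted = $chain.Build($Certificate)
    $chainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        SubjectName   = $subject
        NameMatches   = ($subject -eq $ExpectedFqdn)          # case-insensitive compare
        HasPrivateKey = $Certificate.HasPrivateKey
        InValidity    = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        # A certificate without an EKU extension is not restricted to any purpose.
        ServerAuthEku = ($ekuOids.Count -eq 0 -or $ekuOids -contains $ServerAuthOid)
        ChainTrusted  = $chainTrusted
        ChainStatus   = ($chainStatus -join ', ')
    }
}

function Get-CwaCertificateReport {
    param([string]$ExpectedFqdn = (Get-LocalFqdn))
    @(Get-ChildItem Cert:\LocalMachine\My |
        ForEach-Object { Test-CwaCertificate -Certificate $_ -ExpectedFqdn $ExpectedFqdn })
}

$fqdn   = Get-LocalFqdn
$report = Get-CwaCertificateReport -ExpectedFqdn $fqdn
$report | Format-Table -AutoSize

$usable = @($report | Where-Object {
    $_.NameMatches -and $_.HasPrivateKey -and $_.InValidity -and $_.ChainTrusted
})
if ($usable.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My is issued to $fqdn with a private key, a current validity period and a trusted chain."
}
```

Pass a different name with -ExpectedFqdn to check a certificate whose subject is not the local server name.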

Installing Communicator Web Access

This section provides the procedures to install the Communicator Web Access server and client. To perform the procedures that are described in this section, you must be logged on as a member of the Administrators and the Domain Admins groups.

The Communicator Web Access setup procedure consists of using the Communicator Web Access server deployment tool to perform the following steps:
  Install Communicator Web Access. Install the files that are needed to activate and deploy Communicator Web Access.
  Activate Communicator Web Access. Create a service account in Active Directory (named CWAService by default). You must install Communicator Web Access before you can activate the server.
  Create a virtual server. Create the first Communicator Web Access virtual server in IIS 6.0. You can create additional virtual servers later by using Communicator Web Access Manager.
  (Optional) Install Communicator Web Access administrative snap-in. By default, Communicator Web Access Manager is installed on the computer in the first step. You can use this option later to add Communicator Web Access Manager to other computers.

These steps are described in detail in the following sections.

Instead of using the deployment tools to install Communicator Web Access as described below, you can use the command line method and invoke logging. On the Communicator Web Access server, copy the installation files to disk. Open a command prompt to the ..\i386\MSI directory of the installation files and run either of the following commands to create a log for each step:

    Msiexec.exe /i CWA.msi [/lv .txt]
    Runts.exe /user: "Msiexec.exe /I"

Note: If you want to install Communicator Web Access on a computer on which Communicator Web Access Manager is already installed, you must first remove Communicator Web Access Manager.

Installing Communicator Web Access by Using the Deployment Tools

To install Microsoft Office Communicator Web Access on a server, you must have deployed Live Communications Server 2005 with SP1. During installation of Communicator Web Access, you will be asked to select the Communicator Web Access IIS and MTLS certificate.

To open the deployment tools

  Log on to the server as a member of the Administrators and the Domain Admins groups.
  In the Communicator Web Access download folder, run Setup.exe to open the Deploy Microsoft Office Communicator Web Access page.

Figure 6: Deployment Tools page

To Install Communicator Web Access

  On the deployment tools page, next to Step 1: Install Communicator Web Access, click Install.
  On the Welcome page, click Next.
  On the License Agreement page, select I accept the terms in the license agreement, and then click Next.
  On the Customer Information page, next to User Name and Organization, type your user name and organization name, and then click Next.
  On the Ready to install page, accept the default location or click Change to select an alternate location, and then click Next.
  On the Ready to install page, click Install.
  On the Setup Complete page, click Finish.

To Activate Communicator Web Access

  On the deployment tools page, next to Step 2: Activate Communicator Web Access, click Activate.
  On the Welcome page, click Next.
  On the Select domain service account page, do one of the following:
    Select Create an account. In the Account name box, either accept the default account name or type a new domain and account name. In the Password box, type a password for the account. In the Confirm Password box, retype the password exactly as before, and then click Next.
    Select Use an existing account, and then in the Account name box enter a new domain and account name. In the Password box, type a password for the account. In the Confirm Password box, retype the password exactly as before, and then click Next.
  On the Select Server Certificate page, click Select Certificate.

Figure 7: Select Server Certificate page

  In the Select Certificate dialog box, under Issued to, select the certificate with the FQDN of the Communicator Web Access server, and then click OK.

Note: Because the Live Communications Server uses this certificate to authenticate the Communicator Web Access server, the FQDN on this certificate must be the FQDN of the Communicator Web Access server.

Figure 8: Select Certificate dialog box

  On the Select Server Certificate page, verify that the correct certificate has been selected, and then click Next.
  On the Ready to activate Communicator Web Access page, verify that the Use Server Certificate: Issued to: box contains the FQDN of the Communicator Web Access server. If it does, click Next.
  On the Success page, click Finish.

To Create the Communicator Web Access IIS Virtual Server

  On the Deployment Tools page, next to Step 3: Create a Virtual Server, click Create.
  On the Welcome page, click Next.
  On the Select Virtual Server Type page, click one of the following:
    Internal for users within the corporate network
    External for users outside the corporate network
  Click Next.
  On the Select authentication method page, select the appropriate authentication method for the virtual server type, and then click Next:
    If the virtual server is an internal site, select the Forms Based Authentication check box, the Integrated (NTLM/Kerberos) Authentication check box, or both.
    If the virtual server is an external site, the Forms Based Authentication check box is selected by default. Integrated (NTLM/Kerberos) Authentication is not available for external sites.
  On the Select Browser Connection Type page, select HTTPS (recommended) or HTTP.
  If you select HTTPS (recommended), click the Select Certificate button. On the Select Certificate page, click the certificate with the FQDN of the Communicator Web Access server, and then click OK.

Figure 9: Select HTTPS and Certificate

  On the Select Browser Connection Type page, if you selected HTTPS, verify that the correct certificate has been selected. Click Next.
  On the Select IP address and port setting page, select the IP address, or leave the setting at the default setting (All Unassigned). If you want to change the listening port for this virtual server, in Port, type a port number. Click Next.

Figure 10: Select IP Address and Port Setting

  On the Name the Virtual Server page, enter a name to distinguish the virtual server, and then click Next.
  On the Automatically Start Virtual Server page, if you want the virtual server to start after the wizard finishes, select Start this virtual server after the Create Virtual Server Wizard finishes. Click Next.
  On the Review virtual server settings page, review the settings. The Certificate: Issued to setting should be the FQDN of the Communicator Web Access server. Click Next.
  On the Success page, click Finish.

Manually Installing Communicator Web Access Manager (Optional)

Communicator Web Access Manager is automatically installed on the server when you install Communicator Web Access. If you are installing Communicator Web Access on a server, you do not need to run the optional last step, Install Communicator Web Access Administrative Snap-in. However, you can also manually install Communicator Web Access Manager on a remote computer, from which you can manage the Communicator Web Access server. For information about installing Communicator Web Access Manager on a remote computer, see "Managing the Communicator Web Access Server" later in this document.

Note: If you install Communicator Web Access Manager on a computer and then later want to install Communicator Web Access on the same computer, you must first remove Communicator Web Access Manager.

Creating Additional Virtual Servers

All Communicator Web Access virtual servers except the initial virtual server that was created during setup are created by using Communicator Web Access Manager.

To create an additional virtual server

  Start Communicator Web Access Manager: On the Start menu, click All Programs, point to Administrative Tools, and then click Communicator Web Access Manager.
  Right-click Microsoft Office Communicator Web Access Manager, and then click Connect.
  In the Computer Name box, type the server name, IP address, or FQDN (fully qualified domain name) of the Communicator Web Access server. Click OK.
  Right-click the physical server node, and then click Create Web Access Server. The Create Virtual Web Access Server wizard opens.
  On the Welcome page, click Next.
  On the Select Virtual Server Type page, select one of the following:
    Internal for users within the corporate network
    External for users outside the corporate network
  Click Next.
  On the Select authentication method page, select the appropriate authentication method for the virtual server type, and click Next:
    If the virtual server is an internal site, select the Forms Based Authentication check box, the Integrated (NTLM/Kerberos) Authentication check box, or both.
    If the virtual server is an external site, the Forms Based Authentication check box is selected by default. Integrated (NTLM/Kerberos) Authentication is not available for external sites.
  On the Select Browser Connection Type page, select HTTPS (recommended) or HTTP.
  If you select HTTPS (recommended), click Select Certificate. On the Select Certificate page, select the certificate with the FQDN of the Communicator Web Access server, and then click OK.
  On the Select Browser Connection Type page, if you selected HTTPS, verify that the correct certificate is selected. Click Next.
  On the Select IP address and port setting page, select the IP address, or leave the setting at the default (All Unassigned). If you want to change the listening port for this virtual server, in Port, type the port number. Click Next.

Important: If you assign a port number that is already being used by an existing virtual server and then you activate the new server, the existing server will be stopped automatically in order to avoid a port conflict.

  On the Name the Virtual Server page, enter a name to identify the virtual server, and then click Next.
  On the Automatically Start Virtual Server page, if you want the virtual server to start after the wizard finishes, select the Start this virtual server after the Create Virtual Server Wizard finishes check box. Click Next.
  On the Review virtual server settings page, review the settings. The Certificate: Issued to setting should be the FQDN of the Communicator Web Access server. Click Next.
  On the Success page, click Finish.

Enabling the AJAX Service for Communicator Web Access

Developers can create custom programs by using the Communicator Web Access AJAX service. For example, an organization may want to create a solution for wireless devices that allows users to manage and share presence information, manage contacts and groups, send and receive instant messages, and search for users within the organization. For information about using the Communicator Web Access AJAX service to develop custom programs, see the Communicator Web Access AJAX Service Software Development Kit (SDK) 1.0, available at http://www.microsoft.com/downloads/details.aspx?FamilyId=A839967B-680F-41E6-99B4-F020319BBD88.

You make the AJAX service available to programs by creating an additional virtual server and enabling the AJAX extension on the new virtual server.

To create a virtual server and enable the AJAX Service

  Follow the procedure in the previous section, "Creating Additional Virtual Servers," to create a virtual server for the AJAX service.
  After you create the new virtual server, start IIS Manager: On the Start menu, click All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  In the console tree, expand the server node, and then click Web Service Extensions.
  In the details pane, click Add a new Web service extension.
  In the New Web Service Extension dialog box, under Extension name, type a name for the Web extension.
  Under Required files, click Add.
  Click Browse, and then select the following file:
    :\Program Files\Microsoft Office Communicator Web Access\ajax\ajax.dll
  Click OK.
  Select the Set extension status to Allowed check box, and then click OK.
  In the IIS Manager console tree, expand Web Sites, and then click the new virtual server node.
  On the Action menu, click Properties.
  In the new virtual server Properties dialog box, click the ISAPI Filters tab, and then click Add.
  In the Add/Edit Filter Properties dialog box, in Filter name, type a filter name.
  Click Browse, and then select the following file:
    :\Program Files\Microsoft Office Communicator Web Access\ajax\ajax.dll
  Click OK, and then click OK again to close the new virtual server properties.
  In the IIS Manager console tree, expand the new virtual server node, and then click the cwa node.
  On the Action menu, click Properties.
  In the cwa Properties dialog box, on the Virtual Directory tab, click Configuration.
  Under Wildcard Application Maps, click Insert.
  In the Add/Edit Application Extension Mapping dialog box, click Browse, and then select the following file:
    :\Program Files\Microsoft Office Communicator Web Access\ajax\ajax.dll
  Click OK to close the Add/Edit Application Extension Mapping dialog box.
  Click OK, and then click OK again to close the cwa Properties dialog box.

Installing Communicator Web Access by Using the Command Line

The Communicator Web Access program files can be installed on a server by running the following Microsoft Installer files (.msi) at a command prompt:
  CWAmain.msi. Installs the Communicator Web Access program files on the server.
  CWAActivateServer.msi. Opens the Activation Wizard, which you can use to create the necessary Active Directory objects, activate the domain service account, and specify an MTLS certificate.
  CWACreateVirtualServer.msi. Opens the Create Virtual Server wizard, so that you can create virtual directories in IIS, specify an HTTPS certificate, and create the Communicator Web Access virtual server.
  InstallMMC.msi. Installs Communicator Web Access Manager. This installation is not necessary if you have already installed the Communicator Web Access program files on the server.

Note: Communicator Web Access does not support silent installation.

To install Communicator Web Access at a command prompt

  Open a command prompt window: Click Start, and then click Run. In the Open box, type cmd, and then click OK.
  At the command prompt, type the following, and then press ENTER:
    \i386\MSI
  To install the program files, at the command prompt, type the following, and then press ENTER. If you want to create a log file, include the optional /lv switch.
    Msiexec.exe /i CWA.msi [/lv .txt]

Preparing Clients and Signing in to Communicator Web Access

This section provides the procedures for configuring users for Communicator Web Access in Active Directory and signing in to Communicator Web Access.

To prepare a Communicator Web Access client

  On the client computer, install a supported operating system. Supported operating systems are listed in "Supported Client Operating Systems" earlier in this guide.
  Install a supported browser. Supported browsers are listed in "Supported Client Browsers" earlier in this guide.
  In Active Directory, configure users of the client as Live Communications Server users as described in the following procedure.

To enable a user for Communicator Web Access

  Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  In the console tree, expand the Organization Node, and then expand Users.
  Right-click Users, point to New, and then click User.
  In the First name and Last name boxes, type the user's first name and last name.
  In the User logon name box, type the user's network logon name. Click Next.
  Select one of the password policy check boxes.
  In the Password box, type a password. In the Confirm Password box, type the same password.
  Click Next, and then click Finish.
  In the Active Directory Users and Computers console tree, under Users, right-click the user's name, and then click Properties.
  In the Properties dialog box, click the Live Communications tab.
  Select the Enable Live Communications for this user check box.
  In the SIP URI box, type a SIP address, for example, in the form sip:@.com.
  In Server or pool, select ..com.
  Click Advanced Settings.
  Select the Enable remote user access check box.
  If federation is enabled in Live Communications Server, select the Enable public IM connectivity check box.
  Click OK.
  Click Apply, and then click OK.

Signing in to Communicator Web Access

This section explains how to test the ability of a client computer to connect to Communicator Web Access.

To Connect to the Communicator Web Access Client

  Log on to the client computer.
  Open a supported browser.
  If a pop-up blocker is installed, either disable it completely or disable it only for the Communicator Web Access Web site.
  Enter https:// in the browser address field. The URI to the Communicator Web Access server must match the common name in the HTTPS certificate. For example, if the common name of the certificate is im.contoso.com, the URL should be: https://im.contoso.com.
  In the Security Alert dialog box, click Yes.

If the client computer is configured to trust the same CA that Communicator Web Access trusts, you can install a certificate on the client so that users do not have to respond to the security alert. This procedure may not work in all situations.

To install a certificate for Communicator Web Access on the client computer

  In the address bar of the client browser, type http:///certsrv, and then press ENTER.
  Click Download a CA certificate, certificate chain, or CRL.
  Click Download CA certificate chain.
  In the File Download dialog box, click Open.
  Expand all the nodes in the certmgr management console.
  Double-click the certificate that you have downloaded.
  On the certificate, click Install Certificate.
  Install the certificate with the default settings.
  When the security warning appears, click Yes.

The sign-in page for an internal user running Internet Explorer on a Windows operating system is shown in Figure 11.

Figure 11: Integrated Windows Authentication

The forms-based authentication sign-in page for a remote user who is running Internet Explorer on a Windows operating system is shown in Figure 12.

Figure 12: Forms-based authentication

After the user signs in to Communicator Web Access, the main Communicator Web Access page appears.

Figure 13: Communicator Web Access Main Page

JavaScript Signing for Mozilla and Firefox Browsers

For clients that are running Mozilla and Firefox browsers, the JavaScript code for notifications (including incoming instant message desktop alerts and the flashing Communicator Web Access item in the taskbar) must be signed. By default, the JavaScript code is signed by using a Microsoft certificate. The first time that a user signs in to Communicator Web Access, a dialog box will appear asking whether the signed code should be allowed to run. The user's selection determines how these notification features will function:
  If the user allows the request, Communicator Web Access notifications and taskbar features will function correctly. If the user also selects the check box to remember the decision, the dialog box will not appear again; otherwise, it will appear each time the JavaScript code attempts to run.
  If the user denies the request, desktop alerts will open on the desktop in the background, and the taskbar item will not flash when new notifications or messages appear.

Re-sign the JavaScript Code Signing Certificate

You can re-sign the Microsoft certificate that is used to sign the JavaScript code either with a certificate that is provided by a trusted third-party certification authority (CA) or with a private certificate. If you obtain the JavaScript signing certificate from a trusted third-party CA, no additional client-side configuration is required. If you obtain the signing certificate from a private or self-hosted CA, then clients may need to be updated to trust the CA that issued the certificate.

Setup for Communicator Web Access installs a Java Archive (.jar) file in the following path, where clientversion is the version of the build:
    \Server\cwa\client\
When you re-sign the JavaScript code, you create a new Java Archive (.jar) file that contains the script file and related signing information to replace the default Java Archive (.jar) file. If you are using a private or self-hosted CA, the certificate should use the "Code signing" certificate template.
Thefollowingstepsoutlineonemethodforre-signingtheJavaScriptbyusingJavaScriptcertificatesigningtoolsprovidedbytheNetscapeBrowser.

To re-sign the JavaScript
Log on to the Communicator Web Access server as a member of the Administrators group.
Obtain the following certificate signing tools, available at http://www.mozilla.org/projects/security/pki/nss/tools:
Certutil.exe – Used to manage certificates and private keys. You can use Certutil to create a certificate database, create a private key database, and add a certificate to the certificate database.
Pk12util.exe – Used to import a certificate and private key pair file (also called a personal information exchange file) into the database that was created by Certutil.exe.
Signtool.exe – Used to sign an HTML page with a certificate and private key in the database.
Create a folder (referred to in the following steps as ), which will store database files that are created by commands in subsequent steps.
Open a Command Prompt window: Click Start, and then click Run. In the Open box, type cmd, and then click OK.
Run Certutil.exe to create a certificate database. At the command prompt, type the following, and then press ENTER:
certutil.exe -N -d
When you are prompted for a password, type a password you want to use for the certificate database.
Apply for a certificate and private key pair file from a trusted third-party CA or a private or self-hosted CA. For details about applying for a certificate, contact the certification authority. If the certificate that you receive is saved in the local computer's certificate store, export the certificate and private key into a .pfx file.
Run Pk12util.exe to import the certificate and private key file into the database that you created. At the command prompt, type the following, and then press ENTER:
pk12util.exe -i -d
Obtain the CA certificate.
Run Certutil.exe to add the CA certificate to the database. You must specify a nickname for the CA certificate. At the command prompt, type the following, all on one line, and then press ENTER:
certutil.exe -A -n -i -t "C,C,C" -d
Run Certutil.exe to list all certificates in the database. From this list, you will obtain the name of the certificate that will be used in the next step. At the command prompt, type the following, and then press ENTER:
certutil.exe -L -d
Run Signtool.exe to sign the JavaScript code by using the certificate. At the command prompt, type the following, all on one line, and then press ENTER:
Signtool -k -Z \Server\cwa\client\\SignedCode.jar -p -d \cwa\client\clientversion\SignedCode
After running this command, the new Java Archive (.jar) file that includes the script file and related signing information replaces the default Java Archive (.jar) file.
If you use a private or self-hosted CA, ensure that the clients' browsers import the certificate chain so that the signed JavaScript code will be trusted. On a large scale, this process can be easier if the CA provides a Web site that allows users to sign on and request updated certificates.
For more information about JavaScript security and signing, see http://www.mozilla.org/projects/security/components/jssec.html.
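The re-signing procedure above as one batch file with every argument written out; this is an added example, not part of the original guide. The tool directory, database folder, file names, CA nickname, and the install-directory and client-version parts of the path are placeholders (assumptions), and the backup copy and the signtool -v verification are additions to the guide's steps.

```bat
@echo off
setlocal
rem Added example, not part of the original guide. Every path, file name and
rem nickname below is a placeholder (assumption); replace them before use.
set "NSS_BIN=C:\nss\bin"
set "DB_DIR=C:\cwa-signing\db"
set "PFX_FILE=C:\cwa-signing\codesign.pfx"
set "CA_CERT=C:\cwa-signing\issuing-ca.cer"
set "CA_NICK=ExampleIssuingCA"
set "CLIENT_DIR=C:\INSTALL_DIR_PLACEHOLDER\Server\cwa\client\CLIENT_VERSION_PLACEHOLDER"
set "JAR_FILE=%CLIENT_DIR%\SignedCode.jar"
set "CODE_DIR=%CLIENT_DIR%\SignedCode"

rem Windows has its own certutil.exe and the Windows SDK has its own
rem signtool.exe. Call the NSS tools by full path so the wrong one never runs.
for %%T in (certutil.exe pk12util.exe signtool.exe) do (
    if not exist "%NSS_BIN%\%%T" (
        echo Missing NSS tool: %NSS_BIN%\%%T
        exit /b 1
    )
)

if /i "%~1"=="prepare" goto prepare
if /i "%~1"=="sign" goto sign
echo Usage: %~nx0 prepare ^| sign "certificate nickname"
exit /b 2

:prepare
if not exist "%DB_DIR%" mkdir "%DB_DIR%"
rem Create the certificate and key databases; certutil prompts for a new password.
"%NSS_BIN%\certutil.exe" -N -d "%DB_DIR%" || goto fail
rem Import the code-signing certificate and private key from the .pfx file.
"%NSS_BIN%\pk12util.exe" -i "%PFX_FILE%" -d "%DB_DIR%" || goto fail
rem Add the issuing CA certificate with the trust flags the guide uses.
"%NSS_BIN%\certutil.exe" -A -n "%CA_NICK%" -i "%CA_CERT%" -t "C,C,C" -d "%DB_DIR%" || goto fail
rem List the database; note the nickname of the imported signing certificate.
"%NSS_BIN%\certutil.exe" -L -d "%DB_DIR%" || goto fail
echo Next: %~nx0 sign "nickname shown above"
exit /b 0

:sign
set "SIGN_NICK=%~2"
if "%SIGN_NICK%"=="" (
    echo Supply the signing certificate nickname listed by the prepare step.
    exit /b 2
)
if not exist "%CODE_DIR%" (
    echo Script directory not found: %CODE_DIR%
    exit /b 1
)
rem Keep the default archive so the change can be rolled back.
if exist "%JAR_FILE%" (
    if not exist "%JAR_FILE%.orig" copy "%JAR_FILE%" "%JAR_FILE%.orig" >nul
)
rem The guide's command passes the database password with -p. It is read at
rem run time here so that it is not stored in this file; the input is echoed.
set /p "DB_PASS=Certificate database password: "
"%NSS_BIN%\signtool.exe" -k "%SIGN_NICK%" -Z "%JAR_FILE%" -p "%DB_PASS%" -d "%DB_DIR%" "%CODE_DIR%" || goto fail
set "DB_PASS="
rem Verify the signatures in the new archive before clients download it.
"%NSS_BIN%\signtool.exe" -v "%JAR_FILE%" -d "%DB_DIR%" || goto fail
echo Signed and verified: %JAR_FILE%
exit /b 0

:fail
echo A step failed; see the tool output above.
exit /b 1
```

Run it once with prepare, read the signing certificate's nickname from the certutil -L listing, and then run it again with sign and that nickname.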

Configuring Search
Users can search for contacts by specifying one or more search criteria in the Find text box. By default, the search criteria are display name and e-mail address. The user can override the default search criteria by selecting a different preference from the list next to the Find button. Options include:
Contact's first name
Contact's last name
Contact's display name
Contact's e-mail address
Contact's last name and display name
Contact's last name and e-mail address
As a system administrator, you can specify the default criteria to be used in a search by modifying the DefaultSearchField and DefaultSearchQuery settings in Windows Management Instrumentation (WMI). You can also specify the maximum number of search results that are to be returned. Table 7 lists the search-related WMI settings that can be changed.

Table 7. WMI Search Settings
WMI Setting Name | Type | Default Value | Accepted Values
DefaultSearchField | uint32 | 12 | Values in binary (decimal), with definitions:
    0001 (1): First name
    0010 (2): Last name
    0011 (3): First name; last name
    0100 (4): Display name
    0110 (6): Last name; display name
    1000 (8): E-mail address
    1010 (10): Last name; e-mail address
    1100 (12): Display name; e-mail address
DefaultSearchQuery | string | OR | AND, OR
SearchMaxServerResults | uint32 | 200 | 1 to 1000
SearchMaxClientResults | uint32 | 10 | 1 to 300
MaxQueuedSearches | uint32 | 80 | 1 to 500

The default search criteria, which you can change and the user can override, are:
Contact's first name
Contact's last name
Contact's display name
Contact's e-mail address

Search Results
In the search results, only those attributes of the returned Active Directory User objects that exist in the global catalog server are displayed to the user.
An attribute exists in the global catalog server only if it is marked for replication to the global catalog server. By default, the following Active Directory attributes are marked for global catalog server replication:
Name
E-mail
SIP URI
By default, the following attributes are not marked for global catalog server replication:
Company
Title
As an administrator, you can change the default replication behavior as explained in the next section.
After the search is completed and the attributes in the global catalog server are returned, Communicator Web Access searches the user's local Contacts list for the following attributes:
SIP Information: Phone1 Phone2 Phone3 Phone4 SubscribeToPresence IsSmartCamp NotificationSetting
These attributes are displayed in the search results along with the marked attributes described previously.
Notes
Some search results on the client may not include Title and Company, even though these attributes are marked for replication to the global catalog server. This is because the client displays some search results from the local Contacts list. The local Contacts list does not include the Job Title and Company attributes, whether they are replicated to the global catalog server or not.
Users may receive different search results when performing the same search in Communicator Web Access and Communicator. Both clients query both the user's local Contacts list and Active Directory; however, Communicator also queries the Live Communications Server Address Book, if one is configured. Communicator Web Access does not query the Address Book.

Manually Configuring Attribute Replication to the Global Catalog Server
As explained in the previous section, some user attributes in Active Directory are, by default, replicated to the global catalog server, and others, by default, are not. You can manually change the default replication behavior so that the attributes that are displayed in the search results are the ones that you want.
You can use the Active Directory Schema snap-in (Schmmgmt.msc) to manually configure an attribute for replication to the Global Catalog server. The Active Directory Schema snap-in is included in the i386 directory of Windows Server 2003 Service Pack 1 (SP1). The Windows Server 2003 Administration Tools Pack is not installed by default. You must install the Administration Tools Pack, and you must manually register the schmmgmt.dll when installation is complete.
Note: If you plan to manually configure global catalog server attribute replication on the domain controller for Communicator Web Access, you must install the version of the Adminpak.msi that is included in Windows Server 2003 SP1.

To manually configure global catalog server attribute replication
On the Communicator Web Access domain controller, in the root Windows system32 directory, double-click the Windows Server 2003 SP1 Administration Tools Pack installation program (Adminpak.msi).
Follow the instructions in the setup wizard to install the Windows Server 2003 Service Pack 1 Administration Tools Pack.
Register schmmgmt.dll: Click Start, and then click Run. In the Open box, type cmd, and then click OK. At the command prompt, type regsvr32 schmmgmt.dll, and then press ENTER.
At the command prompt, type MMC /a, and then press ENTER.
In the console window, on the File menu, click Add/Remove Snap-in, and then click Add.
On the Add Standalone Snap-in, click Active Directory Schema, and then click Add.
Click Close, and then click OK.
In the console tree, expand the Active Directory Schema [] node, and then click the Attributes node.
In the details pane, right-click the attribute whose replication behavior you want to change, and then click Properties.
In the Properties sheet, on the General tab, select or clear the Replicate this attribute to the Global Catalog check box, as appropriate, and then click OK. The next figure shows the default mail Properties screen.
Figure 14: Properties dialog box
The next time that attributes are replicated to the global catalog server, the attribute that you marked by using this procedure replicates to the global catalog server.

Configuring ISA Server 2004
Although any firewall or reverse proxy server can be used with Communicator Web Access, this section explains how to configure Microsoft Internet Security and Acceleration (ISA) Server 2004 for Communicator Web Access. ISA Server 2004 can be used as an alternative to, or in conjunction with, a VPN in your deployment of Live Communications Server 2005 with SP1 and Communicator Web Access. You can use ISA Server to provide perimeter network and internal network boundaries. You can also use ISA Server 2004 to publish one or more Communicator Web Access servers.
The Communicator Web Access solution described in this guide uses ISA Server 2004 Standard Edition to help securely connect remote users to the Communicator Web Access server on the internal network. The combination of Communicator Web Access and ISA Server 2004 provides connectivity to enabled users with only an Internet connection and a supported browser that is running on a supported operating system. Figure 15 shows the position of ISA Server in the deployment.
Figure 15: Publishing Communicator Web Access Using ISA 2004
ISA Server 2004 will publish the Communicator Web Access server so that remote users can access the corporate Communicator Web Access server by public address instead of internal FQDN. In the example shown in Figure 15, the user enters the URI (for example, https://im.contoso.com) in the browser. This URI resolves to the external network IP address (for example, 10.10.10.10). On the ISA server, the external network adapter is configured with the IP address (10.10.10.10), and the Web listener is configured to listen for HTTPS requests on the default port (443). ISA server receives the request and maps it to the IP address or FQDN of the Communicator Web Access external virtual server. If the Communicator Web Access external virtual server is configured to listen on a different port (for example, 444), ISA Server must also map to that port number.
Note: When configuring ISA Server, you can choose between mapping the external IP address to the IP address of Communicator Web Access or mapping the host name (for example, im.contoso.com) to the FQDN of the Communicator Web Access server (for example, imserver.contoso.com). If you choose the second option, the FQDN must be able to resolve to the IP address of the Communicator Web Access server.

Prerequisites
The following are required on the ISA 2004 computer:
Two network adapters on the ISA Server computer, one for the external network and one for the internal network.
Windows Server 2003 SP1
ISA Server 2004, Standard Edition or Enterprise Edition
We recommend that no other software be installed on the ISA Server. You can get the free 120-day trial of the ISA Server 2004 software at http://www.microsoft.com/isaserver/evaluation/trial/default.asp

Configure Static IP Addresses for ISA Network Adapters
It is helpful to think of the ISA Server as having two interfaces, or edges. The internal network adapter connects the internal edge of the ISA Server to the internal network, and the external network adapter connects the external edge of the ISA Server to the external network. Each network adapter on the ISA Server has a static IP address. The address and subnet of each adapter depend on the network (router) to which it is connected.

To configure the internal network adapter with a static IP address
Click Start, point to All Programs, point to Control Panel, and then double-click Network Connections.
Right-click the internal network adapter connection, and then click Properties.
On the Properties page, select Internet Protocol (TCP/IP), and then click Properties.
On the Internet Protocol (TCP/IP) Properties page, click Use the following IP address.
In the IP address box, enter an IP address on the internal subnet.
In the Subnet mask field, enter the internal subnet.
Click Use the following DNS server addresses.
In the Preferred DNS server box, enter the DNS IP address.
Click OK twice.

To configure the external network adapter with a static IP address
Click Start, point to All Programs, point to Control Panel, and then double-click Network Connections.
Right-click the external network adapter connection, and then click Properties.
On the Properties page, select Internet Protocol (TCP/IP), and then click Properties.
On the Internet Protocol (TCP/IP) Properties page, click Use the following IP address.
In the IP address box, enter an IP address for the external network.
In Subnet mask, enter the external subnet.
Click Use the following DNS server addresses.
Leave the Preferred DNS server box empty.
Click OK twice.

To set the interface order
Click Start, point to All Programs, point to Control Panel, and then double-click Network Connections.
In the Network Connections window, on the Advanced menu, click Advanced Settings.
In the Advanced Settings dialog box, click the Adapters and Bindings tab.
Under Connections, select Internal.
Click the up arrow to move the Internal to the top of the list.
Click OK.
Close the Network Connections window.

To add the internal IP address of the ISA Server to the DNS Server
Log on to the DNS Server.
Click Start, point to All Programs, point to Administrative Tools, and then double-click DNS.
In the console tree, expand Forward Lookup Zones.
Right-click the DNS server node, and then click Properties.
On Properties, select the Named Servers tab, and then click Add.
In the New Resource Record dialog box, in the Server FQDN box, type the FQDN of the ISA Server.
In the IP address box, type the IP address of the internal network adapter of the ISA Server.
Click Add, and then click OK.
In the console tree, expand Reverse Lookup Zones.
Right-click the .in-addr.arpa node, and then click Properties.
In the Properties dialog box, click the Named Servers tab, and then click Add.
In the New Resource Record dialog box, in the Server FQDN box, type the FQDN of the ISA server.
In the IP address box, type the IP address of the internal network adapter on the ISA Server.
Click Add, and then click OK.
Click Apply.
Click OK.
Close the DNS console.

Install ISA Server 2004
Install ISA Server 2004 on a server.

To install ISA Server 2004, Standard Edition
On the ISA Server 2004 installation folder or CD, run Setup.exe to start the Setup Wizard.
Follow the Setup Wizard prompts and the ISA Server 2004 setup documentation, and accept all defaults with the exception of the following settings, which are specific to Communicator Web Access.
On the Internal Network page, click Add.
Do one of the following:
On the address ranges selection page, in the From and To boxes, specify the range of addresses to include in the internal network, and then click Add.
Click Select Network Adapter. On the Select Network Adapter page, select the Add address ranges based on the Windows Routing Table check box. Under Network Adapter, select the Internal check box. Click OK.
Click OK.
On the Internal Network page, click Next.
Click Next and complete the wizard, accepting all defaults.
For more information and resources about ISA Server, visit the following Web sites:
ISA Server home page: http://www.microsoft.com/isaserver/
Knowledge Base articles about ISA and SSL Web publishing: http://support.microsoft.com/search/default.aspxcatalog=LCID%3D1033&query=isa+server+ca+certificate
Publishing guidance articles: http://www.microsoft.com/isaserver/techinfo/guidance/2004/publishing.asp

Configure Certificates on the ISA Server Firewall
An SSL certificate must be requested, and the CA certificate chain must be downloaded to the ISA Server Trusted Root Certification Authorities, Certificates folder for the local computer. The SSL certificate will be bound to the Listener for the external edge network adapter on the ISA Server 2004 computer. For details on certificate requirements and procedures, see "Digital Certificates for ISA Server 2004" at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/digitalcertificates.mspx

Create the External Communicator Web Access Virtual Server
You must deploy a Communicator Web Access virtual server that will handle traffic from clients on external, untrusted networks. This virtual server is the site that will be published by ISA Server 2004. Remote users must enter the exact URL for the external Communicator Web Access site in order to access the Communicator Web Access sign-in page. The user then must enter domain credentials to complete the forms-based authentication process.
The external Communicator Web Access virtual server uses port 444, and the internal virtual server uses port 443. These ports can be configured to meet the specific needs of your deployment.
To create the external virtual server, see "Creating Additional Virtual Servers" earlier in this guide. Specify the port number as 444.

Configure the ISA Server
To configure ISA server to help provide a secure connection, you must create a firewall policy on the ISA server. You then use SSL Web Publishing to publish the external Communicator Web Access virtual server that is available to enabled users over the Internet.

To configure internal network properties
Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
Expand all nodes in the console tree, and then select the Networks node.
In the details pane, right-click Internal, and then click Properties.
In the Internal Properties dialog box, click the Domains tab.
Click Add. In the box, type the FQDN of the domain, and then click OK.
In the Internal Properties dialog box, click the Web Browser tab.
Select all check boxes, click Direct Access, and then click Add.
Figure 16: Web Browser tab
In the Add Server dialog box, click Domain or computer. Enter the FQDN of the Communicator Web Access server, and then click OK.
Figure 17: Add the contoso.com domain
In the Internal Properties dialog box, click the Web Proxy tab.
Ensure that the Enable Web Proxy clients and Enable SSL check boxes are both selected and that the Enable HTTP check box is cleared.
In the SSL port box, type 8444, and then click Authentication.
In the Authentication dialog box, select the Integrated check box, and then click OK.
In the Internal Properties dialog box, click the Firewall Client tab.
Ensure that all check boxes are selected.
In each of the ISA Server name or IP address text boxes, type the FQDN of the ISA server.
Click Apply.
Figure 18: Firewall Client tab
Click the Auto Discovery tab.
Select the Publish automatic discovery information check box.
In the box, type 80, and then click OK.
Click Apply to commit all changes. Do not close the console.
Now you will publish the Communicator Web Access server to the external network so that authenticated and authorized clients can connect to Communicator Web Access. The Listener that you configure as part of the following procedure will listen for requests from the external network (Internet) on port 443. ISA will redirect the external traffic on port 443 to port 444 on the internal network. Traffic from the ISA Server to the Communicator Web Access server and from the Communicator Web Access server to ISA Server (all internal) is on port 444. Traffic for remote users that originates from the Communicator Web Access server on port 444 is redirected by ISA to port 443.
There are two discrete connections. The connection from the remote user to the ISA Server on port 443 terminates at the ISA server. If the remote user is successfully authenticated, the message in the original connection is inspected, reconstructed, and sent to the Communicator Web Access server over a new connection between the ISA Server and the Communicator Web Access server. Traffic destined for the remote user from the Communicator Web Access server is terminated at the ISA Server, reconstructed, and sent to the remote user over a new connection established by ISA Server. No direct connection exists in either direction between the remote user and the Communicator Web Access server, which is published by ISA Server 2004 Standard Edition using SSL Web Publishing: ISA Server acts as a proxy server.

To configure ISA Server 2004 Standard Edition to publish Communicator Web Access
In the ISA Server Management console tree, click Firewall Policy.
On the Tasks tab, click Publish a Secure Web Server.
On the Welcome page of the wizard, in SSL Web publishing rule name, type a name for the rule.
On the Publishing Mode page, click SSL Bridging.
In the Select Rule Action page, click Allow, and then click Next.
On the Bridging Mode page, click Secure connection to client and Web server, and then click Next.
On the Define Website to Publish page, you can use either the FQDN or the IP address of the Communicator Web Access Server. In the Computer name or IP address box, type the FQDN of the Communicator Web Access server. Ensure that the Forward the original host header instead of the actual one (specified above) check box is cleared. Ensure that the Path box is empty, and then click Next.
Note: If you use the FQDN to define the Communicator Web Access server, ensure that the FQDN can be resolved to the server's IP address.
On the Public Name Details page, in the Accept requests for box, select This domain name (type below). In the Public Name box, type the name that remote clients will use to access the Communicator Web Access server. Ensure that the Path box is empty. Click Next.
Note: The path you type in Public Name must be a root Web directory. Communicator Web Access does not support publishing the Communicator Web Access Web site as a subdirectory of another Web site.
On the Select Web Listener page, click New.
On the Welcome page of the Create New Web Listener Wizard, in the Web listener name box, type the name that remote clients will use to access the Communicator Web Access server, and then click Next.
On the IP Addresses page, select the check box in front of External and ensure that all other check boxes are cleared so that the Web listener will listen only to the traffic coming from the external network.
Click Address.
Under Listen for requests on, click Specified IP addresses on the ISA Server computer in the selected network.
Under Available IP Addresses, click the IP address for the ISA External network adapter.
Click Add, click OK, and then click Next.
On the Port Specification page, clear the Enable HTTP check box, select the Enable SSL check box, and make sure that the number in the SSL port box is 443.
Click Select.
On the Select Certificate page, select the SSL certificate. The common name on the certificate must match the public name. This name is the URL that remote users will use to connect to the published Communicator Web Access server on the internal network.
Click OK.
Note: We recommend that you not use the same URL for external and internal connections in a production environment.
On the Port Specification page, click Next.
On the Completing the New Web Listener Wizard, click Finish.
On the Select Web Listener page, verify the Web listener properties, and then click Next.
On the User Sets page, click Next to accept the default of All Users.
On the Completing the New SSL Web Publishing Rule Wizard, click Finish.
On the main ISA management console, click Apply to commit the changes you made.
On the Apply New Configuration confirmation box, click OK.
In the main ISA management console, the Firewall Policy tab should contain rule 1 named imserver.contoso.com and the Last Default Rule.
At this point, you have two virtual servers, CommunicatorWebAccess_Internal and CommunicatorWebAccess_External. CommunicatorWebAccess_External is SSL Web Published by ISA Server 2004. CommunicatorWebAccess_Internal is accessible from SSL port 443, and CommunicatorWebAccess_External is accessible from SSL port 444. On a computer on the internal network with permission to access both virtual servers, port 444 must be specified to access the external site. Port 443 is the default, and it does not need to be specified to access the internal site.
You will now configure ISA to automatically redirect the remote user traffic from the public URL to the external virtual server on port 444 so that the user does not have to specify port 444. This step is necessary so that ISA Server will direct requests to port 443, which by default is used by the internal virtual server. For security reasons, it is important to isolate the internal servers from external traffic. After you automatically redirect remote user traffic, internal and remote users can connect to Communicator Web Access server by using the same URL. Communicator Web Access will always direct a given user to the appropriate virtual server on the correct port.

To configure ISA to redirect external requests to port 444 internally
Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
In the ISA Server Management console tree, click the Firewall Policy node.
In the details pane, right-click the firewall policy corresponding to the Communicator Web Access server, and then click Properties.
On the Properties page, click the Bridging tab.
On the Bridging tab, click Web server, clear the Redirect requests to HTTP port check box, select the Redirect requests to SSL port check box, and type 444 in the box to the right. You do not need to select a certificate on this page.
Click OK.
In the ISA Server Management console, click Apply to commit the changes you have made.
On the Apply New Configuration confirmation box, click OK.
Use a remote client to test the configuration. On the client, enter the URI https:// in the browser.
In the Security Alert dialog box, click Yes.
You should see the Forms-based Communicator Web Access sign-in page.
Figure 19: Forms-based Communicator Web Access Login
After signing in to Communicator Web Access, the main Communicator Web Access client window should appear.

Management and Operations
This section describes options for managing, configuring, and monitoring Communicator Web Access.

Managing the Communicator Web Access Server
This section explains how to use Communicator Web Access Manager to manage one or more Communicator Web Access servers from a Communicator Web Access server or from a remote computer. When you connect to a physical Communicator Web Access server, information about the server, including the number of virtual servers that it contains, is displayed in the details pane of Communicator Web Access Manager. You can use Communicator Web Access Manager to configure the properties of both physical servers and virtual servers.
From Communicator Web Access Manager, you can do any of the following:
Connect to a physical server.
Disconnect a server.
Deactivate a server before removing it from service.
Create a new Web access server (virtual server).
You can also take the following actions on virtual servers:
Start, stop, and restart a virtual server.
Import or export a configuration file of the virtual server's settings.
Refresh the virtual server.
Delete the virtual server.
You can also configure authentication and connectivity properties.
During Communicator Web Access setup, Communicator Web Access Manager is automatically installed on the server. You can also install the manager on a remote computer by opening the deployment tools and selecting the last option, Install Communicator Web Access Manager. For details about the deployment tools, see "Installing Communicator Web Access by Using the Deployment Tools" earlier in this guide.
Communicator Web Access Manager will run on any of the following operating systems:
Windows XP Professional Edition
Windows Server 2003, Standard Edition
Windows Server 2003, Enterprise Edition
Communicator Web Access Manager is not supported on any version of Windows 2000.
A Communicator Web Access snap-in for the Microsoft Management Console is also installed during Communicator Web Access installation. If your organization has a large number of administrators, you can create a console that contains the snap-in and redistribute the .msc file to administrators with read-only access.
Important: You must install IIS Manager on a remote computer before you can install Communicator Web Access Manager. Only the management components are required; you do not need to install IIS on the computer. You can use Control Panel to install the Internet Information Services Snap-in (Windows XP) or Internet Information Services Manager (Windows Server 2003), or you can download the Internet Information Services (IIS) 6.0 Manager for Windows XP.

To install Communicator Web Access Manager on a remote computer
Log on to the server as a member of the Administrators and the Domain Admins groups.
In the Communicator Web Access installation folder, run Setup.exe to open the Deploy Microsoft Office Communicator Web Access page.
On the deployment page, click Step 4: Install Communicator Web Access Administrative Snap-in.
On the Welcome page, click Next.
On the License Agreement page, click I accept the terms in the license agreement, and then click Next.
On the Ready to Install page, accept the default location, or click Change to select an alternate location, and then click Next.
On the Ready to Install page, click Install.
On the Setup Complete page, click Finish.

To connect to the Communicator Web Access server
On the Start menu, click All Programs, click Administrative Tools, and then click Communicator Web Access Manager.
Right-click Microsoft Office Communicator Web Access Manager, and then click Connect.
In the Computer Name box, type the server name, IP address, or FQDN (fully qualified domain name) of the Communicator Web Access server, and then click OK.
After your logon has been authenticated and authorized, Communicator Web Access Manager appears.
Note: If your user account is not authorized to log on to the Communicator Web Access server, you can connect as another user by selecting the Connect As check box, entering credentials for that user, and then clicking OK.
Figure 20: Communicator Web Access Manager

To Deactivate the Communicator Web Access server
In Communicator Web Access Manager, connect to the Communicator Web Access server with an account that is a member of the Administrators and RTCDomainServerAdmins groups.
Right-click the physical server node, and then click Deactivate.
On the Welcome to the De-activate Wizard page, click Next.
On the Review before De-Activation page, click Next.
On the De-activation Wizard has been completed successfully page, click Finish.

Managing Virtual Servers
During installation of Communicator Web Access, a Communicator Web Access virtual server (Web site) is created in IIS with the appropriate virtual directories, content, and default Web site settings. The default IIS settings are listed in "Default Communicator Web Access IIS 6.0 Settings" earlier in this document. To change any of these settings on the Communicator Web Access Web site, use IIS Manager. For details about IIS Manager, see the IIS Manager documentation.
The Communicator Web Access deployment tools will create only the first Communicator Web Access virtual server. In order to create additional virtual servers, for example, for remote user access, you must use Communicator Web Access Manager.
After Communicator Web Access is installed, you can add virtual servers to the same Communicator Web Access server. For example, you can create multiple Communicator Web Access virtual servers to take advantage of server isolation, provided by IIS 6.0, to logically separate external and internal users even if all traffic is routed through the same physical server.

To Import a Configuration file
In Communicator Web Access Manager, connect to the Communicator Web Access server with an account that is a member of the Administrators and RTCDomainServerAdmins groups.
Expand the tree view, right-click the server FQDN node, and click Import Configuration file.
On the Welcome to the Import Wizard page, click Next.
On the Select Configuration File to Import page, enter the file name including path, or click the Browse button to enter the file name and path. If you click the Browse button, on the Open page, locate the .XML file to import, and then click Open.
On the Select Configuration File to Import page, click Next.
On the Import Wizard was successfully completed page, click Finish.
In Communicator Web Access Manager, right-click the virtual server node, and then click Properties.
Click the Connectivity tab.
Under Server certificate, if HTTPS (recommended) is selected, click Select Certificate, and then select the Web Server certificate to use for HTTPS.

To Export a Configuration file
In Communicator Web Access Manager, connect to the Communicator Web Access server with an account that is a member of the Administrators and RTCDomainServerAdmins groups.
Expand the tree view, right-click the Web Access Server node, and then click Export Configuration File.
On the Welcome to the Export Wizard page, click Next.
On the Select Configuration File to Import page, enter the file name including path, or click the Browse button to enter the file name and path. If you click the Browse button, on the Open page, locate the .XML file to import, and then click Open.
On the Choose Destination Folder page, click Next.
On the Export Wizard was successfully completed page, click Finish.

Virtual server properties
When you right-click the Microsoft Office Communicator Web Access server node in the tree view pane, Communicator Web Access Manager displays a property sheet with three configuration tabs:
General
Authentication
Connectivity
Figure 21: General Tab
On the General tab, the Live Communications Server box displays the FQDN of the Live Communications Server that should receive traffic from Communicator Web Access users. If you leave the box blank (the recommended setting for most deployments), Communicator Web Access will determine each user's Live Communications Server home server and route traffic accordingly. If you want to route user traffic through a specified Live Communications Server, type the FQDN (fully qualified domain name) of the Live Communications Server in the box. For example, you may want to archive traffic from remote users only. In that case, you would deploy a Live Communications Server Director for external traffic and enable archiving. When you configure the Communicator Web Access external virtual server, you would use this box to specify the FQDN of the Director.
Figure 22: Authentication Tab
On the Authentication tab, you can set public and private timeouts for the external site. For security reasons, you might want to configure your external site timeouts to be shorter than the default internal site timeouts. Reducing the timeout can help reduce the risk of an unauthenticated user finding an unattended, authenticated session. An unattended, authenticated session can result from a user walking away from an authenticated session on an external, public computer.
Only forms-based authentication can be used by remote users. For internal sites, you can specify the authentication method. Timeout settings are disabled for internal sites.
If the Allow user specific URI check box is selected, users can include a contact's SIP address in the server URI. For example, a user could enter the following URI in the browser:
https://im.contoso.com/bob@contoso.com
If the Allow user specific URI without any supplied domain check box is selected, users can include a contact's SIP address in the server URI, but the domain portion of the SIP address is optional. For example, a user could enter the following URI in the browser:
https://im.contoso.com/bob
If both check boxes are cleared, the user must identify the contact as a separate step. For example, a user could enter only the following URI in the browser:
https://im.contoso.com
The user must then supply the SIP address of the contact in the form that appears on the home page of the server.

Monitoring
This section discusses options for monitoring Communicator Web Access.
The Microsoft Office Communicator Web Access Management Pack for Microsoft Operations Manager (MOM) 2005 adds the following Communicator Web Access-related information to MOM 2005 SP1:
Computer Group
Admins Notification Group
Event Rules
Performance Rules
Alert Rules
By using these features, MOM administrators can monitor Communicator Web Access servers and receive automatic e-mail notifications of critical events. Some examples of critical events include the following:
The CWA service unexpectedly terminates.
A huge backlog of users is trying to log on to the system.
Communicator Web Access cannot connect to Active Directory, so it cannot authenticate users or search for contacts.
The management pack helps keep you aware of issues that need attention. It also provides additional information for responding to critical issues beyond the information provided by the standard event logs and performance counters that are included with Windows and Windows Server.
The following components are not provided in the Communicator Web Access management pack; however, you can add these components by using the MOM Pack authoring features:
State Views
Custom Tasks
Scripts for automated responses
Reporting

System Requirements
The Communicator Web Access management pack requires the following software:
Microsoft Operations Manager 2005 SP1
Live Communications Server 2005 with SP1 Management Pack (optional, but highly recommended)

To install the Communicator Web Access management pack
On a computer with the MOM Administrator Console installed, download the management pack from the Management Pack and Product Connector Catalog at http://www.microsoft.com/management/mma/catalog.aspx.
Run the Microsoft Windows Installer to install the management pack files in a local, temporary folder.
Click Start, point to Programs, and then click Microsoft Operations Manager 2005.
From Microsoft Operations Manager 2005, click Administrator console.
In the management pack tree in the console, select Import/Export Management Pack.
On the Select Management Packs page, select the management packs that you want to import, and then select an import option.

Using the MOM Pack

Microsoft Operations Manager collects events and performance data from the monitored systems. Administrators can view the results in the MOM operator console. The following views display Communicator Web Access data:

- Alerts View
- Events View
- Performance View

Important: To ensure that notifications work properly, manually add an Operator object for each network administrator to MOM and configure its e-mail settings (and pager settings, if desired). Then add the Operator object to the Live Communications Server administrators notification group. After you perform these steps, when an error-level alert (or higher severity) occurs, the Live Communications Server operator should be notified by e-mail (and by pager, if configured).

In the MOM 2005 administrator console, the Microsoft Office Communicator Web Access node appears under the Microsoft Office Live Communications Server 2005 node. The Microsoft Office Communicator Web Access node contains the following rule groups:

Authentication Performance Policy Session Service User Search

Each rule group may contain event rules, performance rules, and an alert rule. The alert rules are configured to send e-mail to the Live Communications Server administrators notification group whenever MOM receives an event or performance counter with a severity of Error or higher. The following alert levels are also available in MOM:

- Service Unavailable
- Security Issue
- Critical Error
- Error
- Warning
- Information
- Success

The Communicator Web Access management pack also installs the necessary event and performance counter providers and the Communicator Web Access computer group so that MOM can automatically find Communicator Web Access servers and collect the appropriate information.

Customizing the Management Pack

Depending on their needs, organizations can customize the Communicator Web Access management pack by making the following modifications:

Modify rules – You can suppress events that are appearing too frequently or disable unnecessary events. You can also configure pager data to notify network administrators by their pagers when alerts occur.

Customize tracking – You can use performance rules and some of the information event rules to track service performance, manage service levels (for example, identify peak usage periods and periods of increased latency), and track service uptime.

Expand functionality – You can add your own rules, tasks, and automated responses.

Additional MOM Resources

For additional information about MOM 2005, please see the following resources:

- MOM Security Guide. http://www.microsoft.com/technet/prodtechnol/mom/mom2005/secguide5.mspx
- MOM Catalog. http://www.microsoft.com/management/mma/catalog.aspx
- MOM Resource Kit. http://www.microsoft.com/mom/downloads/2005/reskit/default.mspx

Removing Communicator Web Access

This section describes how to remove Communicator Web Access from a server.
You must first deactivate the Communicator Web Access server to remove its corresponding entry from Active Directory.

Note: If Live Communications Server and Communicator Web Access are colocated on the same server, deactivating Communicator Web Access will also deactivate Live Communications Server. Because Active Directory contains a single entry for the physical server, deactivating one of the server roles removes the physical server entry in Active Directory, and consequently, both server roles become unavailable.

To deactivate the Communicator Web Access server

Click Start, point to All Programs, point to Administrative Tools, and then click Communicator Web Access Manager.
In the Communicator Web Access Manager console tree, right-click the physical server node, and click Deactivate.
Follow the steps in the wizard to deactivate the server.

To remove the Communicator Web Access server

Click Start, click Control Panel, and then click Add or Remove Programs.
Click Change or Remove Programs.
From the Currently installed programs list, click Microsoft Office Communicator Web Access server.
Click Remove.
Click Yes.

Appendixes

Appendix 1: Accounts

This section describes the accounts required for Communicator Web Access.

Accounts Created by Communicator Web Access Setup

The following account is created by the Communicator Web Access setup program.

Table 8: Account Created by Setup

| Account Name | Member Of |
| --- | --- |
| CWAService | RTCHSDomainServices |

Administrator Groups

The following administrator group changes are required for Communicator Web Access.

Table 9: Administrator Group Changes

| Account Name | Changes |
| --- | --- |
| RTCDomainServerAdmins | The RTCDomainServerAdmins group is created by Live Communications Server. During setup, Communicator Web Access adds RTCDomainServerAdmins to the local Administrators group. |

Appendix 2: Enabling Activation Without Using Domain Admins Credentials

To activate the Communicator Web Access server, you must be logged on as a member of the Domain Admins group or a group with equivalent user rights. If you do not want to add an administrator to the Domain Admins group, you can still allow the administrator to activate the server by creating a new security group, granting the security group only the rights and permissions that are required to run the Communicator Web Access Activation Wizard, and adding the administrator to the new security group.

The following permissions are required to run the Communicator Web Access Activation Wizard:

- Rights equivalent to membership in the Administrators group on the local computer.
- Permissions on the Live Communications Server global container RTC Service, to create and delete global settings.
- Permissions on the container that contains the RTCDomainServerAdmins group and the RTCHSDomainServices group to create and delete accounts.
- Read and Write permissions on the service account that is specified during activation.

To grant a user these permissions, you can perform the following tasks:

- Create a service account for Communicator Web Access in the same container that contains the RTCDomainServerAdmins group and the RTCHSDomainServices group. This service account will be specified during activation.
- Create a global security group and give it a name, for example, CWAServerAdmins.
- Grant the new security group the permissions necessary to create and delete global settings. The group must have the following permissions on the RTC Service object: Read, Create All Child Objects, and Delete All Child Objects.
- Grant the new security group the permissions necessary to create and delete accounts. The account must have the following permissions on the Users container (or the container that contains the RTCDomainServerAdmins group and the RTCHSDomainServices group): Read, Create All Child Objects, and Delete All Child Objects.
- Grant the new security group Read and Write permissions on the service account that will be specified during activation.
- Add the administrator's user account to the new security group, so that the administrator can run the Communicator Web Access Activation Wizard without membership in the Domain Admins group.

The following procedures describe these steps in detail.

To create a service account that will be specified during activation

Log on to a computer as a member of the Domain Admins group for the domain where you will deploy Communicator Web Access.
Open Active Directory Users and Computers: Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
In the console tree, expand the domain node, right-click Users, click New, and then click User. Create the service account in the same container that contains the RTCDomainServerAdmins group and the RTCHSDomainServices group; this service account will be specified during activation.
In First name, type the account name (for example CWAServiceAccount).
In User logon name, type the same account name.
Click Next.
In Password, type a password.
In Confirm password, type the same password.
Clear the User must change password at next logon check box.
Click Next, and then click Finish.
In the details pane, right-click RTCHSDomainServices, and then click Properties.
Click the Security tab.
Click Add.
Under Enter the object names to select, type the service account name, and then click OK.

To create a security group

Log on to a computer as a member of the Domain Admins group for the domain where you will deploy Communicator Web Access.
Open Active Directory Users and Computers: Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
In the Active Directory Users and Computers console tree, right-click Users, click New, and then click Group.
In Group name, type the group name (for example CWAServerAdmins).
Under Group Scope, accept the default Global.
Under Group type, accept the default Security.
Click OK.

To grant the required global permissions to the security group

Log on to a computer as a member of the Domain Admins group for the domain where you will deploy Communicator Web Access.
Open Active Directory Users and Computers: Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
On the View menu, click Advanced Features.
In the console tree, expand the root domain node, expand System, expand Microsoft, and then expand RTC Service.
Right-click Global Settings, and then click Properties.
Click the Security tab, and then click Add.
In the Enter the object names to select box, type the name of the global security group (for example, CWAServerAdmins), and then click OK.
Next to the following permissions, click Allow:
- Read
- Create All Child Objects
- Delete All Child Objects
Click OK.

To grant permissions required to create and delete accounts to the security group

Log on to a computer as a member of the Domain Admins group for the domain where you will deploy Communicator Web Access.
Open Active Directory Users and Computers: Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
In the Active Directory Users and Computers console tree, expand the node of the domain where Communicator Web Access will be installed.
Right-click Users (or the container that contains the RTCDomainServerAdmins group and the RTCHSDomainServices group), and then click Properties.
Click the Security tab, and then click Add.
In the Enter the object names to select box, type the name of the global security group (for example, CWAServerAdmins), and then click OK.
Next to the following permissions, click Allow:
- Read
- Create All Child Objects
- Delete All Child Objects
Click OK.

To grant permissions on the service account to the security group

Log on to a computer as a member of the Domain Admins group for the domain where you will deploy Communicator Web Access.
Open Active Directory Users and Computers: Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
In the Active Directory Users and Computers console tree, click Users.
In the details pane, right-click the service account you created (for example CWAServiceAccount), and then click Properties.
Click the Security tab, and then click Add.
Under Enter the object names to select, type the name of the global security group (for example, CWAServerAdmins), and then click OK.
Next to the following permissions, click Allow:
- Read
- Write
Click OK.

To add a user to the security group

In the Active Directory Users and Computers details pane, right-click the name of the global security group (for example, CWAServerAdmins), and then click Properties.
Click the Members tab.
Click Add.
Under Enter the object names to select, type the user account name, and then click OK twice.

The user now has the rights and permissions necessary to run the Communicator Web Access Activation Wizard.

Appendix 3: WMI Settings

The following table lists the default Communicator Web Access server WMI settings for an internal and an external virtual server instance. The WMI properties that can be changed directly, without using Communicator Web Access Manager, are identified in the Can be Changed column. Any changes made directly to WMI properties take effect immediately without restarting the virtual server.
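
Because a direct WMI change is live as soon as it is written, it helps to check a proposed value against Table 10 (which follows) before applying it. The Python sketch below is an added example, not part of the original guide or of Communicator Web Access: it encodes only the MSFT_CWASiteSetting rows of Table 10, and the function names, the lowercase "internal"/"external" keys and the sample change set are assumptions made for illustration.

```python
"""Pre-change check for MSFT_CWASiteSetting values, built from Table 10 (added example)."""
UINT32_MAX = 2**32 - 1

def between(lo, hi):
    return lambda v: lo <= v <= hi

# Properties that Table 10 marks "No" in the "Can be changed" column.
READ_ONLY = {"ConnectivityType", "Description", "FQDN", "IP", "Name", "Port"}

# Properties marked "Yes": name -> (Python type, accepted-values check or None).
WRITABLE = {
    **{n: (bool, None) for n in ("AllowDomainlessUri", "AllowFormAuth",
                                 "AllowIwaAuth", "AllowSingleSignon")},
    **{n: (str, None) for n in ("BackendLCS", "ServerType", "UserNotice")},
    **{n: (int, None) for n in ("DefaultLanguageID", "FormPrivateTimeoutMin",
                                "FormPublicTimeoutMin")},
    "DefaultSearchField": (int, lambda v: v in {0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 12}),
    "DefaultSearchQuery": (str, lambda v: v in {"AND", "OR"}),
    "MaxQueuedSearches": (int, between(1, 80)),
    "SearchMaxClientResults": (int, between(1, 300)),
    "SearchMaxServerResults": (int, between(1, 1000)),
}

# Table 10 defaults for the authentication and timeout settings, per server type.
DEFAULTS = {"internal": {
    "AllowDomainlessUri": False, "AllowFormAuth": True, "AllowIwaAuth": True,
    "AllowSingleSignon": True, "FormPrivateTimeoutMin": 240, "FormPublicTimeoutMin": 15}}
DEFAULTS["external"] = dict(DEFAULTS["internal"], AllowIwaAuth=False)

def review_change(server_type, changes):
    """Return (errors, notes): errors block the change, notes flag drift from defaults."""
    defaults, errors, notes = DEFAULTS[server_type], [], []
    for name, value in changes.items():
        if name in READ_ONLY:
            errors.append(f"{name}: listed in Table 10 as not directly changeable")
        elif name not in WRITABLE:
            errors.append(f"{name}: not an MSFT_CWASiteSetting property in Table 10")
        else:
            typ, accepted = WRITABLE[name]
            # type() rather than isinstance(): bool is a subclass of int in Python.
            if type(value) is not typ:
                errors.append(f"{name}: expected {typ.__name__}, got {type(value).__name__}")
            elif typ is int and not 0 <= value <= UINT32_MAX:
                errors.append(f"{name}: {value} does not fit in uint32")
            elif accepted is not None and not accepted(value):
                errors.append(f"{name}: {value!r} is outside the accepted values")
            elif name in defaults and value != defaults[name]:
                notes.append(f"{name}: {value!r} differs from the "
                             f"{server_type} default {defaults[name]!r}")
    return errors, notes

# Constructed change set for an external virtual server (not taken from a real system).
SAMPLE = {"AllowIwaAuth": True, "DefaultSearchField": 7, "MaxQueuedSearches": 80,
          "Port": 8443, "FormPublicTimeoutMin": 15}

if __name__ == "__main__":
    errs, drift = review_change("external", SAMPLE)
    print("\n".join(["REJECT " + e for e in errs] + ["REVIEW " + d for d in drift]))
```

The check is strict about the accepted values exactly as Table 10 prints them, so DefaultSearchQuery must be AND or OR in upper case.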
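
Table 10: WMI Settings

MSFT_CWASupportedLanguage

| Can be changed | Name | Type | Value |
| --- | --- | --- | --- |
| No | Enabled | boolean | true |
| No | FriendlyName | string | English |
| No | LanguageID | uint32 | 1033 |
| No | LanguageTag | string | EN |

MSFT_CWASiteSetting

| Can be changed | Name | Type | Value |
| --- | --- | --- | --- |
| Yes | AllowDomainlessUri | boolean | false |
| Yes | AllowFormAuth | boolean | true |
| Yes | AllowIwaAuth | boolean | true (false for external) |
| Yes | AllowSingleSignon | boolean | true |
| Yes | BackendLCS | string | |
| No | ConnectivityType | string | HTTPS |
| Yes | DefaultLanguageID | uint32 | 1033 (English) |
| Yes | DefaultSearchField | uint32 | 12. Accepted values: 0000 (0), 0001 (1), 0010 (2), 0011 (3), 0100 (4), 0101 (5), 0110 (6), 1000 (8), 1001 (9), 1010 (10), 1100 (12) |
| Yes | DefaultSearchQuery | string | OR. Accepted values: AND, OR |
| No | Description | string | |
| Yes | FormPrivateTimeoutMin | uint32 | 240 |
| Yes | FormPublicTimeoutMin | uint32 | 15 |
| No | FQDN | string | |
| No | IP | string | [blank] |
| Yes | MaxQueuedSearches | uint32 | 80. Accepted values: 1 to 80 |
| No | Name | string | W3SVC/ |
| No | Port | uint32 | 443 |
| Yes | SearchMaxClientResults | uint32 | 10. Accepted values: 1 to 300 |
| Yes | SearchMaxServerResults | uint32 | 200. Accepted values: 1 to 1000 |
| Yes | ServerType | string | Internal (external for external) |
| Yes | UserNotice | string | [Blank] |

MSFT_CWAServerSetting

| Can be changed | Name | Type | Value |
| --- | --- | --- | --- |
| No | Activated | boolean | true |
| No | Name | string | Server FQDN |
| No | TLSCertIssuer | array of uint8 | |
| No | TLSCertSN | array of uint8 | |

Appendix 4: Configuring IIS 6.0

This section describes the changes that Communicator Web Access makes in IIS 6.0 and discusses configuration considerations.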
The Communicator Web Access Setup Wizard makes a number of changes in IIS 6.0, as shown in the next figure.

Figure 23: IIS 6.0 MMC

Application Pools

The Communicator Web Access, Create Virtual Server Wizard creates two application pools for the first virtual server created:

- Communicator Web Access
- W3SVC

The Communicator Web Access, Create Virtual Server Wizard creates one application pool for each virtual server that is created after the first virtual server:

- W3SVC

Web Service Extensions

The Communicator Web Access, Create Virtual Server wizard creates a Web service extension for the first virtual server that is created. The cwaauth attribute must be set to Allowed in the IIS 6.0 Manager. Creation of subsequent virtual servers does not result in additional Web service extensions.

Important: Do not use the recycling options in the application pool properties. The recycling application pool settings are specified on the Recycling tab of an application pool's Properties dialog box. Because some Communicator Web Access processes are stateful, using any of these recycling options can result in failures.

For additional information see "Web Application Services Operations" in the Windows Server System Reference Architecture (WSSRA) at: http://www.microsoft.com/technet/itsolutions/wssra/raguide/WebApplicationServices/igwaog_2.mspx

Default Communicator Web Access IIS 6.0 Settings

During Communicator Web Access setup, several IIS settings are configured automatically. The default settings configured by setup are listed in Table 11.

Table 11: Default IIS 6.0 MMC, Communicator Web Access Web site settings

Web Site Tab

| Setting Name | Type | Setting Value |
| --- | --- | --- |
| Description | text box | Communicator Web Access |
| IP Address | drop-down list box | (All Unassigned) |
| TCP Port | text box | 80 |
| SSL Port | text box | 443 |
| Connection Timeout | text box | 120 |
| Enable HTTP Keep-Alives | check box | selected |
| Enable logging | check box | selected |
| Active log format | drop-down list box | W3C Extended Log File Format |

Advanced Web Site Identification - Multiple identities for this Web Site

| Setting Name | Type | Setting Value |
| --- | --- | --- |
| IP Address | text box | Default |
| TCP Port | text box | 80 |
| Host Header Value | text box | |

Advanced Web Site Identification - Multiple SSL identities for this Web Site

| Setting Name | Type | Setting Value |
| --- | --- | --- |
| IP Address | text box | Default |
| SSL Port | text box | 443 |

Logging Properties - General Tab

| Setting Name | Type | Setting Value |
| --- | --- | --- |
| New log schedule | radio buttons | Daily radio button selected |
| Use local time for file naming and rollover | check box | unselected |
| Log file directory | text box | %windir%\system32\LogFiles |

Logging Properties - Advanced Tab

| Setting Name | Type | Setting Value |
| --- | --- | --- |
| Extended logging options | lots of check boxes | Unselected: Server Name (s-computername), Bytes Sent (sc-bytes), Bytes Received (cs-bytes), Time Taken (time-taken), Protocol Version (cs-version), Host (cs-host), Cookie (cs(Cookie)), Referer (cs(Referer)). Selected: All remaining check boxes |

Performance Tab

| Setting Name | Type | Setting Value |
| --- | --- | --- |
| Bandwidth Throttling | check box | unselected |
| Web site connections | radio buttons (2) | Unlimited radio button selected |

ISAPI Filters Tab

| Setting Name | Type | Setting Value |
| --- | --- | --- |
| Filter Name | text box | cwaauth |
| Priority | text box | Low |

Configuring for Performance

To maintain peak performance of your Communicator Web Access servers, you can configure the following IIS property settings:

Web Site Connections – Web site connections are set to unlimited by default. Connection limits restrict the number of simultaneous client connections to your Web sites and your Web server. Limiting connections conserves memory and protects against malicious attempts to overload your Web server with thousands of client requests.

Bandwidth throttling – By default, bandwidth throttling is disabled. If the network or Internet connection that is used by the Communicator Web Access server is also used by other services such as e-mail or news, you may want to limit the bandwidth that is used by each service. If your Web server hosts more than one Web site, you can individually throttle the bandwidth that is used by each site.

IIS Logging – IIS logging is enabled by default. When IIS logging is enabled, the IIS log files could use up the free disk space on the server over a period of time. For example, in a deployment that supports 1,000 or more users, free disk space could be depleted within a few days. To keep Communicator Web Access server running properly, you should enable IIS logging only for debugging purposes, or you should regularly delete obsolete files.

For information about tuning IIS 6.0 settings, see "Performance Tuning (IIS 6.0)" at http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/71490aae-f444-443c-8b2a-520c2961408e.mspx.
