(Part 3 of 3) The complete step-by-step setup guide for deploying Microsoft Unified Communications products with Enterprise Voice in a lab environment using a single Windows Server 2008 Hyper-V computer and a single Internet IP address


 

Configuring OCS 2007 R2 Communicator Web Access

Now we will install the OCS 2007 R2 CWA role.  Although the Communicator Web Access setup program only allows you to create a single virtual server instance (internal or external), a CWA server can be configured to host both types of virtual servers on the same computer.  Since I really don’t use CWA internally that much in my lab, I opted to install a single external virtual server instance on my CWA server.  Both external and internal users will access the same CWA virtual server instance using https://cwa.contoso.com.

 

Step 1 – Connect to the Virtual Machine that will host the OCS 2007 R2 CWA role

To configure one of the virtual machines to host the OCS 2007 R2 CWA server role, we’ll need to connect to the Windows 2008 host computer and launch the Server Manager console.  Expand the Hyper-V role and verify that the virtual machine for Communicator Web Access was created with the following specifications: 


Role:        OCS 2007 R2 Communicator Web Access
Memory:      512MB
Network:     One (1) Virtual NIC
Hard Disk:   16GB Virtual Hard Disk
OS Version:  Windows Server 2003 SP2 (x64)
FQDN:        CWA-R2.contoso.com (domain-joined)
IP Address:  192.168.1.12

To configure the server, double-click on the Communicator Web Access virtual server within the Hyper-V section of the Server Manager console.

 

Step 2 – Configure OCS 2007 R2 CWA Network Settings

Next, we need to configure the network settings for the Communicator Web Access virtual machine.  Since we will be using only an external CWA virtual server, only one NIC is required.  If you’re wondering why I suggest using an external CWA virtual directory rather than an internal one, it is because the Remote Desktop Sharing functionality is offered by the CWA external virtual directory.

A.  To configure OCS 2007 R2 CWA network settings

  1. Log on to the OCS 2007 R2 CWA Server virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then click Run.  Type ncpa.cpl and press Enter to launch Network Connections.  
  3. Right click on the Local Area Network network interface and select Properties.
  4. Highlight Internet Protocol (TCP/IP) and click on the Properties button.
  5. Under the General tab of TCP/IP Properties, configure the network adapter as follows:

    Choose Use the following IP address.

         IP Address:  192.168.1.12  
         Subnet Mask:  255.255.255.0
         Default Gateway:  192.168.1.1  (our Linksys Router)

    Choose Use the following DNS servers.
     
         Primary DNS Server:  192.168.1.10  (our internal DNS server)
         Alternate DNS Server:  None


  6. Click OK to commit your changes.  Close the Network Connections dialog box, and restart the CWA virtual machine.

 

Step 3 – Generate a TLS certificate for Communicator Web Access

Our next step for deploying Communicator Web Access will be to request a certificate from our Enterprise CA.  Although CWA will host an external virtual server that will be accessed by both internal and external clients, we will use an internally generated certificate for the CWA server.  Later, we’ll request a third party PKI certificate which will be assigned to the ISA Listener that will be used to proxy all inbound SSL requests – including CWA.  The easiest way to request a certificate for CWA is to use the Certificate Wizard from our Front End server.

 

A.  To use the Certificate Wizard to request a new certificate

  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Programs, then Administrative Tools.  Click Office Communications Server 2007 R2 to launch the OCS 2007 R2 administration console.
  3. Within the administration console, expand the contoso.com Forest level entry, then expand Standard Edition Servers.
  4. Expand the OCS-R2.contoso.com pool level entry, then right click on the OCS-R2.contoso.com server object.  Select Certificates.
  5. On the Welcome to the Certificate Wizard page, click Next.
  6. On the Available Certificate Tasks page, click Create a new certificate, and then click Next. 
  7. On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
  8. On the Name and Security Settings page, configure as follows:   

    a. Enter a meaningful name for the CWA server certificate (i.e., OCSR2CWACert).
    b. Under Bit length, select 1024 bit length.
    c. Enable the Mark cert as exportable check box.
    d. Enable the Include client EKU in the certificate request check box. 

    When you are finished, click Next.

  9. On the Organization Information page, type or select the name of your organization and organizational unit (enter contoso.com for both entries), and then click Next.
  10. On the Your Server’s Subject Name page, configure as follows:   

    a. In Subject Name, verify that the FQDN of the OCS CWA server is displayed (i.e., CWA-R2.contoso.com).
    b. In Subject Alternate Name, enter the values cwa.contoso.com,as.cwa.contoso.com,download.cwa.contoso.com.

    When you are finished, click Next.

  11. Since we are generating this certificate from the Front End server, you will receive a warning which states The Subject Name does not match the Computer FQDN.  Do you wish to continue? Choose Yes.
  12. On the Choose a Certification Authority page, the wizard attempts to automatically detect any CAs that are published in Active Directory.  Click Select a certificate authority from the list detected in your environment, and then select your certification authority (CA).  Click Next.  On the Request Summary page, review the settings that you specified, and then click Next.
  13. At the Assign Certificate Task screen, click the View button and verify that the Subject Name and Subject Alternative Names values are correct, then click Assign Certificate Later.  
  14. A dialog box appears and informs you that the Certificate Wizard completed with warnings.  Click Finish.

At this point the certificate has been issued to the Front End server from the Certificate Authority.  We need to export it from the local computer’s certificate store to a PFX file.
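The wizard accepts whatever names you type, so before the PFX travels to the CWA server it is worth confirming that the subject name and Subject Alternative Names actually cover every host name clients will use.  The Python below is an added example, not part of this guide or of OCS; it takes the names the wizard’s View button displays as constructed input and applies the standard host-name matching rules (SAN dNSName entries take precedence over the subject CN; a wildcard is honoured only as the whole left-most label and covers exactly one label).  That second rule is why it also shows that a *.contoso.com wildcard would cover cwa.contoso.com but not as.cwa.contoso.com or download.cwa.contoso.com.  The same check applies to the public UC certificate assigned to the ISA listener later in this guide.

```python
"""Check that a certificate's names cover the host names CWA clients will use.

Added example (not from the guide). Input is the CN and SAN list as shown by
the certificate wizard; no certificate file is parsed.
"""
from typing import Iterable, List, Optional

# Host names clients use to reach the CWA virtual server: the SAN values the
# guide enters in the certificate wizard.
REQUIRED_CWA_NAMES = (
    "cwa.contoso.com",
    "as.cwa.contoso.com",
    "download.cwa.contoso.com",
)


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (CN or SAN dNSName) covers hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the entire left-most label with at least two labels after
    it, and it matches exactly one label, so "*.contoso.com" covers
    "cwa.contoso.com" but not "as.cwa.contoso.com"; "*.com" and partial
    wildcards such as "c*.contoso.com" never match.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    if "*" in pattern:
        return False
    return p == h


def covering_name(cert_cn: str, cert_sans: Iterable[str], hostname: str) -> Optional[str]:
    """Return the certificate name that covers hostname, or None.

    When the certificate carries SAN dNSName entries only those are consulted;
    the subject CN is used only for a certificate without SANs (RFC 6125).
    """
    candidates = list(cert_sans) or [cert_cn]
    for name in candidates:
        if name_matches(name, hostname):
            return name
    return None


def missing_names(cert_cn: str, cert_sans: Iterable[str],
                  required: Iterable[str] = REQUIRED_CWA_NAMES) -> List[str]:
    """List the required host names that the certificate does not cover."""
    sans = list(cert_sans)
    return [host for host in required if covering_name(cert_cn, sans, host) is None]


if __name__ == "__main__":
    # The names from the guide's wizard run: nothing should be reported missing.
    print(missing_names("CWA-R2.contoso.com", list(REQUIRED_CWA_NAMES)))
    # A wildcard certificate leaves the two desktop-sharing names uncovered.
    print(missing_names("CWA-R2.contoso.com", ["*.contoso.com"]))
```

Run it with the names you see on the Assign Certificate Task page; an empty list means every name clients will use is covered.  Note that the server’s own FQDN (CWA-R2.contoso.com) is not in the required list because clients connect to cwa.contoso.com, not to the machine name.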

 

B.  Export the new certificate from the OCS 2007 R2 Front End server

  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Run.  Type mmc.exe and press Enter to launch the Microsoft Management Console.
  3. From within the Management Console, click File, then Add/Remove Snap-in…
  4. Within the Add/Remove Snap-in dialog box, click Add.
  5. Select the Certificates snap-in, then click Add.
  6. When prompted to choose the account for which to manage certificates, choose Computer account.  Click Next.
  7. When prompted to choose which computer to manage, choose Local Computer, then click Finish.
  8. Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
  9. Expand Certificates (Local Computer), then expand the Personal certificate store.
  10. Click on Certificates, then locate and select the certificate that was issued to CWA-R2.contoso.com. 
  11. From the menu bar click Action, then All Tasks, then select Export.
  12. At the Welcome to the Certificate Export Wizard screen, click Next.
  13. At the Export with Private Key screen, choose Yes, export the private key.  Click Next.
  14. At the Export Format settings, choose Personal Information Exchange – PKCS #12 (.PFX), then click Next. 
  15. Enter a Password for the export file, then click Next.
  16. Enter an Export Filename (i.e., c:\CWACert.pfx) and click Next.
  17. Click Finish to complete the certificate export.
  18. Copy the CWACert.PFX export file to the CWA server so that it can be imported.

 

C.  Import the new certificate to the OCS 2007 R2 CWA server

  1. Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Run.  Type mmc.exe and press Enter to launch the Microsoft Management Console.
  3. From within the Management Console, click File, then Add/Remove Snap-in…
  4. Within the Add/Remove Snap-in dialog box, click Add.
  5. Select the Certificates snap-in, then click Add.
  6. When prompted to choose the account for which to manage certificates, choose Computer account.  Click Next.
  7. When prompted to choose which computer to manage, choose Local Computer, then click Finish.
  8. Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
  9. Expand Certificates (Local Computer), then select the Personal certificate store.
  10. From the menu bar, click Action, then All Tasks, then select Import.
  11. At the Welcome to the Certificate Import Wizard screen, click Next.
  12. Click Browse, change the Files of Type option to Personal Information Exchange (pfx), and select the CWACert.pfx file that you copied from the Front End server.  Click Next. 
  13. Enter the password that you used to export the private key, then click Next.
  14. When prompted where to place the certificate, choose the Personal certificate store.  Click Next.
  15. Click Finish to import the certificate.
  16. Close the Certificates management console.

 

Step 4 – Install Internet Information Services 6.0 for Windows 2003

Communicator Web Access requires Internet Information Services 6.0 when installed on Windows Server 2003.  Considering this, we need to install IIS 6.0 prior to installing the CWA server role.

A.  To install Internet Information Services 6.0

  1. Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Open the Control Panel and launch Add/Remove Programs.
  3. Click Add/Remove Windows Components.
  4. In the Components list box, click Application Server.
  5. Click Details.
  6. Click Internet Information Services Manager.
  7. Click Details to select the World Wide Web Publishing Service, Active Server Pages, and Remote Administration (HTML) components to be installed.
  8. Click OK until you are returned to the Windows Component Wizard.
  9. Click Next and complete the Windows Component Wizard.

 

Step 5 – Install OCS 2007 R2 Communicator Web Access

After installing Internet Information Services, we are now ready to install the Communicator Web Access binaries.

A.  To install Communicator Web Access

  1. Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
  4. When prompted to install the Microsoft Visual C++ 2008 Redistributable, choose Yes to install it.
  5. When prompted to install Microsoft .NET Framework 3.5 SP1, choose Yes to install it.
  6. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  7. On the Deploy Other Server Roles page, click Deploy Communicator Web Access.
  8. On the Deploy Communicator Web Access page, at Step 1: Install Communicator Web Access, click Install.
  9. On the License Agreement page, click I accept the terms in the license agreement, and then click Next. If you do not accept the license terms, Setup cannot continue.
  10. On the Install location for Microsoft Office Communications Server 2007 R2, Communicator Web Access page, in the Location box, type a path where Communicator Web Access server should be installed, or accept the default location (C:\Program Files\Microsoft Office Communications Server R2\Communicator Web Access\). Click Next.
  11. Do not close the Deployment Wizard window. Instead, continue directly to the next procedure in order to activate Communicator Web Access.

 

Step 6 – Activate OCS 2007 R2 Communicator Web Access

Having successfully installed Communicator Web Access, we are now ready to activate the server.

A.  To activate Communicator Web Access

  1. Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  5. On the Deploy Other Server Roles page, click Deploy Communicator Web Access.
  6. On the Deploy Communicator Web Access page, at Step 2: Activate Communicator Web Access, click Run.
  7. On the Welcome page, click Next.
  8. On the Select domain service account page, select Use an existing account.  Enter the name RTCComponentService in the Account name box, then type the account password in the Password box.  This account is already a member of the RTCComponentUniversalServices group, which is required for the CWA service to start.  Click Next.
  9. In the Select Certificate dialog box, click the certificate you installed before beginning Setup; this is the certificate you created and imported in Step 3 above.  Click OK.
  10. On the Select Server Certificate page, click Next.
  11. On the Confirm Installation page, click Next.
  12. After the server has been activated, click Close on the Activation Complete page to close the Activation Wizard.
  13. Do not close the Deployment Wizard window. Instead, continue directly to the next procedure in order to create a virtual server.

 

Step 7 – Create the CWA external virtual server

Once CWA has been activated, we are ready to create our external virtual server.  Again, I use an external virtual server for both internal and external users, primarily for the simplicity of connecting to CWA with a single DNS name. 

A.  To create an external virtual server for Communicator Web Access

  1. Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  5. On the Deploy Other Server Roles page, click Deploy Communicator Web Access.
  6. At Step 3: Create Virtual Server of the Deploy Communicator Web Access page, click Run.
  7. On the Welcome page, click Next.
  8. On the Select Virtual Server Type page, click External then click Next.
  9. On the Select Authentication Type page, choose Use Built-in Authentication, then click Next. 
  10. On the Select Authentication Type page, the default value of Forms-based Authentication is already selected since this is an external virtual server.  Click Next.
  11. On the Select Connection Type page, select HTTPS then click the Select Certificate button.  Choose the certificate that we generated for Communicator Web Access, then click OK.  Click Next to continue. 
  12. On the Select IP Address and Port Settings page, select the IP address 192.168.1.12 or use the default value [All Unassigned]. In the Port box, type the port to be used by the virtual server, which should be 443 by default.
  13. On the Server Description page, type a name for the virtual server in the Description box (i.e., Communicator Web Access), then click Next.
  14. On the Select a listening port page, type 5061 as the port number that the Communicator Web Access server will use to listen for SIP messages in the Listening port box.  This value must be a unique port value that is not used by any other application on the server.  Click Next.
  15. On the Select a pool page, select the fully qualified domain name of the Office Communications Server 2007 R2 server that will act as the “next hop” server for anonymous users.  Here we will choose OCS-R2.contoso.com, which is our Standard Edition Front End server.  For the Port value, choose 5061.  Click Next. 
  16. On the Start Server Option page, select Start this virtual server after the Create Virtual Server Wizard finishes and then click Next. This ensures that the virtual server will start immediately after it is created. (Virtual servers must be started before they can be accessed.) If you do not start the virtual server immediately, you can start the server later by using either the Communicator Web Access Manager or the Internet Information Services Manager snap-in.
  17. On the Review Settings Before Virtual Server Creation page, verify that the virtual server has been configured correctly and then click Next.
  18. On the Create Virtual Server Complete page, click Close to close the Create Virtual Server wizard.

 

Step 8 – Install OCS 2007 R2 Administration Console

The next step of our Communicator Web Access installation involves installing the OCS Administration Console.

A.  Install the administration console

  1. Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. At the main deployment page, select Administrative Tools from the menu on the right.
  5. On the License Agreement page, click I accept the terms in the license agreement and then click Next.
  6. When the installation finishes, close the OCS 2007 R2 Deployment Tools.
  7. Click Start, then Programs, then Administrative Tools.  There you will find the Office Communications Server 2007 R2 administration console as well as the Communicator Web Access management console (listed as Microsoft Office Communications Server 2007 R2, Communicator Web Access).

 

Step 9 – Configure Audio Conferencing for Communicator Web Access

Communicator Web Access offers support for audio conferences, or telephone calls between three or more people. (Peer-to-peer phone calls are not supported in the R2 version of CWA.) To conduct an audio conference, Communicator Web Access connects the user’s telephone to the public switched telephone network (PSTN) and then initiates calls to the other conference participants.

With a successfully deployed Mediation Server and a correctly configured media gateway, there is no additional configuration necessary for Communicator Web Access users to use the audio conferencing feature.  Otherwise, static routes must be configured before CWA users will be able to participate in audio conferences.  For the purposes of this lab, we will skip configuring audio conferencing for CWA.

If you need more information on Audio Conferencing in CWA, please visit http://technet.microsoft.com/en-us/library/dd425101(office.13).aspx.

 

Step 10 – Configure Desktop Sharing in Communicator Web Access

Communicator Web Access in OCS 2007 R2 supports desktop sharing between participants if the environment has been correctly configured to support it and if meeting policy has been configured to allow it.  In previous steps, we obtained certificates containing the required host names to support desktop sharing in CWA, and we configured both internal and external DNS to support desktop sharing.  We also enabled desktop sharing in the default policy used by Live Meeting in a previous configuration step.  At this point, there is no further configuration necessary to support desktop sharing for our lab environment, but if you would like more information on desktop sharing in CWA, please visit http://technet.microsoft.com/en-us/library/dd425349(office.13).aspx.

 

This completes the installation of the OCS 2007 R2 CWA server role.

 

  

Configuring ISA Server 2006

Our final server role to deploy in this lab environment is ISA Server 2006, which will be configured to act strictly as a reverse proxy for the various SSL web sites offered by Exchange 2007 and Office Communications Server 2007 R2.  Since we will not be using ISA Server 2006 as a firewall, we will use a single NIC configuration in this lab. 

 

Step 1 – Connect to the Virtual Machine that will host the ISA Server 2006 role

To configure one of the virtual machines to host the ISA Server 2006 server role, we’ll need to connect to the Windows 2008 host computer and launch the Server Manager console.  Expand the Hyper-V role and verify that the virtual machine for ISA 2006 was created with the following specifications: 


Role:        ISA Server 2006
Memory:      512MB
Network:     One (1) Virtual NIC
Hard Disk:   16GB Virtual Hard Disk
OS Version:  Windows Server 2003 SP2 (x64)
FQDN:        ISA.contoso.com (not domain-joined)
IP Address:  192.168.1.6

Although the DNS name of this server will be ISA.contoso.com, it will not be joined to the Contoso.com domain.  To configure the server, double-click on the ISA 2006 virtual server within the Hyper-V section of the Server Manager console.

 

Step 2 – Configure ISA Server 2006 Network Settings

Before installing the ISA Server binaries, we need to configure the network settings for the virtual machine.

A.  To configure ISA Server network settings

  1. Log on to the ISA Server virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Click Start, then click Run.  Type ncpa.cpl and press Enter to launch Network Connections.  
  3. Right click on the Local Area Network network interface and select Properties.
  4. Highlight Internet Protocol (TCP/IP) and click on the Properties button.
  5. Under the General tab of TCP/IP Properties, configure the network adapter as follows:

    Choose Use the following IP address.

         IP Address:  192.168.1.6 
         Subnet Mask:  255.255.255.0
         Default Gateway:  192.168.1.1  (our Linksys Router)

    Choose Use the following DNS servers.
     
         Primary DNS Server:  4.2.2.1  (Internet root server)
         Alternate DNS Server:  4.2.2.2 (Internet root server)


  6. While still within the TCP/IP properties of the Hyper-V External network adapter, click on the Advanced button.
  7. Within Advanced settings, click on the DNS tab.  Under Append these DNS suffixes (in order), click Add and enter the domain contoso.com.  Then, under DNS suffix for this connection, enter contoso.com.  Finally, deselect the option to Register this connection’s addresses in DNS.
  8. Click OK three times to complete the configuration of the Local Area Network network adapter.
  9. Close Network Connections.
  10. Click Start, then Run.  Type Notepad %windir%\system32\drivers\etc\hosts to open the hosts file for editing.
  11. After opening the hosts file in Notepad, add each of the following entries.  To minimize complexity, I use a single hosts file with identical entries on both my Edge server and my ISA server.

    192.168.1.5    edge-r2.contoso.com
    192.168.1.6    isa.contoso.com
    192.168.1.6    cwa.contoso.com
    192.168.1.6    as.cwa.contoso.com
    192.168.1.6    download.cwa.contoso.com
    192.168.1.6    mail.contoso.com
    192.168.1.6    autodiscover.contoso.com
    192.168.1.10   email.contoso.com
    192.168.1.11   ocs-r2.contoso.com
    192.168.1.12   cwa-r2.contoso.com
    192.168.1.13   mediation-r2.contoso.com


  12. Save your changes by clicking File then Save.  If you find that you are unable to save your changes and receive an Access Denied error message, then you will need to launch Notepad as the local Administrator account, create the various entries, then save the file.
  13. After successfully configuring the network settings for the virtual machine, restart the ISA 2006 server.
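Because the ISA server (and, with the identical file, the Edge server) relies on this hosts file instead of internal DNS, a stale or duplicated line silently decides where a request goes: Windows uses the first matching entry for a name, and a later conflicting line is ignored without any error.  The Python below is an added example, not part of this guide; it parses a hosts file constructed from the entries above, with one deliberately conflicting line appended, and reports names that are missing, names that resolve to an unexpected address, and duplicates that are shadowed by an earlier entry.

```python
"""Parse a Windows hosts file and check it against the lab's expected resolutions.

Added example (not from the guide). SAMPLE_HOSTS is constructed from the
entries the guide adds on the ISA server plus one stale, conflicting line.
"""
import ipaddress
from typing import Dict, List, Tuple

# What the guide expects on the ISA server: names published to the Internet
# answer with the ISA server's own address so the reverse-proxy listener
# handles them; internal servers keep their real addresses.
EXPECTED_ISA_HOSTS = {
    "edge-r2.contoso.com": "192.168.1.5",
    "isa.contoso.com": "192.168.1.6",
    "cwa.contoso.com": "192.168.1.6",
    "as.cwa.contoso.com": "192.168.1.6",
    "download.cwa.contoso.com": "192.168.1.6",
    "mail.contoso.com": "192.168.1.6",
    "autodiscover.contoso.com": "192.168.1.6",
    "email.contoso.com": "192.168.1.10",
    "ocs-r2.contoso.com": "192.168.1.11",
    "cwa-r2.contoso.com": "192.168.1.12",
    "mediation-r2.contoso.com": "192.168.1.13",
}

# Constructed file: the guide's entries plus a stale line that conflicts with
# the cwa.contoso.com entry above it (line 14).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.5    edge-r2.contoso.com
192.168.1.6    isa.contoso.com
192.168.1.6    cwa.contoso.com
192.168.1.6    as.cwa.contoso.com
192.168.1.6    download.cwa.contoso.com
192.168.1.6    mail.contoso.com
192.168.1.6    autodiscover.contoso.com
192.168.1.10   email.contoso.com
192.168.1.11   ocs-r2.contoso.com
192.168.1.12   cwa-r2.contoso.com
192.168.1.13   mediation-r2.contoso.com
192.168.1.10   cwa.contoso.com    # constructed stale entry
"""

Entry = Tuple[int, str, str]  # (line number, address, host name)


def parse_hosts(text: str) -> List[Entry]:
    """Return (line, ip, name) triples in file order; comments and blanks are skipped.

    Every name or alias on a line becomes its own entry. Addresses are validated,
    so a typo such as 192.168.1 raises ValueError instead of being 'resolved'.
    """
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"hosts line {lineno}: expected '<address> <name> [alias ...]'")
        ip = str(ipaddress.ip_address(parts[0]))  # ValueError on a malformed address
        for name in parts[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def effective_map(entries: List[Entry]) -> Dict[str, str]:
    """Name -> address as the Windows resolver sees it: the first entry wins."""
    resolved: Dict[str, str] = {}
    for _, ip, name in entries:
        resolved.setdefault(name, ip)
    return resolved


def check_hosts(text: str, expected: Dict[str, str]) -> List[str]:
    """Report missing names, unexpected addresses, and shadowed duplicate lines."""
    entries = parse_hosts(text)
    resolved = effective_map(entries)
    findings: List[str] = []
    for name, ip in expected.items():
        if name not in resolved:
            findings.append(f"missing: {name}")
        elif resolved[name] != ip:
            findings.append(f"wrong address: {name} -> {resolved[name]} (expected {ip})")
    first_seen: Dict[str, Entry] = {}
    for entry in entries:
        lineno, ip, name = entry
        winner = first_seen.setdefault(name, entry)
        if winner is not entry and winner[1] != ip:
            findings.append(
                f"shadowed duplicate: line {lineno} maps {name} to {ip}, "
                f"but line {winner[0]} ({winner[1]}) wins"
            )
    return findings


if __name__ == "__main__":
    for finding in check_hosts(SAMPLE_HOSTS, EXPECTED_ISA_HOSTS) or ["hosts file OK"]:
        print(finding)
```

To check the real file, read %windir%\system32\drivers\etc\hosts into a string and pass it to check_hosts with the expected map for that server; the sample run reports only the shadowed line 14, because the earlier (correct) cwa.contoso.com entry wins.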

 

Step 3 – Copy UC Certificate and Internal CA Certificates to ISA 2006 server

Before we install the ISA Server binaries, we first need to copy our UC Certificate purchased from a publicly trusted Certification Authority and the certificate from our internal Certification Authority to the ISA server.   

A.  To copy certificates to the ISA 2006 server

  1. Log on to the ISA Server virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Launch Windows Explorer, and navigate to the Certificates folder using the administrative share for the C:\ hard disk on the Exchange server (\\192.168.1.10\C$\Certificates).
  3. When prompted for authentication, enter the credentials of the built-in Domain Administrator account (Contoso\Administrator).
  4. Within the Certificates folder, select the file sip_contoso_com_exported.pfx and the file ContosoCA.cer.  After highlighting each file, choose Edit then Copy from the Windows Explorer menu bar at the top of the window, or simply press CTRL+C to copy the two certificates to the Windows clipboard.
  5. Again within Windows Explorer, navigate to the C:\ folder from the virtual hard disk on the ISA 2006 server.
  6. Choose Edit then Paste from the Windows Explorer menu bar at the top of the window, or simply press CTRL+V to paste the two certificates from the Windows clipboard into the root of drive C:\ on the ISA server.
  7. Verify that the two certificates were successfully copied to the ISA server, then close Windows Explorer.

 

Step 4 – Import the Certificates into the local Certificate store

Now that our certificates have been copied to the ISA server, we need to import them into the local computer certificate store.   

A.  To import the UCC Certificate into the local certificate store

  1. Log in to the ISA Server 2006 virtual machine using the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Run.  Type mmc.exe and press Enter to launch the Microsoft Management Console.
  3. From within the Management Console, click File, then Add/Remove Snap-in…
  4. Within the Add/Remove Snap-in dialog box, click Add.
  5. Select the Certificates snap-in, then click Add.
  6. When prompted to choose the account for which to manage certificates, choose Computer account.  Click Next.
  7. When prompted to choose which computer to manage, choose Local Computer, then click Finish.
  8. Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
  9. Expand Certificates (Local Computer), then expand the Personal certificate store object. 
  10. Right click on the Certificates object, then highlight All Tasks within the context menu and select Import to launch the Certificate Import Wizard.
  11. At the Welcome page for the Certificate Import Wizard, click Next.
  12. At the File to Import page, enter C:\sip_contoso_com_exported.pfx or browse to the C:\ drive and select the file using the Windows object picker. Click Next.
  13. At the Password page, enter the password used to export the certificate from the Windows 2008 physical host computer (i.e. the Exchange server), then enable the option to Mark this key as exportable.  Click Next.
  14. At the Certificate Store page, select the option to Automatically select the certificate store based on the type of certificate.  Click Next.
  15. Click Finish to complete the certificate import.

B.  To import the Contoso Root CA certificate into the local certificate store

  1. Log in to the ISA Server 2006 virtual machine using the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Run.  Type mmc.exe and press Enter to launch the Microsoft Management Console.
  3. From within the Management Console, click File, then Add/Remove Snap-in…
  4. Within the Add/Remove Snap-in dialog box, click Add.
  5. Select the Certificates snap-in, then click Add.
  6. When prompted to choose the account for which to manage certificates, choose Computer account.  Click Next.
  7. When prompted to choose which computer to manage, choose Local Computer, then click Finish.
  8. Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
  9. Expand Certificates (Local Computer), then expand the Trusted Root Certification Authorities certificate store object. 
  10. Right click on the Certificates object, then highlight All Tasks within the context menu and select Import to launch the Certificate Import Wizard.
  11. At the Welcome page for the Certificate Import Wizard, click Next.
  12. At the File to Import page, enter C:\ContosoCA.cer or browse to the C:\ drive and select the file using the Windows object picker. Click Next.
  13. At the Certificate Store page, select the option to Place all certificates in the following store.  Verify that the Trusted Root Certification Authorities certificate store is selected, then click Next.
  14. Click Finish to complete the certificate import, then Close the Microsoft Management Console.

 

Step 5 – Install ISA Server 2006

After configuring the virtual machine, we are now ready to install the ISA Server 2006 binaries.  Please verify that you have correctly configured the network settings for the virtual network adapter before proceeding with the installation of ISA.

A.  To install ISA Server 2006

  1. Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Launch Windows Explorer, and navigate to the ISA CD or shared installation folder.
  3. Double-click ISAAutorun.exe, the setup launcher for ISA Server 2006. 
  4. At the Welcome page, click Next.
  5. At the License Agreement page, select I accept the terms in the license agreement.  
  6. At the Customer Information page, enter your User Name, your Organization Name, and your Product ID.
  7. At the Setup Type page, choose the Typical installation option.  This installs ISA Server, Advanced Logging, and ISA Server Management.  Click Next.
  8. On the Internal Network page, click the Add button.
  9. In the Addresses dialog box, click Add Adapter.
  10. In the Select Network Adapters dialog box, select the single virtual network adapter, then click OK.
  11. Back in the Addresses dialog box, click OK to return to the Internal Network page.  Note that the addresses shown here will have no meaning in a single NIC ISA configuration, as all network addresses in a single NIC configuration are considered internal.
  12. Back on the Internal Network page, click Next.
  13. On the Firewall Client Connections page, click Next.  Since our server will not be acting as a firewall, this setting will not matter.
  14. Click Next on the Services Warning page.
  15. Click Install to begin the installation.
  16. On the Installation Wizard Completed page, put a checkmark in the Invoke ISA Server Management when the wizard closes checkbox and click Finish.
  17. Close the Internet Explorer window entitled Protect the ISA Server Computer.

 

Step 6 – Configure ISA System Policy

Having successfully installed the ISA server binaries, we are now ready to configure the server.  First we’ll configure the system policy to allow remote management using the Terminal Services client, and to respond to pings from computers on our local network.

A.  To configure ISA system policy

  1. Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
  3. Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
  4. Right click on Firewall Policy and choose Edit System Policy from the context menu.
  5. Within the System Policy Editor, you will find a list of Configuration Groups.  Under the Remote Management configuration group, choose Terminal Server.
  6. Within the Terminal Server configuration group, select Enable this configuration group under the General tab.
  7. Click on the From tab.  Under This rule applies to traffic from these sources, select the Remote Management Computers group, then click Edit.
  8. In the Remote Management Computers Properties dialog box, click Add then select Computer.  Alternatively you may add an entire subnet or an entire range of IP addresses.
  9. Enter the Host Name of your computer which will be used to manage the ISA server remotely using terminal services client, then enter the IP address.  Click OK.
  10. After adding each computer that will be used to manage your ISA server, click OK to commit your changes.
  11. Back at the System Policy Editor dialog box, under the Remote Management configuration group, click on the ICMP (Ping) configuration group.
  12. Within the ICMP (Ping) configuration group, select Enable this configuration group under the General tab.
  13. Next, click on the From tab.  Under This rule applies to traffic from these sources, verify that the Remote Management Computers group is listed, then click Add.
  14. Within the Add Network Entities, expand Networks, then select Local Host.  Click Add.
  15. Back within the System Policy Editor, click OK.
  16. Click Apply to commit your System Policy configuration changes.

Step 7 – Create Exchange OutlookAnywhere Firewall Rule

Our next step will be to create a firewall rule to handle almost all Exchange 2007 requests, including Outlook Web Access.

A.  To create the Exchange OutlookAnywhere firewall rule

  1. Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
  3. Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
  4. Right click on Firewall Policy and highlight New.  Select Exchange Web Client Access Publishing Rule.
  5. At the Welcome to the New Exchange Publishing Rule Wizard page, enter a meaningful name for the rule (e.g. Exchange OutlookAnywhere).  Click Next.
  6. At the Select Services page, choose Exchange Server 2007 as the server version.  Choose the option Outlook Anywhere (RPC/HTTP(s)), and enable the option Publish additional folders on the Exchange Server for Outlook 2007 clients.  Click Next.
  7. At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
  8. At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm.  Click Next.
  9. At the Internal Publishing Details page, enter the internal site name mail.contoso.com.  Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the Exchange server, 192.168.1.10.  Click Next.
  10. At the Public Name Details page, choose to Accept requests for This domain name (type below), then enter the Public Name mail.contoso.com.  Click Next.
  11. At the Select Web Listener page, click New.
  12. At the New Web Listener Definition Wizard welcome page, click Next.
  13. On the Web Listener Client Connection Security page, choose Require SSL secured connections with clients.  Click Next.
  14. At the Web Listener IP Addresses page, choose both the Internal and Local Host networks, and enable the option ISA Server will compress content sent to clients through this Web Listener if the clients requesting the content support compression.  Click Next.
  15. At the Web Listener SSL Certificates page, select Use a single certificate for the Web Listener, then click Select Certificate.  From the list of available certificates, choose the UC Certificate purchased from the publicly trusted Certification Authority, then click Select.  Click Next.
  16. At the Web Listener Authentication Settings page, choose No Authentication from the drop down box, then click Next.
  17. At the Web Listener Single Sign On Settings page, click Next.  Single Sign On is not a supported option in a single NIC ISA configuration.
  18. Click Finish to complete the configuration of the Web Listener.
  19. Back at the Select Web Listener page, verify that the HTTPS Listener web listener is selected, then click Next.
  20. At the Authentication Delegation page, choose No Delegation, but client may authenticate directly.  Click Next.
  21. At the User Sets page, choose All Users, then click Next.
  22. At the Completing the New Exchange Publishing Rule Wizard page, click Finish.
  23. Next, click Apply to commit your changes. 
  24. From the list of available firewall rules, right click on the new Exchange OutlookAnywhere rule, then choose Properties.
  25. Select the From tab.  Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove.  Click Add, expand Networks, and Add the Internal and Local Host networks.
  26. Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPS traffic.
  27. Next, click on the Paths tab, then click on the Add button to add a new path.  Enter the path value /owa/*, and under External Path, choose Same as published folder.  Click OK, then click Apply.
  28. Click Test Rule to simulate a connection request to each of the external paths listed under the Paths tab.
  29. Click OK to complete configuration of the Exchange OutlookAnywhere rule.

 

Step 8 – Create Exchange ActiveSync Firewall Rule

Next, we will create a firewall rule to handle Exchange 2007 ActiveSync requests.

A.  To create the Exchange ActiveSync firewall rule

  1. Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
  3. Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
  4. Right click on Firewall Policy and highlight New.  Select Exchange Web Client Access Publishing Rule.
  5. At the Welcome to the New Exchange Publishing Rule Wizard page, enter a meaningful name for the rule (e.g. Exchange ActiveSync).  Click Next.
  6. At the Select Services page, choose Exchange Server 2007 as the server version.  Choose the option Exchange ActiveSync, and then Click Next.
  7. At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
  8. At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm.  Click Next. 
  9. At the Internal Publishing Details page, enter the internal site name mail.contoso.com.  Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the Exchange server, 192.168.1.10.  Click Next.
  10. At the Public Name Details page, choose to Accept requests for This domain name (type below), then enter the Public Name mail.contoso.com.  Click Next.
  11. At the Select Web Listener page, choose the existing HTTPS Listener from the Web Listener drop-down list.  Click Next.
  12. At the Authentication Delegation page, choose No Delegation, but client may authenticate directly.  Click Next. 
  13. At the User Sets page, choose All Users, then click Next.
  14. At the Completing the New Exchange Publishing Rule Wizard page, click Finish.
  15. Next, click Apply to commit your changes.  
  16. From the list of available firewall rules, right click on the new Exchange ActiveSync rule, then choose Properties.
  17. Select the From tab.  Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove.  Click Add, expand Networks, and Add the Internal and Local Host networks.
  18. Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPS traffic.
  19. Next, click on the Paths tab, then verify that /Microsoft-Server-ActiveSync/* is listed as the Internal Path.  Click Apply.
  20. Click Test Rule to simulate a connection request to the external ActiveSync path listed under the Paths tab. 
  21. Click OK to complete configuration of the Exchange ActiveSync rule.

 

Step 9 – Create Exchange Autodiscover Firewall Rule

Next, we will create a firewall rule to handle Exchange 2007 Autodiscover requests.

A.  To create the Exchange Autodiscover firewall rule

  1. Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
  3. Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
  4. Right click on Firewall Policy and highlight New.  Select Exchange Web Client Access Publishing Rule.
  5. At the Welcome to the New Exchange Publishing Rule Wizard page, enter a meaningful name for the rule (e.g. Exchange Autodiscover).  Click Next.
  6. At the Select Services page, choose Exchange Server 2007 as the server version.  Choose the option Outlook Anywhere (RPC/HTTP(s)), and enable the option Publish additional folders on the Exchange Server for Outlook 2007 clients.  Click Next.
  7. At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
  8. At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm.  Click Next. 
  9. At the Internal Publishing Details page, enter the internal site name autodiscover.contoso.com.  Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the Exchange server, 192.168.1.10.  Click Next.
  10. At the Public Name Details page, choose to Accept requests for This domain name (type below), then enter the Public Name autodiscover.contoso.com.  Click Next.
  11. At the Select Web Listener page, choose the existing HTTPS Listener from the Web Listener drop-down list.  Click Next.
  12. At the Authentication Delegation page, choose No Delegation, but client may authenticate directly.  Click Next. 
  13. At the User Sets page, choose All Users, then click Next.
  14. At the Completing the New Exchange Publishing Rule Wizard page, click Finish.
  15. Next, click Apply to commit your changes.  
  16. From the list of available firewall rules, right click on the new Exchange Autodiscover rule, then choose Properties.
  17. Select the From tab.  Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove.  Click Add, expand Networks, and Add the Internal and Local Host networks.
  18. Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPS traffic.
  19. Next, click on the Paths tab.  Select each Internal Path entry, then click Remove.  After removing all values, click Add to add a new Internal Path value of /*.  Verify that the External Path is the Same as published folder.  Click OK, then click Apply.
  20. Click Test Rule to simulate a connection request to the external Autodiscover path listed under the Paths tab. 
  21. Click OK to complete configuration of the Exchange Autodiscover rule.

 

Step 10 – Create OCS 2007 R2 Web Components Firewall Rule

Next, we will create a firewall rule to handle OCS 2007 R2 Web Components requests. 

A.  To create the OCS 2007 R2 Web Components firewall rule

  1. Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
  3. Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
  4. Right click on Firewall Policy and highlight New.  Select Web Site Publishing Rule.
  5. At the Welcome to the New Web Site Publishing Rule Wizard page, enter a meaningful name for the rule (e.g. OCS 2007 R2 Web Components).  Click Next.
  6. At the Specify Rule Action page, choose Allow then click Next.
  7. At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
  8. At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm.  Click Next. 
  9. At the Internal Publishing Details page, enter the site name sip.contoso.com.  Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the OCS Front End server, 192.168.1.11.  Click Next.
  10. At the next Internal Publishing Details page, enter a path value of /*.  Enable the option Forward the original host header instead of the actual one provided in the Internal site name field on the previous page.  Click Next.
  11. At the Public Name Details page, choose the option Accept requests for this domain name (type below).  Enter the public site name sip.contoso.com and a path value of /*.  Click Next.
  12. At the Select Web Listener page, choose the existing HTTPS Listener from the Web Listener drop-down list.  Click Next.
  13. At the Authentication Delegation page, choose No Delegation, but client may authenticate directly.  Click Next. 
  14. At the User Sets page, choose All Users, then click Next.
  15. At the Completing the New Web Site Publishing Rule Wizard page, click Finish.
  16. Next, click Apply to commit your changes.  
  17. From the list of available firewall rules, right click on the new OCS 2007 R2 Web Components rule, then choose Properties.
  18. Select the From tab.  Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove.  Click Add, expand Networks, and Add the Internal and Local Host networks.
  19. Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPS traffic.
  20. Next, click on the Paths tab.  Verify that /* is listed as the internal path value.  Click Apply. 
  21. Click Test Rule to simulate a connection request to the external Web Components path listed under the Paths tab.  
  22. Click OK to complete configuration of the OCS 2007 R2 Web Components rule.

 

Step 11 – Create OCS 2007 R2 CWA Firewall Rule

Finally, we will create a firewall rule to handle OCS 2007 R2 Communicator Web Access requests.  This will be the last rule that we need to create to support OCS and Exchange traffic for our lab environment.

A.  To create the OCS 2007 R2 CWA firewall rule

  1. Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
  3. Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
  4. Right click on Firewall Policy and highlight New.  Select Web Site Publishing Rule.
  5. At the Welcome to the New Web Site Publishing Rule Wizard page, enter a meaningful name for the rule (e.g. OCS 2007 R2 CWA).  Click Next.
  6. At the Specify Rule Action page, choose Allow then click Next.
  7. At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
  8. At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm.  Click Next. 
  9. At the Internal Publishing Details page, enter the site name cwa.contoso.com.  Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the Communicator Web Access server, 192.168.1.12.  Click Next.
  10. At the next Internal Publishing Details page, enter a path value of /*.  Enable the option Forward the original host header instead of the actual one provided in the Internal site name field on the previous page.  Click Next.
  11. At the Public Name Details page, choose the option Accept requests for this domain name (type below).  Enter the public site name cwa.contoso.com and a path value of /*.  Click Next. 
  12. At the Select Web Listener page, choose the existing HTTPS Listener from the Web Listener drop-down list.  Click Next.
  13. At the Authentication Delegation page, choose No Delegation, but client may authenticate directly.  Click Next. 
  14. At the User Sets page, choose All Users, then click Next.
  15. At the Completing the New Web Site Publishing Rule Wizard page, click Finish.
  16. Next, click Apply to commit your changes.
  17. From the list of available firewall rules, right click on the new OCS 2007 R2 CWA rule, then choose Properties.
  18. Select the From tab.  Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove.  Click Add, expand Networks, and Add the Internal and Local Host networks.
  19. Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPS traffic.
  20. Next, click on the Paths tab.  Verify that /* is listed as the internal path value.  Click Apply. 
  21. Click Test Rule to simulate a connection request to the external Communicator Web Access path listed under the Paths tab.   
  22. Click OK to complete configuration of the OCS 2007 R2 CWA rule.

 

This completes the deployment of the ISA Server 2006 server role.
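To see how the five publishing rules from Steps 7 through 11 fit together behind the single HTTPS Listener, here is an added Python model (constructed for this write-up, not ISA Server code): rules are tried top to bottom, the first match forwards to the internal server, anything unmatched falls to ISA's default deny, and non-SSL or sub-128-bit connections are refused before any rule is consulted. The public names, internal addresses and the /owa/*, /Microsoft-Server-ActiveSync/* and /* paths come from the steps above; the /rpc/* path, the sample request paths and the exact directory-matching behaviour are assumptions.

```python
# Model of the ISA Server 2006 HTTPS Listener and the five web publishing
# rules from Steps 7-11 (constructed example; not ISA code).
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    public_name: str          # "Accept requests for this domain name"
    target: str               # internal server the request is forwarded to
    paths: Tuple[str, ...]    # Paths tab entries, e.g. "/owa/*"
    sources: Tuple[str, ...] = ("Internal", "Local Host")  # From tab
    require_128bit: bool = True  # Traffic tab setting

@dataclass(frozen=True)
class Request:
    host: str
    path: str                 # may carry a query string
    scheme: str = "https"
    source: str = "Internal"  # single-NIC ISA: every address is "Internal"
    cipher_bits: int = 128    # negotiated TLS key length

@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: Optional[str]
    target: Optional[str]
    reason: str

LISTENER_REQUIRES_SSL = True  # "Require SSL secured connections with clients"

# Assumption: /rpc/* is the path the Outlook Anywhere wizard pre-populates;
# the page itself only names /owa/*, which Step 7 item 27 adds by hand.
RULES = (
    Rule("Exchange OutlookAnywhere", "mail.contoso.com", "192.168.1.10",
         ("/rpc/*", "/owa/*")),
    Rule("Exchange ActiveSync", "mail.contoso.com", "192.168.1.10",
         ("/Microsoft-Server-ActiveSync/*",)),
    Rule("Exchange Autodiscover", "autodiscover.contoso.com", "192.168.1.10",
         ("/*",)),
    Rule("OCS 2007 R2 Web Components", "sip.contoso.com", "192.168.1.11",
         ("/*",)),
    Rule("OCS 2007 R2 CWA", "cwa.contoso.com", "192.168.1.12", ("/*",)),
)

def path_matches(pattern: str, path: str) -> bool:
    """Modelled path match (assumption about ISA semantics): a pattern ending
    in /* covers the directory itself and everything beneath it; the query
    string is not part of the path."""
    path = path.split("?", 1)[0]
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern

def evaluate(req: Request, rules: Tuple[Rule, ...] = RULES) -> Decision:
    # Listener-level checks run before any publishing rule is consulted.
    if LISTENER_REQUIRES_SSL and req.scheme != "https":
        return Decision(False, None, None, "listener requires SSL")
    for rule in rules:  # first matching rule wins
        if req.host.lower() != rule.public_name or req.source not in rule.sources:
            continue
        if any(path_matches(p, req.path) for p in rule.paths):
            if rule.require_128bit and req.cipher_bits < 128:
                return Decision(False, rule.name, None, "128-bit encryption required")
            return Decision(True, rule.name, rule.target, "matched " + rule.name)
    return Decision(False, None, None, "default deny: no publishing rule matched")
```

Running a request for mail.contoso.com/ecp/ through evaluate() shows why the per-path rules matter: neither Exchange rule lists that path, so it is dropped by the default deny rather than forwarded to the Exchange server.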

 

 

Conclusion

Please remember that much of this configuration is considered by Microsoft to be unsupported for production use.  While the configuration details provided in this series of blog entries have enabled me to achieve the goals I wanted for my own lab, your own mileage may vary.  Either way, I hope that you have found this series of blog entries to be helpful, and as always, all comments and/or corrections are greatly appreciated.

 

— Dave


Comments (1)

  1. digitexpress2000 says:

    Great How-To!!! It’s what I have been looking for. Why do you say it’s not supported by MS?
