Tuesday, May 27, 2008

Notes for Communicator Web Access

One Server for Both Internal and External Users

In order to deploy all users on a single computer, you must run IIS 6.0 in application isolation mode. For details about application isolation modes in IIS 6.0, see “Application Isolation Modes” at http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=appmodes.

  • Two virtual servers cannot both share the same IP address and also listen on the same port, and host headers cannot separate HTTPS sites (the SSL handshake completes before the Host header is sent); therefore, you must differentiate the virtual servers on your computer either by IP address or by port number. If both virtual servers use the same IP address, you will need to differentiate them by port number. Many proxy servers accept SSL traffic only on port 443, so you may need to manually configure the external virtual server to use port 443 and move the internal virtual server to another port.
  • You must configure your firewall or reverse proxy to map to the appropriate port for each virtual server.
  • Although application isolation reduces security risk, it is still possible for the server to be compromised, and because both virtual servers share one computer, a compromise would affect both external and internal users. In contrast, using a separate external server would limit the impact of an attack on the external server to remote users only.
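As an added example (not part of the original notes), the following script checks a list of virtual-server bindings for the IP/port collision described above and lays out both virtual servers on one address, keeping the external server on 443 for the reverse proxy. The site names, addresses and the 4443 starting port are constructed for illustration; the treatment of the IIS 6.0 "All Unassigned" address (two such bindings on one port collide, "All Unassigned" plus a specific address on the same port do not) is an assumption of this example.

```python
"""Added example, not part of the original notes: check the bindings of the
internal and external Communicator Web Access virtual servers on one IIS 6.0
computer for IP/port collisions and pick a free port for the internal server
so the external one can keep port 443 behind the reverse proxy.
The site names, addresses and ports below are constructed for illustration."""
from collections import defaultdict

ALL_UNASSIGNED = "*"  # stands for the IIS 6.0 "All Unassigned" address


def find_binding_conflicts(bindings):
    """bindings: iterable of (site_name, ip, port).

    Two HTTPS virtual servers cannot share the same IP address and port
    (host headers cannot separate them, because the SSL handshake happens
    before the Host header is sent). Assumption of this example: two
    "All Unassigned" bindings on one port collide with each other, while
    "All Unassigned" and a specific address on the same port do not.
    Returns {(ip, port): [site names...]} for every colliding group.
    """
    owners = defaultdict(list)
    for name, ip, port in bindings:
        owners[(ip, int(port))].append(name)
    return {key: names for key, names in owners.items() if len(names) > 1}


def suggest_port(bindings, ip, preferred):
    """Lowest port >= preferred that no existing binding on `ip` (or on
    "All Unassigned") already uses."""
    taken = {int(port) for _, b_ip, port in bindings
             if b_ip in (ip, ALL_UNASSIGNED)}
    port = preferred
    while port in taken:
        port += 1
    return port


def plan_single_server(server_ip, internal_preferred=4443):
    """Lay out both virtual servers on one address: external stays on 443
    (many proxies only forward SSL to 443), internal moves elsewhere.
    4443 is an arbitrary starting point chosen for this example."""
    external = ("CWA External", server_ip, 443)
    internal_port = suggest_port([external], server_ip, internal_preferred)
    internal = ("CWA Internal", server_ip, internal_port)
    return [external, internal]


if __name__ == "__main__":
    # Constructed case: both virtual servers on 10.0.0.5:443 -> collision.
    broken = [("CWA Internal", "10.0.0.5", 443), ("CWA External", "10.0.0.5", 443)]
    print("conflicts:", find_binding_conflicts(broken))
    fixed = plan_single_server("10.0.0.5")
    print("plan:", fixed, "conflicts:", find_binding_conflicts(fixed))
    ext_name, ext_ip, ext_port = fixed[0]
    # The firewall/reverse proxy rule that results from the plan.
    print(f"reverse proxy: publish https://cwa.contoso.com:443 -> https://{ext_ip}:{ext_port}")
```

Run it against the bindings you actually configured in IIS Manager; the firewall or reverse proxy rule must then point at the port each virtual server ended up on, not at 443 for both.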


Required Software

The following software must be installed on the computer on which you will be installing Communicator Web Access:

  • Windows Server 2003 R2 SP2 or Windows Server 2003 with SP1 or later
  • Windows Installer 3 (included in Windows Server 2003 SP1 or later)
  • IIS 6.0
  • .NET Framework 2.0, including ASP.NET 2.0

Note

ASP.NET is automatically registered with IIS if the .NET Framework 2.0 is installed after IIS 6.0 is installed. If you install the .NET Framework first, you must manually register ASP.NET. For details, see http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=kb325093.

In addition, the following QFEs must be installed:

Certificates

  • MTLS certificate. An MTLS connection will succeed only if the subject name of the MTLS certificate is the FQDN (fully qualified domain name) of the Communicator Web Access server.
  • SSL certificate. An SSL certificate is required on all Communicator Web Access servers and on any load balancer that is associated with an array of Communicator Web Access servers. The SSL (Secure Sockets Layer) certificate is used by clients that are connecting to the Communicator Web Access server. Each virtual server that is configured with HTTPS (HTTP with SSL) must have an SSL certificate. The CA that issues the SSL certificate for Communicator Web Access does not have to be the same one that issues the Office Communications Server 2007 SSL certificates or the MTLS certificates.

MTLS and HTTPS Certificate Configuration Requirements


Certificate field    Value
Version              3
Template             Duplicated Web Server
EKU                  Server Authentication (1.3.6.1.5.5.7.3.1)
Private Key          Enabled for Export
Key Usage            Digital Signature, Key Encipherment (a0)

  • The subject of the Communicator Web Access (MTLS) certificate, which can be configured in the Communicator Web Access Manager, is always the FQDN of the Communicator Web Access server computer.
  • The subject name of the SSL certificate corresponds to the FQDN of either the server or the load balancer, if one is present.
  • On a reverse proxy that is deployed in the perimeter network, the subject name of the SSL certificate corresponds to the FQDN of the reverse proxy.

Example:

Single Communicator Web Access virtual server on a computer named computer1.contoso.com; no Web publishing, no load balancing ==> The server has an SSL certificate whose subject name is the FQDN of the server, in this case, computer1.contoso.com.
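As an added example (not from the original notes), the script below checks a certificate summary against the MTLS and HTTPS requirements in the table above (version 3, Server Authentication EKU, key usage a0 decoded into Digital Signature plus Key Encipherment, exportable private key) and computes which subject name a certificate must carry for the server, load balancer and reverse-proxy cases. The `cert` dict layout and the role names are assumptions of this example; fill the dict from your own certificate parser. The sample certificate values are constructed to match the single-server case just shown.

```python
"""Added example, not from the original notes: validate a certificate summary
against the MTLS/HTTPS requirements in the table above and compute which
subject name each certificate must carry for a given topology.
The `cert` dict layout is an assumption of this example (fill it from your
own certificate parser); the sample values are constructed."""

# X.509 KeyUsage flags, first byte of the BIT STRING, MSB first (RFC 5280).
KEY_USAGE_BITS = {
    0x80: "digitalSignature", 0x40: "nonRepudiation", 0x20: "keyEncipherment",
    0x10: "dataEncipherment", 0x08: "keyAgreement", 0x04: "keyCertSign",
    0x02: "cRLSign", 0x01: "encipherOnly",
}
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"
# "Digital Signature, Key Encipherment (a0)" from the table: 0x80 | 0x20.
REQUIRED_KEY_USAGE = {"digitalSignature", "keyEncipherment"}


def decode_key_usage(first_byte):
    """Map the first KeyUsage byte to flag names (0xa0 -> digitalSignature, keyEncipherment)."""
    return {name for mask, name in KEY_USAGE_BITS.items() if first_byte & mask}


def expected_subject(role, server_fqdn, load_balancer_fqdn=None, reverse_proxy_fqdn=None):
    """Subject name required for a certificate in the given role:
    'mtls'              -> always the Communicator Web Access server FQDN
    'ssl'               -> the load balancer FQDN if there is one, else the server FQDN
    'ssl-reverse-proxy' -> the FQDN of the reverse proxy in the perimeter network"""
    if role == "mtls":
        return server_fqdn
    if role == "ssl":
        return load_balancer_fqdn or server_fqdn
    if role == "ssl-reverse-proxy":
        if not reverse_proxy_fqdn:
            raise ValueError("reverse proxy role needs the reverse proxy FQDN")
        return reverse_proxy_fqdn
    raise ValueError(f"unknown role {role!r}")


def check_certificate(cert, role, server_fqdn, load_balancer_fqdn=None, reverse_proxy_fqdn=None):
    """Return a list of problems (empty when the certificate meets the table)."""
    problems = []
    if cert["version"] != 3:
        problems.append(f"version {cert['version']}, need version 3")
    if SERVER_AUTH_EKU not in cert["eku"]:
        problems.append("EKU lacks Server Authentication " + SERVER_AUTH_EKU)
    missing = REQUIRED_KEY_USAGE - decode_key_usage(cert["key_usage"])
    if missing:
        problems.append("key usage missing " + ", ".join(sorted(missing)))
    if not cert["private_key_exportable"]:
        problems.append("private key not marked exportable")
    want = expected_subject(role, server_fqdn, load_balancer_fqdn, reverse_proxy_fqdn)
    if cert["subject_cn"].lower() != want.lower():
        problems.append(f"subject CN {cert['subject_cn']} != expected {want}")
    return problems


# Constructed sample: the single-server case above (computer1.contoso.com,
# no load balancer, no reverse proxy).
SAMPLE_CERT = {
    "version": 3,
    "subject_cn": "computer1.contoso.com",
    "eku": ["1.3.6.1.5.5.7.3.1"],
    "key_usage": 0xA0,
    "private_key_exportable": True,
}

if __name__ == "__main__":
    print(check_certificate(SAMPLE_CERT, "ssl", "computer1.contoso.com"))  # []
    # Same certificate behind a load balancer: the CN must now be the load balancer name.
    print(check_certificate(SAMPLE_CERT, "ssl", "computer1.contoso.com",
                            load_balancer_fqdn="cwa.contoso.com"))
    # Signing-only key usage (0x80) fails the Key Encipherment requirement.
    print(check_certificate(dict(SAMPLE_CERT, key_usage=0x80), "mtls", "computer1.contoso.com"))
```

The private-key export flag is a property of the key store rather than of the certificate itself, so the summary has to carry it explicitly; the rest can be read straight from the certificate's version, subject, EKU and KeyUsage extensions.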

Authentication

For remote users, and for users of supported browsers that cannot use integrated Windows authentication, the forms-based authentication window appears instead.

  • Optimizing IIS 6.0 scalability. IIS 6.0, running on the Microsoft Windows Server® 2003 operating system, includes a new architecture and new features to improve scalability on your Communicator Web Access server. For detailed information about optimizing IIS 6.0, see “Improving Scalability by Optimizing IIS 6.0 Queues” at http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=IIS6queue, “Improving Scalability by Optimizing IIS 6.0 Caches” at http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=IIS6cache, and “Additional Resources for IIS 6.0 Scalability” at http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=IIS6AddResScal.
  • Adjusting the IIS 6.0 user limit. By default, IIS 6.0 has a limit of 8,000 connections. This setting is configurable in the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

    To increase the limit, create a DWORD entry named "MaxConnections" in this location and set an appropriate limit, allowing for a reasonable tolerance for peak periods. For example, if you want to allow 10,000 connections, you would probably set the value at double this number (20,000). For guidance, see the Microsoft Knowledge Base article “Http.sys registry settings for IIS” at http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=kb820129.
