Perimeter Network

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

If you want to support access by external users who are not using Communicator Web Access, you must deploy at least an Access Edge Server and an HTTP reverse proxy in the perimeter network. You can also deploy an A/V Edge Server and/or a Web Conferencing Edge Server if you want to support A/V and Web conferencing for your external users.

All these edge server roles and the reverse proxy must be deployed in the same subnet. If your organization has multiple branch offices, you can deploy edge servers in one location to support all your office locations.

For Communicator Web Access, edge server roles are not required to support external user access. A reverse proxy is not required for Communicator Web Access, either, but we strongly recommend that you deploy one.

Collocation of any Office Communications Server 2007 edge server with an internal or external firewall or with a reverse proxy is not supported.

If a load-balanced array of Directors is the internal next hop from the edge servers, you must use the virtual IP address of the Director array for the next hop when you configure the Edge Server.

Except for the A/V Edge Server, certificates are required on the external interfaces (logical or physical, depending upon configuration) of all edge servers.

A certificate is not required for the external interface of the A/V Edge Server, because SSL or TLS is not used for connections from the external network to the A/V Edge Server. Instead, for the external interface of the A/V Edge Server, an additional certificate for A/V authentication is required. For details, see the Microsoft Office Communications Server 2007 Edge Server Guide.

A certificate is required for each physical internal interface of all edge servers and of the HTTP reverse proxy. These certificates must be issued by the same certification authority (CA) that issued the certificates that are used on the internal servers, including Office Communicator Web Access servers, to which the edge servers and the reverse proxy connect.

The following edge topologies in the perimeter network are supported, each with a single HTTP reverse proxy in each physical location:

  • Consolidated edge topology. All three edge server roles are collocated on a single computer.

  • Single-site edge topology. The Access Edge Server and the Web Conferencing Edge Server roles are collocated on a single computer, and the A/V Edge Server is deployed on a separate computer.

  • Scaled single-site edge topology. One Access Edge Server and one Web Conferencing Edge Server are collocated on each of two or more computers behind a hardware load balancer. Additionally, two or more A/V Edge Servers are deployed, each on a separate computer. Multiple A/V Edge Servers may or may not be configured as an array behind a hardware load balancer. Office Communications Server 2007 supports using the same hardware load balancer for both the array of collocated Access Edge Servers and Web Conferencing Edge Servers and the array of A/V Edge Servers. In that case, a different virtual IP address is required for each array.

  • Multiple-site edge topology. One primary location (the data center) has a scaled single-site edge topology, and one or more remote sites deploy the following:

    • No Access Edge Server.

    • One or more Web Conferencing Edge Servers, each running on a dedicated computer. Multiple Web Conferencing Edge Servers may or may not be configured as an array behind a hardware load balancer.

    • One or more A/V Edge Servers, each running on a dedicated computer. Multiple A/V Edge Servers may or may not be configured as an array behind a hardware load balancer.

For details about edge topologies, see the Microsoft Office Communications Server 2007 Edge Server Deployment Guide.

Collocation of Edge Server Roles

Edge server roles can be collocated, but each server role must have a separate IP address. Each server role can use a separate physical network adapter, or all server roles can use a single multihomed network adapter.

Access Edge Server

An Access Edge Server is required for external user access unless that access is through Communicator Web Access. Only a single Access Edge Server or a single load-balanced array of Access Edge Servers is supported for federation and public IM connectivity. Only a single Access Edge Server or a single load-balanced array of Access Edge Servers is supported for remote user and anonymous user access. You can have a different Access Edge Server or array of Access Edge Servers for federation and public IM connectivity than the one used for remote user and anonymous access.

Two network adapters, one for the internal interface of the Access Edge Server and one for the external interface, are supported and recommended. A single multihomed network adapter for both the internal and external edge is also supported.

The two interfaces must use different DNS names. A unique IP address and a unique domain name are required for each of the internal and external interfaces. A multihomed network adapter that uses the same DNS name, and therefore the same IP address, for both internal and external interfaces is not supported.

An Access Edge Server is supported by both the Standard Edition license or product key and the Enterprise Edition license or product key.

Joining the Access Edge Server to a domain is supported but not recommended.

Web Conferencing Edge Server

A Web Conferencing Edge Server is required for external users to participate in conferences that are hosted by Office Communications Server 2007, Web Conferencing Server.

A/V Edge Server

An A/V Edge Server is required for sharing audio and video with external users.

The external interface of the A/V Edge Server must have a publicly routable IP address. If an external firewall is deployed, it must not use NAT (network address translation) for this IP address. This requirement does not apply to other edge server roles.

The IP address of the internal interface of the A/V Edge Server must not have NAT applied to it. If an internal firewall is deployed, it must not use NAT for this IP address.

Two network adapters, one for the internal interface of the A/V Edge Server and one for the external interface, are supported and recommended. A single multihomed network adapter for both the internal and external edge is also supported.
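
The addressing and certificate rules on this page can be checked against a deployment plan before any server is built. The following is an added example, not Microsoft's code: the dictionary keys, role names, host names, CA names and addresses are hypothetical, "publicly routable" is approximated as outside the RFC 1918, loopback and link-local ranges, and the separate-IP rule is applied to external addresses.

```python
import ipaddress

# Ranges treated here as not publicly routable (RFC 1918, loopback, link-local).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_public(ip):
    return not any(ipaddress.ip_address(ip) in net for net in NON_PUBLIC)

def check_edge_plan(roles, internal_ca):
    """Return findings for a planned deployment (dict keys are hypothetical)."""
    findings, seen = [], {}
    for r in roles:
        name, ext = r["role"], r["ext_ip"]
        # Separate IP per role (applied here to external addresses, an assumption).
        if ext in seen:
            findings.append(f"{name}: IP {ext} is also used by {seen[ext]}")
        seen[ext] = name
        # Access Edge: the two interfaces need different DNS names and IP addresses.
        if name == "access" and (r["int_fqdn"].lower() == r["ext_fqdn"].lower()
                                 or r["int_ip"] == ext):
            findings.append("access: interfaces share a DNS name or IP address")
        # Internal-interface certificates must come from the CA used internally.
        if r["int_cert_issuer"] != internal_ca:
            findings.append(f"{name}: internal certificate not from {internal_ca}")
        if name == "av":
            # A/V Edge: external IP publicly routable, no NAT on either interface.
            if not is_public(ext):
                findings.append("av: external IP is not publicly routable")
            if r["ext_nat"] or r["int_nat"]:
                findings.append("av: NAT is applied to an A/V Edge interface")
    return findings

# Constructed sample plan with deliberate mistakes on the webconf and av roles.
SAMPLE_PLAN = [
    {"role": "access", "int_ip": "10.10.0.11", "ext_ip": "203.0.113.11",
     "int_fqdn": "edge-int.example.com", "ext_fqdn": "sip.example.com",
     "int_nat": False, "ext_nat": False, "int_cert_issuer": "Example Internal CA"},
    {"role": "webconf", "int_ip": "10.10.0.12", "ext_ip": "203.0.113.11",
     "int_fqdn": "edge-int.example.com", "ext_fqdn": "webconf.example.com",
     "int_nat": False, "ext_nat": False, "int_cert_issuer": "Example Internal CA"},
    {"role": "av", "int_ip": "10.10.0.13", "ext_ip": "192.168.50.13",
     "int_fqdn": "edge-int.example.com", "ext_fqdn": "av.example.com",
     "int_nat": False, "ext_nat": True, "int_cert_issuer": "Public CA"},
]

for finding in check_edge_plan(SAMPLE_PLAN, "Example Internal CA"):
    print(finding)
```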