DNS Requirements for External Access (2007 R2 Beta)
[This is preliminary documentation and is subject to change. Blank topics are included as placeholders.]
An Edge Server runs three services—Access Edge service, Web Conferencing Edge service, and A/V Edge service. Each of these services has a separate external and internal interface. Each of these services requires a separate external IP address/port combination; the recommended configuration is for each of the three services to have different IP addresses, so that each service can use its default port settings.
Specific DNS settings must be configured on each external and internal interface. In general, this includes configuring DNS records to point to appropriate servers in the internal network and configuring DNS records as appropriate for each service.
Note
To prevent DNS SRV spoofing and to ensure that certificates provide a valid tie from the user's Uniform Resource Identifier (URI) to real credentials, Office Communications Server 2007 R2 requires that the domain name in the DNS SRV record match the server name on the certificate. The certificate subject name (SN) must be sip.<domain>.
The following table provides details about each DNS record required for the Edge Servers.
Note
The port numbers referenced in the following table and elsewhere in this documentation are typically the default ports. If you use different port settings, you will need to modify the procedures in this documentation accordingly.
Table 1. Required DNS records for Edge Servers

| Internal/External Record | Server | Purpose | DNS Settings |
|---|---|---|---|
| External | Edge Server | To support federation and public IM connectivity | An external SRV record for one Edge Server for _sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the SIP domain of your organization). This SRV record should point to an A record with the external fully qualified domain name (FQDN) of the Access Edge service. If you have multiple SIP domains, you need a DNS SRV record for each domain. The Edge Server you choose for this SRV record is the Edge Server through which all federation traffic flows. |
| External | Edge Server | To support external user access through Microsoft® Office Communicator and the Live Meeting client | A DNS SRV record for _sip._tls.<domain>, over port 443, where <domain> is the name of your organization's SIP domain. This SRV record must point to the A record of the Access Edge service. If you have multiple SIP domains, you need a DNS SRV record for each domain; each SRV record can point to a different Edge Server, if you want, to spread the workload. See the note following this table for how the Access Edge service chooses among multiple SRV records. |
| External | Edge Server | To resolve domain lookups for the Access Edge service | For each supported SIP domain in your organization, an external A record for sip.<domain> that resolves to the external IP address of the Access Edge service (or to the virtual IP address used by the Access Edge services on the external load balancer, if you have multiple Edge Servers deployed). If a client cannot perform an SRV record lookup to connect to the Access Edge service, it uses this A record as a fallback. |
| External | Edge Server | To resolve domain lookups for the Web Conferencing Edge service | An external DNS A record that resolves the external name of the Web Conferencing Edge service to the external IP address of the Web Conferencing Edge service (or to the virtual IP address used by the Web Conferencing Edge services on the external load balancer, if you have multiple Edge Servers deployed). |
| External | Edge Server | To resolve domain lookups for the A/V Edge service | An external DNS A record that resolves the external FQDN of the A/V Edge service to the external IP address of the A/V Edge service (or to the virtual IP address used by the A/V Edge services on the external load balancer, if you have multiple Edge Servers deployed). |
| External | Reverse proxy | To reach the external Web farm | An external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy. |
| Internal | Edge Server | To reach the internal interface of each Edge Server | For every Edge Server, you need an internal DNS A record that resolves the internal FQDN of the Edge Server to the internal IP address of the Edge Server. Office Communications Server 2007 R2 servers within the organization use this DNS A record to connect to the internal interface of the Edge Server. If you have multiple Edge Servers at one site, you also need the following DNS records: |

Note
If multiple DNS records are returned to a DNS SRV query, the Access Edge service always picks the DNS SRV record with the lowest numerical priority and highest numerical weight. If multiple DNS SRV records with equal priority and weight are returned, the Access Edge service picks the SRV record that came back first from the DNS server.
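The following Python script is an added example, not code from Microsoft or from the Office Communications Server documentation. It turns the Access Edge rows of Table 1 into a per-SIP-domain record checklist, applies the SRV selection rule from the note above (lowest priority, highest weight, then first answer returned), and runs the consistency check behind the SRV-spoofing note: the certificate subject name must be sip.<domain> and the SRV target must match it. The domains contoso.com and fabrikam.com, the host names and the IP address 192.0.2.10 are constructed; the checklist also assumes a single Access Edge service serves every SIP domain and that priority and weight are set to 0, neither of which the page prescribes.

```python
"""Helpers for the external DNS records this page requires for the Access Edge
service. Added example, not Microsoft's code or documentation. The SIP domains,
host names and IP address below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, e.g. _sip._tls.contoso.com (constructed domain)
    priority: int
    weight: int
    port: int
    target: str    # FQDN the SRV points to; should be an A record


def norm(fqdn: str) -> str:
    """Case-insensitive comparison with any trailing dot ignored."""
    return fqdn.lower().rstrip(".")


def sip_domain_of(srv_name: str) -> str:
    """Strip the leading _service._proto labels from an SRV owner name."""
    labels = norm(srv_name).split(".")
    while labels and labels[0].startswith("_"):
        labels.pop(0)
    return ".".join(labels)


def required_external_records(sip_domains: List[str], access_edge_fqdn: str,
                              access_edge_ip: str) -> List[Tuple[str, str, str]]:
    """Per-SIP-domain external records from Table 1 for the Access Edge service,
    assuming (editor's simplification) one Access Edge service serves every
    domain. Returns (owner name, record type, value) tuples; SRV values use the
    usual 'priority weight port target' layout with priority and weight 0."""
    records = []
    for domain in sip_domains:
        # Federation and public IM connectivity: one SRV per SIP domain, port 5061
        records.append((f"_sipfederationtls._tcp.{domain}", "SRV",
                        f"0 0 5061 {access_edge_fqdn}"))
        # Remote Communicator and Live Meeting sign-in: one SRV per SIP domain, port 443
        records.append((f"_sip._tls.{domain}", "SRV",
                        f"0 0 443 {access_edge_fqdn}"))
        # Fallback A record used when the client cannot perform an SRV lookup
        records.append((f"sip.{domain}", "A", access_edge_ip))
    return records


def select_srv(answers: List[SrvRecord]) -> Optional[SrvRecord]:
    """The selection rule the page gives for the Access Edge service: lowest
    numerical priority, then highest numerical weight, then the answer the DNS
    server returned first. sorted() is stable, so full ties keep answer order."""
    if not answers:
        return None
    return sorted(answers, key=lambda r: (r.priority, -r.weight))[0]


def validate_srv(record: SrvRecord, cert_subject_name: str) -> List[str]:
    """Checks behind the SRV-spoofing note: the certificate subject name must be
    sip.<domain> for the SIP domain named by the SRV record, and the SRV target
    must match the name on the certificate. Returns a list of findings; an empty
    list means the record is consistent with the certificate."""
    findings = []
    expected_sn = f"sip.{sip_domain_of(record.name)}"
    if norm(cert_subject_name) != norm(expected_sn):
        findings.append(f"certificate subject name {cert_subject_name} is not {expected_sn}")
    if norm(record.target) != norm(cert_subject_name):
        findings.append(f"SRV target {record.target} does not match certificate "
                        f"subject name {cert_subject_name}")
    return findings


# Constructed answer set, as a resolver might return it for _sip._tls.contoso.com
SAMPLE_ANSWERS = [
    SrvRecord("_sip._tls.contoso.com", 10, 10, 443, "sip-backup.contoso.com"),
    SrvRecord("_sip._tls.contoso.com", 0, 20, 443, "sip.contoso.com"),
    SrvRecord("_sip._tls.contoso.com", 0, 50, 443, "sip2.contoso.com"),
    SrvRecord("_sip._tls.contoso.com", 0, 50, 443, "sip3.contoso.com"),
]

if __name__ == "__main__":
    for rec in required_external_records(["contoso.com", "fabrikam.com"],
                                         "sip.contoso.com", "192.0.2.10"):
        print("%-40s %-4s %s" % rec)
    chosen = select_srv(SAMPLE_ANSWERS)
    print("selected:", chosen.target)
    print("findings:", validate_srv(chosen, "sip.contoso.com"))
```

With the constructed answers, the two priority-0, weight-50 records tie and the one returned first (sip2.contoso.com) is selected; validate_srv then reports that this target does not match the certificate subject name sip.contoso.com, which is exactly the mismatch the note about SRV spoofing is meant to rule out.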