Office Communications Server 2007 R2 Poster
(Transcript of the poster text. The poster is a single large diagram; the panel labels, callouts and tables below are reconstructed from the flattened text in the order the diagram presents them.)

LEGEND
Enterprise pool; Hardware load balancer; Edge Servers; Front End Servers; SQL back-end server; Directors; Communicator Web Access Server; Archiving Server; Monitoring Server; Group Chat Server; Update Server; Exchange UM Server; Mediation Server; XMPP gateway; Reverse proxy.

CLIENTS
Communicator; Communicator Phone Edition; Office Live Meeting; Office Communicator Attendant Console; Communicator Web Access; Communicator Mobile; Communicator for Mac; Group Chat.

WORKLOAD ARCHITECTURE
The diagram is drawn as four workload panels: IM and Presence Workload; A/V and Web Conferencing Workload; Enterprise Voice Workload; Application Sharing Workload. Each panel runs from the clients and federated partners on the left, through the external firewall, the Edge Servers, the internal firewall, the Directors and the pools. Multi-NIC support is called out for the Edge Servers. Direction of arrow indicates which server initiates the connection; subsequent traffic is bi-directional.

Federation partners shown: federated company, Yahoo!, MSN, AOL, Jabber, Gmail (Jabber and Gmail through the XMPP gateway).
Mediation Server connectivity to: IP-PSTN gateway; IP/PBX; Direct SIP; SIP trunk.
File shares and related servers shown: Address book file share; Group Chat file share; Group Chat Compliance Server; Meeting content + metadata + compliance file share.

Protocol and port labels on the diagram:
- Access Edge - SIP/TLS:443 (external clients)
- Access Edge - SIP/MTLS:5061 (federation)
- A/V Edge - STUN/TCP:443, STUN/UDP:3478
- A/V Edge - SRTP:443,3478,50,000-59,999
- Web Conf Edge - PSOM/TLS:443
- XMPP/TCP:5269 (XMPP gateway)
- HTTPS:443 (reverse proxy to pools; Communicator Web Access Server)
- C3P/HTTPS:444
- SIP/TLS:5061 (clients to Directors and pools)
- SIP/MTLS:5061 (server to server: Edge Servers, Directors, pools, Mediation Server, Exchange UM Server, Monitoring Server)
- SIP/MTLS:5062 (MRAS traffic)
- SIP/TCP:5060,5061
- PSOM/TLS:8057 and PSOM/MTLS:8057 (Web Conferencing)
- SRTP/RTCP:60,000-64,000
- SRTP/UDP:49152-65535
- RDP/SRTP:49152-65535, RDP/SRTP/TCP:49152-65535, RDP/SRTP/TCP:1024-65535 (peer-to-peer application sharing session)
- MSMQ traffic (Monitoring Server, Archiving Server)
- Kerberos:88, LDAP:389 (Kerberos used for user authentication; LDAP used to access Active Directory)
- SRV query (client DNS lookup at sign-in)

Callouts on the diagram:
- This media traffic goes directly to the A/V Edge. The A/V Edge must have publicly routable IP addresses. If using a single Edge Server, the public Edge IP addresses can be NAT-ed by your external firewall.
- Range of ports is configurable (media port ranges).
- HTTPS:443 is used to download address book and updates.
- HTTPS:443 is used to download conferencing content + metadata.
- Traffic goes directly to the Web Conferencing Service WITHOUT going through the pool's hardware load balancer.
- Traffic goes directly to the A/V Conferencing Service WITHOUT going through the pool's hardware load balancer.
- 2 inbound and 2 outbound unidirectional streams. SRTP consists of two unidirectional streams; RTCP traffic piggybacks on the SRTP stream.
- Media codec varies on workload. The panels list: RTAudio and G.711; RTAudio for audio and RTVideo for video; SIREN for audio and RTVideo for video.

External user sign-in process:
1. Client resolves DNS SRV record _sip._tls.<sip-domain> to Edge Server.
2. Client connects to Edge Server.
3. Edge Server proxies connection to Director.
4. Director authenticates user and proxies connection to user's home pool.

Internal user sign-in process:
1. Client resolves DNS SRV record _sipinternaltls._tcp.<sip-domain> to Director.
2. Client connects to Director.
3. Director redirects client to user's home pool.

CERTIFICATE REQUIREMENTS

Pool (Front End Server 1, Front End Server 2)
FQDN: pool.<ad-domain>
Certificate SN: pool.<ad-domain>
Certificate SAN: pool.<ad-domain>,
EKU: server
Root certificate: private CA

Directors (Director 1, Director 2)
FQDN: dir.<ad-domain>
Certificate SN: dir.<ad-domain>
Certificate SAN: dir.<ad-domain>, sipinternal.<sip-domain>
EKU: server
Root certificate: private CA

Edge Servers (Edge Server 1, Edge Server 2)
Internal FQDN: intsrv.<ad-domain>
Certificate SN: intsrv.<ad-domain>
Certificate SAN:
EKU: server
Root certificate: private CA
Access FQDN: accesssrv.<sip-domain>
Certificate SN: accesssrv.<sip-domain>
Certificate SAN: accesssrv.<sip-domain>, sip.<sip-domain>
EKU: server, client*
Root certificate: public CA
Conference FQDN: N/A
Certificate SN: conf.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: public CA
A/V FQDN: av.<sip-domain>
Certificate SN: av.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA
* Required only for public IM connectivity with AIM.

XMPP Gateway
FQDN: xmppsrv.<sip-domain> (1)
Certificate SN: xmppsrv.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA
FQDN: xmpp.<sip-domain> (2)
Certificate SN: xmpp.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: public CA
(1) This FQDN is for connectivity to internal Edge Servers.
(2) This FQDN is for connectivity to external XMPP gateways.

Communicator Web Access Server
FQDN: cwasrv.<ad-domain>
Certificate SN: cwasrv.<ad-domain>
Certificate SAN: cwasrv.<ad-domain>, cwa.<sip-domain>, as.cwa.<sip-domain>, download.cwa.<sip-domain>
EKU: server
Root certificate: private CA

Mediation Server
FQDN: medsrv.<ad-domain>
Certificate SN: medsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

Exchange UM Server
FQDN: umsrv.<ad-domain>
Certificate SN: umsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

Group Chat Server
FQDN: chatsrv.<ad-domain>
Certificate SN: chatsrv.<ad-domain>
Certificate SAN: N/A
EKU: server, client
Root certificate: private CA

Monitoring Server
FQDN: monsrv.<ad-domain>
Certificate SN: monsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

DNS CONFIGURATION
· Publish SRV record for _sipfederationtls._tcp.<sip-domain>, which resolves to the Access Edge FQDN, accesssrv.<sip-domain>.
· Publish SRV record for _sip._tls.<sip-domain>, which resolves to the Access Edge FQDN. This is required for federated and anonymous connections to Live Meetings.
· Publish SRV record for _xmpp-server._tcp.<sip-domain>, which resolves to the gateway NIC of the XMPP gateway.
· Publish A record for Access Edge FQDN, accesssrv.<sip-domain>, which resolves to the Access Edge public IP address.
· Publish A record for A/V Edge FQDN, av.<sip-domain>, which resolves to the A/V Edge public IP address.
· Publish A record for Conferencing Edge FQDN, conf.<sip-domain>, which resolves to the Conferencing Edge public IP address.
· Publish A record for Communicator Web Access to the reverse proxy FQDN, which resolves to the public IP address of the reverse proxy.

FIREWALL CONFIGURATION
Ports to open on internal firewall:
accesssrv.<sip-domain>: TCP 5061, TCP 5062, TCP 5063, TCP 5064, TCP 5071, TCP 5072, TCP 5073, TCP 5074
conf.<sip-domain>: TCP 8057
av.<sip-domain>: TCP 443, UDP 3478, TCP 50,000-59,999

Ports to open on external firewall:
accesssrv.<sip-domain>: TCP 443, TCP 5061
conf.<sip-domain>: TCP 443
av.<sip-domain>: TCP 443, UDP 3478, TCP 50,000-59,999
xmpp.<sip-domain>: TCP 5269

Port number to service traffic assignment (one table per workload panel):
- 5062 - Media Relay Authentication Service; 5064 - Telephony Conferencing Service; 5069 - Monitoring (QoE) Agent; 5071 - Response Group Service; 5072 - Conferencing Attendant Service; 5073 - Conferencing Announcement Service; 5074 - Outside Voice Control Service
- 5062 - Media Relay Authentication Service; 5065 - Application Sharing Conferencing Service; 5069 - Monitoring (QoE) Agent
- 5063 - A/V Conferencing Service; 5069 - Monitoring (QoE) Agent
- 5062 - IM Conferencing Service; 5069 - Monitoring (QoE) Agent

REFERENCES
http://technet.microsoft.com/en-us/library/dd425238(office.13).aspx
http://technet.microsoft.com/en-us/library/dd425257(office.13).aspx
http://TechNet.microsoft.com/office/OCS
http://go.microsoft.com/fwlink/?LinkId=181907
http://twitter.com/DrRez

Author: Rui Maximo. Designer: Ken Circeo. Reviewers: Rick Kingslan, Benoit Boudeville, Paul Brombley, Nick Smith, Brandon Taylor, Stefan Plizga, Greg Anthony.

© 2009 Microsoft Corporation. Active Directory, Office, MSN, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All rights reserved. Other trademarks or trade names mentioned herein are the property of their respective owners.
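The firewall tables above are exactly the allow list a perimeter review compares a live rule set against: anything required but absent breaks sign-in or media, and anything broader than listed widens the exposed surface of the Edge Servers. The following is an added example, not part of the poster or of any Microsoft tooling, that encodes the poster's external and internal port requirements and audits a constructed rule set for both defects. The rule syntax ("allow proto any -> host port[-port]") is made up for the example; host names keep the poster's <sip-domain> placeholders.

```python
"""Audit a firewall rule set against the OCS 2007 R2 poster's port tables.

Added example (not from the poster). The rule grammar below is invented
for illustration; adapt parse_rules() to the export format of the real
firewall before using the audit logic.
"""
import re
from dataclasses import dataclass

# Required openings copied from the poster: host -> {(proto, low_port, high_port)}
REQUIRED_EXTERNAL = {
    "accesssrv.<sip-domain>": {("tcp", 443, 443), ("tcp", 5061, 5061)},
    "conf.<sip-domain>": {("tcp", 443, 443)},
    "av.<sip-domain>": {("tcp", 443, 443), ("udp", 3478, 3478), ("tcp", 50000, 59999)},
    "xmpp.<sip-domain>": {("tcp", 5269, 5269)},
}
REQUIRED_INTERNAL = {
    "accesssrv.<sip-domain>": {("tcp", p, p) for p in (5061, 5062, 5063, 5064, 5071, 5072, 5073, 5074)},
    "conf.<sip-domain>": {("tcp", 8057, 8057)},
    "av.<sip-domain>": {("tcp", 443, 443), ("udp", 3478, 3478), ("tcp", 50000, 59999)},
}


@dataclass(frozen=True)
class Rule:
    proto: str
    host: str
    lo: int
    hi: int


# Invented rule grammar: "allow tcp any -> host 443" or "... host 50000-59999"
RULE_RE = re.compile(r"^allow\s+(tcp|udp)\s+any\s+->\s+(\S+)\s+(\d+)(?:-(\d+))?$", re.I)


def parse_rules(text):
    """Parse rule lines, ignoring blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        proto, host, lo, hi = m.groups()
        rules.append(Rule(proto.lower(), host, int(lo), int(hi or lo)))
    return rules


def audit(rules, required):
    """Return (missing, extra).

    missing: required (host, proto, lo, hi) openings no rule fully covers.
    extra:   rules not contained in any required opening for their host,
             i.e. ports the poster does not call for, or ranges wider than listed.
    """
    missing = []
    for host, needs in required.items():
        for proto, lo, hi in sorted(needs):
            covered = any(r.host == host and r.proto == proto and r.lo <= lo and r.hi >= hi
                          for r in rules)
            if not covered:
                missing.append((host, proto, lo, hi))
    extra = []
    for r in rules:
        needs = required.get(r.host, set())
        contained = any(r.proto == proto and lo <= r.lo and r.hi <= hi
                        for proto, lo, hi in needs)
        if not contained:
            extra.append(r)
    return missing, extra


# Constructed sample external rule set: conf.<sip-domain> 443 is missing,
# the A/V media range is far wider than 50,000-59,999, and 5060 is not on the poster.
SAMPLE_EXTERNAL_RULES = """\
allow tcp any -> accesssrv.<sip-domain> 443
allow tcp any -> accesssrv.<sip-domain> 5061
allow tcp any -> av.<sip-domain> 443
allow udp any -> av.<sip-domain> 3478
allow tcp any -> av.<sip-domain> 1024-65535    # wider than the poster's range
allow tcp any -> xmpp.<sip-domain> 5269
allow tcp any -> xmpp.<sip-domain> 5060        # not on the poster
"""


def report_external():
    """Audit the constructed sample against the poster's external table."""
    return audit(parse_rules(SAMPLE_EXTERNAL_RULES), REQUIRED_EXTERNAL)


if __name__ == "__main__":
    missing, extra = report_external()
    for host, proto, lo, hi in missing:
        print(f"MISSING  {host} {proto} {lo}-{hi}")
    for r in extra:
        print(f"EXTRA    {r.host} {r.proto} {r.lo}-{r.hi}")
```

Because the poster notes that the media port range is configurable, replace the 50,000-59,999 entry for av.<sip-domain> with whatever range the deployment actually configured before running the audit, otherwise a correctly narrowed range is reported as a mismatch.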