LEGENDEnterprise poolHardwareload balancerEdge ServersFront End ServersSQL back-end serverDirectorsCommunicator WebAccess ...
Upcoming SlideShare
Loading in …5
×

Office Comunnications Server 2007 R2 Poster

630 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
630
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
9
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Office Comunnications Server 2007 R2 Poster

  1. 1. LEGENDEnterprise poolHardwareload balancerEdge ServersFront End ServersSQL back-end serverDirectorsCommunicator WebAccess ServerArchiving ServerMonitoring Server Group Chat ServerUpdate ServerExchange UM ServerMediation Server XMPP gatewayReverse proxy© 2009 Microsoft Corporation. Active Directory, Office, MSN, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All rights reserved. Other trademarks or trade names mentioned herein are the property of their respective owners.Workload Architecturehttp://twitter.com/DrRezhttp://TechNet.microsoft.com/office/OCS http://go.microsoft.com/fwlink/?LinkId=181907Multi-NIC supportCERTIFICATE REQUIREMENTSCommunicatorPhone EditionOffice Live MeetingOffice Communicator Attendant ConsoleCommunicatorWeb AccessCLIENTSSIP/TLS:443EdgeServersExternalFirewallInternalFirewallDirectorsXMPPGatewayEdgeServersExternalfirewallInternalfirewallRTP/SRTP trafficIM and Presence WorkloadA/V and Web Conferencing Workload Enterprise Voice WorkloadHTTPS:443C3P/HTTPS:444SIP/MTLS:5061Application Sharing WorkloadXMPP/TCP:5269PoolsConnectivity to:• IP-PSTNgateway• IP/PBX• Direct SIP• SIP trunkPoolsReverse proxyAccess Edge - SIP/MTLS:5061FederatedCompanyYahoo!MSNAOLJabberGmailHTTPS:443A/V Edge - STUN/TCP:443, STUN/UDP:3478Access Edge - SIP/TLS:443A/V Edge – SRTP:443,3478,50,000-59,999SIP/MTLS:5061HTTPS:443Access Edge - SIP/TLS:443SIP/MTLS:5061HTTPS:443SRTP/RTCP:60,000-64,000SIP/TLS:5061SIP trafficExternalfirewallInternalfirewallHTTPS:443CommunicatorWeb AccessServerHTTPS:443PoolsA/V Edge – SRTP:443,3478,50,000-59,999HTTPS:443SRTP/RTCP:60,000-64,000Access Edge - SIP/TLS:443SIP/MTLS:5061EdgeServersExternalfirewallInternalfirewallHTTPS:443Reverse proxyHTTPS traffic HTTPS:443PoolsHTTPS:443SIP traffic: signalingSIP/MTLS:5061SIP/TLS:5061RTP/SRTP traffic: A/V ConferencingA/V Edge - STUN/TCP:443, STUN/UDP:3478A/V Edge – SRTP:443,3478,50,000-59,999SRTP/UDP:49152-65535This media traffic goes directly tothe A/V Edge. The A/V Edgemust have publicly routable IPaddressesIf using a single Edge Server, thepublic Edge IP addresses can beNAT-ed by your external firewall.Range of portsis configurableRDP/SRTP trafficHTTPS trafficSIP trafficSIP traffic: signaling and IMXMPP trafficHTTPS trafficMSMQ trafficSIP/MTLS:5062PSOM traffic: Web ConferencingHTTPS:443 is used to downloadaddress book and updatesCommunicatorMobileGroup ChatGroup Chat file shareAddress book file shareGroup ChatComplianceServerMeeting content+ metadata +compliance filesharePSOM/TLS:8057HTTPS:443HTTPS:443HTTPS:443 is usedto downloadconferencingcontent + metadataMedia codec varieson workload:- RTAudio- G.711Traffic goes directly to WebConferencing ServiceWITHOUT going through thepool’s hardware load balancer2 inbound and 2 outboundunidirectional streams.Media codec varies on workload:- RTAudio for audio- RTVideo for videoRange of portsis configurableSRTP consists of twounidirectional streams. RTCPtraffic piggy backs on the SRTPstream.Media codec varies on workload:- RTAudio- G.711SIP/TLS:5061SRVquery(1)(3)Range of portsis configurableTraffic goes directly to A/VConferencing ServiceWITHOUT going through thepool’s hardware load balancerMediation ServerFQDN: medsrv.<ad-domain>Certificate SN: medsrv.<ad-domain>Certificate SAN: N/AEKU: serverRoot certificate: private CAExchange UM ServerFQDN: umsrv.<ad-domain>Certificate SN: umsrv.<ad-domain>Certificate SAN: N/AEKU: serverRoot certificate: private CADirectorsFront End Server 1, Front End Server 2FQDN: pool.<ad-domain>Certificate SN: pool.<ad-domain>Certificate SAN: pool.<ad-domain>,EKU: serverRoot certificate: private CAPoolDirector 1, Director 2FQDN: dir.<ad-domain>Certificate SN: dir.<ad-domain>Certificate SAN: dir.<ad-domain>,sipinternal.<sip-domain>EKU: serverRoot certificate: private CASTUN/TCP:443, STUN/UDP:3478Mediation ServerExternal user sign-in process:1. Client resolves DNS SRV record _sip._tls.<sip-domain> to Edge Server.2. Client connects to Edge Server.3. Edge Server proxies connection to Director.4. Director authenticates user and proxies connection to user’s home pool.FQDN: xmppsrv.<sip-domain> (1)Certificate SN: xmppsrv.<sip-domain>Certificate SAN: N/AEKU: serverRoot certificate: private CAXMPP Gateway*Required only for publicIM connectivity with AIMEdge Server 1, Edge Server 2Internal FQDN: intsrv.<ad-domain>Certificate SN: intsrv.<ad-domain>Certificate SAN:EKU: serverRoot certificate: private CAAccess FQDN: accesssrv.<sip-domain>Certificate SN: accesssrv.<sip-domain>Certificate SAN: accesssrv.<sip-domain>,sip.<sip-domain>EKU: server, client*Root certificate: public CAConference FQDN: N/ACertificate SN: conf.<sip-domain>Certificate SAN: N/AEKU: serverRoot certificate: public CAA/V FQDN: av.<sip-domain>Certificate SN: av.<sip-domain>Certificate SAN: N/AEKU: serverRoot certificate: private CAEdge ServersGroup Chat ServerFQDN: chatsrv.<ad-domain>Certificate SN: chatsrv.<ad-domain>Certificate SAN: N/AEKU: server, clientRoot certificate: private CAMonitoring ServerFQDN: monsrv.<ad-domain>Certificate SN: monsrv.<ad-domain>Certificate SAN: N/AEKU: serverRoot certificate: private CACommunicator Web Access ServerFQDN: cwasrv.<ad-domain>Certificate SN: cwasrv.<ad-domain>Certificate SAN: cwasrv.<ad-domain>, cwa.<sip-domain>, as.cwa.<sip-domain>,download.cwa.<sip-domain>EKU: serverRoot certificate: private CAFQDN: xmpp.<sip-domain> (2)Certificate SN: xmpp.<sip-domain>Certificate SAN: N/AEKU: serverRoot certificate: public CA(1)This FQDN is for connectivityto internal Edge Servers(2)This FQDN is for connectivityto external XMPP gatewaysMRAS trafficHTTPS:443SIP/TLS:5061MSMQSIP/MTLS:5062MonitoringServerWeb Conf Edge - PSOM/TLS:443Access Edge - SIP/TLS:443This media traffic goesdirectly to the A/V Edge. TheA/V Edge must have publiclyroutable IP addressesIf using a single EdgeServer, the public Edge IPaddresses can be NAT-edby your external firewall.2 inbound and 2 outboundunidirectional streamsSTUN/TCP:443, STUN/UDP:3478SIP/MTLS:5061STUN/TCP:443,STUN/UDP:3478· Publish SRV record for _sipfederationtls._tcp.<sip-domain>, which resolves to the Access Edge FQDN, accesssrv.<sip-domain>.· Publish SRV record for _sip._tls.<sip-domain>, which resolves to the Access Edge FQDN. This is required for federated andanonymous connections to Live Meetings.· Publish SRV record for _xmpp-server._tcp.<sip-domain>, which resolves to the gateway NIC of the XMPP gateway.·· Publish A record for Access Edge FQDN, accesssrv.<sip-domain>, which resolves to the Access Edge public IP address.· Publish A record for A/V Edge FQDN, av.<sip-domain>, which resolves to the A/V Edge public IP address.· Publish A record for Conferencing Edge FQDN, conf.<sip-domain>, which resolves to the Conferencing Edge public IP address.· Publish A record for Communicator Web Access to the reverse proxy FQDN, which resolves to public IP address of reverseproxyDNS ConfigurationFirewall ConfigurationPorts to open on internal firewall:accesssrv.<sip-domain>: TCP 5061, TCP 5062, TCP 5063, TCP5064, TCP 5071, TCP 5072, TCP 5073, TCP 5074conf.<sip-domain>: TCP 8057av.<sip-domain>: TCP 443, UDP 3478, TCP 50,000-59,999SIP/MTLSSIP/MTLSReference: http://technet.microsoft.com/en-us/library/dd425238(office.13).aspxReference: http://technet.microsoft.com/en-us/library/dd425238(office.13).aspxReference: http://technet.microsoft.com/en-us/library/dd425238(office.13).aspxReference: http://technet.microsoft.com/en-us/library/dd425238(office.13).aspxhttp://technet.microsoft.com/en-us/library/dd425257(office.13).aspxSIP/MTLSPorts to open on external firewall:accesssrv.<sip-domain>: TCP 443, TCP 5061conf.<sip-domain>: TCP 443av.<sip-domain>: TCP 443, UDP 3478, TCP 50,000-59,999xmpp.<sip-domain>: TCP 5269Direction of arrow indicates whichserver initiates the connection.Subsequent traffic is bi-directional.CommunicatorWeb AccessServerAuthor: Rui Maximo — Designer: Ken CirceoReviewers: Rick Kingslan, Benoit Boudeville, Paul Brombley, Nick Smith, Brandon Taylor, Stefan Plizga, Greg AnthonySIP/TCP:5060,5061This media traffic goesdirectly to the A/V Edge. TheA/V Edge must have publiclyroutable IP addressesIf using a single EdgeServer, the public Edge IPaddresses can be NAT-edby your external firewall.RDP/SRTP/TCP:1024-65535Peer-to-peer applicationsharing sessionKerberos used for user authenticationLDAP used to access Active DirectorySIP/TLS:5061PSOM/MTLS:8057STUN/TCP:443, STUN/UDP:3478DirectorsMonitoringServerSIP/MTLSSIP/MTLS:5061MSMQSIP/MTLS:5061SIP/MTLS:5061DirectorsCodec varies on workload:- SIREN for audio- RTVideo for videoEdgeServersDirectorsSIP/TLS:5061SIP/MTLS:5062SIP/TLS:5061MonitoringServerExchangeUM ServerPort number to service traffic assignment:5062 - Media Relay Authentication Service5064 - Telephony Conferencing Service5069 - Monitoring (QoE) Agent5071 - Response Group Service5072 - Conferencing Attendant Service5073 - Conferencing Announcement Service5074 - Outside Voice Control ServiceMSMQMRAS trafficPort number to service traffic assignment:5062 - Media Relay Authentication Service5065 - Application Sharing Conferencing Service5069 - Monitoring (QoE) AgentSIP/TLS:5061SIP/MTLS:5062SIP/MTLS:5061Port number to service traffic assignment:5063 - A/V Conferencing Service5069 - Monitoring (QoE) AgentMSMQPort number to service traffic assignment:5062 - IM Conferencing Service5069 - Monitoring (QoE) AgentMSMQMonitoringServerArchivingServerKerberos:88, LDAP:389Internal user sign-in process:1. Client resolves DNS SRV record _sipinternaltls._tcp.<sip-domain> to Director.2. Client connects to Director.3. Director redirects client to user’s home pool.(2)HTTPS:443RDP/SRTP:49152-65535RDP/SRTP/TCP:49152-65535Group ChatServerReverse proxyMRAS trafficSIP/MTLS:5061CommunicatorFor Mac

×