Documente Academic
Documente Profesional
Documente Cultură
Communicator Web
Access
(2007 release, Public
Beta)
Planning and
Deployment Guide
Published: March 2007
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release.
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of
the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real
company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying
with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, MS-DOS, Windows, Windows Mobile, Windows Server, Windows Vista, Active Directory, ActiveX, Internet Explorer, MSN,
and Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Overview
Presence awareness is the ability to detect another user’s availability on one or more devices. By
using Office Communications Server 2007, enterprises comprising as many as tens of thousands
of users can track and manage presence information and IM. A user’s presence is reported as a
status, such as Available, Away, or Busy. Presence, more than any other factor, has propelled
instant messaging to the level of a necessity.
Your organization can also use the federation features in Office Communications Server 2007 to
extend IM and presence information to remote users and trusted customers, suppliers, and
partners. By using Communicator Web Access, employees who are working offsite can
collaborate in real time with their onsite colleagues without having to go through a VPN (virtual
private network).
This section describes Communicator Web Access (2007 release) and compares the two Office
Communications Server 2007 clients, Communicator Web Access and Microsoft Office
Communicator 2007. It also presents reference architecture for supporting Communicator Web
Access in an existing deployment of Office Communications Server 2007.
2 Communicator Web Access (2007 release) Planning & Deployment Guide
• Inbound Call Routing/Forwarding Inbound call routing is an option that enables the user
from within Communicator Web Access to specify how incoming calls are handled. The user
can forward calls to a single number, to a single contact, to two numbers simultaneously, or
to both a contact and a number simultaneously.
Let’s look at how Communicator Web Access (2007 release) has been improved from the 2005
release.
Communicator Web Access Improvements
Communicator Web Access (2007 release) includes the following improvements:
• Enhanced presence
• Automatic Discovery of servers in the MMC
• Inbound Call Routing
• Office Communicator 2007 User Interface
• Custom authentication, including single sign-on enablement
• Conferencing
• New AJAX Service API - provides rapid application development and integration providing
RTC features including a single sign-on experience
The next figures compare Communicator Web Access and Office Communicator 2007, with the
main interface seen first.
Communicator Web Access (2007 release) Planning & Deployment Guide 5
The next figures compare the instant message alerts for each client.
Figure 2: Instant Message Alerts
The next figures show the conversation page for each client.
6 Communicator Web Access (2007 release) Planning & Deployment Guide
You can also customize the Communicator Web Access UI to provide corporate name recognition
and branding. See the Corporate Branding section in this guide.
Figure 4: Corporate Branding
Reference Architecture
Communicator Web Access (2007 release) is an extension of your existing Office
Communications Server 2007 deployment. You install Communicator Web Access server
software on servers inside your corporate network and configure them for internal user access or
remote user access, or both as seen in the next figure.
Communicator Web Access (2007 release) Planning & Deployment Guide 7
The preceding figure shows the reference Communicator Web Access topology. In this figure,
internal user and remote user traffic is physically separated by deploying separate Communicator
Web Access servers for each type of user. Both internal and external users connect by entering a
URI, for example https://<server_name>.contoso.com in their web browser. The firewall shown
in the figure routes incoming, external-user traffic to the Communicator Web Access server or
array of servers handling external users. The Communicator Web Access server performs
authentication and authorization before forwarding the traffic to Office Communications Server
2007 to provide presence and instant messaging.
Communicator Web Access (2007 release) servers can be deployed as an array of servers behind
a load balancer. However, the server array can be replaced with a single server for more modest
deployments. Internal users can and should be physically separated from remote users by
deploying both an internal and external pool to handle internal and external requests,
respectively.
Remote users can access the external pool by the Web Published Communicator Web Access
external site on the reverse proxy server using SSL. Only one of the many firewall configurations
that Communicator Web Access supports is shown. Communicator Web Access supports any
firewall or reverse proxy configuration for creating a perimeter network, including the Microsoft
Internet Security and Acceleration Server (ISA Server) 2000, ISA Server 2004, ISA Server 2006,
and other firewall and reverse proxy solutions. However, if SSO is enabled for a Communicator
8 Communicator Web Access (2007 release) Planning & Deployment Guide
Web Access (2007 release) virtual server, then ISA Server 2006 with SSO enabled on the Web
listener must be deployed. See the following link for additional information about ISA Server.
• ISA Server: http://www.microsoft.com/isaserver/default.mspx
Planning
This section discusses planning your Communicator Web Access (2007 release) deployment.
Reference Topology
The reference topology is shown in Figure 5 earlier in this guide. In the reference topology, an
array of Communicator Web Access (2007 release) servers is deployed for internal users, who
connect from within the corporate network. A separate Communicator Web Access server array
supports remote users, including users at a branch office and users who connect from other
remote locations (for example, home or an airport kiosk). This topology provides physical
separation between traffic originating from internal users and the Internet, which provides
security benefits.
Access to each Communicator Web Access server is provided by a virtual server (also called a
Web access server) that is configured for either internal or external access. A separate virtual
server for each type of access is required because the requirements for external connections are
different from those for internal connections. The following are some examples of these
differences:
• Internal access – Internal users may be authenticated through Integrated Windows
Authentication or Forms-based authentication; remote users must use Forms-based
authentication. Internal and external users can take advantage of single sign-on, so they are
not required to be authenticated again when they connect to Communicator Web Access after
they have already been authenticated on the network.
• External access – Users must use forms-based authentication in order to gain access.
Communicator Web Access also checks whether the user is allowed to connect to Office
Communications Server 2007 from outside the corporate network, a setting that is
configured for the user in Active Directory. In addition, the external Web access server
enforces timeouts after a period of inactivity (for example 15 minutes) in case the user is
using a public computer.
The reference topology contains two hardware load balancers to distribute load among the
servers in the internal pool and the external pool. If the deployment is greater than the capacity of
one Communicator Web Access server, then multiple servers and a load balancer must be
deployed.
Communicator Web Access deployed outside the internal network, including the perimeter
network, is not supported.
Multiple-Domain Topologies
In larger organizations, a multiple domain topology is common in which there is a single root
domain and several child domains. In a multiple domain topology, it is important to deploy the
Communicator Web Access server in the same domain as Office Communications Server 2007.
Requirements and support for multiple domain topologies are dictated by Office
Communications Server 2007, and Communicator Web Access imposes no additional
requirements on your Active Directory deployment. For details about deploying Active Directory
for Office Communications Server 2007, see the Office Communications Server 2007 Active
Directory Preparation Guide.
than Active Directory User objects. Finally, users within the central forest are not restricted from
being enabled for Office Communications Server.
Note
Although this scenario reduces hardware costs, it is
recommended only for small deployments. Deploying two
separate servers for physical isolation is the most secure
mechanism and is recommended when your budget permits.
In general, the same deployment guidelines that apply to other Communicator Web Access (2007
release) topologies also apply to the single server scenario. However, the following
considerations apply specifically to using a single server for both internal and external access:
• Two virtual servers cannot share the same IP address and listen on the same port; therefore,
you must differentiate them either by IP address or by port number. If both virtual servers
use the same IP address, you will need to differentiate them by port number. Many proxy
servers accept SSL traffic only on port 443; therefore, you may need to configure the
external virtual server with port 443.
• You must configure your firewall/reverse proxy to map to the appropriate port for each
virtual server.
• Although server isolation reduces security risk, it is still possible for the server to be
compromised, which would affect both external and internal users. In contrast, using a
separate external server would limit the impact of an attack on the external server to remote
users only.
The next figure shows an example of a single Communicator Web Access server that is used for
both internal and external access (not recommended), using application isolation.
14 Communicator Web Access (2007 release) Planning & Deployment Guide
See http://technet2.microsoft.com/WindowsServer/en/library/25a310b6-c18f-4a7a-84f5-
115e5de2260c1033.mspx?mfr=true for details. However, the recommended deployment using
physical separation is discussed and shown in the next section.
The preceding figure showing application isolation is a way to configure a deployment so that
neither internal users nor remote users need to specify a port when entering a URI to connect to
Communicator Web Access. The internal virtual server is configured to accept internal requests
over the default SSL port 443. Likewise, the firewall is configured to accept external requests
over the default SSL port 443, but it then redirects the requests to the external virtual server.
Physical Separation
In the next figure, the internal and remote user traffic is physically separated by deploying a
dedicated server or array for each type of user.
Figure 7: Separate Servers (Recommended)
The internal virtual server uses port 443, and the external virtual server uses port 443 as well. The
firewall/reverse proxy server is configured to redirect incoming SSL traffic bound for port 443 to
port 443 on the Communicator Web Access server for external users.
Communicator Web Access (2007 release) Planning & Deployment Guide 15
If you decide to use different port numbers, users may need to specify the port number when
entering the Communicator Web Access URL. For example, if you use port 444 on the internal
server, users would need to specify the port number by typing https://im.contoso.com:444.
You can change an internal virtual server to an external virtual server, or an external virtual
server to an internal virtual server. You must do this in WMI. You cannot do this in the
Communicator Web Access Manager (2007 release) snap-in. The WMI setting is
• root\DEFAULT\rtccwa_repository\MSFT_CWASiteSetting\ServerType
Change the value to one of:
• Internal
• External
Branch Office Topologies
Many large organizations are reducing IT expenses associated with branch offices by centralizing
the technical support staff and consolidating servers in a data center. This branch office topology
is practicable if there is fast, reliable network connectivity between the data center and most of
the remote branch offices. With the appropriate network connectivity, users can have a direct
connection to the corporate network, or they can tunnel through the Internet as remote users.
If network connectivity between the data center and a remote office is slow or unreliable, the
branch office may need to deploy its own local server. For Communicator Web Access (2007
release), this would mean deploying an HTTP proxy or a Communicator Web Access server in
the branch office.
Regardless of the assumed quality of the network connection, the bandwidth and latency between
the data center and any branch office cannot be guaranteed. Therefore, you should always design
a system that can accommodate slow, unreliable network connections. One of the factors you
must account for is that connections to the Communicator Web Access server from other
organizations or over the Internet will probably pass through one or more HTTP proxy servers.
HTTP proxies are not necessarily designed to keep HTTP connections open for long periods of
time. Such connections can be considered abnormal and can be terminated at any time. For this
reason, when planning your topology, take into consideration the HTTP proxies in the path
between client and server.
For more information about branch office topologies in Office Communications Server 2007
deployments, see the Office Communications Server 2007 Planning Guide, which is available
from the Office Communications Server 2007 Deployment Resources page at
http://office.microsoft.com/en-us/FX011450741033.aspx.
Federation
When federation is enabled in Microsoft Office Communications Server 2007, Communicator
Web Access users can view presence and send instant messages to users of the MSN® network of
Internet services, AOL®, Yahoo!®, in addition to other external organizations with which
federation has been established. Users can readily identify the origin of a contact by the branding
icon that appears next to a federated contact’s display name.
16 Communicator Web Access (2007 release) Planning & Deployment Guide
The branding icon of the federated partner must be accessed with an HTTPS connection. For
federated organizations, the administrator must ensure that HTTPS is used to access branding
icons instead of HTTP. Otherwise, if a Communicator Web Access user adds a federated contact
to his or her contact list, a security alert will appear whenever the user signs in. The security alert
will also appear whenever users search for federated contacts or start instant messaging
conversations with federated contacts. If your users see this behavior, you should verify which
federated organization is using HTTP for the branding icon and request that they use HTTPS
instead.
For more information about federated topologies in Office Communications Server 2007
deployments, see the Office Communications Server 2007 Access Proxy and Director Guide,
which is available from the Office Communications Server 2007 Deployment Resources page at
http://office.microsoft.com/en-us/FX011450741033.aspx.
Custom Authentication, Including SSO
See the Communicator Web Access (2007 release) Authentication Guide.
IM Archiving
See the archiving topic in the Office Communications Server 2007 documentation.
Important
The server must be a member of the same domain as a server
that is running Office Communications Server 2007. Installing
Communicator Web Access (2007 release) on a workgroup
computer is not supported and will result in an error during
setup.
Communicator Web Access (2007 release) Planning & Deployment Guide 19
Note
Communicator Web Access (2007 release) Manager is not
supported on any version of Windows 2000.
Important
Before installing the Communicator Web Access Manager
(2007 release) snap-in on a remote computer, you must first
install Internet Information Services (IIS) Manager. Only the
management components are required; you do not need to
install IIS on the computer. You can use Add/Remove Windows
Components in Control Panel to install the Internet Information
Services Snap-in (Windows XP) or Internet Information
Services Manager (Windows Server 2003), or you can
download Internet Information Services (IIS) 6.0 Manager for
Windows XP.
Supported Clients
Supported Communicator Web Access (2007 release) clients are:
Table 4: Supported Browsers
Note
Install the Microsoft Internet Explorer® 6.0 SP1 Internet
browser in order to avoid issues with the title display in
desktop alerts, options dialog boxes, and permissions dialog
boxes.
Client Interoperability
This section describes interoperability with various clients.
Office Communicator 2005 and Office Communicator 2007
The user can run Office Communicator 2005 or Office Communicator 2007 and Communicator
Web Access (2007 release) client on the same computer. Desktop alerts for new instant messages
will appear in both programs, and the user can choose which one to accept. Incoming IM alerts
continue to appear on both clients, but the message automatically opens in the active client.
Both Office Communicator 2007 and Communicator Web Access (2007 release) have a
mechanism that changes the user’s status after there has been a period of inactivity. In Office
Communicator 2007, the user’s status changes to Away. However, because Communicator Web
Access is a Web application, it can detect activity only in its own windows and dialog boxes. It
cannot detect whether a user is active in other programs on the same computer. Therefore, after a
period of Communicator Web Access inactivity, the user’s status in Communicator Web Access
as it appears to other users automatically changes to Inactive, but the user may still be actively
using his or her computer. For more information about Office Communicator 2007, see the
Communicator Web Access (2007 release) Planning & Deployment Guide 21
Microsoft Office Communicator 2007(Planning and Deployment Guide, which is available from
the Microsoft Office Communicator 2007 deployment resources page at
http://office.microsoft.com/en-us/assistance/HA011992481033.aspx.
Server Requirements
This section describes the requirements for deploying the Communicator Web Access (2007
release) server.
Infrastructure Requirements
The following infrastructure must be in place before you deploy Communicator Web Access
(2007 release):
• Active Directory is deployed.
• Domain controllers are running Microsoft Windows 2000 Server SP4 or Windows
Server 2003.
• Global catalog servers are running Windows 2000 Server SP4 or Windows Server 2003, and
at least one global catalog server in the forest root domain.
• PKI is deployed and configured, using either PKI from Microsoft or a third-party
certification authority (CA) infrastructure. Please see Live Communications Server 2005
Certificate Configuration at
http://www.microsoft.com/downloads/details.aspx?FamilyId=779DEDAA-2687-4452-901E-
719CE6EC4E5A&displaylang=en.
• DNS is deployed and configured correctly.
• Office Communications Server 2007 must be deployed.
Communicator Web Access Server Setup Requirements
This section describes the requirements for the computer that will be running the Communicator
Web Access (2007 release) server. It is assumed that all infrastructure requirements described in
the previous section are met.
The following are required for the computer on which Communicator Web Access (2007 release)
server is installed:
• Windows Server 2003 SP1
• The Communicator Web Access server is a member server of the same Active Directory
forest and domain as Office Communications Server 2007.
Note
Installing Communicator Web Access on a workgroup
computer is not supported and will cause an error during
setup.
• IIS 6.0.
• Windows Installer 3 (included in Windows Server SP1)
• .NET Framework 2.0 with ASP.NET 2.0 installed and registered.
• You must be logged on as a member of the DomainAdmins and RTCUniversalServerAdmins
groups to activate Communicator Web Access (2007 release).
• The root CA chain is trusted, and a certificate from the trusted root CA is located in the local
computer trusted root authorities store. For information about how the certificate should be
configured, see “Planning Certificates” later in this guide.
Communicator Web Access Active Directory Account
Requirements
The following table lists the minimum group membership requirements for Communicator Web
Access (2007 release).
Table 5: Minimum Group Membership
Group Minimum Requirement
Administrators (local) The user installing Communicator Web Access
(2007 release) server must be logged on as a
member of the local Administrators group.
Domain Admins The user activating the Communicator Web
Access (2007 release) server must be logged
on as a member of the DomainAdmins group
CWAService (default) The service account under which
Communicator Web Access (2007 release) runs
is added to the RTCHSUniversalServices group
created by Office Communications Server 2007.
RTCUniversalServerAdmins The user activating the Communicator Web
(created by Office Access (2007 release) server must be logged
Communications Server 2007) on as a member of the
RTCUniversalServerAdmins group.
• MTLS certificate – The MTLS certificate is used to authenticate connections to the Office
Communications 2007 server, or in the case of Legacy Redirection, the Live
Communications Server 2005 with SP1 server. The MTLS certificates in all cases must be
issued by the same trusted certification authority.
Important
The MTLS connection will succeed only if the subject name for
the MTLS certificate is the FQDN (fully qualified domain name)
of the Communicator Web Access server.
• HTTPS (SSL) certificate – The SSL certificate is used by clients that are connecting to the
Communicator Web Access server. Each virtual server that is configured with HTTPS must
have an SSL certificate. This certificate must be issued by the same trusted certification
authority that issued the MTLS certificate.
Both the MTLS and HTTPS certificates should be installed on the Communicator Web Access
server before you run Communicator Web Access setup. These certificates must be issued by the
same CA, and the certification authority must confirm the identity of each computer or user in the
authentication transaction.
When you deploy a supported configuration of Communicator Web Access (2007 release) you
will have one of the following scenarios:
• A single, separate Communicator Web Access server, with or without a legacy configuration
• Two or more Communicator Web Access servers behind a load balancer, with or without a
legacy configuration
The above Communicator Web Access (2007 release) configurations are connected to one of the
following Office Communications Server 2007 configurations:
• A single Office Communications Server 2007, Standard Edition with or without a legacy
configuration
• Two or more servers that are running Office Communications Server 2007, Enterprise
Edition behind a load balancer, with or without a legacy configuration
The above scenarios have additional or modified certificate requirements, to those already
discussed, when:
• Load balancing is introduced
• The Communicator Web Access virtual server is enabled for custom authentication and an
ISA Server 2006 with an SSO-enabled Web listener is deployed
• SSL Web publishing is introduced
When and if deployed, certificates are also required for:
• A Load balancer
• ISA Server 2006 configured to Web publish a Communicator Web Access (2007 release)
virtual server using SSL, with or without custom authentication enabled on the virtual server
Communicator Web Access (2007 release) Planning & Deployment Guide 25
In all of the above cases, if you are migrating from Live Communications Server 2005 SP1 and
Communicator Web Access (2005 release), you could have one or more legacy Live
Communications Server 2005 SP1 servers and one or more legacy Communicator Web Access
(2005 release) servers. No changes to the legacy certificates already configured on the legacy
components are required by migration.
Planning for MTLS Certificates
The MTLS certificate is used to identify the Communicator Web Access server to the Office
Communications Server 2007 server (either EE pool or SE), or in the case of Legacy Redirection,
the Live Communications Server 2005 SP1 server. The Communicator Web Access certificate
FQDN, configured in the Manager (MMC) is always the Communicator Web Access server
machine FQDN. If a load balancer is deployed, which has a VIP, the certificate on the load
balancer has an FQDN of the VIP FQDN, and must be issued by the CA that issued all the other
RTC certificates.
Table 6: MTLS Certificate
Version V3
Template Duplicated Web Server
EKU Server Authentication (1.3.6.1.5.5.7.3.1)
Private Key Enabled for Export
Key Usage Digital Signature, Key Encipherment (a0)
Version V3
Template Duplicated Web Server
EKU Server Authentication (1.3.6.1.5.5.7.3.1)
Private Key Enabled for Export
Key Usage Digital Signature, Key Encipherment (a0)
The following table summarizes the FQDN of the HTTPS certificate in each case:
26 Communicator Web Access (2007 release) Planning & Deployment Guide
http://www.microsoft.com/downloads/details.aspx?FamilyId=779DEDAA-2687-4452-901E-
719CE6EC4E5A&displaylang=en
Both NetBIOS names and FQDNs are supported as the subject name of a certificate when you
request a certificate from a Certification Authority. For more information on how to configure
certificates by using the NetBIOS name, see:
http://support.microsoft.com/default.aspx?scid=kb;en-us;887490.
Note
ISA is not required. You can use any reverse proxy.
Communicator Web Access confirms that the SIP URI of the client matches the credentials for
that user, and ensures that the user has been authorized to use Office Communications Server
2007. If the user is outside the corporate network, Communicator Web Access also confirms that
the user has been granted remote access to Office Communications Server 2007.
Authorization
Authorization checks the enhanced presence (EP) flag in the ninth bit of ms-RTCOptionFlags in
the User object in the Active Directory. It is either enabled or disabled. If EP is disabled, two
possible scenarios exist; the legacy URL has been set or it hasn’t. If the legacy URL has been set,
the client is notified of the redirect URL, and the client manually forms a logon request to
Communicator Web Access (2005 release), and the client logs on successfully. Otherwise, if the
legacy URL is not set, the client returns the following error:
• Your user account is not yet enabled for Communicator Web Access (2007 release) and there
is no Communicator Web Access (2005 release) server configured.
Authentication
Communicator Web Access (2007 release) requires that internal clients be authenticated by one
of the following methods:
• Forms-based authentication
• Integrated Windows (NTLM/Kerberos) Authentication
• Custom authentication, including SSO
Forms-Based Authentication
Forms-based authentication can be used by internal users (for example, those who are using a
non-Windows operating system) and must be used by remote users. In forms-based
authentication, a sign-in page is submitted to the server with the user’s credentials. The
Communicator Web Access (2007 release) authentication module and the use of SSL ensure that
credentials are encrypted.
Integrated Windows (NTLM and/or Kerberos) Authentication
Integrated Windows authentication uses Kerberos V5 authentication and is available only to
internal users. Except for remote users, Kerberos is used by default, but you can configure the
server to use only Kerberos. NTLM is used when computers are not domain members, or when
Kerberos is not available.
Custom Authentication, Including SSO
See the Office Communicator Web Access (2007 release) Authentication Guide.
Communicator Web Access (2007 release) Planning & Deployment Guide 29
Note
If Internet Explorer users are challenged for their credentials
when signing in to Communicator Web Access (2007 release)
from within the internal network, you can configure Internet
Explorer to bypass the proxy server for the Communicator
Web Access site. If a user has already been authenticated, this
configuration allows the user to sign in without being required
to be authenticated again. To configure Internet Explorer to
bypass the proxy server for all users, edit the Internet Explorer
group policy to include a proxy server exception for the
Communicator Web Access (2007 release) site (for example,
im.contoso.com).
Note
Using these URIs to code quick sign-in from other Web
applications is not a supported scenario and may result in
unexpected behavior.
new conversation windows. Therefore, users must configure pop-up blockers to allow pop-ups on
the Communicator Web Access site.
For client users who are using supported versions of Firefox, Mozilla, and the Netscape browser,
the number of windows open at any one time is limited to help safeguard against pop-ups. When
accessing Communicator Web Access from these clients, users can reach this limit if several
conversation windows or desktop alerts are open at one time. In this case, the client browser will
prevent any new windows from opening, which can result in missed conversations or
notifications. To prevent this issue, the user can change or remove the limit on the number of
allowable open windows.
Accepting Cookies
Cookies are issued to the client by the Communicator Web Access (2007 release) server after
successful authentication by both internal users and remote users. Therefore, clients must accept
cookies from the Communicator Web Access server to function correctly.
Increasing Capacity
Over time, regular monitoring of system usage may reveal that your configuration of
Communicator Web Access (2007 release) no longer meets the needs of users during periods of
normal usage.
The following are some methods for increasing capacity:
Communicator Web Access (2007 release) Planning & Deployment Guide 31
• Increasing search thresholds – Communicator Web Access contains a threshold setting that
determines the number of searches that are allowed at one time. This setting is configurable
in the global settings for Communicator Web Access. You can use Microsoft Operations
Manager 2005 to monitor how often users are reaching this limit over time. If users
continually reach the limit and the search activity represents normal usage, you may want to
increase the search limit. However, you need to consider any impact that increasing the limit
will have on performance.
For more information about using Microsoft Operations Manager, see Microsoft Operations
Management Pack in this document.
• Optimizing IIS 6.0 scalability – IIS 6.0, running on the Microsoft Windows Server® 2003
operating system, includes a new architecture and new features to help your application
server scale. For detailed information about optimizing IIS 6.0, see “Improving Scalability
by Optimizing IIS 6.0 Queues,” “Improving Scalability by Optimizing IIS 6.0 Caches,” and
“Additional Resources for IIS 6.0 Scalability” at
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/2a4d9385-
8cf8-4482-83d8-fa0adb8ffd96.mspx.
• Adjusting the IIS 6.0 user limit – By default, IIS 6.0 has a limit of 8,000 connections. This
setting is configurable in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
To increase the limit, create a DWORD entry named "MaxConnections" in this location and
set an appropriate limit, allowing for a reasonable tolerance for peak periods. For example, if
you want to allow 10,000 connections, you would probably set the value at double this
number (20,000).
Important
Do not set this registry key to an unusually large number. The
connection queue is maintained in the system kernel, which
could run out of kernel memory if the queue becomes too
large.
At some point, increasing search thresholds and optimizing other performance settings may
actually result in degraded performance, and you will need to consider adding servers to the
Enterprise pool or upgrading the processing power or memory of existing servers.
• Adding servers to the Communicator Web Access (2007 release) array – If your
Communicator Web Access servers are configured in an array, as your organization grows,
you can add Communicator Web Access servers to the array without interrupting service.
Clients who are currently participating in IM sessions at the time of the change are
unaffected.
32 Communicator Web Access (2007 release) Planning & Deployment Guide
• Adding storage capacity – Data storage for Communicator Web Access (2007 release) is
handled by Office Communications Server 2007. Static data, such as contact lists and ACLs
(access control lists), are stored as persistent data on the Office Communications Server
2007 Back-End Database. To increase the back-end storage capacity, follow the guidelines
and procedures for Office Communications Server 2007. For more information, see the
Microsoft Office Communications Server 2007 Enterprise Edition Deployment Guide, which
is available from the Live Communications Server Deployment Resources page at
http://office.microsoft.com/en-us/FX011450741033.aspx.
Understanding Failover
This section describes some of the failover mechanisms in Communicator Web Access (2007
release) and other measures you can take to increase reliability and availability. It covers the
following topics:
• Communicator Web Access failover mechanism
• Connection retry mechanism
• Detecting faults
• Containing failure
• Controlling overload
• Ensuring stable initialization
• Handling exceptions
Communicator Web Access Failover Mechanism
Communicator Web Access (2007 release) has a failover mechanism to help provide reliability
and high availability. However, it is recommended that you additionally use people and
processes, and that you continually evaluate and adjust your availability plan. High availability
typically requires a data center with uninterrupted power and continuous maintenance and
operations, as well as a trained, experienced staff.
Communicator Web Access provides failover support. You can choose from a number of options
for achieving reliability and availability, depending on your needs and your budget.
You can improve availability by increasing MTBF (mean time between failures) and by
decreasing MTTR (mean time to recover). You can increase MTBF for hardware by using any or
all of the following:
• Dual power supplies
• Hot swap disks with RAID
• Heat-sink temperature sensors
• Fan sensors
• Redundant systems
You can lower MTTR by doing any or all of the following:
• Detecting faults as soon as possible
• Using standby and redundant systems
• Using server pools and load balancing
Connection Retry Mechanism
The Communicator Web Access failover mechanism contains the Client Retry recovery
mechanisms. Repeated failures to connect to any one Communicator Web Access server result in
the connection being attempted with the generic DNS name for the VIP (virtual IP) address of the
load balancer so that the client can be connected with any available server in the array.
Communicator Web Access (2007 release) Planning & Deployment Guide 35
If a brief network interruption occurs, the client will attempt to reconnect to the same server. If
reconnection fails within two minutes, the user will be signed out. The user can then attempt to
sign in again, and any available server will be used for the new session.
The Communicator Web Access (2007 release) server in the recovery process performs SIP
optimizations to ensure that the failure does not replicate and cause an overloaded condition on
any component in the Office Communications Server 2007 system. The recovered connection
causes no user state change, except for loss of only the data that is between endpoints at the time
of failure.
Detecting Faults
The Communicator Web Access failover mechanism contains the following fault detection
mechanisms:
• Client to Server
• Client from Server
• Office Communications Server 2007 from Server
• Active Directory from Server
Containing Failure
In the event of a failure, it is important to be able to isolate the failure and to prevent it from
becoming the proximate cause of other failures. For example, isolating servers for internal users
from those for remote users can contain a failure to just one group of users.
This server isolation capability ensures that in the event of a system overload, performance may
be degraded, but the entire system will not fail.
Controlling Overload
The Communicator Web Access (2007 release) server uses throttling to help prevent a total
system failure and a cascade of subsequent failures that are caused by the initial failure. To
prevent a system overload, throttling mechanism denies and/or delays sign-in attempts.
The Communicator Web Access overload mechanism has damping built into it to prevent a
normal, momentary spike in traffic from producing an overload. Similarly, if the server is already
overloaded, Communicator Web Access continues to treat the server as overloaded for a brief
period in order to allow the server to return to stability. This delay help prevents the server from
immediately returning to the overloaded condition.
Client requests to sign in during an overload are returned with a message indicating that the
server is temporarily unavailable. This prevents the client from overloading the server by
immediately trying again to sign in. Client requests to log in during an overload in which no
bandwidth is available are dropped, and the client times out.
Ensuring Stable Initialization
During failover, a cold restart of the Communicator Web Access is required. This restart, which is
independent of the order in which other components start, provides a stable and predictable
initialization of the Communicator Web Access server or array.
36 Communicator Web Access (2007 release) Planning & Deployment Guide
Stable initialization provides Communicator Web Access server arrays to tolerate Live
Communications Server switchovers and individual Communicator Web Access servers being
taken offline for any reason, including a power failure.
Handling Exceptions
Exceptions occur when the server or array has a failover, recovery, initialization, or boot process
in progress. Exceptions are handled in the same way as overloads: client sign-in attempts are
denied, delayed, or dropped until the system is stable again.
Planning for Load Balancing
This section describes planning for distributing the load among multiple Communicator Web
Access servers that use a hardware load balancer. Load balancing is a type of redundancy that can
help improve the reliability and availability of Communicator Web Access. Load balancing is an
element of horizontal clustering, in which multiple servers are configured to perform the same
function on the network. The following figure shows the reference Load Balancing architecture.
Figure 8: Load Balancing Topology
A load balancer can be used for both internal and external access, potentially with a dedicated
load balancer for each type of access. Alternatively, you can use a single load balancer for both
Office Communications Server 2007 connectivity and Communicator Web Access. This approach
will probably affect the scalability of the load balancer, and having both sets of traffic traverse
one load balancer does not guarantee that each server deployment will have the same capacity;.
However, both sets of traffic can flow through the same Load Balancer without any functional
impact.
Like typical Web applications, Communicator Web Access (2007 release) requires affinity.
Communicator Web Access supports any load balancer that provides HTTP or HTTPS client
affinity. Communicator Web Access (2007 release) does not support network load balancing
topologies, because these topologies do not maintain client affinity. If you configure network
load balancing on your Communicator Web Access servers, whenever a server fails or restarts,
client connections are rebalanced across the Communicator Web Access (2007 release) server
pool and users are disconnected.
HTTPS and HTTP traffic between client and Communicator Web Access server is routed through
the load balancer, as is SIP traffic between the Office Communications Server 2007 and the
Communicator Web Access server. Management traffic between the Communicator Web Access
server and the administrator, which is not shown in the preceding figure, does not go through the
load balancer. Neither does DNS traffic or LDAP traffic.
Note
You can deploy Communicator Web Access (2007 release) on
either side of your hardware load balancer. Connections
between Communicator Web Access (2007 release) and Office
Communications Server 2007 consist of client SIP traffic only.
A complete discussion of NAT and subnetting is beyond the scope of this document. For more
information, see the following:
• The NAT Technical Reference at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/fd23047
b-2b5a-42b3-aa14-2b7c1cd4be81.mspx
• The TCP/IP Technical Reference at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/58511c
7c-fb5c-4186-aa69-6f598d59a973.mspx
Supported Load Balancing Configurations
This section describes the supported load balancing configurations for internal and external client
access. All supported load balancing configurations meet the requirement of maintaining state for
a user’s session. The load balancer accomplishes this by using cookie inspection, IP address, or
another mechanism, depending upon the specific load balancer. The load balancer ensures that
the same Communicator Web Access server is used for the entire user’s session.
Note
Multihomed network adapters or multiple network adapters,
each with a different IP address, are not supported for load
balancing in Communicator Web Access (2007 release).
The next table describes supported load balancing configurations for Communicator Web Access
(2007 release):
Table 10: Supported Load Balancing Configurations
Type of NAT Supported Configurations
Destination NAT • Two arms and one IP subnet
• Two arms and two IP subnets
• One arm and two IP subnets
Source NAT • Two arms and one IP subnet
• Two arms and two IP subnets
• One arm and one IP subnet
• One arm and two IP subnets
Direct Server Return • One arm and one IP subnet
• One arm and two IP subnets
• Two arms and one IP subnet
• Two arms and two IP subnets
Deploying Communicator
Web Access
Communicator Web Access (2007 release) can be deployed in two authentication modes:
• Built-in authentication
• Custom authentication
For the public beta, this Planning and Deployment Guide describes deploying Communicator
Web Access using built-in authentication. For a discussion of custom authentication, see the
Communicator Web Access (2007 release, Public Beta) Authentication Guide.
Preparation
This section describes how to prepare the server for Communicator Web Access (2007 release)
installation and request the required certificates.
Communicator Web Access (2007 release) Planning & Deployment Guide 43
If you are using another PKI infrastructure or you have not implemented automatic enrollment,
use the following steps to download a certificate chain and to request a certificate on the
computer.
It is recommended that you not use the Web enrollment component for computers that are not in
your protected internal network. The following procedure assumes that the server and the user
can access the internal certification authority by using the physical network and Certificate
Services Web enrollment.
Configure a Windows Server 2003 SP1 Enterprise Root CA
Install certificate services and configure the server as an Enterprise Root Certification Authority.
To install certificate services and configure the server as an Enterprise
root CA
1. Click Start, point to Settings, click Control Panel, and then click Add or Remove
Programs.
2. Click Add or Remove Windows Components.
3. In the Windows Components Wizard, click Certificate Services.
4. On the Microsoft Certificate Services page, click Yes, and then click Next.
5. On the CA Type page, click Enterprise root CA, and then click Next.
6. On the CA Identifying Information page, in the Common name for this CA box, type
<server_name>, and then click Next.
7. On the Certificate Database Settings page, click Next.
8. If prompted, type the full path to the Windows Server 2003 installation folder or CD, and
then click Continue.
9. In the Microsoft Certificate Services message, click Yes to allow IIS to be temporarily
stopped.
10. In the Microsoft Certificate Services message, click Yes to enable ASP and IIS.
After you have installed Microsoft Certificate Services, prepare the CA for issuing certificates by
duplicating the Web server certificate template. During this procedure, you must grant Enroll and
Auto enroll permissions for the following groups in all domains: AuthenticatedUsers,
DomainAdmins, DomainComputers, and EnterpriseAdmins. You must also enable the Mark keys
as exportable during the Web server template duplication. See the Office Communications Server
2007, Standard Edition Quick Start for the procedure how to do this.
Caution
The certificates for both Office Communications Server 2007
Standard Edition and Communicator Web Access (2007
release) must be issued from the same certification authority
(CA) and must use a duplicated Web server template in which
the Mark keys as exportable option has been enabled.
When using ISA Server 2006 as a reverse proxy, the
certificates required for the ISA Server must also be issued
from the same CA.
Communicator Web Access (2007 release) Planning & Deployment Guide 45
15. Leave the default value Place all certificates in the following store. Under Certificate
store, ensure Trusted Root Certification Authorities appears.
16. Click Next.
17. Click Finish.
8. In the Select Computer dialog box, ensure that the Local computer: (the computer this
console is running on) check box is selected, and then click Finish.
9. Click Close, and then click OK.
10. In the left pane of the Certificates console, expand Certificates (Local Computer), expand
Trusted Root Certification Authorities, and then click Certificates.
11. Confirm that the certificate that you just requested and installed is located in this folder. If it
is not, copy it from the Certificates folder under the Personal folder node, just above.
Note
If you want to install Communicator Web Access (2007
release) on a computer on which Communicator Web Access
Manager (2007 release) is already installed, you must first
remove Communicator Web Access Manager (2007 release).
4. On the Deploy Other Server Roles page, click Deploy Communicator Web Access
Server.
50 Communicator Web Access (2007 release) Planning & Deployment Guide
5. On the Deploy Microsoft Office Communicator Web Access page, under Step 1: Install
Communicator Web Access, click Install.
Note
Activating the server creates the account CWAService in
Active Directory.
6. On the Select Server Certificate page, click Next. Verify that the Issued to box contains
CN=<FQDN>.
7. On the Ready to activate Communicator Web Access page, click Next.
8. On the Success page, click Finish.
Do not close the window. Continue directly with the next procedure.
To create the Communicator Web Access IIS virtual server
Note
The first virtual server is created during this step. You can
create additional virtual server in Communicator Web Access
Manager (2007 release).
4. On the Select Authentication Type page, accept Use built-in authentication and click
Next.
52 Communicator Web Access (2007 release) Planning & Deployment Guide
6. On the Select Browser Connection Type, accept the default of HTTPS (recommended),
and then click Select Certificate.
7. On the Select Certificate page, click the certificate with the FQDN of
webserver3.contoso.com, and then click OK.
8. On the Select Browser Connection Type page, click Next.
9. On the Select IP address and port setting page, accept all defaults, and then click Next.
Communicator Web Access (2007 release) Planning & Deployment Guide 53
10. On the Name the Virtual Server page, accept the default name Communicator Web Access
and then click Next.
11. On the Automatically Start Virtual Server page, accept the default and then click Next.
12. On the Review Settings … page, click Next.
13. On the Success page, click Finish.
Note
If you install Communicator Web Access Manager (2007
release) on a computer and then later want to install
Communicator Web Access (2007 release) on the same
computer, you must first remove Communicator Web Access
Manager (2007 release).
54 Communicator Web Access (2007 release) Planning & Deployment Guide
4. On the Select Virtual Server Type page, click External, and then click Next.
5. On Select Authentication Type, select Use built-in authentication, and click Next.
7. On the Select Connection Type page, click HTTPS (recommended), and then click Select
Certificate.
8. On the Select Certificate page, select the certificate, and then click OK.
10. On the Select IP Address and Port Settings page, in Port for this Communicator Web
Access Virtual Server, type 444. This port number must be different from the port number
(443) used for any other applications; otherwise, an IP address conflict will occur. Click
Next.
11. On the Server Description page, type cwaExternal, and then click Next.
58 Communicator Web Access (2007 release) Planning & Deployment Guide
13. On the Review Settings before Virtual Server Creation page, click Next.
15. In the scope pane of the Microsoft Office Communicator Web Access Manager (2007
release), the cwaExternal node has been added
Note
Communicator Web Access (2007 release) does not support
silent installation.
3. At the command prompt, type the following, and then press ENTER:
cd <setup path>\i386\MSI
4. To install the program files, at the command prompt, type the following, and then press
ENTER. If you want to create a log file, include the optional /lv switch.
Msiexec.exe /i cwamain.msi [/lv <log_file_name>.txt]
Caution
ISA Server 2006 with SSO enabled on the ISA Server 2006
Web listener, and publishing a virtual server enabled for
custom authentication is the only supported SSO
configuration. Additionally, ISA Server 2006 must be
configured for SSL on the external site. HTTP is not supported.
Communicator Web Access (2007 release) Planning & Deployment Guide 61
ISA Server 2006 can be used as an alternative to, or in conjunction with, a VPN in your
deployment of Office Communications Server 2007 and Communicator Web Access (2007
release). You can use ISA Server to provide perimeter network and internal network boundaries.
You can also use ISA Server to publish one or more Communicator Web Access (2007 release)
servers using ISA Server 2006. ISA Server 2006 Standard Edition and Enterprise Edition are both
supported.
62 Communicator Web Access (2007 release) Planning & Deployment Guide
Note
When publishing a Web site, you can either reference the
internal Web server with an FQDN, host name, or IP address. If
the ISA Server will communicate with the internal Web server
over HTTPS, then you need to use the FQDN that matches the
common name in the certificate installed on the internal
server, or the connection will fail. If the ISA Server cannot
resolve the FQDN, then the IP address or host name must be
specified when configuring ISA Server to publish the Web site.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Use the following IP
address.
5. In the IP address box, type 192.168.1.5.
6. In the Subnet mask box, type 255.255.255.0.
7. Click Use the following DNS server addresses.
8. Enter 192.168.1.x in the Preferred DNS server box.
9. Click OK twice.
Set the isa2006 Interface Order Now set the interface order. Listing the ISA
Server 2006 internal interface first in the list of network connections can improve name
resolution performance. Any failure to resolve names will prevent the Web site from being
published successfully.
To set the interface order
1. Click Start, point to Settings, and click Network Connections.
2. On the Advanced menu, click Advanced Settings.
3. Under Connections, click Internal.
4. Click the up arrow to move the internal interface to the top of the list.
5. Click OK.
Add isa2006 Internal IP address to the contosodc.contoso.com DNS Server
11. In the IP address box, type 10.10.10.55. Click Add, click OK, and then click Apply.
12. Click OK.
13. Close the DNS console.
Add isa2006 external IP address to the “Internet” DNS Server Now add the
ISA Server 2006 external interface IP address to the “Internet” DNS server.
To add the external IP address to the “Internet” DNS Server
1. On the Internet DNS Server, click Start, point to All Programs, point to Administrative
Tools, and then click DNS.
2. In the console tree, expand Forward Lookup Zones.
3. Right-click the remote.contoso.com node and then click Properties.
4. In the remote.contoso.com Properties dialog box, select the Named Servers tab, and then
click Add.
5. In the New Resource Record dialog box, in the Server FQDN box, type cwa.contoso.com.
This will be the URL used by external users to access the Web published Communicator
Web Access (2007 release) external virtual server.
6. In the IP address box, type 192.168.1.5. Click Add, and then click OK.
7. In the console tree, expand Reverse Lookup Zones.
8. Right-click the 1.168.192.in-addr.arpa node, and then click Properties.
9. In the 1.168.192.in-addr.arpa Properties dialog box, click the Named Servers tab, and
then click Add.
10. In the New Resource Record dialog box, in the Server FQDN box, type cwa.contoso.com.
11. In the IP address box, type 192.168.1.5. Click Add, click OK, and then click Apply.
12. Click OK.
13. Close the DNS console.
Install ISA Server 2006 Standard Edition Install ISA Server 2006 Standard
Edition. You can get a free 180 day trial of ISA Server 2006 from:
http://www.microsoft.com/isaserver/2006/trial-software.mspx.
To install ISA Server 2006 for this lab
1. Double-click Isaautorun.exe.
2. On the splash screen, click Install ISA Server 2006
3. On the Welcome page, click Next
4. On the License Agreement page, select I accept, and then click Next.
5. On the Customer Information page, enter User Name, Organization, and Product Serial
Number, and click Next.
6. On the Setup Type page, select Typical, and click Next.
68 Communicator Web Access (2007 release) Planning & Deployment Guide
Important
The certificates must be issued from the same CA as the
certificates used for the Communicator Web Access (2007
release) server and the Office Communications Server 2007
server, and must use a duplicated Web server template. A
certificate issued from a public CA is recommended.
For details about certificate requirements and procedures, see “Digital Certificates for ISA Server
2004” at: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/digitalcertificates.mspx
Create the Communicator Web Access external Virtual Server Now create
the virtual server, cwaExternal that will handle external user traffic. This is the Communicator
Web Access (2007 release) virtual server that will be Web published by ISA Server 2006. See the
Creating Additional Virtual Servers procedure in this guide.
Communicator Web Access (2007 release) Planning & Deployment Guide 69
Configure the ISA Server 2006 server to publish the external virtual server
You must now configure ISA Server 2006 to Web publish the Communicator Web Access virtual
server.
First, specify the LDAP verification server. Then, configure the Web listener on ISA Server 2006.
Finally, publish the Communicator Web Access virtual server.
Specify the LDAP Verification Server You must specify the set of LDAP servers
that ISA will use to validate users. You can do this prior to creating the Web listener (the next
step) or you can do it during the step to create the Web listener. Regardless of when you specify
the LDAP servers, the process includes creating a User Set to which you can add only the users
and groups to the LDAP User Set that require authentication by the LDAP validation Server.
For example, you could create a group in Active Directory called remoteCWAusers, and then add
this group to the LDAP User Set that you create. To the remoteCWAusers group, add only users
that require external access to the published Communicator Web Access Web site, and which are
the only users authenticated on the LDAP validation server. When users no longer have the need,
remove them from the remoteCWAusers in Active Directory.
Prior to creating the Web listener, you can specify the LDAP server or servers that will validate
users from the General node in the scope pane of the ISA Server 2006 Management console, seen
in the next figure. Click the Specify RADIUS and LDAP Servers in the result pane to display the
RADIUS and LDAP Server configuration tabs.
70 Communicator Web Access (2007 release) Planning & Deployment Guide
If you choose to specify the LDAP server during the Web listener creation step, which is the next
step, you will get a wizard page on which you can do this. In either case, for details on how to
specify the LDAP server, see the Secure Application Publishing paper at:
https://www.microsoft.com/technet/isa/2006/secure_web_publishing.mspx.
Create the Web Listener Now let’s create the Web listener that listens on the external
network interface card, and name it isaListener.
To create the Web listener
1. On isa2006.contoso.com, open the ISA Server snap-in by clicking Start and pointing to
Programs, pointing to Microsoft ISA Server, and clicking ISA Server Management.
Communicator Web Access (2007 release) Planning & Deployment Guide 71
2. On the Firewall Policy (default) result pane, on the Toolbox tab on the right side of the
result pane, select Network Objects, click New, and click Web Listener.
3. On the Welcome page, enter isaListener in the Web listener name text box, and click Next.
72 Communicator Web Access (2007 release) Planning & Deployment Guide
4. On the Client Connection Security page, accept the default Require SSL and click Next.
5. On the Web Listener IP Addresses page, select External in the list box, and click Next.
6. On the External Network Listener IP Selection page, select Specified IP addresses on the
ISA Server computer in the selected network.
Communicator Web Access (2007 release) Planning & Deployment Guide 73
11. On the Select Certificate page, select the certificate you created for the isaListener Web
Listener. This certificate should have the FQDN of the URL used to access the isaListener
Web listener; in this case, cwa.contoso.com. Click Select.
13. On the Authentication Settings page, select HTML Form Authentication, select LDAP
(Active Directory), and click Next. You will configure the validation server in another task.
14. On the Single Sign On Settings page, clear the Enable SSO check box and click Next.
15. If you have not configured the LDAP Verification server before creating the Web listener,
you will get the LDAP Verification server configuration page now. If you have already
configured the LDAP Verification server, you will get the Completing the New Web
Listener Wizard page, on which you should click Finish.
76 Communicator Web Access (2007 release) Planning & Deployment Guide
16. In the ISA MMC Firewall Policy result pane, click Apply.
18. In the ISA Server snap-in, in the scope pane, right-click the Server node, and then click
Refresh.
Publish the Communicator Web Access cwaExternal virtual server Use the
following procedure to create an SSL (Secure Sockets Layer) Web publishing rule for the
Communicator Web Access cwaExternal virtual server, and then attach the listener to that
publishing rule.
Communicator Web Access (2007 release) Planning & Deployment Guide 77
2. On the Welcome page in the Web publishing rule name text box, type externalCWA, and
then click Next.
78 Communicator Web Access (2007 release) Planning & Deployment Guide
3. On the Select Rule Action page, click Allow, and then click Next.
4. On the Publishing Type page, accept the single web site default, and then click Next.
5. On the Server Connection Security page, select the Use SSL to connect to the published
web server or server farm check box, and then click Next.
Communicator Web Access (2007 release) Planning & Deployment Guide 79
6. On the Internal Publishing Details page, in the Internal site name box, type the name of
the internal site (webserver3.contoso.com). If needed, specify the Computer name or IP
address box by checking the box and typing webserver3.contoso.com, and click Next.
7. On the next page, also titled Internal Publishing Details, click Next.
8. On the Public Name Details page, in the Public name box, type cwa.contoso.com, and
then click Next.
80 Communicator Web Access (2007 release) Planning & Deployment Guide
9. On the Select Web Listener page, in the Web listener list, click isaListener, and then click
Next.
10. On the Authentication Delegation page, click Basic authentication in the list, and then
click Next.
12. On the Completing the New Web Publishing Rule Wizard page, click Finish.
13. Click Apply, click OK, and then refresh the ISA server node in the snap-in. To refresh the
ISA server node, right-click the server node in the scope pane, and then click Refresh.
Configure ISA Server to redirect external traffic to internal port 444 Now
configure ISA Server to redirect external traffic, which by ISA default is bound for 443, to the
Communicator Web Access, cwaExternal virtual server that is running on port 444 on
webserver3.contoso.com.
To configure ISA to redirect https://cwa.contoso.com requests to port
444
1. In the ISA Server Management console tree, click the Firewall Policy node.
2. In the details pane, right-click the externalCWA Web Publishing rule, and then click
Properties.
3. On the externalCWA Properties page, click the Bridging tab.
4. On the Bridging tab, click Web server. Clear the Redirect requests to HTTP port check
box. Click Redirect requests to SSL port, and type 444 in box next to it. You do not need to
select a certificate on this page.
5. Click Apply, and then click OK.
6. On the main ISA management console, click Apply to commit the changes.
7. On the Apply New Configuration confirmation box, click OK.
2. On the ISA default form, enter credentials for a user enabled for remote Communicator Web
Access.
PIC
Complete content for this topic is not yet available.
A PIC user cannot initiate a multiparty conference with an enhanced (Office Communications
Server 2007) user.
2. Verify that User B, signed in to Client B, can search for User A and can add User A to User
B’s Contacts list.
3. Verify that User A, signed in to Client A, can search for User B and can add User B to User
A’s Contacts list.
4. Verify that the following functions work as expected:
• IM exchange
• Presence change
• Block and unblock of each contact from each client
• Contact deletion on each client
5. Verify that when you unplug the network cable from the load balancer to one of the
Communicator Web Access servers, the client connected to that server is signed out within a
few minutes.
6. Verify that when clicking the Sign In button on the client that was signed out in the previous
step, the user is successfully connected to the remaining connected Communicator Web
Access server.
7. Verify that the CWA – 002 Sessions performance counter for the remaining server shows
two connections.
7. Use Communicator Web Access Manager (2007 release) to import the configuration files
that were previously exported from the working Communicator Web Access virtual servers
into the backup server.
8. Use Communicator Web Access Manager (2007 release) to configure the SSL certificate for
the virtual servers.
If the failed server is part of a pool of Communicator Web Access servers behind a load balancer,
you can either reuse the IP address of the failed server or configure the load balancer to point to
the new IP address of the standby server.
If the failed server is not part of a pool, you should configure the DNS server to point the FQDN
to the new IP address. If you do not have a DNS server, you can reuse the IP address of the failed
server as that of the standby server.
remote computer by opening the deployment tools and selecting the last option, Install
Communicator Web Access Administrative Snap-in. For details about the deployment tools,
see “Installing Communicator Web Access by Using the Deployment Tools” earlier in this guide.
Communicator Web Access Manager (2007 release) will run on any of the following operating
systems:
• Windows XP Professional Edition with Service Pack 2
• Windows Server 2003 SP1, Standard Edition
• Windows Server 2003 SP1, Enterprise Edition
Communicator Web Access Manager (2007 release) is not supported on any version of Windows
2000.
A Communicator Web Access snap-in for the Microsoft Management Console is also installed
during Communicator Web Access installation. If your organization has a large number of
administrators, you can create a console that contains the snap-in and redistribute the .msc file to
administrators with read-only access.
Important
You must install IIS Manager on a remote computer before you
can install Communicator Web Access Manager (2007
release). Only the management components are required; you
do not need to install IIS on the computer. You can use the
Control Panel to install the Internet Information Services Snap-
in (Windows XP) or Internet Information Services Manager
(Windows Server 2003 SP1), or you can download the Internet
Information Services (IIS) 6.0 Manager for Windows XP.
Additionally, the Communicator Web Access server must have
ASP.NET 2.0 installed and registered to be supported for
remote virtual server creation.
7. On the License Agreement page, click I accept the terms in the license agreement, and then
click Next.
8. On the Ready to Install page, accept the default location, or click Change to select an
alternate location, and then click Next.
9. On the Ready to Install page, click Install.
10. On the Setup Complete page, click Finish.
To connect to the Communicator Web Access server
• On the Start menu, point to Programs, click Administrative Tools, and then click Office
Communications Server 2007 Public Beta, Communicator Web Access Manager.
Auto Discovery of Servers
The Communicator Web Access (2007 release) snap-in automatically discovers the
Communicator Web Access (2007 release) servers in the current Active Directory Forest.
The Communicator Web Access Manager (2007 release) snap-in cannot connect to and manage
Communicator Web Access (2005 release) servers.
Scope Pane
The scope pane is the leftmost pane in the last figure.
Result Pane
Each node in the scope pane has its own result pane.
The physical server FQDN node result pane has two tabs:
• Status tab
• Performance tab
Table 15 describes the performance counters.
Table 15: Perf Counters
Perf Counter Description
PERF_AUTH_NUM_SUCCESSFUL_FORMS_L Content for this topic is not yet available.
OGONS_SEC
PERF_AUTH_NUM_SUCCESSFUL_IWA_LOG
ONS_SEC
PERF_SECURITY_NUM_TICKET_CHECK_FAI
LURES_SEC
PERF_AUTH_NUM_THROTTLED_
LOGONS_SEC
PERF_SERVICE_MESSAGE_SENT_FAILURE_
SEC
PERF_SERVICE_MESSAGE_RECEIVED_ SEC
90 Communicator Web Access (2007 release) Planning & Deployment Guide
The virtual server node, of which there can be 0 or more of, has one Status tab, and displays the
information seen in the next figure.
Figure 13: Status
• Authentication
• Connectivity
On the General tab, shown in the figure in step 3 of the next procedure, the Communicator
Web Access (2005 release) URL text box is where the admin specifies the Communicator Web
Access (2005 release) server for Legacy Redirect.
Specifying a Legacy Redirect URL
You can specify a legacy redirect URL from the virtual server Properties page, General tab.
To specify a legacy redirect URL
1. In Communicator Web Access Manager (2007 release), connect to the Communicator Web
Access server with an account that a member of the Administrators and
RTCUniversalServerAdmins groups.
2. Expand the tree view, right-click the virtual server node and select Properties.
3. On the General tab of the virtual server Properties page, enter the URL in the URL text box,
click Apply, and then click OK.
Tracing
To turn on and off “stack trace”, create the following registry key and set it to 1 or 0,
respectively:
HKLM\Software\Microsoft\Communicator Web Access\Tracing\EnableErrorStackTrace
Configuring Search
Users can search for contacts by specifying one or more search criteria in the Find text box. By
default, the search criteria are display name and e-mail address. The user can override the default
search criteria by selecting a different preference from the list next to the Find button. Options
include:
• Contact’s first name
• Contact’s last name
• Contact’s display name
• Contact’s e-mail address
• Contact’s last name and display name
• Contact’s last name and e-mail address
As a system administrator, you can specify the default criteria to be used in a search by
modifying the DefaultSearchField and DefaultSearchQuery settings in Windows Management
Instrumentation (WMI). You can also specify the maximum number of search results that are to
be returned. Table 16 lists the search-related WMI settings that can be changed.
Communicator Web Access (2007 release) Planning & Deployment Guide 95
• Phone 3
• Phone 4
• SubscribeToPresence
• IsSmartCamp
• NotificationSetting
These attributes are displayed in the search results along with the attributes described previously.
MOM Pack
This section discusses options for monitoring Communicator Web Access (2007 release).
The Microsoft Office Communicator Web Access (2007 release) Management Pack for Microsoft
Operations Manager (MOM) 2005 and MOM 2007 adds the following Communicator Web
Access (2007 release)-related information to MOM 2005 SP1:
• Computer Group
• Admins Notification Group
• Event Rules
• Performance Rules
• Alert Rules
By using these features, MOM administrators can monitor Communicator Web Access servers
and receive automatic e-mail notifications of critical events. Some examples of critical events
include the following:
• The Communicator Web Access service unexpectedly terminates.
• A large backlog of users is trying to log on to the system.
• Communicator Web Access cannot connect to Active Directory, so it cannot authenticate
users or search for contacts.
The management pack helps keep you aware of issues that need attention. It also provides
additional information for responding to critical issues beyond the information provided by the
standard event logs and performance counters that are included with Windows.
The following components are not provided in the Communicator Web Access (2007 release)
Management Pack; however, you can add these components by using the MOM Pack authoring
features:
• State Views
• Custom Tasks
• Scripts for automated responses
• Reporting
System Requirements The Communicator Web Access (2007 release) management
pack requires the following minimum software:
Communicator Web Access (2007 release) Planning & Deployment Guide 97
Important
To ensure that notifications work properly, manually add an
Operator object for each network administrator to MOM and
configure its e-mail settings (and pager settings, if desired).
Then add the Operator object to the Office Communications
Server 2007 administrator’s notification group. After you
perform these steps, when an error-level alert (or higher
severity) occurs, the Operator should be notified by e-mail
(and by pager, if configured).
In the MOM 2005 administrator console, the Microsoft Office Communicator Web Access
node appears under the Microsoft Office Communications Server 2007 node. The Microsoft
Office Communicator Web Access node contains the following rule groups:
• Authentication
• Performance
• Policy
• Session Service
• User Search
98 Communicator Web Access (2007 release) Planning & Deployment Guide
Each rule group may contain event rules, performance rules, and an alert rule. The alert rules are
configured to send e-mail to the Office Communications Server 2007 administrator’s notification
group whenever MOM receives an event or performance counter with a severity of Error or
higher.
The following alert levels are also available in MOM:
• Service Unavailable
• Security Issue
• Critical Error
• Error
• Warning
• Information
• Success
The Communicator Web Access (2007 release) management pack also installs the necessary
event and performance counter providers and the Communicator Web Access computer group so
that MOM can automatically find Communicator Web Access servers and collect the appropriate
information.
Customizing the Management Pack Depending on their needs, organizations can
customize the Communicator Web Access management pack by making the following
modifications:
• Modify rules – You can suppress events that are appearing too frequently or disable
unnecessary events. You can also configure pager data to notify network administrators by
their pagers when alerts occur.
• Customize tracking – You can use performance rules and some of the information event
rules to track service performance, manage service levels (for example, identify peak usage
periods and periods of increased latency), and track service uptime.
• Expand functionality – You can add your own rules, tasks, and automated responses.
Additional MOM Resources For additional information about MOM 2005, please see
the following resources:
• MOM Security Guide:
http://www.microsoft.com/technet/prodtechnol/mom/mom2005/Library/3e039637-4639-
46f7-9f5f-518e0c04795e.mspx?mfr=true
• MOM Catalog: http://www.microsoft.com/management/mma/catalog.aspx
• MOM Resource Kit: http://www.microsoft.com/mom/downloads/2005/reskit/default.mspx
Custom Tabs
Custom tabs are not supported in Communicator Web Access (2007 release).
</td>
<tr>
<script language=”javascript”>
var imgsrc = GetImgHTML(“<%=ServerPath%>cwa/client/custom/file_name.jpg”);
document.write(“<td valign=’top’ style=’padding-bottom:0px;padding-
top:10px;padding-left:19px;padding-right:30’>” + imgsrc + “</td>”);
</script>
</tr>
<!-- Contoso Corporate Branding - Finish -->
9. Make sure that the replacements fit within the UI bounds of the original art and strings.
10. Do an iisreset /restart on the server that is serving the new content.
11. Make sure that users clear the temporary files on their browser so that old content cached on
their computer, if any, doesn’t get used instead of the new content.
12. An example of adding a corporate name and logo in the lower left corner of the Integrated
Windows Authentication logon page, using the above script, is seen in the next figure.
Enterprise Voice
Communicator Web Access (2007 release) has no Enterprise Voice features, or any Enterprise
Voice-dependent features. All Enterprise Voice features are enabled by Office Communications
Server 2007, Office Communicator 2007 and Microsoft Exchange Server 2007. For details, see
the Microsoft Office Communications Server 2007 Unified Communications Enterprise Voice
Planning and Deployment Guide.
Call Forwarding
When Enterprise Voice is enabled within the Office Communications Server 2007 deployment in
which Communicator Web Access (2007 release) is deployed, Communicator Web Access users
can configure call forwarding. How the user can forward calls is dependent upon if the user is
enabled for Unified Messaging (UM) and Unified Communications (UC). The following table
summarizes this.
Communicator Web Access (2007 release) Planning & Deployment Guide 101
Web UI Controls
See the Communicator Web Access (2007 release) SDK.
See the Communicator Web Access (2007 release) Authentication Guide.
SDK
See the Communicator Web Access (2007 release) SDK.
See the Communicator Web Access (2007 release) Authentication Guide.
AJAX API
See the Communicator Web Access (2007 release) SDK.
See the Communicator Web Access (2007 release) Authentication Guide.
102 Communicator Web Access (2007 release) Planning & Deployment Guide
Security Considerations
This section covers security considerations for Communicator Web Access (2007 release) until
the Communicator Web Access (2007 release) Security Guide can be updated and released.
Service Account
The following table describes accounts that are created by the setup program.
Table 18: Accounts
Account
CWAService Content for this topic is not yet available.
Port Allocation
Content for this topic is not yet available.
Authentication Module
Content for this topic is not yet available.
Directory Permissions
For Active Directory permissions see the Office Communications Server 2007 Active Directory
Guide.
Configuring Clients
This section discusses tasks to configure clients.
104 Communicator Web Access (2007 release) Planning & Deployment Guide
7. In the Properties dialog box, click the Communications tab. Select the Enable Live
Communications for this user check box. In the SIP URI box, type a SIP address, for
example, in the form sip:<user_name>@<org_name>.com.
11. If federation is enabled in Office Communications Server 2007, select the Enable public IM
connectivity check box.
12. Click OK.
13. Click Apply, and then click OK.
Signing in to Communicator Web Access
This section explains how to test the ability of a client computer to connect to Communicator
Web Access (2007 release).
To Connect to the Communicator Web Access Client
1. Log on to the client computer.
2. Open a supported browser. If a pop-up blocker is installed, either disable it completely or
disable it only for the Communicator Web Access Web site.
3. Enter https://<server_FQDN> in the browser address field. The URI to the Communicator
Web Access server must match the common name in the HTTPS certificate. For example, if
the common name of the certificate is im.contoso.com, the URL should be:
https://im.contoso.com.
4. In the Security Alert dialog box, if you understand and accept the security implications,
click Yes.
Communicator Web Access (2007 release) Planning & Deployment Guide 107
5. If the client computer is configured to trust the same CA that Communicator Web Access
trusts, you can install a certificate on the client so that users do not have to respond to the
security alert. This procedure may not work in all situations.
The sign-in page for Integrated Windows Authentication on Internet Explorer and a Windows
operating system is shown in the next Figure.
Figure 14: Integrated Windows Authentication
Signing in to Communicator Web Access displays the main Communicator Web Access page.
Note
If Windows Firewall is enabled on the Communicator Web
Access (2007 release) Server, the client cannot successfully
publish presence at sign in time and two-party IM cannot be
started successfully.
3. Create a folder (referred to in the following steps as <database_directory>), which will store
database files that are created by commands in subsequent steps.
4. Open a Command Prompt window: Click Start, and then click Run. In the Open box, type
cmd, and then click OK.
5. Run Certutil.exe to create a certificate database. At the command prompt, type the following,
and then press ENTER.
certutil.exe -N -d <database_directory>
6. When you are prompted for a password, type a password you want to use for the certificate
database.
7. Apply for a certificate and private key pair file from a trusted third party CA or a private or
self-hosted CA. For details about applying for a certificate, contact the certification
authority. If the certificate that you receive is saved in the local computer’s certificate store,
export the certificate and private key into a .pfx file.
8. Run Pk12util.exe to import the certificate and private key file into the database that you
created. At the command prompt, type the following, and then press ENTER:
pk12util.exe -i <cert/key file> -d <database_directory >
9. Obtain the CA certificate.
10. Run Certutil.exe to add the CA certificate to the database. You must specify a nickname for
the CA certificate. At the command prompt, type the following, all on one line, and then
press ENTER:
certutil.exe -A -n <certificate nickname> -i <CA certificate> -t "C,C,C"
-d <database_directory >
11. Run Certutil.exe to list all certificates in the database. From this list, you will obtain the
name of the certificate that will be used in the next step. At the command prompt, type the
following, and then press ENTER:
certutil.exe -L -d <database_directory >
12. Run Signtool.exe to sign the JavaScript code by using the certificate. At the command
prompt, type the following, ,all on one line, and then press ENTER:
Signtool -k <certificate name> -Z <installation path>\Server\cwa\client\<client
version>\SignedCode.jar -p <database password> -d <database directory> <installation
path>\Server\cwa\client\clientversion\SignedCode
After running this command, the new Java Archive (.jar) file that includes the script file and
related signing information replaces the default Java Archive (.jar) file.
13. If you use a private or self-hosted CA, ensure that the clients’ browsers import the certificate
chain so that the signed JavaScript code will be trusted. On a large scale, this process can be
easier if the CA provides a Web site that allows users to sign on and request updated
certificates.
For more information about JavaScript security and signing, see
http://www.mozilla.org/projects/security/components/jssec.html.
Communicator Web Access (2007 release) Planning & Deployment Guide 111
3. Click OK.
You manage advanced call forwarding settings from the Advanced Call Settings page seen in the
next figure.
112 Communicator Web Access (2007 release) Planning & Deployment Guide
Upgrading and
Interoperability
This section describes upgrading the 2005 release to the public beta release of Communicator
Web Access (2007 release). Upgrading the 2005 release to the Beta 3 version of the 2007 release
is not supported. A side-by-side upgrade of the 2005 release to the public beta of the 2007 release
is the only supported upgrade path.
With the introduction of the 2007 release, the concepts of legacy and enhanced conferencing,
legacy and enhanced clients, and legacy and enhanced presence are also introduced. The
introduction of these new concepts is due to the change in conferencing model between the 2005
release and the 2007 release.
In such environments, there are two types of user:
• Legacy presence user
• Enhanced presence user
In this environment, there are two conferencing models working together:
• MIM - The Multi-Party IM based conference (MIM-based conference) is the legacy model
where each endpoint in a conference distributes messages to all other endpoints in the
conference.
• Focus- The Focus-based conference is the enhanced model in which all endpoints send
messages to a centralized Instant Messaging MCU (the Focus). The Focus acts as the
manager of the conference, ensuring that messages get to their required and intended
destination. The Focus also ensures that messages are not unnecessarily sent to endpoints
that do not need to receive the message. The Focus is the SIP conference host and is the
central point of control of each party in a multiparty, SIP-signaling conference.
With the Focus-based model, there are enhancements provided over the legacy MIM-based
model:
• Ability to lock and unlock a conference
• Ability to promote participants
• Ability to eject participants
Legacy redirection is a feature provided in Communicator Web Access (2007 release) that
enables the administrator to configure redirection of legacy traffic without intervention from the
user. Legacy redirection when enabled occurs in two cases:
• Legacy code
• The legacy presence user is not flagged for enhanced presence upgrade
114 Communicator Web Access (2007 release) Planning & Deployment Guide
Whether or not a user is flagged for enhanced presence upgrade is controlled by bit 9,
EnableForEnhancedPresence, of the msRTCSIP-OptionsFlags user attribute in Active
Directory. Redirect occurs when the value of bit 9 is false.
The following figure shows a combined enhanced presence and legacy presence environment, in
which Legacy Redirection may or may not be configured by the administrator.
Figure 18: Coexistence
3. The user is enabled for enhanced presence on the User Options page, accessible from the
Communications tab of the User Properties page in Active Directory Users and
Computers console.
A side-by-side migration from Live Communications Server 2005 with SP1 and with
Communicator Web Access (2005 release) deployed to Office Communications Server 2007 and
with Communicator Web Access (2007 release) deployed is the only supported migration path for
the public beta.
The only public beta-supported topologies for coexistence of Communicator Web Access (2005
release) and Communicator Web Access (2007 release) are:
• Communicator Web Access (2005 release) with legacy presence users homed on Live
Communications Server 2005 with SP1
• Communicator Web Access (2007 release) with enhanced presence users homed on Office
Communications Server 2007
Conferences in which both models are involved work differently than conferences in which there
is just one model involved.
• Bob upgrades his desktop computer from Office Communicator 2005 to Office
Communicator 2007 but he does perform a Logon to Office Communications Server 2007
using either Office Communicator 2007 or Communicator Web Access (2007 release). It
does not matter which.
• Using her laptop, Alice Logs on to:
• (1) Communicator Web Access (2005 release), by entering https://legacy.contoso.com in
her browser.
• (2) Communicator Web Access (2007 release), by entering https://cwa2k7.contoso.com
in her browser.
• (3) Office Communicator 2005.
• (4) Office Communicator 2007.
Doing so, Alice has the following user experience:
• (1) Alice gets an error. She must access the 2007 release server.
• (2) Alice logs in to the 2007 release server after successfully entering her credentials.
• (3) Alice gets an error. She must start using Office Communicator 2007.
• (4) Alice logs in after successfully entering her credentials.
• Using his laptop, Bob Logs on to:
• (1) Communicator Web Access (2005 release), by entering https://legacy.contoso.com in
his browser.
• (2) Communicator Web Access (2007 release), by entering
https://webserver3.contoso.com in his browser.
• (3) Office Communicator 2005.
• (4) Office Communicator 2007.
Doing so, Bob has the following user experience:
• (1) Bob gets an error. He must access the enhanced platform.
• (2) He gets enhanced presence.
• (3) Bob gets an error. He must access the enhanced platform.
• (4) Bob logs in after successfully entering his credentials.
The next sections discuss specific interoperability scenarios.
Understanding Instant Messaging Interoperability
• Scenario 1: When a legacy presence user (Bob) and an enhanced presence user (Alice) are in
a 2-party conference, Bob can invite neither another legacy presence user nor Alice to join
the conference.
• Scenario 2: When a legacy presence user (Bob) and an enhanced presence user (Alice) are in
a 2-party conference, and when Alice invites another participant, Bob, who is already in the
meeting, receives another meeting pop-up chat window.
Communicator Web Access (2007 release) Planning & Deployment Guide 117
• Scenario 6: Alice and Bob are enhanced and legacy users, respectively, and are using
Communicator Web Access (2007 release) and Communicator Web Access (2005 release),
respectively as their clients. Alice adds Bob to her contact list. When Alice’s status “Do not
Disturb” Bob sees Alice’s status represented by a “Busy” icon but text that says “Offline”.
MMC Interoperability
The Communicator Web Access Manager (2007 release) and Communicator Web Access
Manager (2005 release) Managers can be installed on the same computer. The requirements for
that computer are dictated by the Communicator Web Access Manager (2007 release) snap-in.
Performing a Migration
Side by side migration from Communicator Web Access (2005 release) to Communicator Web
Access (2007 release) is supported. Side by side migration of Live Communications Server 2005
with SP1 to Office Communications Server 2007 must be completed prior to migrating
Communicator Web Access. For the procedure for migrating Live Communications Server 2005
with SP1 to Office Communications Server 2007, see the Office Communications Server 2007
deployment documentation.
After you upgrade the user to Office Communications Server 2007 and enhanced presence, then
you can access the user from the Active Directory Users and Computers snap-in on a computer
with the Office Communications Server 2007 Administrative Tools installed. The before and after
for a legacy presence user, John Evans upgraded to enhanced presence is seen in the next two
figures.
Communicator Web Access (2007 release) Planning & Deployment Guide 121
Notice that the Communications tab only offers the enhanced home server and the Live
Communications tab offers both. The Live Communications tab is present and accessible for
both legacy and enhanced users from management computers with the appropriate management
tools installed. The Communications tab is present for both legacy and enhanced users, but only
accessible for enhanced users from management computers with the appropriate management
tools installed.
If the user is not using Office Communicator and is using only Communicator Web Access, once
the user is switched over to the Office Communications Server 2007 Home Server, and is enabled
for enhanced presence, the user will get enhanced presence when the URL that the user enters in
the browser, is a URL that points to the 2007 release server. If the user enters a URL that points
to a 2005 release Communicator Web Access server, the user will get an error.
Prior to being enabled for enhanced presence by the administrator in Active Directory, the legacy
user can only connect to the legacy server using a legacy client. However, you can configure
Communicator Web Access (2007 release) to redirect the legacy user traffic to the legacy server
when the legacy user enters the 2007 release URL in his or her browser.
You can use two methods to migrate legacy users by marking them for enhanced presence
upgrade:
• Multiple users simultaneously using the Live Server Move User Wizard
• Individual users manually, one at a time
122 Communicator Web Access (2007 release) Planning & Deployment Guide
For information on the Live Server Move User Wizard, see the Office Communications Server
2007 documentation. The following procedure describes the manual method.
To manually mark a single legacy presence user for enhanced
presence upgrade
1. From a management computer with the Live Communications Server 2005 with SP1
administrative tools snap-in and the Active Directory Users and Computers snap-in installed,
click Start, point to Programs, point to Administrative Tools, and then click Active
Directory Users and Computers.
2. In the console tree, expand the Organization Node, and then expand Users.
3. In the Active Directory Users and Computers console tree, under Users, right-click the
user’s name that you want to convert, and then click Properties.
4. In the Properties dialog box, click the Live Communications tab. In the Server or pool
box, select the 2007 release server, click Apply, and then click OK.
5. From a management computer with the Office Communications Server 2007 administrative
tools snap-in and the Active Directory Users and Computers snap-in installed, click Start,
point to Programs, point to Administrative Tools, and then click Active Directory Users
and Computers.
6. In the console tree, expand the Organization Node, and then expand Users.
7. In the Active Directory Users and Computers console tree, under Users, right-click the
same user’s name for which you changed the server, and then click Properties.
Communicator Web Access (2007 release) Planning & Deployment Guide 123
Appendixes
Appendix 1: Ports Used By Communicator Web Access
Firewalls can block ports needed by Office Communicator Web Access (2007 release). Table 21
shows the ports used by Communicator Web Access (2007 release).
Communicator Web Access (2007 release) Planning & Deployment Guide 125
Appendix 2: Accounts
This section describes the accounts required for Communicator Web Access (2007 release).
Accounts Created by Communicator Web Access (2007 release)
Setup
The following account is created by the Communicator Web Access setup program.
Table 22: Account Created by Setup
Account Name Member Of
CWAService RTCHSUniversalServices
Administrator Groups
The following administrator group changes are required for Communicator Web Access.
Table 23: Administrator Group Changes
Account Name Changes
RTCUniversalServerAdmins Grant the following:
• Member of Administrators (local
machine)
• Read/Write ACEs on Communicator Web
Access WMI
• Read/Write IIS Settings
• No Active Directory ACEs required
activate the server by creating a new security group, granting the security group only the rights
and permissions that are required to run the Communicator Web Access Activation Wizard, and
adding the administrator to the new security group.
The following permissions are required to run the Communicator Web Access Activation Wizard:
• Rights equivalent to membership in the Administrators group on the local computer.
• Permissions on the Office Communications Server 2007 global container RTC Service, to
create and delete global settings.
• Permissions on the container that contains the RTCUniversalServerAdmins group and the
RTCHSUniversalServices group to create and delete accounts.
• Read and Write permissions on the service account that is specified during activation.
To grant a user these permissions, you can perform the following
tasks:
1. Create a service account for Communicator Web Access that will be specified during
activation, and add this account to the RTCHSUniversalServices security group.
2. Create a global security group and give it a name, for example, CWAServerAdmins.
3. Grant the new security group the permissions necessary to create and delete global settings.
The group must have the following permissions on the RTC Service object: Read, Create
All Child Objects, and Delete All Child Objects.
4. Grant the new security group the permissions necessary to create and delete accounts. The
account must have the following permissions on the Users container (or the container that
contains the RTCUniversalServerAdmins group and the RTCHSUniversalServices
group): Read, Create All Child Objects, and Delete All Child Objects.
5. Grant the new security group Read and Write permissions on the service account that will be
specified during activation.
6. Add the administrator’s user account to the new security group, so that the administrator can
run the Communicator Web Access Activation Wizard without membership in the
DomainAdmins group.
The following procedures describe these steps in detail.
To create a service account that will be specified during activation
1. Log on to a computer as a member of the DomainAdmins group for the domain where you
will deploy Communicator Web Access.
2. Open Active Directory Users and Computers: Click Start, click All Programs, click
Administrative Tools, and then click Active Directory Users and Computers.
3. In the console tree, expand the domain node, right-click Users, click New, and then click
User.
4. In First name, type the account name (for example CWAServiceAccount). In User logon
name, type the same account name. Click Next.
5. In Password, type a password. In Confirm password, type the same password.
Communicator Web Access (2007 release) Planning & Deployment Guide 127
6. Clear the User must change password at next logon check box. Click Next, and then click
Finish.
7. In the details pane, right-click RTCHSUniversalServices, and then click Properties. Click
the Security tab.
8. Click Add. Under Enter the object names to select, type the service account name, and
then click OK.
To create a security group
1. Log on to a computer as a member of the DomainAdmins group for the domain where you
will deploy Communicator Web Access.
2. Open Active Directory Users and Computers: Click Start, click All Programs, click
Administrative Tools, and then click Active Directory Users and Computers.
3. In the Active Directory Users and Computers console tree, right-click Users, click New, and
then click Group.
4. In Group name, type the group name (for example CWAServerAdmins). Under Group
Scope, accept the default Global. Under Group type, accept the default Security. Click
OK.
To grant the required global permissions to the security group
1. Log on to a computer as a member of the DomainAdmins group for the domain where you
will deploy Communicator Web Access.
2. Open Active Directory Users and Computers: Click Start, click All Programs, click
Administrative Tools, and then click Active Directory Users and Computers.
3. On the View menu, click Advanced Features.
4. In the console tree, expand the root domain node, expand System, expand Microsoft, and
then expand RTC Service.
5. Right-click Global Settings, and then click Properties.
6. Click the Security tab, and then click Add.
7. In the Enter the object names to select box, type the name of the global security group (for
example, CWAServerAdmins), and then click OK.
8. Next to the following permissions, click Allow:
• Read
• Create All Child Objects
• Delete all Child Objects
9. Click OK.
To grant permissions required to create and delete accounts to the
security group
1. Log on to a computer as a member of the DomainAdmins group for the domain where you
will deploy Communicator Web Access.
128 Communicator Web Access (2007 release) Planning & Deployment Guide
2. Open Active Directory Users and Computers: Click Start, click All Programs, click
Administrative Tools, and then click Active Directory Users and Computers.
3. In the Active Directory Users and Computers console tree, expand the node of the domain
where Communicator Web Access will be installed. Right-click Users (or the container that
contains the RTCUniversalServerAdmins group and the RTCHSUniversalServices
group), and then click Properties.
4. Click the Security tab, and then click Add.
5. In the Enter the object names to select box, type the name of the global security group (for
example, CWAServerAdmins), and then click OK.
6. Next to the following permissions, click Allow:
• Read
• Create All Child Objects
• Delete all Child Objects
7. Click OK.
To grant permissions on the service account to the security group
1. Log on to a computer as a member of the DomainAdmins group for the domain where you
will deploy Communicator Web Access.
2. Open Active Directory Users and Computers: Click Start, click All Programs, click
Administrative Tools, and then click Active Directory Users and Computers.
3. In the Active Directory Users and Computers console tree, click Users. In the details pane,
right-click the service account you created (for example CWAServiceAccount), and then
click Properties.
4. Click the Security tab, and then click Add.
5. Under Enter the object names to select, type the name of the global security group (for
example, CWAServerAdmins), and then click OK.
6. Next to the following permissions, click Allow:
• Read
• Write
7. Click OK.
2. Click Add. Under Enter the object names to select, type the user account name, and then
click OK twice.
The user now has the rights necessary to run the Communicator Web Access Activation Wizard.
Application Pools The Communicator Web Access Create Virtual Server Wizard creates
two application pools for the first virtual server created:
132 Communicator Web Access (2007 release) Planning & Deployment Guide
Important
Do not use the recycling options in the application pool
properties. The recycling application pool settings are
specified on the Recycling tab of an application pool’s
Properties dialog box. Because some Communicator Web
Access processes are stateful, using any of these recycling
options can result in failures.
For additional information see “Web Application Services Operations” in the Windows Server
System Reference Architecture (WSSRA) at:
http://www.microsoft.com/technet/itsolutions/wssra/raguide/WebApplicationServices/igwaog_2.
mspx
Default Communicator Web Access IIS 6.0 Settings During Communicator
Web Access setup, several IIS settings are configured automatically. The default settings
configured by setup are listed in Table 25. As you monitor your Communicator Web Access
servers over time, you can tune these settings to meet the needs of your organization.
Table 25: Default IIS 6.0 MMC, Communicator Web Access web site
settings
Setting Name Type Setting Value
Web Site Tab
Description text box Communicator Web Access
IP Address drop down list box (All Unassigned)
TCP Port text box 80
SSL Port text box 443
Connection Timeout text box 120
Enable HTTP Keep- check box selected
Alives
Enable logging check box selected
Communicator Web Access (2007 release) Planning & Deployment Guide 133
Active log format drop down list box W3C Extended Log File Format
Advanced Web Site Identification-Multiple identities for this Web Site
IP Address text box Default
TCP Port text box 80
Host Header Value text box <empty>
Advanced Web Site Identification-Multiple SSL identities for this Web Site
IP Address text box Default
SSL Port text box 443
Logging Properties - General Tab
New log schedule radio buttons Daily radio button selected
Use local time for file check box unselected
naming and rollover
Log file directory text box %windir%\system32\LogFiles
Logging Properties - Advanced Tab
Extended logging lots of check
options boxes
unselected Server Name (s-computername)
Bytes Sent (sc-bytes)
Bytes Received (cs-bytes)
Time Taken (time-taken)
Protocol Version (cs-version)
Host (cs-host)
Cookie (cs(Cookie))
Referer (cs(Referer))
selected All remaining check boxes
Performance Tab
Bandwidth Throttling check box unselected
Web site connections radio buttons (2) Unlimited radio button selected
ISAPI Filters Tab
Status text box Green up-pointing arrow
Filter Name text box cwaauth
Priority text box Low
Configuring for Performance To maintain peak performance of your Communicator
Web Access servers, you can configure the following IIS property settings:
134 Communicator Web Access (2007 release) Planning & Deployment Guide
• Web Site Connections – Web site connections are set to unlimited by default. Connection
limits restrict the number of simultaneous client connections to your Web sites and your Web
server. Limiting connections conserves memory and protects against malicious attempts to
overload your Web server with thousands of client requests.
• Bandwidth throttling – By default, bandwidth throttling is disabled. If the network or
Internet connection that is used by the Communicator Web Access server is also used by
other services such as e-mail or news, you may want to limit the bandwidth that is used by
each service. If your Web server hosts more than one Web site, you can individually throttle
the bandwidth that is used by each site.
• IIS Logging – IIS logging is enabled by default. When IIS logging is enabled, the IIS log
files could use up the free disk space on the server over a period of time. For example, in a
deployment that supports 1,000 or more users, free disk space could be depleted within a few
days. To keep Communicator Web Access server running properly, you should enable IIS
logging only for debugging purposes, or you should regularly delete obsolete files.
For information about tuning IIS 6.0 settings, see “Performance Tuning (IIS 6.0)” at
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/71490aae-f444-
443c-8b2a-520c2961408e.mspx.