BPOS – Online Services Event 22nd Sept Presentation

Business Productivity Online Suite (BPOS) presentation from this partner invite only event that took place on 22 September in Reading.
Other event presentations also available from the same URL, including: Windows Showcase – Windows 7 & 2008 R2; Hosting Days 09 event; Developing Hosting Partnerships event – How to take Hosted Exchange to Market and BPOS.

Unified Comms Learning Resources – OCS 2007&R2 / Exchange 2007/2010

Found some useful training resources for MS Partners from Microsoft at… http://www.uclearningpaths.com/
Also resources available at…
UC Home page…  http://www.microsoft.com/uc

Create Solutions with Microsoft Online Services

Create Solutions with Online Services

"…Discover how you can help your customers make the right decision between on-premises and Microsoft-hosted solutions. Online Services Product Manager Ryan McGee guides you through making Software-plus-Services part of your offerings, demonstrates new partner features, and shows how partners are increasing margins and developing solutions based on Microsoft Online Services…"


Office Communications Server 2007 Edge Planning Tool

The Edge Planning Tool for Office Communications Server 2007 is a tool that takes a user through a set of interview questions regarding the proposed or current edge server deployment. The tool interviews users about their perimeter network settings as well as some questions regarding their internal deployment.


Based on the answers to these questions and Microsoft Office Communications Server 2007 best practices, the tool generates a set of 6 reports:

  • Best practices
  • OCS Admin

The next 4 reports are stripped-down versions of the OCS Admin report:

  • Certificate
  • Firewall
  • DNS
  • Custom Documentation

Taken from and courtesy of the OCS Team Blog… http://communicationsserverteam.com/archive/2008/08/29/248.aspx

Joining OCS Edge Servers to an Internal Domain


All OCS Edge servers have been designed to have no dependency on membership of an AD domain. OCS Edge servers can therefore be run either as servers in a workgroup or as members of a domain.

The Edge server deployment guide recommends:

  “Deploy edge servers in a workgroup rather than a domain. Doing so simplifies installation and keeps the Active Directory® Domain Services out of the perimeter network. Locating Active Directory in the perimeter network can present a significant security risk.”

This follows the best practice of not joining servers in a perimeter network to an internal domain or forest. On the other hand, the traditional rigid model of a tightly cordoned DMZ is being replaced by a per-server or per-service risk analysis, which leads to a security implementation tailored to that server and to the risks associated with an outage or other type of intrusion.

Note that the service accounts and administrative accounts used on the OCS Edge servers are intended to be machine-local accounts, which further reduces the chance of intrusion.

Advantages and disadvantages

When considering membership of the internal xxx.contoso.com domains, the benefits and disadvantages are:

Some advantages of member servers in a perimeter zone

  • Limited local SAM database on each server
    • Less password maintenance
    • Generally leads to better passwords and better password maintenance
    • Only a few accounts with very long, very complex passwords need to be used (as they will not be used during normal operation)
  • Patch management can be done via the same mechanisms as other internal servers
    This is a very limited advantage, as generally speaking perimeter servers, including OCS Edge servers, should be under a different update regime or policy than internal servers
  • Smart-card logon for server management is possible

Some disadvantages of member servers in a perimeter zone

  • Additional procedures and security precautions are needed to make sure non-DMZ personnel cannot access DMZ servers
  • More ports must be opened in the inner firewall compared to non-domain members
  • It is harder to separate hostile traffic from a defaced server, as all servers will frequently connect to the internal domain controllers

Technical Limitations

With regard to domain membership of OCS Edge servers, there are no limitations on the functions of any of the OCS Edge servers.


Microsoft will support OCS Edge servers in a deployment model where they are joined to the Contoso internal domain.

To assure secure operation of the system, the additional risk should be balanced with additional security measures, some of which are already in place in the Contoso perimeter network and in the OCS architecture and design for Contoso:

  • Make sure the patch management process is well implemented for all OCS Edge servers.
    This should include an option to deploy security updates with priority to systems in the perimeter network.
  • Scan the systems for intrusion, or use a more holistic intrusion detection system.
  • Implement OCS Director servers in the internal Contoso network to place an additional authentication layer between the Edge servers and the OCS pool servers.
  • Use machine-local service accounts with complex passwords.
  • Store and maintain the configuration of all Edge servers in a secure location to facilitate a correct and rapid rebuild in case of suspicious activity.
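As an added example (not part of the OCS team blog post above), the following read-only PowerShell audit checks the two points the post makes about an Edge server: whether the box is domain-joined or in a workgroup, and whether its OCS services run under machine-local accounts rather than domain accounts. It assumes the OCS services have display names beginning with "Office Communications Server"; adjust $ServiceFilter if your build names them differently.

```powershell
# Added example: read-only audit of an OCS 2007 Edge server's domain membership
# and service accounts. Assumption: OCS service display names start with
# "Office Communications Server"; change $ServiceFilter if they do not.
$ServiceFilter = 'Office Communications Server*'
$computer = Get-WmiObject -Class Win32_ComputerSystem

$report = New-Object PSObject -Property @{
    ComputerName      = $computer.Name
    DomainJoined      = [bool]$computer.PartOfDomain
    DomainOrWorkgroup = if ($computer.PartOfDomain) { $computer.Domain } else { $computer.Workgroup }
}

# An account counts as "machine local" if it is a built-in service identity,
# a bare user name (local SAM), or <thishost>\user / .\user.
function Test-LocalAccount([string]$startName, [string]$hostName) {
    if (-not $startName) { return $true }
    $builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
                 'NT AUTHORITY\SYSTEM', 'NT Service')
    foreach ($b in $builtIn) { if ($startName -like "$b*") { return $true } }
    if ($startName -notmatch '\\') { return $true }
    $prefix = $startName.Split('\')[0]
    return ($prefix -eq '.' -or $prefix -ieq $hostName)
}

$findings = @()
Get-WmiObject -Class Win32_Service | Where-Object { $_.DisplayName -like $ServiceFilter } |
    ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Service   = $_.DisplayName
            RunsAs    = $_.StartName
            State     = $_.State
            LocalAcct = Test-LocalAccount $_.StartName $computer.Name
        }
    }

$report | Format-List
$findings | Format-Table Service, RunsAs, State, LocalAcct -AutoSize

# Flag the two deviations from the deployment guide's recommendations.
if ($report.DomainJoined) {
    Write-Warning "Edge server is joined to $($report.DomainOrWorkgroup); the guide recommends a workgroup."
}
$findings | Where-Object { -not $_.LocalAcct } | ForEach-Object {
    Write-Warning "Service '$($_.Service)' runs as domain account '$($_.RunsAs)'; use a machine-local account."
}
```

Run it locally on the Edge server with an administrative session; it changes nothing and only reports.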

Taken from and courtesy of the OCS team blog… http://communicationsserverteam.com/archive/2007/12/11/36.aspx