"…Discover how you can help your customers make the right decision between on-premises and Microsoft-hosted solutions. Online Services Product Manager Ryan McGee guides you through making Software-plus-Services part of your offerings, demonstrates new partner features, and shows how partners are increasing margins and developing solutions based on Microsoft Online Services…"
The Edge Planning Tool for Office Communications Server 2007 is a tool that takes a user through a set of interview questions regarding the proposed or current edge server deployment. The tool interviews users about their perimeter network settings as well as some questions regarding their internal deployment.
Based on the answers to these questions and Microsoft Office Communications Server 2007 best practices, the tool generates a set of six reports:
- Best practices
- OCS Admin
- Certificate, Firewall, DNS and Custom Documentation (these four reports are stripped-down versions of the OCS Admin report)
Taken from and courtesy of the OCS Team Blog: http://communicationsserverteam.com/archive/2008/08/29/248.aspx
All OCS Edge servers have been designed to have no dependency on membership of an AD domain. Therefore OCS Edge servers can be run either as servers in a workgroup or as members of a domain.
The Edge Server deployment guide recommends:
“Deploy edge servers in a workgroup rather than a domain. Doing so simplifies installation and keeps the Active Directory® Domain Services out of the perimeter network.
Locating Active Directory in the perimeter network can present a significant security risk.”
This follows the best practice of not joining servers in a perimeter network to an internal domain or forest. On the other hand, the traditional rigid model of a tightly cordoned DMZ is being replaced by a per-server or per-service risk analysis, leading to a security implementation tailored to that server and to the risks associated with an outage or other type of intrusion.
Note that the service and administrative accounts used on the OCS Edge servers are intended to be machine-local accounts, which further reduces the chance of intrusion.
Advantages and disadvantages
When considering membership of the internal xxx.contoso.com domains, the benefits and disadvantages include:
Some advantages of member servers in a perimeter zone:
- Limited local SAM database on each server
- Less password maintenance, which generally leads to better passwords and better password maintenance: only a few accounts with very long, very complex passwords need be used (as they will not be used during normal operation).
- This is a very limited advantage, as generally speaking perimeter servers, including OCS Edge servers, should be under a different update regime or policy than internal servers.
Some disadvantages of member servers in a perimeter zone:
- Additional procedures and security precautions are needed to make sure non-DMZ personnel cannot access DMZ servers.
- More ports must be opened in the inner firewall compared to non-domain members.
- It is harder to separate hostile traffic from a defaced server, as all servers will frequently connect to the internal domain controllers.
Domain membership places no limitations on the functions of any of the OCS Edge servers.
Microsoft will support OCS Edge servers in a deployment model where they are joined to the Contoso internal domain.
To assure secure operation of the system, the additional risk should be balanced with additional security measures, some of which are already in place in the Contoso perimeter network and in the OCS architecture and design for Contoso:
- Make sure the patch management process is well implemented for all OCS Edge servers. This should include an option to deploy security updates with priority to systems in the perimeter network.
- Scan the systems for intrusion, or use a more holistic intrusion detection system.
- Implement OCS Director servers in the internal Contoso network to place an additional authentication layer between the Edge servers and the OCS pool servers.
- Use machine-local service accounts with complex passwords.
- Store and maintain the configuration of all Edge servers in a secure location to facilitate a correct and rapid rebuild in case of suspicious activity.
Taken from and courtesy of the OCS Team Blog: http://communicationsserverteam.com/archive/2007/12/11/36.aspx
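As an added example (not code from the OCS Team Blog or from Microsoft), the following PowerShell check audits the two recommendations above that an administrator can verify directly on an Edge server: that the machine is a workgroup member rather than domain-joined, and that its services run under machine-local or built-in accounts rather than domain accounts. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance) and is run locally on the Edge server.

```powershell
# Added example: audit an OCS Edge server against the hardening points above.
# Assumes Windows PowerShell 3.0+ (Get-CimInstance) and local execution.
function Test-EdgeServerAccounts {
    $findings = @()
    $machine  = $env:COMPUTERNAME

    # 1. Domain membership: the deployment guide recommends a workgroup deployment.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $findings += "Server is joined to domain '$($cs.Domain)'; the guide recommends a workgroup."
    }

    # 2. Service accounts: built-in identities and machine-local accounts are fine;
    #    anything in DOMAIN\user or user@domain form is a domain account in the DMZ.
    $builtin = @('LocalSystem',
                 'NT AUTHORITY\LocalService',   'NT AUTHORITY\LOCAL SERVICE',
                 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE')
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $acct = $svc.StartName
        if (-not $acct)                      { continue }   # no logon account reported
        if ($builtin -contains $acct)        { continue }   # built-in identity
        if ($acct -like 'NT SERVICE\*')      { continue }   # virtual service account
        if ($acct -like '.\*')               { continue }   # .\user = machine-local
        if ($acct -like "$machine\*")        { continue }   # HOST\user = machine-local
        if ($acct -like '*\*' -or $acct -like '*@*') {
            $findings += "Service '$($svc.Name)' runs as domain account '$acct'."
        }
    }
    return $findings
}

$result = Test-EdgeServerAccounts
if ($result.Count -eq 0) {
    Write-Host "OK: workgroup member and all services use local or built-in accounts."
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

A domain-joined Edge server is still a supported deployment, so the warnings are findings to weigh against the compensating measures listed above, not errors.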