Microsoft Office Communications Server 2007 R2—similar to Microsoft Live Communications Server 2003, Microsoft Live Communications Server 2005, and Microsoft Office Communications Server 2007—takes advantage of other technologies to provide an integrated management experience and capitalize on existing technology investments customers might have already made. The primary technologies that Office Communications Server 2007 R2 relies on are as follows:
Microsoft Active Directory Domain Services
Microsoft Windows Server 2003 x64 or Microsoft Windows Server 2008 x64 operating systems
Public key infrastructure (PKI) as used in Microsoft Windows Certificate Server and public certification authorities (CAs)
Domain Name System (DNS)
Microsoft SQL Server
Hardware load balancers
Hypertext Transfer Protocol Secure (HTTPS) reverse proxy using Internet Security and Acceleration (ISA) Server
Office Communications Server 2007 R2 is the first version of Office Communications Server that runs on Windows Server 2008 and requires that the operating system be 64-bit. By itself, this is not a security issue, but it is an issue of reliability and stability.
Much like Microsoft Exchange Server 2007 before it, the forward progress of Office Communications Server is better served by the performance potential and the much larger memory available to the 64-bit hardware and operating system. This does mean that you will require 64-bit-capable hardware. Both Intel Corporation and Advanced Micro Devices (AMD) processors are supported under the x64 operating system. However, the Intel Itanium processor is not supported for installation of Office Communications Server. It is, however, supported to host the Microsoft SQL Server back end that is required by the Enterprise Edition of Office Communications Server.
Windows Server 2008 is inherently a more secure operating system because minimal services are deployed during the initial installation. For example, there are no roles installed, and if you need Web services, you must explicitly install Internet Information Services (IIS). File, print, directory, and domain naming services are also not installed during the initial installation. And there is no .NET Framework except that which is required for the underlying operating system. All of these services must be installed as roles or features.
This provides for a system that is as secure as possible by default. As each role is installed, ports are opened on the mostly closed firewall, which has no inbound ports open by default. When a program or application is installed, it should make use of installation elements to open firewall ports and protocols. If it does not, the developer should provide the administrator with documentation about what ports and protocols should be open to enable proper communication. Part of this chapter deals directly with best and preferred practices for firewall ports and protocols that must be available for Office Communications Server to work correctly. Even though this work should be done for you at install time, knowing what is open through a firewall is critical information for any enterprise, for troubleshooting and compliance purposes.
Office Communications Server 2007 R2 is also supported on Windows Server 2003 x64. Windows Server 2003 does not have some of the more advanced features of Windows Server 2008, but it still has an efficient firewall that you will need to manage and support.
A recommendation for installing Office Communications Server 2007 R2 on either operating system is that you should not have any more services or features running than those that are required to allow Office Communications Server to run. This is even more important in the Edge services that sit in the perimeter of your firewall. The design of Office Communications Server is one of "defense in depth." The firewalls, routers, Edge Servers, Director, front-end servers, and pool servers all play a vital role, with certification services and Active Directory directory service providing specific and absolute authentication required by a complex system.
To date, it has been possible to locate separate Edge roles on dedicated servers. With the release of Office Communications Server 2007 R2, all roles are collocated on the same server. The security best practice for the new Edge Server configuration is that you should open only ports and protocols for the roles that you intend to use. If you are not planning to allow remote conference capability, the ports and protocols necessary for this role to run would not be opened in the firewall. Moreover, if you have no plans for any federation or remote access, there may be no reason to deploy any Edge Servers at all. This is part of your security planning and functional requirements steps. Obviously, if you do not need it, you do not implement it, and the security profile of your infrastructure is lowered because there are fewer factors to induce potential security problems.
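The two points above, knowing exactly what is open through the host firewall and opening only the ports the deployed roles need, can be checked with a small audit script. The following PowerShell is an added example and is not from the book or from the Office Communications Server product. It parses the text that `netsh advfirewall firewall show rule name=all dir=in` produces on Windows Server 2008, lists the inbound allow rules that are actually enabled, and compares them with a per-role port baseline. The role names and port numbers in `$RoleBaseline` are illustrative placeholders, not values taken from the book; fill them from the product documentation for the roles you deploy. The `netsh` output embedded below is constructed so the script runs offline.

```powershell
# Added example: audit enabled inbound firewall rules against an OCS role baseline.
# Assumes Windows Server 2008 (netsh advfirewall). Baseline values are placeholders.

# Hypothetical baseline: inbound "Protocol/LocalPort" pairs each role is expected to need.
$RoleBaseline = @{
    'Access Edge'   = @('TCP/443', 'TCP/5061')
    'Web Conf Edge' = @('TCP/443')
    'A/V Edge'      = @('TCP/443', 'UDP/3478')
}
# Roles you intend to run on this Edge Server (everything else should stay closed).
$DeployedRoles = @('Access Edge')

# Constructed sample of netsh output. On a real host replace this with:
#   $raw = netsh advfirewall firewall show rule name=all dir=in
$raw = @'

Rule Name:                            OCS Access Edge SIP
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            5061
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            OCS A/V Edge STUN
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            3478
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Domain
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
Ok.
'@ -split "`r?`n"

# Turn the "Key: value" blocks of netsh output into one hashtable per rule.
function ConvertFrom-NetshRules {
    param([string[]]$Lines)
    $rules = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($null -ne $current) { $rules += $current }
            $current = @{ Name = $matches[1].Trim() }
        }
        elseif ($null -ne $current -and $line -match '^([A-Za-z ]+):\s*(.*)$') {
            $current[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    if ($null -ne $current) { $rules += $current }
    return $rules
}

# Only rules that are enabled, inbound and allowing traffic actually open anything.
function Get-EnabledInboundAllowRules {
    param($Rules)
    $Rules | Where-Object {
        $_['Enabled'] -eq 'Yes' -and $_['Direction'] -eq 'In' -and $_['Action'] -eq 'Allow'
    }
}

$expected = $DeployedRoles | ForEach-Object { $RoleBaseline[$_] } | Sort-Object -Unique
$open     = Get-EnabledInboundAllowRules -Rules (ConvertFrom-NetshRules -Lines $raw)
$openKeys = $open | ForEach-Object { "$($_['Protocol'])/$($_['LocalPort'])" }

"Enabled inbound allow rules:"
$open | ForEach-Object { "  {0,-30} {1}/{2}" -f $_['Name'], $_['Protocol'], $_['LocalPort'] }

"Open but not required by deployed roles ($($DeployedRoles -join ', ')):"
$open | Where-Object { $expected -notcontains "$($_['Protocol'])/$($_['LocalPort'])" } |
    ForEach-Object { "  {0,-30} {1}/{2}" -f $_['Name'], $_['Protocol'], $_['LocalPort'] }

"Required by deployed roles but no enabled rule found (troubleshooting hint):"
$expected | Where-Object { $openKeys -notcontains $_ } | ForEach-Object { "  $_" }
```

With the constructed data and only the Access Edge role declared, the script flags the UDP/3478 rule as open without a deploying role, ignores the disabled Remote Desktop rule, and reports TCP/443 as expected but not yet opened. Run against the real `netsh` output, the first list is the record of what is open for compliance purposes, and the last list points at the rule the installer should have created.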
Note that the key to safely implementing Office Communications Server is to always follow best security practices and thoroughly test all components that you implement. Knowing what is running and how it reacts to certain conditions is a mandatory step of securing your environment. The scope of this topic is much too large to cover here, and there are many books dedicated to the subject. Suffice it to say that implementing any server or service should receive a high degree of attention when it comes to security.