Tuesday, October 19, 2010

OCS R2 / Lync Server + Exchange 2010 lab setup (in a home office behind single dynamic IP)

So let me start by saying that of course this is not a supported scenario, and is not recommended in a production environment.
I made some tradeoffs and configuration decisions to simplify my setup as much as possible for a basic lab.
I was working with the following:
  1. Single public IP Address
  2. Single domain SSL cert (a cheap $14 / yr one)
  3. Communications Server R2 (in process of migration to Lync server RC at the same time).
  4. Exchange 2010
  5. Hyper-V virtual hosts with limited resources (host has a dual core CPU with 4GB RAM)
Features I wanted to enable:
  1. OCS Federation (already up and running)
  2. OCS Communicator Web Access (CWA) on same domain, using same certificate.
  3. Lync / Communicator external access
  4. CoMo on Windows Mobile 6.1
  5. Outlook Mobile (WM 6.1)
  6. iPhone
  7. PSTN connectivity (already up and running using FreeSWITCH)
  8. Mailbox access via Outlook Anywhere
  9. Exchange UM
  10. Exchange Web Services
My topology (did I mention this is not supported or recommended for various reasons) looks like this:

Some hoops, gotchas and other intricacies:
  1. I am running my lab on a residential internet connection with a single dynamically allocated IP address. This meant I had to be creative about things like multiple roles wanting to use the same ports on unique IP addresses, as well as dealing with multiple web apps running on a single IP / cert. The solution for this is a reverse proxy; I opted to use IIS 7's ARR:
    1. Set it up with the following rule:

       <rule name="ReverseProxyInboundExchange" stopProcessing="true">
         <match url="((?:^owa|^OAB|^Microsoft-Server-ActiveSync|^EWS|^ecp|^Autodiscover).*)" />
         <action type="Rewrite" url="https://internal-cas-fqdn/{R:1}" />
       </rule>

    2. Install your public cert and assign it to the default website.
    3. Disable NTLM authentication on the root of the default website.
  2. Another symptom of being behind a residential internet connection is that SMTP outbound is barred to anywhere (and even if I could send SMTP, it would probably be blacklisted and get bounced by lots of recipients). My solution to this is to use a cheap VPS (I pay around $10/month). It happens to be Linux based, running Sendmail as my smarthost. I'm no Linux guy so I won't even embarrass myself with a step by step. I also use it inbound in case my IP address changes: Sendmail will just queue up the email until my DNS entries get set to the new dynamic IP.
  3. Certificates... any post on Exchange or Lync would not be complete without a mention of certificates. On my Exchange server I replaced the self-signed cert with one from my domain cert. This was my lazy way:
    1. Use the OCS certificate wizard to do an online request using the internal FQDN of my Exchange server as the CN (no SANs). Make sure you check the exportable checkbox. Do not assign it to the OCS server.
    2. Export to a PFX, copy to and install on the Exchange box.
    3. Run the Enable-ExchangeCertificate cmdlet.
  4. Before I installed Exchange I had to clean up my previous botched attempts at pre-release versions of Exchange. I just used ADSI Edit and removed everything I could find to do with Exchange, as described here.
  5. I had a very, very slow Exchange VM; initially I had given it 768MB RAM (all I had spare at the time). Turns out that was not enough: I was experiencing a very slow EMC and shell, and lots of shell commands seemed to be missing. Exchange seems to complain pretty quietly when it has too little RAM, and also uses all the RAM it has available once it's running OK. I moved some of my VMs around and gave it 1.3GB RAM and now it seems a lot happier. Remember I am only using one or two accounts for a lab install; this is way too little for any real server. The minimum supported in my configuration (all roles on one server) is 8GB.
  6. I am a domain admin in my domain, so ActiveSync to my WM device over the air did not work initially. Thanks to this answer about my error (0x86000c0a), and my buddy Mike Stacy confirmed: "just uncheck the inheritable permissions box on your account then sync. AD will enable it again within 15 mins but that's OK as long as you've synced before it does that". I had the same issue on the iPhone, but there was no error code, it just didn't work.
  7. I used SRV records for Autodiscover because I didn't want to use another hostname / cert and I am only interested in supporting newer clients. You could do the same with the redirect method, but it will result in a user prompt.
  8. Set my external URI for Autodiscover: Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (default web site)' -ExternalURL https://myuri/Autodiscover/Autodiscover.xml
  9. Install the Exchange anti-spam components with the Install-AntispamAgents.ps1 script. (Depending on how realistic you want your lab to be, you could also use Forefront for Exchange.)
  10. My IP PBX, FreeSWITCH, is listening on a port other than 5060, so I had to run "Set-UMIPGateway -Identity my_servername -Port my_port".
  11. I have UM running in my VM, but it doesn't work well at all (I have never had any success virtualizing UM). It's also neither recommended nor supported: "All Exchange 2010 server roles, except for the Unified Messaging server role, are supported in a virtualization environment. This is due to the real-time response requirements associated with voice communications with the Unified Messaging server role." (TechNet)

Here is a handy online tool (hosted by Microsoft) to help test the configuration.
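Because the ARR rule in item 1 above is effectively an allow-list of which Exchange virtual directories get published through the single public IP, it is worth checking exactly which request paths it forwards before exposing it. The following script is an added example, not code from the original post: it mirrors how IIS URL Rewrite applies that pattern (path matched without its leading slash, case-insensitive by default, query string appended on rewrite) against a constructed set of request paths, using the placeholder back-end name internal-cas-fqdn from the rule.

```python
import re
from typing import Optional

# The ARR / URL Rewrite match pattern from the rule above, copied verbatim.
RULE_PATTERN = r"((?:^owa|^OAB|^Microsoft-Server-ActiveSync|^EWS|^ecp|^Autodiscover).*)"
# Placeholder back-end host, as in the rule's <action url="..."> (assumed name).
INTERNAL_CAS = "internal-cas-fqdn"

# URL Rewrite's default is ignoreCase="true", so compile case-insensitively.
_RULE = re.compile(RULE_PATTERN, re.IGNORECASE)


def rewrite_target(request_path: str) -> Optional[str]:
    """Return the back-end URL the rule would forward to, or None when the
    request does not match and is left to the default website instead."""
    path, sep, query = request_path.partition("?")  # {URL} excludes the query string
    url = path.lstrip("/")                          # ...and has no leading "/"
    m = _RULE.search(url)
    if not m:
        return None
    # {R:1} is the first capture group; appendQueryString defaults to true.
    return f"https://{INTERNAL_CAS}/{m.group(1)}{sep}{query}"


def classify(paths):
    """Split sample request paths into those the rule forwards and those it does not."""
    result = {"forwarded": [], "not_forwarded": []}
    for p in paths:
        key = "forwarded" if rewrite_target(p) else "not_forwarded"
        result[key].append(p)
    return result


# Constructed sample requests: the virtual directories the rule names, plus a
# few paths that fall outside its allow-list.
SAMPLE_PATHS = [
    "/owa/auth/logon.aspx",
    "/Microsoft-Server-ActiveSync?Cmd=Sync",
    "/EWS/Exchange.asmx",
    "/Autodiscover/Autodiscover.xml",
    "/ECP/",                 # case differs from the pattern's "ecp"; still matches
    "/rpc/rpcproxy.dll",     # Outlook Anywhere path; not listed in the pattern
    "/PowerShell/",          # remote PowerShell endpoint; not listed either
    "/",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:40} -> {rewrite_target(p)}")
```

Running it shows that anything not in the pattern, such as /rpc/rpcproxy.dll, stays on the default website and is not proxied to the internal CAS, which is the behaviour to confirm against the features you actually want published.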
In a future post I will cover my next steps of:
  1. Completion of Lync Server install
  2. Lync / Exchange integration
  3. SharePoint 2010
