OCS 2007 Installation - Part 2

Other parts in this series:

OCS Installation - Part 1

Last time we left off about halfway through the OCS 2007 installer. This part should run through the end of the initial installation process. I'll cover some of the initial configuration on the next part.

Configure Internal Certificate

The Configure Server section should now have a green checkmark next to it. Click the Run button under Configure Certificate to continue.

clip_image002

The Configure Certificate Wizard should start. Press Next to continue.

clip_image004

Choose Create a new certificate and press Next.

clip_image006

Choose Send the request immediately to an online certification authority and press Next.

clip_image008

Give the certificate a meaningful friendly name, uncheck Mark cert as exportable and press Next. We shouldn't ever need to export the certificate from the front-end server.

clip_image010

Fill in organization and organization unit names and press Next.

clip_image012

Leave the subject name as the fully qualified name of the internal OCS machine, tap-ocs-2k7.ptown.com. In the subject alternate name (SAN) box enter tap-ocs-2k7.ptown.com,sip.confusedamused.com. Press Next.

cert1

Note: The reason the first SAN listed must be the same as the subject name is because of how ISA 2006 handles the reverse proxy. If we only left sip.confusedamused.com as the sole SAN entry everything would work fine internally, but we'd run into problems with the reverse proxy later. Since we'll later tell ISA the internal site name is tap-ocs-2k7.ptown.com, but when it connects it tries to match the subject name to the first SAN listed. When it doesn't line up ISA throws an Error 500 - Service Principal Name Incorrect. Doing the certificate this way now removes some unnecessary work later. You can read some more about this ISA issue here.

Enter a state and province and press Next.

clip_image016

The certificate authority, tap-dc-2k3.ptown.com\P-Town Certificate Authority, should already be detected. Press Next.

clip_image018

Review the certificate information and press Next to generate the certificate.

cert2

The success message should appear. Press the Assign button to use the certificate just created for OCS services.

clip_image022

A message indicating the certificate was applied should appear. Press OK.

clip_image024

Click Finish to close the certificate wizard.

Assign Web Components Certificate

Open IIS Manager, expand the Web Sites folder, right-click on the Default Web Site and choose Properties.

clip_image002[5]

Click on the Directory Security tab.

clip_image004[5]

Click the Server Certificate button to start the Web Server Certificate Wizard.

Press Next to start the process.

clip_image006[5]

Choose Assign an existing certificate and press Next.

clip_image008[5]

Select the certificate that was issued to tap-ocs-2k7.ptown.com and press Next.

cert3

Leave the default SSL port of 443 and press Next.

clip_image012[5]

Review the certificate summary and press Next.

clip_image014[5]

A success message appears. Click Finish to close the wizard.

clip_image016[5]

Warning: The service accounts RTCService and RTCComponentService do not have have the Password Never Expires option selected by default. Unless you want those account passwords to be changed with the default domain policy I would recommend going into Active Directory Users & Computers and making sure those passwords don't expire. If they do expire your OCS services won't start.

Start Services

At this point the OCS services can started. Flip back to the OCS installer and click the Run button under Start Services.

clip_image002[7]

The Start Services Wizard should open. Press Next to continue.

clip_image004[7]

Press Next again to start the list of services found.

clip_image006[7]

A success dialog will appear when it finishes. Check the box to view the log if desired, but press Finish to continue.

clip_image008[7]

At this point, OCS is up and running, but will not pass many of the validation tests. Exit the installer completely. I'll cover the DNS configuration in the next part of this series.