次の方法で共有


Director Role in LCS & OCS (Part 2 of 3)

As we continue this discussion of the director role we will look at today some of the topologies that are available once you have decided that you want a director in your enviroment.

As we stated in part 1 of this 3 blog series, the director can come in the following shapes and sizes, Standard Edition server, Enterprise Pool, and Array of Standard Edition servers.

Standard Edition server

The Standard Edition server is a single physical box, its role will be to act as a buffer between the Access Proxy that sits in the DMZ and our internal organzation.  Sitting in this capacity the director will need to talk to additional servers within the OCS infrastructure.  For that to happen securely the director will need to talk MTLS.  MTLS stands for Mutual Translation Security, and by needing to talk to additional servers through MTLS requires a certificate.  This certificate can come from your existing PKI setup or a public certificate, as long as it has a certificate.  When assigning the certificate name or Subject name of this certificate, be sure to name it properly or this server will not be able to talk to the internal servers. The server name should be the FQDN of the server name.

For example, if my director's name is Server1.Contoso.com; then my SN will be Server1.Contoso.com

Enterprise Pool

The enterprise pool is where we use our existing pool as the director itself.  This is the case when we choose not to have a server in front of our pool and we just let the pool do all the authentication and directing to additional pools if needed itself. If you have already deployed OCS 2007 in an enviroment and you deployed by selecting Enterprise Edition and you did not select to have another physical box do the authentication, then the pool is acting as your director.  This setup too requires a certificate, so the certificate is basically already setup when you created a certificate for your pool.  The server name should be the FQDN of the pool.

For example, my internal pool name is Pool1.Contoso.com; then my SN will be Poo1.Contoso.com

 

Array of Standard Edition servers

This will be the last of the topologies with a director that we talk about, the Array of Standard Edition servers.  This particular topology is not too widely used, but it's valuable when used.  The Array of Standard Edition servers is exactly that, an Array of Standard Edition servers.  An array can consist of two or more servers, so in this instance we will just say an array is three. This topology follows the same logic as the single standard edition server by offloading the authentication from a pool to the array of servers that sit in the internal organization before the pool.  So instead of a single server doing the authentication for lots of users we now have (for this example) three servers that are doing the authentication.

This setup will require a physical loadbalancer to be in front of the array of standard edition servers. The hardware loadbalancer will take the request and pass the request to the different standard edition servers that are acting as directors. 

A couple of things are needed for this configuration and those are setup of your hardware loadbalancer and certificates once again.  Now what's different with this set of certificates from the others is that SN must match the FQDN for the VIP used.

For example, Certificate SN = director_array.contoso.com

This concludes part 2 of the 3 part series on the director, next time we will look at once the director is setup in the enviroment what are some things that need to be addressed during regurlar maintanence and disaster recovery.