OCS UpdateServiceDeploy

Microsoft Office
Communications
Server 2007 –
Software Update
Service Deployment
Guide
Published September 2007
Updated October 2007
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or
event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any
form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other intellectual property.
® 2007 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows NT, Windows Server, Windows Vista, RoundTable, and SharePoint are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.

Contents
Contents.....................................................................................................................................................3
Introduction................................................................................................................................................5
Overview of the Software Update Service.................................................................................................5
Supported Topologies.............................................................................................................................5
Components of the Software Update Service........................................................................................6
How the Software Update Service Works..............................................................................................7
How Updates Are Uploaded and Managed within the Software Update Service..............................8
How Devices Connect to the Software Update Service.....................................................................8
Scenarios for the Software Update Service................................................................................................9
Controlling the way device updates are deployed to users................................................................9
Approving an update..........................................................................................................................9
Rolling back a defective update.........................................................................................................9
Introducing new models...................................................................................................................10
Removing an old model...................................................................................................................10
Retrieving updates automatically or manually.................................................................................10
Retrieve an inventory of devices in the organization.......................................................................10
Overview of Deployment.........................................................................................................................10
Prerequisites.............................................................................................................................................11
Dependencies for Automatic Uploads..............................................................................................11
Configuring SharePoint............................................................................................................................11
Step 1 Create the SharePoint Default Site (if you have not already)..................................................12
Step 2 Enable Anonymous User Access ............................................................................................12
Step 3 Configure Alternate Mapping Access .....................................................................................13
Step 4 Install Files for the SharePoint Server Software Update Service Component.........................16
Verify Installation (optional)............................................................................................................16
Step 5 Create the Software Update Services SharePoint Site.............................................................17
Step 6 Grant Service Account Permissions to Administer the SharePoint Site..................................18
Step 7 Configure Certificates on the SharePoint Server ....................................................................20
Deploying and Configuring the Software Update Service.......................................................................22
Prerequisites.........................................................................................................................................22
4 Microsoft Office Communications Server 2007 Update Server
Step 1 Deploying the Software Update Service..................................................................................23

Installing the Software Update Service on Office Communications Server....................................23
Activate the Software Update Service.............................................................................................23
Step 2 Configuring Certificates on the Software Update Service.......................................................24
Step 3 Configure Kerberos on the Service Account...........................................................................25
Step 4 Configure Your Reverse Proxy (For External Access Only)...................................................26
Configure Network Adapters...........................................................................................................27
Install ISA Server 2006....................................................................................................................28
Request and Configure a Certificate for Your Reverse HTTP Proxy...............................................28
Configure Web Publishing Rules.....................................................................................................28
Verify or Configure Authentication and Certification on IIS Virtual Directories............................32
Create a DNS Record.......................................................................................................................33
Verify Access through Your Reverse Proxy.....................................................................................33
Step 5 Upload a Cabinent File in the Management Console (Optional).............................................34
Step 6 Test Software Update Service..................................................................................................34
Step 6.1 Add a Test Device.............................................................................................................34
Step 6.2 Restart Your Device..........................................................................................................35
Step 6.3 Verify the Audit Logs........................................................................................................35
Appendix A: Troubleshooting..................................................................................................................36
Service Account Is Changed in Office Communication Server...........................................................36
Server Name and Port Changes...........................................................................................................37
Problems Creating the Update Site on SharePoint...............................................................................38
Problems Deleting a SharePoint Site...................................................................................................39
Problems with Anonymous Access or Permissions on the Document Library Folder........................39
Appendix B: Configuring RoundTable for the Software Update Service................................................43
Configuring Device Specifics Updates for RoundTable......................................................................45
Appendix C: Manually Configuring the URLs Used by the Software Update Service...........................47
Update the SharePoint Update Site URL.............................................................................................47
Update the External Download URLs for the Software Update Service.............................................48
Update the External Update URL of the Software Update Service on a Standard Edition Server..48
Update the External Update URL of the Software Update Service on an Enterprise Pool..............48
Introduction 5
Introduction
Unified communication (UC) devices, such as Microsoft® Communicator Phone Experience and
Microsoft RoundTable™, enable rich communication within an organization. Deploying these
devices requires regular maintenance by the IT department, which includes providing available
software updates to these unified communications devices. All UC devices rely on an automatic
mechanism to obtain software update required on a regular basis.
Microsoft Office Communications Server 2007 Upgrade Service provides an automated way to
update all unified communications devices deployed in an organization. These software updates can
be the latest enhancements or fixes to known issues in the current version already deployed on the
device.
This document guides you through the process of deploying the Office Communications Server 2007
Software Update Service in your organization.
Overview of the Software Update

Service
Office Communications Server 2007 Upgrade Service has two primary components:
• SharePoint® Site – An update module running on Windows® SharePoint Services 3.0 that
functions as the repository for update images, log files, device files, and any other files that
might be required as part of the update on a unified communications device. This module also
serves as the installation point for the Web service required by the upgrade server.
• Software Update Service – A service that runs on Office Communications Server. This
component is the core of the Software Update Service and works in conjunction with the
SharePoint site to provide appropriate updates to UC devices in an enterprise. In a typical
installation, several updates services can work with each SharePoint site.
Supported Topologies
The Software Update Service must be installed on an Office Communications Server on which the
Web Component Server role is running. You can deploy the Software Update Service on the
following Office Communications Servers:
• A Standard Edition Server
• Each Enterprise Edition Server in the consolidated pool configuration
• Each Web Components (IIS) Server in the expanded pool configuration
You must install the SharePoint Server on a dedicated separate computer from the Office
Communications Server 2007 Software Update Service.
If your organization contains multiple pools and Standard Edition Servers, you must install the
Software Update Service on each pool (all servers running the Web Components Server role) and
each Standard Edition Server.
Based on SharePoints usage model that assumes a 10% concurrent connection rate, a single
SharePoint Server update site can support up to 90,000 devices for an organization. If you assume a
usage model of up to 50% of the organization using devices, a single SharePoint Server can be used
for an organization with a user base of 180,000 users.
Components of the Software Update Service

There are several components in the Software Update Service that interact with each other to
download, approve, and deploy device updates:
• Software Update Service on the Office Communications Server 2007 Web Components Server.
This component:
• Services all unified communications devices. Devices connect to the Software Update
Service and the Software Update Service determines whether an update is required for the
current version running on the device.
• Retrieves updates from Microsoft Update Service or manually (if no connection to the
Microsoft Update Service exists) and writes this information to the data store on the
SharePoint Server.
• Provides the Management Console for managing updates.
• Management Console – Most of the administrator tasks are completed using this console,
which is a Web console hosted on the Software Update Service that runs on the Office
Communications Server. This console allows you to manage your updates, approve or reject
updates, roll back defective updates, test new updates on devices, or delete updates.
The Management Console uses the following URL constructs:
• For a Standard Edition Server: https://<FQDN of the Standard Edition Server>
/MgmtConsole
• For an Enterprise pool: URL https://<FQDN of a Web Components Server in the pool >
/MgmtConsole
In an Enterprise pool, you can use the FQDN of any Web Components Server in the pool,
but you cannot use the FQDN of the pool. You cannot send requests through the load
balancer because the Management Console does not have state manager to manage activity
made on the console. When a change is committed, it is automatically synchronized across
all Web Component Servers within the pool.
Introduction 7
• Auto updates – This component gets newly published device updates from the Microsoft
Update Service (MUS), Windows Server® Update Service (WSUS), or the Windows Update
Agent. If your organization does not automatically connect to a Microsoft Update site, you can
manually download cab files that contain update metadata from the Microsoft Web site.
• SharePoint Server – The Update Site serves as the central repository for the update
information, logs, and audit information. The Update Site provides the installation point for
devices that require updates. It also allows administrators to view logs and other update data on
the SharePoint Server that contains a data store with the following information:
• Configuration information – Information such as the file storage host and share name,
Windows Server Update Service server information, the life time of the log folder, and other
configuration information required by Update Service is stored in the data store on the
SharePoint Sever.
How the Software Update Service Works

The following figure shows the architecture of Office Communications Server Software Update
Service and its associated components.
Figure 1 Architecture of Office Communications Server Software Update Service
Microsoft
Update
Service
WSUS
Firewall
UC Servers
SharePoint with
OCS with Update Module
Network
Update Service
UC Endpoints
Round Table
Public IP
HTTP
Perimeter
Communicator
Reverse
Proxy UC Endpoints UC
Phone Experience
Administrator
Communicator
Phone Experience RoundTable
External Internal
MUS data path OCS/Update Server data path
Sharepoint data Admin path

How Updates Are Uploaded and Managed within the Software

Update Service
As figure 1 illustrates, if your organization is connected to the Microsoft Update Service, updates are
uploaded in the following manner:
1. Windows Update Agent runs on every computer running Windows Server 2003. The update
agent connects directly to the Microsoft Update Service on the Windows Server Update Service
(depending on your organization). It talks directly to MUS or WSUS, which is transparent to
users.
2. Windows Update Agent retrieves any updates from the Microsoft Update Service.
3. An internal component of the Office Communications Server 2007 Software Update Service
(the update package handler) retrieves all UC device-specific updates and writes this
information to the configuration store on the SharePoint Update site.
4. These updates are automatically published to the pending approvals on the Manage Updates tab
in the Management Console of the Office Communications Server Software Update Service.
5. The Management Console writes any changes to the SharePoint Update site.
How Devices Connect to the Software Update Service
Currently the Software Update Service supports two unified communications devices: RoundTable
and Communicator Phone Edition.
RoundTable must be manually configured to connect to the Software Update Service and upload any
device updates. For more information, see Appendix B: Configuring RoundTable for the Software
Update Service.
Communicator Phone Edition using the default configuration connects to the Software Update
Service in the following way:
1. When Communicator Phone Edition signs in to the server or pool hosting the corresponding user
account, Communicator Phone Edition gets in-band provisioning information from the server or
pool containing internal and external URL of the IIS server running the Software Update
Service.
2. At startup, when the device signs in, and every 24 hours, Communicator Phone Edition checks
for updates by sending an HTTP request over port 443 to the IIS or Web Components Servers
hosting the Software Update Service. Within the HTTP request is the current version that
Communicator Phone Edition is running.
3. Office Communications Server Software Update Service returns a response containing one of the
following:
• If no updates exists for the current version, the response contains downloads=0.
• If an update exists for the current version, the response contains an internal and external
URL for the SharePoint Server site.
4. Communicator Phone Edition sends an HTTPS request to the SharePoint Server.
Introduction 9
• If Communicator Phone Edition is connecting from within the intranet, it sends an HTTPS
request over port 443 to the SharePoint site.
• If Communicator Phone Edition is connecting from outside the intranet, it sends an HTTPS
request over port 443 to the SharePoint site.
5. The image is downloaded to the device.
6. The device waits for five minutes of idle activity, and then restarts
7. When restart is complete, the device is updated.
Scenarios for the Software Update

Service
As an administrator who is responsible for ensuring that all UC devices in your enterprise are
maintained and upgraded at a regular basis, you might encounter one of the following scenarios that
require installing an upgrade server.
Controlling the way device updates are deployed to users
As an administrator, you can verify each update on a test device and then make these updates
available to the appropriate devices in your organization.
You can use Microsoft Office Communications Server Update Server to download device-specific
updates and test them before deployment in an enterprise environment, giving a greater degree of
control over update deployment.
Approving an update
You have set up your enterprise to automatically download updates from Microsoft Updates Service.
However, you want to have the authority to approve or disapprove an update that has been
downloaded automatically from the Microsoft Update Service.
With Microsoft Office Communications Server Update Server, you can approve or reject updates that
have been downloaded automatically from the Microsoft Update Service before deployment. This
allows you to make sure that all updates are valid and functional instead of having to troubleshoot
after deployment.
Rolling back a defective update
You have recently deployed a UC device update only to realize that the update is defective. You can
roll back the defective update and reinstall a prior version.
Microsoft Office Communications Server Update Server allows you to roll back a defective update
and retain a tested prior update as the latest one. The next time a UC device polls the Upgrade Server
for an update, it is sent a URL to a prior (rolled back) version of the upgrade. The device now
automatically installs this update and effectively remove the defective upgrade.
Introducing new models

In a situation where a new model of a UC device is introduced in the market, you want all software
updates relevant for this model to be available for deployment.
With Microsoft Office Communications Server Update Server, you can create new data files or
documents on your SharePoint site for all new UC devices. As updates for the new model are
published by Windows Updates Services, they are downloaded by the Upgrade Server ready for
approval and deployment.
Removing an old model
UC devices can at times be pulled off the market, the company can stop manufacturing those
devices, or you can decide to replace a particular model in your enterprise with a different model. In
such situations, you want to clean up all data files associated with that model from your Upgrade
Service.
With Microsoft Office Communications Server Update Server, you can delete all data files or
documents relating to a particular UC model from your SharePoint site.
Retrieving updates automatically or manually
You can retrieve updates for the Software Update Service automatically or manually.
Automatic Updates
If your organization has a Windows Server Update Service that is connected to the Microsoft Update
Service, your Office Communications Server 2007 Software Update Service automatically receives
updates for your unified communications devices.
Manual Updates
If your organization does not have a Windows Server Update Service or chooses not to connect to
Microsoft Update Service, you can manually upload an upgrade using the Microsoft Web site
http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=updatesite.
The site is also useful if your organization is connected to the Microsoft Update Service, but the
automatic updates mechanism malfunctions, Microsoft Update Service might be out of service, or
there are issues connecting with the Internet.
Retrieve an inventory of devices in the organization
You can use the log files and audit information on the SharePoint Update site to get an inventory of
all devices in your organization. For more information, see the Microsoft Office Communications
Server 2007 Software Update Services Administration Guide.
Overview of Deployment
Deployment involves two major tasks:
Introduction 11
• Configuring the SharePoint Server for the Software Update Service site and installing the
Software Update Service component on the SharePoint site. (This installation creates the
Software Update Services site.)
• Deploying the Office Communications Server 2007 Software Update Service on an Office
Communications Server.
Prerequisites
Ensure that you check for the following prerequisites before you start deploying.
1. Windows SharePoint Services is installed in your environment.
2. Microsoft Office Communications Server 2007 is deployed in your environment. You must
install the Software Update Service component on an Office Communications Server 2007
Standard or Enterprise Edition Server, as described earlier.
3. An existing PKI infrastructure is in place and devices are configured with a valid certificate
issued from a public CA (recommended) or a private CA that allows the device to connect to the
Update Service from outside the intranet.
4. If you intend to support external access to the Software Update Service to enable users with UC
devices to connect to the Software Update Service from outside your intranet: You must have:
• A supported edge topology deployed and operational in your perimeter network and remote
user access enabled for users with UC devices. For more information about deploying edge
servers, see the Microsoft Office Communications Server Edge Serve Deployment Guide.
• A reverse proxy in your perimeter network if you intend to support external access to the
Software Update Service.
5. If your organization uses IPSec, it must be configured to run in boundary or request mode.
Dependencies for Automatic Uploads
As explained earlier, if you want to automatically receive updates, the following is required:
• Microsoft Windows Server Update Service
• Microsoft Update Service
Configuring SharePoint
Configuring SharePoint involves the following steps:
Step 1 Create the SharePoint Default Site
Step 2 Enable Anonymous User Access
Step 3 Configure Alternate Mapping Access
Step 4 Install Files for the SharePoint Server Software Update Service Component
Step 5 Create the Software Update Service SharePoint Site
Step 6 Grant Service Account Permissions to Administer the SharePoint Site
Step 7 Configure Certificates on the SharePoint Server
Step 1 Create the SharePoint Default Site (if you

have not already)
Creating the default SharePoint site is part of the standard SharePoint installation process. If you
have not already completed this step, use the procedure below.
To run the configuration wizard to create the default SharePoint site
1. Start the SharePoint Products and Technologies Configuration Wizard: Click Start, point to
Administrative, point to Administrative Tools, and then click SharePoint Products and
Technologies Configuration Wizard.
2. Click Next.
3. Click Yes, and then click Next.
4. Complete the wizard.
The default SharePoint site opens.
Step 2 Enable Anonymous User Access

Use the following procedure to enable anonymous access to the SharePoint site. Anonymous access
is required to allow devices and others to connect and retrieve updates from the Software Update
Service SharePoint site. You must enable anonymous access on the Authentication Providers page,
but only grant permissions to the Software Update Service site (as explained later in this guide).
To enable anonymous user access to the SharePoint site
1. Open the newly created site: http://<servername>:<default central administration
port>/Default.aspx. For example: http://sharepointserver1:28406/default.aspx: Click Start, point
to Administrative Tools, and then click SharePoint 3.0 Central Administration.
2. Click the Application Management tab.
3. Under Application Security, click Authentication Providers.
Introduction 13
4. On the Authentication Providers page, click Default.

5. On the Edit Authentication page, under Web Application verify that the Web site maps to the
SharePoint-80 site.
6. Click the Enable anonymous access check box, and then click Save.
Step 3 Configure Alternate Mapping Access

Alternate mappings allow you to configure URLs that can be used to access your SharePoint site. For
the Software Update Service, you configure alternate mappings to allow access using an HTTPS
URL.
To configure alternate mapping access

1. Open SharePoint Server 3.0 Central Administration: Click Start, point to Administrative Tools,
and then click SharePoint Server 3.0 Central Administration.
2. Click the Operations tab.
3. Under Global Configuration, click Alternate access mappings.
4. On the Alternate Access Mappings page, click Add Internal URLs.
5. On the Add Internal URLs page, click No Selection, and then click Change Alternate Access
Mapping Collection.
Introduction 15
6. Click SharePoint – 80.

7. On the Add Internal URLs page, under URL protocol host and port, type the
https://<SharePointServer Name>URL, and click OK.
8. Repeat the following steps 4 – 7 and add each of the following URLs.
http://<SharePointServer fully qualified domain name> (http URL with fully
qualified domain name (FQDN) of the server)
https://<SharePointServer fully qualified domain name> (https URL with FQDN of
the server)
9. Verify that the following URLs display on the Alternate Access Mapping page.
https://<SharePointServer Name> (https URL with computer name)
http://<SharePointServer fully qualified Name> (http URL with fully qualified

domain name (FQDN) of the server)
https://<SharePointServer fully qualified Name> (https URL with FQDN of the

server)
Step 4 Install Files for the SharePoint Server

Software Update Service Component
After you have configured the necessary settings for SharePoint, install the files necessary for the
update component, a module running on a SharePoint portal functions as the repository for update
images, log files, device files, and any other files that might be required as part of the update on a
UC device. This module also serves as the installation point for the Web service required by the
Upgrade Server.
To install the files for the Software Update Service SharePoint component
1. Log on to the SharePoint Server with an account that is a member of the local administrator’s
group.
2. On the Microsoft Web site, double-click OCSSoftwareUpdateServiceSP.msi.
3. On the Welcome page, click Next.
4. On the License Agreement page, if you accept the licensing terms, click I accept the terms of
the license agreement, and then click Next.
5. On the Confirm Installation page, click Next.
6. Click Close.
Verify Installation (optional)
After completing the installation wizard, verify a successful installation by ensuring that the correct
files have been installed on the server and that IIS is configured properly.
File Verification
The following files should be installed at <drive letter>:\Program Files\Common Files\Microsoft
Shared\web server extensions\12\ISAPI:
• ApprovalDs.xsd
• DocumentLibraryPath.xml
• FileDescriptor.xsd
• Microsoft.RTC.UCServer.SharePointSetup.exe
• UCUpdateService.asmx
• UCUpdateServicedisco.aspx
• UCUpdateServicewsdl.aspx
Introduction 17
IIS Configuration
Use the following procedure to verify the proper settings in IIS.
To verify the proper configuration in IIS
1. Open Internet Information Services (IIS) Manager: Click Start, point to Administrative Tools,
and then click Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand your server, and then expand
Application pools.
3. Verify that the following nodes display:
• SharePoint – 80
• SharePoint Central Administration v3
4. Under Application Pools, click Web Service Extensions.
5. In the details pane, verify that Asp.NET v2.0.50727 and Windows SharePoint Services V3
display with an Allowed status.
Step 5 Create the Software Update Services

SharePoint Site
After you have installed the files required for the Software Update Service component on
SharePoint, run the executable to create the Software Update Service SharePoint site.
To create the SharePoint Site for the Software Update Service
1. Log on to the SharePoint Server with an account that is a member of the SharePoint Farm
administrator’s group with full control and the SharePoint site collection administrator’s group
or a group that has equivalent permissions.
2. On the command path, move to the following directory: C:\Program Files\Common
Files\Microsoft Shared\web server extensions\12\ISAPI\.
3. Run the following command.
Microsoft.RTC.UCServer.SharePointSetup.exe <SharePoint servername> <SharePoint
Central Admin Port number> <Admin UserID> <Admin email alias> <password>
<domain> <SharePoint port>.
Table 1 Command-Line Parameters

Arguments Description
Servername SharePoint Server name, for example
http://SharepointServer1
SharePoint TCP Port in the SharePoint Central Administration.
Central
Administrator
Port number
Admin UserID This is the administrator user ID who can create the
SharePoint site.
Admin Email The e-mail alias for the administrator.
Password The administrator password.
Domain The domain on which the administrator account
resides.
SharePoint port The SharePoint port (TCP port of SharePoint – 80
site), port 80
For example:
Microsoft.RTC.UCServer.SharePointSetup.exe http://SharepointServer1 28406 ted
ted@contoso.com MyPassword corp.contoso.com 80
To verify that the SharePoint site is successfully created

1. Open the site and verify creation, for example
http://sharepointserver1/sites/UCUpdateServer/default.aspx.
2. Click Documents.
3. Verify that the following document libraries are created:
• Server
• Logs
• Updates
4. Verify that the DB folder is created in the Document Library Server. For example,
http://sharepointserver1/sites/UCUpdateServer/Server/DB/.
5. Verify that the ConfigSettings.xml file is in the DB folder.
Step 6 Grant Service Account Permissions to

Administer the SharePoint Site
After you have created the default site for the Software Update Service SharePoint component, use
the following procedure to grant the service account used by Office Communications Server 2007
Web Component Server the necessary permissions to the site. This service account
(RTCComponentService by default) requires full permissions to the site and must be configured as a
site collection administrator.
Introduction 19
To add the service account used

1. Open the site at http://<servername>/sites/UCUpdateServer/default.aspx. For example,
2. Click Site Actions, and then click Site Settings.
3. On the Site Settings page, under Users and Permissions, click Site Collection Administrator.
4. On the Site Collection Administrator page, next to Site Collection Administrators, type the
name of the service account used by the Web Components Server. If your organization uses the
default service account name, enter it (<domain>\RTCComponentService). If your organization
uses a different account, enter that service account name.
5. Click OK.
6. On the Site Settings page, click Advanced Permissions.
7. On the Permissions page, click New.
8. Click Add Users.
9. Under Users and Groups, type the name of the service account used by Office Communications
Server 2007 Web Components. If your organization uses the default service account name, enter
it, RTCComponentService. If your organization uses a different account, enter that service
account name.
10. Under Give Permissions, click Give users permissions directly, and then click Full Control –
has full control.
11. Click OK.
Step 7 Configure Certificates on the SharePoint

Server
To configure HTTPS access on your SharePoint Server, you need to configure a certificate for the
Web site. The certificate must be a Web server certificate with a subject name that matches the
FQDN of the server name.
Use the following procedure to assign an existing certificate on your SharePoint Server. If you must
request and assign the certificate, see the procedure immedidate following this one.
To assign an existing certificate to the SharePoint Site
1. Open Internet Information Services (IIS) Manager: Click Start, point to Administrative Tools,
and then click Internet Information Services (IIS) Manager.
2. In the console pane, expand Websites.
3. Right-click SharePoint – 80, and then click Properties.
4. On the Web Site tab, type 443 in the SSL Port box.
5. Click the Directory Security tab.
Introduction 21
6. Click Server Certificate.

7. On the Welcome to the Web Server Certificate Wizard screen, click Next.
8. Click Assign an existing certificate, and then click Next.
9. Under Select a certificate, select the certificate, and then click Next.
10. Select the port, and then click Next.
11. Review the Certificate Summary, and then click Next.
12. Click Finish to complete the wizard.
13. Restart IIS, and then check that all the pool and Web sites are running.
14. Open your SharePoint Server site using HTTPS: https://<FQDN of your server>
/sites/UCUpdateServer/default.aspx.
For example: https://sharepointserver1.contoso.com /sites/UCUpdateServer/default.aspx
To request and assign a new certificate to the SharePoint Site
1. Open Internet Information Services (IIS) Manager.
2. In the console pane, expand Websites.
3. Right-click SharePoint – 80, and then click Properties.
4. On the Web Site tab, type 443 in the SSL Port box.
7. On the Welcome to the Web Server Certificate Wizard page, click Next.
8. Click Create a new certificate, and then click Next.
9. On the Delayed or Immediate Request page, click Send the request immediately to an
online certificate authority, and then click Next.
If you are using a public certification authority (CA), you can select the option to prepare the
request and then send it later.
10. On the Name and Security Settings page, type a meaningful name for the certificate, select a
bit length for the certificate, and then click Next.
11. On the Organization Information page, type or select the name of your organization and
organizational unit, and then click Next.
12. On the Your Site’s Common Name page, type the fully qualified name of the SharePoint
Server, and then click Next.
13. On the Geographical Information page, enter location information in the Country/Region,
State/Province, and City/Locality boxes. Do not use abbreviations. When you are finished,
click Next.
14. On the SSL port page, accept the default port 443, and then click Next.
15. On the Choose a Certification Authority page, click your CA in the list, and then click Next.
16. On the Certificate Request Submission page, review the settings that you specified, and then
click Next.
17. Click Finish.
18. Open your SharePoint Server site using HTTPS: https://<FQDN of your server>
/sites/UCUpdateServer/default.aspx.
For example: https://sharepointserver1.contoso.com /sites/UCUpdateServer/default.aspx
Deploying and Configuring the

Software Update Service
After your SharePoint Server is fully configured, you can deploy the Software Update Service on
Office Communications Server.
The deployment process involves the following steps:
Step 1 Deploy the Software Update Service
Step 2 Configure Certificates on the Software Update Service
Step 3 Configure Kerberos on the Service Account
Step 4 Configuring Your Reverse Proxy
Step 5 Upload a Cab File in the Management Console
Step 6 Test Software Update Service
Prerequisites
As explained earlier, to support Office Communications Server 2007 Software Update Service, an
Office Communications Server 2007 Standard Edition Server or Enterprise pool must be deployed in
your organization.
You must install the Office Communications Server 2007 Software Update Service on one of the
following:
• Office Communications Server 2007 Standard Edition
• Office Communications Server 2007 Enterprise Edition Server in a pool in the consolidated
configuration
• Office Communications Server 2007 Web Components Server (the server running IIS) in a pool
in the expanded configuration
Introduction 23
Step 1 Deploying the Software Update Service

Deploying the Software Update Service involves two processes:
• Installing Software Update Service files on the local computer
• Activating the Software Update Service on the local computer
Installing the Software Update Service on Office Communications

Server
Use the following procedure to install the files locally on the server where you plan to deploy the
Software Update Service.
To install the Update Server
1. Log on to your Office Communications Server with an account that is a member of the local
administrators group or has equivalent permissions.
2. Access the Microsoft Web site to download the Software Update Service.
3. Double-click OCSSoftwareUpdateService.msi.
4. On the Welcome page, click Next.
5. On the License Agreement page, if you agree to the terms, click I accept the terms in the
license agreement, and then click Next.
6. On the Confirm Installation page, click Next.
7. Click Close to complete the installation.
Activate the Software Update Service
Use the following procedure to activate the Software Update Service.
To activate the Software Update Service
1. Log on to your server with an account that is a member of the RTCUniversalServerAdmins
group and the local administrators group.
2. Open a command prompt.
3. Navigate to the \Program Files\ Microsoft Office Communications Server 2007\Web
Components\UC Device Updates\CommonFiles directory.
4. Type the following command:
• For a Standard Edition Server
cscript ConfigUpdatesServer.vbs /Action:Activate
/InternalUpdatesStoreURL:https://<Internal
SharePointFQDN>/sites/ucupdateserver
/ExternalUpdatesStoreURL:https://<externalSharePointFQDN>/sites/ucupdateser
ver
/user:RTCComponentService /Password:<password>
/ExternalWebfqdn:<External FQDN of Web farm>
• For an Enterprise pool

/InternalUpdatesStoreURL:https://<internalSharePointFQDN>/sites/ucupdateser
ver
ver /user:RTCComponentService /Password:<password>
/guest:<RTCGuestAcccess User Account> /guestpassword:<password>
where:
• InternalUpdatesStoreURL is the internal URL used to access the SharePoint Update site
from inside the intranet.
• ExternalUpdatesStoreURL is the external URL link to the SharePoint Update site from
inside the intranet. Use the following format: https://<ExternalFQDN>/sites/ucupdateserver.
• ExternalWebfqdn is the FQDN that devices use to connect to the Software Update Service
from outside the intranet. Use the following format: <external server FQDN>.
For a
Note:
• User identifies the service account under which Office Communications Server 2007 Web
Components is run. The default service account is RTCComponentService.
• Password is the password for the service account.
• guest is the guest user account used in Office Communications Server (the default account
is RTCGuestAccessUser) or it can be any domain user.
• guestpassword is the password for the guess user account.
Step 2 Configuring Certificates on the Software

Update Service
Use the following procedure to configure the Web certificate required for HTTPS access on the
Software Update Service running on Office Communication Server. You can use the same certificate
that you assigned on the Web Components Server role when you set up Office Communications
Server.
Introduction 25
To configure a certificate on the Update Server

1. Log on to Update Server with an account that is a member of the local adminstrator’s group.
2. Open Internet Information Services (IIS) Manager.
3. Expand Web Sites.
4. Right-click Default Web Sites, and then click Properties.
5. On the Web Site tab, verify that 443 is entered in the SSL Port box.
8. On the Certificate Wizard page, select Next.
9. Select Assign an existing certificate, and then click Next.
10. Select the existing certificate, and then click Next.
11. Under SSL port this web site should use, verify that 443 is entered, and then click Next.
12. Review the Certificate Summary, and then click Next.
13. Click Finish to close the wizard.
14. Restart Microsoft Internet Information Services, and then verify that all pools and Web sites are
running.
Step 3 Configure Kerberos on the Service Account

For administrators to access the Management Console, you must configure the service account used
by Web Components Server to use Kerberos authentication. When the service account is configured
to use Kerberos, it automatically prompts the administrator for a user name and password and
enabled them to access the site (if authorized).
To configure Kerberos on the Service Account
1. Download the SetSPN_Setup.exe from the following location:
http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=setspn.
2. Double-click SETSPN_Setup.exe.
3. Navigate to the directory where SETSPN is installed. If you install it from the location in step 1,
the directory is <drive letter>:\Program Files\Resource Kit.
4. Open a command prompt, and then type the following command.
setspn -A HTTP/[FQDN] [Domain]\<service account used by Web Components (default
name is RTCComponentService)>
You should receive an output similar to the following.

Registering ServicePrincipalNames for CN=Admin,OU=Users,OU=all

users,DC=corp,DC=contoso, DC=com
HTTP/server1.corp.contoso.com
Updated object
5. Restart the IIS.

6. Open the following URLs to ensure that connectivity to the Management Console works.
https://<FQDN of your Web Components Server or Standard Edition
Server>/RequestHandler/ucdevice.upx
https:// <://<FQDN of your Web Components Server or Standard Edition Server
>/MgmtConsole/ApprovalProcess.aspx
Step 4 Configure Your Reverse Proxy (For External

Access Only)
To enable devices to connect to the Software Update Service from outside your organization’s
firewall, a Microsoft Internet Security and Acceleration (ISA) Server or other reverse proxy in the
perimeter network is required.
The following table shows the specific directories used by the Web components for the Software
Update Service. We recommend configuring your HTTP reverse proxy to use all directories.
Table 2 Directories Used by Web Components Server
Directory Use
https://<external server The external URL to the Web
FQDN>/RequestHandler/ucdevice.upx Components Server running
Software Update Service
https://<ExternalFQDN>/sites/ucupdate The external URL for the SharePoint
server Update site
Note: This directory is not accessible
from the outside because it does not
allow anonymous access.
UC devices use a fully qualified path to
the specific update they require.
The detailed steps in this section describe how to configure an ISA 2006 server as a reverse proxy. If
you are using a different reverse proxy, consult the documentation for that product. If you already
have an ISA Server or another reverse proxy configured for external user access for Office
Communications Server, proceed to Request and Configure a Certificate for Your Reverse HTTP
Proxy.
Introduction 27
You can use the information in this section to set up ISA as the reverse proxy, which requires
completing the following procedures.
• Configure Network Adapters
• Install ISA Server 2006
• Request and Configure a Certificate for Your Reverse Proxy
• Configure Web Publishing Rules
• Verify or Configure Authentication
• Create a DNS Record
• Verify Access through Your Reverse Proxy
ISA Server uses Web publishing rules to securely publish internal resources, such as a meeting URL,
over the Internet. Publishing information to Internet users makes computing resources inside the
internal network available to users outside the network.
Configure Network Adapters
You must assign one or more IP addresses to the external network adapter and at least one IP address
to the internal network adapter. For information about deploying ISA Server with a single network
adapter, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at the
Microsoft TechNet Web site. This document also applies to ISA Server 2006.
In the following procedures, the ISA Server computer has two network adapters:
• A public, or external, network adapter, which is exposed to the clients that attempt to connect to
your Web site (usually over the Internet)
• A private, or internal, network interface, which is exposed to the internal Web servers to which
outside users connect
To configure the network adapter cards on the reverse proxy computer

1. On the server running ISA Server 2006, open Network Connections. Click Start, point to
Settings, and then click Network Connections.
2. Right-click the external network connection to be used for the external interface, and then click
Properties.
3. On the Properties page, click the General tab, click Internet Protocol (TCP/IP) in the This
connection uses the following items list, and then click Properties.
4. On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses and DNS
server addresses as appropriate for the network to which the network adapter is attached.
5. Click OK twice.
6. In the Network Connections dialog box, right-click the internal network connection to be used
for the internal interface, and then click Properties.
7. Repeat steps 3 through 5 to configure the internal network connection.
Install ISA Server 2006
• Install ISA Server 2006 according to setup instruction included with the product. For more
information about installing ISA Server, see Microsoft ISA Server 2006 - Getting Started at the
Microsoft TechNet Web site.
Note
After completing the ISA Server setup, a default access rule
denying traffic to all network resources is present. You need to
configure your firewall rules as defined in the previous
procedure to resolve this denial.
Request and Configure a Certificate for Your Reverse HTTP Proxy

The root CA certificate for the CA that issued the server certificate on the Web server (the IIS server
running your Office Communications Server Web Components) needs to be installed on the server
running ISA Server 2006. This certificate should match the published FQDN of the external Web
farm where you are hosting the Software Update Service (the external FQDN of the Web
Components r servers).
• You must install a Web server certificate on your ISA Server. This certificate should match the
published FQDN of your external Web farm where you are hosting the Software Update Service.
• If your internal deployment consists of more than one Standard Edition server or Enterprise
pool, you must configure Web publishing rules for each external Web farm FQDN.
Configure Web Publishing Rules
Use the following procedure to create Web publishing rules.
Note
This procedure assumes that ISA Server 2006 Standard Edition
is installed.
To create a Web server publishing rule on the ISA Server 2006 computer
1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server
Management.
2. In the left pane, expand ServerName, right-click Firewall Policy, point to New, and then click
Web Site Publishing Rule.
Introduction 29
3. On the Welcome to the New Web Publishing Rule page, enter a friendly name for the
publishing rule, and then click Next. For example, the name of the rule can be
OfficeCommunicationsWebDownloadsRule.
4. On the Select Rule Action page, select Allow, and then click Next.
5. On the Publishing Type page, select Publish a single Web site or load balancer, and then
click Next.
6. On the Server Connection Security page, select Use SSL to connect to the published Web
server or server farm, and then click Next.
7. On the Internal Publishing Details page, enter the FQDN of the internal Web farm that hosts
the Software Update Service in the Internal Site name box, and then click Next.
8. On the Internal Publishing Details page, enter /* as the path of the folder to be published in the
Path (optional) box, and then click Next.
Note
The ISA Server must be able to resolve the FQDN to the IP
address of the internal Web server. If the ISA Server is not able
to resolve the FQDN to the proper IP address, you can select
Use a computer name or IP address to connect to the
published server, and then enter the IP address of the
internal Web server in the Computer name or IP address
box. If you do this, you must ensure that the ISA Server has
port 53 opened and can reach an internal DNS server or a DNS
server that resides in the perimeter network.
• If your internal server is a Standard Edition, this FQDN is the Standard Edition server
FQDN.
• If your internal server is an Enterprise pool, this FQDN is the internal Web farm FQDN.
Note
In the Web site publishing wizard you can only specify one
path. Additional paths can be added by modifying the
properties of the rule.
9. On the Publish Name Details page, confirm that This domain name is selected for Accept
Requests for, type the external Web farm FQDN for the Software Update Service in the Public
Name box, and then click Next.
10. On the Select Web Listener page, click New to create a new Web listener.
11. On the Welcome to the New Web Listener Wizard page, type a name for the Web listener in
the Web listener name box, and then click Next. For example, type Web Servers.
12. On the Client Connection Security page, select Require SSL secured connections with
clients, and then click Next.
13. On the Web Listener IP Address page, select External, and then click Select IP Addresses.
14. On the External Listener IP selection page, select Specified IP address on the ISA Server
computer in the selected network, select the appropriate IP address, click Add, and then click
OK.
15. Click Next.
16. On the Listener SSL Certificates page, select Assign a certificate for each IP address, select
the IP address you just added, and then click Select Certificate.
17. On the Select Certificate page, select the certificate that matches the public name specified in
step 10, click Select, and then click Next.
18. On the Authentication Setting page, select No Authentication, and then click Next.
19. On the Single Sign On Setting page, click Next.
20. On the Completing the Web Listener Wizard page, review the Web listener settings, and then
click Finish.
21. Click Next.
22. On the Authentication Delegation page, select No delegation, but the client might authenticate
directly, and then click Next.
23. On the User Set page, click Next.
24. On the Completing the New Web Publishing Rule Wizard page, review the Web publishing
rule settings, and then click Finish.
25. In the details pane, click Apply to save the changes and update the configuration.
To create a Web server publishing rule on the ISA Server 2006 computer
for the SharePoint site
Management.
2. In the left pane, expand ServerName, right-click Firewall Policy, point to New, and then click
Web Site Publishing Rule.
3. On the Welcome to the New Web Publishing Rule page, enter a friendly name for the
publishing rule, and then click Next. For example, the name of the rule can be
OfficeCommunicationsWebDownloadsRule.
4. On the Select Rule Action page, select Allow, and then click Next.
5. On the Publishing Type page, select Publish a single Web site or load balancer, and then
click Next.
6. On the Server Connection Security page, select Use SSL to connect to the published Web
server or server farm, and then click Next.
Introduction 31
7. On the Internal Publishing Details page, enter the internal FQDN of the SharePoint Server
hosting the Software Update Service site in the Internal Site name box, and then click Next.
8. On the Internal Publishing Details page, enter /* as the path of the folder to be published in the
Path (optional) box, and then click Next.
Note
The ISA Server must be able to resolve the FQDN to the IP
address of the internal Web server. If the ISA Server is not able
to resolve the FQDN to the proper IP address, you can select
Use a computer name or IP address to connect to the
published server, and then in the Computer name or IP
address box, enter the IP address of the internal Web server.
If you do this, you must ensure that the ISA Server has port 53
opened and can reach an internal DNS server or a DNS server
that resides in the perimeter network.
Note
In the Web site publishing wizard you can only specify one
path. Additional paths can be added by modifying the
properties of the rule.
9. On the Publish Name Details page, confirm that This domain name is selected for Accept
Requests for, type the external FQDN for the SharePoint Server hosting the Software Update
Service site in the Public Name box, and then click Next.
10. On the Select Web Listener page, click New to create a new Web listener.
11. On the Welcome to the New Web Listener Wizard page, type a name for the Web listener in
the Web listener name box, and then click Next. For example, type Web Servers.
12. On the Client Connection Security page, select Require SSL secured connections with
clients, and then click Next.
13. On the Web Listener IP Address page, select External, and then click Select IP Addresses.
14. On the External Listener IP selection page, select Specified IP address on the ISA Server in
the selected network, select the appropriate IP address, click Add, and then click OK.
15. Click Next.
16. On the Listener SSL Certificates page, select Assign a certificate for each IP address, select
the IP address you just added, and then click Select Certificate.
17. On the Select Certificate page, select the certificate that matches the public name specified in
step 9, click Select, and then click Next.
18. On the Authentication Setting page, select No Authentication, and then click Next.
19. On the Single Sign On Setting page, click Next.

20. On the Completing the Web Listener Wizard page, review the Web listener settings, and then
click Finish.
21. Click Next.
22. On the Authentication Delegation page, select No delegation, but the client might authenticate
directly, and then click Next.
23. On the User Set page, click Next.
24. On the Completing the New Web Publishing Rule Wizard page, review the Web publishing
rule settings, and then click Finish.
25. In the details pane, click Apply in the details pane.
To modify the properties of the Web publishing rule
Management.
2. In the left pane, expand ServerName, and then click Firewall Policy.
3. In the details pane, right-click the secure Web server publishing rule that you created in the
previous procedure (for example, OfficeCommunicationsServerExternal Rule), and then click
Properties.
4. On the Properties page, click the From tab, and then:
• In the This rule applies to traffic from these sources list, click Anywhere, and then click
Remove.
• Click Add.
• In the Add Network Entities dialog box, expand Networks, click External, click Add, and
then click Close.
5. If you need to publish another path on the Web server, click the Paths tab.
6. Click Add, type /* for the path to be published, and then click OK.
7. Click Apply to save changes, and then click OK.
8. In the details pane, click Apply to save the changes and update the configuration.
Verify or Configure Authentication and Certification on IIS Virtual
Directories
Use the following procedure to configure certification on your IIS virtual directories or verify that
the certification is configured correctly.
To verify or configure authentication and certification on IIS virtual
directories
Note
Perform the following procedure on each IIS Server in your
internal Office Communications Server.
The following procedure is for the default Web site in IIS.
Introduction 33
1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet
Information Services (IIS) Manager.
2. Expand ServerName, and then expand Web Sites.
3. Right-click <default or selected> Web Site, and then click Properties.
4. On the Web Site tab, ensure that the port number is 443 in the SSL port box, and then click
OK.
5. On the Directory Security tab, click Server Certificate under Secure communications. This
opens the Welcome to the Web Server Certificate Wizard.
6. Click Next.
7. On the Server Certificate page, click Assign an existing certificate, and then click Next.
8. On the SSL Port page, ensure that the value is 443 in the SSL port this Web site should use
box, and then click Next.
9. On the Certificate Summary page, verify that settings are correct, and then click Next.
10. Click Finish.
11. Click OK to close the Default Web Site Properties dialog box.
Create a DNS Record
Create an external DNS A record that resolves the external Web farm FQDN to the external IP
address of the reverse proxy. The device uses this record to connect to the reverse proxy.
Verify Access through Your Reverse Proxy
Use the following procedure to verify that your users can access information on the reverse proxy.
You might need to complete the firewall configuration and DNS configuration before access works
correctly.
To verify that you can access the Web site through the Internet
1. Access your internal SharePoint Software Update Service site.
2. Under Updates, click UCPhone.
3. Select a vendor folder, select a model folder, select the hardware revision and software locale,
and then select the update type.
4. At the specific folder containing the update, right-click one of the update files, and then click
Properties.
5. In the Properties dialog box, copy the URL in the Address field, and then paste it into a
browser.
The URL looks similar to the following example.
http://<internalSharePointServerFQDN>/sites/UCUpdateServer/Updates/UCPhone/Poly
com/CX700/A/ENU/CPE/CPE.cat
6. Change internalSharePointFQDN to the external FQDN of the SharePoint Server, so your

URL appears as follows
http://<externalSharePointServerFQDN>/sites/UCUpdateServer/Updates/UCPhone/Poly
com/CX700/A/ENU/CPE/CPE.cat
7. From outside your intranet, open a browser and ensure you can access the URL.
Step 5 Upload a Cabinent File in the Management

Console (Optional)
If your organization is connected to Microsoft Update Service cab files containing metadata about
available updates, they are automatically downloaded to your Software Update Service. However, if
your organization chooses not to connect directly to the Microsoft Update Service, you can manually
upload a file to the Office Communications Server 2007 Software Update Service.
To upload a cab file
1. Log on to the Office Communications Server 2007 running the Software Update Service.
2. Open the URL https://<FQDN of a Web Components Server in the pool or your Standard
Edition server> /MgmtConsole/upload.aspx.
3. Access the UCUpdates.cab file using the Microsoft Web site
http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=OCSupdate. Extract the cabinet file to a
local directory.
4. Browse to the file, and then click Upload.
Step 6 Test Software Update Service

After you have configured your Software Update Service on Office Communications Server, you can
test the Software Update Service by adding a test device and using the audit logs to ensure that the
correct information is sent to the device.
Testing the Software Update Service involves the following three steps:
Step 6.1 Add a Test Device
Step 6.2 Restart your Device
Step 6.3 Verify the Audit Logs
Step 6.1 Add a Test Device
Use the following procedure to add a test device.
Introduction 35
To add a test device

1. Open the Management Console: Open a browser and type https://< <FQDN of a Web
Components Server in the pool or your Standard Edition server>/MgmtConsole/default.aspx.
2. Click the Test Devices tab.
3. Click Add a new test device.
4. Under Friendly name, enter a meaningful name for the device.
5. Under Type, select Mac Address or Serial Number.
6. Under Unique identifier, enter the Mac address or serial number.
7. Click Save.
Step 6.2 Restart Your Device
After you have configured the device as a test device, restart the device so that it logs in to the pool
or Standard Edition server and receive information about how to contact the Software Update
Service.
Step 6.3 Verify the Audit Logs
Use the following procedure to verify that the Software Update Service correctly connected with
your test device and sent valid information.
To verify the audit logs
1. Open the Update Site on your SharePoint Services: Open a browser and type http://<FQDN of
SharePoint Server>/sites/UCUpdateServer/default.aspx/.
2. Under Documents, click Logs.
3. On the Logs page, click the Server folder.
4. Click the Audit Folder.
5. Click the ImageUpdates Folder.
6. Open the current audit log.
7. Verify that you see responses similar to the following:
The following request does not receive a response from the server because the device is running
the current version. Reading these files is easier in Notepad with Word Wrap turned off.
09/04/2007 16:11:35,,10.35.46.89,UCPhone,9/4/2007 4:10:53
PM,"001B9E2CC7B4","1108009636","<Vendor>","<Model>","<Hardware
Revision>","<Software locale>",cpe.nbt;1.0.469.0;9/4/2007 6:07:42 PM,
The following request receives a response from the Software Update Service because the device
is running an older version.
Logging DateTime,User Name,User Host Address,Device Type,Request DateTime,Mac

Address,Serial
Number,Vendor,Model,Revision,Locale,Requested<FileName;Version;TimeStamp>[#
Seperated for Multiple],Response<FileName;Version;TimeStamp>[# Seperated for
Multiple]
09/04/2007 15:54:35,hosamk@microsoft.com,10.35.46.136,UCPhone,9/4/2007 3:53:54

PM,"001B9E2CC7DB","1108009675","<Vendor>","CPE","A","ENU",cpe.nbt;1.0.466.0;8/31
/2007 8:15:08 PM,
https://SharePointServer1.contoso.com/sites/ucupdateserver/Updates/UCPhone/<Vend
or>/<Model>/<Hardware Revision>/<Software Locale>/CPE/CPE.nbt;1.0.469.0;9/4/2007
6:07:42 PM
Appendix A: Troubleshooting
This appendix lists possible conditions or problems you might encounter and the recommended
resolutions.
Service Account Is Changed in Office

Communication Server
Use the following procedure if you change the name of the service account used the Web
components in Office Communications Server. The default service account name is
RTCComponentService.
1. If the Office Communications Server changes, execute the activation command.
2. Open a command prompt.
3. Move to the \Program Files\Microsoft Office Communications Server 2007\Web
Components\UC Device Updates\CommonFiles directory.
4. Type the following:
/InternalUpdatesStoreURL:https://<Internal
SharePointFQDN>/sites/ucupdateserver
ver

Introduction 37

/InternalUpdatesStoreURL:https://<internalSharePointFQDN>/sites/ucupdateser
ver
ver /user:RTCComponentService /Password:<password>
/ExternalWebfqdn:<External FQDN of Web farm
/guest:<RTCGuestAcccess User Account> /guestpassword:******
where:
• InternalUpdatesStoreURL is the internal URL used to access the SharePoint Update site
from inside the intranet.
• ExternalUpdatesStoreURL is the external URL link to the SharePoint Update site from
inside the intranet.
from outside the intranet.
Components Server is run. The default service account is RTCComponentService.
• guest is the guest user account used in Office Communications Server (the default account
is RTCGuestAccessUser) or it can be any domain user.
5. If the SharePoint Server changes, add the new account to the SharePoint site administrator.
Server Name and Port Changes

Office Communication Server Changes
Office Communication Server names change after installation of Office Communication Server.
Changing the FQDN of the Office Communications Server after deployment is not supported. If you
do recreate your server by changing the name, you must deactivate and uninstall Office
Communications Server.
By default, the port cannot be changed in the Office Communication Server. It always runs on
default port.
SharePoint Server Changes
Changing the SharePoint Server name after installing Windows SharePoint Server 3.0 is not
recommended.
If you change the port setting for a SharePoint site, use the following steps to update other settings:
1. The corresponding port changes should be updated in the Alternate Access Mapping.
2. Verify that the port has the correct certificate installed.
3. Update the URL details in the WMI entries.
Problems Creating the Update Site on SharePoint

Use the following section to troubleshoot problems creating the Software Update Service site on
SharePoint Server.
1. If the SharePoint Server changes, run Microsoft.RTC.UCServer.SharePointSetup.exe
<SharePoint servername> <SharePoint Central Admin Port number> <Admin UserID> <Admin
email alias> <password> <domain> <SharePoint port>.
Table 3: Command-Line Parameters
Argument Description
Servername The SharePoint Server name, for example
http://TanjayTestSPS.
SharePoint The TCP port in the SharePoint Central
Central Administration.
Administrator
Port number
Admin UserID The user ID of the administrator who can create
the SharePoint site.
Admin Email The e-mail alias for the administrator.
Password The administrator password.
Domain The domain on which the administrator account
resides.
SharePoint port The SharePoint port (TCP port of SharePoint – 80
site).
For example:
Microsoft.RTC.UCServer.SharePointSetup.exe http://SharePointServer1:28406 Admin
admin@contoso.com ******* corp.contoso.com 80
2. If you encounter a site creation error with Operation Time Out, run the same command and
during the setup process, choose option 2 to delete the partially created site.
Introduction 39
Problems Deleting a SharePoint Site

Use the following section to troubleshoot problems deleting a SharePoint site.
1. Open the SharePoint Central Administration Site.
2. Open the Application Management.
3. In SharePoint Web Application Management, click Delete Web Application .
4. Select the Web application that is not getting deleted, and then click Delete the Site.
5. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint
Products and Technologies Configuration Wizard.
6. Reconfigure the default settings.
7. After successfully deleting the site, try to recreate it.
8. If the site cannot be deleted, see SharePoint Services troubleshooting information.
Problems with Anonymous Access or Permissions on the

Document Library Folder
If you encounter problems with anonymous access to the SharePoint site or general problems
accessing Document Library or other folders on the SharePoint site, use the following steps to ensure
that anonymous access is enabled:
To grant anonymous users read access
1. Open the site at http://<servername>/sites/UCUpdateServer/default.aspx. For example,
2. Click Site Actions, and then click Site Settings.
3. On the Site Settings page, click Advanced Permissions under Users and Permissions.
4. On the Permissions page, click Anonymous Access in the Settings list.
5. On the Change Anonymous Access page, select Lists and Libraries under Anonymous users
can access, and then click OK.
6. On the Permissions: Updates Server page, click Documents.
7. On the All Site Content page, click Updates.

Introduction 41
8. On the Updates page, click Settings, and then click Document Library Settings.
9. On the Customize Updates page, click Permissions for this document library.
10. On the Permissions Updates page, click Settings, and then click Anonymous Access.
11. On the Change Anonymous Access Settings: Updates page, select the View Items check box,
and then click OK.
Introduction 43
Appendix B: Configuring RoundTable

for the Software Update Service
This appendix describes how to configure a Microsoft RoundTable device to use the Software
Update Service.
Before starting, make sure that you have a supported version of Office InfoPath installed: Office
InfoPath 2003 or Office InfoPath 2007.
To apply new settings to a Microsoft RoundTable device
1. In the %ProgramFiles%\Microsoft RoundTable\DeviceManagement\ directory, double-click
DeviceConfig.xsn to start the InfoPath form. The following figure shows a portion of this form.
2. After you change the settings to suit your particular installation, save the configuration (as
RTConfig.xml, for example) to the same directory as Rtmanage.exe. The section following this
procedure provides details of the InfoPath configuration form.
3. Open a command prompt, change the directory to %ProgramFiles%\Microsoft
RoundTable\DeviceManagement\, and then type the following command line.
Rtmanage.exe -m:img -i:config -f:RTConfig.xml
4. Check for any XML parsing errors by running this command.

Rtmanage.exe -m:cfg -q:cfgparseresult
5. If there are no errors, proceed to the next step. Otherwise fix the errors and repeat from step 3.
6. Restart the device by running this command line.
Rtmanage.exe -m:cfg -r
Table 1. Software Updates Settings
Field Description Factory default

Automatically update Selected or cleared. If this check box is Selected
using the image selected, automatic image updates are
Introduction 45
Field Description Factory default

update server enabled.
Exclude configuration Selected or cleared. If this check box is Cleared
file from automatic selected, the configuration file is
update excluded from automatic update.
Update time The time of the day at half-hour 3:30 A.M. local
intervals. time
Update interval Every day Every day
Every Sunday
Every Monday
Every Tuesday
Every Wednesday
Every Thursday
Every Friday
Every Saturday
Server The name of the update server. Ucupdates
Port The port for device-server 80
communication.
Uniform resource The URI path on the server with which (empty string)
identifier path to communicate.
Configuring Device Specifics Updates for RoundTable

Occasionally, an update may be required for a specific RoundTable device. Software Update Service
allows you to configure device specific updates for RoundTable so that these devices can identifier
themselves by their serial number and the Software Update Service can then send any specific
devices required.
To configure Software Update Service to send RoundTable device-specific
updates:
1. You must manually create a folder in the Updates Folder under the RoundTable folder on the
SharePoint site, called DeviceSpecificUpdates
2. For each deployed RoundTable in your organization, create a folder with the serial number of
the device.
3. When the RoundTable device connects to the Software Updates Service, the Software Updates
Service will send an updated configuration file or any other files for the device (if it is required).
4. The following shows an example of the configuration file. The portion in bold is specific to a
particular device.
<?xml version="1.0" encoding="UTF-8"?><?mso-infoPathSolution
solutionVersion="1.0.0.72" PIVersion="1.0.0.0"
name="urn:schemas-microsoft-com:office:infopath:DeviceConfig:http---www-
microsoft-com-RoundTable-DeviceManagement-RoundTable-
xsd" language="en-us" productVersion="12.0.0" ?><?mso-application

progid="InfoPath.Document"?><mstns:RoundTable
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:msdata="urn:schemas-microsoft-com:xml-msdata"
xmlns:mstns="http://www.microsoft.com/RoundTable/DeviceManagement/RoundTable.xs
d"
xmlns:xd="http://schemas.microsoft.com/office/infopath/2003">
<mstns:RoomSettings mstns:RoomName="Example" mstns:RoomSize="Medium"
mstns:TableSize="10'x5'" mstns:Lighting="Normal"
mstns:TextField1="" mstns:TextField2=""
mstns:TextField3=""></mstns:RoomSettings>
<mstns:NetworkSettings mstns:DeviceName="Example1"
mstns:DHCPEnabled="true" mstns:IPAddress="" mstns:SubnetMask=""
mstns:DefaultGateway="" mstns:PreferredDNSServer=""
mstns:AlternateDNSServer=""></mstns:NetworkSettings>
<mstns:TimeSettings mstns:TimeZone="Pacific Standard Time"
mstns:DaylightSaving="true"></mstns:TimeSettings>
<mstns:DisplaySettings mstns:DisplayLanguage="English"
mstns:ScreenSaverText=""></mstns:DisplaySettings>
<mstns:TelephonySettings mstns:PhoneNumber="" mstns:FlashTiming="700"
mstns:DialWithoutToneDetection="Off"></mstns:TelephonySettings>
<mstns:SoftwareUpdatesSettings mstns:UseAutoUpdate="true"
mstns:ExcludeConfig="false" mstns:UpdateTime="03:30:00"
mstns:UpdateInterval="Everyday"
mstns:Server="UpdateServer1.Domain1.Forest1.Contoso.com" mstns:Port="80"
mstns:Uri="/RequestHandler/ucdevice.upx"></mstns:SoftwareUpdatesSettings>
<mstns:LogSettings mstns:LogToServer="true" mstns:UploadTime="12:30:00"
mstns:UploadInterval="Every hour"
mstns:MaxLogSizeInMemory="1024"
mstns:Server="UpdateServer1.Domain1.Forest1.Contoso.com" mstns:Port="80"
Introduction 47
mstns:Uri="/RequestHandler/ucdevice.upx"></mstns:LogSettings>
<mstns:PowerManagementSettings
mstns:LCDBacklightOff="5"></mstns:PowerManagementSettings>
<mstns:AdvancedSettings
mstns:SpeakerDetectionAlgorithm="AudioVideoSpeakerSelection"
mstns:SpeakerSwitchingFrequency="Normal" mstns:WhiteBalanceSetting="Auto"
mstns:LightTemperature="4100K">
<mstns:DebugSettings mstns:AudioSetting="Off"
mstns:VideoSetting="Off" mstns:System="Off"
mstns:ExtendedProperties=""></mstns:DebugSettings>
</mstns:AdvancedSettings>
<mstns:SpeedDials>
<mstns:SpeedDial mstns:Name=""
</mstns:SpeedDials>
</mstns:RoundTable>
Appendix C: Manually Configuring the

URLs Used by the Software Update
Service
After installing the Software Update Service, if you need to change the URLs used by the Software
Update Service, you can modify the URLs in the following ways.
Update the SharePoint Update Site URL

To update the URL used by the SharePoint Update site, you can rerun the activation script and
update the InternalUPdatesStoreURL and the ExternalUpdatesStoreURL parameters to change the
SharePoint site URLs:
/InternalUpdatesStoreURL:https://<Internal SharePointFQDN>/sites/ucupdateserver
/ExternalUpdatesStoreURL:https://<externalSharePointFQDN>/sites/ucupdateserver


/InternalUpdatesStoreURL:https://<internalSharePointFQDN>/sites/ucupdateserver
/ExternalUpdatesStoreURL:https://<externalSharePointFQDN>/sites/ucupdateserver
/guest:<RTCGuestAcccess User Account> /guestpassword:******
where:
• InternalUpdatesStoreURL is the internal URL used to access the SharePoint Update site from
inside the intranet.
• ExternalUpdatesStoreURL is the external URL link to the SharePoint Update site from inside
the intranet. Use the following format: https://<ExternalFQDN>/sites/ucupdateserver.
from outside the intranet. Use the following format: https://<external server
FQDN>/RequestHandler/ucdevice.upx.
Components is run. The default service account is RTCComponentService.
• guest is the guest user account used in Office Communications Server (the default account is
RTCGuestAccessUser) or it can be any domain user.
Update the External Download URLs for the Software

Update Service
After you have deployed the Software Update Service, you cannot change the internal update URL
on the Software Update Service. The way you change the external URL varies depending on whether
you are updating the URL on a Standard Edition server or an Enterprise pool.
Update the External Update URL of the Software Update Service on
a Standard Edition Server
If you want to change the external update URL of the Software Update Service on a Standard Edition
server, you can rerun the activation script (documented in a previous section) and update the
ExternalWebfqdn parameter.
Update the External Update URL of the Software Update Service on
an Enterprise Pool
On an Enterprise pool, you can only update the external download URL and can only change the
download URLs using WMI.
Introduction 49
Use the following procedure to update the URLs external download URL, the internal download
URL, or the external download used by the SharePoint Update site.
To configure the external Web farm FQDN to the Software Update Service
1. Log on to an Enterprise Edition server hosting the Update Server. Use an account that is a
member of the RTCUniversalServerAdmins group or has equivalent privileges.
2. Click Start, click Run, type cmd in the Open box, and then click OK.
3. At the command prompt, type wbemtest.
4. Click Connect.
5. In the Namespace box, type root\cimv2, and then click Connect.
6. Click Query.
7. Select one of the following:
• On a Standard Edition server, type the following:
Select * from MSFT_SipUpdatesServerSetting where BackEnd="(local)\\rtc"
• On an Enterprise pool, type the following:

Select * from MSFT_SipUpdatesServerSetting where BackEnd=”SQL database
instance”
8. Click Apply.
9. Double-click the result returned.
10. In Object Edit, double-click the ExternalUpdatesDownloadURL property.
11. In the Value box, type the external URL used to connect with the Software Update Service using
the format https://<external server FQDN>/RequestHandler/ucdevice.upx.
12. Click Save Property.

13. Click Save Object.
14. Click Close.
15. Click Close again, and then click Exit to close wbemtest.

OCS UpdateServiceDeploy

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

OCS UpdateServiceDeploy

Hochgeladen von

Copyright:

Verfügbare Formate

Microsoft Office

® 2007 Microsoft Corporation. All rights reserved.

All other trademarks are property of their respective owners.

Step 1 Deploying the Software Update Service..................................................................................23

Overview of the Software Update

Components of the Software Update Service

How the Software Update Service Works

Sharepoint data Admin path

How Updates Are Uploaded and Managed within the Software

Scenarios for the Software Update

Introducing new models

Step 1 Create the SharePoint Default Site (if you

Step 2 Enable Anonymous User Access

4. On the Authentication Providers page, click Default.

Step 3 Configure Alternate Mapping Access

To configure alternate mapping access

4. On the Alternate Access Mappings page, click Add Internal URLs.

6. Click SharePoint – 80.

http://<SharePointServer fully qualified Name> (http URL with fully qualified

https://<SharePointServer fully qualified Name> (https URL with FQDN of the

Step 4 Install Files for the SharePoint Server

Step 5 Create the Software Update Services

Table 1 Command-Line Parameters

To verify that the SharePoint site is successfully created

Step 6 Grant Service Account Permissions to

To add the service account used

11. Click OK.

Step 7 Configure Certificates on the SharePoint

6. Click Server Certificate.

Deploying and Configuring the

Step 1 Deploying the Software Update Service

Installing the Software Update Service on Office Communications

• For an Enterprise pool

cscript ConfigUpdatesServer.vbs /Action:Activate

Step 2 Configuring Certificates on the Software

To configure a certificate on the Update Server

Step 3 Configure Kerberos on the Service Account

You should receive an output similar to the following.

Registering ServicePrincipalNames for CN=Admin,OU=Users,OU=all

5. Restart the IIS.

Step 4 Configure Your Reverse Proxy (For External

To configure the network adapter cards on the reverse proxy computer

Request and Configure a Certificate for Your Reverse HTTP Proxy

19. On the Single Sign On Setting page, click Next.

6. Change internalSharePointFQDN to the external FQDN of the SharePoint Server, so your

Step 5 Upload a Cabinent File in the Management

Step 6 Test Software Update Service

To add a test device

Logging DateTime,User Name,User Host Address,Device Type,Request DateTime,Mac

09/04/2007 15:54:35,hosamk@microsoft.com,10.35.46.136,UCPhone,9/4/2007 3:53:54

Service Account Is Changed in Office

• For an Enterprise pool

cscript ConfigUpdatesServer.vbs /Action:Activate

Server Name and Port Changes

Problems Creating the Update Site on SharePoint

Problems Deleting a SharePoint Site

Problems with Anonymous Access or Permissions on the

4. On the Permissions page, click Anonymous Access in the Settings list.

7. On the All Site Content page, click Updates.

Appendix B: Configuring RoundTable

4. Check for any XML parsing errors by running this command.

Table 1. Software Updates Settings

Field Description Factory default