Device Update Service

To assist you in your deployment planning, this topic provides the following information about Device Update Service:

  • Required components
  • Scaling considerations
  • Technical prerequisites
  • Deployment steps

Required Components

This section describes the technologies and components required to deploy Device Update Service.

Servers

During Office Communications Server 2007 R2 installation, Device Update Service is automatically installed on all servers running the Web Components Server role. You do not need to plan for additional servers to support Device Update Service.

Device Update File Storage

Device Update Service uses a number of files that must be stored on a file system. The location is different, depending on which edition of Office Communications Server 2007 R2 you are running.

  • Office Communications Server 2007 R2 Enterprise Edition. Before running the Create Enterprise Pool wizard during deployment, you must create a shared folder for both client and device update files. Device Update Service creates folders within this shared folder in which to store update image files, log files, and configuration files. The shared folder will also be used by Office Communications Server for storing Office Communicator update files. During installation you will need to provide the UNC path of this folder.
  • Office Communications Server 2007 R2 Standard Edition. The installer automatically creates the DeviceUpdateFiles folder in the Web Components folder under the Office Communications Server 2007 R2 installation folder on the local computer. This folder is not shared, and it inherits the permissions of the installation folder. Device Update Service creates folders within the DeviceUpdateFiles folder in which to store update image files, log files, and configuration files.

Two virtual directories in Internet Information Services (IIS) refer to these folders:

  • The DeviceUpdateFiles_int virtual directory points internal devices to the updates folder.
  • The DeviceUpdateFiles_ext virtual directory points external devices to the updates folder.

For details about the virtual directories created for Office Communications Server 2007 R2, see Internet Information Services (IIS) Requirements.

Security

Device Update Service uses the authentication configured for the Web Components Server, so you do not need to take any additional steps to secure Device Update Service unless you are migrating external Communicator Phone Edition devices from the previous version, Office Communications Server 2007. In that case, there are additional security configuration tasks to perform. For details, see the Office Communications Server migration content. For details about performing the configuration for the Web Components Server, see Configure the Web Components Server IIS Certificate.

DNS Records

Communicator Phone Edition devices typically receive information about the pool or Standard Edition server hosting Device Update Service through in-band provisioning, when a user logs into that device. If a user has never logged into that device, however, the device uses DNS to discover the server hosting Device Update Service and obtain updates. RoundTable devices also use a DNS record to discover and connect to Device Update Service. To enable this discovery, you must create an internal DNS record. For details, see DNS Requirements for Servers.

If you plan to allow devices outside your organization’s firewall to access Device Update Service and obtain updates, you must also configure an external DNS record. For details, see DNS Requirements for External User Access.

External Device Access

If unified communications (UC) devices will be used outside of your corporate network, and you want to enable the devices to automatically update, the following prerequisites are required:

  • A supported edge topology must exist in your perimeter network.
  • A reverse proxy must be implemented in your perimeter network.
  • Remote user access must be enabled for users of UC devices.

For details about these requirements, see External User Access Components. For details about the specific configuration steps required to allow access for external devices, see “Configure External Access for Devices” later in this topic.

Technical Prerequisites

This section covers the technical prerequisites for Device Update Service to function correctly in your environment.

Configure Security Accounts

Device Update Service administrators must be members of the RTCUniversalServerAdmins security group.

Create the Shared Updates Folder

Device Update Service is automatically installed on all servers running the Office Communications Server 2007 R2 Web Components Server role. You do not need to take any specific installation steps.

As described previously, with Office Communications Server 2007 R2 Enterprise Edition, prior to installation you must create a file share that will be used to store both the device update files and the client update files. You will be asked to provide the UNC path of this share when using the Enterprise Pool deployment tool. For details, see Create the Pool. The installer sets the following discretionary access control list (DACL) on the share.

Table 1. DACL on the Shared Updates Folder and Subfolders

Security account                Permissions
RTCUniversalServerAdmins        Read/Write
RTCHSUniversalServices          Read-only
RTCUniversalGuestAccessGroup    Read-only

With Office Communications Server 2007 R2 Standard Edition, creating a shared folder is not necessary, because the device update files, log files, and configuration files are stored on the local computer in a folder named DeviceUpdateFiles found in the Web Components folder under the installation folder. The default path is %ProgramFiles%\Microsoft Office Communicator 2007 R2\Web Components\DeviceUpdateFiles. The installer sets the following DACL on DeviceUpdateFiles and its subfolders.

Table 2. DACL on the DeviceUpdateFiles Folder and Subfolders

Security account                           Permissions
TERMINAL SERVER USER                       Modify
CREATOR OWNER                              Full Control
SYSTEM                                     Full Control
Administrators [FRONTEND\Administrators]   Full Control
Power Users [FRONTEND\Power user]          Modify
Users [FRONTEND\Users]                     Read and Execute
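
The DACLs listed in Table 1 and Table 2 can be audited after installation so that unexpected write access to the update files is noticed. The following PowerShell is an added example, not part of the original topic or of Office Communications Server; the function name Test-UpdateFolderDacl, the CONTOSO sample entries, and the reduction of the tables' permission names to a write-allowed/read-only split are assumptions.

```powershell
# Added example (not from the original topic): audit allow ACEs against Tables 1 and 2.
$Rights = [System.Security.AccessControl.FileSystemRights]
# Table 1 (Enterprise Edition share). Assumption: "Read-only" means no write-class rights.
$Table1 = @{ 'RTCUniversalServerAdmins' = 'WriteAllowed'; 'RTCHSUniversalServices' = 'ReadOnly'
             'RTCUniversalGuestAccessGroup' = 'ReadOnly' }
# Table 2 (Standard Edition DeviceUpdateFiles). Modify and Full Control both permit writes.
$Table2 = @{ 'TERMINAL SERVER USER' = 'WriteAllowed'; 'CREATOR OWNER' = 'WriteAllowed'
             'SYSTEM' = 'WriteAllowed'; 'Administrators' = 'WriteAllowed'
             'Power Users' = 'WriteAllowed'; 'Users' = 'ReadOnly' }
# Rights that let a principal alter or replace update images, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$WriteMask = [int]($Rights::Write -bor $Rights::Delete -bor
                   $Rights::DeleteSubdirectoriesAndFiles -bor
                   $Rights::ChangePermissions -bor $Rights::TakeOwnership) -bor 0x50000000

function Test-UpdateFolderDacl {
    param([object[]]$Aces, [hashtable]$Expected)
    $seen = @{}
    foreach ($ace in $Aces) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        # Drop the DOMAIN\ prefix so the group names in the tables match.
        $name = ("$($ace.IdentityReference)" -split '\\')[-1]
        $bits = [int][System.Security.AccessControl.FileSystemRights]$ace.FileSystemRights
        $canWrite = ($bits -band $WriteMask) -ne 0
        $seen[$name] = $true
        if (-not $Expected.ContainsKey($name)) {
            "REVIEW  $name is not in the expected table (write access: $canWrite)"
        } elseif ($Expected[$name] -eq 'ReadOnly' -and $canWrite) {
            "FAIL    $name should be read-only but holds: $($ace.FileSystemRights)"
        } else {
            "OK      $name"
        }
    }
    foreach ($name in $Expected.Keys) {
        if (-not $seen.ContainsKey($name)) { "MISSING $name has no allow ACE" }
    }
}

# Constructed sample ACEs. On a server, pass (Get-Acl -Path $folder).Access instead.
$sample = @(
    @('CONTOSO\RTCUniversalServerAdmins',     'Read, Write, Synchronize'),
    @('CONTOSO\RTCHSUniversalServices',       'ReadAndExecute, Synchronize'),
    @('CONTOSO\RTCUniversalGuestAccessGroup', 'Modify, Synchronize'),
    @('BUILTIN\Users',                        'ReadAndExecute, Synchronize')
) | ForEach-Object { [pscustomobject]@{ IdentityReference = $_[0]
        FileSystemRights = $_[1]; AccessControlType = 'Allow' } }
Test-UpdateFolderDacl -Aces $sample -Expected $Table1
```

Get-Acl reads the NTFS DACL only; share-level permissions on the Enterprise Edition share are a separate setting and are not covered by this check.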

Configure External Access for Devices

If you plan to give external users access to Office Communications Server features, including enabling UC devices to use Device Update Service for automatic updates while working outside your firewalls, you must take additional deployment steps, as described in this section. Otherwise, you will need to update your UC devices manually.

Deploy Edge Servers

Edge Server is a server role in Office Communications Server that enables users outside of your firewall to access Office Communications Server 2007 R2 features. To deploy Edge Servers, follow the instructions in Deploying Edge Servers for External User Access, taking the following steps specifically to enable external access to Device Update Service:

  • In the Configure a Reverse Proxy step, you must configure the reverse HTTP proxy to use the following Device Update Service virtual directories:
    • The external URL of the Web Components Server: https://<external Server FQDN>/RequestHandlerExt/ucdevice.upx
    • The external URL for the Update site: https://<external Server FQDN>/DeviceUpdateFiles_Ext
  • In the Configure DNS step, you must create a DNS A (host) record with the name ucupdates-r2.<SIP domain> that resolves to the IP address of the Enterprise pool or Standard Edition server hosting Device Update Service.
  • You may need to take steps to enable external Communicator Phone Edition devices from the previous version of Office Communications Server 2007 to update to the current version of the firmware. For details, see the Office Communications Server migration content.

Configure Certificates

Security is implemented through certificates and Kerberos authentication. Device Update Service makes use of the Web Components Server security infrastructure. A public key infrastructure (PKI) must already be in place, and devices must be configured with a valid certificate issued from a public CA (recommended) or a private CA that allows the devices to connect to Device Update Service from outside the intranet.

Configure IPsec

If your organization uses IPsec, it must be configured to run in boundary or request mode.

Deployment Steps

This section lists the steps to take to deploy Device Update Service on Office Communications Server 2007 R2 Standard Edition and Enterprise Edition. Details on the requirements for each step are covered earlier, in “Technical Prerequisites.”

Deploy Device Update Service on Standard Edition

  1. If you plan to allow external devices to obtain updates, verify that you have taken the steps described earlier, in “Configure External Access for Devices.”
  2. Install Office Communications Server 2007 R2, as described in Deploy a Standard Edition Server [2007 R2].
  3. Add Device Update Service administrators to the RTCUniversalServerAdmins security group in Active Directory Domain Services (AD DS).
  4. If you have enabled access by external devices, follow the procedure in “Verifying External Device Access” in the Office Communications Server operations content to ensure that devices will be able to connect to Device Update Service from outside the firewall.

For details about configuring Device Update Service and managing updates, see “Administering Device Update Service” in the Office Communications Server operations content.

Deploy Device Update Service on Enterprise Edition

  1. If you plan to allow external devices to obtain updates, verify that you have taken the steps described earlier, in “Configure External Access for Devices.”
  2. Create a shared folder to store both client and device update files, making a note of the UNC path, which you must provide when running the Create Enterprise Pools wizard.
  3. When running the Create Enterprise Pools wizard, as described in Create the Pool, on the Specify Locations of Miscellaneous Server Stores page, provide the remote UNC path of the shared folder in the Client Update Data Store box.
  4. Add Device Update Service administrators to the RTCUniversalServerAdmins security group in Active Directory Domain Services.
  5. If you have enabled access by external devices, follow the procedure in “Verifying External Device Access” in the Office Communications Server operations content to ensure that devices will be able to connect to Device Update Service from outside the firewall.

For details about configuring Device Update Service and managing updates, see “Administering Device Update Service” in the Office Communications Server operations content.