After much back and forth about Microsoft's requirement for ISA 2006 as a reverse proxy for address book publishing, I decided to try to find an alternative.
Of course, per the OCS deployment guidelines, a reverse proxy on ISA 2006 is the recommended solution, because it avoids allowing direct external access to the HTTPS server on your internal Front End server.
Here's how to do it using a regular NAT translation and opening 443 to your front end server.
- Change your group expansion URL using wbemtest (from here and here)
- Configure an external DNS name, a NAT translation to your OCS Front End, and allow TCP/443 inbound. I used ocsab.domainname.com as a convention for the name.
- Request a new FE certificate using the OCS certificate wizard that includes the existing names plus ocsab.domainname.com. If you are only supporting Access Edge remote connectivity from domain-joined PCs, you can still use your internal Enterprise PKI. If you want to support non-domain workstations, you have two choices: have them install your internal SSL chain locally, or send this certificate request to a third-party trusted Certificate Authority.
- Install the certificate and assign it in OCS. After doing this, you will likely need to restart your OCS services.
- Finally, in IIS Manager, you will need to select this new certificate as the certificate to be used for the Default Web Site. This is a critical step, as the OCS certificate wizard does NOT seem to change this for you.
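Once the steps above are done, the thing worth checking from the outside is that the name resolves, TCP/443 reaches the Front End through the NAT, and the certificate that IIS actually presents (the Default Web Site binding, not just the one assigned in OCS) covers ocsab.domainname.com and chains to a CA the client trusts. The following PowerShell script is an added example, not part of the original post or of OCS itself; it assumes the placeholder name ocsab.domainname.com from the post and should be run from a host that resolves the public DNS record.

```powershell
# Added example: verify the externally published address-book endpoint.
# Assumes the external name ocsab.domainname.com (placeholder from the post)
# and TCP/443 published through NAT to the OCS Front End.
param(
    [string]$ExternalName = 'ocsab.domainname.com',
    [int]$Port = 443
)

$result = @{
    Name         = $ExternalName
    Resolves     = $false
    TcpOpen      = $false
    Subject      = $null
    DnsNames     = @()
    NameCovered  = $false
    ChainTrusted = $false
    NotAfter     = $null
}

# 1. External DNS: the published name must resolve to the NAT'd public address.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($ExternalName)
    $result.Resolves = ($addrs.Count -gt 0)
} catch {
    Write-Warning "DNS lookup for $ExternalName failed: $_"
    return New-Object PSObject -Property $result
}

# 2. NAT / firewall: TCP/443 must reach the Front End.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ExternalName, $Port)
    $result.TcpOpen = $tcp.Connected
} catch {
    Write-Warning "TCP connect to ${ExternalName}:$Port failed: $_"
    return New-Object PSObject -Property $result
}

# 3. Certificate: capture whatever the site presents. The callback accepts the
#    certificate so it can be inspected; trust is evaluated separately below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors) return $true
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($ExternalName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    $result.Subject  = $cert.Subject
    $result.NotAfter = $cert.NotAfter

    # Collect the names the certificate is valid for: the subject CN plus any
    # DNS entries in the Subject Alternative Name extension (OID 2.5.29.17).
    # Format() output is locale dependent; "DNS Name=" is the English form.
    $names = @($cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $result.DnsNames    = $names | Sort-Object -Unique
    $result.NameCovered = ($result.DnsNames -contains $ExternalName)

    # Chain trust as seen by this machine. From a non-domain client this is
    # where an internal Enterprise PKI root that was never imported shows up.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $result.ChainTrusted = $chain.Build($cert)
} catch {
    Write-Warning "TLS handshake with $ExternalName failed: $_"
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

New-Object PSObject -Property $result
```

If NameCovered is false while OCS shows the new certificate assigned, the Default Web Site binding in IIS is still pointing at the old certificate, which is exactly the last step above. If ChainTrusted is false only on non-domain machines, the internal CA chain has not been installed there and the third-party CA option applies.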
Enjoy having External group expansion while sticking to your guns on your choice of firewall vendor.