Posted by Mino on July 7, 2009
Any post starting with this disclaimer means that the post was not written by me; however, I liked it and added it to my blog. I am also including the link to the original or a similar post to give credit to the original author.
http://www.unifysquare.com/blog/post/Single-certificate-for-OCSExchange-firewall-usage.aspx
Internal certificates work wonders for your Active Directory Domain Services members. For Unified Communications, where OCS and Exchange are going to use the same ISA 2006 server as the firewall, using a single Subject Alternative Name (SAN) certificate for both your Edge configuration and your ISA configuration can save you time and management hassle, and possibly money as well. For internal servers an internal PKI is just fine, but for the public interface of your system you should most likely be looking at a certificate from a public CA such as GoDaddy, Thawte, or DigiCert. OCS Federation, remote users, and Public Instant Messaging Connectivity (PIC) demand public certificates.
The following table shows the SAN names needed on one certificate to support the base OCS and Exchange functions on ISA 2006 – and I imagine that this certificate construction will work just fine on many other firewalls as well. The table comes from my test domain; replace domain.com with your own domain name.
Obtain a public SAN (UCC) certificate from your favorite provider, import the certificate into your OCS Edge server and into your ISA server's computer account Trusted Root Certificate store, and you can then use one certificate for all of these uses. This approach leaves you with only one certificate to manage and renew or, if life treats you badly, to move to a new server.
| # | SAN Name | Usage | Notes |
|---|---|---|---|
| 1 | SIP.domain.com | OCS Edge Server | IM, Presence, Federation, PIC |
| 2 | webconf.domain.com | OCS Edge Server | Web Conferencing |
| 3 | AV.domain.com | OCS Edge Server | A/V |
| 4 | revproxy.domain.com | ISA Reverse Proxy | Web Components |
| 5 | CWA.domain.com | ISA Web Listener | Communicator Web Access |
| 6 | DOWNLOAD.CWA.domain.com | ISA Web Listener | CNAME for CWA desktop sharing |
| 7 | AS.CWA.domain.com | ISA Web Listener | CNAME for CWA desktop sharing |
| 8 | MAIL.domain.com | ISA publisher | Outlook Anywhere, OWA, POP, IMAP |
| 9 | AUTODISCOVER.domain.com | ISA Web Listener | Autodiscover for Outlook and OCS |
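To confirm that a purchased UCC certificate really carries all nine names before it goes onto the Edge and ISA servers, here is an added example (not from this post or the Unify Square blog) that reads the SAN line from `openssl x509 -noout -text` output and reports which names are missing; it also shows why a `*.domain.com` wildcard would not cover rows 6 and 7. All function and constant names are mine.

```python
"""Check that one SAN (UCC) certificate covers every name in the table above.
Added example, not from the post; the host names are the table's, applied to
whatever domain you pass in place of the post's placeholder domain.com."""
import re

# The nine SAN hosts from the table.  The table mixes upper and lower case;
# DNS names in certificates compare case-insensitively, so lower case is used.
REQUIRED_HOSTS = ["sip", "webconf", "av", "revproxy", "cwa",
                  "download.cwa", "as.cwa", "mail", "autodiscover"]

def required_names(domain):
    """Expand the table's SAN list for a real domain."""
    return [f"{host}.{domain}" for host in REQUIRED_HOSTS]

def parse_openssl_sans(text):
    """Pull the DNS entries out of the 'X509v3 Subject Alternative Name' line
    of `openssl x509 -noout -text` output."""
    match = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    if not match:
        return []
    return [entry.split(":", 1)[1].strip()
            for entry in match.group(1).split(",")
            if entry.strip().startswith("DNS:")]

def san_matches(san, hostname):
    """Match one SAN entry against a name: case-insensitive, and a wildcard
    may only stand for the whole leftmost label, so *.domain.com does not
    cover download.cwa.domain.com (rows 6 and 7 need explicit entries)."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == san[2:]
    return san == hostname

def missing_names(sans, domain):
    """Return the required names no SAN entry on the certificate covers;
    an empty list means the certificate serves all nine uses."""
    return [name for name in required_names(domain)
            if not any(san_matches(san, name) for san in sans)]

if __name__ == "__main__":
    # Constructed sample of an openssl text dump with several names left out.
    sample = ("X509v3 Subject Alternative Name:\n"
              "    DNS:sip.example.test, DNS:webconf.example.test, "
              "DNS:av.example.test, DNS:mail.example.test\n")
    print(missing_names(parse_openssl_sans(sample), "example.test"))
```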
Posted by Mino on July 6, 2009
This is a case I faced right after the MVP award thing; it proves one thing to me: you will always keep learning until the last minute of your life, whether you are a Ranger, an MVP, or even one of the product team themselves.
OK, here is the case: I have a pilot in an isolated environment where I have deployed 3 machines (AD + CA + Exchange, OCS Front End, OCS Mediation), and the users are in another, production environment, planning to test OC locally from their computers, which are joined to the production domain, not the pilot one.
I have everything configured fine: hosts file edited correctly, certificate chain imported, and Communicator is able to log in correctly with no problem. All of a sudden, none of the Vista machines are able to download the address book or retrieve Outlook free/busy information. However, XP machines are working smoothly with no problem.
OK... then we think logically: what is common between Address Book and Exchange Free/Busy? Both are web services retrieved through HTTPS, so it has to be an IE problem.
After some Googling I found the solution on the UC No Evil blog, where he describes in detail the troubleshooting steps he took; in the end it turned out to be the IE setting "Check for server certificate revocation", along with disabling Windows Vista User Account Control.
Below are the detailed steps as described on that blog:
1. Make sure this symptom is the same on all of your Vista clients.
2. Flush DNS by using ipconfig /flushdns on the client.
3. Verify within IE that "Check for server certificate revocation" is disabled. To do this go to IE > Advanced > Security section > "Check for server certificate revocation" and deselect the check box.
4. Now close Internet Explorer and close Communicator (completely: sign out and close the application).
5. Start Communicator and sign in.
6. If you're not presented with an error or the warning stating an issue accessing the Address Book, go to %userprofile%\Local Settings\Application data\Microsoft\Communicator and verify that a GalContacts.db file exists. If it does exist, GREAT! You're done. If not, continue with the rest of the procedure.
7. Within IE, add the Address Book URL from which users will download the AB files: IE > Internet Options > Security > Trusted Sites > add the URL to trusted sites (e.g. https://ocsfrontend.company.com).
8. Repeat steps 4-6.
9. If you still cannot download the address book, move to step 10.
10. Verify that User Account Control is off and then repeat steps 4-6.
Some good technical details on this issue are also available here on the Microsoft Forums.
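Before turning off the revocation check in step 3, a practitioner would want to know which CRL distribution point (CDP) the Vista client is failing to fetch; the added example below (mine, not from either blog) lists the CDPs in an `openssl x509 -noout -text` dump of the pilot certificate and tests which of them the client can download. It assumes the failure comes from a CDP the production clients cannot reach, for instance a pilot CA host name absent from their hosts file, which the post itself does not establish; the function names are mine.

```python
"""List the CRL distribution points (CDPs) a certificate advertises and check
which of them this client can actually fetch.  Added example, not from either
blog; it assumes the Vista failure stems from a CDP the production clients
cannot reach (for instance a pilot CA name absent from their hosts file),
which the post itself does not establish."""
import re
import urllib.error
import urllib.request

def parse_crl_uris(openssl_text):
    """Collect the URI: entries under 'X509v3 CRL Distribution Points' in
    `openssl x509 -noout -text` output, ignoring URIs of other extensions."""
    uris, in_cdp = [], False
    for line in openssl_text.splitlines():
        if "CRL Distribution Points" in line:
            in_cdp = True
            continue
        if re.match(r"\s*(X509v3|Authority|Netscape|Signature)", line):
            in_cdp = False          # next extension or signature: section over
        if in_cdp:
            uris += re.findall(r"URI:(\S+)", line)
    return uris

def fetch_cdp(uri, timeout=5):
    """Try to download one CDP; returns (uri, ok, detail).  Only HTTP CDPs are
    fetchable from a client outside the CA's forest; LDAP ones need AD access."""
    if not uri.lower().startswith("http"):
        return (uri, False, "non-HTTP CDP, unusable from a foreign domain")
    try:
        with urllib.request.urlopen(uri, timeout=timeout) as resp:
            return (uri, resp.status == 200, f"HTTP {resp.status}")
    except (urllib.error.URLError, OSError) as exc:
        return (uri, False, str(exc))

def unreachable_cdps(openssl_text, fetch=fetch_cdp):
    """Return the CDPs that could not be fetched.  An empty list means the
    revocation check has what it needs and the IE setting can stay enabled."""
    return [result for result in (fetch(uri) for uri in parse_crl_uris(openssl_text))
            if not result[1]]

if __name__ == "__main__":
    # Constructed dump: an LDAP-only CDP, typical of an internal pilot CA.
    sample = ("X509v3 CRL Distribution Points:\n    Full Name:\n"
              "      URI:ldap:///CN=Pilot%20CA,CN=CDP?certificateRevocationList\n")
    print(unreachable_cdps(sample))
```

Run it on the client that fails, against the dump of the Front End certificate, so the test goes through the same name resolution and network path the Vista machine uses.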
Posted by Mino on July 2, 2009
First of all, I am Egyptian and proud to be.
We have the Pharaohs' belief in our blood that simply nothing is impossible and the sky is always the limit.
Yesterday at 1 AM I received the congratulations e-mail for the award of 2009 MVP in Unified Communications.
That really felt so awesome, especially as I remembered that 10 years ago I had the dream of achieving an MCP certificate and holding a Microsoft card in my hands; later I wished to have direct communication with the Microsoft guys, and later still I wished to have my own blog and to actually have something useful to write in it.
That MVP dream came to my mind last year, and I thought about how far away it could be. Today I have achieved this dream and I am very happy with it; I owe it to God, who has always been taking care of me and giving me all the good things.
Thanks... Like Kaka says: I Belong To Jesus
