Mino – The UC Guy

Microsoft Unified Communications Blog ( Link Development )

«
»

Single certificate for OCS/Exchange/ISA usage

Posted by Mino on July 7, 2009

Any Post starting with this disclaimer means that this post was not written by me however I have liked it and added to my blog. I am also including the link to the original or similar post to provide credit to the original author.

http://www.unifysquare.com/blog/post/Single-certificate-for-OCSExchange-firewall-usage.aspx

Internal certificates work wonders for your Active Directory Domain Services members. For Unified Communications, where OCS and Exchange are going to be using the same ISA 2006 server as the firewall, utilizing a Subject Alternative Name (SAN) certificate for your edge configuration and your ISA configuration can save you time, management hassles, and possibly provide cost savings as well. For internal servers, an internal PKI is just fine, but for the public interface of your system, you should most likely be looking at using a public-sourced key such as Go-Daddy, Thawte, DigiCert, etc. OCS Federation, remote users, and Public Instant Messaging Connectivity (PIC) demand public certificates.

The following table shows the SAN names needed on a certificate to support the base OCS and Exchange functions on ISA 2006 – and I imagine that this certificate construction will work just fine on many other firewalls as well. The table comes from my test domain; you should replace my test domain with your own domain name.

Obtain a public SAN (UCC) certificate from your favorite provider, import the certificate into your OCS Edge server and your ISA server computer account Trusted Root Certificate store and then you can use one certificate for all these uses. This approach leaves you with only the one certificate to manage and renew, or, if life treats you badly, move to a new server.

 

 

SAN Name

Usage

Notes

1

SIP.domain.com

OCS Edge Server

IM, Presence, Federation, PIC

2

webconf.domain.com

OCS Edge Server

Web Conferencing

3

AV.domain.com

OCS Edge Server

A/V

4

revproxy.domain.com

ISA Reverse Proxy

Web Components

5

CWA.domain.com

ISA Web Listener

Communicator Web Access

6

DOWNLOAD.CWA.domain.com

ISA Web Listener

CNAME for CWA desktop sharing

7

AS.CWA.domain.com

ISA Web Listener

CNAME for CWA desktop sharing

8

MAIL.domain.com

ISA publisher

Outlook Anywhere, OWA, POP, IMAP

9

AUTODISCOVER.domain.com

ISA Web Listener

Autodiscover for outlook and OCS.

This entry was posted on July 7, 2009 at 7:04 PM and is filed under A/V Edge Server, Certificates, Communicator Web Access, Consolidated Edge, Edge Server, Good Articles take from Other Blogs, OCS & Exchange07, OCS 2007 R2. Tagged: , , , , , , , , , , , , , , , , , , . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

6 Responses to “Single certificate for OCS/Exchange/ISA usage”

  1. richard said

    July 8, 2009 at 11:47 AM

    Hi Mino, just a quick question: didnt you notice issues with such a common certificate used by many services on many different machines?

    I mean on edge server, the OCS picks up automatically the FQDN from the certificate SN attribute, and simply ignores SAN attributes. So, the external FQDN for OCS services becomes the name that is visible in the certificate as SN. That is a serious problem, if OCS fqdns are in the SAN list, and not in the SN. In your example, you did not specify what was included as SN, but I assume in this scenario, the problem may appear also.

  2. Mino said

    July 8, 2009 at 12:04 PM

    Yes i totaly understand what you mean and thats why UCC certificate vendors give you Administration page on their website which gives you the option to reorder the names to chose from which of the SAN names would you like to have as your common name …then you can regenerate and download the certificate.
    this is all free of of charge and you can do it as many times as you want.

    I hope that answers your questions.

  3. richard said

    July 8, 2009 at 3:24 PM

    Regenerating the certificate results a brand new certificate in terms of new thumbprint, private key, publc key?

  4. Mino said

    July 8, 2009 at 3:27 PM

    no no , just re-ordering of the names with the same thumbprint, private key and public key.

    take a look at DigiCert site below and see more information
    http://www.digicert.com/unified-communications-ssl-tls.htm

  5. Scott said

    August 13, 2009 at 11:48 PM

    Is there any problem with using a wildcard certificate?
    Our company currently uses one for most of our external addresses.

    Right now I’m only setting up an Edge server for testing purposes. The biggest problem I’m having is getting my certs straightened out. Very confusing. So at this point I’m unable to connect to the Edge server from an external client.

    Thanks

  6. Mino said

    August 15, 2009 at 10:39 PM

    Dear Scott,

    I believe WildCard Certificate is not supported for OCS Edge and will not work when you try to use it because if you checked the certifcate SN u will find it named as *.yourdmain.com , however the Edge Configuration will be looking for the FQDN of the service name in the certificate . For example sip.yourdomain.com and Webconf.yourdomain.com and AV.yourdomain.com

    so that’s why Wild Card will not work

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

«
»