Monday, March 9, 2009, 5:59 AM
Dear all,
I have searched some posts in this forum about UCC for OCS & Exchange, but I am still confused.
I already have one wildcard cert: *.domain.com. My Exchange external CAS FQDN is mail.domain.com, the OCS SIP FQDN is sip.domain.com, the WebConf FQDN is webconf.domain.com, and the CWA FQDN is ocsweb.domain.com. My Exchange is 2007 SP1 with Update Rollup 6 installed, and OCS is 2007 RTM.
I tried to use the Enable-ExchangeCertificate cmdlet to enable the POP3/IMAP4 services on the CAS using this wildcard cert, and it says: "WARNING: This certificate will not be used for external TLS connections with an FQDN of '*.domain.com' because
the self-signed certificate with thumbprint 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' takes precedence. The following connectors match that FQDN: POP3/IMAP4."
The weird thing is that the thumbprint that the message says will take precedence is actually the thumbprint of the wildcard cert, not the auto-generated self-signed cert. The wildcard cert is also not self-signed as the message says, and I verified this by looking at the "IsSelfSigned" attribute from the Get-ExchangeCertificate | fl command. Besides, I found there might be a problem when using a wildcard cert with ActiveSync.
OK, I know it's an OCS forum, so I just want to ignore the wildcard cert issue and purchase a new UCC for Exchange and OCS.
Below are some questions:
1. I want to use this cert on both the Exchange CAS role and the OCS Edge role servers. So which one should the subject name (common name) be assigned to?
Is it possible to use one of the above (1 cert in total) to make all my Exchange services (POP3/IMAP/SMTP/OWA/Office Anywhere/ActiveSync/Autodiscover) and OCS 2007 services run with no errors?
2. When generating the CSR, must the "Include client EKU in the certificate request" option and the "Automatically add local machine name to Subject Alt Name" option be checked?
3. Someone here said the OCS Web Conferencing Edge Server public interface needs a separate cert, and someone else said it is not necessary; which one is correct?
4. Does the order of the SANs matter? For example, which one (the subject name?) must be the first SAN?
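For question 1, here is an added example (not code from the thread) run in the Exchange 2007 Management Shell: it lists every certificate Exchange knows about, so the self-signed one and the CA-issued one can be told apart by thumbprint, then checks whether a CA-issued certificate's names cover every host name from the question and enables it for the CAS services. The coverage check goes a step beyond the question by applying the single-label wildcard rule, so it also explains why *.domain.com covers mail.domain.com but not a deeper name; the host list and the service assignment are assumptions taken from the question.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell.
# Host names are the ones from the question (assumed); adjust for your own domain.
$required = @(
    'mail.domain.com',          # OWA, ActiveSync, Outlook Anywhere, POP3/IMAP4, SMTP
    'autodiscover.domain.com',  # Autodiscover
    'sip.domain.com',           # OCS Access Edge
    'webconf.domain.com',       # OCS Web Conferencing Edge
    'ocsweb.domain.com'         # Communicator Web Access
)

# True when $hostName is covered by $pattern: an exact match, or a single-label
# wildcard (*.domain.com covers mail.domain.com, but not a.b.domain.com or domain.com).
function Test-NameCovered([string]$pattern, [string]$hostName) {
    if ($pattern -eq $hostName) { return $true }
    if ($pattern.StartsWith('*.')) {
        $suffix = $pattern.Substring(1)                      # ".domain.com"
        if (-not $hostName.EndsWith($suffix)) { return $false }
        $label = $hostName.Substring(0, $hostName.Length - $suffix.Length)
        return ($label.Length -gt 0) -and ($label -notmatch '\.')
    }
    return $false
}

# Inventory: thumbprint, self-signed or not, expiry, bound services, and the names on it.
Get-ExchangeCertificate | Format-Table Thumbprint, IsSelfSigned, NotAfter, Services, CertificateDomains

# Take the first CA-issued certificate that covers every required name and bind it.
foreach ($cert in (Get-ExchangeCertificate | Where-Object { -not $_.IsSelfSigned })) {
    $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
    $missing = $required | Where-Object {
        $h = $_
        -not ($names | Where-Object { Test-NameCovered $_ $h })
    }
    if ($missing) {
        "$($cert.Thumbprint) does not cover: $($missing -join ', ')"
    } else {
        "$($cert.Thumbprint) covers every required name; enabling it for IIS, POP, IMAP and SMTP"
        Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,POP,IMAP,SMTP"
        break
    }
}
```

Exchange only checks the names against its own certificate store, so the OCS names are in the list purely to confirm one UCC would carry every name before the same certificate is exported to the Edge server.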
Friday, March 13, 2009, 6:22 PM
You should use your internal CA to secure Exchange and OCS.
On your reverse proxy, use UCC certificates that support both your Exchange and OCS environments.
- Belgian Unified Communications Community : http://www.pro-exchange.be -
Monday, March 16, 2009, 4:01 AM
Thanks for your reply.
I purchased a new UCC, and all services seem to be running fine.