Edge server cert: can I use the same cert with the OCS SE server?

  • Question

  • I'm in the process of deploying my Edge server... can I use the same certificate for the internal interface as the OCS SE cert?
    What about the external interface? How many certificates do I require for the Edge server deployment?

    Wednesday, June 11, 2008 9:16 AM

All replies

  • If you are generating certificates from an internal CA it's best to use different certificates for the internal Edge and SE server, though theoretically you could use the same one as long as all the names you need are in the subject alternative name of the certificate. Typically you have at least 3 certificates in a 2-server deployment (consolidated Edge + SE server):

    - External Edge (from a public CA vendor like Entrust, Verisign, Thawte, etc.)
    - Internal Edge (from your internal CA)
    - SE (from your internal CA)
    Wednesday, June 11, 2008 2:04 PM
  •  rambo888 wrote:
    how many certificate do i require for the edge server deployment?



    You can find a breakdown of the Edge Server certificate requirements in the latter part of this blog: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=19

    Wednesday, June 11, 2008 3:15 PM
  • I guess it depends on your Edge Server.

    1) Cert (Public CA) for IM  (ExtIM.xxx.com)

    2) Cert (Public CA) for Web Conferencing  (ExtWeb.xxx.com)

    3) Cert (Internal CA) for Internal interface (servername.xxx.internal)


    If you have a separate Edge server for A/V, then you would need (2) certs - one for the A/V and one for the Web/IM server.   (That is where InAV.xxx.internal, InIM.xxx.internal from the MS documentation is more useful..)


    You also need one for your reverse proxy server (for ABS / Conf / etc. access), from a Public CA.


    You also need to get one that supports SAN (subject alternative names) for your ext. interface if you have multiple SIP domains, or want to use the "sip.xxx.com" for your clients as a fallback if the client can't resolve _sip_tls.xxx.com (your SRV record you should have) for some reason.


    See the following for more info on which Public CAs support SANs.


    Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007





    - Steve

    Wednesday, June 11, 2008 3:22 PM
  • (Off topic) Steven, I worked with a Steve Hahn back in 1998-99 in Schaumburg, IL at a software development firm. It's a longshot...
    Wednesday, June 11, 2008 3:49 PM
  • Firstly, thanks for the answers :)

    1. If I want to use my OCS Edge server for my company staff who reside in different offices (different locations which are connected via broadband), does it mean that I can use the same certificate for my OCS Edge & OCS SE? Am I right?

    2. But if I want to extend to public IM, I need a public CA cert?

    3. What is the function of the external & internal interface?
    Wednesday, June 11, 2008 4:03 PM
  • Different one.  :-)    (I'm the one who worked for Microsoft from 1993-2005, in Charlotte NC)


    Have read your web page on the subject though..nice blog post.




    - Steve



    Wednesday, June 11, 2008 4:04 PM

  • Well, Edge servers are for external communications - to people outside your internal network.  (Like from home...)


    If you have other offices that have access to your internal CA, then they should be OK using an internal cert.  (Have to be able to access the CA for certificate revocation checking).


    I would rather just get a Public cert for both - and not have to put the cert. authority cert on my remote computers too...just too much work otherwise. 


    Internal interface - used to talk TLS to Front End Servers / Mediation Servers / etc.   Route for external users.

    External Interface - used to talk to Clients (TLS as well).    Edge also prevents your internal OCS server from getting hammered by requests from the outside (Security feature)


    Technically, you could open up your firewall and not use an Edge server at all if you really wanted, if you don't care about security.   ;-)




    - Steve




    Wednesday, June 11, 2008 4:19 PM
  • Yeah, great answers :)

    Okay... for my deployment...

    For internal I use IP address 10.x.x.x

    For external I use IP address 172.x.x.x (which will reside in the DMZ zone)

    For the reverse proxy, I have mapped the public IP address to the external interface (172.x.x.x). Is this the correct config?

    From your answer, it seems that I can use the same cert as the OCS SE for remote workers... am I right?

    You guys are great!!!...

    P.S.: I'm watching Euro 2008 now... Czech vs Portugal :)
    Wednesday, June 11, 2008 5:17 PM

  • Reverse Proxy


    - Listens on port 443, for external DNS name you are using (external web farm FQDN)

    - Certificate on the reverse proxy matches the external web farm FQDN


    In the proxy setup, you point it to your internal Front End.


    The ISA server (or whatever you use) has to resolve the name of your Front End (or pool), and the cert on the Front End needs to match this.  (Or if you are using SAN, it must match the secondary name..)


    So unless you can use the same certificate externally as internally, you are pretty much resigned to the fact that you need 2 certificates.   You can create a SAN cert with both names on it and give it a try.

    You also need to open your ports to the CRL list if you have an internal CA, if you plan on using an internal cert.  And you will have to make sure external clients have the cert chain for this to work correctly.   Again - why do this when you can just buy a public cert and be done with it.






    - Steve

    Wednesday, June 11, 2008 5:36 PM
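    Worked example, added here and not code from the thread or from Microsoft: a small Python planner that assembles the certificate list Steve describes in his two posts above (one cert per role, sip.<domain> fallback names on the Access Edge cert for each SIP domain, a public cert on the reverse proxy for the external web farm name, and an internal-CA cert on the Front End matching the name the proxy resolves) and then checks whether the subject/SAN names of a given certificate actually cover a role. The role labels, function names and every FQDN are my own constructed placeholders in the xxx.com / xxx.internal style used in the thread; the wildcard rule is the usual one TLS clients apply, not something stated in the thread.

```python
"""Certificate planner and name-coverage checker for an OCS 2007 Edge deployment.

Added example (not from the thread). Encodes the rule discussed in the posts above:
every name a peer connects to must appear in the subject or SAN of the certificate
that server presents, so the Edge, reverse proxy and Front End each need a cert
that carries their own name(s), or one SAN cert that carries all of them.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class CertRequirement:
    role: str     # which server / interface presents the certificate (labels are my own)
    ca: str       # "public" (outside clients cannot trust an internal CA) or "internal"
    names: tuple  # every FQDN the certificate must cover (subject CN plus SAN entries)


def plan_certificates(
    sip_domains: Sequence[str],
    access_edge_fqdn: str,
    webconf_edge_fqdn: str,
    edge_internal_fqdn: str,
    external_web_farm_fqdn: str,
    front_end_fqdn: str,
    av_edge_fqdn: Optional[str] = None,
    av_internal_fqdn: Optional[str] = None,
) -> List[CertRequirement]:
    """Return the certificates needed, one per role, with the names each must carry."""
    # A client that cannot resolve the _sip._tls SRV record falls back to sip.<sipdomain>,
    # so the Access Edge certificate carries one such name per SIP domain (as SAN entries).
    fallback = tuple(f"sip.{d}" for d in sip_domains)
    plan = [
        CertRequirement("access-edge-external", "public", (access_edge_fqdn,) + fallback),
        CertRequirement("webconf-edge-external", "public", (webconf_edge_fqdn,)),
    ]
    if av_edge_fqdn:  # separate A/V Edge server: one more public cert ...
        plan.append(CertRequirement("av-edge-external", "public", (av_edge_fqdn,)))
    plan.append(CertRequirement("edge-internal", "internal", (edge_internal_fqdn,)))
    if av_internal_fqdn:  # ... and one more internal-CA cert for its inside interface
        plan.append(CertRequirement("av-edge-internal", "internal", (av_internal_fqdn,)))
    # The reverse proxy presents the external web farm name to the Internet; it then
    # connects to the Front End by the name it resolves, and the FE cert must match that.
    plan.append(CertRequirement("reverse-proxy", "public", (external_web_farm_fqdn,)))
    plan.append(CertRequirement("front-end", "internal", (front_end_fqdn,)))
    return plan


def hostname_matches(cert_name: str, host: str) -> bool:
    """Match one subject/SAN name against a host name, case-insensitively.

    A wildcard is honoured only as the whole leftmost label and covers exactly one
    label: *.xxx.com covers sip.xxx.com but neither a.b.xxx.com nor xxx.com itself.
    """
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name == host:
        return True
    if not cert_name.startswith("*."):
        return False
    host_labels = host.split(".")
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == cert_name[2:]


def missing_names(cert_names: Sequence[str], req: CertRequirement) -> List[str]:
    """Names the role needs that no subject/SAN entry of the offered cert satisfies."""
    return [n for n in req.names if not any(hostname_matches(c, n) for c in cert_names)]


def audit(plan: Sequence[CertRequirement],
          issued: Dict[str, Sequence[str]]) -> Dict[str, List[str]]:
    """For every role in the plan, list the names still missing; an empty list means OK."""
    report: Dict[str, List[str]] = {}
    for req in plan:
        if req.role not in issued:
            report[req.role] = ["<no certificate assigned>"]
        else:
            report[req.role] = missing_names(issued[req.role], req)
    return report


if __name__ == "__main__":
    plan = plan_certificates(
        sip_domains=["xxx.com", "yyy.com"],
        access_edge_fqdn="ExtIM.xxx.com",
        webconf_edge_fqdn="ExtWeb.xxx.com",
        edge_internal_fqdn="edge01.xxx.internal",
        external_web_farm_fqdn="ocsweb.xxx.com",
        front_end_fqdn="pool01.xxx.internal",
    )
    # Constructed scenario resembling the thread: one cert taken from the Exchange
    # server was assigned to every OCS role, so none of the OCS names are on it.
    exchange_cert = ("mail.xxx.com", "autodiscover.xxx.com")
    issued = {req.role: exchange_cert for req in plan}
    for role, missing in audit(plan, issued).items():
        print(f"{role:24s} {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

    Running the block as a script prints one line per role; with the constructed Exchange cert every role reports missing names, which is the "cert doesn't match" situation later in the thread. Swap in the names actually present on each server's certificate (subject plus SAN) to see which role still needs a new or re-issued cert.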
  • Just wondering... my access from the Internet is still unsuccessful... is it a MUST that I have to use a Public CA for the External Edge?
    It seems nothing works... I don't know what to do anymore... help me
    Thursday, June 19, 2008 4:44 AM
  • If I want to buy a cert from a Public CA... which one should I buy? I went to GoDaddy but I'm not sure which one I should purchase... help me
    Thursday, June 19, 2008 6:04 AM
  • From this thread:


    See the following for more info on which Public CAs support SANs.


    Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007





    Also really look carefully at the Edge Server documentation from Microsoft, which goes into great detail about the certificates needed for outside Edge servers.


    Since there are "wizards" for requesting them, it is relatively painless getting them.




    - Steve

    Thursday, June 19, 2008 11:18 AM
  • I've checked my reverse proxy server (which was deployed by another guy). When I try to connect from outside, there are packets coming in to port 443 on my reverse proxy... but I think it cannot get through to the Edge... it seems like the cert doesn't match. The error is 'server unavailable'.

    Does sipexternal need to be put in the internal AD or the external public DNS?

    Okay, the OCS SE cert is grabbed from exch-server and assigned to ocs

    the OCS Edge cert is grabbed from exch-server too and assigned to ocsedge

    Where else should I assign the cert?

    Anyway... the UC cert from DigiCert is really expensive... it is about USD 399... OMG
    Thursday, June 19, 2008 8:23 PM
  • Dear all, please have a look at this url for the physical Edge server setup.


    Other PowerPoint slides create a big problem to understand, but this url clearly explains what the physical setup will be.
    Wednesday, October 21, 2009 3:08 PM