tls from offsite.. for communicator.. needed or not? How to make work?

  • Question

  • We have a GoDaddy SSL cert, but right now we are just using a local SSL cert, with SAN name of wan1.domain.com.. as internally we can connect via TLS if we wanted to..

    We are just using TCP internally.. and externally TCP works fine, but TLS does not.. I'm guessing the only way to make TLS work from offsite would be to use the GoDaddy cert.. but if we did this the name wouldn't match up to the internal server name and this would cause issues? I'm also not sure if the port is 5061, UDP or TCP?

    Is there a way around this.. given our setup (one server, behind firewall etc)..

    Thanks

    Thursday, October 25, 2007 4:12 PM

All replies

  • Hi Mark,

    In order to connect from the outside, you do need to use the external cert. The correct way to do it is to install an OCS edge server, and bind the cert to the Edge Server's Edge Authentication service. That way your external cert matches your edge server and your internal cert matches your internal cert name.

    As far as I know there isn't a way to do it with just the one server w/out an edge.

    Port 5061 is TCP for OCS, btw.

    Regards,

    Matt

    Thursday, October 25, 2007 4:41 PM
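As an added example (not code from any post in this thread), this Python script shows why the certificate has to carry the name the remote client actually dials: it matches a certificate's SAN DNS entries against a target hostname the way a TLS client does, and includes a live probe of a SIP/TLS listener on TCP 5061 that reports untrusted-issuer or hostname-mismatch failures. The SAN list and the external name sip.domain.com are constructed for illustration.

```python
"""Added example for this thread (not code from the posts): does a cert's
SAN list cover the name a remote client dials, and what does a real TLS
handshake to TCP 5061 say? The SAN list and sip.domain.com are constructed."""
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 style):
    exact match, or a bare '*' as the leftmost label matching one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names, hostname) -> bool:
    """True when any SAN DNS entry covers the name the client connects to."""
    return any(hostname_matches(n, hostname) for n in san_names)


def probe_tls(host: str, port: int = 5061, timeout: float = 5.0) -> str:
    """Connect to a SIP/TLS listener (TCP, not UDP) with full verification
    against the local trust store, exactly as a client would. Returns
    'ok: <SAN names>' or the verification error text (untrusted issuer,
    hostname mismatch, ...). Network call; not exercised by the test."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ())
                        if k == "DNS"]
                return "ok: " + ", ".join(sans)
    except ssl.SSLCertVerificationError as err:
        return "verify failed: " + err.verify_message
    except OSError as err:
        return "connect failed: " + str(err)


# Constructed scenario from the question: the internal cert only names wan1.domain.com.
INTERNAL_CERT_SANS = ["wan1.domain.com"]
EXTERNAL_NAME = "sip.domain.com"   # hypothetical name a remote client would use

if __name__ == "__main__":
    for name in ("wan1.domain.com", EXTERNAL_NAME):
        print(name, "covered" if cert_covers(INTERNAL_CERT_SANS, name) else "NOT covered")
```

Run `probe_tls("wan1.domain.com")` from outside the firewall to see which failure the remote client actually hits: an issuer the client does not trust (the local cert) or a name mismatch (a cert for a different host).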
  • markm75c wrote:

    We have a GoDaddy SSL cert, but right now we are just using a local SSL cert, with SAN name of wan1.domain.com.. as internally we can connect via TLS if we wanted to..

    We are just using TCP internally.. and externally TCP works fine, but TLS does not.. I'm guessing the only way to make TLS work from offsite would be to use the GoDaddy cert.. but if we did this the name wouldn't match up to the internal server name and this would cause issues? I'm also not sure if the port is 5061, UDP or TCP?

    Is there a way around this.. given our setup (one server, behind firewall etc)..

    Thanks

    We have a similar setup and ended up with three servers. 1 ISA Server, 1 OCS Standard Server, and 1 Edge Server. Check out http://jason-shave.blogspot.com for more information.

    Thursday, October 25, 2007 5:47 PM
  • mmcgille wrote:

    Hi Mark,

    In order to connect from the outside, you do need to use the external cert. The correct way to do it is to install an OCS edge server, and bind the cert to the Edge Server's Edge Authentication service. That way your external cert matches your edge server and your internal cert matches your internal cert name.

    As far as I know there isn't a way to do it with just the one server w/out an edge.

    Port 5061 is TCP for OCS, btw.

    Regards,

    Matt

    Is this the same edge server as with 2007 Exchange, one that isn't part of a domain etc?

    If so.. I guess we are out of luck at least for TLS from offsite for a while.. unless we bought one of the SAN approved (by Microsoft) SSL certs, which are like $600 a piece.

    We also couldn't do the external DNS SRV records.. as our DNS server is through Network Solutions, who doesn't offer these types of records..

    Thursday, October 25, 2007 5:53 PM
  • Hi,

    It's a different server than the Exchange Edge. It's a component of OCS and should be installed on a server by itself, not part of a domain. You can't really even install it on the Exchange Edge because Exchange is 64-bit and OCS requires 32-bit.

    I think you're right - you may be out of luck if you want to do TLS.

    Regards,

    Matt

    Thursday, October 25, 2007 5:57 PM
  • mmcgille wrote:

    Hi,

    It's a different server than the Exchange Edge. It's a component of OCS and should be installed on a server by itself, not part of a domain. You can't really even install it on the Exchange Edge because Exchange is 64-bit and OCS requires 32-bit.

    I think you're right - you may be out of luck if you want to do TLS.

    Regards,

    Matt

    So it's a second server with OCS edge components? I.e. the main OCS server is installed on a domain server, then the edge portion on another?

    Actually, as of now, I have OCS 2007 installed on 2003 x64.

    Thursday, October 25, 2007 6:00 PM
  • Yep - it's a second server w/ OCS components (when you run the setup, you can select "additional roles" (or something like that) and you will see the edge role available to install).

    And that's good to know about the x64 - I knew that OCS is only a 32-bit app, didn't know that it would run OK on a 64-bit OS. Thanks for the info!!

    Regards,

    Matt

    Thursday, October 25, 2007 6:15 PM
  • mmcgille wrote:

    Yep - it's a second server w/ OCS components (when you run the setup, you can select "additional roles" (or something like that) and you will see the edge role available to install).

    And that's good to know about the x64 - I knew that OCS is only a 32-bit app, didn't know that it would run OK on a 64-bit OS. Thanks for the info!!

    Regards,

    Matt

    Nice... so I could technically install it on an Edge Exchange 07 server then :)

    Thursday, October 25, 2007 6:34 PM
  • What about virtualization.. anyone running an edge server on another server in the virtual realm.. with its own external IP address.. I'm assuming this is possible?

    Thursday, October 25, 2007 9:36 PM
  • I have an edge on a VM and it works well. I have it using a physical NIC on the server though, for the externally routable IP.

    Regards,

    Matt

    Thursday, October 25, 2007 9:48 PM
  • mmcgille wrote:

    I have an edge on a VM and it works well. I have it using a physical NIC on the server though, for the externally routable IP.

    Regards,

    Matt

    What are you using for virtualization? VS 2005 or a VMware product?

    Some people have been bashing the MS virtualization line.. frankly.. the workstation VPC 2007 vs VMware: I do find VMware to be a bit faster and more user friendly, but on a server and given we have MSDN/Action Pack.. I'd probably go Virtual Server given the new Virtual Server manager abilities and future 2008 Server virtualization built in?

    Friday, October 26, 2007 5:57 PM
  • We are using MS Virtual Server for the Edge. It works pretty well for us.

    Regards,

    Matt

    Friday, October 26, 2007 7:57 PM
  • mmcgille wrote:

    We are using MS Virtual Server for the Edge. It works pretty well for us.

    Regards,

    Matt

    Cool...

    Curious.. are you running an Exchange 2007 edge server inside that VM as well.. Have you tried System Center Virtualization Manager with that?

    How much memory did you end up allocating to the Edge VM out of curiosity, and did you have to install an ISA server in the VM or elsewhere to get the edge features working properly?

    Friday, October 26, 2007 8:01 PM