Does OCS 2007 R2 CWA require a public certificate, or will a private one do?

  • Question

  • Hi all,

    Anyone who's done the complete config of CWA on OCS R2 should be able to answer this one really quickly... This is my first install of the service and I'm getting an ISA 2004 configured. I wonder if I'll need a public SSL certificate set up on the CWA and ISA boxes for clients to connect via various browser types over the internet, or whether a private CA will do the same. I've got a mixture of public and private certs at the moment, with public certs being available for Web Components (via the same ISA), Access Edge and AV Edge; the rest are all internal CA setups, and this CA isn't available to the public.

    The TechNet guide is a little confusing in that it says if you use a public certificate provider, use them; if not, use a private certificate provider. So does this mean a private one can be used by clients with various browser types from anywhere?

    Tuesday, September 22, 2009 3:50 PM

Answers

  • Please note that a certificate is only there to enhance security (by encrypting data). You can use either a public or a private certificate.

    The only issue you need to understand is that browsers throw an error message (mostly flashing a red line saying that the site may be unsafe, or that the certificate is unknown). For the common user, this may be a bit misleading.

    If you want to use a private cert, you need to find ways to install your CA cert on all machines (this can be done using a GPO for all domain-joined machines).

    To eliminate such hassles, especially on mobile devices and on multiple browsers, it is suggested that you use a public cert.

    Alas... a cert is a cert.

    It's just the user education, device maintenance and help-desk tickets that make a public cert more economical in the long run.
    Tuesday, September 22, 2009 3:57 PM
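Putting the private-CA route from the answer above into practice, as an added PowerShell example that is not from the thread or from Microsoft: it pushes the private root into a client's Trusted Root store (the manual equivalent of the GPO for machines that are not domain-joined) and then fetches the certificate the CWA/ISA listener presents and evaluates it the way a browser on that client would, so you can see the "unknown certificate" condition before users do. The root file path `C:\pki\CorpRootCA.cer` and the published name `cwa.contoso.com` are placeholders.

```powershell
# Added example, not part of the original thread. Shows the two halves of the
# private-CA option: trusting the CA root on a client, then checking what that
# client will make of the CWA certificate. Placeholders (assumptions): the
# exported root at C:\pki\CorpRootCA.cer and the published name cwa.contoso.com.

$rootCerPath = 'C:\pki\CorpRootCA.cer'
$cwaHost     = 'cwa.contoso.com'

# 1. Trust the private root machine-wide. On domain-joined machines the same
#    store is filled by the GPO under Computer Configuration > Windows Settings >
#    Security Settings > Public Key Policies > Trusted Root Certification
#    Authorities, so this manual step is only for the non-domain boxes.
#    Run elevated; -f overwrites an older copy of the same root.
certutil.exe -addstore -f Root $rootCerPath | Out-Null

# 2. Fetch the certificate the CWA/ISA listener presents and evaluate it as a
#    browser would: it must chain to a trusted root, and the requested host
#    name must appear in the certificate (subject CN or a SAN DNS entry).
function Test-CwaTrust {
    param([string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept anything during the handshake; validation is done explicitly below.
    $ssl = New-Object System.Net.Security.SslStream(
        $tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    # Chain build against this machine's current root store (revocation skipped
    # here so the test isolates the trust question).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $statusText = 'OK'
    if (-not $chainOk) {
        $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }

    # Host name check: subject DNS name plus any SAN "DNS Name=" entries.
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # English-locale formatting is assumed: "DNS Name=a, DNS Name=b"
        $names += @($san.Format($false) -split ',\s*' |
                    ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $Matches[1] } })
    }
    $nameOk = ($names -contains $HostName)

    New-Object PSObject -Property @{
        Host           = $HostName
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        ChainOk        = $chainOk
        ChainStatus    = $statusText
        NameMatch      = $nameOk
        BrowserWarning = -not ($chainOk -and $nameOk)
    }
}

Test-CwaTrust -HostName $cwaHost | Format-List
```

Run step 2 once before and once after step 1: a private cert shows `ChainStatus = UntrustedRoot` and `BrowserWarning = True` until the root is installed, which is exactly the red-line warning the answer describes, and a name mismatch (`NameMatch = False`) will keep the warning even after the root is trusted.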
  • You can use either.

    My recommendation would be to use a public certificate for a couple of reasons:
    - If you're using PSTN Dial-In Conferencing anonymous dial-in users reaching the page will see the certificate error.
    - If your users use the "Meet Now" functionality of Communicator (not to be confused with the Meet Now of Live meeting), any anonymous participants they invite to an IM or desktop share via the browser will see the error.
    - I find CWA is used often at kiosks or public terminals when someone doesn't have their "company" machine so even then your users are likely to see the cert error.

    If you're not concerned about those items and your user base will trust the private cert already you can probably go with the private.

    Tuesday, September 22, 2009 7:28 PM

All replies

  • Guys, spot on response thanks...

    I think with the company requirements of anywhere, any time, any device, public certs are my only option.
    Tuesday, September 22, 2009 9:35 PM
  • Also keep in mind that CWA uses certificates for two different forms of communication, both client-to-server SSL and server-to-server MTLS communications. The choice of what certificates to use (or what single certificate if loading both functions into a single SAN cert) is impacted by what is in use on other OCS hosts as well.

    Additional details can be found here: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=75
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, September 22, 2009 10:50 PM
    Moderator
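To make the "one SAN cert for both functions" point above concrete, here is an added PowerShell example (not from the thread or from Jeff's linked post) that reads the certificates with private keys in the CWA server's machine store and reports, for each, whether it carries both the published external name that browsers connect to and the host's internal FQDN that other OCS servers see in the MTLS handshake, together with its Enhanced Key Usage OIDs. The external name `cwa.contoso.com` is a placeholder; the internal FQDN is taken from the local machine. The check only covers names, private key and the Server Authentication EKU; whatever further requirements OCS places on the MTLS certificate are in the linked post, not asserted here.

```powershell
# Added example, not part of the original thread. Reports whether a single SAN
# certificate in the local machine store covers both CWA roles: browser SSL on
# the published name and server-to-server MTLS on the internal FQDN.
# The external name is a placeholder (assumption).

$externalName  = 'cwa.contoso.com'                                   # what ISA publishes to browsers
$internalFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # what OCS peers see
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# All DNS names a certificate can be matched against: subject DNS name plus
# every "DNS Name=" entry of the Subject Alternative Name extension (2.5.29.17).
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # English-locale formatting is assumed: "DNS Name=a, DNS Name=b"
        $names += @($san.Format($false) -split ',\s*' |
                    ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $Matches[1] } })
    }
    $names | Where-Object { $_ } | Select-Object -Unique
}

# Report one certificate against the names both roles need.
function Test-CwaSanCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string[]]$RequiredNames)

    $names   = @(Get-CertDnsNames -Cert $Cert)
    $missing = @($RequiredNames | Where-Object { $names -notcontains $_ })

    $ekuOids = @()
    $eku = $Cert.Extensions |
           Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    New-Object PSObject -Property @{
        Thumbprint      = $Cert.Thumbprint
        Subject         = $Cert.Subject
        Names           = $names -join ', '
        MissingNames    = $missing -join ', '
        HasPrivateKey   = $Cert.HasPrivateKey
        ServerAuthEku   = ($ekuOids -contains $serverAuthOid)
        ClientAuthEku   = ($ekuOids -contains $clientAuthOid)
        CoversBothRoles = ($missing.Count -eq 0) -and $Cert.HasPrivateKey -and ($ekuOids -contains $serverAuthOid)
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-CwaSanCert -Cert $_ -RequiredNames @($externalName, $internalFqdn) } |
    Format-Table Thumbprint, CoversBothRoles, MissingNames, ServerAuthEku, ClientAuthEku -AutoSize
```

A cert that shows `CoversBothRoles = True` is a candidate for loading both functions; one with the internal FQDN in `MissingNames` is the usual split case, where a public cert carries the published name for browsers and a separate internal-CA cert carries the server FQDN for MTLS, and it is the latter that has to match what the other OCS hosts already trust.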
  • I have a way to install a cert into the Trusted Root CA store on a PC that is not joined to the domain, with one press from the client.... 100$ lol ??

    Send me your email and I'll send you how to do it with snapshots.....

    Wednesday, October 21, 2009 4:41 PM