Entrust Certificate question for 2 OCS Edge servers

  • Question

  •  

    Can anyone provide advice about purchasing UCC certificates from Entrust (that's where we get all of our certs) for the public interface of 2 live edge servers?

    We have 2 live edge servers running fine with certificates from our internal CA, and now we want to purchase certs from a trusted external CA.

    Internally, the DNS records for the 2 edge servers are liveedge01.domain.com and liveedge02.domain.com.

    We have the external DNS records sipexternal.domain.com, edgeweb.domain.com, and edgeav.domain.com with our ISP, and it works fine for remote users.

    Edge server 1 runs the edge access and web conferencing roles.

    Edge server 2 runs only the Audio Visual role.

    Can I buy one UCC cert from Entrust and use the Subject Alternate Names

    sipexternal.domain.com, edgeweb.domain.com, edgeav.domain.com

    then assign that one cert to the public interface on each of the 2 edge servers?

    One last question: what would be the proper way to set up the Subject Name and Subject Alternate Name for the one UCC in order to work for both edge servers?

    I hope that makes sense.

     

    Rodney

    Wednesday, August 20, 2008 4:45 PM

Answers

  • If you want to do this correctly then you should not use UCC Certs unless you have multiple SIP domains.

    You should have:

    - One Public Cert for Access EDGE (use a UCC if you have multiple SIP domains only)

    - One Public Cert for Conferencing EDGE (UCC only for multiple SIP domains)

    - One Public Cert for Reverse Proxy server

    - No Public Cert required for Audio and Video EDGE Server

    - One Private Cert required for A/V Authentication Service on the internal NIC

    Wednesday, August 20, 2008 9:27 PM

All replies

  •  

    Thanks for your reply.

    That is exactly what I was thinking before I heard of the UCC certificate, which I don't fully understand. We only have one SIP domain, so I guess the UCC isn't necessary.

    Wednesday, August 20, 2008 9:32 PM
  • One other question.

    I found a problem with the Internal Interface Settings on my Edge Server.

    The "User Authentication Certificate information" is set with a certificate to our internal CA, which is causing a problem for users that don't trust our internal CA. I want to change that to a public CA certificate but can't figure out how to replace the certificate. The Certificate wizard doesn't seem to affect that setting.

    Any help would be appreciated.

    Rodney
    Wednesday, August 27, 2008 7:00 PM
  • Hello!

    I have a question about one of the answers. I know you need a UCC certificate on your access edge public IP when using multiple SIP domains. But why you should use it on the web conferencing I don't understand. You don't specify the FQDN of the webconf in the clients; that address is provided to the clients by OCS itself, right?

    Thursday, August 28, 2008 6:08 AM
  • Can you create a new topic? A lot of new questions in the same thread are a little bit confusing for everyone.

    Thursday, August 28, 2008 9:16 AM
  •  RodneyGarner wrote:
    One other question.

    I found a problem with the Internal Interface Settings on my Edge Server.

    The "User Authentication Certificate information" is set with a certificate to our internal CA, which is causing a problem for users that don't trust our internal CA. I want to change that to a public CA certificate but can't figure out how to replace the certificate. The Certificate wizard doesn't seem to affect that setting.

    Any help would be appreciated.

    Rodney

    I figured out my problem. It turns out something is wrong with the TCP/IP stack on the server. I created a brand new server with the public certs and everything works.

    • Proposed as answer by mahbodava Wednesday, September 16, 2009 10:22 AM
    Thursday, August 28, 2008 9:55 PM