Certificates for Live Meeting External Content URL

  • Question

  • OK, so my OCS 2007 is deployed in consolidated mode. I want to access Live Meeting content, ABS, etc. externally.

    Currently there is a cert on IIS with the name "domain.internal". I can add a SAN of "domain.external" using the OCS wizard guide. But how do I apply for a public certificate using both internal and external names? GoDaddy won't let me because of the internal domain; is this where ISA server comes in? We don't want to send out our internal root cert to all our external users.

    Is there a cert provider that will let me put internal and external names on one cert?

    Thanks

    Adriano

    Tuesday, February 26, 2008 11:25 PM

Answers

  • Adriano_83 wrote:

    I want to buy a public cert but I want to mix external and internal domain names on the same certificate. Is this possible?

    Yes, it is possible. We bought a Standard SSL Multiple Domain (UCC) Certificate from www.certificatesforexchange.com. They also work for OCS servers. We entered all internal and external domain names in the alternative names section.

    We had to buy only one certificate for the OCS server. We assigned the same certificate to all 3 external IP addresses. We have them on the same NIC.

    We use internal certificates for all internal NICs.

    And it works.

    Saturday, March 1, 2008 8:20 PM

All replies

  • Adriano,

    You probably need to deploy an Edge server (http://www.microsoft.com/downloads/details.aspx?FamilyId=ED45B74E-00C4-40D2-ABEE-216CE50F5AD2&displaylang=en).

    And you can check here http://support.microsoft.com/kb/929395/EN-US/ for certificate providers that do SANs.

    Andre.

    Wednesday, February 27, 2008 3:03 AM
  • Do you have to use an externally provided cert for the public interface of the address book on the ISA server? I am currently using an internal CA-issued certificate for this. I'm assuming, since it's a public-facing URL, it should be a publicly issued cert like a VeriSign certificate?

    Can someone please confirm.

    Thanks

    Wednesday, February 27, 2008 4:47 AM
  • Step 1: Make sure you can do Live Meeting as an internal user.

    Step 2: Install Access Edge server: http://www.ocspedia.com/Edge_Server/Deploy_AEP.htm

    Step 3: Install Web Conf Edge Server: http://www.ocspedia.com/Edge_Server/Deploy_WebConf_Edge.htm

    Step 4: Configure Reverse Proxy: http://forums.microsoft.com/unifiedcommunications/ShowPost.aspx?PostID=2841818&SiteID=57

    Certificate:

    If you do have an internal CA, get the certificate from the internal CA for the internal interface of the Edge server. If you don't want to send your root CA to external clients, get public certificates for the external interface of the Access Edge and Web Conferencing Edge server.

    Certificate on Access Edge server: http://www.ocspedia.com/Certificates/AccessEdge/AccessEdge_Cert.htm

    Certificate on Web Conf Edge Server: http://www.ocspedia.com/Certificates/WebConfEdge/WebConfEdge_Cert.htm

    If you do have a single Edge server configured as Access Edge and Web Conferencing Edge server, you need only one certificate for the internal interface but two public certificates for the external interface.

    If the external domain name of the Access Edge server and the Web Conferencing Edge server is the same, then you need to get only one public certificate and configure it at both external interfaces (Access Edge and Web Conf Edge) on the Edge server.

    R. Kinker
    MCSE 2003 - Messaging, MCTS- (LCS 2005 & OCS 2007)
    http://www.OCSPedia.com
    http://www.ITCentrics.com


    Wednesday, February 27, 2008 9:48 AM
  • Hi Kinker,

    I forgot to mention I have an Access Edge and all works well. But how do I secure the "External URL for meeting content download" with an external cert running a SAN of internal and external names with a public cert? I can do this with my internal CA and all works well, but I don't want to send out the root cert to non-domain users. GoDaddy denied my request because I had an internal domain name in the cert SAN as well as an external domain.

    I have already attached the internal cert to IIS that OCS created in the setup, which is OK for the "Internal URL for meeting content download", which is pool01.domain.internal, and I have added a SAN external.domain.com. Not good for external and anonymous Live Meeting users, who will need my internal root cert.

    I want to put a public cert in place to facilitate internal and external Live Meeting users.

    Regards

    Adriano

    Thursday, February 28, 2008 4:51 AM
  • Hi Adriano,

    Just a very quick hint, if you don't want to buy an additional externally trusted certificate: what about hiding your ISA behind the Edge server, and port-forwarding the traffic directed to a dedicated port on the Edge into the internal ISA machine's "external" leg? ("External" leg because ISA has to have 2 NICs, and this leg will send/receive Internet traffic.)

    In that case you can use the same certificate on ISA's "external" leg as on the Edge server's external interface, because an Internet user sees it as if it is connected to the same computer. I know that is a stupid hack, but if it works, you save the extra cost of a new certificate.

    Thursday, February 28, 2008 9:47 AM
  • I want to buy a public cert but I want to mix external and internal domain names on the same certificate. Is this possible?

    Friday, February 29, 2008 5:20 AM
  • Well, there are public cert providers like VeriSign and others who don't have any problem if you mention the internal domain name. The only thing you need to take care of is that ISA can read either the subject name or the first name in the SAN. It can't read the other names in the SAN.

    R. Kinker
    MCSE 2003 (Messaging), MCTS - (LCS 2005, OCS 2007)
    http://www.ocspedia.com
    http://www.ITCentrics.com

    Sunday, March 2, 2008 5:35 AM
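Two points in this thread are easy to get wrong when you build the name list for a certificate request: the accepted answer mixes internal and external names in one SAN list, and Kinker's reply says ISA only matches the subject name or the first SAN entry. The script below is an added example, not code from the thread or from Microsoft. It models both checks on a plain list of names so you can see which names a public CA will refuse (today's public CAs have not issued certificates for non-public names such as `.internal` or `.local` for years, so the GoDaddy refusal described above is the normal outcome now) and why an externally published name must be the CN or the first SAN when a first-SAN-only validator such as ISA sits in front of the server. The `INTERNAL_SUFFIXES` set, the `CertNames` class and the two validator functions are assumptions constructed for this example; the host names come from the thread.

```python
"""Added example (not from the thread): check a certificate's name list the
way two different validators described in the thread would.

Assumptions (constructed for this example, not taken from the page):
  * a public CA refuses names it cannot verify in public DNS: single-label
    hosts and names under a reserved/private suffix (INTERNAL_SUFFIXES);
  * a legacy reverse proxy (ISA, per the thread) matches only the subject CN
    and the FIRST SAN entry, while a modern client checks every SAN entry.
"""
from dataclasses import dataclass, field
from typing import List

# Suffixes a public CA will not certify because they do not resolve in public
# DNS (assumed list: ".local" is mDNS, the rest are common private conventions).
INTERNAL_SUFFIXES = {"internal", "local", "localhost", "lan", "corp",
                     "home", "intranet", "private"}


@dataclass
class CertNames:
    """The names a certificate (or CSR) carries: subject CN plus dNSName SANs, in order."""
    subject_cn: str
    sans: List[str] = field(default_factory=list)


def is_internal_name(name: str) -> bool:
    """True for names a public CA cannot validate: single-label hosts or
    names ending in a reserved/private suffix."""
    labels = name.lower().strip(".").split(".")
    if len(labels) < 2:
        return True
    return labels[-1] in INTERNAL_SUFFIXES


def public_ca_would_reject(cert: CertNames) -> List[str]:
    """Names (CN plus SANs, de-duplicated) that make a public CA refuse the
    request; this is the refusal Adriano describes in the thread."""
    seen: List[str] = []
    for name in [cert.subject_cn, *cert.sans]:
        if is_internal_name(name) and name not in seen:
            seen.append(name)
    return seen


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a wildcard in the leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    host_labels = host.split(".")
    # "*.domain.com" covers "a.domain.com" but never "domain.com" itself.
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]


def legacy_proxy_accepts(cert: CertNames, host: str) -> bool:
    """Validator that reads only the subject CN and the first SAN entry
    (the ISA behaviour Kinker describes)."""
    candidates = [cert.subject_cn] + cert.sans[:1]
    return any(name_matches(c, host) for c in candidates)


def modern_client_accepts(cert: CertNames, host: str) -> bool:
    """Validator that checks every SAN entry; CN only when there are no SANs."""
    candidates = cert.sans if cert.sans else [cert.subject_cn]
    return any(name_matches(c, host) for c in candidates)


def plan_public_cert(cert: CertNames, external_host: str) -> CertNames:
    """Name list to request from a public CA: drop names the CA will refuse
    and put the externally published name first (and as CN) so that a
    first-SAN-only validator still accepts it."""
    public_names = [n for n in [cert.subject_cn, *cert.sans] if not is_internal_name(n)]
    ordered = [external_host] + [n for n in public_names
                                 if n.lower() != external_host.lower()]
    return CertNames(subject_cn=external_host, sans=ordered)


if __name__ == "__main__":
    # Constructed sample using the two host names that appear in the thread.
    requested = CertNames(subject_cn="pool01.domain.internal",
                          sans=["pool01.domain.internal", "external.domain.com"])
    print("public CA would reject:", public_ca_would_reject(requested))
    print("first-SAN-only proxy accepts external.domain.com:",
          legacy_proxy_accepts(requested, "external.domain.com"))
    print("modern client accepts external.domain.com:",
          modern_client_accepts(requested, "external.domain.com"))
    print("request this from the public CA instead:",
          plan_public_cert(requested, "external.domain.com"))
```

Run as-is and the sample request is flagged twice: the public CA rejects `pool01.domain.internal`, and the ISA-style check fails for `external.domain.com` because that name is neither the CN nor the first SAN. The planned request keeps the internal name out of the public certificate entirely (serve it from the internal CA, as the thread suggests) and makes the external name both CN and first SAN, which satisfies either validator.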
  • Thanks Igor, I'll check them out.

    Monday, March 3, 2008 5:09 AM