Very Confused about the Cert Setup for both OCS and Edge servers (both consolidated)


  • Ok, first off, I would like to apologize for having to post this as I believe I have thought myself into a knot, and just don't know what to do in regards to certs! So, I will be very specific and describe our situation exactly.

    In our environment, our main site has an OCS 2007 R2 SE server built on Windows Server 2003 R2 SP2. Our AD domain is domainname.local. Externally, all of our sites and resources are published as domainname.com. In our environment, we have split-DNS set up, so that domainname.com addresses are resolvable internally. Our OCS server's FQDN is OCS.domainname.local. When setting up OCS, I named our pool OCS.domainname.local. I set up our external address as communicator.domainname.com, and this is resolvable internally because of our split-DNS, which points that FQDN directly at the IP of our OCS server.

    So far, as far as a cert goes, I have used a self-signed certificate that I generated on the OCS server from IIS. So, this cert only has the name OCS.domainname.local bound to it. Then, I deployed this certificate to every workstation's Trusted Root Certification Authorities store, and internally, everything works great! At our main site, we can IM each other, we can conference with multiple users, do Live Meetings with application sharing and whiteboard sharing, and we can do A/V as well. If this was our only requirement, I would leave it at that and call it good. BUT, there are two areas where this becomes a problem: 1) With this setup we have to use login credentials that end in "@domainname.local", rather than using our email addresses that end in "@domainname.com" (preferable); 2) we need all the above functionality between us and our remote sites (all on the same domain with split-DNS enabled, but on different subnets), and even though we have ISA 2006 servers at each site, connected with site-to-site VPN connections that are supposed to route ALL traffic, right now we can only IM with them and conference, but A/V does not work between the sites.

    From what I have read, many people have encountered the same problem of A/V not working between ISA VPN connected sites, and the recommended fix seems to always be that an Edge server needs to be deployed to make the A/V work between sites. So we are in the process of setting that up.

    Anyway, in order to login to the Communicator clients with our email addresses (.com, not .local), I have realized that the cert specified in OCS needs to have a name that matches the email address (.com). Unfortunately, a cert like that would not match the pool name (ends in .local). SO, what are my options here?

    If I set up an internal CA in our environment, is it possible, and will it work, to request a certificate with a Subject Name of OCS.domainname.local, and specify that the certificate has a SAN of communicator.domainname.com? I am not sure if it is even feasible to have different domain names that belong to different namespaces on the same cert.

    Also, provided that I can generate this cert above, I am VERY confused on all the different resources about exactly what certs we will need on both the OCS and Edge servers. If someone can just spell out EXACTLY what certs we will need (least amount possible), and where exactly each of these certs need to go, that would REALLY help me get my ducks in a row! Again, I apologize for my general confusion and long-winded problem, but I wanted to be thorough. I really look forward to any and all help anyone can provide!


    Thursday, November 5, 2009 3:30 PM
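The certificate the poster describes (Subject CN in the .local namespace, a Subject Alternative Name in the .com namespace) is an ordinary request for a Windows enterprise CA. The script below is an added example, not part of the original post or of any Microsoft documentation: it writes a certreq INF file that carries both DNS names in the subjectAltName extension, submits it to an internal CA, installs the issued certificate in the computer store, and checks that both names actually made it into the SAN. The CA config string "CA01.domainname.local\DomainName-CA", the "WebServer" template, and the O/C values in the Subject are assumptions standing in for whatever the environment really uses.

```powershell
# Added example (not the original poster's code): request one certificate whose
# Subject is CN=OCS.domainname.local and whose SAN also lists
# communicator.domainname.com, from an internal Windows CA.
# Assumed values (not in the original post): CA config string, template name, O/C.

# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=OCS.domainname.local, O=DomainName, C=US"   ; O and C are assumed
KeyLength = 2048
Exportable = TRUE                 ; allows re-use of the key pair on another role if needed
MachineKeySet = TRUE              ; private key in the computer store, which OCS requires
KeySpec = 1                       ; AT_KEYEXCHANGE
KeyUsage = 0xA0                   ; Digital Signature + Key Encipherment
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1           ; Server Authentication

[Extensions]
; 2.5.29.17 is subjectAltName. Names from two DNS namespaces in one SAN are fine.
2.5.29.17 = "{text}"
_continue_ = "dns=OCS.domainname.local&"
_continue_ = "dns=communicator.domainname.com&"

[RequestAttributes]
CertificateTemplate = WebServer   ; assumed: a template whose Subject is "Supply in the request"
'@

Set-Content -Path .\ocs.inf -Value $inf -Encoding ASCII

# 1. Build the PKCS#10 request; this also creates the private key in LocalMachine\My.
certreq -new .\ocs.inf .\ocs.req

# 2. Submit to the internal CA (assumed config string) and fetch the issued cert.
certreq -submit -config "CA01.domainname.local\DomainName-CA" .\ocs.req .\ocs.cer

# 3. Join the issued certificate to its pending request / private key.
certreq -accept .\ocs.cer

# 4. Verify that the installed certificate really carries both names in its SAN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=OCS.domainname.local*' } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($null -eq $sanExt) {
    Write-Warning 'Issued certificate has no subjectAltName extension; the CA dropped it.'
} else {
    $sanText = $sanExt.Format($true)
    foreach ($name in 'OCS.domainname.local', 'communicator.domainname.com') {
        if ($sanText -notmatch [regex]::Escape($name)) {
            Write-Warning "SAN is missing $name"
        }
    }
}
```

Two caveats a practitioner would check. First, the SAN is placed in the request's own extension section rather than passed with `certreq -submit -attrib "SAN:..."`, so the CA does not need the EDITF_ATTRIBUTESUBJECTALTNAME2 flag; that flag lets any requester assert arbitrary names on the CA and should stay off. Second, the verification step matters because an enterprise CA only copies the request's SAN when the chosen template lets the requester supply the subject; if the issued certificate comes back with a single name, the template, not the INF syntax, is the problem.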

