OCS federation in the same company, trusted domains RRS feed

  • Question

  • Hi All,

    Due to security we will have 2 different networks, domains and Active Directory in our company. In CompanyA we have LCS2005 SP1 in CompanyB we will install OCS2007.

    In DomainA we have more than 1 LCS server so between Edge server and LCS server we will use a Director.

    In DomainB we will install a OCS2007 server and an Edge server.

    This is highlevel but I think its pretty straight forward.

    Im really confused about certificates and DNS SRV records. I have read a lot of guides but I still cant understand it.

    DomainA = EDGE_A
    DomainB = EDGE_B

    1. Because these EDGE server are in the same infrastructure, will not go outside to internet. Do I need an external issued certificate ?
    2. How should the DNS SRV record be setup ?

    DNS or Certificates is a really greyzone for me...

    / Staffan

    Thursday, May 14, 2009 12:47 PM

All replies

  • Even though the Edge servers are in the same infrastructure, your federation will still have to happen between the Edge servers. If you're federating with other partners then it might make sense to use a public certificate. If not, you just need to make sure your two Edge servers trust each other's certs assigned to the Access Edge service, or Access Proxy.

    The SRV records only come into play for federation if you're allowing the Edge to discover other partners Access Edge server automatically. You can still explicitly point the OCS Edge at a specific address (of your Access Proxy) for the other SIP domain.

    Are these Edge servers in the same network, or maybe even the same subnet? Depending on if you're using public IP addresses in your DMZ this might just work without much effort. If not, you may want to use a host file for DNS so the servers resolve each other to their Access Edge IP within the same network instead of the public IP.
    Wednesday, May 20, 2009 9:00 PM
  • You don't have to use public certificates if you simply install the root/issuing certs for each CA on the other's Edge Server.  You can also add each Edge server's FQDN into the other's HOSTS file to bypass any need for DNS records as well.  Then just configure each remote FQDN in the Allowed configuration for Federation.  since this will not be a public facing Edge server then the SRV records used by Open Federation wouldn't not be used either.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, May 20, 2009 9:13 PM