UCC for Exchange 2007 SP1 and OCS 2007 issues?

  • Question

  • Dear all,
    I have searched some posts in this forum about UCC for OCS & Exchange, but I am still confused.
    I already have one wildcard cert: *.domain.com. My Exchange external CAS FQDN is mail.domain.com, and the OCS SIP FQDN is sip.domain.com, WebConf FQDN: webconf.domain.com, CWA FQDN: ocsweb.domain.com. My Exchange is 2007 SP1 with Update Rollup 6 installed, and OCS is 2007 RTM.
    I tried to use the Enable-ExchangeCertificate cmdlet to enable the POP3/IMAP4 services on the CAS using this wildcard cert, and it says: "WARNING: This certificate will not be used for external TLS connections with an FQDN of '*.domain.com' because the self-signed certificate with thumbprint 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' takes precedence. The following connectors match that FQDN: POP3/IMAP4."

    The weird thing is that the thumbprint that the message says will take precedence is actually the thumbprint of the wildcard cert, not of the auto-generated self-signed cert. The wildcard cert is also not self-signed as the message says, and I verified this by looking at the "IsSelfSigned" attribute from the Get-ExchangeCertificate | fl command. Besides, I found there might be a problem when using a wildcard cert with ActiveSync.
    OK, I know it's an OCS forum, so I just want to ignore the wildcard cert issues and purchase a new UCC for Exchange and OCS.
    Below are some questions:
    1. I want to use this cert on both the Exchange CAS role and the OCS Edge role servers. So which one should be assigned the subject name (common name)?
    SN: mail.domain.com
    SANs: sip.domain.com,webconf.domain.com,ocsweb.domain.com,autodiscover.domain.com

    SN: sip.domain.com
    SANs: mail.domain.com,webconf.domain.com,ocsweb.domain.com,autodiscover.domain.com
    Is it possible to use one of the above (one cert in total) to make all my Exchange services (POP3/IMAP/SMTP/OWA/Outlook Anywhere/ActiveSync/Autodiscover) and OCS 2007 services run with no errors?

    2. When generating the CSR, must the "Include client EKU in the certificate request" option and the "Automatically add local machine name to Subject Alt Name" option be checked?
    3. Someone here said the OCS Web Conferencing Edge Server public interface needs a separate cert, and someone else said it is not necessary. Which one is correct?
    4. Does the order of the SANs matter? For example, which one (the subject name?) must be the first SAN?

    Monday, March 9, 2009 5:59 AM
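A worked check for the coverage part of question 1, added here and not taken from the thread: given a certificate's subject CN and SAN list, it reports which of the Exchange and OCS service FQDNs named above would be left unmatched. The service names and FQDNs are the ones from the question (domain.com is the poster's placeholder), and the matching rules are the standard TLS host-name rules (exact match, a wildcard replacing only the single leftmost label); the function names are my own.

```python
# Added example, not code from the thread or from Exchange/OCS.
# Checks whether one certificate's names cover every FQDN that the
# Exchange CAS and the OCS Edge roles present to external clients.

# Service -> external FQDN, as listed in the question (domain.com is a placeholder)
REQUIRED_FQDNS = {
    "Exchange CAS (OWA/ActiveSync/POP3/IMAP4/SMTP)": "mail.domain.com",
    "Exchange Autodiscover": "autodiscover.domain.com",
    "OCS Access Edge (SIP)": "sip.domain.com",
    "OCS Web Conferencing Edge": "webconf.domain.com",
    "OCS Communicator Web Access": "ocsweb.domain.com",
}


def name_matches(presented: str, fqdn: str) -> bool:
    """True if one CN/SAN entry matches a host name (case-insensitive).

    A wildcard such as *.domain.com matches mail.domain.com but neither
    domain.com itself nor a.b.domain.com: only the leftmost label is replaced.
    """
    presented = presented.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if not presented.startswith("*."):
        return presented == fqdn
    suffix = presented[1:]                # ".domain.com"
    if not fqdn.endswith(suffix):
        return False
    first_label = fqdn[: -len(suffix)]    # what the "*" would stand for
    return bool(first_label) and "." not in first_label


def uncovered_services(subject_cn: str, sans: list[str],
                       required: dict = REQUIRED_FQDNS) -> list[str]:
    """Return the services whose FQDN matches neither the CN nor any SAN.

    Clients that honour the SAN extension ignore the CN once SANs are present,
    so the CN should be repeated in the SAN list, as in the UCC the poster bought.
    """
    names = [subject_cn, *sans]
    return [service for service, fqdn in required.items()
            if not any(name_matches(name, fqdn) for name in names)]
```

Run against the two layouts proposed in question 1, either one covers every service; the UCC from the last reply (no autodiscover or ocsweb SAN) leaves Autodiscover and CWA unmatched, which matters only if those names are actually published externally.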

All replies

  • You should use your internal CA to secure Exchange and OCS.
    In your reverse proxy, use UCC certificates that support both your Exchange and OCS environment.
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Friday, March 13, 2009 6:22 PM
  • Thanks for your reply.
    I purchased a new UCC,
    SN: sip.domain.com
    SANs: sip.domain.com,webconf.domain.com,mail.domain.com

    It seems all services are running fine.

    Monday, March 16, 2009 4:01 AM