OCS with Split DNS without SAN certficates RRS feed

  • Question


    Hi all,


    I currently have a lab setup for OCS and I am working out the kinks.


    My OCS machine is ocs1.domain.lab.


    Getting it up and running was not an issue with a self signed certificate.



    However it has come time to replicate real life usage and to do so I need to use split DNS.  The idea is that outside of our network the DNS for ocs.url.com should resolve to a public IP, and inside the network ocs.url.com should resolve to a private one.


    The DNS entries are not the problem I have that bit functioning with other services just fine.


    The issue seems to be the certificate that OCS uses.

    I have added ocs.url.com to the external web farm FQDN using lcscmd and I have tried to use a certificate for ocs.url.com but the services don't start.


    The research I have done has led me to the conclusion that without a certificate with SANs for both ocs.url.com and ocs1.domain.lab, the services won't start properly.


    My question then comes down to this: Is it possible to utilize split DNS without having a certificate with SANs for each FQDN?


    Thanks for any help and please let me know if the question was not clear enough



    Tuesday, April 22, 2008 11:14 PM

All replies

  • If you want to use Remote Access to OCS you must use an OCS EDGE Server to connect internet users to the internal OCS Server


    Wednesday, April 23, 2008 10:58 AM
  • It sounds to me like you are trying to use the same ceritifcate on both the Front-End and Access Edge servers?  It's not quite clear, but typically you would deploy a certificate issued by an internal Windows CA to the Front-End server or pool and that would be your internal FQDN.  Then a trusted third-party certificate authority would issue another cert for your Acces Edge server.  The subject name of each certificate would match the server's FQDN and thus match the SRV records created for client Automatic Configuration.  Split DNS should not be an issue as the internal and external servers are different, unique names.

    Wednesday, April 23, 2008 9:24 PM
  • This article explains how to support multiple SIP domains with OCS and Certificates


    Tuesday, August 5, 2008 8:21 PM

    Dear CiCiScooter

    Did you find any solution for this issue (OCS with Split DNS without SAN certficates) couse i have the same problem!!!

    Tuesday, September 2, 2008 9:18 AM
  • Hi,

    To the best of my knowledge, the only way to do this is to split your web components server off on to its own box. This would of course require deploying OCS Enterprise in order to move the role off on its own.


    Otherwise, with standard edition server, you're going to need a SAN.






    Tuesday, September 2, 2008 9:02 PM